External and internal network engagements: recon → enumerate → get a foothold → escalate → move laterally → reach the objective.

Prereqs

• TCP/IP fundamentals, OSI layers, common protocols.
• Comfort in a Linux shell; basic Bash and Python scripting.
• A controlled lab (HackTheBox, OffSec Proving Grounds, your own VMs).

Stage 1 — fundamentals

• Host discovery and port scanning: nmap, masscan, host-discovery.
• Service enumeration cheat sheet — by port:
  • 21 ftp-enum · 22 ssh-enum · 25 smtp-enum
  • 53 dns-enum · 80/443 http-enum
  • 88 kerberos-enum · 110/143 mail
  • 139/445 smb-enum · 161 snmp-enum
  • 389/636 ldap-enum · 1433 mssql-enum
  • 3306 mysql-enum · 3389 rdp-enum
  • 5985/5986 winrm-enum · 6379 redis-enum
• Vulnerability scanning vs manual triage — when each makes sense.
• HackTricks pentesting checklist — internal & external: https://book.hacktricks.wiki/en/generic-methodologies-and-resources/pentesting-methodology.html.

Stage 2 — intermediate

• Initial access patterns: weak creds, default creds, known CVEs, password-spraying, exposed-services.
• Windows post-exploitation primitives: windows-enumeration, credential-dumping, token-impersonation.
• Linux post-exploitation: linux-enumeration, linux-privesc-vectors.
• Lateral movement basics: pass-the-hash, pass-the-ticket, smb-exec, wmi-exec.
• Pivoting: port-forwarding, ssh-tunneling, chisel / ligolo-ng.

Stage 3 — advanced

• Active Directory attack chains end-to-end.
• Cross-segment pivoting, dual-homed hosts, double pivots.
• Operating under EDR and PAM (see red-team-operations).
• Detection-aware tooling — replacing noisy public binaries with bring-your-own-tool.

When you’re “done”

• You walk into a /16 you’ve never seen and have a working hypothesis in under an hour about where the crown jewels live.
• You stop reaching for automation when the lab is small enough to triage manually.