A penetration testing lab should begin with scope, not tools. Read the brief carefully, identify the target range, note the allowed techniques and write down what evidence your report must contain before running any scan. This prevents random command output from becoming the centre of the work and keeps the lab focused on an ethical academic objective.
Enumeration is the most important study habit in a practical security lab. Record ports, services, versions, pages, usernames, error messages and any assumptions separately. When a finding appears, explain how the evidence led you there instead of only listing the final exploit step. A strong report shows the route from observation to conclusion.
Screenshots should prove the point, not decorate the report. Capture the command, the relevant output, the timestamp or tool context and the result that supports the finding. If a step fails, keep a short note explaining why it was rejected. Failed attempts often demonstrate method and help the reader understand that the final path was tested.
The final report should separate vulnerability, impact, evidence and remediation. Describe the risk in plain academic language, explain the technical cause, show the proof and recommend a realistic fix. This structure helps BSc and MSc students turn lab activity into a professional submission rather than a loose collection of terminal screenshots.