HackCert
Intermediate 10 min read May 9, 2025

Practical Guide to Network Penetration Testing

Hands-on network penetration testing methodology: discovery, enumeration, exploitation, post-exploitation, and reporting that drives remediation.

Ibrahim Nooruddin Khan
Red Team Operator
Overview

Networks are the connective tissue of every organization. They link laptops to data centers, branch offices to headquarters, on-premises systems to cloud environments. They also concentrate risk. A single misconfigured firewall rule, an exposed management interface, or an unpatched server in a forgotten VLAN can give an attacker a foothold that quickly turns into domain compromise. Network penetration testing is the discipline of probing those weaknesses before adversaries do.

This guide walks intermediate practitioners through a complete network penetration testing engagement: scoping, discovery, enumeration, vulnerability identification, exploitation, post-exploitation, and reporting. It assumes you are comfortable with networking fundamentals and want to sharpen the methodology.

Core Concepts

Network penetration testing simulates real-world attacks against an organization's network infrastructure to identify exploitable weaknesses. It covers external (internet-facing) and internal (on-premises or assumed-breach) perspectives. Engagements may be black-box (no prior information), gray-box (some context), or white-box (full architectural detail).

Authoritative methodologies include PTES (Penetration Testing Execution Standard), NIST SP 800-115, OSSTMM (Open Source Security Testing Methodology Manual), and the OSCP/PNPT-style step-by-step kill chain that combines discovery, enumeration, exploitation, and post-exploitation.

Two perspectives dominate. External pentests probe the perimeter as an unauthenticated outsider. Internal pentests assume the attacker has already landed inside the network (via phishing, a compromised laptop, or a rogue device) and tries to escalate from there. Both are valuable; both surface different findings.

Rules of engagement are non-negotiable. Authorized scope, exclusions (production change freezes, fragile systems), permitted techniques, working hours, and emergency contacts must be documented in writing before any packet is sent.

Scoping and Preparation

Define scope precisely. Which IP ranges, hostnames, VLANs, sites, and cloud environments are in scope? Which are explicitly excluded? Is wireless testing in scope? Are denial-of-service techniques permitted? Document the answers and get written sign-off.

Plan the test environment. From where will you test: a kiosk laptop on a guest network, a dropped device in the office, a VPN connection, a virtual machine in a customer-provided isolated network? Each has different visibility and impact characteristics.

Stand up your toolkit. Kali Linux or Parrot OS in a VM, with up-to-date tools: nmap, masscan, naabu for discovery; CrackMapExec/NetExec, Impacket, BloodHound, Responder, mitm6, ldapsearch, evil-winrm, enum4linux-ng for Windows networks; Metasploit and Cobalt Strike for exploitation (within license); Wireshark and tcpdump for traffic analysis; Hashcat and John the Ripper for cracking.

Establish operational security. Use a dedicated VM and IP for testing. Note the source addresses so the customer can correlate logs. Tag all custom payloads and tools so they are recognizable as test artifacts.

Set up note-taking. A structured notes system (Obsidian, Notion, CherryTree, or even plain Markdown files), keyed by host and service as you collect them, accelerates report writing tremendously.

Discovery and Enumeration

Start with host discovery. nmap with the appropriate flags (-sn for ping sweeps, -PE/-PP/-PM for ICMP variants, -PS/-PA/-PU for TCP SYN, TCP ACK, and UDP probes) identifies live hosts. masscan is faster for large ranges but less accurate. naabu is a Go-based alternative common in modern bug bounty toolchains.

Then service enumeration. nmap -sC -sV -p- against each live host reveals open ports, service versions, and default-script output. UDP scans are slow, so nmap -sU --top-ports <N> or a curated -p port list is usually a reasonable tradeoff. Parse the output programmatically (-oX for XML, -oG for grepable) for easier integration with other tools.

Probe each service. HTTP/HTTPS: web app testing methodology applies; check default credentials, exposed admin panels, .git directories, and known CVEs. SMB: enum4linux-ng for shares, users, and policies. LDAP: ldapsearch for naming context, user listings (if anonymous bind allowed). DNS: dig and dnsrecon for zone transfers and subdomain enumeration. Database services: check defaults; mysql/psql/redis often allow anonymous probing.

Look for forgotten services. SNMP with default community strings (public/private) frequently reveals interface details, ARP tables, and software inventories. IPMI on server management interfaces is a recurring source of credential extraction. NTP, finger, rsh, and X11 remain on legacy networks.

Enumerate management surfaces. Switch and router management interfaces (web, SSH, Telnet), printer admin pages, NAS appliances, IPMI/iLO/iDRAC, building management systems, and IoT devices often have default credentials and known exploits.

Document everything. Hosts, services, versions, banners, response details. Findings come from correlating signals across many sources.
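As an added example of the "parse output programmatically" and "document everything" advice above (this is not code from the article or its author), the following Python script parses nmap's XML output (-oX) into a per-host service inventory and renders Markdown notes of the kind a structured notes system wants. The XML is a constructed sample in nmap's real nmaprun/host/ports/port schema, not a real scan; the hostnames and addresses are made up.

```python
"""Parse nmap XML output into a per-host service inventory and Markdown notes.

Added example; not from the article. The XML below is a constructed sample
in nmap's real output schema (nmaprun/host/ports/port), not a real scan.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: three hosts as `nmap -sC -sV -p- -oX` would emit them (trimmed).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -p- -oX scan.xml 10.0.0.0/29">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="fs01.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Windows Server 2019 microsoft-ds"/>
        <script id="smb2-security-mode" output="Message signing enabled but not required"/>
      </port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Services"/>
      </port>
      <port protocol="tcp" portid="135"><state state="filtered"/>
        <service name="msrpc"/>
      </port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="udp" portid="161"><state state="open"/>
        <service name="snmp" product="net-snmp" version="5.8"/>
      </port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

@dataclass
class Service:
    port: int
    proto: str
    name: str
    product: str = ""
    version: str = ""
    scripts: dict = field(default_factory=dict)   # NSE script id -> output text

@dataclass
class Host:
    addr: str
    hostname: str
    services: list = field(default_factory=list)

def parse_nmap_xml(xml_text: str) -> list:
    """Return hosts that are up, with their open ports only (filtered/closed are dropped)."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in h.findall("address")
                     if a.get("addrtype") == "ipv4"), "")
        hn = h.find("hostnames/hostname")
        host = Host(addr=addr, hostname=hn.get("name") if hn is not None else "")
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue
            svc = p.find("service")
            host.services.append(Service(
                port=int(p.get("portid")), proto=p.get("protocol"),
                name=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
                scripts={s.get("id"): s.get("output") for s in p.findall("script")},
            ))
        hosts.append(host)
    return hosts

def render_notes(hosts: list) -> str:
    """One Markdown section per host: a service table plus script output to follow up on."""
    out = []
    for h in sorted(hosts, key=lambda x: x.addr):
        out.append(f"## {h.addr} ({h.hostname or 'no PTR'})\n")
        out.append("| port | service | product/version |\n|---|---|---|")
        for s in sorted(h.services, key=lambda x: (x.proto, x.port)):
            out.append(f"| {s.port}/{s.proto} | {s.name} | {(s.product + ' ' + s.version).strip()} |")
        for s in h.services:
            for sid, text in s.scripts.items():
                out.append(f"- {s.port}/{s.proto} {sid}: {text}")
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    print(render_notes(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Point it at a real scan with `parse_nmap_xml(open("scan.xml").read())`; filtered ports are dropped on purpose so the notes list only what actually answered, and the NSE script output (here the smb2-security-mode line) lands next to the service it belongs to, which is exactly the correlation the reporting phase needs later.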

Vulnerability Identification

Use vulnerability scanners to amplify discovery. Nessus, OpenVAS, Nuclei, and Qualys VMDR probe for known CVEs. Treat output as input to deeper investigation; raw scanner findings are not pentest findings until validated.

Cross-reference versions with public CVE databases. Tools like searchsploit (offline Exploit-DB) map versions to known exploits. CISA's Known Exploited Vulnerabilities (KEV) catalog prioritizes vulnerabilities with confirmed in-the-wild exploitation.
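To make the two paragraphs above concrete, here is an added Python example (not the article's own tooling) that cross-references an enumerated service inventory against a local advisory table with affected-version ranges, and then prioritises hits that appear in a KEV-style set. The advisory table, the KEV set, the CVE-0000-* identifiers and the inventory are all constructed placeholders in the shape of the real data; the constraint syntax (">=8.0,<9.3") is an assumption of this script. Every hit comes out marked "needs validation" because, as the scanner paragraph says, a version match is not a finding until you have confirmed it.

```python
"""Cross-reference enumerated service versions against a local advisory table and a
KEV-style priority set. Added example, not the article's own tooling. The advisory
table, the KEV set and the inventory are CONSTRUCTED placeholders in the shape of
the real data (CVE-0000-* IDs are dummies); every hit is a candidate to validate,
not a finding.
"""
import re
from dataclasses import dataclass

def version_tuple(v: str) -> tuple:
    """'9.6p1' -> (9, 6): only the leading dotted-numeric core is compared."""
    core = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(x) for x in core.group(0).split(".")) if core else ()

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}

def in_range(version: str, affected: str) -> bool:
    """affected is a comma-joined constraint list such as '>=8.0,<9.3' (constructed format)."""
    v = version_tuple(version)
    if not v:
        return False
    for clause in affected.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.]+)\s*", clause)
        if not m or not _OPS[m.group(1)](v, version_tuple(m.group(2))):
            return False
    return True

ADVISORIES = [  # constructed: product, affected range, CVSS base score
    {"cve": "CVE-0000-0001", "product": "net-snmp", "affected": "<5.9", "cvss": 7.5},
    {"cve": "CVE-0000-0002", "product": "OpenSSH", "affected": ">=8.0,<9.3", "cvss": 6.5},
    {"cve": "CVE-0000-0003", "product": "Apache httpd", "affected": "<2.4.50", "cvss": 9.8},
]
KEV_IDS = {"CVE-0000-0003"}   # constructed stand-in for cveID values from the CISA KEV feed
INVENTORY = [  # constructed: what a parsed nmap -sV service scan would yield
    {"host": "10.0.0.6", "port": "161/udp", "product": "net-snmp", "version": "5.8"},
    {"host": "10.0.0.5", "port": "22/tcp", "product": "OpenSSH", "version": "9.6p1"},
    {"host": "10.0.0.9", "port": "80/tcp", "product": "Apache httpd", "version": "2.4.41"},
    {"host": "10.0.0.9", "port": "8080/tcp", "product": "Jetty", "version": ""},
]

@dataclass(order=True)
class Candidate:
    sort_key: tuple      # (0 if in KEV else 1, -cvss): KEV entries first, then by score
    host: str
    port: str
    cve: str
    cvss: float
    in_kev: bool
    status: str = "needs validation"

def cross_reference(inventory, advisories, kev_ids) -> list:
    """Version-range matches, ordered so confirmed-exploited CVEs are reviewed first."""
    out = []
    for svc in inventory:
        if not svc["version"]:
            continue   # unknown version: banner-grab by hand rather than guess
        for adv in advisories:
            if adv["product"].lower() != svc["product"].lower():
                continue
            if in_range(svc["version"], adv["affected"]):
                hit = adv["cve"] in kev_ids
                out.append(Candidate((0 if hit else 1, -adv["cvss"]),
                                     svc["host"], svc["port"], adv["cve"], adv["cvss"], hit))
    return sorted(out)

if __name__ == "__main__":
    for c in cross_reference(INVENTORY, ADVISORIES, KEV_IDS):
        print(f"{'KEV ' if c.in_kev else '    '}{c.cvss:>4} {c.host}:{c.port} {c.cve} [{c.status}]")
```

Two design choices matter here: services with an empty version field are skipped rather than matched on product name alone (that is where most false positives come from), and the sort key puts KEV entries ahead of everything else regardless of CVSS, which mirrors how the KEV catalog is meant to be used.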

Look for misconfiguration. Open NFS exports, accessible Rsync modules, exposed Elasticsearch/MongoDB with no authentication, Docker daemons on TCP/2375, Kubernetes API on /api/v1, Jenkins on /script, and unauthenticated Prometheus/Grafana have all caused breaches.

Test for default and weak credentials. CrackMapExec/NetExec for SMB and other Windows protocols, Hydra for various services, and targeted attempts on web admin panels. Many networks still have admin/admin, vendor/vendor, or known service-account defaults.

Sniff and respond. On internal engagements, tools like Responder and mitm6 manipulate LLMNR/NBT-NS/mDNS broadcasts to capture NetNTLM hashes. With a foothold and patience, this typically yields credentials within hours.

Exploitation

Exploitation should be deliberate. Before launching anything intrusive, validate that the exploit matches the target, understand the impact, and confirm scope. Test in lab if uncertain. Coordinate with the customer for anything that could disrupt production.

Use Metasploit Framework for many known exploits. The module library is large and battle-tested. Manual exploits from Exploit-DB or vendor advisories are often more controllable and stealthier.

For Windows-centric environments, modern exploitation usually does not need a memory-corruption exploit. Credential abuse, Kerberos attacks, and built-in tooling produce reliable paths to domain admin.

Capture and crack hashes. Responder captures NetNTLMv2 hashes, which crack offline with Hashcat using rules and good wordlists. Where SMB signing is not required (it is still not enforced on many endpoints), ntlmrelayx can relay captured NTLM authentication to other targets for direct access.

Look for Kerberos abuse. Kerberoasting (requesting service tickets and cracking them offline) and AS-REP roasting (requesting tickets for users with pre-authentication disabled) consistently yield credentials. Tools like Impacket's GetUserSPNs.py and GetNPUsers.py automate the requests.

Use BloodHound to find attack paths. Once you have any AD credentials, SharpHound collects relationships across users, computers, groups, GPOs, ACLs, and sessions. BloodHound shows the shortest paths to high-value targets and surfaces non-obvious privilege escalations (DCSync, AddSelf to admin groups, GPO write rights).

Look for known weaknesses. ZeroLogon (CVE-2020-1472) and noPac (CVE-2021-42278/42287) granted domain admin from a single network connection. PrintNightmare (CVE-2021-34527) affected the Windows Print Spooler service. PetitPotam coerced authentication. Each of these classes still appears in under-patched environments.

Post-Exploitation

Once you have an initial foothold, escalate and pivot. Local privilege escalation tools such as PowerUp, PrivescCheck, and winPEAS (Windows) and linPEAS and lse (Linux) inventory typical local misconfigurations: writable services, weak file permissions, sudo misconfigurations, kernel CVEs.

Dump credentials carefully. On compromised Windows hosts, lsass and SAM dumps yield NTLM hashes, plaintext passwords (depending on configuration), and Kerberos tickets. Mimikatz, secretsdump.py, and similar tools are standard, though EDR products will flag classic patterns. Operators often use process dumps and offline parsing to reduce noise.

Move laterally. WMI execution, PsExec-style services, WinRM, and DCOM-based execution all enable lateral movement once you have credentials. Token impersonation, pass-the-hash, and pass-the-ticket are the bread-and-butter techniques.

Look for cross-trust paths. AD trusts between domains, forest trusts, and Azure AD/Entra ID tenant connections frequently provide pivots beyond the initial scope. Always confirm before crossing trust boundaries; some are outside the pentest scope even if technically reachable.

Search for high-value data. File shares, code repositories, ticketing systems, password managers, configuration management databases, and backup systems often contain credentials, secrets, and intellectual property worth flagging in the report.

Establish persistence only if authorized and necessary for the engagement. Drop test artifacts that are visible and easy to remove. Document every change so cleanup is comprehensive.

Reporting and Cleanup

Clean up. Remove test artifacts: created accounts, scheduled tasks, files written to disk, configuration changes, and binaries dropped during the engagement. Confirm with the customer that cleanup is complete.
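The "document every change so cleanup is comprehensive" and "tag all custom payloads and tools" advice is easy to state and easy to lose track of on day four of an engagement. Below is an added Python example (not the article's or the author's tooling) of an artifact ledger: every account, file, task or configuration change is recorded with the host, the tester's source IP and a timestamp; artifacts of the kinds that leave a name on disk or in a directory are refused unless they carry the engagement tag; and the ledger renders a cleanup checklist with removal and verification status. The tag, hostnames, paths and timestamps are constructed sample data.

```python
"""Engagement artifact ledger: record every change made on a target so cleanup is
complete and verifiable, and refuse untagged artifacts. Added example, not the
article's own tooling. The engagement tag, hosts, paths and timestamps are
constructed sample data.
"""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

TAG = "PT-ENG-0525"   # constructed engagement tag; pick a fresh one per engagement

def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

@dataclass
class Artifact:
    kind: str          # account | scheduled_task | file | binary | config | service
    host: str
    identifier: str    # account name, task name, file path, rule name ...
    source_ip: str     # tester address, so the customer can correlate their logs
    created_at: str
    removed_at: str = ""
    verified_by: str = ""   # who confirmed the removal (tester, customer admin)

    @property
    def cleaned(self) -> bool:
        return bool(self.removed_at and self.verified_by)

class Ledger:
    # Kinds that must carry the engagement tag in their name so anyone who
    # stumbles on them can recognise them as test artifacts.
    TAGGED_KINDS = {"account", "scheduled_task", "file", "binary"}

    def __init__(self, tag: str = TAG):
        self.tag = tag
        self.items = []

    def record(self, kind, host, identifier, source_ip, when=None) -> Artifact:
        if kind in self.TAGGED_KINDS and self.tag not in identifier:
            raise ValueError(f"{kind} {identifier!r} on {host} lacks tag {self.tag}")
        art = Artifact(kind, host, identifier, source_ip, when or _now())
        self.items.append(art)
        return art

    def mark_removed(self, host, identifier, verified_by, when=None) -> Artifact:
        for a in self.items:
            if a.host == host and a.identifier == identifier:
                a.removed_at = when or _now()
                a.verified_by = verified_by
                return a
        raise KeyError(f"no artifact {identifier!r} recorded on {host}")

    def outstanding(self) -> list:
        """Artifacts not yet removed, or removed but not verified by anyone."""
        return [a for a in self.items if not a.cleaned]

    def checklist(self) -> str:
        lines = ["# Cleanup checklist", ""]
        for a in sorted(self.items, key=lambda x: (x.host, x.created_at)):
            box = "[x]" if a.cleaned else "[ ]"
            tail = f" (removed {a.removed_at}, verified by {a.verified_by})" if a.cleaned else ""
            lines.append(f"- {box} {a.host}: {a.kind} `{a.identifier}` "
                         f"created {a.created_at} from {a.source_ip}{tail}")
        return "\n".join(lines)

    def to_json(self) -> str:
        """Serialised ledger for the report appendix or hand-over to the customer."""
        return json.dumps([asdict(a) for a in self.items], indent=2)

def demo_ledger() -> Ledger:
    """Constructed walk-through: three artifacts, one of them already cleaned up."""
    led = Ledger()
    led.record("account", "dc01.corp.example", f"svc_{TAG}", "10.0.0.50",
               "2025-05-09T09:12:00+00:00")
    led.record("file", "fs01.corp.example", f"C:\\Temp\\{TAG}_collector.exe", "10.0.0.50",
               "2025-05-09T09:40:00+00:00")
    led.record("config", "fs01.corp.example", f"host firewall rule '{TAG} inbound 10.0.0.50'",
               "10.0.0.50", "2025-05-09T10:05:00+00:00")
    led.mark_removed("fs01.corp.example", f"C:\\Temp\\{TAG}_collector.exe", "tester",
                     "2025-05-09T16:00:00+00:00")
    return led

if __name__ == "__main__":
    led = demo_ledger()
    print(led.checklist())
    print(f"{len(led.outstanding())} artifact(s) still to remove")
```

The ledger treats "removed" and "verified" as separate facts on purpose: an artifact only counts as cleaned once someone has confirmed the removal, which is what lets you make the "cleanup is complete" statement to the customer with a straight face.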

Write a clear report. Executive summary up front: top risks, business impact, recommendations. For each finding: title, severity (CVSS or similar), affected systems, narrative of how you found and exploited it, evidence, impact, and remediation.

Include attack narratives. Walk through how the engagement progressed: from initial discovery to first foothold to domain admin (or whatever the deepest access was). Narratives help defenders understand chained vulnerabilities and the value of each individual control.

Map findings to frameworks. MITRE ATT&CK techniques tie your actions to industry standards. NIST 800-53 or CIS controls translate findings into the customer's compliance vocabulary.

Provide remediation guidance. "Patch the system" is rarely sufficient. Specify versions, configuration changes, and ideally generic hardening that prevents the entire class of finding.

Offer a retest. Verify fixes within a defined window. A retest confirms the customer's remediation works and closes the loop.
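Pulling the reporting section together, here is an added Python example (not the article's own report template) of a finding model and report skeleton: each finding carries the fields listed above (title, severity, affected systems, narrative, evidence, impact, remediation), severity is derived from the CVSS score using the CVSS v3.1 qualitative rating scale, an executive summary counts findings per band and lists the top risks, findings carry MITRE ATT&CK technique IDs that are rolled up into a mapping appendix, and a retest status field closes the loop. The findings, scores, hostnames and evidence paths are constructed sample data; the ATT&CK technique IDs are real identifiers.

```python
"""Report skeleton generator: CVSS severity banding, executive summary, per-finding
sections, retest status and an ATT&CK mapping appendix.
Added example, not the article's own template. The findings and scores below are
constructed sample data; the technique IDs are real MITRE ATT&CK identifiers.
"""
from dataclasses import dataclass, field

def severity_band(score: float) -> str:
    """CVSS v3.1 qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

@dataclass
class Finding:
    title: str
    cvss: float
    affected: list          # hostnames / IPs / ranges
    narrative: str          # how it was found and validated
    evidence: str           # pointer to screenshots, scan output, log excerpts
    impact: str
    remediation: str        # the specific fix plus class-level hardening
    attack_techniques: list = field(default_factory=list)   # MITRE ATT&CK IDs
    retest_status: str = "open"                             # open | fixed | not fixed

    @property
    def severity(self) -> str:
        return severity_band(self.cvss)

# Constructed sample findings (scores are illustrative, not assessed).
SAMPLE_FINDINGS = [
    Finding("Unpatched Netlogon (ZeroLogon, CVE-2020-1472) on domain controller", 10.0,
            ["dc01.corp.example"],
            "Identified from patch level during enumeration; validated in the lab, not run against production per the RoE.",
            "evidence/dc01-netlogon-version.txt",
            "Unauthenticated domain compromise from any network position.",
            "Apply Microsoft's Netlogon security updates and enforce secure RPC; track DC patch levels monthly.",
            ["T1068"]),
    Finding("Kerberoastable service account with crackable password", 8.8,
            ["svc_backup@corp.example"],
            "Service ticket obtained with a low-privilege account and cracked offline.",
            "evidence/kerberoast-crack.log",
            "The service account is local administrator on three file servers.",
            "Rotate to a long random password or migrate to a gMSA; alert on unusual service-ticket request volumes.",
            ["T1558.003"]),
    Finding("SMB signing not required on workstations", 7.5,
            ["10.0.1.0/24 workstations"],
            "nmap smb2-security-mode reported 'enabled but not required' on 140 hosts.",
            "evidence/smb-signing-scan.xml",
            "Captured authentication can be relayed for code execution on other hosts.",
            "Require SMB signing via Group Policy on clients and servers; re-scan to verify.",
            ["T1557.001"]),
    Finding("Default SNMP community string 'public'", 5.3,
            ["10.0.0.6", "sw-core-01"],
            "The default read-only community returned interface and ARP tables.",
            "evidence/snmp-walk.txt",
            "Network topology disclosure to anyone on the segment.",
            "Disable SNMPv1/v2c, move to SNMPv3 with authentication, and restrict SNMP to the management VLAN.",
            ["T1602.001"]),
]

def executive_summary(findings: list) -> dict:
    """Number of findings per severity band, for the summary table."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

def attack_coverage(findings: list) -> dict:
    """ATT&CK technique ID -> finding titles (the mapping appendix)."""
    cov = {}
    for f in findings:
        for tid in f.attack_techniques:
            cov.setdefault(tid, []).append(f.title)
    return cov

def render_report(findings: list) -> str:
    fs = sorted(findings, key=lambda f: -f.cvss)
    counts = executive_summary(fs)
    lines = ["# Executive summary", ""]
    lines.append("Findings by severity: " + ", ".join(
        f"{counts[b]} {b}" for b in ("Critical", "High", "Medium", "Low") if b in counts))
    lines += ["", "Top risks:"] + [f"- [{f.severity}] {f.title}" for f in fs[:3]]
    lines += ["", "# Findings", ""]
    for i, f in enumerate(fs, 1):
        lines += [f"## {i}. {f.title}",
                  f"Severity: {f.severity} (CVSS {f.cvss})",
                  f"Affected: {', '.join(f.affected)}",
                  f"ATT&CK: {', '.join(f.attack_techniques) or 'n/a'}",
                  f"Retest: {f.retest_status}", "",
                  f"Narrative: {f.narrative}", f"Evidence: {f.evidence}",
                  f"Impact: {f.impact}", f"Remediation: {f.remediation}", ""]
    lines += ["# ATT&CK mapping", ""]
    lines += [f"- {tid}: {'; '.join(titles)}" for tid, titles in sorted(attack_coverage(fs).items())]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

Findings are sorted by score before numbering so the executive summary and the body agree on what the top risks are; when the retest comes around, flipping retest_status on each finding and re-rendering gives the customer a before/after view without a second template.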

Real-world Examples

The 2020 ZeroLogon vulnerability allowed unauthenticated attackers with network access to a domain controller to escalate to domain admin in seconds. Network pentests in the months following overwhelmingly flagged it as a top finding; many environments remained unpatched well into the following year.

Kerberoasting is a consistent finding in internal network pentests across industries. Service accounts with weak passwords are still common, and the offline cracking of service tickets routinely yields privileged credentials.

Open NFS exports, unauthenticated Redis/MongoDB/Elasticsearch instances on internal networks, and exposed Docker daemons regularly enable trivial root access to data and compute that should be tightly controlled.

NTLM relay attacks remain effective in environments without SMB signing universally enabled, often allowing pivots from a single mis-clicked phishing link to lateral movement across many hosts.

Key Takeaways

Network penetration testing combines methodical enumeration, careful exploitation, and disciplined reporting. The methodology rarely changes; the targets do. Map every service. Cross-reference versions with known vulnerabilities. Look for default credentials and misconfigurations before reaching for memory-corruption exploits. In Windows environments, lean on credential and Kerberos abuse and use BloodHound to find paths. Always document and clean up.

For intermediate practitioners, the path forward is reps and structured learning. OffSec's PEN-200 and PEN-300, TCM Security's PNPT, Hack The Box, and TryHackMe each provide labs. Read disclosed pentest reports and Active Directory attack research. The deeper your enumeration and the broader your pattern recognition, the more value your engagements deliver. Done well, network pentesting is one of the most direct ways to make a defender's job easier.

Ready to test your knowledge? Take the Network Penetration Testing MCQ Quiz on HackCert today!
