Chapter 43: Network Penetration Testing¶

Overview¶

Network penetration testing is the systematic evaluation of an organization's network infrastructure to identify exploitable vulnerabilities before adversaries do. Unlike vulnerability scanning, which produces automated output, network penetration testing requires human judgment to chain findings, exploit trust relationships, and demonstrate realistic attack paths from initial network access through domain compromise. This chapter covers the full methodology — from host discovery and service enumeration through lateral movement, credential harvesting, and domain dominance — with every offensive technique paired with its corresponding detection strategy. The goal is to produce security professionals who can think like attackers and build defenses that withstand real-world adversary operations.

Learning Objectives

1. Execute a structured network penetration test methodology from reconnaissance through post-exploitation using industry-standard frameworks
2. Enumerate network services and identify exploitable misconfigurations across common enterprise protocols (SMB, LDAP, Kerberos, DNS, SNMP)
3. Explain credential harvesting techniques including LLMNR/NBT-NS poisoning, Kerberoasting, AS-REP roasting, and relay attacks at a conceptual level
4. Demonstrate lateral movement concepts using pass-the-hash, pass-the-ticket, and remote service exploitation
5. Map every offensive technique to MITRE ATT&CK and implement corresponding detection rules
6. Write network penetration test findings that communicate risk to both technical and executive audiences

Prerequisites: Chapters 1–4 (telemetry, logging, detection), Chapter 16 (penetration testing methodology), Chapter 41 (red team methodology). Familiarity with TCP/IP, Active Directory, Windows event logging, and basic Linux command-line usage.

Curiosity Hook¶

Network Penetration Testing Methodology¶

A structured methodology ensures comprehensive coverage and reproducible results. The following phases build upon each other sequentially, though skilled testers may iterate between phases as new information is discovered.

flowchart TD
    A[Phase 1: Scoping &\nAuthorization] --> B[Phase 2: Host Discovery\n& Port Scanning]
    B --> C[Phase 3: Service\nEnumeration]
    C --> D[Phase 4: Vulnerability\nAnalysis]
    D --> E[Phase 5: Exploitation\n& Initial Access]
    E --> F[Phase 6: Credential\nHarvesting]
    F --> G[Phase 7: Lateral\nMovement]
    G --> H[Phase 8: Domain\nDominance]
    H --> I[Phase 9: Post-Exploitation\n& Reporting]

    style A fill:#1e3a5f,color:#e6edf3
    style B fill:#2a4a6f,color:#e6edf3
    style C fill:#36597f,color:#e6edf3
    style D fill:#36597f,color:#e6edf3
    style E fill:#8b4513,color:#e6edf3
    style F fill:#8b4513,color:#e6edf3
    style G fill:#8b4513,color:#e6edf3
    style H fill:#8b4513,color:#e6edf3
    style I fill:#1a3a1a,color:#e6edf3

Phase 1 — Scoping & Authorization¶

Before any packets leave the tester's machine, the engagement must have signed written authorization. Chapter 41 covers scoping and rules of engagement in detail. For network penetration testing specifically, the scope definition must include:

• IP ranges in scope (CIDR notation): e.g., 10.50.0.0/16, 192.168.100.0/24
• IP ranges out of scope: e.g., 10.50.200.0/24 (production SCADA network)
• Testing window: business hours only vs. 24/7
• Allowed techniques: credential attacks, social engineering, physical access
• Fragile systems: printers, legacy devices, medical equipment, ICS/SCADA
• Point of contact: emergency phone number for immediate de-escalation

Phase 2 — Host Discovery & Port Scanning¶

Host discovery identifies live systems on the target network. Port scanning determines which services are exposed on each host. Together, they produce the attack surface map that guides all subsequent phases.

Host Discovery Concepts¶

Host discovery uses multiple protocols to determine whether an IP address has a live host. No single technique is universally reliable — firewalls, host-based firewalls, and network segmentation all affect results.

Nmap Scan Theory¶

Nmap is the foundational tool for network reconnaissance. Understanding its scan types is essential for both penetration testers and defenders.

Tester (10.50.1.100) -> Target (10.50.2.25)

Step 1: SYN -> port 445    ->  Response: SYN/ACK  -> Port OPEN (SMB)
Step 2: RST -> port 445    ->  (Connection reset by tester)
Step 3: SYN -> port 3389   ->  Response: RST       -> Port CLOSED (RDP)
Step 4: SYN -> port 8080   ->  Response: <none>     -> Port FILTERED (firewall drop)

Port Scanning Strategy¶

A professional penetration test uses a phased scanning approach:

1. Quick sweep: Top 100 TCP ports across all hosts — identifies the most common services in minutes
2. Standard scan: Top 1,000 TCP ports on responsive hosts — covers the vast majority of enterprise services
3. Full TCP scan: All 65,535 TCP ports on high-value targets — catches services on non-standard ports
4. UDP scan: Top 100 UDP ports (DNS, SNMP, NTP, TFTP, IPMI) — slower but critical for finding management interfaces
5. Service version detection: Banner grabbing and probe-response analysis on open ports

Phase 3 — Service Enumeration¶

Once open ports are identified, service enumeration extracts detailed information about each running service. This phase transforms a list of open ports into actionable intelligence.

SMB Enumeration (Ports 139/445)¶

Server Message Block (SMB) is the most information-rich protocol in Windows environments. Proper enumeration can reveal usernames, shares, group memberships, password policies, and OS versions.

Enumeration targets:

Target: 10.50.2.50 (Windows Server 2019 — File Server)

[1] SMB Negotiation -> SMB signing: NOT required (relay attack possible)
[2] Null Session bind -> Anonymous access: ALLOWED
[3] Share enumeration:
    \\10.50.2.50\ADMIN$     -> Access Denied
    \\10.50.2.50\C$         -> Access Denied
    \\10.50.2.50\IPC$       -> READ access (null session)
    \\10.50.2.50\Public     -> READ access
    \\10.50.2.50\IT-Scripts -> READ/WRITE access
[4] User enumeration via SAMR:
    Administrator, j.smith, s.johnson, svc-backup, svc-sqlengine
[5] Password policy:
    Minimum length: 8 | Lockout threshold: 5 | Lockout duration: 30 min

LDAP Enumeration (Ports 389/636)¶

Lightweight Directory Access Protocol provides a wealth of Active Directory information to any authenticated user (and sometimes to anonymous binds).

Key LDAP enumeration targets:

• Domain structure: Domain name, forest structure, trust relationships
• User accounts: sAMAccountName, userPrincipalName, memberOf, lastLogon, pwdLastSet
• Service accounts: Accounts with servicePrincipalName (SPN) set — Kerberoasting targets
• Group memberships: Domain Admins, Enterprise Admins, privileged groups
• Computer accounts: OS version, last logon, organizational unit placement
• GPO enumeration: Group Policy Objects linked to OUs, password policies, logon scripts
• LAPS: Whether Local Administrator Password Solution is deployed

SNMP Enumeration (Port 161/UDP)¶

Simple Network Management Protocol often uses default community strings (public, private) and can expose extensive system information including network interfaces, routing tables, running processes, installed software, and ARP caches.

Target: 10.50.1.1 (Cisco Catalyst 9300 — Core Switch)
Community String: public (READ)

System Description: Cisco IOS XE Software, Version 17.06.03
System Contact: netops@acmecorp.example.com
Interfaces: 48 (GigabitEthernet1/0/1 through 1/0/48)
ARP Table: 312 entries (reveals additional live hosts)
Routing Table: 15 routes (reveals network topology)
VLAN Database: 8 VLANs (reveals segmentation boundaries)

Phase 4 — Vulnerability Analysis¶

Vulnerability analysis correlates enumeration findings with known vulnerabilities and misconfigurations. This phase bridges enumeration and exploitation.

Vulnerability Categories in Network Testing¶

Prioritization Matrix¶

quadrantChart
    title Vulnerability Prioritization
    x-axis Low Exploitability --> High Exploitability
    y-axis Low Impact --> High Impact
    quadrant-1 Exploit Immediately
    quadrant-2 Plan Carefully
    quadrant-3 Deprioritize
    quadrant-4 Quick Wins
    ZeroLogon: [0.95, 0.95]
    Default SNMP: [0.85, 0.60]
    SMB Signing Off: [0.75, 0.80]
    LLMNR Enabled: [0.80, 0.70]
    Weak SSH Ciphers: [0.30, 0.25]
    Missing SMB Patch: [0.65, 0.85]
    Telnet Enabled: [0.70, 0.45]

Phase 5 — Credential Harvesting¶

Credential harvesting is the process of obtaining valid authentication material — passwords, hashes, tickets, or tokens — that enable deeper access to the target environment. This phase is often the turning point in a network penetration test.

LLMNR/NBT-NS Poisoning¶

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are fallback name resolution protocols in Windows environments. When DNS fails to resolve a hostname, Windows broadcasts the query via LLMNR (UDP 5355) or NBT-NS (UDP 137). An attacker on the same network segment can respond to these broadcasts, impersonate the requested host, and capture NTLMv2 hashes.

sequenceDiagram
    participant V as Victim Workstation<br/>10.50.1.50
    participant D as DNS Server<br/>10.50.1.10
    participant A as Attacker<br/>10.50.1.100

    V->>D: DNS Query: fileserv01.acme.local?
    D-->>V: NXDOMAIN (typo, no such host)
    V->>V: LLMNR Broadcast: Who has fileserv01?
    A-->>V: LLMNR Response: I am fileserv01 (10.50.1.100)
    V->>A: SMB Connection with NTLMv2 Auth
    A->>A: Capture NTLMv2 Hash
    Note over A: Hash captured for offline cracking
    A->>A: Offline Cracking or Relay

Conceptual flow:

1. A user types \\fileserv01\shared (typo — actual server is fileserver01)
2. DNS returns NXDOMAIN
3. Windows falls back to LLMNR, broadcasting "Who is fileserv01?" to the local subnet
4. The attacker's listener responds: "I am fileserv01"
5. The victim initiates an SMB connection to the attacker, sending NTLMv2 authentication
6. The attacker captures the NTLMv2 hash for offline cracking or relay

NTLM Relay Attacks¶

When SMB signing is not required, an attacker can relay captured NTLM authentication to another host rather than cracking it. This is particularly dangerous because it works with any password complexity — the attacker never needs to know the plaintext password.

Relay attack prerequisites:

1. SMB signing is not required on the target (default for Windows workstations)
2. The captured credentials have administrative access on the target
3. The attacker can trigger an authentication to their machine (LLMNR poisoning, print spooler abuse, etc.)

Environment:
- Attacker:       10.50.1.100
- Victim (auth):  10.50.1.50  (j.smith, Domain Admin, logged in)
- Target (relay): 10.50.2.25  (Server, SMB signing disabled)

Step 1: Attacker poisons LLMNR on subnet 10.50.1.0/24
Step 2: j.smith workstation sends NTLMv2 auth to attacker
Step 3: Attacker relays authentication to 10.50.2.25 (port 445)
Step 4: Server accepts authentication (j.smith is local admin)
Step 5: Attacker executes commands on 10.50.2.25 as j.smith
Result: Code execution on server without knowing j.smith password

Kerberoasting¶

Kerberoasting targets Active Directory service accounts that have Service Principal Names (SPNs) registered. Any authenticated domain user can request a Kerberos Ticket Granting Service (TGS) ticket for any SPN. The TGS ticket is encrypted with the service account's password hash, making it crackable offline.

sequenceDiagram
    participant A as Attacker<br/>(Domain User)
    participant DC as Domain Controller<br/>10.50.1.10
    participant SA as Service Account<br/>svc-sqlengine

    A->>DC: TGS-REQ for SPN: MSSQLSvc/sql01.acme.local:1433
    Note over DC: Any authenticated user can<br/>request TGS for any SPN
    DC-->>A: TGS-REP (ticket encrypted with svc-sqlengine hash)
    A->>A: Extract ticket for offline cracking
    Note over A: If svc-sqlengine password is weak:<br/>Cracked in minutes to hours
    A->>SA: Authenticate as svc-sqlengine

Why Kerberoasting is effective:

• Any domain user can request TGS tickets — no special privileges required
• The attack is nearly invisible in default logging configurations
• Service account passwords are often weak, old, and never rotated
• Service accounts frequently have elevated privileges (local admin on servers, database access)

AS-REP Roasting¶

AS-REP roasting targets accounts that have Kerberos pre-authentication disabled (DONT_REQUIRE_PREAUTH flag). For these accounts, the KDC returns an AS-REP message encrypted with the user's password hash — without requiring the attacker to know the password first.

Phase 6 — Lateral Movement¶

Lateral movement is the process of moving from one compromised system to another within the target network. This phase leverages harvested credentials to expand access and reach high-value targets.

Pass-the-Hash (PtH)¶

Pass-the-hash allows an attacker to authenticate using an NTLM hash without knowing the plaintext password. This works because Windows NTLM authentication uses the hash directly — the password is never transmitted.

Prerequisites:

• Local administrator access on at least one host (to extract hashes)
• Target host accepts NTLM authentication (not Kerberos-only)
• Target host has a local account with the same password hash, OR the attacker has a domain account hash

Step 1: Attacker has admin access on WKST-50 (10.50.1.50)
Step 2: Extract local admin NTLM hash from SAM database
        Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889
Step 3: Many organizations reuse the local admin password across workstations
Step 4: Use hash to authenticate to WKST-51 (10.50.1.51) without knowing password
Step 5: Commands execute as local Administrator on WKST-51

Pass-the-Ticket (PtT)¶

Pass-the-ticket uses stolen Kerberos tickets (TGT or TGS) to authenticate to services. Unlike pass-the-hash, this technique uses Kerberos and can bypass NTLM restrictions.

Key concepts:

• Golden Ticket: Forged TGT using the KRBTGT account hash — grants access to any resource in the domain for up to 10 years (default TGT lifetime can be overridden)
• Silver Ticket: Forged TGS using a service account hash — grants access to a specific service without contacting the DC
• Diamond Ticket: Modified legitimate TGT — harder to detect than golden tickets because it has valid PAC data

Remote Execution Methods¶

Once credentials are obtained, lateral movement requires executing commands on remote systems. Several Windows protocols support remote execution:

Phase 7 — Domain Dominance¶

Domain dominance represents the highest level of access in a Windows Active Directory environment. Achieving domain admin or equivalent privileges gives the tester control over all domain-joined systems, users, and policies.

Active Directory Attack Path Concepts¶

Attack paths in Active Directory are chains of permissions, group memberships, and trust relationships that allow escalation from a low-privilege user to domain admin. Tools like BloodHound (conceptually) map these paths by collecting Active Directory relationship data.

Common attack path elements:

DCSync Attack Concept¶

DCSync simulates the behavior of a domain controller requesting replication data. An attacker with the Replicating Directory Changes and Replicating Directory Changes All permissions can request password hashes for any account — including KRBTGT.

Required permissions on the domain object (NC head):
- DS-Replication-Get-Changes        (GUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)
- DS-Replication-Get-Changes-All    (GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)

By default, these permissions are held by:
- Domain Admins
- Enterprise Admins
- Domain Controllers group
- Administrators (builtin)

DCSync request extracts:
- NTLM hash for target account
- Kerberos keys (AES256, AES128, DES, RC4)
- Password history (if stored)
- Supplemental credentials

Phase 8 — Post-Exploitation & Evidence Collection¶

Post-exploitation focuses on demonstrating business impact and collecting evidence for the report. The goal is not to cause damage — it is to prove what an attacker could achieve and document the evidence chain.

Evidence Standards¶

MITRE ATT&CK Mapping¶

Tools Reference (Conceptual Overview)¶

Exam Prep & Certifications¶

Review Questions¶

Key Takeaways¶