Introduction to Network Penetration Testing

In this chapter, we will cover the following topics:

• Exploring password-based attacks
• Performing host discovery
• Identifying and exploiting vulnerable services

Password-based attacks

Objectives:

• Gaining unauthorized access to remote hosts on a network by performing attacks against their authentication systems
• Retrieving the password associated with cryptographic hashes
• Retrieving the password needed to access a password-protected sensitive file

Different types of password attacks:

Brute-force attack: In a brute-force attack, every possible combination is tried against the system. This is a very time-consuming process, as every possible password combination is tested against the authentication system of the target until the valid password is retrieved. While this method may seem to be the most thorough, it is often not feasible within the time constraints given for completing a penetration test.

Dictionary attack: In a dictionary attack, the threat actor uses a pre-populated wordlist that contains thousands or even millions of candidate passwords, which are tested against the authentication system of the target. Each word from the wordlist is tested; however, the attack will not succeed if the valid password is not present in the wordlist being used by the threat actor.

Password guessing: This is a common technique used by many people, including threat actors and penetration testers, who are attempting to gain unauthorized access to a system. I have often seen IT professionals use simple and even default passwords on their networking devices, security appliances, and even the client and server systems within their organization. For instance, by performing a Google dork using common default passwords, you will easily find default passwords for various systems. These default passwords are set by the manufacturer of the device.

Password cracking: In this technique, the threat actor uses various tools and techniques to retrieve valid user credentials to gain unauthorized access to a system. Sometimes, a threat actor may capture a user's password in transit across a network in plaintext via an insecure network protocol, or even retrieve the cryptographic hash of a password.

Password spraying: This is a technique where a threat actor uses a single password and tests it against an authentication system with many different usernames. The password is a guessable one, obtained from data breaches or a wordlist. The idea is to find which user accounts within a specific list use that same password. This technique is good when testing which users

Credential stuffing: This technique allows a threat actor to use a common wordlist of usernames and passwords against the authentication system of a target host. It checks which combinations of usernames and passwords lead to valid user credentials.

Online password attack: In an online password attack, the threat actor attempts to gain unauthorized access to a host that is running a network service or a remote access service, which allows authorized users to log in to the system across a network. A simple example of an online password attack is a threat actor attempting to retrieve the username and password of a valid user to gain access to a server that is running the Remote Desktop Protocol (RDP). Keep in mind that online password attacks focus on trying passwords from a wordlist directly against a web login page or network service interface until the correct one is found.

Offline password attack: In an offline password attack, the threat actor uses various tools and techniques to retrieve the valid password of a password-protected file, such as a document, or to recover a password from its cryptographic hash. A simple example of this is capturing a domain administrator's username and password hash from network packets. The username is usually in plaintext, but you may need or want to retrieve the password from the hash value.

Important: SecLists is a collection of pre-built wordlists containing passwords and usernames that are commonly used by penetration testers to perform both online and offline dictionary attacks. Furthermore, SecLists contains URLs, sensitive data patterns, and fuzzing payloads, which are valuable to penetration testers. You can find the SecLists collection at https://github.com/danielmiessler/SecLists. Additionally, you can use the wordlists command within Kali Linux to view the local wordlist repository that is already pre-loaded within the operating system ...
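The attack types above leave different traces in an authentication log, and that difference is what a defender keys on: a spraying source touches many usernames a few times each, a brute-force or dictionary source hammers one username, and a successful stuffing or dictionary attempt shows a success shortly after failures for the same account. The following is an added example, not code from the original post; it parses constructed sshd-style log lines (the line format, the RFC 5737 documentation addresses, the usernames and the thresholds are all assumptions made for this example) and labels each source accordingly.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.0/24 and 198.51.100.0/24 are
# RFC 5737 documentation ranges; usernames and PIDs are invented for the example.
_SPRAY = "\n".join(
    f"2025-11-24T10:00:{2 * i + 1:02d} sshd[12{i:02d}]: Failed password for {u} "
    f"from 203.0.113.7 port 500{i:02d} ssh2"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
)
_BRUTE = "\n".join(
    f"2025-11-24T10:05:{i:02d} sshd[13{i:02d}]: Failed password for admin "
    f"from 198.51.100.9 port 400{i:02d} ssh2"
    for i in range(12)
)
_NORMAL = (
    "2025-11-24T10:20:00 sshd[1401]: Failed password for alice from 203.0.113.20 port 30001 ssh2\n"
    "2025-11-24T10:20:30 sshd[1402]: Accepted password for alice from 203.0.113.20 port 30002 ssh2"
)
SAMPLE_LOG = "\n".join([_SPRAY, _BRUTE, _NORMAL])

# Pattern for the constructed sshd-style lines above (assumed format for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return a time-sorted list of (timestamp, result, user, ip); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        events.append((ts, m.group("result"), m.group("user"), m.group("ip")))
    return sorted(events)


def classify_sources(events, window=timedelta(minutes=10),
                     spray_min_users=5, spray_max_per_user=2, brute_min_attempts=10):
    """Label each source IP as 'spraying', 'brute_force' or 'normal' from its failures.

    Spraying: many distinct usernames, each tried only a few times, inside one window.
    Brute force / dictionary: a single username hit many times inside one window.
    Thresholds are assumed starting points; tune them to the environment's baseline.
    """
    failures = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append((ts, user))

    labels = {}
    for ip, attempts in failures.items():
        label = "normal"
        # Slide a window starting at each failure and inspect what falls inside it.
        for i, (start, _) in enumerate(attempts):
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            busiest = max(per_user.values())
            if busiest >= brute_min_attempts:
                label = "brute_force"
                break
            if len(per_user) >= spray_min_users and busiest <= spray_max_per_user:
                label = "spraying"
                break
        labels[ip] = label
    return labels


def successes_after_failures(events, window=timedelta(minutes=10)):
    """Return (ip, user) pairs where a login succeeded within `window` of earlier
    failures from the same source for the same account: the trace a successful
    dictionary or credential-stuffing attempt leaves, and worth a manual review."""
    recent_failures = defaultdict(list)
    hits = []
    for ts, result, user, ip in events:
        key = (ip, user)
        if result == "Failed":
            recent_failures[key].append(ts)
        elif any(ts - f <= window for f in recent_failures[key]):
            hits.append(key)
    return hits


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    for ip, label in classify_sources(evts).items():
        print(f"{ip:15} {label}")
    print("success after failures:", successes_after_failures(evts))
```

On the constructed sample, 203.0.113.7 is labelled as spraying (six usernames, one attempt each), 198.51.100.9 as brute force (twelve attempts against admin), and 203.0.113.20 as normal, while the accepted login for alice from 203.0.113.20 thirty seconds after a failure is surfaced for review. A real deployment would read the lines from the system journal or a SIEM and alert or lock out on the labels rather than print them.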

November 24, 2025 · 5 min · 885 words · 0x-s0M3n4th

Introduction to Network Pentesting

• Introduction to network penetration testing
• Working with bind and reverse shells
• Antimalware evasion techniques
• Working with wireless adapters
• Managing and monitoring wireless modes

The following are typical phases of network penetration testing:

Defining the scope: The scope provides a clear understanding of which systems and networks are to be tested and whether specific tools or techniques are restricted.

Performing reconnaissance: This is the information-gathering phase, where the penetration tester performs both passive and active reconnaissance on the target.

Scanning and enumeration: The scanning and enumeration phase is used to collect specific details about the target, such as open ports, running services, and operating systems, and to identify user accounts, network shares, and configurations on targeted systems.

Vulnerability analysis: During this phase, the penetration tester analyzes the data collected in the previous phases to identify potential security vulnerabilities on the target, determine their severity and risk rating, and identify countermeasures to help the organization improve its cyber defenses.

Exploitation: In this phase, the ethical hacker or penetration tester attempts to exploit each security vulnerability found on a targeted system, using both manual and automated techniques, to determine whether the vulnerability actually exists and to gain a foothold on the target.

Post-exploitation: Once a targeted system is compromised, the penetration tester attempts to expand their foothold further into the compromised system and onto other systems within scope. During this phase, the penetration tester can identify additional security vulnerabilities on the target.

Reporting: This is one of the most important phases of any penetration test. The penetration tester is required to provide a detailed technical and executive report to the stakeholders of the targeted organization, with information about the security assessment, the techniques used to discover the security vulnerabilities, the vulnerabilities that were found, and recommendations on how to improve the security posture of the targeted system.

Remediation: Based on the information in the report, the organization can implement the steps needed to remediate the identified security vulnerabilities on the targeted system. The process may involve applying security controls and patches and improving the configuration of systems and devices. Examples of security controls include network segmentation, encryption, access controls, and intrusion detection systems (IDSs). The vulnerability rating and severity should be used to help the organization prioritize higher-risk vulnerabilities and allocate resources to remediate them.

Penetration testing encompasses a broad range of activities beyond identifying patch management inefficiencies. These activities include testing application-layer vulnerabilities, network-layer vulnerabilities, and human-based (social engineering) vulnerabilities. In addition, it helps organizations thoroughly assess their cyber defenses and determine whether their systems, networks and infrastructure are compliant with various industry standards and frameworks. For instance, organizations that process payment card data are required to be Payment Card Industry Data Security Standard (PCI DSS)-compliant to protect sensitive data during a payment transaction.

November 24, 2025 · 3 min · 475 words · 0x-s0M3n4th