How to Perform Network Penetration Testing in 2024

A network penetration test is one of an organization's fundamental security assessments. This essential guide will teach you how to perform network penetration testing, the eight key phases involved, and the goals network pentests strive to achieve.

The article focuses on performing an internal or assumed breach test, where you have already gained initial access to an organization’s internal network. This is a common assumption in real-world assessments because it lets the testing team spend more time finding vulnerabilities: no time is wasted trying to gain initial access through a phishing email or exploiting a zero-day.

Let’s jump in and discover how to perform network penetration testing.

What Are the Goals of a Network Penetration Test?

Before diving into how to perform a network penetration test, let’s take a look at the goal of this type of security assessment.

Often, security controls focus on defending the perimeter by building strong fortifications that keep the bad guys out. However, many organizations neglect to implement security controls that limit what an attacker can do once they gain access to the internal network. This is where a network penetration test comes in.

A network penetration test assesses the security of an organization’s internal network. It assumes that an attacker was able to gain access to the internal network and asks what the attacker can do now.

Phishing is the most common initial access vector attackers exploit. Around 36% of all data breaches involve phishing, and the number of phishing attacks grows yearly!

It is vital that organizations ask this question because defending the perimeter is no longer enough. You must be secure on the outside and the inside to defend against sophisticated ransomware gangs, Advanced Persistent Threats (APTs), and nation-state threat actors. A network penetration test ensures this by aiming to achieve the following goals.

Goals of a network penetration test:

  • Identifying vulnerabilities: Find potential security weaknesses and security flaws within an organization’s network infrastructure, systems, and internal applications.
  • Testing security controls: Validate the effectiveness of existing security controls that defend the internal network, such as firewalls, anti-virus, and EDR solutions.
  • Determining the impact: Assess the impact of exploiting vulnerabilities or other security gaps.
  • Compliance validation: Verify an organization’s IT systems comply with relevant cyber security standards, regulations, and best practices.
  • Improving security posture: Offer remediation advice and best practice recommendations addressing any identified vulnerabilities or security gaps.

In most network penetration tests, you will be given a low-privileged account with access to the organization’s internal network. You will then assess if you can gain access to sensitive information and systems or perform a complete domain takeover.

A network penetration test consists of eight steps.

Network Penetration Test

The first of these is Planning and Preparation. Let’s take a look at this phase.

1. Planning and Preparation

In the Planning and Preparation step, you and the client will discuss the testing activity that needs to be performed. You will determine the scope of the assessment, the time required to perform the testing, and the objectives and goals you and the client aim to achieve. It is important that during this step, you obtain legal permission from the client to perform the testing and sign a legal contract to undertake the work.

There are two main objectives you need to achieve during this step of the penetration test:

  1. Obtain legal agreements: You and the client must sign a legal contract that outlines the work to be performed and provides you with the necessary legal permissions to perform the test.
  2. Clearly communicate the scope of the work with the client: You and the client need to be absolutely clear on the expectations of the penetration testing. This includes the type of testing that will be performed (e.g., internal/external/assumed breach, white box/black box, pentesting/red teaming) and what systems are in-scope.

You must not skip Planning and Preparation. This step ensures you have the legal permissions to perform the work, know what work needs to be performed, and are protected if anything goes wrong. Once complete, you can begin your assessment.

2. Reconnaissance

The first technical step of a network penetration test is the Reconnaissance step. During this step, you will collect information about the target organization, the internal systems that are used, and the network architecture.

There are two forms of reconnaissance you can perform:

  • Passive reconnaissance: Gathering publicly available information about the organization and its systems without direct interaction with the target.
  • Active reconnaissance: Directly interacting with an organization’s network and systems to collect information that can be used to identify vulnerabilities, weaknesses, and potential entry points.

You will likely use both forms of reconnaissance. For instance, you can start using a tool like the OSINT framework to perform passive reconnaissance and gather information about a target. This framework provides useful resources and data repositories to gather OSINT data, such as domain information, IP addresses, web application details, employee information, email addresses, and tools or technologies a company uses.

The OSINT Framework

Open Source Intelligence (OSINT) is publicly available information you can collect from search engines, social media platforms, and anything else on the open Internet that relates to your target.

You can then supplement this information by using a technique called Google Dorking. This involves sending specially crafted Google search requests to discover hidden information about a target. This technique lets you find specific file types, hidden directories and files, login credentials, and even open FTP servers!

Performing Google Dorking

Depending on your Google queries, some may step into active reconnaissance because you are directly querying the organization’s web infrastructure. The target can log and track this, so consider using a VPN or VPC.

With all this information about the target, you need a tool to keep track of it!

A tool like Maltego is very useful here. It is link analysis software used for OSINT, forensics, and other investigations to visualize links between the data you have gathered. You can upload the information to Maltego to keep track of it, then run Machines or Transforms to find even more data.

The Maltego Investigation Tool Interface

The information you gather during this step can be used later to determine possible user accounts, identify naming conventions a company uses, and build password lists. The more information you gather, the easier subsequent steps will be. You will know the technologies being used, the IP addresses or domain names of critical assets, and have a large list of passwords to brute force access and use to move laterally.

3. Scanning and Enumeration

Once you have gathered as much information as possible about the target organization, you can move on to the Scanning and Enumeration stage. Here you will scan the targets you uncovered to try to identify vulnerabilities you can exploit.

Scanning involves sending network packets to IP addresses or domain names to elicit a response that indicates whether a system is active, which network ports are open, and which security controls are in place. This is called port scanning, and its aim is to enumerate the network services running on target systems. These services are potential access points to other machines that you can exploit.

The scanning and enumeration step will start with network scanning to identify systems and services running on the local network that you can attack. You can use a network scanner like Nmap to identify systems to attack and enumerate services running on the system.

Performing a Version Scan in Nmap

If you are attacking an Active Directory (AD) environment, you can use tools like PowerShell or SharpHound to gather detailed information about AD groups, users, and systems. You can then use this information to map out attack paths using Bloodhound and discover how to compromise high-value targets (users or systems).

Finding Domain Admins in BloodHound

Scanning is a cyclical process. You will perform scanning from a machine you initially compromised to find information about other systems within the local network. Using this information, you will perform lateral movement and gain a foothold deeper within the corporate network. You will then scan again to find new systems to attack.

4. Vulnerability Assessment

After scanning and enumerating the target environment, you use the information you gathered to identify vulnerabilities or security gaps to exploit. This is known as performing a vulnerability assessment.

During a vulnerability assessment, you will use an automated vulnerability scanner to send specially crafted network packets to systems you previously identified - a vulnerability scan. These packets will elicit a response from the systems indicating whether they are vulnerable to known exploits. The scanner will list all the potential vulnerabilities a system may have, which you then manually verify exist and are exploitable.

There are various vulnerability scanners you can use. One of these is Nmap. To perform a vulnerability scan using Nmap, you must use the Nmap Scripting Engine (NSE). The NSE lets you run scripts that detect common misconfigurations and vulnerabilities you can exploit.

Performing a Vulnerability Scan in Nmap

Again, verifying these are exploitable is important.

5. Lateral Movement and Privilege Escalation

Exploitable vulnerabilities allow you to compromise systems and steal user data. You will use the vulnerabilities you found during your vulnerability assessment to identify potential attack paths you can follow to move to sensitive systems or take over high-value accounts.

Moving between systems within the corporate network is known as lateral movement. It is an invaluable step during a network penetration test because it allows you to move closer to achieving your objective of compromising specific targets or obtaining sensitive information.

There are various attack techniques you can use to perform lateral movement. Some of these include:

  • Stealing a user’s NTLM password hash and performing a pass the hash attack.
  • Attacking Active Directory directly with Kerberoasting or a pass the ticket attack.
  • Stealing a user’s password and using it to impersonate them.

Let’s explore these attack techniques in more detail.

Pass the Hash Attack

There are a variety of ways you can perform lateral movement. One of these is capturing hashes and using them in a pass the hash attack. In this attack, you steal another user's password hash and use it to authenticate to a service or system they can access. This allows you to jump to this new system by impersonating said user.

How a Pass the Hash Attack Works

You can obtain another user’s password hash in several different ways. You can use ARP spoofing to capture the hash as it travels across the network, or you can use Mimikatz to extract the hash directly from a compromised machine.

Using Mimikatz to Perform a Pass the Hash Attack

If you choose to extract a hash directly from the machine, you need to have system-level privileges on Windows and root-level privileges on Linux. To discover how you can escalate your privileges to these levels, read these articles:

Active Directory Attacks

You can also perform lateral movement by directly attacking Active Directory (AD). AD attacks include Kerberoasting, AS-REP Roasting, pass the ticket attacks, Windows Group Policy attacks, creating golden/silver/diamond tickets, forging certificates, and more!

Kerberoasting is one of the most popular AD attacks. The diagram below details the basic steps.

How a Kerberoasting Attack Works

Stealing Passwords

If you can’t steal password hashes or attack AD, you can always target a user’s browser using the Browser Exploitation Framework (BeEF). This tool allows you to take over a target’s web browser using a phishing email or XSS (Cross-Site Scripting) and steal their passwords. With these stolen passwords, you can impersonate these users and access machines deeper within the corporate network that host sensitive information.

How the BeEF Hacking Tool Works

6. Maintaining Access and Data Exfiltration

Once you gain access to a new system, you want to do two things: maintain access and exfiltrate sensitive data. To achieve both of these objectives, you can use a Command and Control (C2) framework.

Maintaining Access

C2 frameworks are tools that hackers use to control machines they have compromised; examples include Metasploit, PowerShell Empire, and Cobalt Strike. They have a number of built-in mechanisms that allow you to maintain access to a compromised machine.

For instance, you can modify registry keys to run a reverse shell on startup, add scheduled tasks that will run a C2 agent and call back to you after a set period of time, or create a malicious service that executes your malware whenever the system boots. The screenshot below shows how to use a PowerShell Empire module to create a scheduled task for persistence.

Creating a Scheduled Task for Persistence With PowerShell Empire
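Both the Kerberoasting steps diagrammed earlier and the scheduled-task persistence shown above leave traces in the Windows Security log, and the report's remediation advice is stronger when it tells the client how to see them. The script below is an added example written from the defender's side, not code from the original article or from any of the frameworks it names: it runs two detections over constructed events shaped like the normalised fields of Security events 4769 (a Kerberos service ticket was requested) and 4698 (a scheduled task was created). The threshold, window and user-writable path pattern are assumptions chosen for the example.

```python
"""Two detections over Windows Security events: Kerberoasting (4769) and
scheduled-task persistence (4698)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, shaped like Security log fields a SIEM would
# normalise. Not real log data.
EVENTS = [
    # Machine-account ticket with AES (0x12): normal traffic.
    {"time": "2024-03-01T10:00:00", "id": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.20"},
    # Three RC4 (0x17) service tickets for distinct SPN accounts within seconds.
    {"time": "2024-03-01T10:01:00", "id": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.20"},
    {"time": "2024-03-01T10:01:05", "id": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.20"},
    {"time": "2024-03-01T10:01:09", "id": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.20"},
    # krbtgt is the ticket-granting service itself; never counted as a roastable target.
    {"time": "2024-03-01T10:01:10", "id": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.20"},
    # Scheduled task whose action runs a binary from a user-writable directory.
    {"time": "2024-03-01T10:05:00", "id": 4698, "SubjectUserName": "jdoe",
     "TaskName": "\\Updater",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Users\\jdoe\\AppData\\Roaming\\agent.exe"
                    "</Command></Exec></Actions></Task>"},
    # Task created by SYSTEM from Program Files: expected software behaviour.
    {"time": "2024-03-01T10:06:00", "id": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Vendor\\UpdateScan",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Program Files\\Vendor\\updater.exe"
                    "</Command></Exec></Actions></Task>"},
]

RC4_HMAC = "0x17"                    # TicketEncryptionType for RC4-HMAC; AES is 0x11/0x12
ROAST_THRESHOLD = 3                  # assumed: distinct RC4 SPN requests by one account ...
ROAST_WINDOW = timedelta(minutes=5)  # ... inside this window
# Assumed pattern for directories an ordinary user can write to.
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.IGNORECASE)


def detect_kerberoasting(events):
    """Return [(account, [service names])] for accounts that requested RC4 service
    tickets for at least ROAST_THRESHOLD distinct non-machine, non-krbtgt SPNs
    within ROAST_WINDOW. A burst of RC4 TGS requests is the classic signal."""
    per_account = defaultdict(list)  # account -> [(time, service)]
    for e in events:
        if e["id"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_account[e["TargetUserName"]].append((datetime.fromisoformat(e["time"]), svc))
    alerts = []
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            window = {svc for t, svc in reqs[i:] if t - t0 <= ROAST_WINDOW}
            if len(window) >= ROAST_THRESHOLD:
                alerts.append((account, sorted(window)))
                break
    return alerts


def task_command(task_xml):
    """Extract the <Command> path from the task XML carried in event 4698."""
    m = re.search(r"<Command>(.*?)</Command>", task_xml, re.DOTALL)
    return m.group(1).strip() if m else ""


def detect_suspicious_tasks(events):
    """Return [(subject, task name, command)] for new scheduled tasks whose
    action runs a binary from a user-writable directory."""
    hits = []
    for e in events:
        if e["id"] != 4698:
            continue
        cmd = task_command(e["TaskContent"])
        if USER_WRITABLE.search(cmd):
            hits.append((e["SubjectUserName"], e["TaskName"], cmd))
    return hits


if __name__ == "__main__":
    for account, spns in detect_kerberoasting(EVENTS):
        print(f"ALERT kerberoasting: {account} requested RC4 tickets for {spns}")
    for who, name, cmd in detect_suspicious_tasks(EVENTS):
        print(f"ALERT persistence: {who} created task {name} running {cmd}")
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so a client that cannot reproduce the second alert has a logging gap worth adding to the report alongside the finding itself.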

Data Exfiltration

C2 frameworks also allow you to extract sensitive information from machines you compromise. They have built-in tools that can dump password hashes, extract credentials saved in web browsers, and locate various other forms of sensitive information. The process of collecting all data from a machine is known as data harvesting.

Once you harvest all the sensitive data you can from a machine, you need to sort through it to find out what you can do with it. If you find password hashes, you can use them to perform a pass the hash attack or use a tool like Hashcat to crack them and reveal the password.

Cracking an NTLM Password Hash With Hashcat

Another way to steal sensitive information for exfiltration is by intercepting it as it travels across the internal network. You can use a tool like Wireshark to do this.

Wireshark is an open-source network protocol analyzer that you can use to capture and inspect network traffic. During a network penetration test, you can use it to intercept sensitive data that is traveling around the corporate network. This could be passwords, hashes, or files.

Capturing Network Packets With Wireshark

7. Analysis and Reporting

When the network penetration test is complete, you move to the Analysis and Reporting stage. During this stage, you will go through all the activities you undertook as part of the network penetration test, analyze the vulnerabilities and security gaps you uncovered, and detail your findings in a report for the client.

This is perhaps the most important stage of the penetration test. It is where you showcase your value by providing actionable advice the client can use to improve their security posture. Here are the key elements to include in your network penetration test report.

Key elements to include in a comprehensive report:

  • Highlight vulnerabilities based on criticality and impact: Detail the vulnerabilities you found based on their criticality using the Common Vulnerability Scoring System (CVSS) so the client can prioritize the gaps they need to address.
  • Offer short and long-term remediation advice: Not all issues can be fixed with a patch. You should provide the client with short-term fixes for problems and long-term remediation advice to tackle institutional issues, such as using a deprecated authentication protocol like NTLM.
  • Map your attacks to the MITRE ATT&CK framework: The MITRE ATT&CK framework provides a common language defenders can use to discuss attacks. Mapping your attacks to this framework allows the client to better understand what you did and how they can combat it.
  • Use the Common Vulnerabilities and Exposures (CVE) system when referencing vulnerabilities: Any vulnerabilities you find should include their CVE number (e.g., CVE-2023-1234). This allows the client to quickly look up the CVE and find relevant remediation advice.
  • Include what the client is doing well: You shouldn’t just focus on where the client is failing. Include what the client is doing well so they know what security practices to continue, their strengths, and where to dedicate more resources to improve.
  • Make your report clear, concise, and easy to follow: Structure your report so that a variety of readers can gain value from it. You want to include an overview of your testing activity for executives to understand and a deep technical analysis so security professionals can implement the appropriate remediations.

Remember, the client pays for the report. Dedicate appropriate time to making it your best work and showcase how the client can improve their security.

8. Post-Engagement Activities

Delivering your penetration test report to the client is not the final stage. It is highly recommended that you perform post-engagement activities with the client to help them understand what you did, how you did it, and how they can protect against it in the future.

Post-engagement activities typically include a client debrief where you discuss the results of your network penetration testing activities, including the technical details about vulnerabilities or security gaps you were able to exploit. This allows the technical security team to better understand the remediation advice you provided and take action. They may ask you to retest the vulnerabilities you found to verify that the vulnerabilities have been effectively remediated.

During the client debrief, you may also talk to higher-level managers or executives about long-term mitigation strategies, such as policy changes, investments in more advanced security tools, or tactical decisions to improve the organization's security posture.

Remember to mention the need for regular penetration tests during your client debrief and their role in continuously improving an organization's security.

Ethical and Legal Considerations

Throughout your network penetration testing activities, it is important to consider the ethical and legal ramifications of your actions. You must understand the legal implications of performing penetration testing and the specific laws that may apply to you based on the state, country, or jurisdiction you operate within. You must always stay within legal boundaries by only targeting systems that are within scope and that you have permission to test.

The legality of your pentesting activities should not be your only consideration. It is important to think about the ethics of your activities and how your actions may impact others. For instance, using a phishing email that uses a pretext of a family member's death may be legal, but it is certainly not ethical. You should always be ethically responsible during your penetration tests and prioritize the well-being of the people involved.

You can learn more about the legality of penetration testing and hacking in Is Hacking Illegal? The Law and Ethical Perspectives

Conclusion

A network penetration test assesses an organization’s internal network security and assumes an attacker was able to get initial access to this network. It aims to uncover vulnerabilities and security gaps that attackers can exploit to access mission-critical systems or exfiltrate sensitive data.

You discovered that a successful network penetration test follows eight main steps that require specialized hacking tools and skills to perform. While testing, it is important to consider the ethical ramifications of your actions and ensure you do not go outside of scope or attack systems that you do not have legal permission from the client to test.

If you want to learn more about the tools and skills required to excel at network penetration testing, consider a StationX membership. You will get exclusive certification advice, mentorship, and over 1,000 classes and labs to help you take your career to the next level. Take a look at some of the courses included:

  • Adam Goss

    Adam is a seasoned cyber security professional with extensive experience in cyber threat intelligence and threat hunting. He enjoys learning new tools and technologies, and holds numerous industry qualifications on both the red and blue sides. Adam aims to share the unique insights he has gained from his experiences through his blog articles. You can find Adam on LinkedIn or check out his other projects on LinkTree.
