Back to Details

conducting-network-penetration-test

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Conducting Network Penetration Test

开展网络渗透测试

When to Use

适用场景

  • Assessing the security posture of internal or external network infrastructure before or after deployment
  • Validating firewall rules, network segmentation, and access controls under realistic attack conditions
  • Identifying exploitable vulnerabilities in network services, protocols, and configurations
  • Meeting compliance requirements for PCI-DSS, HIPAA, SOC 2, or ISO 27001 that mandate periodic penetration testing
  • Evaluating the effectiveness of IDS/IPS, SIEM, and SOC detection capabilities against real attack traffic
Do not use for testing networks without explicit written authorization from the asset owner, against production systems without a pre-approved change window and rollback plan, or for denial-of-service testing unless explicitly scoped and authorized.
  • 在网络基础设施部署前后,评估内部或外部网络的安全状况
  • 在真实攻击场景下验证防火墙规则、网络分段和访问控制的有效性
  • 识别网络服务、协议和配置中可被利用的漏洞
  • 满足PCI-DSS、HIPAA、SOC 2或ISO 27001等合规要求中定期渗透测试的强制规定
  • 评估IDS/IPS、SIEM和SOC检测能力对真实攻击流量的响应效果
禁用场景:未经资产所有者明确书面授权测试网络;未经预先批准的变更窗口和回滚计划测试生产系统;除非明确界定范围并获得授权,否则不得进行拒绝服务测试。

Prerequisites

前提条件

  • Signed Rules of Engagement (RoE) document specifying target IP ranges, excluded hosts, testing hours, and emergency contacts
  • Written authorization letter (get-out-of-jail letter) from the network owner
  • Dedicated testing laptop with Kali Linux or equivalent distribution with up-to-date tools
  • VPN or direct network access to the target scope as defined in the RoE
  • Out-of-band communication channel with the client's incident response team
  • Scope document listing in-scope IP ranges, domains, and any explicitly excluded systems (medical devices, SCADA, critical infrastructure)
  • 签署的参与规则(RoE)文档,明确目标IP范围、排除主机、测试时段和紧急联系人
  • 网络所有者出具的书面授权函(免责函)
  • 搭载Kali Linux或同等发行版且工具已更新的专用测试笔记本
  • 按照RoE定义的目标范围,具备VPN或直接网络访问权限
  • 与客户事件响应团队的带外通信渠道
  • 范围文档,列出纳入测试范围的IP地址、域名,以及任何明确排除的系统(医疗设备、SCADA、关键基础设施)

Workflow

工作流程

Step 1: Pre-Engagement and Scope Validation

步骤1:测试前准备与范围验证

Validate the scope by confirming IP ranges with the client. Verify that all IP addresses in scope are owned by the client using ARIN/RIPE WHOIS lookups. Confirm testing windows, escalation procedures, and any sensitivity constraints. Set up the testing environment with a dedicated VM, VPN connection, and logging enabled on all tools. Create a timestamped activity log that records every command executed, every scan launched, and every exploit attempted throughout the engagement.
通过与客户确认IP范围来验证测试范围。使用ARIN/RIPE WHOIS查询确认所有纳入范围的IP地址均归客户所有。确认测试窗口、升级流程和任何敏感性约束。搭建专用VM测试环境,配置VPN连接,并启用所有工具的日志记录。创建带时间戳的活动日志,记录整个测试过程中执行的每一条命令、启动的每一次扫描和尝试的每一次利用操作。

Step 2: Host Discovery and Network Mapping

步骤2:主机发现与网络映射

Identify live hosts within the authorized scope using layered discovery techniques:
  • ICMP sweep: 
    nmap -sn -PE -PP -PM 10.10.0.0/16 -oA discovery_icmp
    to find hosts responding to ping
  • ARP scan (internal networks): 
    nmap -sn -PR 10.10.0.0/24 -oA discovery_arp
    or 
    arp-scan -l
    for local subnet enumeration
  • TCP SYN discovery: 
    nmap -sn -PS21,22,25,80,443,445,3389,8080 10.10.0.0/16 -oA discovery_tcp
    to find hosts with ICMP blocked
  • UDP discovery: 
    nmap -sn -PU53,161,500 10.10.0.0/16 -oA discovery_udp
    for hosts only responding on UDP
Consolidate live hosts into a target list. Map the network topology by identifying gateways, VLAN boundaries, and trust relationships using traceroute and SNMP community string guessing where authorized.
使用分层发现技术识别授权范围内的活跃主机:
  • ICMP扫描
    nmap -sn -PE -PP -PM 10.10.0.0/16 -oA discovery_icmp
    ,查找响应ping的主机
  • ARP扫描(内部网络):
    nmap -sn -PR 10.10.0.0/24 -oA discovery_arp
    arp-scan -l
    ,用于本地子网枚举
  • TCP SYN发现
    nmap -sn -PS21,22,25,80,443,445,3389,8080 10.10.0.0/16 -oA discovery_tcp
    ,查找屏蔽ICMP的主机
  • UDP发现
    nmap -sn -PU53,161,500 10.10.0.0/16 -oA discovery_udp
    ,查找仅响应UDP的主机
将活跃主机整合为目标列表。通过traceroute和经授权的SNMP社区字符串猜测,识别网关、VLAN边界和信任关系,绘制网络拓扑图。

Step 3: Port Scanning and Service Enumeration

步骤3:端口扫描与服务枚举

Perform detailed port scanning on discovered hosts:
  • Full TCP scan: 
    nmap -sS -p- --min-rate 1000 -T4 -oA full_tcp <target>
    to identify all open TCP ports
  • Top UDP ports: 
    nmap -sU --top-ports 200 -T4 -oA top_udp <target>
    for commonly exploitable UDP services
  • Service version detection: 
    nmap -sV -sC -p <open_ports> -oA service_enum <target>
    to fingerprint service versions and run default NSE scripts
  • OS fingerprinting: 
    nmap -O --osscan-guess -oA os_detection <target>
    to identify operating systems
Enumerate discovered services in depth using protocol-specific tools:
  • SMB: 
    enum4linux -a <target>
    , 
    crackmapexec smb <target> --shares
  • SNMP: 
    snmpwalk -v2c -c public <target>
  • DNS: 
    dig axfr @<dns_server> <domain>
    for zone transfer attempts
  • LDAP: 
    ldapsearch -x -H ldap://<target> -b "dc=example,dc=com"
对发现的主机执行详细端口扫描:
  • 全TCP扫描
    nmap -sS -p- --min-rate 1000 -T4 -oA full_tcp <target>
    ,识别所有开放的TCP端口
  • 热门UDP端口
    nmap -sU --top-ports 200 -T4 -oA top_udp <target>
    ,针对常见可利用的UDP服务
  • 服务版本检测
    nmap -sV -sC -p <open_ports> -oA service_enum <target>
    ,识别服务版本并运行默认NSE脚本
  • 操作系统指纹识别
    nmap -O --osscan-guess -oA os_detection <target>
    ,识别操作系统
使用特定协议工具深入枚举已发现的服务:
  • SMB:
    enum4linux -a <target>
    crackmapexec smb <target> --shares
  • SNMP:
    snmpwalk -v2c -c public <target>
  • DNS:
    dig axfr @<dns_server> <domain>
    ,尝试区域传输
  • LDAP:
    ldapsearch -x -H ldap://<target> -b "dc=example,dc=com"

Step 4: Vulnerability Identification

步骤4:漏洞识别

Correlate discovered service versions against known vulnerability databases:
  • Run 
    nmap --script vuln -p <ports> <target>
    for NSE vulnerability scripts
  • Use 
    searchsploit <service> <version>
    to query the Exploit-DB offline database
  • Cross-reference with NVD (National Vulnerability Database) and CVE records for confirmed vulnerabilities
  • Check for default credentials on management interfaces (Tomcat Manager, Jenkins, phpMyAdmin, database consoles)
  • Test for common misconfigurations: anonymous FTP, open SMTP relays, unrestricted SNMP communities, NFS exports without authentication
Prioritize vulnerabilities by CVSS score, exploitability, and business impact. Document each finding with CVE identifier, affected host, service, and version.
将已发现的服务版本与已知漏洞数据库关联:
  • 运行
    nmap --script vuln -p <ports> <target>
    ,使用NSE漏洞脚本
  • 使用
    searchsploit <service> <version>
    查询Exploit-DB离线数据库
  • 与NVD(国家漏洞数据库)和CVE记录交叉验证,确认漏洞
  • 检查管理界面(Tomcat Manager、Jenkins、phpMyAdmin、数据库控制台)的默认凭据
  • 测试常见配置错误:匿名FTP、开放SMTP中继、无限制SNMP社区、无身份验证的NFS导出
根据CVSS评分、可利用性和业务影响对漏洞进行优先级排序。记录每个发现的CVE标识符、受影响主机、服务和版本。

Step 5: Exploitation

步骤5:漏洞利用

Attempt controlled exploitation of validated vulnerabilities using the principle of minimum necessary access:
  • Metasploit Framework: 
    msfconsole
    with appropriate exploit modules matched to confirmed vulnerabilities. Set RHOSTS, RPORT, and payload options. Prefer bind/reverse TCP Meterpreter for post-exploitation flexibility.
  • Manual exploitation: Use public proof-of-concept exploits from Exploit-DB after code review. Compile and modify as needed for the target environment.
  • Credential attacks: Use 
    hydra
    or 
    crackmapexec
    for password spraying against discovered services (SSH, RDP, SMB, HTTP basic auth) using common credential lists. Respect lockout policies.
  • Pass-the-hash / relay: If NTLM hashes are obtained, attempt pass-the-hash with 
    impacket-psexec
    or relay attacks with 
    impacket-ntlmrelayx
    where SMB signing is disabled.
Document every exploitation attempt including failures. Capture screenshots of successful compromises showing hostname, IP, current user, and privilege level.
遵循最小必要访问原则,尝试对已验证的漏洞进行受控利用:
  • Metasploit Framework
    msfconsole
    搭配与已确认漏洞匹配的适当利用模块。设置RHOSTS、RPORT和payload选项。优先选择bind/reverse TCP Meterpreter,以便后期利用的灵活性。
  • 手动利用:在代码审查后,使用Exploit-DB中的公开概念验证漏洞。根据目标环境编译和修改代码。
  • 凭据攻击:使用
    hydra
    crackmapexec
    ,针对已发现的服务(SSH、RDP、SMB、HTTP基本认证),使用常见凭据列表进行密码喷洒。遵守账户锁定策略。
  • 哈希传递/中继:如果获取到NTLM哈希,在SMB签名禁用的情况下,尝试使用
    impacket-psexec
    进行哈希传递,或使用
    impacket-ntlmrelayx
    进行中继攻击。
记录每一次利用尝试,包括失败的尝试。捕获成功入侵的截图,显示主机名、IP、当前用户和权限级别。

Step 6: Post-Exploitation and Pivoting

步骤6:后期利用与横向移动

After gaining access to a host, demonstrate business impact:
  • Privilege escalation: Check for local privilege escalation paths using 
    linpeas.sh
    (Linux) or 
    winPEAS.exe
    (Windows). Look for misconfigured services, SUID binaries, unquoted service paths, or kernel exploits.
  • Credential harvesting: Extract stored credentials from memory (
    mimikatz
    ), files (config files, browser stores), or cached hashes (
    hashdump
    ).
  • Lateral movement: Use obtained credentials to pivot to additional systems. Test network segmentation by attempting to reach out-of-scope networks from compromised hosts.
  • Data access demonstration: Identify sensitive data accessible from compromised systems (PII databases, file shares, backup files) and document access without exfiltrating actual data.
Maintain detailed notes on every pivot point, credential obtained, and system accessed to build the attack chain narrative.
获取主机访问权限后,展示业务影响:
  • 权限提升:使用
    linpeas.sh
    (Linux)或
    winPEAS.exe
    (Windows)检查本地权限提升路径。查找配置错误的服务、SUID二进制文件、未加引号的服务路径或内核漏洞。
  • 凭据收集:从内存(
    mimikatz
    )、文件(配置文件、浏览器存储)或缓存哈希(
    hashdump
    )中提取存储的凭据。
  • 横向移动:使用获取的凭据渗透到其他系统。通过从已入侵主机尝试访问测试范围外的网络,验证网络分段效果。
  • 数据访问演示:识别已入侵系统可访问的敏感数据(PII数据库、文件共享、备份文件),记录访问情况但不得泄露实际数据。
详细记录每一个渗透点、获取的凭据和访问的系统,构建攻击链叙事。

Step 7: Cleanup and Reporting

步骤7:清理与报告

Remove all testing artifacts from compromised systems:
  • Delete uploaded tools, shells, and temporary files
  • Remove any accounts created during testing
  • Revert configuration changes made during exploitation
  • Verify cleanup by re-scanning affected hosts
Prepare the penetration test report with executive summary, methodology description, finding details with CVSS scores, proof-of-concept evidence, and prioritized remediation recommendations.
从已入侵系统中移除所有测试 artifacts:
  • 删除上传的工具、shell和临时文件
  • 删除测试期间创建的任何账户
  • 恢复利用过程中修改的配置
  • 通过重新扫描受影响主机验证清理效果
准备渗透测试报告,包含执行摘要、方法论描述、带CVSS评分的发现详情、概念验证证据和优先级排序的修复建议。

Key Concepts

核心概念

TermDefinition
Rules of Engagement (RoE)Formal document defining the scope, boundaries, testing hours, authorized actions, and escalation procedures for a penetration test
PivotUsing a compromised host as a relay point to access additional network segments not directly reachable from the tester's position
Service EnumerationThe process of identifying running services, their versions, and configurations on discovered hosts to map the attack surface
Credential SprayingTesting a small number of commonly used passwords against many accounts simultaneously to avoid account lockout thresholds
CVSSCommon Vulnerability Scoring System; an industry-standard framework for rating the severity of vulnerabilities on a 0-10 scale
Lateral MovementTechniques used to move from one compromised system to another within a network, expanding the scope of access
Post-ExploitationActivities performed after initial compromise including privilege escalation, persistence, credential harvesting, and data access
术语定义
Rules of Engagement (RoE)正式文档,定义渗透测试的范围、边界、测试时段、授权操作和升级流程
Pivot将已入侵主机作为中继点,访问测试人员无法直接到达的其他网络段
Service Enumeration识别已发现主机上运行的服务、版本和配置,以映射攻击面的过程
Credential Spraying同时使用少量常用密码测试多个账户,避免触发账户锁定阈值
CVSS通用漏洞评分系统;行业标准框架,用于在0-10分范围内评估漏洞的严重程度
Lateral Movement用于从一个已入侵系统移动到网络内另一个系统的技术,扩大访问范围
Post-Exploitation初始入侵后执行的活动,包括权限提升、持久化、凭据收集和数据访问

Tools & Systems

工具与系统

  • Nmap: Network discovery, port scanning, service enumeration, and vulnerability detection via the Nmap Scripting Engine (NSE)
  • Metasploit Framework: Exploitation framework providing exploit modules, payloads, encoders, and post-exploitation tools for validated vulnerability exploitation
  • CrackMapExec: Swiss-army knife for Windows/Active Directory environments supporting SMB, WinRM, LDAP, and MSSQL enumeration and exploitation
  • Impacket: Python library providing low-level programmatic access to network protocols (SMB, MSRPC, Kerberos) used for relay attacks and remote execution
  • Burp Suite: Web application proxy used when network services expose HTTP-based management interfaces
  • Nmap:网络发现、端口扫描、服务枚举,以及通过Nmap脚本引擎(NSE)进行漏洞检测
  • Metasploit Framework:漏洞利用框架,提供与已验证漏洞匹配的利用模块、payload、编码器和后期利用工具
  • CrackMapExec:Windows/Active Directory环境的多功能工具,支持SMB、WinRM、LDAP和MSSQL的枚举与利用
  • Impacket:Python库,提供对网络协议(SMB、MSRPC、Kerberos)的底层编程访问,用于中继攻击和远程执行
  • Burp Suite:当网络服务暴露基于HTTP的管理界面时使用的Web应用代理

Common Scenarios

常见场景

Scenario: Internal Network Penetration Test for a Financial Institution

场景:金融机构内部网络渗透测试

Context: The client is a mid-size bank requiring PCI-DSS compliance. Scope includes the internal corporate network (10.10.0.0/16), excluding payment processing systems in a separate VLAN. Testing window is Monday-Friday 20:00-06:00 to minimize impact on operations.
Approach:
  1. Perform ARP-based host discovery on accessible subnets and TCP SYN discovery for hosts with ICMP disabled
  2. Conduct full port scans on all discovered hosts, prioritizing Windows servers and domain controllers
  3. Enumerate SMB shares, SNMP communities, and web management interfaces for quick wins
  4. Identify and exploit an unpatched Apache Tomcat instance with default credentials to gain initial foothold
  5. Escalate privileges via a local Windows kernel vulnerability, then extract cached domain credentials with Mimikatz
  6. Demonstrate lateral movement to the database server containing customer records, proving inadequate network segmentation
  7. Document the complete attack path from initial access to sensitive data, with remediation steps for each vulnerability
Pitfalls:
  • Scanning too aggressively during business hours and triggering IDS alerts or service disruptions
  • Failing to verify that all target IPs are actually owned by the client before scanning
  • Not documenting exploitation attempts that failed, missing the opportunity to report on effective controls
  • Forgetting to clean up Meterpreter sessions and uploaded tools after testing
背景:客户是一家中型银行,需要满足PCI-DSS合规要求。测试范围包括内部企业网络(10.10.0.0/16),排除位于单独VLAN的支付处理系统。测试窗口为周一至周五20:00-06:00,以最小化对业务运营的影响。
方法
  1. 对可访问子网执行基于ARP的主机发现,对屏蔽ICMP的主机执行TCP SYN发现
  2. 对所有已发现主机执行全端口扫描,优先处理Windows服务器和域控制器
  3. 枚举SMB共享、SNMP社区和Web管理界面,寻找快速突破点
  4. 识别并利用存在默认凭据的未打补丁Apache Tomcat实例,获得初始访问权限
  5. 通过本地Windows内核漏洞提升权限,然后使用Mimikatz提取缓存的域凭据
  6. 演示横向移动到包含客户记录的数据库服务器,证明网络分段不足
  7. 记录从初始访问到敏感数据的完整攻击路径,以及每个漏洞的修复步骤
常见陷阱
  • 在工作时间扫描过于激进,触发IDS警报或服务中断
  • 扫描前未验证所有目标IP确实归客户所有
  • 未记录失败的利用尝试,错失报告有效控制措施的机会
  • 测试后忘记清理Meterpreter会话和上传的工具

Output Format

输出格式

undefined
undefined

Finding: Unpatched Apache Tomcat with Default Credentials

发现:存在默认凭据的未打补丁Apache Tomcat

ID: NET-001 Severity: Critical (CVSS 9.8) Affected Host: 10.10.5.23 (tomcat-prod.internal.corp) Service: Apache Tomcat 8.5.31 on port 8080 CVE: CVE-2019-0232
Description: The Apache Tomcat instance on 10.10.5.23:8080 is running version 8.5.31, which is vulnerable to CVE-2019-0232 (remote code execution via CGI Servlet). Additionally, the Tomcat Manager interface is accessible with default credentials (tomcat:tomcat), allowing deployment of arbitrary WAR files.
Proof of Concept:
  1. Accessed http://10.10.5.23:8080/manager/html with credentials tomcat:tomcat
  2. Deployed malicious WAR file containing a reverse shell payload
  3. Obtained command execution as NT AUTHORITY\SYSTEM
Impact: Full system compromise of the Tomcat server. From this host, the tester pivoted to 3 additional systems on the same subnet using harvested credentials, ultimately accessing the customer database containing 50,000+ records.
Remediation:
  1. Immediately change default Tomcat Manager credentials
  2. Upgrade Apache Tomcat to the latest stable release (currently 10.1.x)
  3. Restrict access to the Tomcat Manager interface to authorized management IPs only
  4. Implement network segmentation between web servers and database tier
undefined
ID: NET-001 Severity: Critical (CVSS 9.8) Affected Host: 10.10.5.23 (tomcat-prod.internal.corp) Service: Apache Tomcat 8.5.31 on port 8080 CVE: CVE-2019-0232
Description: The Apache Tomcat instance on 10.10.5.23:8080 is running version 8.5.31, which is vulnerable to CVE-2019-0232 (remote code execution via CGI Servlet). Additionally, the Tomcat Manager interface is accessible with default credentials (tomcat:tomcat), allowing deployment of arbitrary WAR files.
Proof of Concept:
  1. Accessed http://10.10.5.23:8080/manager/html with credentials tomcat:tomcat
  2. Deployed malicious WAR file containing a reverse shell payload
  3. Obtained command execution as NT AUTHORITY\SYSTEM
Impact: Full system compromise of the Tomcat server. From this host, the tester pivoted to 3 additional systems on the same subnet using harvested credentials, ultimately accessing the customer database containing 50,000+ records.
Remediation:
  1. Immediately change default Tomcat Manager credentials
  2. Upgrade Apache Tomcat to the latest stable release (currently 10.1.x)
  3. Restrict access to the Tomcat Manager interface to authorized management IPs only
  4. Implement network segmentation between web servers and database tier
undefined