All SkillsGet Started Free
Conducting Network Penetration Test
Conducts comprehensive network penetration tests against authorized target environments by performing host discovery, port scanning, service enumeration, vulnerability identification, and controlled exploitation to assess the security posture of network infrastructure. The tester follows PTES methodology from reconnaissance through post-exploitation and reporting. Activates for requests involving network pentest, infrastructure security assessment, internal network testing, or external perimeter testing.
MCP get_skill({ skillId: "conducting-network-penetration-test-7512c8eb" })Use this skill with your agent
Create a free account and connect via MCP
# Conducting Network Penetration Test ## When to Use - Assessing the security posture of internal or external network infrastructure before or after deployment - Validating firewall rules, network segmentation, and access controls under realistic attack conditions - Identifying exploitable vulnerabilities in network services, protocols, and configurations - Meeting compliance requirements for PCI-DSS, HIPAA, SOC 2, or ISO 27001 that mandate periodic penetration testing - Evaluating the effectiveness of IDS/IPS, SIEM, and SOC detection capabilities against real attack traffic **Do not use** for testing networks without explicit written authorization from the asset owner, against production systems without a pre-approved change window and rollback plan, or for denial-of-service testing unless explicitly scoped and authorized. ## Prerequisites - Signed Rules of Engagement (RoE) document specifying target IP ranges, excluded hosts, testing hours, and emergency contacts - Written authorization letter (get-out-of-jail letter) from the network owner - Dedicated testing laptop with Kali Linux or equivalent distribution with up-to-date tools - VPN or direct network access to the target scope as defined in the RoE - Out-of-band communication channel with the client's incident response team - Scope document listing in-scope IP ranges, domains, and any explicitly excluded systems (medical devices, SCADA, critical infrastructure) ## Workflow ### Step 1: Pre-Engagement and Scope Validation Validate the scope by confirming IP ranges with the client. Verify that all IP addresses in scope are owned by the client using ARIN/RIPE WHOIS lookups. Confirm testing windows, escalation procedures, and any sensitivity constraints. Set up the testing environment with a dedicated VM, VPN connection, and logging enabled on all tools. Create a timestamped activity log that records every command executed, every scan launched, and every exploit attempted throughout the engagement. ### Step 2: Host Discovery and Network Mapping Identify live hosts within the authorized scope using layered discovery techniques: - **ICMP sweep**: `nmap -sn -PE -PP -PM 10.10.0.0/16 -oA discovery_icmp` to find hosts responding to ping - **ARP scan** (internal networks): `nmap -sn -PR 10.10.0.0/24 -oA discovery_arp` or `arp-scan -l` for local subnet enumeration - **TCP SYN discovery**: `nmap -sn -PS21,22,25,80,443,445,3389,8080 10.10.0.0/16 -oA discovery_tcp` to find hosts with ICMP blocked - **UDP discovery**: `nmap -sn -PU53,161,500 10.10.0.0/16 -oA discovery_udp` for hosts only responding on UDP Consolidate live hosts into a target list. Map the network topology by identifying gateways, VLAN boundaries, and trust relationships using traceroute and SNMP community string guessing where authorized. ### Step 3: Port Scanning and Service Enumeration Perform detailed port scanning on discovered hosts: - **Full TCP scan**: `nmap -sS -p- --min-rate 1000 -T4 -oA full_tcp <target>` to identify all open TCP ports - **Top UDP ports**: `nmap -sU --top-ports 200 -T4 -oA top_udp <target>` for commonly exploitable UDP services - **Service version detection**: `nmap -sV -sC -p <open_ports> -oA service_enum <target>` to fingerprint service versions and run default NSE scripts - **OS fingerprinting**: `nmap -O --osscan-guess -oA os_detection <target>` to identify operating systems Enumerate discovered services in depth using protocol-specific tools: - SMB: `enum4linux -a <target>`, `crackmapexec smb <target> --shares` - SNMP: `snmpwalk -v2c -c public <target>`
#mukul-cybersecurity-skills#security#cybersecurity#penetration#testingnmaparp-scanenum4linuxcrackmapexecsnmpwalkdigldapsearchsearchsploit