To gain access to a target device during a PenTest, its vulnerabilities must be identified first. Using the information gathered during the reconnaissance and enumeration phases, the penetration tester scans for and identifies candidate vulnerabilities, then attempts to exploit them to gain access to the network resource.
<aside>
Mission Objectives
- Scan for Cleartext Vulnerabilities
- Use Metasploit
- Use aircrack-ng to Discover Hidden Networks
- Locate a Rogue Access Point
- Network Reconnaissance
- Scan for Linux Vulnerabilities
</aside>
1. Vulnerability Discovery Techniques
Discovering vulnerabilities requires a mix of automated scanning and manual inspection: the scanner produces candidates at scale, and the tester confirms them.
- Automated Scanning: Using tools such as Nessus or OpenVAS to compare the service versions, configurations and responses found on the target against a database of known CVEs and checks.
- Ad-hoc Scanning: Using the Nmap Scripting Engine (NSE) for lightweight, targeted checks of one specific flaw, e.g., the smb-vuln-ms17-010 script for EternalBlue or ssl-heartbleed for Heartbleed.
- Passive Identification: Inferring versions and weaknesses from what can already be observed (captured traffic, banners and headers recorded during enumeration, third-party sources) without sending new probes, so the activity is less likely to trigger detection.
- Credentialed vs. Non-Credentialed: Deciding whether to scan as an outsider (unauthenticated, seeing only what the network exposes) or with valid credentials that let the scanner log in and find deeper configuration and patch-level flaws.
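The signature comparison that automated and passive scanners perform reduces to extracting a product and version from a banner and testing whether it falls inside a known vulnerable range. The following is an added example, not code from the original page or from any scanner product; the signature table, the banners and the backport heuristic are constructed for illustration. The two version ranges it contains are real (OpenSSL 1.0.1 up to 1.0.1f for CVE-2014-0160, Apache httpd 2.4.49 for CVE-2021-41773), but a banner match is only a candidate: distributions such as Ubuntu backport fixes without changing the upstream version string, so every hit should be confirmed with an active check (for example the ssl-heartbleed NSE script) before it is reported.

```python
import re

# Constructed mini signature database for this example (a real scanner ships
# thousands of entries). Each row: product, first vulnerable version
# (inclusive), first fixed version (exclusive), identifier.
SIGNATURES = [
    ("OpenSSL", "1.0.1", "1.0.1g", "CVE-2014-0160 (Heartbleed)"),
    ("Apache", "2.4.49", "2.4.50", "CVE-2021-41773 (path traversal)"),
]

# Distribution markers that often mean a security fix was backported without
# bumping the upstream version, so a banner match needs active verification.
BACKPORT_HINTS = ("Ubuntu", "Debian", "Red Hat", "CentOS")

# Matches "Apache/2.4.49", "OpenSSL/1.0.1f", "OpenSSH_7.4" inside a banner.
PRODUCT_RE = re.compile(r"([A-Za-z][A-Za-z0-9]*)[/_](\d+(?:\.\d+)*[a-z]?)")


def version_key(version):
    """Turn '1.0.1f' into ((1, 0, 1), 'f') so versions compare in release order.

    Numeric components compare as integers, then a trailing letter suffix
    (OpenSSL style) breaks ties; '1.0.1' sorts before '1.0.1f'.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def extract_products(banner):
    """Pull (product, version) pairs out of a service banner or Server header."""
    return [(m.group(1), m.group(2)) for m in PRODUCT_RE.finditer(banner)]


def match_signatures(banner):
    """Return [(product, version, identifier, backport_possible)] for every
    signature whose vulnerable range contains a version found in the banner."""
    backport_possible = any(hint in banner for hint in BACKPORT_HINTS)
    findings = []
    for product, version in extract_products(banner):
        observed = version_key(version)
        for sig_product, first_vuln, first_fixed, ident in SIGNATURES:
            if product.lower() != sig_product.lower():
                continue
            if version_key(first_vuln) <= observed < version_key(first_fixed):
                findings.append((product, version, ident, backport_possible))
    return findings


if __name__ == "__main__":
    # Constructed banners, as they might be recorded during enumeration.
    for banner in (
        "Apache/2.4.49 (Unix) OpenSSL/1.0.1f",
        "Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f",
        "SSH-2.0-OpenSSH_7.4",
    ):
        for product, version, ident, backport in match_signatures(banner):
            status = "candidate, verify (possible backport)" if backport else "candidate"
            print(f"{banner!r}: {product} {version} -> {ident} [{status}]")
```

The second banner is the instructive case: the OpenSSL version string is inside the Heartbleed range, yet Ubuntu shipped 1.0.1f with the fix backported, so the tool marks it for verification rather than reporting it as vulnerable.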
2. Analyzing Reconnaissance Scanning and Enumeration
This is the "Brain" of the mission—turning raw logs into a tactical plan.
- Pattern Recognition: Identifying clusters of outdated or end-of-life OS versions across a subnet, which point to a systemic failure in patch management rather than a single neglected host.
- Service Mapping: Correlating open ports (e.g., 445/SMB) with the protocol or software version exposed on them (e.g., SMBv1 still enabled, the precondition for MS17-010/EternalBlue) to estimate the likelihood of successful exploitation.
- Filtering Noise: Removing false positives, such as a banner that matches a CVE although the distribution backported the fix, or a web flaw that a WAF blocks in practice; where possible, confirm a version-based hit with an active check before it goes into the plan.
- Attack Surface Visualization: Creating a map of the "Path of Least Resistance", the chain of vulnerabilities that leads most directly to the client's "Crown Jewels."
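Turning a pile of scan results into the tactical plan described above is mostly bookkeeping, and it is worth writing down so the prioritisation is repeatable. The following is an added example, not code from the original page; the host records are constructed (they are what you might reduce nmap -sV -O --script smb-protocols,ssl-heartbleed output to), and the weights, the crown-jewel tags and the end-of-life list are assumptions chosen for the example. It clusters end-of-life operating systems per /24, maps SMBv1 on 445/tcp to an MS17-010 candidate, drops any version-based hit that an active check disproved, and ranks hosts by weighted findings plus proximity to the client's most valuable assets.

```python
import ipaddress
from collections import defaultdict

# Operating systems whose vendor support has ended (constructed list; extend it
# from the vendor lifecycle pages on a real engagement).
EOL_OS = {"Windows XP", "Windows 7", "Windows Server 2008 R2"}

# Assumed weights: how much a candidate weakness raises a host's priority, and
# how much a host's role (the "crown jewels") adds when it has any finding.
WEIGHTS = {"MS17-010": 9, "CVE-2014-0160": 7}
CROWN_JEWELS = {"domain-controller": 5, "file-server": 3}

# Constructed scan results, not real hosts. Per port: service, whether SMBv1 was
# offered, signature hits from version matching, and the verdict of an active
# NSE check when one was run (None when it was not).
HOSTS = [
    {"ip": "10.0.1.10", "os": "Windows 7", "tags": [],
     "ports": {445: {"svc": "microsoft-ds", "smbv1": True, "check": None}}},
    {"ip": "10.0.1.11", "os": "Windows 7", "tags": ["file-server"],
     "ports": {445: {"svc": "microsoft-ds", "smbv1": True, "check": None},
               3389: {"svc": "ms-wbt-server"}}},
    {"ip": "10.0.1.12", "os": "Windows Server 2008 R2", "tags": ["domain-controller"],
     "ports": {445: {"svc": "microsoft-ds", "smbv1": True, "check": None}}},
    {"ip": "10.0.2.20", "os": "Ubuntu 14.04", "tags": [],
     "ports": {443: {"svc": "https", "version_hits": ["CVE-2014-0160"],
                     "check": "NOT VULNERABLE"}}},  # banner hit, fix was backported
    {"ip": "10.0.2.21", "os": "Windows 10", "tags": [],
     "ports": {445: {"svc": "microsoft-ds", "smbv1": False, "check": None}}},
]


def outdated_clusters(hosts, prefix=24):
    """Group hosts running end-of-life operating systems by subnet (pattern recognition)."""
    clusters = defaultdict(list)
    for host in hosts:
        if host["os"] in EOL_OS:
            net = ipaddress.ip_network(f'{host["ip"]}/{prefix}', strict=False)
            clusters[str(net)].append(host["ip"])
    return dict(clusters)


def service_findings(host):
    """Map open ports to candidate weaknesses (service mapping) and drop those an
    active check disproved (filtering noise). Returns [(port, identifier)]."""
    findings = []
    for port, info in host["ports"].items():
        candidates = []
        if port == 445 and info.get("smbv1"):
            candidates.append("MS17-010")           # SMBv1 on 445 is the EternalBlue precondition
        candidates += info.get("version_hits", [])  # signature matches from banner/version data
        if info.get("check") == "NOT VULNERABLE":
            continue                                # active check beats a version match: false positive
        findings.extend((port, c) for c in candidates)
    return findings


def rank_targets(hosts):
    """Order hosts by weighted findings plus crown-jewel bonus: the path of least resistance."""
    ranked = []
    for host in hosts:
        findings = service_findings(host)
        if not findings:
            continue
        score = sum(WEIGHTS.get(ident, 1) for _, ident in findings)
        score += sum(CROWN_JEWELS.get(tag, 0) for tag in host["tags"])
        ranked.append((host["ip"], score, findings))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for net, ips in outdated_clusters(HOSTS).items():
        print(f"{net}: {len(ips)} end-of-life hosts -> likely patch-management failure")
    for ip, score, findings in rank_targets(HOSTS):
        print(f"{ip:12} score={score:2} {findings}")
```

Note what the ranking does not contain: 10.0.2.20 has a Heartbleed banner match but the ssl-heartbleed verdict was negative, so it never reaches the plan, while the three SMBv1 hosts in 10.0.1.0/24 surface both as a systemic pattern and as the highest-value individual targets.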
3. Physical Security Concepts
A digital fortress is useless if the front door is unlocked. This lesson covers the physical barriers that a penetration tester must evaluate.
- Perimeter Security: Evaluating fences, gates, lighting, and signage.
- Surveillance & Detection: Identifying the placement and "blind spots" of CCTV cameras and motion sensors.
- Access Control: Testing the integrity of badge readers (RFID), biometric scanners, and mantraps (a pair of interlocking doors that admits one person at a time).