Once the PenTest-er has identified their targets and researched potential vulnerabilities, they begin attempting to exploit them. Depending on the type of target, this may involve network-based or host-based attacks. The PenTest-er will also try to authenticate to the devices so they can move through the system and carry out further attacks as needed.
<aside>
Mission Objectives
- Sniff Network Traffic
- Explore Nmap NSE
- Discover Vulnerabilities with Netcat
- Perform a Relay Attack
- Crack a Password with John the Ripper
- Crack Passwords
- Clear Audit Policies
- Perform Privilege Escalation
- Implement Payload Obfuscation
- Perform SQL Injection
- Investigate with Evil-WinRM
- Exploit LOLBins
- Implement Credential Dumping
</aside>
1. Perform Network Attacks
Enterprise networks often rely on legacy protocols for compatibility, which can be exploited to intercept traffic or redirect users.
- Layer 2 Attacks: Exploiting ARP (Address Resolution Protocol) to perform ARP Spoofing, allowing the tester to sit between a user and the gateway.
- Name Resolution Poisoning: Using tools like Responder to spoof LLMNR, NBT-NS, and mDNS responses. This tricks workstations into sending hashes to the tester’s machine.
- VLAN Hopping: Bypassing network segmentation by exploiting "switch spoofing" or "double tagging" to jump from one VLAN to another.
2. Perform Authentication Attacks
In an enterprise, the "Identity" is the most valuable target. We aim to steal or bypass credentials to gain access to the domain.
- Password Attacks:
    - Brute Forcing: Systematically trying every possible combination against one account.
    - Password Spraying: Trying one common password (e.g., `Summer2026!`) against hundreds of usernames to avoid account lockouts.
- Kerberos-based Attacks:
    - AS-REP Roasting: Targeting users with "Do not require Kerberos pre-authentication" enabled.
    - Kerberoasting: Requesting service tickets (TGS) for service accounts and cracking them offline to obtain cleartext passwords.
    - Passing the Hash (PtH): Using a captured NTLM hash to authenticate to a remote server without ever needing the cleartext password.
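The defender's side of the password-spraying pattern above, as an added example that is not part of the original notes: a small detector over constructed, flattened Windows 4625-style failed-logon records. Spraying shows up as one source touching many distinct accounts inside a short window with only one or two failures per account (which is exactly what keeps each account under the lockout threshold), whereas brute forcing piles failures onto a single account. The log line format and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <source-ip> <target-user> <status>".
# Status codes are the NTSTATUS values seen in Windows 4625 events:
# 0xC000006A = wrong password, 0xC0000064 = unknown user.
SAMPLE_EVENTS = """\
2026-03-01T08:00:01 10.0.0.5 alice 0xC000006A
2026-03-01T08:00:02 10.0.0.5 bob 0xC000006A
2026-03-01T08:00:03 10.0.0.5 carol 0xC0000064
2026-03-01T08:00:04 10.0.0.5 dave 0xC000006A
2026-03-01T08:00:05 10.0.0.5 erin 0xC000006A
2026-03-01T08:00:06 10.0.0.5 frank 0xC000006A
2026-03-01T08:01:00 10.0.0.9 alice 0xC000006A
2026-03-01T08:01:05 10.0.0.9 alice 0xC000006A
2026-03-01T08:01:10 10.0.0.9 alice 0xC000006A
2026-03-01T08:01:15 10.0.0.9 alice 0xC000006A
""".splitlines()

FAILURE_CODES = {"0xC000006A", "0xC0000064"}


def detect_spray(lines, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Return {source: sorted users} for every source whose failed logons
    inside `window` touch at least `min_users` distinct accounts while no
    single account sees more than `max_per_user` failures. A source that
    hammers one account (brute force, not spraying) is not reported."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, user, status = line.split()
        if status in FAILURE_CODES:
            by_src[src].append((datetime.fromisoformat(ts), user))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        hit, start = set(), 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in events[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                hit.update(counts)
        if hit:
            findings[src] = sorted(hit)
    return findings
```

Source 10.0.0.5 is reported with all six accounts it touched; 10.0.0.9 is not, because its four failures all land on one account.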
3. Perform Host-Based Attacks
Once access to a single host (Windows or Linux) is gained, the focus shifts to internal exploitation.
- Privilege Escalation:
    - Windows: Exploiting misconfigured services, unquoted service paths, or kernel vulnerabilities to move from Local User to SYSTEM.
    - Linux: Exploiting SUID binaries, writable `/etc/passwd` files, or outdated kernels to reach root.
- Living off the Land (LotL): Using built-in tools like PowerShell, WMI, or Certutil to perform malicious actions. This minimizes the "footprint" and helps bypass Antivirus/EDR.
- Persistence: Establishing a way back into the system (e.g., via scheduled tasks, registry keys, or new user creation) that survives a reboot.