Fine Tuning Adaptive Network Penetration Test – External, Internal and Wireless

Fine Tuning Automation for Network Penetration Test

By Shritam Bhowmick
Web Application Penetration Tester

Network Penetration Testing

A lot has been discussed earlier about network penetration testing in forums, IRCs and security conferences, but everyone has looked for some automated approach to keep network penetration test related tasks moving fast. The fast approach is desired for mass IP scans and large IP ranges which have to be tested in a short time. Most of these network nodes have services open which could be investigated further if those services are well known to be exploited in the wild.


There are various types of network penetration testing, listed below:

  1. External Network Penetration Testing
  2. Internal Network Penetration Testing
  3. Wireless Network Penetration Testing

Now, as most of you have already assumed, there could be an automated approach to all of them; this seems easy but is harder when taken from a wide security viewpoint. The art of choosing a set of tools at your disposal for a network security audit lies beyond the scope defined here, since many of these tools send malicious packets which could put stress on a web server or a critical production server, costing the client financially through loss of their services. As a penetration tester I have learned this art from my own lessons and experiences, and what follows is my own personal methodology for a network penetration test. The questions which should be asked of the client beforehand, before beginning an engagement, are the major input into how one should prepare for the penetration test.

My personal set of questions and key points for both external and internal network security audits, which should always be asked of the clients in the meetings, is the following:

  • The reason behind the network penetration test/engagement
  • Whether the engagement requires any compliance criteria to be met
  • The test hours of the engagement, and whether the servers are operational servers
  • If the servers are operational servers, at what time should the testers go ahead and test?
  • If the servers are development servers, are they configured exactly the same as the main servers?
  • An estimate of the IPs, along with their ranges, which need to be tested
  • Among the IPs which are specified, how many of them are external and how many internal?
  • Are there any appliances, either hardware based or software based, such as firewalls?
  • Are there any load balancers or proxies in place during the engagement?
  • After successful exploitation of a server, should a local vulnerability assessment be performed?
  • After the local vulnerability assessment, should the Red Team go ahead and attempt to gain ROOT?
  • Should the Red Team perform brute-force based approaches during the engagement?

All of these questions are essential for a professional network penetration tester to audit both external and internal networks from a security standpoint and, additionally, to estimate the costs which would be required for such an engagement. This has a lot in common with Red Team planning, wherein the Red Team lead has to decide how much manpower would be required for a certain project. If the scope is huge and there are hundreds of IP ranges to be scanned thoroughly, both automated and manually, it would require a bigger statistical plan to go ahead with the penetration test engagement and more focus on the test, since at this point the clients would be dead serious about their security.

Apart from external and internal network security, which have to do with various network appliances such as routers, switches and other network nodes, there is a very real requirement for a network penetration tester to understand and relate the key differences between internal/external network security audits and wireless network security audits. Wireless network security audits will certainly be centred on the protocols, encryption and authentication criteria used. To be precise, these questions should give an abstract idea of what a network penetration tester might require from the client's end:

  • The number of wireless networks which are in place?
  • Is there any guest network available which the client owns?
  • If there is a guest network, does it require authentication to connect?
  • What encryption is generally used for the wireless network?
  • What is the area coverage of the wireless network nodes used?
  • Is any enumeration of rogue devices needed?
  • Would the Red Team be allowed to attack wireless end-points against the wireless clients?
  • An estimate of the number of clients routinely checking in and out during a normal day?

After everything is set up and talked through in the scope during the initial meetings, the penetration tester is required to set up his networking equipment and test it thoroughly before conducting the tests. Of course the whole penetration test operation would have a timeline and a set of legal agreements which are prepared and signed by both the penetration tester and the client, who shall abide by all the rules and regulations according to state or country law. The scope creeps have to be decided and worked out beforehand, such as the payment terms, whether any stress testing would be done, and which department would be responsible for which operations, bringing the management department into the picture. All of this has to be exchanged in writing as well as verbally to clear any communication gap. Some companies prefer Denial of Service testing, while others don't consider it a threat. The latter is a personal preference, and a wide variety of opinions are discussed as to why a particular network should not be tested for Denial of Service and brute-force attacks. In such cases, no matter how technically sound the argument might be, it is always better to avoid bitter situations with the client, since one must respect their decisions, and there could always be management infrastructure problems which will later clear the whole picture. The scope creeps are hence a necessity before the actual engagement. The goals of the engagement should be defined.

Alongside my research with Defencely as an application security penetration tester and application security specialist, a comprehensive list of automated techniques which could be utilized to conduct network penetration testing has been documented, which I am delivering in this post. Among the most utilized and well-known scanners, I have selected the ones which have a quality impact on the tests performed and could fine-tune the results for a detailed manual inspection of the network infrastructure. The success stories from using this tool-set have already been proved across the globe and are well documented. Most of these automations run on the Linux operating system, and alternatives could be found packaged for Windows environments. Automation would again depend on the manual tests performed afterwards, which have to be skilled and reach the exact exploitation point. For a ready reference, I have described the tools along with the phases of a network penetration test engagement in which each would be used. Network Mapper (Nmap) is the best among the tool-set, since it could be used for more than one phase, and it has been marked in the following reference modules. This comprehensive list could be utilized by professionals as a checklist.

Information Gathering

  • Social Network
  • Maltego
  • Creepy
  • Social Engineering (Who do I talk to, to apply for an IT job?)
  • Recon-ng
  • TheHarvester
  • Metagoofil
  • Shodan + Shodan’s API
  • DNSenum/DNSrecon

Network Discovery

  • NMap
  • Unicorn Scan
  • Maltego
  • NetDiscover
  • SMBClient
  • Ettercap
  • Wireshark
  • TCPDump
  • Arping
  • Hping3
  • Xprobe2
  • TCPflow

Enumeration

  • NMap
  • NSE (Nmap Scripting Engine)
  • Maltego
  • NBTscan (NetBios Scan)
  • Cisco Analysis Tools
  • Wireshark
  • DNSEnum
  • smtp-user-enum
  • snmpwalk
  • DumpSec
  • Nat
  • SMBScanner
  • NBTEnum
  • Netcat

Vulnerability Assessment

  • NMap
  • NSE (Nmap Scripting Engine)
  • Metasploit/Armitage + Nexpose
  • Nessus
  • OpenVAS
  • Powerfuzzer
  • Custom Fuzzers
  • Cisco Analysis Tools (Nipper is a great one)

Exploitation and Security

  • NSE (Nmap Scripting Engine)
  • Metasploit/Armitage + Nexpose
  • Wireshark + SCAPY (I’ve actually attacked routing protocols with this)
  • Various Servers (Bind9 DNS servers, DHCP servers, SMB Servers, Radius servers, etc…)
  • Yersinia
  • Hexinject
  • Tcpreplay
  • Pineapple (For wireless Pentests)

Post Exploitation

  • Stunnel
  • SBD (Secure Back Door) ~ Linux
  • Cryptcat
  • Meterpreter Persistence
  • Powersploit
  • Iodine
  • UDPTunnel

The best way to scan a large number of IP addresses is with an asynchronous scanner like Masscan or Unicorn Scan. Nmap, as well as other scanners like Masscan, Unicorn Scan and SuperScan, is what is called a "port scanner". Essentially, what these do is send various packets in order to detect a wide array of aspects that may be useful to the pentester: for example, they can help identify firewalls, the software listening on ports and its version, and the operating system and its version, among others. Nmap has something called the Nmap Scripting Engine (NSE), wherein people can write scripts for recognizing and attacking various software, and I recommend you check it out! The choice of scanner depends on the scope of the engagement, what you need to do with it, the amount of customization you need, etc. Generally speaking, proprietary applications may be more useful, but are also more expensive and allow less customization, whereas open source tools are regularly updated based on feedback from a large community and are frequently checked for bugs in the program code.

About the Author

Shritam Bhowmick is an application penetration tester professionally equipped with traditional as well as professional application penetration test experience, adding value to the Defencely Inc. Red Team, and currently holds technical expertise in application threat reporting and coordination for Defencely Inc.'s global clients. Among his accomplishments, he has experience in identifying critical application vulnerabilities and adds value to Defencely Inc. with his research work. The R&D sector for application security is growing at Defencely and is taken care of by him. Professionally, he has had experience with several other companies working on critical application penetration test engagements, leading the Red Team, and also has experience training curious students in his leisure time. The application security guy!

Shritam Bhowmick has delivered numerous research papers which are mostly application security centric, and loves to go deep into the details. This approach has taken him into innovating rather than re-inventing the wheel for others to harness old security concepts. In his spare time, of which there is barely a little, he blogs, brainstorms on web security concepts and prefers to stay away from normal living. Apart from his professional life, he finds bliss in reading books, playing chess, philanthropy, and basketball for the sweat. He wildly loves watching horror movies for the thrill.


Looking for intellectual opinions. Feedback is welcome!
