Day 3 of 5
⏱ ~60 minutes
Penetration Testing in 5 Days — Day 3

Network Penetration Testing

Network tests go beyond web apps to attack infrastructure: routers, switches, VPNs, Active Directory, and internal services. Today covers the tools and techniques for internal network engagements.

Active Directory Attacks

Active Directory (AD) is the backbone of Windows enterprise networks. Common attacks: AS-REP Roasting (against accounts with Kerberos pre-authentication disabled), Kerberoasting (requesting service tickets and cracking them offline), Pass-the-Hash (authenticating with a reused NTLM hash instead of the password), and BloodHound (a tool that maps AD attack paths). Impacket is a Python library whose example scripts cover these Kerberos and NTLM attacks.

Man-in-the-Middle with Responder

Responder poisons LLMNR, NBT-NS, and mDNS requests on a LAN, so Windows hosts authenticate to the attacker's machine and hand over their NetNTLMv2 hashes automatically. Combined with Hashcat, you can crack weak passwords and use them for lateral movement. The attack is passive: run Responder and wait for hosts whose DNS lookups fail and fall back to broadcast name resolution.

Password Attacks

Dictionary attacks use wordlists (rockyou.txt has 14M passwords). Rule-based attacks apply transformations (append numbers, capitalize the first letter). Hashcat supports GPU acceleration: an RTX 3080 cracks 40+ billion MD5 hashes per second. Hydra and Medusa brute-force network services: SSH, RDP, SMB, FTP, and web login forms.

```bash
# Kerberoasting with Impacket
GetUserSPNs.py -request -dc-ip 192.168.1.10 DOMAIN/user:password

# Crack Kerberos ticket with Hashcat (mode 13100 = Kerberos 5 TGS-REP etype 23)
hashcat -m 13100 krb5tgs.hash /usr/share/wordlists/rockyou.txt

# Responder on LAN interface
responder -I eth0 -rdwv

# Crack captured NTLMv2 hashes (mode 5600 = NetNTLMv2)
hashcat -m 5600 ntlmv2.hash /usr/share/wordlists/rockyou.txt

# BloodHound data collection
SharpHound.exe -c All
# Then import .zip into BloodHound GUI

# Hydra SSH brute-force
hydra -l admin -P /usr/share/wordlists/rockyou.txt \
  ssh://192.168.1.100
```
💡
Run Responder only during business hours when users are actively browsing: you need live systems making name resolution requests. Passive hash capture requires victim activity.
📝 Day 3 Exercise
Kerberoast a Lab AD Environment
  1. Set up a Windows Server 2019 evaluation VM and configure Active Directory
  2. Create 2 service accounts with SPNs (setspn -A http/svc01 domain\svcaccount)
  3. Run GetUserSPNs.py to request and capture service tickets
  4. Crack the tickets with Hashcat using the rockyou.txt wordlist
  5. Map the attack path in BloodHound using SharpHound data collection
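Once the exercise runs, check what the domain controller recorded. The Kerberoast request in step 3 shows up as a burst of Security event 4769 (service ticket requested) entries from one user with RC4 encryption type 0x17. The detector below is an added example, not part of the lesson; it assumes the events are already parsed into dicts with the 4769 fields named here, and the sample records are constructed.

```python
"""Flag likely Kerberoasting bursts in Windows Security event 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (hypothetical users/services): alice pulls RC4 tickets for
# three SPN accounts within seconds (the GetUserSPNs.py -request pattern);
# bob's activity is ordinary.
SAMPLE_4769 = [
    {"TimeCreated": "2024-03-01T09:00:01", "TargetUserName": "alice@CORP",
     "ServiceName": "svc01", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-03-01T09:00:02", "TargetUserName": "alice@CORP",
     "ServiceName": "svc02", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-03-01T09:00:02", "TargetUserName": "alice@CORP",
     "ServiceName": "svc03", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-03-01T09:00:05", "TargetUserName": "alice@CORP",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},   # machine acct
    {"TimeCreated": "2024-03-01T09:02:10", "TargetUserName": "bob@CORP",
     "ServiceName": "fileserver", "TicketEncryptionType": "0x12"},  # AES256
    {"TimeCreated": "2024-03-01T09:15:00", "TargetUserName": "bob@CORP",
     "ServiceName": "svc01", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-03-01T09:40:00", "TargetUserName": "bob@CORP",
     "ServiceName": "svc02", "TicketEncryptionType": "0x17"},
]

RC4_ETYPE = "0x17"              # RC4-HMAC: the crackable ticket type Kerberoasting asks for
IGNORED_SERVICES = {"krbtgt"}   # TGT traffic; machine accounts (name ends in $) also skipped


def kerberoast_suspects(events, window=timedelta(minutes=5), min_spns=3):
    """Return {user: sorted service names} for every user that requested
    RC4 tickets for at least `min_spns` distinct service accounts inside
    any `window`-long interval."""
    by_user = defaultdict(list)
    for ev in events:
        svc = ev["ServiceName"]
        if ev["TicketEncryptionType"].lower() != RC4_ETYPE:
            continue
        if svc in IGNORED_SERVICES or svc.endswith("$"):
            continue
        by_user[ev["TargetUserName"]].append(
            (datetime.fromisoformat(ev["TimeCreated"]), svc))
    suspects = {}
    for user, reqs in by_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):            # sliding time window
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {s for _, s in reqs[start:end + 1]}
            if len(spns) >= min_spns:
                suspects[user] = sorted(spns)
                break
    return suspects
```

Tune `window` and `min_spns` against a baseline of your own 4769 volume; accounts that legitimately touch many RC4-only services will otherwise appear as false positives.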

Day 3 Summary

  • Active Directory attacks: Kerberoasting, Pass-the-Hash, BloodHound paths
  • Responder captures NTLMv2 hashes passively from misconfigured Windows hosts
  • Hashcat with GPU acceleration cracks most weak passwords quickly
  • Impacket provides Python-based tools for all major AD attacks
  • BloodHound visualizes privilege escalation paths through AD
Challenge

Set up a two-machine AD lab (DC + workstation) and complete a full kill chain: Responder hash capture → Hashcat crack → SMB login → BloodHound enumeration → escalate to Domain Admin.
