Packet capture and analysis — intercept unencrypted credentials in transit
Build a network pentest report — map the attack surface with risk ratings
Background
Network pentesting predates web application testing and is still one of the most common engagement types. Going from "IP range" to "root shell" is the core workflow of offensive security: discover hosts, enumerate services, fingerprint versions, then exploit what the enumeration has shown to be weak.
Real-world examples:
2013 Target breach: the attacker got in with remote-access credentials stolen from a third-party HVAC contractor, scanned the internal network to find the POS segment, and pivoted to it to harvest about 40M card records.
2016 Bangladesh Bank (SWIFT) heist: after the initial compromise the attackers spent months on internal reconnaissance to locate the SWIFT messaging terminals before sending fraudulent transfer messages; $81M was lost.
2020 Garmin ransomware (WastedLocker): reconnaissance singled out file servers and backup infrastructure so the ransomware would hit them first and maximise impact; the attackers reportedly spent about three days mapping before deploying.
Typical pentest engagement: week 1 is almost entirely network recon and enumeration; exploitation comes after understanding the full attack surface.
PORT     STATE SERVICE  VERSION
2323/tcp open  telnet?
5000/tcp open  http     Werkzeug httpd 2.3.7 (Python 3.10.12)
8080/tcp open  http-alt Werkzeug httpd 2.3.7 (Python 3.10.12)
# 'telnet?' means the port answered but no version probe matched: the service is a guess from the port number, not confirmed
# Aggressive scan — OS detection, version, scripts
nmap -A -p 5000,8080,2323 $TARGET 2>/dev/null | grep -v "^#"
# Check response headers manually for version leakage
python3 << 'EOF'
import urllib.request
T = "http://target-adv18"
# Banner values this lab flags. nmap fingerprinted the service itself as Werkzeug;
# a Server header is whatever the application chooses to send, so treat it as a
# claim to verify, not proof of what is running.
FLAGS = {
    "Apache/2.4.49": "CVE-2021-41773 path traversal, RCE when mod_cgi is enabled (CVSS 7.5; the incomplete fix is CVE-2021-42013, CVSS 9.8)",
    "PHP/7.2.": "PHP 7.2 is end of life since 30 Nov 2019, multiple unpatched CVEs",
}
for port in [5000, 8080]:
    resp = urllib.request.urlopen(f"{T}:{port}/", timeout=5)
    print(f"\nPort {port} headers:")
    for k, v in resp.headers.items():
        if k.lower() in ['server', 'x-powered-by', 'x-framework', 'x-runtime', 'content-type']:
            print(f"  {k}: {v}")
            for needle, why in FLAGS.items():
                if needle in v:
                    print(f"  [!] {needle} → {why}")
print()
print("[!] Port 2323 → Telnet: cleartext credentials, no encryption")
EOF
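Substring matching on one exact banner misses a neighbouring vulnerable build such as Apache 2.4.50 or PHP 7.2.34. The checker below is an added example, not one of the lab's scripts: it parses Server and X-Powered-By values into product/version tuples and compares them against a small rule table of affected ranges. The two rules are real (Apache 2.4.49 and 2.4.50 for CVE-2021-41773 / CVE-2021-42013, the PHP 7.2 branch for end of life); the sample headers are constructed, and the table is meant to be extended rather than taken as a vulnerability database.

```python
import re
from typing import NamedTuple

# One product/version token as it appears in Server or X-Powered-By,
# e.g. "Apache/2.4.49 (Ubuntu) OpenSSL/1.1.1f PHP/7.2.34" yields three.
TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")

class Product(NamedTuple):
    name: str
    version: tuple

def parse_banner(value: str):
    """Split a header value into (name, version-tuple) pairs, lower-cased."""
    return [Product(n.lower(), tuple(int(p) for p in v.split(".")))
            for n, v in TOKEN.findall(value)]

# (product, first affected, first fixed, note). Tuples compare element-wise,
# so (7, 2, 34) falls inside [(7, 2), (7, 3)). Both rules are real; the table
# is a starting point to extend, not a vulnerability database.
RULES = [
    ("apache", (2, 4, 49), (2, 4, 51),
     "CVE-2021-41773 / CVE-2021-42013 path traversal, RCE with mod_cgi"),
    ("php", (7, 2), (7, 3),
     "PHP 7.2 branch end of life since 30 Nov 2019"),
]

def check_headers(headers):
    """Return (header, product/version, note) for every rule a banner matches.

    `headers` only needs a .get(); passing urllib's resp.headers works directly
    and keeps header-name lookups case-insensitive.
    """
    findings = []
    for h in ("Server", "X-Powered-By"):
        for prod in parse_banner(headers.get(h, "") or ""):
            for name, lo, hi, note in RULES:
                if prod.name == name and lo <= prod.version < hi:
                    ver = ".".join(map(str, prod.version))
                    findings.append((h, f"{prod.name}/{ver}", note))
    return findings

# Constructed sample of what the lab target might return; not a live capture.
SAMPLE_HEADERS = {"Server": "Apache/2.4.49 (Ubuntu)", "X-Powered-By": "PHP/7.2.0"}

if __name__ == "__main__":
    for header, product, note in check_headers(SAMPLE_HEADERS):
        print(f"[!] {header}: {product} -> {note}")
```

Against a live host, replace `SAMPLE_HEADERS` with the `resp.headers` object from the urllib call above; a banner that matches no rule is not evidence of safety, only that the table has no entry for it.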
# Demonstrate cleartext credential capture via HTTP
# (on the wire, `tcpdump -i eth0 -A 'tcp port 8080'` prints the same bytes the script describes below)
python3 << 'EOF'
import urllib.request, urllib.parse
T = "http://target-adv18:8080"
print("[*] Simulating victim submitting login form over HTTP (no TLS):")
print("    Payload: username=admin, password=SuperSecret123")
print()
# POST the form data exactly as a browser would
data = urllib.parse.urlencode({"username": "admin", "password": "SuperSecret123"}).encode()
req = urllib.request.Request(f"{T}/login", data=data,
                             headers={"Content-Type": "application/x-www-form-urlencoded"})
r = urllib.request.urlopen(req, timeout=5).read().decode()
print("[!] Server response (the credentials crossed the wire unencrypted):")
print(f"    {r}")
print()
print("[*] With tcpdump or Wireshark on the path, the capture shows:")
print("    POST /login HTTP/1.1")
print("    Host: target-adv18:8080")
print("    Content-Type: application/x-www-form-urlencoded")
print("")
print("    username=admin&password=SuperSecret123")
print()
print("[!] All HTTP traffic is visible to any on-path observer (ARP spoof, tap, MITM)")
EOF
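The script above only prints what a capture would look like. The parser below is an added example (not part of the lab) that does the extraction step: given the raw TCP payload of one HTTP/1.x request, as tcpdump -A or a pcap reassembly would hand it over, it pulls credentials out of a urlencoded login form, a Basic Authorization header (base64 is encoding, not encryption) and a query string. The field-name lists and both sample requests are constructed for the example, not real captures.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Field names that usually carry the secret and the identity in a login form.
SECRET_FIELDS = {"password", "passwd", "pass", "pwd", "secret", "token", "api_key"}
USER_FIELDS = {"username", "user", "login", "email"}

def split_http_request(raw: bytes):
    """Split one HTTP/1.x request into (request_line, headers, body).

    Headers are lower-cased; the body is cut at Content-Length so a second
    request pipelined on the same connection is not swallowed as body.
    """
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    length = int(headers.get("content-length", len(rest)))
    return lines[0], headers, rest[:length]

def extract_credentials(raw: bytes):
    """Return (source, field, value) for every credential in a cleartext request."""
    found = []
    request_line, headers, body = split_http_request(raw)
    target = request_line.split(" ")[1]
    # 1. HTTP Basic auth is base64 of user:pass, not encryption: decode it
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found.append(("basic-auth", user, pw))
    # 2. urlencoded form body (what the lab's login POST looks like on the wire)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("latin-1"), keep_blank_values=True).items():
            if field.lower() in SECRET_FIELDS | USER_FIELDS:
                found.append(("form", field, values[0]))
    # 3. secrets in a GET query string also land in proxy and server logs
    for field, values in parse_qs(urlsplit(target).query).items():
        if field.lower() in SECRET_FIELDS | USER_FIELDS:
            found.append(("query", field, values[0]))
    return found

# Constructed samples of TCP payloads as tcpdump -A would show them; not real captures.
FORM_POST = (b"POST /login HTTP/1.1\r\n"
             b"Host: target-adv18:8080\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 38\r\n"
             b"\r\n"
             b"username=admin&password=SuperSecret123")
BASIC_GET = (b"GET /admin?token=abc123 HTTP/1.1\r\n"
             b"Host: target-adv18:8080\r\n"
             b"Authorization: Basic " + base64.b64encode(b"admin:SuperSecret123") + b"\r\n"
             b"\r\n")

if __name__ == "__main__":
    for sample in (FORM_POST, BASIC_GET):
        for source, field, value in extract_credentials(sample):
            print(f"[!] {source:<10} {field} = {value}")
```

Feeding it real traffic means reassembling the TCP stream first (Wireshark's Follow TCP Stream, or a pcap reader); chunked or compressed request bodies are not handled here, and the Content-Length cut is what stops a pipelined second request from being misread as form data.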
python3 << 'EOF'
import socket
print("[*] Banner grabbing port 2323 (Telnet-like service):")
s = socket.create_connection(("target-adv18", 2323), timeout=3)
banner = b""
for _ in range(3):
    try:
        chunk = s.recv(256)
    except socket.timeout:
        break
    if not chunk:
        break
    banner += chunk
# A real telnetd prefixes its banner with IAC option negotiation (0xff 0xfd 0x01 ...).
# The 'ignore' decode drops the 0xff bytes, so stray control characters at the
# start of the banner are usually the option numbers that were left behind.
print(f"    Banner: {banner.decode('utf-8', 'ignore')!r}")
print()
print("[!] Telnet vulnerabilities:")
print("    - Credentials transmitted in cleartext (no encryption)")
print("    - Banner leaks device type and firmware version")
print("    - No brute-force protection by default")
print("    - Replace with SSH (OpenSSH 8.x+) immediately")
s.close()
EOF
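A raw recv() on a real Telnet port returns option negotiation mixed into the banner, and some daemons wait for a reply before printing the login prompt at all. The code below is an added example, not the lab's script: it strips IAC sequences, refuses every option the server asks for (DO x answered with WONT x, WILL x with DONT x, subnegotiation skipped) so the session stays in plain NVT mode, and wraps that in a banner grabber. The sample server bytes and the "lab-device" prompt are constructed for the example.

```python
import socket

# Telnet command bytes (RFC 854 / RFC 855).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

def negotiate(data: bytes):
    """Strip Telnet option negotiation from one server chunk.

    Returns (text, reply): `text` is the banner with IAC sequences removed and
    `reply` refuses every option offered or requested, which keeps the session
    in plain NVT mode, all a banner grab needs. A sequence cut off at the end of
    the chunk is dropped rather than misread as text.
    """
    text, reply = bytearray(), bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break                       # truncated: IAC with no command
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped literal 0xff
            text.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= len(data):
                break                   # truncated: command with no option byte
            opt = data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3                      # DONT/WONT need no answer
        elif cmd == SB:                 # subnegotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                           # other two-byte commands (NOP, GA, ...)
            i += 2
    return text.decode("utf-8", "ignore"), bytes(reply)

def grab_banner(host, port=2323, timeout=3, rounds=3):
    """Connect, answer negotiation, return the cleaned banner text."""
    banner = ""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for _ in range(rounds):
            try:
                chunk = s.recv(1024)
            except socket.timeout:
                break
            if not chunk:
                break
            text, reply = negotiate(chunk)
            banner += text
            if reply:
                s.sendall(reply)
    return banner

# Constructed sample of a server's first bytes: DO ECHO (1), WILL SUPPRESS-GO-AHEAD (3),
# then a login prompt. Not captured from a real device.
SAMPLE = bytes([IAC, DO, 1, IAC, WILL, 3]) + b"lab-device login: "

if __name__ == "__main__":
    text, reply = negotiate(SAMPLE)
    print(f"banner: {text!r}")
    print(f"reply : {reply.hex(' ')}")
```

Refusing every option is the right default for reconnaissance: accepting ECHO or terminal-type subnegotiation only matters once you intend to log in, and the banner itself is what goes in the report.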
python3 << 'EOF'
print("=" * 62)
print(" NETWORK PENTEST REPORT — target-adv18")
print("=" * 62)
print()
# (severity, affected component, detail). Severity is the engagement risk rating,
# which weighs exposure and business impact; it is not a raw CVSS base score.
findings = [
    ("CRITICAL", "Apache/2.4.49", "CVE-2021-41773 path traversal, RCE with mod_cgi (CVSS 7.5; incomplete fix is CVE-2021-42013, CVSS 9.8)"),
    ("CRITICAL", "Telnet on 2323", "Cleartext auth; any observer on the path reads credentials"),
    ("CRITICAL", "HTTP on 8080", "Login form over cleartext HTTP, credential exposure"),
    ("HIGH", "PHP/7.2.0 EoL", "No security patches since 30 Nov 2019; multiple unpatched CVEs"),
    ("HIGH", "/admin exposed", "Admin endpoint returns credentials with no auth"),
    ("MEDIUM", "Version banners", "Server/X-Powered-By headers fingerprint exact versions"),
    ("LOW", "No HSTS", "Once HTTPS is deployed, browsers can still be downgraded to HTTP without it"),
]
ICON = {"CRITICAL": "🔴", "HIGH": "🟠", "MEDIUM": "🟡", "LOW": "🟢"}
for sev, title, detail in findings:
    print(f" {ICON[sev]} [{sev:<8}] {title}")
    print(f"     {detail}")
print()
print(" Recommended Remediation Priority:")
print("   1. Immediately: disable Telnet → SSH only")
print("   2. Immediately: force HTTPS on all services (TLS 1.2+)")
print("   3. This week: upgrade Apache to a current 2.4.x (2.4.51 fixed both CVEs), PHP → 8.2+")
print("   4. This week: remove /admin from public access (IP allowlist)")
print("   5. This month: suppress all version disclosure headers")
EOF
exit