Network penetration testing – Types, tools & best practices


Penetration testing is an authorized, proactive attempt to assess an IT system’s security by safely exploiting its vulnerabilities to identify application flaws, improper configurations, and potentially dangerous end-user behavior.

Network penetration testing is critical for identifying security exposures to cyberattacks launched from the internet and from the intranet. The assessment aids in the discovery of vulnerable network services that unknown threat sources can exploit.

A wide range of flaws necessitates a comprehensive penetration testing process: remote system and password compromise; web server, database, network service, network device, directory and other misconfigurations; information disclosure; and weak cryptography.

Apart from the vulnerabilities mentioned above, concerns such as threat identification, perimeter security evaluation, certification against industry regulations, IT security cost control, anti-vulnerability solutions, legal compliance, validation of security protection and, most importantly, justifying the return on security investment drive the need for penetration testing. All in all, penetration testing aids in improving the operational efficiency of IT security.

Types and stages of Penetration Testing

External Network Penetration Testing

External network penetration testing aims to show the presence of known security vulnerabilities that an attacker could exploit from outside the network’s perimeter, usually from the internet. External testing entails a review of publicly available data, a network enumeration phase, and an examination of security device behaviour. It is the traditional penetration testing method, and it entails evaluating the target’s servers, technology infrastructure, and underlying software. It is done without prior knowledge of the target environment. To assess their security posture, penetration testing should be performed on all web servers, mail servers, firewalls, routers, IDPS, and other internet-facing systems.

Internal Network Penetration Testing

Internal network penetration testing provides a comprehensive picture of a company’s security posture. An internal network security assessment uses a similar approach to an external assessment but with a more comprehensive view of the site’s security. Several network access points, representing each logical and physical network segment, are used to conduct the testing; tiers and DMZs within the environment, the corporate network, and partner company connections are examples. Internal network penetration testing is used to see whether a disgruntled employee with limited IT knowledge could break into the network, whether an attacker who has compromised weak perimeter security controls could steal sensitive information from the internal network, and whether a guest visitor walking into the company could do the same.

Profiling

Profiling entails gathering as much information as possible about the target network to identify potential entry points. This means determining the target operating systems, web server versions, DNS information, platforms in use, and the presence of vulnerabilities and exploits that could be used to launch attacks. Information can be gathered through various techniques, such as Whois lookups, querying DNS entries, Google searches (using the GHDB), social networking sites, emails, websites, and so on.

Discovery & Enumeration

Discovery entails identifying live hosts in the network using automated tools and manual techniques, and determining each target system’s operating system through banner grabbing, its open ports, the services running and their versions, technology information, and protocol versions. Enumerating an internal network allows a penetration tester to find network resources and shares, users and groups, routing tables, audit and service settings, machine names, applications and their banners, protocols, and their details. The penetration tester can use the information gathered to identify system attack points and carry out password attacks to gain unauthorized access to information systems.
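The discovery activity described above, host sweeps and port probing, leaves a distinctive footprint in perimeter logs. The following detector is an added example, not code from the original article: it reads constructed, simplified syslog-style firewall DENY records and flags, per source address, a host sweep (many distinct destinations in a short window) and a port scan (many distinct ports on one destination). The line format, field names and thresholds are assumptions to be adapted to a real firewall's log format.

```python
"""Flag host sweeps and port scans in firewall deny logs.

Added example, not code from the original article. The log line format
below is constructed (a simplified syslog-style DENY record); the field
names and thresholds are assumptions to adapt to a real firewall.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.5 sweeps four hosts on TCP/445,
# 198.51.100.7 probes five ports on one host, the rest is background noise.
SAMPLE_LOG = """\
2024-03-01T10:00:01 fw DENY src=203.0.113.5 dst=10.0.0.10 dport=445 proto=tcp
2024-03-01T10:00:01 fw DENY src=203.0.113.5 dst=10.0.0.11 dport=445 proto=tcp
2024-03-01T10:00:02 fw DENY src=203.0.113.5 dst=10.0.0.12 dport=445 proto=tcp
2024-03-01T10:00:02 fw DENY src=203.0.113.5 dst=10.0.0.13 dport=445 proto=tcp
2024-03-01T10:00:05 fw ALLOW src=10.0.0.50 dst=10.0.0.10 dport=443 proto=tcp
2024-03-01T10:00:10 fw DENY src=198.51.100.7 dst=10.0.0.20 dport=21 proto=tcp
2024-03-01T10:00:11 fw DENY src=198.51.100.7 dst=10.0.0.20 dport=22 proto=tcp
2024-03-01T10:00:12 fw DENY src=198.51.100.7 dst=10.0.0.20 dport=23 proto=tcp
2024-03-01T10:00:13 fw DENY src=198.51.100.7 dst=10.0.0.20 dport=25 proto=tcp
2024-03-01T10:00:14 fw DENY src=198.51.100.7 dst=10.0.0.20 dport=80 proto=tcp
2024-03-01T10:00:30 fw DENY src=192.0.2.9 dst=10.0.0.30 dport=23 proto=tcp
2024-03-01T10:05:30 fw DENY src=192.0.2.9 dst=10.0.0.30 dport=2323 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for a DENY record, or None for anything else (ALLOW, noise)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_scans(lines, window=timedelta(seconds=60), sweep_hosts=4, scan_ports=5):
    """Sliding-window detector: per source, count distinct destination hosts
    (host sweep) and distinct ports per destination (port scan) seen within
    `window`. Each (type, source[, destination]) is reported once."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts, seen = [], set()
    for src, evs in by_src.items():
        recent = deque()
        for e in evs:
            recent.append(e)
            # Drop events that have fallen out of the window.
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            hosts = {r["dst"] for r in recent}
            if len(hosts) >= sweep_hosts and ("sweep", src) not in seen:
                seen.add(("sweep", src))
                alerts.append({"type": "host_sweep", "src": src,
                               "distinct_hosts": len(hosts), "at": e["ts"]})
            ports = {r["dport"] for r in recent if r["dst"] == e["dst"]}
            if len(ports) >= scan_ports and ("scan", src, e["dst"]) not in seen:
                seen.add(("scan", src, e["dst"]))
                alerts.append({"type": "port_scan", "src": src, "dst": e["dst"],
                               "distinct_ports": len(ports), "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG.splitlines()):
        print(a)
```

On the sample data the detector raises one host-sweep alert for 203.0.113.5 and one port-scan alert for 198.51.100.7; the two probes from 192.0.2.9 five minutes apart stay below threshold because the first has left the window by the time the second arrives. The thresholds are deliberately low for illustration and would be tuned against a baseline of normal traffic.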

Scanning

Scanning entails using enterprise-class tools with the most up-to-date feeds, together with well-crafted manual scripts, to find vulnerabilities in network services, information systems, and perimeter security controls. Manual assessment complements the tools by eliminating the false positives they report and identifying false negatives. Scanning reveals network topology and OS flaws, application and service flaws, application and service configuration errors, and so on. During this phase the penetration tester looks for applicable exploits and assesses the attack surface.

Exploitation

This stage uses the information gathered about active ports and services, and the vulnerabilities associated with them, to safely exploit the exposed services. A combination of exploit payloads is used for attack scenarios in the production environment under agreed-upon rules of engagement. It entails using penetration testing frameworks such as Metasploit to conduct research, test exploits, and launch payloads against the target environment.

Reporting

The client is informed of all exploitable security vulnerabilities in the target system together with their CVSS v2-based scores. Each discovered security flaw is thoroughly examined and reported with appropriate recommendations or mitigation measures.

Popular tools

  • Frameworks: Kali Linux, Backtrack5 R3, Security Onion
  • Reconnaissance: Smartwhois, MxToolbox, CentralOps, dnsstuff, nslookup, dig, Netcraft
  • Discovery: Angry IP scanner, Colasoft ping tool, nmap, Maltego, NetResident, LanSurveyor, OpManager
  • Port Scanning: Nmap, Megaping, Hping3, Netscan tools pro, Advanced port scanner
  • Service Fingerprinting: Xprobe, nmap, zenmap
  • Enumeration: Superscan, Netbios enumerator, Snmpcheck, onesixtyone, Jxplorer, Hyena, DumpSec, WinFingerprint, Ps Tools, NsAuditor, Enum4Linux, nslookup, Netscan
  • Scanning: Nessus, GFI Languard, Retina, SAINT, Nexpose
  • Password Cracking: Ncrack, Cain & Abel, LC5, Ophcrack, pwdump7, fgdump, John The Ripper, Rainbow Crack
  • Sniffing: Wireshark, Ettercap, Capsa Network Analyzer
  • MiTM Attacks: Cain & Abel, Ettercap
  • Exploitation: Metasploit, Core Impact

Best practices

The following are some best practices for implementing a defense-in-depth strategy across internal network services.

  • Develop technical standards for hardening systems and network security devices.
  • Integrate security assessments with change management processes to avoid introducing vulnerabilities into technology environments.
  • Platform teams or system owners must closely monitor patch and vulnerability management.
  • Change management and firewall configuration reviews must be done regularly.
  • Conduct periodic internal and external network security assessments, including compliance checks against build standards where packaged (hardened) operating system builds are used.
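The first and last practices above, a hardening standard and compliance checks against it, can be automated as configuration drift detection. The following added example (not code from the original article) checks an sshd_config-style file against a constructed baseline of required settings; the baseline values and the sample configuration are illustrative assumptions, and a real build standard would supply its own. It handles the parsing details that commonly cause false results: comments, case-insensitive keywords, both "Key value" and "Key=value" syntax, and sshd's rule that the first occurrence of a keyword wins.

```python
"""Check an sshd_config-style file against a hardened build standard.

Added example, not code from the original article. The baseline values and
the sample configuration are constructed for illustration; a real build
standard would supply its own required settings.
"""
import re

# Constructed baseline: setting -> required value (keys compared case-insensitively,
# as sshd itself treats them).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Constructed sample configuration with a comment, both 'Key value' and
# 'Key=value' syntax, and a duplicate keyword.
SAMPLE_CONFIG = """\
# constructed sshd_config sample
Port 22
PermitRootLogin yes
PasswordAuthentication=no
X11Forwarding yes
# sshd honours the FIRST occurrence of a keyword; this later line is ignored
PasswordAuthentication yes
"""

# keyword, then either optional-space '=' optional-space or plain whitespace, then value
KEY_VALUE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_config(text):
    """Map lowercase keyword -> value, keeping the first occurrence like sshd does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_VALUE_RE.match(line)
        if not m:
            continue  # keyword with no value; sshd itself would reject such a line
        key, value = m.group(1).lower(), m.group(2).strip()
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def check_config(text, baseline):
    """Compare parsed settings to the baseline; status is ok, deviation or missing."""
    settings = parse_config(text)
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key.lower())
        if actual is None:
            status = "missing"      # relying on a compiled-in default is a gap in the build
        elif actual.lower() == expected.lower():
            status = "ok"
        else:
            status = "deviation"
        findings.append({"key": key, "expected": expected, "actual": actual, "status": status})
    return findings


def noncompliant(findings):
    return [f for f in findings if f["status"] != "ok"]


if __name__ == "__main__":
    for f in noncompliant(check_config(SAMPLE_CONFIG, BASELINE)):
        print(f"{f['status']:9} {f['key']}: expected {f['expected']!r}, found {f['actual']!r}")
```

On the sample, PasswordAuthentication passes because the first occurrence is "no", PermitRootLogin and X11Forwarding are reported as deviations, and MaxAuthTries is reported as missing. Treating a missing setting as a finding, rather than assuming the daemon's default, is what makes the check a compliance check against the build standard rather than a guess about runtime behaviour.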