BIPI

Network Pentesting Methodology: From Recon to Domain Admin

Cybersecurity

A structured walkthrough of internal network penetration testing — host discovery, service enumeration, lateral movement, and domain takeover using open-source tooling.

By Arjun Raghavan, Security & Systems Lead, BIPI · May 1, 2025 · 14 min read

#network-pentesting #nmap #lateral-movement #active-directory #domain-admin

Network penetration testing remains the bedrock of offensive security engagements. Despite cloud-first architectures, most enterprises still run flat internal networks where a single misconfigured service can cascade to domain compromise in under an hour.

Phase 1: host discovery and port scanning

Start with a fast ping sweep to map live hosts before deep-scanning. Use nmap -sn for ICMP and ARP discovery, then follow with a targeted SYN scan on common ports. Avoid noisy full-range scans on the first pass — rate-limit to stay under IDS thresholds.

  • nmap -sn 10.10.0.0/16 -oG live-hosts.txt
  • nmap -sS -p 21,22,25,80,135,139,443,445,1433,3389,5985 --open -iL live-hosts.txt
  • masscan for speed on large /8 ranges; pipe output to nmap for banner grab
  • netdiscover for ARP-based discovery in switched environments
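The rate-limiting advice above is the attacker's side of a detection threshold. As an added example (not from the original post or from BIPI's tooling), here is the defender's side: a small Python detector over a constructed, simplified connection log (Zeek conn.log-like fields, with made-up addresses) that flags a source touching many ports on one host (vertical scan) or one port on many hosts (horizontal sweep) within a sliding time window. The log format, IPs, thresholds and window sizes are all assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log sample (Zeek conn.log-style, simplified to
# timestamp, source, destination, destination port, connection state).
# 10.10.5.23 is a fast SYN scanner, 10.10.9.9 a slow one-port sweep
# (one host every five minutes), 10.10.7.8 is benign HTTPS traffic.
SAMPLE_CONN_LOG = """\
2025-05-01T09:00:00 10.10.5.23 10.10.1.10 22 S0
2025-05-01T09:00:00 10.10.5.23 10.10.1.10 80 S0
2025-05-01T09:00:01 10.10.5.23 10.10.1.10 135 S0
2025-05-01T09:00:01 10.10.5.23 10.10.1.10 139 S0
2025-05-01T09:00:01 10.10.5.23 10.10.1.10 445 SF
2025-05-01T09:00:02 10.10.5.23 10.10.1.10 1433 S0
2025-05-01T09:00:02 10.10.5.23 10.10.1.10 3389 S0
2025-05-01T09:00:02 10.10.5.23 10.10.1.10 5985 S0
2025-05-01T09:00:03 10.10.5.23 10.10.1.11 445 SF
2025-05-01T09:00:04 10.10.5.23 10.10.1.12 445 SF
2025-05-01T09:01:00 10.10.7.8 10.10.1.10 443 SF
2025-05-01T09:01:30 10.10.7.8 10.10.1.10 443 SF
2025-05-01T09:10:00 10.10.9.9 10.10.2.1 445 S0
2025-05-01T09:15:00 10.10.9.9 10.10.2.2 445 S0
2025-05-01T09:20:00 10.10.9.9 10.10.2.3 445 S0
2025-05-01T09:25:00 10.10.9.9 10.10.2.4 445 S0
2025-05-01T09:30:00 10.10.9.9 10.10.2.5 445 S0
"""


def parse_conn_log(text):
    """Parse the sample format into (timestamp, src, dst, port, state) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, state = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), state))
    events.sort(key=lambda e: e[0])
    return events


def detect_scanners(events, window_seconds, port_threshold=6, host_threshold=5):
    """Flag a source if, within any span of `window_seconds`, it touched
    >= port_threshold distinct ports on one host (vertical scan) or
    >= host_threshold distinct hosts on one port (horizontal sweep).
    Returns {source_ip: reason}; the first trigger per source wins."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, port, _state in events:
        by_src[src].append((ts, dst, port))
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
            for _ts, dst, port in evs[start:end + 1]:
                ports_by_host[dst].add(port)
                hosts_by_port[port].add(dst)
            for dst, ports in ports_by_host.items():
                if len(ports) >= port_threshold:
                    alerts[src] = f"vertical scan: {len(ports)} ports on {dst}"
            for port, hosts in hosts_by_port.items():
                if len(hosts) >= host_threshold:
                    alerts.setdefault(src, f"horizontal sweep: {len(hosts)} hosts on port {port}")
            if src in alerts:
                break
    return alerts


if __name__ == "__main__":
    events = parse_conn_log(SAMPLE_CONN_LOG)
    for label, seconds in (("60s window", 60), ("1h window", 3600)):
        print(label, detect_scanners(events, seconds))
```

Run it with both windows: the 60-second window catches the fast SYN scan but sees only one connection at a time from the slow sweep, so it misses it entirely; the one-hour window catches both. That asymmetry is exactly what the rate-limiting advice exploits, and the reason scan detection needs long-lived per-source state rather than a short burst threshold.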

Phase 2: service enumeration

Version detection and script scanning turn open ports into attack surface. NSE scripts for SMB, RPC, and SNMP often hand you credentials or OS details without any exploitation.

  • nmap -sV -sC against confirmed live hosts
  • enum4linux-ng for SMB/RPC: users, shares, password policy
  • onesixtyone + snmpwalk for SNMP community strings
  • nbtscan for NetBIOS names that reveal host roles

Phase 3: vulnerability identification

Run targeted NSE scripts for known critical vulns before reaching for Metasploit. EternalBlue, PrintNightmare, and ZeroLogon checks can be scripted in seconds and confirm exploitability without false positives.

Phase 4: initial access and lateral movement

Credential spraying against SMB, WinRM, and RDP with a single password across all discovered hosts is the fastest path to initial foothold. Tools like CrackMapExec and NetExec automate this with built-in lockout avoidance.

  1. Collect usernames via LDAP anonymous bind or enum4linux
  2. Spray with a threshold of one attempt per account per 30 minutes
  3. Pivot via WinRM (port 5985) for agentless shell
  4. Use pass-the-hash once NTLM hashes are extracted from first host
  5. BloodHound for attack path visualisation to DA
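The lockout-avoiding threshold in step 2 has a mirror image in the logs: a spray looks like many accounts failing once each from one source, which is the inverse of a brute force and slips past per-account lockout counters. As an added example (not from the original post or from the tools it names), here is a Python detector over a constructed, simplified logon-event sample (Windows 4625/4624 style fields with made-up addresses and accounts) that separates the two patterns and lists any account that later succeeded from the spraying source, which is the foothold a responder needs to find first. Event format, thresholds and window are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed logon events (Windows Security log style, simplified to
# timestamp, event ID, source IP, target account; 4625 = failure, 4624 = success).
# 10.10.5.23 sprays one password across ten accounts, then lands on svc_backup;
# 10.10.8.8 brute-forces one account; 10.10.3.3 is a user mistyping a password.
SAMPLE_LOGON_EVENTS = """\
2025-05-01T10:00:00 4625 10.10.5.23 alice
2025-05-01T10:03:00 4625 10.10.5.23 bob
2025-05-01T10:06:00 4625 10.10.5.23 carol
2025-05-01T10:09:00 4625 10.10.5.23 dave
2025-05-01T10:12:00 4625 10.10.5.23 erin
2025-05-01T10:15:00 4625 10.10.5.23 frank
2025-05-01T10:18:00 4625 10.10.5.23 grace
2025-05-01T10:21:00 4625 10.10.5.23 heidi
2025-05-01T10:24:00 4625 10.10.5.23 ivan
2025-05-01T10:27:00 4625 10.10.5.23 judy
2025-05-01T10:30:00 4624 10.10.5.23 svc_backup
2025-05-01T10:00:00 4625 10.10.8.8 administrator
2025-05-01T10:00:10 4625 10.10.8.8 administrator
2025-05-01T10:00:20 4625 10.10.8.8 administrator
2025-05-01T10:00:30 4625 10.10.8.8 administrator
2025-05-01T10:00:40 4625 10.10.8.8 administrator
2025-05-01T10:00:50 4625 10.10.8.8 administrator
2025-05-01T10:01:00 4625 10.10.8.8 administrator
2025-05-01T10:01:10 4625 10.10.8.8 administrator
2025-05-01T10:01:20 4625 10.10.8.8 administrator
2025-05-01T10:01:30 4625 10.10.8.8 administrator
2025-05-01T10:05:00 4625 10.10.3.3 mallory
2025-05-01T10:05:20 4625 10.10.3.3 mallory
2025-05-01T10:05:45 4624 10.10.3.3 mallory
"""


def parse_logon_events(text):
    """Parse the sample format into (timestamp, event_id, src, account) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, event_id, src, account = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), src, account))
    events.sort(key=lambda e: e[0])
    return events


def detect_logon_abuse(events, window_seconds=3600, min_accounts=8,
                       max_per_account=2, brute_threshold=10):
    """Classify each failing source within a sliding window: many distinct
    accounts with few failures each is a password spray; one account with many
    failures is a brute force. Also lists accounts that succeeded from the same
    source after its first failure (the likely foothold)."""
    window = timedelta(seconds=window_seconds)
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, event_id, src, account in events:
        (failures if event_id == 4625 else successes)[src].append((ts, account))
    alerts = {}
    for src, fails in failures.items():
        for i, (ts, _account) in enumerate(fails):
            # Failures from this source that fall inside the window ending at `ts`.
            per_account = Counter(a for t, a in fails[: i + 1] if ts - t <= window)
            busiest = max(per_account.values())
            if len(per_account) >= min_accounts and busiest <= max_per_account:
                kind = "password spray"
            elif busiest >= brute_threshold:
                kind = "brute force"
            else:
                continue
            # Keep the widest view of the spray (largest distinct-account count).
            if src not in alerts or alerts[src]["accounts"] < len(per_account):
                later_ok = sorted({a for t, a in successes[src] if t >= fails[0][0]})
                alerts[src] = {"kind": kind, "accounts": len(per_account), "successes": later_ok}
    return alerts


if __name__ == "__main__":
    for src, alert in detect_logon_abuse(parse_logon_events(SAMPLE_LOGON_EVENTS)).items():
        print(src, alert)
```

The window and per-account cap are tuned to the author's own spray cadence (at most two attempts per account inside an hour comfortably covers one every 30 minutes), which is the point: a lockout policy counts failures per account, while this detection counts distinct accounts per source, so the cadence that avoids one trips the other.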

Phase 5: domain takeover techniques

Kerberoasting, AS-REP roasting, and ACL abuse remain the dominant paths to Domain Admin in 2025. BloodHound shortest-path queries cut through noise to show the exact chain.

  • GetUserSPNs.py for Kerberoastable service accounts
  • GetNPUsers.py for AS-REP roastable accounts (DONT_REQ_PREAUTH)
  • BloodHound ShortestPathToDomainAdmins from owned nodes
  • DCSync via secretsdump.py once replication rights obtained
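Both roasting techniques above depend on account settings a defender can enumerate before an engagement does. As an added example (not from the original post or from the Impacket scripts it names), this Python audit reads a constructed LDIF-style directory export and flags the same conditions GetNPUsers.py and GetUserSPNs.py look for: the DONT_REQ_PREAUTH bit in userAccountControl, and SPN-bearing accounts whose msDS-SupportedEncryptionTypes still permits RC4 (or is unset). The bit values are the documented Active Directory constants; the export format, OU layout and account names are constructed, and machine and disabled accounts are skipped since they are not the weak-password targets.

```python
# Documented userAccountControl and msDS-SupportedEncryptionTypes bit values.
ACCOUNTDISABLE = 0x2
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000
DONT_REQ_PREAUTH = 0x400000
ENC_RC4_HMAC = 0x4
ENC_AES = 0x8 | 0x10  # AES128 and AES256

# Constructed LDIF-style export (made-up domain, OUs and accounts).
SAMPLE_LDIF = """\
dn: CN=svc_sql,OU=Service Accounts,DC=corp,DC=example
sAMAccountName: svc_sql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/sql01.corp.example:1433

dn: CN=svc_web,OU=Service Accounts,DC=corp,DC=example
sAMAccountName: svc_web
userAccountControl: 512
servicePrincipalName: HTTP/web01.corp.example
msDS-SupportedEncryptionTypes: 24

dn: CN=legacy_app,OU=Users,DC=corp,DC=example
sAMAccountName: legacy_app
userAccountControl: 4260352

dn: CN=WS01,OU=Workstations,DC=corp,DC=example
sAMAccountName: WS01$
userAccountControl: 4096
servicePrincipalName: HOST/ws01.corp.example

dn: CN=old_svc,OU=Service Accounts,DC=corp,DC=example
sAMAccountName: old_svc
userAccountControl: 66050
servicePrincipalName: CIFS/old01.corp.example
"""


def parse_ldif(text):
    """Split blank-line-separated LDIF records into {attribute: [values]} dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def audit_kerberos_exposure(records):
    """Return (sAMAccountName, issue) pairs for enabled user accounts that are
    AS-REP roastable or Kerberoastable with RC4-encrypted service tickets."""
    findings = []
    for rec in records:
        sam = rec.get("sAMAccountName", ["?"])[0]
        uac = int(rec.get("userAccountControl", ["0"])[0])
        if uac & ACCOUNTDISABLE or uac & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT):
            continue  # disabled or machine account: not a weak-password target
        if uac & DONT_REQ_PREAUTH:
            findings.append((sam, "AS-REP roastable: DONT_REQ_PREAUTH is set; "
                                  "clear it unless a legacy client truly needs it"))
        if rec.get("servicePrincipalName"):
            enc = int(rec.get("msDS-SupportedEncryptionTypes", ["0"])[0])
            if not enc & ENC_AES or enc & ENC_RC4_HMAC:
                findings.append((sam, "Kerberoastable with RC4 tickets: enforce AES-only "
                                      "msDS-SupportedEncryptionTypes and a long random "
                                      "password (gMSA where possible)"))
    return findings


if __name__ == "__main__":
    for sam, issue in audit_kerberos_exposure(parse_ldif(SAMPLE_LDIF)):
        print(f"{sam}: {issue}")
```

Run against a real export, the two findings map directly onto the remediation for the two list items above: remove pre-authentication exemptions, and move service accounts to AES-only ticket encryption with passwords long enough that an offline crack of the TGS hash is impractical. Unset msDS-SupportedEncryptionTypes is treated as exposed because the effective default depends on domain-wide policy and has historically permitted RC4.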
  • 4 hours: average time from first host to DA in internal tests
  • 78%: engagements where Kerberoasting yielded crackable hashes
  • Password spray: most common initial foothold vector

"BloodHound does not find vulnerabilities — it finds the truth about your Active Directory permissions."

Reporting and remediation

Every finding needs a reproducible proof-of-concept, CVSS score, and a remediation action the sysadmin can execute without a security PhD. Map each issue to CIS Controls and MITRE ATT&CK tactics for stakeholder context.
