PT0-002 | Chapter 6 of 104 | Objective 3.1

Network Exploitation

This chapter covers network exploitation techniques used by penetration testers to compromise target networks after gaining initial access. You will learn how attackers move laterally, escalate privileges, and exfiltrate data while evading detection. For the PT0-002 exam this material sits in the Attacks and Exploits domain: objective 3.1 covers network attacks, and the post-exploitation side (lateral movement, persistence, cleanup) is objective 3.7. Expect it in both multiple-choice and performance-based questions.

25 min read
Intermediate
Updated May 31, 2026

Network Exploitation as a Locked Building

Imagine a large office building with multiple security layers. At the street level, there is a reception desk where visitors must sign in and show ID (this is like the perimeter firewall). Behind the reception, there are locked doors to different departments (internal network segments). Each department has its own security guard (host firewall) who checks badges. An attacker's goal is to get to the server room in the basement (critical data). To do this, they first case the building from outside, looking for unlocked windows or delivery doors (port scanning). They might pretend to be a delivery person to get past reception (spoofing or social engineering). Once inside, they tailgate an employee through a badge door (ARP spoofing or exploiting trust). They then find an unlocked closet with network jacks (open ports) and plug in a device to map the internal layout (network scanning). They discover a maintenance access panel with a default code (default credentials) that leads to a server room corridor. Finally, they bypass the last door by exploiting a faulty lock (software vulnerability) and access the server rack. Each step in the building has a parallel in network exploitation: reconnaissance, initial access, lateral movement, privilege escalation, and data exfiltration. The key is that each layer must be bypassed in sequence, and failure at any step alerts the guards (IDS/IPS).

How It Actually Works

What is Network Exploitation?

Network exploitation refers to the phase of a penetration test where the attacker leverages initial access to expand control within a target network. It includes lateral movement, privilege escalation, data exfiltration, and maintaining persistence. The goal is to simulate real-world attackers who, after breaching a perimeter, systematically compromise internal systems to reach high-value targets.

The Exploitation Lifecycle

Network exploitation follows a structured lifecycle:
- Reconnaissance: After gaining a foothold, the attacker scans the internal network to discover hosts, services, and trust relationships.
- Lateral Movement: Using compromised credentials or exploits, the attacker moves from one system to another, often over protocols like SMB, RDP, or WinRM.
- Privilege Escalation: The attacker elevates privileges on a compromised host to gain administrative control, often by exploiting misconfigurations or kernel vulnerabilities.
- Persistence: The attacker installs backdoors or creates new accounts to maintain access even after reboots or credential changes.
- Data Exfiltration: Sensitive data is collected and transferred out of the network, often over encrypted channels or blended with normal traffic.

Key Techniques for Lateral Movement

1. Pass-the-Hash (PtH): The attacker authenticates to remote systems with a user's NTLM hash instead of the plaintext password. This works because NTLM challenge-response is keyed on the NT hash, so the hash is the secret and the password is never needed. mimikatz can extract hashes from LSASS memory. Command example (Impacket's psexec.py; the Sysinternals psexec.exe has no -hashes option): psexec.py -hashes <LM:NT> <domain>/<user>@<target_ip> cmd.exe

2. Pass-the-Ticket (PtT): The attacker steals Kerberos tickets (TGT or service tickets) and reuses them to access services. This survives password changes until the ticket expires. Tools like mimikatz or Rubeus can export tickets.

3. Overpass-the-Hash: The attacker uses an NTLM hash as the RC4-HMAC Kerberos key to request a TGT for the account (mimikatz sekurlsa::pth or Rubeus asktgt), then uses that TGT to reach resources that require Kerberos authentication, including environments where NTLM is disabled.

4. Remote Desktop Protocol (RDP): Using stolen credentials, the attacker logs on interactively to remote desktops. RDP normally needs a password or a Kerberos ticket; a bare hash only works against hosts with Restricted Admin mode enabled (mimikatz sekurlsa::pth with mstsc /restrictedadmin, or xfreerdp /pth). RDP logons (event ID 4624, logon type 10) are routinely logged and audited.

5. Windows Management Instrumentation (WMI): The attacker uses WMI to execute commands remotely. Command: wmic /node:<target_ip> process call create "cmd.exe /c whoami"

6. PowerShell Remoting: Uses WinRM to execute PowerShell commands remotely. Command: Enter-PSSession -ComputerName <target_ip> -Credential <cred>

7. SSH Tunneling: On Linux (and from any host with an SSH client), attackers use SSH port forwarding (-L, -R, -D) to reach internal services through a host they already control, pivoting past segmentation.
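The mechanism behind the pass-the-hash, overpass-the-hash and LM:NT format points above, as an added example that is not part of the original chapter: the NT hash is MD4 over the UTF-16LE password, and the NTLMv2 response a client sends is an HMAC-MD5 chain keyed on that hash, so an attacker holding only the dumped hash produces a byte-identical response. MD4 is implemented inline because OpenSSL 3 builds of Python often do not expose it through hashlib. The user, domain, server challenge and client blob are constructed values.

```python
"""Why pass-the-hash works: the NTLMv2 proof is keyed on the NT hash, not on
the password. Added example; MD4 is implemented inline because OpenSSL 3
builds of Python often do not expose it through hashlib."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
# LM field of an LM:NT pair when LM hashes are not stored (the usual case).
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, the digest underneath every NT hash."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian

    def f(x, y, z): return (x & y) | ((~x & MASK) & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    rounds = (  # (mix function, word order, shift schedule, additive constant)
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c                # rotate roles: next op updates old d
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). Unsalted, hence replayable."""
    return md4(password.encode("utf-16le"))


def hash_string(nt: bytes) -> str:
    """LM:NT form that impacket's psexec.py -hashes and mimikatz /ntlm expect."""
    return f"{EMPTY_LM_HASH}:{nt.hex()}"


def ntlmv2_response(nt: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2 response (MS-NLMP 3.3.2): HMAC-MD5 chain keyed on the NT hash."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    nt_proof = hmac.new(ntowf_v2, server_challenge + client_blob, hashlib.md5).digest()
    return nt_proof + client_blob


def client_response(password: str, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """What a legitimate Windows client computes from the typed password."""
    return ntlmv2_response(nt_hash(password), user, domain, server_challenge, client_blob)


def attacker_response(lm_nt: str, user: str, domain: str,
                      server_challenge: bytes, client_blob: bytes) -> bytes:
    """What an attacker computes from a dumped LM:NT string; no password involved."""
    nt = bytes.fromhex(lm_nt.split(":")[1])
    return ntlmv2_response(nt, user, domain, server_challenge, client_blob)


# Constructed values standing in for the NEGOTIATE/CHALLENGE exchange.
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes.fromhex("aabbccddeeff0011") + b"\x00" * 4

if __name__ == "__main__":
    dumped = hash_string(nt_hash("Winter2024!"))      # as mimikatz would print it
    print("dumped:", dumped)
    legit = client_response("Winter2024!", "alice", "CORP", SERVER_CHALLENGE, CLIENT_BLOB)
    pth = attacker_response(dumped, "alice", "CORP", SERVER_CHALLENGE, CLIENT_BLOB)
    print("responses identical:", legit == pth)
```

The empty-password NT hash the block produces is the 31d6cfe0... value quoted later in this chapter, and the LM half is the constant aad3b435... that appears whenever LM hashes are disabled, which is why those two strings show up in nearly every dump.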

Privilege Escalation Methods

Kernel Exploits: Vulnerabilities in the operating system kernel allow escalation from user to root/system. Example: CVE-2021-1732 on Windows.

Misconfigured Services: Services running with SYSTEM or root privileges that can be manipulated. For example, a service with weak permissions on its binary can be replaced.

Token Impersonation: On Windows, attackers can steal access tokens from other processes to gain their privileges. Tools: Incognito module in Metasploit.

DLL Hijacking: Placing a malicious DLL in a directory that a legitimate application loads before the intended DLL.

SUID/SGID Files: On Linux, executables with the SUID (or SGID) bit set run with the owner's (or group's) privileges rather than the caller's. If owned by root and the program can be coaxed into running a shell or writing files, they can be exploited.

Sudo Misconfiguration: Users may have sudo rights to specific commands that can be abused to gain a shell.
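The unquoted-service-path and weak-service-permission cases above, worked through as an added example (not code from the chapter): Windows resolves an unquoted ImagePath containing spaces by trying each space-delimited prefix with .exe appended before it reaches the real binary, so the question is simply which of those candidate files a low-privileged user could create. The service definitions and writable directories are constructed, standing in for `sc qc` and `icacls` output; the candidate generation stops at the intended binary and ignores its arguments, a simplification noted in the code.

```python
"""Unquoted service path triage, an added example (not from the chapter).

When a service's ImagePath is unquoted and contains spaces, CreateProcess
tries each space-delimited prefix with .exe appended before reaching the real
binary. A directory writable by a low-privileged user anywhere along that
path lets them plant a binary that runs as SYSTEM when the service starts.
Service definitions and writable directories below are constructed, as they
would come from `sc qc`/`reg query` and `icacls`/accesschk output."""
from __future__ import annotations

import ntpath
from typing import Iterable


def executable_candidates(image_path: str) -> list[str]:
    """Paths tried, in order, for an ImagePath. Simplification: generation
    stops at the first token ending in .exe (the intended binary), and
    arguments after it are ignored."""
    if image_path.startswith('"'):
        return [image_path.split('"')[1]]          # quoted: exactly one lookup
    candidates = []
    tokens = image_path.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def _norm_dir(path: str) -> str:
    return ntpath.normcase(path.rstrip("\\"))


def plantable(image_path: str, writable_dirs: Iterable[str]) -> list[str]:
    """Candidates whose parent directory the current user can write to.
    Each returned path is a file name that, if created, runs in place of the service."""
    writable = {_norm_dir(d) for d in writable_dirs}
    return [c for c in executable_candidates(image_path)
            if _norm_dir(ntpath.dirname(c)) in writable]


def triage(services: dict[str, str], writable_dirs: Iterable[str]) -> dict[str, list[str]]:
    """Map service name -> plantable paths, for the services worth reporting."""
    report = {}
    for name, image_path in services.items():
        hits = plantable(image_path, writable_dirs)
        if hits:
            report[name] = hits
    return report


# Constructed sample: three services and the directories icacls says we can write.
SERVICES = {
    "AgentSvc":  r"C:\Custom Tools\Agent Service\agent.exe --service",
    "VendorSvc": r'"C:\Program Files\Vendor\vsvc.exe" -k',
    "Dhcp":      r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",
}
WRITABLE_DIRS = [r"C:\Custom Tools", r"C:\Users\bob\AppData\Local\Temp"]

if __name__ == "__main__":
    for svc, paths in triage(SERVICES, WRITABLE_DIRS).items():
        print(f"{svc}: plant payload at {paths}")
```

Only AgentSvc is reported: its first candidate, C:\Custom.exe, needs write access to the drive root, which users do not have, but the second, C:\Custom Tools\Agent.exe, lands in the writable directory. Quoting the path (VendorSvc) removes every candidate but the real binary, which is the fix.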

Data Exfiltration Techniques

DNS Tunneling: Encoding data in DNS queries to bypass firewall inspection. Tools: dnscat2, iodine.

HTTP/HTTPS Tunneling: Wrapping data in HTTP requests to blend with web traffic.

ICMP Exfiltration: Hiding data in ICMP echo packets (e.g., ping).

Encrypted Archives: Compressing and encrypting data before exfiltration to avoid detection by DLP systems.

Steganography: Hiding data in images or other media.

Evading Detection

Living off the Land: Using built-in system tools (e.g., PowerShell, WMI, certutil) to avoid triggering antivirus.

Timing Attacks: Performing actions during off-peak hours to avoid security operations center (SOC) attention.

Encrypted Channels: Using TLS or custom encryption for command and control (C2).

Log Tampering: Clearing event logs or modifying timestamps.

Configuration and Verification Commands

Windows: net use \\target\ipc$ /user:username password to establish a connection.

Linux: ssh -L 8080:localhost:80 user@target for local port forwarding.

Checking for SUID files: find / -perm -4000 2>/dev/null

Checking for weak service permissions on Windows: sc qc servicename shows the binary path and start type (look for an unquoted path with spaces); the service object's own ACL comes from sc sdshow servicename, and accesschk.exe -ucqv servicename or icacls on the binary's directory shows what a low-privileged user is allowed to change.

Interaction with Related Technologies

Active Directory: Many lateral movement techniques rely on AD trust relationships and Kerberos.

Firewalls: Internal firewalls may segment networks, requiring attackers to pivot through multiple hosts.

IDS/IPS: Exploitation tools must avoid signature-based detection; using custom payloads or encryption helps.

Endpoint Protection: Antivirus and EDR may block known exploits; attackers use obfuscation and fileless techniques.

Walk-Through

1. Initial Foothold Establishment

The attacker first gains access to a single host, often through phishing, exploiting a public-facing application, or using default credentials. At this stage, the attacker has limited privileges (e.g., a standard user) and is likely on a low-value system like a workstation. The attacker then performs reconnaissance to map the internal network, including running `ipconfig` or `ifconfig` to determine the IP address, subnet mask, and default gateway. They may also query DNS or use ARP scanning to discover nearby hosts. This step is critical because it defines the attacker's starting position and available tools.

2. Internal Reconnaissance

Using the foothold, the attacker scans internal subnets to identify live hosts and open ports. Tools like `nmap` or `PowerShell` cmdlets (e.g., `Test-NetConnection`) are used. The attacker looks for common services such as SMB (port 445), RDP (3389), WinRM (5985/5986), and SSH (22). They also enumerate domain controllers, file servers, and database servers. This step reveals potential targets for lateral movement. The attacker may also extract cached credentials from the compromised host using tools like `mimikatz` or `LaZagne` to obtain plaintext passwords or hashes.

3. Credential Theft and Reuse

The attacker dumps credentials from the compromised host's memory, registry, or LSASS process. On Windows, `mimikatz` can extract NTLM hashes, Kerberos tickets, and even plaintext passwords if WDigest is enabled. On Linux, an attacker who already has root may read `/etc/shadow` or the memory of running processes. These credentials are then used for pass-the-hash or pass-the-ticket attacks to authenticate to other systems without needing plaintext passwords. For example, `sekurlsa::logonpasswords` in mimikatz reveals cached credentials. The attacker prioritizes high-privilege accounts like domain admins.

4. Lateral Movement to Target

Using stolen credentials, the attacker moves laterally to a more valuable system, such as a file server or domain controller. Common methods include using `psexec` to execute commands remotely via SMB, or `winrm` for PowerShell remoting. The attacker may also use RDP to interactively log on. To avoid detection, they may use built-in tools like `wmic` or `schtasks` to create scheduled tasks on remote hosts. The goal is to reach a system that contains sensitive data or provides elevated privileges. Each lateral move increases the risk of detection, so attackers often use encryption and mimic normal administrative traffic.

5. Privilege Escalation on Target

Once on the target system, the attacker escalates privileges to administrator or root. This may involve exploiting a local vulnerability (e.g., CVE-2021-1732 on Windows, CVE-2021-3156 on Linux), abusing misconfigured services, or using token impersonation. Tools like `PowerUp` or `BeRoot` automate the identification of privilege escalation vectors. After gaining elevated privileges, the attacker can disable security tools, dump additional credentials, and install persistent backdoors. This step is often the most noisy and may trigger alerts if not done carefully.

6. Persistence and Data Exfiltration

To maintain access, the attacker installs backdoors such as creating a new local user, installing a service, or scheduling a task that calls back to a C2 server. They may also modify system files or use registry run keys. Data exfiltration then begins: the attacker locates sensitive files (e.g., databases, documents) and transfers them out using encrypted channels like HTTPS or DNS tunneling. They may compress and encrypt data to avoid DLP detection. The attacker also covers tracks by clearing event logs and removing tools. This step concludes the exploitation phase, but the attacker may remain dormant for future operations.

What This Looks Like on the Job

Scenario 1: Enterprise Active Directory Compromise

In a large enterprise with thousands of workstations and hundreds of servers, an attacker gains initial access via a spear-phishing email that installs a remote access trojan (RAT) on a user's laptop. The laptop is joined to the corporate domain. The attacker uses mimikatz to extract the user's NTLM hash and discovers that the user is a local administrator on their machine. Using pass-the-hash, the attacker moves to a file server that hosts shared drives. From there, they enumerate domain trusts and find that the domain controller is accessible. They exploit a Kerberos vulnerability (e.g., MS14-068) to forge a ticket granting ticket (TGT) and gain domain admin privileges. The attacker then dumps the entire Active Directory database using ntdsutil and exfiltrates it via HTTPS to an external server. The misconfiguration that allowed this was the lack of network segmentation and the use of a single domain with no tiering model. The attacker's movements were not detected because the SOC lacked visibility into lateral movement and relied solely on perimeter defenses.

Scenario 2: Cloud Network Exploitation

In a cloud environment (AWS), an attacker finds access keys for an IAM user in a publicly readable S3 bucket. Using the keys, they enumerate the account and discover that the IAM user is allowed to launch EC2 instances. The attacker launches a new instance in a private subnet with user data that starts a reverse shell. From that instance, they scan the internal VPC and find a database server listening on port 3306 (MySQL) that no security group restricts. They tunnel a MySQL client through SSH to it and log in with database credentials recovered during the intrusion (IAM keys alone do not authenticate to MySQL). Inside the database, they find plaintext passwords for other services. They then pivot to a jump box and eventually reach a server containing credit card data, which they copy to an attacker-controlled external S3 bucket using the same AWS API access. The root cause was over-permissive IAM permissions and the absence of security-group and network ACL rules restricting traffic between subnets.

Common Failures and Misconfigurations

Flat Networks: Lack of segmentation allows attackers to move easily from a workstation to a sensitive server.

Legacy NTLM Authentication: Pass-the-hash is effective because most domains still accept NTLM alongside Kerberos; weak password policies compound the problem by making any captured hash easy to crack as well.

Unpatched Systems: Privilege escalation exploits often rely on known vulnerabilities that remain unpatched.

Insufficient Logging: Without proper logging of lateral movement (e.g., event ID 4624 logon type 3 with NTLM from a workstation, 4648 explicit-credential logons, 4672 special privileges assigned), attackers go undetected.

Overprivileged Service Accounts: Service accounts with domain admin rights are prime targets for credential theft.
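What the "insufficient logging" failure costs, shown from the defender's side as an added example that is not part of the chapter: a small triage over Security event 4624 records that flags NTLM network logons fanning out from one source to several hosts in a short window, the pattern a pass-the-hash sweep with psexec or wmic leaves behind. The records are constructed; real ones from Get-WinEvent or a SIEM export carry the same field names.

```python
"""Lateral-movement triage over Windows Security event 4624 records, an
added example (not part of the chapter). Two weak signals that are strong
together: network logons (type 3) authenticated with NTLM inside a domain
where Kerberos is expected, and one source reaching many hosts in a short
window. Records below are constructed; real ones come from Get-WinEvent
or a SIEM export and carry the same field names."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624 events: Computer is the host that logged the event.
RAW_EVENTS = [
    {"TimeCreated": "2024-03-04T09:00:10", "Computer": "FS01",  "TargetUserName": "alice",
     "LogonType": "3", "AuthenticationPackageName": "NTLM",     "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2024-03-04T09:00:31", "Computer": "SQL02", "TargetUserName": "alice",
     "LogonType": "3", "AuthenticationPackageName": "NTLM",     "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2024-03-04T09:01:02", "Computer": "DC01",  "TargetUserName": "alice",
     "LogonType": "3", "AuthenticationPackageName": "NTLM",     "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2024-03-04T09:01:40", "Computer": "WEB03", "TargetUserName": "alice",
     "LogonType": "3", "AuthenticationPackageName": "NTLM",     "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2024-03-04T09:15:00", "Computer": "FS01",  "TargetUserName": "bob",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.5.40"},
    {"TimeCreated": "2024-03-04T11:00:00", "Computer": "FS01",  "TargetUserName": "bob",
     "LogonType": "2", "AuthenticationPackageName": "Kerberos", "IpAddress": "-"},
    {"TimeCreated": "2024-03-04T11:30:00", "Computer": "PRN01", "TargetUserName": "svc_print",
     "LogonType": "3", "AuthenticationPackageName": "NTLM",     "IpAddress": "10.0.9.5"},
]


def parse(event: dict) -> dict:
    """Turn the string fields of an exported event into typed values."""
    e = dict(event)
    e["TimeCreated"] = datetime.fromisoformat(event["TimeCreated"])
    e["LogonType"] = int(event["LogonType"])
    return e


def ntlm_network_logons(events):
    """Type-3 logons that used NTLM; in a Kerberos domain each one deserves a look."""
    return [e for e in events if e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM"]


def fan_out(events, window=timedelta(minutes=10), threshold=3):
    """(source IP, account) pairs whose NTLM network logons reached at least
    `threshold` distinct hosts inside some `window`-long span."""
    by_source = defaultdict(list)
    for e in ntlm_network_logons(events):
        by_source[(e["IpAddress"], e["TargetUserName"])].append(e)
    alerts = {}
    for key, evs in by_source.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, first in enumerate(evs):
            hosts = {e["Computer"] for e in evs[i:]
                     if e["TimeCreated"] - first["TimeCreated"] <= window}
            if len(hosts) >= threshold:
                alerts[key] = sorted(hosts)
                break
    return alerts


EVENTS = [parse(e) for e in RAW_EVENTS]

if __name__ == "__main__":
    for (ip, user), hosts in fan_out(EVENTS).items():
        print(f"{user} from {ip} -> {', '.join(hosts)} via NTLM within 10 min")
```

The single NTLM logon by svc_print is noise on its own (printers and appliances often cannot do Kerberos), which is why the rule keys on fan-out rather than on NTLM alone; collecting 4624 from member servers, not just domain controllers, is what makes the Computer field available.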

How PT0-002 Actually Tests This

PT0-002 Exam Focus

This section covers Objective 3.1: Given a scenario, research attack vectors and perform network attacks. The exam tests your ability to identify and execute the correct exploitation technique based on the scenario. Key areas include:
- Pass-the-Hash vs. Pass-the-Ticket: Know the difference and when to use each. PtH works wherever NTLM is accepted; PtT works wherever Kerberos is.
- Lateral Movement Tools: Be familiar with psexec, wmic, winrm, ssh, and scp. Understand that psexec needs local administrator rights on the target and SMB access to its ADMIN$ share.
- Privilege Escalation Vectors: Common misconfigurations like unquoted service paths, weak service permissions, and missing patches.
- Data Exfiltration Methods: DNS tunneling, HTTPS, and ICMP. Know that DNS tunneling is often chosen because outbound DNS is almost always allowed through the firewall.

Common Wrong Answers

1. Using plaintext passwords instead of hashes: Candidates often think passwords are required for lateral movement, but pass-the-hash uses hashes. The exam may present a scenario where only hashes are available; the correct answer is to use PtH.

2. Selecting RDP for lateral movement when credentials are hashes: RDP normally requires a plaintext password or a Kerberos ticket; a hash only works against hosts with Restricted Admin mode enabled. If only hashes are available, the expected answer is PtH over SMB (psexec) or WMI.

3. Choosing a kernel exploit when a service misconfiguration exists: The exam often includes a service with weak permissions; the correct choice is to exploit the service, not a kernel bug.

4. Using FTP for exfiltration when HTTPS is available: FTP is often blocked; HTTPS blends with normal traffic and is more likely to succeed.

Specific Numbers and Values

Default SMB port: 445

Default RDP port: 3389

Default WinRM ports: 5985 (HTTP), 5986 (HTTPS)

Default SSH port: 22

Mimikatz command for hashes: sekurlsa::logonpasswords

NTLM hash format: LM:NT (e.g., aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0)

Edge Cases

When NTLM is disabled and Kerberos is enforced, classic pass-the-hash fails; use pass-the-ticket, or overpass-the-hash to turn the NTLM hash into a TGT.

On Linux, lateral movement often uses SSH keys; if keys are found, use ssh -i key.

For data exfiltration, if all outbound ports are blocked except DNS, use DNS tunneling.

How to Eliminate Wrong Answers

If the scenario mentions "hashes" and "SMB", the answer is likely pass-the-hash.

If the scenario mentions "Kerberos tickets", the answer is pass-the-ticket.

If the scenario involves a service running as SYSTEM with weak permissions, the answer is to abuse the service.

Always consider the path of least resistance: exploit misconfigurations before attempting complex exploits.

Key Takeaways

Pass-the-hash uses NTLM hashes, not plaintext passwords, to authenticate to SMB and other services.

Pass-the-ticket uses Kerberos tickets; it is effective in Kerberos-only environments.

Common lateral movement tools: psexec, wmic, winrm, ssh, and scp.

Privilege escalation often exploits misconfigured services, unquoted paths, or missing patches.

Data exfiltration can use DNS tunneling, HTTPS, ICMP, or steganography to evade detection.

Cleanup is part of the engagement: remove tools, shells, and accounts you created. Clearing event logs is an attacker anti-forensics technique; a tester only does it when the rules of engagement explicitly call for it, because it destroys the client's evidence.

Network segmentation and least-privilege principles are key defenses against lateral movement.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Pass-the-Hash (PtH)

Uses NTLM hashes for authentication

Works with SMB, WMI, and other NTLM-based protocols

Does not require Kerberos

Can be performed with tools like Mimikatz and psexec

Less effective in environments that enforce Kerberos-only authentication

Pass-the-Ticket (PtT)

Uses Kerberos tickets (TGT or service tickets)

Works with any Kerberos-authenticated service

Requires a domain environment

Can be performed with tools like Mimikatz and Rubeus

Bypasses NTLM restrictions and can access services that require Kerberos

Watch Out for These

Mistake

Pass-the-hash requires plaintext password.

Correct

Pass-the-hash uses the NTLM hash directly; no plaintext password is needed. The hash is used to authenticate to SMB or other NTLM-based services.

Mistake

Lateral movement always requires administrative privileges.

Correct

Authenticating with a hash does not require admin rights: a non-admin user's hash still grants whatever that user can reach, such as SMB shares. What requires local administrator on the target is remote code execution via psexec, WMI, or PowerShell remoting (the ADMIN$ share, or membership in the relevant remote management group).

Mistake

Data exfiltration only works over HTTP or HTTPS.

Correct

Data can be exfiltrated over many protocols, including DNS, ICMP, SMTP, and even via social media APIs. Attackers choose the protocol that best evades detection.

Mistake

Privilege escalation is only possible through kernel exploits.

Correct

Kernel exploits are just one method. Common misconfigurations like unquoted service paths, weak service permissions, and DLL hijacking are more frequently exploited.

Mistake

Network exploitation is only about moving laterally.

Correct

Network exploitation includes lateral movement, privilege escalation, data exfiltration, and persistence. All phases are critical for a successful penetration test.


Frequently Asked Questions

What is pass-the-hash and how does it work?

Pass-the-hash is a technique where an attacker uses the NTLM hash of a user's password to authenticate to remote systems. Instead of needing the plaintext password, the hash is used to compute the NTLM challenge-response sent to the target service. Tools like Mimikatz extract hashes from memory, and the attacker then authenticates with tools like psexec or wmic. This works because NTLM authentication is keyed on the hash, never on the password itself. For the exam, remember that PtH requires administrative privileges on the source machine to extract hashes from LSASS, SMB access to the target, and local administrator rights on the target for psexec to install its service.

What is the difference between pass-the-hash and pass-the-ticket?

Pass-the-hash uses NTLM hashes and works with protocols that support NTLM (e.g., SMB). Pass-the-ticket uses Kerberos tickets and works in Active Directory environments where Kerberos is the primary authentication protocol. PtT is useful when NTLM is disabled or when targeting services that require Kerberos. The exam may test scenarios where one is preferred over the other based on the available credentials and target services.

How do attackers move laterally without detection?

Attackers use built-in tools (living off the land) like PowerShell, WMI, and scheduled tasks to avoid triggering antivirus. They also encrypt their C2 traffic and mimic normal administrative behavior. They may clear event logs after accessing a system. Using legitimate credentials and tools that are whitelisted by security software helps evade detection. The exam focuses on understanding these evasion techniques.

What is the most common privilege escalation technique in Windows?

The most common is exploiting misconfigured services, such as services with weak permissions that allow the binary to be replaced or the service to be restarted. Unquoted service paths are also frequent. Kernel exploits are less common due to patch levels. The exam often presents scenarios with service misconfigurations as the easiest path to escalation.

How is data exfiltrated using DNS?

DNS tunneling encodes data in DNS queries or responses. The attacker registers a domain and runs an authoritative name server for it; the compromised host never talks to that server directly, because its queries are forwarded by the organisation's own resolver. Data is split into chunks, encoded as subdomain labels, and sent as DNS requests. This bypasses firewalls because outbound DNS is usually allowed. Tools like dnscat2 and iodine automate this. The exam may test the concept that DNS exfiltration is stealthy but slow.
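The data path that both the DNS Tunneling entry under Data Exfiltration Techniques and this answer describe, as an added example that is not part of the chapter and is not dnscat2 or iodine code: a payload is cut into numbered chunks, each chunk base32-encoded into labels that respect the 63-byte label and 253-byte name limits, and the authoritative server reassembles from queries that arrive out of order or are retried, refusing to hand back a corrupt file when a chunk is missing. The session ID, tunnel domain and payload are constructed; the bytes-per-query figure also makes the "slow" point concrete.

```python
"""DNS tunnelling data path, an added example (not from the chapter): how a
file becomes a sequence of queries and how the attacker's authoritative
server reassembles it. Labels are limited to 63 bytes and the full name to
253, and names are case-insensitive, so chunks are base32-encoded and
numbered. The session ID, domain and payload are constructed."""
from __future__ import annotations

import base64
import math

MAX_LABEL = 63
MAX_NAME = 253
RAW_PER_LABEL = (MAX_LABEL // 8) * 5   # 35 raw bytes -> 56 base32 chars, no mid-stream padding


def bytes_per_query(labels_per_query: int = 2) -> int:
    return RAW_PER_LABEL * labels_per_query


def queries_needed(size: int, labels_per_query: int = 2) -> int:
    """Why DNS exfiltration is slow: queries required for a payload of `size` bytes."""
    return math.ceil(size / bytes_per_query(labels_per_query))


def _b32(chunk: bytes) -> str:
    return base64.b32encode(chunk).decode().lower().rstrip("=")


def _unb32(label: str) -> bytes:
    s = label.upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def encode_queries(data: bytes, session: str, domain: str, labels_per_query: int = 2) -> list[str]:
    """Produce names of the form <seq-hex>.<b32>.<b32>.<session>.<domain>."""
    names = []
    per_query = bytes_per_query(labels_per_query)
    for seq, off in enumerate(range(0, len(data), per_query)):
        chunk = data[off:off + per_query]
        labels = [_b32(chunk[j:j + RAW_PER_LABEL]) for j in range(0, len(chunk), RAW_PER_LABEL)]
        name = ".".join([f"{seq:x}", *labels, session, domain])
        if len(name) > MAX_NAME or any(len(l) > MAX_LABEL for l in name.split(".")):
            raise ValueError("name exceeds DNS limits")
        names.append(name)
    return names


def decode_queries(names: list[str], session: str, domain: str) -> bytes:
    """Reassemble from queries that may arrive out of order or be retried.
    Raises if a chunk is missing rather than silently returning a corrupt file."""
    suffix = f".{session}.{domain}"
    chunks = {}
    for name in names:
        if not name.lower().endswith(suffix.lower()):
            continue                                   # unrelated traffic on the same zone
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0], 16)] = b"".join(_unb32(l) for l in labels[1:])
    if sorted(chunks) != list(range(len(chunks))):
        raise ValueError("gap in sequence numbers; chunks lost")
    return b"".join(chunks[s] for s in range(len(chunks)))


# Constructed payload standing in for an exfiltrated file.
PAYLOAD = b"customer_id,card_last4,limit\n" + b"".join(
    f"{i:05d},{1000 + i},{5000 * (i % 7)}\n".encode() for i in range(20))
SESSION, DOMAIN = "c0ffee", "tun.example.com"

if __name__ == "__main__":
    qs = encode_queries(PAYLOAD, SESSION, DOMAIN)
    print(f"{len(PAYLOAD)} bytes -> {len(qs)} queries, e.g. {qs[0]}")
    print("1 MiB would take", queries_needed(1 << 20), "queries")
```

Seventy bytes per query is the ceiling with two data labels; real tools trade some of it for a checksum and a session header, and the resolver's cache means every chunk name must be unique, which the sequence number also guarantees. On the defensive side the same arithmetic is the detection: thousands of distinct, high-entropy subdomains under one zone in a few minutes is not how browsers use DNS.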

What tools are commonly used for network exploitation?

Common tools include Mimikatz (credential theft), psexec (remote execution), wmic (WMI execution), winrm (PowerShell remoting), netcat (reverse shells), and Metasploit (exploitation framework). For Linux, SSH and netcat are typical. The exam expects familiarity with these tools and their basic syntax.

How do attackers maintain persistence?

Attackers create new user accounts, install services, add registry run keys, or schedule tasks that execute payloads at startup. They may also use DLL injection or modify system binaries. In Active Directory, they might create a domain admin account or modify group policy. The exam tests understanding of common persistence mechanisms and how to detect them.

