SANS Penetration Testing

Network Pen Testing Tips, Tricks, Tools and Resources

[Editor's Note: For this year's SANS Pen Test Poster, we asked some of the best pen testers and instructors in the industry to share their wisdom in a series of tips, tricks, tools, and useful resources for various kinds of penetration tests. We got some great input on network pen testing, web app pen testing, mobile pen testing, exploit writing, and wireless pen testing. We'll be posting these really useful recommendations as a series of blog posts over the next few weeks. The first in the series is this set of recommendations from the amazing John Strand of Black Hills Information Security. -Ed.]

By John Strand


  • Recon - This is the one area most people skip over or put the least amount of effort into. Don't. Without question, this is the most important phase. If done correctly, it is possible to gain access to a network without using a single exploit. For example, take a look at the modules available in recon-ng. Some of our favorites are the pwnlist modules and namechk.
  • Scanning - Try to be as accurate as possible. If your scanner supports a scan dedicated to PCI, don't use it. PCI scans have a very high false positive rate. If the project is a Crystal-box or Grey-box test, look into credentialed scanning. It will reduce the false positives, and the scan will run much faster. As an added bonus, it will also dramatically reduce the likelihood of crashing a system. Finally, always review the low and medium risk findings. These lower-risk findings may add up and result in significant potential for attack.
  • Exploitation - Always explicitly set the TARGET in Metasploit, as it reduces the likelihood of a target crash and increases the likelihood of successful exploitation. Get very comfortable with the Social Engineering Toolkit. Learn how to bypass AV; see the reference section below.
  • Post-Exploitation - After you have access to a target system, put the exploits away. Dump the passwords, crack the passwords. Get familiar with mimikatz. Get familiar with passing the hash. Get familiar with password spraying. Pivot mercilessly.
  • Reporting - Tell a narrative and demonstrate the risk through screenshots and videos. Never, ever, copy and paste results from an automated tool.
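The post-exploitation tip names password spraying, and the same pattern matters on the defending side of an engagement: the tell-tale shape is one source failing against many accounts a few times each, which a per-account lockout threshold never trips. The following is an added example, not code from the SANS post or from Black Hills Information Security, that flags that shape over a constructed, simplified authentication log. The CSV layout (timestamp, source IP, username, result), the sample entries and the thresholds are all assumptions made for the example.

```python
"""Detect a password-spraying pattern in a constructed authentication log.

Added example, not from the SANS post. The log format is an assumption: a
simplified CSV of timestamp,source_ip,username,result that a SIEM export or
Windows logon events (4624 success / 4625 failure) could be normalised into.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 10.0.0.5 fails once against six different accounts in a
# few minutes (the spray shape); 10.0.0.9 is one user fumbling their own
# password several times and then succeeding (not a spray).
SAMPLE_LOG = """\
2013-11-21T18:00:01,10.0.0.5,alice,FAIL
2013-11-21T18:00:03,10.0.0.9,grace,FAIL
2013-11-21T18:00:31,10.0.0.5,bob,FAIL
2013-11-21T18:00:40,10.0.0.9,grace,FAIL
2013-11-21T18:01:02,10.0.0.5,carol,FAIL
2013-11-21T18:01:15,10.0.0.9,grace,FAIL
2013-11-21T18:01:33,10.0.0.5,dave,FAIL
2013-11-21T18:01:50,10.0.0.9,grace,FAIL
2013-11-21T18:02:04,10.0.0.5,erin,FAIL
2013-11-21T18:02:20,10.0.0.9,grace,FAIL
2013-11-21T18:02:35,10.0.0.5,frank,FAIL
2013-11-21T18:02:41,10.0.0.9,grace,SUCCESS
2013-11-21T18:03:10,10.0.0.5,frank,SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5,
                 max_per_account=2):
    """Flag sources whose failures inside any `window` hit at least
    `min_accounts` distinct accounts with at most `max_per_account` failures
    each. Per-account lockout never sees this shape, so the aggregation has
    to be per source (or per tenant). Returns {source_ip: sorted accounts}
    for the widest qualifying window seen per source.
    """
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    hits = {}
    for src, fails in failures.items():
        fails.sort()
        best = None
        start = 0
        for end in range(len(fails)):
            # Advance the window start so fails[start:end+1] spans <= window.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if (len(counts) >= min_accounts
                    and max(counts.values()) <= max_per_account):
                if best is None or len(counts) > len(best):
                    best = sorted(counts)
        if best is not None:
            hits[src] = best
    return hits


def successful_after_spray(events, hits):
    """Accounts that a flagged spraying source also logged into successfully:
    the ones to reset first. Returns {source_ip: sorted accounts}."""
    compromised = defaultdict(set)
    for ts, src, user, result in events:
        if src in hits and result == "SUCCESS":
            compromised[src].add(user)
    return {src: sorted(users) for src, users in compromised.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    sprays = detect_spray(evts)
    for src, accounts in sprays.items():
        print(f"spray from {src}: {len(accounts)} accounts -> {accounts}")
    for src, accounts in successful_after_spray(evts, sprays).items():
        print(f"  successful logon after spray from {src}: {accounts}")
```

On the sample, only 10.0.0.5 is flagged, and frank is reported as the account that source subsequently logged into. The thresholds are deliberately parameters: a real tenant needs them tuned against its normal failure rate, and the per-source key needs widening (for example to an ASN or to all external sources against one tenant) because a spray spread over many addresses defeats a single-IP key.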

Must-Have Tools



Teensy* — Emulate keyboards to take over systems.
Pwnplug* — Small, portable, powerful covert pen testing platform.
* These tools are available on a commercial (cost) basis.

Resources for Staying Current


Associated SANS Courses

SEC504: Hacker Techniques, Exploits, and Incident Handling
SEC560: Network Penetration Testing and Ethical Hacking

-John Strand


Posted November 21, 2013 at 6:00 PM

Mike w.

PCI scans have a very high false positive rate."

Posted January 20, 2014 at 4:53 PM


Hi, this is my first time on this site, and I find it awesome; I will come often XD

Posted December 23, 2015 at 2:49 PM


I only tried it. The 3CX softphone won't operate without also installing the 3CX system, and also the "program" will not install without a static public IP address, so I did not finish setup of the program. I did complete setup of the client, and really it doesn't work at all on its own. Correct me if I am wrong, but it seems like it's designed to be its own committed VoIP system, and not a stand-alone client that may work with any VoIP system.
