Network Pen Testing Tips, Tricks, Tools and Resources

[Editor’s Note: For this year’s SANS Pen Test Poster, we asked some of the best pen testers and instructors in the industry to share their wisdom in a series of tips, tricks, tools, and useful resources for various kinds of penetration tests.  We got some great input on network pen testing, web app pen testing, mobile pen testing, exploit writing, and wireless pen testing.  We’ll be posting these really useful recommendations as a series of blog posts over the next few weeks.  The first in the series is this set of recommendations from the amazing John Strand of Black Hills Information Security. –Ed.]

By John Strand


  • Recon – This is the one area most people skip over or put the least amount of effort into. Don’t. Without question, this is the most important phase. If done correctly, it is possible to gain access to a network without using a single exploit. For example, take a look at the modules available in recon- ng. Some of our favorites are the pwnlist modules and namechk.
  • Scanning – Try to be as accurate as possible. If your scanner supports a scan dedicated to PCI, don’t use it. PCI scans have a very high false positive rate. If the project is a Crystal-box or Grey-box test, look into credentialed scanning. It will reduce the false positives, and the scan will run much faster. As an added bonus, it will also dramatically reduce the likelihood of crashing a system. Finally, always review the low and medium risk findings. These lower-risk findings may add up and result in significant potential for attack.
  • Exploitation – Always explicitly set the TARGET in Metasploit, as it will reduce the likelihood of a target crash and will increase the likelihood of successful exploitation. Get very comfortable with the Social Engineering Toolkit. Learn how to bypass AV, see the reference section below.
  • Post-Exploitation – After you have access to a target system, put the exploits away. Dump the passwords, crack the passwords. Get familiar with mimikatz. Get familiar with passing the hash. Get familiar with password spraying. Pivot mercilessly.
  • Reporting – Tell a narrative and demonstrate the risk through screenshots and videos. Never, ever, copy and paste results from an automated tool.

Must-Have Tools



Teensy* – Emulate keyboards to take over systems.
Pwnplug* – Small, portable, powerful covert pen testing platform.
* These tools are available on a commercial (cost) basis.

Resources for Staying Current 

Associated SANS Courses

SEC504: Hacker Techniques, Exploits, and Incident Handling
SEC560: Network Penetration Testing and Ethical Hacking

–John Strand

SANS Pen Test Cheat Sheet: Nmap v1.1


Whenever we attend information security conferences like DerbyCon, ShmooCon, or any of the many BSides we support, we always take SANS Pen Test Cheat Sheets with us and everyone that comes by the booth takes a few for themselves and their colleagues back at the office.

So… we have made them available for you to download, print, and share with others.

Ed Skoudis and the fine folks at Counter Hack have put together a nifty Nmap cheat sheet covering some of the most useful options of everyone’s favorite general-purpose port scanner, Nmap.  And, with its scripting engine, Nmap can do all kinds of wonderful things for security professionals.

Please check out the updated cheat sheet below.  Even if you are an experienced attacker, it might cover a tip or trick that’s new and useful to you.


2-Page, Printable, PDF: NmapCheatSheetv1.1

Oh… we just made something that we think is pretty helpful. Here is a desktop wallpapers, in multiple sizes, based on the Nmap Cheat Sheet for you to download and use.

(Click on the image for full-sized version to download)


Learn how to use Nmap and penetration testing methods, techniques, and tools in SANS SEC560: Network Penetration Testing and Ethical Hacking.

–Ed Skoudis.

SANS Fellow
Counter Hack Challenges Founder

Upcoming SANS Special Event – 2018 Holiday Hack Challenge


SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more:
  • Play previous versions from free 24/7/365:

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen