Prerequisites

  • Authorization token / Rules of Engagement document from client
  • Target IP range or hostname confirmed in scope
  • Engagement type selected (Full Pentest / Vulnerability Assessment / Red Team)
  • For AD testing: domain credentials in Auth Vault, DC IP confirmed
  • For cloud: AWS/Azure/GCP API credentials bound to at least a read-only IAM role (the audit phase only needs read access; do not supply admin keys)
  1. Select Network / Infrastructure from the Home Screen

     Click the 🏗️ Network / Infrastructure card on the Home Screen.

  2. Complete the Network Wizard

     Environment → Test Lab / Pre-Production / Production
     Engagement → Full Pentest / Vulnerability Assessment / Network Only
     Target Scope → IP range (192.168.1.0/24) or hostname (corp.internal)
     Auth Token → Upload ROE document
     AD in scope → Yes/No → if Yes: DC IP + domain name + credentials
     Cloud → Yes/No → if Yes: select AWS / Azure / GCP
     Intensity → Standard (safe) | Aggressive | Full (all exploits)

     Every host the scan touches must fall inside the Target Scope you enter here; nothing outside that range should be scanned, whatever the intensity.

  3. Review the AI Test Plan and Launch

     Claude generates a phase-based test plan. Review the phases, adjust the intensity if needed, and click Launch Scan.

  4. Monitor the Network Topology Map

     The Topology tab shows a live network map that Claude builds as hosts are discovered. Click any node for service details. Attack paths are drawn in red once an exploitation chain has been confirmed.

  5. Review the AD Attack Path (if applicable)

     The Active Directory tab shows BloodHound-style attack paths from the compromised user to Domain Admins. Each step on a path shows the technique used (Kerberoasting, DCSync, etc.).

  6. Download the Network Security Report

     Reports → Network Report → includes: asset inventory, port matrix, AD attack paths, cloud audit findings, CIS benchmark scores, and remediation roadmap.

Claude's 8-Phase Network Assessment

  • Phase 1: Asset discovery — subfinder, httpx, Shodan passive, dnsx
  • Phase 2: Port + service scan — nmap with service detection and NSE scripts
  • Phase 3: Vulnerability identification — Nuclei network templates + OpenVAS
  • Phase 4: AD enumeration — BloodHound CE, Impacket, CrackMapExec (if in scope)
  • Phase 5: Cloud audit — Prowler for AWS/Azure/GCP (if in scope)
  • Phase 6: CIS Benchmark check — Lynis, kube-bench, docker-bench
  • Phase 7: Exploitation — Metasploit network modules (Full Pentest only)
  • Phase 8: Attack chain correlation + attack path generation
⏱️ Typical duration: 45 minutes (small /24 network) to 6 hours (large enterprise with AD + cloud).

Common Issues

Slow scans: use --min-rate 5000, or start with masscan for fast port discovery and then run targeted nmap service detection only on the open ports it found: nmap -sV -p [port_list] [host]. The -T4 timing template speeds up scanning on reliable networks. Both settings push packets hard; on a Production engagement or a network with fragile devices (printers, OT, older appliances), stay at Standard intensity and lower the rate rather than risk knocking hosts over.
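The two-stage workflow above, masscan discovery feeding a port-restricted nmap -sV per host, written out as an added bash example (this is not PhantomYerra code). It assumes masscan list output (-oL), an in-scope CIDR taken from the ROE, and adds -Pn to the nmap command because discovery already proved the host is up. Hosts that fall outside the CIDR are skipped rather than scanned, so a stray address in the discovery file cannot pull the service scan out of scope. The masscan output embedded below is constructed sample data, not a real scan.

```bash
#!/usr/bin/env bash
# Added example: stage masscan discovery -> targeted nmap -sV, with a scope check.
# Assumes masscan -oL output lines of the form: open tcp <port> <ip> <timestamp>
set -euo pipefail

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_scope IP CIDR: exit 0 when IP lies inside CIDR, 1 otherwise.
in_scope() {
  local ip=$1 cidr=$2
  local net=${cidr%/*} bits=${cidr#*/}
  local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Parse masscan -oL output on stdin into "host port,port,..." lines, one per host.
# Header/footer lines ("#masscan", "# end") are ignored; ports are ordered numerically.
masscan_to_hostports() {
  sort -k4,4 -k3,3n \
    | awk '$1 == "open" && $2 == "tcp" { p[$4] = (p[$4] ? p[$4] "," : "") $3 }
           END { for (h in p) print h, p[h] }' \
    | sort
}

# Emit one nmap -sV command per in-scope host, restricted to that host's open ports.
# Out-of-scope hosts are reported on stderr and never scanned.
build_nmap_cmds() {
  local cidr=$1
  while read -r host ports; do
    if in_scope "$host" "$cidr"; then
      printf 'nmap -sV -Pn -T4 -p %s %s\n' "$ports" "$host"
    else
      printf 'skipping %s: outside scope %s\n' "$host" "$cidr" >&2
    fi
  done
}

# Constructed sample of masscan -oL output (not real scan data). The 10.0.0.5
# line stands in for an address that leaked into the discovery file but is not in scope.
SAMPLE_MASSCAN='#masscan
open tcp 443 192.168.1.10 1700000001
open tcp 22 192.168.1.10 1700000000
open tcp 3389 192.168.1.20 1700000003
open tcp 445 192.168.1.20 1700000002
open tcp 80 10.0.0.5 1700000004
# end'

# Build the service-scan plan for the sample against the ROE scope 192.168.1.0/24.
plan_for_sample() {
  printf '%s\n' "$SAMPLE_MASSCAN" | masscan_to_hostports | build_nmap_cmds 192.168.1.0/24 2>/dev/null
}

# Real usage (requires masscan, root, and written authorization for the range):
#   sudo masscan 192.168.1.0/24 -p1-65535 --rate 5000 -oL discovery.txt
#   masscan_to_hostports < discovery.txt | build_nmap_cmds 192.168.1.0/24 > nmap_targets.sh
plan_for_sample
```

The scope check is deliberately independent of masscan: even if the discovery run was mis-targeted, nothing outside the CIDR reaches the service-detection stage, which is the stage that actually touches services and is most likely to upset a fragile host.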

No AD attack paths shown: ensure the BloodHound CE neo4j database is running and that the collected data was ingested correctly. Upload the ZIP file produced by bloodhound-python to the BloodHound CE UI at http://localhost:8080, check that the correct domain is selected in the UI, and run the built-in "Find All Attack Paths to Domain Admins" query. If that query returns nothing in the UI, the tab has nothing to draw and the problem is collection or ingestion, not PhantomYerra.

Metasploit not connecting: Metasploit requires the msfrpcd service to be running. PhantomYerra starts it automatically, but verify with Settings → Tools → Metasploit → Test Connection. On Windows, ensure msfrpcd is running inside WSL2. The Metasploit adapter only activates at Full Pentest intensity and only when the ROE grants explicit exploitation authorization; at Standard or Aggressive intensity a failed connection test does not affect the assessment.