Network / Infrastructure Pentest

Prerequisites

Authorization token / Rules of Engagement document from client
Target IP range or hostname confirmed in scope
Engagement type selected (Full Pentest / Vulnerability Assessment / Red Team)
For AD testing: domain credentials in Auth Vault, DC IP confirmed
For cloud: AWS/Azure/GCP API credentials with read-only IAM role minimum

1

Select Network / Infrastructure from Home Screen

Click the 🏗️ Network / Infrastructure card on the Home Screen.
2

Complete the Network Wizard

Environment → Test Lab / Pre-Production / Production Engagement → Full Pentest / Vulnerability Assessment / Network Only Target Scope → IP range (192.168.1.0/24) or hostname (corp.internal) Auth Token → Upload ROE document AD in scope → Yes/No → if Yes: DC IP + domain name + credentials Cloud → Yes/No → if Yes: select AWS / Azure / GCP Intensity → Standard (safe) | Aggressive | Full (all exploits)
3

Review AI Test Plan and Launch

Claude generates a phase-based test plan. Review phases, adjust intensity, click Launch Scan.
4

Monitor the Network Topology Map

The Topology tab shows a live network map built by Claude as hosts are discovered. Click any node for service details. Attack paths are drawn in red when exploitation chains are confirmed.
5

Review AD Attack Path (if applicable)

The Active Directory tab shows BloodHound-style attack paths from the compromised user to Domain Admin. Each path step shows the technique used (Kerberoasting, DCSync, etc.).
6

Download Network Security Report

Reports → Network Report → includes: asset inventory, port matrix, AD attack paths, cloud audit findings, CIS benchmark scores, and remediation roadmap.

Claude's 8-Phase Network Assessment

Phase 1: Asset discovery - subdomain enumeration, HTTP probing, internet intelligence feed, DNS enumeration
Phase 2: Port + service scan - PhantomYerra Network Discovery with service detection and scripts
Phase 3: Vulnerability identification - PhantomYerra vulnerability scan engine (network templates) + OpenVAS
Phase 4: AD enumeration - BloodHound CE, Active Directory attack framework, network enumeration engine (if in scope)
Phase 5: Cloud audit - Prowler for AWS/Azure/GCP (if in scope)
Phase 6: CIS Benchmark check - Lynis, kube-bench, docker-bench
Phase 7: Exploitation - PhantomYerra Exploitation Framework network modules (Full Pentest only)
Phase 8: Attack chain correlation + attack path generation

⏱️ Typical duration: 45 minutes (small /24 network) to 6 hours (large enterprise with AD + cloud).

Prerequisites

PhantomYerra scan tools installed: network scanner, vulnerability engine, Active Directory framework, BloodHound CE
Written authorization from client
Network access to target range

1

Asset Discovery

# PhantomYerra → Tools → Asset Discovery Engine - domain: corp.target.com # PhantomYerra → Tools → HTTP Probe, live host check with title detection # PhantomYerra Network Discovery - host sweep: 192.168.1.0/24 → live_hosts.txt # Output: all live hosts extracted to live_hosts.txt
2

Port Scan and Service Detection

# PhantomYerra Network Discovery - service scan against live_hosts.txt # Top-1000 ports, service fingerprinting → service_scan output # Full port scan (slower but thorough): # PhantomYerra Network Discovery → Full Port Sweep (0-65535, high rate) → masscan.xml
3

Vulnerability Identification

# PhantomYerra vulnerability scan engine - network templates, medium/high/critical # Input: live_hosts.txt # SMB vulnerability check (MS17-010, MS08-067): # PhantomYerra Network Discovery → Scripts → smb-vuln-ms17-010,smb-vuln-ms08-067 → port 445 # RDP vulnerability check (MS12-020): # PhantomYerra Network Discovery → Scripts → rdp-vuln-ms12-020 → port 3389
4

Active Directory Enumeration

# BloodHound collection bloodhound-python -d corp.local -u user -p 'Pass123' \ -dc 192.168.1.10 -c All --zip # Network enumeration engine: SMB share enumeration # PhantomYerra → AD → Network Enumeration → SMB shares → 192.168.1.0/24 # Network enumeration engine: LDAP user enumeration # PhantomYerra → AD → Network Enumeration → LDAP users → 192.168.1.10 # Kerberoasting via Active Directory attack framework # PhantomYerra → AD → Kerberoasting → corp.local / 192.168.1.10 # Output: kerberoast.txt → crack with hashcat -m 13100
5

High-Risk Service Checks

# Unauthenticated Redis redis-cli -h 192.168.1.42 ping redis-cli -h 192.168.1.42 config get dir # Anonymous FTP - PhantomYerra Network Discovery → Scripts → ftp-anon → port 21 # Input: live_hosts.txt # Default SNMP community strings onesixtyone -c /usr/share/doc/onesixtyone/dict.txt -i live_hosts.txt
6

CIS Benchmark Audit

# Linux hardening audit lynis audit system # Docker CIS benchmark docker run --rm -it \ -v /var/run/docker.sock:/var/run/docker.sock \ docker/docker-bench-security # Kubernetes CIS benchmark kube-bench run --targets master,node

⏱️ Duration: 1 day (small network) to 1 week (large enterprise with AD + cloud).

Common Issues

Set a higher minimum scan rate in the Network Discovery configuration, or start with a fast port sweep (all ports, high rate) to find open ports first, then run targeted service detection on only the discovered open ports. Use the Aggressive Timing profile in the scanner settings for faster scanning on reliable networks.

Ensure the BloodHound CE neo4j database is running and data was ingested correctly. Upload the ZIP file from bloodhound-python to the BloodHound CE UI at http://localhost:8080. Check if the correct domain is selected in the UI. Run the built-in "Find All Attack Paths to Domain Admins" query.

The PhantomYerra Exploitation Framework requires its backend service to be running. PhantomYerra starts it automatically, but verify with: Settings → Tools → Exploitation Framework → Test Connection. On Windows, ensure the service is running in WSL2. The exploitation adapter only activates for Full Pentest intensity with explicit exploitation authorization.

Full Disclosure

264 modules · 30+ surfaces · 14 vuln families · 120+ classes

The sections above describe what this surface tests. For the complete enumeration of every vulnerability class PhantomYerra covers across all surfaces — with scanner module names — see the Coverage Matrix.

View Full Coverage Matrix →

Network / Infrastructure Pentest

Prerequisites

Select Network / Infrastructure from Home Screen

Complete the Network Wizard

Review AI Test Plan and Launch

Monitor the Network Topology Map

Review AD Attack Path (if applicable)

Download Network Security Report

Claude's 8-Phase Network Assessment

Prerequisites

Complete Wizard in Semi-Automated Mode

Approve Initial Scan Proposals

Review and Approve Targeted Vulnerability Checks

Prerequisites

Asset Discovery

Port Scan and Service Detection

Vulnerability Identification

Active Directory Enumeration

High-Risk Service Checks

CIS Benchmark Audit

Common Issues

264 modules · 30+ surfaces · 14 vuln families · 120+ classes

Network / Infrastructure Pentest

Prerequisites

Select Network / Infrastructure from Home Screen

Complete the Network Wizard

Review AI Test Plan and Launch

Monitor the Network Topology Map

Review AD Attack Path (if applicable)

Download Network Security Report

Claude's 8-Phase Network Assessment

Prerequisites

Complete Wizard in Semi-Automated Mode

Approve Initial Scan Proposals

Review and Approve Targeted Vulnerability Checks

Prerequisites

Asset Discovery

Port Scan and Service Detection

Vulnerability Identification

Active Directory Enumeration

High-Risk Service Checks

CIS Benchmark Audit

Common Issues

Related Topics

264 modules · 30+ surfaces · 14 vuln families · 120+ classes