友田 陽大
Practical Network Attacks and Defense
Security
Network
TCP/IP
Vulnerability Assessment
White Hacker
Ethical Hacking

The big picture of practical network penetration testing [2026]: a map of attack classes and defensive design — a version faithful to the official docs

A complete guide that systematizes network-layer (L2–L4) attack techniques faithfully to the NIST SP 800-115 methodology and MITRE ATT&CK. Recon and port scanning, ARP spoofing/MITM, DNS cache poisoning, TCP session hijacking, SYN flood, and packet sniffing — each attack's 'why it lands' is always explained paired with 'how to defend per the RFCs.' With legal procedures confined to your own lab / CTF / authorized scope, it turns offensive understanding into defensive design.

Reading time: 7 min read
Author: 友田 陽大

Network penetration testing is not the act of firing off tools; it is a reproducible methodology. Skilled assessors don't run nmap blindly; they hold a map of the attack surface and crush it systematically, phase by phase. This article maps the network-layer attack techniques (OSI L2–L4, roughly the Link/Internet/Transport layers of the four-layer TCP/IP model) onto NIST SP 800-115 and MITRE ATT&CK, and is the pillar article that serves as the entry point to the spoke articles that go deep on each technique.

This is the layer below the web-app attack cluster (L7 attacks such as SQLi/XSS/SSRF). A network attack does not slip past the app's input validation; it intrudes into, impersonates, or floods the communication channel itself.

The absolute premise of this cluster (read first)

All attack techniques handled here are executed only within three safe zones: ① your own assets (an isolated network in a home lab, VMs you manage), ② CTFs, ③ a scope authorized in writing. This is the line that the law draws between white hackers and criminals. Network attacks are especially dangerous: ARP spoofing and scanning can drag in the traffic of third parties on the same segment. The instant you try them at work or on public Wi-Fi, you may violate the Unauthorized Access Act and the Telecommunications Business Act (secrecy of communications). We proceed assuming a hands-on environment of a legal home lab (2–3 VMs within an isolated virtual network).


1. The assessment methodology — NIST SP 800-115's four phases

A pro's network assessment runs in the same "form" every time. NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment) organizes this into four phases.

| Phase | What to do | Main tools | Relevant article in this cluster |
|---|---|---|---|
| ① Planning | Fix the scope, rules, and written authorization. Decide what not to do | Contract, RoE | Law and ethics (premise) |
| ② Discovery | Host discovery, port/service identification, vulnerability mapping | nmap, passive recon | Recon & port scanning |
| ③ Attack | Safely demonstrate (PoC) the identified weaknesses: MITM, impersonation, flooding | Various dedicated tools | The ARP/DNS/TCP/SYN spokes |
| ④ Reporting | Record reproduction steps, impact, and RFC-compliant fixes | Report | Each article's "defense" section |

The most important phase is ① Planning. Even more than in web-app assessment, a network assessment can harm third parties' traffic by getting the target wrong by a single address. Fixing the scope boundary (which segment, which IP range, which time window) in writing is a professional's prerequisite that comes before any technique.

In MITRE ATT&CK terms, this cluster mainly corresponds to the tactics Reconnaissance (TA0043) / Lateral Movement (TA0008) / Collection. Being able to predict "what the attacker does next" by tactic helps prioritize defense.


2. The map of attack classes — grasp in the lower OSI layers

Network attacks exploit the fact that each TCP/IP layer "trusts the layer below." Let's organize them by layer.

Within the same LAN, hosts operate on naive premises such as "believe ARP responses unconditionally."

2.2 L3 (network layer) — forging the source

  • IP spoofing — falsify the source IP. Used for DDoS reflection/amplification and bypassing trust-based authorization.
  • ICMP redirect / Smurf (reflection).

2.3 L4 (transport layer) — exploiting TCP/UDP specs

2.4 Cross-cutting attacks


3. Why network attacks succeed — three root causes

Before getting into individual techniques, let's grasp the root causes common to all attacks. Knowing these lets you strike defenses "structurally" rather than "case-by-case."

  1. Lack of authentication: ARP, early DNS, and IP have no mechanism to verify the source. "First to say it wins." → Defense: verify cryptographically (DNSSEC, IPsec, 802.1X, TLS).
  2. Plaintext: unencrypted communication can be read and written by anyone on the path. → Defense: encrypt everything (TLS everywhere). Render sniffing and tampering meaningless.
  3. Excessive trust boundaries: the premise "the internal LAN is safe" collapses entirely with one breached machine. → Defense: zero trust. Don't make network location the basis of trust.

These three appear repeatedly in each spoke of this cluster. Even though attack techniques are diverse, the defenses that work converge on a surprisingly small number of principles; that is the encouraging side of network security.


4. How to build the lab — a minimal setup for safe hands-on

To practice legally, build a virtual network completely isolated from the outside. As an extension of the home-lab article, here's a minimal setup where you can try L2 attacks.

   [ Host OS ] ── VirtualBox / UTM "internal network (intnet)" mode, cut off from the outside
        │
   ┌────┴───────────────┬───────────────────┐
   │                    │                   │
[ Kali (attacker) ]  [ Victim VM (victim) ]  [ Gateway VM (router role) ]
   10.10.10.5            10.10.10.10              10.10.10.1

The point is the "internal network" mode (neither NAT nor bridge). This confines ARP spoofing and scanning to just your three VMs, leaking nothing at all to your home LAN, company, or public networks. This isolation is the physical wall that separates legal from illegal.

```bash
# Only a connectivity check inside the lab (between your own VMs) is fine to do first.
# This is legal because it stays within "your own assets". Never point it at external IPs.
ping -c 1 10.10.10.10        # Is the Victim VM on the same segment?
ip neigh                     # Your own ARP table (whose MACs have been learned)
```
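The `ip neigh` table above is also the simplest place to detect the root cause ① from section 3 (ARP has no authentication) being exploited in the lab. The following is an added example, not code from the original article: it parses the `ip neigh` output format and compares a baseline snapshot with a later one, flagging an IP whose MAC changed and a single MAC that claims several IPs (the signature of a MITM answering for both the gateway and a victim). The two snapshots embedded below are constructed for the 10.10.10.0/24 lab; `read_live_table()` is a hypothetical helper for a real Linux host.

```python
"""Baseline-and-diff check of the Linux neighbour (ARP) table.

Added example for the lab section; not part of the original article.
It parses `ip neigh` lines ("<ip> dev <iface> lladdr <mac> <STATE>") and
reports two signs of ARP spoofing: an IP whose MAC changed since the
baseline, and one MAC claiming several IPs. Sample snapshots are constructed.
"""
import re
import subprocess
from collections import defaultdict

# Entries in FAILED/INCOMPLETE state carry no lladdr, so they never match.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17}) (?P<state>\S+)",
    re.IGNORECASE,
)


def parse_neigh(text: str) -> dict:
    """Map IP -> MAC (lower-cased) for every entry that has a hardware address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def read_live_table() -> dict:
    """Hypothetical helper: snapshot the real table on a Linux host (not used offline)."""
    out = subprocess.run(["ip", "neigh"], capture_output=True, text=True, check=True)
    return parse_neigh(out.stdout)


def detect_changes(baseline: dict, current: dict) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    # 1. An IP we already knew now resolves to a different MAC.
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is not None and old != mac:
            findings.append(f"MAC changed for {ip}: {old} -> {mac}")
    # 2. One MAC answering for several IPs (e.g. gateway and attacker at once).
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings


# Constructed sample: the Victim VM's table in a clean state.
BASELINE = """\
10.10.10.1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
10.10.10.5 dev eth0 lladdr 52:54:00:aa:bb:05 STALE
10.10.10.77 dev eth0  FAILED
"""

# Constructed sample taken later: the gateway's IP now maps to the MAC
# that the baseline recorded for 10.10.10.5.
SUSPICIOUS = """\
10.10.10.1 dev eth0 lladdr 52:54:00:aa:bb:05 REACHABLE
10.10.10.5 dev eth0 lladdr 52:54:00:aa:bb:05 REACHABLE
"""

if __name__ == "__main__":
    for finding in detect_changes(parse_neigh(BASELINE), parse_neigh(SUSPICIOUS)):
        print("ALERT:", finding)
```

Run it on the embedded snapshots and it prints two alerts; swap in `read_live_table()` taken at two points in time to use it on the Victim VM. Host-side checks like this complement, but do not replace, Dynamic ARP Inspection on the switch, because a host can only see what its own cache has learned.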

5. How to walk each spoke — always offense and defense paired

Each article in this cluster always handles "the attack mechanism → detection → RFC-compliant defense" as one set. The recommended reading order is as follows.

  1. Recon & port scanning (nmap) — first, "make it visible." The origin of everything. Defense is minimal exposure and IDS.
  2. ARP spoofing / MITM — break into the path. Defense is Dynamic ARP Inspection, 802.1X, TLS.
  3. DNS spoofing / cache poisoning — hijack name resolution. Defense is DNSSEC and source-port randomization (RFC 5452).
  4. TCP session hijacking / RST injection / IP spoofing — seize / sever a connection. Defense is RFC 5961, ISN randomization, BCP 38.
  5. SYN flood / DDoS — flooding. Defense is SYN cookies (RFC 4987), rate limiting, cloud DDoS protection.
  6. Packet sniffing / Wireshark / encryption — reading. Defense is TLS everywhere and visibility operations.
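Item 5 names SYN cookies (RFC 4987) as the defense against SYN flooding. The following is an added example, not code from the article and not a kernel implementation: it builds and verifies a cookie with the layout RFC 4987 section 3.1 describes (top 5 bits: a time counter that ticks every 64 seconds, mod 32; next 3 bits: an encoded MSS; bottom 24 bits: a keyed hash over the client/server addresses and ports and the counter). The server sends the cookie as its SYN-ACK sequence number, keeps no state, and only allocates a connection when the client's ACK returns cookie+1. The secret key, the MSS table, and the address pairs are constructed for the demo.

```python
"""SYN cookies as laid out in RFC 4987 section 3.1.

Added example; not the article's code and not how any particular kernel
does it. SECRET, MSS_TABLE and the sample 4-tuples are constructed.
"""
import hashlib
import hmac
import socket
import struct
import time

# MSS values the server is willing to encode in the 3-bit field (demo table).
MSS_TABLE = [536, 1300, 1440, 1460]
SECRET = b"constructed-lab-secret"  # a real server uses a random, rotated secret


def _counter(now: float) -> int:
    """t: a counter that increases once every 64 seconds."""
    return int(now) // 64


def _hash24(saddr: str, sport: int, daddr: str, dport: int, t: int) -> int:
    """Bottom 24 bits: keyed hash over the connection 4-tuple and t."""
    msg = struct.pack("!4sH4sHI", socket.inet_aton(saddr), sport,
                      socket.inet_aton(daddr), dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_mss, now=None) -> int:
    """Build the 32-bit sequence number the server puts in its SYN-ACK."""
    t = _counter(time.time() if now is None else now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):  # largest table entry not above the client's MSS
        if m <= client_mss:
            mss_idx = i
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _hash24(saddr, sport, daddr, dport, t)


def check_cookie(cookie, saddr, sport, daddr, dport, now=None, max_age_ticks=1):
    """Validate (ack - 1) from the client's ACK.

    Returns the MSS encoded in the cookie, or None when the cookie is forged,
    belongs to a different 4-tuple, or is older than max_age_ticks counter ticks.
    """
    t_now = _counter(time.time() if now is None else now)
    top = (cookie >> 27) & 0x1F
    for age in range(max_age_ticks + 1):
        t = t_now - age
        if (t & 0x1F) != top:
            continue  # not the tick this cookie claims; try the previous one
        if (cookie & 0xFFFFFF) != _hash24(saddr, sport, daddr, dport, t):
            return None  # right tick, wrong hash: forged or for another connection
        idx = (cookie >> 24) & 0x7
        return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None
    return None  # no acceptable tick matched: expired


if __name__ == "__main__":
    client, server = ("10.10.10.10", 40001), ("10.10.10.1", 443)
    syn_ack_seq = make_cookie(*client, *server, client_mss=1460, now=1000.0)
    ack = (syn_ack_seq + 1) & 0xFFFFFFFF          # what a genuine client sends back
    print(check_cookie((ack - 1) & 0xFFFFFFFF, *client, *server, now=1050.0))  # 1460
    print(check_cookie((ack - 1) & 0xFFFFFFFF, *client, *server, now=1200.0))  # None
```

The design trade-off the code makes visible: because the server stores nothing between SYN and ACK, everything it needs (the counter tick and the chosen MSS) has to fit into 8 bits of the sequence number, and any TCP option not encoded there is lost, which is why RFC 4987 treats cookies as a fallback for when the SYN backlog is under pressure rather than the normal handshake path.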

6. Summary — the network assessor's mindset

  • Methodology first, tools later: crush the attack surface systematically with NIST SP 800-115's four phases. nmap is merely an instrument subordinate to the methodology.
  • Grasp attacks by layer: L2 (ARP), L3 (IP), L4 (TCP/UDP), cross-cutting (DNS/sniffing). Each layer gets exploited for its "trust the layer below" nature.
  • There are three root causes: lack of authentication, plaintext, excessive trust boundaries. So defense converges on encryption, verification, and zero trust.
  • Build the wall of legality physically: a VM lab on an isolated internal network. Fix the scope boundary in writing.
  • Understanding offense is defensive design: always pair each technique with "how it lands" and "how to crush it per the RFCs."

Only those who understand network attacks can proactively crush "where it breaks" at the design stage. From the next chapter, starting with recon (port scanning), we go deep on each attack and defense one by one.


I (Hinata Tomoda) have designed and implemented multi-layer networks in AWS multi-account environments (the API Gateway→NLB→ALB→ECS configuration, VPC design, least-privilege IAM, GuardDuty threat detection, WAF multi-layered defense). With the perspective of one who knows the attackers' moves, I'll enumerate the attack surface of your network/infrastructure and design and implement RFC-compliant defenses (segmentation, encryption, detection). "I want to diagnose where our boundary breaks, from the attacker's perspective" — when that's the case, feel free to reach out.

友田

友田 陽大

Developer of a METI Minister's Award–winning product. With TypeScript + Python + AWS, I deliver SaaS, industry DX, and production-grade generative AI (RAG) end to end — from requirements to infrastructure and operations — single-handedly.

Could this attack succeed on your network?

Network / infrastructure penetration testing & hardening

For the L2–L4 attacks covered here (ARP spoofing, DNS poisoning, session hijacking, SYN flood, sniffing), I diagnose where your configuration breaks from an attacker's perspective, and design and implement RFC-compliant defenses (DAI, DNSSEC, RFC 5961, BCP 38, TLS/mTLS, WAF/DDoS protection). With experience building multi-layered networks on AWS multi-account (VPC, least-privilege IAM, GuardDuty, WAF), I help minimize the attack surface and move toward zero trust.

Available for both project-based (contract) and advisory engagements. Start with a free 30-minute consult.
