# The big picture of practical network penetration testing [2026]: a map of attack classes and defensive design — a version faithful to the official docs

> A complete guide that systematizes network-layer (L2–L4) attack techniques faithfully to the NIST SP 800-115 methodology and MITRE ATT&CK. Recon and port scanning, ARP spoofing/MITM, DNS cache poisoning, TCP session hijacking, SYN flood, and packet sniffing — each attack's 'why it lands' is always explained paired with 'how to defend per the RFCs.' With legal procedures confined to your own lab / CTF / authorized scope, it turns offensive understanding into defensive design.

- Published: 2026-06-28
- Author: 友田 陽大
- Tags: Security, Networking, TCP/IP, Vulnerability Assessment, White Hacker, Ethical Hacking
- URL: https://tomodahinata.com/en/blog/network-penetration-testing-methodology-attack-defense-guide
- Category: Practical Network Attack and Defense

## Key points

- Network pentesting is methodology, not 'intuition.' With NIST SP 800-115's four phases (planning → discovery → attack → reporting), crush the L2–L4 attack surface one by one. This article is that map and the entry point to each spoke.
- Grasp the attack surface in the lower OSI layers: L2 (ARP spoofing/MITM), L3 (IP spoofing/ICMP), L4 (port scanning/TCP session hijacking/SYN flood), and cross-cutting (DNS spoofing/sniffing).
- Unlike web-app attacks (SQLi/XSS, etc.), network attacks often presuppose 'being on the same segment' or 'being on the path.' That's why zero trust, encryption, and segmentation work.
- The absolute condition for legality is 'authorization (scope).' All procedures in this cluster stay within three safe zones (your own assets / CTF / a scope authorized in writing). Even one unauthorized scan can touch the Unauthorized Access Act and the Telecommunications Business Act.
- Understanding attacks connects directly to defense. Each technique always shows 'how it lands' paired with 'how to crush it per the RFCs and the standard countermeasures' (DAI, DNSSEC, RFC 5961, BCP 38, TLS). Offense and defense are two sides of the same coin.

---

Network penetration testing is not the act of firing off tools. It's a **reproducible "methodology."** Excellent assessors don't bash away at `nmap` blindly; they **hold a map of the attack surface and crush it systematically along phases.** This article maps the network-layer attack techniques (OSI L2–L4, roughly the Link/Internet/Transport layers of [TCP/IP's four layers](/blog/tcp-ip-protocol-suite-fundamentals-complete-guide)) faithfully to [NIST SP 800-115](https://csrc.nist.gov/pubs/sp/800/115/final) and [MITRE ATT&CK](https://attack.mitre.org/), and is the pillar article that serves as the entry point to the spokes that go deep on each attack technique.

This is the **layer below** the [web-app attack cluster](/blog/web-application-hacking-techniques-methodology-owasp-portswigger-guide) (L7 attacks like SQLi/XSS/SSRF). Rather than slipping past the app's input validation, it's **intruding into, impersonating, or flooding the communication itself** — that's a network attack.

> **The absolute premise of this cluster (read first)**
> All attack techniques handled here are executed only within **three safe zones** — ① your own assets (an isolated network in a home lab, VMs you manage) ② CTF ③ a scope authorized in writing. This is the line drawn in [white hackers and the law](/blog/ethical-hacker-law-japan-unauthorized-access-act-active-cyber-defense-disclosure-guide). **Network attacks are especially dangerous**, and ARP spoofing and scanning can drag in the traffic of third parties on the same segment. The instant you try it at work or on public Wi-Fi, you may touch the Unauthorized Access Act and the Telecommunications Business Act (secrecy of communications). We proceed assuming a hands-on environment of a [legal home lab](/blog/ethical-hacking-home-lab-kali-juice-shop-ctf-self-study-roadmap-guide) (2–3 VMs within an isolated virtual network).

---

## 1. The assessment methodology — NIST SP 800-115's four phases

A pro's network assessment runs in the same "form" every time. [NIST SP 800-115](https://csrc.nist.gov/pubs/sp/800/115/final) (Technical Guide to Information Security Testing and Assessment) organizes this into four phases.

| Phase | What to do | Main tools | The relevant article in this cluster |
|---|---|---|---|
| **① Planning** | Fix the scope, rules, and **written authorization**. Decide what not to do | Contract, RoE | Law and ethics (premise) |
| **② Discovery** | Host discovery, port/service identification, vulnerability mapping | `nmap`, passive recon | [Recon & port scanning](/blog/network-reconnaissance-port-scanning-nmap-service-detection-defense-guide) |
| **③ Attack** | Safely demonstrate (PoC) the identified weaknesses. MITM, impersonation, flooding | Various dedicated tools | The ARP/DNS/TCP/SYN spokes |
| **④ Reporting** | Record reproduction steps, impact, and **RFC-compliant fixes** | Report | Each article's "defense" section |

The most important is **① Planning**. Even more than web-app assessment, network assessment can harm third parties' traffic when the target is off by a single address or subnet. **Fixing the scope boundary (which segment, which IP range, which time window) in writing** is a pro's condition that precedes technique.
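The written scope is only useful if something enforces it before the first packet leaves. Below is an added example (not part of the article or of NIST SP 800-115) of encoding the Rules of Engagement as data and checking every target against it: exclusions first, then the authorized ranges, then the time window. The CIDRs, the carved-out host 10.10.10.250 and the night-time window are constructed for the section 4 lab; only the `--exclude` flag passed to `nmap` is a real option.

```python
"""Scope guard for phase 1 (Planning): refuse targets outside the written authorization.

Added example for this article, not code from NIST SP 800-115 or any scanner.
Every RoE value below (CIDRs, the excluded host, the time window) is constructed.
"""
from datetime import datetime, timezone
import ipaddress


class RulesOfEngagement:
    """The written scope expressed as data, so a script can enforce it before any packet leaves."""

    def __init__(self, authorized, excluded=(), window_start=None, window_end=None):
        # strict=False lets "10.10.10.5/24" mean the enclosing /24
        self.allow = [ipaddress.ip_network(c, strict=False) for c in authorized]
        self.deny = [ipaddress.ip_network(c, strict=False) for c in excluded]
        self.window_start = window_start  # timezone-aware datetimes, or None for "no window"
        self.window_end = window_end

    def in_window(self, now):
        if self.window_start is None or self.window_end is None:
            return True
        return self.window_start <= now < self.window_end

    def check(self, target, now=None):
        """Return (ok, reason). A single host or a CIDR is accepted as the target."""
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            return False, f"unparseable target {target!r}"
        # Exclusions win over authorizations: a target range that merely touches an
        # excluded host is rejected, so the tester has to narrow it explicitly.
        if any(net.version == d.version and net.overlaps(d) for d in self.deny):
            return False, f"{target} overlaps an excluded range"
        if not any(net.version == a.version and net.subnet_of(a) for a in self.allow):
            return False, f"{target} is outside the authorized scope"
        now = now or datetime.now(timezone.utc)
        if not self.in_window(now):
            return False, f"{now.isoformat()} is outside the authorized time window"
        return True, "in scope"


def filter_targets(roe, targets, now=None):
    """Split a target list into what may be scanned and why the rest was refused."""
    allowed, rejected = [], {}
    for t in targets:
        ok, reason = roe.check(t, now)
        if ok:
            allowed.append(t)
        else:
            rejected[t] = reason
    return allowed, rejected


def build_nmap_argv(roe, allowed, extra=("-sV",)):
    """Argument vector for nmap; the exclusions ride along as a second guard via --exclude."""
    argv = ["nmap", *extra]
    if roe.deny:
        argv += ["--exclude", ",".join(str(d) for d in roe.deny)]
    return argv + list(allowed)


# Constructed RoE for the section-4 lab: the /24, one carved-out host, a night window (UTC).
LAB_ROE = RulesOfEngagement(
    authorized=["10.10.10.0/24"],
    excluded=["10.10.10.250/32"],   # hypothetical: a host the client asked us not to touch
    window_start=datetime(2026, 7, 1, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2026, 7, 2, 2, 0, tzinfo=timezone.utc),
)
INSIDE_WINDOW = datetime(2026, 7, 1, 23, 30, tzinfo=timezone.utc)
OUTSIDE_WINDOW = datetime(2026, 7, 2, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    wanted = ["10.10.10.10", "10.10.10.5", "8.8.8.8", "10.10.10.250", "10.10.10.0/24"]
    ok, refused = filter_targets(LAB_ROE, wanted, INSIDE_WINDOW)
    for t, why in refused.items():
        print(f"REFUSED {t}: {why}")
    print("would run:", " ".join(build_nmap_argv(LAB_ROE, ok)))
```

Note that the whole /24 is refused even though it is authorized, because it overlaps the excluded host; the tester has to list the hosts explicitly or split the range, which is exactly the discipline the planning phase is meant to force.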

> In MITRE ATT&CK terms, this cluster mainly touches **Reconnaissance ([TA0043](https://attack.mitre.org/tactics/TA0043/))** and **Discovery ([TA0007](https://attack.mitre.org/tactics/TA0007/))** for scanning, **Credential Access / Collection ([TA0006](https://attack.mitre.org/tactics/TA0006/) / [TA0009](https://attack.mitre.org/tactics/TA0009/))** via Adversary-in-the-Middle ([T1557](https://attack.mitre.org/techniques/T1557/), which covers ARP cache poisoning and DHCP spoofing), **Lateral Movement ([TA0008](https://attack.mitre.org/tactics/TA0008/))**, and, for SYN floods, **Impact ([TA0040](https://attack.mitre.org/tactics/TA0040/))** via Network Denial of Service ([T1498](https://attack.mitre.org/techniques/T1498/)). Being able to predict "what the attacker does next" by tactic helps prioritize defense.

---

## 2. The map of attack classes — grasp in the lower OSI layers

Network attacks exploit the nature that [each TCP/IP layer](/blog/tcp-ip-protocol-suite-fundamentals-complete-guide) "trusts the layer below." Let's organize by layer.

### 2.1 L2 (data link layer) — exploiting same-segment trust

Within the same LAN, hosts operate on naive premises like "believe ARP responses unconditionally."

- **[ARP spoofing / man-in-the-middle (MITM)](/blog/arp-spoofing-mitm-attack-detection-defense-guide)** — lie "the MAC for this IP is me" and twist traffic to route through you. **The king of L2 attacks.**
- MAC flooding (overflow the switch's CAM table so it floods frames like a hub) / VLAN hopping (switch spoofing, double tagging) / DHCP spoofing (a rogue server hands clients a fake gateway or DNS).

### 2.2 L3 (network layer) — forging the source

- **[IP spoofing](/blog/tcp-session-hijacking-rst-injection-ip-spoofing-defense-guide)** — falsify the source IP. Used for DDoS reflection/amplification and bypassing trust-based authorization.
- ICMP redirect (push a bogus route onto a host) / Smurf (ICMP echo reflection: a spoofed source address and a broadcast destination).

### 2.3 L4 (transport layer) — exploiting TCP/UDP specs

- **[Port scanning & service recon](/blog/network-reconnaissance-port-scanning-nmap-service-detection-defense-guide)** — reveal which ports are open and what's running. The origin of all attacks.
- **[TCP session hijacking / RST injection](/blog/tcp-session-hijacking-rst-injection-ip-spoofing-defense-guide)** — break into / sever an established TCP connection. The sequence number is the key.
- **[SYN flood (DoS)](/blog/syn-flood-ddos-attack-defense-syn-cookies-guide)** — exhaust resources via the half-open state of the handshake. **This cluster handles it defense-centrically.**
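Since port scanning is "the origin of all attacks," here is the simplest form of it, a TCP `connect()` scan (the technique behind `nmap -sT`), as an added example that is not nmap's code or the article's own. It starts a throwaway listener on 127.0.0.1, scans the ports around it, and classifies each port the way a scanner does: completed handshake means open, an immediate RST (connection refused) means closed, silence until the timeout means filtered. It touches only the loopback interface and a listener it opened itself.

```python
"""A TCP connect() scan (the technique behind nmap -sT) against a listener you start yourself.

Added example for this article, not nmap's code. It only ever talks to 127.0.0.1 and a
listener it opened itself; point it at nothing you are not authorized to scan.
"""
import socket
import threading
from contextlib import closing


def start_listener(host="127.0.0.1"):
    """Open one 'service' on an OS-chosen port so the scan has a known-open target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listener torn down by stop_listener()
                return
            conn.close()           # the handshake completed; that is all a connect scan observes

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_listener(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept() so the thread exits
    except OSError:
        pass
    srv.close()


def probe(host, port, timeout=0.5):
    """Classify one port as a connect scan does:
    handshake completed -> open; RST (ECONNREFUSED) -> closed; no answer -> filtered."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def connect_scan(host, ports, timeout=0.5):
    """Scan a port range; returns {port: state}. Sequential on purpose: easy to read in a lab."""
    return {p: probe(host, p, timeout) for p in ports}


def scan_own_listener(span=2):
    """Self-contained run: start a listener, scan the ports around it, tear it down.
    Returns (listener_port, results)."""
    srv, port = start_listener()
    try:
        ports = range(max(1, port - span), min(65535, port + span) + 1)
        results = connect_scan("127.0.0.1", ports)
    finally:
        stop_listener(srv)
    return port, results


if __name__ == "__main__":
    listener_port, found = scan_own_listener()
    for p, state in sorted(found.items()):
        mark = "  <- our listener" if p == listener_port else ""
        print(f"{p:5d}/tcp {state}{mark}")
```

A connect scan completes the full three-way handshake, so every probe shows up in the target's accept log; that is why it is the noisiest scan type and why the recon spoke's defense section starts with "expose as little as possible and log what does get connected to."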

### 2.4 Cross-cutting attacks

- **[DNS spoofing / cache poisoning](/blog/dns-spoofing-cache-poisoning-dnssec-defense-guide)** — hijack name resolution and point a correct domain at a fake server.
- **[Packet sniffing](/blog/packet-sniffing-wireshark-tls-encryption-defense-guide)** — intercept plaintext traffic. The "read" phase of MITM's spoils.

---

## 3. Why network attacks succeed — three root causes

Before getting into individual techniques, let's grasp the **root causes common to all attacks.** Knowing these lets you strike defenses "structurally" rather than "case-by-case."

1. **Lack of authentication**: ARP, early DNS, and IP have no mechanism to verify the source. "First to say it wins."
   → **Defense**: verify before trusting (DNSSEC, IPsec, TLS for cryptographic verification; 802.1X to authenticate who gets onto a switch port; Dynamic ARP Inspection to validate ARP against the DHCP-snooping binding table).
2. **Plaintext**: unencrypted communication can be read and written by anyone on the path.
   → **Defense**: **encrypt everything** (TLS everywhere). Render sniffing and tampering meaningless.
3. **Excessive trust boundaries**: the premise "the internal LAN is safe" collapses entirely with one breached machine.
   → **Defense**: **zero trust**. Don't make network location the basis of trust.

> These three appear repeatedly in each spoke of this cluster. **Even though attack techniques are diverse, the defenses that work converge on a surprisingly small number of principles** — this is the hope of network security.
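Root cause 1 ("first to say it wins") and the L2 entry in section 2.1 can be shown in a dozen lines. The following added example (not code from the article or from any switch vendor) replays the same two ARP replies into two caches: a naive host cache that overwrites on any reply, and a switch-side cache that behaves like Dynamic ARP Inspection, forwarding a reply only when its (IP, MAC, ingress port) triple matches a binding learned from DHCP snooping. The IPs, MACs and port names are constructed to match the section 4 lab.

```python
"""Root cause 1 in miniature: an ARP cache that believes the latest claim, versus one
validated against a DHCP-snooping binding table the way Dynamic ARP Inspection does.

Added example for this article, not code from the article or any switch vendor.
All IPs, MACs and switch ports are constructed to match the section-4 lab topology.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str      # "this IP ..."
    sender_mac: str     # "... is at this MAC"
    ingress_port: str   # switch port the frame arrived on (what DAI can see, a host cannot)


class NaiveArpCache:
    """What an ordinary host does: a reply for a known IP overwrites the cached MAC, and on
    most stacks an unsolicited (gratuitous) reply is accepted too. Nothing is verified."""

    def __init__(self):
        self.table = {}

    def on_reply(self, reply):
        self.table[reply.sender_ip] = reply.sender_mac
        return True


class DaiValidatedCache:
    """Dynamic ARP Inspection: forward an ARP reply only if (IP, MAC, port) matches a binding
    learned from DHCP snooping (or configured statically); drop and count everything else."""

    def __init__(self, bindings):
        self.bindings = set(bindings)   # {(ip, mac, port), ...}
        self.table = {}
        self.dropped = []

    def on_reply(self, reply):
        if (reply.sender_ip, reply.sender_mac, reply.ingress_port) in self.bindings:
            self.table[reply.sender_ip] = reply.sender_mac
            return True
        self.dropped.append(reply)
        return False


# Constructed lab identities: gateway on Gi0/1, Kali on Gi0/5, victim on Gi0/10.
GATEWAY_IP, GATEWAY_MAC, GATEWAY_PORT = "10.10.10.1", "52:54:00:00:00:01", "Gi0/1"
KALI_IP, KALI_MAC, KALI_PORT = "10.10.10.5", "52:54:00:00:00:05", "Gi0/5"
VICTIM_IP, VICTIM_MAC, VICTIM_PORT = "10.10.10.10", "52:54:00:00:00:10", "Gi0/10"

LAB_BINDINGS = {
    (GATEWAY_IP, GATEWAY_MAC, GATEWAY_PORT),
    (KALI_IP, KALI_MAC, KALI_PORT),
    (VICTIM_IP, VICTIM_MAC, VICTIM_PORT),
}


def poisoning_scenario():
    """Replay the real gateway reply, then Kali's spoofed one, into both caches and report
    which MAC each now holds for the gateway IP."""
    frames = [
        ArpReply(GATEWAY_IP, GATEWAY_MAC, GATEWAY_PORT),   # the real gateway answers
        ArpReply(GATEWAY_IP, KALI_MAC, KALI_PORT),         # Kali: "10.10.10.1 is at my MAC"
    ]
    naive, dai = NaiveArpCache(), DaiValidatedCache(LAB_BINDINGS)
    for f in frames:
        naive.on_reply(f)
        dai.on_reply(f)
    return {
        "naive_gateway_mac": naive.table[GATEWAY_IP],
        "dai_gateway_mac": dai.table[GATEWAY_IP],
        "naive_mitm": naive.table[GATEWAY_IP] == KALI_MAC,   # victim now sends gateway traffic to Kali
        "dai_mitm": dai.table[GATEWAY_IP] == KALI_MAC,
        "dai_dropped": len(dai.dropped),
    }


if __name__ == "__main__":
    for k, v in poisoning_scenario().items():
        print(f"{k:18s} {v}")
```

The spoofed frame is rejected not because of anything cryptographic but because the switch has a second source of truth (the DHCP lease it watched being handed out on Gi0/5); that is the "verify before trusting" principle applied one layer below where the lie is told.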

---

## 4. How to build the lab — a minimal setup for safe hands-on

To practice legally, build **a virtual network completely isolated from the outside.** As an extension of the [home-lab article](/blog/ethical-hacking-home-lab-kali-juice-shop-ctf-self-study-roadmap-guide), here's a minimal setup where you can try L2 attacks.

```text
   [ host OS ] ── VirtualBox / UTM "internal network (intnet)"  * cut off from the outside
        │
   ┌────┴───────────────┬───────────────────┐
   │                    │                   │
[ Kali (attacker) ]  [ Victim VM ]    [ Gateway VM (acts as router) ]
 10.10.10.5           10.10.10.10          10.10.10.1
```

The point is the **"internal network" mode** (neither NAT nor bridge). This confines ARP spoofing and scanning **to just your three VMs**, leaking nothing at all to your home LAN, company, or public networks. **This isolation is the physical wall that separates legal from illegal.**

```bash
# The only thing to run first is a reachability check inside the lab (between your own VMs).
# This is "your own assets", so it is legal. Never aim it at an external IP.
ping -c 1 10.10.10.10        # is the Victim VM on the same segment?
ip neigh                     # your own ARP/neighbor table (whose MACs have been learned)
```
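That `ip neigh` table is also the first place ARP spoofing becomes visible from the victim's side. As an added example (not part of the article), the script below parses two `ip neigh` snapshots in iproute2's output format and reports the two classic signs: an IP whose MAC changed between snapshots, and one MAC answering for several IPs of the same address family (a dual-stack gateway legitimately shares one MAC between its IPv4 and IPv6 addresses, so grouping by family avoids that false positive). The snapshot lines are constructed for the lab above, taken on the Victim VM before and during Kali's poisoning.

```python
"""Detect ARP-cache drift between two `ip neigh` snapshots: an IP whose MAC changed, or one
MAC answering for several IPs, is what the victim sees during ARP spoofing.

Added example for this article; the snapshot lines are constructed in iproute2's `ip neigh`
output format for the section-4 lab (10.10.10.1 gateway, .5 Kali, .10 victim).
"""
import ipaddress


def parse_ip_neigh(text):
    """Map IP -> (MAC or None, state). Tokens are positional:
    '<ip> dev <if> [lladdr <mac>] [router] [proxy] <STATE>'."""
    table = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2:
            continue
        mac = tok[tok.index("lladdr") + 1] if "lladdr" in tok else None   # FAILED/INCOMPLETE have no MAC
        state = tok[-1] if tok[-1].isupper() else "UNKNOWN"
        table[tok[0]] = (mac, state)
    return table


def arp_findings(baseline_text, current_text):
    """Compare two snapshots; return a sorted list of (kind, subject, detail) tuples."""
    before, after = parse_ip_neigh(baseline_text), parse_ip_neigh(current_text)
    findings = []
    # 1) the same IP now resolves to a different MAC than in the baseline
    for ip, (mac, _state) in after.items():
        old = before.get(ip, (None, None))[0]
        if mac is not None and old is not None and old != mac:
            findings.append(("mac_changed", ip, f"{old} -> {mac}"))
    # 2) one MAC claims several IPs of the same family (gateway and attacker sharing a MAC)
    by_mac = {}
    for ip, (mac, _state) in after.items():
        if mac is None:
            continue
        try:
            family = ipaddress.ip_address(ip).version
        except ValueError:
            continue
        by_mac.setdefault((family, mac), []).append(ip)
    for (_family, mac), ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate_mac", mac, ",".join(sorted(ips))))
    return sorted(findings)


# Constructed: the Victim VM's table in a clean state (the gateway is dual-stack).
BASELINE = """\
10.10.10.1 dev eth0 lladdr 52:54:00:00:00:01 REACHABLE
10.10.10.5 dev eth0 lladdr 52:54:00:00:00:05 STALE
fe80::1 dev eth0 lladdr 52:54:00:00:00:01 router REACHABLE
"""

# Constructed: the same table while Kali (10.10.10.5) keeps replying "10.10.10.1 is at my MAC".
POISONED = """\
10.10.10.1 dev eth0 lladdr 52:54:00:00:00:05 REACHABLE
10.10.10.5 dev eth0 lladdr 52:54:00:00:00:05 REACHABLE
10.10.10.20 dev eth0  FAILED
fe80::1 dev eth0 lladdr 52:54:00:00:00:01 router REACHABLE
"""

if __name__ == "__main__":
    for kind, subject, detail in arp_findings(BASELINE, POISONED):
        print(f"{kind:14s} {subject:20s} {detail}")
```

In a real lab you would feed it the output of `ip neigh` captured before and after the attack (for example with `subprocess.run(["ip", "neigh"], capture_output=True, text=True).stdout`); a baseline-versus-baseline comparison returns nothing, which is the test that the dual-stack gateway does not trip the duplicate check.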

---

## 5. How to walk each spoke — always offense and defense paired

Each article in this cluster always handles **"the attack mechanism → detection → RFC-compliant defense"** as one set. The recommended reading order is as follows.

1. **[Recon & port scanning (nmap)](/blog/network-reconnaissance-port-scanning-nmap-service-detection-defense-guide)** — first, "make it visible." The origin of everything. Defense is minimal exposure and IDS.
2. **[ARP spoofing / MITM](/blog/arp-spoofing-mitm-attack-detection-defense-guide)** — break into the path. Defense is Dynamic ARP Inspection, 802.1X, TLS.
3. **[DNS spoofing / cache poisoning](/blog/dns-spoofing-cache-poisoning-dnssec-defense-guide)** — hijack name resolution. Defense is DNSSEC and source-port randomization (RFC 5452).
4. **[TCP session hijacking / RST injection / IP spoofing](/blog/tcp-session-hijacking-rst-injection-ip-spoofing-defense-guide)** — seize / sever a connection. Defense is RFC 5961 (challenge ACKs against blind in-window attacks), ISN randomization (RFC 6528), BCP 38 (ingress filtering of spoofed sources).
5. **[SYN flood / DDoS](/blog/syn-flood-ddos-attack-defense-syn-cookies-guide)** — flooding. Defense is SYN cookies (RFC 4987), rate limiting, cloud DDoS protection.
6. **[Packet sniffing / Wireshark / encryption](/blog/packet-sniffing-wireshark-tls-encryption-defense-guide)** — reading. Defense is TLS everywhere and visibility operations.

---

## 6. Summary — the network assessor's mindset

- **Methodology first, tools later**: crush the attack surface systematically with NIST SP 800-115's four phases. `nmap` is merely an instrument subordinate to the methodology.
- **Grasp attacks by layer**: L2 (ARP), L3 (IP), L4 (TCP/UDP), cross-cutting (DNS/sniffing). Each layer gets exploited for its "trust the layer below" nature.
- **There are three root causes**: lack of authentication, plaintext, excessive trust boundaries. So defense converges on encryption, verification, and zero trust.
- **Build the wall of legality physically**: a VM lab on an isolated internal network. Fix the scope boundary in writing.
- **Understanding offense is defensive design**: always pair each technique with "how it lands" and "how to crush it per the RFCs."

Only those who understand network attacks can **proactively crush "where it breaks" at the design stage.** From the next chapter, starting with recon (port scanning), we go deep on each attack and defense one by one.

---

I (Hinata Tomoda) have designed and implemented multi-layer networks in AWS multi-account environments ([the API Gateway→NLB→ALB→ECS configuration](/case-studies/lumber-industry-dx), VPC design, least-privilege IAM, GuardDuty threat detection, WAF multi-layered defense). With the perspective of one who knows the attackers' moves, I'll enumerate the attack surface of your network/infrastructure and design and implement RFC-compliant defenses (segmentation, encryption, detection). "I want to diagnose where our boundary breaks, from the attacker's perspective" — when that's the case, feel free to reach out.
