Part 3: Exploitation -- Network and System Attacks
"Exploitation is not about running a tool. It is about understanding a system deeply enough to make it do something its creators never intended."
This is the part of the book you have been waiting for. We know it, and we are not going to pretend otherwise. After six chapters of foundations and five chapters of reconnaissance, you are ready to do what most people think of when they hear "ethical hacking" -- you are ready to break into systems.
But here is the thing that distinguishes this part from a tutorial on running Metasploit: we are not just teaching you which buttons to push. We are teaching you to understand what is happening underneath. When you exploit a buffer overflow, you will understand why the stack is vulnerable. When you crack a password hash, you will understand the mathematics that make it possible. When you escalate privileges on a Linux box, you will understand the permission model well enough to know why that misconfigured SUID binary is dangerous. This understanding is what separates a penetration tester who can adapt to any environment from one who is lost the moment their favorite tool fails.
Part 3 covers network and system-level exploitation -- the techniques you use to gain initial access to infrastructure, move through networks, crack authentication, and escalate your privileges from a low-privilege user to root or SYSTEM. If Part 2 was about mapping the battlefield, Part 3 is about taking the hill.
What You Will Learn
Six chapters take you from exploitation theory through to full domain compromise in an Active Directory environment.
Chapter 12: Exploitation Fundamentals and the Metasploit Framework starts with first principles. What is exploitation, really? We cover the Metasploit Framework in depth -- not as a point-and-click tool, but as a platform whose architecture you understand well enough to extend. You will learn how to find and select exploits, understand the relationship between payloads, encoders, and handlers, master Meterpreter as your primary post-exploitation agent, and write custom exploit scripts. In our MedSecure scenario, we demonstrate exploiting an unpatched service on a clinical workstation to gain our initial foothold -- the moment when the engagement shifts from reconnaissance to active compromise.
Chapter 13: Network-Based Attacks covers the techniques that exploit the trust assumptions baked into network protocols. ARP spoofing and cache poisoning, man-in-the-middle attacks, DNS spoofing and tunneling, VLAN hopping, and lateral movement techniques -- these attacks work because networks were designed for connectivity, not security. You will learn both the attacks and their detection signatures, because understanding what defenders see is essential to understanding what you are doing and why it matters. When we demonstrate ARP spoofing in the MedSecure lab to intercept traffic between a medical device and the hospital network, the real-world stakes of network security become viscerally clear.
Chapter 14: Password Attacks and Authentication Bypass addresses the most common way into any system: weak or stolen credentials. We cover the full methodology -- online brute force and dictionary attacks, offline hash cracking with Hashcat and John the Ripper, password spraying against enterprise environments, multi-factor authentication bypass techniques, and the devastating pass-the-hash and credential relay attacks that allow you to authenticate without ever knowing the plaintext password. You will gain a deep appreciation for why authentication is simultaneously the most important and most frequently broken security control.
Chapter 15: Linux Exploitation and Privilege Escalation takes you from a low-privilege shell to root on Linux systems. We start with the Linux security architecture so you understand what you are attacking, then work through kernel and local privilege escalation exploits like Dirty COW and PwnKit, SUID/SGID abuse, capabilities exploitation, cron job hijacking, PATH manipulation, and container escapes. You will use automated enumeration tools like LinPEAS while understanding what they are actually checking. Every technique is demonstrated in the Student Home Lab against realistic targets, and we emphasize the importance of understanding why an escalation path exists, not just how to exploit it.
Chapter 16: Windows Exploitation and Privilege Escalation is the companion chapter for the platform that dominates enterprise environments. Windows privilege escalation is a different discipline from its Linux counterpart -- the security model is more complex, the attack surface is different, and the tools are specialized. You will learn token impersonation, service misconfiguration exploitation, unquoted service paths, registry and DLL hijacking, and modern CVE exploitation including PrintNightmare and HiveNightmare. We cover both manual enumeration and automated tools like WinPEAS, PowerUp, and Seatbelt. Given that MedSecure's infrastructure is primarily Windows-based, these techniques are directly applicable to our running scenario.
Chapter 17: Active Directory Attacks is the crown jewel of this part and, for many professional pentesters, the most important chapter in the book. Active Directory is the backbone of enterprise identity management, and compromising it means compromising everything. You will learn AD enumeration with BloodHound and PowerView, Kerberoasting and AS-REP Roasting, Pass-the-Ticket and Overpass-the-Hash, delegation attacks, AD Certificate Services exploitation (ESC1 through ESC8), and the ultimate objective -- domain dominance through DCSync, Golden Tickets, and Silver Tickets. We walk through a complete AD attack chain against MedSecure's domain, from initial foothold to Domain Admin, demonstrating how the techniques from Chapters 12 through 16 chain together in a realistic enterprise environment.
Key Themes
Chains, not single exploits. Real-world compromise almost never comes from a single vulnerability. It comes from chaining together multiple findings -- a weak credential here, a missing patch there, a misconfigured trust relationship that bridges two network segments. Part 3 teaches you to think in chains.
Understand the system, then break it. Every chapter in this part begins with the underlying architecture before moving to attacks. We teach you how Linux permissions work before we teach you to abuse them. We explain Windows tokens before we teach you to impersonate them. This is deliberate. Understanding why something is vulnerable is what lets you find new vulnerabilities, not just exploit known ones.
Detection is part of the picture. For each major technique, we discuss what defenders see. This is not a defense textbook, but a penetration tester who does not understand detection is flying blind. Knowing what logs you are generating, what alerts you might trigger, and what artifacts you leave behind makes you a better attacker and a better consultant.
Active Directory is the real target. In enterprise engagements, the goal almost always leads back to Active Directory. Even when the initial foothold is on a Linux web server or an IoT device, the path to maximum impact usually runs through AD. Chapter 17 ties together everything in this part.
How This Part Connects
Part 2 gave you a map of MedSecure's network: open ports, running services, employee names, technology stack, prioritized vulnerabilities. Part 3 turns that map into access. You will exploit the services you enumerated, crack the passwords you identified as weak, escalate privileges on the operating systems you fingerprinted, and compromise the Active Directory domain you mapped.
Part 4 shifts the attack surface from infrastructure to applications. The web applications, APIs, and authentication systems that Part 3 sometimes touches in passing become the primary focus. Many of the concepts you learn here -- authentication bypass, session manipulation, privilege escalation -- have direct parallels in the web application world, and we will draw those connections explicitly.
The skills you build in Part 3 are the core of offensive security. Whether you go on to specialize in web application testing, red team operations, cloud security, or any other domain, the ability to exploit systems and escalate privileges remains fundamental. Everything that follows builds on what you learn here.
Time to get root.
Chapters in This Part
- Chapter 12: Exploitation Fundamentals and the Metasploit Framework
- Chapter 13: Network-Based Attacks
- Chapter 14: Password Attacks and Authentication Bypass
- Chapter 15: Linux Exploitation and Privilege Escalation
- Chapter 16: Windows Exploitation and Privilege Escalation
- Chapter 17: Active Directory Attacks