
Network exploit types: practical examples from pentests

Picking the right exploit is not a matter of intuition - it is a strategic decision based on attack surface analysis, software version and the operational goal. During a network infrastructure pentest every minute counts, and a thoughtless choice of technique can end with an IDS alert, a lost session or no access to critical resources. In this article you will find a structured overview of network exploit types, concrete CVE examples and practical guidance for classifying and prioritising techniques that actually work in the field.

Key Takeaways

| Point | Details |
| --- | --- |
| Exploit classification criteria | Effective exploit segmentation lets you pick the right tool for a given infrastructure faster. |
| Real CVE examples | Analysing known vulnerabilities like CVE-2008-4834 translates into better pentest preparation. |
| Testing heuristics | Tracking the most exploited bugs lets you prioritise actions more efficiently. |
| Edge case pitfalls | Not every flaw works in every environment - test and analyse implementation differences. |

How to classify network exploit types?

Now that you know how much the right choice matters, it is worth understanding the logical framework for classifying exploits. Without a coherent system to organise knowledge, every pentest becomes a chaotic process of trial and error. Classification is not just theory, it is a working tool.

According to Exploitation Techniques Overview, network exploit classification is best done along three independent axes: attack surface, technique class and operational goal. Each axis answers a different question, and together they paint the full picture of an attack scenario.

Attack surface

The first axis is the attack surface - the protocol or service that is the entry vector. Most commonly seen in practice:

  • SMB (Server Message Block) - widely available in Windows environments, historically rich in RCE-class vulnerabilities

  • RDP (Remote Desktop Protocol) - often exposed at the network edge, target of brute-force attacks and memory exploits

  • SSH - relatively safe but vulnerable to implementation flaws and weak configurations

  • SIP/VoIP - neglected in audits yet exceptionally attractive to attackers

  • Edge devices - routers, IP phones, switches with vulnerable firmware

Exploit technique class

The second axis describes the bug mechanics. In practice pentesters encounter:

  • Buffer overflow - the classic, still present in older systems

  • Use-after-free - a complex technique requiring precision in memory management

  • Zero-day - vulnerabilities not yet publicly disclosed (and so without a CVE), requiring own research and tooling

  • Protocol logic bugs - e.g. incorrect handling of packet sequences in SIP

  • Privilege escalation chains - a sequence of steps from minimal access to root

Fuzzing techniques, described in detail in the context of fuzzing in pentests, are a key tool for identifying protocol implementation bugs before they end up in public CVEs.

Exploit goal in the attack chain

The third axis - the operational goal - decides where the exploit fits in the attack chain:

  • Gaining initial access to a system or network

  • Privilege escalation from a user account to root or SYSTEM

  • Lateral movement between systems in the internal network

  • Persistence - keeping access after a service or system restart

A good pentester does not look for an exploit that "will work somehow". They look for an exploit that is optimal for a specific attack surface, a specific service version and a specific mission goal. The rest is wasted time and detection risk.

Knowing all three axes lets you build precise test scenarios instead of shooting in the dark. That is the difference between an audit and a real red team engagement.

Examples of exploits against SMB, RDP and SSH

With the classification framework in hand, it is time to discuss key real-world examples from various network services. SMB, RDP and SSH are the three pillars of Windows/Linux infrastructure that regularly appear as attack vectors in pentest reports.

SMB: CVE-2008-4834 and the buffer overflow vulnerability class

A critical buffer overflow in SMB represents a class of flaws where the attacker can execute arbitrary code remotely on the target system without authentication. CVE-2008-4834 affects the Microsoft SMB implementation and allows stack overflow via a malformed Transaction2 packet. In pentest practice this means the ability to obtain a SYSTEM session on an unpatched Windows host without any credentials.

The mechanics of this exploit are as follows:

  1. The attacker scans the network for an open port 445 (SMB)

  2. Sends a specially crafted Transaction2 packet with an overflowed field

  3. The SMB server writes data past the buffer boundary, overwriting the return address

  4. Control of the instruction pointer passes to the attacker's shellcode

  5. The shellcode opens a reverse shell or downloads a stage-2 payload

Comparison table of exploits against SMB, RDP and SSH

| Service | Example CVE | Bug type | Authentication required | Effect |
| --- | --- | --- | --- | --- |
| SMB | CVE-2008-4834 | Buffer overflow | No | RCE as SYSTEM |
| SMB | CVE-2017-0144 (EternalBlue) | Buffer overflow | No | RCE, worm-capable |
| RDP | CVE-2019-0708 (BlueKeep) | Use-after-free | No | RCE as SYSTEM |
| RDP | CVE-2012-0002 | Heap overflow | No | RCE |
| SSH | CVE-2023-38408 | Agent forwarding RCE | Partial | RCE via the agent |
| SSH | Brute-force / weak keys | Logical / configuration | Yes (weak) | Account access |

Threat statistics: According to data on global incidents from 2023, more than 60% of successful ransomware attacks in Europe used unsecured RDP services or unpatched SMB implementations as the entry vector. These services remain a priority target due to their ubiquity and long patching cycles in production environments.

RDP: attack techniques and bypassing authentication

RDP attacks fall into two categories. The first is protocol-level exploits like BlueKeep (CVE-2019-0708) that only require access to port 3389. The second is attacks on the authentication layer: credential stuffing, pass-the-hash and brute-force using popular password lists.

Detection-evasion techniques during an RDP attack include:

  • TCP traffic fragmentation at the network layer

  • Using legitimate system tools (LOLBins) after gaining access

  • Limiting brute-force speed below SIEM alert thresholds

  • Tunneling the protocol over HTTPS or Tor
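The SIEM-threshold point above has a defensive mirror image: a rule that only counts failures inside a short window misses a source that paces its attempts. The following Python is an added example, not code from the article, that counts RDP logon failures per source over both a short and a long window on constructed event data; the thresholds and the simplified event format are assumptions.

```python
"""Added example (not from the article): flag RDP password guessing that
stays under a short-window SIEM threshold by also counting logon failures
per source over a long window. Events are constructed, in a simplified
(timestamp, source_ip, event_id, logon_type, user) form, not raw Windows XML."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log: 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
# With NLA enabled, failed RDP attempts are commonly recorded with LogonType 3 instead.
FAILED_LOGON, RDP_LOGON_TYPES = 4625, {10, 3}

def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect(events, burst=(5, timedelta(minutes=5)), slow=(20, timedelta(hours=24))):
    """Per source IP: 'burst' if >= burst[0] failures within burst[1],
    'low-and-slow' if >= slow[0] failures within slow[1]. Thresholds are assumptions."""
    failures = defaultdict(list)
    for ts, src, event_id, logon_type, _user in events:
        if event_id == FAILED_LOGON and logon_type in RDP_LOGON_TYPES:
            failures[src].append(ts)
    findings = {}
    for src, times in failures.items():
        reasons = []
        if max_in_window(times, burst[1]) >= burst[0]:
            reasons.append("burst")
        if max_in_window(times, slow[1]) >= slow[0]:
            reasons.append("low-and-slow")
        if reasons:
            findings[src] = reasons
    return findings

def constructed_events():
    """Constructed sample, not real telemetry (RFC 5737 addresses):
    198.51.100.9 - 12 failures in one minute (noisy brute force);
    203.0.113.7  - one failure every 10 minutes for 6 hours, never more than one
                   per 5-minute window, so a burst-only rule misses it;
    192.0.2.44   - two typos by a real user, then a successful logon (4624)."""
    t0 = datetime(2024, 3, 1, 8, 0, 0)
    events = [(t0 + timedelta(seconds=5 * i), "198.51.100.9", 4625, 10, "administrator") for i in range(12)]
    events += [(t0 + timedelta(minutes=10 * i), "203.0.113.7", 4625, 10, f"user{i % 9}") for i in range(36)]
    events += [(t0 + timedelta(minutes=3), "192.0.2.44", 4625, 10, "j.kowalski"),
               (t0 + timedelta(minutes=4), "192.0.2.44", 4625, 10, "j.kowalski"),
               (t0 + timedelta(minutes=5), "192.0.2.44", 4624, 10, "j.kowalski")]
    return events

if __name__ == "__main__":
    print(detect(constructed_events()))  # {'198.51.100.9': ['burst'], '203.0.113.7': ['low-and-slow']}
```

The paced source never exceeds one failure per five minutes, so only the 24-hour count exposes it; a rule with just the short window stays silent.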

SSH: traffic analysis and vulnerability detection

For SSH services, vulnerability analysis focuses mainly on OpenSSH library versions with implementation bugs, weak RSA keys generated on embedded devices, and misconfigured agent forwarding.

It is also worth remembering that malware often manipulates system libraries, and attacking DLLs in a network context is a technique commonly used after gaining access via SSH or RDP, to maintain persistence without modifying core system files.

Pro tip: Before launching an SSH exploit, check the daemon version with ssh -v target or an Nmap scan with the ssh-auth-methods script. The OpenSSH version often reveals the system distribution, which lets you narrow the list of effective CVEs to a few specific vectors.

Exploits of edge devices and VoIP systems

Beyond standard protocols, edge devices and VoIP are increasingly targeted, requiring a separate approach. In a typical corporate infrastructure, dozens of IP phones, SIP gateways and edge routers go without regular firmware updates for months, even years.

Grandstream GXP1600: RCE without authentication

CVE-2026-2329 in Grandstream GXP1600 is a vulnerability allowing remote code execution without any authentication. After a successful exploit the attacker obtains a Meterpreter session with root privileges on the device. This is a critical scenario, because an IP phone with root access enables:

  1. Eavesdropping on SIP calls in real time

  2. Hijacking configuration and credentials for the VoIP server

  3. Using the device as a pivot for further lateral movement in the network

  4. Modifying firmware to plant a persistent backdoor

Comparison table of attack types on VoIP and edge devices

| Attack vector | Technique | Target | Difficulty | Post-exploitation effect |
| --- | --- | --- | --- | --- |
| Authentication bypass | HTTP API logic bug | Router, SIP gateway | Low | Admin panel without password |
| Buffer overflow in SIP | Malformed INVITE packet | IP phone | Medium | RCE, root |
| SIP credential theft | Capturing UDP traffic | PBX server | Low | Access to SIP accounts |
| Firmware RCE | CVE in the web interface | Edge device | High | Full device control |
| Default credentials | Brute-force / default passwords | Any VoIP | Very low | Administrative access |

Attack paths: step by step for VoIP

A typical VoIP system compromise scenario in pentests looks as follows:

  1. Reconnaissance - scanning the network for open ports 5060 (SIP) and 5061 (SIP-TLS) and identifying device models

  2. Fingerprinting - reading the firmware version from SIP OPTIONS headers or the web interface

  3. CVE search - matching the version to known vulnerabilities in NVD and Exploit-DB databases

  4. Module preparation - configuring the appropriate Metasploit module or own script

  5. Exploitation - executing the attack with minimal network noise

  6. Post-exploitation - dumping SIP configuration, passwords, certificates and contact lists

Pro tip: VoIP devices rarely have EDR or advanced logging. This makes attack detection harder for the defender, but it also means your traces may be discovered during a forensic audit. Always document the test scope and collect evidence of activity before launching an exploit.

A key element of evaluation is the firmware version. The same Grandstream model with firmware 1.0.4.22 may be vulnerable, while 1.0.4.30 has a patch. Always verify the exact version before choosing an exploit; do not assume a device is unpatched just because it is old.

Most exploited CVEs and exploit prioritisation heuristics

To automate and optimise selection, it is worth knowing practical benchmarks and tracking threat statistics. Exploit prioritisation is a skill that distinguishes an experienced pentester from someone mechanically running a scanner.

Qualys Top 20: what attackers actually use

Qualys Top 20 Exploited Vulnerabilities is one of the most important rankings for a pentester, because it shows not what is theoretically dangerous but what is actually being exploited in live attacks. The ranking is dominated by:

  • Log4Shell (CVE-2021-44228) - Java logging, RCE, mass-exploited by APT and ransomware groups

  • Zerologon (CVE-2020-1472) - critical Netlogon vulnerability, escalation to Domain Admin without a password

  • ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) - Exchange Server vulnerability chain, pre-auth RCE

  • PrintNightmare (CVE-2021-1675) - Print Spooler service, LPE and RCE in Windows environments

  • Fortinet FortiOS - multiple SSL-VPN vulnerabilities, pre-auth access

"Prioritising exploits based on real attack usage is the fastest way to demonstrate critical risk in a pentest report. If a CVE is in the Qualys Top 20, the client must treat it as urgent regardless of their own risk assessment."

Exploit selection heuristic for the test

An effective heuristic is based on several criteria evaluated together:

  • CVSS Score is not enough - look for exploits with confirmed use cases (Exploit-DB, GitHub PoC)

  • Module availability in Metasploit significantly shortens preparation time and reduces implementation error risk

  • Number of affected systems in the scanned network - the more hosts, the higher the priority

  • Lack or delay in patching - check the dates of recent updates of systems within the pentest scope

  • Presence in CISA KEV (Known Exploited Vulnerabilities) - this is a signal that the flaw is actively exploited by APT groups
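As an added example (not the article's or any vendor's code) that ties the firmware-version rule from the Grandstream section to the heuristic above: it matches a constructed asset inventory against a constructed CVE catalogue by version, then ranks the findings by affected-host count plus the KEV, public-PoC and Metasploit-module signals, with CVSS used only as a tie-breaker. The catalogue rows (the Grandstream entry reuses the article's 1.0.4.22 / 1.0.4.30 illustration), the signal weights and the inventory are all assumptions.

```python
"""Added example (not from the article): match an asset inventory against a
CVE catalogue by firmware version, then rank findings with the article's
criteria. Catalogue, weights and inventory are constructed for illustration;
the fixed-version values are not authoritative advisory data."""
import re
from collections import defaultdict

def parse_version(text):
    """'1.0.4.22' -> (1, 0, 4, 22); 'OpenSSH_8.9p1' -> (8, 9).
    Simplification: a patch-level suffix such as 'p1' is ignored."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))

def is_vulnerable(version, first_fixed):
    """Vulnerable when the running build is strictly below the first fixed one."""
    return parse_version(version) < parse_version(first_fixed)

# Constructed catalogue. The Grandstream row reuses the article's 1.0.4.22 /
# 1.0.4.30 illustration; the router row is a placeholder, not a real advisory.
CATALOGUE = [
    {"cve": "CVE-2026-2329", "product": "grandstream-gxp1600", "first_fixed": "1.0.4.30",
     "cvss": 9.8, "public_poc": True, "msf_module": True, "in_kev": False},
    {"cve": "CVE-XXXX-PLACEHOLDER", "product": "example-edge-router", "first_fixed": "2.1.0",
     "cvss": 9.9, "public_poc": False, "msf_module": False, "in_kev": True},
]
# Weights for the article's qualitative signals (assumed values, not a standard).
SIGNAL_WEIGHTS = {"in_kev": 4, "public_poc": 3, "msf_module": 2}

def prioritise(inventory, catalogue=CATALOGUE):
    """Findings sorted by descending score (affected hosts + signals), then CVSS,
    so a high CVSS alone never outranks a flaw that actually hits hosts in scope."""
    affected = defaultdict(list)
    for host in inventory:
        for entry in catalogue:
            if host["product"] == entry["product"] and is_vulnerable(host["version"], entry["first_fixed"]):
                affected[entry["cve"]].append(host["ip"])
    findings = []
    for entry in catalogue:
        hosts = affected.get(entry["cve"])
        if not hosts:
            continue  # nothing in scope runs a vulnerable build
        score = len(hosts) + sum(w for key, w in SIGNAL_WEIGHTS.items() if entry[key])
        findings.append({"cve": entry["cve"], "hosts": hosts, "score": score, "cvss": entry["cvss"]})
    findings.sort(key=lambda f: (f["score"], f["cvss"]), reverse=True)
    return findings

# Constructed inventory (RFC 5737 documentation addresses); 192.0.2.12 is patched.
INVENTORY = [
    {"ip": "192.0.2.10", "product": "grandstream-gxp1600", "version": "1.0.4.22"},
    {"ip": "192.0.2.11", "product": "grandstream-gxp1600", "version": "1.0.4.22"},
    {"ip": "192.0.2.12", "product": "grandstream-gxp1600", "version": "1.0.4.30"},
    {"ip": "192.0.2.1", "product": "example-edge-router", "version": "2.0.7"},
]
```

Calling prioritise(INVENTORY) ranks the Grandstream entry first (two affected phones plus PoC and module signals) ahead of the router entry despite the router's higher CVSS, and the patched 1.0.4.30 phone is left out entirely.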

Example exploit table by category

| Category | CVE | Type | Service | Priority |
| --- | --- | --- | --- | --- |
| RCE pre-auth | CVE-2021-44228 | JNDI injection | Log4j (Java) | Critical |
| Escalation to DA | CVE-2020-1472 | Logical | Netlogon/AD | Critical |
| Pre-auth Exchange RCE | CVE-2021-34473 | SSRF chain | Exchange | Critical |
| Buffer overflow SMB | CVE-2008-4834 | Stack overflow | SMB | High |
| VoIP RCE | CVE-2026-2329 | No auth | Grandstream SIP | High |
| RDP pre-auth RCE | CVE-2019-0708 | Use-after-free | RDP | High |
| Network DoS | CVE-2018-0171 | Buffer overflow | Cisco Smart Install | Medium |

Tracking updates is just as important as testing itself. Watch the Metasploit repositories on GitHub, Feedly channels with CVE feeds and mailing lists like Full Disclosure. A new Metasploit module for a fresh CVE can appear within 24 hours of a public exploit being published.

Important rule: do not test exploits you do not understand. Every Metasploit module has source code worth reading before running. Understanding the attack mechanics lets you modify parameters, work around configuration restrictions and create variants tailored to a specific environment.

What to watch out for when judging exploit usefulness: an expert's perspective

Once the priorities are set, the question of how effective exploits are in practice, and where their limits lie, remains. And this is where the pentester's real work begins, not just running ready-made modules.

One of the biggest pitfalls in pentests is the assumption that an identical CVE works the same way on all devices from the same vendor. Reality is different. Exploit variability depending on device version is one of the key "edge cases" of every serious pentest. A perfect example is Cisco IOS XE, where different system versions have different code paths in handling the web interface, so an exploit working on version 17.3.1 may completely fail on 17.3.4.

This variability can be intentional or accidental. Intentional, when the vendor introduces a patch only for a specific subset of versions. Accidental, when code refactoring changes the memory layout and the exploit does not hit the expected offset. That is why every serious pentester must have access to test environments with device versions matching the test scope. Testing on VMware with a "similar" system version is not the same as testing on real firmware.

Routine is the enemy of effectiveness. We see this regularly: pentesters run the same Metasploit modules in the same order without checking whether anything has changed in the target environment. Meanwhile edge cases - rare configurations, custom builds, modified protocol implementations - are exactly where defence is weakest. Administrators think they are safe because they patched "standard" CVEs, but their non-standard configuration creates a new attack surface.

The practical recommendation is simple: update tools before every test, not once a quarter. Check Metasploit's GitHub for new pull requests for services in the pentest scope. Read security patch changelogs from the target device vendor. It takes an hour, but can change the outcome of a whole week-long project.

Equally important is documenting edge cases for the client. If an exploit works on firmware X but not on firmware Y (although Y is also theoretically vulnerable), write that explicitly in the report. It builds trust and shows depth of analysis, and the client gets practical information about which systems are critically exposed and which are only potentially exposed.

Tools and hardware for effective network exploit testing

You already know what to look for - now meet the hardware that will really increase the effectiveness of your tests.

Effective network exploit testing requires not only software but also the right hardware backbone. SIP traffic analysis, radio protocol testing, cloning RFID cards used in authentication - these are tasks you cannot accomplish with a Kali Linux laptop alone.

In Sapsan's offering you will find hardware dedicated to testing network infrastructure and wireless protocols. HackRF Pro is the flagship SDR tool for pentesters working with radio and wireless protocols - listening, replay and wideband analysis, with improvements over the original HackRF One (better oscillator, lower noise). For more elaborate antenna setups (band switching, input multiplexing) the Opera Cake for HackRF works well. For RFID/NFC and SubGHz layer testing, including cloning of contactless cards in controlled lab conditions, use Flipper Zero - a multitool with 125 kHz / 13.56 MHz / SubGHz / iButton support. For LAN segmentation tests and passive eavesdropping of traffic between VLANs, the LAN Turtle and Packet Squirrel Mark II come in handy - both allow silent interposition on an Ethernet cable and inline traffic analysis. The full pentest hardware lineup is in the Network category, with delivery across Europe and fast B2B order fulfilment.

Frequently asked questions

How to effectively pick an exploit type for testing a specific service?

Analyse the attack surface, the service version and the bug type - use current CVEs and benchmarks. According to exploit classification criteria, the optimal choice considers module availability, confirmed PoC and the popularity ranking of the vulnerability in active attacks at the same time.

Which SMB exploits are most used today?

The most dangerous remain buffer overflow exploits. CVE-2008-4834 and the SMB overflow class enable remote code execution without authentication, and EternalBlue (CVE-2017-0144) still appears as an active vector in networks with unpatched Windows systems.

Why doesn't every exploit work on all software versions?

Differences in implementation and code paths make exploit effectiveness depend on the device model and version. Edge cases in exploit testing, as in the Cisco IOS XE case, show that even a minor release can completely change the memory layout and invalidate the exploit.

Which tools best support network exploit testing?

Metasploit Framework, fuzzing tools (Boofuzz, Peach Fuzzer) and SDR hardware are the most popular choices. They enable test automation, exploration of new attack vectors and analysis of network protocols at both the software and the radio layer.
