The pentesting team was dropped into an internal subnet with Kali and some intel, but no asset inventory. Our directive was to act as an internal threat, map the attack surface, and exploit any discovered vulnerabilities. This particular company had grown through acquisition. It was the digital equivalent of a garage during the move to a new home: full of unknown endpoints, mystery services, and the occasional surprise.
We began, as always, by enumerating the network. But here’s the twist: in modern hybrid environments, not every device is fair game. Many employees have phones, personal devices, and even home printers connected. This can be a minefield for unauthorized probes. So, we had to be careful about what doors we knocked on.
To fingerprint the environment, we first needed speed. For this we used masscan, the internet's fastest port scanner. A scalpel when wielded wisely.
sudo masscan 10.0.0.0/24 -p0-1024 --rate=1000 -oL discovered_hosts.txt
This scans the first 1,024 TCP ports across a /24 subnet with a controlled packet…
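As an added example (not part of the original write-up), a small Python helper that reads the masscan -oL list output produced above, builds a per-host port inventory, and sets aside any host that falls in an out-of-scope range, which is how the "not every device is fair game" rule can be enforced before follow-up; the sample scan output and the excluded range are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of masscan -oL output
# (line format: "open <proto> <port> <ip> <timestamp>"; '#' lines are comments).
SAMPLE_OL = """#masscan
open tcp 22 10.0.0.5 1700000000
open tcp 80 10.0.0.5 1700000001
open tcp 443 10.0.0.7 1700000002
open tcp 631 10.0.0.200 1700000003
open tcp 22 10.0.0.201 1700000004
# end
"""

# Constructed, hypothetical out-of-scope range (e.g. a DHCP pool for personal devices).
EXCLUDED = [ipaddress.ip_network("10.0.0.200/30")]

def parse_masscan_list(text):
    """Parse -oL lines into {ip: sorted [(proto, port), ...]}, skipping comments."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "open":
            continue  # ignore anything that is not an "open" record
        _, proto, port, ip = parts[:4]
        hosts[ip].add((proto, int(port)))
    return {ip: sorted(v) for ip, v in hosts.items()}

def in_scope(ip, excluded=EXCLUDED):
    """True unless the address sits inside one of the excluded networks."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in excluded)

def split_scope(hosts, excluded=EXCLUDED):
    """Return (targets, skipped): hosts to follow up vs. hosts to leave alone."""
    targets = {ip: p for ip, p in hosts.items() if in_scope(ip, excluded)}
    skipped = sorted(ip for ip in hosts if ip not in targets)
    return targets, skipped

if __name__ == "__main__":
    targets, skipped = split_scope(parse_masscan_list(SAMPLE_OL))
    for ip, ports in sorted(targets.items()):
        print(ip, ", ".join(f"{proto}/{port}" for proto, port in ports))
    print("out of scope, not touched:", skipped)
```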