
Most enterprise breaches don't start with a clever zero-day. They start with something that was set up wrong and never reviewed: a switch still using admin/admin, SNMP answering to the community string "public," or a flat network where one compromised laptop can reach the domain controllers. Verizon's Data Breach Investigations Report and the joint CISA/NSA advisory on the most common cybersecurity misconfigurations keep pointing at the same boring root causes year after year.
This post catalogs the network security misconfigurations testers find on nearly every internal engagement, why each one matters, and how to fix it. Think of it as the defender's counterpart to our internal network penetration testing guide and external network penetration testing checklist.
Network security misconfigurations are settings, defaults, and architectural choices that weaken a network without being a software vulnerability per se. There's no CVE to patch; the device is working exactly as configured, and that configuration is the problem. This makes them easy to miss with a scanner that only reports missing patches.
They span every layer: default or weak credentials on devices, unencrypted or unsigned protocols, overly permissive firewall and ACL rules, missing segmentation, and exposed administrative interfaces. Because they require judgment to spot and context to prioritize, misconfigurations are where manual penetration testing earns its keep over automated scanning alone.
Default credentials remain the most common network finding because devices ship with them and busy teams never change them. Switches, routers, printers, iLO/iDRAC/IPMI baseboard controllers, IP cameras, and PBXs all arrive with documented defaults, and lists like the SecLists default-credentials set make checking them trivial.
A tester sprays known defaults with NetExec and protocol-specific checks, and the hit rate is depressingly high. The fix is procedural, not technical: a hardening baseline that mandates credential changes at provisioning, plus periodic checks that the baseline is actually being followed. The same applies to default SNMP communities. snmpwalk -v2c -c public <host> or onesixtyone against the "public" and "private" strings often dumps full device configs, routing tables, and sometimes credentials in cleartext, and a read-write community ("private" is the usual default) lets an attacker change the configuration rather than just read it. SNMPv1 and v2c send the community string unencrypted in every packet, so the durable fix is SNMPv3 with authentication and privacy, or at minimum unique communities plus an ACL on the agent that limits which hosts may query it.
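To make the SNMP check concrete, here is an added example (my own code, not from the original post or from any tool it mentions) that does what snmpwalk does for a single OID without depending on net-snmp: it encodes an SNMPv2c GetRequest for sysDescr.0 by hand, sends it with each candidate community string, and reports which ones the agent answers. The "public"/"private" list, the sample sysDescr used in the offline check, and the function names are my choices.

```python
"""Constructed example, not code from the original post: check a host for
default SNMP v1/v2c community strings by speaking the protocol directly
(raw BER over UDP/161). Only snmp_probe() touches the network."""
import os
import socket
import struct
import sys

SYSDESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0, answered by every agent


def _tlv(tag, body):
    """BER tag-length-value; long form for lengths >= 128 (SNMP stays well under 64 KiB)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + body


def _int(v):
    """ASN.1 INTEGER, two's-complement, minimal width."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)


def _snmp_message(community, pdu_tag, request_id, varbind):
    """SNMPv2c message: SEQUENCE { version 1, community, PDU { id, err, idx, varbinds } }."""
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)


def build_get_request(community, request_id, oid=SYSDESCR_0):
    """GetRequest-PDU (tag 0xA0) with one varbind: OID plus a NULL placeholder value."""
    return _snmp_message(community, 0xA0, request_id, _tlv(0x30, _oid(oid) + b"\x05\x00"))


def build_get_response(community, request_id, value, oid=SYSDESCR_0):
    """What an agent replies (tag 0xA2); built here only to exercise the parser offline."""
    return _snmp_message(community, 0xA2, request_id, _tlv(0x30, _oid(oid) + _tlv(0x04, value)))


def _read_tlv(buf, pos):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_response(msg):
    """Return (community, request_id, error_status, value) from a GetResponse, else None."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        return None
    _, _version, p = _read_tlv(body, 0)
    _, community, p = _read_tlv(body, p)
    pdu_tag, pdu, _ = _read_tlv(body, p)
    if pdu_tag != 0xA2:                      # anything but GetResponse-PDU
        return None
    _, rid, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _idx, p = _read_tlv(pdu, p)
    _, vblist, _ = _read_tlv(pdu, p)
    _, varbind, _ = _read_tlv(vblist, 0)
    _, _oid_bytes, p = _read_tlv(varbind, 0)
    vtag, value, _ = _read_tlv(varbind, p)
    return (community.decode(errors="replace"),
            int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True),
            value if vtag == 0x04 else None)  # only OCTET STRING values are returned


def snmp_probe(host, communities=("public", "private"), timeout=2.0):
    """Return {community: sysDescr} for every community the agent answers."""
    hits = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for community in communities:
            rid = int.from_bytes(os.urandom(3), "big")   # fresh id so replies can't be confused
            s.sendto(build_get_request(community, rid), (host, 161))
            try:
                data, _ = s.recvfrom(4096)
                parsed = parse_response(data)
            except (socket.timeout, IndexError):
                continue          # agents silently drop packets with an unknown community
            if parsed and parsed[1] == rid and parsed[2] == 0 and parsed[3] is not None:
                hits[community] = parsed[3].decode(errors="replace")
    return hits


if __name__ == "__main__":
    for community, descr in snmp_probe(sys.argv[1]).items():
        print("%s answers to community %r: %s" % (sys.argv[1], community, descr))
```

Run it as python3 snmp_probe.py 10.0.0.1 against a device you are authorized to test. A silent timeout is the normal result for a wrong community (agents drop those rather than replying), which is why a hit requires a GetResponse with a matching request-id and error-status 0. The same encoder with PDU tag 0xA3 (SetRequest) is what turns a guessed read-write community into a configuration change, which is why "private" matters even more than "public".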
Insecure protocol settings turn ordinary network traffic into an attack vector. The headline example is SMB signing not being required, which lets an attacker relay captured NTLM authentication straight to another host with impacket's ntlmrelayx. The relay only succeeds against targets that do not require signing: domain controllers require it by default, while workstations and member servers historically did not, until Windows 11 24H2 and Windows Server 2025 made it the default for all connections. Combined with LLMNR and NBT-NS being enabled (the Windows default), Responder poisons name resolution and feeds that relay chain.
The same theme repeats across protocols: cleartext Telnet and FTP where SSH and SFTP belong, unencrypted LDAP instead of LDAPS (and LDAP signing and channel binding left unenforced, which is what makes relaying to a domain controller's LDAP service work), missing 802.1X so anyone with a network jack gets a DHCP lease, and unencrypted SIP and RTP on the voice network. Each is a default that prioritizes compatibility over security. Disabling LLMNR/NBT-NS via Group Policy and enforcing SMB signing alone closes the most reliable internal credential-theft path, the same one detailed in our Active Directory penetration testing checklist; nxc smb <range> --gen-relay-list relay.txt lists the hosts that still accept unsigned SMB and is the quickest way to verify the fix landed.
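The signing check itself is simple enough to see end to end. The following is an added example, not code from the post or from impacket or NetExec: it sends a bare SMB2 NEGOTIATE to a host on TCP/445 and reads the SecurityMode field of the reply, which is exactly the field a relay target list is built from. The dialect list, the host names in the usage note, and the constructed response used for the offline check are mine.

```python
"""Constructed example, not code from the original post: the SMB-signing check
behind a relay target list. One SMB2 NEGOTIATE goes to TCP/445 and the
SecurityMode bits of the reply say whether signing is merely enabled or
actually required. Only smb_signing_check() touches the network."""
import os
import socket
import struct
import sys

SMB2_MAGIC = b"\xfeSMB"
SIGNING_ENABLED = 0x0001          # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002         # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)   # no 3.1.1, so no negotiate contexts to build
_HEADER = "<HHIHHIIQIIQ"          # StructureSize .. SessionId, 44 bytes after the 4-byte magic


def _smb2_header(command, flags):
    """64-byte SMB2 header: magic, fixed fields, 16-byte (empty) signature."""
    return SMB2_MAGIC + struct.pack(_HEADER, 64, 0, 0, command, 1, flags, 0, 0, 0, 0, 0) + bytes(16)


def build_negotiate_request():
    """NetBIOS session header + SMB2 header + 44-byte NEGOTIATE request body."""
    body = struct.pack("<HHHHI", 36, len(DIALECTS), SIGNING_ENABLED, 0, 0)  # we can sign, don't insist
    body += os.urandom(16)                           # ClientGuid
    body += bytes(8)                                 # ClientStartTime, unused below 3.1.1
    body += struct.pack("<%dH" % len(DIALECTS), *DIALECTS)
    msg = _smb2_header(0, 0) + body                  # command 0 = NEGOTIATE
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def build_negotiate_response(security_mode, dialect=0x0302):
    """Minimal server reply, constructed only so the parser can be exercised offline."""
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + bytes(57)  # GUID, sizes, times, buffer
    return _smb2_header(0, 0x1) + body               # flags 0x1 = SERVER_TO_REDIR


def parse_negotiate_response(msg):
    """Return dialect and signing bits from a NEGOTIATE response (NetBIOS header stripped)."""
    if len(msg) < 70 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    status, command = struct.unpack_from("<IH", msg, 8)
    if command != 0 or status != 0:
        raise ValueError("negotiate failed: NTSTATUS 0x%08x" % status)
    _size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    return {"dialect": "0x%04x" % dialect,
            "signing_enabled": bool(security_mode & SIGNING_ENABLED),
            "signing_required": bool(security_mode & SIGNING_REQUIRED)}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def smb_signing_check(host, timeout=3.0):
    """Negotiate with host:445 and report its signing posture."""
    with socket.create_connection((host, 445), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        length = int.from_bytes(_recv_exact(s, 4)[1:], "big")  # NetBIOS framing: 0x00 + 24-bit length
        return parse_negotiate_response(_recv_exact(s, length))


if __name__ == "__main__":
    for host in sys.argv[1:]:
        try:
            r = smb_signing_check(host)
        except (OSError, ValueError) as e:
            print("%s: %s" % (host, e))
            continue
        verdict = "signing required" if r["signing_required"] else "RELAY TARGET (signing not required)"
        print("%s: SMB %s, %s" % (host, r["dialect"], verdict))
```

python3 smb_signing.py dc01 fileserver ws-0412 prints the dialect and a verdict per host. Domain controllers should come back with signing required; any member server or workstation that does not is a candidate for ntlmrelayx, and this is the same bit NetExec's --gen-relay-list reads when it sweeps a subnet.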
A flat network turns a single compromised host into access to everything, which is why segmentation is the highest-leverage architectural fix. When user workstations, servers, management interfaces, and voice systems all share one broadcast domain, a foothold anywhere reaches the crown jewels with no further effort.
Testers prove this by pivoting: from a phished workstation to the domain controllers, the SAN management interface, or the hypervisor console, all reachable because nothing blocks the path. Proper segmentation isolates user, server, and management VLANs, restricts traffic between them with ACLs that deny by default and permit only the flows a service actually needs, and puts a jump host in front of administrative planes. Boundary protection and segmentation are core controls in NIST SP 800-53 and the CIS Controls, and they dramatically shrink blast radius.
Exposed management and administrative interfaces are the first thing to hunt because they offer the most control for the least work. An nmap sweep for the usual suspects (nmap -sS -p 22,23,80,443,2379,3389,5985,8006,8443,9443,10250 <range> for the TCP services, plus nmap -sU -p 623 <range>, because IPMI-over-LAN listens on UDP and a TCP-only sweep walks straight past it) surfaces switch admin panels, IPMI/BMC interfaces on 623, Proxmox (8006) and ESXi consoles, etcd on 2379, the Kubernetes kubelet on 10250, and WinRM on 5985.
Each of these is a control plane. An unauthenticated kubelet or an IPMI controller with default creds is game over for the workloads behind it. The fix is to keep management interfaces off general-access networks entirely, require strong unique credentials and MFA, and restrict access to a bastion. Because new devices and services appear constantly, these exposures reappear between annual tests; agentic pentesting is the continuous way to catch a newly exposed interface within days instead of months.
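Triaging that sweep is the part that repeats on every engagement, so here is an added example (mine, not the post's) that parses nmap's grepable output (-oG), lists which hosts expose which control plane, and, for the one case that can be confirmed without credentials, a kubelet with anonymous auth left on, checks whether /pods is served unauthenticated. The sample sweep, its addresses and hostnames, and the port labels beyond those the post names are constructed by me.

```python
"""Constructed example, not code from the original post: triage of an nmap -oG
sweep for exposed management interfaces, plus an anonymous-kubelet probe.
Only kubelet_unauthenticated() touches the network."""
import re
import ssl
import sys
import urllib.error
import urllib.request

# Ports from the sweep in the text. 623 is IPMI-over-LAN and is UDP, so it only
# shows up if the sweep also included nmap -sU -p 623.
MGMT_PORTS = {
    (22, "tcp"): "SSH", (23, "tcp"): "Telnet (cleartext admin)",
    (80, "tcp"): "HTTP admin panel", (443, "tcp"): "HTTPS admin panel / ESXi",
    (623, "udp"): "IPMI/BMC", (2379, "tcp"): "etcd client API",
    (3389, "tcp"): "RDP", (5985, "tcp"): "WinRM",
    (8006, "tcp"): "Proxmox console", (8443, "tcp"): "HTTPS admin panel (alt)",
    (9443, "tcp"): "HTTPS admin panel (alt)", (10250, "tcp"): "Kubernetes kubelet API",
}

# Constructed sample of nmap -oG output (tabs separate the fields on each Host: line).
SAMPLE_SWEEP = (
    "# Nmap 7.94 scan initiated (constructed sample, not a real scan)\n"
    "Host: 10.10.20.5 ()\tStatus: Up\n"
    "Host: 10.10.20.5 ()\tPorts: 22/open/tcp//ssh///, 2379/open/tcp//etcd-client///, "
    "10250/open/tcp//unknown///\tIgnored State: closed (9997)\n"
    "Host: 10.10.20.9 (bmc-r12.corp.example)\tPorts: 623/open/udp//asf-rmcp///\n"
    "Host: 10.10.20.30 (ws-0412)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\n"
)

_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text):
    """Yield (ip, hostname, [(port, proto, state, service), ...]) per Host: line that lists ports."""
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue                      # comment and Status: lines carry no ports
        ip, name, ports = m.groups()
        entries = []
        for item in ports.split(","):
            f = item.strip().split("/")   # port/state/proto/owner/service/rpc/version/
            if len(f) >= 5:
                entries.append((int(f[0]), f[2], f[1], f[4]))
        yield ip, name, entries


def exposed_management(text):
    """Map each host to the control-plane ports it exposes. 'open|filtered' (UDP with no
    answer) is counted on purpose: a silent BMC is still a BMC on the wrong network."""
    findings = {}
    for ip, _name, entries in parse_grepable(text):
        hits = [(port, proto, MGMT_PORTS[(port, proto)])
                for port, proto, state, _svc in entries
                if (port, proto) in MGMT_PORTS and state.startswith("open")]
        if hits:
            findings[ip] = hits
    return findings


def kubelet_unauthenticated(host, timeout=3.0):
    """True if the kubelet on :10250 serves /pods with no credentials, False if it answers
    401/403, None if unreachable. Verification is off because kubelet serving certs are
    issued by the cluster CA, which the scanning box does not trust."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen("https://%s:10250/pods" % host, timeout=timeout, context=ctx) as r:
            return r.status == 200
    except urllib.error.HTTPError:
        return False
    except (urllib.error.URLError, OSError):
        return None


if __name__ == "__main__":
    real_scan = len(sys.argv) > 1
    text = open(sys.argv[1]).read() if real_scan else SAMPLE_SWEEP
    for ip, hits in exposed_management(text).items():
        for port, proto, label in hits:
            print("%-15s %5d/%s  %s" % (ip, port, proto, label))
        if real_scan and any(port == 10250 for port, _, _ in hits):
            print("%-15s kubelet anonymous /pods: %s" % (ip, kubelet_unauthenticated(ip)))
```

Feed it the file from nmap -sS -p 22,23,80,443,2379,3389,5985,8006,8443,9443,10250 -oG sweep.gnmap <range> (append the -sU -p 623 run to the same file) with python3 mgmt_sweep.py sweep.gnmap; with no argument it runs over the constructed sample. The kubelet probe only fires on a real scan file, so the sample never triggers a network request.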