Internal network penetration testing answers the question every security team should be asking: what happens after an attacker gets inside? With phishing success rates consistently above 10% and VPN vulnerabilities regularly making headlines, assuming an attacker will eventually reach your internal network is not pessimism; it is realistic threat modeling.
Why Internal Testing Matters
Most organizations invest heavily in perimeter defenses (firewalls, email filtering, endpoint detection), but their internal networks remain relatively flat and permissive. An attacker who compromises a single workstation through phishing can often escalate to domain administrator within hours. Internal penetration testing exposes these attack paths before real attackers find them.
Compliance frameworks recognize this reality. PCI DSS requires segmentation testing from within the network. ISO 27001 expects internal security assessments. SOC 2 auditors look for evidence that internal controls are tested regularly.
Internal Penetration Testing Methodology
Phase 1: Network Reconnaissance
The tester begins by mapping the internal network: identifying subnets, hosts, services, and network topology. ARP scanning, service enumeration, and SNMP queries reveal the network's structure. This phase identifies high-value targets: domain controllers, database servers, file shares, and management interfaces.
Phase 2: Credential Attacks
In a black-box engagement, the tester must obtain valid credentials. Common techniques include:
- LLMNR/NBT-NS poisoning. Capturing NTLMv2 hashes from broadcast name resolution requests and cracking them offline
- Password spraying. Testing common passwords against all domain accounts with timing designed to avoid lockout policies
- Relay attacks. Relaying captured NTLM authentication to other services, particularly effective against systems without SMB signing
- Kerberoasting. Requesting service tickets for service accounts and cracking them offline to obtain plaintext passwords
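Two of the techniques above leave characteristic traces in the Windows Security log: password spraying produces many 4625 (failed logon) events from one source against many different accounts, and Kerberoasting produces a burst of 4769 (service ticket request) events from one account for many SPNs, typically with RC4 encryption (TicketEncryptionType 0x17). The following detector is an added example written for this article, not code from the original page or from any vendor; the event records are constructed sample data shaped like the real event fields, and the thresholds (10 accounts in 5 minutes, 5 RC4 service tickets in 10 minutes) are assumptions to tune per environment.

```python
"""Spot password spraying and Kerberoasting in Windows Security events.

The events below are constructed sample data, not a real capture. Field names
follow the Windows Security log: 4625 = failed logon, 4769 = Kerberos service
ticket request, TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


SAMPLE_EVENTS = [
    # Spray: one source tries 12 different accounts once each in ~12 seconds,
    # staying under any per-account lockout threshold.
    *[{"id": 4625, "time": _t(f"2024-05-01 09:00:{i:02d}"), "account": f"user{i:02d}",
       "src_ip": "10.0.5.23", "status": "0xC000006D"} for i in range(12)],
    # Benign: one user mistypes their own password twice.
    {"id": 4625, "time": _t("2024-05-01 09:05:00"), "account": "jsmith", "src_ip": "10.0.7.8", "status": "0xC000006D"},
    {"id": 4625, "time": _t("2024-05-01 09:05:10"), "account": "jsmith", "src_ip": "10.0.7.8", "status": "0xC000006D"},
    # Kerberoast: one account requests RC4 service tickets for six SPNs in 25 seconds.
    *[{"id": 4769, "time": _t(f"2024-05-01 10:00:{i * 5:02d}"), "account": "helpdesk1",
       "service": svc, "enc_type": "0x17"}
      for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_sccm", "svc_exch", "svc_ftp"])],
    # Benign: an AES ticket for normal access, plus a single RC4 ticket for a legacy app.
    {"id": 4769, "time": _t("2024-05-01 10:02:00"), "account": "jsmith", "service": "svc_sql", "enc_type": "0x12"},
    {"id": 4769, "time": _t("2024-05-01 10:02:30"), "account": "jsmith", "service": "svc_legacy", "enc_type": "0x17"},
]


def _burst(events, key, threshold, window):
    """Slide a time window over the events (sorted by time) and return the
    largest set of distinct `key` values seen inside any one window, or None
    if no window holds at least `threshold` distinct values."""
    events = sorted(events, key=lambda e: e["time"])
    best, start = set(), 0
    for end in range(len(events)):
        while events[end]["time"] - events[start]["time"] > window:
            start += 1
        distinct = {e[key] for e in events[start:end + 1]}
        if len(distinct) > len(best):
            best = distinct
    return sorted(best) if len(best) >= threshold else None


def detect_password_spray(events, min_accounts=10, window=timedelta(minutes=5)):
    """Map source IP -> accounts, for sources whose failed logons hit at least
    min_accounts distinct accounts inside one window (assumed thresholds)."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src_ip"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        accounts = _burst(evs, "account", min_accounts, window)
        if accounts:
            hits[src] = accounts
    return hits


def detect_kerberoast(events, min_services=5, window=timedelta(minutes=10)):
    """Map requesting account -> services, for accounts that obtained RC4 (0x17)
    service tickets for at least min_services distinct SPNs inside one window."""
    by_acct = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["enc_type"] == "0x17":
            by_acct[e["account"]].append(e)
    hits = {}
    for acct, evs in by_acct.items():
        services = _burst(evs, "service", min_services, window)
        if services:
            hits[acct] = services
    return hits


if __name__ == "__main__":
    for src, accts in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"password spray from {src}: {len(accts)} accounts")
    for acct, svcs in detect_kerberoast(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {acct}: {svcs}")
```

On the sample data the spray rule fires for 10.0.5.23 (12 accounts) and the Kerberoast rule fires for helpdesk1 (6 services), while jsmith's two typos and single legacy RC4 ticket stay below both thresholds. Keying the RC4 rule on encryption type matters: accounts that still request 0x17 tickets for many services in normal operation are themselves a finding, since enforcing AES on service accounts removes the cheap offline-cracking target.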
Phase 3: Active Directory Exploitation
Active Directory is the backbone of most enterprise networks and the primary target for internal testers. Common attack paths include:
- Misconfigured delegation. Unconstrained or constrained delegation settings that allow impersonation of privileged accounts
- ACL abuse. Excessive permissions in Active Directory that create paths from low-privilege accounts to Domain Admin
- Group Policy exploitation. GPO permissions that allow modifying policies applied to privileged systems
- Certificate Services attacks. Misconfigured ADCS templates that enable privilege escalation or persistence
Phase 4: Lateral Movement
With credentials in hand, the tester moves through the network, accessing additional systems. This demonstrates how far an attacker can reach from an initial compromise and what sensitive data becomes accessible. Lateral movement testing validates network segmentation, monitoring capabilities, and access controls.
Phase 5: Privilege Escalation to Domain Admin
The ultimate objective in most internal tests is achieving Domain Administrator access. This level of access gives complete control over the Active Directory environment, including all user accounts, computers, group policies, and connected systems.
Common Internal Penetration Testing Findings
| Finding | Severity | Frequency |
|---|---|---|
| LLMNR/NBT-NS enabled | High | Very Common |
| Weak domain passwords | High | Very Common |
| Missing SMB signing | High | Common |
| Kerberoastable service accounts | High | Common |
| Local admin password reuse | Critical | Common |
| Excessive AD permissions | High | Common |
| Flat network (no segmentation) | High | Common |
| Cleartext credentials in shares | Critical | Moderate |
| Unconstrained delegation | Critical | Moderate |
| ADCS misconfiguration | Critical | Moderate |
Reality check: In our experience, over 90% of internal penetration tests achieve domain administrator access. The question is not whether an attacker can take over your network; it is how quickly they can do it and whether your detection and response capabilities can catch them before they do.
Remediation Priorities
After an internal penetration test, prioritize remediation based on the attack chains identified, not individual findings in isolation. A high-severity finding that is part of an attack chain leading to Domain Admin is more urgent than a critical finding on an isolated system.
- Disable LLMNR and NBT-NS. This single change eliminates the most common initial credential capture technique
- Implement LAPS. Local Administrator Password Solution ensures unique local admin passwords on every machine, preventing lateral movement via local admin reuse
- Enable SMB signing. Prevents NTLM relay attacks across the network
- Review AD permissions. Use BloodHound or similar tools to identify and remove excessive permissions that create attack paths
- Implement network segmentation. Separate critical systems (domain controllers, financial systems, sensitive data) from general user networks
- Deploy EDR. Endpoint detection and response provides visibility into lateral movement and post-compromise activity
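The "attack chains, not isolated findings" rule above can be made mechanical. Model the test report as a graph in which each edge says "a holder of this principal or host reaches that one by exploiting this finding", enumerate the paths from the initial foothold to Domain Admins, and rank findings by how many of those paths they sit on. The following is an added example written for this article, not BloodHound output or any tool's code; the graph, host names and findings are constructed to mirror the findings table above, and the greedy "fix the finding on the most paths first" heuristic is an assumption about how to rank, not a published method.

```python
"""Rank remediations by the attack paths they cut, not by standalone severity.

The edge list is a constructed example (not real BloodHound data). Each edge is
(from_node, to_node, finding): a holder of from_node reaches to_node by
exploiting finding. WS-042 is the phished workstation; Domain Admins is the goal.
"""
from collections import Counter, defaultdict

EDGES = [
    ("WS-042", "WS-118", "Local admin password reuse"),
    ("WS-042", "SRV-FILE01", "Missing SMB signing"),
    ("WS-118", "SRV-FILE01", "Local admin password reuse"),
    ("WS-118", "svc_backup", "Kerberoastable service account"),
    ("SRV-FILE01", "svc_sql", "Cleartext credentials in shares"),
    ("svc_sql", "Domain Admins", "Excessive AD permissions"),
    ("svc_backup", "Domain Admins", "Unconstrained delegation"),
    # A "critical" finding on a host nothing in this engagement could reach.
    ("SRV-LAB", "Domain Admins", "ADCS misconfiguration"),
]
START, TARGET = "WS-042", "Domain Admins"


def attack_paths(edges, start=START, target=TARGET):
    """Enumerate every simple path from start to target as a list of edges (DFS)."""
    adj = defaultdict(list)
    for e in edges:
        adj[e[0]].append(e)
    paths = []

    def walk(node, visited, trail):
        if node == target:
            paths.append(list(trail))
            return
        for e in adj[node]:
            if e[1] not in visited:
                visited.add(e[1])
                trail.append(e)
                walk(e[1], visited, trail)
                trail.pop()
                visited.discard(e[1])

    walk(start, {start}, [])
    return paths


def paths_per_finding(paths):
    """Count how many attack paths each finding appears on (at most once per path)."""
    counts = Counter()
    for p in paths:
        for finding in {e[2] for e in p}:
            counts[finding] += 1
    return counts


def greedy_cut(edges, start=START, target=TARGET):
    """Repeatedly 'fix' the finding on the most paths (ties broken by name)
    until no path from start reaches target; returns the fix order."""
    remaining, fixed = list(edges), []
    while True:
        paths = attack_paths(remaining, start, target)
        if not paths:
            return fixed
        counts = paths_per_finding(paths)
        best = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[0][0]
        fixed.append(best)
        remaining = [e for e in remaining if e[2] != best]


def off_path_findings(edges, start=START, target=TARGET):
    """Findings present in the report but on no path from start to target."""
    on_path = set(paths_per_finding(attack_paths(edges, start, target)))
    return sorted({e[2] for e in edges} - on_path)


if __name__ == "__main__":
    paths = attack_paths(EDGES)
    print(f"{len(paths)} paths from {START} to {TARGET}")
    for finding, n in paths_per_finding(paths).most_common():
        print(f"  {n} path(s): {finding}")
    print("fix order:", greedy_cut(EDGES))
    print("not on any path (lower urgency here):", off_path_findings(EDGES))
```

On this graph there are three paths to Domain Admins. Three findings each sit on two of them (local admin reuse, cleartext credentials, excessive AD permissions), and the greedy pass shows that fixing just two findings (the share credentials and the Kerberoastable account) disconnects the foothold from Domain Admins entirely. The ADCS misconfiguration is rated Critical in the findings table, yet here it is on no reachable path, which is exactly the "critical finding on an isolated system" the text says should wait behind the chain. Re-running the analysis after each fix is deliberate: cutting one edge changes which remaining findings still matter.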
Understanding your penetration test report helps prioritize these remediations and communicate risk to leadership effectively.