Internal Pentest Methodology

An internal penetration test assesses the security of an organization's internal network by simulating attacks from an insider's perspective (an attacker who has already gained a foothold within the network). The goal is to identify potential vulnerabilities that could be exploited to escalate privileges, move laterally, or access sensitive data. Our internal penetration test consists of four key phases:

1 | Reconnaissance phase

We gather as much information as possible about the internal network environment and the Active Directory (AD) infrastructure, if AD is present. Since we're already inside the network, this phase is more active than in an external test and includes:

  • Network Discovery
    Using tools like Nmap to discover hosts, services, and open ports within the internal network.

  • Active Directory Enumeration (Passive), if AD is present
    Identifying key AD information, such as the domain name, user accounts, and AD structure.

  • Technology Identification
    Gaining insight into the operating systems, software versions, and patch levels across the environment.

  • Publicly Accessible Shares
    Searching for shared drives, folders, or files that are open for access without authentication.

2 | Fingerprinting phase

The goal here is to identify exploitable technologies and gather more detailed information about internal services and, if AD is present, about AD itself.

In this phase, we actively probe the identified systems to map services and technologies, looking for potential weaknesses. Key activities include:

  • Service Enumeration
    Actively identifying services running on internal machines (e.g., file servers, web services, database servers) and the software or protocols in use.

  • Active Directory Enumeration (Active), if AD is present
    Using tools like BloodHound, AD Explorer, and PowerView to enumerate AD users, groups, GPOs, and their relationships. This phase also identifies high-value targets such as domain admins or sensitive groups.

  • Credential Gathering
    Checking for stored or hardcoded credentials in configuration files, scripts, or publicly accessible shares.

3 | Exploitation phase

In this phase, we attempt to exploit vulnerabilities identified in earlier phases, including attacks specifically targeting AD infrastructure. Common exploitation techniques include:

  • Password Cracking & Credential Reuse
    > Password Spraying: Attempting common or weak passwords on multiple accounts across the network.
    > Cracking Hashes: Using tools like Mimikatz to dump password hashes from memory or from LSA secrets, then attempting offline cracking with Hashcat or John the Ripper.
    > Pass-the-Hash (PtH): Using stolen password hashes to authenticate and move laterally without needing plaintext passwords.

  • Privilege Escalation
    > Exploiting misconfigurations or unpatched vulnerabilities to escalate from a low-privilege user to an admin.
    > Kerberoasting: Extracting service account hashes from AD to crack them offline and gain access to privileged accounts.
    > Exploiting GPO Misconfigurations: Identifying weak Group Policy settings that could allow privilege escalation or lateral movement.

  • Lateral Movement
    > Pass-the-Ticket: Using Kerberos tickets to authenticate as another user across the network.
    > Remote Code Execution (RCE): Exploiting vulnerabilities in services like SMB, RDP, or WMI to move between hosts.
    > Admin Access to AD: Attempting to gain access to Domain Admin accounts, either through privilege escalation or lateral movement.

  • Active Directory Attacks
    > DCShadow Attack: Injecting malicious data into AD by mimicking a Domain Controller.
    > DCSync Attack: Using tools like Mimikatz to simulate a Domain Controller and request user password hashes, including those of privileged accounts.
    > Golden Ticket Attack: Creating a forged Kerberos ticket that grants administrative access to the domain.
    > Silver Ticket Attack: Creating service-specific forged Kerberos tickets to gain control over particular services within the domain.
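The password-spraying technique listed above has a distinctive footprint on the defender's side: one source failing authentication against many different accounts in a short window, rather than many failures against one account. The script below is an added example (not part of Red Sentry's methodology or tooling) that flags that pattern over constructed, simplified Windows event 4625 (failed logon) lines; the log format, IPs, and account names are all made up for the example.

```python
"""Detect password-spraying patterns in failed-logon logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified 4625 shape:
# "<timestamp> 4625 src=<source ip> user=<target account>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 4625 src=10.0.0.25 user=alice
2024-05-01T09:00:03 4625 src=10.0.0.25 user=bob
2024-05-01T09:00:05 4625 src=10.0.0.25 user=carol
2024-05-01T09:00:07 4625 src=10.0.0.25 user=dave
2024-05-01T09:00:09 4625 src=10.0.0.25 user=erin
2024-05-01T09:00:11 4625 src=10.0.0.25 user=frank
2024-05-01T09:01:00 4625 src=10.0.0.40 user=alice
2024-05-01T09:01:30 4625 src=10.0.0.40 user=alice
2024-05-01T10:30:00 4625 src=10.0.0.25 user=grace
"""


def parse_events(text):
    """Parse the constructed log lines into sorted (timestamp, src, account) tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, src, user = line.split()
        if event_id != "4625":
            continue  # only failed logons are relevant to spray detection
        events.append((datetime.fromisoformat(ts),
                       src.split("=", 1)[1], user.split("=", 1)[1]))
    return sorted(events)


def detect_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {src: max distinct accounts} for sources that fail against at
    least min_accounts different accounts inside any sliding time window.
    Repeated failures against a single account (10.0.0.40 above) are a
    brute-force / lockout pattern, not a spray, and are not flagged."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward past old attempts
            accounts = {u for _, u in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[src] = max(len(accounts), flagged.get(src, 0))
    return flagged


if __name__ == "__main__":
    print(detect_spray(parse_events(SAMPLE_LOG)))  # {'10.0.0.25': 6}
```

The late 10:30 attempt from 10.0.0.25 falls outside the 10-minute window and does not raise the count, which is why windowing matters: an unbounded per-source tally would eventually flag any busy jump host.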

4 | Reporting phase

After completing the penetration test, we compile all findings into a detailed report, following Red Sentry's standardized template. This includes:

  • A summary of the identified vulnerabilities
  • The methods used to exploit them
  • Recommendations for remediation

This methodology ensures a comprehensive assessment of your internal environment, helping identify and address vulnerabilities before they can be exploited by malicious internal actors.