Internal Network Penetration Test

Internal Network Penetration Test


Most organisations assume that attackers are outside their network and therefore only need to take care of their perimeter security. Unfortunately, this assumption is the source of many data leaks affecting organisations. An internal network penetration test can help you better understand how a single malware infected computer, stolen credentials or rogue employees can undermine your organisation’s security.

What do we cover?

The scope of an internal network penetration test can be very broad. The following are some examples of common attack targets that are part of an internal infrastructure penetration test:

  • Active Directory, Windows workstations and servers
  • File servers, Network attached storage (NAS)
  • Linux servers, Spacewalk, FreeIPA
  • Embedded devices such as printers, VoIP equipment, OOB interfaces with IPMI
  • Database servers (e.g. MSSQL, MySQL, PostgreSQL and Oracle)
  • Network and application security appliances such as key distribution servers and intrusion prevention systems

Some of the techniques used are associated with vulnerability scanning to perform tests that need to be automated, such as:

  • Network scanning using various methods (e.g. SYN scans, UDP scans, ACK scans)
  • Vulnerability scanning to identify various low-hanging vulnerabilities
  • Specialised network scanning for specific protocols (such as SIP, IPMI and SNMP)

However, for a Penetration Test to be effective, we perform the a large number of manual tests allowing us to simulate real attackers. This often includes:

  • Man-in-the-Middle attacks which are very effective on most internal networks
  • Well-known attacks against Windows systems, including pass-the-hash (PtH) attacks, lateral movement, NTLM offline bruteforce, credential dumping etc.
  • Exploitation of software that has not been hardened or securely configured
  • Exploitation and demonstration of known vulnerabilities which are typically detected through network scanning but not verified
  • Default or weak credentials, especially affecting certain internal web applications and also a huge number of embedded devices
  • Lack of network access control and proper network segmentation
  • Ways to bypass or abuse security solutions
  • Obvious security issues within the target software (low hanging fruit)

Which methodology is used?

We make use of the Penetration Testing Execution Standard (PTES) and to a certain extent, NIST SP800-115, to ensure a certain level of coverage. However, just like real attackers, we do not limit ourselves to particular rigid methodologies. Instead, we tailor our actions according to the goal of the test.

Many of these tests do not necessarily require us to be on-site. In fact, we have performed a number of Internal penetration tests while stationed at our offices and using a Laptop, an embedded Linux device or a Virtual Machine (provided by us) without requiring our physical presence. This is very similar to when an attacker has compromised a computer on the Internal network.

A number of our clients do, however, prefer us to perform our tests while on-site and we are available for such work within Europe and select countries.

How does the process look like?

Most of our engagements follow these steps:

  1. First step is that you contact us
  2. We ask you a number of questions to understand what you have in mind, the goals for the exercise and the scope
  3. We perform a scoping exercise to better understand the size of the project; in the case of an external penetration test, the scoping exercise often involves port scanning to better understand the exposure and therefore tailor our proposed work to your needs
  4. We verify with you our scope where appropriate
  5. We work on a proposal which describes the goals, the scope, the methodology, deliverables, dates allocated for the project, terms and conditions and the price
  6. The actual work takes place during the allocated dates; your IT staff involved in the project often need to be available during the tests
  7. Upon completing the tests, we work on the reports and often provide a brief report of the main findings so that your staff are informed of the results immediately
  8. The deliverables are provided to you
  9. Often the process also includes testing of the security fixes once applied

What are the deliverables?

To view a public technical report that we published, check out the Bug Bounty Bout 0x01 report.

At the end of the project, the client usually receives the following:

  • Executive report, which is an easy to follow 4 page report that includes information about the penetration test, list of the findings and a short explanation of the security fixes or mitigation techniques
  • Technical report, which includes the following sections:
    • Introduction, which describes the scope, methodology and purpose of the work
    • Methodology, which describes our tests to explain what was covered and how; this would include both tests that led to vulnerability discoveries, and also those that did not
    • Findings and recommendations which are categorised as High security threats, Other security threats and Other concerns and recommendations
    • Each finding that is considered a security threat includes:
      • A description of the security issue as it affects the target system
      • Our assessment of the impact of the vulnerability
      • Details on how to reproduce the issue found
      • Solutions and recommendations, which are tailored for the target audience and can go into quite some detail
  • Other material is sometimes provided such as:
    • Video demonstrations showing exploitation of your systems
    • Dedicated exploit code to reproduce the security issues found
    • When the tests are done on-site, we often brief the involved executives and/or technical team and discuss solutions to the security issues found
    • Similarly, conference calls can be used when the work is done remotely

What costs can one expect?

Prices for similar penetration tests start at 6000 EUR. Cost is dependent on the size and complexity of the system on test and the level of rigor in which testing is to be performed. This is determined through pre-sale client discussions and scoping questionnaires. The price of an engagement will be delivered as a fixed bid quote.

Get in touch