Internal Network Penetration Testing Service

Internal network penetration testing simulates an attack from inside your network perimeter. This could represent a malicious insider threat, a compromised employee account, or an attacker who has gained initial access through phishing or other means.

We assess what an attacker could achieve once inside your network, including lateral movement, privilege escalation, and access to sensitive data.

External testing simulates an attack from the internet, testing your perimeter defenses (firewalls, exposed services, VPNs). Internal testing assumes the attacker is already inside your network.

Internal testing typically uncovers different vulnerabilities: weak domain credentials, misconfigured Active Directory, unpatched internal systems, excessive file share permissions, and insecure internal applications that aren’t exposed to the internet.

Not necessarily. Testing can be conducted three ways:

• On-site – we physically visit your office with our equipment
• Remote via VPN – you provide us VPN access to simulate a remote employee’s access
• Hybrid – we ship a pre-configured device (drop-box) that you connect to your network, which we access remotely.

Each approach has trade-offs in terms of realism, cost, and logistics.

The minimum requirement is network access. For black box testing, we only need a network connection (physical or VPN).

For grey box testing (recommended), you provide credentials for a standard user account, which allows more realistic and thorough testing.

For white box testing, you’d provide network documentation, system inventory, and administrative credentials to test from a fully informed perspective.

Common findings include:

• weak or reused passwords across accounts
• unpatched systems vulnerable to exploits
• misconfigured Active Directory (GPO issues, excessive permissions)
• privilege escalation paths to Domain Admin
• lateral movement opportunities between systems
• exposed credentials (in files, scripts, memory)
• overly permissive file shares with sensitive data
• vulnerable internal web applications
• weak network segmentation
• insecure internal protocols (LLMNR, NetBIOS, SMB signing)

We use non-destructive testing methods and coordinate activities to minimise disruption.

However, some tests (like exploiting vulnerabilities or password spraying) carry inherent risks. We discuss acceptable risk levels during scoping and can adjust our approach based on your tolerance.

For extremely sensitive environments, we can perform testing in maintenance windows or against isolated segments.

Active Directory assessment is a core component of internal testing.

We examine:

• domain user enumeration and password policies
• Kerberos weaknesses (e.g. Kerberoasting)
• privilege escalation paths (BloodHound analysis)
• Group Policy misconfigurations
• delegation issues and unconstrained delegation
• trust relationships between domains, credential exposure and Group Policy Preferences
• paths to Domain Admin compromise.

We specifically test whether your network segmentation is effective. This includes attempting to: move between VLANs or subnets that should be isolated, access sensitive segments (servers, databases, payment systems) from general workstations, pivot from guest/IoT networks to corporate networks, and bypass segmentation controls through routing or firewall misconfigurations.

In highly secure environments we may often need to gain an initial compromise of an internal server that has network visibility of an adjacent network. For example, in a PCI DSS internal pentest there may be an intermediary server system that is accessible from the “user” network, which requires an initial compromise of an administrative account or the entire Active Directory domain to allow the lateral movement between networks.

Achieving Domain Admin (or equivalent administrative access) is often a goal of internal testing, as it represents full network compromise. If we achieve this, we document the attack path, demonstrate the impact, and continue testing to identify additional vulnerabilities. We don’t perform destructive actions even with administrative access and, instead, we document what would be possible and help you understand the full scope of risk.

However, attaining Domain Admin privileges is not the be-all and end-all of Exploitr’s methodology. Our goal is to understand your business’ security concerns and base our testing methodology on how best to approach providing assurance to your organisation.

Your business concerns may be that you are concerned about a specific internal service becoming compromised, which would impact the business operations – in this scenario the ability to compromise an internal Active Directory domain is a tool for us to use as a stepping stone, and not the final goal.

We recommend performing testing annually at a minimum for compliance and due diligence. Additional testing should be considered after major network infrastructure changes, after merger/acquisition activity that changes your network.

Consider quarterly testing for high-security environments (or check out our PTaaS service), and following any suspected security incident. Many organisations also perform testing before and after major system upgrades or migrations.