Internal Network Penetration Test

Tip: Start with ARP scanning on the local subnet - it's fast, reliable, and works even when ICMP is blocked. Use Nmap's -sn flag for ping sweeps across known ranges. Masscan can sweep large ranges quickly but is noisy. Check for VLAN hopping opportunities if you're on a trunk port. Document the network topology as you discover it.

Tip: RustScan finds open ports in seconds, then hands off to Nmap for service detection. fscan is excellent for rapid internal scanning with built-in vulnerability checks. Use Nmap's -sV for version detection and -sC for default scripts. Don't skip UDP scanning (-sU) - SNMP (161), TFTP (69), and NTP (123) are frequently overlooked attack vectors.

Tip: Nmap's NSE vulnerability scripts (--script vuln) catch common issues quickly. Metasploit's auxiliary scanners test for specific vulnerabilities across multiple hosts. Hydra tests for default and weak credentials on services like SSH, FTP, SMB, and web interfaces. Check for eternal blue (MS17-010) on SMB services - it's still surprisingly common on internal networks.

Tip: Responder captures NTLMv2 hashes passively by poisoning name resolution requests - run it and wait. CrackMapExec can spray passwords across SMB, WinRM, LDAP, and MSSQL simultaneously. Crack captured hashes with Hashcat using GPU acceleration. Start password spraying with seasonal patterns (Summer2024!, Company123) before moving to large wordlists.

Tip: CrackMapExec tests credentials across the network in seconds and can execute commands on accessible hosts. Impacket's wmiexec, smbexec, and psexec provide different execution methods with different forensic footprints. Chisel and Ligolo-ng create tunnels for pivoting through compromised hosts. Keep a credentials spreadsheet mapping which creds work on which hosts.

Tip: Mimikatz extracts plaintext passwords, hashes, and Kerberos tickets from Windows memory. Check for AlwaysInstallElevated registry keys on Windows. On Linux, LinPEAS automates privilege escalation enumeration. Look for credentials in configuration files, environment variables, and command history. Service accounts often have higher privileges than expected.

Tip: CrackMapExec can enumerate and access shares across the network. Use Impacket's mssqlclient to access database servers with captured credentials. Document everything you access with screenshots and timestamps. Focus on data that resonates with business leadership - customer PII, financial data, and intellectual property.

Tip: Structure the report as an attack narrative that non-technical executives can follow. Include a one-page executive summary with the worst-case business impact. Map each finding to a remediation action with effort estimates. Group remediations by effectiveness - fixing credential reuse and LLMNR poisoning eliminates more attack paths than patching individual CVEs.