
Network Penetration Testing: The Complete Guide to Internal and External Assessments

Network penetration testing evaluates the security of an organization's network infrastructure by simulating attacks against systems, services, and configurations. Unlike web application testing, which focuses on specific applications, network testing examines the broader infrastructure—firewalls, servers, network services, Active Directory, and the relationships between systems that attackers exploit for lateral movement and privilege escalation.

This guide covers both external network penetration testing (assessing perimeter defenses from an outside attacker's perspective) and internal network penetration testing (simulating an attacker who has gained initial access to the internal network through phishing, physical access, or other means).

External Network Penetration Testing

External testing simulates attacks from the internet against an organization's public-facing infrastructure. The goal is to identify vulnerabilities that would allow an external attacker to breach the perimeter and gain access to internal systems or data.

External Testing Scope

Common external targets include perimeter firewalls and routers, public-facing web servers and applications, mail servers and email gateways, VPN concentrators and remote access solutions, DNS servers and zone security, FTP and file sharing services, and remote management interfaces. Any service exposed to the internet represents potential attack surface.

External Reconnaissance

DNS Enumeration: Identify all DNS records including A, AAAA, MX, NS, TXT, and SRV records. Zone transfers (if allowed) expose internal hostnames and network structure. Look for subdomain patterns that reveal naming conventions and potentially forgotten or development systems.

OSINT Gathering: Search for exposed credentials in breach databases and paste sites, leaked documents containing sensitive information, organizational details through LinkedIn and job postings that reveal technologies, and technical information in forums, code repositories, and presentations.

ASN and IP Range Mapping: Identify all IP ranges belonging to the organization through BGP data, WHOIS records, and related domain research. Organizations often have IP space beyond their primary documented ranges.

Comprehensive Port Scanning: Thorough port scanning identifies all exposed services. Use Nmap for detailed service detection, version identification, and script-based vulnerability checking. Consider full 65535-port scans for thorough coverage of non-standard ports.


External Vulnerability Assessment

CVE Scanning: Check all identified services against known vulnerability databases. Outdated software with public exploits is surprisingly common on external networks. Focus on critical vulnerabilities with available exploit code.

Default Credentials: Test administrative interfaces for default or common credentials. Network devices, web applications, remote access solutions, and management interfaces are frequent targets. Tools like Hydra and Medusa automate credential testing.

SSL/TLS Testing: Evaluate encryption configurations for weak ciphers, deprecated protocols (SSLv3, TLS 1.0, TLS 1.1), certificate issues, and vulnerabilities like Heartbleed. Tools like testssl.sh provide comprehensive analysis.

Service-Specific Testing: Each service type has specific vulnerabilities. Mail servers may allow open relay or user enumeration. VPN concentrators may have authentication bypasses. Remote access solutions may have known exploits.

Internal Network Penetration Testing

Internal testing simulates an attacker who has already breached the perimeter—perhaps through phishing, physical access, a compromised VPN, or a rogue employee. The goal is to demonstrate how far an attacker could progress within the internal network and what they could access or compromise.

Internal Testing Scope

Internal testing typically targets Active Directory infrastructure (domain controllers, DNS, DHCP, and certificate services); internal servers (file servers, database servers, and application servers); user workstations and their security configurations; network segmentation controls between different network zones; internal applications and databases; and privileged accounts and service accounts.

Internal Discovery and Enumeration

Host Discovery: Identify live systems through ARP scanning on local networks, ICMP and TCP/UDP probes across subnets, and network traffic analysis. Large networks may require sampling strategies to balance coverage with time constraints.

Service Enumeration: Identify services running on discovered hosts. Focus on services that facilitate lateral movement or privilege escalation—SMB, RDP, WinRM, SSH, database services, and web interfaces.

SMB/LDAP Enumeration: Windows networks expose significant information through SMB and LDAP. Enumerate network shares and their permissions, user and group memberships, group policy objects and settings, organizational unit structure, and computer objects and service accounts.

Active Directory Mapping: Tools like BloodHound map AD relationships, identifying shortest paths from current access to domain administrator. This attack path analysis is central to modern internal testing. BloodHound reveals Kerberoastable accounts with SPNs, users with DCSync rights, nested group memberships that grant unexpected privileges, delegation settings that enable impersonation, and trust relationships between domains.
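The shortest-path idea behind that attack path analysis, on a small constructed graph (an added example, not BloodHound's code or the original page's): breadth-first search over BloodHound-style edges finds the route from a user to Domain Admins, lists every principal that can reach it, and picks out the hops whose removal actually breaks the path, which is where remediation effort pays off. The edge list, node names, and edge kinds are assumed for illustration.

```python
from collections import defaultdict, deque

# Constructed BloodHound-style edge list for a hypothetical domain (not real AD data).
# (source, edge kind, target): MemberOf = group nesting, AdminTo = local admin on a host,
# HasSession = account logged on to the host, GenericAll = full control of the object.
SAMPLE_EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("alice", "MemberOf", "IT-Staff"),
    ("Helpdesk", "AdminTo", "WS-042"),
    ("IT-Staff", "AdminTo", "WS-042"),
    ("WS-042", "HasSession", "svc_backup"),
    ("svc_backup", "MemberOf", "Backup Operators"),
    ("Backup Operators", "GenericAll", "Tier1-Admins"),
    ("Tier1-Admins", "MemberOf", "Domain Admins"),
    ("bob", "MemberOf", "Finance"),
]

def build_graph(edges):
    graph = defaultdict(list)
    for src, kind, dst in edges:
        graph[src].append((kind, dst))
    return graph

def shortest_path(graph, start, goal="Domain Admins"):
    """Breadth-first search; returns the hop list [(src, kind, dst), ...] or None."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, hops = queue.popleft()
        if node == goal:
            return hops
        for kind, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + [(node, kind, nxt)]))
    return None

def principals_reaching(edges, goal="Domain Admins"):
    """Every principal with some path to goal: the real blast radius of the group."""
    graph = build_graph(edges)
    return {n for n in list(graph) if n != goal and shortest_path(graph, n, goal)}

def choke_points(edges, start, goal="Domain Admins"):
    """Hops on the shortest path whose removal leaves no path at all: the edges worth
    cutting first (a hop with an alternative route around it is a poor remediation target)."""
    path = shortest_path(build_graph(edges), start, goal) or []
    return [hop for hop in path
            if shortest_path(build_graph([e for e in edges if e != hop]), start, goal) is None]
```

Here alice's two routes to WS-042 mean neither group membership is a choke point; the session of svc_backup on the workstation and the three hops behind it are.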

Internal Attack Techniques

Password Attacks: Password spraying tests a few common passwords against all discovered accounts. This approach evades lockout policies while identifying weak credentials. Focus on passwords related to the organization, seasons, years, and common patterns. Avoid triggering account lockouts by staying below the lockout threshold.

Kerberoasting: Request service tickets for accounts with Service Principal Names, then crack the ticket encryption offline to recover passwords. Service accounts often have weak passwords and high privileges—a single Kerberoasted account can lead to domain compromise.
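Detection logic for the two techniques above, the kind of "suspicious authentication pattern" alerting the Remediation Priorities section calls for (an added example, not from the original page): it runs over a constructed, simplified export of Windows Security events, flagging a source that fails logons against many distinct accounts in a short window (spraying) and an account that requests RC4 (etype 0x17) service tickets for several SPNs (Kerberoasting). The export format, field layout, and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample export (not real logs): time, event id, source IP, account, etype, service.
# 4625 = failed logon; 4769 = Kerberos service ticket request; "-" marks an absent field.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 4625 10.0.5.23 alice - -
2024-05-01T09:00:02 4625 10.0.5.23 bob - -
2024-05-01T09:00:03 4625 10.0.5.23 carol - -
2024-05-01T09:00:04 4625 10.0.5.23 dave - -
2024-05-01T09:00:05 4625 10.0.5.23 erin - -
2024-05-01T09:03:00 4625 10.0.7.9 alice - -
2024-05-01T09:10:00 4769 10.0.5.23 alice 0x12 CIFS/FS01
2024-05-01T09:10:01 4769 10.0.5.23 alice 0x17 MSSQLSvc/DB01:1433
2024-05-01T09:10:02 4769 10.0.5.23 alice 0x17 HTTP/WEB01
2024-05-01T09:10:03 4769 10.0.5.23 alice 0x17 MSSQLSvc/DB02:1433
"""

def parse_events(text):
    """Turn the whitespace-separated export into dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        ts, eid, src, acct, etype, svc = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid), "src": src,
                       "account": acct, "etype": etype, "service": svc})
    return events

def detect_spraying(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag a source whose failed logons touch >= min_accounts distinct accounts in one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            accounts = {e["account"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(accounts) >= min_accounts:
                flagged[src] = accounts
                break
    return flagged

def detect_kerberoasting(events, min_services=3):
    """Flag (source, account) pairs requesting RC4 (etype 0x17) tickets for many distinct SPNs.
    AES tickets (0x11/0x12) are ignored; legacy hosts that still need RC4 belong on an allow-list."""
    rc4 = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["etype"] == "0x17":
            rc4[(e["src"], e["account"])].add(e["service"])
    return {key: spns for key, spns in rc4.items() if len(spns) >= min_services}
```

A single account failing repeatedly (the lockout-prone guessing the text contrasts with spraying) never trips the first rule, which is why the second host in the sample stays quiet.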

AS-REP Roasting: Target accounts that don't require pre-authentication. Their authentication responses can be cracked offline to recover passwords.

LLMNR/NBT-NS Poisoning: Respond to name resolution broadcasts to capture credential hashes. When systems can't resolve names through DNS, they broadcast requests—and attackers can answer. Tools like Responder automate this attack and capture hashes that can be cracked or relayed.

Credential Relaying: Relay captured authentication attempts to other systems. NTLM relay attacks can turn captured hashes into access on other hosts or even domain controllers if SMB signing isn't enforced.

Pass-the-Hash: Use captured NTLM hashes for authentication without knowing plaintext passwords. Tools like CrackMapExec, Impacket, and Mimikatz enable lateral movement across systems using compromised hashes.

Domain Compromise Techniques

DCSync Attack: With sufficient privileges (Replicating Directory Changes rights), extract all domain password hashes by impersonating a domain controller's replication process. This provides complete credential access for the domain.

Golden Ticket: After compromising the KRBTGT account hash, forge Kerberos Ticket Granting Tickets for any user including Domain Admins. Golden tickets provide persistent domain access even after password resets.

Silver Tickets: Forge service tickets for specific services using compromised service account hashes. Useful for targeted access without the full KRBTGT compromise.

Common Network Vulnerabilities

External Network Findings

Outdated software with known CVEs and public exploits, weak SSL/TLS configurations accepting deprecated protocols, default or weak credentials on exposed services, information disclosure through banners, error messages, and metadata, exposed internal services that should be firewalled, and missing security patches on public-facing systems.

Internal Network Findings

Weak password policies enabling spraying and guessing attacks, lack of network segmentation allowing unrestricted lateral movement, SMB signing disabled enabling relay attacks, Kerberoastable service accounts with weak passwords, overprivileged user accounts with unnecessary administrative rights, excessive local administrator accounts, unpatched systems with known vulnerabilities, and clear-text credentials in scripts, group policies, and memory.

Network Penetration Testing Tools

Discovery and Scanning: Nmap and Masscan for port scanning, CrackMapExec for SMB enumeration, Responder for poisoning attacks, BloodHound for Active Directory analysis.

Exploitation: Metasploit Framework for exploitation and post-exploitation, Impacket for Windows protocol attacks, Mimikatz for credential extraction, Rubeus for Kerberos attacks.

Credential Attacks: Hashcat and John the Ripper for password cracking, Hydra and Medusa for online brute forcing, Kerbrute for Kerberos enumeration.

Remediation Priorities

Based on testing findings, prioritize implementing network segmentation to limit lateral movement, enforcing strong password policies and MFA, enabling SMB signing and disabling NTLM where possible, monitoring and alerting on suspicious authentication patterns, regular patching of all systems, reducing administrative privilege sprawl, and protecting service accounts with strong unique passwords and monitoring.

Conclusion

Network penetration testing reveals vulnerabilities that span from perimeter defenses through internal infrastructure. External testing identifies how attackers breach defenses, while internal testing demonstrates the impact of successful compromise. Regular testing, combined with proper remediation and continuous monitoring, strengthens network security against evolving threats.
