Internal Network Penetration Testing

A penetration test identifies your organization's weaknesses the same way an attacker would — by hacking it. This enables organizations to better understand and ultimately minimize the risk associated with IT assets. During an internal network penetration test, Praetorian identifies vulnerabilities for internal, intranet systems. Praetorian examines any identified vulnerabilities to determine whether they can be exploited by an attacker to compromise targeted systems or used to gain access to sensitive information.

As an option, Praetorian will send its iPentest™ device(s) to your headquarters, which you simply plug into the network. The device allows our security experts to perform the onsite work remotely. This minimizes logistics, travel costs, and consultant fatigue.

Methodologies for Internal Penetration Testing

Penetration Methodology Steps

Host and service discovery compiles a complete list of all accessible systems and their respective services, with the goal of obtaining as much information about your internal intranet assets as possible. This includes initial live host detection, service enumeration, and operating system and application fingerprinting. In particular, the discovery process focuses on identifying critical assets and major technologies in the environment such as Active Directory, ACS, and critical applications and databases.

With the information collected from the discovery phase in hand, security testing transitions to identifying vulnerabilities in externally facing systems and applications using automated scans and manual testing techniques. Praetorian begins the vulnerability identification process with commercial and open source vulnerability scanners. Automated scans are good at identifying known and common vulnerabilities; however, they are not good at detecting complex security issues, uncovering system- and application-specific vulnerabilities, developing attack chains, or validating the findings reported. For this reason, automated scans represent only a small facet of the overall security assessment, with the majority of vulnerability testing focused on manual testing and verification. Finally, risk priorities are assigned to each vulnerability according to Praetorian's comprehensive risk rating scale.

The third, final, and sometimes optional phase includes exploitation of the underlying vulnerabilities. Because of the small potential for disruption, some clients may elect to omit this phase of the testing process and simply have a vulnerability assessment performed. For those customers that are interested in a proof of concept phase, once initial findings have been verified, Praetorian exploits the underlying issues to serve as proof the issues exist and to demonstrate the critical nature of the vulnerabilities. Praetorian will chain attacks to compromise as much of the environment as possible or focus on meeting specific objectives the client requests under a capture-the-flag scenario. Vulnerabilities may culminate in pilfering sensitive data such as patient records, customer credit card numbers, and intellectual property.

What You Get

Upon completion of the assessment Praetorian shall provide a single electronic report deliverable. The report will provide an analysis of the current state of the assessed security controls. The analysis will identify areas that need to be resolved in order to achieve an adequate level of security. The detailed contents of the deliverable are described below.


The report deliverable will include the following high level sections in a format suitable for management:

  • Purpose of the engagement, including the project's scope and approach
  • Positive security controls that were identified
  • Tactical resolutions to immediately reduce risk in the environment
  • Strategic recommendations for preventing similar issues from recurring
  • An industry comparison based on consultancy experience and results from similar previous engagements

The report deliverable will also include the following in-depth analysis and recommendations for technical staff to understand the underlying risks and recommendations:

  • A technical description and classification of each vulnerability
  • Anatomy of exploitation including steps taken and proof in the form of screenshots
  • Business or technical risk inherent in the vulnerability
  • Vulnerability classification that describes the risk level as a function of vulnerability impact and ease of exploitation
  • Technical description of how to mitigate the vulnerability

Success Story: Internal Penetration Test

A banking institution hired Praetorian to perform an internal penetration test as part of a comprehensive assessment. During the host and service identification phase of the assessment, Praetorian identified a lab network connected to the internal network via VPN. Unlike other VPN connections which facilitated remote access for users and instituted strong access controls on the resources available to them, the VPN tunnel connecting the lab network to the internal corporate network operated on a persistent connection and no network segmentation was in place to protect the company intranet from the attacks coming from the VPN network.

Praetorian was able to enumerate user accounts on a Linux system running on the VPN network and guess the password of a low-privileged user. Praetorian logged into the Linux server with the compromised account and began mining the file system. While searching through the server, the consultant identified a large 2GB tar file to which the compromised account had read access. Using the strings utility, the consultant searched through the data and found instances of what he believed to be plaintext passwords. The consultant then examined the /etc/passwd file to identify other users on the local system and attempted the possible password list against each account. The brute force attack was successful and Praetorian was able to compromise several other user accounts on the system.

The results were passed on to another onsite consultant who was working to penetrate the primary Windows environment. That consultant recognized that the compromised account was also listed as a Domain Admin user within the primary Windows domain. Using the same password, the consultant was able to authenticate to the Domain Controller with the domain admin account, which gave Praetorian access to 13,000 Windows workstations and servers. Once the Windows environment fell, the network and database environments soon followed.

Praetorian later learned the VPN connection that linked the home lab environment to the corporate network was an unauthorized connection a network administrator had created so he could perform testing and troubleshooting from home.

The findings and subsequent report demonstrated the risk the weakest link can present to an environment and how a relatively low value test environment can lead to a company-wide compromise. The findings also forced the bank to rethink how security policies are defined, communicated, and enforced.
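The tar file finding in this story is something an internal team can audit for before a tester or intruder reads it. The following is an added example, not Praetorian's tooling: it streams a tar archive, pulls printable runs from each member the way the strings utility does, and reports credential-like assignments with the value redacted. The function names, the credential pattern, and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import tarfile

# Printable-ASCII runs of 6+ bytes, the same idea as the strings utility.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# Assumed credential shapes: key=value or key: value assignments.
CRED = re.compile(rb"(?i)(pass(?:word|wd)?|pwd|secret|api[_-]?key)\s*[=:]\s*(\S+)")

def scan_tar(fileobj, max_member_bytes=64 * 1024 * 1024):
    """Return findings as (member, offset, key, redacted_value) tuples."""
    findings = []
    # Mode "r|*" streams the archive, so a multi-GB file is never loaded whole.
    with tarfile.open(fileobj=fileobj, mode="r|*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Simplification: only the first max_member_bytes of a member are read.
            data = tar.extractfile(member).read(max_member_bytes)
            for run in PRINTABLE.finditer(data):
                for hit in CRED.finditer(run.group()):
                    value = hit.group(2)
                    # Never echo the secret itself into the audit output.
                    redacted = value[:1].decode() + "*" * (len(value) - 1)
                    findings.append((member.name, run.start() + hit.start(),
                                     hit.group(1).decode().lower(), redacted))
    return findings

def build_sample_archive():
    """Constructed sample: two text files and a binary blob inside a tar."""
    files = {
        "lab/app.conf": b"db_host=10.0.0.5\ndb_password=Winter2019!\n",
        "lab/core.bin": b"\x00\x01\xffuser=svc_backup passwd: hunter2\x00\x00",
        "lab/readme.txt": b"nothing sensitive in this file\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for finding in scan_tar(build_sample_archive()):
        print(finding)
```

Each finding gives the member name and byte offset so the owner can locate and rotate the credential; the pattern is deliberately loose and will need tuning against false positives.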



Frequently Asked Questions


  1. How much does an internal penetration test cost?

    Cost is dependent on the size and complexity of the network and the level of rigor with which testing is to be performed. This is determined through pre-sale client discussions and scoping questionnaires. The price of an engagement will be delivered as a fixed bid quote.

  2. How are size and complexity determined?

    Size is determined by the size of the network ranges and the number of live hosts within them. An internal penetration test has three phases: 1) host and service discovery, 2) vulnerability identification and verification, and 3) exploitation. Exploitation of the environment is the most complex and time consuming phase. Other factors impacting engagement complexity include which attack vectors will be employed such as network, application, and social engineering.

  3. How long does an internal penetration test take to complete?

    The time to completion depends on the size and complexity of the network and the level of rigor with which it is performed. A small network with a low level of testing rigor can be completed in a few days. For large networks that require a high level of testing rigor, internal penetration testing can take up to two weeks. On average, the typical duration of an internal penetration test is one and a half (1.5) weeks.

  4. What is the difference between an internal penetration test and an internal vulnerability assessment?

    An internal penetration test has three phases: 1) host and service discovery, 2) vulnerability identification and verification, and 3) exploitation. The primary objectives of an internal penetration test are to obtain sensitive information and/or gain unauthorized access. An internal vulnerability assessment, on the other hand, only includes the first two phases: 1) host and service discovery and 2) vulnerability identification and verification. During an internal vulnerability assessment the "proof of concept" phase that demonstrates the impact of the vulnerabilities identified is not performed.


