BIPI

Internal Network Pentest: The Four Stages We Run

Cybersecurity

An internal pentest is not a CTF. It is a repeatable workflow of recon, enumeration, AD attack, and lateral movement. Here is the kit and the detection signals at each stage.

By Arjun Raghavan, Security & Systems Lead, BIPI · February 25, 2025 · 9 min read

#internal-pentest #network #ad

Drop a laptop on a corporate VLAN with no credentials. Within four hours, most engagements have Domain Admin. The path is consistent enough that we run it as a four-stage playbook, with the same tooling and the same detection opportunities at each stage.

Stage 1: Passive recon and unauthenticated wins

Start Responder in analyze mode for 15 minutes to map LLMNR, NBT-NS, and mDNS chatter without poisoning. Then flip to active and capture NetNTLMv2 hashes from broken name resolution. mitm6 against IPv6-enabled clients almost always lands a relay path. NetExec (the maintained nxc fork of CrackMapExec) sweeps SMB null sessions, signing posture, and anonymous LDAP.

  • responder -I eth0 -wd: poison LLMNR/NBT-NS, capture hashes for offline cracking with hashcat -m 5600.
  • ntlmrelayx.py -tf targets.txt -smb2support: relay captured auth to SMB hosts without signing required.
  • nxc smb 10.0.0.0/24 --gen-relay-list relay.txt: build the target list automatically.
  • mitm6 -d corp.local: rogue DHCPv6, then relay to LDAPS for ACL abuse.

Stage 2: AD enumeration with a low-priv account

Once you have any domain user, BloodHound becomes the map. Run SharpHound or the bloodhound.py collector. Look for kerberoastable accounts, AS-REP-roastable accounts, ACL paths, GenericAll on group memberships, and shadow credentials opportunities. Certipy enumerates AD CS templates for ESC1 through ESC15.

Stage 3: Credential attacks and lateral movement

Kerberoasting service accounts with weak passwords usually yields one or two cleartexts. Use those for password spraying with kerbrute. With local admin on any host, dump LSASS via lsassy or comsvcs.dll and hunt for cached domain admin sessions. PsExec, WMI, and WinRM move you laterally; pick the one with the lowest detection footprint for the target environment.

Stage 4: Persistence and impact

With Domain Admin, the goal is to demonstrate impact, not to install backdoors. Dump the krbtgt hash for a documented Golden Ticket capability proof, list crown-jewel data access (file shares, database servers), and snapshot the BloodHound graph showing the path. Persistence is theoretical for the report; never leave artifacts.

Detection by stage

Stage 1 is the cheapest to catch: LLMNR poisoning produces obvious traffic patterns (one host answering name queries for many unrelated names), and Responder's NTLM challenges have known characteristics. Stage 2 enumeration creates Security Event ID 4662 entries for unusual directory object reads when SACLs are configured on the objects being queried. Stage 3 hash dumping triggers Sysmon Event ID 10 (ProcessAccess) on lsass.exe opened by non-system processes. Stage 4 should not be reachable at all if Tier 0 is properly segmented.
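The Stage 2 and Stage 3 signals above can be triaged with a few lines of log logic. The following is an added example, not tooling from the original post or from BIPI: it runs over constructed Sysmon Event ID 10 and Security Event ID 4662 records, flags lsass.exe memory reads from images outside an allowlist, and flags 4662 events in which a principal other than a domain controller exercised the replication extended rights that DCSync relies on. The event field names follow the Sysmon and Windows Security schemas; the allowlist, the DC account names and the sample records are assumptions to tune for a real estate.

```python
"""Triage helpers for two detection signals: Sysmon Event ID 10 (ProcessAccess)
against lsass.exe, and Security Event ID 4662 carrying the directory-replication
control-access rights that DCSync needs.

The events below are constructed samples; field names follow the Sysmon and
Windows Security event schemas, and the allowlists are assumptions to tune."""
import re

# Extended rights that grant replication; the GUIDs are the published AD constants.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Images that legitimately open lsass.exe with read access (assumption; tune per estate).
LSASS_SOURCE_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Machine accounts of domain controllers, which replicate legitimately (assumption).
DC_ACCOUNTS = {"DC01$", "DC02$"}

PROCESS_VM_READ = 0x0010  # the access right every memory dumper needs
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Constructed sample events (subset of fields from each schema).
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS042", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "Computer": "WS042", "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jsmith", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
]


def triage_lsass_access(events):
    """Return findings for EID 10 events where a non-allowlisted image reads lsass memory."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        source = ev["SourceImage"].lower()
        granted = int(ev["GrantedAccess"], 16)
        # Skip known-good images, and opens that cannot read memory at all.
        if source in LSASS_SOURCE_ALLOWLIST or not granted & PROCESS_VM_READ:
            continue
        findings.append({"signal": "lsass-read", "host": ev["Computer"],
                         "source": ev["SourceImage"], "access": hex(granted)})
    return findings


def triage_dcsync(events):
    """Return findings for EID 4662 events where a non-DC principal used replication rights."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = set(GUID_RE.findall(ev["Properties"].lower()))
        rights = sorted(DS_REPLICATION_GUIDS[g] for g in guids if g in DS_REPLICATION_GUIDS)
        if not rights or ev["SubjectUserName"] in DC_ACCOUNTS:
            continue
        findings.append({"signal": "dcsync", "host": ev["Computer"],
                         "subject": ev["SubjectUserName"], "rights": rights})
    return findings


if __name__ == "__main__":
    for finding in triage_lsass_access(SAMPLE_EVENTS) + triage_dcsync(SAMPLE_EVENTS):
        print(finding)
```

On the sample set this reports the rundll32.exe open of lsass.exe with full access (the comsvcs.dll MiniDump pattern from Stage 3) and the 4662 event in which a regular user account pulled DS-Replication-Get-Changes-All, while the csrss.exe open and the DC-to-DC replication event are dropped as expected. Excluding by named DC accounts rather than by any account ending in `$` is deliberate: a compromised workstation machine account exercising replication rights is exactly what you want to see.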

Remediation

  1. Disable LLMNR and NBT-NS via GPO. Disable mDNS where not required. Block IPv6 on networks that do not route IPv6.
  2. Enforce SMB signing on all servers, not just domain controllers. Require LDAP signing and channel binding.
  3. Tier your administrative model. Domain admins log in only from Privileged Access Workstations. No browsing or email from Tier 0.
  4. Rotate krbtgt twice on a schedule. Set strong, randomized passwords on service accounts and use group Managed Service Accounts where possible.
  5. Audit AD CS templates against the ESC1-15 list. Disable EnrolleeSuppliesSubject on templates that do not need it.
  6. Deploy EDR with credential theft detections (lsass access, SAM hive read, DCSync events) and tune for low false positives.
  7. Require MFA on RDP and VPN. Where MFA is not feasible, enforce conditional access by source network.
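Items 1, 2 and 4 above map to concrete settings that can be audited rather than assumed. The following is an added example, not part of the original post or of BIPI's tooling: it checks a constructed snapshot of registry policy values against the required state for LLMNR, NBT-NS, SMB signing, LDAP signing and LDAP channel binding, and classifies krbtgt key age for the double-rotation rule. The registry value paths are the real policy locations; the host snapshot, the 180-day rotation interval and the 10-hour maximum ticket lifetime are assumptions for the example.

```python
"""Posture audit for remediation items 1, 2 and 4, run over a constructed snapshot.

Registry value paths are the real policy locations. The snapshot contents, the
rotation interval and the ticket lifetime are assumptions for the example."""
from datetime import datetime, timedelta, timezone

K_LLMNR = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast"
K_SMB_SIGN = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature"
K_LDAP_SIGN = r"HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity"
K_LDAP_CB = r"HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding"
NBT_PREFIX = r"HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_"
NBT_DISABLED = 2  # NetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled

# (value path, required data, remediation item, applies only to domain controllers)
REQUIRED_VALUES = [
    (K_LLMNR, 0, "1: disable LLMNR", False),
    (K_SMB_SIGN, 1, "2: require SMB signing (server side)", False),
    (K_LDAP_SIGN, 2, "2: require LDAP signing", True),
    (K_LDAP_CB, 2, "2: enforce LDAP channel binding", True),
]

# Constructed snapshot: one DC, one file server; values map path -> data.
SAMPLE_HOSTS = {
    "DC01": {"is_dc": True, "values": {
        K_LLMNR: 0, K_SMB_SIGN: 1, K_LDAP_SIGN: 1, K_LDAP_CB: 2,
        NBT_PREFIX + r"{11111111-1111-1111-1111-111111111111}\NetbiosOptions": 2,
    }},
    "FS01": {"is_dc": False, "values": {
        K_LLMNR: 1, K_SMB_SIGN: 0,
        NBT_PREFIX + r"{22222222-2222-2222-2222-222222222222}\NetbiosOptions": 0,
    }},
}


def audit_registry(values, is_dc):
    """Return a list of failed items for one host; a missing value counts as a failure."""
    failures = []
    for path, required, item, dc_only in REQUIRED_VALUES:
        if dc_only and not is_dc:
            continue
        if values.get(path) != required:
            failures.append(f"{item} ({path} = {values.get(path)!r}, want {required})")
    # NBT-NS is configured per interface, so every Tcpip_{GUID} key must be disabled.
    for path, data in values.items():
        if path.startswith(NBT_PREFIX) and path.endswith("\\NetbiosOptions") and data != NBT_DISABLED:
            failures.append(f"1: disable NBT-NS on {path.split(chr(92))[-2]} (NetbiosOptions = {data})")
    return failures


def audit_estate(hosts):
    """Map host name -> list of failures across the snapshot."""
    return {name: audit_registry(h["values"], h["is_dc"]) for name, h in hosts.items()}


def rotation_overdue(pwd_last_set, now, interval_days=180):
    """True when the krbtgt key is older than the rotation interval (interval is an assumption)."""
    return now - pwd_last_set > timedelta(days=interval_days)


def second_rotation_allowed(first_rotation, now, max_ticket_hours=10):
    """The second krbtgt rotation must wait until tickets issued under the old key have
    expired, i.e. at least the maximum TGT lifetime (10 hours by default) after the first."""
    return now - first_rotation >= timedelta(hours=max_ticket_hours)


if __name__ == "__main__":
    for host, failures in audit_estate(SAMPLE_HOSTS).items():
        print(host, failures or "ok")
    now = datetime(2025, 2, 25, tzinfo=timezone.utc)
    print("krbtgt overdue:", rotation_overdue(now - timedelta(days=400), now))
```

On the sample snapshot DC01 fails only LDAP signing (LDAPServerIntegrity is 1, "negotiate", rather than 2, "require"), and FS01 fails LLMNR, SMB signing and NBT-NS. The split into `rotation_overdue` and `second_rotation_allowed` reflects why item 4 says "twice": the first rotation invalidates nothing until outstanding TGTs expire, and rotating again before that window closes breaks valid sessions without adding security.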
