
An internal network penetration test starts from the assumption that the perimeter has already failed. You get a network drop, a low-privilege account, or a compromised laptop, and your job is to prove how far that foothold reaches. In most Windows enterprises the honest answer is: all the way to domain admin, usually in hours, through misconfigurations nobody knew were there.
This guide walks the methodology a tester actually follows on an internal engagement: discovery, enumeration, credential access, and lateral movement. We name the exact tools and commands at each step so you can reproduce the work or read a report and know what happened. For the wider context, start with our network penetration testing overview.
Internal network penetration testing is an authorized attack launched from inside your network, modeling what a malicious insider or an attacker who already breached the perimeter could do. The external test answers "can someone get in?" The internal test answers the scarier question: "once they're in, how bad does it get?"
The two are complementary, not interchangeable. An external network penetration test probes your internet-facing edge; the internal test assumes that edge is bypassed and measures blast radius. Scope usually includes Active Directory, file shares, internal apps, and the segmentation (or lack of it) between user, server, and management VLANs.
Testers typically work in an assumed-breach posture: you hand over a standard domain user account so they spend budget finding real escalation paths instead of re-running the phishing campaign you already know works.
Start with host discovery and service enumeration, because you can't attack what you can't see. masscan sweeps a /16 for live hosts in seconds (masscan 10.0.0.0/16 -p445,3389,88 --rate 10000), then nmap fingerprints the interesting ones in detail.
A typical nmap pass against the live set looks like nmap -sV -sC -p- -oA internal 10.0.5.0/24, which grabs versions and runs default scripts. For Active Directory, port 88 (Kerberos), 389/636 (LDAP), and 445 (SMB) are your map. Use nxc smb 10.0.5.0/24 (NetExec, the maintained successor to CrackMapExec) to sweep SMB, identify signing status, and spot the domain controllers.
Round out the picture with enum4linux-ng or rpcclient for SMB and RPC enumeration, and check network devices for default SNMP community strings (public, private) with snmpwalk or onesixtyone to pull configs and routes.

The fastest path to your first credentials on a Windows network is name-resolution poisoning. When a host asks for a name DNS can't resolve, Windows falls back to LLMNR and NBT-NS broadcasts, and Responder answers "that's me," capturing the NetNTLMv2 hash the victim sends.
Run responder -I eth0 and wait. You'll collect hashes you can crack offline with hashcat (hashcat -m 5600 hashes.txt rockyou.txt) or, better, relay live. If a target has SMB signing disabled, skip cracking entirely: relay the authentication straight to it with impacket's ntlmrelayx.py -tf targets.txt -smb2support and dump SAM or execute commands as the relayed user. That single LLMNR-plus-relay chain is still the most reliable internal foothold in 2026.
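An added example, not code from the article: it parses the per-host banner lines an nxc smb sweep prints (the signing status mentioned above) and lists the hosts that do not require SMB signing, which are both the hosts a relay would land on and the first ones a defender should push the "require signing" policy to. The sample sweep output is constructed in the nxc/CrackMapExec banner layout with made-up hosts.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of the per-host banner lines an `nxc smb <subnet>` sweep
# prints (same layout as CrackMapExec). Hosts, builds and domain are made up.
SAMPLE_SWEEP = """\
SMB         10.0.5.10       445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.0.5.21       445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.0.5.33       445    WKS-042          [*] Windows 10.0 Build 19041 x64 (name:WKS-042) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.0.5.34       445    WKS-043          [-] Connection Error: timed out
"""

# One regex for the banner; non-banner lines (errors, share listings) are skipped.
BANNER = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+"
    r"(?P<os>.*?)\s+\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)

@dataclass
class SmbHost:
    ip: str
    host: str
    domain: str
    os: str
    signing: bool   # True = server requires SMB signing
    smbv1: bool

def parse_sweep(text: str) -> List[SmbHost]:
    hosts = []
    for line in text.splitlines():
        m = BANNER.match(line)
        if m:
            hosts.append(SmbHost(m["ip"], m["host"], m["domain"], m["os"],
                                 m["signing"] == "True", m["smbv1"] == "True"))
    return hosts

def relay_exposed(hosts: List[SmbHost]) -> List[SmbHost]:
    """Hosts not requiring signing: first targets for the 'require signing' GPO."""
    return [h for h in hosts if not h.signing]

def smbv1_enabled(hosts: List[SmbHost]) -> List[SmbHost]:
    """Legacy SMBv1 still on: a separate hardening finding worth listing."""
    return [h for h in hosts if h.smbv1]

if __name__ == "__main__":
    hosts = parse_sweep(SAMPLE_SWEEP)
    for h in relay_exposed(hosts):
        print(f"signing not required: {h.ip} {h.host} ({h.os})")
```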
Other credential sources worth checking early: cleartext passwords in open file shares and Group Policy Preferences (the cpassword bug), and AS-REP roasting any account with Kerberos pre-auth disabled.
Lateral movement is about turning one credential into many, and the planning starts with BloodHound. Run the SharpHound collector (SharpHound.exe -c All) or the Python ingestor to snapshot every user, group, session, and ACL, then load it into BloodHound and ask for the shortest path from your owned account to Domain Admins.
BloodHound turns a permissions maze into a literal graph: it'll show you that your foothold user is in a group with GenericWrite over a service account that can DCSync. With a path in hand, NetExec does the moving (nxc smb <subnet> -u user -H <hash> --local-auth) using pass-the-hash, and impacket's psexec.py, wmiexec.py, or smbexec.py give you remote execution. mimikatz or its in-memory cousins dump fresh credentials from LSASS on each new host, and the chain repeats until you reach a domain controller.
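An added example, not code from the article or from BloodHound itself: a breadth-first shortest-path search over a constructed edge list shaped like the relations BloodHound graphs, reproducing the "foothold user -> group with GenericWrite -> service account with DCSync" path described above, then removing that ACL right and searching again to check whether a longer route survives (the pruning step the findings list calls for). Principal names and edges are hypothetical.

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple
Edge = Tuple[str, str, str]  # (source, relation, target), as BloodHound stores them

# Constructed graph in the shape BloodHound reasons over. Principal names are
# hypothetical; the relations are the ones the article cites (MemberOf,
# GenericWrite, DCSync) plus a local-admin/session route for contrast.
EDGES: List[Edge] = [
    ("alice@corp.local",      "MemberOf",     "HELPDESK@corp.local"),
    ("HELPDESK@corp.local",   "GenericWrite", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "DCSync",       "CORP.LOCAL"),
    ("alice@corp.local",      "AdminTo",      "WKS-042.corp.local"),
    ("WKS-042.corp.local",    "HasSession",   "bob@corp.local"),
    ("bob@corp.local",        "MemberOf",     "IT-ADMINS@corp.local"),
    ("IT-ADMINS@corp.local",  "MemberOf",     "DOMAIN ADMINS@corp.local"),
]
# Reaching the domain object (DCSync) or Domain Admins means the domain is owned.
HIGH_VALUE: Set[str] = {"CORP.LOCAL", "DOMAIN ADMINS@corp.local"}
# ACL rights abused directly; these are what the findings list says to strip.
ACL_RIGHTS = {"GenericWrite", "GenericAll", "DCSync", "WriteDacl", "WriteOwner"}

def shortest_path(edges: List[Edge], start: str, goals: Set[str]) -> Optional[List[Edge]]:
    """Breadth-first search: fewest hops from `start` to any node in `goals`."""
    adj: Dict[str, List[Edge]] = defaultdict(list)
    for edge in edges:
        adj[edge[0]].append(edge)
    parent: Dict[str, Optional[Edge]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in goals:                      # walk parents back to the start
            path: List[Edge] = []
            while parent[node] is not None:
                path.append(parent[node])
                node = parent[node][0]
            return path[::-1]
        for edge in adj[node]:
            if edge[2] not in parent:          # first visit = shortest distance
                parent[edge[2]] = edge
                queue.append(edge[2])
    return None

def prune_first_acl(edges: List[Edge], path: List[Edge]) -> List[Edge]:
    """Remove the first abusable ACL edge on a found path; re-run the search after."""
    for edge in path:
        if edge[1] in ACL_RIGHTS:
            return [e for e in edges if e != edge]
    return list(edges)

if __name__ == "__main__":
    path = shortest_path(EDGES, "alice@corp.local", HIGH_VALUE)
    print(" -> ".join(f"{s} [{r}] {t}" for s, r, t in path))
```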
Active Directory-specific abuse (Kerberoasting, delegation, ADCS) deserves its own checklist; see our Active Directory penetration testing checklist for the full sequence.
The findings cluster into a short, fixable list, and fixing the top four kills most attack paths. Disable LLMNR and NBT-NS via Group Policy so Responder has nothing to answer. Enforce SMB signing everywhere to break NTLM relay. Use the Local Administrator Password Solution (LAPS) so a single dumped local hash doesn't unlock the whole fleet.
Then prune Active Directory: remove the GenericWrite, DCSync, and unconstrained-delegation rights BloodHound flagged, and rotate the krbtgt account. Defenders should read our guide on securing against Active Directory attacks. Because these misconfigurations creep back with every new GPO and group change, point-in-time testing leaves gaps; agentic pentesting is the modern, continuous way to keep checking these paths as your environment drifts.