Pentesting for Internal Networks
Even if your internal network is shielded by firewalls and virtual private networks (VPNs), isolating it from the open internet – it remains vulnerable to threats. If not properly secured, internal networks can be compromised by threat actors such as nation-state advanced persistent threat (APT) groups, ransomware gangs, or malicious insiders. With limited or no segmentation, these networks offer a direct path for attackers to move laterally, escalate privileges, and ultimately access your most sensitive data. To safeguard internal networks, HackerOne offers a methodology-driven penetration testing (pentesting) solution delivered via a Pentest as a Service (PTaaS) model. This approach connects organizations with a heavily vetted cohort of a global ethical hacker community for comprehensive, end-to-end pentesting.
Testing Methodologies
HackerOne's testing methodologies are grounded in the principles of the PTES, OSSTMM, NIST SP 800-115, and CREST and can be tailored to various assessment types including internal networks. Our methodology is continuously evolving to ensure comprehensive coverage for each pentesting engagement. This approach stems from:
- Consultations with both internal and external industry experts.
- Leveraging and adhering to recognized industry standards.
- Gleaning insights from a vast array of global customer programs, spanning both time-bound and ongoing engagements.
- Detailed analysis of millions of vulnerability reports we receive through our platform.
Threats are constantly evolving, so our methodology can't remain stagnant. HackerOne’s Delivery team, including experienced Technical Engagement Managers (TEMs), constantly refine and adapt based on feedback and real-world experiences, delivering unparalleled security assurance.
Common Internal Network Vulnerabilities
General Network Security Issues
Network segmentation is the practice of isolating portions of the network to enhance security. By partitioning the network into portions based on characteristics such as organization department or privilege requirements, adversaries will be cordoned off from the network in its entirety in the event of unauthorized network access. This means additional attack techniques will be required to pivot between sections. This can be achieved through the use of components such as firewalls, switches, and routers.
Misconfigurations in network ingress and egress points can result in devastating security incidents. For instance, applications and databases meant for internal usage can expose sensitive data if accidentally placed into a subnet with a routing table and gateway that allows for public access over the Internet. Insufficient segmentation can also lead to non-compliance with applicable industry regulations such as GDPR, HIPAA, or NIST 800-53.
Using unencrypted protocols that transmit data across a network in plaintext can also lead to security breaches. Any malicious attackers that gain local access can utilize network traffic inspection tools in order to obtain sensitive data without needing to convert it into a human-readable format. Protocols such as the File Transfer Protocol (FTP) and Network File System (NFS) should be replaced with their secure, encrypted variants (SFTP, SNFS).
A lack of credential security best practices can and often causes security breaches. By not enforcing security measures such as credential rotation schedules, strength requirements, and Multi-Factor Authentication (MFA), accounts can be hijacked trivially using techniques such as dictionary attacks.
Vulnerabilities Specific to Microsoft Environments
Microsoft Active Directory (AD) is one of the most widespread technologies in internal networks. AD services are used for centralizing, inventory management, and configuring machines and users across an organization. AD is often tied to Microsoft 365/Azure via various hybrid models.
The use of outdated protocols, insecure cryptography, and a myriad of access control misconfigurations can lead to vulnerabilities that result in stolen credentials, domain/privilege escalation, and persistence.
ADCS
Active Directory Certificate Services (ADCS) is a Windows Server role used to issue and manage public-key infrastructure (PKI) certificates. These certificates are used to encrypt and digitally sign data and also provide a means of authentication by linking certificate keys with computer, user, or device accounts on the network. Through the use of certificate templates, administrators can specify settings such as:
- How long a certificate is valid for
- The purpose of a certificate (client/server authentication, code signing, etc.)
- How the account is identified
- Who is allowed to request a certificate
When a client requests a certificate, they generate asymmetric keys and include the public key in a Certificate Signing Request (CSR). The CSR also includes the name of the desired template and the identity of the requesting client. Certificates are issued by the Enterprise Certificate Authority (CA) only after it verifies that the client is permitted to request the certificate based on the settings of the template. If the client’s request is permitted, the CA signs the certificate and sends it to the client. These asymmetric keys can then be used as proof to ensure certain operations are only executed by the intended entities.
Issues arise when these certificate templates are misconfigured. For convenience, Subject Alternative Names (SAN) can be used to attach cross-domain users to a certificate. While this simplifies access control to domain resources, if misconfigured, malicious attackers could arbitrarily define the SAN and gain privileged access across domains and services within the AD. Additionally, under certain conditions, if a certificate template includes the Any Purpose Extended Key Usage (EKU) attribute or lacks EKU settings, an attacker can abuse it to perform any sensitive action.
NTLM
Windows New Technology LAN Manager (NTLM), is an older authentication protocol suite with known vulnerabilities and is considered outdated. Despite this, it is still supported and widely used in order to maintain backward compatibility with legacy systems.
NTLM authentication produces hash digests of user-supplied credentials. These hash values are then used to satisfy challenges enforced by servers that are part of a three-way handshake. An infamous attack against this method of authentication is known as the NTLM Relay attack. In this attack, adversaries position themselves using Man-in-the-Middle (MitM) techniques to sniff network traffic. Due to the fact that the three-way handshake of the challenge process is transmitted unencrypted, if an attacker is able to intercept a valid challenge response and relays it to the target server – they will be authenticated in place of the legitimate client. This completely avoids the need for “cracking” a hash to discover its plaintext equivalent.
If network devices have open Server Message Block (SMB) ports and signing is either disabled or not enforced, this vantage point can lead to the attacker gaining file system and code execution on impacted systems.
Kerberos
Kerberos is the latest authentication protocol used in AD, utilizing a number of various components in order to identify entities and provide information about the privileges they hold. While this information is provided, the responsibility of verifying resource access falls on the service itself. Kerberos differs from NTLM as it leverages encryption rather than hash digests. It is composed of two main components: Agents and Tickets.
Agents represent the entities involved. Clients access services that are hosted by Application Servers (AP). Tickets are used to perform actions and are issued by the Key Distribution Center (KDC). The KDC receives Ticket Granting Ticket (TGT) requests for tickets used to authenticate against services. The tickets used for authentication are known as Ticket Granting Service (TGS) tickets. Included in the majority of tickets is what is known as a Privilege Attribute Certificate (PAC). The PAC specifies the privileges of the associated user and is signed with the KDC key.
To facilitate all of this communication, messages are used within the Kerberos environment. Messages contain information such as the username, timestamp, and service, and authentication is achieved through the transmission and processing of messages.
There are a variety of different attacks against Kerberos, though all seek to gain unauthorized access to services. If a malicious attacker is able to obtain tokens such as a user’s hash or session key, Overpass the Hash/Pass the Key attacks can be used to impersonate the victim user. Hashes can be extracted from SAM and NTDS.DIT files as well as from process memory. If an attacker is local and performs a MitM attack to obtain issued tickets, users can also be impersonated in a Pass the Ticket attack. Tickets can also be forged in certain cases when threat actors perform Golden Ticket and Silver Ticket attacks. In addition to all these, account passwords can be cracked in Kerberoasting and ASREPRoast attacks.
DACL
Access rights to objects in AD are defined using Access Control Entries (ACE) which define the permissions associated with an entity. Discretionary Access Control Lists (DACL) are then attached to objects and list the ACEs protecting them. If permissions are misconfigured, unauthorized access to resources can occur.
ACE permission constants that can lead to vulnerabilities include:
- ADS_RIGHT_DELETE (DE): Allows for the deletion of the object.
- ADS_RIGHT_WRITE_DAC (WD): Grants the right to modify the object’s DACL.
- ADS_RIGHT_DS_WRITE_PROP (WP): The right to edit an object’s attributes.
- ADS_RIGHT_DS_CONTROL_ACCESS (CA): Allows for “Extended rights” to be performed.
- User-Force-Change-Password (00299570-246d-11d0-a768-00aa006e0529): This allows for the password protecting the object to be changed without knowledge of the current password.
Internal Network Testing Best Practices
Careful Scoping
Having the right scope is crucial to a successful pentest. The scope you set should align with your testing goals. For exhaustiveness, it's best to allow pentesters as much room as possible to move around in your network and include anything they can discover.
However, with limited resources and time, certain attacks and tests should be prioritized to save time and focus on what's more important. You can also set specific desirable goals for them to focus on, such as gaining access to customer data from an internal account or breaching high-level corporate employees. HackerOne evaluates your assets to accurately determine the appropriate pentest conditions and provides a customized quote tailored to your specific pentest requirements.
Download the Pre-Pentest Checklist to address crucial questions before your next pentest.
Skills-Based Tester Matching
While traditional consultancies may offer dedicated internal network pentesters, they often rely on generalists with limited specialization. However, for effective internal network testing, it’s crucial to engage experts who understand the complexities of Active Directory, lateral movement in hybrid environments, and the nuances of your specific internal technology stack.
HackerOne Pentest, delivered through a Pentest as a Service (PTaaS) model, provides access to a global community of elite, vetted security researchers with specialized skills. These experts are proficient in technologies like Active Directory, Kerberos exploitation, NTLM relay attacks, and navigating complex multi-operating system environments. By tracking each researcher's expertise and certifications—ranging from Windows and Linux infrastructure to advanced privilege escalation techniques—HackerOne ensures the most suitable specialists are matched for each engagement. This tailored approach results in the discovery of high and critical severity findings that often elude more general approaches, delivering the comprehensive and deep coverage internal networks require.
With HackerOne's community-driven PTaaS model, customers receive versatile, high-quality results, uniquely aligned with the specific assets and technology stacks present in their internal networks.
Zero Trust Internal Network Access
Providing a tester adequate access to an internal network environment can be a tricky and frustrating task. In traditional pentest offerings, this can be a major pain point for both the organization and the testers.
Security teams may need to reluctantly adjust firewall rules, add additional VPN accounts, and grant access to virtual desktops, compromising their environment’s security to facilitate testing. This has a big impact on pentester productivity, as slow network access, laggy virtual desktops, and cumbersome configurations waste energy and valuable testing time.
HackerOne's new Gateway offers a Zero Trust tunnel using Cloudflare's WARP technology to connect pentesters in a secure and fast manner to internal target assets. It uses a client installed on the tester's endpoints that authenticates their identity and device to the private network, and allows customers to easily grant, revoke and audit tester access to applications wherever they are in the world. It can be used during an internal network pentest to provision network access for specific internal network ranges, and enable connectivity to any internal services for testing.
The use of Zero Trust Network Access (ZTNA) for pentesting is a rare sight in traditional pentest offerings or even other PTaaS platforms, and greatly enhances both network security and tester productivity during engagements. The HackerOne Gateway offers a significant improvement in performance and security for internal network pentests compared to inconsistent and slow VPNs.
Discover how zero trust control enhances internal network testing.
Case Study: NotPetya
In 2017 the Kremlin linked APT group known as Fancy Bear, unleashed the devastating NotPetya malware upon its neighboring country Ukraine. The malware overwrote the Master Boot Record of affected systems with a malicious payload. When machines rebooted, the inserted code encrypted the files on the system.
NotPetya, a combination of EternalBlue and EternalRomance (exploits developed by the U.S. NSA and leaked by a group known as the Shadow Brokers), alongside a modified Mimikatz integration was able to rapidly spread throughout infected networks using lateral movement techniques. The custom Mimikatz version allowed attackers to steal Windows credentials and execute all the NTLM and Kerberos attacks discussed earlier.
Even though the intended target was Ukraine, due to its worming capabilities, NotPetya propagated beyond the confines of Russia’s neighbor, reaching organizations globally within hours.
Shipping and logistics giant, Maersk, was hit especially hard. The NotPetya malware, according to Maersk’s CISO Andy Powell, nearly wiped out all online backups of the company’s Active Directory.
Maersk’s network, which had been brought to its knees within seven minutes, was only restored using a backup that had been saved in their Nigerian office due to a power outage. The company reported $300 million in losses following the attack. Globally, NotPetya was responsible for over $10 billion in damages.
HackerOne Optimizes Internal Network Pentests Through Community-driven PTaaS
By choosing HackerOne as your partner in pentesting, your organization can fully benefit from the community-driven PTaaS model. The HackerOne Platform simplifies pentest requests, asset onboarding, and researcher enlistment, making the process swift and efficient.
Our community of security researchers brings the expertise needed to thoroughly audit your internal networks for vulnerabilities. You will extend your attack surface coverage and be able to address vulnerabilities arising from a variety of technology stacks. With rapid setup, continuous monitoring, and prompt retesting of fixes, HackerOne safeguards your internal network assets in an ever-changing threat landscape.
The 8th Annual Hacker-Powered Security Report