How to Prepare for Your Internal Network Pen Test

Famous detectives throughout history have always been thrown into cases. That’s the nature of their job—the situation to create the case occurred, and it’s up to Sherlock Holmes to follow a trail of clues to determine the solution.

When you perform an internal network pen test, the nature of the work is similar, but there are a few things you can do to help these cyber “detectives” maximize your knowledge gained and action items moving forward.

Schellman’s Pen Test Team is experienced, and we often get asked to perform this specific type of evaluation. Having gone into these sorts of engagements many times before, we want to share some helpful insight specific to this kind of test.

In this article, we’ll define clearly what an internal network pen test is—including the two different scenarios to choose from—and what’s involved during testing. That will include a list of things to check off ahead of your test, as well as some additional tips.

Leveraging all this information will help you get off to a smooth start during your internal network pen test, giving your team more time to get you results.

What is an Internal Network Penetration Test?

During an external network pen test, your tester acts as an attacker on the Internet would in attempting to breach your web-facing assets—during an internal network test, they begin once they’re already past them.

Like a detective that begins within the circumstances of a case, an internal pen test positions your Pen Test Team positioned already inside your network. The goal here is to identify the vulnerabilities on the internal network and exploit them to determine what a malicious attacker could do if they gained access.

Your Pen Test Team may “follow the clues” to see what all they can manipulate, but please note that testing will not include exploiting any vulnerabilities that could likely result in a Denial of Service (DoS) condition. These issues are verified as much as possible but without active exploitation.

2 Choices to Make Ahead of Your Internal Network Pen Test

So then, how do you get ready to let a Pen Test Team past your perimeter defenses to see what areas you need to shore up? Here are two decisions you should make to prepare for your internal network pen test:

1. Deployment: Either a Virtual Machine (VM) or a Physical Device (Small Form-Factor PC)

The first thing you need to choose is which of these you want to use in your test.

If you opt for a VM, make these secondary decisions and technical preparations:

  • Choose what technology will be used—VMware ESXi or Microsoft Hyper-V.
  • Will a static IP address be required or is assignment via Dynamic Host Configuration Protocol (DHCP) acceptable?
    • If static addressing is required, be ready to provide the following to your pen testers:
      • IP Addresses
      • Subnet Mask
      • DNS
      • Gateway
    • Ensure the VM will have a network adapter attached with Internet access.
    • Confirm OpenVPN is allowed outbound from the IP of the VM.

If choosing to deploy a physical device (small form-factor PC), please confirm the following and make these technical preparations ahead of your test:

  • The shipping address and the point of contact to whom your device should be sent.
  • Whether static IP addressing is required or if DHCP assignment is acceptable.
    • If static is required, please be ready to provide the IP addresses, subnet mask, DNS, and gateway.
  • If port authentication or MAC address filtering is in place, please alert your pen testers before they ship you the device so that can provide the information needed.
  • Upon receiving the device, connect it to a network jack with Internet access. Additionally, ensure that the device will not be powered off by staff.
  • Ensure OpenVPN is allowed outbound from the IP of the device.

2. Select a Scenario

When it comes to internal pen tests, you have options on how your assessment is performed. The two most common scenarios your Pen Test Team will present are:

  1. Act as a 3rd party vendor (e.g., a cleaning crew) that has access to your office and has plugged a device into your network after hours.
  • You won’t need to provide credentials for this scenario.
  1. Act as an insider threat (e.g., an employee with access).
    • For Active Directory networks, you will need to provide Active Directory credentials as you would to a newly onboarded employee. 

It’s also possible and beneficial to perform testing from both of these perspectives, should you so choose, particularly if your pen testers don’t identify any vulnerabilities when executing the first scenario.

Additional Tips for Your Internal Pen Test

If you take all the above steps to get ready for your internal pen test, you should be in good shape when testing begins. To help you streamline your experience further, here’s a bit more insight:

  • Let the security operations center (SOC) or network operations center (NOC) know that an internal pen test is scheduled and provide them with the IP address assigned to the test device.
    • As this is not a Red Team assessment, your pen testers will not be as stealthy or stay undetected during testing. Their job is to highlight as many issues as possible and provide actionable feedback within the limited timeframe available, which will go smoother without interference from your security personnel (who may if unalerted, otherwise believe a real attack is happening).
  • Do not restrict the scope or exclude hosts from your penetration test.
    • If this pen test is to serve a compliance initiative, it’s better to have a wider scope than a narrower one. You don’t want to end up in a position to have to run another test—spending more money and time—to include these hosts in the future. It’s best to just include them now.
  • Identify sweet spots and tell your Pen Test Team about them.
    • If specific hosts within your network are known to be sensitive, let the pen testers know so they can act accordingly. 

Next Steps for Your Internal Pen Test

Making all these moves ahead of your internal network pen test will help pave a clear path forward for your chosen Pen Test Team to conduct their work. In acting out this post-breach situation, they’ll be able to tell you where you’re vulnerable, as well as how vulnerable you are should an attacker make it past your perimeter defenses.

If you’re interested in using Schellman’s Pen Test Team for this type of assessment—or “detective work”—check out these articles for more insight into our specific process and team:

Once you’ve read through those, please contact us to start a more detailed discussion regarding how we can help your organization.


About the Author

Josh Tomkiel

Josh Tomkiel is a Senior Manager and Penetration Tester based in Philadelphia, PA with over 10 years of experience within the Information Technology field. Josh has a deep background in all facets of penetration testing and works closely with Schellman's other service lines to ensure penetration testing requirements are met. Additionally, Josh leads the Schellman's Red Team service offering, which provides an in-depth security assessment focusing on different tactics, techniques, and procedures (TTPs) for clients with mature security programs.

More Content by Josh Tomkiel
Previous Video
What to Expect from Your FedRAMP Penetration Test
What to Expect from Your FedRAMP Penetration Test

Next Article
How to Prepare for Your Schellman Penetration Test
How to Prepare for Your Schellman Penetration Test

Getting ready for your penetration test with Schellman's team? Here are 6 common issues you'll want to avoi...