Internal Network & Active Directory · beginner · ~11 min
Run the internal-test workflow from a foothold: discover, enumerate, validate, move.
Internal testing starts from a foothold (assumed breach) and loops: host discovery → service enumeration → validate misconfigs → gather credentials → lateral movement → escalate to the domain. Most internal engagements become Active Directory engagements.
Internal/AD work makes up most real engagements. A repeatable loop keeps the engagement thorough and in scope, and recognising that AD ties Windows networks together focuses effort on the highest-impact target.
Assumed breach: start inside, show impact.
The loop: discover → enumerate → validate → credentials → move → escalate.
AD-centric: internal Windows networks revolve around Active Directory.
Care: gentle scanning, segmentation testing, scope/time awareness.
An internal engagement assumes the attacker is already inside the perimeter (a foothold, a rogue device, or an "assumed breach" start). The goal is to show how far that foothold can be turned into domain compromise.
Internally you'll see far more than from outside: file shares, printers, legacy protocols, and Active Directory, which ties every Windows host together. Most internal engagements become AD engagements.
Internal scanning can disrupt fragile devices (printers, ICS, medical and building-control kit) — scan gently (lower rate, fewer ports, longer timeouts, full TCP connects rather than aggressive probes) and only within scope, keeping an exclusion list for hosts the client flags as fragile. Record the timestamp and source host of noisy actions so the client's blue team can correlate alerts. Segmentation testing (can subnet A reach subnet B, and on which ports?) is often an explicit objective.
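As an added example (not code from the original page) of the care points above: a small segmentation check that probes one target at a time with a full TCP connect, a long timeout and a pause between probes, skips an exclusion list of fragile hosts, and keeps a UTC-timestamped log of every probe for the client's blue team. The addresses, ports and the `connector` hook are assumptions; the `__main__` demo uses a constructed fake connector that simulates a firewall allowing only one host:port, so it runs offline without touching a network.

```python
"""Gentle segmentation check (added illustration; hosts/ports are assumed)."""
import ipaddress
import socket
import time
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List, Tuple

# connector(host, port, timeout) -> True if the port accepted a connection
Connector = Callable[[str, int, float], bool]


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """One full TCP connect. Unprivileged, and the probe fragile devices
    tolerate best (no half-open/SYN tricks, no version probing)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class SegmentationCheck:
    """Can this foothold reach the given targets, and on which ports?"""

    def __init__(self, excluded: Iterable[str] = (), pause: float = 0.5,
                 timeout: float = 3.0, connector: Connector = tcp_connect):
        # Exclusion list: client-flagged fragile hosts or out-of-scope ranges.
        self.excluded = {ipaddress.ip_network(x, strict=False) for x in excluded}
        self.pause = pause        # seconds between probes: one at a time, slowly
        self.timeout = timeout    # long timeout: slow legacy stacks still answer
        self.connector = connector
        self.log: List[Tuple[str, str]] = []   # (UTC timestamp, action)

    def _note(self, msg: str) -> None:
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.log.append((ts, msg))

    def is_excluded(self, host: str) -> bool:
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.excluded)

    def run(self, targets: Iterable[str], ports: Iterable[int]) -> Dict[str, Dict[int, bool]]:
        """Probe each (host, port) sequentially; excluded hosts are logged, not touched."""
        ports = list(ports)
        results: Dict[str, Dict[int, bool]] = {}
        for host in targets:
            if self.is_excluded(host):
                self._note(f"skip {host}: on exclusion list (fragile/out of scope)")
                continue
            results[host] = {}
            for port in ports:
                self._note(f"probe {host}:{port}")   # timestamped for the blue team
                results[host][port] = self.connector(host, port, self.timeout)
                time.sleep(self.pause)
        return results


def reachable_hosts(results: Dict[str, Dict[int, bool]]) -> List[str]:
    """Hosts where any probed port answered: the segmentation finding."""
    return sorted(h for h, ports in results.items() if any(ports.values()))


if __name__ == "__main__":
    # Constructed fake connector: pretend a firewall allows only 10.20.0.5:445.
    def fake(host: str, port: int, timeout: float) -> bool:
        return (host, port) == ("10.20.0.5", 445)

    chk = SegmentationCheck(excluded=["10.20.0.2"], pause=0, connector=fake)
    res = chk.run(["10.20.0.5", "10.20.0.2", "10.20.0.9"], [445, 3389])
    print("reachable:", reachable_hosts(res))
    for ts, action in chk.log:
        print(ts, action)
```

Swapping `fake` for the default `tcp_connect` turns this into a real check from the foothold; keep `pause` and `timeout` generous, and hand the `log` to the client so alerts raised during the test can be matched to your probes.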
Internal pentesting works a discover-enumerate-validate-credential-move-escalate loop from a foothold, almost always converging on Active Directory as the path to full compromise — conducted carefully and within scope.