Internal Network Penetration Test

Mixed Windows & web environment assessment focused on trust failures, credential reuse, lateral movement paths, and practical remediation.

  • Public-safe write-up (no creds, no sensitive artifacts)
  • Client-style structure: scope → findings → impact → fixes
  • Shows real methodology, not “look at my tools”

Tags

  • Internal
  • Windows (Win7/8/10 + Server/DC)
  • SMB / RDP
  • HTTP/HTTPS (Juice Shop + DVWA)

Executive Summary

The environment exposed systemic trust and authentication weaknesses that enabled administrative control without relying on complex exploitation. The primary risks were credential reuse across systems, legacy remote access posture, and overly permissive file sharing. These conditions would allow a realistic attacker to expand access rapidly once any valid credentials are obtained.

Scope and Rules of Engagement

In scope

  • Windows 7, Windows 8, Windows 10 endpoints
  • Windows Server (Domain Controller role)
  • Internal web apps: OWASP Juice Shop + DVWA
  • Services: SMB, RDP, HTTP/HTTPS

Out of scope

  • Denial-of-service testing
  • Destructive payloads
  • Publishing sensitive credentials or personal data

Environment Overview

This lab simulates a small organization network with mixed OS maturity and internal web apps. The key lesson: patching alone does not save you when identity hygiene and trust boundaries are weak.

Asset                 Role                 Primary services   Risk theme
Windows 7             Legacy workstation   SMB, RDP           Legacy remote access posture
Windows 8             User workstation     SMB, RDP           Inconsistent hardening
Windows 10            Modern workstation   SMB                Credential trust defeats patching
Windows Server (DC)   Crown jewels         AD services        Risk amplification
OWASP Juice Shop      Internal web app     HTTP/HTTPS         Trust & logic abuse
DVWA                  Legacy web app       HTTP               Maintenance debt

Key Findings

Credential reuse enabled lateral movement across multiple hosts

Critical

Valid credentials were accepted across multiple systems via SMB/RDP, demonstrating weak identity hygiene and a high likelihood of rapid compromise expansion without requiring software exploitation.

Impact

  • Full endpoint compromise
  • High probability of reaching servers had the engagement been extended

Recommendations

  • Unique local admin passwords (e.g., LAPS)
  • Reduce lateral protocols between workstations
  • MFA for privileged access where possible
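One way a defender can spot the pattern this finding describes, added here as an illustration and not part of the assessment's own tooling: correlate successful logon events and flag any account that reaches several distinct hosts over SMB (logon type 3) or RDP (logon type 10) from one source within a short window. The line format, thresholds, host names and addresses below are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled loosely on Windows Security event 4624
# (successful logon); hosts, accounts and addresses are invented.
SAMPLE_EVENTS = """\
2024-05-01T09:00:12 host=WS-WIN7 user=svc_backup type=3 src=10.0.0.50
2024-05-01T09:00:40 host=WS-WIN8 user=svc_backup type=3 src=10.0.0.50
2024-05-01T09:01:05 host=WS-WIN10 user=svc_backup type=10 src=10.0.0.50
2024-05-01T09:01:30 host=DC01 user=svc_backup type=3 src=10.0.0.50
2024-05-01T09:02:00 host=WS-WIN10 user=alice type=2 src=-
2024-05-01T09:05:00 host=WS-WIN8 user=alice type=10 src=10.0.0.77
2024-05-01T11:30:00 host=DC01 user=alice type=3 src=10.0.0.77
"""

LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"type=(?P<type>\d+) src=(?P<src>\S+)")
# Logon type 3 = network (SMB), type 10 = RemoteInteractive (RDP): the two
# remote-access paths over which the assessment saw credentials reused.
LATERAL_LOGON_TYPES = {"3", "10"}


def parse_events(text):
    """Parse sample lines into (timestamp, host, user, logon_type, src)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"],
                           m["user"], m["type"], m["src"]))
    return events


def find_credential_reuse(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {(user, src): sorted hosts} for accounts that logged on remotely
    to at least min_hosts distinct hosts from one source within one window."""
    by_actor = defaultdict(list)
    for ts, host, user, ltype, src in events:
        if ltype in LATERAL_LOGON_TYPES:  # local/console logons are ignored
            by_actor[(user, src)].append((ts, host))
    hits = {}
    for actor, entries in by_actor.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):  # sliding window per actor
            hosts = {h for ts, h in entries[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                hits[actor] = sorted(hosts)
                break
    return hits
```

In the sample, only the service account fanning out to four hosts in under two minutes is flagged; the interactive user touching two hosts hours apart is not.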

Legacy RDP posture reduced security baselines

High

Legacy systems required weaker negotiation and/or reduced protections, increasing susceptibility to credential-based compromise and expanding attacker options for interactive control.

Recommendations

  • Require Network Level Authentication and current TLS for RDP; isolate or retire hosts that cannot meet that baseline
  • Restrict RDP to designated administrative sources rather than allowing workstation-to-workstation sessions
  • Apply one hardening baseline across all endpoints instead of per-OS exceptions

Overly permissive SMB shares increased sensitive data exposure and execution risk

High

SMB share sprawl exposed user data and increased the likelihood of indirect execution risk when trusted files (scripts/configs) are writable by inappropriate identities.

Recommendations

  • Inventory shares and remove write access for broad groups where it is not required
  • Treat scripts and configuration files on shares as code: limit write access to their owners and monitor changes
  • Block SMB between workstations where no business need exists

Internal web apps relied on trust assumptions that can be abused

Medium

Internal web applications often trust authenticated users and client-side controls. Logic and authorization flaws can allow unauthorized access paths even in “internal-only” deployments.

Recommendations

  • Enforce authorization server-side on every request; do not rely on client-side controls
  • Review access-control and business-logic paths with the same rigor applied to external apps, even for internal-only deployments
  • Keep deliberately vulnerable training apps such as DVWA segmented from production networks

Attack Narrative (Public-safe)

  1. Discovery: services were identified across endpoints and internal web applications.
  2. Trust validation: credential acceptance and share access confirmed identity hygiene issues.
  3. Expansion: reuse of valid credentials enabled access across multiple hosts via SMB/RDP.
  4. Impact: administrative control was achievable without relying on complex exploitation.

Note: specific exploit steps, credentials, and sensitive artifacts are intentionally omitted.