
Network Penetration Testing: External, Internal, and Active Directory Attack Simulation Explained


Pentestas Team

Security Analyst

4/24/2026

Infrastructure Security · Technical Guide · April 2026

Network penetration testing remains one of the most critical assessments an organization can invest in. This guide explains the three core types — external, internal, and Active Directory — the modern attack chains testers simulate, and what your report should contain when the engagement is done right.

💫 Key Takeaways

  • External testing finds what attackers see from the internet; internal testing reveals the blast radius after a breach
  • In 87% of our internal network engagements, we achieve Domain Admin within 48 hours of starting
  • Active Directory attacks like Kerberoasting, AS-REP Roasting, and DCSync are the most common privilege escalation paths in enterprise environments
  • Network segmentation is the single most effective control against lateral movement — and the most commonly misconfigured
  • A network pentest that only runs Nessus and presents the output is a vulnerability scan, not a penetration test
  • Modern network pentests must include VPN, wireless, and remote access testing — the perimeter has fundamentally changed

Network penetration testing is one of the oldest and most established categories of security assessment. It is also one of the most frequently commoditized. Too many organizations receive "network pentest" reports that are little more than Nessus or Qualys scan output reformatted into a PDF. These reports list CVEs by severity, recommend patching, and provide almost no insight into what an attacker could actually accomplish with the vulnerabilities identified.

A genuine network penetration test simulates real attacker behavior. The tester does not just find vulnerabilities — they chain them together, escalate privileges, move laterally through the network, and demonstrate the actual business impact of the weaknesses identified. The difference between a vulnerability scan and a penetration test is the difference between listing unlocked doors and actually walking through them to show what an intruder could steal.

This guide covers the three primary types of network penetration testing: external, internal, and Active Directory focused. We explain what each tests, the attack techniques involved, how they relate to each other, and what a quality engagement should deliver. Whether you are planning your first network pentest or evaluating whether your current provider is delivering real value, this guide will give you the technical foundation to make informed decisions.

Every example and technique described below comes from real engagements we have conducted. The specific details are anonymized, but the attack paths, misconfigurations, and outcomes are representative of what we encounter across industries and organization sizes.


The Three Types

External, Internal, and Active Directory Testing Compared

Each type of network penetration test addresses a different threat scenario and attack surface. Most mature organizations need all three, but understanding their distinct purposes helps you prioritize based on your current risk posture.

| Dimension | External Pentest | Internal Pentest | AD-Focused Pentest |
|---|---|---|---|
| Threat Model | Remote attacker with no internal access | Compromised employee, contractor, or attacker past the perimeter | Attacker targeting identity infrastructure for domain compromise |
| Starting Position | Internet-facing assets only | Network access (plugged into a port or VPN connected) | Domain user credentials (standard employee) |
| Primary Targets | Web apps, VPN gateways, mail servers, DNS, exposed services | Servers, workstations, network devices, databases, file shares | Domain controllers, AD CS, Group Policy, trust relationships |
| Key Techniques | OSINT, port scanning, service exploitation, credential spraying | Network sniffing, relay attacks, credential harvesting, lateral movement | Kerberoasting, AS-REP Roasting, DCSync, delegation abuse |
| Goal | Gain initial foothold into internal network | Demonstrate lateral movement and access to sensitive data | Achieve Domain Admin or Enterprise Admin |
| Typical Duration | 1–2 weeks | 1–2 weeks | 1–2 weeks (often combined with internal) |

These three types are complementary, not alternatives. External testing reveals what an attacker can reach from the internet. Internal testing shows the damage after initial access is achieved. AD-focused testing specifically targets the identity infrastructure that controls access to everything in a Windows enterprise environment. Organizations that only perform external testing are blind to the attack paths that matter most once a single phishing email succeeds.

Attack Methodology

Modern Network Attack Chains: From Initial Access to Domain Compromise

Real attackers do not scan your network and present a list of CVEs. They chain vulnerabilities and misconfigurations together into attack paths that escalate from low-privilege access to full domain compromise. A quality network pentest simulates these chains. Here is the typical progression:

Phase 1: Initial Access. The tester identifies externally exposed services (VPN gateways, web applications, mail servers, RDP endpoints) and attempts to gain a foothold. Common techniques include credential spraying against Office 365 or VPN portals using breached credential databases, exploiting vulnerabilities in unpatched edge devices (VPN concentrators are a frequent entry point), or leveraging exposed management interfaces. In an internal test, this phase is simulated by granting the tester network access as if they were a compromised employee or a plugged-in device.

Phase 2: Discovery and Reconnaissance. Once on the internal network, the tester maps the environment: enumerating Active Directory users, groups, computers, and trusts; identifying network segmentation boundaries (or the lack thereof); discovering file shares, databases, and sensitive services; and locating high-value targets like domain controllers, certificate authorities, and backup servers. Tools like BloodHound map AD relationships to identify the shortest path to Domain Admin before a single exploit is attempted.

Phase 3: Lateral Movement. The tester moves between systems using captured credentials, pass-the-hash attacks, relay attacks (NTLM relay, SMB relay), or by exploiting trust relationships between systems. Misconfigured network segmentation is frequently the difference between an attacker being contained to a single subnet and having free movement across the entire enterprise. Common lateral movement techniques include WMI execution, PsExec, RDP, and SSH with stolen credentials.

Phase 4: Privilege Escalation. The tester escalates from standard user to administrative access. On Windows systems, this frequently involves Active Directory attacks (detailed in the next section), exploiting misconfigured services running as SYSTEM, abusing token privileges, or leveraging Group Policy misconfigurations. On Linux systems, common escalation paths include SUID binaries, sudo misconfigurations, cron job exploitation, and kernel vulnerabilities.

Phase 5: Domain Compromise and Impact Demonstration. The final phase demonstrates the real business impact. The tester achieves Domain Admin, extracts the NTDS.dit database (all domain password hashes), accesses sensitive file shares, databases, and backup systems, and documents what a real attacker could do with this level of access. This is where the report transitions from technical findings to business risk: "with Domain Admin access, an attacker could encrypt every system in the domain with ransomware, exfiltrate all customer data from the SQL Server, and modify financial records in the ERP system."

Why attack chains matter: A vulnerability scan might report "SMB signing not required" as a medium finding. In isolation, it sounds manageable. But in an attack chain, disabled SMB signing enables NTLM relay attacks, which allow the tester to relay captured authentication to a domain controller, which grants Domain Admin. The individual finding is medium; the attack chain it enables is critical. Only manual penetration testing reveals these chains.


Active Directory

Active Directory Attack Techniques Every Organization Should Understand

Active Directory is the identity backbone of virtually every enterprise Windows environment. It controls who can access what, how authentication works, and where trust relationships exist. Because of this centrality, AD is the primary target in nearly every internal penetration test. Here are the most common and impactful AD attack techniques we use in engagements:

Kerberoasting. Any authenticated domain user can request a Kerberos service ticket (TGS) for any service account registered with a Service Principal Name (SPN). The ticket is encrypted with the service account's password hash. The tester extracts this ticket and cracks it offline using tools like Hashcat. Because service accounts frequently have weak passwords and elevated privileges (some are Domain Admin), Kerberoasting is often the fastest path to privilege escalation. We successfully Kerberoast service accounts in approximately 70% of our AD assessments.

AS-REP Roasting. Accounts configured with "Do not require Kerberos preauthentication" allow any user to request an encrypted AS-REP response without authenticating first. This response can be cracked offline to recover the account's password. While less common than Kerberoasting targets, AS-REP Roasting often catches accounts that were misconfigured during legacy migrations or by administrators who did not understand the security implications of the setting.
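Both techniques above leave a footprint in domain controller security logs. As an added example (not from the post or the Pentestas team's tooling), the Python below runs the corresponding detection heuristics over constructed sample records shaped like Windows events 4769 and 4768: a burst of RC4 service-ticket requests for distinct user-account SPNs from a single requester, and TGTs issued without pre-authentication. The field names and sample data are assumptions standing in for parsed event log output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType favoured for offline cracking; AES is 0x11/0x12

# Constructed sample records (not real logs) carrying the 4769/4768 fields the checks use
SAMPLE_EVENTS = [
    # One user pulls RC4 service tickets for several SPN-bearing accounts within seconds
    {"id": 4769, "time": "2026-04-20T09:47:01", "user": "jdoe", "service": "svc_sqlbackup", "etype": "0x17"},
    {"id": 4769, "time": "2026-04-20T09:47:02", "user": "jdoe", "service": "svc_web", "etype": "0x17"},
    {"id": 4769, "time": "2026-04-20T09:47:02", "user": "jdoe", "service": "svc_erp", "etype": "0x17"},
    {"id": 4769, "time": "2026-04-20T09:47:03", "user": "jdoe", "service": "svc_share", "etype": "0x17"},
    # Routine traffic: an AES ticket for a computer account and one legacy RC4 ticket
    {"id": 4769, "time": "2026-04-20T09:48:00", "user": "asmith", "service": "FILESRV01$", "etype": "0x12"},
    {"id": 4769, "time": "2026-04-20T09:49:10", "user": "legacyapp", "service": "svc_print", "etype": "0x17"},
    # TGT requests: one account has pre-authentication disabled (PreAuthType 0)
    {"id": 4768, "time": "2026-04-20T09:50:00", "user": "backup_legacy", "preauth": "0", "etype": "0x17"},
    {"id": 4768, "time": "2026-04-20T09:50:05", "user": "asmith", "preauth": "2", "etype": "0x12"},
]


def detect_kerberoasting(events, threshold=3, window=timedelta(minutes=5)):
    """Flag requesters that obtain RC4 service tickets for at least `threshold`
    distinct user-account SPNs inside `window`. Computer accounts ($) and krbtgt
    are ignored: tickets for them are routine and not what a roaster collects."""
    per_user = defaultdict(list)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user[e["user"]].append((datetime.fromisoformat(e["time"]), svc))
    alerts = []
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            in_window = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                alerts.append({"user": user, "start": t0.isoformat(), "services": sorted(in_window)})
                break  # one alert per requester is enough for triage
    return alerts


def detect_asrep_roasting(events):
    """Return accounts whose TGT (4768) was issued without pre-authentication:
    exactly the accounts an AS-REP Roasting attempt would target."""
    return sorted({e["user"] for e in events if e["id"] == 4768 and e.get("preauth") == "0"})
```

In production the threshold and window need tuning per environment, since monitoring agents and legacy applications can legitimately request several RC4 tickets in a short period.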

DCSync. An attacker with the Replicating Directory Changes and Replicating Directory Changes All permissions (typically held by Domain Admins, Enterprise Admins, and the domain controller machine accounts) can simulate a domain controller replication request and extract all password hashes from the domain, including the krbtgt hash. With the krbtgt hash, the attacker can create Golden Tickets that grant unlimited, persistent access to any resource in the domain.

NTLM Relay Attacks. When NTLM authentication is used (which it frequently is as a fallback even in Kerberos environments), authentication messages can be relayed from a victim to a target server. If SMB signing is not required, LDAP signing is not enforced, or web servers accept NTLM, the tester can relay credentials to gain access to systems the victim is authorized to use. Tools like Responder and ntlmrelayx automate this process.

AD Certificate Services (AD CS) Abuse. Microsoft's Active Directory Certificate Services is a frequently overlooked attack surface. Misconfigured certificate templates can allow a standard user to request a certificate that grants Domain Admin privileges. ESC1 through ESC8 (the eight classes of AD CS misconfiguration identified by SpecterOps) are present in a surprisingly high percentage of enterprise environments. We find exploitable AD CS misconfigurations in roughly 40% of our assessments.

Delegation Abuse. Kerberos delegation (unconstrained, constrained, and resource-based constrained delegation) allows services to impersonate users when accessing other services. Misconfigured delegation settings can allow an attacker who compromises a server with unconstrained delegation to capture the TGT of any user who authenticates to that server — including domain administrators. Resource-based constrained delegation (RBCD) abuse has become a staple technique for privilege escalation from any user who can modify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on a computer object.


Case Study

Enterprise Domain Compromised in 4 Hours

A manufacturing company with 3,200 employees engaged us for a combined internal network and Active Directory penetration test. They had been conducting annual external vulnerability scans for years but had never tested their internal network. Their CISO suspected their AD environment had configuration debt from 15 years of organic growth, acquisitions, and administrator turnover. He was right.

We started the engagement at 9:00 AM on a Monday with a standard domain user account and a laptop plugged into a network port in a conference room. By 1:15 PM the same day — four hours and fifteen minutes later — we had full Domain Admin access and could have deployed ransomware to every system in the domain. Here is the attack chain:

9:00 AM — Reconnaissance. We ran BloodHound to map the AD environment and identify attack paths. Within 30 minutes, BloodHound identified that a service account named svc_sqlbackup had an SPN, was a member of the Server Operators group, and had constrained delegation configured to two domain controllers.

9:45 AM — Kerberoasting. We requested a service ticket for svc_sqlbackup and extracted the encrypted TGS. We loaded it into Hashcat running against a rule-based dictionary. The password cracked in 8 minutes: Summer2019!. The account password had not been changed in six years.

10:30 AM — Lateral Movement. Using the svc_sqlbackup credentials, we connected to the SQL backup server. The service account had local administrator rights on this server. We extracted additional credentials from memory using Mimikatz, including the NTLM hash of an IT administrator who had recently logged in.

11:30 AM — Privilege Escalation. The IT administrator account was a member of the Account Operators group, which had write access to several organizational units containing computer objects. We used resource-based constrained delegation (RBCD) abuse to impersonate a Domain Admin to a domain controller.

1:15 PM — Domain Compromise. With Domain Admin access, we performed a DCSync attack and extracted all 3,200 user password hashes, including the krbtgt hash. We demonstrated the ability to create Golden Tickets for persistent access, access the CEO's email and file shares, read the HR database containing Social Security numbers, and access the ERP system containing financial records. The entire domain was compromised from a single conference room network port in under five hours.

Root causes: This entire attack chain was enabled by three misconfigurations: a service account with a weak password and an SPN (Kerberoasting), excessive group membership that granted server local admin access, and computer objects writable by non-admin accounts (RBCD abuse). None of these would have been detected by an external vulnerability scan or a Nessus scan of the internal network. They required an understanding of Active Directory attack paths and manual exploitation.
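The misconfigurations behind Kerberoasting, AS-REP Roasting, delegation abuse and this case study's root causes can be audited before a tester finds them. This added example (our illustration, not the Pentestas team's tooling) checks constructed directory records for SPNs on user accounts with stale passwords or privileged group membership, the DONT_REQUIRE_PREAUTH flag, unconstrained delegation on non-DC hosts, and computer objects writable by non-admin principals. The record shape and the "writers" summary are assumptions standing in for LDAP output and ACL parsing.

```python
from datetime import date

# userAccountControl bits (Microsoft-documented values)
UF_SERVER_TRUST_ACCOUNT = 0x2000       # set on domain controller computer objects
UF_TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000     # Kerberos pre-authentication not required

HIGH_PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                    "Server Operators", "Account Operators", "Backup Operators"}
# Principals expected to hold write rights on computer objects; anything else is suspect
TRUSTED_WRITERS = {"Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM"}


def audit_object(obj, today, max_pwd_age_days=365):
    """Return (code, detail) findings for one user or computer record."""
    findings = []
    name = obj["sAMAccountName"]
    uac = obj.get("userAccountControl", 0)
    is_computer = name.endswith("$")
    priv = set(obj.get("memberOf", [])) & HIGH_PRIV_GROUPS
    # Kerberoasting: a user account with an SPN hands any domain user a crackable TGS
    if obj.get("servicePrincipalName") and not is_computer:
        age = (today - obj["pwdLastSet"]).days
        if age > max_pwd_age_days:
            findings.append(("KERBEROAST_STALE_PWD", f"{name}: SPN set, password {age} days old"))
        if priv:
            findings.append(("KERBEROAST_PRIVILEGED", f"{name}: SPN set, member of {sorted(priv)}"))
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append(("ASREP_ROAST", f"{name}: pre-authentication disabled"))
    # Unconstrained delegation on anything but a DC lets that host collect users' TGTs
    if uac & UF_TRUSTED_FOR_DELEGATION and not uac & UF_SERVER_TRUST_ACCOUNT:
        findings.append(("UNCONSTRAINED_DELEGATION", f"{name}: TRUSTED_FOR_DELEGATION set"))
    # 'writers' is a constructed summary of who can write the object (from its ACL);
    # a non-admin writer on a computer object is the precondition for RBCD abuse
    untrusted = set(obj.get("writers", [])) - TRUSTED_WRITERS
    if is_computer and untrusted:
        findings.append(("WRITABLE_BY_NONADMIN", f"{name}: writable by {sorted(untrusted)}"))
    return findings


# Constructed sample objects modelled on the case study above (not real directory data)
AUDIT_DATE = date(2026, 4, 20)
SAMPLE_OBJECTS = [
    {"sAMAccountName": "svc_sqlbackup", "servicePrincipalName": ["MSSQLSvc/sqlbk01:1433"],
     "pwdLastSet": date(2019, 3, 1), "memberOf": ["Server Operators"], "userAccountControl": 0x200},
    {"sAMAccountName": "backup_legacy", "pwdLastSet": date(2025, 11, 2), "userAccountControl": 0x200 | 0x400000},
    {"sAMAccountName": "APPSRV03$", "userAccountControl": 0x1000 | 0x80000, "writers": ["Domain Admins"]},
    {"sAMAccountName": "WEBSRV02$", "userAccountControl": 0x1000, "writers": ["Domain Admins", "Account Operators"]},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | 0x80000, "writers": ["Domain Admins", "SYSTEM"]},
    {"sAMAccountName": "asmith", "pwdLastSet": date(2026, 2, 1), "userAccountControl": 0x200},
]


def run_audit(objects=SAMPLE_OBJECTS, today=AUDIT_DATE):
    """Map each object name to its findings; an empty list means nothing was flagged."""
    return {o["sAMAccountName"]: audit_object(o, today) for o in objects}
```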


Extended Scope

Network Segmentation, Wireless, and VPN Testing

Network segmentation validation tests whether VLANs, firewall rules, and access control lists actually prevent lateral movement between network zones. We frequently discover that segmentation exists on paper but not in practice: firewall rules that were "temporarily" opened years ago and never closed, VLANs that share a trunk without proper ACLs, or management networks accessible from user subnets. Segmentation validation involves attempting to cross every documented boundary and verifying that the controls work as designed.

Wireless penetration testing evaluates the security of Wi-Fi networks, including corporate WPA2/WPA3 Enterprise networks, guest networks, and any rogue access points. Testing includes attempting to capture and crack the handshake, testing for evil twin attacks, verifying guest network isolation, and testing whether wireless clients can reach internal resources they should not. In many organizations, the guest Wi-Fi network was configured on the same VLAN as internal servers during initial setup and never properly segmented.

VPN and remote access testing has become critical since the remote work shift. Testing includes credential spraying against VPN portals, testing MFA bypass techniques, evaluating split tunneling configurations, and verifying that VPN-connected devices receive the same network segmentation as on-premises devices. Many organizations grant full network access to VPN users regardless of device posture, creating a path from a compromised personal device directly to internal infrastructure.


Deliverables

What a Network Penetration Test Report Should Include

A quality network penetration test report goes far beyond a list of vulnerabilities. It tells the story of how an attacker would compromise your network, step by step, with evidence at every stage. Here is what you should expect:

Executive summary. A non-technical narrative that communicates risk in business terms. This section should describe the overall security posture, the most critical attack paths discovered, the business impact of a successful compromise, and the top three to five strategic recommendations. This is the section your board and executive team will read.

Attack narrative. A chronological account of the attack chain, from initial reconnaissance through domain compromise. This narrative demonstrates how individual vulnerabilities connect into exploitation paths. It is the most valuable section of the report because it shows the real-world risk that individual vulnerability listings cannot convey.

Detailed findings. Each finding should include: a description, affected systems, severity rating with CVSS score, evidence (screenshots, command output, captured data), the specific technique used (mapped to MITRE ATT&CK where applicable), and detailed remediation guidance. Findings should be organized by attack phase (initial access, lateral movement, privilege escalation, impact) to show how they contribute to the overall attack chain.

Network topology observations. A summary of the network architecture as observed during testing, including segmentation effectiveness, trust relationships, and paths between zones. This helps the infrastructure team understand how the tester moved through the environment and where controls failed.

Remediation roadmap. A prioritized remediation plan that sequences fixes by impact and dependency. Some remediations (like requiring SMB signing everywhere it was exempted) are quick wins that eliminate critical attack paths. Others (like redesigning AD delegation) require planning and change management. The roadmap should help your team sequence the work effectively rather than simply listing everything to fix in severity order.

Ready to Test Your Network Infrastructure?

We conduct external, internal, and Active Directory penetration testing that goes beyond vulnerability scanning. Our testers demonstrate real attack chains, not just CVE lists. Every engagement includes a detailed attack narrative and prioritized remediation roadmap.


Alexander Sverdlov

Founder of Pentestas. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.