Vulnerability Assessment & Penetration Testing

Internal Network Penetration Testing

  • May 10, 2025
  • 0

🏢 Sherlocked Security – Internal Network Penetration Testing

Discover Vulnerabilities Within Your Internal Infrastructure Before Threat Actors Do

📄 1. Statement of Work (SOW)

Service Name: Internal Network Penetration Testing
Client Type: Enterprises, Data Centers, BFSI, Gov, SaaS, IT Infra Providers
Service Model: On-site or Remote VPN-based Assessment
Compliance Coverage: ISO 27001, NIST 800-53, CIS Benchmarks, PCI-DSS, SOC 2
Testing Scope Includes:

  • Workstations, Servers, Active Directory
  • Internal Web Apps, Databases
  • Network Devices, Printers, and IoT
  • VLAN Segmentation, Lateral Movement
  • Credential & Access Abuse

🧠 2. Our Approach

🔹 Credential Harvesting & Privilege Escalation
🔹 Lateral Movement & AD Enumeration
🔹 Exploitable Services & Patch Gaps

[Initial Access] → [Enumeration & Recon] → [Privilege Escalation] → [Lateral Movement] → [Domain Compromise] → [Data Discovery] → [Reporting & Retesting]

🧪 3. Methodology

 

[Kickoff Meeting] → [Network Scanning] → [Host/Service Enumeration] → [Vulnerability Identification] → [Credential Attacks] → [Privilege Escalation] → [Pivoting & Movement] → [Domain Compromise] → [Proof-of-Concept & Report] → [Retest]

📦 4. Deliverables to the Client

  1. ✅ Vulnerability Risk Matrix
  2. 🧾 Statement of Work (SOW)
  3. 📘 Technical Report with:
    • Vulnerability Title
    • Description & Risk (CVSS v3.1)
    • Host/IP & Affected Service
    • Exploitation Proofs (Screenshots)
    • Recommendations + References
  4. 📊 Network Topology & Attack Path Mapping
  5. 🎥 Optional Walkthrough for IT Team
  6. 🧑‍💻 Fix Support via Slack/Teams
  7. 🔁 1 Free Round of Retesting
  8. 🎓 Pen Test Certification (After Patch Verification)

🤝 5. What We Need from You (Client Requirements)

  • ✅ List of in-scope IPs/subnets
  • ✅ VPN or On-site Access
  • ✅ Test credentials (Optional for Gray Box)
  • ✅ Admin account (Optional for white-box testing)
  • ✅ Duration/timings for testing window
  • ✅ IT POC for troubleshooting
  • ✅ Any device/application exceptions

🧰 6. Tools & Technology Stack

  • 🔍 Nmap, NetDiscover, Masscan
  • 🔐 CrackMapExec, Mimikatz, BloodHound
  • 🛠️ Responder, Impacket, Rubeus
  • 🧪 Nessus, OpenVAS, LinPEAS/WinPEAS
  • 🧠 Custom scripts for LLMNR/NBT-NS poisoning
  • 🔧 ADEnum, SharpHound, Kerbrute
  • 💻 Wireshark, ARP spoofing tools
  • 📁 SMB, LDAP, DNS analyzers

🚀 7. Engagement Lifecycle (Lead → Closure)

1. Discovery Call → 2. NDA & SoW → 3. Network Details Received → 4. VPN Setup or Onsite Visit → 5. Testing (5–10 days) → 6. Draft Report → 7. Feedback & Remediation Call → 8. Final Report + Certificate

🌟 8. Why Sherlocked Security? (Our USP)

Feature Sherlocked Advantage
🔐 Real AD Attack Simulation Kerberoasting, NTLM Relay, LLMNR Poisoning
🧪 Custom Payloads Bypass AV/EDR stealthily
📘 Dev + IT Friendly Reports Reproducible PoC + MITRE Mapping
🎯 Lateral Movement Simulation Domain takeover scenarios
🔁 Free Retesting 1 full revalidation round included
🎓 Certification Post remediation validation cert

📚 9. Real-World Case Studies

🔓 LLMNR Poisoning → Domain Admin

Issue: Unhardened internal DNS & Responder vulnerable setup
Impact: NTLM hash relay → Domain Admin credentials capture
Outcome: Hardened DNS & disabled LLMNR/NetBIOS org-wide

🧪 CVE Exploit on Internal Print Server

Vuln: CVE-2021-34527 (PrintNightmare)
Impact: Privilege escalation on multiple Windows servers
Fix: Patch deployment + GPO hardening assisted by Sherlocked

🛡️ 10. SOP – Standard Operating Procedure

  1. Kickoff & Scope Setup
  2. VPN / Onsite Network Access
  3. Network Recon & Asset Identification
  4. Vulnerability Discovery
  5. Credential Testing (SMB/NTLM/LDAP/AD)
  6. Privilege Escalation
  7. Domain Lateral Movement
  8. Data Discovery & PoC
  9. Report Draft + Walkthrough
  10. Fix Support + Retesting + Certification

📋 11. Internal Security Checklist (Preview)

  1. Discover and map all internal assets.
  2. Enumerate open ports and services.
  3. Perform vulnerability scanning.
  4. Attempt privilege escalation on discovered hosts.
  5. Test for SMB, RDP, and other protocol weaknesses.
  6. Analyze password policies and credentials.
  7. Evaluate patch levels and OS configurations.
  8. Identify and exploit unprotected shares or files.
  9. Test for lateral movement possibilities.
  10. Document all accessible and compromised systems.

📬 Contact Us or 📅 Book a Consultation

Bluetooth Low Energy (BLE) Security Testing
Sherlocked Security – Cloud Configuration VAPT (AWS / Azure / GCP)