Network penetration testing means attacking a company's infrastructure the way a real intruder would: scanning for open ports, exploiting weak services, cracking recovered credentials, and moving from one compromised machine to the next until you reach something that matters. It is the oldest branch of penetration testing and still the one that turns a single phished laptop into a domain-wide breach. This guide covers the methodology, tools, and findings that show up in real internal and external network engagements. Work through the same scan-to-domain-admin workflow in HackerDNA's Network Penetration Testing course as you read.
If you already know the basics of penetration testing, network testing is the natural next specialty after web applications. It rewards patience over cleverness: a tester who methodically enumerates every service on every host beats one who jumps straight to Metasploit. This guide breaks down internal versus external testing, the methodology used on real engagements, the tools that matter, and the vulnerabilities that show up in almost every internal network.
TL;DR: Network penetration testing follows reconnaissance, scanning and enumeration, service exploitation, credential attacks, and lateral movement toward domain compromise. Nmap, Metasploit, Responder, and a password cracker handle most of the work. Weak credentials and default protocol trust, not zero-days, are still how most testers reach domain admin.
What Is Network Penetration Testing?
Network penetration testing is a security assessment where a tester attacks an organization's infrastructure, including servers, workstations, firewalls, and Active Directory, to find exploitable weaknesses and demonstrate how far an attacker could get inside the environment. Unlike web application testing, which focuses on a single application, network testing evaluates dozens or hundreds of hosts and the trust relationships between them.
The goal is not just finding one open port running a vulnerable service. A network pentest measures how a single foothold, say a low-privilege shell on one workstation, turns into domain administrator access. That escalation path matters more to a CISO than any individual finding, because it shows the real blast radius of one unpatched laptop or one reused password.
MITRE ATT&CK tracks this escalation as its own tactic category. Lateral Movement (TA0008) alone covers nine distinct techniques, from pass-the-hash to exploiting remote services, which is a good indication of how many ways a tester (or an attacker) can pivot once inside a network. In practice, most internal engagements use two or three of these techniques at most. Credential reuse and protocol-level trust do most of the work; exotic techniques are rarely necessary.
Internal vs External Network Penetration Testing
Every network penetration testing engagement falls into one of two categories, and the assumptions behind each are different enough that mixing them up wastes budget.
External network penetration testing assesses what an attacker can reach from the internet with no prior access: perimeter firewalls, VPN gateways, exposed RDP or SSH endpoints, and any service that got published to a public IP by mistake. Scope here is usually a list of public IP ranges. The realistic threat model is an opportunistic attacker scanning the entire internet for one specific vulnerable service, so external tests spend real time on patch level and exposed-service discovery.
Internal network penetration testing assumes the attacker already has a foothold: plugged into an ethernet port in a conference room, connected over a compromised VPN account, or running as a payload from a successful phishing email. This is the more finding-rich engagement, because internal networks are built with far less hardening than the perimeter. Internal tests focus heavily on Active Directory: privilege escalation paths, Kerberos misconfigurations, and the protocol-level trust that lets one compromised laptop poison traffic for the entire subnet.
In practice, organizations get more value from an internal test first. Perimeter defenses have improved enormously over the past decade, but the assumption that "nobody can get inside" if the firewall holds is exactly the assumption that turns one phished employee into a domain-wide breach.
Network Penetration Testing Methodology
A network engagement follows a consistent methodology regardless of whether it is scoped internal or external. Each stage feeds the next, and skipping enumeration to chase an exploit early is the most common way testers miss the finding that actually matters.
Reconnaissance and Host Discovery
Internal engagements start with host discovery on the connected subnet. An ARP scan or a ping sweep identifies which IPs are alive before you spend time scanning dead addresses. A quick nmap -sn 10.10.10.0/24 or arp-scan --localnet gives you the live host list in seconds. External engagements start with passive reconnaissance instead: WHOIS records, certificate transparency logs, and DNS enumeration to map the attack surface without touching the target directly.
Scanning and Service Enumeration
Once you know which hosts are live, Nmap identifies what is running on each. A full TCP scan with version and default script detection, nmap -sV -sC -p- target, takes longer but catches services on non-standard ports that a top-1000 scan misses. Our Nmap cheat sheet lists the flag combinations worth memorizing for each phase.
Enumeration goes deeper per service. SMB shares get queried with smbclient -L //target/ and enum4linux, revealing share names, null session access, and sometimes usernames outright. Nmap 7.94's SMB scripts (smb-enum-shares, smb-os-discovery) automate much of this. A misconfigured share with "Everyone: Full Control" permissions is one of the most common ways testers find their first foothold.
Exploiting Services and Gaining a Foothold
Exploitation on a network engagement is rarely a zero-day. It is a known CVE against an unpatched service, a default credential nobody changed, or a misconfiguration like anonymous FTP or an exposed NFS share with weak permissions. Metasploit's module database covers most public exploits, and msfvenom generates the payload once you have a working delivery method. Our msfvenom cheat sheet documents the payload syntax for common platforms.
The CISA Known Exploited Vulnerabilities Catalog is worth checking before an engagement. It lists vulnerabilities confirmed as actively exploited in the wild, and internal networks frequently run services matching entries that have had a patch available for months or years. Study the boring, common flaws first. They are what gets exploited in practice, not the exotic ones.
Credential Attacks and Lateral Movement
Once a tester has one foothold, credentials become the fastest path to more access. Windows networks that still have LLMNR and NBT-NS enabled will happily answer any host that claims to be the resource being searched for. A tool like Responder listens passively and captures NTLMv2 hashes from every workstation that mistypes a share name or has a misconfigured proxy setting, no exploitation required.
Captured hashes get cracked offline rather than online, since offline cracking generates no failed-login noise and runs at whatever speed your hardware supports. Our hash cracking tutorial and walkthrough on how to use John the Ripper cover the workflow from captured hash to cleartext password. In practice, a password policy that allows an eight-character minimum still yields cracked passwords within hours against a modern GPU, because users reuse patterns like a season and a year.
With one set of valid credentials, the Impacket suite (psexec.py, wmiexec.py, secretsdump.py) lets a tester execute commands and dump credentials on any host where those credentials have local admin rights. Chaining this across a network, credential dump on host A reveals a service account with admin on host B, is how a single low-privilege foothold becomes domain admin within a single engagement day. Pivoting tools like Chisel or proxychains extend this reach into network segments that are not directly routable from the tester's machine.
Common Vulnerabilities Found in Network Assessments
After running internal assessments repeatedly, the same handful of issues account for most critical findings.
- LLMNR/NBT-NS poisoning: legacy name resolution protocols enabled by default on Windows, letting any host on the network capture credentials from broadcast requests.
- Weak or reused credentials: service accounts with passwords that never expire, and the same local administrator password reused across every workstation from a single imaging process.
- Unpatched, internet-facing-grade services running internally: SMBv1 still enabled, outdated web servers, and management interfaces (like printer or hypervisor consoles) left on default credentials.
- Excessive Active Directory privileges: service accounts kerberoastable and configured with domain admin rights they do not need, turning a single cracked service account password into full domain compromise.
Kerberoasting deserves a specific mention because it needs no exploit at all. Any authenticated domain user can request a service ticket for any account with a registered Service Principal Name, and that ticket is encrypted with the service account's password hash. Request tickets for every SPN in the domain, crack them offline, and a weak service account password becomes a valid set of domain credentials without ever touching an exploit or triggering an alert tied to failed logins.
Essential Network Penetration Testing Tools
A short toolset covers the majority of network engagement work. You need depth with these more than breadth across dozens of tools.
- Nmap handles host discovery, port scanning, and service enumeration. It is the first tool run on every engagement, internal or external.
- Metasploit and msfvenom provide a searchable exploit database and payload generation for delivering shells once a vulnerable service is confirmed.
- Responder captures NTLM hashes passively by answering LLMNR, NBT-NS, and mDNS broadcast requests before the legitimate server does.
- Impacket is a Python toolkit for executing commands, dumping credentials, and performing Kerberos attacks once you hold valid credentials.
- Hashcat and John the Ripper crack the password hashes recovered along the way, with Hashcat winning on GPU-accelerated speed.
- Chisel and proxychains tunnel traffic into network segments the tester's machine cannot route to directly, extending reach after the first pivot.
Skip the temptation to run every Metasploit auxiliary scanner against every host. It generates enormous log noise and rarely beats a targeted Nmap script plus manual enumeration. Save Metasploit for confirmed, specific exploitation, not blind scanning.
Network Penetration Testing Certifications
Three certifications validate network testing skill specifically, each at a different depth.
OSCP (Offensive Security Certified Professional) remains the most recognized entry point. Its 24-hour practical exam compromises a network of machines, not a single application, which makes it directly relevant to this specialty. Our OSCP preparation guide covers how to prepare.
PNPT (Practical Network Penetration Tester) from TCM Security is built around a full internal Active Directory network with a written report requirement, closely mirroring a real client engagement. See our PNPT certification guide for the exam format and cost.
CompTIA PenTest+ covers network testing alongside web and cloud at a broader, more theoretical level, useful as a foundation before a fully practical exam.
My recommendation: if network and Active Directory testing is your specialty, the PNPT tests closer to the actual job than a multiple-choice exam ever could. Pair it with the OSCP once you want the credential that opens the most doors with hiring managers.
Legal and Ethical Considerations
Critical reminder: Always get explicit written authorization before testing any network you do not own. Unauthorized access to computer systems is a criminal offense under the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and equivalent laws in most countries. Verbal permission is not sufficient. Get a signed scope document that names the IP ranges, hosts, and techniques you are authorized to use.
Stay inside the documented scope at all times. Internal engagements often turn up hosts or subnets that were not part of the original agreement. Document what you find, notify the client, and do not touch it without an updated authorization. Tools like Responder and NTLM relay attacks are especially easy to run beyond scope by accident, since they capture traffic passively from the entire broadcast domain rather than a single targeted host.
For safe, legal practice, HackerDNA's labs give you a corporate network built for exploitation, without the legal exposure of running these techniques against a real environment. The NIST SP 800-115 testing framework is a useful reference once you move from lab practice to a formal, scoped engagement.
Your Next Steps
Network penetration testing rewards the tester who enumerates thoroughly before reaching for an exploit. The methodology stays the same across engagements: discover hosts, enumerate services, gain a foothold, capture and crack credentials, then move laterally toward the systems that matter. What changes each time is the specific misconfiguration that gets you there.
Start with the Internal lab to practice enumeration and lateral movement against a live corporate network, then work through HackerDNA's full Network Penetration Testing course for the complete scan-to-domain-admin workflow with Nmap, Metasploit, Responder, and Chisel. If you want the full multi-stage chain from web foothold to root, the Hack the Box lab is one of the most popular challenges on the platform.
HackerDNA's free tier gives you browser-based labs with no credit card and no VPN setup. Open a browser, pick a lab, and start scanning.
Part of the Penetration Testing series
Related articles: