The digital perimeter is increasingly porous. The question is no longer "How do we keep them out?" but "What can they do once they are in?"
Modern security leadership must operate under the philosophy of "Assumed Breach." Whether via a successful phishing campaign, a compromised third-party laptop, or a rogue insider, an adversary will eventually find a foothold.
At Mongoose, our Internal Network Penetration Testing focuses on the "Soft Centre": identifying and neutralising the paths an attacker uses to escalate privileges and achieve total domain dominance.
Case Study: From a Standard Workstation to Full Domain Takeover
Many organisations possess a hard outer shell but a flat internal network with over-privileged identity services. During a recent engagement for a UK enterprise, we demonstrated the impact of a single compromised workstation:
Starting with the permissions of a standard, non-privileged employee, we audited the internal Active Directory Certificate Services (AD CS). We identified a misconfigured certificate template (ESC1) that allowed any domain user to request a certificate with an arbitrary Subject Alternative Name (SAN). By requesting a certificate as a Domain Administrator, we were able to authenticate as that user and achieve full domain takeover within two hours of gaining our initial foothold. This proved that even with robust endpoint protection (EDR), a single logical flaw in identity governance can lead to total organisational failure.
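The ESC1 condition in this case study can be checked from the defender's side by reviewing each template's attributes. The following is an added example, not Mongoose's tooling: it assumes template attributes have already been exported from Active Directory into dictionaries, and the `enroll_principals` field, the `LOW_PRIV` set and the sample templates are constructed for illustration.

```python
# Added example: flag certificate templates that meet every ESC1 condition.
# "enroll_principals" is a hypothetical field holding names resolved from the template ACL.
ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {                    # EKUs that allow domain authentication
    "1.3.6.1.5.5.7.3.2",         # Client Authentication
    "1.3.6.1.5.2.3.4",           # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",    # Smart Card Logon
    "2.5.29.37.0",               # Any Purpose
}
LOW_PRIV = {"Domain Users", "Authenticated Users", "Everyone"}  # assumption

def esc1_findings(template):
    """Return the reasons a template is ESC1-exposed, or [] if it is not."""
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    enrollers = set(template.get("enroll_principals", [])) & LOW_PRIV
    checks = [
        (template.get("msPKI-Certificate-Name-Flag", 0) & ENROLLEE_SUPPLIES_SUBJECT,
         "requester supplies the subject/SAN"),
        # A template with no EKU at all is usable for any purpose.
        (not ekus or ekus & AUTH_EKUS, "certificate is valid for authentication"),
        (not (template.get("msPKI-Enrollment-Flag", 0) & PEND_ALL_REQUESTS),
         "no manager approval"),
        (template.get("msPKI-RA-Signature", 0) == 0, "no authorised signature required"),
        (enrollers, "low-privileged enrolment: " + ", ".join(sorted(enrollers))),
    ]
    # ESC1 needs every condition at once; a single control in place breaks the path.
    return [why for ok, why in checks] if all(ok for ok, _ in checks) else []

def audit(templates):
    """Map template name -> findings, for exposed templates only."""
    results = {t["name"]: esc1_findings(t) for t in templates}
    return {name: why for name, why in results.items() if why}

SAMPLE_TEMPLATES = [  # constructed sample data
    {"name": "VPN-User-Auth", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "enroll_principals": ["Domain Users"]},
    {"name": "VPN-User-Auth-Approved", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "enroll_principals": ["Domain Users"]},
    {"name": "WebServer", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"], "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "enroll_principals": ["Web Admins"]},
    {"name": "User", "msPKI-Certificate-Name-Flag": 0x02000000,  # SAN built from AD
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "enroll_principals": ["Domain Users"]},
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_TEMPLATES).items():
        print(name, "->", "; ".join(reasons))
```

Only the first sample template is reported; the other three each have one control in place (manager approval, a non-authentication EKU with restricted enrolment, or a directory-built subject), which is the remediation choice for a flagged template.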
Adversarial Rigour: Why "Identity" is the New Perimeter
Active Directory (AD) is the backbone of the corporate network, making it the primary target for ransomware operators looking to deploy payloads across an entire estate. Our methodology moves beyond simple patch checking to stress-test the logical architecture of your identity governance.
The Intelligence Gap
Automated tools focus on "known-knowns": common software signatures and unpatched services. They are incapable of:
Authentication Coercion:
Exploiting legacy RPC functions to force machines and Domain Controllers to authenticate to our controlled devices.
Kerberos Protocol Exploitation:
Identifying service accounts vulnerable to Kerberoasting or AS-REP Roasting, allowing for offline credential cracking of high-privilege accounts.
AD CS Misconfigurations:
Probing Certificate Services for ESC vulnerabilities that allow for instant privilege escalation and persistence.
The Mongoose Methodology: CREST-Aligned Assurance
Our internal engagements are built upon the CREST framework, incorporating the technical rigour of NIST SP 800-115 and the Penetration Testing Execution Standard (PTES).
Identity Infrastructure Stress Testing
We perform a deep-logic review of your Active Directory configuration to identify the misconfigurations that lead to domain takeover in 80% of audited environments. We audit Group Policies, weak Access Control Lists (ACLs), and service account vulnerabilities that facilitate credential theft.
Lateral Movement & Pivot Analysis
We simulate a persistent adversary to see how far a single compromised workstation can take us. This includes testing for:
NTLM Relaying:
Credential Re-use:
Privilege Escalation & Attack Path Mapping
Our consultants map the logical paths an attacker takes to elevate from a standard user to a high-privileged account. We move you away from "flat" permissions towards an administrative tiering model (Tier 0, 1, 2) that limits the "blast radius" of a single device compromise.
Network Segmentation Validation
We verify whether your VLANs and internal firewall rules actually stop an attacker. By probing the boundaries between user networks, server zones, and restricted environments, we determine whether a compromised peripheral or guest device can communicate with your core production databases.
The Mongoose Difference: From a Standard Workstation to Full Domain Takeover
We provide the technical depth required by IT teams and the strategic clarity needed by stakeholders.
Zero False Positives:
Every attack path we identify is manually verified. We provide clear Proof-of-Concept evidence for every lateral movement step.
Strategic ROI:
We provide a narrative of impact that explains exactly how a single breach leads to total production shutdown, giving you the leverage needed to secure budget for infrastructure hardening.
Actionable Remediation:
Our reports provide the exact technical steps required to enforce the Principle of Least Privilege and secure your internal environment.
Internal Network Testing FAQs
What is the difference between an Internal Pentest and an AD Audit?
Can you perform this testing remotely?
Will testing cause disruption to our internal users?
Why do we need an internal test if our external perimeter is secure?
Ready to see the gaps others are missing?
Don't wait for a real adversary to find the pathway. Contact our team today to discuss a tailored manual assessment for your organisation.










