Penetration testing the internal infrastructure

During penetration testing of the internal infrastructure the focus is on revealing all available network services and components and enumerating them in detail.


Our story

When carrying out penetration tests on the internal infrastructure, we very often encounter the same recurring shortcomings: missing updates (systems and services that are not at their latest stable version with current security patches) and a weak password policy. In the majority of cases, estimated at around 80%, this combination leads to domain administrator privileges being obtained and a complete compromise of the domain.
During an internal test at a financial institution, we were not given even an unprivileged domain account (a normal user) or a machine joined to the domain; the only exceptions created were for our own test equipment connected to the internal network. Overall, the infrastructure was very well secured at the network level. Quite correctly, non-privileged users were denied full access to the server segment of the infrastructure: only selected ports were allowed, e.g. for the web application, and all others were filtered on the firewall.
However, thorough enumeration, which is a key phase of all our tests, found one server that was freely accessible and contained a critical vulnerability allowing system commands to be run remotely. After compromising that machine and extracting the user hashes stored on it (local accounts, logged-in users, and credentials in operating memory), we obtained, among other things, the hash of the local administrator account, still bearing the unchanged default name "Administrator". We then tried to crack the hash with a cracking tool and, in the meantime, used the Pass the Hash technique to check whether the default administrator had the same password on other machines. To our surprise, the same password for this account was in use on several other servers, including the domain controllers. The local administrator on a domain controller is also a domain administrator, i.e. the user with the highest possible permissions, so the consequence was a complete compromise of the entire domain. At the same time, the password hash was successfully cracked by a dictionary attack.
After extracting all user hashes from Active Directory and attempting to crack them with a dictionary attack, we found that nearly 70% of users had weak or easily cracked passwords. Even the passwords of other domain administrators were obtained.
As this shows, a single vulnerable server combined with an insufficiently strict password policy can lead to the complete compromise of an organization's entire domain.
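The two findings in the story above, a local Administrator hash shared across servers and a large share of dictionary-crackable domain passwords, are exactly what a defender can audit for before a tester does. The following Python script is an added example, not AEC's tooling: it implements the NT hash (MD4 over the UTF-16LE password) so that it runs offline without relying on hashlib's often-disabled MD4, checks an inventory of per-host local Administrator hashes for reuse, and measures what fraction of a set of domain account hashes falls to a small dictionary. All host names, account names, passwords and the wordlist are constructed sample data.

```python
import struct
from collections import defaultdict

MASK = 0xFFFFFFFF


def _rotl(v, s):
    return ((v << s) | (v >> (32 - s))) & MASK


def _md4_block(state, block):
    """Process one 64-byte block (RFC 1320 rounds 1-3)."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    # Round 1: F(x, y, z) = (x AND y) OR (NOT x AND z), no additive constant
    for i in range(16):
        s = (3, 7, 11, 19)[i % 4]
        a = _rotl((a + ((b & c) | (~b & d)) + X[i]) & MASK, s)
        a, b, c, d = d, a, b, c
    # Round 2: G(x, y, z) = majority function, constant 0x5A827999
    for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):
        s = (3, 5, 9, 13)[i % 4]
        a = _rotl((a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999) & MASK, s)
        a, b, c, d = d, a, b, c
    # Round 3: H(x, y, z) = x XOR y XOR z, constant 0x6ED9EBA1
    for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
        s = (3, 9, 11, 15)[i % 4]
        a = _rotl((a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1) & MASK, s)
        a, b, c, d = d, a, b, c
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (little-endian padding with the 64-bit bit length)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        state = _md4_block(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), the form stored in the SAM and NTDS.DIT."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed sample data: local Administrator NT hash per host, as a defender
# might export it during a build-image or local-account review.
LOCAL_ADMIN_HASHES = {
    "web01": nt_hash("Summer2019!"),
    "app02": nt_hash("Summer2019!"),
    "dc01": nt_hash("Summer2019!"),
    "file03": nt_hash("x7#Qm!vL2pZr9"),
}

# Constructed sample domain accounts and a deliberately tiny dictionary.
DOMAIN_ACCOUNTS = {
    "jnovak": nt_hash("Password1"),
    "psvoboda": nt_hash("Praha2020"),
    "adm_kdvorak": nt_hash("Summer2019!"),
    "svc_backup": nt_hash("Gq4!t8Lz#wE1mR"),
}
WORDLIST = ["password", "Welcome1", "Password1", "Summer2019!", "Praha2020"]


def shared_local_admins(hashes: dict) -> dict:
    """Return {hash: [hosts]} for every local admin hash used on more than one host."""
    by_hash = defaultdict(list)
    for host, h in hashes.items():
        by_hash[h].append(host)
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}


def dictionary_audit(accounts: dict, wordlist) -> dict:
    """Map each account to the dictionary word matching its NT hash, or None."""
    lookup = {nt_hash(w): w for w in wordlist}  # hash the dictionary once, not per user
    return {user: lookup.get(h) for user, h in accounts.items()}


def weak_ratio(audit: dict) -> float:
    """Fraction of audited accounts whose password was found in the dictionary."""
    return sum(1 for p in audit.values() if p is not None) / len(audit)


if __name__ == "__main__":
    for h, hosts in shared_local_admins(LOCAL_ADMIN_HASHES).items():
        print(f"local Administrator hash {h[:8]}... reused on: {', '.join(hosts)}")
    audit = dictionary_audit(DOMAIN_ACCOUNTS, WORDLIST)
    for user, pw in audit.items():
        print(f"{user:12} {'WEAK: ' + pw if pw else 'not in dictionary'}")
    print(f"weak passwords: {weak_ratio(audit):.0%}")
```

On the constructed data the reuse check reports one hash shared by app02, dc01 and web01 (the pattern that turned a single server compromise into a domain compromise in the story), and the dictionary audit marks three of four domain accounts as weak. Any hash reuse across hosts is a finding in itself: the remedy is a unique local Administrator password per machine (e.g. managed by LAPS), and a dictionary audit like this one, run against an NTDS export with a real wordlist, gives the percentage figure needed to justify a stricter password policy.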

Detailed description

When carrying out internal penetration tests, we primarily rely on the current OSSTMM methodology and the testers' experience with attacks on domain machines, with an emphasis on the following procedures:

Identifying targets, the environment and searching for vulnerabilities 

The initial phase involves recognizing and mapping the individual systems (server types, operating systems, etc.) and services available on the organization's user network. 
This is where we test for security weaknesses related to software bugs, configuration errors, and errors resulting from poor design and service settings.​ 

Identifying active servers, network elements and verifying their security 

This phase involves recognizing active network elements (firewalls, switches, routers, monitoring probes) and checking their security level from the perspective of the organization's overall network design and from the perspective of the systems themselves.
The tests are conducted using automated scanning methods that identify the network structure and the inherent vulnerabilities of individual systems according to the service "fingerprints" obtained. The impact on network security is subsequently assessed according to manufacturers' recommendations and recognized best practices.

An attempt to break into selected identified systems and services - privilege escalation 

Based on the results of the previous phases, the possibilities of escalating the allocated rights and taking full control of the tested systems are identified and verified.
Each test is carried out using various methods, in particular password guessing attacks, misuse of any information found (discovered passwords, scripts), and the use of exploits for the specific vulnerabilities identified.

An attempt to compromise the company's domain 

In this stage, an attempt is made to escalate privileges to the level of a domain administrator; the goal is to compromise the company's internal domain. Both classic and the latest attacker techniques, such as Pass the Hash, LSASS dumping, Kerberoasting, Incognito token impersonation and others, are used at this stage.

Why AEC?

  • We are one of the established Czech security companies, operating successfully on the market for more than 30 years.
  • We have more than 15 years of experience in the field of desktop application security.
  • Our team consists of specialists with experience from hundreds of individual projects.
  • We hold eMAPT, CISSP, OSCP, OSCE, CEH and a number of other certifications.
  • We run our own hacker laboratory for research in a number of areas dealing with the security of various solutions.
  • We listen to our clients and tailor the tests to their needs and time constraints.
  • We follow modern trends in desktop application security.
  • In testing we emphasise a manual approach, which uncovers more flaws, especially in application business logic, than automated tools do.

References

  • SAZKA a.s.
  • ČSOB Stavební spořitelna, a.s.
  • CENTROPOL ENERGY, a.s.
  • Connectronics s.r.o.
  • JUTA a.s.
  • Raiffeisenbank, a.s.
  • Moneta Money Bank
