02 / Network Penetration Testing
Network Penetration Testing
The wall looks solid. We find the door.
Every network looks hardened from the outside. We test it from the inside out — mapping segmentation failures, trust relationships, and the paths that lead from a foothold to full domain compromise. Methodical. Documented. Actionable.
Methodology
How we test.
External Recon
- ASN & IP range enumeration
- DNS brute-force & zone transfer
- Certificate transparency mining
- Shodan / OSINT surface mapping
External Exploitation
- CVE validation on live services
- VPN & remote access testing
- SPF/DKIM/DMARC analysis
- Exposed management interfaces
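The SPF/DKIM/DMARC analysis in the list above comes down to a handful of checks on two TXT records. The script below is an added example written for this page (it is not the firm's tooling) and grades a domain's SPF and DMARC records the way a tester would before attempting to spoof mail: it flags `+all`, a missing or neutral `all` mechanism, more than ten DNS lookups (a permerror, which makes the whole record useless), `p=none`, partial `pct`, and a missing `rua`. The record strings are constructed so the script runs offline; on an engagement you would paste in `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com` output.

```python
"""Grade a domain's SPF and DMARC TXT records for spoofing exposure.

Added example, not the firm's tooling. Works on record strings so it runs
offline; sample records below are constructed, not real DNS data.
"""
import re
from typing import Dict, List, Tuple

# RFC 7208 s4.6.4: each of these terms costs a DNS lookup; more than 10 is a permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> Dict:
    """Extract the 'all' qualifier, lookup count and mechanisms from an SPF record."""
    if not record.lower().startswith("v=spf1"):
        return {"present": False}
    info = {"present": True, "all": None, "lookups": 0, "ptr": False, "mechanisms": []}
    for term in record.split()[1:]:
        t = term.lower()
        if "=" in t:                                  # modifier (redirect=, exp=)
            if t.split("=", 1)[0] in LOOKUP_TERMS:
                info["lookups"] += 1
            continue
        qualifier = "+"                               # default qualifier is pass
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        name = re.split(r"[:/]", t, maxsplit=1)[0]
        if name == "all":
            info["all"] = qualifier
        if name in LOOKUP_TERMS:
            info["lookups"] += 1
        if name == "ptr":
            info["ptr"] = True
        info["mechanisms"].append(qualifier + t)
    return info


def parse_dmarc(record: str) -> Dict:
    """Split a DMARC record into its tags (p, sp, pct, rua, ...)."""
    if not record.lower().replace(" ", "").startswith("v=dmarc1"):
        return {"present": False}
    tags = {"present": True}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    tags.setdefault("pct", "100")                     # RFC 7489 default
    return tags


def assess(spf_record: str, dmarc_record: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one domain's SPF + DMARC pair."""
    findings = []
    spf, dmarc = parse_spf(spf_record), parse_dmarc(dmarc_record)
    if not spf["present"]:
        findings.append(("HIGH", "No SPF record: receivers cannot reject forged envelope senders"))
    else:
        if spf["all"] == "+":
            findings.append(("CRITICAL", "SPF ends in +all: any host on the Internet is authorised"))
        elif spf["all"] in (None, "?"):
            findings.append(("HIGH", "SPF has no -all/~all: unlisted senders get a neutral result"))
        elif spf["all"] == "~":
            findings.append(("LOW", "SPF uses ~all (softfail): only effective if DMARC is enforced"))
        if spf["lookups"] > 10:
            findings.append(("HIGH", f"SPF needs {spf['lookups']} DNS lookups (>10): evaluates to permerror"))
        if spf["ptr"]:
            findings.append(("LOW", "SPF uses the deprecated ptr mechanism"))
    if not dmarc["present"]:
        findings.append(("HIGH", "No DMARC record: SPF/DKIM failures are never enforced or reported"))
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append(("HIGH", "DMARC p=none: monitor only, spoofed mail is still delivered"))
        elif policy == "quarantine":
            findings.append(("MEDIUM", "DMARC p=quarantine: spoofed mail is junked, not rejected"))
        if dmarc["pct"] != "100":
            findings.append(("MEDIUM", f"DMARC pct={dmarc['pct']}: policy covers only part of the mail stream"))
        if "rua" not in dmarc:
            findings.append(("LOW", "DMARC has no rua= address: no aggregate reports of abuse"))
    return findings


# Constructed records for two fictional domains (not real DNS data).
SAMPLES = {
    "weak.example": (
        "v=spf1 include:_spf.google.com include:mailgun.org ip4:203.0.113.0/24 ?all",
        "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    ),
    "hardened.example": (
        "v=spf1 ip4:203.0.113.10 include:_spf.google.com -all",
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example",
    ),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        print(domain)
        for sev, msg in assess(spf, dmarc) or [("INFO", "no issues found")]:
            print(f"  [{sev}] {msg}")
```

The softfail case is rated LOW on purpose: `~all` plus an enforced DMARC `p=reject` still blocks spoofed mail, which is why the two records have to be read together rather than scored in isolation. DKIM is not checked here because selectors are not discoverable from DNS alone; on an engagement they are taken from headers of mail the target actually sent.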
Internal Discovery
- Network segment mapping
- SMB/RPC/LDAP anonymous access
- Service & protocol enumeration
- Default credential testing
Active Directory
- Kerberoasting & AS-REP roasting
- BloodHound attack path analysis
- ACL/ACE abuse
- Delegation attack chains
Lateral Movement
- Pass-the-Hash / Pass-the-Ticket
- NTLM relay (Responder for LLMNR/NBT-NS poisoning, ntlmrelayx for the relay)
- WMI/PSExec/DCOM pivoting
- VLAN hopping & segmentation tests
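NTLM relay against SMB only works when the target does not require message signing, so the step between Responder capturing authentication and pointing ntlmrelayx at a host is sorting the scanned hosts by their signing policy. The script below is an added example for this page (not the firm's tooling, and not part of nmap or Impacket): it parses the normal-output shape of nmap's `smb2-security-mode` and legacy `smb-security-mode` scripts, drops every host that requires signing, and emits the rest as a target list. The scan excerpt is constructed.

```python
"""Sort scanned hosts by SMB signing policy and emit an NTLM relay target list.

Added example, not the firm's tooling and not part of nmap or Impacket.
Input is a constructed excerpt in the shape of
`nmap -p445 --script smb2-security-mode,smb-security-mode -oN scan.txt <range>`.
"""
import re
from typing import Dict, List

HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip>[\d.]+)\)|(?P<bare>[\d.]+))$")
SIGNING_RE = re.compile(r"message[ _]signing:?\s*(?P<state>.+)$", re.IGNORECASE)

# Constructed scan excerpt: a DC (signing required), a finance app server
# (SMB2, signing not required) and a legacy box answering only the SMB1 script.
SAMPLE_SCAN = """\
Nmap scan report for dc01.corp.example (10.10.20.5)
Host is up (0.0011s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for fin-app01.corp.example (10.10.30.21)
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.10.30.22
Host is up (0.0024s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""


def parse_signing(nmap_output: str) -> Dict[str, str]:
    """Map each scanned IP to 'required', 'not_required' or 'disabled'."""
    policy, current = {}, None
    for line in nmap_output.splitlines():
        host = HOST_RE.match(line.strip())
        if host:
            current = host.group("ip") or host.group("bare")
            continue
        sig = SIGNING_RE.search(line)
        if not (sig and current):
            continue
        state = sig.group("state").lower()
        if "not required" in state:          # test this before the plain 'required' case
            policy[current] = "not_required"
        elif "required" in state:
            policy[current] = "required"
        elif "disabled" in state:
            policy[current] = "disabled"
    return policy


def relay_targets(policy: Dict[str, str]) -> List[str]:
    """IPs that accept unsigned SMB sessions: the viable `ntlmrelayx.py -tf` list."""
    return sorted(ip for ip, p in policy.items() if p != "required")


if __name__ == "__main__":
    policy = parse_signing(SAMPLE_SCAN)
    for ip, p in sorted(policy.items()):
        print(f"{ip:<15} {p}")
    print("\n# relay targets (feed to ntlmrelayx -tf):")
    print("\n".join(relay_targets(policy)))
```

Two caveats a tester applies to the resulting list: domain controllers require signing by default and so drop out, which is why the relay in the finding below landed on finance servers rather than the DC; and a captured authentication cannot be relayed back to the host it came from (blocked since MS08-068), so the victim's own address is never a useful target.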
Impact Analysis
- Domain compromise path
- Sensitive data reachability
- Privilege escalation to Domain Admin
- Persistence mechanism identification
Tooling
What we use.
Nessus Professional
Authenticated and unauthenticated vulnerability scanning across all network hosts.
Metasploit Framework
Exploit framework for vulnerability validation and proof-of-concept exploitation.
BloodHound + SharpHound
Active Directory attack path mapping and privilege escalation analysis.
Responder + ntlmrelayx
LLMNR/NBT-NS poisoning and NTLM relay attack execution.
CrackMapExec + Impacket
SMB/RPC enumeration, credential testing, and lateral movement.
Nmap + Masscan
Fast port scanning and service fingerprinting across large IP ranges.
Sample findings
What we find.
Representative findings from past engagements. Client details redacted.
CRITICAL
Domain Admin via Kerberoastable Service Account
A SQL service account with a registered SPN used a weak password; its Kerberos service ticket was requested and cracked offline, and the recovered credential led to full domain compromise within 4 hours.
HIGH
SMB Relay — Lateral Movement to Finance VLAN
LLMNR poisoning on the guest WiFi captured NTLMv2 authentication that was relayed over SMB to internal finance servers, crossing the VLAN boundary. SMB relay only succeeds against hosts that do not require message signing.
HIGH
Firewall Rule Permits Direct RDP to Domain Controller
Perimeter rule allowed external RDP to DC on non-standard port. Undetected for 18 months.
MEDIUM
Excessive ACL Delegation — GenericWrite on 40% of AD Objects
Service accounts held GenericWrite over a large share of user objects. GenericWrite lets the holder set a servicePrincipalName on a target user, making that user Kerberoastable (targeted Kerberoasting) and opening an escalation path through whatever privileges the target holds.
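The Active Directory methodology above (Kerberoasting, AS-REP roasting, ACL/ACE abuse) and the first and last findings in this list are all questions you can answer offline from an LDAP export and an ACE list. The script below is an added example for this page, not the firm's tooling and not BloodHound's data model: it rates Kerberoastable accounts by whether they are privileged, still get RC4 tickets and have stale passwords (the `svc_sql` case), lists accounts with preauthentication disabled, finds users a non-privileged principal can write an SPN onto (targeted Kerberoasting), and computes the "share of objects writable by non-privileged principals" metric. Account and ACE records are constructed; field names mirror LDAP attributes but the record shapes are our own, and the reference date and object count are fixed so the output is reproducible.

```python
"""Offline triage of Kerberoast exposure and ACL abuse paths from an AD export.

Added example, not the firm's tooling and not BloodHound's data model. All
records below are constructed; in practice they come from ldapsearch/ldap3
and SharpHound.
"""
from datetime import date
from typing import Dict, List

ETYPE_RC4 = 0x4                     # msDS-SupportedEncryptionTypes bit; absent/0 still allows RC4
UAC_DISABLED, UAC_NO_PREAUTH = 0x0002, 0x400000
PRIVILEGED = {"CORP\\Domain Admins", "CORP\\Enterprise Admins", "CORP\\Administrators"}
WRITE_RIGHTS = {"GenericWrite", "GenericAll", "WriteDacl", "WriteOwner"}
REFERENCE_DATE = date(2024, 6, 1)   # constructed 'today' so results are reproducible
TOTAL_OBJECTS = 10                  # constructed size of the object population behind ACES

# Constructed accounts in a fictional CORP domain.
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "adminCount": 1, "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": "2019-03-04",
     "userAccountControl": 0x10200},
    {"sAMAccountName": "svc_backup", "servicePrincipalName": ["backup/bk01.corp.example"],
     "adminCount": 0, "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": "2024-01-15",
     "userAccountControl": 0x10200},                        # AES only, recent password
    {"sAMAccountName": "svc_legacy", "servicePrincipalName": [], "adminCount": 0,
     "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": "2021-07-09",
     "userAccountControl": 0x410200},                       # DONT_REQ_PREAUTH set
    {"sAMAccountName": "j.doe", "servicePrincipalName": [], "adminCount": 0,
     "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": "2023-11-02", "userAccountControl": 0x200},
    {"sAMAccountName": "krbtgt", "servicePrincipalName": ["kadmin/changepw"], "adminCount": 1,
     "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": "2015-01-01", "userAccountControl": 0x202},
]

# Constructed ACEs: who holds which right over which object.
ACES = [
    {"principal": "CORP\\Domain Admins", "right": "GenericAll", "object": "j.doe", "objectClass": "user"},
    {"principal": "CORP\\Help Desk", "right": "GenericWrite", "object": "j.doe", "objectClass": "user"},
    {"principal": "CORP\\Help Desk", "right": "GenericWrite", "object": "a.lee", "objectClass": "user"},
    {"principal": "CORP\\Help Desk", "right": "GenericWrite", "object": "WS-FIN-07", "objectClass": "computer"},
    {"principal": "CORP\\svc_backup", "right": "WriteProperty", "attribute": "servicePrincipalName",
     "object": "svc_legacy", "objectClass": "user"},
    {"principal": "CORP\\svc_backup", "right": "GenericWrite", "object": "svc_sql", "objectClass": "user"},
]


def rc4_allowed(acct: Dict) -> bool:
    et = acct.get("msDS-SupportedEncryptionTypes", 0)
    return et == 0 or bool(et & ETYPE_RC4)


def kerberoastable(accounts: List[Dict], today: date) -> List[Dict]:
    """Enabled accounts with an SPN, rated by how bad a cracked service ticket would be."""
    out = []
    for a in accounts:
        if not a["servicePrincipalName"] or a["sAMAccountName"] == "krbtgt":
            continue                             # krbtgt has an SPN but is not roastable
        if a["userAccountControl"] & UAC_DISABLED:
            continue
        age = (today - date.fromisoformat(a["pwdLastSet"])).days
        reasons = []
        if a["adminCount"] == 1:
            reasons.append("privileged (adminCount=1)")
        if rc4_allowed(a):
            reasons.append("RC4 ticket (fast to crack offline)")
        if age > 365:
            reasons.append(f"password {age} days old")
        sev = "CRITICAL" if (a["adminCount"] == 1 and rc4_allowed(a)) else ("HIGH" if reasons else "MEDIUM")
        out.append({"account": a["sAMAccountName"], "severity": sev, "reasons": reasons})
    return out


def asrep_roastable(accounts: List[Dict]) -> List[str]:
    """Enabled accounts with 'Do not require Kerberos preauthentication' set."""
    return [a["sAMAccountName"] for a in accounts
            if (a["userAccountControl"] & UAC_NO_PREAUTH) and not (a["userAccountControl"] & UAC_DISABLED)]


def targeted_kerberoast_candidates(aces: List[Dict], accounts: List[Dict]) -> List[Dict]:
    """Users a non-privileged principal can write an SPN onto, making them roastable."""
    has_spn = {a["sAMAccountName"] for a in accounts if a["servicePrincipalName"]}
    out = []
    for ace in aces:
        if ace["principal"] in PRIVILEGED or ace["objectClass"] != "user":
            continue
        can_set_spn = ace["right"] in ("GenericWrite", "GenericAll") or (
            ace["right"] == "WriteProperty" and ace.get("attribute") == "servicePrincipalName")
        if can_set_spn and ace["object"] not in has_spn:   # already has an SPN: plain Kerberoast instead
            out.append({"principal": ace["principal"], "target": ace["object"], "via": ace["right"]})
    return out


def write_coverage(aces: List[Dict], total_objects: int) -> float:
    """Fraction of objects over which a non-privileged principal holds a write right."""
    writable = {ace["object"] for ace in aces
                if ace["right"] in WRITE_RIGHTS and ace["principal"] not in PRIVILEGED}
    return len(writable) / total_objects


if __name__ == "__main__":
    for k in kerberoastable(ACCOUNTS, REFERENCE_DATE):
        print(f"[{k['severity']}] Kerberoastable: {k['account']} {k['reasons']}")
    print("AS-REP roastable:", asrep_roastable(ACCOUNTS))
    for c in targeted_kerberoast_candidates(ACES, ACCOUNTS):
        print(f"[HIGH] {c['principal']} can add an SPN to {c['target']} via {c['via']}")
    print(f"Non-privileged write rights cover {write_coverage(ACES, TOTAL_OBJECTS):.0%} of objects")
```

The severity logic encodes the lesson of the first finding: an SPN on a privileged account that still receives RC4 tickets is the worst case because the ticket is cheap to crack and the reward is the domain. An AES-only service account with a recent, long password is still Kerberoastable but a much weaker finding, which is why `svc_backup` comes out MEDIUM. The GenericWrite-on-`svc_sql` ACE is deliberately not listed as a targeted-Kerberoast candidate: that account already has an SPN, so the ACE is an escalation path of its own kind and belongs in the ACL/ACE abuse section of the report rather than here.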
Pricing
Engagement tiers.
Essentials
$3,000 – $8,000
SMB / External only
- External perimeter testing
- Open port & service enumeration
- CVE validation on live services
- Executive summary + findings
- 30-day retest on Critical/High
External scope only. No VPN needed.
Standard
$15,000 – $30,000
Mid-market / Full scope
- External + internal testing
- Active Directory assessment
- Network segmentation testing
- Lateral movement simulation
- Compliance-ready report
Full manual methodology. Most common.
Enterprise
$30,000 – $75,000+
Large org / Complex AD / Multi-site
- Multi-site external + internal
- Full AD attack path via BloodHound
- Assumed breach scenario
- Purple team debrief session
- Executive + technical package
Scoped per engagement.
FAQ
Common questions.
Do you need on-site access?
No. Internal testing works over VPN with a pivot host. On-site is available if preferred.
How disruptive is active testing?
We test carefully and coordinate on testing windows. DoS-style testing is out of scope unless explicitly requested.
What access do you need?
Signed SOW, RoE, and auth letter. For internal: VPN creds or a jump host, plus a low-privilege domain user account.
What if you find something critical?
We stop and call you. Critical findings are never held for the final report — immediate escalation, every time.