Internal Penetration Testing Methodology

How Internal Pentests Work

Eight phases, from plugging in a device to handing you the report.

Sherlock Forensics conducts internal penetration tests using ShadowTap, a pre-configured device shipped to your office. The methodology follows eight phases: device deployment, passive network reconnaissance, identity assessment, covert tunnel establishment, active testing with AD enumeration and service scanning, lateral movement, data exfiltration simulation and comprehensive reporting. ShadowTap simulates physical access attacks more realistically than VPN-based testing because it must discover the network, harvest credentials and establish covert channels just like a real attacker. Internal testing is included in the Comprehensive Security Assessment at $12,000 CAD.

Phase 1

Device Deployment

Pre-Configuration

ShadowTap is configured for your specific engagement before shipping. Tunnel endpoints are set, testing scope parameters are loaded and rules of engagement are programmed into the device. No client-side software installation or IT configuration is required.

Shipping and Placement

The device ships via tracked courier to your designated contact. Upon arrival, your team plugs it into any available network port in the agreed-upon location. Common placements include general office areas, server rooms and branch office locations. Each placement simulates a different physical access scenario.

What This Tests

The moment ShadowTap connects, the test begins. Does your network access control (NAC, typically 802.1X) reject a device that cannot authenticate? Does switch port security reject the unknown MAC address? Does your network detection system alert on a new device appearing on the segment? If ShadowTap gets an IP address and network access without any alert firing, that is your first finding. It also tells you how much a MAC-only allow list is worth: an attacker who clones the MAC address of a printer on the same port gets the same result, so the DHCP server and switch logs should be watched for known addresses that suddenly behave like something else.
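As an added example (not Sherlock Forensics code), the following script is the kind of check a blue team can run against the DHCP server's log to answer the question above after the fact: it flags leases granted to MAC addresses missing from the asset inventory, and leases where a known MAC presents an unexpected hostname, which is how a cloned MAC usually surfaces first. The inventory and the ISC dhcpd syslog lines are constructed; the `DHCPACK on <ip> to <mac> (<hostname>) via <iface>` message format is dhcpd's real one.

```python
"""Spot DHCP leases handed to devices missing from the asset inventory.

Added example, not Sherlock Forensics code. The inventory and the ISC dhcpd
syslog lines below are constructed; the message format is dhcpd's real
"DHCPACK on <ip> to <mac> (<hostname>) via <iface>" line.
"""
import re
from dataclasses import dataclass

# Constructed inventory: MAC address -> hostname your CMDB expects (assumption:
# the export is keyed by MAC, which is what DHCP and switch logs report).
INVENTORY = {
    "3c:52:82:aa:10:01": "fin-ws-014",
    "3c:52:82:aa:10:02": "fin-ws-015",
    "00:0c:29:7e:44:d1": "print-2f-east",
}

# Constructed dhcpd log sample. Line 3 is an unknown device getting a lease;
# line 4 is a known MAC that suddenly claims a different hostname.
SAMPLE_LOG = """\
Mar 12 08:01:02 dhcp1 dhcpd[812]: DHCPACK on 10.20.14.31 to 3c:52:82:aa:10:01 (fin-ws-014) via eth1
Mar 12 08:01:09 dhcp1 dhcpd[812]: DHCPACK on 10.20.14.32 to 3c:52:82:aa:10:02 (fin-ws-015) via eth1
Mar 12 08:03:44 dhcp1 dhcpd[812]: DHCPACK on 10.20.14.77 to b8:27:eb:5c:91:02 via eth1
Mar 12 08:04:10 dhcp1 dhcpd[812]: DHCPACK on 10.20.14.19 to 00:0c:29:7e:44:d1 (fin-ws-014) via eth1
Mar 12 08:05:01 dhcp1 dhcpd[812]: DHCPDISCOVER from b8:27:eb:5c:91:02 via eth1
"""

# Only DHCPACK matters: a DISCOVER/REQUEST that never gets an ACK did not join the network.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    severity: str
    ip: str
    mac: str
    reason: str


def check_leases(log_text: str, inventory: dict) -> list:
    """Return one Finding per DHCPACK that an inventory-aware NAC should have stopped."""
    findings = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        mac, host = m["mac"].lower(), m["host"]
        expected = inventory.get(mac)
        if expected is None:
            findings.append(Finding("high", m["ip"], mac,
                                    f"lease granted on {m['iface']} to a MAC not in inventory"))
        elif host != expected:
            # A known MAC with the wrong hostname is how a cloned MAC (used to beat
            # a MAC allow list) usually shows up first.
            findings.append(Finding("medium", m["ip"], mac,
                                    f"known MAC presented hostname {host!r}, inventory says {expected!r}"))
    return findings


if __name__ == "__main__":
    for f in check_leases(SAMPLE_LOG, INVENTORY):
        print(f"[{f.severity}] {f.ip} {f.mac}: {f.reason}")
```

Run against the constructed sample it reports the unknown `b8:27:eb:5c:91:02` as high and the printer's MAC claiming a workstation hostname as medium; the DHCPDISCOVER line is ignored because a discover that never gets an ACK did not get onto the network.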

Phase 2

Passive Network Reconnaissance

Broadcast Sniffing

ShadowTap listens to all broadcast and multicast traffic on the local network segment: ARP announcements, DHCP requests and replies, NetBIOS name queries, mDNS advertisements and SSDP discovery messages. From that traffic alone it builds a map of active hosts: IP and MAC addresses, hostnames, operating-system guesses (from vendor OUIs, DHCP fingerprints and mDNS/NetBIOS service records) and the services those hosts advertise.

ARP and DHCP Analysis

ARP traffic reveals the relationship between IP and MAC addresses on the segment. DHCP exchanges reveal the network configuration: default gateway, DNS servers, domain name, lease times and available address space. This information tells us how the network is structured, which subnets exist and where the critical infrastructure lives.
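To make the ARP and DHCP analysis concrete, here is an added example (not ShadowTap code) that parses the two message formats from raw bytes and builds the host map and network parameters the text describes: ARP frames yield IP-to-MAC pairs, and a DHCP ACK yields the assigned address plus the subnet mask, router, DNS servers, domain name, lease time and server identifier carried in its options. The frames are constructed in memory from made-up addresses so it runs offline; a real run would feed the same parsers from a pcap or raw socket.

```python
"""Build a host map from passively captured ARP and DHCP frames.

Added example, not ShadowTap code. A real run would read frames from a pcap or
raw socket; here they are constructed in memory so the parsers run offline.
All addresses, MACs and the domain name are made up.
"""
import struct
from ipaddress import IPv4Address

DHCP_COOKIE = b"\x63\x82\x53\x63"
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def _ip(b: bytes) -> str:
    return str(IPv4Address(bytes(b)))

def _ip_list(b: bytes) -> list:
    return [_ip(b[i:i + 4]) for i in range(0, len(b), 4)]

def parse_arp(frame: bytes):
    """(sender_ip, sender_mac) from an Ethernet ARP frame, or None if not ARP.
    After the 14-byte Ethernet header: htype(2) ptype(2) hlen(1) plen(1) oper(2)
    sha(6) spa(4) tha(6) tpa(4)."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    return _ip(frame[28:32]), frame[22:28].hex(":")

def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP UDP payload into the fields useful for recon."""
    if len(payload) < 240 or payload[236:240] != DHCP_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    info = {"client_mac": payload[28:28 + hlen].hex(":"),
            "your_ip": _ip(payload[16:20]),      # yiaddr: the address being assigned
            "options": {}}
    opts, i = info["options"], 240
    while i < len(payload) and payload[i] != 255:   # 255 = end of options
        code = payload[i]
        if code == 0:                                # 0 = pad, has no length byte
            i += 1
            continue
        ln = payload[i + 1]
        val = payload[i + 2:i + 2 + ln]
        i += 2 + ln
        if code == 1:
            opts["subnet_mask"] = _ip(val)
        elif code == 3:
            opts["routers"] = _ip_list(val)
        elif code == 6:
            opts["dns"] = _ip_list(val)
        elif code == 15:
            opts["domain"] = val.rstrip(b"\x00").decode()
        elif code == 51:
            opts["lease_seconds"] = struct.unpack("!I", val)[0]
        elif code == 53:
            opts["type"] = DHCP_TYPES.get(val[0], str(val[0]))
        elif code == 54:
            opts["server_id"] = _ip(val)
    return info

def build_host_map(frames) -> tuple:
    """frames: iterable of ("arp", ethernet_frame) or ("dhcp", udp_payload) pairs.
    Returns ({ip: mac}, {network parameters learned from DHCP ACKs})."""
    hosts, network = {}, {}
    for kind, data in frames:
        if kind == "arp":
            hit = parse_arp(data)
            if hit:
                hosts[hit[0]] = hit[1]
        elif kind == "dhcp":
            msg = parse_dhcp(data)
            if msg["options"].get("type") == "ACK":  # only an ACK means a lease was granted
                hosts[msg["your_ip"]] = msg["client_mac"]
                network.update({k: v for k, v in msg["options"].items() if k != "type"})
    return hosts, network

# --- constructed sample frames standing in for a real capture -----------------
def _opt(code: int, val: bytes) -> bytes:
    return bytes([code, len(val)]) + val

def _mk_ack(client_mac: bytes, your_ip: bytes) -> bytes:
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326, 0, 0,
                      b"\0" * 4, your_ip, b"\0" * 4, b"\0" * 4,
                      client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (_opt(53, b"\x05") + _opt(54, bytes([10, 20, 14, 1])) + _opt(51, struct.pack("!I", 86400))
            + _opt(1, bytes([255, 255, 255, 0])) + _opt(3, bytes([10, 20, 14, 1]))
            + _opt(6, bytes([10, 20, 1, 10, 10, 20, 1, 11])) + _opt(15, b"corp.example.local") + b"\xff")
    return hdr + DHCP_COOKIE + opts

def _mk_arp(mac: bytes, ip: bytes) -> bytes:   # gratuitous ARP announcement (tpa == spa)
    return (b"\xff" * 6 + mac + b"\x08\x06"
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, mac, ip, b"\0" * 6, ip))

SAMPLE_FRAMES = [
    ("arp", _mk_arp(bytes.fromhex("3c5282aa1001"), bytes([10, 20, 14, 31]))),
    ("arp", _mk_arp(bytes.fromhex("000c297e44d1"), bytes([10, 20, 14, 19]))),
    ("dhcp", _mk_ack(bytes.fromhex("3c5282aa1002"), bytes([10, 20, 14, 32]))),
]

if __name__ == "__main__":
    hosts, network = build_host_map(SAMPLE_FRAMES)
    print(hosts)
    print(network)
```

The DHCP ACK is worth more than any single ARP frame: one reply from the server names the gateway, the resolvers (which are usually the domain controllers in an AD network) and the domain, which is exactly the "where the critical infrastructure lives" answer the paragraph above refers to.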

No Scanning Traffic

Apart from the link negotiation and DHCP exchange needed to join the segment in Phase 1, ShadowTap sends nothing during passive reconnaissance; it only receives. There is no scan for signature-based detection to match. Behavioral detection systems like Darktrace should still flag the new device, but many environments have too much noise for that to become a meaningful alert. The more reliable signal at this stage is switch and NAC telemetry: a new MAC address on an access port, an 802.1X failure or a DHCP lease to a device that is not in the asset inventory.

Phase 3

Identity Assessment

Credential Harvesting from Traffic

Network traffic often carries credentials in usable forms. NTLM challenge/response exchanges (Net-NTLMv2) expose material that can be cracked offline against a wordlist, or relayed to other hosts where SMB signing is not enforced. By answering LLMNR and NBT-NS name queries for hosts that do not exist (a small amount of active traffic, unlike Phase 2), ShadowTap can capture authentication attempts meant for other systems. Cleartext protocols like FTP, Telnet, HTTP Basic Auth and SNMPv1/v2c community strings are captured directly.

Kerberos Analysis

Kerberos traffic reveals the Active Directory domain structure, service principal names (SPNs) and user account names. Kerberoasting requests service tickets for accounts that have SPNs (any domain credential is enough to ask) and cracks the RC4-encrypted ticket offline to recover the service account's password. AS-REP roasting targets accounts with Kerberos pre-authentication disabled and needs only the username. Neither technique produces failed-logon events. Both do leave ticket-request events (4768 and 4769) on the domain controllers, and a burst of RC4-encrypted service-ticket requests from one host is a common detection signal.

What This Reveals

The identity assessment phase often produces the most impactful findings. Organizations are frequently surprised by the volume of credentials and identity information available on their network to anyone who plugs in a device and listens. This phase directly informs the credential security and network segmentation sections of the final report.

Phase 4

Tunnel Establishment

Multi-Tunnel Strategy

ShadowTap attempts to establish an encrypted tunnel back to our lab using five tunnel types in sequence: SSH reverse tunnels, Cloudflare Zero Trust, Iodine DNS tunnels, ICMP tunnels via ptunnel and JML ICMP timing channels. The device tries each method until one succeeds. Which tunnel works tells us about your egress controls.

Egress Control Testing

If SSH succeeds, your firewall allows outbound TCP to arbitrary Internet hosts, at least on port 22. If only DNS tunneling works, direct egress is blocked but your resolvers forward arbitrary external queries without inspection, which is enough to carry a slow channel. If only ICMP timing works, your network is highly restrictive but ICMP echo to the Internet is still permitted. If nothing works, congratulations: your egress controls stopped a determined attacker. That is rare.

Detection Validation

Tunnel establishment is a critical detection point. An internal device establishing an encrypted channel to an unknown external destination is textbook command-and-control behavior. Your NDR, IDS or SIEM should catch this. Our report documents whether it did, how long detection took and what alert was generated.

Phase 5

Active Testing

Active Directory Enumeration

With network access established, we enumerate the Active Directory environment: domain controllers, organizational units, group policies, trust relationships, user accounts, service accounts, group memberships and delegated permissions. AD misconfigurations are the most common source of privilege escalation paths in enterprise environments.

Service Scanning

We identify all reachable services across the internal network: web servers, databases, file shares, remote desktop services, SSH servers, management interfaces and application servers. Each service is assessed for known vulnerabilities, default credentials, misconfigurations and unnecessary exposure.

Vulnerability Exploitation

Identified vulnerabilities are exploited to demonstrate business impact. This includes unpatched services, SQL injection in internal applications, weak passwords on critical systems, misconfigured permissions on file shares and exposed management interfaces. Every exploitation attempt is documented with CVSS scoring and business context.

Phase 6

Lateral Movement

Credential Reuse

Credentials harvested in earlier phases are used to authenticate to other systems. Pass-the-hash, pass-the-ticket and token impersonation techniques simulate how real attackers move through networks using stolen credentials. Each successful authentication expands the scope of access and is documented as a lateral movement finding.

Privilege Escalation

From each foothold, we attempt to escalate privileges: standard user to local administrator, domain user to domain admin, user account to privileged service account. Common paths include Kerberoasting, unconstrained delegation abuse, Group Policy Preferences (GPP) password extraction, over-permissive read access to LAPS-managed local administrator passwords and misconfigured ACLs on AD objects.
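As an added example serving both the AD enumeration in Phase 5 and the escalation paths just listed (not Sherlock Forensics tooling), the script below decodes `userAccountControl` bits and triages exported account objects for the conditions that make them Kerberoastable, AS-REP roastable or delegation-abusable, and it carries the LDAP filters that pull each candidate set from the directory. The input is a constructed list of dicts shaped like LDAP search results; the assumption is that you export `sAMAccountName`, `userAccountControl`, `servicePrincipalName`, `memberOf`, `msDS-AllowedToDelegateTo` and `primaryGroupID` with ldapsearch or ldap3.

```python
"""Triage exported AD account objects for common privilege-escalation paths.

Added example, not Sherlock Forensics tooling. SAMPLE_OBJECTS is a constructed
list of dicts shaped like LDAP search results (assumption: the export carries
sAMAccountName, userAccountControl, servicePrincipalName, memberOf,
msDS-AllowedToDelegateTo and primaryGroupID).
"""
# userAccountControl bits, as AD stores them.
UAC = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,            # unconstrained delegation
    "DONT_REQ_PREAUTH": 0x400000,                 # AS-REP roastable
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # constrained delegation w/ protocol transition
}
DOMAIN_CONTROLLERS_RID = 516   # primaryGroupID of writable DCs (RODCs use 521)
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND


def uac_flags(value: int) -> list:
    """Decode a userAccountControl integer into flag names."""
    return sorted(name for name, bit in UAC.items() if value & bit)


def ldap_filters() -> dict:
    """Filters that pull each candidate set straight from the directory."""
    return {
        "kerberoastable": f"(&(objectCategory=person)(servicePrincipalName=*)(!(userAccountControl:{BIT_AND}:=2)))",
        "asrep_roastable": f"(&(objectCategory=person)(userAccountControl:{BIT_AND}:={UAC['DONT_REQ_PREAUTH']}))",
        "unconstrained": f"(&(userAccountControl:{BIT_AND}:={UAC['TRUSTED_FOR_DELEGATION']})"
                         f"(!(primaryGroupID={DOMAIN_CONTROLLERS_RID})))",
        "constrained": "(msDS-AllowedToDelegateTo=*)",
    }


def _is_privileged(member_of) -> bool:
    return any(g.startswith(("CN=Domain Admins,", "CN=Enterprise Admins,", "CN=Administrators,"))
               for g in member_of)


def triage(objects) -> list:
    """Return findings as dicts sorted by severity; disabled accounts are ignored."""
    findings = []
    for o in objects:
        uac = int(o.get("userAccountControl", 0))
        if uac & UAC["ACCOUNTDISABLE"]:
            continue
        name, spns = o["sAMAccountName"], o.get("servicePrincipalName", [])
        priv = _is_privileged(o.get("memberOf", []))
        is_dc = o.get("primaryGroupID") == DOMAIN_CONTROLLERS_RID
        machine = name.endswith("$")   # machine passwords are random and 120 chars: not crackable

        def add(sev, issue):
            findings.append({"severity": sev, "account": name, "issue": issue})

        if spns and not machine:
            add("critical" if priv else "high", f"Kerberoastable user account with SPN {spns[0]}")
        if uac & UAC["DONT_REQ_PREAUTH"]:
            add("high", "AS-REP roastable: Kerberos pre-authentication disabled")
        if uac & UAC["TRUSTED_FOR_DELEGATION"] and not is_dc:   # DCs legitimately have this bit
            add("high", "unconstrained delegation on a non-DC principal")
        if o.get("msDS-AllowedToDelegateTo"):
            add("medium", "constrained delegation to " + ", ".join(o["msDS-AllowedToDelegateTo"]))
        if uac & UAC["PASSWD_NOTREQD"]:
            add("high", "PASSWD_NOTREQD set: an empty password is allowed")
        if spns and not machine and uac & UAC["DONT_EXPIRE_PASSWORD"]:
            add("medium", "service account password never expires")
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["account"]))


# Constructed export: one object per condition, plus a disabled account and a DC as controls.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example.local:1433"],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=local"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x410200},
    {"sAMAccountName": "legacy-app", "userAccountControl": 0x80220},
    {"sAMAccountName": "olduser", "userAccountControl": 0x400202},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "primaryGroupID": 516,
     "servicePrincipalName": ["ldap/dc01.corp.example.local"]},
    {"sAMAccountName": "web01$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.example.local"]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_OBJECTS):
        print(f"[{f['severity']}] {f['account']}: {f['issue']}")
```

The two controls matter in practice: a domain controller always carries `TRUSTED_FOR_DELEGATION`, so reporting it as a finding is noise, and a disabled account with pre-authentication off cannot be roasted because the KDC will not issue it a ticket.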

Segmentation Testing

We test whether network segmentation actually prevents lateral movement between zones. Can the general office network reach the server VLAN? Can a compromised workstation access the database subnet? Can a guest network device pivot to the corporate network? Segmentation failures are among the most critical findings in internal assessments.

Phase 7

Data Exfiltration Simulation

Sensitive Data Identification

We identify accessible sensitive data across compromised systems: customer records, financial data, intellectual property, credentials, configuration files and backup archives. We do not exfiltrate actual sensitive data. We document what is accessible, from which systems and with which credentials to demonstrate the business impact of the access achieved.

Exfiltration Path Testing

We test whether data could be extracted through the established tunnel, through alternative channels (email, cloud storage, DNS encoding) or through removable media. Each path is tested and documented. DLP systems, email gateways and cloud access security brokers are validated during this phase.
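The DNS-encoding path above and the Iodine DNS tunnel in Phase 4 rely on the same mechanism, so one added example (not Iodine or Sherlock Forensics code) covers both: it packs a payload into the labels of query names under an attacker-controlled zone, reassembles it on the other side even if queries arrive out of order, and applies the detection heuristic an NDR should apply (many unique subdomains with long labels under one zone). It shows the mechanism, not any tool's actual wire format; the zone name, payload and benign query list are constructed.

```python
"""Carry a payload in DNS query names, recover it, and flag the pattern.

Added example, not Iodine or Sherlock Forensics code: it shows the mechanism
DNS tunnels and DNS-encoded exfiltration share (data in the labels of queries
for an attacker-controlled zone), not any tool's wire format. The zone,
payload and benign query list are constructed.
"""
import base64
from collections import defaultdict

MAX_LABEL = 63    # RFC 1035 label limit
MAX_NAME = 253    # RFC 1035 limit on a name in presentation form
ZONE = "t.example.net"   # assumption: the attacker runs the authoritative server for this zone


def encode_queries(payload: bytes, zone: str, chunk: int = 90) -> list:
    """One query name per chunk: <seq>.<base32 labels>.<zone>.

    Base32 keeps names case-insensitive (resolvers may change case).
    90 bytes -> 144 base32 chars -> 3 labels, well under the 253-char limit.
    """
    names = []
    for seq, off in enumerate(range(0, len(payload), chunk)):
        b32 = base64.b32encode(payload[off:off + chunk]).decode().rstrip("=").lower()
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join([f"{seq:04x}", *labels, zone])
        if len(name) > MAX_NAME:
            raise ValueError("chunk too large for a single query name")
        names.append(name)
    return names


def decode_queries(names, zone: str) -> bytes:
    """Reassemble the payload from the zone's queries, tolerating reordering."""
    chunks = {}
    suffix = "." + zone
    for name in names:
        if not name.lower().endswith(suffix):
            continue
        parts = name.lower()[: -len(suffix)].split(".")
        data = "".join(parts[1:]).upper()
        data += "=" * (-len(data) % 8)           # restore the padding stripped on encode
        chunks[int(parts[0], 16)] = base64.b32decode(data)
    return b"".join(chunks[k] for k in sorted(chunks))


def suspicious_zones(query_names, min_unique=20, min_label_len=32) -> list:
    """Flag zones receiving many unique subdomain queries with long labels.

    Uses the last two labels as the zone, which is crude (it mis-groups
    co.uk-style suffixes) but enough to show the signal the NDR should see.
    """
    per_zone = defaultdict(set)
    for q in query_names:
        labels = q.lower().rstrip(".").split(".")
        if len(labels) >= 3:
            per_zone[".".join(labels[-2:])].add(".".join(labels))
    flagged = []
    for zone, qs in per_zone.items():
        longest = max(len(label) for q in qs for label in q.split(".")[:-2])
        if len(qs) >= min_unique and longest >= min_label_len:
            flagged.append(zone)
    return sorted(flagged)


# Constructed payload: a ~2 KB "customer export" of the kind Phase 7 documents as reachable.
PAYLOAD = b"".join(f"{i:04d},customer{i},card-ending-{(i * 37) % 10000:04d}\n".encode()
                   for i in range(60))
# Constructed benign traffic for comparison: few unique names, short labels.
BENIGN = ["www.example.com"] * 5 + ["mail.example.org", "cdn.example.com", "api.example.org"] * 10

if __name__ == "__main__":
    names = encode_queries(PAYLOAD, ZONE)
    print(len(names), "queries, first:", names[0])
    print("round trip ok:", decode_queries(names, ZONE) == PAYLOAD)
    print("flagged zones:", suspicious_zones(names + BENIGN))
```

Data flows outward purely in the question section, so an internal resolver that forwards everything it cannot answer carries the channel even when no client can reach the Internet directly; real tunnels return data in TXT or NULL answers, which is the inbound half and a second place to look.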

Phase 8

Reporting

Technical Findings

Each vulnerability is documented with CVSS scoring, proof of exploitation, affected systems, business impact assessment and specific remediation steps. Findings are organized by severity and by attack phase so your team can understand both the risk level and the attack narrative.

Detection Assessment

Every testing phase is cross-referenced against your detection systems. What was caught? What was missed? How long did detection take? This section transforms a penetration test into a detection validation exercise, giving you twice the value from a single engagement.

Executive Summary

A non-technical summary written for executive leadership, board members and non-security stakeholders. It covers business risk in plain language, investment recommendations prioritized by impact and a clear assessment of the organization's internal security posture.

Comparison

ShadowTap vs VPN-Based Internal Testing

Factor              ShadowTap                                  VPN-Based
Attack realism      Simulates a physical-access attacker       Simulates an authorized remote user
NAC testing         Tests port security and MAC filtering      Bypasses NAC entirely
Egress testing      Tests egress controls with real tunnels    Uses a pre-authorized VPN connection
Detection testing   Tests the full detection stack             VPN traffic is typically whitelisted
Passive recon       Full broadcast traffic capture             Limited by VPN routing
Setup complexity    Plug in the device, no IT involvement      Requires VPN account provisioning
Cost                Included in Comprehensive ($12,000 CAD)    Similar price, less realistic results

Frequently Asked Questions

Internal Pentest Methodology FAQs

How does an internal penetration test work?
We ship ShadowTap to your office. You plug it into your network. It passively maps your network, harvests credentials from broadcast traffic, establishes an encrypted tunnel back to our lab and then our team conducts full active testing: AD enumeration, service scanning, lateral movement and privilege escalation. You receive a detailed report within five business days of testing completion.
Why is ShadowTap more realistic than VPN-based testing?
VPN-based testing uses a pre-authorized connection that bypasses your perimeter controls, NAC and egress filtering. ShadowTap simulates a physical access attacker: plugging in a rogue device, discovering the network passively, harvesting credentials and establishing covert outbound channels. This is the scenario that matters for organizations concerned about insider threats, physical security breaches and rogue device attacks.
What does the report include?
CVSS-scored findings with business impact, phase-by-phase attack narrative, AD security assessment, credential exposure analysis, segmentation evaluation, lateral movement paths, detection system assessment, remediation roadmap and executive summary. Compliance mapping is available for SOC 2, PCI DSS and other frameworks.
How long does the engagement take?
Active testing runs 3-5 business days after ShadowTap is deployed. Including shipping, tunnel establishment and report writing, total engagement time is 10-15 business days from kickoff to final report. Expedited timelines are available.

Get Tested

Find out what an attacker would find on your internal network.

Internal penetration testing via ShadowTap is included in the Comprehensive Security Assessment at $12,000 CAD. External testing, internal testing, detection validation and full reporting.

Order Comprehensive Assessment

Scope Your Internal Penetration Test

Tell us about your network environment and we will scope an internal assessment. Multi-site deployments, specific compliance requirements and custom objectives are all supported.

Call 604.229.1994
Phone
604.229.1994
Burnaby Office
Burnaby, BC, Canada
Coquitlam Office
Coquitlam, BC, Canada