
Run an Internal Pentest

This guide will help you understand how to configure and run an internal penetration test using NodeZero. It will walk you through the steps to set up the test, define the scope, customize the parameters, and analyze the results to improve your network’s security posture.

What is an Internal Pentest?

A NodeZero Internal Penetration Test is a simulated attack on your organization’s internal network designed to identify vulnerabilities that could be exploited by attackers within your own infrastructure. This test mimics the behavior of a malicious actor attempting to exploit weaknesses in your internal systems, applications, and devices. By performing this test, you can gain insights into potential security gaps before they are discovered and exploited by real-world threats.

Instructions

Follow these steps to run an internal pentest within your network.

1. Access NodeZero Portal

After setting up your NodeZero Host, log in to the NodeZero Portal, open the Pentests menu, and select Pentests from the dropdown.

Dropdown to select NodeZero Pentest screenshot

2. Select Internal Pentest

Click + Run Pentest.

In the Name section, the Template and Name fields are required.

Select Infrastructure Attack Test, then select Internal Pentest.

Internal Pentest Select Infrastructure Attack Surface screenshot

3. Configure internal pentest

3.1 Name the internal pentest

Assign a meaningful name to the Internal Pentest and select an appropriate pentest template.

Naming Conventions

Establish a consistent naming convention to easily identify pentests in your pentest list.

Example Naming Convention: [date]|[location/network]|[NodeZero source]|[scope]

For example, the name 2021-09-01|East-Coast-Bizops|NodeZero|Full indicates that the NodeZero host was placed in the East Coast BizOps network and the scope covered the entire enterprise.

Internal Pentest Naming Convention screenshot

3.2 Select scope

The pentest scope defines the IPs and/or subnets where you want to run the pentest. A broader scope yields more comprehensive results. Unlike traditional vulnerability scanners, NodeZero assesses your environment holistically, using discovered data and context to identify and exploit vulnerabilities, misconfigurations, and poor cybersecurity practices.

  • Configure the following scope options:

Internal Pentest Configure scope screenshot

  • Intelligent scope This option uses the IP of the NodeZero host from which the test is deployed, enumerating and testing the /16 subnet it belongs to. NodeZero then expands into adjacent /23 subnets, continuously identifying and testing nearby assets, and repeats the cycle until no additional devices are detected. How far the test reaches depends on the level of privilege and access NodeZero obtains, either through captured credentials or through permissions you grant.

    Tip

    Great for scenario-based testing - assess what an attacker can view and do from the perspective of your NodeZero host.

  • Add full private IP space: Adds the following IP address range to the scope (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

    • Selecting this option allows NodeZero to enumerate your local network looking for any RFC 1918 address, which should not be publicly routable.
    • RFC 1918 is a standard published by the Internet Engineering Task Force (IETF) that defines private IP address spaces for use in internal networks. These IP addresses are not routable over the public internet, meaning they are used for local communication within private networks.

    Tip

    Ideal for comprehensive coverage – understanding what’s in your infrastructure and prioritizing from an attacker’s viewpoint.

  • Auto-expand scope If selected, NodeZero will automatically include any additional devices it can discover during the test. While NodeZero can be scoped to specific IP addresses, it’s recommended to broaden the scope for better coverage. This approach helps identify potential vulnerabilities across a wider range of devices, improving the overall effectiveness of the test.

  • Included scope The Include section lets you name the specific ranges or systems within your network that the test should focus on. This is useful when you want to target particular assets, such as high-value servers or applications, for in-depth testing. Only the designated parts of your infrastructure are tested; other areas are left untouched.

    Tip

    Example: If your environment uses 192.168.0.1 with a subnet mask of 255.255.255.0, add 192.168.0.0/24 to the Include section.

    Example
    For segmented environments, use comma-separated CIDR notation to cover multiple subnets.
    192.168.0.0/16,172.16.10.0/24,10.0.0.0/8

    In more complex environments, set the scope to include as many subnets as possible. Consult your Network Administrator for a list of subnets in CIDR notation.

  • Excluded scope The exclude section in an internal penetration test allows you to specify areas of your network or systems that should be excluded from testing. This feature is useful when you want to avoid testing sensitive systems, applications, or environments that should not be tested for security reasons, such as production environments or systems with critical data.

    Use this section to specify IPs or subnets that NodeZero should avoid scanning or exploiting. Excluded IPs may still appear in the Out of Scope list in the pentest results if they are discovered during the test. Exclusions require CIDR notation.
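To sanity-check a scope before entering it in the portal, the following added example (written for this guide, not NodeZero's own code) models how the Include, Exclude and "Add full private IP space" options combine. It uses only Python's standard ipaddress module; the hostnames and addresses in it are constructed for illustration, and the way it carves exclusions out of included ranges is this example's own logic, not a description of how NodeZero evaluates scope internally.

```python
"""Scope planner for an internal pentest.

Added example, not NodeZero code: it models the Include, Exclude and
"Add full private IP space" options so a scope can be checked before it is
pasted into the portal. All addresses below are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List

# The three RFC 1918 ranges that "Add full private IP space" puts in scope.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def host_network(ip: str, mask: str) -> str:
    """'192.168.0.1' + '255.255.255.0' -> '192.168.0.0/24' for the Include box."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def parse_cidr_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse the portal's comma-separated CIDR list, e.g. '10.0.0.0/8,172.16.10.0/24'.

    strict=True rejects '192.168.0.1/24' (host bits set) instead of silently
    widening it, so a typo cannot quietly change what gets tested.
    """
    nets = []
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        if "/" not in token:
            raise ValueError(f"{token!r} is not CIDR notation; write {token}/32 for one host")
        nets.append(ipaddress.ip_network(token, strict=True))
    return nets


def cidr_errors(text: str) -> List[str]:
    """Problems with a CIDR list as the portal would see it; empty means it parses."""
    try:
        parse_cidr_list(text)
        return []
    except ValueError as exc:
        return [str(exc)]


def non_private(nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Included ranges not wholly inside RFC 1918 space: usually a typo in an internal test."""
    return [str(n) for n in nets
            if not any(n.version == r.version and n.subnet_of(r) for r in RFC1918)]


class Scope:
    """Include minus Exclude, the way the portal's two boxes combine (IPv4 only here)."""

    def __init__(self, include: str, exclude: str = "", full_private: bool = False):
        nets = parse_cidr_list(include)
        if full_private:
            nets.extend(RFC1918)
        self.include = list(ipaddress.collapse_addresses(nets))
        self.exclude = parse_cidr_list(exclude)

    def in_scope(self, ip: str) -> bool:
        """An excluded address stays out even when an Include range also covers it."""
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in self.exclude):
            return False
        return any(addr in n for n in self.include)

    def effective(self) -> List[str]:
        """The smallest list of CIDRs that equals Include minus Exclude."""
        result = self.include
        for ex in self.exclude:
            remaining = []
            for net in result:
                if ex.subnet_of(net):
                    remaining.extend(net.address_exclude(ex))  # carve the hole out
                elif net.subnet_of(ex):
                    continue                                   # wholly excluded
                else:
                    remaining.append(net)
            result = remaining
        return [str(n) for n in ipaddress.collapse_addresses(result)]


if __name__ == "__main__":
    # Host at 192.168.0.1/255.255.255.0 plus two other segments, minus one
    # fragile box that must not be touched (constructed values).
    include = ",".join([host_network("192.168.0.1", "255.255.255.0"),
                        "172.16.10.0/24", "10.0.0.0/8"])
    scope = Scope(include, exclude="192.168.0.10/32")
    print("include  :", include)
    print("non-RFC1918:", non_private(scope.include) or "none")
    print("effective:", scope.effective())
    for ip in ("192.168.0.5", "192.168.0.10", "172.16.11.1"):
        print(f"{ip:<14} in scope = {scope.in_scope(ip)}")
```

Run it as a script to print the effective scope; the non_private check is the one worth keeping in a pre-run checklist, since a public range in an internal-test Include box is almost always a typo.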

Once you're satisfied with the scope, proceed to the next step.

3.3 Amazon Web Service (AWS) Accounts

Optionally, add AWS accounts here. All cloud resources under these accounts will be treated as in scope.

Internal Pentest Amazon Web Service (AWS) Accounts

3.4 Add open-source intelligence

Optionally add details such as domains, company names, weak password terms, or Git account information.

Internal Pentest Add open-source intelligence screenshot

3.5 Tripwires (Optional)

Not required for Quickstart.

If your organization has purchased Tripwires, enable this option to allow NodeZero to deploy tokens in exploitable assets during the pentest. A maximum of 100 tripwires will be deployed per test.

Internal Pentest Add Tripwires screenshot

3.6 Attack configuration

Choose the specific services and vulnerabilities that NodeZero should enumerate and exploit during the pentest.

Internal Pentest Advanced configuration options screenshot

3.7 Duration

Specify a minimum or maximum duration to provide more time for certain attacks to execute effectively.

Internal Pentest Duration Setting Screenshot

3.8 Runner (Optional)

Not required for Quickstart.

Choose a NodeZero Runner to automatically deploy NodeZero on your Docker host.


3.9 Review config

Once you’ve finalized your pentest selections, confirm your review of all advanced configuration settings by checking the designated box.

Finally, click Run Pentest to initiate the internal pentest.

Review pentest config screenshot

4. Deploy NodeZero

As the pentest provisions, a one-time-use curl script is prepared for deployment on your NodeZero host.

Deploy NodeZero pentest screenshot

Deployment instructions:

  1. Copy the launch script
  2. Execute the script in the shell of your NodeZero host

The script will:

  • Validate the Docker installation.
  • Download the latest NodeZero Docker image.
  • Initiate the pentest.

In the Portal:

  • The pentest status will update from Ready to Running.
  • NodeZero will send an email notification once the internal pentest is completed.

Pentest list screenshot

5. Monitor in Real-Time

Click Real-Time View to track the progress of the pentest, watch identified vulnerabilities, and gain instant feedback on any issues that arise.

6. Review Test Results

After the pentest is complete, review the findings to identify vulnerabilities, misconfigurations, and potential attack vectors.

7. Take Action

Prioritize and address the vulnerabilities identified during the pentest. NodeZero provides recommendations and remediation steps to help you secure your environment.

Additional Options

Inject Credentials

For a more comprehensive test, use Inject Credentials to run the pentest from an authenticated perspective, simulating an attacker who already holds valid credentials. This shows the potential impact of a compromised account beyond what an unauthenticated starting point reveals.


Congratulations, you've completed an internal pentest.

You've successfully completed the step-by-step guide to running an internal pentest with NodeZero. You're now ready to assess and improve the security of your network environments. Continue exploring NodeZero for further guidance and advanced features to stay ahead of potential threats.

