Internal Network Pentesting Using Kali Linux-part 1
Internal Network Scanning Using Kali Linux – A Real-World Professional Guide
In a real corporate environment, hacking does not start with attacking. It starts with understanding the network. Every professional penetration tester first performs internal network scanning to identify systems, services, and security controls.
This blog explains internal network scanning using Kali Linux in a professional, real-world scenario-based approach, while still keeping the explanation simple and beginner-friendly.
⚠️ Legal Disclaimer
This content is strictly for educational and ethical purposes. Perform these techniques only on systems you own or have written permission to test.
Real-World Scenario: Corporate Internal Security Assessment
Imagine a company with 50 employees. Most employees use Windows systems, connected to a single internal network.
The company hires a security team to test whether an attacker who gains internal access (for example, via infected USB, Wi‑Fi access, or insider threat) can discover sensitive systems.
This is where internal network scanning becomes critical.
Lab Requirements (Simulating a Real Office Network)
- Kali Linux – Security tester system
- Windows 7 – Employee workstation (Victim)
- Both systems running simultaneously
Use virtualization tools such as VirtualBox, VMware, or UTM.
Network Mode: Internal Network (or Host-only) keeps the lab isolated from your real LAN; Bridged puts both VMs on the physical network, so use it only on a network you own or are authorised to test.
Professional analogy:
This setup mimics two office computers connected to the same corporate switch.
Why Internal Network Scanning Is Mandatory in Pentesting
A penetration tester never attacks blindly. Before exploitation, three critical questions must be answered:
- Which systems exist inside the network?
- Which systems are currently active?
- Which system provides the best attack surface?
Professional example:
Just like a fire safety officer maps exits before inspection,
a pentester maps systems before exploitation.
This discovery phase is the first step of an Internal Network Penetration Test.
Step 1: Identifying the Network Interface (Kali Linux)
ifconfig
This command lists the network interfaces on Kali Linux together with their IP and MAC addresses (ifconfig comes from the net-tools package; the iproute2 command ip addr show gives the same information).
Common interfaces include:
- eth0 – Wired Ethernet (corporate LAN)
- wlan0 – Wireless network
Real-world relevance:
In an office, using the wrong interface is like testing
the guest Wi‑Fi instead of the employee network.
Step 2: Discovering Devices in the Network
sudo netdiscover -i eth0
Netdiscover sends ARP requests and lists every host that answers. Without a range it walks through the common private address ranges, which can take a long time on a 10.x network; Step 4 narrows it to the actual subnet. Because ARP never crosses a router, this only finds hosts on the same broadcast domain (VLAN) as the Kali system.
It reveals:
- IP address
- MAC address
- Device vendor
Professional scenario:
This is similar to checking which employee systems
are currently logged into the office network.
The vendor column comes from the MAC address prefix (OUI), so it identifies the hardware maker (Dell, HP, Lenovo), not the operating system; in a virtual lab you will see the hypervisor's vendor instead (for example VMware, or PCS Systemtechnik for VirtualBox).
Step 3: Understanding the Network IP Range
10.22.13.0/24 (10.22.13.0 – 10.22.13.255, mask 255.255.255.0)
This is the internal subnet. With this mask, only addresses in this range can reach each other directly; anything else goes through the router (10.22.13.1 in this lab).
- .0 → Network identifier
- .255 → Broadcast address
- .1 to .254 → Hosts
Real-life analogy:
Like knowing which house numbers exist in a company campus.
Step 4: Scanning the Network by Range
sudo netdiscover -i eth0 -r 10.22.13.0/24
The -r option limits the ARP sweep to the subnet you actually use, so it finishes quickly and every address from .1 to .254 is probed once. Hosts that ignore ping still show up here, because any host that talks IP on the segment has to answer ARP.
Professional insight:
Some corporate systems are hardened or firewalled so that they do not answer ping,
yet they still respond to ARP and may still run vulnerable services.
Step 5: Identifying Live Hosts Using Nmap
sudo nmap -sn 10.22.13.0/24
The -sn option skips the port scan and only reports which hosts are up (the wildcard form 10.22.13.* is accepted as well). Run as root on the local Ethernet segment, Nmap does this with ARP requests, exactly like netdiscover; against a remote subnet it falls back to ICMP echo plus probes to TCP ports 80 and 443, so it is not entirely port-free in that case.
Professional scenario:
This is like checking which employee PCs are powered ON.
From this scan, the tester identifies the target system:
Target IP: 10.22.13.22
Step 6: Operating System Identification
Ping-Based OS Fingerprinting
ping 10.22.13.22
The TTL (time to live) in the reply hints at the operating system, because each OS starts packets with its own default value and every router on the path subtracts one. On the same subnet there are no routers in between, so you see the default itself:
- TTL 128 → Windows
- TTL 64 → Linux (and most Unix-like systems)
If there is no reply at all, do not conclude the host is down: the Windows Firewall commonly blocks incoming echo requests, while the ARP sweep above still found the machine.
Professional analogy:
Just like recognizing a company laptop
based on its configuration behavior.
Confirming OS Using TTL Reference
Reference: https://subinsb.com/default-device-ttl-values/
Checking the value against a table of default TTLs (which also covers network equipment, typically starting at 255) keeps the guess honest; treat TTL as a hint and confirm it with Nmap.
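As an added example (not code from the original post), the following shell functions turn the TTL of a ping reply into a probable OS family and hop count. They generalise the two rules above to hosts behind routers: the observed TTL is the OS default minus the number of hops, so rounding up to the next default (64, 128, 255) recovers both. The ping line is constructed sample data, not a real capture.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Infers the probable OS
# family from the TTL in a ping reply. Operating systems start packets with a
# default TTL (64 for Linux/Unix, 128 for Windows, 255 for many network
# devices and some Unix variants); each router on the path subtracts one, so
# the observed value is "default minus hop count". On the same subnet there
# are zero hops, which is why the tutorial sees exactly 128 or 64.

# Usage: ttl_guess <observed_ttl>
# Prints e.g. "Windows (default TTL 128, 2 hops away)".
ttl_guess() {
    local ttl="$1" base family
    case "$ttl" in
        ''|*[!0-9]*) echo "invalid TTL: '$ttl'" >&2; return 1 ;;
    esac
    if [ "$ttl" -gt 255 ]; then
        echo "invalid TTL: '$ttl'" >&2; return 1
    elif [ "$ttl" -le 64 ]; then
        base=64;  family="Linux/Unix"
    elif [ "$ttl" -le 128 ]; then
        base=128; family="Windows"
    else
        base=255; family="Network device/other"
    fi
    echo "$family (default TTL $base, $((base - ttl)) hops away)"
}

# Usage: ttl_from_ping < ping_output
# Extracts the TTL from the first reply line of Linux, macOS or Windows ping
# output (Windows prints "TTL=", the others "ttl=").
ttl_from_ping() {
    sed -n 's/.*[Tt][Tt][Ll]=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Constructed ping reply (not a real capture), in the format Linux ping uses,
# as a Windows host on the same subnet would produce it:
PING_SAMPLE='64 bytes from 10.22.13.22: icmp_seq=1 ttl=128 time=0.412 ms'

ttl_guess "$(printf '%s\n' "$PING_SAMPLE" | ttl_from_ping)"  # Windows (default TTL 128, 0 hops away)
ttl_guess 61   # Linux/Unix (default TTL 64, 3 hops away)
ttl_guess 253  # Network device/other (default TTL 255, 2 hops away)
```

The classification is only a heuristic: an administrator can change the default TTL (net.ipv4.ip_default_ttl on Linux), and a reply that passed through a NAT or proxy carries that device's TTL, not the target's. Use it to prioritise, then confirm with Nmap OS detection.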
OS Detection Using Nmap
sudo nmap -O 10.22.13.22
Nmap sends a series of crafted TCP, UDP and ICMP probes and compares the responses with its fingerprint database to guess the OS and version. This needs root (raw packets) and works best when the target has at least one open and one closed TCP port; otherwise Nmap reports a low-confidence guess or no match at all.
Corporate relevance:
Older Windows versions often indicate
patch management weaknesses.
Step 7: Open Port Scanning (Attack Surface Identification)
Ports represent services. An open port means a service is accessible internally.
Professional analogy:
An unlocked server room door inside an office.
Default Port Scan
nmap 10.22.13.22
Scans the 1,000 most common TCP ports. Run as root this is a SYN scan; as an ordinary user Nmap falls back to a full TCP connect scan.
Complete Port Scan
nmap -p- 10.22.13.22
Scans all 65,535 TCP ports. It is much slower but finds services on non-standard ports (UDP services need a separate -sU scan).
Enterprise relevance:
Developers often expose test services internally.
Service Version Detection
nmap -sV 10.22.13.22
Connects to each open port and matches the banner and responses against Nmap's probe database to report the product and version. Versions are what you later match against known vulnerabilities, so save this output.
Example:
Outdated SMB or FTP services are common attack vectors.
Firewall Detection
nmap -sA 10.22.13.22
An ACK scan never reports ports as open; it only tells you whether a packet filter sits in front of a port. Ports reported as "unfiltered" answered the ACK with a RST (nothing blocked it); ports reported as "filtered" dropped it, which points to a stateful firewall rule.
Corporate scenario:
Firewall misconfigurations are common inside LANs
due to trust assumptions.
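The host sweep in Step 5 and the port scans in Step 7 produce a lot of screen output; in a real assessment you save it with Nmap's grepable format (-oG) and turn it into a host list and port inventory for the next phase. The script below is an added example, not code from the original post: it parses constructed sample data in the -oG format (not a real capture) and assumes 10.22.13.50 is the Kali box's own address. The two nmap command lines in the header comment are the ones that would produce such files in practice.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Helpers that turn nmap's
# grepable output (-oG) from the ping sweep in Step 5 and the port scans in
# Step 7 into a clean host list and port inventory. Every input below is
# constructed sample data in the -oG format, not a real capture; in practice
# you would produce the files with
#   sudo nmap -sn 10.22.13.0/24 -oG sweep.gnmap
#   sudo nmap -sS -sV -p- 10.22.13.22 -oG ports.gnmap

# Usage: live_hosts [own_ip] < sweep.gnmap
# Prints one IP per line for every host nmap marked "Status: Up", skipping
# our own address so the tester does not end up scanning the Kali box.
live_hosts() {
    local self="${1:-}"
    awk -v self="$self" '/^Host:/ && /Status: Up/ { if ($2 != self) print $2 }' |
        sort -t. -k4,4n
}

# Usage: open_ports < ports.gnmap
# Prints "ip port/proto state service [version]" for each entry in a Ports:
# field. Entries have the form port/state/proto/owner/service/rpcinfo/version/
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                list = $i; sub(/^Ports: /, "", list)
                n = split(list, ent, /, /)
                for (j = 1; j <= n; j++) {
                    split(ent[j], f, "/")
                    printf "%s %s/%s %s %s", ip, f[1], f[3], f[2], f[5]
                    if (f[7] != "") printf " %s", f[7]
                    printf "\n"
                }
            }
        }'
}

# Usage: open_ports < ports.gnmap | state_summary
# Counts port states. Many "filtered" ports in a SYN scan mean a firewall is
# dropping probes; "unfiltered" only appears in an ACK scan (-sA) and means
# the ACK reached the host, i.e. no stateful filtering on that port.
state_summary() {
    awk '{ c[$3]++ }
         END { printf "open=%d filtered=%d unfiltered=%d\n",
                      c["open"], c["filtered"], c["unfiltered"] }'
}

# Constructed "nmap -sn 10.22.13.0/24 -oG -" output; 10.22.13.50 is assumed
# to be the Kali box itself.
SWEEP_SAMPLE=$(printf 'Host: 10.22.13.1 ()\tStatus: Up\nHost: 10.22.13.40 ()\tStatus: Up\nHost: 10.22.13.22 ()\tStatus: Up\nHost: 10.22.13.50 ()\tStatus: Up\n')

# Constructed "nmap -sS -sV -p- 10.22.13.22 -oG -" output (one Ports: line).
PORTS_SAMPLE=$(printf '%s\t%s\t%s\n' 'Host: 10.22.13.22 ()' \
  'Ports: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 445/open/tcp//microsoft-ds//Microsoft Windows 7 microsoft-ds/, 3389/filtered/tcp//ms-wbt-server///' \
  'Ignored State: closed (65531)')

echo "== live hosts, excluding ourselves =="
printf '%s\n' "$SWEEP_SAMPLE" | live_hosts 10.22.13.50
echo "== ports on 10.22.13.22 =="
printf '%s\n' "$PORTS_SAMPLE" | open_ports
printf '%s\n' "$PORTS_SAMPLE" | open_ports | state_summary   # open=3 filtered=1 unfiltered=0
```

The host list from live_hosts is the input for the per-host scans (feed it to nmap with -iL), and the port inventory is what you carry into enumeration. Keep the raw .gnmap files as evidence: the report needs to show exactly what was probed and when.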
Step 8: Firewall Bypass Techniques (Basic Awareness)
Fragmented Packet Scan
sudo nmap -f -sV 10.22.13.22
The -f option splits the scan probes into tiny IP fragments (8 bytes of TCP header each) and needs root. Simple packet filters that inspect each fragment on its own may let them through; modern stateful firewalls and IDS reassemble the packet first. Note that fragmentation only affects the raw-packet port scan; the connections that -sV makes to identify versions are ordinary, unfragmented TCP sessions.
SYN Stealth Scan
sudo nmap -sS 10.22.13.22
A SYN ("half-open") scan sends a SYN and, on receiving SYN/ACK, tears the connection down with a RST instead of completing the handshake. The service never sees an established connection, so application logs stay quiet; a firewall or IDS watching the wire still sees every SYN. This is also Nmap's default scan type when run as root.
Decoy IP Technique
sudo nmap -sS -D RND:7 10.22.13.22
Nmap sends each probe from your real address and from seven random spoofed addresses, so the target's logs show eight apparent scanners and an analyst has to work out which one is real. Your own address is still among them, and on a switched LAN every decoy frame carries your MAC address, so this hides you from log reviewers, not from anyone looking at layer 2.
Router IP as Decoy
sudo nmap -sS -D 10.22.13.1 10.22.13.22
Here the single decoy is the gateway's address, which tests whether filtering rules on the target treat traffic that appears to come from the router as trusted. Replies to the decoy probes go to the real gateway, not to you, and spoofing the address of a live device can confuse monitoring, so use this only within your authorised scope.
Conclusion
Internal network scanning is the backbone of ethical hacking. Without proper scanning, exploitation becomes unreliable.
Professional penetration testers rely on accurate discovery, not guesswork.
Next Article: Enumeration, Vulnerability Scanning, Metasploit, and Privilege Escalation in Real Environments.