Tejuino track
Inside Job: How past internal pen tests can highlight vulnerability trends
Internal network penetration tests (IPTs) assess network services and access controls that are maintained by organizations, with a primary objective of accessing critical data. The standard attack path is to compromise accounts or servers, escalate privileges, and find a way to reach the target data. Reviewing the varied success of past engagements can provide actionable guidance for all organizations to prioritize strategies that reduce real risk and highlight successful offensive security techniques. This talk will examine the specifics of three IPT engagements from 2024 and the lessons demonstrated through the individual and collective approaches and successes.
An Energy sector concern evaluating overall data exposure in which poor password policies and management ultimately led to local privilege escalation and the compromise of proprietary data such as blueprints, financial, and customer data.
A Hospitality entity evaluating payment data security, where missing authentication and insecure credential management led ultimately to full control of the Active Directory environment - but only limited data compromise.
A Hospitality organization also evaluating payment data, where poor password policies and management led to account compromise, privilege escalation, and partial data compromise, but full privilege escalation and access to the target data were unsuccessful.