Domain overview
Internal work is rarely about a single exploit. It is about how hosts, services, credentials, protocols and trust assumptions combine into movement paths. This domain is designed to keep that picture coherent.
Related certification context
These certifications are useful orientation points for this domain and are included as context, not as gatekeeping.
- OffSec OSCP+ / PEN-200: Foundational penetration-testing workflow, exploitation discipline and reporting under pressure.
- OffSec OSEP / PEN-300: Advanced internal operations, evasion, pivoting and mature operator tradecraft.
Selected public references
- Nmap Reference Guide: nmap.org/book/man.html
- BloodHound Documentation: bloodhound.specterops.io/
- GitHub · fortra / Impacket: github.com/fortra/impacket
- MITRE ATT&CK: attack.mitre.org/
- NetExec Wiki: netexec.wiki/
Topic index
Introduction
This domain is about internal enterprise work: host and service discovery, trust mapping, credential abuse, lateral movement, pivoting, command infrastructure and evidence capture. The objective is controlled movement with a clear explanation of what enabled it.
Network Pentesting Theory
Network Pentesting Practice
Password Cracking
Offline and online credential recovery, hash handling and validation trade-offs.
Active Directory Pentesting
Trust mapping, authentication abuse and attack-path validation inside Windows estates.
Active Directory Pentesting Quick Reference
Trust mapping, authentication abuse and attack-path validation inside Windows estates.
C2 Frameworks
Operator infrastructure, beacon behaviour and command tradecraft in defended environments.
Thick Client Pentesting
Exploit Pack
Persistence
Mechanisms that retain execution or access after the first foothold, and how to validate them cleanly.
Pivoting & Portforwarding
Movement through constrained network paths, tunnelling choices and access extension logic.
PowerView Quick Reference
Trust mapping, authentication abuse and attack-path validation inside Windows estates.
Cobalt Strike Quick Reference
Operator infrastructure, beacon behaviour and command tradecraft in defended environments.
Quick Reference
Eptp - Pentesting Certification
