How does an attacker know they have gained access to an internal network?

I’ve always wanted to know, how does an attacker (launching at attack from the Internet) know when they have breached a network’s defenses and gained access to a private / internal network?

Would it be as simple as having a GUI or remote desktop configuration and seeing the desktop or GUI of some device on the internal network?

Or would an attacker conduct a network / port scan to verify that they’re seeing all private IP addresses and use that as evidence that they’re on the inside?


Their interface to the compromised host could be a GUI or some type of command-line interface. It all depends on what type of attack they launched. Once they’re in they are usually going to perform some type of discovery to figure out what they have gotten into. Here’s a list of techniques they would use to figure that out.

1 Like

That’s very interesting and more along the lines of what I was thinking. Thanks for sharing

while many other answers here are valid - another one is to just check to see if you’ve landed on a machine with an rfc1918 address

1 Like

That’s what I was thinking too but it seemed like it was maybe too simple

When a machine gets compromised typically the hacker or hacking group will use some exploit or other method to get code execution on the machine. They will then use this code execution to setup a connection to their c2 and give them a shell. One of the more common toolkits for this is cobaltstrike.

Once they have access to the machine they will begin their reconnaissance. A lot of information can be learned solely by native tools. This is called living off the land. Using native binaries and executables lessens the risk of the hackers getting picked up by av edr or other defense tools.

In a normal ad domain a normal non privileged user can get tons of info about the domain, users,computers all natively and without any special rights necessary.

From there they may perform local privilege escalation, credential dumping, kerberosting, bloodhound scans. Once they have the foothold they can take their time, learn, and map their attack.

1 Like

For linux, look at active connections with netstat or ss for src/dest in private address space. Look at network configuration with ifconfig or ip and routing… Look for past logins from private address space with last . Don’t get confused by private local networks like those used by Docker.

1 Like

I guess it depends on how they gained entry into the network. For example, a common way is by connecting via SSH, and it’s very easy to tell if that worked. You’ll either get a message saying that you couldn’t connect, or you’ll see your terminal change to reflect the account you just signed into (e.g. it’d go from “agentbtz@pc ~$” to “user@12.34.567.89 ~$” or whatever)

1 Like

Depends. Usually most companies run Active Directory. So if you pop a box which is joined to a domain and talks to a domain controller, you’re inside.

Usually attackers know what they are targeting and what’s the end goal. They will enumerate first (OSINT) and then proceed with their attacks. So as soon as they compromise a target, they should know what it is, their network position etc.

Otherwise, just try to move laterally. See which internal networks you are connected to, what other hosts can be accessed and reached.

1 Like

If they are leveraging some vulnerable server, it might be dual homed, which would be a good indication of an internal network.

Other ways could include using user credentials to connect to a VPN, which would pretty obviously give access to an internal network.

1 Like

wow… thanks for all!