Internal Network Reconnaissance
The process of discovering and mapping internal network resources, services, and vulnerabilities that aren't accessible from the internet.
Short Definition
Internal network recon is like drawing a map of a building from the inside. Once you're in (or can make a server act for you), you scan to find what's there: other servers, databases, admin panels — anything the company thought was hidden.
Full Definition
Internal network reconnaissance is the process of gathering information about resources within a private network that aren't exposed to the internet. This includes:
What's discovered:
- Active hosts (IP addresses)
- Open ports and services
- Operating systems
- Application versions
- Network topology
- Database servers
- Admin interfaces
- API endpoints
Common techniques:
- Port scanning (testing which ports are open)
- Service enumeration (identifying what's running)
- Banner grabbing (reading version info)
- DNS enumeration (finding hostnames)
Through SSRF: Instead of direct access, attackers make the compromised server do the scanning:
1# Test if internal service exists2for port in [80, 443, 8080, 3306, 5432]:3 response = ssrf_request(f"http://192.168.1.1:{port}")4 if response.status_code == 200:5 print(f"Found service on port {port}")
Why It Matters
- Critical first step in lateral movement
- Reveals attack surface invisible from outside
- Identifies high-value targets (databases, admin panels)
- Enables privilege escalation
- In SSRF context, this happens server-side (harder to detect)
How Attackers Use It
Traditional method (requires network access):
- Compromise one system
- Use it as pivot point
- Scan internal network from there
SSRF-based method (no direct access needed):
- Find SSRF vulnerability
- Iterate through private IP ranges
- Check common ports via SSRF
- Map responses (status codes, timing)
- Identify vulnerable services
Example workflow:
1# Scan common private ranges2192.168.0.0/16310.0.0.0/84172.16.0.0/1256# Test common ports722 (SSH), 3306 (MySQL), 5432 (PostgreSQL)86379 (Redis), 27017 (MongoDB), 9200 (Elasticsearch)98080, 8443, 9090 (web admin panels)
How to Detect or Prevent It
Prevention:
- Segment networks properly
- Implement zero-trust architecture
- Require authentication for all internal services
- Use micro-segmentation
- Disable unnecessary services
- Close unused ports
For SSRF specifically:
- Block private IP ranges in outbound requests
- Implement request whitelisting
- Rate limit outbound requests
- Monitor for scanning patterns
Detection:
- Alert on port scans from unexpected sources
- Monitor for sequential port access patterns
- Track connections to unusual internal IPs
- Log all cross-subnet traffic
- Watch for SSRF indicators (metadata access attempts)
Tools:
- IDS/IPS systems (Suricata, Snort)
- Network monitoring (Zeek, Moloch)
- SIEM correlation rules
Common Misconceptions
- "Internal networks don't need monitoring" - Attackers are already inside
- "Firewall blocks everything" - Not internal-to-internal traffic
- "We'll detect port scans" - SSRF scans look like normal app behavior
- "Private IPs can't be reached" - From outside yes, but SSRF bypasses this
Real-World Example
How Capital One recon happened:
- Initial SSRF found: WAF accepted URLs
- Metadata discovered:
http://169.254.169.254/responded - Credentials extracted: Got IAM role credentials
- S3 enumeration: Used AWS CLI to list buckets
bash1aws s3 ls
- Bucket reconnaissance: Found 700+ buckets
- Data exfiltration: Downloaded sensitive buckets
Semi-Blind SSRF recon: Attacker doesn't see full response, only status codes:
- 200 = Service exists and responding
- 403 = Service exists but access denied
- Timeout = No service on that port
By checking hundreds of ports across IP ranges, attacker maps the internal network even without seeing actual data.
Related Terms
SSRF, Port, Endpoint, Status Code, Bypass