Adding complexity or emulating target environments
At times it may become beneficial to mimic a customer's network in order to perform offline testing prior to the real test. This practice can sometimes let you determine the path of least resistance after some simple enumeration.
Let's take a look at the following network example:
Looking at the diagram, we can determine that there are at least four known subnets, two firewalls, and six machines that fulfill various duties. There are also a web application firewall and an intrusion detection system that is located between 192.168.25.0/24 and 192.168.50.0/24 and the DMZ'd Web1 server. It would not take much discussion to understand what type of shop we are dealing with; let us assume that this client prides itself on using only the latest and greatest in open source, community-driven software. Ideally, we would try to emulate the customer environment as closely as possible to determine if there may be any security controls that...