Low chance/high chance of RCE (remote code execution), or weak passwords.
OSINT and logical guessing are your best friends.
External Pentest
There should be good software/system patching.
There might be alarm systems or other protections in place.
The network facing the outside world is the most vulnerable point.
The chances of RCE (remote code execution) are very low.
Once someone breaks into the network from an external location, there a lot less defense mechanisms.
Weak password policies, weak security, and the lack of multi factor authentication are some of the most common vulnerabilities. If you can get into an email, then the chances are you will be able to get into other things that aren’t protected enough. Sometimes you will see partial multi factor which is not enough. Just finding sensitive information is bad, even if you don’t get onto the network.
There may be web portal logins, but don’t start pen testing a web app. You are looking to get onto the internal network. You can try default credentials or SQLi, but that’s about it.