Dual-homed computer penetration testing


When we perform penetration testing, we can sometimes find computers which are dual-homed (having two network interfaces), exactly like me: I have one IP in 192.168… in my home network and a 10.0… IP on HTB.

Question: how could a penetration tester gain access to both networks, and what should be done for that?
Of course the target computer has strong antivirus and is fully patched… so installing a program is unlikely to happen.

Let's say I do internal penetration testing and I have a 192.168 IP; OK, I can ping the target computer. But I would like, from my computer, to be able to scan the 10.0 network that the target computer also has access to.

I know how to port forward, but in this case it would rather be “interface forward” (eth0, tun0…).
How can this be done?

Thank you.
Disclaimer: I will use this only on targets that give their consent (official penetration testing engagements, not for illegal activities)

I am not sure if I have understood the question properly - so sorry if I have this wrong.

To summarise: you have a machine with an IP on one interface and on another, and you are sitting on one of these networks and would like to scan the other one?

The short, over-simplified answer is that you need to compromise the box first. The layout you describe is often found in DMZ hosts. Unless you have a way to send packets from one subnet to another, you can't scan it. If you can get onto the box, you can use its second interface to scan the new subnet you've discovered.

It is a bit more complicated than that, as there are protocol attacks that muddy the water here. It largely depends on whether you have access to switches or routers. If the "new" subnet is completely isolated from you, other than via the target box, there isn't a lot you can do to see it until you get access to the box.
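From the defender's side, the answer above implies the control that matters: a dual-homed host is only a bridge between the two networks if it can forward or proxy traffic once someone is on it. The script below is an added example, not code from this thread or from any of its participants. It audits a Linux host for that condition by parsing the output of `ip -o -4 addr show` and `sysctl net.ipv4.ip_forward` (both formats are assumed from the standard iproute2/procps tools; the sample output embedded here is constructed, not captured from a real machine) and rates the host: high if it sits on two networks with kernel forwarding enabled, medium if it is dual-homed with forwarding disabled, low otherwise.

```python
import ipaddress
import re

# Constructed sample of `ip -o -4 addr show` output (not a real capture):
# a LAN interface on 192.168.x and a VPN tunnel interface on 10.0.x,
# mirroring the layout described in the question.
SAMPLE_IP_ADDR = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "2: eth0    inet 192.168.1.50/24 brd 192.168.1.255 scope global eth0\\       valid_lft forever preferred_lft forever\n"
    "3: tun0    inet 10.0.5.7/24 scope global tun0\\       valid_lft forever preferred_lft forever\n"
)
# Constructed `sysctl net.ipv4.ip_forward` output for the two states we care about.
SAMPLE_SYSCTL_FORWARDING = "net.ipv4.ip_forward = 1\n"
SAMPLE_SYSCTL_NO_FORWARDING = "net.ipv4.ip_forward = 0\n"

# One `ip -o` line per address: "<idx>: <iface>    inet <cidr> ... scope <scope> ..."
_ADDR_LINE = re.compile(
    r"^\d+:\s+(?P<iface>\S+)\s+inet\s+(?P<cidr>\S+).*?scope\s+(?P<scope>\S+)", re.M
)


def parse_global_networks(ip_addr_output: str) -> dict:
    """Map each non-loopback interface to the IPv4 networks it is attached to."""
    networks = {}
    for m in _ADDR_LINE.finditer(ip_addr_output):
        if m.group("scope") == "host":  # loopback / host-scope addresses are not a network
            continue
        net = ipaddress.ip_interface(m.group("cidr")).network
        networks.setdefault(m.group("iface"), set()).add(net)
    return networks


def parse_ip_forward(sysctl_output: str) -> bool:
    """True when the kernel reports net.ipv4.ip_forward = 1."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_output)
    return bool(m) and m.group(1) == "1"


def audit_host(ip_addr_output: str, sysctl_output: str) -> dict:
    """Rate how usable this host would be as a bridge between its networks."""
    networks = parse_global_networks(ip_addr_output)
    distinct = set().union(*networks.values()) if networks else set()
    dual_homed = len(distinct) >= 2
    forwarding = parse_ip_forward(sysctl_output)
    if dual_homed and forwarding:
        risk = "high"      # kernel will route packets between the two networks
    elif dual_homed:
        risk = "medium"    # no routing, but a compromised host can still proxy at user level
    else:
        risk = "low"
    return {
        "dual_homed": dual_homed,
        "networks": {iface: sorted(str(n) for n in nets) for iface, nets in networks.items()},
        "ip_forward": forwarding,
        "risk": risk,
    }


if __name__ == "__main__":
    for label, sysctl in (("forwarding on", SAMPLE_SYSCTL_FORWARDING),
                          ("forwarding off", SAMPLE_SYSCTL_NO_FORWARDING)):
        print(label, audit_host(SAMPLE_IP_ADDR, sysctl))
```

Note the medium rating even with forwarding disabled: as the answer says, once someone has a foothold on the box, its second interface is reachable from user space regardless of the kernel setting, so the lasting fix is segmentation (the host should not sit on both networks) rather than the sysctl alone. To run the check against a live host, feed it the real command output instead of the constructed samples.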