If you know the internal IP ranges of a company it is easy enough to craft an IP packet to access an internal resource, using the router as a gateway.

Part of a true hackers task (not script kiddies) is what is called "fingerprinting" this is basically gathering information about the intended victim.
One good source for IP owner information is a site like Sam Spade which gives you the ability to queiry registration databases for IP range ownership.

Also get yourself some good books on the subject - Hacking Exposed I find is an excellent source of information.

PS - I am an IT Security Manager for a large company - not a hacker

Golam