External Pentest
Type of External Pentest
The type of external penetration test to be conducted should be clearly defined.
Blackbox External Pentest:
This test is expected to be conducted without any knowledge of the Internet-facing IP addresses, the website, or the web application.
White Box External Pentest:
This test is expected to be conducted with knowledge of the organization's Internet-facing IP addresses, the website, the web application, or some other range of public IP addresses that will be shared with you by the organization.
The type of the external penetration test must be clearly stated in the rules of engagement.
Rules of engagement
The document should be signed, and as a pentester you should have a copy.
Verify scope
Step 1
Step 2
Subdomain Finders
This will help identify a lot of IPs and web applications for scoping and testing purposes.
Using Google Dork
Type in google
site:nameofcompany.com -www
site:nameofcompany.com
site: *.nameofcompany.com
Subdomain tools
AMASS
SubBrute
Knock
DNSRecon
Sublist3r
AltDNS
Axiom
Haktrails
Check out this article on securitytrails to see how to use the above tools
Vuln Scan
To do first thing in the morning
OSINT
Hunting breach credentials
Identifying Emails & Employees
Get info on the naming convention for email (firstname.lastname or else)
Phonebook: find email addresses
Look for the company on LinkedIn, use tools to scrape LinkedIn, and put the names together using the deduced naming convention
We can use Namely to put them together and specify a naming convention that will be applied to the whole list
Enumerating valid accounts
Check login forms or password reset forms for user enumeration
Other useful info
Job postings (information about applications used at the company)
Google dork to find password policy (site:target)
How to check a host OS
Time to Live (TTL)
A typical response from a Windows host will be either 32 or 128. A response of or around 128 is the most common response you will see. This value may not always be exact, especially if you are not in the same layer-three network as the target.
nmap OS Detection Scan
sudo nmap -v -O TARGET-IP
Banner Grab to Enumerate Ports
sudo nmap -v 192.168.86.39 --script banner.nse
Attack login portals
Password strategy: currentSeasonOrMonth+currentYear+aSpecialChar, location, address, company name, ...
O365
Password Spraying
We use the email list from the reconnaissance phase
Good to start with a delay of 15
--delay 15
--no-current-ip
will proxy through each machine, more stealthy
Careful with account lockout: it is good to know the account lockout policy prior to the pentest
Using AWS we can create multiple Ubuntu machines for free
TREVORspray is going to SSH into each machine first (we have to accept the host key fingerprint every time) and then it is going to password spray
TREVORspray will remember which passwords were previously used
OWA (Outlook Web Access)
Password Spraying
Metasploit: scanner module owa_login
set a password
set RHOST (IP address of the target)
set user_file
Check the OWA version to be sure it is the same
Even if the password does not work, we will get a list of valid users
Other portals
Burp Suite Intruder (works better with the Pro version)
Intercept a request and set the variables
Check the error message and add it in the Intruder options (Grep - Match)
Launch intruder
Bypassing MFA
Escalating Access
If we get an email account (Office 365 for instance), we can look for information or credentials in the mailbox
portal.azure.com: if you log in with a user you found, you can find other accounts
Then password spray with the previously found password
Be creative
Common pentest findings
Insufficient Authentication Controls
Bypass MFA
No MFA
Weak Password Policy
Recommend a deny list
Recommend NIST or OWASP guidelines
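Added example, not from the original notes: a Python checker for the policy these two recommendations point to. NIST SP 800-63B asks for a minimum of 8 characters, support for long passwords, and screening against a deny list of compromised, common and context-specific values instead of composition rules; the checker also flags the season-or-month-plus-year pattern noted in the password spraying section, since that is exactly what a deny list should catch. The deny list, the leet-speak substitutions and the context terms are constructed for the example; a real deployment would load a breached-password corpus.

```python
import re

# Constructed deny list of a few very common passwords (not from the notes).
# A real deployment would load a large breached/common-password corpus, which
# is what NIST SP 800-63B calls for instead of composition rules.
DENY_LIST = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

_SEASONS = ("spring", "summer", "autumn", "fall", "winter")
_MONTHS = ("january", "february", "march", "april", "may", "june", "july",
           "august", "september", "october", "november", "december")
# Matches "Summer2024!", "March24#", "Winter2023": season or month, a 2- or
# 4-digit year, then optional trailing symbols.
SEASON_YEAR = re.compile(
    r"^(?:" + "|".join(_SEASONS + _MONTHS) + r")\d{2,4}[^a-z0-9]*$", re.IGNORECASE
)
# Simple leet-speak substitutions so "P@ssw0rd" is compared as "password".
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})


def _normalise(text: str) -> str:
    """Lower-case, undo common substitutions, and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(_LEET))


def check_password(candidate: str, *, context_terms=(), min_length=8, max_length=64):
    """Return the list of policy findings; an empty list means acceptable."""
    findings = []
    if len(candidate) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if len(candidate) > max_length:
        findings.append(f"longer than {max_length} characters")

    # Deny list: strip trailing digits/symbols ("password1!" -> "password") and
    # compare both the raw and the de-leeted form.
    core = re.sub(r"[\d\W_]+$", "", candidate.lower())
    if core in DENY_LIST or _normalise(core) in DENY_LIST:
        findings.append("matches the deny list")

    # Context-specific terms: company name, location, product names, ...
    lowered = candidate.lower()
    for term in context_terms:
        t = term.lower()
        nt = _normalise(t)
        if t in lowered or (nt and nt in _normalise(candidate)):
            findings.append(f"contains context-specific term {term!r}")

    if SEASON_YEAR.match(candidate):
        findings.append("season or month followed by a year")
    return findings


def audit(candidates, context_terms=()):
    """Map each candidate to its findings; useful when reviewing a policy's effect."""
    return {c: check_password(c, context_terms=context_terms) for c in candidates}


if __name__ == "__main__":
    # Constructed candidates illustrating each finding.
    for pw, issues in audit(["Summer2024!", "P@ssw0rd", "Acme1!",
                             "correct horse battery staple"],
                            context_terms=("Acme",)).items():
        print(f"{pw!r}: {issues or 'ok'}")
```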
Insufficient Patching
Some unpatched software has high-severity CVEs
Default Credentials
Insufficient Encryption
In case of plain HTTP
Weak ciphers
SSL Labs note: make sure to check "Do not show the results on the boards" for the confidentiality of your customer
Information Disclosure
Verbose error message
Verbose stack trace
mDNS
Server version and languages in response header
Username Enumeration
Most of the time visible through login portals with messages like "Invalid username"
Also possible through password reset forms
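Added example (not from the original notes): the vulnerable and hardened forms of a login handler and a password reset form in Python, over a constructed in-memory user store. The vulnerable version returns the "Invalid username" message described above and returns before hashing, so both the message and the response time reveal whether the account exists; the hardened version returns one generic message and always runs the hash computation, against a decoy credential when the user is unknown.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store (username -> (salt, hash)); not real accounts.
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, _hash("correct horse battery staple", _SALT)),
    "bob": (_SALT, _hash("Summer2024!", _SALT)),
}
# Decoy credential so an unknown username costs the same hashing time as a known one.
_DECOY = (_SALT, _hash(os.urandom(16).hex(), _SALT))


def login_vulnerable(username: str, password: str) -> str:
    """Distinct messages and an early return let a caller tell which usernames
    exist; this is the pattern behind the "Invalid username" finding."""
    if username not in USERS:
        return "Invalid username"
    salt, expected = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), expected):
        return "Invalid password"
    return "Login OK"


def login_hardened(username: str, password: str) -> str:
    """One generic message and the same (hashing) code path for every outcome."""
    salt, expected = USERS.get(username, _DECOY)
    valid = hmac.compare_digest(_hash(password, salt), expected) and username in USERS
    return "Login OK" if valid else "Invalid username or password"


def reset_vulnerable(username: str) -> str:
    """Reset form that confirms whether the account exists."""
    if username not in USERS:
        return "No account found for that username"
    return "A reset link has been sent"


def reset_hardened(username: str) -> str:
    """Same response whether or not the account exists; the reset email itself
    is only sent, out of band, when the account is real."""
    return "If that account exists, a reset link has been sent"


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__, fn("mallory", "x"), "|", fn("alice", "x"))
    for fn in (reset_vulnerable, reset_hardened):
        print(fn.__name__, fn("mallory"), "|", fn("alice"))
```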
Default Web Pages
Apache Pages
IIS Page
Open Mail Relay
IKE Aggressive Mode
Could allow capturing a pre-shared key of a VPN to access the network (most of the time hard to exploit)
Unexpected Perimeter Services
RDP
Telnet
etc.
Insufficient Traffic Blocking
Geo-blocking not in place
Limits the attack surface
Depends on where the client's customers are located
Undetected Malicious Activity
Brute-force login attacks
Nmap
Nessus
Web enumeration brute force
etc.
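Added example (not part of the original notes): a small Python detector for the first item on this list, run over constructed authentication log lines in an assumed format (timestamp, source IP, username, result). A sliding window per source IP raises a brute-force alert when one account fails repeatedly and a password-spray alert when many different accounts fail from the same source, which is the pattern the spraying tools described earlier produce against a portal; the thresholds and window size are assumptions to tune per environment. Scanner and web enumeration activity would need other log sources and is not covered here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed authentication log (not from a real system). Assumed format:
# ISO-8601 UTC timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T09:00:04Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T09:00:07Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T09:00:10Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T09:00:13Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T09:05:00Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:05:30Z src=198.51.100.7 user=bob result=FAIL
2024-05-01T09:06:00Z src=198.51.100.7 user=carol result=FAIL
2024-05-01T09:06:30Z src=198.51.100.7 user=dave result=FAIL
2024-05-01T09:07:00Z src=198.51.100.7 user=erin result=FAIL
2024-05-01T09:10:00Z src=192.0.2.44 user=frank result=FAIL
2024-05-01T09:10:20Z src=192.0.2.44 user=frank result=OK
"""

LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Parse one log line into (timestamp, src, user, result), or None if malformed."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"], m["result"]


def detect(log_text: str, window_s: int = 600, brute_threshold: int = 5,
           spray_threshold: int = 5):
    """Sliding-window detection over failed logins, per source IP.

    brute-force:    one source, one user, >= brute_threshold failures in the window
    password-spray: one source, >= spray_threshold distinct users failing in the window
    Returns a sorted list of (kind, src, user-or-"*") tuples, each raised once.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) failures
    alerts = set()
    for ts, src, user, result in events:
        if result != "FAIL":
            continue
        window = recent[src]
        window.append((ts, user))
        # Drop failures older than the window (the newest entry always stays).
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        users = [u for _, u in window]
        if users.count(user) >= brute_threshold:
            alerts.add(("brute-force", src, user))
        if len(set(users)) >= spray_threshold:
            alerts.add(("password-spray", src, "*"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```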
Historical Account Compromises
Published breaches
Resources