CSbyGB - Pentips

External Pentest


Last updated 2 years ago

Type of External Pentest

The type of external penetration test to be conducted should be clearly defined:

  • Blackbox External Pentest:

This test is expected to be conducted without any knowledge of the Internet-facing IP addresses, the website, or the web application.

  • White Box External Pentest:

This test is expected to be conducted with knowledge of the organization's Internet-facing IP addresses, the website, the web application, or some other range of public IP addresses that will be shared with you by the organization.

The type of the external penetration test must be clearly stated in the rules of engagement.

Rules of engagement

  • The document should be signed, and as a pentester you should keep a copy of it

Verify scope

Step 1

Step 2

Subdomain Finders

  • These will help identify a lot of IP addresses and web applications for scoping and testing purposes

Using Google Dork

  • Type in Google:

    • site:nameofcompany.com -www

    • site:nameofcompany.com

    • site:*.nameofcompany.com

Subdomain tools

  • AMASS

  • SubBrute

  • Knock

  • DNSRecon

  • Sublist3r

  • AltDNS

  • Axiom

  • Haktrails

Vuln Scan

To do first thing in the morning, since scans take a while to complete

OSINT

Hunting breach credentials

Identifying Emails & Employees

  • Get information on the email naming convention (firstname.lastname or another format)

  • Look for the company on LinkedIn, use tools to scrape LinkedIn, and put the names together using the deduced naming convention

Enumerating valid accounts

  • Check login forms or password reset forms for user enumeration

Other useful info

  • Job postings (information about the applications used at the company)

  • Google dork to find the password policy (site:target)

How to check a host OS

  • Time to Live (TTL): a typical response from a Windows host will be either 32 or 128. A response of or around 128 is the most common one you will see. This value may not always be exact, especially if you are not in the same layer-3 network as the target, since every hop on the way decrements it.

  • Nmap OS detection scan: sudo nmap -v -O TARGET-IP

  • Banner grab to enumerate ports: sudo nmap -v 192.168.86.39 --script banner.nse
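
The TTL heuristic above, as an added example that is not part of the original page: a small Python classifier that maps an observed TTL to the nearest common default above it (32 and 128 for Windows as stated on the page; 64 for Linux/BSD/macOS and 255 for network devices are assumed here from the usual vendor defaults) and estimates the hop count from the difference. The ping lines are constructed samples, not real captures.

```python
import re

# Added example (not from CSbyGB's page): common default initial TTL values.
# The page notes Windows replies at or around 32 or 128; the other values
# are the widely documented defaults for Linux/macOS and network gear.
DEFAULT_TTLS = {
    32: "Windows (older)",
    64: "Linux, BSD or macOS",
    128: "Windows",
    255: "Network device, Solaris or similar",
}


def guess_os_from_ttl(ttl, max_hops=30):
    """Map an observed TTL to the nearest default at or above it.

    Every layer-3 hop decrements the TTL by one, so a reply of 126 most
    likely started at 128 two hops away. Returns (os_family, hops), or
    (None, None) when no default lies within max_hops of the value.
    The guess gets weaker the further away you are: a TTL of 30 could be
    an old Windows host 2 hops away or a Linux host 34 hops away.
    """
    if ttl < 1 or ttl > 255:
        return None, None
    for default in sorted(DEFAULT_TTLS):
        hops = default - ttl
        if 0 <= hops <= max_hops:
            return DEFAULT_TTLS[default], hops
    return None, None


# Matches the ttl field of a ping reply ("... ttl=126 time=1.2 ms", "TTL=250").
PING_TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def guess_os_from_ping_line(line):
    """Extract the TTL from one ping reply line and classify it."""
    match = PING_TTL_RE.search(line)
    if not match:
        return None, None
    return guess_os_from_ttl(int(match.group(1)))


if __name__ == "__main__":
    # Constructed sample reply lines (Linux and Windows ping formats).
    for line in [
        "64 bytes from 10.0.0.5: icmp_seq=1 ttl=126 time=1.23 ms",
        "64 bytes from 10.0.0.7: icmp_seq=1 ttl=64 time=0.41 ms",
        "Reply from 10.0.0.9: bytes=32 time=3ms TTL=250",
    ]:
        print(line, "->", guess_os_from_ping_line(line))
```

Treat the result as a hint to be confirmed with the nmap -O scan, not as a fact: the defaults overlap once the hop count is large, and some hosts ship with a non-default TTL.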

Attack login portals

  • Password strategy: currentSeasonOrMonth+currentYear+aSpecialChar, and variations on the location, address, company name, ...

O365

  • Password Spraying

    • Use the email list from the reconnaissance phase

    • Good to start with a delay of 15 (--delay 15)

    • --no-current-ip will proxy through each machine instead of your own IP, which is stealthier

    • Careful with account lockout: it is good to know the account lockout policy prior to the pentest

    • Using AWS we can create multiple Ubuntu machines for free

    • TREVORspray SSHes into each machine first, so we have to accept the host key fingerprint every time, and then it starts the password spray

    • TREVORspray will remember which passwords were previously used

OWA (Outlook Web Access)

  • Password Spraying

    • Metasploit: auxiliary/scanner/http/owa_login

    • set PASSWORD

    • set RHOSTS (IP address of the target)

    • set USER_FILE

    • Check the OWA version to be sure it matches the one the module expects

    • Even if the password does not work, we will get a list of valid users

Other portals

  • Burp Suite Intruder (works better with the Pro version)

    • Intercept a request and set the payload positions (the variables to fuzz)

    • Check the error message and add it in the Intruder options (Grep - Match)

    • Launch Intruder

Bypassing MFA

Escalating Access

  • If we get an email account (Office 365 for instance), we can look for information or credentials in the mailbox

  • portal.azure.com: if you log in with a user you found, you can discover other accounts

  • Then password spray with the passwords previously found

  • Be creative

Common pentest findings

Insufficient Authentication Controls

  • Bypass MFA

  • No MFA

Weak Password Policy

  • Recommend a deny list of common and context-specific passwords

  • Recommend following the NIST or OWASP guidelines
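
An added example, not from the original page, of what the recommended deny list looks like in code: a password check that rejects the season/month+year pattern listed under "Attack login portals" (including digit-for-letter spellings), company names passed in by the caller, and a common-password list. The minimum length of 12, the small COMMON_PASSWORDS set and the company word "acme" are assumptions constructed for the example; a real deployment would load a large breached-password list such as the ones referenced under Resources.

```python
import re

SEASONS = ["spring", "summer", "autumn", "fall", "winter"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]

# Constructed stand-in for a breached/common-password list (assumption).
COMMON_PASSWORDS = {"password", "password1", "password123", "123456",
                    "qwerty", "welcome1", "letmein", "changeme"}

# Digit-for-letter substitutions people apply to a denied word (W1nt3r -> winter).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

# Splits "summer2024" into the word and an optional trailing 2- or 4-digit year.
_WORD_YEAR_RE = re.compile(r"(.*?)((?:19|20)?\d{2})?")


def check_password(password, company_words, min_length=12):
    """Return a list of policy problems; an empty list means the password is acceptable.

    company_words: names the organisation wants denied (company, product, city ...).
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    denied = {w.lower() for w in SEASONS + MONTHS + list(company_words)}
    # Drop case and punctuation so "Summer2024!" becomes "summer2024".
    stripped = re.sub(r"[^a-z0-9]", "", password.lower())
    match = _WORD_YEAR_RE.fullmatch(stripped)
    word, year = match.group(1), match.group(2)
    if word.translate(LEET) in denied:
        what = "followed by a year" if year else "on its own"
        problems.append(f"built from a denied word (season, month or company name) {what}")

    if stripped in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


if __name__ == "__main__":
    for candidate in ["Summer2024!", "W1nt3r2025#", "Acme2024!", "Password123!",
                      "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate, ["acme"]) or "ok")
```

The check deliberately has no composition rules (uppercase, digit, symbol), which is the NIST direction the page points to: length plus a deny list catches the patterns a sprayer actually tries, while composition rules only produce "Summer2024!" in the first place.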

Insufficient Patching

  • Some unpatched software has high-severity CVEs

Default Credentials

Insufficient Encryption

  • Plain HTTP (no TLS)

  • Weak ciphers or protocol versions

Information Disclosure

  • Verbose error messages

  • Verbose stack traces

  • mDNS

  • Server version and languages disclosed in response headers

Username Enumeration

  • Most of the time visible through login portals with messages like "Invalid username"

  • Also possible through password reset forms
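
The finding above, shown as an added example (not code from the original page): a login handler that leaks whether a username exists through two different messages, beside a hardened version that returns one generic message and does the same password-hashing work for unknown users so that response time does not leak it either, plus a reset-form response that reads the same for known and unknown accounts. The user store and the account "alice" are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000
GENERIC_MSG = "Invalid username or password"


def hash_password(password, salt=None):
    """PBKDF2-SHA256 hash of the password; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password, salt, expected):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# Constructed user store with a single account (assumption for the example).
USERS = {"alice": hash_password("correct horse battery staple")}
# Throwaway record used for unknown usernames so the hashing work is always done.
_DUMMY = hash_password(secrets.token_hex(16))


def login_vulnerable(username, password):
    """Leaks which usernames exist: two distinct messages and no hashing for unknown users."""
    record = USERS.get(username)
    if record is None:
        return False, "Invalid username"
    if not verify(password, *record):
        return False, "Invalid password"
    return True, "Welcome"


def login_hardened(username, password):
    """Same message and same amount of work whether or not the user exists."""
    record = USERS.get(username, _DUMMY)
    # verify() runs first in both cases, so timing does not depend on existence.
    ok = verify(password, *record) and username in USERS
    return ok, ("Welcome" if ok else GENERIC_MSG)


def password_reset_response(username):
    """Reset forms should answer identically for known and unknown accounts."""
    # The email is only sent when the account exists; the caller never learns which.
    return "If an account exists for that username, a reset link has been sent"


if __name__ == "__main__":
    for user in ["alice", "bob"]:
        print(user, "vulnerable:", login_vulnerable(user, "wrong"),
              "hardened:", login_hardened(user, "wrong"))
```

When reviewing such a portal, compare both the body and the response time of a request for a known user against one for a random user; the hardened version keeps both indistinguishable, the vulnerable one differs on both.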

Default Web Pages

  • Apache default page

  • IIS default page

Open Mail Relay

IKE Aggressive Mode

  • Could allow capturing the pre-shared key of a VPN to access the network (most of the time hard to exploit)

Unexpected Perimeter Services

  • RDP

  • Telnet

  • etc.

Insufficient Traffic Blocking

  • Geo-blocking not in place

  • Geo-blocking limits the attack surface

  • Whether it applies depends on where the client's customers are located

Undetected Malicious Activity

  • Brute-force login attacks

  • Nmap scans

  • Nessus scans

  • Web enumeration brute force

  • etc.
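
As an added example (not from the original page) of what "undetected" means for the first item, here is the defender's counterpart of the spraying described under O365 and OWA: detection logic run over a few constructed authentication log lines. A password spray shows up as one source failing against many different accounts in a short window (few attempts per account, so per-account lockout never fires), while a classic brute force is one source hammering a single account; a spray followed by a successful login from the same source is flagged as a likely compromised account. The log format, the thresholds and the sample addresses are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption), one line per authentication attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
_EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "user": m["user"].lower(), "result": m["result"]}


def detect_attacks(lines, window_minutes=30, spray_users=5, brute_attempts=10):
    """Flag sources failing against many accounts (spray) or one account many times (brute force)."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)   # (src, window slot) -> failed events
    successes = defaultdict(set)   # src -> users that logged in successfully
    for event in filter(None, map(parse_line, lines)):
        if event["result"] == "OK":
            successes[event["src"]].add(event["user"])
            continue
        slot = (event["ts"] - _EPOCH) // window   # fixed 30-minute buckets
        failures[(event["src"], slot)].append(event)

    alerts = []
    for (src, slot), fails in sorted(failures.items()):
        per_user = Counter(f["user"] for f in fails)
        if len(per_user) >= spray_users:
            alerts.append({
                "type": "password_spray", "src": src,
                "users": len(per_user), "attempts": len(fails),
                # sprayed accounts that later logged in OK from the same source
                "later_success": sorted(successes[src] & set(per_user)),
            })
        for user, count in per_user.items():
            if count >= brute_attempts:
                alerts.append({"type": "brute_force", "src": src,
                               "user": user, "attempts": count})
    return alerts


# Constructed sample log: a spray from 203.0.113.10 that eventually succeeds on
# "erin", one benign failure from 10.0.0.5, and a brute force against "admin".
SAMPLE_LOG = [
    f"2024-03-01T08:0{i}:00Z src=203.0.113.10 user={u} result=FAIL"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + [
    "2024-03-01T08:07:00Z src=203.0.113.10 user=erin result=OK",
    "2024-03-01T09:00:00Z src=10.0.0.5 user=alice result=FAIL",
] + [
    f"2024-03-01T10:{i:02d}:00Z src=198.51.100.7 user=admin result=FAIL"
    for i in range(12)
]

if __name__ == "__main__":
    for alert in detect_attacks(SAMPLE_LOG):
        print(alert)
```

The thresholds are the interesting part for a report: a spray tuned to stay under the lockout policy (one attempt per account every 30 minutes, say) still trips the distinct-users count, which is why recommending per-account lockout alone is not enough and the finding should also cover source-based correlation.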

Historical Account Compromises

  • Published breaches

Resources

  • Check out SecurityTrails to see how to use the subdomain tools listed above

  • Phonebook: find email addresses

  • Then put them together and specify a naming convention that will be applied to the whole list

  • Note: make sure to check "Do not show results on board" for the confidentiality of your customer

  • Scan the IP address to verify it actually belongs to the company

Links:

  • subdomainfinder

  • phonebook

  • OpenVAS - Open Source

  • Nessus

  • breach-parse

  • Dehashed

  • Have I been Pwned

  • Namely

  • Default Device TTL values

  • TREVORspray - blacklanternsecurity (modular password sprayer with threading, clever proxying, loot modules, and more)

  • MFASweep - dafthack (checks if MFA is enabled on multiple Microsoft services)

  • MailSniper - dafthack (searches through email in a Microsoft Exchange environment for specific terms such as passwords, insider intel or network architecture information; usable as a non-administrative user on their own mailbox, or by an administrator on every mailbox in a domain)

  • List of default creds - SecLists (SecLists/Passwords/Default-Credentials)

  • Default Passwords - CIRT.net

  • Default creds cheat sheet - ihebski (DefaultCreds-Cheat-Sheet.csv)

  • TestSSL

  • SSLLabs

  • How to test for Open mail relays - Black Hills Information Security

  • ike-scan - royhills (The IKE Scanner)

  • Shotsherpa

  • haveibeenpwned (check if your email has been compromised in a data breach)

  • External Pentest Playbook - TCM Academy