# External Pentest

## Types of External Pentest

The type of external penetration test to be conducted should be clearly defined.

* **Black Box External Pentest**:

This test is conducted without any prior knowledge of the organization's Internet-facing IP addresses, website, or web applications; you have to discover them yourself.

* **White Box External Pentest**:

This test is conducted with knowledge of the organization's Internet-facing IP addresses, website, web applications, or any other public IP ranges the organization shares with you.

> The type of the external penetration test must be clearly stated in the rules of engagement.

## Rules of engagement

* The document must be signed by the customer before testing starts, and as the pentester you must keep a copy: it is your written authorization.

## Verify scope

### Step 1

* [Look up the IP address on bgp.he.net to verify that it actually belongs to the company](https://bgp.he.net/)

### Step 2

#### Subdomain Finders

* These help identify many IPs and web applications for scoping and testing purposes
  * [subdomainfinder](https://subdomainfinder.c99.nl/)
  * [phonebook](https://phonebook.cz/)

#### Using Google Dork

* Type in Google (no spaces after `site:`, otherwise the operator is ignored)
  * `site:nameofcompany.com -www`
  * `site:nameofcompany.com`
  * `site:*.nameofcompany.com`

### Subdomain tools

* AMASS
* SubBrute
* Knock
* DNSRecon
* Sublist3r
* AltDNS
* Axiom
* Haktrails
* Check out [this article](https://securitytrails.com/blog/subdomain-scanner-find-subdomains) on securitytrails to see how to use the above tools
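The subdomain tools produce far more hostnames than the rules of engagement cover, so the resolved IPs have to be checked against the agreed ranges before anything is scanned. The block below is an added example (not part of the original page nor of any of the tools listed): it classifies a constructed discovery result against a constructed scope. The ranges, domains and hostnames are assumptions; the bgp.he.net ownership check from Step 1 still has to be done by hand.

```python
import ipaddress

# Constructed scope, standing in for the ranges and domains listed in the signed rules of engagement.
SCOPE_CIDRS = ["203.0.113.0/24", "198.51.100.10/32"]
SCOPE_DOMAINS = ["example.com"]

# Constructed discovery output (hostname -> resolved IPv4), standing in for the output of
# the subdomain tools above after a DNS resolution pass.
DISCOVERED = {
    "www.example.com": "203.0.113.10",
    "vpn.example.com": "198.51.100.10",
    "acme-careers.test": "203.0.113.40",            # vanity name, but the IP is in the agreed range
    "blog.example.com": "192.0.2.55",               # customer name, but hosted on a third-party IP
    "example-com.cdn-provider.test": "192.0.2.9",   # neither the name nor the IP is the customer's
}


def in_scope_domain(host, scope_domains):
    """True if host is one of the scope domains or a subdomain of one.
    Label-aware, so 'notexample.com' does not match 'example.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in scope_domains)


def in_scope_ip(ip, scope_cidrs):
    """True if the address falls inside one of the agreed CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in scope_cidrs)


def classify(discovered, scope_cidrs, scope_domains):
    """Sort discovered hosts into:
    - test:    the IP is inside the agreed ranges (whatever the hostname says)
    - confirm: customer hostname but an IP outside the ranges (third-party hosting):
               get written confirmation before touching it
    - exclude: neither the name nor the IP belongs to the customer"""
    buckets = {"test": [], "confirm": [], "exclude": []}
    for host, ip in discovered.items():
        if in_scope_ip(ip, scope_cidrs):
            buckets["test"].append(host)
        elif in_scope_domain(host, scope_domains):
            buckets["confirm"].append(host)
        else:
            buckets["exclude"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in classify(DISCOVERED, SCOPE_CIDRS, SCOPE_DOMAINS).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The "confirm" bucket is the one that gets testers into trouble: a `blog.` or `careers.` subdomain that CNAMEs to a SaaS provider carries the customer's name but is someone else's infrastructure, and the authorization letter does not cover it.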

## Vuln Scan

Start this first thing in the morning: authenticated and unauthenticated scans take hours, so launch them early and carry on with reconnaissance while they run.

* [OpenVAS - Open Source](https://www.openvas.org/)
* [Nessus](https://fr.tenable.com/products/nessus?tns_redirect=true)

## OSINT

### Hunting breached credentials

* [breach-parse](https://github.com/hmaverickadams/breach-parse)
* [Dehashed](https://dehashed.com/)
* [Have I been Pwned](https://haveibeenpwned.com/)
* [Hudson Rock](https://www.hudsonrock.com/threat-intelligence-cybercrime-tools)

### Identifying Emails & Employees

* Work out the email naming convention (firstname.lastname, first initial + lastname, or another pattern)
* [Phonebook](https://phonebook.cz/), to find known email addresses
* Look for the company on LinkedIn, scrape the employee names with a tool, and assemble email addresses using the deduced naming convention
  * [Namely](https://github.com/OrielOrielOriel/namely) assembles them for you and applies a chosen naming convention to the whole list
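The two steps above (deduce the convention from a few known addresses, then apply it to the scraped name list) are shown below as an added example written for this page; it is not Namely's code. The employee names and the known addresses are constructed, and the set of conventions is an assumption you extend with whatever the customer actually uses.

```python
import unicodedata

# Constructed employee list, standing in for names scraped from LinkedIn.
EMPLOYEES = ["Jane Doe", "José Álvarez", "Mary-Ann O'Neil"]

# Assumed candidate conventions: {first}/{last} are the full names, {f}/{l} the initials.
CONVENTIONS = {
    "first.last": "{first}.{last}",
    "flast": "{f}{last}",
    "firstl": "{first}{l}",
    "first_last": "{first}_{last}",
    "last.first": "{last}.{first}",
}


def normalize(token):
    """Lower-case, strip accents and drop anything that never appears in a mailbox local part."""
    ascii_only = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return "".join(ch for ch in ascii_only.lower() if ch.isalnum())


def split_name(full_name):
    """Return (first, last) or None for single-token names that cannot be permuted."""
    parts = full_name.split()
    if len(parts) < 2:
        return None
    return normalize(parts[0]), normalize(parts[-1])


def build_emails(employees, domain, convention):
    """Apply one convention to the whole list; names that cannot be split are skipped."""
    pattern = CONVENTIONS[convention]
    emails = []
    for name in employees:
        parts = split_name(name)
        if not parts:
            continue
        first, last = parts
        local = pattern.format(first=first, last=last, f=first[0], l=last[0])
        emails.append(f"{local}@{domain}")
    return emails


def infer_convention(known):
    """Given (full name, known email) pairs from Phonebook or a breach dump, return the
    convention that reproduces every pair, or None if none of the candidates fits."""
    for convention in CONVENTIONS:
        if all(build_emails([name], email.split("@", 1)[1], convention) == [email]
               for name, email in known):
            return convention
    return None


if __name__ == "__main__":
    convention = infer_convention([("Jane Doe", "jdoe@example.com")])
    print(convention, build_emails(EMPLOYEES, "example.com", convention))
```

Two or three known addresses are enough to disambiguate; with a single sample, `flast` and `firstl` can still collide for short names, so check the inferred convention against a second known employee before spraying the whole list.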

### Enumerating valid accounts

* Check login forms and password reset forms for user enumeration (a different response for valid and invalid usernames)

### Other useful info

* Job postings (they reveal the applications and technologies used at the company)
* Google dork to find the password policy (e.g. `site:nameofcompany.com "password policy"`)

## How to identify a host OS

* `Time to Live (TTL)`: a typical reply from a Windows host has a TTL of 128 (legacy Windows 9x/NT used 32), Linux and macOS default to 64, and network devices to 255. The observed value is rarely exact, because every router hop between you and the target decrements it by one, so from outside the target's layer three network you round the observed value up to the nearest default and treat the difference as the hop count.
* [Default Device TTL values](https://subinsb.com/default-device-ttl-values/)
* `sudo nmap -v -O TARGET-IP` nmap OS detection scan (it needs at least one open and one closed TCP port for a reliable fingerprint)
* `sudo nmap -v TARGET-IP --script banner` banner grab on the open ports (the script is called `banner`; the `.nse` suffix is optional)
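The rounding rule from the TTL bullet, applied to ping output, as an added example written for this page (not from nmap or from the linked TTL table). The ping lines are constructed, and the default-TTL table is the commonly published one; treat the result as a hint to confirm with `nmap -O`, not as a fingerprint.

```python
import re

# Commonly published default initial TTLs, used as the candidate starting values.
INITIAL_TTLS = {
    32: "Windows 9x/NT (legacy)",
    64: "Linux / macOS / BSD",
    128: "Windows",
    255: "Network device / Solaris",
}

PING_TTL = re.compile(r"\bttl=(\d+)", re.I)


def parse_ping_ttl(line):
    """Pull the TTL out of a ping reply line; None for lines that are not replies."""
    match = PING_TTL.search(line)
    return int(match.group(1)) if match else None


def guess_os(observed_ttl):
    """Round the observed TTL up to the nearest default initial TTL.
    Returns (os_family, assumed_initial_ttl, estimated_hops).
    Caveat: a low value such as 30 could be 32 minus 2 hops or 64 minus 34 hops;
    the smallest candidate is chosen because 30+ hops is unusual on the Internet."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be between 1 and 255")
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return INITIAL_TTLS[initial], initial, initial - observed_ttl


# Constructed ping output (not captured from a real target).
SAMPLE_PING = [
    "PING 203.0.113.10 (203.0.113.10) 56(84) bytes of data.",
    "64 bytes from 203.0.113.10: icmp_seq=1 ttl=117 time=14.2 ms",
    "64 bytes from 203.0.113.20: icmp_seq=1 ttl=52 time=9.8 ms",
]


def guess_from_ping(lines):
    """Return (ip, observed_ttl, os_family, initial_ttl, hops) for every reply line."""
    results = []
    for line in lines:
        ttl = parse_ping_ttl(line)
        if ttl is None:
            continue
        ip = line.split()[3].rstrip(":")
        results.append((ip, ttl) + guess_os(ttl))
    return results


if __name__ == "__main__":
    for ip, ttl, family, initial, hops in guess_from_ping(SAMPLE_PING):
        print(f"{ip}: ttl={ttl} -> {family} (initial {initial}, ~{hops} hops)")
```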

## Attack login portals

* Password strategy: current season or month + current year + a special character (e.g. `Summer2024!`), plus variants built from the location, street address, or company name

### O365

* Password Spraying
  * [TREVORspray](https://github.com/blacklanternsecurity/TREVORspray)
  * Use the email list built during the reconnaissance phase
  * Start with a delay of 15 seconds between attempts: `--delay 15`
  * `--no-current-ip` sprays only through the SSH proxies and never from your own IP, which is stealthier
  * Be careful with account lockout: know the customer's lockout policy before the pentest and stay under the threshold
  * With AWS you can spin up several Ubuntu machines on the free tier to use as proxies
  * TREVORspray SSHes into each proxy first, so you have to accept each host key fingerprint, and only then starts spraying
  * TREVORspray remembers which passwords it has already tried
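The password strategy above and the lockout caveat belong together: the wordlist decides what you try, and the lockout policy decides how many of those you may try per account in a given window. The block below is an added example written for this page (not TREVORspray's code): it builds the season/month + year + special-character list, then splits it into spray rounds that stay under an assumed lockout threshold and spaces the rounds one observation window apart. The company name, years and policy values are assumptions; plug in what you gathered during the engagement.

```python
SEASONS = ["Spring", "Summer", "Autumn", "Fall", "Winter"]
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
SPECIALS = ["!", "@", "#", "$", ""]   # "" keeps the bare base+year variant


def season_wordlist(years, company=None, extra=()):
    """Build base+year+special candidates such as Summer2024! or Acme24#, in a stable
    order and without duplicates. `extra` takes words like the city or street name."""
    bases = SEASONS + MONTHS + ([company] if company else []) + list(extra)
    seen, words = set(), []
    for base in bases:
        for year in years:
            for yy in (str(year), str(year)[-2:]):      # 2024 and 24
                for special in SPECIALS:
                    candidate = f"{base}{yy}{special}"
                    if candidate not in seen:
                        seen.add(candidate)
                        words.append(candidate)
    return words


def spray_schedule(passwords, lockout_threshold, observation_window_minutes, safety_margin=1):
    """Split the wordlist into rounds of (threshold - margin) passwords, so no account sees
    enough failures inside one observation window to lock, and space the rounds one window
    apart so the bad-password counter has reset. Returns [(start_offset_minutes, [pw...]), ...].
    The policy values are assumptions: read them off the customer's lockout policy."""
    per_round = lockout_threshold - safety_margin
    if per_round < 1:
        raise ValueError("lockout threshold too low to spray safely")
    rounds = [passwords[i:i + per_round] for i in range(0, len(passwords), per_round)]
    return [(i * observation_window_minutes, chunk) for i, chunk in enumerate(rounds)]


if __name__ == "__main__":
    wordlist = season_wordlist([2024, 2023], company="Acme", extra=["Paris"])
    for offset, chunk in spray_schedule(wordlist, lockout_threshold=5,
                                        observation_window_minutes=30, safety_margin=2):
        print(f"t+{offset:4d} min: {chunk}")
```

Trimming the list before scheduling matters more than the scheduler: with a 5-failure threshold, a 30-minute window and 200 candidates you are looking at more than a day of spraying, so rank the candidates (current season and year first) and drop the rest.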

### OWA (Outlook Web Access)

* Password Spraying
  * Metasploit: `auxiliary/scanner/http/owa_login`
  * `set PASSWORD` to the password to spray
  * `set RHOSTS` to the target's IP address
  * `set USER_FILE` to the user list from reconnaissance
  * Check the OWA version first to be sure it is one the module supports
  * Even if the password does not work, the module reports which users are valid (it compares response timing), so you still get a list of valid users

### Other portals

* Burp Suite Intruder (the Community edition throttles it; it works better with the Pro version)
  * Intercept a login request and mark the username and password fields as payload positions
  * Note the error message returned for a failed login and add it under Intruder options (Grep - Match)
  * Launch the attack and sort on the match column: responses without the error message point to valid users or valid credentials
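What the Grep - Match column does, and the length/status comparison you fall back on when the error text is the same for everyone, written out as an added example for this page and for the username enumeration finding further down; this is not Burp's code. The per-user responses are constructed.

```python
import re
from collections import Counter

# Constructed (status, body) per candidate username, standing in for the per-request
# results in the Intruder attack window. 'dave' got a redirect: the guessed password was right.
RESPONSES = {
    "alice": (200, "<p>Invalid password for this account.</p>"),
    "bob":   (200, "<p>Invalid username.</p>"),
    "carol": (200, "<p>Invalid username.</p>"),
    "dave":  (302, ""),
}


def grep_match(responses, error_pattern):
    """Intruder 'Grep - Match' in code: keep the candidates whose body lacks the error
    text the portal returns for unknown usernames."""
    rx = re.compile(error_pattern, re.I)
    return [user for user, (_status, body) in responses.items() if not rx.search(body)]


def outliers(responses):
    """Marker-free variant: take the most common (status, length) pair as the
    'unknown user' baseline and flag everything that deviates from it. Catches
    enumeration even when the message is identical but the page length or status differs."""
    signature = {user: (status, len(body)) for user, (status, body) in responses.items()}
    baseline = Counter(signature.values()).most_common(1)[0][0]
    return [user for user, sig in signature.items() if sig != baseline]


if __name__ == "__main__":
    print("grep match:", grep_match(RESPONSES, r"invalid username"))
    print("outliers:  ", outliers(RESPONSES))
```

The outlier check is also the one to report under username enumeration: if the portal's failure page differs in length or status between existing and non-existing accounts, the generic "invalid credentials" wording alone does not fix the finding.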

### Bypassing MFA

* [MFASweep](https://github.com/dafthack/MFASweep)

## Escalating Access

* If you get hold of a mailbox (Office 365, for instance), search it for sensitive information and credentials
* Log in to portal.azure.com with the compromised user: a regular account can usually list the other accounts in the tenant
* Then password spray those accounts with the passwords already found
* Be creative

## Common pentest findings

### Insufficient Authentication Controls

* Bypass MFA
* No MFA

### Weak Password Policy

* Recommend a deny list of common and previously breached passwords
* Recommend following the NIST or OWASP password guidelines

### Insufficient Patching

* Unpatched software with published high-severity CVEs

### Default Credentials

* [List of default creds - SecLists](https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials)
* [Default Passwords - Cirt](https://cirt.net/passwords)
* [Default creds cheat sheet - ihebski](https://github.com/ihebski/DefaultCreds-cheat-sheet/blob/main/DefaultCreds-Cheat-Sheet.csv)

### Insufficient Encryption

* Services exposed over plain HTTP instead of HTTPS
* Weak ciphers or outdated protocol versions
* [TestSSL](https://github.com/drwetter/testssl.sh)
* [SSLLabs](https://www.ssllabs.com/ssltest/) ***Note: Make sure to tick "Do not show the results on the boards" to keep your customer's hostname off the public results.***

### Information Disclosure

* Verbose error message
* Verbose stack trace
* mDNS
* Server version and languages in response header

### Username Enumeration

* Most often visible on login portals that return a message such as "Invalid username" only for accounts that do not exist
* Also possible through password reset forms

### Default Web Pages

* Default Apache pages
* Default IIS pages

### Open Mail Relay

* [How to test for Open mail relays - BlackHills Infosec](https://www.blackhillsinfosec.com/how-to-test-for-open-mail-relays/)

### IKE Aggressive Mode

* Aggressive mode leaks a hash of the VPN pre-shared key, which can be cracked offline to gain access to the network (most of the time hard to exploit in practice)
* [ike-scan](https://github.com/royhills/ike-scan)

### Unexpected Perimeter Services

* RDP
* Telnet
* etc.

### Insufficient Traffic Blocking

* [Shotsherpa](https://shotsherpa.com/)
* Geo-blocking not in place
  * Geo-blocking limits the attack surface
  * Whether it is appropriate depends on where the customer's own clients are located

### Undetected Malicious Activity

* Brute-force login attacks
* Nmap
* Nessus
* Web enum bruteforce
* etc.

### Historical Account Compromises

* Published breaches
* [Have I Been Pwned](https://haveibeenpwned.com/)

## Resources

{% embed url="<https://academy.tcm-sec.com/p/external-pentest-playbook>" %}
TCM Academy - External Pentest Playbook
{% endembed %}

{% embed url="<https://github.com/blacklanternsecurity/TREVORspray>" %}
TREVORspray
{% endembed %}

{% embed url="<https://github.com/dafthack/MFASweep>" %}
MFASweep
{% endembed %}

{% embed url="<https://github.com/dafthack/MailSniper>" %}
Mailsniper
{% endembed %}

{% embed url="<https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials>" %}
List of default creds - SecLists
{% endembed %}

{% embed url="<https://cirt.net/passwords>" %}
Default Passwords - Cirt
{% endembed %}

{% embed url="<https://github.com/ihebski/DefaultCreds-cheat-sheet/blob/main/DefaultCreds-Cheat-Sheet.csv>" %}
Default creds cheat sheet - ihebski
{% endembed %}

{% embed url="<https://www.blackhillsinfosec.com/how-to-test-for-open-mail-relays/>" %}
How to test for Open mail relays - BlackHills Infosec
{% endembed %}

{% embed url="<https://github.com/royhills/ike-scan>" %}
ike-scan
{% endembed %}

{% embed url="<https://haveibeenpwned.com/>" %}
Have I Been Pwned
{% endembed %}

