External Pentest

Type of External Pentest

The Type of External Penetration Test to be conducted should be clearly defined

Blackbox External Pentest :

This test is expected to be conducted without any knowledge of the Internet facing IP addresses,the website, or web application.

White Box External Pentest :

This test is expected to be conducted with the knowledge of the organization's Internet facing IP addresses,the website,web application, or some other range of IP public addresses that will be shared with you by the organization.

The type of the external penetration test must be clearly stated in the rules of engagement.

Rules of engagement

The doc should be signed and as a pentester you should have a copy

Verify scope

Step 1

Scan the IP addess with this to verify it actually belongs to the company

Step 2

Subdomain Finders

This will help identify a lot of IPs and web application for scoping and testing purposes
- subdomainfinder
- phonebook

Using Google Dork

Type in google
- site:nameofcompany.com -www
- site : nameofcompany.com
- site: *.nameofcompany.com

Subdomain tools

AMASS
SubBrute
Knock
DNSRecon
Sublist3r
AltDNS
Axiom
Haktrails
Check out this article on securitytrails to see how to use the above tools

Vuln Scan

Todo first thing in the morning

OSINT

Hunting breach credentials

Identifying Emails & Employees

Get info on the naming convention for email (firstname.lastname or else)
Phonebook, find email address
Look for the company on Linkedin, use tools to scrape Linkedin and put them together using the deducted naming convention
- We can use Namely to put them together and specify a naming convention that will be applied to the whole list

Enumerating valid accounts

Check login form or password reset forms for user enum

Other useful info

Job postings (info about app used at the company)
Google dork to find password policy (site:target)

How to check a host OS

Time to Live (TTL) A typical response from a Windows host will either be 32 or 128. A response of or around 128 is the most common response you will see. This value may not always be exact, especially if you are not in the same layer three network as the target.
Default Device TTL values
sudo nmap -v -O TARGET-IP nmap OS Detection Scan
sudo nmap -v 192.168.86.39 --script banner.nse Banner Grab to Enumerate Ports

Password strategy: currentSeasonOrMonth+currentYear+aSpecialChar, location, address, company name, ...

O365

Password Spraying
- TREVORspray
- We use the email list from the reconnaissance phase
- Good to start with a delay of 15 --delay 15
- --no-current-ip will proxy through each machine, more stealthy
- Careful with account lockout = good to know account lockout policy prior to pentest
- Using AWS we can make multiple ubuntu machine for free
- Trevorspray is going to ssh first we have to accept fingerprinting everytime and then it is going to password spray
- Trevorspsray will remember which pass previously used

OWA (Outlook Web Access)

Password Spraying
- Metasploit: Scanner owa_login
- set a password
- set an RHOST (IP adr of target)
- set user_file
- checkout owa version to be sure it is the same
- Even if pass does not work we will get a list of valid users

Other portals

Burp Suite Intruder (works better with pro version)
- Intercept a request and set the vars
- Check out the error message and add it in intruder options (Grep Match)
- Launch intruder

Bypassing MFA

MFASweep

Escalating Access

If we get an email account, office for instance we can look for info or creds in the mailbox
portal.azure.com if you login with a user you found you can find other accounts
Then password spray with previous password found
Be creative

Common pentest findings

Insufficient Authentication Controls

Bypass MFA
No MFA

Weak Password Policy

Recommand deny list
Recommand NIST or OWASP Guidelines

Insufficient Patching

Some unpatch software have high severity CVE

Default Credentials

Insufficient Encryption

In case of http
Weak ciphers
TestSSL
SSLLabs Note: Make sure to check "Do not show results on boad" for the confidentiality of your customer

Information Disclosure

Verbose error message
Verbose stack trace
mDNS
Server version and languages in response header

Username Enumeration

Most of the time visible through login portals with msg like "Invalid username"
Possible also through reset password forms

Default Web Pages

Apache Pages
IIS Page

Open Mail Relay

How to test for Open mail relays - BlackHills Infosec

IKE Aggressive Mode

Could capture a preshared key of a vpn to access the network (most of the time hard to exploit)
ike-scan

Unexpected Perimeter Services

RDP
Telnet
etc.

Insufficient Traffic Blocking

Shotsherpa
Geo-blocking not in place
Limits attack surface
Depends on the customer location of the client

Undetected Malicious Activity

Bruteforce login attacks
Nmap
Nessus
Web enum bruteforce
etc.

Historical Account Compromises

Published breaches
haveibeenpawned

Resources

PreviousMITRE ATT&CK NextIntroduction to HTTP and web

Last updated 2 years ago

hashtagType of External Pentest

hashtagRules of engagement

hashtagVerify scope

hashtagStep 1

hashtagStep 2

hashtagSubdomain Finders

hashtagUsing Google Dork

hashtagSubdomain tools

hashtagVuln Scan

hashtagOSINT

hashtagHunting breach credentials

hashtagIdentifying Emails & Employees

hashtagEnumerating valid accounts

hashtagOther useful info

hashtagHow to check a host OS

hashtagAttack login portals

hashtagO365

hashtagOWA (Outlook Web Access)

hashtagOther portals

hashtagBypassing MFA

hashtagEscalating Access

hashtagCommon pentest findings

hashtagInsufficient Authentication Controls

hashtagWeak Password Policy

hashtagInsufficient Patching

hashtagDefault Credentials

hashtagInsufficient Encryption

hashtagInformation Disclosure

hashtagUsername Enumeration

hashtagDefault Web Pages

hashtagOpen Mail Relay

hashtagIKE Aggressive Mode

hashtagUnexpected Perimeter Services

hashtagInsufficient Traffic Blocking

hashtagUndetected Malicious Activity

hashtagHistorical Account Compromises

hashtagResources