
🌐 External Pentesting

ROE (Rules of Engagement)

  • This document should be signed before testing starts; keep a copy of it.

Verify Scope

  1. Scan the IPs to verify that we are not attacking another company

  2. Subdomains (amass, assetfinder, DNSRecon, Subfinder)

Use Google Dorking:

  • site:domain.com -www

  • site:domain.com

  • site:*.domain.com

Vulnerability Scan

The first thing to do before starting on the main part of the engagement.

External OSINT

Breach Creds

Identifying Emails & Employees

Enumerating valid accounts

Attacking

Attacking Login Portals

  • Password Strategy: currentSeason + currentYear + SpecialChar + location + address + companyname

OWA (Outlook Web Access)

  • Password Spray

  • msf: auxiliary/scanner/http/owa_login

  • Check the OWA Version

Other Portals

  • Burpsuite Intruder

  • FFuF

  • Wfuzz

Bypassing MFA

  • ike-scan

Escalating Privileges

  • In Office, for instance, we can look for other accounts.

  • If portal.azure.com is reachable, find other accounts there.

  • Password spray with previous password found.

Common Findings

Insufficient Auth Controls

  • Bypass MFA

  • No MFA

Weak Password Policy

  • Recommend Guidelines, NIST, OWASP

Insufficient Patching

  • Unpatched software or services that need an update.

Default Credentials

  • SecLists

  • CIRT.net

Insufficient Encryption

  • Weak ciphers

  • Test the SSL Certificate

Information Disclosure

  • Verbose error messages

  • Verbose stack trace

  • mDNS

  • Server Version, languages, response headers etc.

Username Enum

  • Broken authentication findings such as an "Invalid Username" message, which reveals whether an account exists.

Default Pages

  • Apache default pages

  • IIS default page

IKE Aggressive Mode

  • ike-scan

Unexpected Open Ports

  • RDP

  • Telnet

Insufficient traffic Blocking

  • Geo-blocking not in place

  • Geo-blocking limits the attack surface

  • Whether it applies depends on where the client's customers are located

Undetected Malicious Activity

  • Brute-force attacks

  • Nmap scans

  • Nessus scans

  • Web enumeration
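The password spraying from Attacking Login Portals is exactly the activity this finding says went unnoticed. As an added example (not from the original notes), the Python below separates a spray (one source, many users, one or two attempts each) from a classic brute force (one source, one user, many attempts) over a constructed set of failed-logon records; the log format, IP addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample: logon records in a simplified
# "<timestamp> <source-ip> <username> <result>" form (not real logs).
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.5 alice FAIL
2024-03-01T09:00:03 203.0.113.5 bob FAIL
2024-03-01T09:00:05 203.0.113.5 carol FAIL
2024-03-01T09:00:07 203.0.113.5 dave FAIL
2024-03-01T09:00:09 203.0.113.5 erin FAIL
2024-03-01T09:00:11 203.0.113.5 frank OK
2024-03-01T09:01:00 198.51.100.9 alice FAIL
2024-03-01T09:01:01 198.51.100.9 alice FAIL
2024-03-01T09:01:02 198.51.100.9 alice FAIL
2024-03-01T09:01:03 198.51.100.9 alice FAIL
2024-03-01T09:01:04 198.51.100.9 alice FAIL
2024-03-01T09:05:00 192.0.2.20 bob FAIL
"""

def parse(log):
    """Yield (timestamp, src_ip, user, result) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("FAIL", "OK"):
            yield tuple(parts)

def detect_spray(log, min_users=5, max_per_user=2):
    """Spray signature: one source trying MANY distinct users, FEW failures each."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    for _, src, user, result in parse(log):
        if result == "FAIL":
            fails[src][user] += 1
    return {src: sorted(users) for src, users in fails.items()
            if len(users) >= min_users and max(users.values()) <= max_per_user}

def detect_brute_force(log, threshold=5):
    """Brute-force signature: one source hammering ONE user with many failures."""
    fails = defaultdict(int)  # (src, user) -> failed attempts
    for _, src, user, result in parse(log):
        if result == "FAIL":
            fails[(src, user)] += 1
    return {key: n for key, n in fails.items() if n >= threshold}

def successes_after_spray(log):
    """Users that logged in OK from a spraying source: treat as likely compromised."""
    sprayers = detect_spray(log)
    return sorted({u for _, src, u, r in parse(log) if r == "OK" and src in sprayers})
```

A single successful logon from a spraying source (frank above) is the alert worth paging on, since it is the account the sprayer will escalate from.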

Historically compromised accounts

  • Have I Been Pwned
