# External Pentesting

## ROE (Rules of Engagement)

* This document should be signed, and you should keep a copy of it.

## Verify Scope

1. Scan the IPs to verify that we are not attacking another company
2. Subdomains (**amass, assetfinder, DNSRecon, Subfinder** )

Use Google Dorking:

* site: domain.com -www
* site: domain.com
* site: \*.domain.com

## Vulnerability Scan

Run this first, before starting the main part of the engagement.

* OpenVAS
* Nessus - <https://www.tenable.com/products/nessus>

## External OSINT

### Breach Creds

* <https://github.com/hmaverickadams/breach-parse>
* <https://dehashed.com/>
* <https://haveibeenpwned.com/>

### Identifying Emails & Employees

* Research the email naming convention (e.g. firstname.lastname).
* Phonebook.cz - <https://phonebook.cz/>
* Scrape the company's LinkedIn with tools, then combine the employee names with the email naming convention.
* LinkedIn2Username - <https://github.com/initstring/linkedin2username>
* LinkedInt - <https://github.com/vysecurity/LinkedInt>

### Enumerating valid accounts

* Check login form or password reset forms for user enumeration.
* CredMaster - <https://github.com/knavesec/CredMaster>
* TrevorSpray - <https://github.com/blacklanternsecurity/TREVORspray>

## Attacking

### Attacking Login Portals

* Password Strategy: currentSeason + currentYear + SpecialChar + location + address + companyname

### OWA (Outlook Web Access)

* Password Spray
* msf: `scanner` module `owa_login`
* Check the OWA Version

### Other Portals

* Burpsuite Intruder
* FFuF
* Wfuzz

## Bypassing MFA

* ike-scan

## Escalating Privileges

* In Office 365, for instance, look for other accounts.
* If **portal.azure.com** is accessible, look for other accounts there.
* Password spray with passwords found previously.

## Common Findings

### Insufficient Auth Controls

* Bypass MFA
* No MFA

### Weak Password Policy

* Recommend guidelines such as NIST and OWASP.

### Insufficient Patching

* Unpatched software or services that need an update.

### Default Credentials

* SecLists
* CIRT.net default password database

### Insufficient Encryption

* Weak ciphers
* Test the SSL Certificate

### Information Disclosure

* Verbose error messages
* Verbose stack trace
* mDNS
* Server Version, languages, response headers etc.

### Username Enum

* A broken-authentication finding such as a login form returning "Invalid Username", which differs from the message shown for a wrong password and so confirms which usernames exist.
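An added example (not from these notes) of the finding above: a login handler whose distinct error messages confirm usernames, beside a hardened version that returns one generic message and does the same hashing work for unknown users, plus the check a reviewer can run against both. The user store, salt and passwords are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample store: username -> PBKDF2 hash (example values, not real accounts).
_SALT = b"example-salt"
_ITERS = 100_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERS)


USERS = {"alice": _hash("correct horse")}


def login_vulnerable(username: str, password: str) -> str:
    """Distinct messages reveal whether the username exists (username enumeration)."""
    if username not in USERS:
        return "Invalid Username"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return "Invalid Password"
    return "OK"


# Dummy hash so unknown users cost the same hashing work (no timing tell either).
_DUMMY = _hash("dummy-password")


def login_hardened(username: str, password: str) -> str:
    """One generic message, same work and constant-time compare for known and unknown users."""
    stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(stored, _hash(password))
    if match and username in USERS:
        return "OK"
    return "Invalid username or password"


def leaks_username(login, known_user: str, unknown_user: str) -> bool:
    """Reviewer check: does a known vs. an unknown user produce different responses?"""
    return login(known_user, "wrong-password") != login(unknown_user, "wrong-password")
```

The same check applies to password-reset forms, where "no account with that email" is the usual equivalent of "Invalid Username".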

### Default Pages

* Apache default pages
* IIS default page

### IKE Aggressive Mode

* ike-scan

### Unexpected Open Ports

* RDP
* Telnet

### Insufficient Traffic Blocking

* Geo-blocking not in place
* Geo-blocking limits the attack surface
* Depends on where the client's customers are located

### Undetected Malicious Activity

* Brute-Force Attacks
* Nmap
* Nessus
* Web Enum

### Historical Account Compromise

* Have I been Pwned

