🌐External Pentesting

ROE (Rules of Engagement)

• This doc should be signed and have a copy of it ; }

Verify Scope

1. Scan the IPs to verify that we are not attacking another company

2. Subdomains (amass, assetfinder, DNSRecon, Subfinder )

Use Google Dorking:

• site: domain.com -www

• site: domain.com

• site: *.domain.com

Vulnerability Scan

First thing todo before start with the big part.

• openVAS

• Nessus - https://www.tenable.com/products/nessus

External OSINT

Breach Creds

• https://github.com/hmaverickadams/breach-parse

• https://dehashed.com/

• https://haveibeenpwned.com/

Identifying Emails & Employees

• Do some research about naming convention for email (Ex: firstname.lastname)

• Phonebook.cz - https://phonebook.cz/

• Scrape Company LinkedIn with tools to put together the 2 conventions.

• LinkedIn2Username - https://github.com/initstring/linkedin2username

• LinkedInt - https://github.com/vysecurity/LinkedInt

Enumerating valid accounts

• Check login form or password reset forms for user enumeration.

• CredMaster - https://github.com/knavesec/CredMaster

• TrevorSpray - https://github.com/blacklanternsecurity/TREVORspray

Attacking

Attacking Login Portals

• Password Strategy: currentSeason + currentYear + SpecialChar + location + address + companyname

OWA (Outlook Web Access)

• Password Spray

• msf: scanner owa_login

• Check the OWA Version

Other Portals

• Burpsuite Intruder

• FFuF

• Wfuzz

Bypassing MFA

• ike-scan

Escalating Privileges

• Office for instance we can look for other accounts.

• if portal.azure.com find other accounts.

• Password spray with previous password found.

Common Findings

Insufficient Auth Controls

• Bypass MFA

• No MFA

Weak Password Policy

• Recommend Guidelines, NIST, OWASP

Insufficient Patching

• Unpatched software or services that needs an update.

Default Credentials

• SecLists

• Cirt

Insufficient Encryption

• Weak ciphers

• Test the SSL Certificate

Information Disclosure

• Verbose error messages

• Verbose stack trace

• mDNS

• Server Version, languages, response headers etc.

Username Enum

• Some Broken Authentication finding like "Invalid Username"

Default Pages

• Apache default pages

• IIS default page

IKE Aggressive Mode

• ike-scan

Unexpected Open Ports

• RDP

• Telnet

Insufficient traffic Blocking

• Geo blocking not in place

• Limits attack surface

• Depends on the customer location of the client

Undetected Malicious Activity

• Brute-Force Attacks

• Nmap

• Nessus

• Web Enum

Historical account compromised

• Have I been Pwned