---
name: External Network Penetration Testing
description: This skill should be used when the user asks to "perform external pentesting", "conduct external network assessment", "enumerate external attack surface", "perform OSINT reconnaissance", or "test perimeter security". It provides comprehensive external network penetration testing methodologies.
version: 1.0.0
tags: [external-pentest, osint, reconnaissance, network-security, enumeration, penetration-testing]
---

# External Network Penetration Testing

## Purpose

Conduct comprehensive external network penetration testing including OSINT reconnaissance, subdomain enumeration, exposed service discovery, vulnerability scanning, and exploitation of internet-facing assets. This methodology covers the full external assessment lifecycle.

## Prerequisites

### Required Tools

- Nmap for network scanning
- Amass/Subfinder for subdomain enumeration
- Shodan/Censys for passive recon
- Recon-ng for OSINT framework
- Nuclei/Nessus for vulnerability scanning

### Required Knowledge

- Network protocols and services
- DNS and certificate transparency
- Cloud infrastructure concepts
- OSINT techniques

## Outputs and Deliverables

1. **Attack Surface Report** - Complete external footprint
2. **Subdomain Inventory** - All discovered subdomains
3. **Exposed Services** - Internet-facing services and versions
4. **Vulnerability Assessment** - Identified security issues

## Core Workflow

### Phase 1: OSINT Reconnaissance

Gather intelligence without direct target interaction:

```bash
# Google Dorks
site:company.com -site:www.company.com
site:*.company.com filetype:pdf
site:company.com inurl:admin
site:company.com intitle:"index of"
site:company.com

# Bing Dorks
site:company.com -site:www.company.com

# Certificate Transparency
curl -s "https://crt.sh/?q=%25.company.com&output=json" | jq -r '.[].name_value' | sort -u

# ASN Lookup
amass intel -org "Company Name"
whois -h whois.radb.net -- '-i origin AS12345'

# Using bgp.he.net
# https://bgp.he.net/dns/company.com

# Shodan search
shodan search "ssl.cert.subject.CN:company.com"
shodan search "hostname:company.com"
```

OSINT tools:

```bash
# SpiderFoot - automated OSINT
spiderfoot -s company.com -o output.html

# theHarvester
theHarvester -d company.com -b all

# Maltego - visual OSINT
# Use GUI for comprehensive link analysis
```

### Phase 2: Passive Reconnaissance

Discover assets without active scanning:

```bash
# DNS History
# SecurityTrails, DNSdumpster, ViewDNS.info

# Web Archive
waybackurls company.com | sort -u > archived_urls.txt

# Pastebin monitoring
# https://github.com/carlospolop/Pastos

# Credential leaks check
# dehashed, breach-parse, HaveIBeenPwned

# Social networks
# LinkedIn - employee enumeration
python3 linkedin2username.py -c "Company Name"

# Hunter.io - email discovery
curl "https://api.hunter.io/v2/domain-search?domain=company.com&api_key=KEY"
```

### Phase 3: Subdomain Enumeration

Comprehensive subdomain discovery:

```bash
# Amass - comprehensive enumeration
amass enum -d company.com -o subdomains.txt
amass enum -d company.com -passive -o passive_subs.txt

# Subfinder - fast passive enumeration
subfinder -d company.com -o subfinder.txt

# DNS brute-force
aiodnsbrute -t 20 company.com -w subdomains-top1million.txt

# DNScan
python3 dnscan.py -d company.com -w subdomains.txt

# Combine and dedupe the outputs produced above
cat subdomains.txt passive_subs.txt subfinder.txt | sort -u > all_subs.txt

# Certificate Transparency with ct-exposer
python3 ct-exposer.py -d company.com

# TLSX for SAN extraction
echo "10.0.0.0/8" | tlsx -san -silent

# Resolve live subdomains
cat all_subs.txt | httpx -o live_subs.txt
```

### Phase 4: Subdomain Takeover Testing

Check for vulnerable subdomains:

```bash
# Subjack
subjack -w subdomains.txt -t 100 -timeout 30 -o takeover.txt -ssl

# Nuclei subdomain takeover templates
nuclei -l subdomains.txt -t takeovers/

# Manual checks for:
# - CNAME pointing to unclaimed services
# - Azure/AWS/Heroku/GitHub Pages misconfigurations
# - Expired domain CNAMEs

# Common vulnerable services:
# AWS S3, Azure, Heroku, GitHub Pages, Shopify
# Zendesk, Fastly, Pantheon, Tumblr, WordPress
```

### Phase 5: Active Reconnaissance

Direct target scanning:

```bash
# Masscan - fast port discovery
masscan -p1-65535 --rate 10000 -iL targets.txt -oG masscan.out

# Nmap - service enumeration
nmap -sV -sC -p- -iL live_hosts.txt -oA nmap_full

# NSE script categories
nmap --script=default,vuln,discovery -p 22,80,443 target.com

# Shodan integration
shodan host <ip>
shodan search "hostname:company.com"

# Censys
censys search "parsed.names: company.com"

# HTTP/HTTPS screenshots
gowitness file -f live_subs.txt -P screenshots/
eyewitness -f live_subs.txt --web
aquatone -out aquatone_output < live_subs.txt
```

### Phase 6: Exposed Services Testing

#### HTTP/HTTPS

```bash
# Technology fingerprinting
whatweb https://target.com
wappalyzer https://target.com

# Directory enumeration
gobuster dir -u https://target.com -w directory-list.txt
feroxbuster -u https://target.com -w wordlist.txt

# Virtual host discovery
gobuster vhost -u https://target.com -w vhosts.txt

# IIS specific
java -jar iis_shortname_scanner.jar https://iiswebsite.com

# Check aspnet_client folder
curl https://target.com/aspnet_client/
```

#### Email Services (SMTP)

```bash
# SPF/DKIM/DMARC check
python3 spoofy.py -d company.com -o stdout
./spoofcheck.py company.com

# Open relay testing
nmap --script smtp-open-relay -p 25 target.com

# User enumeration
smtp-user-enum -M VRFY -U users.txt -t target.com
```

#### DNS

```bash
# Zone transfer
dig @ns1.target.com axfr target.com
fierce --domain target.com

# DNS reconnaissance
dnsrecon -d target.com -t std
dnsenum target.com
```

#### SNMP

```bash
# Community string brute-force
onesixtyone -c community.txt target.com

# SNMP enumeration
snmpwalk -v2c -c public target.com
```

#### VPN/Remote Access

```bash
# IKE Aggressive Mode
ike-scan -M -A target.com

# SSL VPN enumeration
nmap --script ssl-enum-ciphers -p 443 target.com
```

### Phase 7: Cloud Enumeration

```bash
# AWS S3 buckets
aws s3 ls s3://company-backup --no-sign-request
python3 cloud_enum.py -k company

# Azure blob storage
# https://company.blob.core.windows.net/

# GCP storage
# https://storage.googleapis.com/company-bucket

# MicroBurst (Azure, PowerShell)
Invoke-EnumerateAzureBlobs -Base company

# CloudFlare bypass
python3 CloudUnflare.py -d target.com
```

### Phase 8: Vulnerability Scanning

```bash
# Nuclei - template-based scanning
nuclei -l targets.txt -t nuclei-templates/ -o nuclei_results.txt

# Nessus (commercial)
# Use external scan profile

# Web vulnerability scanning
nikto -h https://target.com
wpscan --url https://target.com/wordpress
joomscan -u https://target.com/joomla

# SSL/TLS testing
testssl.sh https://target.com
sslscan target.com
```

### Phase 9: Password Attacks

Password spraying against external services:

```bash
# CredMaster - multi-service spraying
python3 credmaster.py --plugin o365 -u users.txt -p "Winter2024!"

# O365/Azure
python3 MSOLSpray.py -u users.txt -p "Password123!"
trevorspray -e emails.txt --passwords passwords.txt --delay 15

# OWA (commands after msfconsole are entered at the msf prompt)
msfconsole
use auxiliary/scanner/http/owa_login
set RHOSTS mail.company.com
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

# VPN
python3 checkpointSpray.py -u users.txt -p "Winter2024!" -t vpn.company.com

# IP rotation for evasion
# Use AWS API Gateway rotation
# Fireprox: https://github.com/ustayready/fireprox
```

### Phase 10: Exploitation

#### Exposed Credentials

```bash
# Git repository secrets
gitleaks detect --source . -v
trufflehog git https://github.com/company/repo
shhgit --live

# .git folder exposure
curl -s https://target.com/.git/config
git-dumper https://target.com/.git/ output_dir/
```

#### Default Credentials

```bash
# Check common defaults
# https://cirt.net/passwords
# https://datarecovery.com/rd/default-passwords/

# Common services:
# Jenkins: admin/admin
# Tomcat: tomcat/tomcat
# Grafana: admin/admin
# phpMyAdmin: root/
```

#### RCE Vulnerabilities

```bash
# Search for RCE-as-a-feature
# Jenkins script console
# Serv-U FTP server
# Application deployment endpoints

# Nuclei RCE templates
nuclei -l targets.txt -t cves/ -severity critical,high

# Metasploit (search is entered at the msf prompt)
msfconsole
search type:exploit cve:2024
```

## Quick Reference

### Reconnaissance Commands

| Tool | Command |
|------|---------|
| Amass | `amass enum -d domain.com` |
| Subfinder | `subfinder -d domain.com` |
| Shodan | `shodan search "hostname:domain.com"` |
| crt.sh | `curl "https://crt.sh/?q=%25.domain.com"` |
| theHarvester | `theHarvester -d domain.com -b all` |

### Port Scanning

| Scan Type | Command |
|-----------|---------|
| Fast discovery | `masscan -p1-65535 --rate 10000 target` |
| Service scan | `nmap -sV -sC -p- target` |
| UDP scan | `nmap -sU --top-ports 100 target` |
| Vuln scan | `nmap --script=vuln target` |

### Web App Testing

| Test | Tool/Command |
|------|--------------|
| Directory enum | `gobuster dir -u URL -w wordlist.txt` |
| Tech fingerprint | `whatweb URL` |
| Screenshots | `gowitness file -f subs.txt` |
| Vuln scan | `nuclei -l targets.txt -t templates/` |

### Common External Services

| Port | Service | Test Focus |
|------|---------|------------|
| 21 | FTP | Anonymous login, version vulns |
| 22 | SSH | Password spraying, weak keys |
| 25 | SMTP | Open relay, user enum |
| 53 | DNS | Zone transfer |
| 80/443 | HTTP/S | Web vulnerabilities |
| 445 | SMB | Null sessions, vulns |
| 3389 | RDP | Password spray, BlueKeep |

## Constraints and Limitations

### Scope Considerations

- Only test authorized IP ranges
- Respect rate limits and service availability
- Avoid DoS conditions
- Document all testing activities

### Legal Requirements

- Written authorization mandatory
- Stay within defined scope
- Notify ISPs if required
- Follow rules of engagement

### Technical Limitations

- WAF may block scanning
- Rate limiting on services
- Geo-restrictions may apply
- Some services may require credentials

## Troubleshooting

### No Subdomains Found

**Solutions:**

1. Use multiple enumeration tools
2. Try certificate transparency
3. Check DNS history services
4. Search for mentions on social media
5. Try reverse WHOIS lookups

### Scans Being Blocked

**Solutions:**

1. Reduce scan rate
2. Use IP rotation
3. Try different source IPs
4. Use passive reconnaissance first
5. Schedule scans during off-hours

### Password Spray Lockouts

**Solutions:**

1. Increase delay between attempts
2. Respect lockout thresholds
3. Use IP rotation
4. Target multiple services
5. Check MFA requirements first