Playbook: External Penetration Test

Scope: External attack surface (internet-facing assets) of a defined organization
Prerequisites: Signed scope/authorization letter; IP ranges and/or domain names in scope
MITRE Coverage: TA0043 Reconnaissance, T1190 Exploit Public-Facing App, T1566 Phishing, T1078 Valid Accounts

Objective

Identify exploitable attack paths from the internet to internal resources, without prior knowledge (black-box) or with organizational context (grey-box).
Steps

Phase 1: Passive Reconnaissance (Zero Contact with Target)

# Enumerate subdomains (passive)
subfinder -d target.com -o subdomains_passive.txt
amass enum -passive -d target.com -o subdomains_amass.txt
# Merge only the two passive result files (a bare *.txt would re-read all_subdomains.txt and any other .txt on reruns)
cat subdomains_passive.txt subdomains_amass.txt | sort -u > all_subdomains.txt

# Certificate transparency (the % wildcard must be URL-encoded as %25; strip leading "*." from wildcard certs)
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u

# ASN / IP range discovery
whois -h whois.radb.net '!gAS<number>'    # Routes originated by the ASN, once you have identified it
# Or: search BGP tools (bgp.he.net) for the org name

# Email harvesting (for phishing scope)
theHarvester -d target.com -b all -l 500

# Technology fingerprinting
whatweb https://target.com

# Google dorking
site:target.com filetype:pdf
site:target.com "index of"
site:target.com ext:log OR ext:bak OR ext:conf
"@target.com" inurl:login

Phase 2: Active Reconnaissance (Light Touch)

# Resolve and probe discovered subdomains
dnsx -l all_subdomains.txt -resp -a -aaaa -cname -o resolved.txt
# -resp lines look like "host [A] [ip]"; hand httpx only the hostname column
awk '{print $1}' resolved.txt | sort -u | httpx -title -status-code -tech-detect -o live_hosts.txt

# Port scan external IPs (all in-scope ranges)
nmap -T4 --top-ports 1000 -iL ip_ranges.txt -oA ext_scan

# Full port scan on interesting IPs
nmap -p- -sV -sC -T4 -oA full_scan <ip>

# Service enumeration
nmap --script http-title,http-headers -p 80,443,8080,8443 -iL ip_ranges.txt

Phase 3: Vulnerability Identification

# Nuclei on all live web services (httpx -o lines carry status/title/tech columns; feed only the URL)
awk '{print $1}' live_hosts.txt | nuclei -severity critical,high,medium -o nuclei.txt -stats

# Check for known CVEs in identified services
# Example: if Apache Struts detected → CVE-2017-5638; if Log4j in Java apps → CVE-2021-44228

# Web app fuzzing on each target
feroxbuster -u https://app.target.com -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt

# Default / blank credentials on management interfaces
nxc smb <ip> -u '' -p ''                                 # Null session
nxc smb <ip> -u Administrator -p '' --local-auth         # Blank password on local Administrator
nxc ssh <ip> -u root -p '' --continue-on-success

Phase 4: Authentication & Credential Attacks

# OWA / O365 / VPN password spraying (LOW AND SLOW — lockout risk)
# Determine the lockout policy first (public sources, or a single attempt against a dummy/test account)
# Use 1 password attempt per account per 30 minutes to stay safe

# O365 spray (with MSOLSpray or Spray-o-Matic)
Invoke-MSOLSpray -UserList users.txt -Password 'Company2024!'

# LinkedIn → harvest usernames → email format → spray
# Email format discovery: hunter.io, LinkedIn, banner/MOTD text on discovered SSH hosts

# Check for credential leaks: DeHashed, HaveIBeenPwned API, GitHub search
trufflehog github --org=TargetOrg
gitleaks detect --source .

Phase 5: Initial Access Attempts

  1. Web exploitation: Test all web apps found (see Web App Pentest).
  2. VPN/RDP credential stuffing: Known breach credentials + sprayed passwords.
  3. Exposed admin interfaces: Citrix, VMware, Confluence, Jira, GitLab, Jenkins.
  4. Phishing (if in scope): Launch phishing campaign to harvest VPN/O365 creds or deliver payload.
  5. Third-party exposure: Cloud storage buckets, exposed APIs, subdomain takeovers.

Phase 6: Subdomain Takeover Checks

# Check for dangling CNAMEs pointing to unclaimed cloud services
nuclei -l all_subdomains.txt -tags takeover -o takeovers.txt
# Manual: check if CNAME target (e.g., *.s3.amazonaws.com, *.github.io) is claimed

Phase 7: Post-Access (If Foothold Achieved)

  • Establish C2 (HTTPS preferred; blend with traffic patterns).
  • Internal recon (see Internal Network Pentest).
  • Document exact access path end-to-end for executive report.

Cleanup / Deconfliction

  • Remove any uploaded shells or payloads on external systems.
  • Deregister any claimed cloud resources (S3 buckets, etc.) after client approval.
  • Report critical external RCE or data exposure to client immediately.

Notes & Gotchas

  • Always confirm exact IP ranges in scope before scanning — scanning out-of-scope IPs can have legal consequences.
  • Email/username enumeration can happen through O365 timing differences even without spraying.
  • MFA is becoming universal on VPN/O365 — account for AiTM phishing if credential capture is the goal.
  • Verify authorization covers all discovered assets (new subdomains may be out of scope — check with client).
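Scope gate for the hosts Phase 2 discovers, tied to the two notes above about confirming ranges and authorization: an added example, not part of the original playbook, that keeps only hosts resolving into authorized IP ranges and sitting under authorized domains, and records why everything else was held back. The CIDRs, domains and resolved lines are constructed test data; the "host [A] [ip]" line shape is assumed to match what dnsx -resp prints.

```python
"""Scope gate: only hosts that resolve into authorized ranges AND sit
under authorized domains proceed to active scanning. Everything else is
parked with a reason so it can be raised with the client."""
import ipaddress
import re

# Constructed example scope (RFC 5737 documentation ranges, not real assets).
AUTHORIZED_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]
AUTHORIZED_DOMAINS = ["target.com"]

# Constructed sample in the assumed dnsx -resp line shape "host [TYPE] [value]".
SAMPLE_RESOLVED = """\
www.target.com [A] [203.0.113.10]
app.target.com [A] [203.0.113.22]
cdn.target.com [CNAME] [d111111abcdef8.cloudfront.net]
legacy.target.com [A] [198.51.100.200]
mail.target.com [A] [192.0.2.5]
target.com.evil-lookalike.net [A] [203.0.113.40]
"""

LINE_RE = re.compile(r"^(\S+) \[(A|AAAA|CNAME)\] \[([^\]]+)\]$")


def _under_domain(host, domains):
    """True if host equals an authorized domain or is a subdomain of one
    (suffix match on a dot boundary, so look-alike domains do not pass)."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def check_scope(resolved_text, cidrs=AUTHORIZED_CIDRS, domains=AUTHORIZED_DOMAINS):
    """Return (in_scope, excluded): in_scope is a sorted list of (host, ip)
    pairs cleared for scanning; excluded maps host -> reason it was held."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    in_scope, excluded = set(), {}
    for line in resolved_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unexpected line shape
        host, rtype, value = m.groups()
        if not _under_domain(host, domains):
            excluded[host] = "hostname not under an authorized domain"
        elif rtype == "CNAME":
            # Third-party targets (CDN, SaaS) need explicit confirmation.
            excluded[host] = f"CNAME to {value}: confirm ownership before scanning"
        elif any(ipaddress.ip_address(value) in n for n in nets):
            in_scope.add((host, value))
        else:
            excluded[host] = f"{value} outside authorized ranges (possible third-party host)"
    return sorted(in_scope), excluded
```

Write the in_scope IPs to ip_ranges.txt for the nmap steps and hand the excluded list to the client for a scope decision before touching any of it.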