Hey everybody! I made this repo to share with you how I conduct an External Penetration test for my clients, what tools and methodologies I use and how I gain access (or not) to the Intranet of a company. This isn't like an OSINT investigation: now you have to interact with your target directly, and that comes with a lot of organization and significantly more paperwork. Make sure to state the type of the penetration test in the ROI, which in this case is an External Penetration test.
BEFORE SIGNING THE CONTRACT, THE NDA, THE ROI (RULES OF ENGAGEMENT) AND SENDING OUT THE KICKOFF EMAIL, DON'T TOUCH ANYTHING. IT DOESN'T MATTER WHAT YOUR CLIENT SAYS OR HOW URGENT IT IS, THE LEGAL PAPERWORK COMES FIRST!
DISCLAIMER: Only conduct a Penetration Test if you have explicit permission from the client to do so. Use the tools and techniques at your own responsibility. I am NOT accountable for any possible damage you cause. Be ethical folks!
After signing the ROI and the contract and sending out the kickoff email to your contact, we can begin our tests. If you haven't conducted OSINT research on the company yet, this is a perfect opportunity to do so.
- Identify the target's website
- Identify the public addresses owned by the client (firewalls, machines in the cloud, websites, login portals, IoT stuff)
- Work out the email address format the company uses (look for email addresses on their socials, use hunter.io, clearbit...etc)
- Collect employee email addresses and put them in a file.
- Validate the email addresses (email-checker, email-hippo)
- Check if any of the found email addresses show up in a data breach (dehashed, haveibeenpwned...etc)
- Download and scrape through all of the files hosted on their website (FOCA is an amazing tool for this task)
- Organize your findings in your notes and make a graph to visualize it for your report. (I use Maltego, but use whatever tool you like)
At this point you should have an email.txt with working email addresses and some passwords. You should have a list of the internet-facing IP addresses of your client, a domain name and a login portal. Make sure to save the output of FOCA, so you can go through it manually as well. Sometimes you can extract the printer model and firmware version from a pdf or word file's metadata, which can help you in future engagements. It's awesome that nobody ever asked the question: "Why does the printer send HTTP requests to the web server?"
After identifying the public-facing assets and making sure they are up and running, we start to enumerate them.
- Use Shodan or Censys for firewalls and IoT devices
- Use Nessus or OpenVAS for domains and login portals
- Some people use nmap as well for its built-in scripts. I don't like it because it's noisy and almost never comes back with anything useful, but that's up to you.
- BurpSuite and OWASP ZAP can be amazing as well. The more tools you use the more things you find!
So by now you should have enumerated the IP addresses: you know what ports are open on them, what services they provide, version numbers... Now you can look for public exploits. Think outside of the box: sometimes you can downgrade the firmware version of a firewall to make it vulnerable (close the TFTP port guys, pls) or abuse their DNS server.
Before exploiting, make sure to read the ROI again and try to respect the CIA triad: if you bring down the client's firewall and they stop making money, that's going to be your fault and they will never call you back. If you find a vulnerability which has the potential to crash a device (kernel exploits, firmware exploits..etc), the first thing you do is call your contact or the IT ops team and inform them. Critical vulnerabilities are always reported before terminating the engagement. If you are doing a full assessment, ask for a white card instead of bringing down their whole infrastructure, okay?
- Start with IoT devices, IP cameras, smart fridges, anything which is connected to the Internet. Look for default credentials and common passwords (password, 12345, qwerty..etc) and try to guess them. After installing a device like this they almost never change the default password.
- Follow up with the web application: abuse file upload functions, use public exploits, gain a shell on the machine. Give it only a good hour; you don't have to fully enumerate and test their web apps. Remember, you are doing an External Pentest, not a web app assessment.
- Use the login portal to validate the obtained email addresses, e.g. via the password reset function. Check if they have MFA implemented, the type of it...etc.
- Try to log in with the obtained email addresses and the breached passwords. ALWAYS check if they have some fail2ban-style lockout system implemented and do NOT lock out their users. If users get banned after 5 failed login attempts, go for 4 only. For this task I use a technique called password spraying, and Burp Suite is my go-to tool. But you can use any brute force program like Hydra or trevorspray, or write your own tool for the task.
- If MFA is present, try to bypass it using public exploits. Some MFA systems are more vulnerable than others. Also, feel free to just send an authentication prompt to the employees; sometimes they just accept it. Don't use MFA fatigue or Social Engineering if they are not clearly stated in the ROI.
Stay frosty: after gaining initial access you don't have to go any further, you don't have to persist, nothing, just stop. Make good notes and screenshots of your findings, and if you happen to find a critical vulnerability (although it's not likely) inform the company before anything else. Organize your notes and screenshots and prepare for report writing.
Your report should have the following things:
- Cover page (put your logo here or just put External Penetration test here)
- Table of contents (goes without explanation)
- Confidentiality statement (Refer to the ROI and the NDA)
- Contact information (Point of contact from the client and from your company)
- Assessment Overview (x was tasked by y to research z, this includes…etc)
- Type of the assessment (External penetration test, prohibited / allowed techniques)
- Scope of the engagement (domains, IPs, login portals)
- Executive Summary (use numbers: during the engagement we identified x vulnerabilities, y breached users...we managed to gain access via...)
- Findings (use CVSS to assess risk, IP addresses with vulns, breached users, login portal with vulns)
- Technical evidence (Here you put the technique you used, a link to the tool you used, the steps you followed to obtain the results, additional notes and a screenshot about the findings as a PoC.)
- Recommendations (refer to security frameworks like NIST or MITRE.)
Common findings:
- Default creds (mostly amongst IoT devices)
- Weak Password Policy (if you can login with 123456 you can put this in your report)
- Insufficient Authentication Controls (login portal, web app uses HTTP instead of HTTPS)
- Insufficient patching (Usage of outdated services like Apache or PHP v4.0...etc)
- Information disclosure (Most of your findings will belong to this category)
- Open Mail Relays (If you happen to find an SMTP server and you can send an email through it, put this in your report as well)
- Default web pages (goes without explanation)
- Unexpected perimeter services (RDP, telnet...etc)
- Undetected Malicious Activity (If you brute force the login portal and they cannot detect you, make sure to put this in your report)
- Historical Account Compromises (for breached accounts)
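The "Undetected Malicious Activity" finding above and the spraying step earlier (many accounts, each kept under the lockout threshold) describe the same pattern from two sides. Here is detection logic for it, added as an example that is not part of this repo: it runs over constructed portal auth log lines in an assumed format and flags a source whose failures are spread across many accounts while every account stays below the lockout threshold.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed format, not from any real system).
# 203.0.113.10 sprays one password across many accounts, staying well under
# a 5-attempt lockout per user, then succeeds on one of them.
# 198.51.100.7 is a legitimate user who mistypes twice and then logs in.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z portal auth=FAIL user=alice@example.com src=203.0.113.10
2024-03-01T08:00:02Z portal auth=FAIL user=bob@example.com src=203.0.113.10
2024-03-01T08:00:03Z portal auth=FAIL user=carol@example.com src=203.0.113.10
2024-03-01T08:00:04Z portal auth=FAIL user=dave@example.com src=203.0.113.10
2024-03-01T08:00:05Z portal auth=FAIL user=erin@example.com src=203.0.113.10
2024-03-01T08:00:06Z portal auth=OK user=frank@example.com src=203.0.113.10
2024-03-01T08:05:00Z portal auth=FAIL user=grace@example.com src=198.51.100.7
2024-03-01T08:05:09Z portal auth=FAIL user=grace@example.com src=198.51.100.7
2024-03-01T08:05:20Z portal auth=OK user=grace@example.com src=198.51.100.7
"""

LINE_RE = re.compile(r"auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)")


def parse(log_text):
    """Yield {'result', 'user', 'src'} dicts for every line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def find_spraying(events, min_distinct_users=4, lockout_threshold=5):
    """Return {src: summary} for sources that look like password spraying:
    failures against at least min_distinct_users accounts, with no single
    account reaching lockout_threshold (a per-account lockout never fires)."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failed attempts
    successes = defaultdict(set)                     # src -> users that later logged in
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["src"]][ev["user"]] += 1
        else:
            successes[ev["src"]].add(ev["user"])
    alerts = {}
    for src, per_user in fails.items():
        worst = max(per_user.values())
        if len(per_user) >= min_distinct_users and worst < lockout_threshold:
            alerts[src] = {"targeted_users": len(per_user),
                           "max_fails_per_user": worst,
                           "later_success": sorted(successes.get(src, ()))}
    return alerts
```

The legitimate user is not flagged because all of her failures hit one account, whereas the spraying source is flagged despite never triggering a lockout; correlating by source across accounts, not just per account, is what makes the activity detectable.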
If you want to learn more about this type of engagement, make sure to check out this amazing course by TCM Security dedicated to this topic: