# External Network Penetration Testing
## Purpose
Conduct comprehensive external network penetration testing including OSINT reconnaissance, subdomain enumeration, exposed service discovery, vulnerability scanning, and exploitation of internet-facing assets. This methodology covers the full external assessment lifecycle.
## Prerequisites
### Required Tools
- Nmap for network scanning
- Amass/Subfinder for subdomain enumeration
- Shodan/Censys for passive recon
- Recon-ng for OSINT framework
- Nuclei/Nessus for vulnerability scanning
### Required Knowledge
- Network protocols and services
- DNS and certificate transparency
- Cloud infrastructure concepts
- OSINT techniques
## Outputs and Deliverables
- Attack Surface Report - Complete external footprint
- Subdomain Inventory - All discovered subdomains
- Exposed Services - Internet-facing services and versions
- Vulnerability Assessment - Identified security issues
## Core Workflow
### Phase 1: OSINT Reconnaissance
Gather intelligence without direct target interaction:
```text
# Google Dorks
site:company.com -site:www.company.com
site:*.company.com
filetype:pdf site:company.com
inurl:admin site:company.com
intitle:"index of" site:company.com
# Bing Dorks
site:company.com -site:www.company.com
```
```bash
# Certificate Transparency
curl -s "https://crt.sh/?q=%25.company.com&output=json" | jq -r '.[].name_value' | sort -u
# ASN Lookup
amass intel -org "Company Name"
whois -h whois.radb.net -- '-i origin AS12345'
# Using bgp.he.net
# https://bgp.he.net/dns/company.com
# Shodan search
shodan search "ssl.cert.subject.CN:company.com"
shodan search "hostname:company.com"
```
OSINT tools:
```bash
# SpiderFoot - automated OSINT
spiderfoot -s company.com -o output.html
# theHarvester
theHarvester -d company.com -b all
# Maltego - visual OSINT
# Use GUI for comprehensive link analysis
```
### Phase 2: Passive Reconnaissance
Discover assets without active scanning:
```bash
# DNS History
# SecurityTrails, DNSdumpster, ViewDNS.info
# Web Archive
waybackurls company.com | sort -u > archived_urls.txt
# Pastebin monitoring
# https://github.com/carlospolop/Pastos
# Credential leaks check
# dehashed, breach-parse, HaveIBeenPwned
# Social networks
# LinkedIn - employee enumeration
python3 linkedin2username.py -c "Company Name"
# Hunter.io - email discovery
curl "https://api.hunter.io/v2/domain-search?domain=company.com&api_key=KEY"
```
### Phase 3: Subdomain Enumeration
Comprehensive subdomain discovery:
```bash
# Amass - comprehensive enumeration
amass enum -d company.com -o subdomains.txt
amass enum -d company.com -passive -o passive_subs.txt
# Subfinder - fast passive enumeration
subfinder -d company.com -o subfinder.txt
# DNS brute-force
aiodnsbrute -t 20 company.com -w subdomains-top1million.txt
# DNScan
python3 dnscan.py -d company.com -w subdomains.txt
# Combine and dedupe the outputs of the tools above
cat subdomains.txt passive_subs.txt subfinder.txt | sort -u > all_subs.txt
# Certificate Transparency with ct-exposer
python3 ct-exposer.py -d company.com
# TLSX for SAN extraction
echo "10.0.0.0/8" | tlsx -san -silent
# Resolve live subdomains
cat all_subs.txt | httpx -o live_subs.txt
```
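The `jq` one-liner in Phase 1 and ct-exposer in this phase both read crt.sh, but a raw name list hides two things a reviewer of the attack surface wants: a `name_value` field can hold several newline-separated identities, and a hostname that appears only on long-expired certificates is a likely decommissioned host whose DNS record deserves a dangling check. The following is an added example, not part of the original page or any of the tools it names; it parses a constructed sample in the shape of crt.sh's `output=json` records (the `name_value` and `not_after` fields are real crt.sh field names) into a normalised, in-scope inventory and flags stale names.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's output=json records (not real data).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.company.com",
     "name_value": "www.company.com\ncompany.com", "not_after": "2025-01-01T00:00:00"},
    {"id": 2, "common_name": "*.company.com",
     "name_value": "*.company.com", "not_after": "2025-06-01T00:00:00"},
    {"id": 3, "common_name": "old-vpn.company.com",
     "name_value": "old-vpn.company.com", "not_after": "2021-01-01T00:00:00"},
    {"id": 4, "common_name": "WWW.COMPANY.COM",
     "name_value": "WWW.COMPANY.COM\nmail.company.com", "not_after": "2025-09-01T00:00:00"},
])

def parse_crtsh(raw_json, domain):
    """Map each in-scope hostname to the latest not_after seen for it."""
    latest = {}
    for entry in json.loads(raw_json):
        expiry = datetime.fromisoformat(entry["not_after"])
        # One record can carry several identities separated by newlines.
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # wildcard: record the zone it covers, not '*'
            if name != domain and not name.endswith("." + domain):
                continue  # not part of the assessed domain
            if name not in latest or expiry > latest[name]:
                latest[name] = expiry
    return latest

def stale_names(latest, now_iso):
    """Names whose every certificate has expired: likely decommissioned hosts
    whose DNS records should be checked for dangling targets."""
    now = datetime.fromisoformat(now_iso)
    return sorted(n for n, exp in latest.items() if exp < now)

if __name__ == "__main__":
    inventory = parse_crtsh(SAMPLE_CRTSH_JSON, "company.com")
    for name in sorted(inventory):
        print(f"{name:25} last cert expires {inventory[name].date()}")
    print("stale:", stale_names(inventory, "2024-12-01T00:00:00"))
```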
### Phase 4: Subdomain Takeover Testing
Check for vulnerable subdomains:
```bash
# Subjack
subjack -w subdomains.txt -t 100 -timeout 30 -o takeover.txt -ssl
# Nuclei subdomain takeover templates
nuclei -l subdomains.txt -t takeovers/
# Manual checks for:
# - CNAME pointing to unclaimed services
# - Azure/AWS/Heroku/GitHub Pages misconfigurations
# - Expired domain CNAMEs
# Common vulnerable services:
# AWS S3, Azure, Heroku, GitHub Pages, Shopify
# Zendesk, Fastly, Pantheon, Tumblr, WordPress
```
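The manual checks above reduce to a zone audit a defender can run on their own records: for every CNAME, does the target still resolve, and does it point at a third-party platform where the name could be re-registered by someone else? The following is an added example, not part of the original page or of subjack/nuclei; it uses a constructed CNAME table and an injectable resolver so it runs offline (the third-party suffix list is illustrative, drawn from the platforms named above, and not exhaustive). A target that fails to resolve is the strongest signal; a platform that answers for any name still needs the provider's own ownership check, which is why third-party targets are reported separately rather than marked safe.

```python
# Illustrative third-party CNAME suffixes for the platforms listed above (not exhaustive).
THIRD_PARTY_SUFFIXES = (
    ".s3.amazonaws.com", ".azurewebsites.net", ".cloudapp.net", ".trafficmanager.net",
    ".herokuapp.com", ".github.io", ".myshopify.com", ".zendesk.com",
    ".fastly.net", ".pantheonsite.io", ".tumblr.com", ".wordpress.com",
)

# Constructed zone data: hostname -> CNAME target (not real records).
SAMPLE_CNAMES = {
    "blog.company.com": "company-blog.herokuapp.com",
    "docs.company.com": "company.github.io",
    "promo.company.com": "old-campaign-site.example",
    "www.company.com": "www.company.com.cdn.example.net",
}

# Constructed resolver view: the CNAME targets that still resolve.
SAMPLE_RESOLVABLE = {"company.github.io", "www.company.com.cdn.example.net"}

def resolves(target):
    """Offline stand-in for a real lookup (e.g. socket.gethostbyname); NXDOMAIN -> False."""
    return target in SAMPLE_RESOLVABLE

def audit_cnames(cnames, resolver=resolves):
    """Classify each CNAME as 'dangling' (target no longer resolves),
    'third-party' (resolves, but hosted on a platform to re-verify ownership) or 'ok'."""
    findings = {}
    for host, target in cnames.items():
        target = target.rstrip(".").lower()
        if not resolver(target):
            findings[host] = "dangling"      # remove the record or reclaim the target
        elif target.endswith(THIRD_PARTY_SUFFIXES):
            findings[host] = "third-party"   # confirm the account still owns this name
        else:
            findings[host] = "ok"
    return findings

if __name__ == "__main__":
    for host, verdict in sorted(audit_cnames(SAMPLE_CNAMES).items()):
        print(f"{host:22} {verdict}")
```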
### Phase 5: Active Reconnaissance
Direct target scanning:
```bash
# Masscan - fast port discovery
masscan -p1-65535 --rate 10000 -iL targets.txt -oG masscan.out
# Nmap - service enumeration
nmap -sV -sC -p- -iL live_hosts.txt -oA nmap_full
# NSE script categories
nmap --script=default,vuln,discovery -p 22,80,443 target.com
# Shodan integration
shodan host <IP>
shodan search "hostname:company.com"
# Censys
censys search "parsed.names: company.com"
# HTTP/HTTPS screenshots
gowitness file -f live_subs.txt -P screenshots/
eyewitness -f live_subs.txt --web
aquatone -out aquatone_output < live_subs.txt
```
### Phase 6: Exposed Services Testing
#### HTTP/HTTPS
```bash
# Technology fingerprinting
whatweb https://target.com
wappalyzer https://target.com
# Directory enumeration
gobuster dir -u https://target.com -w directory-list.txt
feroxbuster -u https://target.com -w wordlist.txt
# Virtual host discovery
gobuster vhost -u https://target.com -w vhosts.txt
# IIS specific
java -jar iis_shortname_scanner.jar https://iiswebsite.com
# Check aspnet_client folder
curl https://target.com/aspnet_client/
```
#### Email Services (SMTP)
```bash
# SPF/DKIM/DMARC check
python3 spoofy.py -d company.com -o stdout
./spoofcheck.py company.com
# Open relay testing
nmap --script smtp-open-relay -p 25 target.com
# User enumeration
smtp-user-enum -M VRFY -U users.txt -t target.com
```
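What spoofy and spoofcheck report comes down to two records: the qualifier on SPF's terminal `all` mechanism and the `p=` tag of the `_dmarc` TXT record. The following is an added example, not part of the original page or of either tool; it evaluates constructed TXT records (not live DNS) and returns the findings a domain owner should fix, treating a missing or duplicated SPF record, anything weaker than `-all`, and a missing or `p=none` DMARC policy as findings.

```python
# Constructed TXT records for an assessed domain (not real DNS data).
SAMPLE_TXT = {
    "company.com": [
        "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all",
        "google-site-verification=abc123",
    ],
    "_dmarc.company.com": ["v=DMARC1; p=none; rua=mailto:dmarc@company.com"],
}

def spf_record(txts):
    """Return the SPF record, or None if it is absent or duplicated (both break SPF)."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def spf_all_qualifier(spf):
    """Qualifier on the terminal 'all' mechanism ('-', '~', '?', '+') or None if absent."""
    for term in spf.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"  # bare 'all' means '+all'
    return None

def dmarc_policy(txts):
    """Value of the DMARC p= tag (lower-cased), or None when no DMARC record exists."""
    for t in txts:
        if t.lower().startswith("v=dmarc1"):
            tags = {}
            for kv in t.split(";"):
                if "=" in kv:
                    k, v = kv.split("=", 1)
                    tags[k.strip().lower()] = v.strip().lower()
            return tags.get("p")
    return None

def spoofing_findings(txt_by_name, domain):
    """Misconfigurations that let forged mail through; an empty list means SPF and DMARC are strict."""
    findings = []
    spf = spf_record(txt_by_name.get(domain, []))
    if spf is None:
        findings.append("SPF: no single valid record")
    else:
        q = spf_all_qualifier(spf)
        if q != "-":
            findings.append(f"SPF: terminal all qualifier is {q!r}, not '-' (hard fail)")
    policy = dmarc_policy(txt_by_name.get("_dmarc." + domain, []))
    if policy is None:
        findings.append("DMARC: no record")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; forged mail is still delivered")
    return findings
```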
#### DNS
```bash
# Zone transfer
dig @ns1.target.com axfr target.com
fierce --domain target.com
# DNS reconnaissance
dnsrecon -d target.com -t std
dnsenum target.com
```
#### SNMP
```bash
# Community string brute-force
onesixtyone -c community.txt target.com
# SNMP enumeration
snmpwalk -v2c -c public target.com
```
#### VPN/Remote Access
```bash
# IKE Aggressive Mode
ike-scan -M -A target.com
# SSL VPN enumeration
nmap --script ssl-enum-ciphers -p 443 target.com
```
### Phase 7: Cloud Enumeration
```bash
# AWS S3 buckets
aws s3 ls s3://company-backup --no-sign-request
python3 cloud_enum.py -k company
# Azure blob storage
# https://company.blob.core.windows.net/
# GCP storage
# https://storage.googleapis.com/company-bucket
# MicroBurst (Azure, PowerShell)
Invoke-EnumerateAzureBlobs -Base company
# CloudFlare bypass
python3 CloudUnflare.py -d target.com
```
### Phase 8: Vulnerability Scanning
```bash
# Nuclei - template-based scanning
nuclei -l targets.txt -t nuclei-templates/ -o nuclei_results.txt
# Nessus (commercial)
# Use external scan profile
# Web vulnerability scanning
nikto -h https://target.com
wpscan --url https://target.com/wordpress
joomscan -u https://target.com/joomla
# SSL/TLS testing
testssl.sh https://target.com
sslscan target.com
```
### Phase 9: Password Attacks
Password spraying against external services:
```bash
# CredMaster - multi-service spraying
python3 credmaster.py --plugin o365 -u users.txt -p "Winter2024!"
# O365/Azure
python3 MSOLSpray.py -u users.txt -p "Password123!"
trevorspray -e emails.txt --passwords passwords.txt --delay 15
# OWA
msfconsole
use auxiliary/scanner/http/owa_login
set RHOSTS mail.company.com
set USER_FILE users.txt
set PASS_FILE passwords.txt
run
# VPN
python3 checkpointSpray.py -u users.txt -p "Winter2024!" -t vpn.company.com
# IP rotation for evasion
# Use AWS API Gateway rotation
# Fireprox: https://github.com/ustayready/fireprox
```
### Phase 10: Exploitation
#### Exposed Credentials
```bash
# Git repository secrets
gitleaks detect --source . -v
trufflehog git https://github.com/company/repo
shhgit --live
# .git folder exposure
curl -s https://target.com/.git/config
git-dumper https://target.com/.git/ output_dir/
```
#### Default Credentials
```bash
# Check common defaults
# https://cirt.net/passwords
# https://datarecovery.com/rd/default-passwords/
# Common services:
# Jenkins: admin/admin
# Tomcat: tomcat/tomcat
# Grafana: admin/admin
# phpMyAdmin: root/<blank>
```
#### RCE Vulnerabilities
```bash
# Search for RCE-as-a-feature
# Jenkins script console
# Serv-U FTP server
# Application deployment endpoints
# Nuclei RCE templates
nuclei -l targets.txt -t cves/ -severity critical,high
# Metasploit
msfconsole
search type:exploit cve:2024
```
## Quick Reference
### Reconnaissance Commands
| Tool | Command |
|---|---|
| Amass | amass enum -d domain.com |
| Subfinder | subfinder -d domain.com |
| Shodan | shodan search "hostname:domain.com" |
| crt.sh | curl "https://crt.sh/?q=%25.domain.com" |
| theHarvester | theHarvester -d domain.com -b all |
### Port Scanning
| Scan Type | Command |
|---|---|
| Fast discovery | masscan -p1-65535 --rate 10000 target |
| Service scan | nmap -sV -sC -p- target |
| UDP scan | nmap -sU --top-ports 100 target |
| Vuln scan | nmap --script=vuln target |
### Web App Testing
| Test | Tool/Command |
|---|---|
| Directory enum | gobuster dir -u URL -w wordlist.txt |
| Tech fingerprint | whatweb URL |
| Screenshots | gowitness file -f subs.txt |
| Vuln scan | nuclei -l targets.txt -t templates/ |
### Common External Services
| Port | Service | Test Focus |
|---|---|---|
| 21 | FTP | Anonymous login, version vulns |
| 22 | SSH | Password spraying, weak keys |
| 25 | SMTP | Open relay, user enum |
| 53 | DNS | Zone transfer |
| 80/443 | HTTP/S | Web vulnerabilities |
| 445 | SMB | Null sessions, vulns |
| 3389 | RDP | Password spray, BlueKeep |
## Constraints and Limitations
### Scope Considerations
- Only test authorized IP ranges
- Respect rate limits and service availability
- Avoid DoS conditions
- Document all testing activities
### Legal Requirements
- Written authorization mandatory
- Stay within defined scope
- Notify ISPs if required
- Follow rules of engagement
### Technical Limitations
- WAF may block scanning
- Rate limiting on services
- Geo-restrictions may apply
- Some services may require credentials
## Troubleshooting
### No Subdomains Found
Solutions:
- Use multiple enumeration tools
- Try certificate transparency
- Check DNS history services
- Search for mentions on social media
- Try reverse WHOIS lookups
### Scans Being Blocked
Solutions:
- Reduce scan rate
- Use IP rotation
- Try different source IPs
- Use passive reconnaissance first
- Schedule scans during off-hours
### Password Spray Lockouts
Solutions:
- Increase delay between attempts
- Respect lockout thresholds
- Use IP rotation
- Target multiple services
- Check MFA requirements first
Repository: zebbern/secops-…i-guides