External Penetration Testing 101: Breaking Down the Methodology (Part-1)

Jinendar Kothari
7 min read · Feb 4, 2024


Greeting Readers !!

In my latest blog post, I shared some insights into the basics of external penetration testing. If you haven’t checked it out yet, I suggest giving it a read right here.

In this blog, let’s delve deeper into the methodology of conducting an external pentest. It’s important to note that what I’m sharing is my personal approach, and methodologies can vary from person to person. I suggest using my methodology as a starting point, researching additional techniques to refine your own, and don’t forget to share your insights. As a novice, I’m eager to learn from your experiences.

We will be covering the following steps in this blog:

  1. Verifying the scope
  2. Finding subdomains
  3. Directory busting
  4. Finding vulnerabilities

Now, without further ado, let's dive in.

Verifying The Scope: Know before you go !!!!

The initial step in any external penetration test is verifying the testing scope. Some may question the necessity when the client has already defined it, but human error is always a factor: a mistyped IP range, a hostname that has since moved to a third-party provider, or an address the client never owned. Touching a host outside the agreed scope can have legal consequences for the pentester, so it is worth confirming before a single packet is sent.

As a longtime fan of Darknet Diaries, I came across a real-life scenario in which a penetration tester faced the same issue I’ve mentioned above. The details of this encounter are discussed in an episode, which you can listen to here.

We can verify our scope using online tools such as Hurricane Electric's BGP Toolkit and MXToolbox. The checks that matter are: who owns each IP range and ASN (WHOIS/RDAP), whether each in-scope hostname actually resolves to an address the client controls, and whether anything points at a CDN, cloud provider or other third party, which usually needs separate authorization before it can be tested.
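The resolution check described above, as an added example that is not part of the original post: it resolves each in-scope hostname and compares every returned address against the CIDR ranges the client supplied. The ranges and hostnames below are placeholders, not a real engagement, and the resolver is injectable so the logic can be exercised without network access.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample scope (documentation ranges, not a real client).
SCOPE_CIDRS = ["203.0.113.0/24", "2001:db8:10::/48"]
SCOPE_HOSTS = ["www.example.com", "mail.example.com", "cdn.example.com"]


def resolve(hostname: str) -> List[str]:
    """Return all A/AAAA addresses for a hostname via the system resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    # Strip any IPv6 zone id ("%eth0") so ipaddress can parse the literal.
    return sorted({info[4][0].split("%")[0] for info in infos})


def classify_hosts(
    hosts: Iterable[str],
    cidrs: Iterable[str],
    resolver: Callable[[str], List[str]] = resolve,
) -> Dict[str, Dict[str, List[str]]]:
    """For each host, split its addresses into those inside and outside the client's ranges."""
    networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    report: Dict[str, Dict[str, List[str]]] = {}
    for host in hosts:
        in_scope: List[str] = []
        out_of_scope: List[str] = []
        for addr in resolver(host):
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in networks):
                in_scope.append(addr)
            else:
                out_of_scope.append(addr)
        report[host] = {"in_scope": in_scope, "out_of_scope": out_of_scope}
    return report


def hosts_to_confirm(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Hosts that resolve to nothing, or to at least one address outside the ranges.

    These need a conversation with the client before testing: the address may
    belong to a CDN, a cloud provider, or simply be a mistake in the scope document.
    """
    return sorted(
        host for host, r in report.items() if r["out_of_scope"] or not r["in_scope"]
    )


if __name__ == "__main__":
    result = classify_hosts(SCOPE_HOSTS, SCOPE_CIDRS)
    for host, r in result.items():
        print(f"{host}: in={r['in_scope']} out={r['out_of_scope']}")
    print("confirm with client:", hosts_to_confirm(result))
```

Anything listed by `hosts_to_confirm` should be raised with the client in writing; a hostname that resolves to a range the client does not own is not in scope just because the name is.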

Finding Subdomains: Probing the Landscape

After verifying our scope, it’s time to hunt some subdomains.

Hunting subdomains is important for several reasons in the context of cybersecurity:

  1. Expanded Attack Surface: Subdomains can represent additional entry points for potential attackers. Identifying and understanding the full scope of subdomains helps in assessing the overall attack surface of an organization.
  2. Uncovered Vulnerabilities: Subdomains may host different services, applications, or systems, each with its own set of vulnerabilities. By hunting for subdomains, security professionals can uncover potential weak points that might be overlooked otherwise.
  3. Asset Discovery: Subdomain enumeration aids in discovering assets and resources that might not be explicitly mentioned in an organization’s documentation. This helps in maintaining an accurate inventory of digital assets.
  4. Third-Party Risks: Organizations often use third-party services and vendors, each with its subdomains. Hunting for subdomains ensures that all associated risks, including those related to third-party integrations, are identified and addressed.
  5. Phishing Protection: Cybercriminals often set up phishing sites on subdomains to mimic legitimate services. Identifying and monitoring subdomains can help in early detection and prevention of phishing attacks.

There are two broad methods of enumerating subdomains: scraping (passive) and brute-forcing (active).

Scraping: it is a passive method where enumeration is done by gathering information from publicly available sources, such as search engine results, certificate transparency logs, and DNS records. This method involves collecting data without actively sending requests to the target’s infrastructure, making it less likely to trigger security alerts.

Some of the tools and data sources for scraping include Shodan, Censys and crt.sh (queried directly, or through a tool such as Subfinder that aggregates many of these sources), as well as waybackurls for historical URLs captured by the Wayback Machine.

Brute-forcing: In contrast, brute-forcing is an active method that involves systematically generating and testing various subdomain names to discover valid entries. This approach relies on the idea that subdomains may follow predictable patterns or naming conventions. While effective, brute-forcing can be resource-intensive and may trigger security mechanisms if done without caution.

Some of the brute-forcing tools include Amass, MassDNS, puredns and Sudomy. Two cautions apply: MassDNS and puredns need a list of trusted resolvers, since public resolvers may rate-limit or return poisoned answers, and a wildcard DNS record on the target domain will make every guessed name "resolve", so results must be filtered against the wildcard answer before they are treated as real hosts.
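The wildcard problem mentioned above, as an added example that is not part of the original post: before brute-forcing, resolve a few random labels that cannot exist under the domain, record whatever they resolve to, and discard any guessed name whose answers are entirely covered by that wildcard set. The domain and wordlist are placeholders, and the resolver is injectable so the logic runs offline.

```python
import secrets
import socket
from typing import Callable, Dict, Iterable, List, Set


def resolve(name: str) -> Set[str]:
    """All addresses the system resolver returns for a name (empty set on NXDOMAIN)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def wildcard_answers(domain: str, resolver: Callable[[str], Set[str]], probes: int = 3) -> Set[str]:
    """Resolve several random labels; any answers mean the zone has a wildcard record.

    Several probes are used because a wildcard may round-robin between addresses.
    """
    answers: Set[str] = set()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 random hex chars, never a real hostname
        answers |= resolver(f"{label}.{domain}")
    return answers


def brute_force(
    domain: str,
    wordlist: Iterable[str],
    resolver: Callable[[str], Set[str]] = resolve,
) -> Dict[str, List[str]]:
    """Return {fqdn: [addresses]} for guessed names that are not just the wildcard."""
    wild = wildcard_answers(domain, resolver)
    found: Dict[str, List[str]] = {}
    for word in wordlist:
        fqdn = f"{word.strip().lower()}.{domain}"
        addrs = resolver(fqdn)
        if not addrs:
            continue
        # If every answer is one the wildcard also returns, this is the catch-all, not a host.
        if wild and addrs <= wild:
            continue
        found[fqdn] = sorted(addrs)
    return found


if __name__ == "__main__":
    # Constructed sample wordlist; a real run would load a file such as one from SecLists.
    sample_words = ["www", "mail", "dev", "staging", "vpn"]
    for name, addrs in brute_force("example.com", sample_words).items():
        print(name, addrs)
```

A name that resolves to the wildcard address plus something extra is kept, because the extra address is evidence of a distinct record; a name that resolves only to wildcard addresses is dropped. This is the same idea puredns applies with its wildcard filtering, done here in a few lines so the behaviour is visible.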

Types of Subdomain Enumeration

I recently stumbled upon an outstanding resource for delving deeper into subdomain enumeration. If you’re interested in exploring this topic at a more comprehensive level, you can access the resource here.

Directory Busting: From Paths to Secrets

Now that we’ve identified our domain and subdomains, it’s time to delve into directory hunting.

In straightforward terms, directory busting is the method of discovering directories and files that exist on a web server but are not linked from its pages, by requesting candidate paths from a wordlist and watching how the server responds.

Hunting directories matters for several reasons:

  1. Uncovering Hidden Content & Sensitive Files: Revealing content not linked from the main website, including potentially sensitive information and undisclosed files.
  2. Identifying Misconfigurations: Spotting misconfigurations in web servers or content management systems that may inadvertently expose directories, enhancing overall security.
  3. Preventing Unauthorized File Access: Mitigating the risk of unauthorized access to files by actively hunting for and securing directories that might be exploited by malicious actors.
  4. API Endpoints and Information Leakage: Recognizing potential API endpoints that could leak information, minimizing the risk of data exposure.
  5. Discovering Login Pages and Web Portals: Locating login pages and web portals that may be hidden, ensuring comprehensive security coverage.

For effective directory busting, tools such as gobuster and ffuf, fed with a good wordlist (the SecLists collection is the usual starting point), systematically request candidate paths and report the ones that get an interesting response. Two practical caveats: many sites return a 200 "not found" page for every unknown path (a soft 404), so responses must be compared against a known-missing path rather than trusting the status code alone, and the request rate should be throttled, since this is noisy active testing against the client's production servers.
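The soft-404 caveat above, as an added example that is not part of the original post: it first requests a random path that cannot exist to learn what "not found" looks like on this server (status and body size), then discards any wordlist hit that matches that baseline. The same calibration is what ffuf does with its `-ac` option. The target URL and wordlist are placeholders, and the fetch function is injectable so the logic runs offline; the real `http_fetch` uses only the standard library.

```python
import secrets
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

Response = Tuple[int, bytes]  # (HTTP status, response body)


def http_fetch(url: str, timeout: float = 10.0) -> Response:
    """Fetch a URL with a recognisable User-Agent so the client can attribute the traffic.

    Note: urllib follows redirects, so a 301/302 shows up here as the final page's status.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "authorized-pentest-dirbust"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def calibrate_soft_404(base_url: str, fetch: Callable[[str], Response]) -> Response:
    """Request a path that cannot exist and record how this server says 'not found'."""
    status, body = fetch(f"{base_url}/{secrets.token_hex(12)}")
    return status, body


def bust(
    base_url: str,
    wordlist: Iterable[str],
    fetch: Callable[[str], Response] = http_fetch,
    size_tolerance: int = 32,
    delay: float = 0.0,
) -> Dict[str, int]:
    """Return {url: status} for paths whose response differs from the not-found baseline."""
    nf_status, nf_body = calibrate_soft_404(base_url, fetch)
    nf_len = len(nf_body)
    hits: Dict[str, int] = {}
    for word in wordlist:
        url = f"{base_url}/{word.strip().lstrip('/')}"
        status, body = fetch(url)
        if delay:
            time.sleep(delay)  # be polite to the client's production server
        if status == 404:
            continue
        # Soft 404: same status as the known-missing path and roughly the same body size.
        if status == nf_status and abs(len(body) - nf_len) <= size_tolerance:
            continue
        hits[url] = status
    return hits


if __name__ == "__main__":
    # Constructed sample wordlist; a real run would load one from SecLists.
    words = ["admin", "backup", "api", ".git/config", "robots.txt"]
    for url, status in bust("https://target.example", words, delay=0.2).items():
        print(status, url)
```

Body-size matching is deliberately approximate: dynamic pages vary by a few bytes (timestamps, nonces), so the tolerance keeps them grouped with the baseline while a genuine login form or directory listing, which differs by hundreds of bytes, still surfaces. A 403 is kept as a hit because it confirms the path exists even though the server refuses to serve it.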

Finding Vulnerabilities: Unmasking Weaknesses

Now that we have uncovered some subdomains along with some directories it’s time to find some vulnerabilities.

How much vulnerability hunting we can do depends on the scope and duration of the project. Vulnerabilities can be found either manually or with automated tools.

Since manual testing requires a lot of experience and is time-consuming, this post focuses on automated tools. Keep in mind that scanners miss logic flaws and produce false positives, so every automated finding should be verified by hand before it goes into a report.

So there are two tools which are really useful in finding vulnerabilities:

  1. Nuclei
  2. Nessus

Nuclei

Nuclei serves as a potent tool for sending targeted requests across diverse hosts using customizable templates, ensuring minimal false positives and swift scanning across extensive host networks.

Img: Nuclei

Its versatile scanning capabilities extend to various protocols, encompassing TCP, DNS, HTTP, SSL, File, Whois, Websocket, Headless, Code, and more. Fueled by robust and adaptable templating, Nuclei empowers users to model a wide array of security checks with precision and efficiency.

Key features of Nuclei include:

  1. Template-Based Scanning: Nuclei uses templates to define security checks. Templates can cover a wide range of protocols, including HTTP, DNS, SSL, and more.
  2. Extensibility: Users can create and customize their own templates, making Nuclei highly adaptable to different testing scenarios and target environments.
  3. Fast and Scalable: Nuclei is designed for speed and scalability, making it suitable for scanning a large number of hosts quickly.
  4. Minimal False Positives: The tool aims to reduce false positives by tailoring security checks based on the defined templates, leading to more accurate results.
  5. Community Contributions: Nuclei has an active community that contributes to the development of templates, expanding the tool’s coverage for various security checks.
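A minimal Nuclei template, as an added example written for this post rather than taken from the Nuclei project or its template repository: it checks whether a web server exposes its `.git/config` file, which leaks repository metadata and often allows the source tree to be pulled. The `id`, `author` and description text are placeholders; the structure (an `http` request block with `matchers` combined by `matchers-condition`) follows the Nuclei template format.

```yaml
id: example-exposed-git-config

info:
  name: Exposed .git/config
  author: example-author
  severity: medium
  description: |
    A web-accessible .git/config file indicates the repository metadata is
    served by the web server, which can allow the source to be downloaded.
  tags: exposure,git,config

http:
  - method: GET
    path:
      - "{{BaseURL}}/.git/config"

    # All matchers must hit: correct status, a git config body, and not an HTML error page.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - "[core]"

      - type: word
        part: header
        words:
          - "text/html"
        negative: true
```

The negative header matcher is what keeps the false-positive rate low on servers that answer every path with a 200 HTML page: without it, any soft-404 whose body happened to contain `[core]` would be reported.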

You can check out the tool here.

Nessus

Nessus is a widely used vulnerability scanning tool that is often employed for both internal and external security assessments, including penetration testing.

TryHackMe provides a free room where users can get hands-on experience with Nessus, from setting up a scan policy to interpreting the results. To access this resource, click here.

Img: Nessus Scan

Key features of Nessus include:

  1. Vulnerability Identification: Nessus is adept at identifying vulnerabilities in network services, applications, and systems. During external penetration testing, it can scan external-facing assets to uncover potential weaknesses.
  2. Comprehensive Scanning: It supports a wide range of protocols and can conduct comprehensive scans for various vulnerabilities, including those related to web applications, network services, and operating systems.
  3. Policy Compliance Checks: Nessus can assess systems against security policies and compliance standards, providing insights into whether external assets adhere to established security benchmarks.
  4. Scanning Automation: Nessus is known for its ability to automate the scanning process, which is valuable when dealing with a large number of external hosts.

Now that we have identified vulnerabilities, it’s time to delve into exploitation. Up to this point, we’ve addressed the initial four steps of my methodology.

However, before venturing into the exploitation phase, let’s hit pause for a moment. The details of the exploitation process will be the focus of the next blog, as it’s essential to take this journey one step at a time.

Once again, I kindly request that you refrain from conducting any testing without proper legal and ethical permissions. If you enjoy bars, consider listening to rap songs.

If you enjoyed this blog, I appreciate a clap and encourage you to share it for maximum benefit. Feel free to follow or connect with me through the following social media handles if you have any questions or feedback.

Twitter:- https://twitter.com/n1chr0x

Linkedin:- https://www.linkedin.com/in/n1chr0x
