EXTERNAL PENETRATION TESTING

External Penetration Testing Methodology

Nairuz Abulhul
Published in R3d Buck3T
8 min read · Jan 11, 2023

How to run an External Pentest Assessment


An external penetration test is a security assessment that simulates an attack on an organization’s internet-facing systems and defenses from the perspective of an attacker on the internet. The goal of the assessment is to give the tested organization a profile of the attacks that could realistically be carried out against its externally exposed systems and assets.

During an external pentest assessment, the pentester uses various tools and techniques to scan and test the organization’s systems; this typically combines automated scanners with manual testing to identify weaknesses and attempt to exploit them.

This post shares my current external pentesting methodology. I recently took training at TCM Academy and Antisyphon Training, and I updated the methodology with what I learned there and from additional research. If anyone is interested in the mentioned training, check the Resources section.

I’ll update the post regularly to include new tips and resources.

External Pentest Assessment Phases

Planning Phase


The planning phase is an essential part of an external pentest assessment: it sets the stage for the rest of the assessment and keeps everything organized. The planning phase includes the following items:

Engagement Scope refers to the systems, networks, and assets included in the pentest assessment. In this step, the pentester works with the client to define what will be evaluated. The scope usually consists of IP addresses and ranges (in CIDR notation), domains, subdomains, virtual hosts, cloud assets, API endpoints, etc.

After the client provides the scope information, the pentester verifies it to ensure it is accurate and that the listed assets actually belong to the client. A hostname that resolves to an address outside the client’s ranges (for example, a third-party CDN or SaaS provider) usually must be excluded or explicitly authorized before testing.
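As an added example (not part of the original post or any tool it mentions), the following script performs the mechanical part of scope verification: it checks every address a listed hostname resolves to against the CIDR ranges agreed in the RoE and separates in-scope hosts from hosts that land outside the client’s ranges. The CIDRs, hostnames, and DNS answers are constructed sample data using documentation ranges so the script runs offline; in a live engagement the resolution dictionary would be replaced by real DNS lookups.

```python
"""Scope sanity check before any active testing starts.

Compares the addresses that in-scope hostnames resolve to against the IP
ranges from the RoE, and reports anything that falls outside those ranges
(commonly third-party CDN/SaaS hosts that must be excluded or authorized).
"""
import ipaddress
from typing import Dict, List, Tuple

# Agreed scope from the RoE. Constructed sample using documentation ranges.
SCOPE_CIDRS = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:10::/48"]

# Constructed DNS answers so the example runs offline. In a live engagement
# replace this with socket.getaddrinfo() or a dnspython query per hostname.
RESOLVED: Dict[str, List[str]] = {
    "www.example.com": ["203.0.113.10", "2001:db8:10::10"],
    "mail.example.com": ["203.0.113.25"],
    "portal.example.com": ["198.51.100.7"],
    # Hosted by a third-party provider: outside the client's ranges.
    "blog.example.com": ["192.0.2.44"],
    # The upper half of 198.51.100.0/24 is NOT in scope (mask is /25).
    "legacy.example.com": ["198.51.100.200"],
}


def parse_scope(cidrs: List[str]) -> list:
    """Parse CIDR strings; strict=False tolerates host bits set (e.g. 10.0.0.5/24)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_scope(ip: str, nets: list) -> bool:
    """True if the address falls inside any agreed range (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def scope_size(nets: list) -> int:
    """Number of addresses the scope covers; useful when estimating scan time."""
    return sum(net.num_addresses for net in nets)


def classify_hosts(resolved: Dict[str, List[str]], nets: list
                   ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split (hostname, ip) pairs into in-scope and out-of-scope lists."""
    inside, outside = [], []
    for host, ips in resolved.items():
        for ip in ips:
            (inside if in_scope(ip, nets) else outside).append((host, ip))
    return inside, outside


def scope_report(cidrs=SCOPE_CIDRS, resolved=RESOLVED) -> dict:
    nets = parse_scope(cidrs)
    inside, outside = classify_hosts(resolved, nets)
    return {"inside": inside, "outside": outside, "size": scope_size(nets)}


if __name__ == "__main__":
    report = scope_report()
    for host, ip in report["inside"]:
        print(f"[in scope]     {host:22} {ip}")
    for host, ip in report["outside"]:
        print(f"[OUT OF SCOPE] {host:22} {ip}  -> confirm ownership with the client")
```

Anything in the out-of-scope list goes back to the client before the first packet is sent; it is either a typo in the scope, an asset the client forgot to list, or a third party that has not consented to testing.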

Standard tools for verification are:

Rules of Engagement (RoE) are guidelines that outline the acceptable actions and tests during a security assessment. The client should approve the document before the assessment begins. The RoE document usually includes the essential information the pentester and client agree on, such as:

  • Assessment Scope includes the client’s assets, networks, and endpoints.
  • Assessment Objectives include the goals and expectations the client expects from the pentester during the security evaluation.
  • Timeline of the engagement includes key milestones and deadlines.
  • Communication Rules include establishing clear communication channels with the client, discussing how the pentester will keep them informed throughout the engagement, and notifying them of any significant findings.

📌 Tip: Any high or critical finding should be communicated to the client immediately after the pentester verifies the result. Quick notification is crucial: if the pentester could breach the client’s network from the internet, there is a high chance the client is already breached or soon will be. Informing them promptly allows them to take measures to fix and patch the issue.

  • Deliverables include the comprehensive report the testing team delivers to the client at the end of the assessment — the report contains a summary of the findings and recommendations for addressing the found vulnerabilities or weaknesses.
  • Contact information of both sides (testing team and client POCs).
  • Kick-off communications provide an opportunity to establish a relationship with the client, set expectations, and ensure everyone is on the same page. There are usually two types of communication with the client at the beginning of an engagement:
    A kick-off meeting is held with the client, usually after the engagement scope has been verified. The pentester introduces themselves and discusses the scope and the assessment objectives.
    A kick-off email is sent to the client at the start of the engagement to notify them that pentesting activities on the agreed scope are beginning.

Execution Phase


Once the test has officially begun, the pentester conducts passive and active reconnaissance to identify information that may help in the following testing phases: email addresses, usernames, software information, user manuals, forum posts, etc.

This phase includes:

  • Reconnaissance
    – Passive Recon (OSINT)
    – Active Recon
  • Manual Testing and Exploitation
  • Password Attacks

Passive Recon

Passive recon, commonly referred to as Open-Source Intelligence (OSINT), refers to gathering information about the targets from publicly accessible resources such as social media, search engines, public records, breach data, etc., without interacting with the targets directly. As the name suggests, this type of recon is passive and leaves no noticeable traces on the target’s systems.

Examples of what to look for in passive recon:

  • Organization’s website:
    – Employee names and emails to use for password spraying or social engineering activities (red teaming)
    – Job postings to understand the technologies and infrastructure used within the organization.
  • Password policy, as disclosed by the sign-up functionality of web portals (minimum length, complexity rules).
  • Public Records, including archives
  • Social Media platforms (LinkedIn, Twitter, Facebook)
  • Breach Databases
  • Source Code platforms
  • Cloud Storage platforms (S3 Buckets, Azure Blobs)
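One concrete use of the employee names and emails collected in passive recon is to work out the organization’s email naming convention and turn a list of names (from LinkedIn, press releases, or document metadata) into candidate addresses for later password spraying. The script below is an added example, not code from the original post: it votes across a handful of known addresses to infer the convention, then applies it to new names. The known addresses, names, and the example.com domain are constructed sample data.

```python
"""Infer an organization's email naming convention from a few known addresses
and generate candidate addresses for names harvested elsewhere.
"""
import re
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# Candidate local-part conventions; extend as needed for an engagement.
PATTERNS: Dict[str, Callable[[str, str], str]] = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}

# Constructed sample: addresses found on the website / in a breach dump.
KNOWN_EMAILS = [
    ("Jane", "Doe", "jane.doe@example.com"),
    ("Rob", "O'Brien", "rob.obrien@example.com"),
    ("Ana", "Lee", "alee@example.com"),        # an alias; should be outvoted
]

# Constructed sample: names harvested from LinkedIn (one duplicate on purpose).
HARVESTED_NAMES = [("Sam", "Smith"), ("Li", "Wang"), ("Mary-Jane", "Watson"), ("Sam", "Smith")]


def normalize(name: str) -> str:
    """Lowercase and keep only a-z, so "O'Brien" -> "obrien" and "Mary-Jane" -> "maryjane"."""
    return re.sub(r"[^a-z]", "", name.lower())


def infer_pattern(known: List[Tuple[str, str, str]]) -> Optional[Tuple[str, str]]:
    """Vote across known (first, last, email) triples; return (pattern, domain).

    Returns None when no known address matches any candidate convention.
    """
    votes: Counter = Counter()
    domains: Counter = Counter()
    for first, last, email in known:
        local, _, domain = email.lower().partition("@")
        domains[domain] += 1
        f, l = normalize(first), normalize(last)
        for label, fmt in PATTERNS.items():
            if f and l and fmt(f, l) == local:
                votes[label] += 1
    if not votes:
        return None
    return votes.most_common(1)[0][0], domains.most_common(1)[0][0]


def generate_candidates(names: List[Tuple[str, str]], pattern: str, domain: str) -> List[str]:
    """Apply the inferred convention to new names, skipping blanks and duplicates."""
    fmt = PATTERNS[pattern]
    out = []
    for first, last in names:
        f, l = normalize(first), normalize(last)
        if f and l:
            out.append(f"{fmt(f, l)}@{domain}")
    return list(dict.fromkeys(out))   # de-duplicate, preserve order


if __name__ == "__main__":
    inferred = infer_pattern(KNOWN_EMAILS)
    if inferred:
        pattern, domain = inferred
        print(f"Convention: {pattern} @{domain}")
        for addr in generate_candidates(HARVESTED_NAMES, pattern, domain):
            print(addr)
```

The generated list is only a hypothesis: confirm a few candidates against a user-enumeration source (for example, an OWA or Microsoft 365 login response) before spraying, so that attempts are not wasted on non-existent accounts.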

Tools & Resources:

Active Recon

Active recon gathers information by probing, scanning, and fingerprinting the targets. This type of recon is noisy and easily detected; the pentester should exercise caution when scanning the client’s targets (conservative scan timing, no aggressive probes against fragile systems) to avoid triggering unexpected responses or bringing targets down.

Examples of what to look for in active recon:

  • Login portals such as Outlook Web App (OWA), Citrix, VPN, SharePoint, or any other web portal
  • IoT/OT devices (cameras, medical devices, industrial control systems)
  • SSL/TLS certificate information, and protocol and cipher weaknesses.

Tools & Resources:

Manual Testing and Exploitation

Manual testing and exploitation involve reviewing the scan results from the active recon step and identifying signs of vulnerabilities or weaknesses that warrant further investigation. This step includes mapping all exposed services (port number, service name, and, where available, version number) and looking for known vulnerabilities in the discovered applications or services. 🖊️ Check out the Scanning and Probing Cheatsheet

It is important to remember that the pentester should NOT rely only on the vulnerability scanner results, as they do not always report the correct software version or service type. The results must be validated manually to filter out false positives.

Another thing to highlight is that the pentester must always be careful when testing production environments. If they encounter a vulnerable system that can be exploited with a public or custom exploit but are not sure what the impact on that system would be, they should ask the client whether it is OK to exploit it. Some clients will allow it and some will not, because it could disrupt the environment; others will agree only under specific conditions, such as testing off-hours when network traffic is low.

📌 Tip: When using a public or custom exploit, you must understand what the exploit does behind the scenes. You do not want to be in a situation where the client asks about the technical details of the exploit and the answer is, "I don’t know; I just got it from GitHub." Also, only use tools that were verified and vetted ahead of the assessment.
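The service-mapping step above is mostly bookkeeping, and doing it by hand across a /24 is error-prone. The following added example (not code from the original post) parses nmap’s XML output (`nmap -sV -oX`) into a flat list of exposed services and flags the two classes of finding that dominate external reports: management protocols reachable from the internet and cleartext protocols. The XML is a constructed sample trimmed to the elements nmap actually emits; the host addresses use documentation ranges.

```python
"""Turn nmap -oX output into a service map and flag internet-exposed
management and cleartext protocols for manual follow-up.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed nmap XML (only the elements this parser reads are included).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 203.0.113.0/24">
 <host><status state="up"/>
  <address addr="203.0.113.10" addrtype="ipv4"/>
  <hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.18.0" tunnel="ssl"/></port>
   <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
  </ports>
 </host>
 <host><status state="up"/>
  <address addr="203.0.113.25" addrtype="ipv4"/>
  <hostnames><hostname name="mail.example.com" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
   <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
   <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
  </ports>
 </host>
</nmaprun>"""

# Services that should not be reachable from the internet without a VPN.
MANAGEMENT_PORTS = {("tcp", 21): "FTP", ("tcp", 22): "SSH", ("tcp", 23): "Telnet",
                    ("tcp", 445): "SMB", ("tcp", 3389): "RDP", ("udp", 161): "SNMP"}
# Cleartext services; "http" only counts when nmap did not see a TLS tunnel.
CLEARTEXT_SERVICES = {"ftp", "telnet", "http"}


def parse_nmap_xml(xml_text: str) -> List[Dict]:
    """Return one row per open port on each host that is up.

    UDP ports reported as open|filtered are kept but marked, since nmap could
    not confirm them; they need manual verification like any scanner result.
    """
    rows = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        name = hn.get("name") if hn is not None else ""
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if not (state == "open" or state.startswith("open|")):
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            rows.append({
                "ip": addr, "host": name,
                "proto": port.get("protocol"), "port": int(port.get("portid")),
                "state": state, "service": get("name"),
                "product": get("product"), "version": get("version"),  # fingerprint only; validate manually
                "tls": get("tunnel") == "ssl",
            })
    return rows


def flag_findings(rows: List[Dict]) -> List[Tuple[str, int, str]]:
    """Map exposed services onto the common external findings."""
    findings = []
    for r in rows:
        key = (r["proto"], r["port"])
        if key in MANAGEMENT_PORTS:
            findings.append((r["ip"], r["port"], f"Exposed management protocol: {MANAGEMENT_PORTS[key]}"))
        if r["service"] in CLEARTEXT_SERVICES and not r["tls"]:
            findings.append((r["ip"], r["port"], f"Cleartext protocol: {r['service']}"))
    return findings


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_NMAP_XML)
    for r in rows:
        print(f"{r['ip']:15} {r['proto']}/{r['port']:<5} {r['service']:8} {r['product']} {r['version']} ({r['state']})")
    for ip, port, note in flag_findings(rows):
        print(f"FINDING {ip}:{port} {note}")
```

The product and version columns are exactly the values the post warns about: they come from banner fingerprinting and must be confirmed by hand before a CVE is attributed to a host.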

Password Attacks

Password attacks are another fundamental part of external penetration testing; the attack types used during assessments are:

  • Password spraying is trying a single common password against many user accounts (one password vs. multiple accounts). Because each account sees only one failed attempt per round, this is the attack least likely to trigger lockouts.
  • Brute-forcing is trying every possible combination of characters, symbols, and words against an account in an attempt to guess the correct password. It is the noisiest option and the most likely to lock accounts out.
  • Credential stuffing is trying username and password pairs leaked in previous breaches against the target’s services. This attack is often successful because many people reuse the same password across multiple accounts.

💡 It is crucial to note that password attacks can lead to account lockouts. If the client does not provide the password and lockout policy used in the organization, the pentester should be especially cautious when performing these attacks: keep the number of attempts per account well below the likely lockout threshold and space the rounds out over the lockout observation window.

Examples of where to use password attacks:

  • Web login portals such as OWA and Microsoft 365 (O365).
  • Management protocols such as SSH, SNMP, FTP, and Telnet.
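The lockout caution above turns into arithmetic once the client shares the policy: a threshold of N failed attempts within an observation window means at most N minus a safety margin passwords per account per window. The planner below is an added example (not code from the original post) that splits a password list into rounds spaced by the window plus a buffer, and raises rather than guessing when the margin leaves no room. The policy values (5 attempts / 30 minutes), margin, and the season-based password generator are assumptions for illustration; Windows domain and cloud identity providers implement lockout differently, so confirm the actual policy with the client.

```python
"""Plan a password-spraying run that stays under the account lockout threshold.

Given the lockout policy (failed-attempt threshold and the observation window
after which the bad-password counter resets), split the candidate password
list into rounds and space them so no account gets close to the threshold.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int        # failed attempts before lockout; 0 means no lockout
    window_minutes: int   # observation window after which the counter resets


# Assumed policy for the example; take the real one from the client.
EXAMPLE_POLICY = LockoutPolicy(threshold=5, window_minutes=30)


def season_passwords(year: int, suffixes=("", "!", "1", "123")) -> List[str]:
    """Common spray candidates built from season/word + year conventions."""
    words = ["Winter", "Spring", "Summer", "Fall", "Autumn", "Password", "Welcome"]
    return [f"{w}{year}{s}" for w in words for s in suffixes]


def attempts_per_round(policy: LockoutPolicy, margin: int = 2) -> Optional[int]:
    """Passwords that are safe to try per account per window.

    `margin` keeps attempts in reserve for the user's own typos during the
    same window. None means no lockout policy applies.
    """
    if policy.threshold <= 0:
        return None
    per = policy.threshold - margin
    if per < 1:
        raise ValueError("lockout threshold too low to spray safely with this margin")
    return per


def plan_spray(passwords: List[str], policy: LockoutPolicy,
               margin: int = 2, buffer_minutes: int = 5) -> List[Tuple[int, List[str]]]:
    """Return [(start_offset_minutes, passwords_for_this_round), ...].

    Every password in a round is tried once against every account; the next
    round starts only after the observation window plus a buffer has elapsed.
    """
    per = attempts_per_round(policy, margin)
    if per is None:
        return [(0, list(passwords))]
    gap = policy.window_minutes + buffer_minutes
    return [((i // per) * gap, passwords[i:i + per])
            for i in range(0, len(passwords), per)]


def total_duration_minutes(plan: List[Tuple[int, List[str]]]) -> int:
    """Offset at which the last round starts (0 for an empty or single-round plan)."""
    return plan[-1][0] if plan else 0


if __name__ == "__main__":
    candidates = season_passwords(2023)[:7]
    for start, batch in plan_spray(candidates, EXAMPLE_POLICY):
        print(f"t+{start:3d} min: {batch}")
```

Run the plan with the users list held constant across rounds, and log every attempt with a timestamp: if an account does lock out despite the plan, the log is what lets you and the client reconstruct what happened.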

Tools & Resources:

Post-Execution Phase


Reporting

A report is the deliverable the tester provides to the client after completing the assessment. It is usually a comprehensive document that opens with a high-level, non-technical executive summary of what was accomplished during the assessment timeline and the findings.

The report includes the assessment scope, objectives, a description of the methods used during the engagement, a list of findings and recommendations, and supporting documentation such as screenshots or logs.

📌 Tip: start reporting while testing; create a draft report with the testing notes and screenshots as you go. Trust me, it will save a lot of time and effort. Also, the screenshots should be clear and include the commands run and their outputs.

Debriefing

A debrief is a review of the findings and recommendations from the performed security assessment. During the debrief meeting, the pentester or pentesting team meets with the client’s relevant parties (management, IT staff, and other stakeholders) to discuss the vulnerabilities identified during the assessment and to recommend how to address and mitigate them. The debrief may be delivered as a report or a presentation and conducted in person or remotely.

Common External Pentest Findings

Several findings may arise during an external pentest. Below are the most common ones in external assessments:

  • Insufficient authentication controls (for example, no multi-factor authentication on internet-facing portals).
  • Anonymous access to protocols like FTP, Telnet, and SMB.
  • Exposed management protocols: systems configured to be reachable from the internet without a VPN, such as SSH, SNMP, FTP, Telnet, RDP, etc.
  • Weak password policies.
  • Default credentials or weak passwords.
  • Known vulnerabilities (CVEs).
  • Weak or insufficient encryption, including:
    – Unencrypted (plain HTTP) communication on web applications.
    – Weak SSL/TLS protocol versions (SSLv2/SSLv3, TLS 1.0/1.1).
    – Weak ciphers (e.g., RC4 and DES-CBC).
    – Expired SSL/TLS certificates.
  • Insufficient patching.
  • Information disclosure, such as verbose error messages on web applications.
  • Exposed API endpoints with sensitive information.
  • Username enumeration through the Forgot Password functionality.

With that, we have reached the end of the post. Today, we covered a standard methodology for approaching an external pentest assessment. Following a methodology ensures that the evaluation is thorough and systematic, covering all relevant areas and test cases. It also helps the pentester stay organized and focused, reducing the risk of missing essential vulnerabilities.

As mentioned above, I’ll update this post every now and then to keep it aligned with the methodology in the External Pentest Methodology Notion page.

Thanks all for reading!!

Nairuz Abulhul
R3d Buck3T

I spend 70% of the time reading security stuff and 30% trying to make it work !!! aka Pentester [+] Publication: R3d Buck3T