External Pentest

Note: This External Pentest section is in progress.

External Pentest Methodology

  • An external pentest is an attempt to hack into a client’s network from an external location outside of the network.
  • You take on the role of an external threat, but your goal is only to break into the network and discover vulnerabilities.
  • This doesn’t mean pwning anyone. All you have to do is find the vulnerabilities, put them into a report and present them to the client.

The Process

  • Information gathering
  • Open Source intelligence

Steps

  • Collect and organize all of the information about employees.
  • Guess and discover passwords and their format.
  • Find passwords that have been used before.
  • Break into email accounts, VPN accounts and the network.
  • Bypass protections, security, multi-factor, 2FA, etc.
  • Once you’re on the network you need to elevate permissions.

Goals

  • Try to keep the mindset that you’re a hacker who wants to break into the network to get sensitive information.
  • To be successful you must completely understand the attack methodology of an external pentest.
  • You must have a strong skillset, good client relations, understand the rules of engagement and report writing.

Subsections of External Pentest

Preparation

Outline of the Process

  1. You’re testing how good the security is from an external location outside the network.
    • You were supplied with a scope of work and you should only test the items within the scope.
    • Are you able to compromise or break into any services from outside the network?
    • It’s OK if you can’t, because that’s not the true objective. You’re only simulating the attack as an evaluation of the security.
    • You are looking for any potential vulnerabilities, but it doesn’t mean you have to take advantage of a vulnerability.
    • Your ultimate objective is to protect the client from real world hackers who are trying to do harm to the organization.
  2. Make sure you understand all the steps you need to take and things you need to do before starting.
  3. Gather as much open source intelligence (OSINT) as possible and try to use it to take advantage of a service.
    • Attack any login portals you find.
    • Connect to the network and try to escalate privileges.
  4. You will very likely find and identify vulnerabilities as you make progress.
    • Maybe there is no multifactor authentication, no rate limiting on login portals, etc.
  5. Go over your checklists and make sure you check on every single thing that you need to do.
  6. When you are finished you have to write a report and provide all information and the highest quality of service to the client.
  7. Double or triple check everything. Go over it all thoroughly, even if it doesn’t lead to a way in.
  8. At the end you may have to debrief the client and discuss what you found.

Subsections of Preparation

Checklists


Source: External-Pentest-Checklist

LibreOffice works if you don’t have Excel or don’t want to use it.

Excel tabs

  1. To Do’s
  2. Scope
  3. Targets
  4. Password Spraying
  5. Breached Accounts
  6. Login Portals
  7. Findings & Strengths

To Do’s

To Do’s | Status | Comments
Ensure ROE is signed by client | Outstanding |
Add IPs in scope to Scope tab | Outstanding |
Verify customer scope | Outstanding |
Send kickoff email | Outstanding |
Conduct vulnerability scanning with Nessus | Outstanding |
Identify e-mails/users/passwords in breach databases (Dehashed, breach-parse, etc.) | Outstanding |
Identify employees & email address format (LinkedIn, phonebook.cz, clearbit, hunter.io, etc.) | Outstanding |
Identify client’s website(s) and search for any data useful to help attack (job postings, system information, password policy, etc.) | Outstanding |
Attempt to enumerate any accounts on portals, password reset functions, etc. | Outstanding |
Run web app scans, if necessary | Outstanding |
Conduct manual testing and exploitation on targets | Outstanding |
Validate scanning tool vulnerabilities | Outstanding |
Conduct password spraying, guessing and brute force on login portals | Outstanding |
Escalate access from external to internal | Outstanding |
Validate previous year’s findings have been resolved | Outstanding |
Cleanup | Outstanding |

Scope

IP Range | Comments
192.168.66.0/24 |

Targets

Host IP | URL | Status | Open Port | Comments/Findings
192.168.66.21 | domain.com/admin | Compromised | 8080 | Password easy to guess

Password Spraying

Site | Account List | Passwords Tried
domain.com/portal | See usernames.txt | See passwords.txt

Breached Accounts

Users | Password from Breach
Zomby | H4x0r$Un173
Admin | 123456789

Login Portals

Login Pages | Comments
domain.com | No credentials
domains.com | Found credentials

Findings and Strengths

Finding/Issue | System/IP | Name | Screenshot | Comment

Strengths | System/IP | Name | Screenshot | Comment

ROE

Rules of Engagement

This is a document that you will have to sign with the client after the quote and the master service agreement have been signed. The quote and master service agreement aren’t important to you; you will only be concerned with the rules of engagement.

The rules of engagement define the roles and responsibilities and the details of the test agreement. They tell you what you can and can’t do.

Contents

  • Dates of the test
  • Disclosure
  • Status updates
  • External Penetration test
    • IP address
  • Malware test
    • Cobalt Strike, Meterpreter
  • Bounds of the test
  • Stop Point
  • Keeping Access
  • Announcement
  • Project Closure
  • Post Mortem
  • Out of Scope (Important!)

Communication

  • You will receive a customer point of contact (CPOC).
  • You will provide a point of contact to the customer.

Disclaimer

Acceptance

Verify Scope

Verifying Scope

Before starting any type of pentest you need to verify your scope.

Here’s a reference on what could happen: darknetdiaries.com/episode/22/

Find out who owns the subnet in the scope: bgp.he.net/

You have to make absolutely sure the network that you’re going to run a pentest on is the network it’s really supposed to be.
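A small check that turns the Scope tab into something you can run against the target list before any scanning starts. This is an added example, not code from the page or from any tool it mentions; the scope entries and target hosts below are constructed sample data (the two ranges are the ones that appear in this page’s checklist and kickoff email). The who-owns-this-subnet question answered at bgp.he.net stays a manual step, since it cannot be answered offline.

```python
import ipaddress

# Constructed sample scope entries (not a real engagement). The two /24
# ranges are the ones used as examples elsewhere on this page.
SCOPE_LINES = [
    "192.168.66.0/24",   # Scope tab entry
    "200.120.30.0/24",   # range from the kickoff email
    "10.0.0.7",          # a single host, written without a prefix length
]


def parse_scope(lines):
    """Turn scope entries (CIDR blocks or bare IPs) into network objects.
    strict=False tolerates host bits set in a CIDR (e.g. 192.168.66.1/24),
    which is how clients often write ranges."""
    networks = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()   # allow trailing comments
        if not entry:
            continue
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def classify_targets(scope, targets):
    """Sort candidate targets into in-scope, out-of-scope, and entries that
    cannot be checked automatically (hostnames, malformed strings)."""
    result = {"in_scope": [], "out_of_scope": [], "manual_check": []}
    for target in targets:
        try:
            addr = ipaddress.ip_address(target.strip())
        except ValueError:
            # Hostnames and typos land here: resolve and confirm them by
            # hand against the signed scope before they go in the Targets tab.
            result["manual_check"].append(target)
            continue
        if any(addr in net for net in scope):
            result["in_scope"].append(target)
        else:
            result["out_of_scope"].append(target)
    return result


if __name__ == "__main__":
    scope = parse_scope(SCOPE_LINES)
    # Constructed target list mixing the page's sample host with strays.
    targets = ["192.168.66.21", "192.168.67.5", "200.120.30.250",
               "domain.com", "10.0.0.7"]
    verdict = classify_targets(scope, targets)
    for bucket, hosts in verdict.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Anything in manual_check gets resolved and confirmed by hand before it is touched; anything in out_of_scope goes back to the customer point of contact for clarification rather than into the Targets tab.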

Communication

Client Communication

If the engagement is going well and there are no critical findings, you may only reach out to the client a couple of times. If there are no findings, or everything is of low importance, there may not be much reason to contact them.

If you run into something critical (you break into the network, log into a web server, get any kind of RCE), you need to let them know immediately. If you can breach the external network, there is a chance that someone else has already done it, and they will need to patch the vulnerability ASAP.

Kick off email example:

Good Morning Jacky Chan,

The external pentest is about to begin. Per our agreement, we will be testing the following IPs/ranges:

200.120.30.0/24

All pentesting activity will be performed from the following IP address:

192.168.1.1

If our testing triggers any alerting for you, please notify us at your earliest convenience so we can notate this in the report.

Finally, if you need anything at all during the testing, you can reach me at this email or by the phone number listed below.

Thank you,
Hacker Bob

Hacker Joe's Hacking
Hacker Joe, Pen Testing Engineer 
555-555-1212 | email@domain.com

You can automate the process: set up emails to be sent and scans to start before you sit down to work, so you have some data to look at right away. Just make sure you keep the client happy so they don’t go to someone else for pentests. Communication is a high priority.

Begin

When you kick off a pentest you will start implementing your attack strategy, begin scanning for vulnerabilities, and start extracting information.

Subsections of Begin

Strategy

Attack Strategy

Overview

  • Think of external pentests like home security.
    • cameras, lighting, dogs, alarm system.
  • Low chance of RCE (remote code execution), high chance of weak passwords.
  • OSINT and logical guessing are your best friends.

External Pentest

  • There should be good software/system patching.
  • There might be alarm systems or other protections in place.
  • The network facing the outside world is the most vulnerable point.
  • The chances of RCE (remote code execution) are very low.
  • Once someone breaks into the network from an external location, there are far fewer defense mechanisms.
  • Weak password policies, weak security, and the lack of multi-factor authentication are some of the most common vulnerabilities. If you can get into an email account, chances are you will be able to get into other things that aren’t protected well enough. Sometimes you will see partial multi-factor coverage, which is not enough. Just finding sensitive information is bad, even if you don’t get onto the network.
  • There may be web portal logins, but don’t start pentesting a web app. You are looking to get onto the internal network. You can try default credentials or SQLi, but that’s about it.
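The same weakness looks different from the defender’s side: a portal with no rate limiting and no MFA (the finding mentioned in the outline above and in this list) does nothing to stop a spray, so the evidence lives in the authentication log. Below is an added example, not from the page, of the detection logic a client’s SOC would run over portal logs to spot a spray and, more importantly, any success that follows it. The log format, field names and every log line are constructed for this example; the window and user-count thresholds are assumptions to tune against a real portal’s baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample portal log (not from any real system). The format is an
# assumption for this example: ISO timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:09Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:15Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:21Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:30Z src=203.0.113.5 user=frank result=SUCCESS
2024-05-01T10:05:00Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:05:20Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:05:40Z src=198.51.100.9 user=alice result=SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source IP, user, result)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["src"], kv["user"], kv["result"]


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail against at least min_users distinct accounts
    inside one sliding time window. A brute force hits one account many
    times; a spray hits many accounts a few times each, so the number of
    distinct users per source is the signal, not the raw failure count."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))

    alerts = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts


def successes_after_spray(log_text, alerts):
    """A SUCCESS from a flagged source is the event that matters most: it
    means one of the sprayed accounts had a guessable password."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, user, result = parse_line(line)
        if result == "SUCCESS" and src in alerts:
            hits.append((src, user))
    return hits


if __name__ == "__main__":
    alerts = detect_spray(SAMPLE_LOG)
    for src, users in alerts.items():
        print(f"spray from {src}: {len(users)} accounts tried: {', '.join(users)}")
    for src, user in successes_after_spray(SAMPLE_LOG, alerts):
        print(f"!! successful login for {user} from sprayer {src}")
```

With the sample data, 203.0.113.5 trips the rule after five distinct accounts in twenty seconds, and the later success for frank from that source is the line a client would need to act on; 198.51.100.9 stays quiet because it only ever retries one account.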

Scanning

Vulnerability Scanning

By this point you should be ready to start and already have completed these things:

  1. Signed Rules of Engagement
  2. Scoping information
  3. Validated scope
  4. Sent kickoff email

Nessus

tenable.com/products/nessus (commercial)

Nessus Essentials is free:
tenable.com/products/nessus/nessus-essentials

Alternatives to Nessus

  1. Astra Pentest
  2. Indusface WAS
  3. Invicti (formerly Netsparker)
  4. Intruder
  5. ManageEngine Vulnerability Manager Plus
  6. Acunetix
  7. OpenVAS
  8. Metasploit
  9. Burp Suite
  10. Qualys Cloud Platform
  11. Tenable.io
  12. OpenSCAP
  13. Tripwire

Scan Demo

The demo is based on Tesla’s program at Bugcrowd: bugcrowd.com/tesla
To use bugcrowd.com you need an account set up and configured.

Note: In this case you would need to find out if automated scanning is out of scope.

Steps

Interface is probably different now and steps may have changed.

  • Nessus - Advanced Scan
    • Name, description.
    • Targets: paste in IP address from scope.
    • Schedule: you can set when it will run.
    • Discovery: usually left at default for external.
    • Port Scanning: 1-65535
    • Service Discovery: leave as default.
    • Web Applications: Turn on Scan web applications.
    • Check through the rest of the settings and understand what they are for.

Information

Reviewing and Extracting Information

Nessus

Note: These instructions might be different in new versions.

When the scan is finished

  • Click on it to see the results
  • Check Hosts, Vulnerabilities and History
  • Export results (drop down)
    • Click Nessus to export
  • Report (drop down)
    • Click PDF to export
      • Executive Summary
      • Custom Summary with everything
    • Click HTML to export

Nessus Parsers

melcara.com (parser last updated in 2017):
perl parse_nessus_xml.v24.pl -f Tesla_mbpjyt.nessus
It will create a spreadsheet file.

github.com/Ebryx/Nessus_Map

git clone https://github.com/Ebryx/Nessus_Map
cd Nessus_Map
mkdir env
cd env
python3 -m venv .
source bin/activate
cd ..
pip install -r requirements.txt
python manage.py runserver
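Both parsers above take the exported .nessus file and turn it into something the Findings & Strengths tab can hold. As an added example (not part of either parser, nor of Nessus itself), here is a minimal parser in Python for the same .nessus v2 export: one row per host/port/plugin, sorted by severity, with a validated column for the checklist item “Validate scanning tool vulnerabilities”. The XML fragment is constructed sample data that follows the ReportHost/ReportItem layout of a real export; the hosts, plugin IDs and plugin names are made up.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed .nessus v2 fragment (sample data, not a real scan). Element and
# attribute names follow the Nessus export format; hosts, plugin IDs and
# plugin names are invented for this example.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="external-sample">
    <ReportHost name="192.168.66.21">
      <HostProperties><tag name="host-ip">192.168.66.21</tag></HostProperties>
      <ReportItem port="8080" svc_name="www" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="Constructed: admin portal lacks rate limiting">
        <risk_factor>High</risk_factor>
        <plugin_output>constructed output</plugin_output>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900002" pluginName="Constructed: OS fingerprint">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.168.66.30">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900003" pluginName="Constructed: TLS certificate expired">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Nessus severity attribute: 0 = Info, 1 = Low, 2 = Medium, 3 = High, 4 = Critical
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
COLUMNS = ["host", "port", "protocol", "severity", "plugin_id", "plugin_name", "validated"]


def parse_nessus(xml_text):
    """Flatten ReportHost/ReportItem pairs into rows for the Findings tab,
    highest severity first. 'validated' starts as No: a scanner result is a
    lead until it has been confirmed by hand."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            rows.append({
                "host": host.get("name"),
                "port": item.get("port"),
                "protocol": item.get("protocol"),
                "severity": SEVERITY.get(sev, str(sev)),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "validated": "No",
                "_sev": sev,            # kept only for sorting
            })
    rows.sort(key=lambda r: (-r["_sev"], r["host"], int(r["port"])))
    for r in rows:
        del r["_sev"]
    return rows


def summarize(rows):
    """Count findings per severity label, in the order a report lists them."""
    counts = {label: 0 for label in ("Critical", "High", "Medium", "Low", "Info")}
    for r in rows:
        counts[r["severity"]] = counts.get(r["severity"], 0) + 1
    return counts


def to_csv(rows):
    """Render rows as CSV text, ready to paste into the Findings tab."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    findings = parse_nessus(SAMPLE_NESSUS)
    print(summarize(findings))
    print(to_csv(findings))
```

Paste the CSV into the Findings tab and flip validated to Yes only after confirming each item manually; the scanner’s severity is the starting point for triage, not the severity that goes in the report.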

OSINT

OSINT/Information Gathering Overview

What you are looking for:

  1. Breached data in website tools and databases.
  2. Valid usernames and email addresses.
  3. Job postings, resumes.

OSINT Intelligence Lifecycle

  1. Planning and Direction
  2. Collection
  3. Processing and Exploitation
  4. Analysis and Production
  5. Dissemination and Integration

See OSINT for more info.

Note: To be continued…