Preparation

Outline of the Process

  1. You are testing how good the security is from an external position, outside the network.
    • You were supplied with a scope of work and you should only test the items within that scope.
    • Can you compromise or break into any services from outside the network?
    • It’s OK if you can’t; that is not the true objective. You are simulating an attack to evaluate the security.
    • You are looking for any potential vulnerabilities, but that doesn’t mean you have to exploit every one you find.
    • Your ultimate objective is to protect the client from real-world attackers who are trying to harm the organization.
  2. Make sure you understand all the steps you need to take and the things you need to do before starting.
  3. Gather as much open source intelligence (OSINT) as possible and try to use it to take advantage of a service.
    • Attack any login portals you find.
    • If you gain access, connect to the network and try to escalate privileges.
  4. It is very possible that you will find and identify vulnerabilities as you make progress.
    • Maybe there is no multifactor authentication, no rate limiting on login portals, etc.
  5. Go over your checklists and make sure you check every single thing you need to do.
  6. When you are finished you have to write a report that provides all the information and the highest quality of service to the client.
  7. Double or triple check everything. Go over it all thoroughly, even if it doesn’t mean you find a way to break in.
  8. At the end you may have to debrief the client and discuss what you found.

Checklists

Source: External-Pentest-Checklist

LibreOffice - if you don’t have Excel or don’t want to use it.

Excel tabs

  1. To Do’s
  2. Scope
  3. Targets
  4. Password Spraying
  5. Breached Accounts
  6. Login Portals
  7. Findings & Strengths

To Do’s

| To Do’s | Status | Comments |
| --- | --- | --- |
| Ensure ROE is signed by client | Outstanding | |
| Add IPs in scope to Scope tab | Outstanding | |
| Verify customer scope | Outstanding | |
| Send kickoff email | Outstanding | |
| Conduct vulnerability scanning with Nessus | Outstanding | |
| Identify e-mails/users/passwords in breach databases (Dehashed, breach-parse, etc.) | Outstanding | |
| Identify employees & email address format (LinkedIn, phonebook.cz, clearbit, hunter.io, etc.) | Outstanding | |
| Identify client’s website(s) and search for any data useful to the attack (job postings, system information, password policy, etc.) | Outstanding | |
| Attempt to enumerate accounts on portals, password reset functions, etc. | Outstanding | |
| Run web app scans, if necessary | Outstanding | |
| Conduct manual testing and exploitation on targets | Outstanding | |
| Validate vulnerabilities reported by scanning tools | Outstanding | |
| Conduct password spraying, guessing and brute force on login portals | Outstanding | |
| Escalate access from external to internal | Outstanding | |
| Validate previous year’s findings have been resolved | Outstanding | |
| Cleanup | Outstanding | |
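The two “Identify …” items above (breach data and the client’s e-mail address format) feed directly into the account list referenced on the Password Spraying tab. As an added example that is not part of the original checklist, the Python below infers the naming convention from one confirmed address and then builds a de-duplicated candidate list from OSINT names. SAMPLE_NAMES, the domain domain.com, the confirmed address and the FORMATS table are constructed placeholders, not data from any real engagement.

```python
"""Build the usernames.txt account list from OSINT names.

Added example, not part of the original checklist. SAMPLE_NAMES, the domain
and the confirmed address are constructed placeholders; in an engagement the
names come from LinkedIn/hunter.io/phonebook.cz and the confirmed address from
the client's site or a breach dump.
"""
from __future__ import annotations

import re
import unicodedata

# Common corporate naming conventions, labelled the way OSINT tools report
# them. {first}/{last} are the full name parts, {f}/{l} their initials.
FORMATS = {
    "first.last": "{first}.{last}",
    "firstlast": "{first}{last}",
    "flast": "{f}{last}",
    "first_last": "{first}_{last}",
    "lastf": "{last}{f}",
    "f.last": "{f}.{last}",
    "first": "{first}",
}


def normalise(part: str) -> str:
    """Lower-case, strip accents and punctuation: "O'Brien" -> "obrien"."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_part.lower())


def split_name(full_name: str) -> tuple[str, str] | None:
    """Return (first, last) from a display name, dropping middle names/initials.

    Single-word names cannot be mapped onto a two-part format, so None is
    returned and the caller decides what to do with them.
    """
    tokens = [t for t in (normalise(t) for t in full_name.split()) if t]
    if len(tokens) < 2:
        return None
    return tokens[0], tokens[-1]


def build_username(first: str, last: str, fmt: str) -> str:
    return FORMATS[fmt].format(first=first, last=last, f=first[0], l=last[0])


def guess_format(known_address: str, full_name: str) -> str | None:
    """Infer the convention from one confirmed address and its owner's name."""
    parts = split_name(full_name)
    if parts is None:
        return None
    local_part = known_address.split("@", 1)[0].lower()
    for fmt in FORMATS:
        if build_username(*parts, fmt) == local_part:
            return fmt
    return None


def generate(names: list[str], domain: str, fmt: str) -> list[str]:
    """De-duplicated, ordered address list for one known format."""
    if fmt not in FORMATS:
        raise ValueError(f"unknown format {fmt!r}; known: {sorted(FORMATS)}")
    seen: set[str] = set()
    out: list[str] = []
    for name in names:
        parts = split_name(name)
        if parts is None:
            continue  # record these for manual review rather than guessing
        addr = f"{build_username(*parts, fmt)}@{domain}"
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


# Constructed sample input, shaped like names scraped from LinkedIn.
SAMPLE_NAMES = [
    "Jacky Chan",
    "María José García",
    "Sean O'Brien",
    "Jacky Chan",        # duplicate profile
    "Robert J. Smith",   # middle initial
    "Cher",              # single name: cannot be mapped
]

if __name__ == "__main__":
    fmt = guess_format("jchan@domain.com", "Jacky Chan")
    if fmt is None:
        raise SystemExit("could not infer format; pick one from FORMATS manually")
    for address in generate(SAMPLE_NAMES, "domain.com", fmt):
        print(address)
```

Confirm the format with a single address from the client’s own site or a breach dump before generating hundreds of guesses, and keep the names the script cannot map (single-word or garbled profiles) in your notes for manual handling rather than silently dropping them.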

Scope

| IP Range | Comments |
| --- | --- |
| 192.168.66.0/24 | |

Targets

| Host IP | URL | Status | Open Port | Comments/Findings |
| --- | --- | --- | --- | --- |
| 192.168.66.21 | domain.com/admin | Compromised | 8080 | Password easy to guess |

Password Spraying

| Site | Account List | Passwords Tried |
| --- | --- | --- |
| domain.com/portal | See usernames.txt | See passwords.txt |

Breached Accounts

| Users | Password from Breach |
| --- | --- |
| Zomby | H4x0r$Un173 |
| Admin | 123456789 |

Login Portals

| Login Pages | Comments |
| --- | --- |
| domain.com | No credentials |
| domains.com | Found credentials |

Findings and Strengths

| Finding/Issue | System/IP | Name | Screenshot | Comment |
| --- | --- | --- | --- | --- |

| Strengths | System/IP | Name | Screenshot | Comment |
| --- | --- | --- | --- | --- |

Rules of Engagement

This is a document that you and the client sign after the quote has been accepted and the master service agreement (MSA) has been signed. The quote and the MSA are not your concern as the tester; you will only be concerned with the rules of engagement.

The rules of engagement define the roles and responsibilities and the details of the test agreement. They tell you what you can and can’t do.

Contents

  • Dates of the test
  • Disclosure
  • Status updates
  • External Penetration test
    • IP address
  • Malware test
    • Cobalt Strike, Meterpreter
  • Bounds of the test
  • Stop Point
  • Keeping Access
  • Announcement
  • Project Closure
  • Post Mortem
  • Out of Scope (Important!)

Communication

  • You will receive a customer point of contact (CPOC).
  • You will provide a point of contact to the customer.

Disclaimer

Acceptance

Verifying Scope

Before starting any type of pentest you need to verify your scope.

Here’s a reference on what could happen: darknetdiaries.com/episode/22/

Find out who owns the subnet in the scope: bgp.he.net/

You have to make absolutely sure that the network you are about to test really belongs to the client and is the one the rules of engagement authorize.
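A quick mechanical check to run before the first scan, added here as an example and not part of the original notes: it reads the Scope tab, flags ranges that should never appear in an external scope (RFC 1918, loopback, link-local, reserved) or that are suspiciously large, and splits the host list into authorised and out-of-scope targets. SCOPE_TAB and TARGETS reuse the placeholder addresses from this page’s own Scope tab and kickoff e-mail. It does not replace the ownership check on bgp.he.net, which is what tells you whose netblock it actually is.

```python
"""Check targets against the signed scope before the first packet is sent.

Added example, not part of the original notes. SCOPE_TAB and TARGETS are the
placeholder values from this page's Scope tab and kickoff e-mail. This only
catches mechanical mistakes (typos, hosts just outside a range, private or
reserved addresses in an external scope); who actually owns a netblock is
still confirmed separately, e.g. on bgp.he.net.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_scope(entries: Iterable[str]) -> list[Network]:
    """Parse CIDR ranges or single hosts from the Scope tab.

    strict=False reads '200.120.30.5/24' as 200.120.30.0/24 instead of
    raising; clients often write scope that way.
    """
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def in_scope(target: str, scope: list[Network]) -> bool:
    """True if the IP is inside any authorised range. Raises ValueError for non-IPs."""
    addr = ipaddress.ip_address(target)
    return any(addr in net for net in scope)


def scope_warnings(scope: list[Network]) -> list[str]:
    """Ranges that should make you call the CPOC before starting."""
    warnings: list[str] = []
    for net in scope:
        if net.is_private or net.is_loopback or net.is_link_local or net.is_reserved:
            warnings.append(f"{net}: private/non-routable range in an EXTERNAL scope")
        elif net.num_addresses > 65536:  # bigger than a /16
            warnings.append(f"{net}: {net.num_addresses} addresses; confirm all of it is the client's")
    return warnings


def check_targets(targets: Iterable[str], scope: list[Network]) -> tuple[list[str], list[str]]:
    """Split targets into (authorised, out_of_scope); the second list is never scanned."""
    authorised: list[str] = []
    out_of_scope: list[str] = []
    for t in targets:
        try:
            hit = in_scope(t, scope)
        except ValueError:
            # Hostnames must be resolved first and EVERY A/AAAA record checked:
            # a vhost on shared hosting or a CDN often sits on someone else's netblock.
            raise ValueError(f"{t!r} is not an IP address; resolve it and check each record") from None
        (authorised if hit else out_of_scope).append(t)
    return authorised, out_of_scope


# Constructed sample data (placeholders from this page).
SCOPE_TAB = ["200.120.30.0/24", "192.168.66.0/24"]
TARGETS = ["200.120.30.21", "200.120.30.254", "200.120.31.1", "192.168.66.21"]

if __name__ == "__main__":
    scope = parse_scope(SCOPE_TAB)
    for warning in scope_warnings(scope):
        print("WARNING:", warning)
    authorised, out_of_scope = check_targets(TARGETS, scope)
    print("authorised:", authorised)
    print("OUT OF SCOPE, do not touch:", out_of_scope)
```

With the page’s own placeholders, 192.168.66.0/24 is flagged because a private range cannot be reached from outside the network, and 200.120.31.1 is rejected because it sits one octet outside the authorised /24; both are exactly the kind of mistake the Darknet Diaries episode above is about.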

Client Communication

If the engagement is going well and there are no critical findings, you may only reach out to the client a couple of times. If there are no findings, or everything is low importance, there may be little reason to contact them more often than that.

If you run into something critical (you break into the network, log into a web server, get any kind of RCE), you need to let them know immediately. If you can breach the external network, there is a chance that someone else has already done it, and the client will need to patch the vulnerability as soon as possible.

Kick off email example:

Good Morning Jacky Chan,

The external pentest is about to begin. Per our agreement, we will be testing the following IPs/ranges:

200.120.30.0/24

All pentesting activity will be performed from the following IP address:

192.168.1.1

If our testing triggers any alerting on your side, please notify us at your earliest convenience so we can note it in the report.

Finally, if you need anything at all during the testing, you can reach me at this email or by the phone number listed below.

Thank you,
Hacker Joe

Hacker Joe’s Hacking
Hacker Joe, Pen Testing Engineer
555-555-1212 | email@domain.com

You can automate the process: schedule the kickoff email to be sent and the scans to start before you sit down to work, so you have data to look at right away. Just make sure you keep the client happy so they don’t go to someone else for their pentests. Communication is a high priority.