Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "external network penetration testing" with this command: npx skills add zebbern/secops-cli-guides/zebbern-secops-cli-guides-external-network-penetration-testing

External Network Penetration Testing

Purpose

Conduct comprehensive external network penetration testing including OSINT reconnaissance, subdomain enumeration, exposed service discovery, vulnerability scanning, and exploitation of internet-facing assets. This methodology covers the full external assessment lifecycle.

Prerequisites

Required Tools

  • Nmap for network scanning

  • Amass/Subfinder for subdomain enumeration

  • Shodan/Censys for passive recon

  • Recon-ng for OSINT framework

  • Nuclei/Nessus for vulnerability scanning

Required Knowledge

  • Network protocols and services

  • DNS and certificate transparency

  • Cloud infrastructure concepts

  • OSINT techniques

Outputs and Deliverables

  • Attack Surface Report - Complete external footprint

  • Subdomain Inventory - All discovered subdomains

  • Exposed Services - Internet-facing services and versions

  • Vulnerability Assessment - Identified security issues

Core Workflow

Phase 1: OSINT Reconnaissance

Gather intelligence without direct target interaction:

Google Dorks

site:company.com -site:www.company.com
site:*.company.com
filetype:pdf site:company.com
inurl:admin site:company.com
intitle:"index of" site:company.com

Bing Dorks

site:company.com -site:www.company.com

Certificate Transparency

curl -s "https://crt.sh/?q=%25.company.com&output=json" | jq -r '.[].name_value' | sort -u
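The crt.sh query above returns JSON in which one `name_value` field can hold several SAN entries separated by newlines, mixed case, trailing dots, wildcards and unrelated look-alike domains. The `jq | sort -u` one-liner leaves all of that in place. The following Python is an added example (it is not part of the upstream SKILL.md) that normalises a crt.sh-style response into an in-scope host list, keeps wildcard names apart because they still need DNS expansion, and diffs the result against an asset inventory so unexpected certificate issuance shows up. The JSON sample and the inventory set are constructed.

```python
import json

# Constructed sample in the shape crt.sh returns for ?q=%25.company.com&output=json.
# name_value can carry several SAN entries separated by newlines and wildcard names.
SAMPLE_CRT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.company.com\ncompany.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.company.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "Mail.Company.com."},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "company.com.evil-lookalike.net"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "api.company.com\n*.dev.company.com"},
])


def in_scope(name, domain):
    """True when name is the domain itself or a label under it. The dot boundary
    keeps 'company.com.evil-lookalike.net' from matching 'company.com'."""
    return name == domain or name.endswith("." + domain)


def parse_ct_names(raw_json, domain):
    """Split, normalise and de-duplicate CT names for one registered domain.
    Returns {'hosts': [...], 'wildcards': [...]} with both lists sorted."""
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")   # case and trailing dot
            if not name or not in_scope(name, domain):
                continue
            if name.startswith("*."):
                wildcards.add(name)        # a zone hint, not a resolvable host
            else:
                hosts.add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards)}


def new_names(ct_hosts, inventory):
    """Names present in CT that the asset inventory does not know about."""
    return sorted(h for h in ct_hosts if h not in inventory)


if __name__ == "__main__":
    result = parse_ct_names(SAMPLE_CRT_JSON, "company.com")
    known = {"www.company.com", "company.com"}   # constructed inventory
    print("hosts:", result["hosts"])
    print("wildcards:", result["wildcards"])
    print("unknown to inventory:", new_names(result["hosts"], known))
```

Run against a live download by replacing `SAMPLE_CRT_JSON` with the body of the curl request; the suffix check in `in_scope` is what stops third-party certificates that merely contain the domain string from inflating the subdomain inventory.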

ASN Lookup

amass intel -org "Company Name"
whois -h whois.radb.net -- '-i origin AS12345'

Using bgp.he.net

https://bgp.he.net/dns/company.com

Shodan search

shodan search "ssl.cert.subject.CN:company.com"
shodan search "hostname:company.com"

OSINT tools:

SpiderFoot - automated OSINT

spiderfoot -s company.com -o output.html

theHarvester

theHarvester -d company.com -b all

Maltego - visual OSINT

Use GUI for comprehensive link analysis

Phase 2: Passive Reconnaissance

Discover assets without active scanning:

DNS History

SecurityTrails, DNSdumpster, ViewDNS.info

Web Archive

waybackurls company.com | sort -u > archived_urls.txt

Pastebin monitoring

https://github.com/carlospolop/Pastos

Credential leaks check

dehashed, breach-parse, HaveIBeenPwned

Social networks

LinkedIn - employee enumeration

python3 linkedin2username.py -c "Company Name"

Hunter.io - email discovery

curl "https://api.hunter.io/v2/domain-search?domain=company.com&api_key=KEY"

Phase 3: Subdomain Enumeration

Comprehensive subdomain discovery:

Amass - comprehensive enumeration

amass enum -d company.com -o subdomains.txt
amass enum -d company.com -passive -o passive_subs.txt

Subfinder - fast passive enumeration

subfinder -d company.com -o subfinder.txt

DNS brute-force

aiodnsbrute -t 20 company.com -w subdomains-top1million.txt

DNScan

python3 dnscan.py -d company.com -w subdomains.txt

Combine and dedupe

cat amass.txt subfinder.txt | sort -u > all_subs.txt

Certificate Transparency with ct-exposer

python3 ct-exposer.py -d company.com

TLSX for SAN extraction

echo "10.0.0.0/8" | tlsx -san -silent

Resolve live subdomains

cat all_subs.txt | httpx -o live_subs.txt

Phase 4: Subdomain Takeover Testing

Check for vulnerable subdomains:

Subjack

subjack -w subdomains.txt -t 100 -timeout 30 -o takeover.txt -ssl

Nuclei subdomain takeover templates

nuclei -l subdomains.txt -t takeovers/

Manual checks for:

  • CNAME pointing to unclaimed services

  • Azure/AWS/Heroku/GitHub Pages misconfigurations

  • Expired domain CNAMEs

Common vulnerable services:

AWS S3, Azure, Heroku, GitHub Pages, Shopify

Zendesk, Fastly, Pantheon, Tumblr, WordPress
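The manual checks listed for this phase come down to one question per CNAME: does the target still resolve, and if it does, is it a provider-hosted resource that someone other than the zone owner could claim? The Python below is an added example (not code from the upstream SKILL.md) of that audit run over a zone snapshot, written as the check a zone owner runs on their own records. The zone, the resolver answers and the provider suffix list are constructed; a live run swaps `simulated_resolves` for a real DNS lookup.

```python
# Constructed zone snapshot: name -> (record type, data). Not a real zone.
ZONE = {
    "www.company.com":      ("A",     "203.0.113.10"),
    "docs.company.com":     ("CNAME", "company-docs.github.io"),
    "old-shop.company.com": ("CNAME", "shop.expired-vendor.example"),
    "assets.company.com":   ("CNAME", "company-assets.s3.amazonaws.com"),
    "app.company.com":      ("CNAME", "lb-12345.internal.company.com"),
}

# Simulated resolver answers for the CNAME targets above (True = resolves,
# False = NXDOMAIN). Replace with a real lookup function for a live audit.
SIMULATED_ANSWERS = {
    "company-docs.github.io": True,
    "shop.expired-vendor.example": False,        # the vendor's domain lapsed
    "company-assets.s3.amazonaws.com": True,     # S3 hostnames resolve even with no bucket
    "lb-12345.internal.company.com": True,
}


def simulated_resolves(name):
    return SIMULATED_ANSWERS.get(name, False)


# Hosting providers whose resources are claimable by any account. A CNAME to
# one of these only proves the provider's DNS answers, not that the resource
# is still owned. Illustrative list, not exhaustive.
CLAIMABLE_PROVIDER_SUFFIXES = (
    "github.io", "s3.amazonaws.com", "herokuapp.com",
    "azurewebsites.net", "blob.core.windows.net", "myshopify.com",
)


def classify_cname(target, resolves):
    """DANGLING_NXDOMAIN: target gone, remove the record.
    THIRD_PARTY_VERIFY_CLAIMED: resolves to a claimable provider, confirm ownership.
    OK: resolves and is not a claimable provider."""
    if not resolves(target):
        return "DANGLING_NXDOMAIN"
    if any(target == s or target.endswith("." + s) for s in CLAIMABLE_PROVIDER_SUFFIXES):
        return "THIRD_PARTY_VERIFY_CLAIMED"
    return "OK"


def audit_zone(zone, resolves=simulated_resolves):
    """Classify every CNAME in the zone; A/AAAA records are not takeover candidates."""
    return {name: classify_cname(target, resolves)
            for name, (rtype, target) in zone.items() if rtype == "CNAME"}


def findings(zone, resolves=simulated_resolves):
    """Only the records that need action, worst first."""
    order = {"DANGLING_NXDOMAIN": 0, "THIRD_PARTY_VERIFY_CLAIMED": 1}
    return sorted(((n, s) for n, s in audit_zone(zone, resolves).items() if s != "OK"),
                  key=lambda ns: (order[ns[1]], ns[0]))


if __name__ == "__main__":
    for name, status in findings(ZONE):
        print(f"{status:28} {name}")
```

The NXDOMAIN case is the expired-domain CNAME from the list above and is decidable from DNS alone. The provider case is not: the resolver cannot tell whether the S3 bucket or GitHub Pages site behind the name still belongs to the organisation, so those names need an ownership check against the provider (the response fingerprinting that subjack and the Nuclei takeover templates automate) and the fix is to delete the record or re-claim the resource.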

Phase 5: Active Reconnaissance

Direct target scanning:

Masscan - fast port discovery

masscan -p1-65535 --rate 10000 -iL targets.txt -oG masscan.out

Nmap - service enumeration

nmap -sV -sC -p- -iL live_hosts.txt -oA nmap_full

NSE script categories

nmap --script=default,vuln,discovery -p 22,80,443 target.com

Shodan integration

shodan host <IP>
shodan search "hostname:company.com"

Censys

censys search "parsed.names: company.com"

HTTP/HTTPS screenshots

gowitness file -f live_subs.txt -P screenshots/
eyewitness -f live_subs.txt --web
aquatone -out aquatone_output < live_subs.txt

Phase 6: Exposed Services Testing

HTTP/HTTPS

Technology fingerprinting

whatweb https://target.com
wappalyzer https://target.com

Directory enumeration

gobuster dir -u https://target.com -w directory-list.txt
feroxbuster -u https://target.com -w wordlist.txt

Virtual host discovery

gobuster vhost -u https://target.com -w vhosts.txt

IIS specific

java -jar iis_shortname_scanner.jar https://iiswebsite.com

Check aspnet_client folder

curl https://target.com/aspnet_client/

Email Services (SMTP)

SPF/DKIM/DMARC check

python3 spoofy.py -d company.com -o stdout
./spoofcheck.py company.com

Open relay testing

nmap --script smtp-open-relay -p 25 target.com

User enumeration

smtp-user-enum -M VRFY -U users.txt -t target.com
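The SPF/DKIM/DMARC check above is run by spoofy and spoofcheck against live DNS. As an added example (not code from the upstream SKILL.md), the Python below does the same evaluation over TXT records supplied as data, so the scoring rules are visible: the qualifier on the SPF `all` mechanism, the ten-lookup limit from RFC 7208, and whether a DMARC policy exists and enforces anything. The TXT records and domain names are constructed; for a live check, replace `SAMPLE_TXT` with real TXT lookups keyed by name.

```python
import re

# Constructed TXT records keyed by the name they would be looked up at.
SAMPLE_TXT = {
    "company.com": ["v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all"],
    "_dmarc.company.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@company.com"],
    "weak.example": ["v=spf1 a mx include:a.example include:b.example include:c.example "
                     "include:d.example include:e.example include:f.example "
                     "include:g.example include:h.example include:i.example +all"],
    "strict.example": ["v=spf1 ip4:198.51.100.10 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strict.example"],
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

EXPLANATIONS = {
    "SPF_MISSING": "no SPF record: any host may send as this domain",
    "SPF_MULTIPLE": "more than one SPF record: receivers treat this as a permanent error",
    "SPF_NO_ALL": "SPF lacks an 'all' mechanism, so unlisted senders are neutral",
    "SPF_PLUS_ALL": "SPF ends in +all: every sender passes",
    "SPF_NEUTRAL_ALL": "SPF ends in ?all: unlisted senders are neutral, not rejected",
    "SPF_SOFTFAIL": "SPF ends in ~all: softfail only; DMARC must do the enforcing",
    "SPF_TOO_MANY_LOOKUPS": "SPF needs more than 10 DNS lookups: evaluates to permerror",
    "DMARC_MISSING": "no DMARC record: SPF/DKIM results are never enforced",
    "DMARC_P_NONE": "DMARC p=none: monitoring only, spoofed mail is still delivered",
    "DMARC_NO_RUA": "DMARC has no rua= address: no aggregate reports are received",
}


def parse_spf(record):
    """Return the qualifier on 'all' (or None) and the DNS lookup count."""
    all_qualifier, lookups = None, 0
    for term in record.split()[1:]:            # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    return all_qualifier, lookups


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_domain(domain, txt=SAMPLE_TXT):
    """Return the finding codes for domain; an empty list means nothing to fix."""
    codes = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        codes.append("SPF_MISSING")
    elif len(spf) > 1:
        codes.append("SPF_MULTIPLE")
    else:
        all_q, lookups = parse_spf(spf[0])
        codes += {None: ["SPF_NO_ALL"], "+": ["SPF_PLUS_ALL"],
                  "?": ["SPF_NEUTRAL_ALL"], "~": ["SPF_SOFTFAIL"], "-": []}[all_q]
        if lookups > 10:
            codes.append("SPF_TOO_MANY_LOOKUPS")
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        codes.append("DMARC_MISSING")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p", "none").lower() == "none":
            codes.append("DMARC_P_NONE")
        if "rua" not in tags:
            codes.append("DMARC_NO_RUA")
    return codes


if __name__ == "__main__":
    for d in ("company.com", "weak.example", "strict.example"):
        print(d, [EXPLANATIONS[c] for c in audit_domain(d)] or ["ok"])
```

The lookup counter only counts terms in the top-level record; a full evaluation also counts lookups inside each `include:` target, so a record that passes this check can still exceed the limit once expanded.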

DNS

Zone transfer

dig @ns1.target.com axfr target.com
fierce --domain target.com

DNS reconnaissance

dnsrecon -d target.com -t std
dnsenum target.com

SNMP

Community string brute-force

onesixtyone -c community.txt target.com

SNMP enumeration

snmpwalk -v2c -c public target.com

VPN/Remote Access

IKE Aggressive Mode

ike-scan -M -A target.com

SSL VPN enumeration

nmap --script ssl-enum-ciphers -p 443 target.com

Phase 7: Cloud Enumeration

AWS S3 buckets

aws s3 ls s3://company-backup --no-sign-request
python3 cloud_enum.py -k company

Azure blob storage

https://company.blob.core.windows.net/

GCP storage

https://storage.googleapis.com/company-bucket

MicroBurst (Azure)

Invoke-EnumerateAzureBlobs -Base company

CloudFlare bypass

python3 CloudUnflare.py -d target.com

Phase 8: Vulnerability Scanning

Nuclei - template-based scanning

nuclei -l targets.txt -t nuclei-templates/ -o nuclei_results.txt

Nessus (commercial)

Use external scan profile

Web vulnerability scanning

nikto -h https://target.com
wpscan --url https://target.com/wordpress
joomscan -u https://target.com/joomla

SSL/TLS testing

testssl.sh https://target.com
sslscan target.com

Phase 9: Password Attacks

Password spraying against external services:

CredMaster - multi-service spraying

python3 credmaster.py --plugin o365 -u users.txt -p "Winter2024!"

O365/Azure

python3 MSOLSpray.py -u users.txt -p "Password123!"
trevorspray -e emails.txt --passwords passwords.txt --delay 15

OWA

msfconsole
use auxiliary/scanner/http/owa_login
set RHOSTS mail.company.com
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

VPN

python3 checkpointSpray.py -u users.txt -p "Winter2024!" -t vpn.company.com

IP rotation for evasion

Use AWS API Gateway rotation

Fireprox: https://github.com/ustayready/fireprox
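Every tool in this phase leaves the same trace on the target side: one source tries one or two passwords against many distinct accounts inside a short window, which is the opposite shape from a brute-force against a single account. The Python below is an added example (not code from the upstream SKILL.md) of the detection logic a defender runs over authentication logs for that pattern, and it also lists any account that then logged in successfully from the spraying source, which is the first thing incident response needs to know. The log format, the lines and the thresholds are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines; no real system produced these.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-03-04T09:00:14Z src=203.0.113.7 user=bob result=FAIL
2024-03-04T09:00:27Z src=203.0.113.7 user=carol result=FAIL
2024-03-04T09:00:41Z src=203.0.113.7 user=dave result=FAIL
2024-03-04T09:00:55Z src=203.0.113.7 user=erin result=FAIL
2024-03-04T09:01:09Z src=203.0.113.7 user=frank result=SUCCESS
2024-03-04T09:02:00Z src=198.51.100.23 user=alice result=FAIL
2024-03-04T09:02:05Z src=198.51.100.23 user=alice result=FAIL
2024-03-04T09:02:10Z src=198.51.100.23 user=alice result=FAIL
2024-03-04T09:02:15Z src=198.51.100.23 user=alice result=SUCCESS
2024-03-04T09:05:00Z src=192.0.2.9 user=grace result=FAIL
2024-03-04T09:05:30Z src=192.0.2.9 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_spray(lines, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag a source that fails against at least min_users distinct accounts
    inside one sliding window while trying each account at most max_per_user
    times. Returns {src: {distinct_users, first, last, success_users}}."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)

    alerts = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1                       # slide the window forward
            per_user = Counter(f["user"] for f in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                prev = alerts.get(src)
                if prev is None or len(per_user) > prev["distinct_users"]:
                    alerts[src] = {"distinct_users": len(per_user),
                                   "first": fails[start]["ts"], "last": fails[end]["ts"]}

    # Accounts that authenticated from a spraying source after the spray began
    # are the accounts to reset and investigate first.
    for src, alert in alerts.items():
        alert["success_users"] = sorted({e["user"] for e in events
                                         if e["src"] == src and e["result"] == "SUCCESS"
                                         and e["ts"] >= alert["first"]})
    return alerts


if __name__ == "__main__":
    for src, alert in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(src, alert)
```

In the sample, 198.51.100.23 is a single-account brute-force and 192.0.2.9 a user who mistyped once; neither matches the spray rule, which is deliberate so that a separate per-account threshold can cover brute-force. The `max_per_user` bound is what separates the two patterns, and a rotation setup like the Fireprox one mentioned above defeats the per-source grouping, so the same counting should also be done per target service with the source dimension dropped.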

Phase 10: Exploitation

Exposed Credentials

Git repository secrets

gitleaks detect --source . -v
trufflehog git https://github.com/company/repo
shhgit --live

.git folder exposure

curl -s https://target.com/.git/config
git-dumper https://target.com/.git/ output_dir/

Default Credentials

Check common defaults

https://cirt.net/passwords

https://datarecovery.com/rd/default-passwords/

Common services:

Jenkins: admin/admin

Tomcat: tomcat/tomcat

Grafana: admin/admin

phpMyAdmin: root/<blank>

RCE Vulnerabilities

Search for RCE-as-a-feature

Jenkins script console

Serv-U FTP server

Application deployment endpoints

Nuclei RCE templates

nuclei -l targets.txt -t cves/ -severity critical,high

Metasploit

msfconsole
search type:exploit cve:2024

Quick Reference

Reconnaissance Commands

| Tool | Command |
|---|---|
| Amass | amass enum -d domain.com |
| Subfinder | subfinder -d domain.com |
| Shodan | shodan search "hostname:domain.com" |
| crt.sh | curl "https://crt.sh/?q=%25.domain.com" |
| theHarvester | theHarvester -d domain.com -b all |

Port Scanning

| Scan Type | Command |
|---|---|
| Fast discovery | masscan -p1-65535 --rate 10000 target |
| Service scan | nmap -sV -sC -p- target |
| UDP scan | nmap -sU --top-ports 100 target |
| Vuln scan | nmap --script=vuln target |

Web App Testing

| Test | Tool/Command |
|---|---|
| Directory enum | gobuster dir -u URL -w wordlist.txt |
| Tech fingerprint | whatweb URL |
| Screenshots | gowitness file -f subs.txt |
| Vuln scan | nuclei -l targets.txt -t templates/ |

Common External Services

| Port | Service | Test Focus |
|---|---|---|
| 21 | FTP | Anonymous login, version vulns |
| 22 | SSH | Password spraying, weak keys |
| 25 | SMTP | Open relay, user enum |
| 53 | DNS | Zone transfer |
| 80/443 | HTTP/S | Web vulnerabilities |
| 445 | SMB | Null sessions, vulns |
| 3389 | RDP | Password spray, BlueKeep |

Constraints and Limitations

Scope Considerations

  • Only test authorized IP ranges

  • Respect rate limits and service availability

  • Avoid DoS conditions

  • Document all testing activities

Legal Requirements

  • Written authorization mandatory

  • Stay within defined scope

  • Notify ISPs if required

  • Follow rules of engagement

Technical Limitations

  • WAF may block scanning

  • Rate limiting on services

  • Geo-restrictions may apply

  • Some services may require credentials

Troubleshooting

No Subdomains Found

Solutions:

  • Use multiple enumeration tools

  • Try certificate transparency

  • Check DNS history services

  • Search for mentions on social media

  • Try reverse WHOIS lookups

Scans Being Blocked

Solutions:

  • Reduce scan rate

  • Use IP rotation

  • Try different source IPs

  • Use passive reconnaissance first

  • Schedule scans during off-hours

Password Spray Lockouts

Solutions:

  • Increase delay between attempts

  • Respect lockout thresholds

  • Use IP rotation

  • Target multiple services

  • Check MFA requirements first

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
