---
name: External Network Penetration Testing
description: This skill should be used when the user asks to "perform external pentesting", "conduct external network assessment", "enumerate external attack surface", "perform OSINT reconnaissance", or "test perimeter security". It provides comprehensive external network penetration testing methodologies.
version: 1.0.0
tags: external-pentest, osint, reconnaissance, network-security, enumeration, penetration-testing
---
# External Network Penetration Testing
## Purpose
Conduct comprehensive external network penetration testing including OSINT reconnaissance, subdomain enumeration, exposed service discovery, vulnerability scanning, and exploitation of internet-facing assets. This methodology covers the full external assessment lifecycle.
## Prerequisites
### Required Tools
- Nmap for network scanning
- Amass/Subfinder for subdomain enumeration
- Shodan/Censys for passive recon
- Recon-ng for OSINT framework
- Nuclei/Nessus for vulnerability scanning
### Required Knowledge
- Network protocols and services
- DNS and certificate transparency
- Cloud infrastructure concepts
- OSINT techniques
## Outputs and Deliverables
- Attack Surface Report - Complete external footprint
- Subdomain Inventory - All discovered subdomains
- Exposed Services - Internet-facing services and versions
- Vulnerability Assessment - Identified security issues
## Core Workflow
### Phase 1: OSINT Reconnaissance
Gather intelligence without direct target interaction:
```text
# Google Dorks
site:company.com -site:www.company.com
site:*.company.com
filetype:pdf site:company.com
inurl:admin site:company.com
intitle:"index of" site:company.com
# Bing Dorks
site:company.com -site:www.company.com
```
```bash
# Certificate Transparency
curl -s "https://crt.sh/?q=%25.company.com&output=json" | jq -r '.[].name_value' | sort -u
# ASN Lookup
amass intel -org "Company Name"
whois -h whois.radb.net -- '-i origin AS12345'
# Using bgp.he.net
# https://bgp.he.net/dns/company.com
# Shodan search
shodan search "ssl.cert.subject.CN:company.com"
shodan search "hostname:company.com"
```
OSINT tools:
```bash
# SpiderFoot - automated OSINT
spiderfoot -s company.com -o output.html
# theHarvester
theHarvester -d company.com -b all
# Maltego - visual OSINT
# Use GUI for comprehensive link analysis
```
### Phase 2: Passive Reconnaissance
Discover assets without active scanning:
```bash
# DNS History
# SecurityTrails, DNSdumpster, ViewDNS.info
# Web Archive
waybackurls company.com | sort -u > archived_urls.txt
# Pastebin monitoring
# https://github.com/carlospolop/Pastos
# Credential leaks check
# dehashed, breach-parse, HaveIBeenPwned
# Social networks
# LinkedIn - employee enumeration
python3 linkedin2username.py -c "Company Name"
# Hunter.io - email discovery
curl "https://api.hunter.io/v2/domain-search?domain=company.com&api_key=KEY"
```
### Phase 3: Subdomain Enumeration
Comprehensive subdomain discovery:
```bash
# Amass - comprehensive enumeration
amass enum -d company.com -o subdomains.txt
amass enum -d company.com -passive -o passive_subs.txt
# Subfinder - fast passive enumeration
subfinder -d company.com -o subfinder.txt
# DNS brute-force
aiodnsbrute -t 20 company.com -w subdomains-top1million.txt
# DNScan (-w takes the wordlist, not the amass output above)
python3 dnscan.py -d company.com -w subdomains-top1million.txt
# Combine and dedupe the tool outputs
cat subdomains.txt passive_subs.txt subfinder.txt | sort -u > all_subs.txt
# Certificate Transparency with ct-exposer
python3 ct-exposer.py -d company.com
# TLSX for SAN extraction
echo "10.0.0.0/8" | tlsx -san -silent
# Resolve live subdomains
cat all_subs.txt | httpx -o live_subs.txt
```
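Parsing the crt.sh JSON from Phase 1 and producing the merged list this phase ends with, as an added Python example that is not part of the original skill; the apex domain, the sample crt.sh response and the stand-in amass/subfinder outputs are all constructed:

```python
"""Normalise crt.sh JSON and merge it with other subdomain lists.

Added example, not from the original skill. The crt.sh query on this page pipes
`.[].name_value` into `sort -u`, but one name_value field can hold several
newline-separated names and wildcard entries, so duplicates and `*.` prefixes
survive a plain sort. The apex domain and all sample data are constructed.
"""
import json
import re

APEX = "company.com"  # assumption: the in-scope apex domain used on the page
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample of what crt.sh returns for ?q=%25.company.com&output=json
SAMPLE_CRTSH = json.dumps([
    {"name_value": "www.company.com\ncompany.com"},
    {"name_value": "*.dev.company.com"},
    {"name_value": "VPN.Company.com"},
    {"name_value": "mail.company.com\nwww.company.com"},
    {"name_value": "company.com.evil.example"},  # lookalike, out of scope
])


def in_scope(name, apex=APEX):
    """True if name is the apex or a subdomain of it and every label is valid."""
    if name != apex and not name.endswith("." + apex):
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def parse_crtsh(raw_json, apex=APEX):
    """Flatten name_value fields into scoped, lowercase names without wildcards."""
    found = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name and in_scope(name, apex):
                found.add(name)
    return found


def merge_lists(*sources, apex=APEX):
    """Union of several tool outputs (amass, subfinder, crt.sh), scoped and sorted."""
    merged = {n.strip().lower() for src in sources for n in src}
    return sorted(n for n in merged if n and in_scope(n, apex))
```

The list returned by `merge_lists` is what `all_subs.txt` should contain before it is handed to httpx.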
### Phase 4: Subdomain Takeover Testing
Check for vulnerable subdomains:
```bash
# Subjack
subjack -w subdomains.txt -t 100 -timeout 30 -o takeover.txt -ssl
# Nuclei subdomain takeover templates
nuclei -l subdomains.txt -t takeovers/
# Manual checks for:
# - CNAME pointing to unclaimed services
# - Azure/AWS/Heroku/GitHub Pages misconfigurations
# - Expired domain CNAMEs
# Common vulnerable services:
# AWS S3, Azure, Heroku, GitHub Pages, Shopify
# Zendesk, Fastly, Pantheon, Tumblr, WordPress
```
### Phase 5: Active Reconnaissance
Direct target scanning:
```bash
# Masscan - fast port discovery
masscan -p1-65535 --rate 10000 -iL targets.txt -oG masscan.out
# Nmap - service enumeration
nmap -sV -sC -p- -iL live_hosts.txt -oA nmap_full
# NSE script categories
nmap --script=default,vuln,discovery -p 22,80,443 target.com
# Shodan integration
shodan host <IP>
shodan search "hostname:company.com"
# Censys
censys search "parsed.names: company.com"
# HTTP/HTTPS screenshots
gowitness file -f live_subs.txt -P screenshots/
eyewitness -f live_subs.txt --web
aquatone -out aquatone_output < live_subs.txt
```
### Phase 6: Exposed Services Testing
#### HTTP/HTTPS
```bash
# Technology fingerprinting
whatweb https://target.com
wappalyzer https://target.com
# Directory enumeration
gobuster dir -u https://target.com -w directory-list.txt
feroxbuster -u https://target.com -w wordlist.txt
# Virtual host discovery
gobuster vhost -u https://target.com -w vhosts.txt
# IIS specific
java -jar iis_shortname_scanner.jar https://iiswebsite.com
# Check aspnet_client folder
curl https://target.com/aspnet_client/
```
#### Email Services (SMTP)
```bash
# SPF/DKIM/DMARC check
python3 spoofy.py -d company.com -o stdout
./spoofcheck.py company.com
# Open relay testing
nmap --script smtp-open-relay -p 25 target.com
# User enumeration
smtp-user-enum -M VRFY -U users.txt -t target.com
```
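The SPF/DMARC posture check above, as an added Python example rather than the spoofy/spoofcheck scripts themselves; the TXT records are constructed, and fetching live records (for instance with dnspython) is assumed to be done by the caller:

```python
"""SPF/DMARC posture check. Added example, not the spoofy/spoofcheck scripts the
page invokes: the same kind of checks, run offline against constructed TXT
records; fetching the live records (e.g. with dnspython) is the caller's job."""
import re

# Constructed TXT records keyed by the name they are published at.
SAMPLE_TXT = {
    "company.com": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.company.com": ["v=DMARC1; p=none; rua=mailto:dmarc@company.com"],
    "strict.example": ["v=spf1 ip4:192.0.2.10 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; pct=100"],
    "open.example": ["v=spf1 +all"],
}
# Qualifier on the 'all' mechanism -> why it is weak; None means no 'all' at all.
WEAK_ALL = {None: "no 'all' mechanism (implicit neutral)",
            "+": "+all (anyone may send)", "?": "?all (neutral, not enforced)",
            "~": "~all (softfail; protection depends on DMARC)"}


def get_spf(txt, domain):
    """All SPF records at the domain; more than one is itself a permerror."""
    return [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]


def get_dmarc(txt, domain):
    """DMARC record at _dmarc.<domain> as a tag dict, or None if absent."""
    for r in txt.get("_dmarc." + domain, []):
        if r.lower().startswith("v=dmarc1"):
            pairs = (t.split("=", 1) for t in r.split(";") if "=" in t)
            return {k.strip().lower(): v.strip() for k, v in pairs}
    return None


def assess(txt, domain):
    """Return findings; an empty list means SPF and DMARC both enforce."""
    findings, spf = [], get_spf(txt, domain)
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records (permerror, SPF ignored)")
    else:
        m = re.search(r"(?:^|\s)([-~?+]?)all(?=\s|$)", spf[0])
        qual = (m.group(1) or "+") if m else None   # bare 'all' means '+all'
        if qual in WEAK_ALL:
            findings.append("SPF " + WEAK_ALL[qual])
    dmarc = get_dmarc(txt, domain)
    if dmarc is None:
        findings.append("no DMARC record")
    elif dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC p=none (monitor only, no enforcement)")
    elif dmarc.get("pct", "100") != "100":
        findings.append("DMARC pct=" + dmarc["pct"] + " (partial enforcement)")
    return findings
```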
#### DNS
```bash
# Zone transfer
dig @ns1.target.com axfr target.com
fierce --domain target.com
# DNS reconnaissance
dnsrecon -d target.com -t std
dnsenum target.com
```
#### SNMP
```bash
# Community string brute-force
onesixtyone -c community.txt target.com
# SNMP enumeration
snmpwalk -v2c -c public target.com
```
#### VPN/Remote Access
```bash
# IKE Aggressive Mode
ike-scan -M -A target.com
# SSL VPN enumeration
nmap --script ssl-enum-ciphers -p 443 target.com
```
### Phase 7: Cloud Enumeration
```bash
# AWS S3 buckets
aws s3 ls s3://company-backup --no-sign-request
python3 cloud_enum.py -k company
# Azure blob storage
# https://company.blob.core.windows.net/
# GCP storage
# https://storage.googleapis.com/company-bucket
# MicroBurst (Azure) - PowerShell module
Invoke-EnumerateAzureBlobs -Base company
# CloudFlare bypass
python3 CloudUnflare.py -d target.com
```
### Phase 8: Vulnerability Scanning
```bash
# Nuclei - template-based scanning
nuclei -l targets.txt -t nuclei-templates/ -o nuclei_results.txt
# Nessus (commercial)
# Use external scan profile
# Web vulnerability scanning
nikto -h https://target.com
wpscan --url https://target.com/wordpress
joomscan -u https://target.com/joomla
# SSL/TLS testing
testssl.sh https://target.com
sslscan target.com
```
### Phase 9: Password Attacks
Password spraying against external services:
```bash
# CredMaster - multi-service spraying
python3 credmaster.py --plugin o365 -u users.txt -p "Winter2024!"
# O365/Azure
python3 MSOLSpray.py -u users.txt -p "Password123!"
trevorspray -e emails.txt --passwords passwords.txt --delay 15
# OWA
msfconsole
use auxiliary/scanner/http/owa_login
set RHOSTS mail.company.com
set USER_FILE users.txt
set PASS_FILE passwords.txt
run
# VPN
python3 checkpointSpray.py -u users.txt -p "Winter2024!" -t vpn.company.com
# IP rotation for evasion
# Use AWS API Gateway rotation
# Fireprox: https://github.com/ustayready/fireprox
```
### Phase 10: Exploitation
#### Exposed Credentials
```bash
# Git repository secrets
gitleaks detect --source . -v
trufflehog git https://github.com/company/repo
shhgit --live
# .git folder exposure
curl -s https://target.com/.git/config
git-dumper https://target.com/.git/ output_dir/
```
#### Default Credentials
```bash
# Check common defaults
# https://cirt.net/passwords
# https://datarecovery.com/rd/default-passwords/
# Common services:
# Jenkins: admin/admin
# Tomcat: tomcat/tomcat
# Grafana: admin/admin
# phpMyAdmin: root/<blank>
```
#### RCE Vulnerabilities
```bash
# Search for RCE-as-a-feature
# Jenkins script console
# Serv-U FTP server
# Application deployment endpoints
# Nuclei RCE templates
nuclei -l targets.txt -t cves/ -severity critical,high
# Metasploit
msfconsole
search type:exploit cve:2024
```
## Quick Reference
### Reconnaissance Commands
| Tool | Command |
|---|---|
| Amass | `amass enum -d domain.com` |
| Subfinder | `subfinder -d domain.com` |
| Shodan | `shodan search "hostname:domain.com"` |
| crt.sh | `curl "https://crt.sh/?q=%25.domain.com"` |
| theHarvester | `theHarvester -d domain.com -b all` |
### Port Scanning
| Scan Type | Command |
|---|---|
| Fast discovery | `masscan -p1-65535 --rate 10000 target` |
| Service scan | `nmap -sV -sC -p- target` |
| UDP scan | `nmap -sU --top-ports 100 target` |
| Vuln scan | `nmap --script=vuln target` |
### Web App Testing
| Test | Tool/Command |
|---|---|
| Directory enum | `gobuster dir -u URL -w wordlist.txt` |
| Tech fingerprint | `whatweb URL` |
| Screenshots | `gowitness file -f subs.txt` |
| Vuln scan | `nuclei -l targets.txt -t templates/` |
### Common External Services
| Port | Service | Test Focus |
|---|---|---|
| 21 | FTP | Anonymous login, version vulns |
| 22 | SSH | Password spraying, weak keys |
| 25 | SMTP | Open relay, user enum |
| 53 | DNS | Zone transfer |
| 80/443 | HTTP/S | Web vulnerabilities |
| 445 | SMB | Null sessions, vulns |
| 3389 | RDP | Password spray, BlueKeep |
## Constraints and Limitations
### Scope Considerations
- Only test authorized IP ranges
- Respect rate limits and service availability
- Avoid DoS conditions
- Document all testing activities
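A scope filter for the target list that masscan and nmap read with `-iL` in Phase 5, added here as a Python example and not part of the original skill; the authorised ranges, the exclusions and the hostname-to-IP resolution results are constructed:

```python
"""Keep only authorised addresses in a scan target list.

Added example, not part of the original skill: masscan and nmap on this page
read targets from -iL targets.txt; this filter drops anything outside the
written authorisation before that file is produced. All ranges, exclusions and
resolution results below are constructed.
"""
import ipaddress

AUTHORISED = ["203.0.113.0/24", "198.51.100.10"]   # from the authorisation letter
EXCLUDED = ["203.0.113.250/31"]                     # carved out by the client
# Hostname -> IPs, as a resolver such as dnsx/httpx would report them.
RESOLVED = {
    "www.company.com": ["203.0.113.10"],
    "vpn.company.com": ["203.0.113.250"],   # in the /24 but explicitly excluded
    "cdn.company.com": ["192.0.2.7"],       # third-party CDN, never authorised
    "mail.company.com": ["198.51.100.10", "2001:db8::25"],
}


def build_scope(authorised, excluded):
    """Parse CIDR or bare-IP strings; a bare IP becomes a /32 or /128 network."""
    allow = [ipaddress.ip_network(s, strict=False) for s in authorised]
    deny = [ipaddress.ip_network(s, strict=False) for s in excluded]
    return allow, deny


def in_scope(ip, allow, deny):
    """Exclusions win over allowances; an IPv6 address never matches a v4 range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in n for n in deny) and any(addr in n for n in allow)


def split_targets(resolved, authorised=AUTHORISED, excluded=EXCLUDED):
    """Return (sorted in-scope IPs, {host: [out-of-scope IPs]})."""
    allow, deny = build_scope(authorised, excluded)
    inside, outside = set(), {}
    for host, ips in resolved.items():
        for ip in ips:
            if in_scope(ip, allow, deny):
                inside.add(ip)
            else:
                outside.setdefault(host, []).append(ip)
    key = lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s))
    return sorted(inside, key=key), outside


if __name__ == "__main__":
    ok, bad = split_targets(RESOLVED)
    print("\n".join(ok))                      # this becomes targets.txt
    for host, ips in bad.items():
        print("OUT OF SCOPE", host, ", ".join(ips))
```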
### Legal Requirements
- Written authorization mandatory
- Stay within defined scope
- Notify ISPs if required
- Follow rules of engagement
### Technical Limitations
- WAF may block scanning
- Rate limiting on services
- Geo-restrictions may apply
- Some services may require credentials
## Troubleshooting
### No Subdomains Found
Solutions:
- Use multiple enumeration tools
- Try certificate transparency
- Check DNS history services
- Search for mentions on social media
- Try reverse WHOIS lookups
### Scans Being Blocked
Solutions:
- Reduce scan rate
- Use IP rotation
- Try different source IPs
- Use passive reconnaissance first
- Schedule scans during off-hours
### Password Spray Lockouts
Solutions:
- Increase delay between attempts
- Respect lockout thresholds
- Use IP rotation
- Target multiple services
- Check MFA requirements first