extension
Category: Development & Engineering · No API key required

External Network Penetration Testing

Use this skill when the user asks to "run an external penetration test", "perform an external network assessment", "enumerate the external attack surface", "carry out OSINT reconnaissance" or "test perimeter security". It provides a comprehensive external network penetration testing methodology.

Author: jakexiaohubgithub

External Network Penetration Testing

Purpose

Conduct comprehensive external network penetration testing including OSINT reconnaissance, subdomain enumeration, exposed service discovery, vulnerability scanning, and exploitation of internet-facing assets. This methodology covers the full external assessment lifecycle.

Prerequisites

Required Tools

  • Nmap for network scanning
  • Amass/Subfinder for subdomain enumeration
  • Shodan/Censys for passive recon
  • Recon-ng for OSINT framework
  • Nuclei/Nessus for vulnerability scanning

Required Knowledge

  • Network protocols and services
  • DNS and certificate transparency
  • Cloud infrastructure concepts
  • OSINT techniques

Outputs and Deliverables

  1. Attack Surface Report - Complete external footprint
  2. Subdomain Inventory - All discovered subdomains
  3. Exposed Services - Internet-facing services and versions
  4. Vulnerability Assessment - Identified security issues

Core Workflow

Phase 1: OSINT Reconnaissance

Gather intelligence without direct target interaction:

# Google Dorks
site:company.com -site:www.company.com
site:*.company.com
filetype:pdf site:company.com
inurl:admin site:company.com
intitle:"index of" site:company.com

# Bing Dorks
site:company.com -site:www.company.com

# Certificate Transparency
curl -s "https://crt.sh/?q=%25.company.com&output=json" | jq -r '.[].name_value' | sort -u

# ASN Lookup
amass intel -org "Company Name"
whois -h whois.radb.net -- '-i origin AS12345'

# Using bgp.he.net
# https://bgp.he.net/dns/company.com

# Shodan search
shodan search "ssl.cert.subject.cn:company.com"
shodan search "hostname:company.com"

OSINT tools:

# SpiderFoot - automated OSINT (CLI output is tab/csv/json; -u passive keeps the scan non-intrusive)
spiderfoot -s company.com -u passive -o json > spiderfoot.json

# theHarvester
theHarvester -d company.com -b all

# Maltego - visual OSINT
# Use GUI for comprehensive link analysis

Phase 2: Passive Reconnaissance

Discover assets without active scanning:

# DNS History
# SecurityTrails, DNSdumpster, ViewDNS.info

# Web Archive
waybackurls company.com | sort -u > archived_urls.txt

# Pastebin monitoring
# https://github.com/carlospolop/Pastos

# Credential leaks check
# dehashed, breach-parse, HaveIBeenPwned

# Social networks
# LinkedIn - employee enumeration
python3 linkedin2username.py -c "Company Name"

# Hunter.io - email discovery
curl "https://api.hunter.io/v2/domain-search?domain=company.com&api_key=KEY"

Phase 3: Subdomain Enumeration

Comprehensive subdomain discovery:

# Amass - comprehensive enumeration
amass enum -d company.com -o subdomains.txt
amass enum -d company.com -passive -o passive_subs.txt

# Subfinder - fast passive enumeration
subfinder -d company.com -o subfinder.txt

# DNS brute-force
aiodnsbrute -t 20 company.com -w subdomains-top1million.txt

# DNScan
python3 dnscan.py -d company.com -w subdomains.txt

# Combine and dedupe the outputs written above
cat subdomains.txt passive_subs.txt subfinder.txt | sort -u > all_subs.txt

# Certificate Transparency with ct-exposer
python3 ct-exposer.py -d company.com

# TLSX for SAN/CN extraction (replace the documentation range with the client's in-scope external range)
echo "203.0.113.0/24" | tlsx -san -cn -silent

# Resolve live subdomains (ProjectDiscovery httpx, not the Python httpx package's CLI)
httpx -l all_subs.txt -silent -o live_subs.txt
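The "combine and dedupe" step above, and the crt.sh JSON parsing from Phase 1, done safely: this is an added example, not part of the skill. It assumes `company.com` as the in-scope root (the page's placeholder) and uses constructed crt.sh JSON and tool output, so it runs offline; crt.sh packs several newline-separated names into one `name_value`, and a plain `sort -u` keeps wildcards, trailing dots, mixed case and out-of-scope look-alikes.

```python
import json
import re

ROOT = "company.com"  # placeholder in-scope root domain, as used on the page

# Constructed crt.sh JSON (output=json): one name_value may carry several names, wildcards, mixed case.
CRTSH_JSON = json.dumps([
    {"name_value": "www.company.com\nmail.company.com"},
    {"name_value": "*.dev.company.com"},
    {"name_value": "Company.COM"},
    {"name_value": "company.com.evil.example"},
])

# Constructed sample of amass/subfinder output, one name per line.
TOOL_OUTPUT = """\
www.company.com.
api.company.com
MAIL.company.com
vpn.company.com
notcompany.com
"""

HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")

def normalize(name):
    """Lowercase, drop a leading wildcard label and the trailing dot, and
    reject anything that is not a syntactically valid hostname."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name if HOSTNAME_RE.match(name) else None

def in_scope(name, root=ROOT):
    # The root itself or a real subdomain; "company.com.evil.example" must fail.
    return name == root or name.endswith("." + root)

def crtsh_names(raw_json):
    for entry in json.loads(raw_json):
        yield from entry["name_value"].split("\n")

def merge_subdomains(sources, root=ROOT):
    """Combine name lists from several tools into one sorted, deduplicated,
    in-scope inventory."""
    seen = set()
    for source in sources:
        for raw in source:
            name = normalize(raw)
            if name and in_scope(name, root):
                seen.add(name)
    return sorted(seen)
```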

Phase 4: Subdomain Takeover Testing

Check for vulnerable subdomains:

# Subjack
subjack -w subdomains.txt -t 100 -timeout 30 -o takeover.txt -ssl

# Nuclei subdomain takeover templates
nuclei -l subdomains.txt -t takeovers/

# Manual checks for:
# - CNAME pointing to unclaimed services
# - Azure/AWS/Heroku/GitHub Pages misconfigurations
# - Expired domain CNAMEs

# Common vulnerable services:
# AWS S3, Azure, Heroku, GitHub Pages, Shopify
# Zendesk, Fastly, Pantheon, Tumblr, WordPress
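The manual checks above as a zone-hygiene audit a domain owner can run against their own CNAME inventory: an added example, not code from the skill. The sample zone, the platform suffix list and the set of resolvable names are constructed and illustrative; `live_resolves` does a real DNS lookup, `fake_resolves` lets the audit run offline.

```python
import socket

# Constructed CNAME inventory for a fictitious zone (name -> CNAME target),
# the kind of list a DNS export or per-name `dig CNAME` would give you.
ZONE_CNAMES = {
    "www.company.com": "company.github.io",
    "old-blog.company.com": "retired-app.herokuapp.com",
    "shop.company.com": "shops.myshopify.com",
    "static.company.com": "d1234.cloudfront.example",
    "cdn.company.com": "edge.cdn-provider.example",
}

# Illustrative (assumed, not exhaustive) suffixes of platforms from the list
# above; a CNAME into them deserves a review even when it still resolves.
THIRD_PARTY_SUFFIXES = (".github.io", ".herokuapp.com", ".myshopify.com",
                        ".azurewebsites.net", ".s3.amazonaws.com")

# Targets that resolve in this constructed scenario (stand-in for real DNS).
RESOLVABLE = {"company.github.io", "shops.myshopify.com", "edge.cdn-provider.example"}

def fake_resolves(host):
    return host in RESOLVABLE

def live_resolves(host):
    """Real lookup: NXDOMAIN / no address means the CNAME target is gone."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False

def classify(target, resolves=live_resolves):
    """dangling: target no longer resolves (stale record, takeover candidate).
    review: target resolves but lives on a third-party platform.
    ok: target resolves and is not a known third-party platform."""
    if not resolves(target):
        return "dangling"
    if target.endswith(THIRD_PARTY_SUFFIXES):
        return "review"
    return "ok"

def audit_cnames(cnames, resolves=live_resolves):
    return {name: classify(target, resolves) for name, target in cnames.items()}
```

Dangling entries should be deleted or re-pointed; "review" entries need confirmation that the platform account behind them is still owned by the organisation.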

Phase 5: Active Reconnaissance

Direct target scanning:

# Masscan - fast port discovery
masscan -p1-65535 --rate 10000 -iL targets.txt -oG masscan.out

# Nmap - service enumeration
nmap -sV -sC -p- -iL live_hosts.txt -oA nmap_full

# NSE script categories
nmap --script=default,vuln,discovery -p 22,80,443 target.com

# Shodan integration
shodan host <IP>
shodan search "hostname:company.com"

# Censys
censys search "parsed.names: company.com"

# HTTP/HTTPS screenshots
gowitness file -f live_subs.txt -P screenshots/
eyewitness -f live_subs.txt --web
aquatone -out aquatone_output < live_subs.txt
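Glue between the masscan and nmap steps above, as an added example that is not part of the skill: masscan's grepable output repeats the host on every port line, so this regroups ports per host and emits one targeted nmap service scan per host instead of re-sweeping all 65535 ports with `-sV -sC`. The masscan output below is constructed (documentation IP range), not a real scan.

```python
import re
from collections import defaultdict

# Constructed masscan grepable output (-oG, as written by the masscan command
# above): masscan emits one "Host:" line per open port, so ports must be regrouped.
MASSCAN_OG = """\
# Masscan 1.3.2 scan initiated Mon Jan  1 00:00:00 2024
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https//
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//
Host: 203.0.113.25 ()\tPorts: 80/open/tcp//http//
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https//
Host: 203.0.113.40 ()\tPorts: 161/open/udp//snmp//
# Masscan done at Mon Jan  1 00:05:00 2024
"""

PORT_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(\d+)/open/(tcp|udp)/")

def parse_masscan_grepable(text):
    """Map each host to its open TCP and UDP port sets; comment lines and
    duplicate findings (masscan retransmits) are ignored."""
    hosts = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            host, port, proto = m.group(1), int(m.group(2)), m.group(3)
            hosts[host][proto].add(port)
    return dict(hosts)

def nmap_command(host, ports):
    """One targeted nmap service/script scan per host, limited to the ports
    masscan found open; -p T:.../U:... is nmap's per-protocol port syntax."""
    spec = []
    if ports["tcp"]:
        spec.append("T:" + ",".join(str(p) for p in sorted(ports["tcp"])))
    if ports["udp"]:
        spec.append("U:" + ",".join(str(p) for p in sorted(ports["udp"])))
    flags = ["-sV", "-sC"]
    if ports["udp"]:  # UDP needs -sU; keep the TCP SYN scan alongside it
        flags += ["-sS", "-sU"] if ports["tcp"] else ["-sU"]
    prefix = "nmap_" + host.replace(".", "_")
    return f"nmap {' '.join(flags)} -p {','.join(spec)} -oA {prefix} {host}"

def nmap_commands(text):
    hosts = parse_masscan_grepable(text)
    return [nmap_command(h, hosts[h]) for h in sorted(hosts)]
```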

Phase 6: Exposed Services Testing

HTTP/HTTPS

# Technology fingerprinting
whatweb https://target.com
wappalyzer https://target.com

# Directory enumeration
gobuster dir -u https://target.com -w directory-list.txt
feroxbuster -u https://target.com -w wordlist.txt

# Virtual host discovery
gobuster vhost -u https://target.com -w vhosts.txt

# IIS specific
java -jar iis_shortname_scanner.jar https://iiswebsite.com
# Check aspnet_client folder
curl https://target.com/aspnet_client/

Email Services (SMTP)

# SPF/DKIM/DMARC check
python3 spoofy.py -d company.com -o stdout
./spoofcheck.py company.com

# Open relay testing
nmap --script smtp-open-relay -p 25 target.com

# User enumeration
smtp-user-enum -M VRFY -U users.txt -t target.com
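What the SPF/DKIM/DMARC tools above are checking, as an added example (not the skill's code) a domain owner can run over their own TXT records: the records are constructed, no DNS lookups are made, and the point is that SPF alone is advisory, so only an enforcing DMARC policy (and a non-permissive SPF) actually stops direct spoofing of the domain.

```python
# Constructed TXT records for a fictitious domain (what `dig TXT company.com`
# and `dig TXT _dmarc.company.com` would return); no live lookups are made.
RECORDS = {
    "company.com": ["v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ~all"],
    "_dmarc.company.com": ["v=DMARC1; p=none; rua=mailto:dmarc@company.com"],
    "weak.example": ["v=spf1 +all"],
}

def spf_verdict(txts):
    """Classify the SPF record's terminating 'all' qualifier: -all hard-fails
    unauthorised senders, ~all only soft-fails them, ?all/+all authorise anyone."""
    spf = next((t for t in txts if t.lower().startswith("v=spf1")), None)
    if spf is None:
        return "missing"
    tail = spf.split()[-1].lower()
    if tail in ("-all", "~all"):
        return "hardfail" if tail == "-all" else "softfail"
    if tail in ("?all", "+all", "all"):
        return "permissive"
    return "no-all"  # e.g. a record ending in a redirect= modifier

def dmarc_tags(txts):
    """Parse 'tag=value; tag=value' into a dict; empty when no DMARC record."""
    rec = next((t for t in txts if t.lower().startswith("v=dmarc1")), None)
    tags = {}
    for part in (rec or "").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def spoofing_posture(domain, records):
    """Would mail claiming to be from `domain` be accepted by a DMARC-aware
    receiver? Only p=quarantine/reject applied to 100% of mail enforces, and
    even then a permissive SPF (+all) lets any sender pass SPF alignment."""
    spf = spf_verdict(records.get(domain, []))
    tags = dmarc_tags(records.get("_dmarc." + domain, []))
    policy = tags.get("p", "missing").lower()
    pct = int(tags.get("pct", "100"))
    enforced = policy in ("quarantine", "reject") and pct == 100
    return {"spf": spf, "dmarc_policy": policy, "dmarc_pct": pct,
            "spoofable": (not enforced) or spf == "permissive"}
```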

DNS

# Zone transfer
dig @ns1.target.com axfr target.com
fierce --domain target.com

# DNS reconnaissance
dnsrecon -d target.com -t std
dnsenum target.com

SNMP

# Community string brute-force
onesixtyone -c community.txt target.com

# SNMP enumeration
snmpwalk -v2c -c public target.com

VPN/Remote Access

# IKE Aggressive Mode
ike-scan -M -A target.com

# SSL VPN enumeration
nmap --script ssl-enum-ciphers -p 443 target.com

Phase 7: Cloud Enumeration

# AWS S3 buckets
aws s3 ls s3://company-backup --no-sign-request
python3 cloud_enum.py -k company

# Azure blob storage
# https://company.blob.core.windows.net/

# GCP storage
# https://storage.googleapis.com/company-bucket

# MicroBurst (Azure)
Invoke-EnumerateAzureBlobs -Base company

# CloudFlare bypass
python3 CloudUnflare.py -d target.com

Phase 8: Vulnerability Scanning

# Nuclei - template-based scanning
nuclei -l targets.txt -t nuclei-templates/ -o nuclei_results.txt

# Nessus (commercial)
# Use external scan profile

# Web vulnerability scanning
nikto -h https://target.com
wpscan --url https://target.com/wordpress
joomscan -u https://target.com/joomla

# SSL/TLS testing
testssl.sh https://target.com
sslscan target.com

Phase 9: Password Attacks

Password spraying against external services:

# CredMaster - multi-service spraying
python3 credmaster.py --plugin o365 -u users.txt -p "Winter2024!"

# O365/Azure
python3 MSOLSpray.py -u users.txt -p "Password123!"
trevorspray -e emails.txt --passwords passwords.txt --delay 15

# OWA
msfconsole
use auxiliary/scanner/http/owa_login
set RHOSTS mail.company.com
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

# VPN
python3 checkpointSpray.py -u users.txt -p "Winter2024!" -t vpn.company.com

# IP rotation for evasion
# Use AWS API Gateway rotation
# Fireprox: https://github.com/ustayready/fireprox

Phase 10: Exploitation

Exposed Credentials

# Git repository secrets
gitleaks detect --source . -v
trufflehog git https://github.com/company/repo
shhgit --live

# .git folder exposure
curl -s https://target.com/.git/config
git-dumper https://target.com/.git/ output_dir/

Default Credentials

# Check common defaults
# https://cirt.net/passwords
# https://datarecovery.com/rd/default-passwords/

# Common services:
# Jenkins: admin/admin
# Tomcat: tomcat/tomcat
# Grafana: admin/admin
# phpMyAdmin: root/<blank>

RCE Vulnerabilities

# Search for RCE-as-a-feature
# Jenkins script console
# Serv-U FTP server
# Application deployment endpoints

# Nuclei RCE templates
nuclei -l targets.txt -t cves/ -severity critical,high

# Metasploit
msfconsole
search type:exploit cve:2024

Quick Reference

Reconnaissance Commands

| Tool | Command |
|------|---------|
| Amass | `amass enum -d domain.com` |
| Subfinder | `subfinder -d domain.com` |
| Shodan | `shodan search "hostname:domain.com"` |
| crt.sh | `curl "https://crt.sh/?q=%25.domain.com"` |
| theHarvester | `theHarvester -d domain.com -b all` |

Port Scanning

| Scan Type | Command |
|-----------|---------|
| Fast discovery | `masscan -p1-65535 --rate 10000 target` |
| Service scan | `nmap -sV -sC -p- target` |
| UDP scan | `nmap -sU --top-ports 100 target` |
| Vuln scan | `nmap --script=vuln target` |

Web App Testing

| Test | Tool/Command |
|------|--------------|
| Directory enum | `gobuster dir -u URL -w wordlist.txt` |
| Tech fingerprint | `whatweb URL` |
| Screenshots | `gowitness file -f subs.txt` |
| Vuln scan | `nuclei -l targets.txt -t templates/` |

Common External Services

| Port | Service | Test Focus |
|------|---------|------------|
| 21 | FTP | Anonymous login, version vulns |
| 22 | SSH | Password spraying, weak keys |
| 25 | SMTP | Open relay, user enum |
| 53 | DNS | Zone transfer |
| 80/443 | HTTP/S | Web vulnerabilities |
| 445 | SMB | Null sessions, vulns |
| 3389 | RDP | Password spray, BlueKeep |

Constraints and Limitations

Scope Considerations

  • Only test authorized IP ranges
  • Respect rate limits and service availability
  • Avoid DoS conditions
  • Document all testing activities

Legal Requirements

  • Written authorization mandatory
  • Stay within defined scope
  • Notify ISPs if required
  • Follow rules of engagement

Technical Limitations

  • WAF may block scanning
  • Rate limiting on services
  • Geo-restrictions may apply
  • Some services may require credentials

Troubleshooting

No Subdomains Found

Solutions:

  1. Use multiple enumeration tools
  2. Try certificate transparency
  3. Check DNS history services
  4. Search for mentions on social media
  5. Try reverse WHOIS lookups

Scans Being Blocked

Solutions:

  1. Reduce scan rate
  2. Use IP rotation
  3. Try different source IPs
  4. Use passive reconnaissance first
  5. Schedule scans during off-hours

Password Spray Lockouts

Solutions:

  1. Increase delay between attempts
  2. Respect lockout thresholds
  3. Use IP rotation
  4. Target multiple services
  5. Check MFA requirements first