External Network Penetration Testing: The methodology

Falken Smaze
May 30, 2023


Join my Discord server for private learning

What is External Network Penetration Testing?

External network penetration testing is the act of auditing an organization’s network security from an external perspective. It involves simulating real-world cyber attacks to identify vulnerabilities and weaknesses that malicious actors could exploit to gain unauthorized access to the network.

There are not many CVEs in play!

Many aspiring hackers have a completely wrong perception of external network penetration testing.

HTB-like content gives newbies the wrong perception of external hacking!

Many of the challenges in the CTF-like world involve a lot of CVEs: targets that are running some sort of outdated service which is prone to a known exploit.

That is not the real world!

In the real world, there are bots scanning the internet 24/7, looking for and finding devices that run outdated services. If you go on Shodan right now and search for devices running vsftpd 2.3.4 (a vulnerable version that leads to RCE), the results will shock you!

Just a quick, effortless search led me to roughly 2.6 thousand potentially vulnerable devices. This just goes to show how easy it is to discover vulnerable services on the internet.

If the client you’re pentesting is running any kind of vulnerable service that leads to RCE, then they have probably already been doomed.

This does not mean that you won’t encounter CVEs or vulnerabilities in the assets that your client presents you with. Maybe there is an information disclosure vulnerability, or perhaps a vulnerable WordPress plugin on one of their web servers. The point is that you probably won’t find a CVE with Critical/Very-High impact on the external side that could, on its own, lead to network compromise.

So then, how do we breach the network?

Phases of External Network Pentesting:

  • Vulnerability Scanning
  • Validate vulnerability scanning software findings manually
  • OSINT/Passive Recon
  • User Enumeration
  • Password spraying & Brute-Force on login portals
  • Escalate privileges (Try to get inside the internal network)

After verifying the rules of engagement (ROE), you should start off by scanning the IPs in scope. After the vulnerability scanning has been done, manually check the findings to make sure they are not false positives.

However, the most common way that we breach networks in external assessments is by password spraying and brute-forcing login portals. This could be anything from Azure and Outlook to SSH and RDP services. Anything that requires a username/e-mail and a password is the gold mine here.

In these kinds of assessments, OSINT is your best friend. In future articles, I’ll be discussing the techniques for finding sensitive employee information, mostly passwords in breached databases, and how to use it to try to breach the network.

So, in the passive recon stage, we try to collect as much information as possible: e-mails, passwords in breached databases, password policies and even job postings. We collect all of this information to build a strong attack strategy.

The next stage is to spray likely passwords, and passwords discovered in public breaches, that are tied to the e-mails of the organization you’re pentesting against its login portals.

If that is successful, the final step is to escalate our privileges and try to gain access to internal resources.
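Since the spraying step above is how most external breaches happen, the defender's counterpart is worth seeing: the following is an added example (not code from the original post) that flags a source IP whose failed logins hit many distinct accounts in a short window, which is what distinguishes a spray from a brute-force against one account. The "timestamp status user ip" log format, the sample lines and the thresholds are all assumptions constructed for the example.

```python
# Added example (not the post's code); log format and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp status user ip" format.
SAMPLE_LOG = """\
2023-05-30T09:00:01 FAIL alice 203.0.113.10
2023-05-30T09:00:04 FAIL bob 203.0.113.10
2023-05-30T09:00:07 FAIL carol 203.0.113.10
2023-05-30T09:00:10 FAIL dave 203.0.113.10
2023-05-30T09:00:13 FAIL erin 203.0.113.10
2023-05-30T09:00:16 SUCCESS frank 203.0.113.10
2023-05-30T09:05:00 FAIL alice 198.51.100.7
2023-05-30T09:05:30 FAIL alice 198.51.100.7
"""

def parse_line(line):
    ts, status, user, ip = line.split()
    return datetime.fromisoformat(ts), status, user, ip

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {ip: sorted usernames} for sources whose FAIL events cover
    at least `min_users` distinct accounts within any span of `window`."""
    fails = defaultdict(list)  # ip -> [(timestamp, user)]
    for line in log_text.splitlines():
        if line.strip():
            ts, status, user, ip = parse_line(line)
            if status == "FAIL":
                fails[ip].append((ts, user))
    flagged = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def successes_from(log_text, flagged):
    """Accounts that logged in from a flagged source: reset and investigate first."""
    hits = {user for line in log_text.splitlines() if line.strip()
            for _, status, user, ip in [parse_line(line)]
            if status == "SUCCESS" and ip in flagged}
    return sorted(hits)
```

The single-account failures from 198.51.100.7 are not flagged because only the breadth of accounts, not the count of failures, marks a spray; a separate per-account lockout rule covers that case.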

That would be, in a nutshell, an external pentest. In future articles, I’ll be going over these topics in more detail; for now, this is a nice introduction to the world of breaching networks from the outside :)
