Testing the Waters: A Guide to External Penetration Testing Methodology

As part of a security assessment, an external penetration test simulates an attack on an organization’s systems and defenses from the internet. The ultimate goal is to provide the tested organization with a profile of potential attacks that could be carried out against its systems and assets.

During an external pentest assessment, the pentester will use a variety of tools and techniques to scan and test the organization’s systems. This could involve using automated scanners and manual testing to identify any weaknesses and attempt to exploit them.

In this post, I would like to share my current external pentesting methodology. After completing training at TCM Academy and Antisyphontraining, I updated the methodology to include new findings and additional research. If you’re interested in taking the mentioned training, you can check the Resources section.

External penetration testing involves multiple phases to fully evaluate an organization’s security from an external perspective. These phases include:

• Planning
• Execution
• Post-Execution

The planning phase is an essential part of an external pentest assessment, as it sets the stage for the rest of the assessment and helps ensure keeping everything organized. The planning phase includes the following items:

Engagement Scope refers to the systems, networks, and assets included in the pentest assessment. In this step, the pentester would work with the client to define the scope they want to evaluate. The scope usually consists of IP addresses/ranges (CIDR notations), domains, subdomains, vhosts, cloud assets, API endpoints, etc.

After the client provides the needed information for the scope, the pentester verifies the scope to ensure the accuracy of the client’s information.

Standard tools for verification are:

• Whois ARIN
• Hurricane Electric Internet Services

Rules of Engagement (RoE) are guidelines that outline acceptable actions and tests during a security assessment. The client should approve the document before the beginning of the assessment. The RoE document usually includes the essential information the pentester and client agree on, such as:

• Assessment Scope includes the client’s assets, networks, and endpoints.
• Assessment Objectives include the goals and expectations the client expects from the pentester during the security evaluation.
• Timeline of the engagement includes key milestones and deadlines.
• Communication Rules include establishing clear communication channels with the client, discussing how the pentester will keep them informed throughout the engagement, and notifying them of any significant findings.
• Deliverables include the comprehensive report the testing team delivers to the client at the end of the assessment — the report contains a summary of the findings and recommendations for addressing the found vulnerabilities or weaknesses.
• Contact information of both sides (testing team and client POCs).
• Kick-off communications provide an opportunity to establish a relationship with the client, set expectations, and ensure everyone is on the same page. There are usually two (2) types of communication with the clients at the beginning of an engagement:
  – A kick-off meeting includes a meeting with the client, usually after verifying the engagement scope. The pentester meets with the client, introduces themselves, and discusses the scope and the assessment objectives.
  – A kick-off email is sent to the client at the beginning of the engagement to notify the client of starting the pentesting activities on the agreed scope.

Once the test has officially begun, the pentester will conduct passive and active reconnaissance to identify any information that may help during the following testing phases: email addresses, usernames, software information, user manuals, forum posts, etc.

This phase includes:

• Reconnaissance
  – Passive Recon (OSINT)
  – Active Recon
• Manual Testing and Exploitation
• Password Attacks

Passive Recon

Passive recon, known as Open-Source Intelligence (OSINT), refers to gathering information about the targets from publicly accessible resources like social media, search engines, public records, breach data, etc., without interacting with them. As the name suggests, this type of recon is passive and does not leave noticeable traces.

Examples of what to look for in passive recon:

• Organization’s Website:
  – Employee names and emails to use for password spraying, or social engineering activities (Red teaming)
  – Job postings to understand the technologies and infrastructure used within the organization.
• Password Policy from the Sign-up functionality of the web portals.
• Public Records, including archives
• Social Media platforms (LinkedIn, Twitter, Facebook)
• Breach Databases
• Source Code platforms
• Cloud Storage platforms (S3 Buckets, Azure Blobs)

Tools & Resources:

• Search Engines (Google, Bing, Shodan, Censys, VirusTotal, IntelX, PhoneBook, Security Trail)
• IP/Domain Lookups:
  – ARIN
  – Hurricane Electric Internet Services
  – Whois Lookups
• Internet Archives (Wayback Machine)
• Source Code platforms (GitHub, Bitbucket, Pastebin)
• Website profiles (BuiltWith, Wapplyzer)
• Data Breaches (Dehashed, Have I been Pwned)

Active Recon

Active recon gathers information through probing, scanning, and fingerprinting the targets. This type of recon is very noisy and easily detected; the pentester is advised to exercise caution when scanning clients’ targets to prevent triggering unexpected responses or bringing the targets down.

Examples of what to look for in active recon:

• Login Portal such as Outlook Web Application (OWA), Citrix, VPN, SharePoint, or any web portal
• IoT devices (Cameras, medical devices, Industrial control systems)
• SSL Certificate Information, encryption, and cipher issues.

Tools & Resources:

• Network and Web Vulnerability Scanners
  – Nessus
  – Nmap (TCP &UDP scans)
  – BurpSuite Pro
  – Nuclei
• Domain Enumeration
  – Sublist3r
  – Subfinder
  – Amass
  – Httpstatus
  – Webchk
  – Eyewitness
• SSL Scans
  – SSLScan
  – Sslyze
• Usernames/Emails Enumeration
  – Scope Creep

Manual Testing and Exploitation

The manual testing and exploitation involve reviewing the scan results from the active recon step and identifying signs of vulnerabilities or weaknesses that look interesting for additional investigation. This step includes mapping all exposed services — port number, service name, and possibly version number and looking for known vulnerabilities for the discovered application or services. 🖊️ Check out Scanning and Probing Cheatsheet

It is important to remember that the pentester should NOT rely only on the vulnerability scanner results, as they don’t always show the correct software version or service type. Instead, the results must be manually validated to siphon and filter the valid ones.

Another thing to highlight in the section is that the pentester has to be always careful in testing production environments; if they encounter a vulnerable system that can be exploited with a public/custom exploit but is not sure what the impact on that system would be, ask the client if it ok to exploit that system. Some clients would agree to allow the pentester to exploit it, and some won’t, as it would disrupt the environment. Or sometimes, they would agree, but without specific instructions, like testing off-hours when the network traffic is slowed down.

📌 Tip: When using a public or custom exploit, you must understand what the exploit is doing behind the scene. You don’t want to be in a situation where the client is asking you about the technical details of the exploit, and you would answer, I don’t know; I just got it from GitHub. Also, only use tools verified and vetted ahead of time before the assessment.

Password Attacks

Another fundamental portion of external penetration testing is password attacks; below are the attack types used during assessments:

• Password spraying is trying a single common password against many users’ accounts. (one password vs. multiple accounts).
• Brute-forcing is trying every possible combination of characters, symbols, and words in an attempt to guess the correct password.
• Credential stuffing is trying a list of compromised usernames and passwords one by one until the right match is found. This attack is often successful because many people reuse the same passwords across multiple accounts.

💡 It is crucial to note that password attacks lead to lockouts. Therefore, if the client does not provide the password policy they use in the organization, the pentester should be cautious when performing those attacks.

Examples of where to use password attacks:

• Web login portals such OWA, O365.
• Management utilities like SSH, SNMP, FTP, Telnet

Tools & Resources:

• TREVORspray
• Metasploit Modules
  – Auxiliary/Scanner/owa_login
  – Auxiliary/Scanner/owa_ews_login
• MailSniper
• SprayingToolkit
• Go365
• Oh365UserFinder

Reporting

A report is a deliverable the tester provides to clients after completing the assessment. It is usually a comprehensive report consisting of a high-level non-technical executive summary of what was accomplished during the security assessment timeline and the findings.

The report includes the assessment scope, objectives, a description of the methods used during the engagement, a list of findings and recommendations, and supporting documentation such as screenshots or logs.

📌 Tip: start reporting while testing; create a draft report with the testing notes and screenshots. Trust me; it will save a lot of time and effort. Also, the screenshots should be clear and include the run commands and their outputs.

Debriefing

A debrief is a review of the findings and recommendations from the performed security assessment. During the debrief meeting, the pentester/pentesting team meets with the client’s relevant parties — management, IT staff, and other stakeholders to discuss the identified vulnerabilities during the assessment and provide recommendations for how to address and mitigate the found issue. The debrief may be presented as a report or a presentation and conducted in person or remotely.

Common External Pentest Findings

Several findings may arise during an external pentest. Below are the most common ones in external assessments:

• Insufficient Authentication Controls.
• Anonymous access to protocols like FTP, Telnet, and SMB.
• Exposed Management Protocols- systems configured to be accessible via the internet without a VPN like SSH, SNMP, FTP, Telnet, RDP, etc.
• Weak Password Policies
• Default credentials or weak passwords.
• Known vulnerabilities (CVEs)
• Weak/ Insufficient Encryption includes:
  – Unencrypted communication on Web applications.
  – Weak SSL protocols.
  – Weak Ciphers like (RC4 and DES-CBC).
  – Expired SSL Certificates.
• Insufficient Patching.
• Information disclosures, Verbose error messages on web applications.
• Exposed API endpoints with sensitive information.
• Username Enumeration through Forgot Password functionality.

With that, we reached the end of the post. We learned about the standard methodology for approaching external pentesting assessment. Following a methodology ensures that the pentest evaluation is thorough and systematic, covering all relevant areas and test cases. It also helps the pentester stay organized and focused, reducing the risk of missing essential vulnerabilities.

Thanks all for reading!!

• https://academy.tcm-sec.com/p/external-pentest-playbook
• https://www.antisyphontraining.com/on-demand-courses/introduction-to-pentesting/
• https://inteltechniques.com/book1.html