External Pentest Playbook: Key Techniques and Tools

This article covers essential methodologies and tools used in external penetration testing, focusing on information gathering (OSINT) and attacking login portals.

Information Gathering / OSINT

1. Hunting Breached Credentials

  • Use `h8mail` to search for breached emails:
    h8mail -t user@example.com -bc path/to/breach_compilation/ -o results.txt

  • Check Have I Been Pwned (HIBP) via API:
    curl -s "https://haveibeenpwned.com/api/v3/breachedaccount/user@example.com" -H "hibp-api-key: YOUR_API_KEY"


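The h8mail and HIBP lookups above are the attacker's-eye view of breached credentials. The defender's counterpart is to check candidate passwords against the same kind of corpus at registration and reset time, so that a sprayed "Password123!" never becomes valid in the first place. The block below is an added example, not code from the original article: it implements the k-anonymity lookup the Pwned Passwords range API uses (only the first five hex characters of the SHA-1 leave the client), but against a constructed in-memory stand-in for the service so it runs offline. The breach counts, the `make_offline_range_service` helper and the `password_is_acceptable` policy function are assumptions made for the example.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Live service (not contacted here): GET https://api.pwnedpasswords.com/range/{prefix}
# where {prefix} is the first five hex characters of the SHA-1 of the password.
# The response body is one "SUFFIX:COUNT" line per hash sharing that prefix.


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form the service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def make_offline_range_service(breach_counts: Dict[str, int]) -> Callable[[str], str]:
    """Build a stand-in for the range endpoint from a constructed breach list
    (hypothetical helper, only so the example runs without network). It answers
    a prefix with the same 'SUFFIX:COUNT' line format the live service returns."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for password, count in breach_counts.items():
        prefix, suffix = split_hash(password)
        buckets[prefix].append(f"{suffix}:{count}")

    def fetch_range(prefix: str) -> str:
        return "\r\n".join(buckets.get(prefix, [])) + "\r\n"

    return fetch_range


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus, 0 if never.
    Only the prefix crosses the wire; the suffix is matched client-side."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


# Constructed breach counts for the offline service (made up for this example).
CONSTRUCTED_BREACH_COUNTS = {"Password123!": 10000, "Summer2024!": 250}
OFFLINE_RANGE = make_offline_range_service(CONSTRUCTED_BREACH_COUNTS)


def password_is_acceptable(password: str,
                           fetch_range: Callable[[str], str] = OFFLINE_RANGE) -> bool:
    """Policy check a registration or reset flow can call: reject any password
    with a non-zero breach count, the blocklist check NIST SP 800-63B asks for."""
    return pwned_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("Password123!", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, OFFLINE_RANGE))
```

To run this against the live service, replace `OFFLINE_RANGE` with a function that fetches `https://api.pwnedpasswords.com/range/` followed by the prefix and returns the response body; the rest of the code is unchanged, and the client still never transmits the full hash.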
2. Identifying Employees & Emails

  • Use `theHarvester` for email enumeration:
    theHarvester -d example.com -b google,linkedin -l 500 -f results.html
    
  • LinkedIn scraping with linkedin2username:
    python3 linkedin2username.py -c "Company Name" -o employees.txt
    

3. Enumerating Valid Accounts (Pre-Attack)

  • Use `kerbrute` for Active Directory username enumeration:
    ./kerbrute userenum --dc DOMAIN_CONTROLLER -d DOMAIN users.txt
    

4. Other Useful Information

  • Subdomain enumeration with amass:
    amass enum -d example.com -o subdomains.txt
    
  • DNS reconnaissance using dnsrecon:
    dnsrecon -d example.com -t axfr -n 8.8.8.8
    

Attacking Login Portals

1. Attacking O365

  • Password spraying with MSOLSpray:
    python3 MSOLSpray.py -u emails.txt -p 'Password123!' -o valid_logins.txt
    

2. Attacking OWA (Outlook Web App)

  • Brute-forcing with ruler:
    ruler --email user@example.com --passwords passwords.txt brute
    

3. Bypassing MFA

  • Exploiting token replay with Modlishka:
    ./modlishka -proxy http://127.0.0.1:8080 -cert cert.pem -certKey key.pem
    

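A reverse-proxy phishing kit of the kind named above works because a one-time code or push approval carries no information about where the user typed it in, so the proxy can forward the whole session. Phishing-resistant MFA closes that gap by binding the assertion to the origin the browser actually displayed and to the relying-party ID the authenticator was registered for. The block below is an added example, not code from the original article or from any project: it performs the clientDataJSON and authenticatorData checks that the WebAuthn specification (section 7.2) requires of the relying party before signature verification, using simulated browser and authenticator output. `RP_ID`, `ALLOWED_ORIGINS`, the `make_client_data` and `make_authenticator_data` simulators and the challenge values are assumptions made for the example.

```python
import base64
import hashlib
import json
import secrets
from typing import Set, Tuple

# Assumed relying-party values for the example; substitute your own.
RP_ID = "login.example.com"
ALLOWED_ORIGINS: Set[str] = {"https://login.example.com"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Simulate the clientDataJSON a browser builds for an assertion. The
    browser, not the page script, fills in 'origin' from the page that is
    really being shown, which a proxy on another domain cannot change."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode("utf-8")


def make_authenticator_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    """Simulate the first 37 bytes of authenticatorData: rpIdHash || flags ||
    signCount. flags 0x05 sets UP (user present) and UV (user verified)."""
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return rp_id_hash + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion_context(
    client_data_json: bytes,
    authenticator_data: bytes,
    expected_challenge: bytes,
    allowed_origins: Set[str] = ALLOWED_ORIGINS,
    rp_id: str = RP_ID,
) -> Tuple[bool, str]:
    """Type, challenge, origin, rpIdHash and user-presence checks of WebAuthn
    assertion verification. The signature check over
    authenticatorData || SHA-256(clientDataJSON) comes after these and is
    left out here."""
    try:
        client_data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "clientDataJSON is not valid JSON"
    if not isinstance(client_data, dict):
        return False, "clientDataJSON is not an object"
    if client_data.get("type") != "webauthn.get":
        return False, f"unexpected type {client_data.get('type')!r}"
    try:
        challenge = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, TypeError):   # binascii.Error is a ValueError subclass
        return False, "challenge is not base64url"
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch: stale or replayed assertion"
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return False, f"origin {origin!r} is not an allowed relying-party origin"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    expected_rp_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if not secrets.compare_digest(authenticator_data[:32], expected_rp_hash):
        return False, "rpIdHash does not match the relying-party ID"
    if not authenticator_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    chal = secrets.token_bytes(32)
    auth = make_authenticator_data(RP_ID)
    print(verify_assertion_context(make_client_data("https://login.example.com", chal), auth, chal))
    # A proxy page on a constructed look-alike domain: the browser records that origin.
    print(verify_assertion_context(
        make_client_data("https://login.example.com.attacker-proxy.test", chal), auth, chal))
```

The origin check is the one that defeats session-proxying: the phishing page is served from the attacker's domain, so the browser writes that domain into `origin`, and the authenticator would in any case refuse to sign for an RP ID that is not a registrable suffix of the page's domain. The challenge check handles the replay case the section heading refers to, since a captured assertion answers a challenge the server has already consumed.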
You Should Know:

  • Always obtain explicit permission before testing.
  • Use rate limiting to avoid detection (-delay in tools).
  • Log findings in a structured report (e.g., `Dradis` or KeepNote).

What Undercode Says

External pentesting requires a balance of automation and manual verification. Tools like `amass`, `kerbrute`, and `Modlishka` streamline attacks, but human analysis ensures accuracy. Always:

  • Verify false positives (`curl -I http://example.com/admin`).
  • Document command outputs (`tee -a log.txt`).
  • Stay updated with the latest exploits (`searchsploit owa`).

Expected Output:

A detailed penetration test report containing:

  • Valid credentials (`valid_logins.txt`).
  • Subdomains (`subdomains.txt`).
  • Security misconfigurations (`nmap -sV -O -p- target.ip`).

Reported By: Todd Mattran – Hackers Feeds