Antisyphon KB

1. External Checklist

Nov 04, 20245 min read

External Penetration Test Checklist

title: Want to Add Stuff to the External Testing Section of the KB? Modify the checklist? Add tools?
 
Reach out to one of the subject matter experts (SMEs) to ensure the content additions align with testing expectations and deliverables. Or, depending on your confidence, go for it!
 
Current External Network SMEs:
- Jordan jordan@blackhillsinfosec.com
- Alyssa alyssa@blackhillsinfosec.com
- Phil phil@blackhillsinfosec.com
- David david@blackhillsinfosec.com

Before testing begins

Recent Note (2023-11-20 or so)

  • Nessus might miss some web application related things.
  • You should try to use Common Nuclei Usage as well, and this may become a requirement in the future.
    • share your results whether better or worse, etc.
    • Nuclei is part of what GoRecon does, as of late November, 2023.
  • Nuclei is here!

One week before the test

  • Ensure that your customer has provided in-scope URLs, IP addresses, and related information
    • Do at least a cursory verification that all provided addresses are owned or controlled by the client.
    • Be alert for ambiguities in notation: If you see 10.10.123.45/24, is that just one host on that /24 network, or does it mean all possible hosts on that /24 network? Ask the customer. Nessus interprets that as as the whole /24 network: 10.10.123.0-255
  • Configure Nessus scan per schedule defined during RoE
    • Basic scan
    • Discovery: Port scan (all ports)
    • Assessment: Scan for all web vulnerabilities (quick) - OK to use “Scan for known web vulnerabilities” or disable web entirely when scope is large: the “all web vuln” item can add up to 5 minutes per webapp test per host.

Test start

  • Review the ROE notes for special requests/requirements, status update requests, etc.
  • Send the Start email to the customer.
  • Start the Nessus scan (or verify that it started successfully, if you scheduled it).
  • Open your report
    • Create a new engagement folder in SharePoint
    • Associate your screenshot tool with the engagement folder - clean!
  • Launch a Digital Ocean node and provide the IP to PoC

Requirements

Summary - Five things required:

  1. Reconnaissance
  2. Vulnerability Scan all listed assets and potentially any discovered during recon
  3. Web services triage
  4. Password sprays, credential stuffing
  5. Triage of vulnerabilities with exploitation and validation on selected high interest issues

Reconnaissance

  • Identify domain
  • Research address space, identify AS number, report additional networks to PoC. Ask if the scope should change to include these discoveries.
  • Perform DNS research
  • Identify mail services including:
    • mail platform
    • protections
    • pattern for email address format
  • Investigate leaked credentials
  • Perform metadata investigations against public files (PowerMeta?)
  • Looking for more resources ?

Vulnerability Scan

  • Run vulnerability scan against customer provided assets
  • Review Nessus vulnerability scan results
    • Triage vulnerabilities and exploit and validate selected high interest findings
    • Review Low and Informational findings for things like web directory enumeration, Cisco Smart Install
    • Limited results?
      • Check the web apps for vulnerable components
      • Include a Key Positive Finding in the executive summary to call out what the customer is doing well
      • Be creative and think like an adversary

Web Service Triage

  • Use EyeWitness to take screenshots of web servers (feed it the .nessus file and it’ll find web servers on common web ports)
    • Review this report through Burp Suite so you can see the HTTP traffic
    • Document any and all login portals you can find
      • Password spray targets?
      • Any way of identifying single-factor authentication? Add a finding!
  • If time allows, document application framework components (Use Burp + retire.js)
    • Report unpatched and components with known vulnerabilities accordingly
      • Provide exact URIs to where components were observed

Credential Attacks

Typically we perform password guessing attacks at a rate of no more than 1 guess per user per hour

Optionals

  • Review open ports and services - there should be a business process or function behind open services.
    • The following are optional and could be used to supplement Nessus’s scan results
      • nmap -sVSC -Pn -iL scopeList -oA outputFilename

Test Wrap-up

Did you compromise something? anything?

  • Be sure to inform the customer of any compromises via a Post Test Cleanup Finding

Notes from a Senior Tester

  1. Consider the results of the recon while doing the external testing. There might be helpful information there.
  2. As with other test types, the goal while reporting is to demonstrate risk, show your steps (including command syntax) and make sure you write up the methodology and findings in a way that is helpful to the customer. Ideally, the report provides them enough information to perform remediation of issues.
  3. All issues that rise to the level of a finding should be discussed/addressed in the methodology too.
  4. Include footnote links to less common tools (tools considered common are built-in Kali tools, Nessus, Nmap, Metasploit and others that most people (blue teamers) will have heard of and know how to find). If you are not sure, include the link. If you want to check your footnotes, switch the Word document to Outline view, click on References and select “Show Notes”. This will give you a numbered list of all the footnotes in the document.
  5. Make sure to check the scope provided by the customer. If any of the IP ranges don’t look like they belong to the customer, double check with them. For scope items that you can’t independently confirm, get an email confirmation from the customer.
  6. Do not add items to scope without explicit permission from the customer.

Graph View

Backlinks

  • No backlinks found