zebbern

external-network-penetration-testing

by zebbern

A collection of penetration testing and Linux administration commands in PDFs. Includes detailed guides on tools like Nmap, Sqlmap, Hydra, and Linux system management.

13🍴 3📅 Jan 22, 2026

SKILL.md


---
name: External Network Penetration Testing
description: This skill should be used when the user asks to "perform external pentesting", "conduct external network assessment", "enumerate external attack surface", "perform OSINT reconnaissance", or "test perimeter security". It provides comprehensive external network penetration testing methodologies.
version: 1.0.0
tags: [external-pentest, osint, reconnaissance, network-security, enumeration, penetration-testing]
---

External Network Penetration Testing

Purpose

Conduct comprehensive external network penetration testing including OSINT reconnaissance, subdomain enumeration, exposed service discovery, vulnerability scanning, and exploitation of internet-facing assets. This methodology covers the full external assessment lifecycle.

Prerequisites

Required Tools

  • Nmap for network scanning
  • Amass/Subfinder for subdomain enumeration
  • Shodan/Censys for passive recon
  • Recon-ng for OSINT framework
  • Nuclei/Nessus for vulnerability scanning

Required Knowledge

  • Network protocols and services
  • DNS and certificate transparency
  • Cloud infrastructure concepts
  • OSINT techniques

Outputs and Deliverables

  1. Attack Surface Report - Complete external footprint
  2. Subdomain Inventory - All discovered subdomains
  3. Exposed Services - Internet-facing services and versions
  4. Vulnerability Assessment - Identified security issues

Core Workflow

Phase 1: OSINT Reconnaissance

Gather intelligence without direct target interaction:

```bash
# Google Dorks
site:company.com -site:www.company.com
site:*.company.com
filetype:pdf site:company.com
inurl:admin site:company.com
intitle:"index of" site:company.com

# Bing Dorks
site:company.com -site:www.company.com

# Certificate Transparency
curl -s "https://crt.sh/?q=%25.company.com&output=json" | jq -r '.[].name_value' | sort -u

# ASN Lookup
amass intel -org "Company Name"
whois -h whois.radb.net -- '-i origin AS12345'

# Using bgp.he.net
# https://bgp.he.net/dns/company.com

# Shodan search
shodan search "ssl.cert.subject.CN:company.com"
shodan search "hostname:company.com"
```

OSINT tools:

```bash
# SpiderFoot - automated OSINT
spiderfoot -s company.com -o output.html

# theHarvester
theHarvester -d company.com -b all

# Maltego - visual OSINT
# Use GUI for comprehensive link analysis
```

Phase 2: Passive Reconnaissance

Discover assets without active scanning:

```bash
# DNS History
# SecurityTrails, DNSdumpster, ViewDNS.info

# Web Archive
waybackurls company.com | sort -u > archived_urls.txt

# Pastebin monitoring
# https://github.com/carlospolop/Pastos

# Credential leaks check
# dehashed, breach-parse, HaveIBeenPwned

# Social networks
# LinkedIn - employee enumeration
python3 linkedin2username.py -c "Company Name"

# Hunter.io - email discovery
curl "https://api.hunter.io/v2/domain-search?domain=company.com&api_key=KEY"
```

Phase 3: Subdomain Enumeration

Comprehensive subdomain discovery:

```bash
# Amass - comprehensive enumeration (output name matches the combine step below)
amass enum -d company.com -o amass.txt
amass enum -d company.com -passive -o passive_subs.txt

# Subfinder - fast passive enumeration
subfinder -d company.com -o subfinder.txt

# DNS brute-force
aiodnsbrute -t 20 company.com -w subdomains-top1million.txt

# DNScan
python3 dnscan.py -d company.com -w subdomains.txt

# Combine and dedupe
cat amass.txt passive_subs.txt subfinder.txt | sort -u > all_subs.txt

# Certificate Transparency with ct-exposer
python3 ct-exposer.py -d company.com

# TLSX for SAN extraction
echo "10.0.0.0/8" | tlsx -san -silent

# Resolve live subdomains
cat all_subs.txt | httpx -o live_subs.txt
```

Phase 4: Subdomain Takeover Testing

Check for vulnerable subdomains:

```bash
# Subjack
subjack -w subdomains.txt -t 100 -timeout 30 -o takeover.txt -ssl

# Nuclei subdomain takeover templates
nuclei -l subdomains.txt -t takeovers/

# Manual checks for:
# - CNAME pointing to unclaimed services
# - Azure/AWS/Heroku/GitHub Pages misconfigurations
# - Expired domain CNAMEs

# Common vulnerable services:
# AWS S3, Azure, Heroku, GitHub Pages, Shopify
# Zendesk, Fastly, Pantheon, Tumblr, WordPress
```
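The manual checks listed above boil down to one audit a zone owner should run on their own records: find CNAMEs that point at a third-party provider whose target no longer resolves. The script below is an added example (not the original skill's code, and not subjack or nuclei); the zone export, the `RESOLVES` table standing in for DNS answers, and the provider suffix list are all constructed. A real check also needs the provider's "no such app/bucket/site" response fingerprint, since a target that still resolves can still be unclaimed:

```python
"""Audit a DNS zone export for dangling CNAMEs (subdomain-takeover exposure).

Added example, not from the original skill. Zone records and resolver results
are constructed; replace ``ZONE`` with your provider's export and ``resolve``
with a real DNS lookup.
"""

# Constructed zone export: (name, type, target).
ZONE = [
    ("www.company.com", "A", "203.0.113.10"),
    ("shop.company.com", "CNAME", "company-shop.myshopify.com"),
    ("old-docs.company.com", "CNAME", "company-docs.github.io"),
    ("status.company.com", "CNAME", "company.statuspage.io"),
    ("legacy.company.com", "CNAME", "legacy-app-2019.herokuapp.com"),
    ("cdn.company.com", "CNAME", "d111111abcdef8.cloudfront.net"),
]

# Constructed resolver view: which CNAME targets currently resolve to anything.
RESOLVES = {
    "company-shop.myshopify.com": True,
    "company-docs.github.io": False,          # repository deleted, Pages site gone
    "company.statuspage.io": True,
    "legacy-app-2019.herokuapp.com": False,   # app removed, hostname free again
    "d111111abcdef8.cloudfront.net": True,
}

# Provider suffixes matching the service families named in the skill (assumed list,
# extend it for your own vendors).
THIRD_PARTY_SUFFIXES = (
    ".s3.amazonaws.com", ".azurewebsites.net", ".cloudapp.azure.com", ".herokuapp.com",
    ".github.io", ".myshopify.com", ".zendesk.com", ".fastly.net", ".pantheonsite.io",
    ".tumblr.com", ".wordpress.com", ".statuspage.io", ".cloudfront.net",
)


def resolve(target):
    """Stand-in for a DNS lookup; True if `target` currently resolves."""
    return RESOLVES.get(target, False)


def provider_of(target):
    """Return the matching provider suffix (without the leading dot), or None."""
    for suffix in THIRD_PARTY_SUFFIXES:
        if target.lower().endswith(suffix):
            return suffix.lstrip(".")
    return None


def find_dangling_cnames(zone, lookup=resolve):
    """Return [(name, target, provider)] for CNAMEs whose target no longer resolves.

    Targets at providers outside THIRD_PARTY_SUFFIXES are still reported, with
    provider=None, so a human can decide whether they matter.
    """
    findings = []
    for name, rtype, target in zone:
        if rtype != "CNAME" or lookup(target):
            continue
        findings.append((name, target, provider_of(target)))
    return findings


if __name__ == "__main__":
    for name, target, provider in find_dangling_cnames(ZONE):
        print(f"DANGLING {name} -> {target} ({provider or 'unknown provider'})")
```

The fix for a finding is the same in every case: delete the CNAME or re-claim the target on the provider side before anyone else can; removing the record is the cheaper and safer option when the service is genuinely retired.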

Phase 5: Active Reconnaissance

Direct target scanning:

```bash
# Masscan - fast port discovery
masscan -p1-65535 --rate 10000 -iL targets.txt -oG masscan.out

# Nmap - service enumeration
nmap -sV -sC -p- -iL live_hosts.txt -oA nmap_full

# NSE script categories
nmap --script=default,vuln,discovery -p 22,80,443 target.com

# Shodan integration
shodan host <IP>
shodan search "hostname:company.com"

# Censys
censys search "parsed.names: company.com"

# HTTP/HTTPS screenshots
gowitness file -f live_subs.txt -P screenshots/
eyewitness -f live_subs.txt --web
aquatone -out aquatone_output < live_subs.txt
```
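The `-oA nmap_full` run above leaves a grepable `nmap_full.gnmap` file, which is the most convenient input for the "Exposed Services" deliverable. Each `Host:` line carries a tab-separated `Ports:` field whose entries have the form `port/state/proto/owner/service/rpcinfo/version/`. The parser below is an added example (not the skill's own code); the scan output it reads is a constructed sample, and the list of ports that deserve a second look on a perimeter is an assumption you should tune to your environment:

```python
"""Build an exposed-service inventory from nmap grepable (.gnmap) output.

Added example, not from the original skill. Reads the ``Host: ... Ports: ...``
lines that ``nmap -oA`` writes to the ``.gnmap`` file; the sample is constructed.
"""
import re
from collections import defaultdict

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample) as: nmap -sV -sC -p- -iL live_hosts.txt -oA nmap_full
Host: 203.0.113.10 (www.company.com)\tStatus: Up
Host: 203.0.113.10 (www.company.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)
Host: 203.0.113.25 (mail.company.com)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 587/open/tcp//smtp//Postfix smtpd/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (65532)
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text: str):
    """Return {ip: {"hostname": str, "ports": [(port, proto, service, version), ...]}}, open ports only."""
    inventory = defaultdict(lambda: {"hostname": "", "ports": []})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, rest = m.groups()
        inventory[ip]["hostname"] = hostname
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue  # malformed entry: skip rather than guess
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                if state == "open":
                    inventory[ip]["ports"].append((int(port), proto, service, version))
    return dict(inventory)


# Assumed watch list: management/file-sharing ports that rarely belong on an internet edge.
REVIEW_PORTS = (21, 22, 23, 445, 3389)


def flag_review_ports(inventory, watch=REVIEW_PORTS):
    """Return (ip, hostname, port, service) for open ports on the watch list."""
    return [(ip, d["hostname"], port, service)
            for ip, d in inventory.items()
            for (port, _proto, service, _version) in d["ports"] if port in watch]


if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    for ip, d in inv.items():
        for port, proto, service, version in d["ports"]:
            print(f"{ip}\t{d['hostname']}\t{port}/{proto}\t{service}\t{version}")
    print("review:", flag_review_ports(inv))
```

Nmap writes `/` inside a version string as `|` in grepable output (hence `ssl|http`), which is why splitting on `/` is safe here; the XML output is still the better choice if you need script results or timing data.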

Phase 6: Exposed Services Testing

HTTP/HTTPS

```bash
# Technology fingerprinting
whatweb https://target.com
wappalyzer https://target.com

# Directory enumeration
gobuster dir -u https://target.com -w directory-list.txt
feroxbuster -u https://target.com -w wordlist.txt

# Virtual host discovery
gobuster vhost -u https://target.com -w vhosts.txt

# IIS specific
java -jar iis_shortname_scanner.jar https://iiswebsite.com
# Check aspnet_client folder
curl https://target.com/aspnet_client/
```

Email Services (SMTP)

```bash
# SPF/DKIM/DMARC check
python3 spoofy.py -d company.com -o stdout
./spoofcheck.py company.com

# Open relay testing
nmap --script smtp-open-relay -p 25 target.com

# User enumeration
smtp-user-enum -M VRFY -U users.txt -t target.com
```
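What spoofy and spoofcheck actually grade is a handful of conditions in two TXT records: whether the SPF record ends in a permissive `all`, whether it exists exactly once, and whether the DMARC policy is `none`, `quarantine` or `reject` (and applied to all mail). The evaluator below is an added example, not the skill's code and not derived from either tool; the record strings are constructed for a weak and a hardened version of the same domain, and no DNS lookups are made:

```python
"""Grade SPF and DMARC TXT records for the weaknesses spoofing tools look for.

Added example, not from the original skill. Feed it the TXT strings from
``dig TXT company.com`` and ``dig TXT _dmarc.company.com``; the samples below
are constructed.
"""


def parse_spf(txt_records):
    """Return the SPF record, or None if there is not exactly one (RFC 7208 treats duplicates as permerror)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_all_qualifier(spf):
    """Return the qualifier on the 'all' mechanism ('-', '~', '?', '+'), or None if there is no 'all'."""
    for term in spf.split():
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"  # bare 'all' defaults to pass
    return None


def parse_dmarc(txt_records):
    """Return DMARC tags as a dict, or None if no v=DMARC1 record exists."""
    for r in txt_records:
        if r.replace(" ", "").lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None


def assess(spf_txt, dmarc_txt):
    """Return a list of (severity, finding); an empty list means nothing to report."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append(("high", "no single valid SPF record"))
    else:
        q = spf_all_qualifier(spf)
        if q is None or q in ("+", "?"):
            findings.append(("high", f"SPF 'all' qualifier is {q!r}: any sender passes"))
        elif q == "~":
            findings.append(("medium", "SPF uses ~all (softfail); enforcement depends on DMARC"))
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append(("high", "no DMARC record"))
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append(("high", "DMARC p=none: spoofed mail is reported, not blocked"))
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(("medium", f"DMARC pct={pct}: policy applies to only part of the mail"))
    return findings


# Constructed samples: the weak configuration and the hardened version of the same domain.
WEAK_SPF = ["v=spf1 include:_spf.example-mailer.invalid ~all", "google-site-verification=abc"]
WEAK_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@company.com"]
HARDENED_SPF = ["v=spf1 include:_spf.example-mailer.invalid -all"]
HARDENED_DMARC = ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@company.com"]

if __name__ == "__main__":
    for label, s, d in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, assess(s, d))
```

DKIM is deliberately left out: it has no single well-known record to query (selectors are per sender), so the tools on the page test it by looking for common selector names, which this example does not attempt.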

DNS

```bash
# Zone transfer
dig @ns1.target.com axfr target.com
fierce --domain target.com

# DNS reconnaissance
dnsrecon -d target.com -t std
dnsenum target.com
```

SNMP

```bash
# Community string brute-force
onesixtyone -c community.txt target.com

# SNMP enumeration
snmpwalk -v2c -c public target.com
```

VPN/Remote Access

```bash
# IKE Aggressive Mode
ike-scan -M -A target.com

# SSL VPN enumeration
nmap --script ssl-enum-ciphers -p 443 target.com
```

Phase 7: Cloud Enumeration

```bash
# AWS S3 buckets
aws s3 ls s3://company-backup --no-sign-request
python3 cloud_enum.py -k company

# Azure blob storage
# https://company.blob.core.windows.net/

# GCP storage
# https://storage.googleapis.com/company-bucket

# MicroBurst (Azure, PowerShell)
Invoke-EnumerateAzureBlobs -Base company

# CloudFlare bypass
python3 CloudUnflare.py -d target.com
```

Phase 8: Vulnerability Scanning

```bash
# Nuclei - template-based scanning
nuclei -l targets.txt -t nuclei-templates/ -o nuclei_results.txt

# Nessus (commercial)
# Use external scan profile

# Web vulnerability scanning
nikto -h https://target.com
wpscan --url https://target.com/wordpress
joomscan -u https://target.com/joomla

# SSL/TLS testing
testssl.sh https://target.com
sslscan target.com
```

Phase 9: Password Attacks

Password spraying against external services:

```bash
# CredMaster - multi-service spraying
python3 credmaster.py --plugin o365 -u users.txt -p "Winter2024!"

# O365/Azure
python3 MSOLSpray.py -u users.txt -p "Password123!"
trevorspray -e emails.txt --passwords passwords.txt --delay 15

# OWA
msfconsole
use auxiliary/scanner/http/owa_login
set RHOSTS mail.company.com
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

# VPN
python3 checkpointSpray.py -u users.txt -p "Winter2024!" -t vpn.company.com

# IP rotation for evasion
# Use AWS API Gateway rotation
# Fireprox: https://github.com/ustayready/fireprox
```
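Seen from the blue team's side, the spraying pattern above has a recognisable shape in authentication logs: one source produces failures for many distinct accounts with only one or two attempts each, deliberately staying under the lockout threshold, which is exactly what distinguishes it from brute force against a single account. The detector below is an added example, not the skill's code; the log lines are constructed in a simple `key=value` format, so `parse_line` is the only part you would need to adapt to a real OWA, ADFS or VPN log:

```python
"""Detect a password-spray pattern in authentication logs.

Added example, not from the original skill. The log format and the sample
lines are constructed; thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-01-22T10:00:01Z src=198.51.100.7 user=alice result=FAIL service=owa
2024-01-22T10:00:17Z src=198.51.100.7 user=bob result=FAIL service=owa
2024-01-22T10:00:33Z src=198.51.100.7 user=carol result=FAIL service=owa
2024-01-22T10:00:49Z src=198.51.100.7 user=dave result=FAIL service=owa
2024-01-22T10:01:05Z src=198.51.100.7 user=erin result=FAIL service=owa
2024-01-22T10:01:21Z src=198.51.100.7 user=frank result=SUCCESS service=owa
2024-01-22T10:00:10Z src=203.0.113.55 user=alice result=FAIL service=owa
2024-01-22T10:00:12Z src=203.0.113.55 user=alice result=FAIL service=owa
2024-01-22T10:00:15Z src=203.0.113.55 user=alice result=SUCCESS service=owa
"""


def parse_line(line):
    """Return (timestamp, src, user, result) from one constructed log line."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields["src"], fields["user"], fields["result"])


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src: sorted users} for sources with failures against at least `min_users`
    distinct accounts inside `window`, none of them tried more than `max_per_user` times.
    A source hammering one account (classic brute force) is intentionally not reported here."""
    events = defaultdict(list)  # src -> [(ts, user)] for failures only
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        if result == "FAIL":
            events[src].append((ts, user))
    alerts = {}
    for src, fails in events.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):   # slide the window over each failure as a start point
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = sorted(per_user)
                break
    return alerts


def success_after_spray(log_text, alerts):
    """Return {src: [users]} where a flagged source also logged in successfully: triage these first."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            _, src, user, result = parse_line(line)
            if src in alerts and result == "SUCCESS":
                hits[src].append(user)
    return dict(hits)


if __name__ == "__main__":
    alerts = detect_spray(SAMPLE_LOG)
    print("spray sources:", alerts)
    print("successful logins from spray sources:", success_after_spray(SAMPLE_LOG, alerts))
```

Because the page also recommends IP rotation via API gateways, keying on the source address alone will miss a rotated spray; the same logic works when grouped by user-agent, ASN, or by the whole log (many users, one attempt each, in a short window) instead of by `src`.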

Phase 10: Exploitation

Exposed Credentials

```bash
# Git repository secrets
gitleaks detect --source . -v
trufflehog git https://github.com/company/repo
shhgit --live

# .git folder exposure
curl -s https://target.com/.git/config
git-dumper https://target.com/.git/ output_dir/
```

Default Credentials

```bash
# Check common defaults
# https://cirt.net/passwords
# https://datarecovery.com/rd/default-passwords/

# Common services:
# Jenkins: admin/admin
# Tomcat: tomcat/tomcat
# Grafana: admin/admin
# phpMyAdmin: root/<blank>
```

RCE Vulnerabilities

```bash
# Search for RCE-as-a-feature
# Jenkins script console
# Serv-U FTP server
# Application deployment endpoints

# Nuclei RCE templates
nuclei -l targets.txt -t cves/ -severity critical,high

# Metasploit
msfconsole
search type:exploit cve:2024
```

Quick Reference

Reconnaissance Commands

| Tool | Command |
|---|---|
| Amass | `amass enum -d domain.com` |
| Subfinder | `subfinder -d domain.com` |
| Shodan | `shodan search "hostname:domain.com"` |
| crt.sh | `curl "https://crt.sh/?q=%25.domain.com"` |
| theHarvester | `theHarvester -d domain.com -b all` |

Port Scanning

| Scan Type | Command |
|---|---|
| Fast discovery | `masscan -p1-65535 --rate 10000 target` |
| Service scan | `nmap -sV -sC -p- target` |
| UDP scan | `nmap -sU --top-ports 100 target` |
| Vuln scan | `nmap --script=vuln target` |

Web App Testing

| Test | Tool/Command |
|---|---|
| Directory enum | `gobuster dir -u URL -w wordlist.txt` |
| Tech fingerprint | `whatweb URL` |
| Screenshots | `gowitness file -f subs.txt` |
| Vuln scan | `nuclei -l targets.txt -t templates/` |

Common External Services

| Port | Service | Test Focus |
|---|---|---|
| 21 | FTP | Anonymous login, version vulns |
| 22 | SSH | Password spraying, weak keys |
| 25 | SMTP | Open relay, user enum |
| 53 | DNS | Zone transfer |
| 80/443 | HTTP/S | Web vulnerabilities |
| 445 | SMB | Null sessions, vulns |
| 3389 | RDP | Password spray, BlueKeep |

Constraints and Limitations

Scope Considerations

  • Only test authorized IP ranges
  • Respect rate limits and service availability
  • Avoid DoS conditions
  • Document all testing activities
  • Written authorization mandatory
  • Stay within defined scope
  • Notify ISPs if required
  • Follow rules of engagement

Technical Limitations

  • WAF may block scanning
  • Rate limiting on services
  • Geo-restrictions may apply
  • Some services may require credentials

Troubleshooting

No Subdomains Found

Solutions:

  1. Use multiple enumeration tools
  2. Try certificate transparency
  3. Check DNS history services
  4. Search for mentions on social media
  5. Try reverse WHOIS lookups

Scans Being Blocked

Solutions:

  1. Reduce scan rate
  2. Use IP rotation
  3. Try different source IPs
  4. Use passive reconnaissance first
  5. Schedule scans during off-hours

Password Spray Lockouts

Solutions:

  1. Increase delay between attempts
  2. Respect lockout thresholds
  3. Use IP rotation
  4. Target multiple services
  5. Check MFA requirements first
