Goal:

Test the security from an outside perspective

Provide quality of service to the client

Preparation

Checklist:

- Ensure ROE is signed by client
- Add IPs in scope to Scope tab
- Verify customer scope
- Send kickoff email
- Conduct vulnerability scanning with Nessus or other
- Identify emails/users/passwords in breach databases (Dehashed, breach-parse, etc.)
- Identify employees & email address format (linkedin, phonebook.cz, clearbit, etc)
- Identify client's websites and search for any data useful to help attack (job posting, system information, password policy, etc)
- Attempt to enumerate any accounts on portals, password reset function, etc
- Run web app scans, if necessary
- Conduct manual testing and exploitation on targets
- Validate scanning tool vulnerabilities
- Conduct password spraying, password guessing and brute force on login portals
- Escalate access from external to internal
- Validate previous year findings have been resolved
- Cleanup

ROE - Rules of engagement:

- This document summarizes the rules of engagement for the cybersecurity assessment offered by <company>.
- The intent of this document is to clearly define the roles and responsibilities and the details of the test agreement.
- If the ROE is not signed, do not start the pentest!

Verifying Scope:

- bgp.he.net

Client Communication:

- If you find a critical vulnerability, tell your client right away, because they need to patch immediately.

Attack strategy

- Think of external pentest like home security
- Low chance of RCE, high chance of weak passwords
- OSINT is your best friend (and logical guessing)

Vulnerability Scanning

Nessus

Advanced Scan:

General Settings:
- scans can be scheduled

Discovery:
- host: default
- port: all ports 1-65535
- service: default

Assessment:
- enable web application scanning if necessary

Reviewing & Extracting Information

Export the Nessus File
Generate a Report (Executive Summary & Custom) to PDF and HTML

Optional

www.melcara.com
Nessus Parser:
- perl parse_nessus_xml.v24.pl -f <nessus file>
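If you would rather extract the findings yourself than rely on the Perl parser, the added Python example below (not part of the notes and not melcara's tool) reads a .nessus export with the standard library, flattens it into one record per host/port/plugin, counts findings by severity and lists the affected hosts for one plugin, which is the data that goes into the "affected hosts" column of a report finding. The embedded scan file is constructed sample data; the hosts, ports and plugin names in it are illustrative and the pluginID "0000" is a placeholder.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed minimal .nessus (NessusClientData_v2) export used as sample input.
# Hosts, ports and plugin entries are illustrative; pluginID "0000" is a placeholder.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="External assessment">
  <ReportHost name="203.0.113.5">
   <HostProperties>
    <tag name="host-ip">203.0.113.5</tag>
    <tag name="host-fqdn">www.example.com</tag>
   </HostProperties>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
               pluginID="42873" pluginName="SSL Medium Strength Cipher Suites Supported (SWEET32)"
               pluginFamily="General">
    <risk_factor>Medium</risk_factor>
    <plugin_output>Medium Strength Ciphers (&gt; 64-bit and &lt; 112-bit key)</plugin_output>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
               pluginID="10107" pluginName="HTTP Server Type and Version"
               pluginFamily="Web Servers">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="203.0.113.9">
   <HostProperties>
    <tag name="host-ip">203.0.113.9</tag>
   </HostProperties>
   <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="3"
               pluginID="0000" pluginName="Example High finding (constructed)"
               pluginFamily="Windows">
    <risk_factor>High</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text):
    """Flatten a .nessus export into one dict per (host, port, plugin) finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        # HostProperties carries key/value <tag> elements (host-ip, host-fqdn, OS, ...)
        props = {tag.get("name"): tag.text for tag in host.iter("tag")}
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "fqdn": props.get("host-fqdn", ""),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "risk": item.findtext("risk_factor", default="None"),
                "output": (item.findtext("plugin_output") or "").strip(),
            })
    return findings


def count_by_severity(findings, min_severity=1):
    """Counts per severity label, dropping informational items by default."""
    return dict(Counter(SEVERITY_NAMES[f["severity"]]
                        for f in findings if f["severity"] >= min_severity))


def affected_hosts(findings, plugin_id):
    """host:port list for one plugin, i.e. the 'affected hosts' column of a report finding."""
    return sorted({f"{f['host']}:{f['port']}" for f in findings
                   if f["plugin_id"] == plugin_id})


if __name__ == "__main__":
    items = parse_nessus(SAMPLE_NESSUS)
    print(count_by_severity(items))
    for f in sorted(items, key=lambda f: -f["severity"]):
        print(f"{f['risk']:8} {f['host']}:{f['port']}/{f['protocol']}  {f['name']}")
```

To use it on a real export, read the .nessus file into a string and pass it to parse_nessus; the severity numbers (0 to 4) are the ones Nessus writes into the severity attribute.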

Information Gathering / OSINT

Hunting Breached Credentials

Run breach-parse:

- get emails and passwords that have been breached before
- get as much information as you can
- later we can password spray or credential spray with the emails found earlier to try to get access to something

Run Dehashed or other tools:

- gather more information

Do not attack out-of-scope domains,
but you can take passwords breached on other domains and try them against the in-scope domain.

Same with breached emails: we can try rockyou or something similar, like Summer2021 etc.

Identifying Employees and Emails

clearbit - browser extension
hunter.io
phonebook.cz - search for domains/emails
LinkedIn > employees

Enumerating Valid Accounts

identify login portals - take note of them
go to the login portal of the in-scope domain
try to reset an invalid login to see the error message
try to reset or log in with the emails you gathered and see if the error changes

Other useful information

Look at job posting, system information, password policy

Attacking Login Portals

By this point, you should have identified:

- Login portals to attack
- List of possible employees/emails
- Password strategies to employ

Password strategy

Could be:

- season + year + special character
- past season + year + special character
- month + year 
- company name + number/year/something
- city or address location
- sports team of the city 

Password Spraying Office365

The majority of clients use Microsoft, because of AD.

Tool example, one password per spray pass:

trevorspray.py -e <list of emails> -passwords 'winter20!' --delay 10 --no-current-ip --ssh user@ip -k <key>.pem (AWS key pair)

# delay = time to wait before trying again
# no-current-ip = do not spray from our own IP
# pass a couple of user@ip entries, because it sprays through them one at a time
# if the delay is 10 sec and you have 10 accounts, after 100 secs the spray comes back to the first one, which is good practice to avoid locking the account
  • Be aware of the lockout password policy
  • If you get a locked-account error, stop the spraying
  • If the lockout policy is, let's say, 5 tries, try 4 times, then try another 4 an hour later

Sign in for AWS

Go to the AWS management console:

EC2 > Launch instance
Ubuntu > free tier eligible
launch the instance
grab the public IP
and put it in the script as user@ip, so the spray against the target comes from that IP

Password Spraying OWA (outlook web app)

metasploit > search owa
use auxiliary/scanner/http/owa_login
set options

Attacking Other Portals

- With other types of portals we go to Burp
- set scope > Options AND Target scope
- intercept the request
- send it to Intruder/Repeater
- Intruder > Options > Grep - Match > add the login error string
- in Options > set the password as the variable
- Sniper attack > Payloads > add some common passwords (Winter2021!, Summer2021@ etc.)
- look at the length / status code / grep match of the login error

If you want to try credential stuffing:

This tries the first username with the first password, the second with the second, etc.

- set the username as a variable as well
- set the attack type to Pitchfork
- in Payloads > list > add the logins/usernames too

We can also use the Cluster bomb attack type:

This tries every username with every password.
- the Pitchfork option is better for not locking out the accounts

Bypassing MFA (multi factor authentication)

MFASweep:

Invoke-MFASweep -Username <user> -Password <pass>

For example:

- We could ask the client to create an account for us,
- and then we try to log in with only the password, without the MFA.
- If the company has set up MFA correctly, this should not work.

Invoke-SelfSearch -Mailbox <email> -ExchHostname <hostname> -remote

Usually social engineering is out of scope, so this method is useful for testing their MFA.

Escalating Access - Strategy

Here we have some sort of access and want to escalate.

Look at the Azure portal, SharePoint, VPN access, emails

  • Enumeration is the key

Report Writing

Examples:

https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report

https://tcm-sec.com/wp-content/uploads/2021/10/TCMS-Demo-Corp-Security-Assessment-Findings-Report.pdf

If it's a web pentest we should include OWASP references; if it's an external pentest, NIST references.

Common Pentest Findings

Insufficient Authentication Controls:

- the client does not have MFA
- if you could not tell whether they have MFA, ask the client
- so that you can recommend it in the report anyway

Weak Password Policy:

- the client needs to understand that they need to improve the password policy
- again, if you didn't find the password policy, just ask the client
- so you can help them improve it
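The password strategies listed under "Password strategy" (season + year, month + year, company name, city, sports team) are exactly the patterns a policy should refuse. The added example below, which is not from the notes, turns those patterns into a filter a client could run on new passwords: it returns the reasons a candidate is guessable, or an empty list if it passes. The company, city and team defaults, and the 12-character minimum, are constructed sample values, not anything the notes state.

```python
import re

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
# Assumed minimum length for the policy; the notes do not state a number.
MIN_LENGTH = 12
# "<word><year>" where the year may be two or four digits (21, 2021).
WORD_YEAR_RE = re.compile(r"^([a-z0-9]+?)((?:19|20)?\d{2})$")
# Common substitutions users make to satisfy "complexity" without changing the word.
_LEET = str.maketrans("@$013", "asoie")


def _leet_undo(text):
    """Undo the usual substitutions so 'W1nter' and 'Spr1ngfield' are seen as the words they are."""
    return text.lower().translate(_LEET)


def predictable_reasons(password, company="Demo Corp", city="Springfield", team="Tigers"):
    """Reasons the candidate matches a guessable pattern; an empty list means it passes.
    The keyword defaults are constructed sample values for an imaginary client."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    # Patterns 1 and 2 from the notes: season + year, month + year (special characters ignored).
    compact = re.sub(r"[^a-z0-9]", "", password.lower())
    m = WORD_YEAR_RE.match(compact)
    if m:
        word = _leet_undo(m.group(1))
        if word in SEASONS:
            reasons.append("season + year")
        elif word in MONTHS:
            reasons.append("month + year")

    # Patterns 3 to 5: company name, city/address, local sports team anywhere in the password.
    letters = re.sub(r"[^a-z]", "", _leet_undo(password))
    for label, value in (("company name", company), ("city or address", city),
                         ("local sports team", team)):
        token = re.sub(r"[^a-z]", "", (value or "").lower())
        if token and token in letters:
            reasons.append(label)
    return reasons


if __name__ == "__main__":
    for candidate in ("Winter2021!", "March2021!!!", "DemoCorp2021!", "Spr1ngfield!!",
                      "GoTigers2021#", "correct horse battery staple"):
        print(f"{candidate!r:32} -> {predictable_reasons(candidate) or 'ok'}")
```

The org-specific words are passed in per client, so the same filter reports "company name" for one customer and "city or address" for another; a real deployment would also feed it the breached-password list gathered during the engagement.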

Insufficient Patching:

- Provide a mitigation when there is no patch available for that vulnerability
- even if you didn't get to exploit it in time, add it to the report because they need to mitigate it
- check the versions of services to find this kind of patching issue
- Nessus is great for that as well

Default Credentials:

Check default credentials on every service: email, printers, web servers, routers, etc.

Insufficient Encryption:

client uses HTTP: they should migrate to HTTPS and turn off HTTP
web issues: SSL, TLS, SWEET32, RC4, self-signed certificate
mitigation: disable weak ciphers on public web services

Information Disclosure:

information leaked through errors
mitigation: disable debug reporting / properly handle invalid users
unnecessary information via mDNS on UDP port 5353
mitigation: filter incoming traffic to UDP port 5353
unnecessary information within HTTP response headers
mitigation: remove unnecessary information from HTTP headers
verbose 403 & 404 error messages
mitigation: disable verbose error messages in the server config
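The header and verbose-error findings above are easy to verify, and to re-verify at retest time, with a small audit. The added example below (not from the notes) parses a raw HTTP response, flags headers that advertise the stack, version strings in the Server header and in 403/404 bodies, and, as a check related to the HTTP-to-HTTPS finding, a missing Strict-Transport-Security header (HSTS is my addition; the notes only say to turn HTTP off). Both responses are constructed sample data: the "before" one is what a default Apache/PHP install typically returns, the "after" one is what the same server looks like once the mitigations are applied.

```python
import re

# Constructed raw HTTP responses (sample data, not captured from a real host).
RESPONSE_BEFORE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Wed, 03 Nov 2021 09:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Not Found</h1><p>The requested URL /x was not found on this server.</p>"
    "<address>Apache/2.4.29 (Ubuntu) Server at www.example.com Port 80</address>"
)

RESPONSE_AFTER = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Wed, 03 Nov 2021 09:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Not Found</h1>"
)

# Headers whose only job is to advertise the software behind the site.
DISCLOSING_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator")
# Product/version strings such as "Apache/2.4.29" or "PHP/7.2.24".
VERSION_RE = re.compile(r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)+")


def parse_response(raw):
    """Split a raw response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_response(raw, served_over_tls=True):
    """Return a list of (finding name, detail) pairs for one response."""
    status, headers, body = parse_response(raw)
    issues = []
    for name in DISCLOSING_HEADERS:
        if name in headers:
            issues.append(("Information Disclosure", f"{name}: {headers[name]}"))
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        issues.append(("Information Disclosure", f"Server header carries a version: {server}"))
    if status in (403, 404) and VERSION_RE.search(body):
        issues.append(("Information Disclosure", f"verbose {status} page reveals a software version"))
    if served_over_tls and "strict-transport-security" not in headers:
        issues.append(("Insufficient Encryption",
                       "no Strict-Transport-Security header; fallback to plain HTTP stays possible"))
    return issues


if __name__ == "__main__":
    for label, raw in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        print(label)
        for finding, detail in audit_response(raw) or [("ok", "no issues")]:
            print(f"  {finding}: {detail}")
```

The same function works on responses saved from Burp or curl -i, as long as the CRLF line endings are preserved; the findings map directly onto the "Information Disclosure" and "Insufficient Encryption" headings of the report.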

Username Enumeration:

Forgot-password errors: synchronize the valid/invalid account messages
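The enumeration check described under "Enumerating Valid Accounts" (compare the error for an invalid login with the error for a gathered email) and the mitigation here are two sides of one defect. The added example below, which is not from the notes, shows a login and a forgot-password handler that leak account existence next to versions that do not, plus the tester's oracle check that tells them apart. The user store, password and hashing scheme are constructed for the example; PBKDF2 stands in for whatever the real application uses.

```python
import hashlib
import hmac
import os


def _hash_password(password, salt):
    # PBKDF2 stands in for the application's real password hashing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store (example data only): email -> (salt, hash).
_ALICE_SALT = os.urandom(16)
USERS = {"alice@example.com": (_ALICE_SALT, _hash_password("correct horse battery", _ALICE_SALT))}

# Dummy credential so a request for an unknown user costs the same hashing work
# as a request for a real one (no timing difference to measure).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)

# Stand-in for the mail queue the reset handler would hand off to.
OUTBOX = []


def login_vulnerable(email, password):
    """Two different failure messages: each one tells the caller whether the account exists."""
    if email not in USERS:
        return "Unknown user"
    salt, stored = USERS[email]
    if _hash_password(password, salt) != stored:
        return "Wrong password"
    return "Logged in"


def login_hardened(email, password):
    """One failure message, and the hash is computed even for unknown users so timing matches."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    digest = _hash_password(password, salt)
    # compare_digest avoids early-exit timing; the membership test stops the dummy
    # password from "logging in" an account that does not exist.
    if hmac.compare_digest(digest, stored) and email in USERS:
        return "Logged in"
    return "Invalid credentials"


def reset_vulnerable(email):
    """The forgot-password form from the notes: different text for valid and invalid accounts."""
    if email not in USERS:
        return "No account found for that email address."
    OUTBOX.append(email)
    return "A reset link has been sent to your email."


def reset_hardened(email):
    """Same text either way; the mail is only queued when the account exists."""
    if email in USERS:
        OUTBOX.append(email)
    return "If an account exists for that address, a reset link has been sent."


def leaks_user_existence(handler, *args):
    """The tester's check: does the reply differ between a known and an unknown
    account when every other input is identical?"""
    return handler("alice@example.com", *args) != handler("nobody@example.com", *args)


if __name__ == "__main__":
    for name, handler, extra in (("login_vulnerable", login_vulnerable, ("wrong",)),
                                 ("login_hardened", login_hardened, ("wrong",)),
                                 ("reset_vulnerable", reset_vulnerable, ()),
                                 ("reset_hardened", reset_hardened, ())):
        print(f"{name:18} leaks account existence: {leaks_user_existence(handler, *extra)}")
```

Synchronizing the messages is only half of the fix: if the unknown-user path returns without hashing, response time still acts as the oracle, which is why the hardened login always runs the hash against a dummy record.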

Default Web Pages:

Apache, IIS, etc. - the attacker will inventory the software version for future attacks
mitigation: replace the default pages with a terms-of-service page.

Open Mail Relays:

https://www.blackhillsinfosec.com/how-to-test-for-open-mail-relays/

IKE Aggressive Mode:

with aggressive mode enabled we could capture the PSK (pre-shared key) of a VPN
tool: ike-scan
mitigation: synchronize error messages. Error messages should be consistent for valid and invalid users
the likelihood of exploiting this is very low, close to zero, but it is a common finding and a potential risk.

Unexpected Perimeter Services:

RDP, Telnet enabled towards the external network
talk to the client to find out whether that is intentional

Insufficient Traffic Blocking:

tool: Shotsherpa
block unnecessary traffic, e.g. from other countries, if possible
perhaps not blocking, but limiting traffic in some way

Undetected Malicious Activity:

nmap scan, Nessus scan, web enumeration, brute force
make sure the client knows where they need to improve
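The password spraying described earlier in these notes is one of the activities the client should have detected. The added example below (not from the notes) shows the detection logic a defender would run over sign-in logs: a spray shows up as one source failing against many distinct accounts inside a time window, whereas a brute force or an ordinary mistyped password shows up as repeated failures on a single account. The log format and the lines themselves are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (example data, not from a real tenant).
# One source tries one password against many accounts; another fails twice on
# a single account and then succeeds, which is ordinary user behaviour.
SAMPLE_AUTH_LOG = """\
2021-11-03T09:00:01Z src=203.0.113.10 user=alice@example.com result=FAIL
2021-11-03T09:00:12Z src=203.0.113.10 user=bob@example.com result=FAIL
2021-11-03T09:00:23Z src=203.0.113.10 user=carol@example.com result=FAIL
2021-11-03T09:00:34Z src=203.0.113.10 user=dave@example.com result=FAIL
2021-11-03T09:00:45Z src=203.0.113.10 user=erin@example.com result=FAIL
2021-11-03T09:00:56Z src=203.0.113.10 user=frank@example.com result=SUCCESS
2021-11-03T09:05:00Z src=198.51.100.7 user=alice@example.com result=FAIL
2021-11-03T09:05:30Z src=198.51.100.7 user=alice@example.com result=FAIL
2021-11-03T09:06:00Z src=198.51.100.7 user=alice@example.com result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_auth_log(text):
    """Parse the constructed log format into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5):
    """Map source IP -> peak number of distinct accounts it failed against within
    any `window`. Distinct users per source is the signal: a brute force hits one
    account many times, a spray hits many accounts a few times each."""
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)
    alerts = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it spans at most `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = max(alerts.get(src, 0), len(users))
    return alerts


def successes_from_sprayers(events, alerts):
    """Accounts that logged in successfully from a flagged source: the ones to
    reset and review first during incident response."""
    return sorted({e["user"] for e in events
                   if e["result"] == "SUCCESS" and e["src"] in alerts})


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    flagged = detect_spray(evs)
    print("spraying sources:", flagged)
    print("accounts that accepted a sprayed password:", successes_from_sprayers(evs, flagged))
```

The window and threshold are the knobs to tune against the client's own baseline; a spray run with a long delay and many source addresses (exactly what the spraying tool in these notes is built to do) needs a longer window and correlation across sources to catch, which is the point worth making in the debrief.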

Historical Account Compromises:

Accounts that have been breached before

Remediation:
- Avoid password reuse between sites.
- Train users not to use work emails for site registrations unless necessary.
- Enforce password rotation with strict password complexity requirements.
- A 'haveibeenpwned.com' subscription is recommended for proactive alerting of compromised corporate accounts.
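Besides the domain-alerting subscription the notes recommend, haveibeenpwned also publishes the Pwned Passwords range API, which lets a client check a password against the breach corpus without sending the password, or even its full hash, anywhere: only the first five characters of the SHA-1 leave the machine, and the matching is done locally on the returned suffixes. The added example below (not from the notes) implements that k-anonymity lookup; the embedded range response and its count are constructed sample data so the block runs offline, and fetch_range_http is the real call for when network access is available.

```python
import hashlib

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Upper-case SHA-1 split into the 5-char prefix sent to the API and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines of a range lookup into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the corpus (0 = not seen).
    fetch_range(prefix) returns the response body for that 5-char prefix."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_http(prefix):
    """Real lookup against the API; only the hash prefix is transmitted."""
    import urllib.request
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API so the example runs offline. The suffix for
# "password" is computed, the count and the other suffixes are made up.
_KNOWN_PREFIX, _KNOWN_SUFFIX = split_sha1("password")
FAKE_RANGE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_KNOWN_SUFFIX}:3861493",
    "1E2AAA439972480CEC7F16C795BBB429372:2",
])


def fetch_range_fake(prefix):
    return FAKE_RANGE_BODY if prefix == _KNOWN_PREFIX else ""


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-9v2"):
        print(f"{candidate!r}: seen {breach_count(candidate, fetch_range_fake)} times (offline sample)")
```

Wired into the password-change flow (or run in bulk over a hash dump the client owns), this is how "avoid password reuse between sites" becomes an enforced control rather than a training point.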

Wrapping Up

Client Debriefs

Explain the report
Keep it simple, as if you are explaining to non-technical people
It's normal not to know something or the answer to a question they ask
Our job is to help find security vulnerabilities before the attacker does, and to help the company solve those issues and improve their network

- You need to be technical, yet explain things at a high level
- Able to write well
- Sociable enough to debrief a report in front of people

Attestation Letters

After the pentest is finished, we send a letter that summarizes the activities performed.

Retesting

We can offer the company 60~90 days of retesting, which means they have some time to fix the problems we found.
Then we go back and retest the vulnerabilities.
We do not remove the vulnerabilities found in the last pentest; we just mark them as remediated if the company fixed the issue.