Black-box External Test

Scope Discovery

  • Document initial information (any domains provided, etc.)

  • Find additional subdomains

    • Tool: subfinder

    • Tool: sn1per

    • Tool: sublist3r (checks search engines and APIs to find subdomains): sublist3r -d <domain> -b -v

    • Tool: amass: amass enum -d <domain>

    • Website: dnsdumpster.com

    • Website: mxtoolbox.com

  • Look through the range of their IP addresses that map to subdomains, and investigate IP addresses within the gaps
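The gap check in the last item above can be scripted. This is an added example, not part of the original checklist: the sample hostnames and addresses are constructed (documentation ranges), and grouping by /24 with a maximum gap of 16 addresses is an assumption, not a rule from the page.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: subdomain -> resolved IP (RFC 5737 documentation ranges).
RESOLVED = {
    "www.example.com": "203.0.113.10",
    "api.example.com": "203.0.113.11",
    "mail.example.com": "203.0.113.12",
    "vpn.example.com": "203.0.113.20",
    "dev.example.com": "198.51.100.7",
}

def find_gaps(resolved, prefix=24, max_gap=16):
    """Return {network: [(first_ip, last_ip, count), ...]} for addresses that
    sit between two known hosts in the same network but map to no subdomain.
    prefix and max_gap are assumed tuning values, not values from the page."""
    by_net = defaultdict(set)
    for ip in resolved.values():
        addr = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        by_net[net].add(int(addr))

    gaps = {}
    for net, hosts in by_net.items():
        ordered = sorted(hosts)
        found = []
        # Compare each known host with the next one in numeric order.
        for lo, hi in zip(ordered, ordered[1:]):
            missing = hi - lo - 1
            if 0 < missing <= max_gap:
                found.append((str(ipaddress.ip_address(lo + 1)),
                              str(ipaddress.ip_address(hi - 1)),
                              missing))
        if found:
            gaps[str(net)] = found
    return gaps

if __name__ == "__main__":
    for net, ranges in find_gaps(RESOLVED).items():
        for first, last, count in ranges:
            print(f"{net}: {first} - {last} ({count} unmapped, confirm ownership)")
```

Addresses in a gap are only candidates: confirm they belong to the client and are covered by the agreed scope before adding them to scope.txt.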

OSINT

  • Check social media sites (Twitter, Facebook, LinkedIn)

  • Identify employees via LinkedIn

  • Tools:

    • dehashed (for compromised accounts and passwords)

    • TheHarvester (limited utility as APIs change)

Port / Service Discovery

  • Perform nmap scan on the external surface: sudo nmap -Pn -A -p- -iL scope.txt -oX external_scan.xml

  • Make it pretty:

Last updated 1 year ago