An external penetration test requires more time and effort than an internal one. For the latter, we have already gained access to the internal network. Thus, the most helpful information we may gather externally is the list of staff, exposed data breaches, and a list of internal they may be using.
This is mainly passive reconnaissance (OSINT): it relies on publicly available information, gathered without interacting with the target, including target websites, news articles, social media pages, search engines, public records, breach data, etc.
After completing the
Search Engines (Google, Shodan, Censys, VirusTotal, IntelX, PhoneBook, SecurityTrails)
IP/Domain Lookups:
Internet Archives (Wayback Machine)
Data Breaches (Dehashed, Have I Been Pwned)