More time and effort are required for an external penetration test than for an internal one. For the latter, we have already gained access to the internal network, so the most helpful information we can gather externally is the list of staff, exposed data breaches, and a list of internal they may be using.
This is mainly passive reconnaissance (OSINT) using publicly available information, without interacting with the target directly: target websites and news articles, social media pages, search engines, public records, breach data, etc.
After completing the
Search Engines (Google, Shodan, Censys, VirusTotal, IntelX, PhoneBook, Security Trails)
IP/Domain Lookups:
Internet Archives (Wayback Machine)
Data Breaches (Dehashed, Have I been Pwned)
intext:"SQL syntax near" OR intext:"syntax error has occurred" OR intext:"incorrect syntax near"
intext:"Powered by phpBB" inurl:/viewtopic.php
intext:"MyBB SQL Error" site:example.com
intext:"WordPress" inurl:"wpconfig.php" filetype:log
filetype:config site:example.com
filetype:pem private key site:example.com
filetype:xls site:example.com
filetype:doc site:example.com
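As an added example (not part of the original notes), the defender-side counterpart to the queries above: a check that parses web server access logs and reports requests for the sensitive file types these dorks target that the server actually answered with a 2xx, i.e. files that are exposed rather than merely probed. The log lines and the pattern list are constructed for illustration.

```python
import re
from typing import List, Dict

# Constructed sample access-log lines in Common Log Format; not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-config.php HTTP/1.1" 200 2844
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /backup/site.config HTTP/1.1" 403 199
198.51.100.7 - - [10/Oct/2023:14:01:09 +0000] "GET /keys/server.pem HTTP/1.1" 200 1704
192.0.2.9 - - [10/Oct/2023:14:03:11 +0000] "GET /logs/debug.log HTTP/1.1" 404 162
192.0.2.9 - - [10/Oct/2023:14:05:30 +0000] "GET /finance/q3.xls?dl=1 HTTP/1.1" 200 40960
"""

# CLF fields we need: client IP, method, path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Path patterns mirroring the file types the search queries above look for.
SENSITIVE_PATTERNS = [
    (re.compile(r'/wp-?config\.php$', re.I), 'wordpress config'),
    (re.compile(r'\.(config|conf|ini|env)$', re.I), 'configuration file'),
    (re.compile(r'\.(pem|key|ppk)$', re.I), 'private key material'),
    (re.compile(r'\.log$', re.I), 'log file'),
    (re.compile(r'\.(xls|xlsx|doc|docx)$', re.I), 'office document'),
]


def find_exposed_sensitive_paths(log_text: str) -> List[Dict[str, str]]:
    """Return requests for sensitive paths that the server served with a 2xx status."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip, _method, path, status = m.groups()
        path = path.split('?', 1)[0]  # match on the path only, ignore the query string
        if not status.startswith('2'):
            continue  # 403/404 means the file was requested but not exposed
        for pattern, label in SENSITIVE_PATTERNS:
            if pattern.search(path):
                findings.append({'ip': ip, 'path': path, 'status': status, 'label': label})
                break
    return findings


if __name__ == '__main__':
    for f in find_exposed_sensitive_paths(SAMPLE_LOG):
        print(f"{f['status']} {f['path']} ({f['label']}) requested by {f['ip']}")
```

Any hit is a file that should be moved out of the web root or blocked at the server, and the same patterns can be fed to a site-wide crawl of your own domain before a search engine indexes it.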