i Penetration Test – External Scanning – All things in moderation

Penetration Test – External Scanning

In the previous post, we already know how to set up an environment for  penetration testing. Like Sun Tzo said: “If you know neither the enemy nor yourself, you will succumb in every battle.”, so you must know and analyze your target carefully before you run any tests. Even you are professional tester or just beginning, scanning has been always the first attempt. My post is divided into 3 parts: External Scanning, Internal Scanning and Web Application Scanning.

In this follow section, I will introduce you both passive and active tools that be able to identify almost everything about your targets servers, services.

1.Begin with Passive Discovery, which will help you collect information about the target, clients, network without touching them. It is useful because we just use resources on the Internet so it isn’t alert any suspicious activity to the target. Sometimes, when you use Google Hacking or some websites like Shodan ( https://www.shodan.io/ ), you could find some exploits on it but it leads us to a different story.

There are many different tools that we can use it for passive network or information discovery on Kali. Looking the image below, we could see it. It is within the OSINT ( Open Source INTlligence ) folder.

pentest external scanning


Here is some tools that I have used for years:

  • Hoovers – Search over 85 million companies within 900 industry segments; Hoover’s Reports Easy-to-read reports on key competitors, financials, and executives
  • Market Visual – Search Professionals by Name, Company or Title
  • FoxOne Scanner – Non- Invasive and Non-Detectable WebServer Reconnaissance Scanner
  • Creepy – creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services.
  • Spokeo – People search engine and free white pages finds phone, address, email, and photos. Find people by name, email, address, and phone for free.
  • theHarvester – This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization.
  • Foca – FOCA 3.2 Free is a fingerprinrint and information gathering tool for pentesters. It searchs for servers, domains, URLS and public documents and print out discoverd information in a network tree. It also searches for data leaks such as metadata, directory listing, unsecure HTTP methods, .listing or .DS_Store files, actived cache in DNS Serves, etc…
  • Shodan – Search for computers based on software, geography, operating system, IP address and more
  • Maltego – Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.
  • Deep Magic – Search for DNS records and other fun stuff
  • Jigsaw – Jigsaw is a prospecting tool used by sales professionals, marketers and recruiters to get fresh and accurate sales leads and business contact information.
  • Recorded Future – Recorded Future intelligence analysis tools help analysts understand trends in big data, and foresee what may happen in the future. Groundbreaking algorithms extract temporal and predictive signals from unstructured text. Recorded Future organizes this information, delineates results over interactive timelines, visualizes past trends, and maps future events– all while providing traceability back to sources. From OSINT to classified data, Recorded Future offers innovative, massively scalable solutions.
  • MobiStealth – Mobistealth Cell Phone Spy Software empowers you to get the answers you truly want and deserve. Including a host of advanced surveillance features, our Cell Phone Spy Software secretly monitors all cell phone activities and sends the information back to your Mobistealth user account.
  • Snoopy – Snoopy is a distributed tracking and profiling framework
  • Stalker – STALKER is a tool to reconstruct all captured traffic (wired or wireless alike) and parse out all of the “interesting” information disclosures.  It goes beyond just grabbing passwords and emails out of the air as it attempts to build a complete profile of your target(s).  You would be amazed at how much data you can collect in 15 minutes.
  • LinkedIn Maps – Your professional world. Visualized. Map your professional network to understand the relationships between you and your connections
  • LittleSis – LittleSis is a free database of who-knows-who at the heights of business and government.
  • Entity Cube – EntityCube is a research prototype for exploring object-level search technologies, which automatically summarizes the Web for entities (such as people, locations and organizations) with a modest web presence.
  • TinEye – TinEye is a reverse image search engine currently in beta. Give it an image and it will tell you where the image appears on the web.
  • Google Hacking DB – Google Search Query Fu to find the secret sauce
  • ServerSniff – ServerSniff.net – Your free “Swiss Army Knife” for networking, serverchecks and routing with many many little toys and tools for administrators, webmasters, developers, powerusers und security-aware users.
  • MyIPNeighbours – My IP Neighbors lets you find out if any other web sites (“virtual hosts”) are hosted on a given web server.
  • Social Mention – Social Mention is a social media search engine that searches user-generated content such as blogs, comments, bookmarks, events, news, videos, and more
  • Glass Door – Search jobs then look inside. Company salaries, reviews, interview questions, and more – all posted anonymously by employees and job seekers.
  • NameCHK – Check to see if your desired username or vanity url is still available at dozens of popular Social Networking and Social Bookmarking websites.
  • Scythe – The ability to test a range of email addresses (or account names) across a range of websites (e.g. social media, blogging platforms, etc) to find where those targets have active accounts.
  • Recon-NG – A nice Python Script that automates recon on LinkedIn, Jigsaw, Shodan and some search engine fu.
  • Pushpin – Awesome little Python script that will identify every tweet, flicker pic and Youtube video within an area of a specific Geo address.
  • Silobreaker – Enterprise Semantic Search Engine, allows virtualisation of data, analytics and exploration of key data.
  • Google Trends – See what are the popular related topics people are searching for. This will help widen your search scope.
  • Google Alerts – Google Alerts are email updates of the latest relevant Google results (web, news, etc.) based on your queries.
  • Addict-o-matic – Nice little search aggregator. Allows you to enter a search term and build a page from search and social networking sites.
  • PasteLert – PasteLert is a simple system to search pastebin.com and set up alerts (like google alerts) for pastebin.com entries. This means you will automatically recieve email whenever your term(s) is/are found in new pastebin entries!
  • Kurrently – Real Time Search Engine for Social Media.
  • Searchcode – Handy source code search engine to find code thats been shared online. May contain usernames, passwords, specific strings, etc.
  • Echosec – Location-based search platform based on social media and other information.
  • Sublist3r – Python tool that is designed to enumerate subdomains of websites using search engines.
  • Knowem – KnowEm allows you to check for the use of your brand, product, personal name or username instantly on over 500 popular and emerging social media websites.
  • Tinfoleak – Get detailed info about Twitter users with this handy python script
  • CheckUsernames – Check for usernames across 160 Social Networking Sites.
  • Whos Talkin – social media search tool that allows users to search for conversations surrounding the topics that they care about most.
  • 192 – Search for People, Businesses and Places in the UK.
  • Esearchy – Esearchy is a small library capable of searching the internet for email addresses. It can also search for emails within supported documents.
  • TouchGraph SEO – Java based tool for importing and visualising various data types.
  • Tweet Archivist – Tweets are ephemeral. Tweets disappear. Why? That’s the way Twitter is designed. Tweet Archivist can save those tweets before they’re gone. Now, to be clear, Tweet Archivist is not an archive of every tweet ever tweeted. It doesn’t have a database of all tweets.
  • Whoisology – Handy little search engine based on Whois data to identify domains owned by a specific contact.
  • Carrot2 – Nice little visualisation search engine.
  • iSeek – Another handy search engine that break results down into easy to manage categories.
  • GlobalFileSearch – An FTP Search Engine that may come in handy.
  • NerdyData – Neat search engine that works at the source code level.
  • OneMillionTweetMap – Provides visual confirmation of tweets where geotags are enabled, also provides heatmaps for heavy tweet areas.
  • SpiderFoot – The main objective of SpiderFoot is to automate this process to the greatest extent possible, freeing up a penetration tester’s time to focus their efforts on the security testing itself.
  • Username Search – Handy site that will search multiple sites for usernames, email addresses and phone numbers.
  • PlaTO – Searchable list for sites that store credentials in plaintext (taken from Plaintext Offenders)
  • GitRob – Handy OSINT tool for finding interesting things related to an organisation in GitHub
  • LeakedIn – Aggregator site for data samples lost or disclosed online
  • Default Passwords List – Great list on CIRT.net of default passwords for various devices which often comes in handy.
  • Facebook, of course. 😀

2.However, the problem is we have a variety of tools and it takes time to learn how to use it. Fortunately, we have a guy who put almost all of them into a single tool.

A discovery framework has been developed to effectively identify passive information about a company or network, it is so-call Back Track script. We can find it here: https://github.com/leebaird/discover by Lee Baird. Take this as an example, we can search people within an organization or domains on all harvesting sites or use common tools ( like: goog-mail, theHarvester, my dnstools ) and like their result to other 3rd party tools to perform another searching. Now, we try this tool.
We type some following commands after installing it:
– cd /opt/discover
– ./discover
We will see something like this:

– Type 1 for Domain, the same for Passive
– Plus, we type the company name and its domain ( e.g reddit.com )

pentest external scanning

After it finishes, we types:
– firefox/root/[domain]/index.htm
An index.htm will be created inside the “root/data/reddit.com” folder, it shows the results of this scan by html. Personally, I think it is one of comprehensive and effective tool for reconnaissance. This results come from the domains, Whois, IP, files, emails,  and some Google Dork.

Now, looking at our scanning results. On the top right, we could find all of their sub domains. This is very important in Doppelganger attack in Social Engineering.

pentest external scanning

Besides, Google Dork helps us to find sensitive documents for this company. They also hosted old legacy misconfigured files on a server that aren’t supposed to be public, just sitting on a server being crawled by scanners. For the email contacts, we could use it for phishing campaigns.

pentest external scanning

Finally, we can look at the final report which shows you all their findings.

pentest external scanning


In a few seconds,we have already got a ton of information about this company. I think that is enough for today, we will find more useful information in the next post – Active Discovery.

Leave a Reply