7MS #724: Tales of Pentest Pwnage - Part 85

Hey friends! Today we're going deep on external network pentesting — something I realize we've barely touched in however many episodes we've done. I'm currently in a long stretch of back-to-back external assessments, so it felt like a good time to talk about it.

Here's what we get into:

• Scoping headaches — why the old "count your public IPs and multiply by a big hourly rate" approach drives me crazy, and how we actually scope external tests to be fair to everyone
• Web apps in scope or not? — this needs its own conversation before the test starts, and skipping it causes pain later
• Testing under real conditions — the debate around whether to request an allowlist vs. scanning as-is, and why I lean toward creating the best testing environment possible
• Multi-tool enumeration — why we run Nessus, Project Discovery, and Shodan together, and what each catches that the others miss
• Reporting the surface — why just walking a customer through what's exposed to the internet (ports, services, screenshots) has more value than I used to give it credit for
• SNMP and NTP findings — two protocols that keep showing up open when they really (probably) shouldn't be
• OSINT phase — how we've grown externals to include open-source intelligence work on the customer's domains, not just IP-level scanning
• WordPress hygiene — it keeps coming up on these assessments, and I've got some practical recommendations
• Dorking and metadata searches — using AI to quickly sift through publicly exposed documents for things attackers could use to pretext a social engineering attack
• Subdomain hijacking — a sneaky attack path I've seen in the wild that flies right in the face of all the "check if the URL is spelled right" advice we give users

Even when the technical findings are pretty quiet, there's a lot you can do to punch up an external pentest report with stuff that's genuinely valuable to customers!