External

Once OSINT is complete, we can move on to further enumeration and testing, such as reviewing every HTTP/HTTPS page for login portals, information disclosure, and default login credentials. Some of this external work bleeds into a small amount of cloud pentesting, but nothing too in depth.

Enumeration

FTP

Checking whether FTP is open and whether anonymous login is enabled.

sudo nmap -p 21 --script ftp-anon -iL 21.txt

SSH

Checking whether SSH is open and whether it accepts password authentication (the original line repeated the FTP command; the ssh-auth-methods NSE script reports the authentication methods the server offers).

sudo nmap -p 22 --script ssh-auth-methods -iL 22.txt

Password Spraying

We can password spray using the usernames and emails obtained with OneDrive User Enum, plus the usernames, emails, and passwords from Dehashed-API-Tool. I typically spray with passwords found from Dehashed-API-Tool and WeakPasswords.net.

This tool (CredMaster, run as credmaster.py below) requires an Amazon AWS account to use its API. It uses Fireprox APIs to rotate IP addresses, stay anonymous, and beat throttling. It can spray against multiple environments, but the most common ones I run into are:

  • AzureSSO

python3 credmaster.py --config config.json --plugin azuresso --domain domain.com -u users.txt -p wordlist.txt --region us-east-1 --delay 20 --randomize --trim -o OUTFILE

  • OWA

python3 credmaster.py --config config.json --plugin owa --domain domain.com -u users.txt -p wordlist.txt --region us-east-1 --delay 20 --randomize --trim -o OUTFILE

  • Okta

python3 credmaster.py --config config.json --plugin okta --domain domain.com -u users.txt -p wordlist.txt --region us-east-1 --delay 20 --randomize --trim -o OUTFILE

SSH

hydra -L users.txt -P passwords.txt ssh://IP
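From the blue-team side, the spraying above (one password per account, long delays, source IP rotated through Fireprox) is exactly the pattern per-IP lockout thresholds miss. The following is an added example, not part of these notes or of CredMaster, that flags the spray signature in constructed authentication logs: many distinct accounts failing once each, from many source IPs, inside one time window, and reports any success landing in a flagged window. The log format and thresholds are assumptions for the example.

```python
"""Password-spray detector over constructed auth logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in an assumed format: "<ISO time> <user> <src_ip> <result>".
# First block: a spray (one failure per account, rotating IPs, one hit on 'frank').
# Second block: a single-account brute force; a different signature, not a spray.
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice 203.0.113.10 FAIL
2024-05-01T09:00:20 bob 203.0.113.11 FAIL
2024-05-01T09:00:40 carol 203.0.113.12 FAIL
2024-05-01T09:01:00 dave 203.0.113.13 FAIL
2024-05-01T09:01:20 erin 203.0.113.14 FAIL
2024-05-01T09:01:40 frank 203.0.113.15 SUCCESS
2024-05-01T09:30:00 alice 198.51.100.7 FAIL
2024-05-01T09:30:05 alice 198.51.100.7 FAIL
2024-05-01T09:30:10 alice 198.51.100.7 SUCCESS
"""


def parse_line(line):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def detect_spray(log_text, window_minutes=10, min_users=5, min_ips=3, max_per_user=2):
    """Return one alert per fixed window whose failed logins span >= min_users
    accounts and >= min_ips source IPs, with no account hit more than
    max_per_user times (breadth across users, not depth on one user).
    Fixed windows are simple but can split a spray across a boundary."""
    buckets = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, ip, result = parse_line(line)
        key = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                         second=0, microsecond=0)  # window start
        buckets[key].append((user, ip, result))
    alerts = []
    for key in sorted(buckets):
        fails = [(u, ip) for u, ip, r in buckets[key] if r == "FAIL"]
        if not fails:
            continue
        users, ips = {u for u, _ in fails}, {ip for _, ip in fails}
        per_user = max(Counter(u for u, _ in fails).values())
        if len(users) >= min_users and len(ips) >= min_ips and per_user <= max_per_user:
            alerts.append({"window_start": key.isoformat(),
                           "distinct_users": len(users), "distinct_ips": len(ips),
                           "successes": sorted({u for u, _, r in buckets[key]
                                                if r == "SUCCESS"})})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

Accounts listed under "successes" in a flagged window are the ones to reset and investigate first.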
