External
Once OSINT is done we can move on to enumeration and testing: review every HTTP/HTTPS page for login portals, information disclosure and default credentials, and check the exposed services below. Some of this external work bleeds into a small amount of Cloud Pentesting, but nothing too in depth.
Enumeration
FTP
Check whether FTP is open and whether anonymous login is enabled (21.txt is the list of hosts that had 21/tcp open). A hit shows up as "Anonymous FTP login allowed" in the script output.
sudo nmap -p 21 --script ftp-anon -iL 21.txt
SSH
Check whether SSH is open and which authentication methods the server offers. If "password" or "keyboard-interactive" appears in the output, the host is a candidate for the password spraying below; if only "publickey" is listed, skip it.
sudo nmap -p 22 --script ssh-auth-methods -iL 22.txt
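When the host lists are long it is easier to run the two scans with -oX and pull out the interesting hosts programmatically. The following is an added example, not part of the original notes: it parses nmap XML for the ftp-anon and ssh-auth-methods results and returns the hosts that allow anonymous FTP and the hosts whose SSH service accepts password-style authentication. The XML is a constructed sample using RFC 5737 documentation addresses, shaped the way nmap writes script results (the output lives in the script element's output attribute).

```python
"""Added example (not from the original notes): pick the follow-up hosts out of
`nmap -oX` output for the ftp-anon and ssh-auth-methods checks above."""
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output (addresses are RFC 5737 documentation space).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/>
      <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
    </port></ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/>
    </port></ports></host>
  <host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/>
      <script id="ssh-auth-methods" output="&#10;  Supported authentication methods: &#10;    publickey&#10;    password"/>
    </port></ports></host>
  <host><status state="up"/><address addr="192.0.2.21" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/>
      <script id="ssh-auth-methods" output="&#10;  Supported authentication methods: &#10;    password"/>
    </port></ports></host>
  <host><status state="up"/><address addr="192.0.2.22" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/>
      <script id="ssh-auth-methods" output="&#10;  Supported authentication methods: &#10;    publickey"/>
    </port></ports></host>
</nmaprun>
"""


def _script_outputs(xml_text):
    """Yield (ip, port, script_id, output) for every NSE result on an open port."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports may still carry stale script output
            for script in port.findall("script"):
                yield ip, int(port.get("portid")), script.get("id"), script.get("output", "")


def anonymous_ftp_hosts(xml_text):
    """Hosts where ftp-anon reported a successful anonymous login."""
    return sorted(ip for ip, _port, sid, out in _script_outputs(xml_text)
                  if sid == "ftp-anon" and "Anonymous FTP login allowed" in out)


def ssh_password_auth_hosts(xml_text):
    """Hosts whose SSH server offers password or keyboard-interactive auth."""
    hosts = []
    for ip, _port, sid, out in _script_outputs(xml_text):
        if sid != "ssh-auth-methods":
            continue
        methods = {line.strip() for line in out.splitlines()}
        if "password" in methods or "keyboard-interactive" in methods:
            hosts.append(ip)
    return sorted(hosts)


if __name__ == "__main__":
    print("anonymous FTP:", anonymous_ftp_hosts(SAMPLE_NMAP_XML))
    print("SSH password auth:", ssh_password_auth_hosts(SAMPLE_NMAP_XML))
```

Feed it the real file with `ET.parse(path).getroot()` in place of `fromstring`; the two result lists become the input for the FTP follow-up and the hydra spray further down.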
Password Spraying
We can password spray with the usernames and emails obtained from OneDrive User Enum, plus the usernames, emails and passwords from Dehashed-API-Tool. I typically spray with passwords found through Dehashed-API-Tool and WeakPasswords.net.
CredMaster requires an Amazon AWS account: it creates FireProx (API Gateway) endpoints and rotates through them so every request comes from a different IP, which keeps the spray anonymous and beats per-IP throttling. Rotating IPs does nothing about per-account lockout, so keep --delay and the number of passwords tried per lockout window conservative; locking out users is noisy and harms the client. CredMaster can spray against many environments, but the ones I run into most often are:
AzureSSO
python3 credmaster.py --config config.json --plugin azuresso --domain domain.com -u users.txt -p wordlist.txt --region us-east-1 --delay 20 --randomize --trim -o OUTFILE
OWA
python3 credmaster.py --config config.json --plugin owa --domain domain.com -u users.txt -p wordlist.txt --region us-east-1 --delay 20 --randomize --trim -o OUTFILE
Okta
python3 credmaster.py --config config.json --plugin okta --domain domain.com -u users.txt -p wordlist.txt --region us-east-1 --delay 20 --randomize --trim -o OUTFILE
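The --delay and --randomize flags above exist because a spray is the opposite of a brute force: one password goes across every user, then the loop waits out the lockout observation window before trying the next one. The following is an added example written for these notes (it is not CredMaster's code and is not tied to any real provider) that shows that scheduling against a constructed mock identity provider which locks an account after a threshold of failures inside a window. The user list, credentials, thresholds and password list are all made up for the demonstration; the clock is simulated so the example runs instantly, where a real spray would sleep.

```python
"""Added example (not from the original notes, not CredMaster's code): lockout-aware
password spraying shown against a constructed mock identity provider."""
import random


class MockIdP:
    """Constructed stand-in for Azure SSO / OWA / Okta: locks an account after
    `threshold` failures inside `window` seconds of simulated time."""

    def __init__(self, creds, threshold=5, window=1800):
        self.creds, self.threshold, self.window = creds, threshold, window
        self.failures = {}      # user -> timestamps of recent failures
        self.locked = set()
        self.now = 0.0          # simulated clock, advanced by spray()

    def login(self, user, password):
        if user in self.locked:
            return "locked"
        if self.creds.get(user) == password:
            return "success"
        recent = [t for t in self.failures.get(user, []) if self.now - t < self.window]
        recent.append(self.now)
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.locked.add(user)
        return "fail"


def spray(idp, users, passwords, lockout_threshold=5, lockout_window=1800,
          jitter=(5, 15), wait_out_window=True):
    """Password-major spray. After (threshold - 1) passwords the loop waits out
    the lockout window so no account ever reaches the lockout count.
    Returns (found credentials, number of lockouts we ran into)."""
    found, lockouts, remaining = {}, 0, list(users)
    passwords_this_window = 0
    for password in passwords:
        random.shuffle(remaining)                   # same idea as --randomize
        for user in list(remaining):
            result = idp.login(user, password)
            idp.now += random.uniform(*jitter)      # per-attempt delay (--delay)
            if result == "success":
                found[user] = password
                remaining.remove(user)              # never re-test a hit
            elif result == "locked":
                lockouts += 1
        passwords_this_window += 1
        if wait_out_window and passwords_this_window >= lockout_threshold - 1:
            idp.now += lockout_window               # real code: time.sleep()
            passwords_this_window = 0
    return found, lockouts


def run_demo(wait_out_window):
    """Constructed scenario: three users, two of whom use a sprayable password."""
    idp = MockIdP({"bob": "Summer2024!", "carol": "Welcome1"}, threshold=5, window=1800)
    users = ["alice", "bob", "carol"]
    passwords = ["Password1", "Spring2024!", "Welcome1", "Fall2024!", "Winter2024!", "Summer2024!"]
    return spray(idp, users, passwords, lockout_threshold=5, lockout_window=1800,
                 wait_out_window=wait_out_window)


if __name__ == "__main__":
    print("lockout-aware:", run_demo(True))    # both creds, no lockouts
    print("no waiting:   ", run_demo(False))   # bob locked before his password comes up
```

The contrast is the point: with the wait, both weak passwords are recovered and nobody is locked out; without it, alice and bob hit the threshold on the fifth password and bob's real password on the sixth is never tested. Get the real lockout policy (threshold and window) from the client before spraying, and size the password list per window from it.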
SSH
Using hydra against the hosts where the SSH check showed password authentication. Most SSH daemons limit parallel connections, so add -t 4 if you see connection errors, and keep the password list small enough to respect the lockout policy.
hydra -L users.txt -P passwords.txt ssh://IP