Claude-skill-registry External Network Penetration Testing
This skill should be used when the user asks to "perform external pentesting", "conduct external network assessment", "enumerate external attack surface", "perform OSINT reconnaissance", or "test perimeter security". It provides comprehensive external network penetration testing methodologies.
git clone https://github.com/majiayu000/claude-skill-registry
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/external-network-pentesting" ~/.claude/skills/majiayu000-claude-skill-registry-external-network-penetration-testing && rm -rf "$T"
skills/data/external-network-pentesting/SKILL.md
External Network Penetration Testing
Purpose
Conduct comprehensive external network penetration testing including OSINT reconnaissance, subdomain enumeration, exposed service discovery, vulnerability scanning, and exploitation of internet-facing assets. This methodology covers the full external assessment lifecycle.
Prerequisites
Required Tools
- Nmap for network scanning
- Amass/Subfinder for subdomain enumeration
- Shodan/Censys for passive recon
- Recon-ng for OSINT framework
- Nuclei/Nessus for vulnerability scanning
Required Knowledge
- Network protocols and services
- DNS and certificate transparency
- Cloud infrastructure concepts
- OSINT techniques
Outputs and Deliverables
- Attack Surface Report - Complete external footprint
- Subdomain Inventory - All discovered subdomains
- Exposed Services - Internet-facing services and versions
- Vulnerability Assessment - Identified security issues
Core Workflow
Phase 1: OSINT Reconnaissance
Gather intelligence without direct target interaction:
```bash
# Google Dorks
#   site:company.com -site:www.company.com
#   site:*.company.com filetype:pdf
#   site:company.com inurl:admin
#   site:company.com intitle:"index of"
# Bing Dorks
#   site:company.com -site:www.company.com

# Certificate Transparency. crt.sh returns one entry per certificate and packs all SANs
# into name_value separated by newlines; jq -r prints them one per line, and the sed strips
# wildcard prefixes so "*.company.com" does not survive as a separate "host".
curl -s "https://crt.sh/?q=%25.company.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u

# ASN Lookup
amass intel -org "Company Name"
whois -h whois.radb.net -- '-i origin AS12345'
# Using bgp.he.net
#   https://bgp.he.net/dns/company.com

# Shodan search (queries Shodan's index, not the target)
shodan search "ssl.cert.subject.CN:company.com"
shodan search "hostname:company.com"
```
OSINT tools:
```bash
# SpiderFoot - automated OSINT (-o selects the output format: tab, csv or json; redirect to a file)
spiderfoot -s company.com -u all -o json > spiderfoot.json

# theHarvester
theHarvester -d company.com -b all

# Maltego - visual OSINT
# Use GUI for comprehensive link analysis
```
Phase 2: Passive Reconnaissance
Discover assets without active scanning:
```bash
# DNS History
#   SecurityTrails, DNSdumpster, ViewDNS.info

# Web Archive
waybackurls company.com | sort -u > archived_urls.txt

# Pastebin monitoring
#   https://github.com/carlospolop/Pastos

# Credential leaks check
#   dehashed, breach-parse, HaveIBeenPwned

# Social networks
# LinkedIn - employee enumeration (the tool logs in with your own LinkedIn account)
python3 linkedin2username.py -c "Company Name"

# Hunter.io - email discovery (KEY is your Hunter.io API key)
curl "https://api.hunter.io/v2/domain-search?domain=company.com&api_key=KEY"
```
Phase 3: Subdomain Enumeration
Comprehensive subdomain discovery:
```bash
# Amass - comprehensive enumeration
amass enum -d company.com -o amass.txt
amass enum -d company.com -passive -o passive_subs.txt

# Subfinder - fast passive enumeration
subfinder -d company.com -o subfinder.txt

# DNS brute-force
aiodnsbrute -t 20 company.com -w subdomains-top1million.txt

# DNScan
python3 dnscan.py -d company.com -w subdomains-top1million.txt

# Combine and dedupe (file names match the -o flags above)
cat amass.txt passive_subs.txt subfinder.txt | sort -u > all_subs.txt

# Certificate Transparency with ct-exposer
python3 ct-exposer.py -d company.com

# TLSX for SAN extraction over the in-scope public ranges, one CIDR per line in cidrs.txt
# (10.0.0.0/8 is RFC 1918 space and is not reachable from outside; use the target's public CIDRs)
tlsx -l cidrs.txt -san -silent

# Resolve live subdomains (projectdiscovery httpx, not the Python library of the same name)
httpx -l all_subs.txt -o live_subs.txt
```
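The `jq -r '.[].name_value'` one-liner above is a good start, but raw crt.sh output still contains wildcard entries, mixed-case names, and unrelated domains whose name merely contains the target string, and it has to be merged with what amass and subfinder found. The script below is an added example (not part of the skill or of any of these tools) that consolidates crt.sh JSON with tool output into a clean in-scope list; the crt.sh entries and the tool output are constructed samples in the same shape as the real output.

```python
"""Consolidate crt.sh JSON with subdomain-tool output into one deduplicated, in-scope list.

Added example, not code from the skill or from crt.sh/amass/subfinder. crt.sh returns one
object per certificate and packs every SAN into `name_value` as a newline-separated string.
"""
from __future__ import annotations

import json
import re

# Constructed sample resembling crt.sh's JSON API output; not real certificate data.
CRTSH_SAMPLE = json.dumps([
    {"name_value": "www.company.com\n*.company.com\nMAIL.company.com"},
    {"name_value": "dev.company.com"},
    {"name_value": "company.com.evil-phish.net"},   # contains the string but is not in scope
    {"name_value": "api.company.com\nwww.company.com"},
    {"name_value": "notcompany.com"},               # suffix match without a label boundary
])

# Constructed amass/subfinder-style output, one host per line.
TOOL_OUTPUT = "dev.company.com\nvpn.company.com\nDEV.company.com\n"

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen; at most 63 chars.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"


def in_scope(host: str, apex: str) -> bool:
    """True if host is the apex itself or a subdomain of it (match on a label boundary)."""
    host = host.lower().rstrip(".")
    apex = apex.lower().rstrip(".")
    return host == apex or host.endswith("." + apex)


def parse_crtsh(raw_json: str, apex: str) -> set[str]:
    """Split each name_value on newlines, strip wildcard prefixes, keep only in-scope FQDNs."""
    found: set[str] = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]           # "*.company.com" tells us the apex has a wildcard cert
            if name and in_scope(name, apex) and re.fullmatch(rf"(?:{_LABEL}\.)+{_LABEL}", name):
                found.add(name)
    return found


def parse_tool_output(text: str, apex: str) -> set[str]:
    """Normalise one-host-per-line output from amass, subfinder, dnscan and similar tools."""
    return {
        line.strip().lower().rstrip(".")
        for line in text.splitlines()
        if line.strip() and in_scope(line.strip(), apex)
    }


def consolidate(apex: str, crtsh_json: str, *tool_outputs: str) -> list[str]:
    """Union of every source, sorted, ready to feed to httpx or a resolver."""
    names = parse_crtsh(crtsh_json, apex)
    for out in tool_outputs:
        names |= parse_tool_output(out, apex)
    return sorted(names)


if __name__ == "__main__":
    for host in consolidate("company.com", CRTSH_SAMPLE, TOOL_OUTPUT):
        print(host)
```

In a real run, replace the constructed `CRTSH_SAMPLE` with the body of the curl call and `TOOL_OUTPUT` with the contents of `amass.txt` and `subfinder.txt`; the in-scope filter is what keeps look-alike domains registered by third parties out of the target list.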
Phase 4: Subdomain Takeover Testing
Check for vulnerable subdomains:
```bash
# Subjack
subjack -w subdomains.txt -t 100 -timeout 30 -o takeover.txt -ssl

# Nuclei subdomain takeover templates
nuclei -l subdomains.txt -tags takeover

# Manual checks for:
# - CNAME pointing to unclaimed services
# - Azure/AWS/Heroku/GitHub Pages misconfigurations
# - Expired domain CNAMEs
# A dangling CNAME is only exploitable when the provider lets anyone claim that hostname
# without proving ownership of the parent domain; confirm by claiming it only if the rules
# of engagement permit.
# Common vulnerable services:
#   AWS S3, Azure, Heroku, GitHub Pages, Shopify
#   Zendesk, Fastly, Pantheon, Tumblr, WordPress
```
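Subjack and the nuclei templates automate the same decision a tester makes by hand: does the CNAME point at a claimable provider, and does that provider currently say the name is unclaimed? The script below is an added example (not code from subjack, nuclei or the skill) that encodes a few well-known public fingerprints and runs them over constructed `dig CNAME` and HTTP observations, so the triage logic can be read and tested offline; a real run would substitute live DNS and httpx results.

```python
"""Triage subdomain-takeover candidates from CNAME records plus provider fingerprints.

Added example, not part of the skill or of any takeover tool. The fingerprint table holds
a few widely documented provider signals; extend it from a maintained list in practice.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    service: str
    cname_suffix: str          # the CNAME target ends with this
    body_marker: str | None    # text the provider returns for an unclaimed name, or None
    nxdomain_is_signal: bool   # True if an unresolvable CNAME target is itself the signal


# Well-known public fingerprints (GitHub Pages, Heroku, S3, Azure App Service).
FINGERPRINTS = [
    Fingerprint("GitHub Pages", ".github.io", "There isn't a GitHub Pages site here", False),
    Fingerprint("Heroku", ".herokuapp.com", "No such app", False),
    Fingerprint("AWS S3", ".amazonaws.com", "NoSuchBucket", False),
    Fingerprint("Azure App Service", ".azurewebsites.net", None, True),
]

# Constructed observations; none of these hosts are real.
CNAMES = {
    "blog.company.com": "company-blog.github.io",
    "app.company.com": "company-app.herokuapp.com",
    "static.company.com": "company-static.s3.amazonaws.com",
    "portal.company.com": "company-portal.azurewebsites.net",
    "www.company.com": "company.cdn.example-cdn.net",
}
RESOLVES = {  # whether the CNAME target itself resolves (False = NXDOMAIN)
    "company-blog.github.io": True,
    "company-app.herokuapp.com": True,
    "company-static.s3.amazonaws.com": True,
    "company-portal.azurewebsites.net": False,
    "company.cdn.example-cdn.net": True,
}
BODIES = {  # HTTP response body fetched with the Host header set to the subdomain
    "blog.company.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "app.company.com": "<h1>Welcome to the company app</h1>",
    "static.company.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "www.company.com": "<html>ok</html>",
}


def match_fingerprint(cname: str) -> Fingerprint | None:
    """Return the provider fingerprint whose suffix matches the CNAME target, if any."""
    target = cname.lower().rstrip(".")
    for fp in FINGERPRINTS:
        if target.endswith(fp.cname_suffix):
            return fp
    return None


def triage(cnames: dict[str, str], resolves: dict[str, bool], bodies: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (host, service, reason) for every host whose provider reports the name unclaimed."""
    candidates = []
    for host, cname in sorted(cnames.items()):
        fp = match_fingerprint(cname)
        if fp is None:
            continue  # provider we have no fingerprint for: review manually, do not auto-flag
        if not resolves.get(cname, True):
            if fp.nxdomain_is_signal:
                candidates.append((host, fp.service, "CNAME target does not resolve"))
            continue  # no body to inspect either way
        if fp.body_marker and fp.body_marker in bodies.get(host, ""):
            candidates.append((host, fp.service, f"response contains {fp.body_marker!r}"))
    return candidates


if __name__ == "__main__":
    for host, service, reason in triage(CNAMES, RESOLVES, BODIES):
        print(f"{host}: possible takeover via {service} ({reason})")
```

`app.company.com` is deliberately left out of the results: it points at a claimable provider, but the provider serves a real application, so the name is in use. Every hit is still only a candidate until the provider's current claim process has been checked.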
Phase 5: Active Reconnaissance
Direct target scanning:
```bash
# Masscan - fast port discovery (--rate 10000 pps is aggressive; lower it for fragile targets
# and keep it within the rules of engagement)
masscan -p1-65535 --rate 10000 -iL targets.txt -oG masscan.out

# Nmap - service enumeration on the hosts masscan found
nmap -sV -sC -p- -iL live_hosts.txt -oA nmap_full

# NSE script categories
nmap --script=default,vuln,discovery -p 22,80,443 target.com

# Shodan integration
shodan host <IP>
shodan search "hostname:company.com"

# Censys (certificates index)
censys search "names: company.com" --index-type certs

# HTTP/HTTPS screenshots
gowitness file -f live_subs.txt -P screenshots/
eyewitness -f live_subs.txt --web
aquatone -out aquatone_output < live_subs.txt
```
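The masscan-then-nmap pairing above is the usual split between fast discovery and slower service enumeration, and the glue between them is turning masscan's grepable output into per-host port lists so nmap only probes what is actually open. The script below is an added example (not part of the skill or of either tool) that parses a constructed `masscan -oG` file and emits one nmap command per host, using nmap's `T:`/`U:` port-spec syntax when UDP ports are present.

```python
"""Turn masscan grepable output into per-host nmap service scans.

Added example, not code from masscan, nmap or the skill. The sample below is constructed
in the "Timestamp: <epoch>  Host: <ip> ()  Ports: <port>/open/<proto>////" shape that
`masscan -oG` writes, one open port per line.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed masscan -oG output (fields are tab separated); 203.0.113.0/24 is documentation space.
MASSCAN_SAMPLE = (
    "# Masscan 1.3.2 scan initiated\n"
    "Timestamp: 1700000000\tHost: 203.0.113.10 ()\tPorts: 443/open/tcp////\n"
    "Timestamp: 1700000001\tHost: 203.0.113.10 ()\tPorts: 22/open/tcp////\n"
    "Timestamp: 1700000002\tHost: 203.0.113.25 ()\tPorts: 80/open/tcp////\n"
    "Timestamp: 1700000003\tHost: 203.0.113.25 ()\tPorts: 443/open/tcp////\n"
    "Timestamp: 1700000004\tHost: 203.0.113.25 ()\tPorts: 8443/open/tcp////\n"
    "Timestamp: 1700000005\tHost: 203.0.113.40 ()\tPorts: 161/open/udp////\n"
    "# Masscan done\n"
)

LINE_RE = re.compile(r"Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*)$")
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")


def parse_masscan_grepable(text: str) -> dict[str, dict[str, list[int]]]:
    """Map each host to sorted lists of open TCP and UDP ports."""
    hosts: dict[str, dict[str, set[int]]] = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, port_field = m.groups()
        for port, proto in PORT_RE.findall(port_field):
            hosts[ip][proto].add(int(port))
    return {ip: {proto: sorted(ports) for proto, ports in d.items()} for ip, d in hosts.items()}


def nmap_commands(hosts: dict[str, dict[str, list[int]]], out_prefix: str = "nmap_") -> list[str]:
    """One nmap -sV -sC command per host, restricted to the ports masscan saw open."""
    cmds = []
    for ip in sorted(hosts, key=lambda h: tuple(int(x) for x in h.split("."))):
        tcp, udp = hosts[ip]["tcp"], hosts[ip]["udp"]
        spec = []
        if tcp:
            spec.append("T:" + ",".join(map(str, tcp)))
        if udp:
            spec.append("U:" + ",".join(map(str, udp)))
        flags = "-sV -sC"
        if tcp and udp:
            flags += " -sS -sU"   # both scan types are needed for nmap to honour T: and U:
        elif udp:
            flags += " -sU"
        cmds.append(f"nmap {flags} -p {','.join(spec)} -oA {out_prefix}{ip.replace('.', '_')} {ip}")
    return cmds


HOSTS = parse_masscan_grepable(MASSCAN_SAMPLE)

if __name__ == "__main__":
    for cmd in nmap_commands(HOSTS):
        print(cmd)
```

Feed the emitted commands to a job runner rather than one `nmap -p-` over everything: per-host port lists keep the service scan short and avoid re-discovering ports masscan already confirmed.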
Phase 6: Exposed Services Testing
HTTP/HTTPS
```bash
# Technology fingerprinting
whatweb https://target.com
wappalyzer https://target.com

# Directory enumeration
gobuster dir -u https://target.com -w directory-list.txt
feroxbuster -u https://target.com -w wordlist.txt

# Virtual host discovery (gobuster >= 3.2 needs --append-domain to append the base domain to each word)
gobuster vhost -u https://target.com -w vhosts.txt --append-domain

# IIS specific
java -jar iis_shortname_scanner.jar https://iiswebsite.com
# Check aspnet_client folder
curl https://target.com/aspnet_client/
```
Email Services (SMTP)
```bash
# SPF/DKIM/DMARC check
python3 spoofy.py -d company.com -o stdout
./spoofcheck.py company.com

# Open relay testing
nmap --script smtp-open-relay -p 25 target.com

# User enumeration (VRFY is often disabled; EXPN and RCPT are the other modes)
smtp-user-enum -M VRFY -U users.txt -t target.com
smtp-user-enum -M RCPT -U users.txt -t target.com
```
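spoofy and spoofcheck reduce the SPF and DMARC records to one verdict: can an attacker forge the From: header and have the mail delivered? The script below is an added example (not spoofy's or spoofcheck's code, nor the skill's) that applies the same rules to constructed records so the reasoning is visible: DMARC absent or `p=none` leaves receivers with no policy, `pct` below 100 enforces only a share of mail, and `+all` makes SPF pass for any sender, which satisfies DMARC alignment even under `p=reject`. A real check would fetch the records with `dig TXT company.com` and `dig TXT _dmarc.company.com`.

```python
"""Assess From:-header spoofability from SPF and DMARC records.

Added example, not code from spoofy, spoofcheck or the skill. Records in SAMPLES are
constructed strings in the real record syntax, not data from any actual domain.
"""
from __future__ import annotations

import re

SAMPLES = {  # name: (SPF TXT record or None, DMARC TXT record or None)
    "weak":    ("v=spf1 include:_spf.google.com ~all", None),
    "none":    ("v=spf1 include:_spf.google.com -all", "v=DMARC1; p=none; rua=mailto:dmarc@company.com"),
    "plusall": ("v=spf1 +all", "v=DMARC1; p=reject"),
    "partial": ("v=spf1 mx -all", "v=DMARC1; p=quarantine; pct=50"),
    "good":    ("v=spf1 mx ip4:203.0.113.0/24 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@company.com"),
}

# Mechanisms and modifiers that each cost one of the 10 DNS lookups allowed by RFC 7208.
_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}


def parse_spf(txt: str | None) -> dict:
    """Return the qualifier on the `all` term ('+', '-', '~', '?' or None) and the lookup count."""
    if not txt or not txt.strip().lower().startswith("v=spf1"):
        return {"present": False, "all": None, "lookups": 0}
    result = {"present": True, "all": None, "lookups": 0}
    for term in txt.split()[1:]:
        t = term.lower()
        m = re.fullmatch(r"([+\-~?]?)all", t)
        if m:
            result["all"] = m.group(1) or "+"   # a bare "all" means "+all"
            continue
        mech = t.lstrip("+-~?")
        name = mech.split(":", 1)[0].split("/", 1)[0]
        if name in _LOOKUP_TERMS or mech.startswith("redirect="):
            result["lookups"] += 1
    return result


def parse_dmarc(txt: str | None) -> dict:
    """Return the policy tag p and the enforcement percentage pct (default 100)."""
    if not txt:
        return {"present": False, "p": None, "pct": 100}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    if tags.get("v") != "dmarc1":
        return {"present": False, "p": None, "pct": 100}
    return {"present": True, "p": tags.get("p"), "pct": int(tags.get("pct", "100"))}


def assess(spf_txt: str | None, dmarc_txt: str | None) -> tuple[bool, str]:
    """(spoofable, reason). Only an SPF *pass* counts for DMARC, so ~all and ?all do not help an attacker
    once DMARC is enforced; they matter when DMARC is missing or p=none."""
    spf, dmarc = parse_spf(spf_txt), parse_dmarc(dmarc_txt)
    spf_desc = f"SPF {spf['all'] or '(no '}all" if spf["present"] else "no SPF"
    if not dmarc["present"]:
        return True, f"no DMARC record; {spf_desc} alone is advisory"
    if dmarc["p"] == "none":
        return True, f"DMARC p=none (monitor only); {spf_desc}"
    if spf["present"] and spf["all"] == "+":
        return True, "SPF +all passes any sender, satisfying DMARC alignment for forged mail"
    if dmarc["pct"] < 100:
        return True, f"DMARC p={dmarc['p']} only applied to pct={dmarc['pct']}% of mail"
    return False, f"DMARC p={dmarc['p']} enforced; {spf_desc}"


if __name__ == "__main__":
    for name, (spf_txt, dmarc_txt) in SAMPLES.items():
        spoofable, reason = assess(spf_txt, dmarc_txt)
        print(f"{name:8s} spoofable={spoofable}  {reason}")
```

The lookup count from `parse_spf` is worth reporting separately: more than 10 lookups makes the record a permerror at receivers, which is a finding in its own right even when the `all` qualifier and DMARC policy look correct.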
DNS
```bash
# Zone transfer
dig @ns1.target.com axfr target.com
fierce --domain target.com

# DNS reconnaissance
dnsrecon -d target.com -t std
dnsenum target.com
```
SNMP
```bash
# Community string brute-force
onesixtyone -c community.txt target.com

# SNMP enumeration
snmpwalk -v2c -c public target.com
```
VPN/Remote Access
```bash
# IKE Aggressive Mode
ike-scan -M -A target.com

# SSL VPN enumeration
nmap --script ssl-enum-ciphers -p 443 target.com
```
Phase 7: Cloud Enumeration
```bash
# AWS S3 buckets (--no-sign-request tests anonymous listing)
aws s3 ls s3://company-backup --no-sign-request
python3 cloud_enum.py -k company

# Azure blob storage
#   https://company.blob.core.windows.net/

# GCP storage
#   https://storage.googleapis.com/company-bucket

# MicroBurst (Azure, PowerShell)
Invoke-EnumerateAzureBlobs -Base company

# CloudFlare bypass (look for the origin IP behind the CDN)
python3 CloudUnflare.py -d target.com
```
Phase 8: Vulnerability Scanning
```bash
# Nuclei - template-based scanning
nuclei -l targets.txt -t nuclei-templates/ -o nuclei_results.txt

# Nessus (commercial)
#   Use external scan profile

# Web vulnerability scanning
nikto -h https://target.com
wpscan --url https://target.com/wordpress
joomscan -u https://target.com/joomla

# SSL/TLS testing
testssl.sh https://target.com
sslscan target.com
```
Phase 9: Password Attacks
Password spraying against external services:
```bash
# Establish the lockout threshold and observation window first (see Troubleshooting);
# every tool below must stay under them or the spray becomes a denial of service.

# CredMaster - multi-service spraying
python3 credmaster.py --plugin o365 -u users.txt -p "Winter2024!"

# O365/Azure
python3 MSOLSpray.py -u users.txt -p "Password123!"
trevorspray -u emails.txt -p passwords.txt --delay 15

# OWA
msfconsole
use auxiliary/scanner/http/owa_login
set RHOSTS mail.company.com
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

# VPN
python3 checkpointSpray.py -u users.txt -p "Winter2024!" -t vpn.company.com

# IP rotation for evasion
#   Use AWS API Gateway rotation
#   Fireprox: https://github.com/ustayready/fireprox
```
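Every spraying tool above takes a delay or a threshold, and the number that matters is the target's lockout policy: N failures within an observation window of W minutes, with the counter reset only W minutes after the *last* failure. The script below is an added example (not from any of the tools or the skill) that turns that policy into a schedule: how many passwords fit per round, how far apart requests go, and when the next round may start. Inputs are constructed; the script sends nothing.

```python
"""Plan a password spray that stays under an account-lockout policy.

Added example, not code from CredMaster, trevorspray or the skill. The users and
passwords below are constructed placeholders.
"""
from __future__ import annotations

from datetime import datetime, timedelta

USERS = ["alice@company.com", "bob@company.com", "carol@company.com"]
PASSWORDS = ["Winter2024!", "Spring2024!", "Summer2024!", "Company123!", "Password1"]
START = datetime(2024, 1, 15, 9, 0)   # constructed start time


def attempts_per_window(lockout_threshold: int, safety_margin: int = 2) -> int:
    """Passwords that may be tried per user inside one observation window.
    A threshold of 0 means the policy never locks out, but the spray is still paced."""
    if lockout_threshold <= 0:
        return 1
    return max(1, lockout_threshold - safety_margin)


def plan_spray(passwords: list[str], users: list[str], lockout_threshold: int,
               window_minutes: int, spread_minutes: int, start: datetime) -> list[dict]:
    """Split the password list into rounds.

    Each round's requests (passwords-in-round x users) are spread evenly over spread_minutes.
    The next round starts a full window after the previous round ENDS, because the bad-password
    counter only resets window_minutes after the last failure, not after the first.
    """
    per_round = attempts_per_window(lockout_threshold)
    rounds = []
    for r, i in enumerate(range(0, len(passwords), per_round)):
        chunk = list(passwords[i:i + per_round])
        offset = r * (spread_minutes + window_minutes)
        rounds.append({
            "round": r + 1,
            "start_offset_minutes": offset,
            "start": start + timedelta(minutes=offset),
            "passwords": chunk,
            "delay_seconds": spread_minutes * 60 / (len(chunk) * len(users)),
        })
    return rounds


def spray_order(round_: dict, users: list[str]) -> list[tuple[str, str]]:
    """Request order within a round: one password across every user before moving to the next,
    so no single account ever receives two failures back to back."""
    return [(pw, u) for pw in round_["passwords"] for u in users]


def total_duration_minutes(plan: list[dict], spread_minutes: int) -> int:
    return plan[-1]["start_offset_minutes"] + spread_minutes if plan else 0


# Example policy: 5 failures lock the account, observation window 30 minutes,
# and we spread each round's requests over 10 minutes.
PLAN = plan_spray(PASSWORDS, USERS, lockout_threshold=5, window_minutes=30, spread_minutes=10, start=START)

if __name__ == "__main__":
    for rnd in PLAN:
        print(f"round {rnd['round']} at {rnd['start']:%H:%M}: {rnd['passwords']} "
              f"(one request every {rnd['delay_seconds']:.0f}s)")
    print(f"total: {total_duration_minutes(PLAN, 10)} minutes")
```

With the example policy, three passwords fit in the first round and two in the second, which begins 40 minutes after the start (10 minutes of spraying plus the 30-minute reset). Feed `delay_seconds` to the tool's `--delay` option and keep the safety margin: a threshold of 5 with 3 attempts per round leaves room for a user's own typo during the window.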
Phase 10: Exploitation
Exposed Credentials
```bash
# Git repository secrets
gitleaks detect --source . -v
trufflehog git https://github.com/company/repo
shhgit --live

# .git folder exposure
curl -s https://target.com/.git/config
git-dumper https://target.com/.git/ output_dir/
```
Default Credentials
```bash
# Check common defaults
#   https://cirt.net/passwords
#   https://datarecovery.com/rd/default-passwords/
# Common services:
#   Jenkins: admin/admin
#   Tomcat: tomcat/tomcat
#   Grafana: admin/admin
#   phpMyAdmin: root/<blank>
```
RCE Vulnerabilities
```bash
# Search for RCE-as-a-feature
#   Jenkins script console
#   Serv-U FTP server
#   Application deployment endpoints

# Nuclei CVE templates, critical and high only
nuclei -l targets.txt -tags cve -severity critical,high

# Metasploit
msfconsole
search type:exploit cve:2024
```
Quick Reference
Reconnaissance Commands
| Tool | Command |
|---|---|
| Amass | `amass enum -d company.com -o amass.txt` |
| Subfinder | `subfinder -d company.com -o subfinder.txt` |
| Shodan | `shodan search "hostname:company.com"` |
| crt.sh | `curl -s "https://crt.sh/?q=%25.company.com&output=json" \| jq -r '.[].name_value' \| sort -u` |
| theHarvester | `theHarvester -d company.com -b all` |
Port Scanning
| Scan Type | Command |
|---|---|
| Fast discovery | `masscan -p1-65535 --rate 10000 -iL targets.txt -oG masscan.out` |
| Service scan | `nmap -sV -sC -p- -iL live_hosts.txt -oA nmap_full` |
| UDP scan | `nmap -sU --top-ports 100 -iL live_hosts.txt -oA nmap_udp` |
| Vuln scan | `nmap --script vuln -p 22,80,443 target.com` |
Web App Testing
| Test | Tool/Command |
|---|---|
| Directory enum | `gobuster dir -u https://target.com -w directory-list.txt` |
| Tech fingerprint | `whatweb https://target.com` |
| Screenshots | `gowitness file -f live_subs.txt -P screenshots/` |
| Vuln scan | `nuclei -l targets.txt -t nuclei-templates/ -o nuclei_results.txt` |
Common External Services
| Port | Service | Test Focus |
|---|---|---|
| 21 | FTP | Anonymous login, version vulns |
| 22 | SSH | Password spraying, weak keys |
| 25 | SMTP | Open relay, user enum |
| 53 | DNS | Zone transfer |
| 80/443 | HTTP/S | Web vulnerabilities |
| 445 | SMB | Null sessions, vulns |
| 3389 | RDP | Password spray, BlueKeep |
Constraints and Limitations
Scope Considerations
- Only test authorized IP ranges
- Respect rate limits and service availability
- Avoid DoS conditions
- Document all testing activities
Legal Requirements
- Written authorization mandatory
- Stay within defined scope
- Notify ISPs if required
- Follow rules of engagement
Technical Limitations
- WAF may block scanning
- Rate limiting on services
- Geo-restrictions may apply
- Some services may require credentials
Troubleshooting
No Subdomains Found
Solutions:
- Use multiple enumeration tools
- Try certificate transparency
- Check DNS history services
- Search for mentions on social media
- Try reverse WHOIS lookups
Scans Being Blocked
Solutions:
- Reduce scan rate
- Use IP rotation
- Try different source IPs
- Use passive reconnaissance first
- Schedule scans during off-hours
Password Spray Lockouts
Solutions:
- Increase delay between attempts
- Respect lockout thresholds
- Use IP rotation
- Target multiple services
- Check MFA requirements first