External Recon and Enumeration Principles

External reconnaissance is performed before an Active Directory pentest to gather publicly accessible information that can affect the outcome of the engagement. Goals include:

  • Validating information in the scoping document
  • Ensuring actions are taken against the correct scope
  • Identifying publicly accessible information such as leaked credentials

What to Look For

| Data Point | Description |
|---|---|
| IP Space | Valid ASN, netblocks, cloud presence, hosting providers, DNS record entries |
| Domain Information | DNS records, subdomains, publicly accessible services (mail servers, VPN portals, etc.), defenses in place (SIEM, AV, IPS/IDS) |
| Schema Format | Email address and AD username formats, password policies; used to build username lists for password spraying, credential stuffing and brute forcing |
| Data Disclosures | Publicly accessible files (.pdf, .ppt, .docx, .xlsx) containing intranet links or user metadata, exposed shares, credentials in code repositories, AD username formats in document metadata |
| Breach Data | Publicly released usernames, passwords, or other critical information |

Where to Look

| Resource | Examples |
|---|---|
| ASN / IP Registrars | IANA, ARIN (Americas), RIPE (Europe), BGP Toolkit |
| Domain Registrars & DNS | DomainTools, PTRArchive, ICANN, manual DNS queries against well-known servers (e.g. 8.8.8.8) |
| Social Media | LinkedIn, Twitter, Facebook, regional social media, news articles |
| Public-Facing Company Websites | News articles, embedded documents, "About Us" and "Contact Us" pages |
| Cloud & Dev Storage | GitHub, AWS S3 buckets, Azure Blob storage, Google Dorks |
| Breach Data Sources | HaveIBeenPwned, Dehashed; search for corporate emails with cleartext passwords or crackable hashes to test against exposed login portals (Citrix, RDS, OWA, O365, VPN, VMware Horizon, etc.) |

Finding Address Spaces

Use the BGP Toolkit (Hurricane Electric) to research address blocks and ASNs for an organization. Key considerations:

  • Large corporations often self-host infrastructure and have their own ASN
  • Smaller organizations typically host with third-party providers (Cloudflare, GCP, AWS, Azure)
  • Always verify you are not interacting with infrastructure outside your scope
  • Some hosting providers (e.g. AWS) have specific penetration testing guidelines; others (e.g. Oracle) require a Cloud Security Testing Notification
  • When in doubt, escalate before attacking any external-facing services you are unsure of

DNS Enumeration

Use sites like DomainTools and ViewDNS.info to:

  • Validate scope and find undisclosed reachable hosts
  • Retrieve DNS resolution data, DNSSEC status, and accessibility info
  • Discover additional subdomains residing on in-scope IP addresses
  • Cross-validate IP/ASN search results
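The two checks above (verify you are inside scope, find hosts resolving into in-scope ranges) are easy to do by hand for five hosts and error-prone for fifty. The script below is an added example, not code from the original page: it takes the netblocks from a scoping document and a list of discovered hostnames, resolves each one, and buckets it as in scope, out of scope, or unresolved. The netblocks, hostnames and DNS answers are constructed (documentation ranges under `inlanefreight.local`); the resolver is pluggable so the same logic runs offline here and against real DNS during an engagement.

```python
"""Scope validation for hosts turned up during external recon.

Added example, not part of the original page: stdlib only. The scoping
document supplies netblocks; recon (BGP Toolkit, ViewDNS.info, manual DNS)
supplies hostnames and addresses. Every host is checked against scope before
it is touched. Resolution goes through a pluggable resolver so the check runs
offline here on constructed answers and against real DNS in an engagement.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed scope from a hypothetical scoping document (documentation ranges, not real targets).
IN_SCOPE = ["203.0.113.0/24", "198.51.100.16/28"]

# Constructed DNS answers standing in for real lookups; hostnames are hypothetical.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "www.inlanefreight.local": ["203.0.113.10"],
    "mail.inlanefreight.local": ["203.0.113.25"],
    "vpn.inlanefreight.local": ["198.51.100.20"],
    "blog.inlanefreight.local": ["192.0.2.77"],                  # third-party hosting, out of scope
    "cdn.inlanefreight.local": ["203.0.113.40", "192.0.2.80"],  # mixed: one address in, one out
    "careers.inlanefreight.local": [],                           # no answer (NXDOMAIN)
}

Resolver = Callable[[str], List[str]]


def offline_resolver(name: str) -> List[str]:
    """Look the name up in the constructed table instead of real DNS."""
    return CONSTRUCTED_DNS.get(name, [])


def live_resolver(name: str) -> List[str]:
    """Resolve through the system resolver; only for use inside an engagement."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def build_scope(cidrs: Iterable[str]):
    """Parse CIDR strings; strict=False tolerates host bits set in the scoping doc (e.g. 203.0.113.5/24)."""
    return [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]


def in_scope(ip: str, scope) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in scope)


def classify_hosts(names: Iterable[str], cidrs: Iterable[str],
                   resolver: Resolver = offline_resolver) -> Dict[str, object]:
    """Bucket hostnames into in_scope / out_of_scope / unresolved.

    A name is in scope only if *every* address it resolves to is in scope. A
    name with a mixed answer lands in out_of_scope so it is escalated to the
    client rather than attacked.
    """
    scope = build_scope(cidrs)
    report = {"in_scope": {}, "out_of_scope": {}, "unresolved": []}
    for name in names:
        ips = resolver(name)
        if not ips:
            report["unresolved"].append(name)
        elif all(in_scope(ip, scope) for ip in ips):
            report["in_scope"][name] = ips
        else:
            report["out_of_scope"][name] = ips
    return report


if __name__ == "__main__":
    report = classify_hosts(CONSTRUCTED_DNS, IN_SCOPE)
    for bucket in ("in_scope", "out_of_scope"):
        for name, ips in report[bucket].items():
            print(f"{bucket:13} {name:30} {', '.join(ips)}")
    for name in report["unresolved"]:
        print(f"{'unresolved':13} {name}")
```

Swap `offline_resolver` for `live_resolver` (or a dnspython-based one) in a real engagement; the "mixed answer goes to out_of_scope" rule is deliberate, since a CDN or split-hosted name is exactly the case to raise with the client before scanning.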

Public Data

Social Media & Job Postings

  • Sites like LinkedIn, Indeed, and Glassdoor can reveal organizational structure, technology stack, software versions, and security implementations
  • Job postings may disclose specific software versions (e.g. SharePoint 2013/2016), which may point to upgrade-in-place deployments still carrying older configurations and vulnerabilities

Company Websites

  • Gather contact emails, phone numbers, org charts, published documents
  • Embedded documents may contain links to internal infrastructure or intranet sites
  • Check for data inadvertently leaked on GitHub, AWS cloud storage, or other web platforms
  • Tools: Trufflehog (credential scanning in repos), Greyhat Warfare (public cloud storage search)
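Published Office documents leak more than their visible text: the author fields often hold AD logon names (sometimes as `DOMAIN\user`), and the hyperlink table names intranet hosts and file shares. The extractor below is an added example, not code from the original page or from any tool it mentions; it uses only the standard library, constructs a minimal .docx in memory (a .docx is a zip archive with `docProps/core.xml`, `docProps/app.xml` and `word/_rels/document.xml.rels`), and pulls out usernames and internal hostnames. All names, hosts and paths inside the constructed document are hypothetical.

```python
"""Pull usernames and internal links out of a published Office document.

Added example, not part of the original page: stdlib only. A .docx is a zip
archive; docProps/core.xml carries creator / lastModifiedBy, docProps/app.xml
carries Company, and word/_rels/document.xml.rels lists every hyperlink. A
minimal docx is constructed in memory below so the extractor runs offline;
names, hosts and paths in it are hypothetical.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List, Optional, Set

NS_DC = "http://purl.org/dc/elements/1.1/"
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"

# Constructed package parts (a real Word file has more; none are needed here).
CORE_XML = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
                   xmlns:dc="http://purl.org/dc/elements/1.1/">
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>INLANEFREIGHT\a.jones</cp:lastModifiedBy>
</cp:coreProperties>"""

APP_XML = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
  <Application>Microsoft Office Word</Application>
  <Company>Inlanefreight Ltd</Company>
</Properties>"""

RELS_XML = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
                Target="http://intranet.inlanefreight.local/hr/policy" TargetMode="External"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
                Target="file:///\\fs01.inlanefreight.local\shares\HR" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
                Target="styles.xml"/>
</Relationships>"""


def build_constructed_docx() -> bytes:
    """Assemble the constructed parts into a zip the way Word lays them out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/_rels/document.xml.rels", RELS_XML)
    return buf.getvalue()


def _part(z: zipfile.ZipFile, name: str) -> Optional[ET.Element]:
    try:
        return ET.fromstring(z.read(name))
    except KeyError:           # part missing from this package
        return None


def extract_metadata(docx_bytes: bytes) -> Dict[str, Optional[str]]:
    meta: Dict[str, Optional[str]] = {"creator": None, "last_modified_by": None, "company": None}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = _part(z, "docProps/core.xml")
        if core is not None:
            meta["creator"] = core.findtext(f"{{{NS_DC}}}creator")
            meta["last_modified_by"] = core.findtext(f"{{{NS_CP}}}lastModifiedBy")
        app = _part(z, "docProps/app.xml")
        if app is not None:
            meta["company"] = app.findtext(f"{{{NS_EP}}}Company")
    return meta


def extract_external_links(docx_bytes: bytes) -> List[str]:
    """Hyperlink targets; TargetMode="External" separates them from internal package parts."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        rels = _part(z, "word/_rels/document.xml.rels")
    if rels is None:
        return []
    return [rel.get("Target", "") for rel in rels.iter(f"{{{NS_REL}}}Relationship")
            if rel.get("TargetMode") == "External"]


def harvest_usernames(meta: Dict[str, Optional[str]]) -> Set[str]:
    """Author fields often carry the AD logon name, sometimes prefixed DOMAIN\\user."""
    users: Set[str] = set()
    for key in ("creator", "last_modified_by"):
        value = meta.get(key)
        if value:
            users.add(value.split("\\")[-1].strip())
    return users


# Hostnames in http(s) URLs and UNC paths (\\server\share).
HOST_RE = re.compile(r"(?:https?://|\\\\)([A-Za-z0-9.-]+)")


def internal_hosts(links: List[str]) -> List[str]:
    hosts: Set[str] = set()
    for link in links:
        hosts.update(HOST_RE.findall(link))
    return sorted(hosts)


if __name__ == "__main__":
    doc = build_constructed_docx()
    meta = extract_metadata(doc)
    links = extract_external_links(doc)
    print("metadata:", meta)
    print("usernames:", sorted(harvest_usernames(meta)))
    print("internal hosts:", internal_hosts(links))
```

Run the same functions over files pulled down with a `filetype:docx` dork; the harvested values (`jsmith`, `a.jones`) also tell you the username convention in use, which feeds the Schema Format row above. For .pdf and legacy .doc/.ppt files the container differs, so use exiftool or a PDF library there rather than this zip-based parser.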

Username Harvesting

Use tools like linkedin2username to scrape a company's LinkedIn page and generate username permutations, picking the format that matches the email or AD username convention observed during recon:

  • flast
  • first.last
  • f.last

These can be added to password spraying target lists.

Credential Hunting

Dehashed can be used to search for cleartext credentials and password hashes in breach data, for example via a script that queries the Dehashed API (`dehashed.py` here):

```shell
sudo python3 dehashed.py -q inlanefreight.local -p
```

Results may include email, username, cleartext password, hashed password, and the source database. Test discovered credentials against exposed login portals using AD authentication.

Google Dorking Examples

| Purpose | Dork |
|---|---|
| Find PDF files on target | `filetype:pdf inurl:targetdomain.com` |
| Find email addresses on target | `intext:"@targetdomain.com" inurl:targetdomain.com` |

Overarching Enumeration Principles

Enumeration is an iterative process repeated throughout a penetration test:

  1. Start with passive resources, wide in scope, and narrow down
  2. Exhaust passive enumeration, examine results
  3. Move into active enumeration

Example Enumeration Workflow

  1. Check ASN/IP & Domain Data — Use BGP Toolkit to find IP addresses, mail servers, nameservers
  2. Validate findings — Cross-reference with ViewDNS.info, nslookup, etc.
  3. Harvest public data — Google Dorks for files and email addresses on the target domain
  4. Scrape usernames — LinkedIn and other sources
  5. Search breach data — Dehashed, HaveIBeenPwned for credential leaks
  6. Build wordlists — Combine findings for targeted password spraying
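Steps 4 to 6 of the workflow, together with the Username Harvesting and Credential Hunting sections above, come down to one data-munging job: turn scraped names into usernames in the target's format, keep only breach records for the target domain, and merge the two into a spraying list where known passwords are tried first. The script below is an added example, not code from the original page nor from linkedin2username or `dehashed.py`; it uses only the standard library, and the names, breach records and the domain `inlanefreight.local` are all constructed.

```python
"""Turn scraped names and breach records into a password-spraying list.

Added example, not part of the original page or of linkedin2username /
dehashed.py: stdlib only. It covers username harvesting (name -> username
permutations in the formats listed above), credential hunting (filtering
breach records to the target domain, separating cleartext from hashes) and
step 6 of the workflow (merging both into one target list). All names and
records below are constructed; the domain inlanefreight.local is hypothetical.
"""
import re
import unicodedata
from typing import Dict, Iterable, List, Tuple

# Constructed names in the shape a LinkedIn scrape returns (one duplicate on purpose).
HARVESTED_NAMES = ["Jane Smith", "Robert O'Brien", "María-José López", "Jane Smith", "Wei Zhang"]

# Constructed records in the shape of Dehashed results: email, username,
# password (cleartext), hashed_password and the source database.
BREACH_RECORDS = [
    {"email": "jane.smith@inlanefreight.local", "username": "", "password": "Winter2021!",
     "hashed_password": "", "database_name": "constructed-dump-1"},
    {"email": "robert.obrien@inlanefreight.local", "username": "robrien", "password": "",
     "hashed_password": "5f4dcc3b5aa765d61d8327deb882cf99", "database_name": "constructed-dump-2"},
    {"email": "someone@otherdomain.example", "username": "", "password": "password",
     "hashed_password": "", "database_name": "constructed-dump-1"},
    {"email": "Jane.Smith@inlanefreight.local", "username": "", "password": "Winter2021!",
     "hashed_password": "", "database_name": "constructed-dump-3"},   # same leak, different case
]

# Username conventions; pick the one matching emails or document metadata seen in recon.
FORMATS = {
    "flast":      lambda first, last: first[0] + last,
    "first.last": lambda first, last: f"{first}.{last}",
    "f.last":     lambda first, last: f"{first[0]}.{last}",
    "firstl":     lambda first, last: first + last[0],
}


def normalize(token: str) -> str:
    """Fold accents and strip anything an AD logon name will not contain."""
    ascii_only = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())


def split_name(full_name: str) -> Tuple[str, str]:
    """First and last token of a display name; middle names and suffixes are dropped."""
    parts = full_name.split()
    if len(parts) < 2:
        return "", ""
    return normalize(parts[0]), normalize(parts[-1])


def generate_usernames(names: Iterable[str], fmt: str = "flast") -> List[str]:
    """Apply one format to each name, de-duplicating while keeping scrape order."""
    out: List[str] = []
    for name in names:
        first, last = split_name(name)
        if first and last:
            user = FORMATS[fmt](first, last)
            if user not in out:
                out.append(user)
    return out


def breach_candidates(records: Iterable[dict], domain: str):
    """Split target-domain records into (local_part, cleartext) and (local_part, hash) lists."""
    cleartext: List[Tuple[str, str]] = []
    hashes: List[Tuple[str, str]] = []
    seen = set()
    suffix = "@" + domain.lower()
    for rec in records:
        email = rec.get("email", "").lower()
        if not email.endswith(suffix):
            continue                      # not our target; never spray a third party
        local = email.split("@", 1)[0]
        for field, bucket in (("password", cleartext), ("hashed_password", hashes)):
            value = rec.get(field)
            if value and (field, local, value) not in seen:
                seen.add((field, local, value))
                bucket.append((local, value))
    return cleartext, hashes


def email_to_username(local_part: str, fmt: str) -> str:
    """Re-derive the AD username from an email local part such as jane.smith."""
    if "." in local_part:
        first, last = (normalize(p) for p in local_part.split(".", 1))
        if first and last:
            return FORMATS[fmt](first, last)
    return normalize(local_part)


def build_spray_list(names, records, domain, fmt="flast") -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Username -> known passwords to try first (empty list = common/seasonal guesses only),
    plus the hashes handed off to cracking."""
    spray: Dict[str, List[str]] = {u: [] for u in generate_usernames(names, fmt)}
    cleartext, hashes = breach_candidates(records, domain)
    for local, password in cleartext:
        user = email_to_username(local, fmt)
        spray.setdefault(user, [])
        if password not in spray[user]:
            spray[user].append(password)
    return spray, hashes


if __name__ == "__main__":
    spray, hashes = build_spray_list(HARVESTED_NAMES, BREACH_RECORDS, "inlanefreight.local")
    for user, passwords in spray.items():
        print(f"{user:12} {', '.join(passwords) or '(no known password)'}")
    for local, digest in hashes:
        print(f"crack: {local} {digest}")
```

Two practical notes: the `username` field Dehashed sometimes returns is itself a candidate worth adding to the list, and the lockout threshold from the harvested password policy (Schema Format above) sets how many attempts per user per window the spray can afford, so the "known password first" ordering matters.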

Key Takeaways

  • Always save files, screenshots, scan output, and tool output as soon as you find them
  • If stuck during a pentest, revisit passive recon for additional leads (e.g. breach data for VPN access)
  • The majority of internal AD enumeration can be performed with just low-privilege domain user credentials
  • A thorough external recon phase can mean the difference between days of brute-forcing and a quick foothold