External Pentest
Horizon3.ai® External Pentest is a new & easy way to gain an additional perspective on your environment. Unlike our internal pentests, our external pentest does not need you to set up any hosts or run any curl scripts. Instead, you will discover and authorize assets for external pentesting.
Log Into the Portal
Click here to navigate to our Portal and log in with your credentials.
Run an External Pentest
To run an external pentest you need to Discover your Assets, Authorize Domains you want to pentest and then Run an External Pentest against those authorized domains. This documentation takes you through each step. Alternatively, jump to one of the following steps to pick up where you left off or to get a refresher:
- Getting Started – Discover your assets
- Asset Discovery has Completed – Authorize your domains
- Run an External Pentest
1. Getting Started
On the Pentest page, in the top right, click Run an External Pentest to open the Pentest Configuration.
2. Navigate to External Assets to create an asset group
Before you can run an external pentest, you will need to create an asset group, which is used to scope the external pentest.
3. Click Create Asset Group
On the External Assets page, click Create Asset Group in the top right to open the asset group configuration.
4. Configure your asset group
Name the asset group and list your top-level domain(s). Multiple top-level domains can be added to the configuration. Then click Next.
Optionally, add your Git and AWS Accounts
To add a Git Account, select + Add Account. To add an AWS Account, type the 12-digit AWS Account ID in the box listed below. Listing these accounts allows us to confirm ownership of these accounts and run deeper enumeration of assets.
Add OSINT Information
In Advanced Configuration you can include company name(s), which will be used by Open Source Intelligence (OSINT) gathering tools and techniques to harvest company information. You also have the option to brute force subdomains, which authorizes the system to search for well-known subdomains that may not surface through OSINT discovery. We recommend leaving Brute Force unchecked when creating your first asset group to decrease the time required for the asset discovery scan. If time is not an issue, we recommend enabling Brute Force to increase the depth of the scan.
Then click Create Asset Group
You’ve created an asset group! 🎉
5. Run Asset Discovery on your new asset group
Now that you’ve created an asset group, click Run Asset Discovery. NodeZero’s External Asset Discovery is a passive enumeration capability that leverages DNS and Open Source Intelligence (OSINT) gathering capabilities and services to find assets linked to your organization.
6. Asset Discovery is in progress
Once your asset discovery is complete you will receive an email notifying you.
Important
You will have 72 hours after asset discovery completes to authorize and run an external pentest before you will need to rerun the asset discovery scan in case of environmental drift. Rerun asset discovery for an asset group by clicking Run Asset Discovery in the top right of your asset group page.
7. Asset Discovery has completed
Now that asset discovery has completed, navigate to External Assets.
8. Click your new asset group
Click the external assets group that you have created and discovered.
9. Review & add discovered top-level domain(s) to your configuration
During asset discovery, we identify top-level domains that could belong to your company. If you would like to pentest domains within this top-level domain, select the top-level domain(s) that you want to pentest and click Take Action to add them to the external pentest configuration. After doing so, you will need to rerun asset discovery to locate domains with the updated configuration.
10. Review & authorize discovered assets
On the Domains tab, review the subdomains located during asset discovery and authorize or deauthorize them for the external pentest. After you have reviewed and selected the subdomains that you would like to pentest and are legally authorized to pentest, click Take Action and then Authorize for Pentest.
Assets with Warnings
Some of the discovered assets have warnings because they are hosted on third-party infrastructure, and therefore you may not be legally allowed to pentest them. View the Third Party or IP Address details or screenshots to help determine if you are legally allowed to pentest the subdomain. Here are some reasons why you might see a warning; in each case, ensure that the asset is yours and that you are authorized to pentest it.
- The asset links to a service, such as Rackspace or Digital Ocean, that doesn’t provide pentesting guidance, so NodeZero cannot confirm whether pentesting is allowed.
- The asset links to an unknown third-party service, and you need to determine whether pentesting is allowed based on your terms and conditions with that service.
If you selected any assets with a warning…
This warning pops up to verify that you are aware that you are authorizing assets that may fall outside of your own domain or reside on third-party infrastructure. Click Authorize if you are legally allowed to pentest all the assets listed.
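The scope review described above, together with the 72-hour window after asset discovery, can be pre-checked outside the portal. This is an added example, not Horizon3.ai code: the record fields, sample hosts and function names are assumptions, and it inspects names and CNAME targets only, so IP ownership still has to be checked separately.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data. Field names are assumptions for this example,
# not a NodeZero export format.
OWNED_DOMAINS = {"example.com", "example.org"}  # domains listed in the asset group
DISCOVERY_DONE = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
DISCOVERED = [
    {"name": "www.example.com", "cname": None},
    {"name": "shop.example.com", "cname": "shops.hosted-store.example.net"},
    {"name": "mail.example.org", "cname": "mx1.example.org"},
    {"name": "notexample.com", "cname": None},  # look-alike, not a subdomain
]


def under_owned_domain(host, owned):
    """True if host is an owned domain or a subdomain of one.

    The match is aligned on a label boundary, so "notexample.com" does not
    count as being under "example.com".
    """
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in owned)


def review(assets, owned):
    """Split assets into (no third-party indicator, needs ownership review)."""
    no_indicator, needs_review = [], []
    for asset in assets:
        name_ok = under_owned_domain(asset["name"], owned)
        # A CNAME that leaves the owned domains suggests third-party hosting.
        target_ok = asset["cname"] is None or under_owned_domain(asset["cname"], owned)
        bucket = no_indicator if name_ok and target_ok else needs_review
        bucket.append(asset["name"])
    return no_indicator, needs_review


def discovery_is_fresh(completed_at, now, window_hours=72):
    """True while the discovery results are still inside the 72-hour window."""
    return now - completed_at <= timedelta(hours=window_hours)


if __name__ == "__main__":
    clean, flagged = review(DISCOVERED, OWNED_DOMAINS)
    print("no third-party indicator:", clean)
    print("confirm ownership and permission first:", flagged)
    now = DISCOVERY_DONE + timedelta(hours=80)
    print("discovery still fresh:", discovery_is_fresh(DISCOVERY_DONE, now))
```

Anything in the second list should be confirmed against the hosting provider's terms before it is authorized in the portal.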
11. Git & AWS Accounts
The Git Accounts tab and AWS Accounts tab are where you can view any accounts you added to the asset group configuration. To add or remove Git or AWS accounts, edit the asset group configuration by clicking the edit (pencil) button in the top right of the asset group.
12. Run an External Pentest
Now that you’ve authorized assets in your asset group you can run an external pentest. Navigate to the Pentests page or click Run External Pentest on a pop-up in the top right corner.
13. Click Run an External Pentest
Click Run an External Pentest to open the Pentest Configuration.
14. Configure your external pentest
Select a template and provide a name for your external pentest. Select the asset group with authorized assets. You may save the template to make use of our quick pentest configuration in the future.
Advanced Configuration
From the Advanced Configuration window, customize your external pentest and choose which advanced attack methods to run during the pentest. The default template is recommended by Horizon3.ai®; however, you can decide what to include and exclude based on your environment.
Start your external pentest
Once you have finished your configuration settings, you must select the box acknowledging that you have the legal authority to conduct Horizon3.ai®’s external penetration test on the list of assets you’ve provided. After selecting the box, you can run your external pentest.
Woo! External Pentest Started! 🎉
Once your external pentest starts, you will be able to see the NodeZero IP address. You will receive an email notifying you when your external pentest is complete. You can view the external pentest report alongside your internal pentest reports.