Overview:
- Think of external pentests like home security
- Low chance of RCE, high chance of weak passwords (or weak password policies) and lack of MFA, or MFA that is not properly configured (also called partial MFA).
- OSINT is your best friend (and logical guessing)
A hospital he did a pentest for had MFA on the VPN but let you log in to email and see sensitive information like patient records
Don’t focus on web app attacks (XSS for example) if the assessment is focused on external infrastructure (external pentest)
Login portal with SQL injection? Sure
Default credentials on things like Jenkins? Sure
^ These lead directly to access