While automation should not be relied on too heavily, it can assist when scanning the external perimiter of an organization during a penetration test to quickly identify low-hanging fruits. In this specific instance, I am referring to Nuclei from Project Discovery, however, other tooling to automate your penetration tests exists such as leveraging a vulnerability scanner like Burp Suite's Active Scan or Nessus.
To further improve your penetration test workflow, creating custom templates with Nuclei is highly recommended for common findings. For example, during a penetration test I observed several devices leveraging the same default credentials - a check for this can be quickly automated using Nuclei's scanner:
id: yealink-default-login
info:
name: Yealink CTP18 - Default Login
author: parzival
severity: high
description: |
Yealink CTP18 Default Administrator Credentials Discovered.
reference:
- https://support.yealink.com
metadata:
fofa-query: Yealink CTP18
max-request: 1
verified: true
tags: default-login,yealink
http:
- raw:
- |
POST /api/auth/login?p=Login&t=1 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/plain, */*
username={{username}}&pwd={{password}}
attack: pitchfork
payloads:
username:
- admin
password:
- '0000'
host-redirects: true
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{"ret":"ok","data":"ok"}'
- type: word
part: header
words:
- text/html
- type: status
status:
- 200