CompTIA PenTest+ domain 2: Information gathering and vulnerability scanning
What are information gathering and vulnerability scanning?
Reconnaissance is a vital part of the pentesting process. Pentesters use various tools, techniques and skills to collect the information required to plan and execute their attacks. During reconnaissance, a pentester may gather information from public sources, perform vulnerability and other scans against the target network, and use the results of these scans to develop a plan of attack.
Information gathering and scanning career skills
This domain tests a candidate’s ability to collect information about an organization and distill it into threat intelligence used during an attack. Performing the same activities on the defensive side enables the blue team to identify security gaps and sensitive data leaks that must be addressed.
What’s covered in PenTest+ domain 2 of the exam?
Reconnaissance is an important part of pentesting. It is the second-largest domain of the PenTest+ exam, accounting for 22% of a candidate’s score. This domain is broken up into the following four sections.
Given a scenario, perform passive reconnaissance
Passive reconnaissance refers to collecting information about a target environment without directly interacting with that environment. Often, this involves collecting information from publicly available sources on the internet.
The PenTest+ exam tests a candidate’s knowledge of how to passively collect a range of data, including:
- DNS lookups: DNS lookups provide information about the domains and IP addresses associated with an organization and can give clues about the purpose of certain systems.
- Identify contacts: an organization’s technical and administrative contacts are often public information and can be useful for targeting attacks or as part of a social engineering pretext.
- Cloud vs. self-hosted: determining whether an organization’s IT infrastructure is cloud-based or self-hosted is essential for targeting attacks and determining likely attack vectors (such as misconfigured cloud permissions).
- Social media scraping: corporate, professional and personal social media profiles can provide key details about an organization. For example, job postings may describe the organizational structure and provide clues about an organization’s technology stack.
- Cryptographic flaws: insecure or revoked Secure Sockets Layer (SSL) certificates may provide opportunities for man-in-the-middle (MitM) attacks or indicate other security weaknesses.
- Corporate security posture: publicly available corporate security scores or other information may provide insight into a company’s security posture and potential attack vectors.
- Data: sensitive data about a company may be leaked in password dumps, files accidentally exposed to the public internet, source code repositories or cached versions of websites.
- Open-source intelligence (OSINT): OSINT tools such as Shodan can enable a penetration tester to collect vulnerability information on a target system without a direct vulnerability scan.
Given a scenario, perform active reconnaissance
Active scanning involves direct interaction with the target environment to gather information. In general, this approach enables a penetration tester to gather intelligence that may not be available via passive reconnaissance, but it is more prone to detection.
PenTest+ tests knowledge of the following topics for active reconnaissance:
- Enumeration: identify hosts, services, domains, users and URLs associated with the target organization.
- Website reconnaissance: analyze a website using crawlers, scrapers and manual analysis of certain pages (such as robots.txt).
- Packet crafting: Python’s Scapy library aids in the creation of custom packets to fingerprint a service or test for certain vulnerabilities.
- Defense detection: detecting the presence of web application firewalls (WAFs), antivirus and other security tools is essential for identifying potential attack vectors.
- Tokens: authentication tokens can be used to gain access to accounts. Searching for exposed tokens can identify the services used by an organization and potentially provide access to their accounts.
- Wardriving: wardriving attempts to identify insecure wireless networks that could be exploited in an attack.
- Network traffic: sniffing web traffic and capturing API requests and responses can aid in identifying and analyzing target systems and services.
- Cloud asset discovery: as companies increasingly adopt cloud-based infrastructure, mapping an organization’s entire cloud deployment is essential for identifying vulnerabilities and potential targets.
- Third-party hosted services: services hosted by third parties may introduce attack vectors and may also be out of scope for an assessment.
- Detection avoidance: after identifying security tools and other detection mechanisms, a penetration tester can identify means to avoid detection during their attack.
Given a scenario, analyze the results of a reconnaissance exercise
The ability to run tools is not enough for reconnaissance. A penetration tester needs to know how to interpret the results of these tools and use them to plan the rest of the engagement.
In this section, PenTest+ tests knowledge of the following:
- Fingerprinting: the tools used in active and passive reconnaissance should ideally provide the information necessary to determine operating systems, map parts of the target network structure, and identify services running on target systems.
- Analyze tool output: a penetration tester should read the output produced by reconnaissance tools and techniques and extract useful intelligence for planning an attack.
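Interpreting scanner output is the skill this section describes, so here is an added example (not code from the article or from CompTIA) that turns Nmap grepable output (`-oG`) into a per-host fingerprint: address, hostname, open services with banners, and an OS guess taken from Nmap's OS match or, failing that, inferred from the service banners. The scan output embedded below is constructed to follow the grepable format; the hosts, ports and version strings are invented for illustration, and the banner-based inference rules are a simple assumption, not Nmap's own logic.

```python
"""Summarize Nmap grepable (-oG) output into per-host fingerprints.

Added example; the sample output is constructed, not a real scan.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in Nmap's grepable format (tab-separated fields).
# Hosts, ports and versions are invented for illustration.
SAMPLE_GREPABLE = """# Nmap 7.94 scan initiated as: nmap -sV -O -oG - 10.0.0.0/29
Host: 10.0.0.5 (web.example.internal)\tStatus: Up
Host: 10.0.0.5 (web.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (997)\tOS: Linux 5.4 - 5.15\tSeq Index: 258\tIP ID Seq: All zeros
Host: 10.0.0.6 (db.example.internal)\tStatus: Up
Host: 10.0.0.6 (db.example.internal)\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2019/\tIgnored State: filtered (997)
# Nmap done -- 8 IP addresses (2 hosts up)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)$")
# Port entry layout: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/(.*)/$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


@dataclass
class HostFingerprint:
    address: str
    hostname: str
    status: str = ""
    os_guess: str = ""
    services: list = field(default_factory=list)


def parse_grepable(text):
    """Return {address: HostFingerprint} built from grepable output lines."""
    hosts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # comments and the scan header/footer
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        addr, name = m.groups()
        host = hosts.setdefault(addr, HostFingerprint(addr, name))
        for fld in fields[1:]:
            key, _, value = fld.partition(": ")
            if key == "Ports":
                for entry in value.split(", "):
                    pm = PORT_RE.match(entry.strip())
                    if pm:
                        port, state, proto, _owner, svc, _rpc, ver = pm.groups()
                        host.services.append(Service(int(port), proto, state, svc, ver))
            elif key == "OS":
                host.os_guess = value
            elif key == "Status":
                host.status = value
    return hosts


def infer_platform(host):
    """Prefer Nmap's OS match; otherwise read platform hints from banners.

    The banner rules below are an assumption for this example, not Nmap logic.
    """
    if host.os_guess:
        return host.os_guess
    banners = " ".join(f"{s.name} {s.version}" for s in host.services)
    if "Microsoft" in banners or "microsoft-ds" in banners:
        return "Windows (inferred from service banners)"
    if "OpenSSH" in banners:
        return "Unix-like (inferred from service banners)"
    return "unknown"


def report(hosts):
    """One summary line per host: platform plus open service list."""
    lines = []
    for addr, host in sorted(hosts.items()):
        svcs = ", ".join(f"{s.port}/{s.proto} {s.name} {s.version}".strip()
                         for s in host.services if s.state == "open")
        lines.append(f"{addr} ({host.hostname}) [{infer_platform(host)}]: {svcs}")
    return lines


if __name__ == "__main__":
    for line in report(parse_grepable(SAMPLE_GREPABLE)):
        print(line)
```

The same parser works on real `-oG` files; the point is that the OS field is only present when OS detection ran and matched, so the analyst must fall back to service banners, which is exactly the judgment call this objective tests.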
Given a scenario, perform vulnerability scanning
Vulnerability scanning enables a penetration tester to identify potentially exploitable security flaws in a target environment. The vulnerabilities detected in this phase are often used to gain initial access to a target environment.
Key concepts for vulnerability scanning include:
- Considerations of vulnerability scanning: the effectiveness and detectability of a vulnerability scan depend on when and where it is run. Additionally, certain vulnerability scans may overwhelm low-bandwidth connections or crash fragile and legacy systems.
- Scan identified targets for vulnerabilities: a penetration tester should be familiar with vulnerability scanners and configure and execute a vulnerability scan against a target system.
- Set scan settings to avoid detection: certain types of scans are more or less likely to be detected. For example, a low-rate full connect scan may be less detectable than an aggressive XMAS scan.
- Scanning methods: a penetration tester should be familiar with the main types of vulnerability scans (SYN, stealth, full connect, etc.) and the differences between credentialed and non-credentialed scans.
- Nmap: Nmap is one of the most widely used port scanners. The exam tests common Nmap flags and the Nmap Scripting Engine (NSE).
- Vulnerability testing tools that facilitate automation: some vulnerability scanning tools facilitate automated scanning. For example, NSE makes it possible to automate complex scans rather than configuring them manually.
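The claim above that a low-rate full connect scan is harder to spot than an aggressive XMAS scan is easiest to see from the defender's side. The following added example (not code from the article or from CompTIA) runs two simple detection rules over constructed TCP flag records: a signature rule that fires on flag combinations no legitimate stack sends (FIN+PSH+URG for XMAS, bare FIN, no flags), and a rate rule that fires when one source sends SYNs to many distinct ports within a window. The traffic records, addresses, window size and port threshold are all assumptions constructed for the example.

```python
"""Classify TCP flag patterns and flag probable port scans.

Added example with constructed traffic records; not real capture data.
Record layout: (timestamp_seconds, src_ip, dst_ip, dst_port, flags)
where flags uses Nmap-style letters: S=SYN, A=ACK, F=FIN, P=PSH, U=URG.
"""
from collections import defaultdict


def classify_flags(flags):
    """Name the scan type implied by a flag combination."""
    f = set(flags)
    if f == {"F", "P", "U"}:
        return "xmas"          # FIN+PSH+URG: never produced by a normal handshake
    if not f:
        return "null"          # no flags set at all
    if f == {"F"}:
        return "fin"           # lone FIN with no prior connection
    if f == {"S"}:
        return "syn"           # ordinary connection attempt or half-open probe
    if "A" in f:
        return "established"   # handshake completed or data flowing
    return "other"


def detect_scans(records, window=60.0, port_threshold=10):
    """Return {src_ip: set(reasons)} for sources that look like scanners.

    window and port_threshold are tunable assumptions for this example.
    """
    alerts = defaultdict(set)
    syn_events = defaultdict(list)  # src -> [(t, dport)] for SYN-only packets
    for t, src, _dst, dport, flags in sorted(records):
        kind = classify_flags(flags)
        if kind in ("xmas", "null", "fin"):
            # Signature rule: a single malformed probe is enough to alert.
            alerts[src].add(f"{kind} scan signature")
        elif kind == "syn":
            syn_events[src].append((t, dport))
    # Rate rule: count distinct destination ports per source inside a sliding window.
    for src, events in syn_events.items():
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= port_threshold:
                alerts[src].add(
                    f"SYN sweep: >={port_threshold} distinct ports within {window:.0f}s")
                break
    return dict(alerts)


def build_sample_records():
    """Constructed traffic: three probe styles plus one normal client."""
    records = []
    # XMAS probe (FIN+PSH+URG) against five ports inside one second.
    for i, port in enumerate((21, 22, 80, 443, 3389)):
        records.append((1000.0 + i * 0.2, "203.0.113.10", "10.0.0.5", port, "FPU"))
    # Half-open SYN sweep: 30 ports in about two seconds, never completed.
    for i in range(30):
        records.append((2000.0 + i * 0.07, "203.0.113.20", "10.0.0.5", 1 + i, "S"))
    # Slow full connect: three ports, five minutes apart, each handshake completed.
    for i, port in enumerate((22, 80, 443)):
        base = 3000.0 + i * 300
        records.append((base, "203.0.113.30", "10.0.0.5", port, "S"))
        records.append((base + 0.01, "203.0.113.30", "10.0.0.5", port, "A"))
    # Ordinary client opening a single HTTPS connection.
    records.append((4000.0, "198.51.100.5", "10.0.0.5", 443, "S"))
    records.append((4000.01, "198.51.100.5", "10.0.0.5", 443, "A"))
    return records


if __name__ == "__main__":
    for src, reasons in sorted(detect_scans(build_sample_records()).items()):
        print(src, "->", "; ".join(sorted(reasons)))
```

Running it flags the XMAS source on the first packet and the SYN sweep on volume, while the slow full connect probe and the normal client look identical to these rules. Closing that gap means baselining per-source port diversity over hours rather than minutes, which is why the article's point about scan rate matters to both sides of an engagement.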
For more information on the PenTest+ exam, see the full CompTIA PenTest+ (PT0-002) exam objectives.
- CompTIA PenTest+, CompTIA
- CompTIA PenTest+ Certification Exam Objectives, CompTIA
- CompTIA PenTest+: Everything you need to know about the exam, Infosec Edge