(PT0-002) Module 3: Footprinting and Gathering Intelligence (Study guide and exam preparation materials for the CompTIA PenTest+ Certificate (PT0-002) from CertMaster Group)

Case Study: Penetration Testing Engagement for CompTIA Academy

Overview:
CertMaster, a leading cybersecurity consulting firm, has been hired by CompTIA Academy, an online learning platform for IT certifications, to conduct a comprehensive penetration testing engagement. The primary objective is to identify and assess potential vulnerabilities within CompTIA Academy's external-facing infrastructure and web applications. The CertMaster PenTest team will perform a series of reconnaissance and information gathering techniques to map the attack surface and provide recommendations for remediation.

Scope:
The scope of the penetration testing engagement includes:
- CompTIA Academy's public-facing website (comptia.academy)
- Associated subdomains and web applications
- Externally accessible network infrastructure
- Publicly available information related to CompTIA Academy

Methodology:
The CertMaster PenTest team will follow a structured approach aligned with industry best practices and the PTES (Penetration Testing Execution Standard) methodology. The engagement will be divided into the following phases:

1. Footprinting and Reconnaissance
- Perform OSINT (Open-Source Intelligence) gathering using public sources
- Identify key personnel, technologies, and potential attack vectors
- Utilize tools such as WHOIS, DNS queries, and search engines for data collection

2. Scanning and Enumeration
- Conduct port scans and service enumeration using Nmap
- Identify web technologies and potential vulnerabilities using Nikto and dirb
- Analyze SSL/TLS configurations and certificate details using sslyze

3. Vulnerability Assessment
- Perform automated vulnerability scans using industry-standard tools
- Manually validate and prioritize identified vulnerabilities
- Assess the potential impact and likelihood of exploitation

4. Exploitation and Post-Exploitation
- Attempt to exploit identified vulnerabilities in a controlled manner, within the agreed rules of engagement
- Demonstrate what access to systems or sensitive information an attacker could gain
- Demonstrate the potential impact of successful exploitation

5. Reporting and Remediation
- Document all findings and recommendations in a comprehensive report
- Provide a prioritized list of vulnerabilities and remediation actions
- Present the results to CompTIA Academy's stakeholders and provide guidance

Tools and Techniques:
The CertMaster PenTest team will employ a variety of tools and techniques throughout the engagement, including:
- OSINT frameworks: Maltego, Recon-ng, theHarvester
- Port scanning and service enumeration: Nmap
- Web server and content discovery: Nikto, dirb
- Vulnerability scanning and web application testing: Nessus, Burp Suite, OWASP ZAP
- Exploitation: Metasploit, SQLMap (SQL injection), BeEF (browser exploitation)
- Custom scripts and utilities for specific tasks

Expected Outcomes:
By the end of the penetration testing engagement, CompTIA Academy can expect:
- A comprehensive understanding of their external attack surface
- Identification of potential vulnerabilities and security weaknesses
- Prioritized recommendations for remediation and risk mitigation
- Guidance on improving overall security posture and resilience against cyber threats

The CertMaster PenTest team is committed to delivering high-quality results and helping CompTIA Academy strengthen its cybersecurity defenses. The team's expertise, coupled with industry-leading tools and methodologies, will provide valuable insights and actionable recommendations to enhance the security of CompTIA Academy's digital assets.


Footprinting and Gathering Intelligence
By CertMaster PenTest Team

1. Discover the Target

For pentesters, footprinting and reconnaissance are key to identifying critical information for a successful penetration test. Gather data on key contacts, technologies, and the target organization (e.g., comptia.academy) by searching:

- Online articles, press releases
- Social media profiles
- Public code repositories

Example: Query GitHub for "comptia.academy" to potentially discover exposed credentials or sensitive data in code.

Record findings in a spreadsheet:

| Start date | Asset | Test | Findings | Next Test |
| --- | --- | --- | --- | --- |
| | comptia.academy | WHOIS and DNS lookup | Registrar, name servers; A record 104.26.2.192 | Nmap scan |
| | comptia.academy emails | theHarvester | User list: joe@, sarah@ | Phishing (only if social engineering is in scope) |
| | comptia.academy site | dirb | Dirs: /admin, /backup | Web vulnerability scan |

A domain WHOIS lookup reveals the registrar, registration and expiry dates, name servers and, unless privacy protection is enabled, registrant contacts; IP addresses come from DNS (`dig comptia.academy A`), and a WHOIS query on that address (`whois 104.26.2.192`) reveals who owns the netblock. Example using the WHOIS CLI:
```
whois comptia.academy
...
Registrar URL: http://www.godaddy.com
Updated Date: 2022-01-28T16:49:28Z
Creation Date: 2003-04-09T21:36:13Z
Registrar: GoDaddy.com, LLC
```

Examine DNS MX, NS, SRV records for more intel:
```
dig comptia.academy MX
...
comptia.academy. 3600 IN MX 10 aspmx2.googlemail.com.
comptia.academy. 3600 IN MX 10 aspmx3.googlemail.com.
```
This shows that comptia.academy routes mail through Google (Google Workspace), so mail-related attacks target Google's infrastructure and login flow rather than a self-hosted server. Query the other record types the same way: `dig comptia.academy NS`, `dig comptia.academy TXT` (SPF) and `dig _dmarc.comptia.academy TXT` (DMARC); SRV records such as `_sip._tcp.comptia.academy` reveal VoIP and collaboration services.
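The record types above are worth more than a provider name. As an added example (not part of the original study guide), the following Python script parses the answer-section lines that `dig +noall +answer comptia.academy MX comptia.academy TXT _dmarc.comptia.academy TXT` prints, orders the MX hosts by preference, pulls the third-party senders out of the SPF record and reads the DMARC policy. The sample output embedded in the script is constructed: the Google MX hosts mirror the page's example, while the NS host, the A record, the SPF includes (sendgrid.net) and the DMARC record are assumed.

```python
import re
from collections import defaultdict

# Constructed sample: answer-section lines in the format dig prints
# (dig +noall +answer <name> <type>), joined so the parser runs offline.
# The Google MX hosts follow the page's example; the NS host, A record,
# SPF includes and DMARC record are assumed for illustration.
SAMPLE_DIG_OUTPUT = """\
comptia.academy.        3600    IN      MX      10 aspmx2.googlemail.com.
comptia.academy.        3600    IN      MX      1 aspmx.l.google.com.
comptia.academy.        3600    IN      MX      10 aspmx3.googlemail.com.
comptia.academy.        3600    IN      NS      ns1.example-dns.net.
comptia.academy.        300     IN      A       104.26.2.192
comptia.academy.        3600    IN      TXT     "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
_dmarc.comptia.academy. 3600    IN      TXT     "v=DMARC1; p=none; rua=mailto:dmarc@comptia.academy"
"""

# owner-name  ttl  IN  type  rdata
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>.+)$")


def parse_dig(text):
    """Group dig answer lines as {rtype: [(owner_name, rdata), ...]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records[m.group("type")].append((m.group("name"), m.group("data").strip()))
    return records


def mx_hosts(records):
    """Mail exchangers ordered by preference (the lowest value is tried first)."""
    mx = []
    for _, rdata in records.get("MX", []):
        pref, host = rdata.split(None, 1)
        mx.append((int(pref), host.rstrip(".")))
    return [host for _, host in sorted(mx)]


def spf_includes(records):
    """Third-party senders the SPF record authorises (each include: mechanism)."""
    includes = []
    for _, rdata in records.get("TXT", []):
        value = rdata.strip('"')
        if value.lower().startswith("v=spf1"):
            includes += [tok.split(":", 1)[1] for tok in value.split()
                         if tok.lower().startswith("include:")]
    return includes


def dmarc_policy(records):
    """The p= tag of the _dmarc TXT record, or None when no DMARC is published."""
    for name, rdata in records.get("TXT", []):
        value = rdata.strip('"')
        if name.startswith("_dmarc.") and value.upper().startswith("V=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
            return tags.get("p")
    return None


def recon_summary(text):
    """Everything a tester notes from the records: IPs, provider, senders, policy."""
    r = parse_dig(text)
    return {
        "a": [rdata for _, rdata in r.get("A", [])],
        "ns": [rdata.rstrip(".") for _, rdata in r.get("NS", [])],
        "mx": mx_hosts(r),
        "spf_includes": spf_includes(r),
        # "none" means spoofed mail is only reported to rua=, never rejected
        "dmarc_p": dmarc_policy(r),
    }


if __name__ == "__main__":
    for key, value in recon_summary(SAMPLE_DIG_OUTPUT).items():
        print(f"{key}: {value}")
```

A DMARC policy of p=none and an SPF include for a third-party sender both go straight into the findings sheet: the first means spoofed mail from the domain is only reported, not rejected; the second names a supplier whose compromise would let an attacker send SPF-passing mail as comptia.academy.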

2. Gather Essential Data

Public repositories such as GitHub are a goldmine for the tester and a risk for the target: developers commit API keys, passwords, private keys and internal hostnames in code and configuration files, and a secret removed in a later commit usually survives in the repository history.
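As an added example (not part of the original guide, and not the code of any of the tools listed in it), here is a small Python secret scanner of the kind that gitleaks or trufflehog run at scale: it applies signature regexes to every line of a cloned repository, scores each hit's Shannon entropy so random keys stand out from placeholder passwords, and redacts the value in the finding. The files it scans are constructed: the AWS values are Amazon's documented placeholder credentials, the PEM body is dummy text, and the paths are assumed.

```python
import math
import re
from collections import Counter

# Constructed stand-in for files pulled from a public repository. The AWS
# values are Amazon's documented placeholder credentials, the PEM body is
# truncated dummy text, and the file names are assumed.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'DB_PASSWORD = "hunter2"\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEow...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Run `make test` before pushing.\n",
}

# Signature patterns; a capture group, when present, isolates the secret value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)\b\w*(?:password|passwd|secret|token|api[_-]?key)\w*\s*[=:]\s*[\"']([^\"']{4,})[\"']"
    ),
}


def shannon_entropy(value):
    """Bits of entropy per character: random keys score high, dictionary words low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_files(files):
    """Run every signature over every line; return findings with a redacted preview."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for kind, regex in PATTERNS.items():
                m = regex.search(line)
                if not m:
                    continue
                value = m.group(1) if m.groups() else m.group(0)
                findings.append({
                    "file": path,
                    "line": lineno,
                    "kind": kind,
                    "entropy": round(shannon_entropy(value), 2),
                    # never paste a recovered secret into a report: keep a prefix only
                    "preview": value[:4] + "...",
                })
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} entropy={f['entropy']} {f['preview']}")
```

Run it over a checkout with `files = {p: open(p).read() for p in paths}` (and over `git log -p` output to catch secrets deleted in later commits). On an engagement a hit is not a finding until you have confirmed the credential is live, and only if the rules of engagement allow that check; the full secret never goes into the report.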

Use Google dork operators for targeted web searches:
```
site:comptia.academy filetype:pdf
inurl:comptia.academy/admin
```

For older page versions, use Google Cache, Wayback Machine or browser extensions.

Image recon via reverse image search on Google Images:
1. Go to images.google.com
2. Click camera icon and upload/paste image URL
3. Review visually similar image results

Set Google Alerts for "comptia.academy" to monitor new content.

3. Compile Website Information

Enumerate the web server and its content:
- Nmap port and version scan: `nmap -sV -p- comptia.academy` (add `-Pn` if ICMP is filtered; a full 65535-port scan is slow and noisy, and if the name resolves to a CDN or WAF you are scanning the edge, not the origin)
- Nikto web server scan: `nikto -h comptia.academy`
- dirb forced browsing: `dirb http://comptia.academy /usr/share/wordlists/dirb/common.txt` (the wordlist path is Kali's default)

Map comptia.academy's supply chain (partner, subsidiary and hosted-service sites), but only test a third-party site if the client owns it and it is named in the scope; otherwise record it as an out-of-scope observation.

Read robots.txt: entries meant to keep crawlers out of sensitive paths also tell an attacker exactly where to look:
```
http://comptia.academy/robots.txt
User-agent: *
Disallow: /admin
Disallow: /backups
```
robots.txt is advisory only; listing /admin and /backups there hides nothing from an attacker and hands over a ready-made wordlist for forced browsing.
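As an added example that is not part of the original guide, the Python below turns robots.txt into a probe list rather than reading it by eye: it parses User-agent groups, keeps Allow and Disallow rules apart, collects Sitemap URLs, strips the wildcard and anchor syntax from Disallow patterns, and sorts paths that look sensitive to the front so they feed dirb or ffuf first. The robots.txt it parses is constructed around the page's two Disallow entries; the Allow, Sitemap, /search, /old-site and Googlebot lines are assumed.

```python
import urllib.request

# Constructed robots.txt modelled on the page's example; the Allow, Sitemap,
# /search, /old-site and Googlebot entries are assumed for illustration.
SAMPLE_ROBOTS = """\
# Crawler rules
User-agent: *
Disallow: /admin
Disallow: /backups
Allow: /backups/public
Disallow: /old-site/*.bak$
Disallow: /search
Sitemap: https://comptia.academy/sitemap.xml

User-agent: Googlebot
Disallow: /staging
"""

# Path fragments worth probing first during content discovery.
INTERESTING = ("admin", "backup", "staging", "old", "test", "dev", "config",
               ".bak", ".sql", ".zip", ".git")


def fetch_robots(base_url, timeout=10):
    """Fetch a live robots.txt (network); the offline demo does not call this."""
    with urllib.request.urlopen(f"{base_url.rstrip('/')}/robots.txt", timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_robots(text):
    """Return ({user_agent: {"disallow": [...], "allow": [...]}}, [sitemap URLs])."""
    groups, sitemaps, agents = {}, [], []
    previous_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            # consecutive User-agent lines share the rule block that follows them
            agents = agents + [value] if previous_was_agent else [value]
            groups.setdefault(value, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow") and agents and value:
            for agent in agents:
                groups[agent][field].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
        previous_was_agent = field == "user-agent"
    return groups, sitemaps


def candidate_paths(groups):
    """Disallowed paths as probe targets: wildcard/anchor syntax stripped,
    deduplicated across agents, interesting-looking paths sorted first."""
    paths = []
    for rules in groups.values():
        for pattern in rules["disallow"]:
            path = pattern.split("*", 1)[0].rstrip("$")
            if path and path not in paths:
                paths.append(path)
    return sorted(paths, key=lambda p: (not any(k in p.lower() for k in INTERESTING), p))


def to_dirb_wordlist(paths):
    """One wordlist entry per line, without the leading slash dirb adds itself."""
    return "\n".join(p.strip("/") for p in paths) + "\n"


if __name__ == "__main__":
    groups, sitemaps = parse_robots(SAMPLE_ROBOTS)
    print("sitemaps:", sitemaps)
    print(to_dirb_wordlist(candidate_paths(groups)), end="")
```

Write the wordlist to a file and pass it to `dirb http://comptia.academy robots_paths.txt`; the Sitemap URL is worth fetching too, since it lists pages the site wants indexed and often includes ones that are not linked from navigation.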

Check SSL/TLS cert details using sslyze:
```
sslyze comptia.academy
...
Subject Alternative Name: *.comptia.academy, comptia.academy
Valid Until: 2023-01-01 12:00:00
```

The SAN list shows every hostname the certificate covers; a wildcard entry such as *.comptia.academy does not name individual hosts, so query Certificate Transparency logs (https://crt.sh/?q=%25.comptia.academy) for every certificate ever issued for the domain, including ones for hosts that no longer appear in DNS.
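As an added example (not part of the original guide), the Python below processes the JSON that crt.sh returns for `%.comptia.academy` and separates hostnames on unexpired certificates from hostnames that only ever appeared on expired ones; the latter are the forgotten staging and legacy hosts that often still resolve. The JSON embedded in the script is constructed in crt.sh's record shape; every hostname, issuer and date in it is assumed. `fetch_crtsh()` pulls the live data for use on an engagement; the offline demo does not call it.

```python
import json
import urllib.request
from datetime import datetime

# Constructed crt.sh-style JSON. The real endpoint is
# https://crt.sh/?q=%25.comptia.academy&output=json and returns records of
# this shape; every hostname, issuer and date below is assumed.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "comptia.academy",
     "name_value": "comptia.academy\nwww.comptia.academy",
     "not_before": "2023-01-01T00:00:00", "not_after": "2023-04-01T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "*.comptia.academy",
     "name_value": "*.comptia.academy\ncomptia.academy",
     "not_before": "2023-12-01T00:00:00", "not_after": "2030-01-01T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "staging.comptia.academy",
     "name_value": "staging.comptia.academy\nlegacy-lms.comptia.academy",
     "not_before": "2020-06-01T00:00:00", "not_after": "2021-06-01T00:00:00"},
])


def fetch_crtsh(domain, timeout=30):
    """Pull the live CT log entries for %.domain (network; not used offline)."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "recon-script"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def ct_hostnames(raw_json, now=None):
    """Split CT entries into hosts on unexpired certs, hosts seen only on
    expired certs (stale, but often still resolving), and wildcard scopes."""
    now = now or datetime.now()
    current, expired, wildcards = set(), set(), set()
    for entry in json.loads(raw_json):
        not_after = datetime.fromisoformat(entry["not_after"])
        names = set(entry["name_value"].split("\n")) | {entry["common_name"]}
        for name in (n.strip().lower() for n in names):
            if not name:
                continue
            if name.startswith("*."):
                wildcards.add(name[2:])  # a wildcard names a scope, not a host
                continue
            (current if not_after > now else expired).add(name)
    return {
        "current": sorted(current),
        "expired_only": sorted(expired - current),
        "wildcards": sorted(wildcards),
    }


if __name__ == "__main__":
    for key, value in ct_hostnames(SAMPLE_CRTSH_JSON).items():
        print(f"{key}: {value}")
```

Feed every name in `current` and `expired_only` to `dig` (or to Nmap with `-sL`) to see which still resolve; a host that sits only in the expired set but answers on 443 is exactly the kind of unmaintained system that belongs at the top of the findings sheet.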

Understand OCSP stapling: instead of every client asking the CA whether the certificate has been revoked, the server periodically fetches a signed, time-stamped OCSP response from the CA and staples it to its TLS handshake. sslyze reports whether stapling is enabled, and `openssl s_client -connect comptia.academy:443 -status` shows the stapled response directly.

4. Discover OSINT Tools

Leverage OSINT frameworks for deeper reconnaissance:

Maltego - Transforms data into graph for analysis
1. Open Maltego > New Graph
2. Drag "Domain" onto graph, enter comptia.academy
3. Run "To DNS Name - DNS" transform
4. Further pivot on each DNS entity

Recon-ng - Modular recon framework (v5 syntax shown; v4 used `workspaces add`, `use` and `set`)
```
recon-ng
[recon-ng][default] > workspaces create comptia.academy
[recon-ng][comptia.academy] > marketplace install recon/domains-hosts/hackertarget
[recon-ng][comptia.academy] > modules load recon/domains-hosts/hackertarget
[recon-ng][comptia.academy][hackertarget] > options set SOURCE comptia.academy
[recon-ng][comptia.academy][hackertarget] > run
[recon-ng][comptia.academy][hackertarget] > back
[recon-ng][comptia.academy] > show hosts
```

theHarvester - Subdomain and email enumeration
```
theHarvester -d comptia.academy -b google,bing,linkedin
...
========== Emails Found: ===========
joe@comptia.academy
sarah@comptia.academy

====== Subdomains Found: ======
mail.comptia.academy
webmail.comptia.academy
```

Shodan - Search engine for exposed devices/servers (run `shodan init <API key>` once). The `org:` filter matches the organisation recorded for an IP's netblock, not a domain name, so search by hostname or look up the address found in DNS directly:
```
shodan search hostname:comptia.academy
shodan host 104.26.2.192
...
ISP: Amazon.com
Hostnames: ec2-104-26-2-192.compute-1.amazonaws.com
IP: 104.26.2.192
```
The output above is illustrative; confirm ownership with `whois 104.26.2.192` before treating a host as in scope, since a shared hosting or CDN address belongs to the provider, not the client.

In conclusion, combine passive OSINT with active scanning to map the target's attack surface. Tools like Maltego, Recon-ng, theHarvester and Shodan streamline the process.

The CertMaster team highly recommends training with CompTIA's official CertMaster Learn, Labs and Practice products for the PenTest+ exam. Visit certmaster.org to access these study materials at an exclusive discount and elevate your penetration testing skills!
