(PT0-002) Module 3: Footprinting and Gathering Intelligence (Study guide and exam preparation materials for the CompTIA PenTest+ Certificate (PT0-002) from CertMaster Group)

Case Study: Penetration Testing Engagement for CompTIA Academy

Overview:
CertMaster, a leading cybersecurity consulting firm, has been hired by CompTIA Academy, an online learning platform for IT certifications, to conduct a comprehensive penetration testing engagement. The primary objective is to identify and assess potential vulnerabilities within CompTIA Academy's external-facing infrastructure and web applications. The CertMaster PenTest team will perform a series of reconnaissance and information gathering techniques to map the attack surface and provide recommendations for remediation.

Scope:
The scope of the penetration testing engagement includes:
- CompTIA Academy's public-facing website (comptia.academy)
- Associated subdomains and web applications
- Externally accessible network infrastructure
- Publicly available information related to CompTIA Academy

Methodology:
The CertMaster PenTest team will follow a structured approach aligned with industry best practices and the PTES (Penetration Testing Execution Standard) methodology. The engagement will be divided into the following phases:

1. Footprinting and Reconnaissance
- Perform OSINT (Open-Source Intelligence) gathering using public sources
- Identify key personnel, technologies, and potential attack vectors
- Utilize tools such as WHOIS, DNS queries, and search engines for data collection

2. Scanning and Enumeration
- Conduct port scans and service enumeration using Nmap
- Identify web technologies and potential vulnerabilities using Nikto and dirb
- Analyze SSL/TLS configurations and certificate details using sslyze

3. Vulnerability Assessment
- Perform automated vulnerability scans using industry-standard tools
- Manually validate and prioritize identified vulnerabilities
- Assess the potential impact and likelihood of exploitation

4. Exploitation and Post-Exploitation
- Attempt to exploit identified vulnerabilities in a controlled manner
- Gain unauthorized access to systems or sensitive information
- Demonstrate the potential impact of successful exploitation

5. Reporting and Remediation
- Document all findings and recommendations in a comprehensive report
- Provide a prioritized list of vulnerabilities and remediation actions
- Present the results to CompTIA Academy's stakeholders and provide guidance

Tools and Techniques:
The CertMaster PenTest team will employ a variety of tools and techniques throughout the engagement, including:
- OSINT frameworks: Maltego, Recon-ng, theHarvester
- Port scanning and enumeration: Nmap, Nikto, dirb
- Vulnerability scanning: Nessus, Burp Suite, OWASP ZAP
- Exploitation frameworks: Metasploit, SQLMap, BeEF
- Custom scripts and utilities for specific tasks

Expected Outcomes:
By the end of the penetration testing engagement, CompTIA Academy can expect:
- A comprehensive understanding of their external attack surface
- Identification of potential vulnerabilities and security weaknesses
- Prioritized recommendations for remediation and risk mitigation
- Guidance on improving overall security posture and resilience against cyber threats

The CertMaster PenTest team is committed to delivering high-quality results and helping CompTIA Academy strengthen its cybersecurity defenses. The team's expertise, coupled with industry-leading tools and methodologies, will provide valuable insights and actionable recommendations to enhance the security of CompTIA Academy's digital assets.


Footprinting and Gathering Intelligence
By CertMaster PenTest Team

1. Discover the Target

For pentesters, footprinting and reconnaissance are key to identifying critical information for a successful penetration test. Gather data on key contacts, technologies, and the target organization (e.g., comptia.academy) by searching:

- Online articles, press releases
- Social media profiles
- Public code repositories

Example: Query GitHub for "comptia.academy" to potentially discover exposed credentials or sensitive data in code.

Record findings in a spreadsheet:

| Start | Asset | Test | Findings | Next Test |
| --- | --- | --- | --- | --- |
| | comptia.academy | WHOIS lookup | IP: 104.26.2.192 | Nmap scan |
| | comptia.academy emails | theHarvester | User list: joe@, sarah@ | Phishing |
| | comptia.academy site | dirb tool | Dirs: /admin, /backup | Web vuln scan |

WHOIS lookups reveal IP addresses and DNS info. Example using WHOIS CLI:
```
whois comptia.academy
...
Registrar URL: http://www.godaddy.com
Updated Date: 2022-01-28T16:49:28Z
Creation Date: 2003-04-09T21:36:13Z
Registrar: GoDaddy.com, LLC
```

Examine DNS MX, NS, SRV records for more intel:
```
dig comptia.academy MX
...
comptia.academy. 3600 IN MX 10 aspmx2.googlemail.com.
comptia.academy. 3600 IN MX 10 aspmx3.googlemail.com.
```
Shows comptia.academy uses Google mail servers.
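To turn that dig output into a mail-provider fingerprint automatically, here is an added Python example (not part of the original guide) that parses dig's MX answer lines and maps the exchange hostnames to a hosted-mail provider. The sample output and the suffix-to-provider table are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `dig comptia.academy MX` output (answer section only),
# mirroring the page's example; not captured from a live query.
SAMPLE_DIG_MX = """\
;; ANSWER SECTION:
comptia.academy.\t3600\tIN\tMX\t10 aspmx2.googlemail.com.
comptia.academy.\t3600\tIN\tMX\t10 aspmx3.googlemail.com.
"""

MX_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+MX\s+(\d+)\s+(\S+)$")

# Assumed suffix -> hosted-mail provider table; extend it for your own environment.
PROVIDER_SUFFIXES = {
    "google.com.": "Google Workspace",
    "googlemail.com.": "Google Workspace",
    "outlook.com.": "Microsoft 365",
    "pphosted.com.": "Proofpoint",
}


def parse_mx(dig_output: str) -> List[Tuple[int, str]]:
    """Return (priority, exchange) pairs from dig's MX answer lines, lowest priority first."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip comments and section headers
        match = MX_LINE.match(line)
        if match:
            records.append((int(match.group(3)), match.group(4).lower()))
    return sorted(records)


def mail_provider(exchange: str) -> str:
    """Map an MX exchange hostname to a known provider, or flag it as self-hosted/unknown."""
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if exchange == suffix or exchange.endswith("." + suffix):
            return provider
    return "self-hosted/unknown"


def summarize_mx(dig_output: str) -> Dict[str, object]:
    """Fingerprint the mail setup: ordered MX records plus the distinct providers behind them."""
    records = parse_mx(dig_output)
    providers = sorted({mail_provider(exchange) for _, exchange in records})
    return {"records": records, "providers": providers}
```

A self-hosted exchange such as mail.comptia.academy would come back as "self-hosted/unknown", which is itself a useful finding because it points at infrastructure the target operates directly.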

2. Gather Essential Data

Public repos like GitHub are goldmines for recon because developers can inadvertently commit secrets in code and config files.

Use Google dork operators for targeted web searches:
```
site:comptia.academy filetype:pdf
inurl:comptia.academy/admin
```

For older page versions, use Google Cache, Wayback Machine or browser extensions.

Image recon via reverse image search on Google Images:
1. Go to images.google.com
2. Click camera icon and upload/paste image URL
3. Review visually similar image results

Set Google Alerts for "comptia.academy" to monitor new content.

3. Compile Website Information

Enumerate websites with tools for vuln discovery:
- Nmap port scans: `nmap -sV -p- comptia.academy`
- Nikto web scan: `nikto -h comptia.academy`
- dirb forced browsing: `dirb http://comptia.academy /usr/share/wordlists/dirb/common.txt`

Assess comptia.academy's supply chain by testing partner and subsidiary sites.

Analyze robots.txt for improper restrictions:
```
http://comptia.academy/robots.txt
User-agent: *
Disallow: /admin
Disallow: /backups
```
Misconfigured robots.txt reveals sensitive directories.
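As an added example (not from the original guide), the following Python audits a robots.txt the way a defender reviewing their own site would: it parses user-agent groups, handles comments, blank lines and grouped User-agent lines, and flags Disallow paths that hint at sensitive areas. The sample file and the keyword list are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed robots.txt mirroring the page's example; not fetched from a live site.
SAMPLE_ROBOTS = """\
# Crawler rules
User-agent: *
Disallow: /admin
Disallow: /backups   # nightly dumps
Disallow: /images/

User-agent: Googlebot
Allow: /
"""

# Assumed path fragments that should never be advertised in a public robots.txt.
SENSITIVE_HINTS = ("admin", "backup", "config", "secret", "private", "staging", "dump")


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Map each user-agent to its Disallow paths, honouring grouped User-agent lines,
    comments, blank lines and the empty Disallow that means 'allow everything'."""
    groups: Dict[str, List[str]] = {}
    agents: List[str] = []      # user-agents of the group currently being read
    in_rules = False            # True once a rule line has followed the agent lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:        # rules already seen, so this line starts a new group
                agents, in_rules = [], False
            agents.append(value)
            groups.setdefault(value, [])
        elif field in ("disallow", "allow") and agents:
            in_rules = True
            if field == "disallow" and value:
                for agent in agents:
                    groups[agent].append(value)
    return groups


def flag_sensitive(groups: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (user-agent, path) pairs whose Disallow path hints at a sensitive area."""
    return [(agent, path) for agent, paths in groups.items()
            for path in paths if any(hint in path.lower() for hint in SENSITIVE_HINTS)]
```

Anything flag_sensitive returns should be protected by authentication or removed from the web root rather than merely hidden from crawlers.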

Check SSL/TLS cert details using sslyze:
```
sslyze comptia.academy
...
Subject Alternative Name: *.comptia.academy, comptia.academy
Valid Until: 2023-01-01 12:00:00
```

SANs indicate cert scope. Browse CT logs on crt.sh to find more domains.

Understand OCSP stapling: the server periodically obtains a signed, time-stamped OCSP response for its own certificate from the CA and staples it to the TLS handshake, so clients can check revocation status without contacting the CA themselves.

4. Discover OSINT Tools

Leverage OSINT frameworks for deeper reconnaissance:

Maltego - Transforms data into graph for analysis
1. Open Maltego > New Graph
2. Drag "Domain" onto graph, enter comptia.academy
3. Run "To DNS Name - DNS" transform
4. Further pivot on each DNS entity

Recon-ng - Modular recon framework
```
recon-ng
[recon-ng][default] > workspaces add comptia.academy
[recon-ng][comptia.academy] > use recon/domains-hosts/hackertarget
[recon-ng][comptia.academy][hackertarget] > set SOURCE comptia.academy
[recon-ng][comptia.academy][hackertarget] > run
```

theHarvester - Subdomain and email enumeration
```
theHarvester -d comptia.academy -b google,bing,linkedin
...
========== Emails Found: ===========
joe@comptia.academy
sarah@comptia.academy

====== Subdomains Found: ======
mail.comptia.academy
webmail.comptia.academy
```

Shodan - Search engine for exposed devices/servers
```
shodan search org:"comptia.academy"
...
ISP: Amazon.com
Hostnames: ec2-104-26-2-192.compute-1.amazonaws.com
IP: 104.26.2.192
```
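Harvested emails and hostnames need a scope check before they go into the findings spreadsheet. This added Python example (not part of the original guide) parses the theHarvester-style sections shown above and separates in-scope names from look-alike or third-party ones; the sample output is constructed, and the scope list is taken from this engagement's scope statement.

```python
import re
from typing import Dict, List

# Constructed theHarvester-style output mirroring the page's sample; not a live run.
SAMPLE_HARVESTER = """\
========== Emails Found: ===========
joe@comptia.academy
sarah@comptia.academy
bob@comptia-academy.example

====== Subdomains Found: ======
mail.comptia.academy
webmail.comptia.academy
login.comptia.academy.evil.example
mail.comptia.academy
"""

IN_SCOPE_DOMAINS = ("comptia.academy",)   # from the engagement scope statement

SECTION_HEADER = re.compile(r"^=+\s*(\w+)\s+Found:\s*=+$")


def parse_harvester(text: str) -> Dict[str, List[str]]:
    """Split theHarvester-style text output into its 'emails'/'subdomains' sections."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION_HEADER.match(line)
        if header:
            current = header.group(1).lower()
            sections[current] = []
        elif line and current:
            sections[current].append(line)
    return sections


def in_scope(name: str) -> bool:
    """True only for the scope apex or a real subdomain of it, never for look-alikes."""
    host = name.split("@", 1)[-1].lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IN_SCOPE_DOMAINS)


def triage(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Deduplicate each section and split it into in-scope and out-of-scope entries."""
    result = {}
    for section, items in parse_harvester(text).items():
        uniq = sorted(set(items))
        result[section] = {"in_scope": [i for i in uniq if in_scope(i)],
                           "out_of_scope": [i for i in uniq if not in_scope(i)]}
    return result
```

Out-of-scope look-alike domains are still worth reporting to the client as possible typosquats, but they must not be scanned unless the rules of engagement are extended to cover them.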

In conclusion, combine passive OSINT with active scanning to map the target's attack surface. Tools like Maltego, Recon-ng, theHarvester and Shodan streamline the process.

The CertMaster team highly recommends training with CompTIA's official CertMaster Learn, Labs and Practice products for the PenTest+ exam. Visit certmaster.org to access these study materials at an exclusive discount and elevate your penetration testing skills!
