PT0-002 Information Gathering and Vulnerability Scanning
Information Gathering and Vulnerability Scanning
Detailed list of PT0-002 knowledge points
Information Gathering and Vulnerability Scanning Detailed Explanation
This part is crucial as it lays the groundwork for understanding the target system, identifying its vulnerabilities, and determining potential exploitation paths.
2.1 Information Gathering
What is Information Gathering?
Information gathering is the process of collecting as much data as possible about the target system or organization. This data helps the tester understand the target and identify potential entry points for an attack.
Types of Information Gathering
Passive Information Gathering
Passive information gathering involves collecting publicly available information without directly interacting with the target system.
Network Information:
- WHOIS Queries:
- Retrieve details about domain registration, such as:
- Registrar information.
- Administrative contact information.
- DNS servers.
- Example: Using a WHOIS query tool to find out that a company’s website is hosted on AWS.
- Retrieve details about domain registration, such as:
- Google Hacking:
- Use search engines to uncover sensitive data accidentally exposed online.
- Example: Searching for "site:company.com filetype:pdf password" to find files that might contain passwords.
- Social Engineering:
- Collect employee information from social media platforms like LinkedIn or Twitter.
- Example: Identifying an employee who shares too much about their company’s internal processes.
- WHOIS Queries:
Tools for Passive Information Gathering:
- Shodan:
- A search engine that scans the internet for devices connected to it.
- Example: Discovering vulnerable IoT devices like webcams or servers.
- Recon-ng:
- A powerful framework for gathering open-source intelligence (OSINT).
- Example: Automating tasks like WHOIS lookups, DNS enumeration, and social media searches.
- Shodan:
Active Information Gathering
Active information gathering involves direct interaction with the target system to extract data.
Network Scanning:
- Nmap:
- A widely used tool for scanning networks to identify:
- Open ports (e.g., port 80 for HTTP, port 22 for SSH).
- Services running on those ports (e.g., Apache, OpenSSH).
- Operating system and version.
- Example: Scanning a server and discovering that port 21 (FTP) is open and vulnerable.
- A widely used tool for scanning networks to identify:
- Netcat:
- A versatile tool for probing open ports and establishing communication.
- Example: Checking if a port is open by sending custom TCP/UDP packets.
- Nmap:
Service Identification:
- Banner Grabbing:
- Captures the response banner from a service to identify its version and details.
- Example: Using Nmap or Netcat to grab a banner from an HTTP server that reveals it is running Apache 2.4.41.
- Banner Grabbing:
2.2 Vulnerability Scanning
What is Vulnerability Scanning?
Vulnerability scanning involves systematically checking a system for known security weaknesses, such as outdated software, misconfigurations, or unpatched vulnerabilities.
Steps in Vulnerability Scanning
Automated Vulnerability Scanning
Automated tools can quickly scan large systems and networks for vulnerabilities.
- Tools:
- Nessus: A widely used tool for identifying vulnerabilities, misconfigurations, and compliance issues.
- OpenVAS: An open-source vulnerability scanner.
- Qualys: A cloud-based scanner for comprehensive vulnerability management.
- Purpose:
- Identify known vulnerabilities in a system.
- Example: Running Nessus on a server and detecting an outdated version of OpenSSL with a critical vulnerability.
Manual Vulnerability Confirmation
Automated tools often produce false positives or miss complex vulnerabilities. Manual confirmation ensures accurate results.
- Process:
- Review automated scan results.
- Manually test each vulnerability to confirm its presence.
- Example: Verifying that an SQL injection vulnerability exists by manually crafting malicious queries.
Vulnerability Databases
To understand and prioritize vulnerabilities, testers rely on databases that provide standardized information.
- CVE (Common Vulnerabilities and Exposures):
- A database of publicly disclosed vulnerabilities.
- Example: A CVE entry for a specific Apache vulnerability might include its description and remediation steps.
- NVD (National Vulnerability Database):
- Enhances CVE entries with additional data, such as severity scores (CVSS).
- Example: A vulnerability with a CVSS score of 9.8 is considered critical.
2.3 Enumeration
What is Enumeration?
Enumeration is the process of gathering detailed information about services, devices, or users on the target system. This step goes deeper than scanning and focuses on discovering specific details.
Types of Enumeration
Service Enumeration
Identify services running on the target system and their configurations.
- SMB (Server Message Block):
- Used for file and printer sharing.
- Example: Enumerating shared folders on a Windows server using SMB.
- SNMP (Simple Network Management Protocol):
- Provides configuration details about network devices.
- Example: Retrieving router configurations using public SNMP community strings.
User and Group Information
Retrieve details about users and groups on the target system.
- Tools:
- LDAP: Query Lightweight Directory Access Protocol directories to gather user information.
- Active Directory: Identify domain users and their roles.
- Example:
- Enumerating user accounts and group memberships to identify high-privilege users.
Common Enumeration Tools
- Enum4linux:
- A tool for enumerating Windows and Samba shares.
- Example: Listing users and shared folders on a Windows server.
- Medusa:
- A tool for brute-forcing usernames and passwords.
- Example: Attempting to log in to an SSH server using a list of common credentials.
Why is Information Gathering and Vulnerability Scanning Important?
- Understand the Target: Collecting information helps you understand the target system’s structure and weaknesses.
- Plan Attacks: Enumeration provides the necessary details to exploit vulnerabilities effectively.
- Prioritize Risks: Vulnerability scanning helps identify critical issues that require immediate attention.
Summary
This knowledge area teaches you how to gather information passively and actively, scan for vulnerabilities, and enumerate specific details about a target system. These are foundational skills for penetration testers, and mastering them will set you up for success in the later stages of testing.
Information Gathering and Vulnerability Scanning (Additional Content)
1. Types of Vulnerability Scans
What Are the Different Types of Vulnerability Scans?
In vulnerability scanning, it’s important to distinguish between how deep the scan goes, and how much impact it might have. The PenTest+ exam often tests your ability to select the correct type of scan for a given scenario.
Authenticated vs Unauthenticated Scans
| Type | Description |
|---|---|
| Authenticated Scan | The scanner is provided with valid credentials (such as SSH, RDP, or SNMP login) to log in and scan the system as an insider. |
| Unauthenticated Scan | The scan is performed without any credentials, simulating an external attacker with no access. |
Key Points:
Authenticated scans reveal deeper vulnerabilities such as:
Missing patches.
Misconfigured permissions.
Weak password policies.
Unauthenticated scans are more limited, only exposing externally visible services and basic configurations.
Exam tip: If the client provides system credentials, assume the scan will be more thorough but also requires greater caution.
Intrusive vs Non-Intrusive Scans
| Type | Description |
|---|---|
| Intrusive Scan | Actively attempts to exploit or simulate exploitation of vulnerabilities. |
| Non-Intrusive Scan | Passively identifies vulnerabilities without executing them. It detects weaknesses based on signatures or metadata. |
Key Points:
Intrusive scans may:
Cause service crashes or downtime.
Be flagged as attacks by intrusion detection systems (IDS).
Non-intrusive scans:
Are safer for production environments.
Only provide vulnerability detection—not validation.
Use Case: When testing in a live production system, prefer non-intrusive, unauthenticated scans.
Credentialed Scan (Often Synonymous with Authenticated)
Often referred to in vendor documentation as “credentialed scan.”
Performs scanning from the perspective of a legitimate user.
Offers high accuracy and visibility into:
Patch status.
Installed software.
User permissions.
Caution: Requires strong controls and logging, as misuse of credentials can cause compliance or operational risks.
2. Comparative Tool Analysis
The PT0-002 exam doesn’t just test tool names—it often presents scenarios where you must choose the best tool based on requirements (e.g., stealth, depth, type of service). That’s where tool comparison becomes essential.
Nessus vs OpenVAS
| Feature | Nessus | OpenVAS |
|---|---|---|
| Licensing | Commercial (Tenable) | Open-source (Greenbone) |
| Vulnerability DB | Tenable’s proprietary feed | Community-maintained feeds |
| GUI & Usability | Intuitive, enterprise-ready | Less polished, but functional |
| Integration | Easily integrates with Tenable platforms | May require more configuration |
| Detection Accuracy | High (especially for zero-day coverage) | Good, but fewer plugin updates |
Summary:
Nessus is best when commercial support, regular plugin updates, and high accuracy are needed.
OpenVAS is excellent for budget-conscious organizations or testing open-source ecosystems.
Nmap vs Netcat
| Feature | Nmap | Netcat |
|---|---|---|
| Primary Use | Network scanning & enumeration | Manual port probing & communication |
| Scan Automation | Supports complex scan profiles | Manual (interactive or scripted) |
| Service Detection | Yes (version detection, OS fingerprinting) | Limited (banner grabbing only) |
| Output Detail | Structured, detailed output | Raw output, user-formatted |
Summary:
Nmap is a full-featured scanner, ideal for mapping and discovering.
Netcat is a lightweight socket tool, ideal for quick checks or crafting custom TCP/UDP requests.
Enum4linux vs Medusa
| Feature | Enum4linux | Medusa |
|---|---|---|
| Primary Function | SMB enumeration | Brute-force login attacks |
| Information Focus | Lists users, shares, groups (Samba/Windows) | Cracks credentials across protocols |
| Protocols Supported | SMB (via RPC), NetBIOS | SSH, FTP, RDP, SMB, etc. |
| Use Case | Reconnaissance & data gathering | Password attack & login testing |
Summary:
Enum4linux is used during passive or active information gathering—before exploitation.
Medusa is used when attempting brute-force authentication, typically in the exploitation phase.
Summary Table: Use the Right Tool for the Right Task
| Objective | Recommended Tool |
|---|---|
| Discover open ports | Nmap |
| Scan web apps for OWASP issues | OWASP ZAP |
| Intercept and tamper HTTP | Burp Suite |
| Run brute-force logins | Medusa |
| Enumerate Windows shares/users | Enum4linux |
| Analyze network traffic | Wireshark |
| Conduct credentialed vulnerability scan | Nessus / OpenVAS |
Frequently Asked Questions
A penetration tester wants to gather information about a target organization without interacting directly with its systems. Which reconnaissance method should be used?
Passive reconnaissance.
Passive reconnaissance collects information about a target without sending traffic to the target’s systems. This technique relies on publicly available data sources such as WHOIS records, DNS records, social media profiles, public repositories, and search engines. Because no direct interaction occurs with the target network, passive reconnaissance reduces the likelihood of detection by security monitoring systems. It is typically the first step in a penetration test because it provides valuable information such as domain names, employee details, technology stacks, and potential attack surfaces. These insights can later guide active reconnaissance activities.
Demand Score: 83
Exam Relevance Score: 88
A tester wants to identify open ports and services on a target host. Which reconnaissance technique is most appropriate?
Active network scanning.
Active scanning involves directly interacting with the target system to identify open ports, running services, and potential vulnerabilities. Tools such as network scanners send packets to the target host and analyze the responses to determine which services are accessible. This technique provides accurate, real-time information about the target environment. However, because the target system receives the scanning traffic, the activity may be logged or detected by intrusion detection systems. Active scanning is typically performed after passive reconnaissance to verify discovered information and identify exploitable services.
Demand Score: 80
Exam Relevance Score: 90
What is the primary purpose of vulnerability scanning during a penetration test?
To automatically identify known vulnerabilities and misconfigurations in systems and applications.
Vulnerability scanners compare system configurations, software versions, and network services against databases of known vulnerabilities. These tools help testers quickly identify weaknesses such as outdated software, exposed services, weak encryption protocols, and configuration errors. While vulnerability scanners provide useful insights, they typically produce potential findings that require manual verification. Penetration testers must validate the results to determine whether a vulnerability is actually exploitable. Scanning therefore serves as an initial discovery phase that guides deeper exploitation attempts.
Demand Score: 77
Exam Relevance Score: 86
Why is service version detection important during reconnaissance?
It allows the tester to identify specific software versions that may contain known vulnerabilities.
Service version detection reveals the exact software version running on a network service such as a web server, database server, or SSH service. Knowing the version allows the tester to search vulnerability databases and exploit frameworks for known weaknesses affecting that software. For example, an outdated web server version might have documented remote code execution vulnerabilities. Version information therefore significantly improves the efficiency of vulnerability research and exploitation planning. Without accurate version data, the tester may need to rely on trial-and-error techniques.
Demand Score: 75
Exam Relevance Score: 84
What is the key difference between enumeration and vulnerability scanning?
Enumeration actively extracts detailed information from services, while vulnerability scanning identifies known weaknesses.
Enumeration focuses on retrieving detailed data from target services, such as user accounts, network shares, domain information, and service configurations. This process often requires interacting with specific protocols such as SMB, LDAP, or SNMP. Vulnerability scanning, in contrast, focuses on identifying potential security weaknesses using automated tools that compare systems against vulnerability databases. Enumeration provides deeper insight into the environment and helps testers discover valuable targets for exploitation, while vulnerability scanning highlights known weaknesses that may be exploitable.
Demand Score: 74
Exam Relevance Score: 85
