You are conducting penetration testing and trying to identify vulnerable user accounts and shared resources on a host located in the perimeter network. Which of the following best describes the action you are taking?
A. Reconnaissance
B. Fingerprinting
C. Enumeration
D. Port scanning

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Enumeration.

This question is designed to point out that there are various penetration testing methodologies, and the terms or jargon may be used inconsistently by penetration testers. However, the following terms are generally accepted:

• Fingerprinting is a technique to identify a host or service. For example, information like time-to-live (TTL), header, or banner can determine the operating system, service or daemon name and version, and other information.
• Port scanning is a technique to determine which TCP or UDP ports are open or closed.

Enumeration

Pen testers typically enumerate resources provisioned by services on a host after collecting information/intelligence, scanning IPs, determining the type of devices and operating systems, scanning ports, and discovering the services available.

According to InfoSec Institute, enumeration is used to gather the following:

• Usernames, group names
• Hostnames
• Network shares and services
• IP tables and routing tables
• Service settings and audit configurations
• Application and banners
• SNMP and DNS details

Reconnaissance

However, Reconnaissance, or Recon for short, is a jargon commonly used but without consistent definition. Most pen testers may agree it happens in the early stage of the penetration test. Some may equate it with OSINT, some may treat it as a stage, not a technique, while others may refer to it as a combination of methods.

• Recon for intelligence. It’s a more passive approach to collect information or intelligence from the open-source, called OSINT (Open-source intelligence).
• Recon for target information. Some may take a more active approach to do recon by interacting with the targets under evaluation to collect information. In view of this, fingerprinting as a technique can be used.

Reference

• A Complete Guide to the Phases of Penetration Testing
• What is Enumeration? [updated 2021]
• Phase 2 – Enumeration: Finding Attack Vectors
• Security Testing – Enumeration
• Cybersecurity Fingerprinting Techniques and OS-Network Fingerprint Tools

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

• It is available on Amazon.
• Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.

您正在進行滲透測試，並試圖找出周邊網路中一台主機上的易受攻擊的用戶帳戶和共享資源。 以下哪項最能描述您所採取的行動？
A. 偵察 (Reconnaissance)
B. 指紋 (Fingerprinting)
C. 枚舉 (Enumeration)
D. 端口掃描 (Port scanning)