CSY399 Week 02 Capstone

Week Content

Cybersecurity Capstone

Track your progress through this week's content

Mental Model

"Give me six hours to chop down a tree and I will spend the first four sharpening the axe." — Attributed to Abraham Lincoln

Reconnaissance is the foundation upon which all other assessment activities build. Time invested in thoroughly understanding the target environment pays dividends throughout the engagement. Rushing into active testing without comprehensive reconnaissance means missed attack vectors, incomplete coverage, and findings that lack context.

Learning Outcomes

By the end of this week, you will be able to:

LO1: Configure a professional security assessment environment using industry-standard tools
LO2: Conduct passive reconnaissance to gather intelligence without alerting the target
LO3: Enumerate external attack surface components including domains, subdomains, and exposed services
LO4: Document reconnaissance findings in a structured, actionable format
LO5: Differentiate between passive and active reconnaissance techniques and their appropriate use

Introduction: Before You Strike

With your engagement charter signed and scope defined, you're authorized to begin work. But "beginning" doesn't mean launching vulnerability scanners. Professional assessments start with two parallel activities: preparing your tools and understanding your target.

This week covers both: setting up an assessment environment that will serve you throughout the engagement, and conducting reconnaissance to map NovaTech's attack surface. By week's end, you'll have a functioning lab and a comprehensive picture of what you're assessing.

This Week's Deliverables

Assessment Lab: Configured and documented testing environment
Attack Surface Map: Comprehensive documentation of NovaTech's external footprint

1. Assessment Environment Architecture

A professional assessment environment isolates your testing activities, organizes your tools, and ensures you can document and reproduce your work. The environment you build now will be your workspace for the entire engagement.

Environment Requirements

Your assessment environment should provide:

┌─────────────────────────────────────────────────────────────────┐
│              ASSESSMENT ENVIRONMENT REQUIREMENTS                │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ISOLATION                    TOOLING                           │
│  ─────────                    ───────                           │
│  • Separate from personal     • Network scanning/enumeration    │
│    systems                    • Web application testing         │
│  • Dedicated assessment       • Exploitation frameworks         │
│    network                    • Traffic analysis                │
│  • Snapshot/restore           • Documentation/reporting         │
│    capability                                                   │
│                                                                 │
│  DOCUMENTATION                SECURITY                          │
│  ─────────────                ────────                          │
│  • Activity logging           • Encrypted storage for findings  │
│  • Screenshot capture         • Secure credential management    │
│  • Evidence preservation      • VPN for client connectivity     │
│  • Timeline tracking          • Clean state verification        │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

Recommended Lab Configuration

For this capstone, we recommend a virtualized environment that you can run on your local machine. This provides isolation, snapshotting, and portability.

Option A: Kali Linux Virtual Machine (Recommended)

Kali Linux is a Debian-based distribution designed for security assessment, with hundreds of pre-installed tools. Running it as a VM provides isolation from your host system.

System Requirements

Host machine: 8GB+ RAM (16GB recommended), 50GB+ free disk space
Virtualization: VirtualBox (free) or VMware Workstation Player (free)
VM allocation: 4GB RAM, 2 CPU cores, 40GB disk

Setup Steps

Download VirtualBox: virtualbox.org/wiki/Downloads — Select your host operating system
Download Kali Linux VM Image: kali.org/get-kali — Download the VirtualBox 64-bit image
Import the VM: In VirtualBox, File → Import Appliance → Select downloaded .ova file
Configure VM Settings:
- Increase RAM to 4096MB if your system allows
- Set Network Adapter to NAT (for internet) or Bridged (for local network testing)
- Enable clipboard sharing: Devices → Shared Clipboard → Bidirectional
Start and Update:
```
sudo apt update && sudo apt upgrade -y
```
Create Initial Snapshot: Machine → Take Snapshot — Name it "Clean Baseline"

Default Credentials: kali / kali

Change the default password immediately after first login:

passwd

Option B: Cloud-Based Practice Labs

If you cannot run VMs locally, browser-based platforms provide pre-configured environments. Note that some features require paid subscriptions.

TryHackMe: tryhackme.com — Browser-based AttackBox, many free rooms
Hack The Box: hackthebox.com — Pwnbox feature (requires subscription for extended use)

Cloud options work for learning but may have limitations for a full capstone engagement. Local VM is preferred for complete control and documentation.

Essential Tool Categories

Kali includes most tools you'll need. Familiarize yourself with these categories:

Information Gathering

Tool	Purpose	Key Usage
`nmap`	Network discovery and port scanning	`nmap -sV -sC target`
`whois`	Domain registration information	`whois domain.com`
`dig`	DNS enumeration	`dig ANY domain.com`
`theHarvester`	Email and subdomain harvesting	`theHarvester -d domain.com -b all`
`amass`	Subdomain enumeration	`amass enum -d domain.com`

Web Application Testing

Tool	Purpose	Key Usage
`Burp Suite`	Web proxy and testing platform	GUI application
`nikto`	Web server vulnerability scanner	`nikto -h https://target`
`gobuster`	Directory and file enumeration	`gobuster dir -u https://target -w wordlist`
`sqlmap`	SQL injection testing	`sqlmap -u "url?param=value"`
`wfuzz`	Web fuzzing	`wfuzz -c -z file,wordlist URL/FUZZ`

Vulnerability Assessment

Tool	Purpose	Notes
`OpenVAS`	Comprehensive vulnerability scanner	Free, requires setup
`Nessus Essentials`	Vulnerability scanner	Free for 16 IPs
`nuclei`	Template-based vulnerability scanner	Fast, community templates

Exploitation

Tool	Purpose	Key Usage
`Metasploit`	Exploitation framework	`msfconsole`
`searchsploit`	Exploit database search	`searchsploit apache 2.4`
`netcat`	Network utility / reverse shells	`nc -lvnp 4444`

Documentation

Tool	Purpose	Notes
`CherryTree`	Hierarchical note-taking	Pre-installed on Kali
`Obsidian`	Markdown-based notes	Download from obsidian.md
`flameshot`	Screenshot capture	`flameshot gui`
`script`	Terminal session recording	`script session.log`

Directory Structure

Organize your engagement files with a consistent structure from the start:

~/engagements/
└── novatech-2025/
    ├── 00-admin/
    │   ├── engagement-charter.pdf
    │   ├── contacts.md
    │   └── scope.md
    ├── 01-recon/
    │   ├── passive/
    │   │   ├── whois/
    │   │   ├── dns/
    │   │   └── osint/
    │   └── active/
    │       ├── nmap/
    │       └── enumeration/
    ├── 02-scanning/
    │   ├── vulnerability-scans/
    │   └── web-scans/
    ├── 03-exploitation/
    │   ├── evidence/
    │   └── screenshots/
    ├── 04-post-exploitation/
    ├── 05-reporting/
    │   ├── drafts/
    │   └── final/
    └── logs/
        └── terminal-sessions/

Create this structure at engagement start:

mkdir -p ~/engagements/novatech-2025/{00-admin,01-recon/{passive/{whois,dns,osint},active/{nmap,enumeration}},02-scanning/{vulnerability-scans,web-scans},03-exploitation/{evidence,screenshots},04-post-exploitation,05-reporting/{drafts,final},logs/terminal-sessions}

2. Understanding Reconnaissance

Reconnaissance ("recon") is the systematic collection of information about a target. It's the intelligence-gathering phase that informs all subsequent testing activities. Professional assessments distinguish between passive and active reconnaissance based on detection risk and authorization requirements.

Passive vs. Active Reconnaissance

┌─────────────────────────────────────────────────────────────────┐
│                RECONNAISSANCE SPECTRUM                          │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  PASSIVE                                      ACTIVE            │
│  ──────────────────────────────────────────────────────────     │
│  No direct target       │        │        Direct target         │
│  interaction            │        │        interaction           │
│                         │        │                              │
│  • Public records       │        │    • Port scanning           │
│  • Search engines       │        │    • Service probing         │
│  • Social media         │        │    • Directory brute-force   │
│  • Job postings         │        │    • Banner grabbing         │
│  • DNS records          │        │    • Vulnerability scanning  │
│  • Certificate logs     │        │                              │
│  • Code repositories    │        │                              │
│                         │        │                              │
│  DETECTION RISK: None   │        │    DETECTION RISK: High      │
│  AUTHORIZATION: Minimal │        │    AUTHORIZATION: Required   │
│                         │        │                              │
└─────────────────────────────────────────────────────────────────┘

Aspect	Passive Reconnaissance	Active Reconnaissance
Definition	Gathering information without directly interacting with target systems	Directly probing or interacting with target systems
Detection	Virtually undetectable by target	May trigger IDS/IPS, appear in logs
Authorization	Generally doesn't require explicit authorization for public information	Requires explicit authorization before conducting
Timing	Can begin before engagement formally starts	Only after engagement charter is signed
Data Sources	Public records, third-party services, cached data	Direct responses from target systems

Authorization Boundary

Even "passive" reconnaissance has limits. Accessing a target's internal systems through compromised credentials found in a data breach, for example, is NOT passive reconnaissance—it's unauthorized access. Passive means using publicly available information and services, not "any method that avoids detection."

3. Passive Reconnaissance Techniques

Passive reconnaissance leverages publicly available information to build understanding of the target without any direct interaction. For NovaTech, we'll gather intelligence from multiple sources.

3.1 WHOIS and Domain Information

WHOIS records reveal domain registration details including registrant information, nameservers, and registration dates. While privacy protection has reduced the information available, WHOIS still provides valuable context.

# Query WHOIS for primary domain
whois novatech-solutions.com

# Key information to extract:
# - Registrar (may indicate company size/sophistication)
# - Name servers (identify DNS providers)
# - Creation date (company age)
# - Registrant organization (verify correct target)
# - Admin/Tech contacts (if not privacy-protected)

Simulated NovaTech WHOIS Output

Domain Name: NOVATECH-SOLUTIONS.COM
Registry Domain ID: 2345678901_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.cloudflare.com
Registrar URL: https://www.cloudflare.com
Updated Date: 2024-03-15T12:00:00Z
Creation Date: 2018-06-22T08:30:00Z
Registrar Registration Expiration Date: 2026-06-22T08:30:00Z
Registrar: Cloudflare, Inc.
Registrant Organization: NovaTech Solutions, Inc.
Registrant State/Province: Texas
Registrant Country: US
Name Server: NS1.CLOUDFLARE.COM
Name Server: NS2.CLOUDFLARE.COM

Analysis: Domain registered in 2018 (matches company founding), using Cloudflare for DNS (indicates some security awareness), Texas-based (consistent with Austin HQ). Cloudflare may indicate CDN/DDoS protection.

3.2 DNS Enumeration

DNS records reveal infrastructure details: mail servers, subdomains, service providers, and sometimes internal naming conventions.

# Query all DNS record types
dig novatech-solutions.com ANY

# Specific record types
dig novatech-solutions.com A        # IPv4 addresses
dig novatech-solutions.com AAAA     # IPv6 addresses
dig novatech-solutions.com MX       # Mail servers
dig novatech-solutions.com TXT      # Text records (SPF, DKIM, verification)
dig novatech-solutions.com NS       # Name servers
dig novatech-solutions.com CNAME    # Aliases

# Attempt zone transfer (usually blocked, but try)
dig axfr novatech-solutions.com @ns1.cloudflare.com

Simulated DNS Records

;; ANSWER SECTION:
novatech-solutions.com.    300  IN  A      104.21.45.123
novatech-solutions.com.    300  IN  A      172.67.182.45
novatech-solutions.com.    300  IN  MX     10 aspmx.l.google.com.
novatech-solutions.com.    300  IN  MX     20 alt1.aspmx.l.google.com.
novatech-solutions.com.    300  IN  TXT    "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
novatech-solutions.com.    300  IN  TXT    "google-site-verification=abc123..."
novatech-solutions.com.    300  IN  TXT    "atlassian-domain-verification=xyz789..."

Analysis: Multiple A records suggest load balancing or CDN. Google MX records confirm Google Workspace (from client brief). SPF includes SendGrid (email marketing/transactional email). Verification TXT records confirm Google and Atlassian (Jira/Confluence) usage.

3.3 Subdomain Enumeration

Subdomains often reveal internal applications, development environments, APIs, and forgotten services. Multiple techniques combine for comprehensive coverage.

# Using amass for passive subdomain enumeration
amass enum -passive -d novatech-solutions.com -o subdomains.txt

# Using subfinder (alternative tool)
subfinder -d novatech-solutions.com -o subfinder-results.txt

# Certificate Transparency logs (crt.sh)
curl -s "https://crt.sh/?q=%25.novatech-solutions.com&output=json" | \
  jq -r '.[].name_value' | sort -u > crtsh-subdomains.txt

# Combine and deduplicate results
cat subdomains.txt subfinder-results.txt crtsh-subdomains.txt | \
  sort -u > all-subdomains.txt

Simulated Subdomain Results

api.novatech-solutions.com
app.novatech-solutions.com
blog.novatech-solutions.com
careers.novatech-solutions.com
dev.novatech-solutions.com
docs.novatech-solutions.com
github.novatech-solutions.com
grafana.novatech-solutions.com
jenkins.novatech-solutions.com
jira.novatech-solutions.com
mail.novatech-solutions.com
portal.novatech-solutions.com
staging.novatech-solutions.com
status.novatech-solutions.com
support.novatech-solutions.com
vpn.novatech-solutions.com
www.novatech-solutions.com

Analysis: Several interesting findings: dev and staging suggest non-production environments that may have weaker controls. jenkins and grafana indicate CI/CD and monitoring infrastructure that could be high-value targets. api confirms API endpoints for testing. vpn indicates remote access infrastructure.

3.4 Certificate Transparency

Certificate Transparency (CT) logs record all publicly issued TLS certificates. This reveals subdomains, including those the organization may not want publicly known.

# Query crt.sh for all certificates
# Web interface: https://crt.sh/?q=novatech-solutions.com

# Command line query
curl -s "https://crt.sh/?q=%25.novatech-solutions.com" | \
  grep -oP '(?<=)[^<]+(?=)' | \
  grep novatech-solutions.com | sort -u

# Look for:
# - Wildcard certificates (*.novatech-solutions.com)
# - Internal naming patterns
# - Certificates for unexpected domains
# - Certificate issuers (Let's Encrypt vs commercial CAs)

3.5 Search Engine Intelligence (Google Dorking)

Search engines index publicly accessible content. Specialized queries can reveal sensitive information that shouldn't be public.

# Site-specific searches
site:novatech-solutions.com

# Find specific file types
site:novatech-solutions.com filetype:pdf
site:novatech-solutions.com filetype:xlsx
site:novatech-solutions.com filetype:docx
site:novatech-solutions.com filetype:sql
site:novatech-solutions.com filetype:log

# Look for exposed directories
site:novatech-solutions.com intitle:"index of"

# Find login pages
site:novatech-solutions.com inurl:login
site:novatech-solutions.com inurl:admin
site:novatech-solutions.com inurl:portal

# Look for error messages
site:novatech-solutions.com "error" OR "warning" OR "exception"

# Search for configuration exposure
site:novatech-solutions.com "password" OR "pwd" OR "credentials"

# AWS-specific searches
site:novatech-solutions.com "s3.amazonaws.com"
site:novatech-solutions.com "amazonaws.com"

Ethical Consideration

Google dorking reveals publicly indexed information—you're not accessing anything unauthorized. However, be mindful that some indexed content may be unintentionally public. Document findings without downloading sensitive files; instead, report the exposure.

3.6 GitHub and Code Repository Search

Developers sometimes commit sensitive information to public repositories. Search GitHub for organization names, domain names, and potential credential exposures.

# GitHub search queries (use github.com search or gh CLI)

# Organization and domain references
"novatech-solutions.com"
"novatech" password
"novatech" api_key
"novatech" secret

# AWS-specific leaks
"novatech" AKIA          # AWS access key ID prefix
"novatech" aws_secret

# Common credential patterns
"novatech-solutions.com" password
filename:.env novatech
filename:config novatech password

# Look for the organization's own repositories
org:novatech-solutions

Automated Tools

Tools like trufflehog, gitleaks, and gitrob automate credential scanning across repositories. For passive recon, focus on public repositories only.

3.7 Job Postings and Social Media

Job postings reveal technology stack, organizational structure, and sometimes security maturity. LinkedIn provides employee information and organizational insights.

Information to Gather

Technology Stack: Job requirements reveal tools, languages, platforms
Team Structure: Security team size, reporting structure
Growth Areas: What they're hiring for indicates strategic priorities
Employee Count: LinkedIn shows company size and growth
Key Personnel: Security team members, IT leadership, executives

Simulated Job Posting Findings

Senior DevOps Engineer - NovaTech Solutions
Requirements:
- 5+ years experience with AWS (EC2, EKS, RDS, Lambda)
- Strong Kubernetes and Docker experience
- Terraform for infrastructure as code
- Experience with Jenkins CI/CD pipelines
- Familiarity with Datadog or similar monitoring
- Python and Bash scripting

Analysis: Confirms AWS as primary cloud, Kubernetes workloads, Jenkins for CI/CD (matches subdomain finding), Datadog for monitoring (new intel). Infrastructure-as-code suggests mature practices but also potential for misconfiguration drift.

3.8 Shodan and Censys

Internet scanning services like Shodan and Censys continuously scan the internet and index exposed services. Query these for target IP ranges to discover exposed services without conducting your own scans.

# Shodan queries (requires free account for full results)
# Web: https://www.shodan.io/

# Search by organization name
org:"NovaTech Solutions"

# Search by domain
hostname:novatech-solutions.com

# Search by SSL certificate
ssl.cert.subject.cn:novatech-solutions.com

# Censys queries (requires free account)
# Web: https://search.censys.io/

# Search by domain
services.tls.certificates.leaf_data.subject.common_name: novatech-solutions.com

Simulated Shodan Results

IP: 52.23.xxx.xxx
Hostnames: vpn.novatech-solutions.com
Port: 443
Product: OpenVPN Access Server
Version: 2.11.1

IP: 54.85.xxx.xxx  
Hostnames: jenkins.novatech-solutions.com
Port: 8080
Product: Jetty
HTTP Title: Dashboard [Jenkins]

IP: 34.201.xxx.xxx
Hostnames: grafana.novatech-solutions.com
Port: 3000
Product: Grafana
Version: 9.3.2

Analysis: OpenVPN server version may have known vulnerabilities. Jenkins exposed on 8080 is a high-value target. Grafana version 9.3.2 should be checked against CVE databases. All three services warrant inclusion in active testing scope.

4. Active Reconnaissance Techniques

With the engagement charter signed, you're authorized to interact directly with NovaTech's systems. Active reconnaissance confirms passive findings and discovers details only visible through direct interaction.

Authorization Reminder

Active reconnaissance requires explicit authorization. Ensure your engagement charter is signed and your testing window has begun before conducting any active reconnaissance. All active techniques will generate logs and may trigger security alerts.

4.1 DNS Zone Enumeration

While zone transfers are typically blocked, active DNS probing can reveal additional records and verify passive findings.

# Attempt zone transfer (document if it works—significant finding)
dig axfr novatech-solutions.com @ns1.cloudflare.com

# DNS brute-forcing with wordlist
# Note: This generates queries to target DNS servers
dnsrecon -d novatech-solutions.com -t brt -D /usr/share/wordlists/subdomains.txt

# Verify discovered subdomains resolve
while read subdomain; do
  host "$subdomain" && echo "$subdomain resolves"
done < all-subdomains.txt

4.2 Port Scanning

Port scanning identifies running services on target systems. Different scan types balance speed, accuracy, and detection risk.

# First, resolve target hosts to IPs
host app.novatech-solutions.com
host api.novatech-solutions.com
host vpn.novatech-solutions.com

# Save in-scope IPs to file
echo "52.23.xxx.xxx" >> targets.txt
echo "54.85.xxx.xxx" >> targets.txt
# ... add all in-scope IPs

# Initial discovery scan (fast, common ports)
nmap -sS -T4 --top-ports 1000 -oA initial-scan targets.txt

# Comprehensive scan (all ports, slower)
nmap -sS -p- -T3 -oA full-port-scan targets.txt

# Service version detection (after identifying open ports)
nmap -sV -sC -p 22,80,443,8080 -oA service-scan targets.txt

# UDP scan (selected ports, slow)
nmap -sU --top-ports 100 -oA udp-scan targets.txt

Key Nmap Options

Option	Purpose	Notes
`-sS`	SYN scan (stealth)	Default for root, doesn't complete TCP handshake
`-sV`	Version detection	Probes services to determine version
`-sC`	Default scripts	Runs standard NSE scripts for enumeration
`-p-`	All ports	Scans 1-65535 (slow but comprehensive)
`-T[0-5]`	Timing template	T3=normal, T4=aggressive, T5=insane
`-oA`	Output all formats	Creates .nmap, .xml, .gnmap files

Simulated Nmap Results

Nmap scan report for jenkins.novatech-solutions.com (54.85.xxx.xxx)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu
80/tcp   open  http       nginx 1.18.0
443/tcp  open  ssl/http   nginx 1.18.0
8080/tcp open  http       Jetty 9.4.z
|_http-title: Dashboard [Jenkins]
|_http-server-header: Jetty(9.4.43.v20210629)

Nmap scan report for vpn.novatech-solutions.com (52.23.xxx.xxx)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.4p1
443/tcp open  ssl/http OpenVPN Access Server
943/tcp open  http     OpenVPN Access Server admin portal

4.3 Service Enumeration

Once ports are identified, deeper enumeration reveals service configurations, versions, and potential vulnerabilities.

# Web server enumeration
whatweb https://app.novatech-solutions.com
nikto -h https://app.novatech-solutions.com -o nikto-app.txt

# SSL/TLS analysis
sslscan https://app.novatech-solutions.com
testssl.sh https://app.novatech-solutions.com

# HTTP methods and headers
curl -I https://app.novatech-solutions.com
curl -X OPTIONS https://app.novatech-solutions.com -i

# Directory enumeration (careful with rate limiting)
gobuster dir -u https://app.novatech-solutions.com \
  -w /usr/share/wordlists/dirb/common.txt \
  -t 10 -o gobuster-app.txt

# Technology fingerprinting
wappalyzer https://app.novatech-solutions.com  # Browser extension
# Or use builtwith.com for passive fingerprinting

4.4 Web Application Reconnaissance

For WorkflowPro (app.workflowpro.io), gather application-specific intelligence:

# Crawl application to discover endpoints
# Using Burp Suite (configure browser proxy first):
# 1. Set browser proxy to 127.0.0.1:8080
# 2. Browse application manually
# 3. Review Site Map in Burp

# Automated crawling with gospider
gospider -s https://app.workflowpro.io -d 2 -o crawl-output

# JavaScript file analysis (reveals API endpoints)
# Download and analyze JS files referenced in HTML
curl https://app.workflowpro.io | grep -oP 'src="[^"]+\.js"'
# Review each JS file for API endpoints, hardcoded values

# API endpoint discovery
# Check for common paths
curl https://app.workflowpro.io/api/
curl https://app.workflowpro.io/api/v1/
curl https://app.workflowpro.io/graphql
curl https://app.workflowpro.io/swagger.json
curl https://app.workflowpro.io/api-docs

API Documentation Discovery

Check for exposed API documentation:

/swagger.json, /swagger-ui/, /swagger/
/api-docs, /api/docs
/openapi.json, /openapi.yaml
/graphql (introspection query)
/redoc, /docs

5. Documenting the Attack Surface

Reconnaissance generates substantial data. Professional documentation transforms raw findings into actionable intelligence. Your attack surface map becomes a reference document for the entire engagement.

Attack Surface Map Structure

┌─────────────────────────────────────────────────────────────────┐
│                    ATTACK SURFACE MAP                           │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  1. EXTERNAL PERIMETER                                          │
│     ├── Domains and subdomains                                  │
│     ├── IP ranges                                               │
│     ├── Exposed services by port                                │
│     └── Technology fingerprints                                 │
│                                                                 │
│  2. WEB APPLICATIONS                                            │
│     ├── Application inventory                                   │
│     ├── Authentication mechanisms                               │
│     ├── API endpoints discovered                                │
│     └── Technology stack per application                        │
│                                                                 │
│  3. CLOUD INFRASTRUCTURE                                        │
│     ├── Cloud provider(s) identified                            │
│     ├── Services enumerated                                     │
│     ├── Storage endpoints                                       │
│     └── CDN and edge services                                   │
│                                                                 │
│  4. THIRD-PARTY SERVICES                                        │
│     ├── SaaS applications identified                            │
│     ├── Integration points                                      │
│     └── SSO/federation relationships                            │
│                                                                 │
│  5. HUMAN FACTORS                                               │
│     ├── Key personnel identified                                │
│     ├── Email formats discovered                                │
│     └── Organizational structure                                │
│                                                                 │
│  6. INTELLIGENCE NOTES                                          │
│     ├── Potential vulnerabilities (version-based)               │
│     ├── Misconfigurations observed                              │
│     ├── High-value targets for testing                          │
│     └── Questions for client clarification                      │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

Documentation Best Practices

Timestamp Everything

Record when each piece of information was gathered. Infrastructure changes during engagements; timestamps establish what was true when.

Source Attribution

Document how you discovered each item. "Subdomain found via CT logs" differs from "Subdomain found via DNS brute-force." Sources affect confidence levels.

Verification Status

Mark whether findings are verified (actively confirmed) or unverified (from passive sources only). Passive findings should be verified before exploitation attempts.

Testing Priority

Flag high-value targets for priority testing: internet-facing admin panels, outdated software versions, services with known vulnerabilities.

Sample Attack Surface Entry

## Subdomain: jenkins.novatech-solutions.com

### Basic Information
- IP Address: 54.85.xxx.xxx
- First Discovered: 2025-01-15 via CT logs (passive)
- Verified: 2025-01-16 via nmap scan (active)
- Cloud Provider: AWS (us-east-1 based on IP range)

### Services
| Port | Service | Version | Notes |
|------|---------|---------|-------|
| 22   | SSH     | OpenSSH 8.2p1 Ubuntu | Standard config |
| 80   | HTTP    | nginx 1.18.0 | Redirects to 443 |
| 443  | HTTPS   | nginx 1.18.0 | Valid cert, expires 2025-08 |
| 8080 | HTTP    | Jetty 9.4.43 | Jenkins dashboard |

### Technology Stack
- Operating System: Ubuntu (inferred from SSH banner)
- Web Server: nginx 1.18.0 (reverse proxy)
- Application: Jenkins (version TBD)
- Java Runtime: Jetty 9.4.43

### Security Observations
- Jenkins accessible without VPN (external exposure)
- No apparent IP restriction
- Login page publicly accessible
- Version disclosure in HTTP headers

### Testing Priority: HIGH
- CI/CD systems are high-value targets
- May contain credentials, code, deployment access
- Check for CVEs affecting Jenkins version
- Test for default credentials, authentication bypass

### Screenshots
- [jenkins-login-page.png](./screenshots/jenkins-login-page.png)

### Raw Data Files
- [nmap-jenkins.xml](./nmap/jenkins-scan.xml)
- [nikto-jenkins.txt](./web-scans/nikto-jenkins.txt)

6. NovaTech Attack Surface Summary

Based on reconnaissance conducted for this capstone scenario, here's a summary of NovaTech's attack surface. Your lab will involve creating this documentation yourself through actual reconnaissance exercises.

External Perimeter

Asset	IP/Host	Services	Priority
Corporate Website	www.novatech-solutions.com	HTTPS (Cloudflare CDN)	Low
WorkflowPro App	app.workflowpro.io	HTTPS (React SPA)	Critical
WorkflowPro API	api.workflowpro.io	HTTPS (REST/GraphQL)	Critical
Jenkins CI	jenkins.novatech-solutions.com	HTTPS, 8080	High
Grafana Monitoring	grafana.novatech-solutions.com	HTTPS (3000)	High
VPN Gateway	vpn.novatech-solutions.com	HTTPS, 943, 1194/UDP	High
Staging Environment	staging.workflowpro.io	HTTPS	High
Documentation	docs.workflowpro.io	HTTPS	Medium

Cloud Infrastructure (AWS)

Regions: us-east-1 (primary), us-west-2 (DR)
Services Identified: EC2, EKS, RDS, S3, Lambda, CloudFront
Potential S3 Buckets: novatech-assets, workflowpro-uploads (to verify)

Third-Party Integrations

Google Workspace (email, SSO)
GitHub Enterprise (source code)
Atlassian Cloud (Jira, Confluence)
SendGrid (transactional email)
Datadog (monitoring)
Cloudflare (CDN, DNS)

High-Priority Testing Targets

WorkflowPro Application & API — Primary product, customer data
Jenkins — CI/CD access, potential credential exposure
Staging Environment — Likely weaker controls, may mirror production
VPN Gateway — Internal network access vector
Grafana — Infrastructure visibility, potential credential exposure

Self-Check Questions

Test your understanding of reconnaissance concepts and techniques:

Question 1

During passive reconnaissance, you discover what appears to be a NovaTech employee's credentials in a public GitHub repository. The credentials appear to be for their internal Jenkins system. What should you do?

Reveal Answer

Do NOT test the credentials. Document the finding (repository URL, commit hash, date discovered) and immediately notify Marcus Webb through the critical finding process. Exposed credentials in public repositories are a significant finding regardless of whether they're still valid. Testing them could be seen as unauthorized access if they provide access beyond your scope, and you would destroy the ability to determine if attackers have already used them. Let the client revoke and investigate while you document the exposure.

Question 2

You're conducting subdomain enumeration and discover dev-internal.novatech-solutions.com. It resolves to a private IP address (10.x.x.x). Is this useful information?

Reveal Answer

Yes, this is valuable intelligence even though you can't reach it directly. It reveals: (1) internal naming conventions that might apply to other resources; (2) the existence of development infrastructure; (3) potential DNS configuration issues (internal DNS records shouldn't typically be publicly resolvable). Document this for the internal network assessment phase when you have VPN access. It may also indicate split-horizon DNS, which could have security implications.

Question 3

Your nmap scan of NovaTech's external IPs completes and shows all ports filtered for several IP addresses. Does this mean there's nothing to test?

Reveal Answer

No, "filtered" typically indicates a firewall is blocking your probes, not that nothing is running. This is actually expected for well-configured infrastructure. Next steps: (1) Verify you're scanning during authorized windows; (2) Try different scan types (-sA for ACK scan, -sN/-sF/-sX for null/FIN/Xmas); (3) Focus on hosts/ports you know are accessible (from passive recon); (4) Check if your source IP needs whitelisting; (5) The services identified through passive recon (HTTPS on app.workflowpro.io) are still in scope even if port scans are blocked.

Question 4

Explain why Certificate Transparency logs are valuable for reconnaissance even when the target uses wildcard certificates.

Reveal Answer

CT logs record all issued certificates, not just the domains they cover. Even with a wildcard (*.novatech-solutions.com), you gain: (1) Historical certificates showing what specific subdomains were previously issued certs for (before they switched to wildcard); (2) Non-wildcard certs for specific services that needed their own certificate; (3) Certificate authority preferences (Let's Encrypt vs. commercial CAs indicates security investment); (4) Timing of certificate issuance (recent certs may indicate new services); (5) Alternative domain names in SAN fields that might not be obvious.

Question 5

You're documenting NovaTech's attack surface and need to prioritize testing targets. Rank these three discoveries from highest to lowest priority and explain why: (A) Corporate blog running WordPress, (B) Jenkins server accessible from internet, (C) Staging environment of WorkflowPro application.

Reveal Answer

1. Jenkins (B) — Highest: CI/CD systems typically have access to source code, deployment credentials, and production infrastructure. A compromised Jenkins often leads to supply chain attacks or direct production access. External exposure is unexpected and concerning.

2. Staging Environment (C) — High: Staging environments often mirror production but with weaker security controls, test data that may include production copies, and developer shortcuts. Vulnerabilities found here likely exist in production.

3. WordPress Blog (A) — Medium: While WordPress has frequent vulnerabilities, a corporate blog is typically isolated from core infrastructure and doesn't contain sensitive data. Unless it's on the same infrastructure as critical systems, compromise impact is limited to reputation.

Question 6

What's the difference between running nmap -sV and checking Shodan for the same target? When would you use each?

Reveal Answer

Shodan: Queries pre-collected data from Shodan's internet-wide scans. Passive from your perspective (no packets to target). Data may be hours/days/weeks old. Useful before engagement starts, for understanding what's historically been exposed, and for targets you can't directly reach.

nmap -sV: Active scan sending probes directly to target. Current, real-time data. More accurate version detection through active probing. Generates logs on target. Requires authorization.

When to use each: Use Shodan during passive recon before engagement authorization, for quick overview, or to see historical exposure. Use nmap once authorized for accurate, current service enumeration. Compare both to identify changes (services that were exposed but are now closed, or new exposures not yet in Shodan).

Lab: Build Your Attack Surface Map

Objective

Configure your assessment environment and conduct comprehensive reconnaissance against practice targets, producing a professional attack surface map document.

Deliverables

Configured Lab Environment: Documented with screenshots showing tool verification
Attack Surface Map: Comprehensive documentation of reconnaissance findings

Time Estimate

4-5 hours

Important: Practice Targets

Since NovaTech is fictional, you'll practice reconnaissance techniques against authorized targets. Use the following for hands-on practice:

Your own domains/infrastructure (if you have any)
Deliberately vulnerable labs:
- TryHackMe reconnaissance rooms (free tier available)
- HackTheBox starting point machines
- DVWA, Metasploitable (local VMs)
Bug bounty targets (within their scope—reconnaissance is typically allowed)

For your deliverable, document your process as if targeting NovaTech, adapting your actual practice findings to demonstrate methodology.

Lab Tasks

Part 1: Environment Setup (LO1)

Configure and verify your assessment environment:

Install VirtualBox and import Kali Linux VM (or configure alternative)

Update Kali and verify core tools are functional:

nmap --version
amass -version
burpsuite &  # Verify GUI launches
gobuster version

Create engagement directory structure
Configure note-taking application (CherryTree or Obsidian)
Create "Clean Baseline" snapshot
Document your setup with screenshots

Deliverable: Screenshots showing VM running, tool verification, directory structure

Part 2: Passive Reconnaissance (LO2, LO4)

Conduct passive reconnaissance using techniques from Section 3:

Perform WHOIS lookups and document registrar information
Enumerate DNS records (A, MX, TXT, NS)
Conduct subdomain enumeration using multiple sources:
- Certificate Transparency (crt.sh)
- amass passive mode
- subfinder
Search Shodan/Censys for target information
Conduct Google dorking for sensitive exposures
Review GitHub for organization repositories and potential leaks

Document all findings with: Source, timestamp, raw data, analysis notes

Part 3: Active Reconnaissance (LO3, LO5)

Against authorized targets only, conduct active reconnaissance:

Perform port scanning with nmap:
- Quick scan (top 1000 ports)
- Service version detection
- Script scanning
Enumerate web services:
- Technology fingerprinting
- Directory enumeration
- SSL/TLS analysis
Document all discovered services with version information

Save all scan outputs in appropriate directories

Part 4: Attack Surface Map Document (LO4)

Compile findings into a professional Attack Surface Map:

Create structured document following the template in Section 5
Include all discovered assets organized by category
Add testing priority ratings with justification
Include relevant screenshots and evidence references
Note questions or areas requiring client clarification

Self-Assessment Checklist

Environment Setup

☐ VM configured and running successfully
☐ All core tools verified functional
☐ Directory structure created
☐ Snapshot created for clean restore
☐ Screenshots document the setup

Passive Reconnaissance

☐ Multiple techniques employed (not just one tool)
☐ Findings are timestamped
☐ Sources are documented
☐ Raw data is preserved
☐ Analysis accompanies raw findings

Active Reconnaissance

☐ Conducted only against authorized targets
☐ Scan outputs saved in organized structure
☐ Service versions documented
☐ Differentiated from passive findings

Attack Surface Map Quality

☐ Follows professional structure
☐ Assets categorized logically
☐ Priority ratings justified
☐ Evidence referenced appropriately
☐ Could be used to plan testing phases

Portfolio Integration

Save your attack surface map as the second artifact in your capstone portfolio. This document will guide your testing activities in subsequent weeks.

Files to save:

02-attack-surface-map-novatech.pdf — Main deliverable
02-lab-environment-setup.pdf — Environment documentation
01-recon/ — Directory containing all raw reconnaissance data

🎯 Hands-On Capstone Activities

Build your reconnaissance toolkit and conduct professional OSINT for the capstone engagement.

🔍 TryHackMe: Reconnaissance Mastery

What you'll do: Complete advanced OSINT and recon labs—passive information gathering, subdomain enumeration, service discovery.
Why it matters: Reconnaissance determines the attack surface—thorough recon enables better targeting.
Time estimate: 3-4 hours

TryHackMe Recon Labs →

🛠️ Lab Environment Setup

What you'll do: Build professional pentesting environment—Kali Linux, Burp Suite Pro (community), reconnaissance tools, documentation system.
Why it matters: Proper tooling is essential for efficient, professional security assessments.
Time estimate: 2-3 hours

Kali Linux Documentation →

📊 Capstone Recon Report

What you'll do: Conduct and document reconnaissance for your capstone target—create professional findings report with discovered assets.
Why it matters: This becomes part of your final capstone deliverable—portfolio-ready documentation.
Time estimate: 3-4 hours

Sample Report Format →

💡 Capstone Strategy: Document your recon methodology—show your process, not just results. This demonstrates professional thinking to employers.

Resources

Required

OWASP Testing Guide: Information Gathering

Comprehensive methodology for web application reconnaissance including search engine discovery, fingerprinting, and application mapping.

OWASP Testing Guide - Information Gathering 60 minutes

Required

Nmap Reference Guide

Official Nmap documentation covering scan types, timing options, output formats, and NSE scripting.

nmap.org/book/man.html 45 minutes

Optional

TryHackMe: Passive Reconnaissance Room

Hands-on practice room covering WHOIS, DNS enumeration, and passive information gathering techniques.

tryhackme.com/room/passiverecon 90 minutes

Weekly Reflection

Prompt

Reflect on the relationship between thoroughness and efficiency in reconnaissance. Consider: How do you decide when you've gathered "enough" information to move forward? What are the risks of insufficient reconnaissance versus the cost of spending too much time in this phase? How did passive reconnaissance findings shape your approach to active reconnaissance?

Connect your reflection to the broader engagement context. How does the quality of your reconnaissance affect subsequent phases of the assessment? What would you do differently in future engagements based on this experience?

Target length: 250-350 words

Week 02 Quiz

Test your understanding of the weekly concepts.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Take Quiz