CompTIA PenTest+ (PT0-003): Reconnaissance and Enumeration
Table of Contents
Click Here to Return To the CompTIA PenTest+ Course Page
Reconnaissance and Enumeration is 21% of the CompTIA PenTest+ (PT0-003) exam. This module covers how you map a target’s footprint, gather intelligence, and list every reachable service before you attack. Strong recon decides the whole engagement. The more you learn here, the fewer blind shots you take later.
Reconnaissance is the intelligence phase. You build a picture of the organization, its people, its domains, and its exposed systems. Enumeration is the detailed phase, where you list the specific services, accounts, shares, and versions on the hosts you found. Good recon feeds vulnerability discovery , so you spend time here to save time later.
Active vs. Passive Reconnaissance
You gather information two ways, and the difference is whether you touch the target.
| Type | You interact with the target? | Detection risk | Examples |
|---|---|---|---|
| Passive | No, you use third-party sources | Very low | WHOIS, Shodan, Google, the Wayback Machine, public breach dumps |
| Active | Yes, you send packets to the target | Higher | Port scanning, banner grabbing, DNS zone transfers, service probing |
Passive recon never alerts the target because you never query their systems. You start passive to stay quiet, then move to active once you understand the scope and your rules of engagement allow it.
OSINT (Open Source Intelligence)
OSINT is information you collect from public sources. You harvest it from many places:
- Social media and job boards - employee names, roles, and the technologies a company hires for. A job ad asking for “Cisco ASA and Splunk experience” tells you the firewall and SIEM in use.
- Code repositories - GitHub and GitLab often leak hardcoded credentials, internal hostnames, and API keys in commit history.
- DNS lookups and cached pages - subdomains, mail servers, and old content that still reveals internal structure.
- Password dumps - public breach data that shows reused or leaked employee credentials.
You use theHarvester to pull emails, subdomains, and hosts from public sources in one command:
theHarvester -d example.com -b bing,duckduckgo,crtsh
You query the Wayback Machine to find old pages, exposed directories, and removed admin panels that the live site no longer links. You feed names and domains into Maltego or SpiderFoot to map relationships between people, domains, and infrastructure automatically.
Network Reconnaissance
Network recon discovers the systems and services exposed to the internet or the internal network.
- Protocol scanning - find which ports and services respond
- Certificate transparency logs - public logs of every TLS certificate issued, which leak subdomains like
vpn.example.comanddev.example.com - Banner grabbing - read the version string a service returns when you connect
- HTML scraping - pull comments, paths, and metadata from web pages
You grab a service banner with Netcat to identify the software and version:
nc -nv 192.168.1.50 22
# SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
That single line tells you the OS family, the SSH version, and a starting point for matching known vulnerabilities.
Enumeration Techniques
Enumeration lists the details on the hosts you found. You perform OS fingerprinting, service discovery, DNS enumeration, host discovery, and share enumeration.
Nmap is the core tool. A version-and-OS scan with default scripts gives you most of what you need:
nmap -sV -O -sC -p- 192.168.1.0/24 -oA scan_results
| Flag | Purpose |
|---|---|
-sV | Detect service versions |
-O | Fingerprint the operating system |
-sC | Run default NSE scripts |
-p- | Scan all 65535 ports |
-oA | Save output in all formats for later parsing |
You enumerate DNS to find subdomains and, when a server is misconfigured, pull the entire zone with a transfer:
dig axfr @ns1.example.com example.com
You enumerate SMB shares to find open file shares and exposed data:
smbclient -L //192.168.1.50 -N
Secrets Enumeration
Modern targets leak credentials as much as services. Secrets enumeration hunts for cloud access keys, passwords, API keys, and session tokens in code, config files, and public repositories. A single exposed AWS key in a public Git repo can hand you the whole cloud account, so you grep history, not just the current files. Always confirm a found secret is in scope before you use it.
Scripting for Recon
You modify and write small scripts to automate repetitive recon. The exam expects you to read and adjust Bash, Python, and PowerShell logic constructs like loops and conditionals. A simple Bash loop sweeps a subnet for live hosts:
for ip in 192.168.1.{1..254}; do
ping -c1 -W1 "$ip" &>/dev/null && echo "$ip is up"
done
Knowing how to read and tweak a loop, an if statement, and a variable lets you adapt public scripts to your target instead of running them blind.
The Recon and Enumeration Toolkit
| Tool | Use |
|---|---|
| Wayback Machine | Archived pages and removed content |
| Maltego | Visual link analysis of people and infrastructure |
| Recon-ng | Modular OSINT framework with a Metasploit-style console |
| Shodan | Search engine for internet-connected devices and services |
| SpiderFoot | Automated OSINT collection and correlation |
| WHOIS | Domain registration and ownership data |
| nslookup / dig | DNS record queries and zone transfers |
| Amass | In-depth subdomain enumeration |
| Nmap | Host discovery, port scanning, service and OS detection |
| theHarvester | Emails, subdomains, and hosts from public sources |
Next Steps
You now have a map of live hosts, open services, versions, and leaked secrets. Move to Vulnerability Discovery and Analysis to turn that map into a list of weaknesses, then Attacks and Exploits to exploit them. Review Engagement Management to confirm your active scans stay inside scope, and return to the CompTIA PenTest+ Course for the full path.
