Exam PT0-002 topic 1 question 33 discussion

B. Shodan Shodan is a search engine for Internet-connected devices. It allows a user to search for specific types of devices or services, such as cameras, servers, or routers, connected to the Internet. This tool can be useful in identifying additional information about the client's building, such as the make and model of the security cameras, or any other devices connected to the Internet. It can provide additional information that would be useful in identifying potential vulnerabilities that can be exploited during the physical penetration test. Wardriving is a technique to detect wireless access points, Aircrack-ng is a tool that allows you to crack wifi password, Recon-ng is a reconnaissance tool that can be used to gather information about a target, but it is more useful for web-based reconnaissance.

Check the book

Recon-ng, wardriving and aircrack-ng are for wireless attack and not physical access. With Shodan an attacker could use webcam to prepare an efficient tailgating (physical) attack.

Doesn't Recon-ng have a Shodan module in it anyway?

C. Shodan. Given that the security cameras are connected to the Internet, Shodan can be used to gather additional information about these devices, such as their make, model, and any known vulnerabilities. Analysis of Other Options: A. Wardriving: While wardriving (searching for WiFi networks from a moving vehicle) can be useful for identifying wireless networks, it is less specific than Shodan for gathering detailed information about Internet-connected devices. C. Recon-ng: Recon-ng is a reconnaissance framework that can be used for gathering open-source intelligence (OSINT). While useful, it is more general-purpose and not specifically focused on identifying Internet-connected devices like Shodan. D. Aircrack-ng: Aircrack-ng is a suite of tools for assessing WiFi network security, including cracking WEP and WPA-PSK keys. This tool is more relevant for wireless network security testing rather than Internet-connected device reconnaissance.

In the context of a physical penetration test, Recon-ng would be a better choice for additional reconnaissance within the building.

The fact that the question specifies there were multiple cameras connected to the internet it's a clear indicator that there is an incentive for the pentester to go and use Shodan for further investigation.

B. Shodan Shodan can be used to search for Internet-connected devices like security cameras to gather more information that may assist the physical penetration test. Wardriving, Recon-ng, and Aircrack-ng are more focused on wireless enumeration and exploitation, which is not the primary objective based on the information provided. Shodan will help maximize reconnaissance on the identified security cameras. However, if further wireless testing is in scope, these tools may become more relevant as the test progresses.

Among the options provided, the best tool for performing additional reconnaissance on a target that includes Internet-connected devices, like security cameras, is: B. Shodan

Since the objective is to perform a physical penetration test, the best option for additional reconnaissance would be Recon-ng. Recon-ng is a tool that automates the process of information gathering and reconnaissance, providing the tester with a large number of data sources to gather information about the target, such as employees' social media profiles, publicly available documents, and network infrastructure details. This information can help the tester identify potential weaknesses in the physical security of the target's building, such as employee schedules, physical access controls, or CCTV camera blind spots.

Shodan is a search engine that allows users to find information about Internet-connected systems, such as routers, servers, and webcams. With Shodan, the penetration tester can quickly locate vulnerable systems connected to the WiFi guest network, and can also identify which security cameras are connected to the Internet, allowing for further reconnaissance.

B. Shodan as you can search for internet faced devices.

answer a Wardriving: This involves driving or walking around the building to identify and map out the Wi-Fi access points and their locations. This can provide information on the types of wireless networks that are present, their security configurations, and the presence of any vulnerabilities that can be exploited.

You can add a shodan API to recon-ng if you have a pro account https://www.hackers-arise.com/post/2019/05/16/osint-part-2-using-recon-ng-to-find-the-same-profile-across-multiple-sites

Recon-ng is a full-featured reconnaissance framework

recon-ng also has shodan module

shodan is about IoT devices on public, cameras are on internet so should be it