Chapter 119 · Tricks

Penetration Tests — Tricks

Exam traps, memory shortcuts, and practice scenarios for physical penetration testing, red and blue team roles, environment types, and passive vs. active reconnaissance.

🎯

Trick 1: Dumpster Diving is Passive Reconnaissance

Passive reconnaissance = no traffic sent to the target's network systems. Dumpster diving is physical but generates no network traffic. It is therefore passive reconnaissance, not active, even though it requires physical presence at or near the target site.

Common Exam Trap: "Physical action = active" is an incorrect generalization. Active reconnaissance specifically means sending network packets to the target's systems (ping scans, port scans, OS fingerprinting). Dumpster diving, physically observing the building, social engineering calls, and reading publicly posted materials are all passive because they do not interact with the target's network.
Memory Hook: Active reconnaissance = the target's firewall could log it. Passive reconnaissance = the target's firewall will never see it. Dumpster diving never appears in a firewall log. Therefore: passive.
🎯

Trick 2: Blind Test = Tester is Blind, Not the Organization

In a blind (unknown environment / black box) test, the testers have no prior knowledge of the target environment. The organization always knows the test is happening because they authorized it. "Blind" refers to the information state of the testers, not the awareness of the organization.

Common Exam Trap: A question describes a test where "the security team does not know the test is happening" — this is sometimes called a double-blind or zero-knowledge test and is less common. More often, exam scenarios describe the pen testers as having no prior technical information. This is the standard blind test, and the organization's security team may or may not know it is happening depending on the test design. The environment classification (known/partially known/unknown) refers to tester information, not organizational awareness.
Memory Hook: Blind test: imagine the pen testers are blindfolded and handed nothing but authorization paperwork. They must take off their blindfolds and figure out the environment entirely on their own.
🎯

Trick 3: Physical Access Defeats All Network Controls

Physical access to a system completely bypasses operating system security. An attacker with physical access can modify the boot process, boot from external media, or directly modify OS files — all of which circumvent encryption, authentication, and network-layer controls.

Common Exam Trap: Questions that offer "strong network firewalls" as a sufficient substitute for physical security. Network controls protect the perimeter; they do not protect against someone who is already touching the hardware. If a server is physically accessible to an attacker, the server is compromised — regardless of how strong its software security is. This is why servers live in locked, access-controlled data centers.
Memory Hook: Network security is a lock on the front door. Physical security is the vault walls themselves. If you can reach the server, you don't need to use the door. Physical control = game over for software controls.
🎯

Trick 4: Job Postings are Passive Reconnaissance Gold

Job postings are a passive reconnaissance source that organizations often overlook. A posting for "Senior AWS Lambda and Kubernetes Engineer" reveals cloud infrastructure. A posting for "Microsoft Dynamics 365 Administrator" reveals the ERP system. A posting for "CrowdStrike Falcon endpoint security experience required" reveals the EDR solution. All publicly available, all actionable intelligence for an attacker.

Common Exam Trap: Active reconnaissance question that lists "reviewing company job postings" alongside port scanning and OS fingerprinting. Job postings are a passive technique because they involve reading publicly available data without sending any traffic to the organization's systems. Don't be misled by the fact that job posting research requires effort or yields useful technical intelligence.
Memory Hook: LinkedIn, websites, forums, job boards = passive. Ping, port scan, DNS query, OS fingerprint = active. The test is simple: did anything appear in the target's network logs? If not, it's passive.

Practice Scenarios

Scenario 1: A pen tester walks through the parking lot of the target organization and finds a USB drive in an envelope labeled "Q4 Salary Data." She photographs the envelope but does not connect the USB drive. She also notes the make and model of vehicles in the parking lot (to identify potential executive targets), observes which badge-access door the most employees use, and searches the company's LinkedIn page on her phone. Which of these activities constitute passive reconnaissance?
A. All of the listed activities are passive reconnaissance. None of them send any network traffic to the target organization's systems. Physical observation, reading public data (LinkedIn), and finding discarded items (dumpster diving equivalent) are all passive techniques that generate no network logs at the target.
B. Only the LinkedIn search is passive. Physical presence at the target's location is active reconnaissance because it involves direct interaction with the target environment.
C. The badge door observation is active because it requires approaching the building, which could be considered a form of attack on physical controls.
Why A: Active reconnaissance is defined by sending network packets to the target's systems, generating entries in logs. Physical observation, parking lot reconnaissance, and reading public social media never appear in the target's firewall or IDS logs. All passive.
Scenario 2: A penetration testing firm is hired for a 2-week engagement. The client wants the most realistic simulation of a real external attacker. The firm receives only a signed authorization document listing the target company's name and IP range. No documentation, system lists, or diagrams are provided. What type of test is this and what are its tradeoffs?
A. Unknown environment (blind/black box) test. Most realistic simulation of an external attacker because testers begin with the same minimal information a real adversary would have. Tradeoff: requires significant time for reconnaissance before exploitation can begin, so less total depth of exploitation within the time budget compared to a known-environment test.
B. Known environment test. Providing the IP range constitutes providing full technical information about the target, which qualifies as a known environment engagement.
C. Partially known environment (gray box) test. Providing any information at all, including IP range, automatically classifies the engagement as partially known rather than unknown.
Why A: Providing an IP range is a practical authorization boundary (to prevent accidental testing of unrelated infrastructure), not a documentation disclosure that changes the environment type. Unknown environment = no system documentation, no diagrams, no inventories. An IP range boundary is standard practice even in blind tests.
Scenario 3: During an integrated penetration testing engagement, the red team exploits a misconfigured firewall rule and accesses an internal database server. The blue team detects the anomalous connection via their SIEM and blocks it within 4 minutes. The firewall rule is corrected. The red team retests 2 days later and cannot reproduce the original exploit. What does this sequence demonstrate?
A. The penetration test failed because the red team was detected and blocked. A successful penetration test should result in the red team maintaining access undetected for an extended period.
B. The blue team's 4-minute detection time is too slow. Industry standards require detection within 60 seconds for integrated testing to provide security benefit.
C. The integrated testing model working exactly as designed. The red team found an exploitable gap; the blue team detected and remediated it; the red team verified the fix. This feedback loop demonstrates measurable security improvement: the vulnerability was found, detected, fixed, and verified within a single integrated cycle.
Why C: The purpose of integrated testing is the improvement cycle: find → detect/remediate → retest. Detection of the red team is a success for the blue team, not a failure of the exercise. The key outcome is that a real vulnerability was found and closed. Detection time standards are context-dependent; 4 minutes for a lateral movement detection is reasonable.