New Year Sale 2026! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

CompTIA PT0-003 Exam - Topic 2 Question 14 Discussion

Actual exam question for CompTIA's PT0-003 exam
Question #: 14
Topic #: 2
[All PT0-003 Questions]

A penetration tester is conducting reconnaissance for an upcoming assessment of a large corporate client. The client authorized spear phishing in the rules of engagement. Which of the following should the tester do first when developing the phishing campaign?

Show Suggested Answer Hide Answer
Suggested Answer: C

When developing a phishing campaign, the tester should first use social media to gather information about the targets.

Social Media:

Purpose: Social media platforms like LinkedIn, Facebook, and Twitter provide valuable information about individuals, including their job roles, contact details, interests, and connections.

Reconnaissance: This information helps craft convincing and targeted phishing emails, increasing the likelihood of success.

Process:

Gathering Information: Collect details about the target employees, such as their names, job titles, email addresses, and any personal information that can make the phishing email more credible.

Crafting Phishing Emails: Use the gathered information to personalize phishing emails, making them appear legitimate and relevant to the recipients.

Other Options:

Shoulder Surfing: Observing someone's screen or keyboard input to gain information, not suitable for gathering broad information for a phishing campaign.

Recon-ng: A tool for automated reconnaissance, useful but more general. Social media is specifically targeted for gathering personal information.

Password Dumps: Using previously leaked passwords to find potential targets is more invasive and less relevant to the initial stage of developing a phishing campaign.

Pentest Reference:

Spear Phishing: A targeted phishing attack aimed at specific individuals, using personal information to increase the credibility of the email.

OSINT (Open Source Intelligence): Leveraging publicly available information to gather intelligence on targets, including through social media.

By starting with social media, the penetration tester can collect detailed and personalized information about the targets, which is essential for creating an effective spear phishing campaign.


by Rolande at Oct 21, 2024, 02:36 AM

Limited Time Offer

25%

Off

Get Premium PT0-003 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Julene
3 months ago
Password dumps seem a bit off for this scenario, right?
upvoted 0 times
...
German
3 months ago
Recon-ng is great for automated data collection!
upvoted 0 times
...
Micheline
3 months ago
Wait, isn't shoulder surfing a bit too risky?
upvoted 0 times
...
Brittni
4 months ago
Definitely, you can find a lot about targets there!
upvoted 0 times
...
Beula
4 months ago
I think social media is key for gathering info.
upvoted 0 times
...
Lashonda
4 months ago
I definitely recall that social media is a goldmine for personal info, so that might be the right choice to kick off the campaign.
upvoted 0 times
...
Adelle
4 months ago
I feel like checking password dumps could be useful, but it seems more relevant for later stages, right?
upvoted 0 times
...
Leigha
4 months ago
I remember practicing with Recon-ng in a lab, but I'm not sure if that's the best first step for a phishing campaign.
upvoted 0 times
...
Maira
5 months ago
I think the first step should be gathering information about the target, so maybe using social media would be a good start?
upvoted 0 times
...
Sherell
5 months ago
I think the key here is to really understand the client's environment and the types of employees you'll be targeting. That will help you determine the best reconnaissance method, whether it's social media, password dumps, or something else. Gotta be strategic about this.
upvoted 0 times
...
Nan
5 months ago
I'm a little confused on the best approach here. Should we be looking at password dumps or trying to gather intel through social media? I want to make sure we do this the right way and stay within the rules of engagement.
upvoted 0 times
...
Eura
5 months ago
Easy peasy! The answer is clearly C - social media. That's where you're going to find the most valuable information to craft a convincing phishing campaign. Just gotta be careful not to get caught, you know?
upvoted 0 times
...
Lou
5 months ago
Hmm, I'm a bit unsure about this one. I know we're allowed to do spear phishing, but I'm not sure if that means we can just start sending emails right away. Shouldn't we do some initial reconnaissance first to figure out the best approach?
upvoted 0 times
...
Rebbeca
5 months ago
This looks like a pretty straightforward question. I'd say the first step is to gather as much information as possible about the target organization and its employees through social media and other open-source intelligence.
upvoted 0 times
...
Nakisha
1 year ago
D. Password dumps all the way! It's like a cheat sheet for breaking into the company.
upvoted 0 times
...
Nicholle
1 year ago
Phishing? More like 'fishing' for compliments on your hacking skills!
upvoted 0 times
Mammie
1 year ago
C: Password dumps
upvoted 0 times
...
Maxima
1 year ago
B: Social media
upvoted 0 times
...
Lindsey
1 year ago
A: Recon-ng
upvoted 0 times
...
...
Ceola
1 year ago
C. Social media is the way to go. I bet the client's CEO has some juicy info on their Facebook page.
upvoted 0 times
Ranee
1 year ago
User 4: Social media is definitely a goldmine for spear phishing campaigns.
upvoted 0 times
...
Cheryl
1 year ago
User 3: Once we have the CEO's personal info, we can tailor the email to make it more believable.
upvoted 0 times
...
Della
1 year ago
User 2: Good idea, we can use that information to craft a convincing phishing email.
upvoted 0 times
...
Margot
1 year ago
User 1: Let's check out the CEO's Facebook page for some personal details.
upvoted 0 times
...
...
Charisse
1 year ago
A. Shoulder surfing? Really? What is this, the 90s? Get with the times, people.
upvoted 0 times
Nenita
1 year ago
User3: Social media could also be a good source of information for the phishing campaign.
upvoted 0 times
...
Bronwyn
1 year ago
User2: Yeah, we should focus on more modern techniques like Recon-ng.
upvoted 0 times
...
Mabelle
1 year ago
User1: Shoulder surfing is so outdated.
upvoted 0 times
...
...
Hana
1 year ago
I agree with Lorean, Recon-ng would help gather information for the phishing campaign.
upvoted 0 times
...
Major
1 year ago
D. Password dumps could give you a ton of useful information to craft a convincing phishing email. Gotta love those data breaches!
upvoted 0 times
...
Dorothy
1 year ago
B. Recon-ng seems like the most comprehensive tool for reconnaissance. It's got everything you need in one place.
upvoted 0 times
Fannie
1 year ago
User 4: Definitely, using Recon-ng will give us a good starting point for the spear phishing campaign.
upvoted 0 times
...
Lacey
1 year ago
User 3: I agree, Recon-ng can provide a lot of valuable data for the phishing campaign.
upvoted 0 times
...
Latricia
1 year ago
User 2: Yeah, it's a powerful tool for reconnaissance.
upvoted 0 times
...
Denny
1 year ago
I think Recon-ng is the way to go for gathering information.
upvoted 0 times
...
...
Lorean
1 year ago
I think the first step should be Recon-ng.
upvoted 0 times
...
Deangelo
1 year ago
I think the answer is C. Social media is the best way to gather information for a phishing campaign.
upvoted 0 times
Dierdre
1 year ago
C: I agree with A, Recon-ng is definitely the way to go for this scenario.
upvoted 0 times
...
Luis
1 year ago
B: I disagree, I believe the answer is D. Password dumps can provide valuable credentials for a phishing campaign.
upvoted 0 times
...
Rochell
1 year ago
A: I think the answer is B. Recon-ng is a great tool for gathering information during reconnaissance.
upvoted 0 times
...
...

Save Cancel