During reconnaissance, a penetration tester discovers a public GitHub repository belonging to the target organization. The repository contains internal project names, server IP addresses, and code comments with database credentials. Which reconnaissance technique does this represent?
A. OSINT
B. DNS enumeration
C. Port scanning
D. Social engineering
A. OSINT (open-source intelligence) gathers information from public sources such as GitHub, which can leak internal details without any interaction with the target's own systems.
Why this answer
Finding a public GitHub repository that exposes internal project names, server IP addresses, and database credentials is a textbook case of OSINT (Open-Source Intelligence): collecting and analyzing information that is already public, such as code repositories, social media, and company websites, to learn about a target without sending anything to its systems. Cloning or browsing the repository talks to GitHub, not to the target's infrastructure, which is why it still counts as passive reconnaissance. Sensitive data ends up in public repositories by accident far more often than by design, and a credential that was later deleted from the current tree usually remains recoverable from the commit history, so the history is worth reviewing along with the current contents.
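The following scanner, added here as an illustration and not part of the original question bank, shows what the tester in the scenario would actually run against a cloned copy of the repository: it looks for credential assignments (including ones hidden in comments), datastore connection strings, and IPv4 addresses, and it applies the same checks to `git log -p --all` output so that a secret "removed" in a later commit is still found. The sample files, the git log excerpt, the project name, the commit identifiers, and the credential are all constructed for the example.

```python
"""Offline scanner for the leak pattern in the question: credentials in code or
comments, connection strings and server IP addresses in a repository, including
its git history, where a "removed" secret usually survives. Added example; the
sample files and git log below are constructed, not taken from any real project."""
from __future__ import annotations
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Dotted-quad IPv4 with a per-octet range check, so "1.2.3" or "300.1.1.1" never match.
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# key = value where the key ends in a credential-like word; matches inside comments on purpose.
CRED_ASSIGN = re.compile(r"(?i)\b\w*(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\",;#]+)")
# scheme://user:password@host connection strings for common datastores.
CONN_STRING = re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb|redis|amqp)://[^:/\s@]+:[^@\s]+@[^/\s:]+")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
COMMENT_MARKERS = ("#", "//", "--", "/*", "*")


@dataclass(frozen=True)
class Finding:
    path: str         # file path, or "<commit>:<path>" for a hit found in git history
    line: int
    kind: str         # credential | connection_string | rfc1918_ip | other_ip
    value: str        # the matched secret or address; redact it before it goes into a report
    in_comment: bool


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line and return every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        comment = line.lstrip().startswith(COMMENT_MARKERS)
        for m in CONN_STRING.finditer(line):
            hits.append(Finding(path, lineno, "connection_string", m.group(0), comment))
        for m in CRED_ASSIGN.finditer(line):
            hits.append(Finding(path, lineno, "credential", m.group(1), comment))
        for m in IPV4.finditer(line):
            private = any(ip_address(m.group(0)) in net for net in RFC1918)
            hits.append(Finding(path, lineno, "rfc1918_ip" if private else "other_ip", m.group(0), comment))
    return hits


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, e.g. the working tree of a cloned repository."""
    return [h for path, text in sorted(files.items()) for h in scan_text(path, text)]


def scan_git_log(log_text: str) -> list[Finding]:
    """Scan `git log -p --all` output: only added ('+') lines are checked, each hit is
    tagged with the commit that introduced it, and line numbers follow the hunk headers."""
    hits, commit, path, lineno = [], "?", "?", 0
    for raw in log_text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1]
        elif raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            lineno = int(re.search(r"\+(\d+)", raw).group(1))
        elif raw.startswith("+") and not raw.startswith("+++"):
            for h in scan_text(f"{commit}:{path}", raw[1:]):
                hits.append(Finding(h.path, lineno, h.kind, h.value, h.in_comment))
            lineno += 1
        elif raw.startswith(" "):  # unchanged context line (indented message lines land here too, harmlessly)
            lineno += 1
    return hits


# Constructed working tree of the repository after the developer "removed" the credential.
SAMPLE_FILES = {
    "config/settings.py": (
        "# release 1.2.3: DSN now comes from the environment\n"
        'DATABASE_URL = os.environ["DATABASE_URL"]\n'
    ),
    # 203.0.113.10 is the RFC 5737 documentation range, standing in for a public address.
    "deploy/hosts.ini": "[web]\nweb01 ansible_host=203.0.113.10\n[db]\ndb01 ansible_host=10.20.30.41\n",
    "scripts/backup.sh": (
        "#!/bin/sh\n"
        "# prod DB creds, ask ops before rotating: PGPASSWORD=Summ3r2023!\n"
        "pg_dump -h 10.20.30.41 -U app_user inventory > backup.sql\n"
    ),
}
# Constructed `git log -p --all` excerpt: the credential is gone from HEAD but still in history.
SAMPLE_GIT_LOG = """\
commit 9f3c2a1
    move DSN to the environment
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,2 @@
-# TODO remove before release
-# DB_PASSWORD = Summ3r2023!   (reuse the prod creds for now)
-DATABASE_URL = "postgres://app_user:Summ3r2023!@10.20.30.41:5432/inventory"
+# release 1.2.3: DSN now comes from the environment
+DATABASE_URL = os.environ["DATABASE_URL"]
commit 1b2d4e0
    initial import
diff --git a/config/settings.py b/config/settings.py
--- /dev/null
+++ b/config/settings.py
@@ -0,0 +1,3 @@
+# TODO remove before release
+# DB_PASSWORD = Summ3r2023!   (reuse the prod creds for now)
+DATABASE_URL = "postgres://app_user:Summ3r2023!@10.20.30.41:5432/inventory"
"""

if __name__ == "__main__":
    for h in scan_files(SAMPLE_FILES) + scan_git_log(SAMPLE_GIT_LOG):
        shown = h.value if h.kind.endswith("_ip") else h.value[:2] + "***"  # never print raw secrets
        print(f"{h.path}:{h.line} {h.kind}{' (comment)' if h.in_comment else ''} {shown}")
```

Against a real target you would feed `scan_files` the contents of the cloned working tree and `scan_git_log` the output of `git log -p --all`, then triage by hand: the regexes are deliberately loose, so expect false positives such as variables that merely contain the word `token`. Note that on the sample data the working tree no longer holds the connection string, but the history scan still recovers the full `postgres://user:password@host` DSN from the initial commit, which is the point the explanation above makes about deleted secrets.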
Exam trap
The trap is to confuse OSINT with active techniques such as DNS enumeration or port scanning. The tester in the scenario never sent a packet to the target's systems; reading data out of a public source such as GitHub is passive collection, and the exam treats it as a distinct OSINT technique.
How to eliminate wrong answers
Option B (DNS enumeration) is wrong because it involves querying DNS servers to discover hostnames, IP addresses, and records (A, MX, CNAME, attempted zone transfers) with tools such as `dnsrecon`, `dig`, or `nslookup`; the information in the scenario was read out of a code repository, not resolved from DNS. Option C (Port scanning) is wrong because it actively probes the target's hosts for open TCP/UDP ports and the services behind them with tools such as `nmap`, which requires network connectivity to the target and is therefore active reconnaissance, not passive collection from a public source. Option D (Social engineering) is wrong because it relies on manipulating people through phishing, pretexting, or impersonation to extract information, whereas this scenario involves finding data that was already exposed in a public repository without any human interaction.