Another solid day of training! Today we worked through Sections B5 to C3 of the CREST CPSA syllabus and things really started getting technical.
Tool Output & Fingerprinting
We kicked off with B5, looking at how to interpret the output from tools like port scanners and packet sniffers. It was a useful reminder of how to spot open ports, running services, and patterns in traffic that could help us later in an assessment.
From there, we moved into filter avoidance (B6) and OS fingerprinting (B8) — learning techniques for identifying operating systems and bypassing basic filters. We also covered application fingerprinting (B9) and how to identify unknown services, often just by analyzing headers, banners, and subtle responses.
Access Controls & Cryptography
Section B10 focused on network access control — understanding how firewalls, ACLs, and segmentation play a part in hardening a system.
We also took a dive into cryptography basics in B11 and B12, going over symmetric and asymmetric encryption, hashing, SSL, and even IPsec. It’s not about becoming a crypto expert, but more about understanding how these are used and what to look for when auditing a system.
Permissions & Audit Trails
B13 was about file system permissions and what misconfigurations could mean in terms of security gaps. Following that, B14 looked at auditing techniques — spotting logs, missing logs, and changes that indicate something fishy.
Open-Source Intelligence (OSINT)
After lunch, we hit Section C, where things shifted towards reconnaissance and OSINT.
We practiced interpreting WHOIS records (C1), attempted DNS zone transfers (C2), and explored how much information you can gather just from customer-facing content (C3) like blogs, PDFs, metadata, and job ads.
Final Thoughts
Today felt like a real step up in both pace and depth. I’m beginning to see how these building blocks connect — from scanning and fingerprinting to using OSINT to build a clearer picture of a target. Loads to take in, but also really satisfying to start piecing it together.