2.1 Information gathering & Vulnerability scanning: passive reconnaissance Flashcards

1
Q

What is reconnaissance?

A

Reconnaissance focuses on gathering as much information about the target as possible; it can be either passive or active

2
Q

What is footprinting?

A

Determining exactly what types of systems the organization uses, so that they can be targeted in the next phase of the assessment

3
Q

What is passive reconnaissance?

A

Attempts to gain information about the target's computers and networks without directly engaging with those systems (e.g. online searches, social engineering, dumpster diving, email harvesting)

4
Q

What is Open-Source Intelligence (OSINT)?

A

The collection and analysis of data gathered from publicly available sources to produce actionable intelligence (e.g. social media, blogs, newspapers, government records, job listings, document metadata, website information, etc.)

5
Q

What kind of valuable information are pentesters looking for when doing OSINT?

A
  • The roles different employees have
  • The different teams and departments
  • Contact information (email address format, phone numbers)
  • Technical aptitude and security-awareness training
  • Employee and managerial mindset
6
Q

How do you start an OSINT investigation?

A

Start with the organization's own social media profiles and its job postings (e.g. LinkedIn, Monster, Indeed, ZipRecruiter, Glassdoor); job listings in particular reveal the technologies and products in use

7
Q

What is metadata?

A

Data about the data in a file: for a document, fields such as the author's user name, creation and modification dates, the software and version that produced it, and sometimes internal file paths or printer names

8
Q

OSINT tools: what are OSINT tools for?

A

Tools that extract actionable intelligence from publicly available sources such as public websites, WHOIS databases and DNS servers

9
Q

OSINT tools: what’s Metagoofil for?

A

A Linux-based tool that searches a target's website for public documents (PDF, DOC, XLS, PPT, etc.), downloads them and extracts their metadata (user names, software versions, paths)

10
Q

OSINT tools: what’s Fingerprinting Organizations with Collected Archives (FOCA)?

A

A Windows tool used to find metadata and hidden information in documents collected from an organization, and to map the users, software and servers those documents reveal
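The following is an added example (not part of the original flashcards, and not Metagoofil or FOCA code) showing the kind of information those tools pull out of public Office documents: it reads only the docProps/core.xml and docProps/app.xml parts of an OOXML package and aggregates user names and software versions across a set of documents. The two sample documents are built in memory by a helper in the block; the names, versions and company in them are invented.

```python
"""Extract author and software metadata from OOXML (docx/xlsx/pptx) files.

Added example: not from the original flashcards and not Metagoofil/FOCA code.
It reads only docProps/core.xml and docProps/app.xml, the two parts that hold
the fields reconnaissance cares about. The sample documents are built in
memory by _make_docx; every name, version and company in them is invented.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

CORE_PART = "docProps/core.xml"
APP_PART = "docProps/app.xml"
WANTED = {"creator", "lastModifiedBy", "created", "modified",
          "Application", "AppVersion", "Company", "Template"}

def _local(tag):
    """'{namespace}creator' -> 'creator'."""
    return tag.rsplit("}", 1)[-1]

def extract_ooxml_metadata(blob):
    """Return {field: value} for the metadata fields found in an OOXML package
    given as bytes. The document body is never opened."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for part in (CORE_PART, APP_PART):
            if part not in zf.namelist():
                continue                      # some generators omit app.xml
            root = ET.fromstring(zf.read(part))
            for elem in root.iter():
                name = _local(elem.tag)
                if name in WANTED and elem.text and elem.text.strip():
                    found[name] = elem.text.strip()
    return found

def summarize_targets(docs):
    """Across many documents, collect user names (username format, phishing
    targets) and the software that produced them (client-side exploit choice)."""
    users, software = set(), set()
    for blob in docs:
        meta = extract_ooxml_metadata(blob)
        users.update(meta[k] for k in ("creator", "lastModifiedBy") if k in meta)
        if "Application" in meta:
            software.add(f'{meta["Application"]} {meta.get("AppVersion", "?")}')
    return {"users": sorted(users), "software": sorted(software)}

# --- constructed sample documents: minimal OOXML packages, not real files ---
def _make_docx(creator, last_modified_by, app, app_version, company):
    core = (
        '<cp:coreProperties '
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/" '
        'xmlns:dcterms="http://purl.org/dc/terms/">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        "<dcterms:created>2023-03-01T09:15:00Z</dcterms:created>"
        "</cp:coreProperties>"
    )
    app_xml = (
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
        f"<Application>{app}</Application>"
        f"<AppVersion>{app_version}</AppVersion>"
        f"<Company>{company}</Company>"
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CORE_PART, core)
        zf.writestr(APP_PART, app_xml)
        zf.writestr("word/document.xml", "<document/>")   # body placeholder
    return buf.getvalue()

SAMPLE_DOCS = [
    _make_docx("jsmith", "Jane Smith", "Microsoft Office Word", "16.0000", "Example Corp"),
    _make_docx("bob.jones", "bob.jones", "LibreOffice/7.3.7.2", "7.3", "Example Corp"),
]

if __name__ == "__main__":
    for blob in SAMPLE_DOCS:
        print(extract_ooxml_metadata(blob))
    print(summarize_targets(SAMPLE_DOCS))
```

In a real engagement the documents come from a site:example.com filetype:docx search or from Metagoofil's download step; PDFs keep the same kind of fields (Author, Creator, Producer) in their Info dictionary and need a separate parser.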

11
Q

OSINT tools: what’s The Harvester?

A

theHarvester: a program for gathering email addresses, subdomains, hosts, employee names, PGP key entries, open ports and service banners from public sources and search engines

12
Q

OSINT tools: what’s Recon-ng?

A

A cross-platform web reconnaissance framework that uses a system of modules to add features and functions (e.g. modules for WHOIS, DNS, search engines and breach data)

13
Q

OSINT tools: what’s Shodan?

A

A search engine for Internet-connected devices (web cameras, routers, servers, industrial control systems and other Internet of Things devices), indexed by the service banners they expose

14
Q

OSINT tools: what’s Censys?

A

A search engine for finding hosts and networks across the Internet, with data about their configuration (open services, TLS certificates, software versions)

15
Q

OSINT tools: what’s Maltego?

A

Commercial OSINT software that maps the relationships between entities (people, email addresses, domains, IP addresses, organizations).
It can automate the querying of public data sources and correlate the results with information from other sources

16
Q

What is DNS?

A

The Domain Name System (DNS) lets network clients find a host using human-readable hostnames instead of numeric IP addresses

17
Q

DNS information: what’s Address (A) Record?

A

Links a hostname to an IPv4 address

18
Q

DNS information: what’s AAAA Record ?

A

Links a hostname to an IPv6 address

19
Q

DNS information: what’s Canonical Name (CNAME) Record?

A

A Canonical Name (CNAME) record specifies that a domain name is an alias for another (canonical) name, so one host can be known by several names. For example, a CNAME record can make "www.example.com" an alias of "example.com". For reconnaissance, CNAME targets often reveal third-party hosting such as CDNs and SaaS platforms.

20
Q

DNS information: what’s Mail Exchange (MX) Record?

A

A Mail Exchange (MX) record specifies the mail server responsible for receiving email on behalf of a domain. When someone sends an email to an address in that domain, the sender's mail server looks up the MX records to find where to deliver it. Each MX record contains a mail server hostname and a preference value; lower values are tried first, which provides redundancy and load balancing. The MX hostname usually identifies the email provider (e.g. Microsoft 365, Google Workspace).

21
Q

DNS information: what’s Start of Authority (SOA) Record?

A

Stores administrative information about a zone: the primary name server, the zone administrator's email address, the zone serial number, and the refresh, retry, expire and minimum TTL timers

22
Q

DNS information: what’s Pointer (PTR) Record?

A

Maps an IP address back to a hostname (reverse DNS lookup)

23
Q

DNS information: what’s Text (TXT) Record?

A

A Text (TXT) record associates arbitrary text with a domain name. It is commonly used by email authentication protocols such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC, and by SaaS providers for domain-ownership verification tokens; both kinds of entry tell a pentester which third-party services the organization uses.

24
Q

DNS information: what’s Service (SRV) Record?

A

Specifies the hostname and port (with priority and weight) of a server providing a specific service, named as _service._protocol (e.g. _sip._tls, _ldap._tcp, _autodiscover._tcp)

25
Q

DNS information: what’s Nameserver (NS) Record?

A

Specifies which name servers are authoritative for a domain, i.e. which servers hold the zone data and answer DNS queries for it. NS records also delegate subdomains to other name servers while keeping the hierarchical structure of the DNS, so they reveal whether DNS is self-hosted or outsourced to a provider.

26
Q

DNS information: while doing OSINT, which records can you check to gather information on email and SaaS solutions?

A

Focus on MX, TXT and SRV records: MX records name the mail provider, TXT records carry SPF/DKIM/DMARC policies and domain-verification tokens for SaaS products, and SRV records advertise services such as SIP/Teams federation or Exchange Autodiscover
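As an added example (not from the original flashcards), here is a Python routine that applies this card's advice: given MX, TXT and SRV records in the shape nslookup or dig returns them, it infers the mail and SaaS providers from a small hand-picked fingerprint table and extracts the SPF and DMARC details that decide how easily the domain can be spoofed for phishing. The record set is constructed for example.com (a reserved name) and is not its real data; the fingerprint patterns are well-known provider hostnames, but the table itself is an assumption and far from exhaustive.

```python
"""Fingerprint a domain's email and SaaS providers from its MX, TXT and SRV
records, and pull out the SPF/DMARC details that matter for phishing risk.

Added example, not part of the original flashcards. SAMPLE_RECORDS is a
constructed record set in the shape a resolver (nslookup/dig) returns; the
reserved name example.com is used and these are not its real records.
FINGERPRINTS is a small hand-picked table of well-known provider patterns,
not an authoritative or complete list.
"""
import re

# (record type, regex applied to "<owner name> <record data>", what a match indicates)
FINGERPRINTS = [
    ("MX",  r"\.mail\.protection\.outlook\.com\.?$",   "Microsoft 365 (Exchange Online) inbound mail"),
    ("MX",  r"\baspmx\.l\.google\.com\.?$",            "Google Workspace inbound mail"),
    ("MX",  r"\.pphosted\.com\.?$",                    "Proofpoint mail gateway"),
    ("MX",  r"\.mimecast\.com\.?$",                    "Mimecast mail gateway"),
    ("TXT", r"include:spf\.protection\.outlook\.com",  "Microsoft 365 authorised to send (SPF)"),
    ("TXT", r"include:_spf\.google\.com",              "Google Workspace authorised to send (SPF)"),
    ("TXT", r"include:sendgrid\.net",                  "SendGrid authorised to send (SPF)"),
    ("TXT", r"\bMS=ms\d+",                             "Microsoft 365 domain verification"),
    ("TXT", r"\bgoogle-site-verification=",            "Google service verification"),
    ("TXT", r"\batlassian-domain-verification=",       "Atlassian Cloud (Jira/Confluence)"),
    ("TXT", r"\bdocusign=",                            "DocuSign"),
    ("SRV", r"sip(dir|fed)\.online\.lync\.com",        "Skype for Business / Teams federation"),
    ("SRV", r"^_autodiscover\._tcp\.",                 "Exchange Autodiscover"),
]

def fingerprint_services(records):
    """records: iterable of (rtype, owner_name, data) tuples.
    Returns the providers identified, every SPF include: domain (third parties
    allowed to send as the domain), the SPF 'all' qualifier and the DMARC policy."""
    providers, spf_includes = set(), set()
    spf_all = dmarc_policy = None
    for rtype, name, data in records:
        blob = f"{name} {data}"
        for ftype, pattern, label in FINGERPRINTS:
            if ftype == rtype and re.search(pattern, blob, re.IGNORECASE):
                providers.add(label)
        if rtype != "TXT":
            continue
        low = data.lower()
        if low.startswith("v=spf1"):
            spf_includes.update(m.lower() for m in re.findall(r"include:(\S+)", data, re.IGNORECASE))
            m = re.search(r"([-~+?]?all)\s*$", low)     # -all hard fail, ~all soft fail, ?all neutral
            spf_all = m.group(1) if m else None
        elif name.lower().startswith("_dmarc.") and low.startswith("v=dmarc1"):
            m = re.search(r";\s*p=(\w+)", low)
            dmarc_policy = m.group(1) if m else None
    return {"providers": sorted(providers), "spf_includes": sorted(spf_includes),
            "spf_all": spf_all, "dmarc_policy": dmarc_policy}

def spoofing_risk(summary):
    """A domain without an enforced DMARC policy is easy to spoof in phishing."""
    if summary["dmarc_policy"] in ("reject", "quarantine"):
        return "low (DMARC enforced)"
    if summary["dmarc_policy"] == "none":
        return "high (DMARC p=none)"
    return "high (no DMARC)"

# constructed records: (type, owner name, data) as nslookup -type=... would show them
SAMPLE_RECORDS = [
    ("MX",  "example.com.", "10 example-com.mail.protection.outlook.com."),
    ("TXT", "example.com.", "v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all"),
    ("TXT", "example.com.", "MS=ms81234567"),
    ("TXT", "example.com.", "atlassian-domain-verification=AbC123"),
    ("TXT", "_dmarc.example.com.", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    ("SRV", "_sipfederationtls._tcp.example.com.", "100 1 5061 sipfed.online.lync.com."),
    ("SRV", "_autodiscover._tcp.example.com.", "0 0 443 autodiscover.example.com."),
]

if __name__ == "__main__":
    summary = fingerprint_services(SAMPLE_RECORDS)
    for k, v in summary.items():
        print(f"{k:13}: {v}")
    print("spoofing risk:", spoofing_risk(summary))
```

The records for a real target come from nslookup -type=MX example.com, nslookup -type=TXT example.com, nslookup -type=TXT _dmarc.example.com and SRV lookups of the well-known _service._proto names; every include: domain in the SPF record is a third party that may send mail as the organization and is worth a fingerprint of its own.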

27
Q

DNS information: what’s Name Server Lookup (nslookup)?

A

A command-line tool that queries DNS for the mapping between domain names and IP addresses, or for other record types (e.g. nslookup -type=MX example.com); dig is the usual alternative on Linux

28
Q

DNS information: what’s Whois?

A

WHOIS is a query and response protocol for looking up registration information about Internet resources (domain names, IP address blocks, AS numbers): registrant, registrar, contacts, creation and expiry dates. It is available as a command-line tool on Linux and through web-based lookup sites.

29
Q

Public repositories: what are public source code repositories for?

A
  • Websites that allow developers to work together in an agile way and create software quickly
  • Private files (credentials, API keys, internal hostnames) can be committed or mistakenly made public for anyone to find
  • Examples: GitHub, Bitbucket, SourceForge
30
Q

Public repositories: why should you search website archives and caches?

A

Deleted or changed content can still exist somewhere on the Internet; old pages, directory listings and documents may be preserved in the Wayback Machine (web.archive.org) or in search engine caches

31
Q

Google hacking: what is it for?

A

Open-source intelligence technique that uses Google search operators to locate vulnerable web servers and applications.

32
Q

Google hacking: how do you use it (quotes, NOT, AND/OR, scope operators, URL modifiers)?

A
  • Quotes: put "" around a phrase to require an exact match
  • NOT: put - in front of a word to exclude results that contain it
  • AND / OR: require both search terms (AND) or either term (OR)
  • Scope operators: keywords that narrow the search (e.g. site:, filetype:, related:, allintitle:, allinurl:, allinanchor:)
  • URL modifiers: parameters appended to the results page URL that change the results (e.g. &pws=0, &filter=0, &tbs=li:1)
33
Q

Google hacking: what’s Google Hacking Database (GHDB)?

A

The Google Hacking Database (GHDB) is a repository of complex search methods, operators, and queries. This enables regular users and cybersecurity experts to locate security flaws and potential threats.

34
Q

URL analysis: what is it?

A

The activity of checking whether a link is already flagged on an existing reputation list and, if not, identifying what malicious script or activity might be encoded within it

35
Q

URL analysis: what does it involve?

A
  • Resolving percent encoding (including multiple layers of encoding)
  • Assessing where the URL redirects to
  • Showing the source code of any scripts embedded in the URL
36
Q

URL analysis: what is HTTP Method?

A

Different types of requests a client can make to interact with a web server. The most common HTTP methods are:

  • GET: request data from a specified resource
  • POST: send data to the server to create or update a resource
  • PUT: create or replace a resource on the server
  • DELETE: delete a specified resource

A request consists of a method, a resource (path), an HTTP version number, the headers and an optional body
37
Q

URL analysis: give explanation for each of the methods: GET, POST, PUT, DELETE, HEAD?

A
  • GET: principal method used with HTTP and used to retrieve a resource
  • POST: used to send data to the server for processing by the requested resource
  • PUT: creates or replaces the requested resource
  • DELETE: remove the requested resource
  • HEAD: retrieve the header for a resource only and ignores the body
38
Q

URL analysis: what does "?" mean in a URL?

A

It marks the start of the query string: data submitted via the URL follows the "?" as name=value pairs

39
Q

URL analysis: what are the query parameters in this example: "www.example.com/widgets?color=blue&sort=new"?

A

? > start of the query string
color=blue > name=value pair
& > separator between pairs
sort=new > second name=value pair

40
Q

URL analysis: what are HTTP response codes?

A

The three-digit status code in the status line of the server's response (followed by a reason phrase) that tells the client how its request for a URL was handled

41
Q

URL analysis: what is HTTP code 200 and code 201?

A

200 = successful GET or POST request (OK)
201 = Created: the request (typically PUT or POST) succeeded in creating a new resource

42
Q

URL analysis: what is HTTP code 3xx ?

A

These codes indicate that further action needs to be taken to complete the request. For example, 301 Moved Permanently indicates that the requested resource has been permanently moved to a new location.

43
Q

URL analysis: what is HTTP code 4xx?

A

Any code in this range indicates an error in the client request

44
Q

URL analysis: what is HTTP code 400?

A

It indicates that the server cannot process the request because the client sent a request that the server could not understand. This could be due to malformed syntax, invalid request message framing, or deceptive request routing.

45
Q

URL analysis: what is HTTP code 401?

A

HTTP code 401 is Unauthorized. Despite its name it is really about authentication: the request lacks valid credentials, and the server refuses to serve the resource until they are supplied (the response carries a WWW-Authenticate header saying how). It is returned when a user tries to access a resource that requires authentication but has provided no credentials or invalid ones.

46
Q

URL analysis: what is HTTP code 403?

A

Forbidden: the server understood the request (and may have authenticated the client) but the client does not have sufficient permissions, so re-authenticating will not help

47
Q

URL analysis: what is HTTP code 404?

A

Client has requested a non-existent resource

48
Q

URL analysis: what is HTTP code 5xx?

A

Any code in this range indicates a server-side issue

49
Q

URL analysis: what is HTTP code 500?

A

HTTP code 500 is an Internal Server Error. This status code indicates that the server encountered an unexpected condition that prevented it from fulfilling the request. It’s a generic error message that is often used when no more specific message is suitable. The server-side issue could range from a bug in the server software to problems with the server’s database or other backend systems.

50
Q

URL analysis: what is HTTP code 502?

A

Bad Gateway: the server, acting as a proxy or gateway, received an invalid response from the upstream server

51
Q

URL analysis: what is HTTP code 503?

A

Service Unavailable: the server is temporarily unable to handle the request, usually because it is overloaded or down for maintenance

52
Q

URL analysis: what is HTTP code 504?

A

Gateway Timeout: the server, acting as a proxy or gateway, did not receive a timely response from the upstream server

53
Q

URL analysis: what is percent encoding/ URL encoding?

A

Percent encoding, also known as URL encoding, converts characters that are unsafe or have special meaning in a URL (and non-ASCII characters) into a form that can be transmitted in the URL: each byte is written as % followed by two hexadecimal digits.
For example, a space is encoded as %20 and "é" (two bytes in UTF-8) as %C3%A9.

This lets browsers and servers transmit URLs containing such characters without them being misinterpreted or disrupting the URL structure. Attackers use the same mechanism to disguise payloads, and sometimes encode twice (%25 for the % sign) to defeat filters that decode only once, so analysis should decode until the string stops changing.

54
Q

URL analysis: what are the reserved and unreserved characters in percent encoding?

A
  • Unreserved characters: a-z, A-Z, 0-9, (-), (.), (_), (~)
  • Reserved characters: (:), (/), (?), (#), ([), (]), (@), (!), ($), (&), ('), ((), ()), (*), (+), (,), (;), (=)
55
Q

URL analysis: which unsafe characters can a URL not contain?

A

Null terminator, carriage return, line feed, end of file, tab, space, and (), (<), (>), ({), (}); these must be percent-encoded if they are to appear in a URL
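An added example (not part of the original flashcards) that performs the URL-analysis steps from the cards above in code: it splits the query string at ? and &, resolves percent encoding repeatedly so that double-encoded payloads such as %253C are revealed, flags redirect-style parameters whose target host differs from the URL's own host, and lists any unsafe characters that appear un-encoded. REDIRECT_PARAMS is a hand-picked list of common redirect parameter names (an assumption, not a standard), and the sample URLs use reserved example domains.

```python
"""Decode and triage a URL the way a URL-analysis pass does: split the query
string, resolve percent encoding (counting how many layers were stacked),
flag parameters that redirect to another host, and list unsafe characters
that appear un-encoded.

Added example, not part of the original flashcards. REDIRECT_PARAMS is a
short hand-picked list of parameter names typically used for redirects, and
the sample URLs are constructed from reserved example domains.
"""
from urllib.parse import urlsplit, unquote

REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return",
                   "returnurl", "goto", "dest", "continue", "target"}
# Characters a URL must not carry raw: control characters, space, DEL and the
# delimiters the flashcard lists (RFC 3986 leaves them out of the grammar).
UNSAFE = {chr(c) for c in range(0x21)} | set('"<>{}|\\^`') | {"\x7f"}

def fully_decode(value, max_rounds=5):
    """Undo percent encoding until the string stops changing.
    Returns (decoded, rounds); rounds > 1 means double (or deeper) encoding,
    a classic way to slip past a filter that decodes only once."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)          # note: unquote leaves '+' alone
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def analyze_url(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    params, redirects = [], []
    for pair in parts.query.split("&"):
        if not pair:
            continue                      # tolerate "a=1&&b=2"
        raw_name, _, raw_value = pair.partition("=")
        name = fully_decode(raw_name)[0]
        value, depth = fully_decode(raw_value)
        params.append((name, value, depth))
        if name.lower() in REDIRECT_PARAMS:
            # urlsplit also understands protocol-relative "//evil.example/..."
            target = urlsplit(value.strip()).hostname
            if target and target.lower() != host:
                redirects.append((name, target.lower()))
    unsafe = sorted({c for c in url if c in UNSAFE})
    return {"scheme": parts.scheme, "host": host, "path": parts.path,
            "params": params, "redirects": redirects, "unsafe_chars": unsafe}

SAMPLE_URL = ("https://www.example.com/login"
              "?next=%2F%2Fevil.example%2Fphish&q=%253Cscript%253E&color=blue")

if __name__ == "__main__":
    for k, v in analyze_url(SAMPLE_URL).items():
        print(f"{k:13}: {v}")
```

On SAMPLE_URL the next parameter decodes to a protocol-relative redirect to evil.example (an open-redirect candidate), q needs two decoding rounds before the script tag appears, and no unsafe characters are present raw; the depth count is what distinguishes a legitimately encoded value from one encoded to evade a filter.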

56
Q

Cryptographic flaws: what is Cryptographic Inspection?

A

Checking the validity of a target's TLS certificates and the protocol versions and cipher suites its servers accept, to find weaknesses that could be exploited

57
Q

Cryptographic flaws: what is Cipher Suite?

A

Defines the set of algorithms (key exchange, authentication, bulk encryption and hashing/MAC) that the client and server agree to use when negotiating an encrypted session.
Examples: ●TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2 naming)
●TLS_AES_256_GCM_SHA384 (TLS 1.3 naming; key exchange and authentication are no longer part of the name)

58
Q

Cryptographic flaws: how to test a web server to see its cipher suite?

A

Use ssllabs.com (SSL Labs Server Test) for a public web server, or local tools such as nmap --script ssl-enum-ciphers -p 443 <host>, sslscan, testssl.sh or openssl s_client -connect <host>:443

59
Q

Cryptographic flaws: which algorithms appear in cipher suites?

A

▪ ChaCha20 (stream cipher, paired with the Poly1305 authenticator)
▪ RSA (asymmetric; used for authentication and, in older suites, key exchange without forward secrecy)
▪ AES (block cipher, 128- or 256-bit key)
▪ GCM (authenticated block-cipher mode; the preferred choice)
▪ CBC (block-cipher mode with a history of padding-oracle attacks such as Lucky 13 and POODLE; avoid where possible)

60
Q

Cryptographic flaws: are SSL 2 and SSL 3 secure?

A

No. SSL 2.0 is prohibited (RFC 6176) and SSL 3.0 is deprecated (RFC 7568); TLS 1.0 and 1.1 are also deprecated (RFC 8996), so a server that still negotiates any of them is a finding

61
Q

Cryptographic flaws: what is the risk with falsified digital certificates?

A

Falsified (forged or mis-issued) digital certificates can be used to impersonate the organization's services and trick its users into trusting a malicious site

62
Q

Cryptographic flaws: why should you look into SAN field or Wildcard in a digital certificates?

A

Both fields let one certificate secure several names, and during reconnaissance they are a free inventory of the organization's hostnames:
- SAN: lists additional domain names beyond the primary subject, so it can secure multiple subdomains or different domains with a single certificate. For a pentester, every SAN entry is another host to investigate.
- Wildcard: secures a domain and all its direct subdomains with a single certificate using a wildcard character (*). This simplifies certificate management and reduces cost, but it also means any subdomain found later is covered by the same key, and it tells the pentester that subdomain enumeration of that zone is worthwhile.
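Added example (not from the original flashcards): a minimal DER walker for the subjectAltName extension, which is how a single certificate becomes a hostname inventory during reconnaissance. It handles the GeneralName choices a pentester actually meets (dNSName, rfc822Name, URI, iPAddress) and both short- and long-form DER lengths. The SAN bytes are constructed with the _tlv helper in the block, not taken from a real certificate; the names use reserved example domains and a 203.0.113.0/24 documentation address.

```python
"""Walk the DER-encoded subjectAltName extension of an X.509 certificate and
list every name in it.

Added example, not part of the original flashcards. Covers the GeneralName
choices met in practice (dNSName, rfc822Name, URI, iPAddress) and DER
short/long length forms. SAMPLE_SAN is built by _tlv below, not taken from a
real certificate.
"""
import ipaddress

# Context-specific tags of GeneralName (RFC 5280 section 4.2.1.6); all primitive.
GENERAL_NAME_TAGS = {0x81: "email", 0x82: "DNS", 0x86: "URI", 0x87: "IP"}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_san(ext_value):
    """ext_value: DER bytes of GeneralNames (the contents of the extension's
    OCTET STRING). Returns a list of (kind, value) in certificate order."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        kind = GENERAL_NAME_TAGS.get(tag)
        if kind == "IP":
            names.append((kind, str(ipaddress.ip_address(bytes(value)))))  # 4 or 16 bytes
        elif kind:
            names.append((kind, value.decode("ascii")))
        else:
            names.append((f"tag-{tag:#x}", value.hex()))  # otherName, directoryName: left raw
    return names

def recon_summary(names):
    """Reduce the SAN list to what drives the next reconnaissance step."""
    hosts = {v for k, v in names if k == "DNS" and not v.startswith("*.")}
    wildcards = {v[2:] for k, v in names if k == "DNS" and v.startswith("*.")}
    ips = {v for k, v in names if k == "IP"}
    emails = {v for k, v in names if k == "email"}
    return {"hosts": sorted(hosts), "wildcard_zones": sorted(wildcards),
            "ips": sorted(ips), "emails": sorted(emails)}

# --- constructed sample: the DER is built by hand, no real certificate involved ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

SAMPLE_SAN = _tlv(0x30, b"".join([
    _tlv(0x82, b"example.com"),
    _tlv(0x82, b"*.example.com"),
    _tlv(0x82, b"vpn.corp.example.com"),
    _tlv(0x82, b"mail.example.net"),
    _tlv(0x87, bytes([203, 0, 113, 10])),
    _tlv(0x81, b"hostmaster@example.com"),
]))

if __name__ == "__main__":
    for kind, value in parse_san(SAMPLE_SAN):
        print(f"{kind:6} {value}")
    print(recon_summary(parse_san(SAMPLE_SAN)))
```

For a live host the same bytes come from openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -ext subjectAltName (OpenSSL 1.1.1 or later) or, in Python, from ssl.SSLSocket.getpeercert()["subjectAltName"] on an established connection; Certificate Transparency logs (e.g. crt.sh) return the SAN lists of every publicly logged certificate for a domain without touching the target at all.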

63
Q

Cryptographic flaws: what is a Certificate Revocation List (CRL) in PKI?

A

A list published by a certificate authority of the certificates it has revoked before their expiry date; clients download it to check whether a certificate is still trustworthy

64
Q

Cryptographic flaws: what is the Online Certificate Status Protocol (OCSP) in PKI?

A

Lets a client ask the CA's responder for the status of a single digital certificate, identified by its serial number, instead of downloading the whole CRL

65
Q

Cryptographic flaws: how a client validates the certificate?

A

It verifies the certificate chain up to a trusted root CA, the validity period and that the hostname matches the subject or a SAN entry, then checks the revocation status via the CRL or OCSP

66
Q

Cryptographic flaws: what is certificate pinning?

A

Certificate pinning is a security mechanism used to prevent man-in-the-middle attacks by associating a host with its expected X.509 certificate or public key. This involves hardcoding the certificate or public key of the server that the client expects to communicate with. By doing so, the client can verify that it is connecting to the correct server and not a malicious one. If the server’s certificate or public key does not match the pinned value, the client will terminate the connection, thus providing an additional layer of security against potential attacks.

67
Q

Cryptographic flaws: what is certificate stapling?

A

OCSP stapling: the web server performs the certificate status check itself and sends the time-stamped OCSP response along with its certificate during the TLS handshake, so the client does not need an additional connection to the OCSP responder at request time

68
Q

Cryptographic flaws: what is HTTP Strict Transport Security (HSTS)?

A

Allows a web server to instruct browsers (via the Strict-Transport-Security response header) to connect only over HTTPS and never over plain HTTP for a set period of time

69
Q

CWE & CVE: what is it for?

A

A penetration tester needs to keep updated with the latest techniques and vulnerabilities:
▪ CVEs
▪ CWEs
▪ Security Blogs
▪ Podcasts

70
Q

CWE & CVE: what is the Computer Emergency Response Team (CERT) / US-CERT - cisa.gov/uscert?

A

Maintained by the United States federal government (now part of CISA); it publishes alerts and lists known vulnerabilities identified in the wild as well as those self-reported by industry partners

71
Q

CWE & CVE: what is JPCERT/CC - jpcert.or.jp?

A

Japan’s version of the Computer Emergency Response Team

72
Q

CWE & CVE: what is National Vulnerability Database (NVD) - nvd.nist.gov ?

A

Provided by the National Institute of Standards and Technology (NIST); it lists published CVEs and enriches each one with a CVSS severity score, affected-product (CPE) data and references. The CVE identifiers themselves are assigned by the CVE program's numbering authorities (CNAs), not by NVD.

73
Q

CWE & CVE: what is Common Vulnerabilities and Exposures (CVE) - cve.org?

A

A publicly available catalog used worldwide that references known vulnerabilities, each with a unique identifier of the form CVE-YYYY-NNNNN

74
Q

CWE & CVE: what is Common Weakness Enumeration (CWE) – cwe.mitre.org?

A

A community-developed list of the different types of software weaknesses and the details of those weaknesses

75
Q

CWE & CVE: what is Common Attack Pattern Enumeration and Classification (CAPEC) - capec.mitre.org?

A

A catalog of common attack patterns that helps security researchers understand and identify how a particular attack is carried out

76
Q

CWE & CVE: what is Full Disclosure?

A

A public, vendor-neutral mailing list for vulnerability disclosure, hosted by the makers of Nmap (seclists.org)