Chapter 2 - Reconaissance

Question 1

Footprinting

Answer 1

Mapping out on a high level what the landscape of the target looks like. Part of reconaissance.

Question 2

Footprinting vs Reconaissance

Answer 2

Recon - Basic gathering of information. Footprinting - Maps out on a high level what the landscape looks like.

Question 3

Anonymous vs Pseudonymous Footprinting

Answer 3

Anonymous - Information gathering without revealinbg anything about yourself. Pseudonymous - Making someone else take the blame for your actions

Question 4

What are the 4 main focuses and benefits of footprinting

Answer 4

1. Know the security posture (footprinting helps) 2. Reduce thefocus area (network range, number of targets, etc.) 3. Identify vulnerabilities 4. Draw a network map

Question 5

Active Footprinting vs. Passive Footprinting

Answer 5

Active - Requires attacker to touch the device or network (social engineering or any other interactions with target) Passive - Measures to collect information from publicly available sources. (Website, DNS, Database)

Question 6

Competitive Intelligence

Answer 6

Information gathered by business about competitors

Question 7

NetCraft

Answer 7

Search Engine tool that provides information about websites and possibly OS info

Question 8

filetype:type

Answer 8

Google search that searches only for files of a specific type.

Question 9

“intitle:index of” passwd

Answer 9

show pages that show directory listings containing a certain word (passswd)

Question 10

info:string

Answer 10

Displays information Google stores about the page itself. Ex: info:www.anycomp.com

Question 11

intitle:string

Answer 11

Search forpages that contain the string in the title

Question 12

Inurl:striing

Answer 12

Display pages with the string in the URL

Question 13

link:string

Answer 13

Displays linked pages based on search terms

Question 14

related:webpagename

Answer 14

Shows web pages similar to webpagename

Question 15

site:domain or web page string

Answer 15

Display pages for a specific website or domain holding the search term.

Question 16

DNS Record Type: SRV

Answer 16

Service - This record defines the hostname and port number of servers providing specific services, such as Directory Services server

Question 17

DNS Record Type: SOA

Answer 17

Start of Authority - This record identifies the primary name server for the zone. The SOA record contains the hostname of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain

Question 18

DNS Record Type: PTR

Answer 18

Pointer - This maps an IP address to a hostname (providing for reverse DNS lookups). You don’t absolutely need a PTR record for every entry in your DNS namepsace but these are usually associated with email server records

Question 19

DNS Record Type: NS

Answer 19

Name Server - This record defines the name servers within your namespace. These servers are the ones that respond to your clients’ requests for name resolution

Question 20

DNS Record Type: MX

Answer 20

Mail Exchange - This record identifies your email servers within your domain

Question 21

DNS Record Type: CNAME

Answer 21

Canonical Name - This record provides for domain name aliases within your zone. For example, you may have an FTP service and a web service running on the same IP address. CNAME records could be used to list both within DNS for you.

Question 22

DNS Record Type: A

Answer 22

Address - This record maps an IP address to a hostname and is used most often for DNS lookups

Question 23

DNS Poisoning

Answer 23

Changing the cache on a local name server to point to a bogus server instead of the real address

Question 24

SOA Record Fields

Answer 24

Source Host - Hostname of primary DNS. Contact Email - email for the person responsible for the zone file. Serial Number - Revision number that increments with each change. Refresh Time - Time in which an update should occur. Retry Time - time that a NS should wait on a failure. Expire Time - time in which a zone transfer is allowed to complete. TTL - Minimum TTL for records within zone

Question 25

IP Address Management: ARIN

Answer 25

North America

Question 26

IP Address Management: APNIC

Answer 26

Asia Pacific

Question 27

IP Address Management: RIPE

Answer 27

Europe, Middle East

Question 28

IP Address Management: LACNIC

Answer 28

Latin America

Question 29

IP Address Management: AfriNIC

Answer 29

Africa

Question 30

Web Mirroring

Answer 30

Allows for discrete testing offline

Question 31

HTTrack

Answer 31

Web Mirroring Tool

Question 32

Wget

Answer 32

Web Mirroring Tool

Question 33

Black Widow

Answer 33

Web Mirroring Tool

Question 34

WebRipper

Answer 34

Web Mirroring Tool

Question 35

Teleport Pro

Answer 35

Web Mirroring Tool

Question 36

Backstreet Browser

Answer 36

Web Mirroring Tool

Question 37

Archive.org

Answer 37

Provides cached websites from various dates which possibly have sensitive information that has been now removed.

Question 38

Whois

Answer 38

obtains registration information for the domain

Question 39

What are two ways to lookup IP Address ranges on a target?

Answer 39

Use regional registrar to obtain info (www.arin.net), or use Tracert (Windows)/ Traceroute (linux)

Question 40

Tracert

Answer 40

windows command used to route paths and transit times. USES ECHO packets

Question 41

Traceroute

Answer 41

Linux command used to route paths and transit times. USES UDP

Question 42

OSRFramework

Answer 42

Uses OSINT to get information about target. Basically a Metasploit for OSINT

Question 43

Web Spiders

Answer 43

Tool that crawls websites to Obtain information from the website such as pages, etc.

Question 44

Maltego

Answer 44

OSINT and forensics application designed explicitly to demonstrate social engineering

Question 45

Shodan

Answer 45

Search engine that shows devices connected to the internet

Question 46

What tool would you use to footprint restricted URLs and OS information from a target?

Answer 46

Netcraft

Question 47

Computer Security Incident Response Team (CSIRT)

Answer 47

Point of contact for all incident response services for associates.