Chapter 2 - Reconnaissance Flashcards
Footprinting
Mapping out on a high level what the landscape of the target looks like. Part of reconnaissance.
Footprinting vs Reconnaissance
Recon - Basic gathering of information. Footprinting - Maps out on a high level what the landscape looks like.
Anonymous vs Pseudonymous Footprinting
Anonymous - Information gathering without revealing anything about yourself. Pseudonymous - Making someone else take the blame for your actions
What are the 4 main focuses and benefits of footprinting
1. Know the security posture (footprinting helps) 2. Reduce the focus area (network range, number of targets, etc.) 3. Identify vulnerabilities 4. Draw a network map
Active Footprinting vs. Passive Footprinting
Active - Requires attacker to touch the device or network (social engineering or any other interactions with target) Passive - Measures to collect information from publicly available sources. (Website, DNS, Database)
Competitive Intelligence
Information gathered by a business about its competitors
NetCraft
Search engine tool that provides information about websites and possibly OS info
filetype:type
Google search that searches only for files of a specific type.
“intitle:index of” passwd
Shows pages that contain directory listings with a certain word (passwd)
info:string
Displays information Google stores about the page itself. Ex: info:www.anycomp.com
intitle:string
Search for pages that contain the string in the title
inurl:string
Display pages with the string in the URL
link:string
Displays linked pages based on search terms
related:webpagename
Shows web pages similar to webpagename
site:domain or web page string
Display pages for a specific website or domain holding the search term.
DNS Record Type: SRV
Service - This record defines the hostname and port number of servers providing specific services, such as Directory Services server
DNS Record Type: SOA
Start of Authority - This record identifies the primary name server for the zone. The SOA record contains the hostname of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain
DNS Record Type: PTR
Pointer - This maps an IP address to a hostname (providing for reverse DNS lookups). You don’t absolutely need a PTR record for every entry in your DNS namespace, but these are usually associated with email server records
DNS Record Type: NS
Name Server - This record defines the name servers within your namespace. These servers are the ones that respond to your clients’ requests for name resolution
DNS Record Type: MX
Mail Exchange - This record identifies your email servers within your domain
DNS Record Type: CNAME
Canonical Name - This record provides for domain name aliases within your zone. For example, you may have an FTP service and a web service running on the same IP address. CNAME records could be used to list both within DNS for you.
DNS Record Type: A
Address - This record maps an IP address to a hostname and is used most often for DNS lookups
DNS Poisoning
Changing the cache on a local name server to point to a bogus server instead of the real address
SOA Record Fields
Source Host - Hostname of the primary DNS server. Contact Email - Email for the person responsible for the zone file. Serial Number - Revision number that increments with each change. Refresh Time - Time in which an update should occur. Retry Time - Time that a NS should wait on a failure. Expire Time - Time in which a zone transfer is allowed to complete. TTL - Minimum TTL for records within the zone
IP Address Management: ARIN
North America
IP Address Management: APNIC
Asia Pacific
IP Address Management: RIPE
Europe, Middle East
IP Address Management: LACNIC
Latin America
IP Address Management: AfriNIC
Africa
Web Mirroring
Allows for discreet testing offline
HTTrack
Web Mirroring Tool
Wget
Web Mirroring Tool
Black Widow
Web Mirroring Tool
WebRipper
Web Mirroring Tool
Teleport Pro
Web Mirroring Tool
Backstreet Browser
Web Mirroring Tool
Archive.org
Provides cached websites from various dates which possibly have sensitive information that has been now removed.
Whois
Obtains registration information for a domain
What are two ways to lookup IP Address ranges on a target?
Use a regional registrar to obtain info (www.arin.net), or use tracert (Windows) / traceroute (Linux)
Tracert
Windows command used to trace route paths and transit times. Uses ECHO packets
Traceroute
Linux command used to trace route paths and transit times. Uses UDP packets
OSRFramework
Uses OSINT to get information about a target. Basically a Metasploit for OSINT
Web Spiders
Tool that crawls websites to obtain information from the website, such as its pages, etc.
Maltego
OSINT and forensics application designed explicitly to demonstrate social engineering
Shodan
Search engine that shows devices connected to the internet
What tool would you use to footprint restricted URLs and OS information from a target?
Netcraft
Computer Security Incident Response Team (CSIRT)
Point of contact for all incident response services for associates.