Chapter 2 - Reconaissance Flashcards
Footprinting
Mapping out on a high level what the landscape of the target looks like. Part of reconaissance.
Footprinting vs Reconaissance
Recon - Basic gathering of information. Footprinting - Maps out on a high level what the landscape looks like.
Anonymous vs Pseudonymous Footprinting
Anonymous - Information gathering without revealinbg anything about yourself. Pseudonymous - Making someone else take the blame for your actions
What are the 4 main focuses and benefits of footprinting
- Know the security posture (footprinting helps) 2. Reduce thefocus area (network range, number of targets, etc.) 3. Identify vulnerabilities 4. Draw a network map
Active Footprinting vs. Passive Footprinting
Active - Requires attacker to touch the device or network (social engineering or any other interactions with target) Passive - Measures to collect information from publicly available sources. (Website, DNS, Database)
Competitive Intelligence
Information gathered by business about competitors
NetCraft
Search Engine tool that provides information about websites and possibly OS info
filetype:type
Google search that searches only for files of a specific type.
“intitle:index of” passwd
show pages that show directory listings containing a certain word (passswd)
info:string
Displays information Google stores about the page itself. Ex: info:www.anycomp.com
intitle:string
Search forpages that contain the string in the title
Inurl:striing
Display pages with the string in the URL
link:string
Displays linked pages based on search terms
related:webpagename
Shows web pages similar to webpagename
site:domain or web page string
Display pages for a specific website or domain holding the search term.
DNS Record Type: SRV
Service - This record defines the hostname and port number of servers providing specific services, such as Directory Services server
DNS Record Type: SOA
Start of Authority - This record identifies the primary name server for the zone. The SOA record contains the hostname of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain
DNS Record Type: PTR
Pointer - This maps an IP address to a hostname (providing for reverse DNS lookups). You don’t absolutely need a PTR record for every entry in your DNS namepsace but these are usually associated with email server records
DNS Record Type: NS
Name Server - This record defines the name servers within your namespace. These servers are the ones that respond to your clients’ requests for name resolution
DNS Record Type: MX
Mail Exchange - This record identifies your email servers within your domain
DNS Record Type: CNAME
Canonical Name - This record provides for domain name aliases within your zone. For example, you may have an FTP service and a web service running on the same IP address. CNAME records could be used to list both within DNS for you.
DNS Record Type: A
Address - This record maps an IP address to a hostname and is used most often for DNS lookups
DNS Poisoning
Changing the cache on a local name server to point to a bogus server instead of the real address
SOA Record Fields
Source Host - Hostname of primary DNS. Contact Email - email for the person responsible for the zone file. Serial Number - Revision number that increments with each change. Refresh Time - Time in which an update should occur. Retry Time - time that a NS should wait on a failure. Expire Time - time in which a zone transfer is allowed to complete. TTL - Minimum TTL for records within zone
