Chapter 2 Reconnaissance and Intelligence Gathering Flashcards

1
Q
  • Syslog severity message
  • Immediate action is needed

A

Level 1 Alerts

2
Q

Tool designed to gather email addresses, domain information, hostnames, employee names, and open ports and banners using search engines

A

theHarvester

3
Q

Netstat flag for Linux that shows raw sockets

A

-w

4
Q

Netstat flag for Linux that shows Unix socket connections

A

-X

5
Q

  • Syslog severity message
  • Normal but significant conditions

A

Level 5 Notifications

6
Q

Technique that uses a fingerprint or signature to detect threats

A

Signature Analysis

7
Q

In Windows Event Viewer, where logs are captured when applications are installed

A

Setup logs

8
Q
  • Syslog severity message
  • Warning conditions

A

Level 4 Warnings

9
Q

Technique where the analyst investigates the logs and data themselves in order to detect something

A

Manual analysis

10
Q

Ways to prevent passive reconnaissance

A
  • Blacklisting systems or networks
  • Using CAPTCHAs to prevent bots
  • Providing privacy services that use third-party registration info instead of the actual person or organization registering the domain
  • Rate-limiting lookups
  • Not publishing zone files
11
Q

Relies on logs and other existing data, not probes, to identify targets

A

Passive footprinting

12
Q

Windows, Mac, and Linux tool used to view all network connections on the local host

A

Netstat

13
Q
  • Netstat flag for Windows that shows the process ID of each connection
  • This can be cross-referenced with Windows Task Manager
A

-o

14
Q

Netstat flag for Windows that provides interface statistics

A

-e

15
Q
  • Syslog severity message
  • Error conditions

A

Level 3 Errors

16
Q

Creates a map of an organization's networks, systems, and infrastructure

A

Footprinting

17
Q

Netstat flag for Linux that shows active TCP connections

A

-ta

18
Q

Uses scanning tools to gather information about systems, services, and vulnerabilities

A

Active Reconnaissance

19
Q
  • Syslog severity message
  • Informational messages (default level)

A

Level 6 Informational

20
Q

Ports from 0 to 1023 are known as

A

Well-known ports or System ports

21
Q

Netstat flag for Linux that shows UDP connections

A

-u

22
Q

nslookup flag used to look up DNS record types such as MX, NS, SOA, and ANY

A

-query=(flag)

23
Q

Search engine for internet-connected devices and their vulnerabilities

A

Shodan

24
Q

Ports ranging from 1024 to 49151

A

Registered ports

25
Q
  • Document information such as the author's name, the software used to create the document, revisions, edits, etc.
  • Used in reconnaissance
A

Metadata

26
Q

A geolocation tool that uses social media and file metadata about individuals to provide more information about them

A

Creepy

27
Q
  • Where are DHCP logs for Linux typically found?
  • Bonus: in some distros, how are they viewed instead?

A

/var/log/dhcp.log

Bonus - journalctl command

28
Q

Technique used to identify differences from established patterns or expected behaviors

A

Anomaly Analysis

29
Q

Technique used to predict behaviors based on existing data

A

Trend analysis

30
Q
  • Syslog severity message
  • System is unusable

A

Level 0 Emergencies

31
Q
  • Technique used to detect threats based on behavior
  • Can detect unknown threats in the environment

A

Heuristic or Behavior Analysis

32
Q
  • Syslog severity message
  • Critical conditions

A

Level 2 Critical

33
Q
  • Syslog severity message
  • Debugging messages

A

Level 7 Debugging

34
Q

What are some ways to prevent active reconnaissance?

A
  • Limit external exposure of services
  • Use an IPS or similar control that can limit or stop probes
  • Use monitoring and alerting to notify you
35
Q
  • In Windows Event Viewer, events can be forwarded from one host to another; by default the forwarded events are stored in the Windows Logs > Forwarded Events folder, but a different folder can be specified
  • A subscription is then configured on Host A that allows you to collect the forwarded events
A

Forwarded Event logs