Chapter 3, reconnaissance and intelligence gathering

Question 1

what is the first step when gathering organizational intelligence?

Answer 1

identifying the organization’s technical footprint.

Question 2

Host enumeration creates a map of an organizations networks, systems and other infrastructure. Active reconnaissance uses ___ ____ ____ to help achieve this

Answer 2

host scanning tools

Question 3

Testers can gain an understanding of the network topology based on the ? and other network responses

Answer 3

time to live

Question 4

what can stop nmap getting results from the network? How else might you get the information?

Answer 4

firewalls can stop traffic

you can try passive footprinting instead

Question 5

When laying out the systems discovered in a scan, it is important to lay them out according to what and what?

Answer 5

the network addresses and TTL

Question 6

Name 3 common variables to consider when scanning a network

Answer 6

whether networks are wired or wireless
whether systems and network devices are physical or virtual
whether systems are on-prem or in the cloud

Question 7

what must you consider before scanning a cloud service?

Answer 7

contracts or agreements that would prohibit you from performing scans

Question 8

Documenting what you know about the networks and systems you’re scanning is important because?

Answer 8

you can then consider how they could impact the data you gather and the techniques you use.

Question 9

what is often the first step in active reconnaissance?

Answer 9

port scanning

Question 10

what reconnaissance tool can assist security audits and the testing the security of devices?

Answer 10

port scanners

Question 11

list 3 ways to carry out service identification

Answer 11

1) grabbing the banner page
2) view the connection information provided by the service
3) comparing the responses to signatures of known services

Question 12

which free, open source tool is the most commonly used command-line port scanner?

Answer 12

nmap

Question 13

do you always need an OS identification scan to identify the OS in nmap?

Answer 13

No. You can determine from the ports listed on what OS they are on

Question 14

What is the most popular nmap scan method and why?

Answer 14

TCP SYN method. It verifies the services response. It’s quick and unobtrusive

Question 15

you are doing active reconnaissance and want to find out firewall rules, what type of scan could you use?

Answer 15

ACK scan using nmap

Question 16

Which utility sends out network device logs to a central Network Management Server?

Answer 16

syslog utility

Question 17

you want to find information about what systems interact with a network device and administrative and user account details. Where would you check?

Answer 17

in the network device configuration files

Question 18

you want to see traffic flow and volume on a Cisco network, what two elements can achieve this?

Answer 18

Netflow protocol and a netflow analyzer

Question 19

if you can see the firewall logs, but not the configuration file, can you still determine what the rules are?

Answer 19

Yes the rules can be reverse engineered

Question 20

Why is DNS data one of the first places to go for passive footprinting?

Answer 20

it’s publically available and you can easily connect other information to an organization using the whois lookup

Question 21

How might you get information about an organizations external network connectivity?

Answer 21

using BGP looking glasses

Question 22

Domain registrars do what? Who accredits them and who do they work with?

Answer 22

They manage domain names and provide the interface between customers and the domain registries
They are accredited by domain registries and work with them to provide registration services.

Question 23

Who handles domain renewals and transfers of domains, domain registries or domain registrars?

Answer 23

domain registrars

Question 24

what is the DNS root zone and who manages it

Answer 24

The root zone handles the assignments of gTLDs and ccTLDs. It’s managed by the IANA

Question 25

Which organizations have authority over DNS Root Zones? How many are there? What common lookup service do they provide?

Answer 25

Regional Internet Registries.
there are 5
They provide the WHOIS service to lookup the identity of the assigned users IP space

Question 26

What clues can DNS entries provide? What command do you use?

Answer 26

hostnames, which can provide clues as to the service or applications running on them.
nslookup

Question 27

How would you discover further DNS service following a whois lookup? Then what

Answer 27

Active port scanning for UDP/TCP 53
passively looking at network traffic logs
checking if zone transfers are possible

Question 28

Describe DNS brute forcing

Answer 28

sending DNS queries for each IP that the organization uses.

Question 29

what activity can obtain the SOA record, the wait time between name changes, minimum TTL for the domain and primary name servers?

Answer 29

DNS zone transfers

Question 30

which Python tool is a mixture of passive and active gathering and works by hijacking responses to broadcast events?

Answer 30

Responder

Question 31

What aggregation tool would you use to see relationships maps between people and their ties to other resources?

Answer 31

Maltego

Question 32

What analysis tool allows you to search internet connected devices and their vulnerabilities?

Answer 32

Shodan

Question 33

what aspects of passive footprinting isn’t not possible to get from an external network only?

Answer 33

Getting DHCP/firewall/other network device logs and configurations.
Getting system logs.

Question 34

Name one method to prevent your electronic documents from revealing useful information?

Answer 34

Using metadata scrubbing utilities

Question 35

What do companies have to be aware of when it comes to websites and information gathering?

Answer 35

caching of previous website versions that may contain data they no longer want public

Question 36

Which two popular services allow you to view previous versions of a company’s website?

Answer 36

Internet Archive and the Time Travel Service

Question 37

Social media profiling may be paired with what for a more in-depth analysis?

Answer 37

Information to databases that provide paid access to information gathered about individuals.

Question 38

Which 3 tools can help with conducting social engineering attacks?

Answer 38

1) The Social Engineering Toolkit
2) Creepy, geolocation tool
3) Metasploit, for phishing et al

Question 39

What’s the first step in protecting against reconnaissance? Where on the network do you apply it for the most benefit?

Answer 39

Data capture
monitoring at the connection points between zones
monitoring where data sensitivity / privileged zones meet

Question 40

Which 4 types security devices would you use to collect data to detect reconnaissance? What tools can they provide?

Answer 40

IDS/IPS,NIDS,HIDS

They provide packet analysis, protocol analysis and traffic and flow analysis capability.

Question 41

What’s the problem with reconnaissance detection and hosted services? What should you ensure the host has?

Answer 41

It’s hard to detect and you’re relying on what the host has in place to protect against it.
You should the ensure the host has regular external security audits

Question 42

List the 4 types of data analysis methods you could use after capturing data to detect reconnaissance?

Answer 42

Anomaly
Trend
signature Analysis
Heuristic or behavioral
manual

Question 43

Which analysis method do IDSs and IPSs use?

Answer 43

anomaly detection

Question 44

deploying _____ defense in-depth can limit ____ reconnaissance

Answer 44

network defense in-depth

active reconnaissance

Question 45

Complete the 3 statements on defenses against active reconnaissance
Limiting _______ exposure of services and knowing your _____ footprint
Using an ____ or similar to stop probes
Using _______ and ______ systems to notify you about events that the other two techniques might miss

Answer 45

limiting external exposure, knowing you external footprint

Using an IPS

Using monitoring and alerting systems

Question 46

preventing passive reconnaissance relies on you doing what?

Answer 46

controlling the information you release

Question 47

List anti-DNS harvesting techniques

Answer 47

blacklisting to prevent abuse of the service
using captcha to prevent bots
using 3rd party domain registration services that hide the actual owner of the domain
implementing rate limiting to reduce the rate of lookups
not publishing zone files if possible

Question 48

what pro-active measure can help you understand your footprint thus potential areas of exposure to prevent reconnaissance?

Answer 48

pen-testing