Chapter 4 - Footprinting and Reconnaissance Flashcards
If you were checking on the IP addresses for a company in France, what RIR would you be checking with for details?
A. ARIN
B. RIPE
C. AfriNIC
D. LACNIC
B. RIPE
France is in Europe, and as such, it falls under the jurisdiction of RIPE. ARIN handles North America. AfriNIC handles Africa, and LACNIC handles Latin America and parts of the Caribbean.
You need to identify all Excel spreadsheets available from the company Example, Inc., whose domain is example.com. What search query would you use?
A. site:example.com files:pdf
B. site:excel files:xls
C. domain:example.com filetype:xls
D. site:example.com filetype:xls
D. site:example.com filetype:xls
The keyword site indicates the site (or domain) you want to search in. You need to provide either a domain, which would catch all FQDNs in that domain that were available in the search database, or a specific hostname. The keyword filetype indicates the file extension for the results. This keyword requires that a file extension be provided. There is no files or domain keyword that can be used in Google or other search engines.
If you found a colleague searching at pgp.mit.edu, what would they likely be looking for?
A. Email addresses
B. Company keys
C. Executive names
D. Privacy policies
A. Email addresses
PGP uses public servers and shared verification to store and validate keys and key ownership. Keys are owned by individuals as a general rule. If someone were searching at pgp.mit.edu, they would likely be looking for people and, most specifically, email addresses.
The DNS server where records for a domain belonging to an organization or enterprise reside is called the ____________ server.
A. Caching
B. Recursive
C. Authoritative
D. Local
C. Authoritative
A local caching server is what most people use to perform DNS lookups from their systems to get better performance. Recursion is the process used to look up DNS addresses from a caching server. Eventually, the caching server would ask an authoritative server for the information.
What information could you get from running p0f?
A. Local time
B. Remote time
C. Absolute time
D. Uptime
D. Uptime
p0f can provide the uptime for some systems. Packets don’t include any time information, so it’s not possible to gather local or remote time. Absolute time would be based in a particular time zone, and time zones aren’t communicated at the Network or Data Link layers.
What strategy does a local, caching DNS server use to look up records when asked?
A. Recursive
B. Serial
C. Combinatorics
D. Bistromathics
A. Recursive
DNS requests from a local caching server start with the cache and then move to root servers and then subsequent servers, always getting closer to the final destination. This process of asking a question, getting an answer, and asking again using the new information is called recursion. Neither serial nor combinatorics make sense in this context, and bistromathics is a field of study invented by Douglas Adams for the book Life, the Universe and Everything.
What would you use a job listing for when performing reconnaissance?
A. Executive staff
B. Technologies used
C. Phishing targets
D. Financial records
B. Technologies used
It would be unusual to find executive staff identified in a job listing. It may be possible to get phishing targets, but it’s not guaranteed, and a single individual usually isn’t identified. No financial records would be available in a job listing. Technologies used at a company, though, would be identified to ensure that the applicant has the right experience.
What tool could be used to gather email addresses from PGP servers, Bing, Google, or LinkedIn?
A. whois
B. dig
C. netstat
D. theHarvester
D. theHarvester
whois is used to inquire about domains, IP addresses, and other related information. dig is used to issue queries to DNS servers. netstat is used for network statistics. theHarvester, though, can be used to search across multiple sources, including Bing, Google, PGP servers, and LinkedIn.
What social networking site would be most likely to be useful in gathering information about a company, including job titles?
A. Twitter
B. LinkedIn
C. Foursquare
D. Facebook
B. LinkedIn
While the others may include details about companies, only LinkedIn is primarily used as a business social networking site. People who have profiles there would list job titles, and job searches would indicate openings, including job titles.
You see the following text written down—port:502. What does that likely reference?
A. Shodan search
B. I/O search
C. p0f results
D. RIR query
A. Shodan search
Shodan is a website you would use to look for IoT devices. The query language is similar to that used by Google, except it has additional keywords that could be used to identify network traffic. This may include port numbers. p0f is used for passive network traffic analysis. You might query an RIR for information about an IP address block. The domain name for Shodan is shodan.io, but there is no I/O search.
What would you use Wappalyzer for?
A. Analyzing web headers
B. Analyzing application code
C. Identifying web headers
D. Identifying web technologies
D. Identifying web technologies
Wappalyzer is an extension for the Chrome browser that can be used to identify technologies used in a website. It will, in part, use HTTP headers, but it doesn’t identify the headers. It’s also not used for analyzing web headers because there is more to what Wappalyzer does than that. It may look at some pieces of application code to get frameworks that are used, but it doesn’t analyze application code in the traditional sense of application code analysis.
What technique would you ideally use to get all the hostnames associated with a domain?
A. DNS query
B. Zone copy
C. Zone transfer
D. Recursive request
C. Zone transfer
A DNS query can be used to identify an IP address from a hostname or vice versa. You could potentially use a brute-force technique to identify hostnames, though you may not get everything using that method. A recursive request is common from a caching server to get an authoritative response. The term for getting all the contents of the zone is a zone transfer.
What would you be looking for with the filetype:txt Administrator:500: Google query?
A. Text files owned by the administrator
B. Administrator login from file
C. Text files including the text Administrator:500:
D. 500 administrator files with text
C. Text files including the text Administrator:500:
Google uses the keyword filetype: to identify filename extensions that should be searched. Administrator: is not a keyword, which means Administrator:500: is the search term that Google would use along with the filetype of txt, which would mean text files.
What information would you not expect to find in the response to a whois query about an IP address?
A. IP address block
B. Domain association
C. Address block owner
D. Technical contact
B. Domain association
When you run a whois query against an IP address, you will get the block the address belongs to, the owner of the block, and the technical contact. You will also get address information and possibly additional information. You will not get an association between a domain and the address block. This may be something you might infer, but it is not something that the results provide for you.
What command would you use to get the list of mail servers for a domain?
A. whois mx zone=domain.com
B. netstat zone=domain.com mx
C. dig domain.com @mx
D. dig mx domain.com
D. dig mx domain.com
The command whois would be used to query the RIR for information about an IP address block. It could also be used to identify information about a domain. The program netstat is used for network statistics. dig can be used, but when you provide the @ parameter, it would be followed by the name server you want to query. The correct way to look for name server records is to use ns as the record type. When you are looking for mail servers, you would look for the mx record type.