Domain 2: Information Gathering and Vulnerability Scanning Flashcards
Information Gathering and Vulnerability Scanning
What is Reconnaissance?
Learning about an organization in a systematic attempt to locate, gather, identify and record information about the target
aka Footprinting
What is passive reconnaissance?
Investigating the target without actively engaging with the target organization's systems.
What is Open-Source Intelligence?
The collection and analysis of data gathered from publicly available sources to produce actionable intelligence
What should you do with reconnaissance findings?
Gather and catalog all findings for others to review and use
Useful when working as a team.
Examples of Open Source Intelligence
- Blogs
- Publications
- Adverts
- Job Listings
- Metadata
- Website Information
Good key details to understand about the target organization?
- Roles of different employees
- Different teams and departments
- Contact Information
- Technical Aptitude and Security Training
- Employee and Managerial Mindset
A Linux-based tool that can search the metadata associated with public documents located on a target's website
Security Tool
Obj 2.1
Metagoofil
What is Metadata?
The data about the data in the file
Used to find metadata and hidden information in collected documents from an organization.
Security Tool
Obj 2.1
Fingerprint Organizations with Collected Archives (FOCA)
A program for gathering emails, subdomains, hosts, employee names, email addresses, PGP key entries, open ports and service banners from servers.
Security Tool
Obj 2.1
The Harvester
Uses a system of modules to add additional features and functions for your use
Security Tool
Obj 2.1
Recon-NG
A website search engine used for finding hosts and networks across the Internet with data about their configurations
Security Tool
Obj 2.1
Censys
A piece of commercial software used for conducting open-source intelligence that visually helps connect relationships between the gathered entities
Security Tool
Obj 2.1
Maltego
A website search engine for web cameras, routers, servers and other devices that are considered part of the internet of things
Security Tool
Obj 2.1
Shodan
What is the system that helps network clients find a website using human-readable hostnames instead of numeric IP addresses?
Obj 2.1
Domain Name System (DNS)
Links a hostname to an IPv4 address
DNS Record
Obj 2.1
Address (A) Record
Links a hostname to an IPv6 address
DNS Record
Obj 2.1
AAAA Record
Points a domain to another domain or subdomain
DNS Record
Obj 2.1
Canonical Name (CNAME) Record
Directs mail to a mail server
DNS Record
Obj 2.1
Mail Exchange (MX) Record
Stores important information about the domain or zone
DNS Record
Obj 2.1
Start of Authority (SOA) Record
Correlates an IP Address with a Domain Name
DNS Record
Obj 2.1
Pointer (PTR) Record
Adds text into the DNS Record
DNS Record
Obj 2.1
Text (TXT) Record
Specifies a host and port for a specific service
DNS Record
Obj 2.1
Service (SRV) Record
Indicates which DNS nameserver has the authority
DNS Record
Obj 2.1
Nameserver (NS) Record
Which DNS records should a penetration tester focus on during the recon phase?
MX, TXT and SRV to check for email and third-party SaaS solutions.
What is a cross-platform tool used to query the DNS to provide mapping between domain names and IP addresses or other DNS Records?
DNS Tool
Obj 2.1
Name Server Lookup (NSLookup)
What is a command-line tool on Linux, also available as a website, that implements a query and response protocol for looking up registration information about Internet resources?
DNS Tool
Obj 2.1
Whois
What websites allow developers to work together in an agile way to create software very quickly?
OBJ 2.1
Public Source Code Repositories
e.g. GitLab
What type of files can be mistakenly classified as public for anyone to find?
OBJ 2.1
Private Files
What have developers been known to put in public source code repositories?
OBJ 2.1
Hard coded credentials & API Keys
Where can deleted website data still be known to exist on the Internet?
OBJ 2.1
Website Archives and Website Caches
What open source intelligence techniques use Google Search operators to locate vulnerable web servers and applications?
Google Hacking
Which grammar do you use to specify an exact phrase to make a search more precise?
Quotes
Which search engine command uses a minus symbol in front of a word or quoted phrase to exclude results?
NOT
Which logical operators require both search terms?
AND / OR
What are the different keywords that can be used to narrow the search, such as site, filetype, related, allintitle, allinurl and allinanchor?
Scope
What modifiers can be added to the results page URL to affect the results, such as &pws=0, &filter=0, etc.?
URL Modifier
What activity is performed to identify whether a link is already flagged on an existing reputation list or has a malicious script encoded in it?
URL Analysis
What is a set of request methods to indicate the desired action to be performed for a given resource?
HTTP Method
Which HTTP method is used to retrieve a resource?
GET
Which HTTP method is used to send data to the server for processing by the requested resource?
POST
Which HTTP method is used to create or replace the requested resource?
PUT
Which HTTP method is used to remove the requested resource?
DELETE
Which HTTP method retrieves the headers for a resource only and ignores the body?
HEAD
Which character delimits data that is submitted?
?
Query strings are usually formatted as one or more name=value pairs; which character delimits each pair?
&
What mechanism is used to encode 8-bit characters that have specific meaning in the context of URLs, also known as URL encoding?
Percent Encoding
What checks the validity of certificates or potential vulnerabilities to exploit within the target servers?
Cryptographic Inspection
What defines the algorithm supported by the client and server when requesting to use encryption and hashing?
Cipher Suite
What can be used to trick the target organization's users?
Falsified digital certificates