Domain 2: Information Gathering and Vulnerability Scanning

Question 1

What is Reconnaissance?

Answer 1

Learning abiut an organization in a systematic attmept to locate, gather, identify and record information about the target

aka Footprinting

Question 2

What is passive reconaissance?

Answer 2

Investigating the target without activly engaging with the target organizations systems.

Question 3

What is Open-Source Intelligence?

Answer 3

The collection and analysis of data gathered from publicly available sources to produce actionable inteliligence

Question 4

What should you do with reconaissance findings?

Answer 4

Gather and catalog all findings for others to review and use

Useful for when workign as a team.

Question 5

Examples of Open Source Inteligence

Answer 5

• Blogs
• Publications\
• Adverts
• Job Listings
• Metadata
• Website Information

Question 6

Good key details to understand abouut the target organization?

Answer 6

• Roles of different employees
• Different teams and departments
• Contact Information
• Technical Aptitud\e and Security Training
• Employee and Managerial Mindset

Question 7

A linux-based tool that can search the metadata associated with public documents located on a targets website

Security Tool

Obj 2.1

Answer 7

Metagoofil

Question 8

What is Metadata?

Answer 8

The data about the data in the file

Question 9

Used to find metadata and hidden information in collected documents from an organization.

Secuirty Tool

Obj 2.1

Answer 9

Fingerprint Organizations with Collected Archives (FOCA)

Question 10

A program for gathering emails, subdomains, hosts, employee names, email addresses, PGP Key Entires, open ports ans service banner from servers.

Secuirty Tool

Obj 2.1

Answer 10

The Harvester

Question 11

Uses a system of modules to add additional features and functions for your use

Security Tool

Obj 2.1

Answer 11

Recon-NG

Question 12

A website search engine used for finding hosts and networks across the Internet with data abouit their configurations

Secuirty Tool

Obj 2.1

Answer 12

Censys

Question 13

A piece of commercial software used for conducting open-source inteligence that visually helps connect those relationships

Security Tool

Obj 2.1

Answer 13

Maltego

Question 14

A website search engine for web cameras, routers, servers and other devices that are considered part of the internet of things

Secuirty Tool

Obj 2.1

Answer 14

Shodan

Question 15

What is the system that helps network clients find a website using human-readable hostnames instead of numeric IP addresses?

Obj 2.1

Answer 15

Domain Name System (DNS)

Question 16

Links a hostname to an IPv4 address

DNS Record

Obj 2.1

Answer 16

Address (A) Record

Question 17

Links a hostname to a IPv6 address

DNS Record

Obj 2.1

Answer 17

AAAA Record

Question 18

Points a domain to another domain or subdomain

DNS Record

Obj 2.1

Answer 18

Canonical Name (CNAME) Record

Question 19

Directs mail to a mail server

DNS Record

Obj 2.1

Answer 19

Mail Exchange (MX) Record

Question 20

Stores important information about the domain or zone

DNS Record

Obj 2.1

Answer 20

Start of Authority (SOA) Record

Question 21

Correlates an IP Address with a Domain Name

DNS Record

Obj 2.1

Answer 21

Pointer (PTR) Record

Question 22

Adds text into the DNS Record

DNS Record

Obj 2.1

Answer 22

Text (TXT) Record

Question 23

Specifies a host and port for a specific service

DNS Record

Obj 2.1

Answer 23

Service (SVR) Record

Question 24

Indicates which DNS nameserver has the authority

DNS Record

Obj 2.1

Answer 24

Nameserver (NS) Record

Question 25

Which DNS records should a penetration tester focus on durign the recon phase?

Answer 25

MX, TXT and SRV to check for email and third-party SAAS solutions.

Question 26

What is a cross-platform tool used to query the DNS to provide mapping between domain names and IP addresses or other DNS Records? | DNS Tool ## Footnote Obj 2.1

Answer 26

Name Server Lookup (NSLookup)

Question 27

WHat is a command-line tool on Linux which is also a website that is a query and response protocol for Internet resources? | DNS Tool ## Footnote Obj 2.1

Answer 27

Whois

Question 28

What websites allow developers to work together in an agile way to create software very quickly? ## Footnote OBJ 2.1

Answer 28

Public Source Code Repositories ## Footnote Gitlab etc

Question 29

What type of files can be mistakenly classified as public for anyone to find? ## Footnote OBJ 2.1

Answer 29

Private Files

Question 30

What have developers been known to put in public source code repositories? ## Footnote OBJ 2.1

Answer 30

Hard coded credentials & API Keys

Question 31

Where can deleted website data still be know to exist on the internet? ## Footnote OBJ 2.1

Answer 31

Website Archives and Website Caches

Question 32

What open source intelligence techniques use Google Search operators to locate vulnerable web servers and applications?

Answer 32

Google Hacking

Question 33

Which grammar do you use to specify an exact phase to make a search more precise?

Answer 33

Quotes

Question 34

Which Search Engine command uses a minus symbol tin front of a word or quoted phrase to exclude results?

Answer 34

NOT

Question 35

Which logical operators require both search terms?

Answer 35

AND / OR

Question 36

What are different keywords that can be used to select the search such as site, filetype, related, allintitle, allinurl and allinanchor?

Answer 36

Scope

Question 37

What modifiers can be added to the results page to affect the results, such as &pws=0, &filter=0 etc

Answer 37

URL Modifier

Question 38

What activity is performed to identify whether a link is already flagged on an existing reputation list or has a malicious script encoded in it?

Answer 38

URL Analysis

Question 39

What is a set of request methods to indicate the desired action to be performed for a given resource?

Answer 39

HTTP Method

Question 40

Which HTTP method is used to retrieve a resource?

Answer 40

GET

Question 41

Which HTTP method is used to send data to the server for processing by the requested resource?

Answer 41

POST

Question 42

Which HTTP method is used to create or replace the requested resource?

Answer 42

PUT

Question 43

Which HTTP method is used to remove the requested resource?

Answer 43

DELETE

Question 44

Which HTTP method retrieves the headers for a resource only and ignores the body?

Answer 44

HEAD

Question 45

Which character delimits data that is submitted?

Answer 45

?

Question 46

What are usually formatted as one or more name=value pair with & delimitating each pair?

Answer 46

&

Question 47

What mechanism is used to encode 8-bit characters that have specific meaning in the context or URL's also known as URL encoding?

Answer 47

Percent Encoding

Question 48

What checks the validity of certificates or potential vulnerabilities to exploit within the target servers?

Answer 48

Cryptographic Inspection

Question 49

What defines the algorithm supported by the client and server when requesting to use encryption and hashing?

Answer 49

Cipher Suite

Question 50

What can be used to trick the target organizations users?

Answer 50

Falsified digital certificates