Information Gathering and Vulnerability Scanning Flashcards
What is the process of collecting as much information as you can about a target?
Reconnaissance
When do pentesters typically conduct reconnaissance?
During the planning, initial access, and post-exploitation phases of pentesting.
What is the process of assessing a target to collect preliminary knowledge about it without actively engaging it or its assets?
Passive reconnaissance
Which information gathering technique involves expanding your knowledge of hostnames in use, breadth of network, and even information about some technical contacts within an organization?
DNS Recon
What can you use to validate ownership of an IP address in your scope list?
The regional internet registry (RIR) like ARIN (for America)
What are some command-line tools you can use to access information from DNS?
Commands such as dig or whois.
What tool can you use to resolve the name of a domain to an IP address?
nslookup
Which open-source Python framework is often included in Kali and is a powerful tool with independent modules and a database for storing engagement information during recons?
Recon-ng
Which Python-based framework is useful for DNS recon, can be both active and passive, and can help gather information from webpages to discover domains, subdomains, and email addresses?
theHarvester
What is an open-source framework that pentesters can use to aid in data mining process? It is a static web page focused on information gathering and provides web links and resources.
OSINT Framework
What is an interactive data mining software tool that can help users visualize and analyze relationships using publicly accessible data from the Internet?
Maltego
What is an automated discovery process that can help identify metadata and property information stored in the file info of Microsoft Products?
FOCA (Fingerprinting Organizations with Collected Archives)
What is the name for queries you can use to find data about your targets?
Dorks
What is an open-source repository where people can share source codes and collaborate with others?
GitHub
Which tool was created by the University Of Michigan in 2015 and allows you to query host and certificate information from Internet-wide scans using full-text searches or field-base searches with regex and logic operators enriching your queries?
Censys
Which search engine scans the entire Internet, parsing banners for services and categorizing the data returned by each device?
Shodan
What is defined by actively engaging a target to detect open ports, web pages, services, and exploitable weaknesses?
Active reconnaissance
What is the command-line tool that utilizes various network protocols and advanced features for surveying hosts for open TCP and UDP ports, fingerprinting operating systems, extracting service banners, and much more?
NMAP
What is a simple method of determining if a host is alive on a network?
A ping scan
What kind of scan can you run on a local network to perform host discovery using MAC addresses?
An ARP scan, like arp -a
What type of port scan provides little reliability as to whether a port is available over a network?
UDP Scan
What are the three states of a port, as returned by a port scan?
Open, Closed, Filtered
Which ports range from 0 - 1023, require root/system-level privileges with the OS, and host standardized application services across operating system platforms?
System ports
Which ports range from 1024 - 49151, are user-level, and host applications that do not require elevated privileges to run?
Registered ports
Which protocol is connection-oriented and offers reliable data exchange between two network hosts?
Transmission Control Protocol (TCP)
What is key about a TCP “half-open” scan?
It never completes the three-way handshake in the SYN process
What kind of attack harnesses half-open scans as a form of denial of service?
SYN flood
What is the extended framework in Nmap written in Lua to help automate a variety of networking tasks, including the ability to write scripts to tinker with and finagle network services?
Nmap Scripting Engine (NSE)
What is the most basic way to identify a web server?
Look at the Server field in the HTTP response headed.
What is on eof the most useful and underrated tools available to open a TCP connection to a remote host, to include a database server?
netcat
What is the process of ingesting a web page and following all of the links on that page, and sublinks, and so on?
Crawling
What is the process of looking at the content of a known web page to gather terms and information from the site for analysis?
Scraping
What is a Java-based framework that can be used to find other pages that may not be directly linked on a webpage that you are crawling?
DirBuster
Which file is found at the top-level directory of a host and is used to restrict web indexing capabilities from web crawlers like Google or Bing?
robots.txt
What are the three types of APIs (Application Programming Interface)?
Local, Web, and Program
What kind of security devices are designed to intercept web requests and block common attack patterns?
Web application firewalls (WAFs)
Which kind of web load balancer takes traffic requests and sends them to a pool of systems, one at a time?
Round-robin
Which kind of web load balancer frequently generates and stores some form of session variable and uses that to determine the target system for a given session?
Persistent, and is more likely to be abused
What is the process of inspecting an information system for known security weaknesses?
Vulnerability scanning
Which remote vulnerability scanning tool helps automate vulnerability scanning and is one of the most popular commercial products on the market?
Tenable Nessus
Which organization provides best-practice security configuration baselines that can be used to apply configuration guidance to safeguard operating systems, software, and networks?
Center for Internet Security (CIS)
Which standard defines vulnerabilities as “a weakness in computational logic found in software and hardware components that, when exploited, results in a negative impact to CIA”?
Common Vulnerabilities & Exposures (CVE)
What is the de facto standard for documenting publicly disclosed vulnerabilities?
The CVE Dictionary
Which organization maintains the National Vulnerability Database (NVD)?
NIST
Which database documents analysis on vulnerabilities that have been published in the CVE dictionary, using the Common Vulnerability Scoring System (CVSS)?
National Vulnerability Database (NVD)
Which calculator is a comprehensive tool that uses qualitative factors within an equation to severity ratings, given certain environmental conditions?
The Common Vulnerability Scoring System (CVSS)
Nessus plugins are written in which type of proprietary language?
Nessus Attack Scripting Language (NASL)
Which Nmap script could you use to enumerate popular web directories from the service hosted on port 80?
http-enum