Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CEH V11 > MOD2: Footprinting and Recon > Flashcards

MOD2: Footprinting and Recon Flashcards

1
Q

Information obtained in footprinting.

A
  1. Organizational info –> ex Employee details is most important
  2. Network Info –> DNS, IP addresses etc,
  3. System info –> users and pws, OS, location of web servers
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Footprinting using Google Hacking techniques:

What type of information does [cache:] provide?

A

Displays the web pages stored in the Google cache.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Footprinting using Google Hacking techniques:

What type of information does [link:] provide?

A

Lists web pages that have links to the specified web pages.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Footprinting using Google Hacking techniques:

What type of information does [related:] provide?

A

Lists web pages that are similar to the specified web pages.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Footprinting using Google Hacking techniques:

What type of information does [info:] provide?

A

Presents some information that Google has about a particular web page.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Footprinting using Google Hacking techniques:

What type of information does [site:] provide?

A

Restricts the results to those websites in the given domain.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Footprinting using Google Hacking techniques:

What type of information does [intitle:] provide?

A

Restricts the results to documents containing the search keyword in the title.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Footprinting using Google Hacking techniques:

What type of information does [allintitle:] provide?

A

Restricts the results to those websites containing all the search keywords in the title.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Footprinting using Google Hacking techniques:

What type of information does [allinurl:] provide?

A

Restricts the results to those containing all the search keywords in the URL.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Footprinting using Google Hacking techniques:

What type of information does [inurl:] provide?

A

Restricts the results to documents containing the search keyword in the URL.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Footprinting using Google Hacking techniques:

What type of information does [location:] provide?

A

Finds information for a specific location.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

You can do Google search queries for VoIP and VPN footprinting.
True / False.

A

True.

You can check out Google Dork, where they provide predefined search queries and the description for each.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Name 1 meta search engine that uses other search engines (Google, Bing, etc) to produce their own results from the internet.

A

“Startpage” or “Metager”.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What is a FTP (File Transfer Protocol) search engine?

A

A global File Search Engine that lets you search images, videos, music, folders, disc images, compressed files, regular files.

People in today’s day are still using FTP search engines to send and receive files however it’s not as secure as today’s security products.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What information can you find at Netcraft.com?

A

Top level domains (TLD) and sub-domains.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What 2 tools are useful to enumerate on LinkedIn to find employees of target companies along with their job titles?

A

“theHarvester” and “Email Spider”.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is an example of a whaling attack?

A

Going after the executive.

FYI: Attackers can go through Google to find financial services details for the target company.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What is the Deep Web?

A

It consists of web pages and contents that ARE HIDDEN and UNINDEXED and cannot be located using traditional web browsers and search engines.
It can be accessed by the Tor Browser and the WWW Virtual Library.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What is the Darknet?

A

It is a subset of the deep web that enables ANYONE to navigate ANONYMOUSLY without being traced.
It can be accessed by browsers like Tor Browser, Freenet, GNUnet, I2P, and Retroshare.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What kind of information can attackers find on the deep and dark net?

A

They can use searching tools such as Tor Browser and ExoneraTor to gather confidential information about the target.
This includes: Social Security Numbers (SSNs), credit card details, passport information, identification card details, medical records, social media accounts, etc.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Name 2 sites that help determine the OS by finding connected devices (such as routers, servers, IoT, etc).

A

“SHODAN” and “Censys”.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What is competitive intelligence gathering?

A

Gathering information about your competitor.

This is passive information gathering.

23
Q

Competitive Intelligence Gathering: what are some information resource sites for determining how a company began /developed?

A
  • EDGAR Database
  • D & B Hoovers
  • LexisNexis
  • Business Wire
24
Q

Competitive Intelligence Gathering: what are some information resource sites for determining what the company’s plans are?

A
  • MarketWatch
  • The Wall Street Transcript
  • Alexa
  • Euromonitor
25
Competitive Intelligence Gathering: what are some information resource sites for determining what experts say about the company?
- SEMRush - AttentionMeter - ABI/INFORM Global - SimilarWeb
26
What tool is used to search a vast number of social networking sites for a target username?
Sherlock.
27
What is the benefit of web mirroring (using a tool like HTTrack, Web Site Copier, NCollector Studio) for attackers?
Any of these tools can be used to download a copy of the website to a local directory, recursively building all directories, HTML, images, flash, videos, and other files from the server to your company.
28
What is the benefit of using archive.org for attackers?
They can see a timeline of websites evolve. Sometimes even find comments in the source code that can be helpful for gathering more information, especially using the Wayback Machine. It can also help to determine internal and external links.
29
What tool is used by attackers to gather a list words from the target website?
CeWL. This tool helps attackers gather a list of words available on the target website to brute-force the email addresses gathered through search engines, social networking sites, web spidering, etc. ex. cewl www.certifiedhacker.com
30
What tool is used to extract metadata of public documents?
Tool: Metagoofil (this tool extracts metadata of public documents such as pdf, doc, xls, ppt, docx, pptx, xlsx, etc) Another tool: Exiftool Attackers use this to gather useful information that resides in the organization's website in the form of PDF documents, Microsoft word files, etc.
31
What are other techniques for website footprinting?
- monitor web pages for updates/changes (Tool example: WebSite-Watcher, VisualPing) - search for contact info, email addresses, telephone numbers from company websites - search for web pages posting patterns / revision numbers - monitor website traffic of target company (Tool example: Web-Stat, Alexa, Monitis)
32
What type of information can email tracking tools provide?
Tools: eMailTrackerPro, Infoga, Mailtrack, PoliteMail Allows the attacker to track an email and extract information such as: sender identity, mail server, sender's IP address, location, OS details, geolocation. eMailTrackerPro analyses email headers and reveals information such as sender's geographic location and IP address.
33
Who maintains the Whois databases?
Regional Internet Registries.
34
What information does the Whois databases contain?
``` Personal information of domain owners. This includes: - domain name details - contact details of domain owners - domain name servers - NetRange - When a domain was created - expiry records - last updated record ``` FYI: "whois" then "iprange" will give information that is specific.
35
List the Regional Internet Registries (RIRs)?
1. AFRINIC : Africa, portions of the Indian Ocean. 2. APNIC : Portions of Asia, portions of Oceania. 3. ARIN: Canada, many Caribbean and North Atlantic islands, and the United States. 4. LACNIC : Latin America, portions of the Caribbean. 5. RIPE NCC : Europe, the Middle East, Central Asia.
36
What information obtained from Whois database provides assistance to an attacker?
- gathering personal information that assist in social engineering - creating a map of the target organization's network - obtain internal details of the target network
37
Why do attackers perform a reverse DNS lookup on IP ranges?
To locate a DNS PTR record. fyi - PTR (pointer record) provides the domain name associated with an IP address. Tools: DNSRecon Attackers can also find other domains that share the same web server. Tools: Reverse IP Domain Checker
38
What is the benefit of locating a network range of a target?
It can help in creating a map of the target network. Attackers can use: - ARIN whois database search tool to find the range of IP addresses. RIR can provide information such as the range of IP addresses and the subnet masks used by the target organization.
39
What program works on the concept of ICMP protocol and use the TTL field in the header of ICMP packets to discover the routers on the path to a target host? hint: tool to be used for network footprinting.
Traceroute. This tool can be used to extract information about network topology, trusted routers, firewall locations, etc.
40
What tool is used to determine the relationships and real world links between people, groups of people, organizations, websites, internet infrastructure, documents, etc.
Maltego.
41
What tool is used as a Web Reconnaissance framework with independent modules and database interaction, which provides an environment in which open source, web-based recon can be conducted.
Recon-ng.
42
What tool is used to find metadata and hidden information in the documents it scans?
FOCA (Fingerprinting Organizations with Collected Archives).
43
Which footprinting tool includes applications related to username checking, DNS lookups, information leaks research, deep web search, regular expressions extraction, etc
OSRFramework
44
If using theHarvester, what does this cmd line do? | theHarvester -d microsoft.com -l 200 -b baidu
- d specifies the domain or company name to search - l specifies the number of results to be retrieved - b specifies the data source
45
What type of request is sent during a ping request?
The ping command sends an ICMP echo request to the target host and waits for an ICMP response.
46
What does "packet needs to be fragmented by DF set" mean? ping www.certifiedhacker.com -f -l 1500 Pinging certifiedhacker.com [0.0.0.0] with 1500 bytes of data: Packet needs to be fragmented but DF set. Packet needs to be fragmented but DF set. Packet needs to be fragmented but DF set. Packet needs to be fragmented but DF set. Ping statistics for 0.0.0.0 Packets: Sent = 4 , Received = 0, Lost = 4 (100% loss)
It means that the frame is too large to be on the network and needs to be fragmented. The packet was not sent as we used the -f switch with the ping command, and the ping command returned this error.
47
What does it mean if TTL reaches 0?
The router discards the packet. This mechanism prevents the loss of packets.
48
What does 0.0.0.0: TTL expired in transit mean?
It means that the router discarded the frame because it's TTL expired (reached 0)
49
What does -n mean in the below: | ping www . Certifiedhacker . Com -n 1
-n represents the number of echo requests to be sent to the target.
50
How can you find the hop count on the target?
Find the hop value by trying different TTL value to reach the target domain.
51
What is the primary function of DNS?
to translate a domain name to IP address and vice-versa to enable human-machine-network-internet communications.
52
What is DNS PTR?
A DNS pointer record (PTR for short) provides the domain name associated with an IP address. A DNS PTR record is exactly the opposite of the 'A' record, which provides the IP address associated with a domain name. DNS PTR records are used in reverse DNS lookups.
53
When using nslookup, you receive a "non-authoritative answer". What does that mean? ex. nslookup >set type=a >www.certifiedhacker.com Non-authoritative answer: Name: certifiedhacker.com Address: 0.0.0.0 Aliases: www.certifiedhacker.com
Thus, if the response is coming from your local machine’s server (Google), but not the server that legitimately hosts the domain www.certifiedhacker.com; it is considered a NON-authoritative answer. So, if an attacker can determine the authoritative name server (primary name server) and obtain its associated IP address, he/she might attempt to exploit the server to perform attacks such as DoS, DDoS, URL Redirection, etc.

CEH V11 (7 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions