Module 02 - Footprinting and Reconnaissance ( EC Mode ) Flashcards
Which of the following footprinting techniques allows an attacker to gather information passively about the target without direct interaction?
A. Extracting information using Internet archives
B. Performing traceroute analysis
C. Performing social engineering
D. Extracting DNS information
Answer: A. Extracting information using Internet archives.
Explanation:
Passive footprinting techniques include:
Finding information through search engines
Finding the Top-level Domains (TLDs) and sub-domains of a target through web services
Collecting location information on the target through web services
Performing people search using social networking sites and people search services
Gathering financial information about the target through financial services
Extracting information about the target using Internet archives
Active footprinting techniques include:
Gathering information through email tracking
Harvesting email lists
Performing Whois lookup
Extracting DNS information
Performing traceroute analysis
Performing social engineering
What type of information is gathered by an attacker through Whois database analysis and tracerouting?
A. Background of the organization
B. Usernames, passwords, and so on
C. Publicly available email addresses
D. DNS records and related information
Answer: D. DNS records and related information.
Explanation:
Network Information: You can gather network information by performing Whois database analysis, tracerouting, and so on.
The information collected includes:
Domain and sub-domains
Network blocks
Network topology, trusted routers, and firewalls
IP addresses of the reachable systems
Whois records
DNS records and related information
System Information: You can gather system information by performing network footprinting, DNS footprinting, website footprinting, email footprinting, and so on.
The information collected includes:
Web server OS
Location of web servers
Publicly available email addresses
Usernames, passwords, and so on.
Smith, a professional hacker, has targeted an organization. He employed some footprinting tools to scan through all the domains, subdomains, reachable IP addresses, DNS records, and Whois records to perform further attacks.
What is the type of information Smith has extracted through the footprinting attempt?
A. Physical security information
B. Company’s product information
C. Network information
D. Policy information
Answer: C. Network information.
Explanation:
Physical security information: Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment, and resources.
Policy information: Policy information is taken to mean information used in the formulation, design, and selection of public policies. It comprises both data and analysis.
Network information: Network information includes domains and sub-domains, network blocks, network topology, trusted routers and firewalls, IP addresses of reachable systems, Whois records, and DNS records and related information.
Company’s product information: Includes information about products or services produced, marketed, licensed, sold, distributed, or performed by the company or any subsidiary, and all products or services currently under development by the company or any subsidiary.
Passive reconnaissance involves collecting information through which of the following?
A. Social engineering
B. Publicly accessible sources
C. Email tracking
D. Traceroute analysis
Answer: B. Publicly accessible sources.
A pen tester was hired to perform penetration testing on an organization. The tester was asked to perform passive footprinting on the target organization. Which of the following techniques comes under passive footprinting?
A. Finding the top-level domains (TLDs) and sub-domains of a target through web services
B. Performing traceroute analysis
C. Performing social engineering
D. Querying published name servers of the target
Answer: A. Finding the top-level domains (TLDs) and sub-domains of a target through web services
In which of the following footprinting threats does an attacker collect information directly and indirectly through persuasion without using any intrusion methods?
A. Social engineering
B. System and network attacks
C. Corporate espionage
D. Business loss
Answer: A. Social engineering.
Social Engineering: Without using any intrusion methods, hackers directly and indirectly collect information through persuasion and other means. Hackers gather crucial information from willing employees who are unaware of the hackers’ intent.
Corporate Espionage: Corporate espionage is a central threat to organizations, as competitors often attempt to obtain sensitive data through footprinting. With that data, competitors can launch similar products in the market, alter prices, and generally undermine the market position of the target organization.
Business Loss: Footprinting can have a major effect on organizations such as online businesses and other e-commerce websites as well as banking and finance-related businesses.
System and Network Attacks: Footprinting enables an attacker to perform system and network attacks. Thus, attackers can gather information related to the target organization’s system configuration, the operating system running on the machine, and so on. Using this information, attackers can find vulnerabilities in the target system and then exploit such vulnerabilities. They can then take control of a target system or the entire network.
What phase of the penetration test is the tester currently in, if they are searching for IP ranges owned by the bank, performing lookups on the bank’s DNS servers, reading news articles online about the bank, watching the bank employees time in and out, searching the bank’s job postings (paying special attention to IT-related jobs), and visiting the local dumpster for the bank’s corporate office?
A. Active information gathering
B. Information reporting
C. Passive information gathering
D. Vulnerability assessment
Answer: C. Passive information gathering.
Explanation:
Passive footprinting involves gathering information about the target without direct interaction. This type of footprinting is useful when the information gathering activities must not be detected by the target. Performing passive footprinting is technically difficult, as no active traffic may be sent to the target organization, whether from the tester’s own host or from anonymous hosts or services over the Internet.
A pen tester was hired to perform penetration testing on an organization. The tester was asked to perform passive footprinting on the target organization.
Which of the following techniques comes under passive footprinting?
A. Performing traceroute analysis
B. Finding the top-level domains (TLDs) and sub-domains of a target through web services
C. Querying published name servers of the target
D. Performing social engineering
Answer: B. Finding the top-level domains (TLDs) and sub-domains of a target through web services.
Passive footprinting involves gathering information about the target without direct interaction. Only archived and stored information about the target can be collected, using publicly accessible sources.
Passive footprinting techniques include:
Finding information through search engines
Finding the Top-level Domains (TLDs) and sub-domains of a target through web services
Collecting location information on the target through web services
Performing people search using social networking sites and people search services
Gathering financial information about the target through financial services
Gathering infrastructure details of the target organization through job sites
Monitoring target using alert services
Active footprinting involves gathering information about the target with direct interaction. In active footprinting, we overtly interact with the target network.
Active footprinting techniques include:
Querying published name servers of the target
Extracting metadata of published documents and files
Gathering website information using web spidering and mirroring tools
Gathering information through email tracking
Performing Whois lookup
Extracting DNS information
Performing traceroute analysis
Performing social engineering
Which of the following web services provides useful information about a target company, such as the market value of the company’s shares, company profile, and competitor details?
A. dice.com
B. indeed.com
C. linkup.com
D. investing.com
Answer: D. investing.com
indeed.com, dice.com, and linkup.com are websites that provide online job services.
Financial services such as Google Finance, MSN Money, Yahoo Finance, and Investing.com can provide a large amount of useful information such as the market value of a company’s shares, company profile, competitor details, stock exchange rates, corporate press releases, financial reports along with news, and blog search articles about corporations.
Which of the following deep and dark web searching tools helps an attacker obtain information about official government or federal databases and navigate anonymously without being traced?
A. ExoneraTor
B. Been Verified
C. Whitepages
D. Spokeo
Answer: A. ExoneraTor
ExoneraTor: Attackers can use deep and dark web searching tools such as Tor Browser, ExoneraTor, and the OnionLand Search engine to gather confidential information about the target, such as credit card details, passport information, identification card details, medical records, social media accounts, and Social Security Numbers (SSNs). Note that ExoneraTor itself, operated by the Tor Project, answers a single question: whether a given IP address was a Tor relay on a given date. It is a lookup service for Tor network history rather than a general search engine.
Spokeo, Been Verified, and Whitepages are people search online services.
Which of the following web services is a repository that contains a collection of user-submitted notes or messages on various subjects and topics?
A. Online reputation services
B. People search services
C. Business profile sites
D. NNTP Usenet newsgroups
Answer: D. NNTP Usenet newsgroups
Business profile sites contain business information about companies located in a particular region, together with their contact information, and can be viewed by anyone.
Online Reputation Services: Online reputation tracking tools help discover what people are saying online about a company’s brand in real time across the web, social media, and news. They help in monitoring, measuring, and managing one’s reputation online.
People Search Services: Online people search services provide people’s names, addresses, contact details, dates of birth, photographs, videos, professions, details about their family and friends, social networking profiles, property information, and optionally criminal background checks.
NNTP Usenet newsgroups are a repository of notes or messages on various subjects and topics that are submitted by users over the Internet. Many professionals use newsgroups to resolve technical issues by posting questions on Usenet.
Which of the following activities of a user on social networking sites helps an attacker footprint or collect the identity of the user’s family members, the user’s interests, and related information?
A. Maintaining the profile
B. Sharing photos and videos
C. Creating events
D. Playing games and joining groups
Answer: B. Sharing photos and videos
Which of the following types of DNS records points to a host’s IP address?
A. NS
B. TXT
C. HINFO
D. A
Answer: D. A
DNS footprinting helps in determining the following records about the target DNS:
Record Type - Description
A - Points to a host’s IP address
MX - Points to domain’s mail server
NS - Points to host’s name server
CNAME - Canonical naming allows aliases to a host
SOA - Indicates authority for a domain
SRV - Service records
PTR - Maps IP address to a hostname
RP - Responsible person
HINFO - Host information record includes CPU type and OS
TXT - Unstructured text records
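The table above lists what each record type reveals; the following added example (not code from the flashcards) shows how to turn a zone dump into that footprint. It parses a constructed zone for the reserved documentation domain example.com, with made-up RDATA, and buckets the records by what they disclose: reachable hosts, mail and name servers, aliases, OS hints from HINFO, contact mailboxes from SOA and RP, and third-party providers named in an SPF TXT record. The parser covers the master-file subset that appears in zone transfers ($ORIGIN, $TTL, '@', relative and inherited owner names, optional TTL and class, quoted strings); parenthesised multi-line records and ';' inside quoted strings are not handled.

```python
"""Parse a DNS zone in master-file text and summarize what each record type
tells a footprinting attacker. Added example; ZONE_TEXT is constructed."""
import shlex
from collections import defaultdict

# Constructed zone for example.com (RFC 2606 reserved). All RDATA are made up.
ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 3600
@          IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
@          IN NS    ns1.example.com.
@          IN NS    ns2.example.com.
@          IN MX    10 mail.example.com.
@          IN TXT   "v=spf1 include:_spf.google.com ~all"
www        IN A     203.0.113.10
           IN AAAA  2001:db8::10
mail       IN A     203.0.113.25
vpn        IN A     203.0.113.2
intranet   IN CNAME www.example.com.
db1        IN HINFO "PC-Intel" "Linux"
ns1        IN A     203.0.113.53
ns2        IN A     203.0.113.54
hostmaster IN RP    hostmaster.example.com. .
"""

CLASSES = {"IN", "CH", "HS"}


def _absolute(name: str, origin: str) -> str:
    """Resolve '@' and relative owner names against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}" if origin != "." else f"{name}."


def parse_zone(text: str) -> list[dict]:
    """Return one dict per resource record: name, ttl, type, rdata fields."""
    origin, default_ttl, records = ".", None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip trailing comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        fields = shlex.split(line)  # keeps quoted TXT/HINFO strings intact
        if line[0].isspace():
            name = records[-1]["name"]  # blank owner inherits the previous one
        else:
            name = _absolute(fields.pop(0), origin)
        ttl = default_ttl
        if fields and fields[0].isdigit():
            ttl = int(fields.pop(0))
        if fields and fields[0].upper() in CLASSES:
            fields.pop(0)
        rtype = fields.pop(0).upper()
        records.append({"name": name, "ttl": ttl, "type": rtype, "rdata": fields})
    return records


def _mailbox(dname: str) -> str:
    """SOA RNAME and RP mbox encode an email address with '.' in place of '@'."""
    return dname.rstrip(".").replace(".", "@", 1)


def footprint_summary(records: list[dict]) -> dict:
    """Bucket records by what they disclose to an attacker."""
    out = defaultdict(list)
    for r in records:
        t, name, rd = r["type"], r["name"], r["rdata"]
        if t in ("A", "AAAA"):
            out["hosts"].append((name, rd[0]))          # reachable addresses
        elif t == "MX":
            out["mail_servers"].append(rd[1])           # rd[0] is the preference
        elif t == "NS":
            out["name_servers"].append(rd[0])
        elif t == "CNAME":
            out["aliases"].append((name, rd[0]))        # hints at shared hosts
        elif t == "HINFO":
            out["os_hints"].append((name, rd[0], rd[1]))  # CPU and OS strings
        elif t in ("SOA", "RP"):
            mb = _mailbox(rd[1] if t == "SOA" else rd[0])
            if mb not in out["contacts"]:
                out["contacts"].append(mb)
        elif t == "TXT":
            text = " ".join(rd)
            out["text"].append((name, text))
            if text.startswith("v=spf1"):               # third-party mail providers
                out["spf_includes"] += [tok[len("include:"):] for tok in text.split()
                                        if tok.startswith("include:")]
    return dict(out)


if __name__ == "__main__":
    for bucket, items in footprint_summary(parse_zone(ZONE_TEXT)).items():
        print(f"{bucket}: {items}")
```

The SPF include in the constructed TXT record is the kind of detail a footprinting exercise actually wants: it names the organisation’s mail provider without touching the mail servers at all.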
Which of the following is the direct approach technique that serves as the primary source for attackers to gather competitive intelligence?
A. Social media postings
B. Social engineering
C. Search engines, Internet, and online databases
D. Support threads and reviews
Answer: B. Social engineering
Explanation:
Competitive Intelligence gathering can be performed using a direct or indirect approach.
Direct Approach
The direct approach serves as the primary source for competitive intelligence gathering. Direct approach techniques include gathering information from trade shows, social engineering of employees and customers, and so on.
Indirect Approach
Through an indirect approach, information about competitors is gathered using online resources. Indirect approach techniques include:
Company websites and employment ads
Support threads and reviews
Search engines, Internet, and online databases
Social media postings
Press releases and annual reports
Trade journals, conferences, and newspapers
Patents and trademarks
Product catalogs and retail outlets
Analyst and regulatory reports
Customer and vendor interviews
Agents, distributors, and suppliers
Industry-specific blogs and publications
Legal databases, e.g., LexisNexis
Business information databases, e.g., Hoover’s
Online job postings
Which of the following tools is used for gathering email account information from different public sources and checking whether an email was leaked using the haveibeenpwned.com API?
A. Metagoofil
B. Infoga
C. Professional Toolset
D. Octoparse
Answer: B. Infoga
Professional Toolset: DNS interrogation tools such as Professional Toolset (https://tools.dnsstuff.com) and DNS Records (https://network-tools.com) enable the user to perform DNS footprinting.
Infoga: Infoga is a tool used for gathering email account information from different public sources and it checks if an email was leaked using the haveibeenpwned.com API.
Octoparse: Octoparse offers automatic data extraction, as it quickly scrapes web data without coding and turns web pages into structured data.
Metagoofil: Metagoofil extracts metadata of public documents (pdf, doc, xls, ppt, docx, pptx, and xlsx) belonging to a target company.
Sean works as a professional ethical hacker and penetration tester. He is assigned a project for information gathering on a client’s network. He started penetration testing and was trying to find out the company’s internal URLs, looking for any information about the different departments and business units. Sean was unable to find any information. What should Sean do to get the information he needs?
A. Sean should use email tracking tools
B. Sean should use WayBackMachine in Archive.org
C. Sean should use Sublist3r tool
D. Sean should use website mirroring tools
Answer: C. Sean should use Sublist3r tool
Explanation:
Sublist3r is a Python script designed to enumerate subdomains of websites using OSINT. It enables you to enumerate subdomains across multiple sources at once. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. It enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. It also enumerates subdomains using Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, and ReverseDNS. It has integrated the venerable SubBrute, allowing you to also brute force subdomains using a wordlist.
Which results will be returned with the following Google search query?
site:target.com -site:Marketing.target.com accounting
A. Results matching “accounting” in domain target.com but not on the site Marketing.target.com
B. Results from matches on the site marketing.target.com that are in the domain target.com but do not include the word accounting
C. Results for matches on target.com and Marketing.target.com that include the word “accounting”
D. Results matching all words in the query
Answer: A. Results matching “accounting” in domain target.com but not on the site Marketing.target.com
Explanation:
The “site” Google search operator restricts search results to the specified site or domain (including its sub-domains); it also shows which URLs Google has indexed for that site. Prefixing an operator or term with [-] tells Google to exclude results that match it.
Here, the query searches for “accounting” within the target.com domain but excludes anything under Marketing.target.com, because [-] precedes that site: clause.
Which Google search query can you use to find mail lists dumped on pastebin.com?
A. cache: pastebin.com intitle:@.com:*
B. site:pastebin.com intext:@.com:*
C. allinurl: pastebin.com intitle:@.com:*
D. allinurl: pastebin.com intitle:“mail lists”
Answer: B. site:pastebin.com intext:@.com:*
Explanation:
The site operator restricts the results to the given domain, and the query intext:term restricts results to documents containing term in the body text.
For example, the [site:pastebin.com intext:@.com:*] query returns pastes on pastebin.com whose text contains mail-list style entries.
intitle restricts the results to documents whose title contains the search keyword, and double quotes around search terms restrict the results to pages that contain the exact phrase. allinurl restricts the results to pages whose URL contains all of the search keywords. The related operator lists web pages that are similar to a specified web page.
Which Google search query will search for any files a target certifiedhacker.com may have?
A. site: certifiedhacker.com filetype:xml | filetype:conf | filetype:cnf | filetype:reg | filetype:inf | filetype:rdp | filetype:cfg | filetype:txt | filetype:ora | filetype:ini
B. site: certifiedhacker.com ext:xml || ext:conf || ext:cnf || ext:reg || ext:inf || ext:rdp || ext:cfg || ext:txt || ext:ora || ext:ini
C. site: certifiedhacker.com intext:xml | intext:conf | intext:cnf | intext:reg | intext:inf | intext:rdp | intext:cfg | intext:txt | intext:ora | intext:ini
D. allinurl: certifiedhacker.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini
Answer: A. site: certifiedhacker.com filetype:xml | filetype:conf | filetype:cnf | filetype:reg | filetype:inf | filetype:rdp | filetype:cfg | filetype:txt | filetype:ora | filetype:ini
The “site” operator restricts the results to those websites in the given domain.
The filetype operator (ext is a synonym) restricts the results to pages whose names end in the given suffix; | is the OR separator, so the query matches any of the listed extensions.
The allinurl operator restricts results to only those pages containing all the query terms in the URL, so option D would not confine the results to the certifiedhacker.com domain.
The query intext:term restricts results to documents containing term in the text, so option C would return pages that merely mention those extensions rather than files with them. Note that Google operators take no space after the colon (site:certifiedhacker.com); the spaces in the options above appear as printed in the source.
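The three Google-hacking questions above all come down to how the operators combine: site: scopes by host and sub-host, a leading - negates, | joins alternatives, and filetype:/ext: test the URL suffix. The following added example (not code from the flashcards or from Google) models those semantics over a small constructed index of hypothetical pages on the flashcards’ example domains so the queries can be checked offline. It also treats a space after the colon as a malformed operator, matching Google’s rule that operators take no space. Ranking, crawl coverage, the * wildcard and Google’s punctuation handling are not modelled.

```python
"""Evaluate Google advanced-operator queries against a constructed page index.
Added example; INDEX and its URLs are made up."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Page:
    url: str
    title: str
    text: str


# Constructed index: hypothetical pages on the domains the flashcards use.
INDEX = [
    Page("https://target.com/finance/accounting-policy.html",
         "Accounting policy", "Accounting controls for the finance team"),
    Page("https://marketing.target.com/accounting-campaign",
         "Accounting campaign", "Campaign for accounting software"),
    Page("https://intranet.target.com/hr/handbook.pdf",
         "HR handbook", "Leave and payroll, see accounting"),
    Page("https://target.com/about", "About us", "Company history"),
    Page("https://certifiedhacker.com/config/app.ini",
         "app.ini", "[db] host=10.0.0.5"),
    Page("https://certifiedhacker.com/docs/readme.txt",
         "readme", "install notes"),
    Page("https://certifiedhacker.com/index.html", "Home", "welcome"),
]


def _host_matches(url: str, site: str) -> bool:
    """site:example.com matches example.com and every subdomain of it.
    An empty value (what 'site: example.com' produces) matches nothing."""
    host = urlparse(url).hostname or ""
    site = site.lower()
    return bool(site) and (host == site or host.endswith("." + site))


def _match_term(page: Page, term: str) -> bool:
    """Evaluate one operator:value token, or one bare keyword, against a page."""
    op, sep, val = term.partition(":")
    if not sep:  # bare keyword: title, body text and URL are all searched
        return term.lower() in f"{page.title} {page.text} {page.url}".lower()
    op, val = op.lower(), val.lower()
    if op == "site":
        return _host_matches(page.url, val)
    if op == "intext":
        return val in page.text.lower()
    if op == "intitle":
        return val in page.title.lower()
    if op == "inurl":
        return val in page.url.lower()
    if op in ("filetype", "ext"):
        return urlparse(page.url).path.lower().endswith("." + val)
    raise ValueError(f"unsupported operator: {op}")


def parse_query(query: str) -> list[list[str]]:
    """Split a query into AND-ed groups; tokens joined by | (or ||) form one
    OR-ed group. A leading '-' on a token is kept and handled as negation."""
    groups: list[list[str]] = []
    join_next = False
    for tok in query.split():
        if tok in ("|", "||", "OR"):
            join_next = True
            continue
        if join_next and groups:
            groups[-1].append(tok)
        else:
            groups.append([tok])
        join_next = False
    return groups


def _match_signed(page: Page, term: str) -> bool:
    if term.startswith("-") and len(term) > 1:
        return not _match_term(page, term[1:])
    return _match_term(page, term)


def search(query: str, index: list[Page] = INDEX) -> list[str]:
    """URLs satisfying every group of the query, in index order."""
    groups = parse_query(query)
    return [p.url for p in index
            if all(any(_match_signed(p, t) for t in group) for group in groups)]


if __name__ == "__main__":
    print(search("site:target.com -site:Marketing.target.com accounting"))
    print(search("site:certifiedhacker.com filetype:xml | filetype:conf | "
                 "filetype:txt | filetype:ini"))
    print(search("site: certifiedhacker.com filetype:ini"))  # malformed site:
```

Running the first query returns the two target.com pages that mention accounting and drops the marketing sub-site; the malformed third query returns nothing, which is the practical reason to check operator spacing before concluding that a target has no indexed files.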
Which of the following techniques is used to create complex search engine queries?
A. Google hacking
B. Yahoo search
C. Bing search
D. DuckDuckGo
Answer: A. Google hacking
Explanation:
Google hacking refers to the use of advanced Google search operators to build complex search queries that extract sensitive or hidden information from the search index. Attackers use what they find to identify vulnerable targets. Footprinting with Google hacking techniques means locating specific strings of text within search results by combining these advanced operators in the Google search engine.
Sean works as a penetration tester in ABC firm. He was asked to gather information about the target company. Sean begins with social engineering by following the steps:
Secretly observes the target to gain critical information
Looks at employee’s password or PIN code with the help of binoculars or a low-power telescope
Based on the above description, identify the social engineering technique.
A. Shoulder surfing
B. Tailgating
C. Phishing
D. Dumpster diving
Answer: A. Shoulder surfing
Explanation:
Here, Sean is performing shoulder surfing.
Shoulder surfing is the technique of observing or looking over someone’s shoulder as they key information into a device. It helps a penetration tester discover passwords, personal identification numbers, account numbers, and other information. Testers sometimes use binoculars or other optical devices, or install small cameras to record actions performed on the victim’s system, to obtain login details and other sensitive information.
Which of the following tools allows an attacker to extract information such as sender identity, mail server, sender’s IP address, location, and so on?
A. Email tracking tools
B. Web updates monitoring tools
C. Website mirroring tools
D. Metadata extraction tools
Answer: A. Email tracking tools
Email tracking monitors the emails sent to a particular user. This kind of tracking relies on digitally time-stamped records that reveal the time and date when the target receives and opens a specific email.
Email tracking tools allow an attacker to collect information such as IP addresses, mail servers, and the service provider involved in delivering the mail.
Information gathered about the victim using email tracking tools:
Recipient’s system IP address
Geolocation
Email received and Read
Read duration
Proxy detection
Links
Operating system and Browser information
Forward Email
Device Type
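The list above is what a tracking pixel reports about the recipient; the sender-side facts the question names (sender identity, mail server, sender’s IP address) are recovered instead from the headers of a message you have received. The following added example (not one of the tracking tools the flashcards name, and not code from the flashcards) does that on a constructed message: it walks the Received: chain oldest-first to recover the originating IP, the submission server and each relay, and pulls the mail client and Message-ID domain. Every host and address in RAW_MESSAGE is fictitious (RFC 5737 documentation ranges, example.* domains).

```python
"""Recover sender-side footprinting data from received email headers.
Added example; RAW_MESSAGE is constructed."""
import email
import email.utils
import re
from email.message import Message

# Constructed message. Received: lines are prepended by each MTA, so the
# first one in the file is the most recent hop.
RAW_MESSAGE = b"""\
Received: from mx2.example.net (mx2.example.net [203.0.113.7])
\tby inbound.example.org with ESMTPS id q7si; Mon, 1 Jan 2024 10:00:03 +0000
Received: from mail.example.com (mail.example.com [198.51.100.25])
\tby mx2.example.net with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby mail.example.com (Postfix) with ESMTPSA id 1A2B3C;
\tMon, 1 Jan 2024 10:00:01 +0000
Message-ID: <20240101100001.1A2B3C@mail.example.com>
From: "Alice Example" <alice@example.com>
To: bob@example.org
Subject: Q1 budget
Date: Mon, 1 Jan 2024 10:00:01 +0000
X-Mailer: Microsoft Outlook 16.0
X-Originating-IP: [192.0.2.44]

Please find the figures attached.
"""

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_received_chain(msg: Message) -> list[dict]:
    """Return relay hops oldest-first. Only the Received: lines added by
    servers you control (your own MX and later) are trustworthy; everything
    the sender's side added can be forged, so treat early hops as claims."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        frm, by, ip = FROM_RE.search(value), BY_RE.search(value), IPV4_RE.search(value)
        hops.append({
            "from": frm.group(1) if frm else None,
            "ip": ip.group(0) if ip else None,
            "by": by.group(1).rstrip(";") if by else None,
        })
    return hops


def sender_footprint(raw: bytes) -> dict:
    """Summarize what the headers disclose about the sender's infrastructure."""
    msg = email.message_from_bytes(raw)
    hops = parse_received_chain(msg)
    orig = IPV4_RE.search(msg.get("X-Originating-IP", ""))
    msgid = msg.get("Message-ID", "")
    return {
        "sender": email.utils.parseaddr(msg.get("From", ""))[1],
        # Prefer the explicit header, fall back to the first hop's client IP.
        "originating_ip": orig.group(0) if orig else (hops[0]["ip"] if hops else None),
        "submission_server": hops[0]["by"] if hops else None,  # sender's MSA/MTA
        "relays": [h["by"] for h in hops],
        "hop_count": len(hops),
        "mail_client": msg.get("X-Mailer") or msg.get("User-Agent"),
        "message_id_domain": msgid.rsplit("@", 1)[1].rstrip(">") if "@" in msgid else None,
    }


if __name__ == "__main__":
    for key, value in sender_footprint(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The "ESMTPSA" keyword on the oldest hop marks an authenticated submission, which is why that hop’s client address is the best candidate for the sender’s real IP, and why the host in its "by" clause is the organisation’s outbound mail server.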
Which of the following is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system?
A. TCP/IP
B. Traceroute
C. Whois lookup
D. DNS lookup
Answer: C. Whois lookup
Explanation:
Whois is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system. The protocol listens for requests on TCP port 43. Regional Internet Registries (RIRs) maintain the Whois databases for IP address blocks and autonomous system numbers, while domain registries and registrars maintain them for domain names; the domain records carry the registrant’s contact details, although most registrars now redact personal contact data. For each resource, the Whois database provides text records with information about the resource itself, about its assignees and registrants, and administrative information such as creation and expiration dates.
A Whois query returns the following information:
Domain name details
Domain name servers
NetRange
When a domain has been created
Contact details of domain owner
Expiry records
Records last updated
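The protocol itself is trivial, and the work is in parsing the free-form reply; the following added example (not code from the flashcards) shows both. whois_query() performs the raw exchange described above (send the object name plus CRLF on TCP/43, read until the server closes), parse_whois() maps the common registrar and RIR key names onto the fields listed above, and lookup_domain() follows the registrar referral that thin registries such as .com return. SAMPLE_REPLY is a constructed registry-style reply for the reserved domain example.com; the registrar, dates and name servers in it are fictitious, and the registrant email is redacted as it would be in live output. The query function is injectable so the referral flow can be exercised without network access.

```python
"""Whois over TCP/43 with reply parsing and registrar-referral follow-up.
Added example; SAMPLE_REPLY is constructed."""
import socket
from collections import defaultdict
from typing import Callable, Optional


def whois_query(name: str, server: str, timeout: float = 10.0) -> str:
    """One request/response exchange on port 43 (network call)."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(name.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # server closes the connection after the reply
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# Constructed thin-registry reply; every value below is fictitious.
SAMPLE_REPLY = """\
Domain Name: EXAMPLE.COM
Registry Domain ID: 1234567_DOMAIN_COM-TEST
Registrar WHOIS Server: whois.example-registrar.test
Updated Date: 2023-08-14T07:01:31Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2024-08-13T04:00:00Z
Registrar: Example Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: Example Holdings LLC
Registrant Email: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
DNSSEC: signedDelegation
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""


def parse_whois(text: str) -> dict:
    """Collect 'Key: value' lines (repeated keys accumulate), then map the
    registrar (ICANN) and RIR (ARIN/RIPE) key names onto one schema."""
    fields = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith((">>>", "%", "#")):
            continue
        key, sep, value = line.partition(":")  # first colon only; dates keep theirs
        if sep and value.strip():
            fields[key.strip().lower()].append(value.strip())

    def first(*keys: str) -> Optional[str]:
        for k in keys:
            if fields.get(k):
                return fields[k][0]
        return None

    return {
        "domain": first("domain name"),
        "registrar": first("registrar"),
        "registrar_whois": first("registrar whois server"),
        "name_servers": [ns.lower() for ns in fields.get("name server", [])],
        "created": first("creation date", "created", "regdate"),
        "updated": first("updated date", "changed"),
        "expires": first("registry expiry date",
                         "registrar registration expiration date", "expiry date"),
        "registrant": first("registrant organization", "registrant name", "orgname"),
        "registrant_email": first("registrant email"),
        "netrange": first("netrange", "inetnum"),  # present in RIR replies for IP blocks
        "status": [s.split()[0] for s in fields.get("domain status", [])],
        "redacted": any("REDACTED" in v.upper() for vals in fields.values() for v in vals),
    }


def lookup_domain(domain: str, server: str,
                  query: Callable[[str, str], str] = whois_query) -> dict:
    """Query the registry, then the registrar it refers to: a thin registry
    holds only registrar and name-server data, the registrar holds the rest."""
    parsed = parse_whois(query(domain, server))
    referral = parsed.get("registrar_whois")
    if referral and referral.lower() != server.lower():
        parsed = parse_whois(query(domain, referral))
        parsed["referred_from"] = server
    return parsed


if __name__ == "__main__":
    for key, value in parse_whois(SAMPLE_REPLY).items():
        print(f"{key}: {value}")
```

For IP-block lookups the same parser works against RIR output, where NetRange (ARIN) or inetnum (RIPE) replaces the domain fields; the redacted flag tells you at a glance whether the contact fields are worth reading.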
TCP/IP, or the Transmission Control Protocol/Internet Protocol, is a suite of communication protocols used to interconnect network devices on the internet. TCP/IP can also be used as a communications protocol in a private network (an intranet or an extranet).
DNS Lookup reveals information about DNS zone data. DNS zone data include DNS domain names, computer names, IP addresses, and much more about a particular network.
The traceroute utility can detail the path travelled by IP packets between two systems. It reports the number of routers the packets pass through, the round-trip time to each hop, and, if the routers have DNS entries, the names of the routers and their network affiliation. Combined with IP geolocation data, it can also suggest the geographic location of each hop.