Reconnaissance 1 Flashcards

1
Q

WHOIS

A
  • WHOIS is the registration-lookup system that records who is responsible for a domain name. It is intended to provide contact details for a domain's owner (or, increasingly, its registrar's abuse desk or a privacy proxy) in cases of abuse or other circumstances.
  • You can query it with the ‘whois’ command on Linux, e.g. ‘whois example.com’. Many registrars now redact personal contact details, so expect registrar, creation/expiry dates and nameserver information rather than a named person.
2
Q

DNS Recon

A
  • The first thing to check is whether a zone transfer (AXFR) is permitted. You will almost never be able to pull it off these days, but it is worth trying because a successful zone transfer hands you a complete list of every DNS record in the zone.
    cmd: host -l domain nameserver
    The second argument is the authoritative nameserver to ask (list them with ‘host -t ns domain’). Try each one: a secondary is sometimes left open when the primary is locked down.
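As an added example (not code from the original page), the following Python script automates the check above: it asks for the zone's NS records, runs ‘host -l domain ns’ against each one, and parses the output so a refusal is distinguished from an empty result. The domain, server names and addresses in the sample output are constructed for illustration; the script assumes BIND's ‘host’ utility is installed.

```python
"""Zone transfer (AXFR) check built around `host -l`.

Added example, not code from the original page. Assumes BIND's `host` is on
PATH. The sample outputs below are constructed; example.test is not a target.
"""
import subprocess
import sys
from typing import Optional

# Constructed sample of what `host -l` prints when a transfer succeeds.
SAMPLE_AXFR_OK = """\
Using domain server:
Name: ns1.example.test
Address: 192.0.2.53#53
Aliases:

example.test name server ns1.example.test.
example.test name server ns2.example.test.
example.test has address 192.0.2.10
www.example.test has address 192.0.2.11
mail.example.test has address 192.0.2.25
example.test mail is handled by 10 mail.example.test.
"""

# Constructed sample of the usual outcome today: the server refuses AXFR.
SAMPLE_AXFR_REFUSED = """\
Using domain server:
Name: ns1.example.test
Address: 192.0.2.53#53
Aliases:

; Transfer failed.
"""

HEADER_PREFIXES = ("Using domain server", "Name:", "Address:", "Aliases:", ";")


def parse_host_axfr(output: str) -> Optional[list[tuple[str, str, str]]]:
    """Turn `host -l` output into (name, type, value) tuples.

    Returns None when the server refused or no records came back, so the
    caller can tell "server denied AXFR" from "zone is empty".
    """
    if "Transfer failed" in output:
        return None
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(HEADER_PREFIXES):
            continue
        name, _, rest = line.partition(" ")
        if rest.startswith("name server "):
            records.append((name, "NS", rest[len("name server "):].rstrip(".")))
        elif rest.startswith("has IPv6 address "):
            records.append((name, "AAAA", rest[len("has IPv6 address "):]))
        elif rest.startswith("has address "):
            records.append((name, "A", rest[len("has address "):]))
        elif rest.startswith("mail is handled by "):
            prio, _, host = rest[len("mail is handled by "):].partition(" ")
            records.append((name, "MX", f"{prio} {host.rstrip('.')}"))
        elif rest.startswith("is an alias for "):
            records.append((name, "CNAME", rest[len("is an alias for "):].rstrip(".")))
        elif rest.startswith("descriptive text "):
            records.append((name, "TXT", rest[len("descriptive text "):].strip('"')))
    return records or None


def authoritative_servers(domain: str) -> list[str]:
    """Resolve the zone's NS records; each server must be tried separately."""
    out = subprocess.run(["host", "-t", "ns", domain],
                         capture_output=True, text=True).stdout
    return [value for _, rtype, value in (parse_host_axfr(out) or []) if rtype == "NS"]


def try_zone_transfer(domain: str) -> dict[str, Optional[list]]:
    """Run `host -l domain <ns>` against every authoritative server."""
    results = {}
    for ns in authoritative_servers(domain):
        out = subprocess.run(["host", "-l", domain, ns],
                             capture_output=True, text=True).stdout
        results[ns] = parse_host_axfr(out)
    return results


if __name__ == "__main__":
    # Usage: python axfr_check.py example.com   (network access required)
    for ns, recs in try_zone_transfer(sys.argv[1]).items():
        print(f"{ns}: {'REFUSED' if recs is None else f'{len(recs)} records'}")
```

A transfer that works is a finding in itself (it exposes internal hostnames and address plans), but even a refusal is useful: the NS list and any records the resolver hands back still seed later host discovery.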
3
Q

Dirb

A
  • Armed with a list of websites, you can start looking for directories that are not linked from the public areas of the site.
  • For this task, we can use ‘dirb’.
  • Like the other recon tools, dirb works from a wordlist: it crafts an HTTP request for each entry and reports the ones the server says exist. Read the status codes, not just the hits: a 403 still means the directory is there, and a site that answers 200 to everything will produce nothing but false positives unless the catch-all response is filtered out.
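To show what dirb actually does under the hood, here is a minimal directory brute-forcer added as an example (it is not dirb's code). It takes a wordlist, issues one HEAD request per candidate directory, keeps only the status codes worth a second look, and first probes a random path so that a catch-all (soft-404) site does not flood the results. The wordlist, hostname and the fake site map used to exercise the logic offline are all constructed for illustration; ‘http_status’ is the real fetcher and is an assumption about how you would hit a live target.

```python
"""dirb-style directory brute-forcing with a soft-404 check.

Added example, not dirb's code. The fetch function is injectable so the
logic can be exercised against a constructed site map without a network.
"""
import random
import string
import urllib.error
import urllib.request
from typing import Callable, Iterable, Optional

# Constructed wordlist; dirb ships real ones under /usr/share/dirb/wordlists/.
WORDLIST = ["admin", "backup", "images", "login", "uploads", "zz_nothing"]

# Status codes that mean "something is there" even if we cannot read it.
INTERESTING = {200, 201, 204, 301, 302, 307, 401, 403}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: we want to see the redirect, not its destination."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_status(url: str, timeout: float = 5.0) -> int:
    """Real fetcher (assumed usage): HEAD the URL and return its status code."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "recon-example"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code          # 3xx/4xx/5xx arrive here because we do not follow


def wildcard_status(base: str, fetch: Callable[[str], int]) -> Optional[int]:
    """Probe a random path that should 404. Any other code is the site's
    catch-all answer, and hits with that code are noise."""
    junk = "".join(random.choices(string.ascii_lowercase, k=16))
    code = fetch(f"{base}/{junk}/")
    return None if code == 404 else code


def brute_dirs(base: str, words: Iterable[str],
               fetch: Callable[[str], int] = http_status) -> list[tuple[str, int]]:
    """Return (url, status) for every wordlist entry that looks like a real directory."""
    base = base.rstrip("/")
    noise = wildcard_status(base, fetch)
    found = []
    for word in words:
        url = f"{base}/{word}/"
        code = fetch(url)
        if code in INTERESTING and code != noise:
            found.append((url, code))
    return found


# Constructed site map standing in for a live target (not a real host).
FAKE_SITE = {
    "http://target.test/admin/": 403,   # exists but forbidden: still a finding
    "http://target.test/images/": 301,  # directory listing redirect
    "http://target.test/login/": 200,
}


def fake_fetch(url: str) -> int:
    return FAKE_SITE.get(url, 404)


def soft404_fetch(url: str) -> int:
    """A site that answers 200 to everything; brute_dirs must report nothing."""
    return 200


if __name__ == "__main__":
    for url, code in brute_dirs("http://target.test", WORDLIST, fake_fetch):
        print(f"{code} {url}")
```

Against a live target, pass nothing for ‘fetch’ and the HEAD-based fetcher is used; keep the request rate in mind, since every wordlist entry is one request in the target's access log.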
4
Q

Nmap

A
  • Nmap is the most widely used port scanner in the security community, and for good reason. It is incredibly powerful, with a host of different options.
  • By default Nmap scans only the 1000 most common ports. To override that and scan all 65535 ports, use ‘-p-’.
5
Q

Connect Scan

A
  • The connect scan (‘-sT’) is the most basic scan type in Nmap: it uses the operating system's connect() call and completes a full TCP three-way handshake with each port.
  • The benefit of a connect scan is that it needs no root privileges on the system you are scanning from.
  • The downside is that it is noisy. Because the handshake completes, the target service sees (and may log) a real connection, and many firewalls or IDS systems will flag it.
6
Q

SYN Scan

A
  • There is a faster and stealthier alternative to the connect scan: the SYN scan (‘-sS’), which sends raw SYN packets and never completes the handshake. This is the scan type you should almost always use when you have root access on the system you are scanning from (it needs raw sockets).

Open port (TCP):
Syn ->
<- Syn-Ack
Rst -> (Nmap tears the connection down instead of completing the handshake)

Closed port (TCP):
Syn ->
<- Rst

No reply, or an ICMP unreachable error, means a firewall is in the way and Nmap reports the port as filtered.

7
Q

Service Detection

A
  • Once you know which ports are open, you could connect to each one by hand to find out which service is running.
  • Nmap does this for you with ‘-sV’, the version detection option.
  • Nmap's version detection works by fingerprinting: it sends a series of probes, compares the responses against its fingerprint database, and reports the service, product and version together with a confidence score. Because it matches responses to probes rather than trusting the banner, it can often identify a service correctly even when that service has been configured to present a misleading banner.
8
Q

OS Detection

A
  • Add ‘-O’ to the Nmap command. OS detection sends raw probes, so it needs root, and Nmap warns that the guess is unreliable unless it finds at least one open and one closed TCP port on the host.
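The Nmap, connect scan, SYN scan, service detection and OS detection cards above describe one workflow. As an added example (not code from the page or from the Nmap project), here is a Python wrapper that picks ‘-sS’ when running as root and falls back to ‘-sT’ otherwise, adds ‘-p-’, ‘-sV’ and (when privileged) ‘-O’ as the cards describe, and parses Nmap's XML output (‘-oX -’) into open ports with their fingerprinted product, version and confidence plus the top OS match. The XML sample is constructed for illustration; ‘nmap’ being on PATH and the target address are assumptions.

```python
"""Drive Nmap as the flashcards describe and parse its XML output.

Added example, not code from the original page or the Nmap project.
Assumes `nmap` is on PATH. SAMPLE_XML is constructed, not a real scan.
"""
import os
import shutil
import subprocess
import sys
import xml.etree.ElementTree as ET
from typing import Optional


def build_nmap_command(target: str, all_ports: bool = True,
                       privileged: Optional[bool] = None) -> list[str]:
    """SYN scan (-sS) when we have root, otherwise a connect scan (-sT).
    -O is only added when privileged because it also needs raw sockets."""
    if privileged is None:
        privileged = hasattr(os, "geteuid") and os.geteuid() == 0
    cmd = ["nmap", "-sS" if privileged else "-sT", "-sV", "-oX", "-"]
    if privileged:
        cmd.append("-O")
    if all_ports:
        cmd.append("-p-")   # default would be the top 1000 ports only
    cmd.append(target)
    return cmd


def parse_nmap_xml(xml_text: str) -> list[dict]:
    """Reduce Nmap's XML to open ports (with -sV results) and the best OS match."""
    hosts = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        entry = {"ip": addr.get("addr") if addr is not None else None,
                 "ports": [], "os": None}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue            # closed/filtered ports are not listed
            svc = port.find("service")
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                "conf": int(get("conf") or 0),   # 10 = probed and matched
            })
        match = host.find("os/osmatch")
        if match is not None:
            entry["os"] = (match.get("name"), int(match.get("accuracy")))
        hosts.append(entry)
    return hosts


def run_scan(target: str) -> list[dict]:
    """Run the scan and return the parsed result (network access required)."""
    if shutil.which("nmap") is None:
        raise RuntimeError("nmap not found on PATH")
    proc = subprocess.run(build_nmap_command(target),
                          capture_output=True, text=True, check=True)
    return parse_nmap_xml(proc.stdout)


# Constructed sample of `nmap -sS -sV -O -p- -oX -` output (not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -O -p- -oX - 192.0.2.10">
 <host>
  <status state="up"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
     <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="80"><state state="open"/>
     <service name="http" product="Apache httpd" version="2.4.52" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="8443"><state state="closed"/></port>
  </ports>
  <os><osmatch name="Linux 5.4 - 5.10" accuracy="94"/></os>
 </host>
</nmaprun>
"""


if __name__ == "__main__":
    hosts = run_scan(sys.argv[1]) if len(sys.argv) > 1 else parse_nmap_xml(SAMPLE_XML)
    for h in hosts:
        print(f"{h['ip']}  os={h['os']}")
        for p in h["ports"]:
            print(f"  {p['port']}/{p['proto']} {p['service']} "
                  f"{p['product'] or ''} {p['version'] or ''} (conf {p['conf']})")
```

Run it without arguments to see the parser on the constructed sample, or with a target address to scan for real. Anything with a low ‘conf’ value is worth confirming by hand, since that is where a misleading banner or an unusual service is most likely to have fooled the fingerprint match.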