Reconnaissance Flashcards

1
Q

Footprinting

A

Part of reconnaissance: mapping out, at a high level, what the target's landscape looks like. During footprinting you look for any information that might give some insight into the target, no matter how big or small: investigating web resources and competitive intelligence, mapping network ranges, mining whois and DNS, social engineering, email tracking and Google hacking.

2
Q

Anonymous Footprinting

A

Footprinting done so that the activity cannot be traced back to the person performing it; the source of the footprinting is obscured.

3
Q

Pseudonymous Footprinting

A

Footprinting done so that the actions appear to come from, and are attributed to, someone else.

4
Q

Focus and Benefits of Footprinting

A
  1. Know the security posture
  2. Reduce the focus area (network range, number of targets)
  3. Identify vulnerabilities
  4. Draw a network map
5
Q

Active Footprinting

A

Requires the attacker to interact directly with the target device, network or resource (for example, a port scan or a DNS zone transfer attempt), so the activity can be logged and detected.

6
Q

Passive Footprinting

A

Collecting information from public records and other third-party sources (whois, search engines, job postings, archives) without directly interacting with the target.

7
Q

Competitive Intelligence

A

Information gathered by a business entity about its competitors, customers, products and marketing.

8
Q

www.attentionmeter.com

A

Compares website traffic for a set of sites using data from different measurement sources and provides traffic figures and graphs.

9
Q

Websites that provide information on a company's origins and how it developed over the years.

A

EDGAR database (SEC filings), Hoovers, LexisNexis, Business Wire

10
Q

Websites that provide company plans and financials

A

SEC Info, Experian, Market Watch, Wall Street Monitor, Euromonitor

11
Q

Web Mirroring Tools

A

Black Widow, GSA Email Spider, NCollector Studio, HTTrack, GNU Wget

12
Q

Google Hacking: filetype:type

A

Searches only for files of a specific type (DOC, XLS, PDF, etc.). Example: filetype:doc

13
Q

Google Hacking: index of /string

A

Displays pages with directory browsing (directory listing) enabled. Example: intitle:"index of" passwd

14
Q

Google Hacking: info:string

A

Displays the information Google stores about the page itself. Example: info:www.anycomp.com

15
Q

Google Hacking: intitle:string

A

Searches for pages that contain the string in the title. Example: intitle:login (no space after the colon). Use allintitle when every word must appear in the title. Example: allintitle:login password

16
Q

Google Hacking: inurl:string

A

Displays pages with the string in the URL. Example: inurl:password. Use allinurl when every word must appear in the URL. Example: allinurl:etc passwd

17
Q

Google Hacking: link:string

A

Displays pages that link to the specified page. Example: link:www.anycomp.com

18
Q

Google Hacking: related:webpagename

A

Shows web pages similar to webpagename. Example: related:www.anycomp.com

19
Q

Google Hacking: site:domain or web page string

A

Restricts results to a specific website or domain that contains the search term. Example: site:anywhere.com passwds

20
Q

Google Hacking: allinurl:tsweb/default.htm

A

Displays Windows Terminal Services Web Connection pages (browser-based RDP access), a quick way to find exposed remote desktop entry points.

21
Q

Google Hacking Tools

A

SiteDigger (runs Google Hacking Database queries against a site) and Metagoofil (downloads public documents from a domain and extracts their metadata: usernames, paths, software versions)

22
Q

History Sites

A

www.archive.org (the Wayback Machine, for old versions of a site) and Google Cache

23
Q

Email tracking programs

A

www.emailtrackerpro.com
www.mailtracking.com
GetNotify
ContactMonkey
Yesware
ReadNotify
WhoReadMe
MSGTAG
TraceEmail
Zendio

24
Q

DNS Name Resolvers

A

Answer DNS requests from clients, querying other servers on the client's behalf and caching the results (recursive resolvers).

25
Q

DNS Authoritative Servers

A

Hold the actual records for a namespace (zone) and give definitive answers for it, as opposed to cached answers.

26
Q

DNS Record Types - SRV

A

SRV - Hostname, port and priority of servers providing a specific service (for example _ldap._tcp or _sip._tcp).

27
Q

DNS Record Types - SOA

A

Start of Authority - identifies the primary name server for the zone and carries the zone's serial number and timers.

28
Q

DNS Record Types - PTR

A

Pointer record - maps an IP address to a hostname (reverse lookup, under in-addr.arpa or ip6.arpa).

29
Q

DNS Record Types - NS

A

Name server records - list the authoritative name servers for the zone.

30
Q

DNS Record Types - MX

A

Mail exchanger records - list the mail servers that accept email for the domain, each with a preference value (lower is preferred).

31
Q

DNS Record Types - CNAME

A

Canonical name records - aliases that point one hostname at another.

32
Q

DNS Record Types - A

A

Address record - maps a hostname to an IPv4 address (AAAA does the same for IPv6).

33
Q

DNS Poisoning

A

Changing the entries in a DNS cache (on a resolver or a host) so that a name resolves to an attacker-chosen address instead of the real one.

34
Q

Domain Name System Security Extensions (DNSSEC)

A

DNSSEC adds digital signatures to DNS records so that a validating resolver can verify that an answer came from the zone's legitimate authority and was not altered in transit. This defeats attacks that rely on forged DNS answers, such as cache poisoning and pharming, and the DNS-spoofing form of man-in-the-middle redirection; it does not encrypt queries or protect against a compromised web server.
DNSSEC authenticates the resolution of a name (for example, to an IP address) with a cryptographic signature chained up to the DNS root, so that answers provided by a DNS server can be checked for validity and authenticity. When DNSSEC is properly enabled for a domain (signed zone plus a DS record at the parent), visitors using a validating resolver can be confident they are being directed to the addresses the domain owner actually published.

35
Q

What makes up a DNS SOA record?

A

Source host (MNAME, the primary name server), Contact Email (RNAME, with the @ written as a dot), Serial Number, Refresh Time, Retry Time, Expire Time, Minimum TTL

36
Q

Internet Corporation for Assigned Names and Numbers (ICANN)

A

ICANN coordinates the global DNS and, through its IANA function, allocates IP address ranges to the Regional Internet Registries, which assign them onward.

37
Q

Domain Name Registrars

A

Companies that register domain names on behalf of registrants: www.godaddy.com, www.register.com, etc.

38
Q

Regional Internet Registries

A
  1. American Registry for Internet Numbers (ARIN) - Canada, parts of the Caribbean and North Atlantic islands, and the United States
  2. Asia-Pacific Network Information Centre (APNIC) - Asia and the Pacific
  3. Réseaux IP Européens Network Coordination Centre (RIPE NCC) - Europe, the Middle East and parts of Central Asia
  4. Latin America and Caribbean Network Information Centre (LACNIC) - Latin America and the Caribbean
  5. African Network Information Centre (AfriNIC) - Africa

39
Q

whois database

A

Queries the registries and registrars and returns information about a domain or IP block, including ownership, registration dates, name servers, and the addresses, locations and phone numbers of the registrant and contacts (unless privacy-protected).

40
Q

Dig command

A

Like nslookup but for UNIX/Linux. Basic command structure: dig @server name type, for example dig @ns1.example.com example.com MX

41
Q

Tracert

A

Traceroute - tracks a packet across the Internet and reports the route path and per-hop transit times by sending probes with increasing TTL values. Windows tracert uses ICMP Echo Request packets; Linux traceroute uses UDP datagrams by default.

42
Q

ICMP Type 11, Code 0

A

Time Exceeded - TTL expired in transit (returned by each intermediate router when the probe's TTL reaches zero; this is how traceroute learns each hop).

43
Q

ICMP Type 3, Code 13

A

Destination Unreachable - Communication Administratively Prohibited (the probe was blocked by a router ACL or firewall).

44
Q

Trace Route Tools

A
McAfee Visual Trace (NeoTrace)
Trout
VisualRoute
Magic NetTrace
Network Pinger
GEO Spider
Ping Plotter

45
Q

Differences between Windows and Linux Trace Routers

A

Windows uses tracert whereas Linux uses traceroute. Windows tracert sends ICMP Echo Requests; Linux traceroute sends UDP datagrams to high-numbered ports by default (ICMP with -I, TCP SYN with -T).
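
The logic behind the two cards above (which ICMP replies mean "intermediate hop", "destination reached" or "filtered", and why Windows and Linux terminate on different replies), as an added example that is not part of the original deck. The network is replaced by an injected probe function and the paths and addresses are constructed (RFC 5737 documentation ranges), so it runs offline; a real implementation needs raw sockets for the same loop.

```python
"""How tracert/traceroute turn ICMP replies into a hop list. Added example:
the network is replaced by an injected probe function so it runs offline;
a real traceroute needs raw sockets (root/administrator) for the same loop."""
import struct

# (type, code) -> how a traceroute implementation interprets the reply (RFC 792)
ICMP_MEANING = {
    (11, 0): "time exceeded: TTL expired in transit (intermediate router)",
    (0, 0): "echo reply: destination reached (ICMP probes: Windows tracert, traceroute -I)",
    (3, 3): "port unreachable: destination reached (Linux UDP traceroute)",
    (3, 13): "communication administratively prohibited (probe filtered)",
}


def decode_icmp(packet):
    """Parse the common 8-byte ICMP header of a reply: type, code, checksum."""
    icmp_type, code, checksum = struct.unpack("!BBH", packet[:4])
    return {"type": icmp_type, "code": code, "checksum": checksum,
            "meaning": ICMP_MEANING.get((icmp_type, code), "other")}


def trace(probe, max_hops=30):
    """probe(ttl) -> (replying_ip, icmp_type, icmp_code), or None on timeout.
    Sends with TTL=1, 2, 3, ... and stops at the first reply that is not
    'time exceeded': that is either the target or a filter in the way."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = probe(ttl)
        if reply is None:
            hops.append((ttl, "*", "request timed out"))
            continue
        src, t, c = reply
        hops.append((ttl, src, ICMP_MEANING.get((t, c), "other")))
        if (t, c) != (11, 0):
            break
    return hops


# Constructed paths (RFC 5737 documentation addresses), not real captures.
CLEAN_PATH = {1: ("192.0.2.1", 11, 0), 2: ("198.51.100.1", 11, 0),
              3: None, 4: ("203.0.113.10", 0, 0)}          # hop 3 never answers
FILTERED_PATH = {1: ("192.0.2.1", 11, 0), 2: ("192.0.2.254", 3, 13)}


def clean_probe(ttl):
    return CLEAN_PATH.get(ttl)


def filtered_probe(ttl):
    return FILTERED_PATH.get(ttl)


if __name__ == "__main__":
    for ttl, src, meaning in trace(clean_probe):
        print(f"{ttl:2d}  {src:15s}  {meaning}")
    for ttl, src, meaning in trace(filtered_probe):
        print(f"{ttl:2d}  {src:15s}  {meaning}")
```

A silent hop (no reply) is printed as `*` and the trace continues; a Type 3/Code 13 reply ends it, which is what a trace that "dies" at a perimeter device usually looks like. Swapping the terminating (0, 0) for (3, 3) in the probe is the only difference between an ICMP-based trace and the Linux UDP default.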

46
Q

OSRFRAMEWORK

A

Open-source research framework written in Python that helps with user profiling by performing open-source intelligence (OSINT) lookups across many platforms.

47
Q

OSRFRAMEWORK - usufy.py

A

Verifies if a user profile exists in up to 306 different platforms

48
Q

OSRFRAMEWORK - mailfy.py

A

Checks if a user name (email) has been registered in up to 22 different email providers.

49
Q

OSRFRAMEWORK - searchfy.py

A

Looks for profiles using full names and other info. Exam may say this queries the OSRFramework platform itself.

50
Q

OSRFRAMEWORK - domainfy.py

A

Verifies the existence of a given domain name across up to 1567 different TLDs and registries

51
Q

OSRFRAMEWORK - phonefy.py

A

Checks whether phone numbers have been reported on spam or scam reporting sites

52
Q

OSRFRAMEWORK - entify.py

A

Extracts entities (emails, IP addresses, URLs, hashes, etc.) from text using regular expressions

53
Q

Web Spiders

A

A robot program that automatically traverses the Web's hypertext structure by retrieving a document and then recursively retrieving all documents it references. Normal web browsers are not robots, because they are operated by a human and do not automatically retrieve referenced documents (other than inline images).
Web robots are sometimes referred to as Web Wanderers, Web Crawlers or Spiders. These names are a bit misleading, as they give the impression that the software itself moves between sites like a virus; this is not the case. A robot simply visits sites by requesting documents from them.

54
Q

/robots.txt

A

Web site owners use the /robots.txt file to give instructions about their site to web robots; this is called the Robots Exclusion Protocol.

It works like this: a robot wants to visit a Web site URL, say http://www.example.com/welcome.html. Before it does so, it first checks for http://www.example.com/robots.txt, and finds:

User-agent: *
Disallow: /
The "User-agent: *" means this section applies to all robots. The "Disallow: /" tells the robot that it should not visit any pages on the site. Compliance is voluntary, and for footprinting the Disallow lines are themselves useful: they list the paths the owner does not want indexed.
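
The two cards above (web spiders, and the /robots.txt check a spider makes first) in working code, as an added example that is not part of the original deck. Fetching is injected, so the site, its robots.txt and its pages are constructed inline and nothing is requested from the network; the agent name `recon-bot` and the host `www.example.com` are placeholders taken from the card's own example. The robots parser is a simplified one (exact user-agent match falling back to `*`, prefix matching on Disallow, no Allow handling), and the spider records the Disallow paths as footprinting leads as well as honouring them.

```python
"""Minimal spider with Robots Exclusion Protocol handling. Added example;
fetch() is injected and SITE below is constructed, not a real site."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def parse_robots(text):
    """Map user-agent -> list of Disallow paths. A record is a run of
    User-agent lines followed by Disallow lines; a blank line ends it."""
    rules, agents, seen_disallow = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line:
            agents, seen_disallow = [], False
            continue
        if ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if seen_disallow:                         # new record without a blank line
                agents, seen_disallow = [], False
            agents.append(value)
            rules.setdefault(value, [])
        elif field == "disallow":
            seen_disallow = True
            if value:                                 # empty Disallow means allow all
                for a in agents:
                    rules[a].append(value)
    return rules


def is_allowed(rules, agent, path):
    """Simplified check: exact agent match, else the '*' record; prefix match."""
    paths = rules.get(agent, rules.get("*", []))
    return not any(path.startswith(p) for p in paths)


class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, val in attrs:
                if key == "href" and val:
                    self.links.append(val)


def spider(start, fetch, agent="recon-bot", limit=50):
    """fetch(url) -> page text or None. Returns (visited urls, disallowed paths).
    Same-host links only, breadth first, robots.txt consulted before crawling."""
    parts = urlsplit(start)
    rules = parse_robots(fetch(f"{parts.scheme}://{parts.netloc}/robots.txt") or "")
    findings = sorted({p for paths in rules.values() for p in paths})   # recon leads
    queue, visited = [start], []
    while queue and len(visited) < limit:
        url = queue.pop(0)
        if url in visited or urlsplit(url).netloc != parts.netloc:
            continue
        if not is_allowed(rules, agent, urlsplit(url).path or "/"):
            continue
        visited.append(url)
        body = fetch(url)
        if not body:
            continue
        extractor = LinkExtractor()
        extractor.feed(body)
        for href in extractor.links:                  # recurse into referenced documents
            queue.append(urljoin(url, href).split("#")[0])
    return visited, findings


# Constructed site for an offline run (assumed content, not a real host).
SITE = {
    "http://www.example.com/robots.txt": "User-agent: *\nDisallow: /admin/\nDisallow: /backup/\n",
    "http://www.example.com/welcome.html": '<a href="/about.html">About</a>'
                                           '<a href="/admin/">Admin</a>'
                                           '<a href="http://other.example.net/">Off-site</a>',
    "http://www.example.com/about.html": '<a href="welcome.html">Home</a>',
    "http://www.example.com/admin/": "<h1>admin</h1>",
}


def fake_fetch(url):
    return SITE.get(url)


if __name__ == "__main__":
    visited, leads = spider("http://www.example.com/welcome.html", fake_fetch)
    print("crawled:", visited)
    print("robots.txt Disallow paths worth a manual look:", leads)
```

With the card's own `Disallow: /` the crawl stops before the first page, which is the behaviour the card describes; with the constructed site the spider never requests /admin/ yet still reports it as a path the owner wanted hidden.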

55
Q

Social Engineering Tools

A

Maltego (link analysis of people, domains and infrastructure) and the Social Engineering Framework

56
Q

Competitive Intelligence Tools

A

Google Alerts, Yahoo! Site Explorer, SEO for Firefox, SpyFu, Quarkbase, DomainTools.com

57
Q

Shodan

A

The hacker's search engine. Designed to help you find specific types of computers (routers, servers and IoT devices) connected to the Internet, indexed by the service banners they return rather than by web content.

58
Q

Vulnerability Research Databases and Sites

A

National Vulnerability Database,
SecurityTracker,
Hackerstorm Vulnerability Database,
SecurityFocus

59
Q

DNS ports

A

DNS lookups use UDP port 53 (falling back to TCP port 53 for responses too large to fit in a UDP reply); zone transfers (AXFR) use TCP port 53.

60
Q

DNS command to initiate a zone transfer using NSLOOKUP

A

ls -d domainname (in interactive nslookup on Windows, after pointing at the target's authoritative server with server nameserver; the ls subcommand is not available in the Linux nslookup)
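
What the DNS cards above describe at the wire level (the record types, the seven SOA fields, UDP versus TCP on port 53, and the AXFR query a zone transfer sends), as an added example that is not part of the original deck. The query builder produces the same bytes a real client sends; the SOA reply is constructed by hand for `example.com` with assumed values, not captured from a real server, and it uses a compression pointer the way real servers do so the parser's pointer handling is exercised.

```python
"""DNS on the wire: build a query (UDP, or TCP-framed as a zone transfer needs)
and parse the answer section, including the SOA fields listed on the card.
Added example; the reply below is constructed by hand, not captured."""
import struct

# RR type numbers from the IANA registry (RFC 1035, RFC 2782, RFC 5936)
RR_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12,
            "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33, "AXFR": 252}
TYPE_NAMES = {v: k for k, v in RR_TYPES.items()}


def encode_name(name):
    # example.com -> 07 'example' 03 'com' 00 (length-prefixed labels)
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234, tcp=False):
    """12-byte header + one question. Over TCP (also port 53) the message is
    prefixed with its 2-byte length; AXFR is only valid over TCP."""
    flags = 0x0100                                    # RD=1, standard query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", RR_TYPES[qtype], 1)  # class IN
    msg = header + question
    return struct.pack("!H", len(msg)) + msg if tcp else msg


def read_name(msg, off):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                         # pointer, RFC 1035 4.1.4
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + ln].decode())
        off += ln


def parse_rdata(msg, rtype, off, rdlen):
    if rtype == 1:                                    # A
        return ".".join(str(b) for b in msg[off:off + 4])
    if rtype in (2, 5, 12):                           # NS, CNAME, PTR: a name
        return read_name(msg, off)[0]
    if rtype == 15:                                   # MX: preference + exchange
        pref = struct.unpack("!H", msg[off:off + 2])[0]
        return {"preference": pref, "exchange": read_name(msg, off + 2)[0]}
    if rtype == 6:                                    # SOA: the card's seven fields
        mname, p = read_name(msg, off)
        rname, p = read_name(msg, p)
        serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[p:p + 20])
        return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
                "retry": retry, "expire": expire, "minimum": minimum}
    return msg[off:off + rdlen]                       # anything else: raw bytes


def parse_response(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype),
                        "ttl": ttl, "data": parse_rdata(msg, rtype, off, rdlen)})
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def sample_soa_response():
    """Constructed reply to 'example.com SOA' (assumed values). 0xC00C is a
    pointer to offset 12, the question name, as real servers compress names."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1
    question = encode_name("example.com") + struct.pack("!HH", RR_TYPES["SOA"], 1)
    rdata = (b"\x03ns1\xC0\x0C"                       # ns1.example.com
             + b"\x0Ahostmaster\xC0\x0C"              # hostmaster.example.com
             + struct.pack("!IIIII", 2024010101, 7200, 900, 1209600, 3600))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", RR_TYPES["SOA"], 1, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    print(build_query("example.com", "AXFR", tcp=True).hex())   # bytes sent down TCP/53
    print(parse_response(sample_soa_response()))
```

The AXFR query is the only thing `ls -d` or `dig axfr` puts on the wire before the server decides whether to answer; a server that refuses returns rcode 5 (REFUSED) in the flags word this parser exposes. The same `read_name` and `parse_rdata` handle the A, NS, CNAME, PTR and MX records an authoritative server would stream back if the transfer is allowed.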

61
Q

Can be used to check web pages for changes and automatically notify you when there is an update:

A

website-watcher (http://aignes.com )