Reconnaissance

Question 1

Footprinting

Answer 1

Part of reconnaissance, mapping out at a high level what the landscape looks like. During footprinting, you look for any information that might give you some insight into the target - no matter how big or small. Investigating web resources and competitive intelligence, mapping out network ranges, mining whois and DNS, social engineering, email tracking, Google Hacking.

Question 2

Anonymous Footprinting

Answer 2

Obscure the source of footprinting activities.

Question 3

Pseudonymous Footprinting

Answer 3

Attributing your actions to someone else when conducting footprinting.

Question 4

Focus and Benefits of Footprinting

Answer 4

1. Know the security posture
2. Reduce the focus area (network range, number of targets)
3. Identify vulnerabilities
4. Draw a network map

Question 5

Active Footprinting

Answer 5

Requires the attacker to touch the device, network or resource.

Question 6

Passive Footprinting

Answer 6

Collecting information from public records.

Question 7

Competitive Intelligence

Answer 7

Information gathered by a business entity about its competitors, customers, products and marketing.

Question 8

www.attentionmeter.com

Answer 8

Compares website traffic from hosts of different sources and provides traffic data and graphs.

Question 9

Websites that provide information on company origins and how it developed during the years.

Answer 9

EDGAR database. Hoovers, LexisNexis, Business Wire

Question 10

Websites that provide company plans and financials

Answer 10

SEC Info, Experian, Market Watch, Wall Street Monitor, Euromonitor

Question 11

Web Mirroring Tools

Answer 11

Black Widow, GSA Email Spider, NCollector Studio, HTTRACK, GNU Wget

Question 12

Google Hacking: filetype:type

Answer 12

Searches for files only of a specific type. (DOC, XLS. etc.) Example: filetype:doc

Question 13

Google Hacking: index of /string

Answer 13

Displays pages with directory browsing enabled. Example: “intitle:index of “ passwd

Question 14

Google Hacking: info:string

Answer 14

Displays information Google stores about the page itself: Example: info:www.anycomp.com

Question 15

Google Hacking: intitle:string

Answer 15

Searches for pages that contain the string in the title. Example: intitle: login You can also use allintitle for multiple search strings: Example: allintitle:login password

Question 16

Google Hacking: inurl:string

Answer 16

Displays pages with the string in the URL. Example: inurl:password For multiple strings use allinurl, Example: allinurl: etc passwd

Question 17

Google Hacking: link:string

Answer 17

Displays linked pages based on a search term.

Question 18

Google Hacking: related:webpagename

Answer 18

Shows webpages similar to webpagename

Question 19

Google Hacking: site:domain or web page string

Answer 19

Displays pages for a specific website or domain holding the search term. site:anywhere.com passwds

Question 20

Google Hacking: allinurl:tsweb/default.htm

Answer 20

Displays RDP Web pages

Question 21

Google Hacking Tools

Answer 21

SiteDigger and Metagoofil (searches document meta tags)

Question 22

History Sites

Answer 22

www.archive.org and Google Cache

Question 23

Email tracking programs

Answer 23

www.emailtrackerpro.com
www.mailtracking.com
GetNotify
ContactMonkey
Yesware
ReadNotify,
WhoReadMe,
MSGTAG,
TraceEmail and
Zendio

Question 24

DNS Name Resolvers

Answer 24

Answer DNS requests

Question 25

DNS Authoritative Servers

Answer 25

Hold the records for a namespace

Question 26

DNS Record Types - SRV

Answer 26

SRV - Hostname and Ports of servers providing specific services

Question 27

DNS Record Types - SOA

Answer 27

Start of Authority - identifies the primary name server for the zone.

Question 28

DNS Record Types - PTR

Answer 28

Maps an IP address to a Hostname

Question 29

DNS Record Types - NS

Answer 29

Name Servers

Question 30

DNS Record Types - MX

Answer 30

Email Servers

Question 31

DNS Record Types - CNAME

Answer 31

Domain name aliases

Question 32

DNS Record Types - A

Answer 32

Host name to IP address

Question 33

DNS Poisoning

Answer 33

Changing the entries in DNS cache to point to alternative servers.

Question 34

Domain Name System Security Extensions (DNSSEC)

Answer 34

DNSSEC is aimed at strengthening trust in the Internet by helping to protect users from redirection to fraudulent websites and unintended addresses. In such a way, malicious activities like cache poisoning, pharming, and man-in-the-middle attacks can be prevented.
DNSSEC authenticates the resolution of IP addresses with a cryptographic signature, to make sure that answers provided by the DNS server are valid and authentic. In case DNSSEC is properly enabled for your domain name, the visitors can be ensured that they are connecting to the actual website corresponding to a particular domain name.

Question 35

What makes up a DNS SOA record?

Answer 35

Source host, Contact Email, Serial Number, Refresh Time, Retry Time, Expire Time, TTL

Question 36

Internet Corporation for Assigned Names and Numbers (ICANN)

Answer 36

ICANN manages IP address ranges.

Question 37

Domain Name Registrants

Answer 37

www.godaddy.com www.register.com, etc.

Question 38

Regional Internet Registries

Answer 38

1. American Registry for Internet Numbers (ARIN) - Canada, parts of the Caribbean and North Atlantic Islands and the United States
2. Asia-Pacific Network Information Center (APNIC) - Asia and the Pacific
3. Reseaux IP Europeens (RIPE) NCC - Europe, Middle East and parts of Central Asia/Northern Africa
4. Latin America and Caribbean Network Information Center (LACNIC) - Latin America and the Caribbean
5. African Network Information Center (AfriNIC) - Africa

Question 39

whois database

Answer 39

Queries the registries and returns information including domain ownership, addresses, locations and phone numbers of domain owners.

Question 40

Dig command

Answer 40

Like NSLOOKUP but for UNIX/Linux. Basic command structure: dig @server name type

Question 41

Tracert

Answer 41

Traceroute - tracks a packet across the Internet and provides the route path and transit times. Uses ICMP ECHO packets (UDP datagrams in Linux versions).

Question 42

ICMP Type 11, Code 0

Answer 42

TTL Expired

Question 43

ICMP Type 3, Code 13

Answer 43

Administratively Blocked

Question 44

Trace Route Tools

Answer 44

McAfee Visual Trace (NeoTrace), 
Trout, 
VisualRoute, 
Magic NetTrace, 
Network Pinger, 
GEO Spider, and 
Ping Plotter

Question 45

Differences between Windows and Linux Trace Routers

Answer 45

Windows uses tracert whereas Linux uses traceroute. Windows uses ICMP, Linux uses TCP

Question 46

OSRFRAMEWORK

Answer 46

Open source research framework in Python that helps in the task of user profiling by performing open source intelligence.

Question 47

OSRFRAMEWORK - usufy.py

Answer 47

Verifies if a user profile exists in up to 306 different platforms

Question 48

OSRFRAMEWORK - mailfy.py

Answer 48

Checks if a user name (email) has been registered in up to 22 different email providers.

Question 49

OSRFRAMEWORK - searchfy.py

Answer 49

Looks for profiles using full names and other info. Exam may say this queries the OSRFramework platform itself.

Question 50

OSRFRAMEWORK - domainfr.py

Answer 50

Verifies the existence of a given domain in up to 1567 different registries

Question 51

OSRFRAMEWORK - phonefy.py

Answer 51

Checks for the existence of phone numbers

Question 52

OSRFRAMEWORK - entify.py

Answer 52

Looks for regular expressions

Question 53

Web Spiders

Answer 53

A robot program that automatically traverses the Web’s hypertext structure by retrieving a document, and recursively retrieving all documents that are referenced. Normal Web browsers are not robots, because they are operated by a human, and don’t automatically retrieve referenced documents (other than inline images).
Web robots are sometimes referred to as Web Wanderers, Web Crawlers, or Spiders. These names are a bit misleading as they give the impression the software itself moves between sites like a virus; this not the case, a robot simply visits sites by requesting documents from them.

Question 54

/robots.txt

Answer 54

Web site owners use the /robots.txt file to give instructions about their site to web robots; this is called The Robots Exclusion Protocol.

It works likes this: a robot wants to vists a Web site URL, say http://www.example.com/welcome.html. Before it does so, it firsts checks for http://www.example.com/robots.txt, and finds:

User-agent: *
Disallow: /
The “User-agent: *” means this section applies to all robots. The “Disallow: /” tells the robot that it should not visit any pages on the site.

Question 55

Social Engineering Tools

Answer 55

Maltego, Social Engineering Framework

Question 56

Competitive Intelligence Tools

Answer 56

Google Alerts, Yahoo! Site Explorer, SEO for Firefox, SpyFu, Quarkbase, DomainTools.com

Question 57

Shodan

Answer 57

The hackers search engine. Designed to help you find specific types of computers (routers, servers, and IOT) connected to the Internet.

Question 58

Vulnerability Research Databases and Sites

Answer 58

National Vulnerability Database,
SecurityTracker,
Hackerstorm Vulnerability Database,
SecurityFocus

Question 59

DNS ports

Answer 59

DNS lookups use UDP port 53 and zone transfers use TCP port 53

Question 60

DNS command to initiate a zone transfer using NSLOOKUP

Answer 60

ls -d domainname

Question 61

Can be used to check web pages for changes, automatically notifying you when there’s an update:

Answer 61

website-watcher (http://aignes.com )