Reconnaissance and Intelligence Gathering Flashcards
What method is used to replicate DNS information for DNS servers but is also a tempting exploit target for attackers?
A. DNSSEC
B. AXR
C. DNS registration
D. Zone transfers
Answer:
D. DNS zone transfers provide a method to replicate DNS information between DNS servers, but they are also a tempting target for attackers due to the amount of information that they contain. A properly secured DNS server will only allow zone transfers to specific, permitted peer DNS servers. DNSSEC is a suite of DNS security specifications, AXR is a made-up term (AXFR is the zone transfer command), and DNS registration is how you register a domain name.
What flag does nmap use to enable operating system identification?
A. -os
B. -id
C. -o
D. -osscan
Answer:
C. Nmap’s operating system identification flag is -o and it enables OS detection. -A also enables OS identification and other features. -osscan with modifiers like -limit and -guess set specific OS identification features. -os and -id are not nmap flags.
What command-line tool can be used to determine the path that traffic takes to a remote system?
A. Whois
B. traceroute
C. nslookup
D. routeview
Answer:
B. Traceroute (or tracert on Windows systems) is a command-line tool that uses ICMP to trace the route that a packet takes to a host. Whois and nslookup are domain tools, and routeview is not a command-line tool.
What type of data can frequently be gathered from images taken on smartphones?
A. Extended Graphics Format
B. Exif
C. JPIF
D. PNGrams
Answer:
B. Exif (Exchangeable Image Format) data often includes location and camera data, allowing the images to be mapped and identified to a specific device or type of camera.
Which Cisco log level is the most critical?
A. 0
B. 1
C. 7
D. 10
Answer:
A. Log level 0 is used for emergencies in Cisco’s logging level scheme. Log level 7 is for debugging information and is at the bottom of the scale.
During passive intelligence gathering, you are able to run netstat on a workstation located at your target’s headquarters. What information would you not be able to find using netstat on a Windows system?
A. Active TCP connections
B. A list of executables by connection
C. Active UDP connections
D. Route table information
Answer:
C. UDP connections are not shown by netstat because UDP is a connectionless protocol. Active TCP connections, executables that are associated with them, and route table information are all available via netstat.
Which of the following options is the most likely used for the host listed in the dhcpd.conf entry?
host db1 {
    option host-name "sqldb1.example.com";
    hardware ethernet 8a:00:83:aa:21:9f;
    fixed-address 10.1.240.10;
}
A. Active Directory server
B. Apache web server
C. Oracle database server
D. Microsoft SQL Server
Answer:
D. Although it is possible that a system named “db1” with a hostname “sqldb1” is not a Microsoft SQL Server, the most likely answer is that it is a Microsoft SQL Server.
Which type of Windows log is most likely to contain information about a file being deleted?
A. httpd logs
B. Security logs
C. System logs
D. Configuration logs
Answer:
B. Microsoft Windows security logs can contain information about files being opened, created, or deleted if configured to do so. Configuration and httpd logs are not a type of Windows logs, and system logs contain information about events logged by Windows components.
What organization manages the global IP address space?
A. NASA
B. ARIN
C. WorldNIC
D. IANA
Answer:
D. The Internet Assigned Numbers Authority manages the global IP address space. ARIN is the American Registry for Internet Numbers, WorldNIC is not an IP authority, and NASA tackles problems in outer space, not global IP space.
Before Ben sends a Word document, he uses the built-in Document Inspector to verify that the file does not contain hidden content. What is this process called?
A. Data purging
B. Data remanence insurance
C. Metadata scrubbing
D. File cleansing
Answer:
C. Metadata scrubbing removes hidden information about a file such as the creator, creation time, system used to create the file, and a host of other information. The other answers are made up.
What type of analysis is best suited to identify a previously unknown malware package operating on a compromised system?
A. Trend analysis
B. Signature analysis
C. Heuristic analysis
D. Regression analysis
Answer:
C. Heuristic analysis focuses on behaviors, allowing a tool using it to identify malware behaviors instead of looking for a specific package. Trend analysis is typically used to identify large-scale changes from the norm, and it is more likely to be useful for a network than for a single PC. Regression analysis is used in statistical modeling.
Which of the following is not a common DNS antiharvesting technique?
A. Blacklisting systems or networks
B. Registering manually
C. Rate limiting
D. CAPTCHAs
Answer:
B. Registering manually won’t prevent DNS harvesting, but privacy services are often used to prevent personal or corporate information from being visible via domain registrars. CAPTCHAs, rate limiting, and blacklisting systems or networks that are gathering data are all common anti-DNS harvesting techniques.
What technique is being used in this command?
dig axfr @dns-server example.com
A. DNS query
B. nslookup
C. dig scan
D. Zone transfer
Answer:
D. The axfr flag indicates a zone transfer in both the dig and host utilities.
Which of the following is not a reason that penetration testers often perform packet capture while conducting port and vulnerability scanning?
A. Work process documentation
B. To capture additional data for analysis
C. Plausible deniability
D. To provide a timeline
Answer:
C. A packet capture can’t provide plausible deniability, as it provides evidence of action. Packet capture is often used to document work, including the time that a given scan or process occurred, and it can also be used to provide additional data for further analysis.
What process uses information such as the way that a system’s TCP stack responds to queries, what TCP options it supports, and the initial window size it uses?
A. Service identification
B. Fuzzing
C. Application scanning
D. OS detection
Answer:
D. Operating system detection often uses TCP options support, IP ID sampling, and window size checks, as well as other indicators that create unique fingerprints for various operating systems. Service identification often leverages banners since TCP capabilities are not unique to a given service. Fuzzing is a code testing method, and application scanning is usually related to web application security.