Reconnaissance and Intelligence Gathering Flashcards

1
Q

What method is used to replicate DNS information for DNS servers but is also a tempting exploit target for attackers?

A. DNSSEC

B. AXR

C. DNS registration

D. Zone transfers

A

Answer:

D. DNS zone transfers provide a method to replicate DNS information between DNS servers, but they are also a tempting target for attackers due to the amount of information that they contain. A properly secured DNS server will only allow zone transfers to specific, permitted peer DNS servers. DNSSEC is a suite of DNS security specifications, AXR is a made-up term (AXFR is the zone transfer command), and DNS registration is how you register a domain name.

2
Q

What flag does nmap use to enable operating system identification?

A. -os

B. -id

C. -O

D. -osscan

A

Answer:

C. Nmap's operating system identification flag is -O, and it enables OS detection. -A also enables OS identification along with other features. The --osscan modifiers (--osscan-limit and --osscan-guess) set specific OS identification behaviors. -os and -id are not nmap flags.

3
Q

What command-line tool can be used to determine the path that traffic takes to a remote system?

A. Whois

B. traceroute

C. nslookup

D. routeview

A

Answer:

B. Traceroute (or tracert on Windows systems) is a command-line tool that uses ICMP to trace the route that a packet takes to a host. Whois and nslookup are domain tools, and routeview is not a command-line tool.

4
Q

What type of data can frequently be gathered from images taken on smartphones?

A. Extended Graphics Format

B. Exif

C. JPIF

D. PNGrams

A

Answer:

B. Exif (Exchangeable Image Format) data often includes location and camera data, allowing the images to be mapped and identified to a specific device or type of camera.

5
Q

Which Cisco log level is the most critical?

A. 0

B. 1

C. 7

D. 10

A

Answer:

A. Log level 0 is used for emergencies in Cisco’s logging level scheme. Log level 7 is for debugging information and is at the bottom of the scale.

6
Q

During passive intelligence gathering, you are able to run netstat on a workstation located at your target’s headquarters. What information would you not be able to find using netstat on a Windows system?

A. Active TCP connections

B. A list of executables by connection

C. Active UDP connections

D. Route table information

A

Answer:

C. UDP connections are not shown by netstat because UDP is a connectionless protocol. Active TCP connections, executables that are associated with them, and route table information are all available via netstat.

7
Q

Which of the following options is the most likely used for the host listed in the dhcpd.conf entry?

host db1 {
    # reservation for the host named sqldb1
    option host-name "sqldb1.example.com";
    # the MAC address this reservation is tied to
    hardware ethernet 8a:00:83:aa:21:9f;
    # the static IP address handed to that MAC
    fixed-address 10.1.240.10;
}

A. Active Directory server

B. Apache web server

C. Oracle database server

D. Microsoft SQL Server

A

Answer:

D. Although it is possible that a system named “db1” with a hostname “sqldb1” is not a Microsoft SQL Server, the most likely answer is that it is a Microsoft SQL Server.

8
Q

Which type of Windows log is most likely to contain information about a file being deleted?

A. httpd logs

B. Security logs

C. System logs

D. Configuration logs

A

Answer:

B. Microsoft Windows security logs can contain information about files being opened, created, or deleted if configured to do so. Configuration and httpd logs are not a type of Windows logs, and system logs contain information about events logged by Windows components.

9
Q

What organization manages the global IP address space?

A. NASA

B. ARIN

C. WorldNIC

D. IANA

A

Answer:

D. The Internet Assigned Numbers Authority manages the global IP address space. ARIN is the American Registry for Internet Numbers, WorldNIC is not an IP authority, and NASA tackles problems in outer space, not global IP space.

10
Q

Before Ben sends a Word document, he uses the built-in Document Inspector to verify that the file does not contain hidden content. What is this process called?

A. Data purging

B. Data remanence insurance

C. Metadata scrubbing

D. File cleansing

A

Answer:

C. Metadata scrubbing removes hidden information about a file such as the creator, creation time, system used to create the file, and a host of other information. The other answers are made up.

11
Q

What type of analysis is best suited to identify a previously unknown malware package operating on a compromised system?

A. Trend analysis

B. Signature analysis

C. Heuristic analysis

D. Regression analysis

A

Answer:

C. Heuristic analysis focuses on behaviors, allowing a tool using it to identify malware behaviors instead of looking for a specific package. Trend analysis is typically used to identify large-scale changes from the norm, and it is more likely to be useful for a network than for a single PC. Regression analysis is used in statistical modeling.

12
Q

Which of the following is not a common DNS antiharvesting technique?

A. Blacklisting systems or networks

B. Registering manually

C. Rate limiting

D. CAPTCHAs

A

Answer:

B. Registering manually won’t prevent DNS harvesting, but privacy services are often used to prevent personal or corporate information from being visible via domain registrars. CAPTCHAs, rate limiting, and blacklisting systems or networks that are gathering data are all common anti-DNS harvesting techniques.

13
Q

What technique is being used in this command?

dig axfr @dns-server example.com

A. DNS query

B. nslookup

C. dig scan

D. Zone transfer

A

Answer:

D. The axfr flag indicates a zone transfer in both the dig and host utilities.

14
Q

Which of the following is not a reason that penetration testers often perform packet capture while conducting port and vulnerability scanning?

A. Work process documentation

B. To capture additional data for analysis

C. Plausible deniability

D. To provide a timeline

A

Answer:

C. A packet capture can’t provide plausible deniability, as it provides evidence of action. Packet capture is often used to document work, including the time that a given scan or process occurred, and it can also be used to provide additional data for further analysis.

15
Q

What process uses information such as the way that a system’s TCP stack responds to queries, what TCP options it supports, and the initial window size it uses?

A. Service identification

B. Fuzzing

C. Application scanning

D. OS detection

A

Answer:

D. Operating system detection often uses TCP options support, IP ID sampling, and window size checks, as well as other indicators that create unique fingerprints for various operating systems. Service identification often leverages banners since TCP capabilities are not unique to a given service. Fuzzing is a code testing method, and application scanning is usually related to web application security.

16
Q

What tool would you use to capture IP traffic information to provide flow and volume information about a network?

A. libpcap

B. netflow

C. netstat

D. pflow

A

Answer:

B. Netflow is a Cisco network protocol that collects IP traffic information that allows analysis of traffic flow and volume. Netstat provides information about local connections, which applications have made them, and other useful local system information. Libpcap is the Linux packet capture library and would not be used alone. Pflow is a made-up term.

17
Q

What method used to replicate DNS information between DNS servers can also be used to gather large amounts of information about an organization’s systems?

A. traceroute

B. Zone transfer

C. DNS sync

D. dig

A

Answer:

B. Zone transfers are intended to allow DNS database replication, but an improperly secured DNS server can also allow third parties to request a zone transfer, exposing all of their DNS information. Traceroute is used to determine the path and latency to a remote host, whereas dig is a useful DNS query tool. DNS sync is a made-up technical term.

18
Q

Selah believes that an organization she is penetration testing may have exposed information about their systems on their website in the past. What site might help her find an older copy of their website?

A. The Internet Archive

B. WikiLeaks

C. The Internet Rewinder

D. TimeTurner

A

Answer:

A. The Internet Archive maintains copies of sites from across the Internet, and it can be used to review the historical content of a site. WikiLeaks distributes leaked information, whereas the Internet Rewinder and TimeTurner are both made-up names.

19
Q

During an information gathering exercise, Chris is asked to find out detailed personal information about his target’s employees. What is frequently the best place to find this information?

A. Forums

B. Social media

C. The company’s website

D. Creepy

A

Answer:

B. Social media can be a treasure trove of personal information. Company websites and forums are usually limited in the information they provide, and Creepy is a geolocation tool that gathers data from social media and geotagging.

20
Q

Which lookup tool provides information about a domain’s registrar and physical location?

A. nslookup

B. host

C. Whois

D. traceroute

A

Answer:

C. Whois provides information that can include the organization’s physical address, registrar, contact information, and other details. Nslookup will provide IP address or hostname information, whereas host provides IPv4 and IPv6 addresses as well as email service information. Traceroute attempts to identify the path to a remote host as well as the systems along the route.