Week 2 Qs Flashcards
Reconnaissance
Also known as information gathering; the preparatory phase in which a penetration tester collects as much information as possible about a target before launching the simulated attack.
Active Reconnaissance
Involves interacting directly with the target (for example, querying the target's own servers); because of that, the target may record our IP address and log our activity.
Passive Reconnaissance
Makes use of the vast amount of information about the target that is already available on the web. This type does not interact directly with the target, so it leaves no trace in the target's logs.
Search Methods
Locate the target web presence;
Gather search engine results regarding the target;
Look for web groups containing employee/company comments;
Examine the personal web sites of employees;
Search archival sites for additional information;
Look for job postings submitted by the target;
Search newsgroups;
Query the domain registrar.
Other sources: trade papers, financial databases, user groups and blogs, alternative websites, Google hacking, etc.
Job Postings
Often reveal very detailed information about the technology an organization uses; a posting will frequently name the specific hardware and software products the candidate is expected to know.
archive.org
Used to browse archived copies of web pages dating back to 1996. It is a useful tool for finding information that is no longer on a live site.
whois
Gives access to the registration record for a target's domain, including the host names or IP addresses of the company's Domain Name System (DNS) servers and registrant/administrative/technical contact information, usually with an address and phone number. Many registrars now redact or privacy-proxy the contact fields, so they may be blank.
nslookup
A tool that queries DNS servers for the records they hold (such as A, MX and NS) about the hosts they know of. Querying the target's own name servers is active reconnaissance, since the request reaches the target.
robots.txt
A file at the root of a website that asks search-engine crawlers not to index certain pages. It is advisory only and does not actually restrict access: any crawler or person that ignores it can still fetch those pages. The paths it lists are exactly the ones the site owner did not want found, which makes the file worth reading during reconnaissance.
Google hacking
The art of crafting precise search engine queries, using advanced operators, to filter large numbers of results down to the ones that expose information about a target.
Google directive
Keywords (also called operators) that let us extract information from the Google index more accurately. The syntax is the name of the directive, a colon, and the term you want to apply it to, with no space between them. For example, the “site:” directive limits results to one domain: site:domain term(s) to search.
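The robots.txt and Google directive cards above, combined in a short worked example. This is an added illustration, not part of the flashcards or of any tool they mention: it parses a constructed robots.txt (the domain example.com and every path in it are assumptions) and turns each Disallow entry into a site:/inurl: query. Fetching robots.txt from a live target is active reconnaissance; searching Google's index for the same paths is passive.

```python
"""Added example (not from the flashcards): parse a robots.txt file and
turn its Disallow entries into Google 'site:' / 'inurl:' queries.

The robots.txt content below is CONSTRUCTED for illustration; the host
name example.com and the paths in it are assumptions, not real findings.
Fetching robots.txt from a live target is active reconnaissance: the
request lands in the target's web server logs.
"""
import re

# Constructed sample: what a target's /robots.txt might look like.
SAMPLE_ROBOTS = """\
# robots.txt for example.com (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Disallow: /old-site/index.html
Allow: /public/
Sitemap: https://example.com/sitemap.xml

User-agent: Googlebot
Disallow: /staging/
"""


def parse_robots(text):
    """Return a dict with the Disallow, Allow and Sitemap entries.

    Comments (anything after '#') and blank lines are ignored. The
    directive name is matched case-insensitively because servers emit
    'Disallow', 'disallow' and 'DISALLOW' in the wild. Entries are
    de-duplicated while preserving the order they appeared in.
    """
    found = {"disallow": [], "allow": [], "sitemap": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z-]+)\s*:\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in found and value and value not in found[key]:
            found[key].append(value)
    return found


def google_queries(domain, robots):
    """Build one 'site:' query per disallowed path.

    'Disallow' is advisory: nothing stops a crawler that ignores the
    file, or a human, from reaching these paths. A query such as
    site:example.com inurl:/admin/ asks Google what it has already
    indexed there, which is passive reconnaissance (no traffic to the
    target). Directive, colon and term are joined without spaces.
    """
    queries = []
    for path in robots["disallow"]:
        # '*' and '$' are robots.txt wildcards, not inurl: syntax;
        # such patterns cannot be turned into a literal query.
        if "*" in path or "$" in path or path == "/":
            continue
        queries.append(f"site:{domain} inurl:{path}")
    return queries


def main():
    robots = parse_robots(SAMPLE_ROBOTS)
    print("Disallowed paths:", robots["disallow"])
    print("Sitemaps:", robots["sitemap"])
    for q in google_queries("example.com", robots):
        print(q)


if __name__ == "__main__":
    main()
```

Run it as a script to see the parsed entries and the generated queries; paste a real target's robots.txt into SAMPLE_ROBOTS (or read it from a file) to use it on an engagement, keeping in mind that downloading that file is the one step here the target can log.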