CEH V11 Practice questions
How does 802.1X work?
802.1X is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network. The user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server. The RADIUS server is able to do this by communicating with the organization's directory, typically over the LDAP or SAML protocol.
Which of the following Linux commands will resolve a domain name into IP address?
>host -t a
Which of the following is not a Bluetooth attack?
A = Bluedriving Bluesmacking - Denial of service against device Bluejacking - Sending unsolicited messages Bluebugging - Remotely using a device's features Bluesnarfing - Theft of data from a device While bluedriving exists, it is not an actual "attack."
Which of the following is a component of a risk assessment?
Administrative safeguards Apparently there 4 Critical Components of an Effective Risk Assessment. They are: -Technical Safeguards -Organisational Safeguards -Physical Safeguards -Administrative Safeguards
You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration?
An Intrusion Detection System
Todd has been asked by the security officer to purchase a counter-based authentication system. Which of the following best describes this type of system?
Answer: An authentication system that creates one-time passwords that are encrypted with secret keys.
What is the minimum number of network connections in a multihomed firewall?
Answer: 2 A multi-homed firewall is a firewall device or host system that has two or more network interfaces. One interface is connected to the untrusted network and another interface is connected to the trusted network.
Why is a penetration test considered to be more thorough than vulnerability scan?
Answer: A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a vulnerability scan does not typically involve active exploitation.
You need to deploy a new web-based software package for your organization. The package requires three separate servers and needs to be available on theInternet. What is the recommended architecture in terms of server placement?
Answer: A web server facing the Internet, an application server on the internal network, a database server on the internal network
Which of the following is the BEST way to defend against network sniffing?
Answer: A. Using encryption protocols to secure network communications Most Voted
Andrew is an Ethical Hacker who was assigned the task of discovering all the active devices hidden by a restrictive firewall in the IPv4 range in a given target network. Which of the following host discovery techniques must he use to perform the given task?
Answer: ARP ping scan In the ARP ping scan, the ARP packets are sent for discovering all active devices in the IPv4 range even though the presence of such devices is hidden by restrictive firewalls.
At what stage of the cyber kill chain theory model does data exfiltration occur?
Answer: Actions on objectives
A company's security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?
Answer: Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's authentication credentials.
What is the common name for a vulnerability disclosure program opened by companies in platforms such as HackerOne?
Answer: Bug bounty program
Which of the following is an extremely common IDS evasion technique in the web world?
Answer: C. Unicode Characters Using Unicode representation, where each character has a unique value regardless of the platform, program, or language, is also an effective way to evade IDSs. For example, an attacker might evade an IDS by using the Unicode character c1 to represent a slash for a Web page request.
You have gained physical access to a Windows 2008 R2 server, which has an accessible disc drive. When you attempt to boot the server and log in, you are unable to guess the password. In your toolkit, you have an Ubuntu 9.10 Linux LiveCD. Which Linux-based tool can change any user's password or activate disabled Windows accounts?
Answer: CHNTPW Chntpw (A.K.A Offline NT Password & Registry Editor) is a small Windows password removal utility that can run from a CD or USB drive. chntpw is a software utility for resetting or blanking local passwords used by Windows NT, 2000, XP, Vista, 7, 8, 8.1 and 10. It does this by editing the SAM database where Windows stores password hashes.
What kind of detection techniques is being used in antivirus software that identifies malware by collecting data from multiple protected systems and instead of analyzing files locally it's made on the provider's environment?
Answer: Cloud Based Cloud-based detection identifies malware by collecting data from protected computers while analyzing it on the provider's infrastructure, instead of performing the analysis locally.
Alice, a professional hacker, targeted an organization's cloud services. She infiltrated the target's MSP provider by sending spear-phishing emails and distributed custom-made malware to compromise user accounts and gain remote access to the cloud service. Further, she accessed the target customer profiles with herMSP account, compressed the customer data, and stored them in the MSP. Then, she used this information to launch further attacks on the target organization. Which of the following cloud attacks did Alice perform in the above scenario?
Answer: Cloud hopper attack The attackers behind Cloud Hopper were able to get hold of security credentials by sending spoof emails to workers at cloud businesses. They then leveraged the access these "spear-phishing" attacks gave them to install malware that let them steal security credentials and conduct reconnaissance
What is a `Collision attack` in cryptography?
Answer: Collision attacks try to find two inputs producing the same hash
Samuel, a security administrator, is assessing the configuration of a web server. He noticed that the server permits SSLv2 connections, and the same private key certificate is used on a different server that allows SSLv2 connections. This vulnerability makes the web server vulnerable to attacks as the SSLv2 server can leak key information. Which of the following attacks can be performed by exploiting the above vulnerability?
Answer: DROWN attack DROWN attack allows an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSLv2 server that uses the same private key.
What is the Shellshock bash vulnerability attempting to do on a vulnerable Linux host?
Answer: Display passwd content to prompt
DHCP snooping is a great solution to prevent rogue DHCP servers on your network. Which security feature on switchers leverages the DHCP snooping database to help prevent man-in-the-middle attacks?
Answer: Dynamic ARP Inspection (DAI) What is DHCP snooping database? DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities: • Validates DHCP messages received from untrusted sources and filters out invalid messages. • Overview of Dynamic ARP Inspection Dynamic ARP Inspection (DAI) is a security feature that validates Address Resolution Protocol (ARP) packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address to IP address bindings. This capability protects the network from certain "man-in-the-middle" attacks
Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?
Answer: ESP transport mode ESP transport mode should be used to ensure the integrity and confidentiality of data that is exchanged within the same LAN.
An attacker, using a rogue wireless AP, performed an MITM attack and injected an HTML code to embed a malicious applet in all HTTP connections. When users accessed any page, the applet ran and exploited many machines.Which one of the following tools the hacker probably used to inject HTML code?
Answer: Ettercap Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. It can be used for computer network protocol analysis and security auditing.
Jane invites her friends Alice and John over for a LAN party. Alice and John access Jane's wireless network without a password. However, Jane has a long, complex password on her router. What attack has likely occurred?
Answer: Evil Twin Evil Twin is a wireless AP that pretends to be a legitimate AP by replicating another network name. Attackers set up a rogue AP outside the corporate perimeter and lures users to sign into the wrong AP.
In the field of cryptanalysis, what is meant by a `rubber-hose` attack?
Answer: Extraction of cryptographic secrets through coercion or torture.
What is the way to decide how a packet will move from an untrusted outside host to a protected inside that is behind a firewall, which permits the hacker to determine which ports are open and if the packets can pass through the packet-filtering of the firewall?
Answer: Firewalking Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway hostdoes not allow the traffic, it will likely drop the packets on the floor and we will see no response.
An attacker with access to the inside network of a small company launches a successful STP manipulation attack. What will he do next?
Answer: He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer. In an STP manipulation attack, an attacker connects to a switch port and either directly themselves, or through the use of a rogue switch, attempts to manipulate Spanning Tree Protocol (STP) parameters to become the root bridge. Because the root bridge is responsible for calculating the spanning tree from topology changes advertised by non-root bridges, attackers see a variety of frames that they would normally not see.
An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", the user is directed to a phishing site. Which file does the attacker need to modify?
Answer: Hosts Correct modifying hosts file can override dns entry.
Although FTP traffic is not encrypted by default, which layer 3 protocol would allow for end-to-end encryption of the connection?
Answer: Ipsec
What is the role of test automation in security testing?
Answer: It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace manual testing completely.
John, a professional hacker, targeted an organization that uses LDAP for accessing distributed directory services. He used an automated tool to anonymously query the LDAP service for sensitive information such as usernames, addresses, departmental details, and server names to launch further attacks on the target organization.What is the tool employed by John to gather information from the LDAP service?
Answer: JXplorer JXplorer is a cross platform LDAP browser and editor Attackers can enumerate information such as valid usernames, addresses, and departmental details from different LDAP servers.
Which of the following is the best countermeasure to encrypting ransomwares?
Answer: Keep some generation of off-line backup Virus and Worm Countermeasures Since virus infections can corrupt data, ensure that you perform regular data backups.
Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n WLAN standards on a Linux platform?
Answer: Kismet Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs.
What is the known plaintext attack used against DES which gives the result that encrypting plaintext with one DES key followed by encrypting it with a secondDES key is no more secure than using a single key?
Answer: Meet-in-the-middle-attack Meet-in-the-Middle Attack on Digital Signature SchemesA meet-in-the-middle attack is the best attack method for cryptographic algorithms using multiple keys for encryption.This enables the attacker to gain access to the data easily compared with double DES. Keyword for Meet-in-the-middle-attack is "Plaintext"
Which of the following program infects the system boot sector and the executable files at the same time?
Answer: Multipartite Virus A multipartite virus is a computer virus that's able to attack both the boot sector and executable files of an infected computer. If you're familiar with cyber threats, you probably know that most computer viruses either attack the boot sector or executable files. Multipartite viruses, however, are unique because of their ability to attack both the boot sector and executable files simultaneously, thereby allowing them to spread in multiple ways.
Which of the following tools performs comprehensive tests against web servers, including dangerous files and CGIs?
Answer: Nikto Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers
SQL injection (SQLi) attacks attempt to inject SQL syntax into web requests, which may bypass authentication and allow attackers to access and/or modify data attached to a web application. Which of the following SQLi types leverages a database server's ability to make DNS requests to pass data to an attacker?
Answer: Out-of-band SQLi Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and gather results. ... Out-of-band SQLi techniques would rely on the database server's ability to make DNS or HTTP requests to deliver data to an attacker.
John the Ripper is a technical assessment tool used to test the weakness of which of the following?
Answer: Passwords John the ripper is used for password cracking
What is the port to block first in case you are suspicious that an IoT device has been compromised?
Answer: Port 48101
The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE's Common Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation of the Transport Layer Security (TLS) protocols defined in RFC6520.What type of key does this bug leave exposed to the Internet making exploitation of any compromised system very easy?
Answer: Private "What makes the Heartbleed Bug unique? Bugs in single software or library come and go and are fixed by new versions. However this bug has left large amount of PRIVATE KEYS and other secrets exposed to the Internet."
The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the Central Processing Unit (CPU), rather than passing only the frames that the controller is intended to receive.Which of the following is being described?
Answer: Promiscuous mode Network interface cards (NICs) are programmed to only forward frames up to the operating system whose destination MAC address is either the MAC address of the NIC or the broadcast MAC address. To force the NIC to forward all messages up to the operating system, the card has to be put into what is called promiscuous mode. This just gets the NIC to forward all messages up, behaving promiscuously.
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?
Answer: Protocol Analyzer You can use a sniffer to create a pcap file but you need a protocol analyzer. An example of a protocol analyzer is WireShark which you can clearly use to analyze a pcap file. PCAP = Packet capture - Packet capture is a networking practice involving the interception of data packets travelling over a network. Once the packets are captured, they can be stored by IT teams for further analysis. The inspection of these packets allows IT teams to identify issues and solve network problems affecting daily operations.
PGP, SSL, and IKE are all examples of which type of cryptography?
Answer: Public Key
Which file is a rich target to discover the structure of a website during web-server footprinting?
Answer: Robots.txt
As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing.What document describes the specifics of the testing, the associated violations, and essentially protects both the organization's interest and your liabilities as a tester?
Answer: Rules of Engagement Rule Of Engagement: Formal permission to conduct penetration testing
What is the name of the command used by SMTP to transmit email over TLS?
Answer: STARTTLS StartTLS is a protocol command used to inform the email server that the email client wants to upgrade from an insecure connection to a secure one using TLS or SSL
During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network.What is this type of DNS configuration commonly called?
Answer: Split DNS Common reasons for using split DNS systems is to hide internal information from external clients on the Internet or to allow internal networks to resolve DNS on the Internet. In a split DNS infrastructure, you create two zones for the same domain, one to be used by the internal network, the other used by the external network typically users on the Internet. Split DNS directs internal hosts to an internal domain name server for name resolution and external hosts are directed to an external domain name server for name resolution
What is FCC ID search?
Answer: Stands for Federal Communications Commission Identification Number Footprinting techniques are used to collect basic information about the target IoT and OT platforms to exploit them. Information collected through footprinting techniques ncludes IP address, hostname, ISP, device location, banner of the target IoT device, FCC ID information, certification granted to the device, etc.
Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run?
Answer: Stealth/Tunneling virus These viruses try to hide from antivirus programs by actively altering and corrupting the service call interrupts while running.
Sam is a penetration tester hired by Inception Tech, a security organization. He was asked to perform port scanning on a target host in the network. While performing the given task, Sam sends FIN/ACK probes and determines that an RST packet is sent in response by the target host, indicating that the port is closed.What is the port scanning technique used by Sam to discover open ports?
Answer: TCP Maimon scan FIN/ACK = Maimon
Why should the security analyst disable/remove unnecessary ISAPI filters?
Answer: To defend against webserver attacks Remove unnecessary Internet Server Application Programming Interface (ISAPI) filters from the web server. Remove all unnecessary IIS script mappings for optional file extensions to avoid exploitation of any bugs in the ISAPI extensions that handle these types of files.
What does a firewall check to prevent particular ports and applications from getting packets into an organization?
Answer: Transport layer port numbers and application layer headers
In this form of encryption algorithm, every individual block contains 64-bit data, and three keys are used, where each key consists of 56 bits. Which is this encryption algorithm?
Answer: Triple Data Encryption Standard (3DES)
John wants to send Marie an email that includes sensitive information, and he does not trust the network that he is connected to. Marie gives him the idea of usingPGP. What should John do to communicate correctly using this type of encryption?
Answer: Use Marie's public key to encrypt the message. When a user encrypts plaintext with PGP, PGP first compresses the plaintext. The session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key
Your company was hired by a small healthcare provider to perform a technical assessment on the network. What is the best approach for discovering vulnerabilities on a Windows-based computer?
Answer: Use a scan tool like Nessus
Which of the following commands checks for valid users on an SMTP server?
Answer: VRFY
Which system consists of a publicly available set of databases that contain domain name registration contact information?
Answer: WHOIS Searching for the target company's website in the Internet's Whois database can easily provide hackers with the company's IP addresses, domain names, and contact information."
Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small sized packets to the target computer, making it very difficult for an IDS to detect the attack signatures. Which tool can be used to perform session splicing attacks?
Answer: Whisker A simple way of splitting packets is by fragmenting them, but an adversary can also simply craft packets with small payloads.[1] The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'.
Shellshock allowed an unauthorized user to gain access to a server. It affected many Internet-facing services, which OS did it not directly affect?
Answer: Windows Shellshock is the common name for a coding vulnerability found in the Bash shell user interface that affects Unix-based operating systems, including Linux and Mac OS X, and allows attackers to remotely gain complete control of a system.
You can detect all these methods (GET, POST, HEAD, PUT, DELETE, TRACE) using NMAP script engine. What Nmap script will help you with this task?
Answer: http-methods
You are attempting to run an Nmap port scan on a web server. Which of the following commands would result in a scan of common ports with the least amount of noise in order to evade IDS?
Answer: nmap -sT -O -T0 -sT = TCP connect port scan -O = Enable OS detection using TCP/IP stack fingerprinting -T0 = Paranoid
Which of the following tools can be used for passive OS fingerprinting?
Answer: tcpdump Passive OS fingerprinting involves sniffing network traffic at any given collection point and matching known patterns that pass to a table of pre-established OS identities. No traffic is sent with passive fingerprinting. Nmap does not use a passive style of fingerprinting. Instead it performs its Operating System Fingerprinting Scan (OSFS) via active methodologies. Keyword: passive = tcpdump Keyword: active = nmap
Which of the following is a command line packet analyzer similar to GUI-based Wireshark?
Answer: tcpdump The correct answer is tcpdump. Please read the question carefully - question is asking for "command line tool", which should be tcpdump.
Which of the following tools is used to analyze the files produced by several packet-capture programs such as tcpdump, WinDump, Wireshark, and EtherPeek?
Answer: tcptrace
What is Bluto?
Bluto is a tool for DNS Recon DNS lookup tools such as DNSdumpster.com, Bluto, and Domain Dossier to retrieve DNS records for a specified domain or hostname. These tools retrieve information such as domains and IP addresses, domain Whois records, DNS records, and network Whois records.
Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if he properly configures the firewall to allow access just to servers/ports, which can have direct internet access, and block the access to workstations. Bob also concluded that DMZ makes sense just when a stateful firewall is available, which is not the case of TPNQM SA.In this context, what can you say?
Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstation
Which of the following programming languages is most susceptible to buffer overflow attacks, due to its lack of a built-in bounds checking mechanism?
C++
Louis, a professional hacker, had used specialized tools or search engines to encrypt all his browsing activity and navigate anonymously to obtain sensitive/hidden information about official government or federal databases. After gathering the information, he successfully performed an attack on the target government organization without being traced.Which of the following techniques is described in the above scenario?
Dark web footprinting
Dorian is sending a digitally signed email to Poly. With which key is Dorian signing this message and how is Poly validating it?
Dorian is signing the message with his private key, and Poly will verify that the message came from Dorian by using Dorian's public key. A digital signature only requires the sender (the signer) to have cryptographic keys (a private key and a public key). The sender signs the message locally on his/her device (using sender's private key). Furthermore, the receiver verifies it on his device by using sender's public key.
What is Flowmon?
Flowmon empowers manufacturers and utility companies to ensure the reliability of their industrial networks confidently to avoid downtime and disruption of service continuity. This can be achieved by continuous monitoring and anomaly detection so that malfunctioning devices or security incidents, such as cyber espionage, zero-days, or malware, can be reported and remedied as quickly as possible. OT Security Tools: Flowmon OT stands for operation technology
Define Hit-list scanning technique
Hit-list Scanning - The attacker scans the list to find a vulnerable machine. On finding one, the attacker installs malicious code on it and divides the list in half. The attacker continues to scan one half, whereas the other half is scanned by the newly compromised machine. This process keeps repeating, causing the number of compromised machines to increase exponentially.
What is Infoga? 127
Infoga is a free and open-source tool, which is used for finding if emails were leaked using haveibeenpwned.com API. Infoga is used for scanning email addresses using different websites and search engines for information gathering and finding information about leaked information on websites and web apps
TCP 631
Internet Printing Protocol (IPP)
Which of the following describes the characteristics of a Boot Sector Virus?
Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.
Define obfuscation
Obfuscating is an IDS evasion technique used by attackers who encode the attack packet payload in such a way that the destination host can decode the packet but not the IDS. Encode attack patterns in unicode to bypass IDS filters, but be understood by an IIS web server.
What does the `"oX flag do in an Nmap scan?
Output the results in XML format to a file
What are the 7 stages of cyber kill chain?
Phase 1: Reconnaissance Phase 2: Weaponization Phase 3: Delivery Phase 4: Exploitation Phase 5: Installation Phase 6: Command and control Phase 7: Actions on Objective
Define quid pro quo
Quid Pro Quo Quid pro quo is a Latin phrase that meaning "something for something." In this technique, attackers keep calling random numbers within a company, claiming to be calling from technical support. This is a baiting technique where attackers offer their service to end-users in exchange of confidential data or login credentials. For example, an attacker gathers random phone numbers of the employees of a target organization. They then start calling each number, pretending to be from the IT department. The attacker eventually finds someone with a genuine technical issue and offers their service to resolve it. The attacker can then ask the victim to follow a series of steps and to type in the specific commands to install and launch malicious files that contain malware designed to collect sensitive information
Residual Risk
Residual risk - The residual risk is the amount of risk or danger associated with an action or event remaining after natural or inherent risks have been reduced by risk controls.
What is Docker Daemon?
The Docker daemon (dockerd) listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes. A daemon can also communicate with other daemons to manage Docker services.
What is the purpose of a demilitarized zone on a network?
To only provide direct access to the nodes within the DMZ and protect the network behind it
While using your bank's online servicing you notice the following string in the URL bar:`http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21`You observe that if you modify the Damount & Camount values and submit the request, that data on the web page reflect the changes.Which type of vulnerability is present on this site?
Web Parameter Tampering
nslookup
a tool used to query the DNS system to find the IP addresses for domain names, and vice versa
Clickjacking Attack
clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element.
What is iOS trustjacking 172
iOS Trustjacking is a vulnerability that can be exploited by an attacker to read messages and emails and capture sensitive information such as passwords and banking credentials from a remote location without a victim's knowledge. This vulnerability exploits the "iTunes Wi-Fi Sync" feature whereby a victim connects his/her phone to any trusted computer (could be of a friend or any trusted entity) that is already infected by the attacker.
Techno Security Inc. recently hired John as a penetration tester. He was tasked with identifying open ports in the target network and determining whether the ports are online and any firewall rule sets are encountered.John decided to perform a TCP SYN ping scan on the target network.Which of the following Nmap commands must John use to perform the TCP SYN ping scan?
nmap -sn -PS < target IP address > Just remember the "S" in -PS for SYN for this question.
A company's policy requires employees to perform file transfers using protocols which encrypt traffic. You suspect some employees are still performing file transfers using unencrypted protocols because the employees do not like changes. You have positioned a network sniffer to capture traffic from the laptops used by employees in the data ingest department. Using Wireshark to examine the captured traffic, which command can be used as a display filter to find unencrypted file transfers?
tcp.port = = 21 The answer is ftp (port 21), option A. telnet (port 23) is not used for file transfer and ssh (port 22) is encrypted. File Transfer Protocol Runs on port 21 eq == Equal
Reconaissance
the information-gathering stage of ethical hacking, where you collect data about the target system. This data can include anything from network infrastructure to employee contact details. The goal of reconnaissance is to identify as many potential attack vectors as possible.