L2: Conducting Passive Reconnaissance
theHarvester
An open source OSINT tool that gathers the following information about a public resource:
- Subdomain names
- Employee names
- Email addresses
- PGP key entries
- Open ports and service banners
D. Query DNS and analyze SRV records
How can a pen tester check if an organization is utilizing a Voice-over-IP (VoIP) phone system?
A. Query DNS and analyze the MX records
B. Query DNS and analyze the A records
C. Query DNS and analyze NS records
D. Query DNS and analyze SRV records
B. Using the FOCA tool on locally stored .docx and .pdf files
How can a pen tester collect metadata hidden in documents?
A. Using the Google search operator intitle
B. Using the FOCA tool on locally stored .docx and .pdf files
C. Use a web-based whois tool to query the whois database
D. Use the dig tool to query DNS
B. Submit a whois search using a web app
How can a pen tester locate the name of a domain's registrant?
A. Craft a Google search using a search operator of site:domain and the term "registrant"
B. Submit a whois search using a web app
C. Query DNS servers using the nslookup command
D. Inspect the website's SSL certificate
D. DNS servers, SSL/TLS certificates, social media profiles, and Google search results
What is a potential source for Open Source Intelligence (OSINT)?
A. Mail server records, social media profiles, an organization's public website, and firewall ruleset
B. Social media profiles, active directory objects, Google searches, and job postings
C. Job postings, DNS servers, network diagrams, and an organization's public website
D. DNS servers, SSL/TLS certificates, social media profiles, and Google search results
A. The practice of deceiving people into giving away access to unauthorized parties or otherwise enabling those parties to compromise sensitive assets.
What is social engineering?
A. The practice of deceiving people into giving away access to unauthorized parties or otherwise enabling those parties to compromise sensitive assets.
B. The process of turning the results of passive reconnaissance into directions or launch points for active reconnaissance and preliminary attacks.
C. Using OSINT tools like Maltego or Google hacking to reveal technologies with which a public website is built.
D. Collecting OSINT on sites owned by the target's partners, consultants, or other contractors.
B. To cut down on irrelevant results and focus on very specific information
What is the purpose of Google search operators?
A. To expand the breadth of Google searches to include unindexed information
B. To cut down on irrelevant results and focus on very specific information
C. To receive updated information from Google if a new website is found
D. To switch between transactional, informational, and navigational query types
C. Shodan
What online search engine indexes Internet of Things (IoT) devices?
A. recon-ng
B. theHarvester
C. Shodan
D. Maltego
B. IP addresses and subdomains obtained from OSINT
What passive reconnaissance technical information is valuable to a pen tester?
A. Open ports and services found running an nmap scan
B. IP addresses and subdomains obtained from OSINT
C. Identified vulnerabilities in web servers found by running a Nessus scan
D. The name of a disgruntled IT analyst
B. Searching the CVE database
Where can a pen tester find documented weaknesses within a specific product or implementation?
A. Searching the CWE database
B. Searching the CVE database
C. Searching NIST publications
D. Searching the CAPEC database
C. LinkedIn
Which social media website can be used to find names and job titles of key people in a company?
A. Instagram
B. Facebook
C. LinkedIn
D. Twitter
FOCA (Fingerprinting Organizations with Collected Archives)
a GUI OSINT tool that is designed primarily to discover useful metadata that may be hidden within documents, typically those downloaded from the web. It can work with a variety of document types, including Microsoft Office (.docx, .xlsx, etc.) and the OpenDocument format (.odt, .ods, etc.). It can also analyze PDFs and graphical design file types like the XML-based Scalable Vector Graphics (SVG) format.
Common Weakness Enumeration (CWE)
a database of software-related vulnerabilities.
Common Attack Pattern Enumeration and Classification (CAPEC)
a database that classifies specific attack patterns.
Common Vulnerabilities and Exposures (CVE)
a dictionary of vulnerabilities.
Whois
a protocol that supports querying of data related to entities that register public domains and other Internet resources. Information about such entities is available to anyone who queries databases using this.
Open-Source Intelligence (OSINT)
actionable information that has been gathered from freely and publicly available sources. The type of information that can be considered this is not something that an organization or other entity can reasonably expect to keep private. Anyone, regardless of affiliation or authorization, can obtain this information without running afoul of any laws or regulations. This makes it valuable to the preliminary phases of a pen test, where discretion is desired.
Shodan
an online search engine that enables anyone to connect to public or improperly secured devices that allow remote access through the Internet.
Maltego
another OSINT tool that can gather a wide variety of information on public resources. Unlike theHarvester and Recon-ng, it has a full GUI to help users visualize the gathered information and compare it to other sets of information. It features an extensive library of "transforms," which automate the querying of public sources of data.
Certificate Transparency (CT) framework
logs of public certificate authorities (CAs) are published for anyone to access. These logs contain information about the domains and subdomains that a CA's issued certificates apply to.
Recon-ng
similar to theHarvester in that it is an open source tool for gathering OSINT data. This is a little bit more robust and includes dozens of different "modules." Each module runs a specific type of query and enables you to set various options that are either required or optional in order to run that query.
Social Engineering
the practice of deceiving people into giving away access to unauthorized parties or otherwise enabling those parties to compromise sensitive assets.
Information gathering
the process of identifying, discovering, and obtaining information that may have relevance to the pen test. It covers a wide variety of tasks, goals, and outcomes.
Full disclosure
the process of publishing an analysis of vulnerabilities without restrictions as to who can access this analysis. The intent is to ensure that as many users and organizations as possible are aware of the vulnerabilities so that they can take action to protect themselves.
Weaponization
the process of turning the results of passive reconnaissance into directions or launch points for active reconnaissance and preliminary attacks. This will ensure that the more overt phases of the pen test process are influenced by your previous actions, rather than being isolated and therefore missing out on key information that could enhance their effectiveness.
Google Hacking
the process of using the Google search engine to identify potential security weaknesses in publicly available sources, like an organization's website.
Subject Alternative Name (SAN)
usually identifies specific subdomains that the certificate applies to, but can also identify other domains, IP addresses, and email addresses.
Sender Policy Framework (SPF)
validates that incoming mail from a domain is coming from a trusted IP address. This is an effort to mitigate email spoofing used in spam, phishing, and other email-based attacks.