Cybersecurity Reconnaissance Basics

Questions and Answers

What is the primary purpose of reconnaissance in an attacker's strategy?

• To discover the location of the organization
• To set the stage for all future attacks (correct)
• To create a detailed report for stakeholders
• To execute the attack as quickly as possible

Which category of data includes information such as DNS records and antivirus software used?

• Technical Data (correct)
• Geographic Information
• Financial Intelligence
• Human Intelligence

Which of the following is considered a method for obtaining reconnaissance data?

• Avoiding interaction with the target
• Active reconnaissance (correct)
• Publicly posting inquiries about the organization
• Relying solely on user feedback

What type of data is derived from understanding the major departments within an organization?

Non-Technical Data (D)

Which source of reconnaissance data involves interactions with people to gather intelligence?

Human Intelligence (HUMINT) (B)

What differentiates advanced attackers from less capable attackers during reconnaissance?

The amount of time spent on reconnaissance (C)

Which of the following best describes passive reconnaissance?

Gathers data without being detected (A)

Which of the following types of data is not classified as technical?

Important personnel and their titles (D)

What does the Mail Exchange (MX) record indicate?

The mail servers for sending mail to a domain (A)

Which record returns an alias for another host record?

Canonical Name Record (CNAME) (B)

What method can be used to harvest DNS names from websites?

Utilizing tools like dnsrecon and theharvester (D)

Why might an organization have different DNS zones for internal and external use?

To secure distinct internal systems (D)

What does DNS cache snooping allow an attacker to do?

Enumerate websites that users or systems have requested (B)

What technology does the Sender Policy Framework (SPF) utilize?

To validate permissions for sending emails (A)

What is the benefit of passive reconnaissance?

It makes detection of reconnaissance much harder for the target. (B)

What is a potential risk when DNS servers allow recursive queries?

Vulnerability to DNS cache snooping attacks (D)

Which of the following is NOT included in the baseline of technical data for a target organization?

Active user login attempts (A)

What type of record returns a CNAME record for a given IP address?

Pointer Record (PTR) (D)

Which organization is associated with the American Registry for Internet Numbers?

ARIN (C)

What does an Autonomous System (AS) number uniquely identify?

A range of IP addresses or a subnet (B)

What is the primary purpose of the Border Gateway Protocol (BGP)?

To ensure that all hosts reach their destination on the internet (D)

Which of the following types of information is NOT typically derived from DNS records?

User account passwords (C)

Which organization would manage network allocation in the Asia Pacific region?

APNIC (C)

What should be verified about networks during passive reconnaissance?

If there are any active sessions using the IP ranges (D)

What is the main benefit of using historical geodata for tracking individuals?

It helps in identifying future locations based on past data. (D)

Which tool is mentioned for extracting geolocation metadata from images?

Geostalker (A)

What capability does Warvox offer in terms of telephone reconnaissance?

It allows scanning using multiple phone lines simultaneously. (B)

What can geo-IP data identify?

The geographic region an IP address routes to. (C)

How does technology advancement in reconnaissance impact the method of telephone monitoring?

It introduced automated systems that handle dial-ups efficiently. (A)

What is the primary reason for starting a port scan with a 'slow and low' approach?

To avoid detection by potential security measures in place. (C)

What should be considered when choosing the order of scans for a target organization?

The likelihood of the organization noticing the scan. (D)

Why might one choose to perform multiple scans on a target organization?

To obtain the maximum amount of useful information. (B)

Which service is commonly sought after during web service enumeration?

Remote access services. (C)

What technology is often implemented for remote access in organizations?

Secure Sockets Layer (SSL). (B)

If no remote services are available after a scan, what should be the next attack strategy?

Deliver a backdoor to the phishing target. (D)

What is the primary purpose of the information gathered from port scanning?

To prepare for subsequent spear phishing efforts. (D)

What benefit does using a proxy or bounce box provide during scanning?

Hides the real IP address of the scanning source. (C)

What is the primary advantage of using historical geodata?

To identify the future locations of individuals. (C)

Geo-IP data can be used to identify a specific IP address's geographic region.

True (A)

What is the purpose of using tools like Geostalker?

To extract geolocation metadata from images posted by users.

The tool used to automate phone dialing and perform reconnaissance more efficiently is called ___ .

Warvox

Match the following tools with their functions:

Geostalker = Extract geolocation metadata from images Warvox = Automated phone dialing and reconnaissance VoIP = Voice over Internet Protocol Geo-IP = Identify geographic regions of IP addresses

Which record type is used to indicate the mail servers for a target domain?

Mail Exchange (MX) (B)

A Pointer Record (PTR) is used to indicate legitimate mail sources for a domain.

False (B)

What is the purpose of Domain Harvesting in the context of reconnaissance?

To identify as many hosts as possible by harvesting DNS names from websites.

The _______________ is used to help fight spam by indicating legitimate mail sources for a domain.

Sender Policy Framework (SPF)

Match the types of DNS records with their functions:

AAAA = Host record for the IPv6 address CNAME = Returns an alias for another host record TXT = Used for arbitrary 'human readable' data PTR = Returns a CNAME record for a given IP address

What is a potential benefit of DNS Cache Snooping?

It allows enumeration of websites accessed by users in a target organization. (D)

Organizations always have separate domain names for internal and external systems.

False (B)

Name one tool that can be used for harvesting domain names.

TheHarvester

What type of scan is recommended if the target organization is likely to have defenses against detection?

Slow and low scan (D)

Using a proxy or bounce box during scanning is considered a precautionary measure.

True (A)

What is the main purpose of the information gathered from port scanning?

To assist in spear phishing strategies.

Many organizations are utilizing ___________ to provide remote access services.

Secure Sockets Layer (SSL)

Match the following scanning approaches with their appropriate use case:

Slow and low = Target with defenses Hard and fast = Target without defenses Bounce box = Anonymization of scans Multiple scans = Gathering comprehensive data

If a target organization has no remote services available, which strategy should be changed to?

Focus on backdoor delivery (C)

Port scanning does not set off any alarms in most organizations due to automated programs constantly scanning.

True (A)

What is indicated if a target organization has a remote access service such as a VPN?

Focus on obtaining valid credentials.

What is the main difference between an iterative and recursive DNS query?

An iterative query provides a list of other DNS servers. (B)

The Border Gateway Protocol (BGP) is responsible for the centralized exchange of routing information.

False (B)

What is the typical approach for a BGP configuration regarding Internet Service Providers?

One connection is preferred while the second is used as a backup.

A ______ query occurs when a DNS server asks other DNS servers for the answer and returns the result directly to the client.

recursive

Match the following concepts with their descriptions:

Iterative Query = Returns a list of other DNS servers Recursive Query = Resolves the query on behalf of the client BGP = Primary routing protocol of the internet Port Scanning = Technique to identify open ports and services

Which of the following web systems can be identified that might provide useful information on target organizations?

Teleconference systems (B)

Ports 80 and 443 are commonly scanned for identifying web services.

True (A)

Which command shows BGP information for a specific IP address?

show ip bgp (D)

What command can be used to extract HTTP-related services from an nmap scan output?

grep 'open http'

Firewalls typically have identical configurations to ensure no vulnerabilities exist.

False (B)

Why is port scanning considered an essential technique in identifying systems and services?

It provides useful information about open ports and services that may be exploited.

Geolocation data can include __________, geo-IP data, and GPS data.

geo-metadata

Match the types of geolocation data to their descriptions:

geo-metadata = Data embedded in digital files like photos geo-IP data = Location data derived from IP addresses GPS data = Location data provided by satellites metadata = Information about other data

Metadata from digital photos rarely includes GPS coordinates.

False (B)

What option in nmap is used for service versioning and identification?

–sV (B)

What is the purpose of using theharvester in the context of web systems identification?

To identify web systems and their services

Flashcards are hidden until you start studying

Study Notes

Reconnaissance Introduction

• Reconnaissance is the essential first step in penetrating an organization.
• Advanced attackers dedicate significant time to reconnaissance, exploring all vulnerabilities.
• Reconnaissance data is categorized as technical and non-technical, and gathered from physical and cyber sources.
• Active reconnaissance involves actions detectable by the target organization.
• Passive reconnaissance utilizes sources not owned by the target, making detection harder.

Data Categories

• Technical Data includes:
  • Internet-routable subnets used by the organization.
  • Antivirus software employed by the organization.
  • Domain Name Service (DNS) records associated with the organization.
• Non-Technical Data includes:
  • Geographical locations of the organization.
  • Key departments within the organization.
  • Important personnel and their titles.

Data Sources

• Physical Sources include:
  • Open-source intelligence (OSINT)
  • Financial intelligence (FININT)
  • Human intelligence (HUMINT)

Technical Data

• Internet Registry Information: Includes Whois data, registered and actively used subnets.
• DNS Information and Records: Provides valuable technical insights.
• Routing and Border Protocol (BGP) Information: Reveals network routing paths and connectivity.
• Username and Email Formats: Assists in social engineering and phishing attempts.
• Remote Access and Login Systems: Identifies potential entry points for attackers.
• Specific Technologies: Reveals security measures in place, such as firewalls, routers, and antivirus software.
• Public Data Sets: Analisis of public data sets can yield valuable information about the target organization.

Registrant Information

• Includes Whois details, IPV4 and IPV6 address allocations, Autonomous System (AS) number allocations, and DNS reverse record delegation.
• Organizations register in different registries depending on their location, such as ARIN (American Registry for Internet Numbers) and AfriNIC (African Network Information Center).

Network Allocation

• IPV4 and IPV6 addresses assigned to customers are listed under the "Networks" heading.
• IP addresses can be unused by organizations.

Autonomous Systems

• AS numbers identify IP address ranges or subnets using a 16-bit or 32-bit number.
• These IP addresses are commonly used by Border Gateway Protocol (BGP).
• BGP ensures communication between network hosts, identifying alternative paths if routing fails.

DNS Information and Records

• Domain Name System (DNS) provides valuable technical and non-technical information.
• Key DNS records include:
  • Start of Authority (SOA): Identifies name servers and domain administrators.
  • Mail Exchange (MX): Indicates mail servers for sending mail to the domain.
  • Pointer Records (PTR): Returns a CNAME record for a given IP address.
  • Canonical Name Records (CNAME): Returns an alias for another host record.
  • AAAA: The host record for the IPv6 address.
  • TXT: Text or arbitrary "human-readable" data.
  • Sender Policy Framework (SPF): Indicates legitimate mail sources for a domain to combat spam.

Domain Harvesting

• Identifying all potential hosts within a target domain.
• Tools like dnsrecon and theharvester scrape Google and other data sources for domain names.

DNS Zones

• Organizations may have separate DNS zones and servers for internal and external uses.
• External DNS records may not fully reflect internal network infrastructure.

DNS Cache Snooping

• Enumerates websites and systems requested by users or systems at the target organization.
• Requires a DNS server configured to allow recursive queries.

Port Scanning

• Techniques for discovering open ports and services on a target network.
• Types of scans include:
  • Slow and Low: Used when stealth is crucial.
  • Hard and Fast: Employed when detection is less likely.
• Information from port scanning informs spear-phishing strategies.

Web Service Enumeration

• Identifies remote access services and other services on a target network.
• Organizations often use SSL/web VPN systems, web email access, or portals for remote access.

Real-Time and Historical Geodata

• Valuable for targeting individuals remotely or determining their location at specific times.
• Tools like Geostalker gather geolocation metadata from images shared online.

Data from the Phone System

• VoIP technology enables automated scanning of phone numbers.
• Tools like Warvox facilitate mass phone scanning, sort and analyze data, and enable listening to phone call recordings.

DNS Records

• DNS Records contain information about a domain, such as its name servers, mail servers, and IP address.
• Start of Authority (SOA) records specify the authoritative name server for a domain, along with contact information for the administrator.
• Mail Exchange (MX) records define the mail servers responsible for handling email for the domain.
• Pointer (PTR) records provide the CNAME record associated with a specific IP address.
• Canonical Name (CNAME) records act as aliases for other host records.
• AAAA Records are used to store IPv6 addresses.
• TXT Records store text data that is human-readable.
• Sender Policy Framework (SPF) records indicate authorized mail sources for a domain to combat spam.

Domain Harvesting

• Domain harvesting involves collecting domain names associated with a target organization.
• Tools like dnsrecon and theharvester can scrape Google and other online sources for domain names.
• Theharvester can also collect email addresses, phone numbers, and other information.

DNS Zones

• Organizations often maintain separate DNS zones and servers for internal and external network traffic.
• Different DNS zones can result in different responses for the same domain name, depending on the query source.
• Third-party vendors may also host domain names for organizations.

DNS Cache Snooping

• DNS cache snooping allows enumeration of websites and systems accessed by users or systems within an organization.
• Recursive Queries occur when a DNS server contacts other servers to resolve a request and returns the answer to the client.
• Iterative Queries involve the DNS server providing a list of other DNS servers that the client can query directly.
• For cache snooping, the DNS server must be configured to allow recursive queries.

Border Gateway Protocol (BGP)

• BGP is the primary routing protocol for the internet, enabling decentralized and dynamic exchange of routing information.
• Organizations with multiple internet service provider (ISP) connections often prioritize one connection, with the other serving as backup.
• This configuration means that firewalls protecting the organization might have different settings, potentially leading to variations in security levels.
• Commands such as "show ip bgp" can help reveal BGP configurations.

System and Service Identification

• Port scanning and ping sweeps are essential for identifying systems and services exposed to the internet.
• Nmap is a versatile tool for port scanning, offering different scan modes for various levels of stealth.
• Slow and low scans are more stealthy, while hard and fast scans are faster but more likely to be detected.
• The information gained from port scanning can guide subsequent attack phases, such as spear phishing.

Web Service Enumeration

• Web service enumeration involves identifying web services running on a target network.
• Common web service ports include 80 (HTTP), 443 (HTTPS), and 8080.
• Nmap and grep can be used to analyze port scan results for web services.

Web Service Exploration

• Web cloning can create copies of websites for gathering information or launching attacks.
• Identifying web services can reveal valuable information about the target organization, such as remote access systems, teleconference tools, and administrative systems.
• Web service identification and version enumeration can be performed with Nmap's –A option.

Geolocation Information

• Geolocation data provides information about the physical location of assets associated with a target organization.
• Geolocation data sources include:
• Geo-metadata: GPS coordinates embedded in digital photos.
• Geo-IP data: Location associated with specific IP addresses.
• GPS data: Real-time or historical location data from GPS devices.
• Non-technical sources like social media posts can also reveal location information.

Data from the Phone System

• VoIP technology enables automated scanning of phone numbers for reconnaissance.
• Warvox is a tool that provides a web interface for automated VoIP scanning, supporting multiple phone lines and service providers.
• Warvox capabilities include:
• Scanning numerous numbers simultaneously.
• Sorting and analyzing call data.
• Listening to audio from captured calls.
• VoIP scanning can help identify internal systems and provide data on employee availability.