Cybersecurity: Reconnaissance Steps

Questions and Answers

What is the primary function of the Border Gateway Protocol (BGP)?

  • To harvest DNS names from websites
  • To exchange routing information between networks so that traffic reaches its destination (correct)
  • To allocate IP addresses to users
  • To uniquely identify an IP address range

What is the first phase that must always be performed in an attack?

  • Passive reconnaissance
  • Reconnaissance (correct)
  • Data analysis
  • Active reconnaissance

All IP addresses assigned to organizations are actively used.

False

The main difference between advanced attackers and less capable attackers is the amount of reconnaissance time spent.

True

What does the acronym AS stand for in the context of network allocation?

Autonomous System

Name one type of technical data that can be collected during reconnaissance.

Internet-routable subnets, antivirus software, DNS records

The process of gathering DNS names from websites to identify hosts is called __________.

Domain harvesting

Passive reconnaissance makes it harder for the target to ______ our activities.

detect

Match the following terms with their definitions:

DNS = System for resolving domain names to IP addresses
BGP = Routing protocol of the internet
AS Number = Unique identifier for an autonomous system (the set of IP address ranges routed under one policy)
Whois = Information about registered domain ownership

What information is included in the baseline of technical data about an organization?

Remote access systems

Which of these is a non-technical data type collected in reconnaissance?

Geographic locations

DNS cache snooping can be viewed as a vulnerability.

True

Match the type of reconnaissance with its method:

Active = Can be detected by the target organization
Passive = Utilizes sources not owned by the target organization

What is the purpose of harvesting DNS names?

To identify as many hosts as possible

Which of the following is NOT a category of data searched during reconnaissance?

Tactical data

List one source from which reconnaissance data can be obtained.

Physical source, cyber source

What is the primary purpose of cache snooping?

To enumerate websites and systems requested by users

A recursive query will only return results if the DNS server has the answer stored locally.

False

What does BGP stand for?

Border Gateway Protocol

In an ______ query, the DNS server provides a list of other DNS servers for further querying.

iterative

Match the following terms with their definitions:

Cache snooping = Identifying websites requested by users
Recursive query = Asking other DNS servers for answers
BGP = Routing protocol for dynamic information exchange
Port scans = Assessing services exposed to the internet

Which of the following describes a potential risk of using BGP?

Traffic can enter over several provider links, each behind a separately configured firewall, and one of those firewalls may be less restrictive than the other.

Less restrictive firewalls may go unnoticed due to less attention from personnel.

True

What is one basic technique for identifying systems and services exposed to the internet?

Port scanning

What is the recommended initial approach if you believe the target organization has detection technologies in place?

Slow and low scan

All organizations will notice port scanning activities immediately.

False

What type of service mentioned is key for remote access in organizations?

VPN service

Using a ______ box or proxy for scanning helps maintain anonymity during scans.

bounce

Match the scanning approaches with their characteristics:

Slow and low = Minimizes detection risk
Hard and fast = Faster but higher risk of detection
Port scanning = Important for information gathering
Web service enumeration = Identifying important services including remote access

What is the potential next step after obtaining useful information from port scanning?

Spear phishing

The slow scanning approach follows strict rules.

False

Why might an attacker change strategy if the target has no remote access services available?

To deliver a backdoor that provides remote access.

Which of the following ports are commonly scanned for web services?

80, 443, 8080

Geolocation data can only be obtained from GPS systems.

False

What is a popular system used for port scanning in web service exploration?

nmap

GPS stands for ______.

global positioning system

Match the following web systems with their categorization:

Teleconference systems = Communication
Security camera systems = Surveillance
Server administration tools = Management
Phone management systems = Telephony

Which of the following are methods for obtaining reconnaissance data?

Active and passive

Active reconnaissance involves activities that can possibly be detected by the target organization.

True

Name one type of technical data that can be collected during reconnaissance.

Antivirus software used by the organization

Reconnaissance can be conducted using __________ sources.

Physical and cyber

Match the following types of reconnaissance data with their examples:

Technical = Domain Name System (DNS) records associated with the organization
Non-technical = Geographic locations of the organization

Which of the following is an example of passive reconnaissance?

Monitoring social media

What is the primary purpose of reconnaissance in the context of an attack?

To explore all possible vulnerabilities of an organization.

Non-technical data during reconnaissance includes information related to major departments within an organization.

True

Which of the following ports are commonly associated with web services?

80

Geolocation data can be obtained from digital photos via GPS metadata.

True

What technology allows automated dialing of phone numbers?

VoIP

The use of ______ helps identify systems and services exposed to the internet.

port scanning

Match the following web systems with their purposes:

Teleconference systems = Facilitating remote meetings
Server administration tools = Managing server configurations
Security camera systems = Monitoring premises
Phone management systems = Handling phone call features

Which of the following best describes a recursive DNS query?

The DNS server resolves the name on the client's behalf, querying other DNS servers as needed, and returns the final answer directly.

BGP is primarily used for routing information exchange between multiple ISPs.

True

What primary technique is suggested for identifying systems exposed to the internet?

Port scanning

The purpose of DNS cache snooping is to ______ websites and systems that users have requested.

enumerate

Match the following DNS query types with their descriptions:

Recursive query = Asks other DNS servers for an answer on the client's behalf
Iterative query = Provides a list of DNS servers for the client to query next
Cache (non-recursive) query = Returns only data the server already holds locally
Forwarded query = Passes the request on to an upstream (forwarder) DNS server

What is a potential risk associated with less restrictive firewalls?

They may be exploited due to unnoticed vulnerabilities.

Iterative queries always provide the final answer from the DNS server, with no further querying by the client.

False

Why is DNS server configuration critical for security?

A server that answers recursive queries from arbitrary (external) clients can have its cache snooped, revealing which names the organization's users have looked up.

What does an Autonomous System (AS) number uniquely identify?

An autonomous system: the set of IP address ranges (subnets) routed under one policy

Organizations often use the same DNS servers for both internal and external operations.

False

What is a common purpose of DNS cache snooping?

To enumerate the websites and systems that users or systems at the target organization have requested.

The Border Gateway Protocol is commonly known as the __________ protocol of the internet.

routing

Match the type of IP address with its corresponding description:

IPv4 = 32-bit address scheme
IPv6 = 128-bit address scheme
Autonomous System Number = Identifier for an autonomous system and the IP address ranges it announces
DNS = Domain name resolution service

What is the primary function of harvesting DNS names?

To identify as many hosts as possible

Name one type of information included in registrant details.

Whois information (the registrant's name and contact details for a domain or address allocation).

All IP addresses allocated to an organization are actively in use.

False

What is a recommended scanning approach if detection technologies are suspected in the target organization?

Slow and low scan

Every organization is constantly being scanned by automated programs.

True

What is the purpose of using a bounce box or proxy during scanning?

To maintain anonymity during scans

If the target organization has a remote access service, we should focus on obtaining a valid set of credentials to use for __________.

VPN access

Match the scanning approaches with their key characteristics:

Slow and low = Less likely to be detected by security systems
Hard and fast = More aggressive and faster scanning method
Bounce box = Anonymity and avoidance of detection
Port scanning = Identifying open ports on a system

Which of the following statements about the frequency of port scanning is true?

Automated programs scan organizations continually.

The slow scanning approach operates under strict rules that must always be followed.

False

What should be the next focus if no remote services are available in a target organization?

Delivering a backdoor to provide remote access

What is the role of Autonomous System (AS) numbers in networking?

To uniquely identify an autonomous system and, through it, the IP address ranges (subnets) it routes

Domain harvesting is a technique used to find the hosts of an organization by collecting DNS names.

True

What are the two types of IP address versions mentioned?

IPv4 and IPv6

The __________ protocol is commonly known as the routing protocol of the internet.

Border Gateway

Match the following DNS records with their purposes:

MX records = Mail exchangers (where mail for the domain is delivered)
A records = Hostname to IPv4 address
CNAME records = Alias of one hostname to another
PTR records = Reverse lookup (IP address to hostname)

Which type of information is contained in registrant information?

Autonomous System (AS) number allocations

Organizations typically do not have separate DNS zones for internal and external use.

False

What does DNS stand for?

Domain Name System

Which of the following is a method of reconnaissance that minimizes detection risk?

Passive reconnaissance

Technical data obtained during reconnaissance includes information such as geographic locations of the organization.

False

What type of data includes items like internet-routable subnets and antivirus software used?

Technical data

The ___ phase is crucial in setting the stage for future attacks in any penetration attempt.

reconnaissance

Match the following types of data with their descriptions:

Technical = Includes data such as software used and network configuration
Non-technical = Includes data such as personnel titles and organization structure
Physical = Data sourced from physical locations
Cyber = Data sourced from online environments

Which of the following represents a source from which reconnaissance data can be obtained?

Physical source

Active reconnaissance is often undetectable by the target organization.

False

Name one type of non-technical data that can be collected during reconnaissance.

Major departments within the organization

Which of the following ports are commonly used to identify web services?

80

Geolocation data can only be obtained from GPS systems.

False

What technology allows for the automated dialing of phone numbers?

VoIP

The GPS system uses __________ to calculate the current location on Earth.

satellites

Match the following systems with their uses:

Teleconference systems = Real-time remote communication
Security camera systems = Surveillance and monitoring
Server administration tools = Managing server operations
Phone management systems = Managing phone communications

What is a requirement for a DNS server to be vulnerable to cache snooping?

It must allow recursive queries from outside clients (i.e. act as an open resolver).

An iterative DNS query always returns the final answer to the client, so the client never has to query other DNS servers.

False

What is the primary purpose of using the Border Gateway Protocol (BGP)?

To allow decentralized and dynamic exchange of routing information on the internet.

Performing ______ sweeps is one basic approach to identifying systems exposed to the internet.

ping

Match the following query types with their characteristics:

Iterative query = Provides a list of other DNS servers for the client to query
Recursive query = Queries other servers and returns a direct answer
BGP = Facilitates decentralized routing information exchange
Port scanning = Identifies open services on a network

What might be a consequence of having two firewalls with different configurations?

Potential for exploitation due to less oversight on one firewall.

DNS cache snooping can be used as a technique to identify the systems that users have accessed.

True

List one basic technique for identifying services exposed to the internet.

Port scanning

Which scanning approach is recommended if you suspect the target organization has detection technologies?

Slow and low

Organizations typically provide remote access services using non-standard ports.

False

Which later attack phase can the results of port scanning inform?

Spear phishing

Using a ______ box or proxy helps maintain anonymity during scans.

bounce

Match the scanning approaches with their intended use:

Slow and low = Discreet scanning to avoid detection
Hard and fast = Rapid scanning when detection is unlikely
Bounce box = Maintains anonymity during scans
Port scanning = Identifies open services on a network

What is a potential action if there are no remote services available during scanning?

Focus on delivering a backdoor

Why is it important to perform multiple scans?

To gather the most useful information

It is assumed that most scanning activities will go unnoticed by organizations.

True

    Study Notes

    Reconnaissance Steps

    • Reconnaissance must be performed before any other step in an attack.
    • Advanced attackers spend a lot of time on reconnaissance.

    Data Categories

    • Technical data includes information about an organization’s systems like subnets, antivirus software, and DNS records.
    • Non-technical data includes information about an organization’s physical location, departments, and key personnel.

    Data Sources

    • Physical sources are any sources that are not obtained digitally, such as documents or videos.
    • Cyber (digital) sources are obtained over the internet or from other technology, often with automated tooling.

    Data Methods

    • Active reconnaissance is detectable by the target organization.
    • Passive reconnaissance uses sources that the target organization does not own, making it harder to detect.

    Target Data

    • The target's IP address ranges, DNS records, and Autonomous System (AS) number allocations provide important information about their infrastructure.

    DNS Techniques

    • Domain harvesting allows attackers to identify many hosts by collecting DNS names from websites.
    • DNS cache snooping can enumerate websites and systems that users or systems at the target organization have requested.

    BGP Information

    • Companies typically have multiple internet providers each with a firewall, which could have different security configurations.
    • This information can be used to find an easier path for attack.

    Port Scanning

    • Port scanning helps identify systems and services exposed to the internet, which is crucial for planning future attack phases.
    • Attackers use a “slow and low” approach when the target is likely to detect scanning, or a “hard and fast” approach when speed matters more than stealth.

    Web Service Enumeration

    • Identifying remote access services, such as VPNs or web portals, is crucial for understanding the target organization's security posture and where valid credentials could be used.
    • Understanding the target organization's use of web-based services can be helpful for attack planning, especially if the target uses teleconferencing systems, server administration tools, or security camera systems.

    Geolocation Information

    • Metadata from digital photos, especially GPS coordinates and timestamps, can be used to gather geolocation data about target individuals or assets.

    Phone System Information

    • VoIP technology allows attackers to automatically dial phone numbers, gather voice traffic, and use automated dialers for reconnaissance.

    Reconnaissance

    • Reconnaissance is the first and most crucial step in an attack.
    • It involves gathering information about the target organization to identify vulnerabilities.
    • Advanced attackers spend significant time on reconnaissance to thoroughly understand the target.
    • Reconnaissance data is categorized as technical or non-technical and obtained from physical or cyber sources.
    • Two main methods for gathering data are active and passive reconnaissance.

    Technical Data

    • Examples of technical data: internet-routable subnets, antivirus software, DNS records.
    • Key technical data to collect: user names and email formats, remote access systems.
    • Registrant information: Whois data, IP address allocations, Autonomous System numbers, DNS reverse-record delegation.
    • Network allocation: IPv4 and IPv6 address space assigned to the organization.
    • Autonomous Systems: an AS number uniquely identifies an autonomous system, and through it the IP address ranges (subnets) that system announces.
    • DNS Information: DNS records provide technical and non-technical information about the organization.

    Domain Harvesting

    • Identify hosts by harvesting DNS names from websites using specialized tools.
    • Organizations can have separate DNS zones for internal and external use.
    • Third-party vendors might host domain names belonging to the target organization.

    DNS Cache Snooping

    • Enumerates websites and systems accessed by users or systems at the target organization.
    • Requires a DNS server that answers recursive queries from outside clients; that openness is what makes it vulnerable.
    • Iterative query: DNS server responds with a list of other DNS servers for the client to query.
    • Recursive query: DNS server queries other servers and returns the result directly to the client.

    Border Gateway Protocol (BGP)

    • The primary routing protocol for the internet.
    • Enables decentralized and dynamic exchange of routing information.
    • BGP policy decides which provider link carries traffic, and each link typically sits behind its own firewall, so the firewall configurations can differ.
    • One firewall might be less restrictive than the other, providing potential exploit paths.

    System and Service Identification

    • Identify systems and services exposed to the internet through ping sweeps and port scans.
    • Port scans are essential for identifying systems, services, and information for future attack phases.
    • Consider using slow and low scans for organizations with security technologies.
    • Hard and fast scans can be used for organizations with fewer security measures.
    • Use bounce boxes or proxies to mask scanning activities.
    • Information obtained from port scanning is crucial for spear phishing attacks.
    • Identifying remote access services like VPNs can help focus on obtaining valid credentials for remote access.

    Web Service Enumeration

    • Identify remote access services operating over web ports.
    • Modern organizations prioritize user-friendly remote access methods like web VPNs, webmail, and portals.
    • Identify other web services used by the organization, including teleconference systems, administration tools, security cameras, and phone management systems.
    • Focus on common web ports like 80, 443, and 8080 using tools like nmap.

    Web Service Exploration

    • Identify the services offered by web systems identified through port scanning and DNS harvesting.

    Geolocation Information

    • Gather physical location data of assets owned by or related to the target organization.
    • Location data often associated with specific employees or shared among employees.
    • Metadata from digital photos can provide geolocation data, including GPS coordinates, time, and date.

    Data from the Phone System

    • Phone systems can be used for reconnaissance, ranging from manual to automated methods.
    • VoIP enables automated dialing of phone numbers.

    APT Approach to Reconnaissance

    • Reconnaissance is the most important step for an APT attack and must always be performed first.
    • APT attackers spend a significant amount of time on reconnaissance to explore vulnerabilities.
    • There are two main categories of data: technical and non-technical.
    • Technical data includes internet-routable subnets, antivirus software, and DNS records.
    • Non-technical data includes geographic locations, major departments, and important personnel.

    Data Categories

    • Data can be obtained from Physical and Cyber sources.
    • Active reconnaissance is any activity detectable by the target organization.
    • Passive reconnaissance leverages sources not owned by the target, making detection harder.

    Registrant Information

    • Whois information provides valuable data such as registrant details, IP addresses, and autonomous system numbers.

    Network Allocation

    • IPV4 and IPV6 address allocations are listed under "Networks."
    • Many organizations have large ranges of unused IP addresses.

    Autonomous Systems

    • Autonomous systems (AS) are uniquely identified by a 16-bit or 32-bit number.
    • AS numbers are used in the Border Gateway Protocol (BGP), which is the "routing protocol of the internet."

    Domain Harvesting

    • Domain harvesting identifies hosts by collecting DNS names from websites.
    • Various tools are available to assist with this process.

    DNS Zones

    • Organizations can have separate DNS zones for internal and external use.
    • Internal systems might use distinct domain names.
    • Third-party vendors might host domain names for the target organization.
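The domain harvesting described in this pass and in the earlier Domain Harvesting and DNS Zones notes comes down to pulling hostnames out of whatever the target publishes and sorting them into the target's own zone, names a third party hosts on the target's behalf, and unrelated names. The Python below is an added example written for this page, not a tool from the quiz; the HTML fragment and every hostname in it are constructed placeholders (example.com, vendor-cloud.net and the sharepoint name are not real systems).

```python
import re

# Constructed sample page: the kind of HTML an attacker pulls from a target's public
# website. Every hostname here is a placeholder for the demo, not a real system.
SAMPLE_HTML = """
<a href="https://vpn.example.com/login">Remote access</a>
<img src="//cdn.example.com/img/logo.png">
<script src="https://static.vendor-cloud.net/example/app.js"></script>
<a href="mailto:helpdesk@example.com">Help desk</a>
<a href="https://Mail.Example.COM/owa">Webmail</a>
<a href="https://example.sharepoint.com/sites/hr">HR portal</a>
<!-- template leftover: http://intranet.corp.example.com:8080/ -->
"""

# Hostnames are taken only from URL authorities and e-mail domains, so file names
# such as logo.png or app.js are not mistaken for hosts.
HOST_IN_URL_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)")
HOST_IN_EMAIL_RE = re.compile(r"[\w.+-]+@([A-Za-z0-9.-]+)")


def harvest_hostnames(text):
    """Return the distinct hostnames referenced in text, lower-cased."""
    found = set()
    for regex in (HOST_IN_URL_RE, HOST_IN_EMAIL_RE):
        for match in regex.finditer(text):
            host = match.group(1).lower().rstrip(".")
            if "." in host:          # drop bare words such as "localhost"
                found.add(host)
    return found


def classify_hosts(hosts, target_domain):
    """Split harvested names into the target's own zone, vendor-hosted names that
    carry the target's name as a label, and everything else."""
    target_domain = target_domain.lower()
    target_label = target_domain.split(".")[0]
    own, vendor, other = set(), set(), set()
    for host in hosts:
        if host == target_domain or host.endswith("." + target_domain):
            own.add(host)
        elif target_label in host.split("."):
            vendor.add(host)         # e.g. example.sharepoint.com: a third party hosts it
        else:
            other.add(host)
    return {"own": own, "vendor_hosted": vendor, "other": other}


def internal_looking(hosts):
    """Names whose labels suggest an internal zone leaked into public content."""
    hints = ("intranet", "corp", "internal", "lan")
    return {h for h in hosts if any(label in hints for label in h.split("."))}


if __name__ == "__main__":
    hosts = harvest_hostnames(SAMPLE_HTML)
    groups = classify_hosts(hosts, "example.com")
    for group, names in groups.items():
        print(group, sorted(names))
    print("internal-looking", sorted(internal_looking(groups["own"])))
```

The vendor-hosted bucket is the one the notes warn about: those names are not in the target's DNS zone, so a scan of the target's own address space never finds them, yet they often front the same user population. Names in the internal-looking bucket are worth checking against the external zone, because a split-horizon setup that leaks them usually means the internal domain differs from the public one.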

    DNS Cache Snooping

    • DNS cache snooping allows enumeration of websites and systems requested by users or systems at the target organization.
    • The DNS server must be configured to allow recursive queries for this to work.
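A cache-snooping probe, as described here and in the earlier DNS Cache Snooping notes, is an ordinary DNS query with the RD (recursion desired) bit cleared: a resolver that honours that bit answers only from what it already has cached, so an answer section means somebody behind that resolver looked the name up recently, and a decremented TTL tells you roughly how long ago. The Python below is an added example written for this page, not code from the quiz. It builds the probe and parses the reply with the standard library only; the two resolver replies are constructed inline (the 203.0.113.10 address and the TTL of 137 are placeholders) so the block runs offline, and the `snoop` function shows the live probe but is never called here.

```python
import socket
import struct


def _encode_name(name):
    """Wire-format a hostname as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid, recursive=False, qtype=1):
    """Build a DNS query. With recursive=False the RD bit is clear, so a resolver
    answers only from its cache: that is the cache-snooping probe."""
    flags = 0x0100 if recursive else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def _read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Parse header, skip the question, and collect the answer records."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(data, offset)
        offset += 4                                    # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        # ttl is the cache's remaining lifetime; compare it with the authoritative
        # TTL to estimate when the name was last looked up.
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": qid, "rcode": flags & 0xF, "ra": bool(flags & 0x80),
            "rd": bool(flags & 0x100), "answers": answers}


def is_cached(resp):
    """A non-recursive probe that comes back with answers hit the resolver's cache."""
    return resp["rcode"] == 0 and len(resp["answers"]) > 0


def constructed_response(query, cached, ttl=137, ip="203.0.113.10"):
    """The reply a resolver would send to `query` (constructed for the demo).
    Cached: one A record whose name is a pointer to the question at offset 12.
    Not cached and recursion not requested: no answers (authority section omitted)."""
    qid = query[:2]
    flags = 0x8080 | (struct.unpack("!H", query[2:4])[0] & 0x0100)   # QR, RA, echoed RD
    if cached:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
        return qid + struct.pack("!HHHHH", flags, 1, 1, 0, 0) + query[12:] + answer
    return qid + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + query[12:]


def snoop(name, resolver_ip, timeout=2.0):
    """Live probe over UDP. Only against resolvers you are authorised to test."""
    query = build_query(name, qid=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data)


if __name__ == "__main__":
    q = build_query("www.example.com", qid=0x1234)
    for cached in (True, False):
        r = parse_response(constructed_response(q, cached))
        print("cached" if is_cached(r) else "not cached", r["answers"])
```

Two checks a practitioner adds before drawing conclusions: confirm the resolver actually honours RD=0 (some forwarders recurse anyway, which makes every name look cached), and compare the returned TTL with the record's authoritative TTL, since a TTL equal to the authoritative value means the entry was just fetched, possibly by your own earlier probe.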

    Border Gateway Protocol (BGP)

    • BGP is the primary routing protocol for the internet.
    • It facilitates a decentralized and dynamic exchange of routing information.
    • Different ISPs can advertise different subnets for the organization over their links.
    • Firewall configurations on backup networks may be less restrictive, providing potential exploit paths.

    System and Service Identification

    • Port scans and ping sweeps are basic techniques for identifying exposed systems and services.
    • Slow and low scans minimize detection risk, while hard and fast scans are used when detection is unlikely.
    • Bounce boxes or proxies are used to conceal scanning activities.
    • Information from port scans is crucial for future attack phases like spear phishing.
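The slow-and-low versus hard-and-fast choice in this pass and in the earlier System and Service Identification notes is a question of pacing and ordering, not of a different probe. The Python below is an added example written for this page, not code from the quiz: a plain TCP connect scan where the slow-and-low mode shuffles the port order and sleeps a random interval between probes, while hard-and-fast is the same function with the delay and shuffle turned off. To stay self-contained it scans 127.0.0.1 against a throwaway listener it starts itself; the port numbers involved are whatever the operating system assigns, and the web ports list is the 80/443/8080 set from the notes.

```python
import random
import socket
import threading
import time

WEB_PORTS = [80, 443, 8080]   # the common web ports named in the notes


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP listener on an ephemeral port so the scan has a real
    open port to find. Constructed for the demo, not part of any target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def connect_scan(host, ports, min_delay=0.0, max_delay=0.0, timeout=0.5, shuffle=True):
    """TCP connect scan of `ports` on `host`; returns the open ones in ascending order.

    Slow and low: shuffle the order and sleep a random interval between probes so the
    traffic does not look like one burst from one source. Hard and fast: call with
    max_delay=0 and shuffle=False and every port is probed back to back."""
    order = list(ports)
    if shuffle:
        random.shuffle(order)
    open_ports = []
    for port in order:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 means the handshake completed
                open_ports.append(port)
        if max_delay > 0:
            time.sleep(random.uniform(min_delay, max_delay))
    return sorted(open_ports)


def demo():
    """Scan a few local ports in slow-and-low mode: one is open, one is known closed."""
    srv_open, open_port = start_listener()
    srv_closed, closed_port = start_listener()
    srv_closed.close()                # port released: connections there are refused
    try:
        found = connect_scan("127.0.0.1", [open_port, closed_port] + WEB_PORTS,
                             min_delay=0.05, max_delay=0.2)
    finally:
        srv_open.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    open_port, closed_port, found = demo()
    print(f"open {open_port} found: {open_port in found}; "
          f"closed {closed_port} reported: {closed_port in found}")
```

A full connect completes the handshake and therefore shows up in the target's connection logs; the slow-and-low pacing only spreads those entries out in time and across ports so that rate-based alerting does not fire. Running the same scan through a bounce box changes the source address the target sees, not the footprint itself.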

    Web Service Enumeration

    • Remote access services are prioritized targets for identification.
    • Organizations often use standard web ports or helper services for remote access.
    • SSL/web VPN systems, web email access, and portal systems are common remote access methods.
    • Other web services, like teleconference, administration tools, security cameras, and phone management systems, can provide valuable information.

    Web Service Exploration

    • Nmap is used to identify hosts with common web services like ports 80, 443, and 8080.
    • Tools like theHarvester gather hostnames and email addresses from public sources; combining that list with port-scan results identifies the organization's web systems.

    Geolocation Information

    • Geolocation data refers to physical locations associated with the target organization.
    • Metadata from digital photos, particularly GPS coordinates, is often used to gain geolocation data.
    • Cameras and smartphones often embed GPS coordinates, time, and date in their photos unless location tagging is disabled or the metadata is stripped before publication.
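The GPS metadata mentioned here and in the two earlier Geolocation Information passes lives in the EXIF block of the photo: a TIFF structure whose IFD0 points at a GPS sub-IFD holding the latitude and longitude as degree/minute/second rationals plus N/S and E/W reference tags. The Python below is an added example written for this page, not code from the quiz. Because it has to run offline it builds its own minimal TIFF/EXIF blob (in a real JPEG the same bytes sit in the APP1 segment after the "Exif\0\0" marker) and then parses it back; the coordinates are constructed values, and the parser returns None for a photo that carries no GPS data, which is the common case once a service has stripped metadata.

```python
import struct

# Constructed TIFF/EXIF blob with an empty IFD0 and no GPS sub-IFD at all:
# "II", magic 42, IFD0 at offset 8 holding zero entries. Parsing it must yield None.
EMPTY_EXIF = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 0) + struct.pack("<I", 0)


def _to_dms(degrees):
    """Decimal degrees -> EXIF rationals (deg, min, sec) as (numerator, denominator)."""
    degrees = abs(degrees)
    d = int(degrees)
    m = int((degrees - d) * 60)
    s = (degrees - d - m / 60) * 3600
    return [(d, 1), (m, 1), (int(round(s * 10000)), 10000)]


def build_exif_gps(lat, lon):
    """Construct a little-endian TIFF blob whose only content is a GPS IFD carrying
    latitude/longitude, the way a phone camera tags a photo. Demo data only."""
    e = "<"
    gps_ifd_off = 8 + 2 + 12 + 4            # TIFF header, then IFD0 with one entry
    lat_off = gps_ifd_off + 2 + 4 * 12 + 4  # GPS IFD with four entries
    lon_off = lat_off + 24                  # three RATIONALs of 8 bytes each

    def entry(tag, typ, count, value):      # values of <= 4 bytes are stored inline
        return struct.pack(e + "HHI", tag, typ, count) + value.ljust(4, b"\x00")

    header = b"II" + struct.pack(e + "HI", 42, 8)
    ifd0 = (struct.pack(e + "H", 1)
            + entry(0x8825, 4, 1, struct.pack(e + "I", gps_ifd_off))   # GPSInfo pointer
            + struct.pack(e + "I", 0))
    gps = (struct.pack(e + "H", 4)
           + entry(0x0001, 2, 2, b"N\x00" if lat >= 0 else b"S\x00")  # GPSLatitudeRef
           + entry(0x0002, 5, 3, struct.pack(e + "I", lat_off))        # GPSLatitude
           + entry(0x0003, 2, 2, b"E\x00" if lon >= 0 else b"W\x00")  # GPSLongitudeRef
           + entry(0x0004, 5, 3, struct.pack(e + "I", lon_off))        # GPSLongitude
           + struct.pack(e + "I", 0))
    rationals = b"".join(struct.pack(e + "II", n, d) for n, d in _to_dms(lat) + _to_dms(lon))
    return header + ifd0 + gps + rationals


def parse_exif_gps(blob):
    """Return (lat, lon) in decimal degrees from a TIFF/EXIF blob, or None if the
    photo carries no GPS data. Handles both byte orders ("II" and "MM")."""
    order = {b"II": "<", b"MM": ">"}.get(blob[:2])
    if order is None:
        raise ValueError("not a TIFF header")
    magic, ifd0_off = struct.unpack_from(order + "HI", blob, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")

    def read_ifd(off):
        count = struct.unpack_from(order + "H", blob, off)[0]
        entries = {}
        for i in range(count):
            pos = off + 2 + 12 * i
            tag, typ, n = struct.unpack_from(order + "HHI", blob, pos)
            entries[tag] = (typ, n, blob[pos + 8:pos + 12])   # raw 4-byte value/offset
        return entries

    def rationals(raw, n):
        off = struct.unpack_from(order + "I", raw)[0]
        return [struct.unpack_from(order + "II", blob, off + 8 * k) for k in range(n)]

    ifd0 = read_ifd(ifd0_off)
    if 0x8825 not in ifd0:
        return None                                   # no GPS sub-IFD at all
    gps = read_ifd(struct.unpack_from(order + "I", ifd0[0x8825][2])[0])
    if not {0x0001, 0x0002, 0x0003, 0x0004} <= set(gps):
        return None                                   # GPS IFD present but incomplete

    def decimal(value_tag, ref_tag):
        d, m, s = [num / den for num, den in rationals(gps[value_tag][2], 3)]
        sign = -1 if gps[ref_tag][2][:1] in (b"S", b"W") else 1
        return sign * (d + m / 60 + s / 3600)

    return decimal(0x0002, 0x0001), decimal(0x0004, 0x0003)


if __name__ == "__main__":
    print(parse_exif_gps(build_exif_gps(48.858370, 2.294481)))   # constructed coordinates
    print(parse_exif_gps(EMPTY_EXIF))
```

The same IFD walker can be pointed at the other tags a photo carries (DateTimeOriginal, camera make and model), which is what ties a location to a particular employee's device over a series of posted pictures.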

    Data from Phone System

    • Phone systems provide opportunities for reconnaissance.
    • VoIP (Voice over Internet Protocol) enables automated dialing of phone numbers.


    Description

    This quiz delves into the vital reconnaissance steps in cybersecurity. It covers technical and non-technical data categories, data sources, and methods, including active and passive reconnaissance. Test your knowledge on how attackers use reconnaissance to gather critical information.
