Module 1: Footprinting & Reconnaissance
36 Questions

Created by @PraiseworthyCornflower

Questions and Answers

Which organization is responsible for IP address management in the Asia Pacific region?

  • AFRINIC
  • RIPE
  • APNIC (correct)
  • LACNIC

What command would you use to perform a DNS query on a specific server using the Dig tool?

  • dig name type @server
  • dig @server name type (correct)
  • dig @hostname type name
  • dig -type=name @server

Which of the following tools uses open source intelligence to gather information about a target?

  • Shodan
  • Traceroute
  • Maltego (correct)
  • Dig

In Windows, which command performs a traceroute to determine the path to a target server?

Answer: tracert

Which command in Nslookup is used for an interactive zone transfer?

Answer: set type=any ls -d domainname.com

Which of the following statements regarding Whois is accurate?

Answer: It obtains registration information for domains.

What is the primary purpose of DNS poisoning?

Answer: To change the cache on a machine to a malicious server

Which tool can be used for DNS footprinting?

Answer: nslookup

Which DNS record type specifies the authoritative nameserver for a namespace?

Answer: SOA Record

What does DNSSEC primarily help prevent?

Answer: DNS poisoning

Which field in the SOA record indicates the revision number that increments with each change?

Answer: Serial Number

What is the purpose of the CNAME record in DNS?

Answer: To map a name to an A record

What does the MX record specify in DNS footprinting?

Answer: The mailing server used for emails

Which tool is designed to search for usernames on social media platforms?

Answer: UserRecon

Which method involves gathering information by observing someone without their knowledge?

Answer: Shoulder Surfing

What is the primary purpose of the TTL field in DNS records?

Answer: Set the duration for which a record is valid

Which command is used with the tool 'sherlock' to gather username information?

Answer: python3 sherlock <username>

What is the primary function of the CNAME record in DNS?

Answer: To provide additional names or aliases for a domain

Which Google dork operator would you use to find a string specifically in the page title?

Answer: intitle:

What does the tool 'theHarvester' aim to collect information about?

Answer: Usernames from search engines

What distinguishes active footprinting from passive footprinting?

Answer: Active footprinting involves direct interaction to gather information.

Which tool is commonly used for active footprinting?

Answer: tracert

What type of information can be obtained through passive footprinting?

Answer: Whois records and DNS records.

Which of the following is NOT a common use of search engines in footprinting?

Answer: Compile real-time network traffic data.

How can attackers refine their search using major search engines?

Answer: By creating sophisticated queries with advanced search operators.

Which information category does NOT belong to the data obtained through footprinting?

Answer: Real-time user login attempts.

Which tool is best suited for passive footprinting?

Answer: nslookup

Which type of information is typically included in organization details during footprinting?

Answer: Web technologies used by the organization.

Which Google Dork command would be most appropriate for finding directories that may expose sensitive information?

Answer: index of

What is the primary purpose of using 'intitle:' in Google Dorks?

Answer: To find pages that contain a specific string in the title

Which of the following tools is specifically listed for finding subdomains of a company?

Answer: Netcraft

What is the function of the 'dmitry -w' command?

Answer: To perform a whois lookup on the domain name

Which command would you use to search for all pages available on a specific site in Google?

Answer: site:

What type of information does the Google Hacking Database (GHDB) primarily provide?

Answer: A compilation of Google Dorks and their usage

Which tool can be used to quickly look up information about a specific Autonomous System Number (ASN)?

Answer: asnlookup.com

What does the 'allintext:' command do in Google Dorking?

Answer: Find pages with specific keywords in the text of the page

Study Notes

Footprinting & Reconnaissance

• Footprinting involves gathering data about a target network to identify potential points of intrusion.
• Active Footprinting requires direct interaction with the target, while Passive Footprinting gathers information without direct interaction.

Tools for Footprinting

• Passive Tools:
  • Whois, nslookup, dig, Netcraft, DNSDumpster, MXToolbox, theHarvester, Dmitry, PeekYou, shodan.io, Wappalyzer
• Active Tools:
  • tracert, ping, Maltego, Hunter.io, hackertarget.com

Types of Information Obtained

• Organization Information:
  • Details about employees, contact numbers, branch locations, web technologies, and relevant documents such as news articles.
• Network Information:
  • Domain and sub-domains, network blocks, IP addresses, and DNS records.
• System Information:
  • Web server OS, email addresses, and publicly available usernames/passwords.

Reconnaissance through Search Engines

• Search engines are critical for gathering information about target organizations, including employee profiles and technological platforms.
• Advanced search operators enhance query capabilities for filtering specific information.
• Major search engines include Google, Bing, Yahoo!, DuckDuckGo, and Baidu.

Advanced Google Hacking Techniques

• Google Dorks:
  • Use specific syntax to find sensitive information:
    • filetype: for file types, intitle: matches keywords in titles, inurl: for specific URLs, link: finds linked pages, etc.
• Google Hacking Database (GHDB):
  • Contains collections of Google Dorks for ethical hacking.

Web Services for Footprinting

• Tools for finding top-level domains (TLDs) and sub-domains include Netcraft, Sublist3r, and Assetfinder.
• ASN Lookup tools provide details on IP addresses and organizations.

Gathering Information from LinkedIn

• Dmitry:
  • Use dmitry -w for whois lookups or dmitry -s for sub-domain information.

DNS Footprinting

• DNS records provide essential network information, such as A (IPv4), AAAA (IPv6), MX (mail server), and NS (name server).
• DNS querying tools include SecurityTrails, MXToolbox, and DNSDumpster.

Social Engineering Techniques

• Eavesdropping: Intercepting communication without authorization.
• Shoulder Surfing: Observing targets to collect sensitive information.
• Impersonation: Misleading individuals into revealing information by pretending to be someone else.

User Reconnaissance Tools

• UserRecon: Searches usernames across 75 social media platforms.
• Sherlock: Similar to UserRecon but more focused on username searches.
• theHarvester: Collects information from public sources regarding email addresses and entities.

DNS Record Types

• A: Maps a hostname to an IPv4 address.
• CNAME: Maps an alias to an A record.
• MX: Lists mail servers.
• NS: Lists name servers.

IP Address Management Authorities

• ARIN: North America
• APNIC: Asia Pacific
• RIPE: Europe, Middle East
• LACNIC: Latin America
• AFRINIC: Africa

Tools for Network Footprinting

• Traceroute: Maps the path data takes to reach its destination; uses ICMP echo for Windows (tracert) and Linux (traceroute).
• OSRFramework: Utilizes open-source intelligence to gather data on targets.
• Maltego and Shodan: Capture extensive network-related information from connected devices.

DNS Security

• DNS Poisoning: Redirects requests to malicious servers.
• DNSSEC: Prevents DNS poisoning via encrypted records.

SOA Record Fields

• Contains information such as the source hostname, contact email, and serial numbers for zone file revisions.

Description

This quiz explores the concepts of footprinting and reconnaissance in information security. Learn about active and passive footprinting techniques, and discover various tools used for gathering data on target networks. Enhance your understanding of how these methods form the basis for potential cyberattacks.
