You’re planning reconnaissance techniques for a penetration test, and you need to gather detailed information about users and network services. Time is limited, but you’re not that worried about stealth.
Which pieces of advice might be useful for your team? Select all that apply.
A. Aggressive scans will produce more detailed results at the cost of stealth
B. Exploit frameworks are the quickest way to enumerate services
C. OSINT gathering is a good match for your constraints
D. SNMP walking can help you find user accounts
E. Social engineering is good for acquiring user information
A. Aggressive scans will produce more detailed results at the cost of stealth
D. SNMP walking can help you find user accounts
E. Social engineering is good for acquiring user information
You want to perform packet sniffing on a Wi-Fi network which uses strong WPA2 encryption. You hope to find the key, but even if you don’t what can you still learn? Select all that apply.
A. Active applications
B. IP addresses
C. MAC addresses
D. Most active hosts
E. SSIDs
C. MAC addresses
D. Most active hosts
E. SSIDs
As a penetration tester you want to get a user name and password for an important server, but lockout and monitoring systems mean you'll be detected if you try brute force guessing. What techniques might directly find the credentials you need? Select all that apply.
A. DNS harvesting
B. Packet capture
C. Phishing
D. Service discovery
E. Social engineering
B. Packet capture
C. Phishing
E. Social engineering
You've discovered a server with an open Telnet service, and you suspect an administrator uses it for remote login. Since Telnet uses cleartext credentials, you placed a packet sniffer capturing traffic to the server to target that administrator's password. Your first attempt generated a massive log filled with irrelevant traffic, and the only login you've been able to find was for a non-privileged user. It's still useful, but what can you do to achieve your goal more efficiently next time?
Choose the best response.
Apply a capture filter on the port number
You’re preparing to conduct active scans of a network in order to enumerate internal services. The network’s firewall and IDS block scans from your current network location, but you arranged to bounce the scan off a server on a trusted subnet to hide its real origin. What kind of tool will that intermediate server need to have?
Choose the best response.
Proxy
When should you document your testing?
Choose the best response.
Only on tests after remediation
For business reasons, your company isn’t at all secretive about its WHOIS information. What reconnaissance type does this make easier for attackers? Choose the best response.
Social engineering
You’re reviewing logs from a DNS server, and filtered for requests from outside addresses. Which of the following single query types against your domain name is most likely to indicate a DNS harvesting attempt?
Choose the best response.
AXFR
You’ve identified some specific vulnerabilities in software the target organization uses. What public database could you use to find useful attacks against them? Choose the best response.
CAPEC
You want to perform a zone transfer from ns1.javatucana.com. Which of the following would be part of a valid command sequence for it? Choose the best response.
dig axfr javatucana.com @ns1.javatucana.com
You’re used to how Metasploit is a broad spectrum tool for the exploitation phase, and you’d like a similar modular program that performs all sorts of reconnaissance gathering. What tool should you try?
Recon-NG
While examining your target's public-facing web servers, you find one with an expired SSL certificate. Which of the following suggestions from your teammates is most relevant to later exploitation?
If the certificate is expired, maybe the server isn’t being actively maintained.