Reconnaissance and Footprinting Methods Flashcards
| Front | Back |
| --- | --- |
| Define OSINT | Open Source Intelligence: information collected from publicly available sources such as websites, social media, public records, code repositories, and publications |
| How can archived websites be useful in reconnaissance? | They may preserve content that has since been removed from the live site (old pages, staff lists, file paths, configuration details) but remains accessible through archives such as the Internet Archive's Wayback Machine |
| How can metadata in documents reveal sensitive information? | Files published by an organization often carry author names or usernames, organization details, software names and versions, creation and modification dates, internal file paths, and (in photos) GPS coordinates, none of which appear in the visible content |
| How can social media be used in reconnaissance? | To build profiles of individuals, understand organizational structure, track activities and travel, and identify weaknesses such as oversharing of internal details that can feed social engineering |
| How does DNS interrogation help in reconnaissance? | Querying a target's DNS reveals hostnames, mail servers (MX), name servers (NS), IP address ranges and, through records that point at private addresses or a permitted zone transfer, hints of internal network structure |
| How does Shodan differ from regular search engines? | Shodan indexes internet-connected devices and the service banners they return rather than web page content, so it can surface exposed systems and services (webcams, ICS, databases, remote administration ports) without the tester sending a packet to the target |
| Name three common OSINT frameworks | Maltego, SpiderFoot, and Recon-ng; the OSINT Framework (osintframework.com) is a curated directory of OSINT sources and tools rather than a tool in itself |
| What are the main categories of DNS records useful in reconnaissance? | A/AAAA (address), MX (mail exchange), NS (name server), SOA (start of authority), TXT (text, e.g. SPF and domain-verification strings), CNAME (canonical name); PTR (reverse lookup) and SRV (service location) records are also informative |
| What information can be obtained from WHOIS lookups? | Domain registrant and contact details, registration and expiry dates, name servers, and the registrar; privacy proxies and GDPR redaction now hide much registrant data, so IP-range WHOIS at the regional registries and historical WHOIS records are often more useful |
| What information can LinkedIn provide during reconnaissance? | Company structure, employee names, job titles, professional backgrounds, and the technologies in use, inferred from listed skills and job postings |
| What is a network topology map? | A visual representation of how devices are connected on a network, showing the arrangement of nodes (hosts, routers, firewalls) and the links between them |
| What is active reconnaissance? | Gathering information by interacting directly with the target's systems; includes port scanning, banner grabbing, zone-transfer attempts against the target's name servers, and network mapping. Because packets reach the target, it can be logged and detected |
| What is DNS zone transfer? | Replication of a zone's records from the primary (authoritative) name server to its secondaries using AXFR; if the server answers AXFR requests from arbitrary clients, the whole zone, including internal hostnames and addresses, is disclosed |
| What is fingerprinting in the context of reconnaissance? | Identifying the specific operating systems, services, or application versions on target systems from clues such as TCP/IP stack behaviour, service banners, and response quirks (e.g. nmap -O and nmap -sV) |
| What is footprinting? | The systematic collection of information about a target to build a profile of the organization, its infrastructure, and its security posture before any active testing |
| What is geolocation in reconnaissance? | Identifying the physical location of target systems, infrastructure, or people, using IP geolocation databases, WHOIS data, or location metadata in photos |
| What is Google dorking? | Using advanced search operators (site:, filetype:, inurl:, intitle:, etc.) to find specific information or exposed files such as login pages, directory listings, or documents that were never meant to be indexed |
| What is harvesting email addresses? | Collecting email addresses associated with a target organization (from search engines, breach data, PGP key servers, or tools such as theHarvester) to learn the address format and identify targets for social engineering |
| What is horizontal scanning? | Scanning many hosts for a single port or service (e.g. every host in a range on TCP 445) |
| What is Maltego used for? | Visual link analysis: gathering data from many sources via transforms and graphing the relationships between people, domains, IP addresses, and organizations |
| What is meant by "the attack surface"? | The sum of all points where an unauthorized user could attempt to enter, interact with, or extract data from an environment |
| What is passive reconnaissance? | Gathering information about a target without sending traffic to its systems; includes analyzing public records, social media, search engine results, archives, and third-party datasets. It leaves no trace in the target's logs |
| What is Recon-ng? | A modular, open-source reconnaissance framework written in Python, with a Metasploit-style console, designed for web-based open source intelligence gathering |
| What is social engineering in the context of reconnaissance? | Manipulating people into divulging confidential information through pretexting, phishing, or impersonation; recon output (names, roles, internal jargon) is what makes the pretext convincing |
| What is subdomain enumeration? | Finding valid subdomains of a target domain (via wordlist brute force, certificate transparency logs, search engines, passive DNS) to discover additional hosts and expand the known attack surface |
| What is the purpose of Banner Grabbing? | Connecting to a network service and recording what it announces about itself (e.g. with netcat or nmap -sV); banners often disclose software names and versions that can be matched against known vulnerabilities |
| What is the purpose of the traceroute command? | Maps the path packets take from your machine to a destination by sending probes with increasing TTLs and recording the routers that reply, revealing network topology; hops appear as * when routers drop or rate-limit the replies |
| What is vertical scanning? | Scanning a single host across many ports or services |
| What tool can create visual network maps from traceroute data? | Zenmap (Nmap's GUI topology view, built from nmap --traceroute output) or visual traceroute tools |
| What tool is commonly used for DNS enumeration? | The nslookup, dig, and host commands; dedicated tools such as dnsrecon and dnsenum automate record lookups, zone-transfer attempts, and subdomain brute forcing |
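The DNS cards above (record categories, DNS interrogation, zone transfer, subdomain enumeration) describe what a permissive AXFR hands an attacker. The following is an added example, not part of the original flashcards, that parses a constructed zone dump in the format dig prints and pulls out exactly those things: record counts by type, the subdomain list, mail and name servers, and hosts whose addresses fall in RFC 1918 space. The zone text, names and addresses are invented; the public hosts use the 203.0.113.0/24 documentation range.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not real data): the kind of answer a misconfigured name
# server returns to `dig axfr example.com @ns1.example.com`. Names and
# addresses are invented. AXFR output starts and ends with the SOA record.
SAMPLE_AXFR = """\
example.com.            3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.            3600 IN NS    ns1.example.com.
example.com.            3600 IN NS    ns2.example.com.
example.com.            3600 IN MX    10 mail.example.com.
example.com.            3600 IN TXT   "v=spf1 include:_spf.example.com -all"
www.example.com.         300 IN A     203.0.113.10
mail.example.com.        300 IN A     203.0.113.25
ns1.example.com.        3600 IN A     203.0.113.53
ns2.example.com.        3600 IN A     203.0.113.54
vpn.example.com.         300 IN A     203.0.113.100
intranet.example.com.    300 IN A     10.20.30.40
gitlab.example.com.      300 IN A     10.20.30.41
dc01.example.com.        300 IN A     10.20.30.5
_ldap._tcp.example.com.  300 IN SRV   0 100 389 dc01.example.com.
portal.example.com.      300 IN CNAME www.example.com.
example.com.            3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
"""

# RFC 1918 (IPv4) and RFC 4193 (IPv6) private ranges. Checked explicitly rather
# than via ip_address().is_private, which also flags documentation ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_zone(text):
    """Parse 'owner ttl IN type rdata' lines into dicts, dropping comments,
    blank lines and exact duplicates (the closing SOA of an AXFR)."""
    records, seen = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 4 or parts[2].upper() != "IN":
            continue
        owner, ttl, _cls, rtype = parts[:4]
        rdata = parts[4] if len(parts) == 5 else ""
        key = (owner.lower(), rtype.upper(), rdata)
        if key in seen:
            continue
        seen.add(key)
        records.append({"name": owner.rstrip(".").lower(), "ttl": int(ttl),
                        "type": rtype.upper(), "rdata": rdata})
    return records


def records_by_type(records):
    """Group records into the categories the flashcards list (A, MX, NS, SOA, TXT, CNAME, ...)."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec["type"]].append(rec)
    return dict(grouped)


def hostnames(records, apex):
    """Every name below the apex: the subdomain list an attacker would
    otherwise have to brute-force or pull from certificate transparency logs."""
    suffix = "." + apex.lower()
    return sorted({r["name"] for r in records if r["name"].endswith(suffix)})


def internal_hosts(records):
    """Address records pointing into private space: internal naming and
    addressing leaked through public DNS."""
    leaks = []
    for rec in records:
        if rec["type"] not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rec["rdata"].split()[0])
        except (ValueError, IndexError):
            continue
        if any(addr in net for net in PRIVATE_NETS):
            leaks.append((rec["name"], str(addr)))
    return leaks


def summarize(text, apex):
    """What a zone transfer hands over, in the terms the flashcards use."""
    recs = parse_zone(text)
    grouped = records_by_type(recs)
    return {
        "record_counts": {t: len(v) for t, v in sorted(grouped.items())},
        "name_servers": sorted(r["rdata"].rstrip(".") for r in grouped.get("NS", [])),
        "mail_servers": sorted(r["rdata"].split()[-1].rstrip(".") for r in grouped.get("MX", [])),
        "hostnames": hostnames(recs, apex),
        "internal_hosts": internal_hosts(recs),
        "services": [r["name"] for r in grouped.get("SRV", [])],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_AXFR, "example.com"), indent=2))
```

Against a real target the same parser would be fed the output of `dig axfr <zone> @<nameserver>`; a server that refuses the transfer answers with "Transfer failed." and nothing to parse, which is the configuration the defender wants. The SRV record for `_ldap._tcp` is the kind of detail worth noticing: it names a domain controller and its LDAP port.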
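The metadata card above lists what a published document can leak. As an added example (not part of the original flashcards), the code below builds a stripped-down .docx container in memory, holding only the two OOXML property parts that Word, LibreOffice and Google Docs all write, then reads back the fields a reconnaissance tool such as exiftool or FOCA would report and turns them into findings. The document, names, company and paths are constructed; the zip member names and XML namespaces are the real OOXML ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML namespaces for the core and extended property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Field -> (zip member, element path inside it). These are where Office stores them.
FIELDS = {
    "title":            ("docProps/core.xml", "dc:title"),
    "creator":          ("docProps/core.xml", "dc:creator"),
    "last_modified_by": ("docProps/core.xml", "cp:lastModifiedBy"),
    "created":          ("docProps/core.xml", "dcterms:created"),
    "modified":         ("docProps/core.xml", "dcterms:modified"),
    "revision":         ("docProps/core.xml", "cp:revision"),
    "application":      ("docProps/app.xml", "ep:Application"),
    "app_version":      ("docProps/app.xml", "ep:AppVersion"),
    "company":          ("docProps/app.xml", "ep:Company"),
    "template":         ("docProps/app.xml", "ep:Template"),
}

# Constructed sample content (invented people, company and path).
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">
  <dc:title>Q3 Network Refresh - Draft</dc:title>
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>
  <cp:revision>14</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2024-02-01T09:12:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2024-03-15T16:45:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
  <Template>C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm</Template>
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Corp</Company>
</Properties>""".format(**NS)


def build_sample_docx(include_app=True):
    """Pack the constructed property parts into an in-memory zip. Not a complete
    Word file (no word/document.xml), just enough container to read metadata from."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        if include_app:
            zf.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def extract_metadata(docx_bytes):
    """Return {field: value} for every property present; absent parts are skipped."""
    meta, parsed = {}, {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for field, (member, path) in FIELDS.items():
            if member not in parsed:
                try:
                    parsed[member] = ET.fromstring(zf.read(member))
                except KeyError:            # this document lacks that part
                    parsed[member] = None
            root = parsed[member]
            if root is None:
                continue
            el = root.find(path, NS)
            if el is not None and el.text:
                meta[field] = el.text.strip()
    return meta


def assess(meta):
    """Turn raw fields into the recon findings the flashcard describes."""
    findings = []
    people = sorted({meta.get("creator"), meta.get("last_modified_by")} - {None, ""})
    if people:
        findings.append("account/user names: " + ", ".join(people))
    if meta.get("company"):
        findings.append("organisation: " + meta["company"])
    if meta.get("application"):
        findings.append(("software: " + meta["application"] + " " + meta.get("app_version", "")).strip())
    template = meta.get("template", "")
    if "\\" in template or "/" in template:
        findings.append("internal path (OS, username, template): " + template)
    if meta.get("created") or meta.get("modified"):
        findings.append("timeline: created %s, modified %s, revision %s" % (
            meta.get("created", "?"), meta.get("modified", "?"), meta.get("revision", "?")))
    return findings


if __name__ == "__main__":
    for line in assess(extract_metadata(build_sample_docx())):
        print(line)
```

The username in `dc:creator` and the one embedded in the template path give an attacker the organisation's account-naming convention; the application version dates the desktop build. On the defensive side, Office's Document Inspector or a publishing pipeline that rewrites these parts removes all of this before a file goes public.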
Covers passive and active information gathering techniques including OSINT sources, DNS interrogation, WHOIS lookups, network topology mapping and target profiling to build a detailed picture of the attack surface.
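The active-reconnaissance cards (vertical and horizontal scanning, banner grabbing, fingerprinting) describe a procedure that is easiest to understand by running it. The following is an added example, not part of the original flashcards: it starts two throwaway TCP services on the loopback interface that greet clients with constructed SSH and SMTP banners, then scans them the way a scanner would scan a target, one host across several ports (vertical) and several hosts on one port (horizontal), grabbing each banner and matching it against a small pattern list. The banners, version strings and listeners are all constructed stand-ins; nothing leaves the local machine.

```python
import re
import socket
import threading

# Constructed banners modelled on what sshd and Postfix announce on connect.
# The version strings are invented for the demo.
FAKE_BANNERS = {
    "ssh":  b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    "smtp": b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n",
}

# Banner pattern -> service: a hand-rolled version of what nmap's
# service-probes database does at scale.
FINGERPRINTS = [
    (re.compile(rb"^SSH-\d\.\d-"), "ssh"),
    (re.compile(rb"^220 \S+ E?SMTP"), "smtp"),
    (re.compile(rb"^HTTP/\d\.\d \d{3} "), "http"),
    (re.compile(rb"^\+OK"), "pop3"),
]


def start_listener(banner, host="127.0.0.1"):
    """Run a throwaway TCP service on an ephemeral port that greets every client
    with `banner`, like a chatty daemon. Returns (port, server_socket); close
    the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener was closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def free_port(host="127.0.0.1"):
    """Reserve and release an ephemeral port so the scan has a closed port to probe."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def grab_banner(host, port, timeout=1.0):
    """TCP connect, then read whatever the service volunteers. Returns (state, bytes)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return "open", s.recv(1024)
            except OSError:             # open but silent (e.g. HTTP waits for a request)
                return "open", b""
    except OSError:                     # refused, filtered/timed out, unreachable
        return "closed", b""


def fingerprint(banner):
    """Service name for a recognised banner, 'unknown' for an unrecognised one, None for no banner."""
    if not banner:
        return None
    for pattern, service in FINGERPRINTS:
        if pattern.match(banner):
            return service
    return "unknown"


def probe(host, port, timeout=1.0):
    state, banner = grab_banner(host, port, timeout)
    return {"state": state,
            "service": fingerprint(banner) if state == "open" else None,
            "banner": banner.decode("ascii", "replace").strip()}


def vertical_scan(host, ports, timeout=1.0):
    """One host, many ports: builds that host's service inventory."""
    return {port: probe(host, port, timeout) for port in ports}


def horizontal_scan(hosts, port, timeout=1.0):
    """Many hosts, one port: finds every machine exposing one service."""
    return {host: probe(host, port, timeout) for host in hosts}


if __name__ == "__main__":
    ssh_port, ssh_srv = start_listener(FAKE_BANNERS["ssh"])
    smtp_port, smtp_srv = start_listener(FAKE_BANNERS["smtp"])
    for port, r in vertical_scan("127.0.0.1", [ssh_port, smtp_port, free_port()]).items():
        print(f"127.0.0.1:{port:<5} {r['state']:<6} {r['service'] or '-':<8} {r['banner']}")
    # 127.0.0.2 is in the loopback block but has no listener, so it reports closed.
    for host, r in horizontal_scan(["127.0.0.1", "127.0.0.2"], ssh_port).items():
        print(f"{host}:{ssh_port} {r['state']} {r['service']}")
    ssh_srv.close()
    smtp_srv.close()
```

Every connection here would appear in the target's logs (sshd logs the disconnect, Postfix the connect/disconnect pair), which is the practical difference between this and the passive techniques on the cards. Real scanners add probes for services that stay silent until spoken to, randomise order and pace connections to stay under detection thresholds; `nmap -sV` is the production version of this loop.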