Recon Basics
Google Dorking
WHOIS & DNS
IP Addresses & Subnetting
Nmap Scanning
100

What is the main goal of reconnaissance in cybersecurity?

To gather info about a target before an attack

100

What is Google Dorking?

Using advanced Google search operators to find sensitive or hidden information

100

What is the purpose of the WHOIS database?

To provide ownership and registration information about domains.

100

What does an IP address identify?

A device on a network

100

What is nmap primarily used for?

Network scanning and recon

200

What is the difference between passive and active recon?

Passive: Recon without directly interacting with the target / Research publicly available info

Active: Recon by directly interacting with the target (like trying to open the door of someone else's house)

200

What operator limits search results to a specific website?

site:

200

What information might WHOIS reveal that helps social engineering attacks?

Contact names, email addresses, organization details.

200

What does a subnet mask determine?

Which part of the IP is the network and which part is the host.

200

What does an open port indicate?

A service is listening and potentially accessible.

300

Name one example of passive recon.

Google dorking

WHOIS lookup

DNS queries

300

Why is Google dorking considered passive reconnaissance?

It uses publicly available search results without touching the target system.

300

What does DNS stand for?

Domain Name System

300

Say we have 2 devices and a subnet mask of /16

One device has an IP address of 10.15.124.53

The other has an IP address of 10.15.230.42

What does this tell us about the 2 devices?

The 2 devices are on the same network

300

Why might defenders be concerned about repeated nmap scans?

They indicate reconnaissance and possible preparation for an attack.

400

Why do attackers perform recon before exploiting a system?

To reduce risk, avoid detection, and choose the best attack path.

400

What is the purpose of the robots.txt file?

Tells search engine crawlers which parts of a website they are allowed or not allowed to access.

400

What is the role of DNS in networking?

It translates domain names into IP addresses.

400

What is network segmentation? Why is it helpful?

The practice of dividing a network into smaller, separate subnetworks. It is helpful because it limits access, reduces the attack surface, and prevents malware or attackers from easily moving across the entire network.

400

What is the purpose of a host discovery (ping sweep) scan?

Check to see if a device is "alive".

500

Why is reconnaissance dangerous even if no system is “hacked”?

Because it reveals sensitive information that enables later attacks.

500

Explain what the Google dork is doing:

site:.edu | .gov ext:bkp | ext:bak | ext:old | ext:backup

Look in education or government websites for files that end with bkp or bak or old or backup.

500

What is the difference between a domain, a website, and a URL?

Domain: Human readable name that maps to an IP

Website: Actual contents hosted on that domain

URL: Full address to a specific resource on a website

500

Why does subnet size matter to an attacker?

It tells how many possible hosts exist on the network.

500

What does the following command do:

nmap -v -sT 10.15.3.131

Performs a scan that will identify which ports are open and give specific details.