Reconnaissance that gathers information without interacting with the target is called __________ recon, while interacting with the target network is __________ recon.
Passive, Active
You’re trying to figure out whether a company has any extra servers besides its main website “www.targetsite.com.” Which specific type of Google Dork would you use to discover other hosts in the same domain that aren’t the main web server?
Use a site:domain -site:www.domain search
What is recon?
Gaining info about targeted computers or networks that can be used as a preliminary step toward a further attack seeking to exploit the target system.
The command used to look up domain registration information is __________, and the Google operator used to restrict results to a specific website is site:__________.
WhoIs, The Target Domain Name
You’re investigating a suspicious domain and want to find out the name, phone number, and street address of the administrator who registered the domain. Which recon tool do you use, and what kind of info does it give you that helps your investigation?
Use WHOIS, which returns domain owner/admin contact info including email, phone, and street address.
What is a Google dork?
A search string that uses Advanced Search Operators to find OSINT info that is hard to find with a simple search.
A scan that determines which ports are open on a host is called a __________ scan, and in Nmap it can be run using the flag -s__________.
port scan; -sT (TCP connect scan) or -sS (SYN scan)
A security team notices someone is trying to determine what operating system a server is running by sending packets and analyzing how the server responds. What tool and specific scan option is being used, and what is the goal of the scan?
They’re using Nmap with the -O option to perform OS detection, aiming to fingerprint the operating system.
What is the curated repository of advanced search queries (Google dorks) used to uncover publicly accessible, and often sensitive, information and security vulnerabilities on the internet?
Google Hacking Database (GHDB)
A TXT DNS record often reveals information about __________, which could help an attacker plan __________ or exploit software.
Software/Services in use, Future Attacks/Exploitation (Multiple Possible Answers)
You’re assessing a company’s attack surface. You know they cannot hide their DNS records because the domain must be publicly reachable, but you still want to gather as much recon data as possible (including their mail servers and any security-related TXT records). Which command (including the option) gives you this information, and what types of weaknesses could this reveal?
Use nslookup -type=MX for mail servers and nslookup -type=TXT for security/software details. This can expose their mail provider, internal structure, software in use, or other miscellaneous info attackers could leverage.
What is a recon technique in which there is no interaction with the target?
Passive Techniques
A device uses a subnet mask to determine which part of an IP address represents the __________ and which part represents the __________, allowing the router to deliver packets to the correct LAN.
network portion, host portion
You are troubleshooting why two users cannot communicate on the same switch. Their configurations are:
PC1: 192.168.10.25 /24
PC2: 192.168.11.77 /24
Even though the IPs look similar, communication fails.
What is the networking reason they cannot reach each other, and what device would be required for communication?
They are in different network IDs (192.168.10.0 vs 192.168.11.0), so a router is required to connect the two separate LANs.
The process of customizing how many network bits vs. host bits an address contains—allowing administrators to resize networks, isolate departments, and limit how far an intruder can move—is known as __________.
Subnetting (or subnet mask–based network segmentation)