Chapter 2 Reconnaissance and Intelligence Gathering

Question 1

• Syslog severity message

- Immediate action is needed

Answer 1

Level 1 Alerts

Question 2

Tool designed to gather emails, domain info hostnames, employee names, and open ports and banners using search engines

Answer 2

theHarvester

Question 3

Netstat flag for Linux that shows RAW

Answer 3

-w

Question 4

Netstat flag for Linux that shows Unix socket connections

Answer 4

-X

Question 5

Syslog severity message

Normal but significant conditions

Answer 5

Level 5 Notifications

Question 6

Technique that uses a fingerprint or signature to detect threats or other threats

Answer 6

Signature Analysis

Question 7

In Windows Event Viewer where logs are captured when applications are installed

Answer 7

Setup logs

Question 8

• Syslog severity message

- Warning conditions

Answer 8

Level 4 Warnings

Question 9

Technique where analyst investigates the logs and data himself in order to detect something

Answer 9

Manual analysis

Question 10

Ways to prevent passive reconnaissance

Answer 10

• Blacklisting systems or Networks
• Using CATCHAs to prevent Bots
• Providing privacy services that use third-party registration info instead of the actual person or organization registering the domain
• Rate-limiting lookups
• Not publishing Zone files

Question 11

Relies on logs and other existing data not probes to fully identify targets

Answer 11

Passive footprinting

Question 12

Windows, Mac, and Linux tool used to view all network connections on a localhost

Answer 12

Netstat

Question 13

• Netstat flag for Windows that shows the process IDs of each connection
• This can be cross-reference with Windows Task Manager

Answer 13

-o

Question 14

Netstat flag for Windows that provides interface statistics

Answer 14

-e

Question 15

• System severity message

- Error conditions

Answer 15

Level 3 Errors

Question 16

Creates a map of an organization networks, systems and infrastructure

Answer 16

Footprinting

Question 17

Netstat flag for Linux that shows active TCP connections

Answer 17

-ta

Question 18

Scanning tools are used to gather info about systems, services, and vulnerabilities

Answer 18

Active Reconnaissance

Question 19

• System severity message

- Informational messages (default level)

Answer 19

Level 6 Informational

Question 20

Ports from 0 - 1023 are known as

Answer 20

Well-known ports or System ports

Question 21

Netstat flag for Linux that shows UDP connections

Answer 21

-u

Question 22

nslookup flag used to look up DNS entries MX, NS, SOA, and Any

Answer 22

-query=(flag)

Question 23

Search engine for internet-connected devices and their vulnerabilities

Answer 23

Shodan

Question 24

Ports ranging from 1024 to 49151

Answer 24

Registered ports

Question 25

- Document info like author's name, software used to create the document, revisions, edits, etc... - Used in reconnaissance

Answer 25

Metadata

Question 26

A geolocation tool that uses social media and file metadata about individuals to provide better information about them

Answer 26

Creepy

Question 27

- DHCP logs for Linux are typically found where? | - Bonus - In some distros where’s the location

Answer 27

/var/log/dhcp.log | Bonus - journalctl command

Question 28

Technique used to identify differences from establish patterns or expected behaviors

Answer 28

Anomaly Analysis

Question 29

Technique used to predict behaviors based on existing data

Answer 29

Trend analysis

Question 30

- System severity message | - System is unusable

Answer 30

Level 0 Emergencies

Question 31

- Technique used to detect threats based on behavior | - Can detect unknown threats in the environment

Answer 31

Heuristic or Behavior Analysis

Question 32

- System severity message | - Critical conditions

Answer 32

Level 2 Critical

Question 33

- System severity message | - Debugging messages

Answer 33

Level 7 Debugging

Question 34

What are some ways to prevent active reconnaissance?

Answer 34

- Limit external exposure of services - Use IPS or similar that can limit or stop Probes - Use monitoring and alerting to notify you

Question 35

- In Windows event viewer, events to be forwarded from one host to another and by default, the forwarded event will be stored in the Windows Logs > Forwarded Events folder but a different folder can be specified - A subscription is then configured on Host A that allows you to collect the forwarded events.

Answer 35

Forwarded Event logs