Foot Printing

The document discusses various passive footprinting techniques that attackers use to gather information without direct interaction, including extracting DNS information. It also provides explanations of different footprinting methods like traceroute analysis and Whois lookups that reveal network information like DNS records and IP addresses. The document contains examples of how attackers can use tools and passive methods to profile targets without detection.

Which of the following footprinting techniques allows an attacker to gather information passively about the target without direct interaction?

Performing social engineering

Performing traceroute analysis

Extracting DNS information

Extracting information using Internet archives

Explanation:

Passive footprinting techniques include:

 Finding information through search engines
 Finding the top-level domains (TLDs) and sub-domains of a target through web services
 Collecting location information on the target through web services
 Performing people search using social networking sites and people search services
 Gathering financial information about the target through financial services
 Extracting information about the target using Internet archives

Active footprinting techniques include:

 Gathering information through email tracking
 Harvesting email lists
 Performing Whois lookup
 Extracting DNS information
 Performing traceroute analysis
 Performing social engineering

The division above follows the CEH curriculum. Whois and DNS lookups are answered by registries and public resolvers rather than by the target's own systems, so many practitioners treat them as passive; traceroute and social engineering are unambiguously active because packets or people reach the target. What matters for the question is that Internet archives never touch the target at all.
What type of information is gathered by an attacker through Whois database analysis
and tracerouting?

Background of the organization

Usernames, passwords, and so on

Publicly available email addresses

DNS records and related information

Explanation:

Network Information: You can gather network information by performing Whois database analysis, traceroute analysis, and so on.

The information collected includes:

 Domain and sub-domains


 Network blocks
 Network topology, trusted routers, and firewalls
 IP addresses of the reachable systems
 Whois records
 DNS records and related information

System Information: You can gather system information by performing network footprinting, DNS footprinting, website footprinting, email footprinting, and so on.

The information collected includes:

 Web server OS
 Location of web servers
 Publicly available email addresses
 Usernames, passwords, and so on.
Smith, a professional hacker, has targeted an organization. He employed some
footprinting tools to scan through all the domains, subdomains, reachable IP addresses,
DNS records, and Whois records to perform further attacks.

What is the type of information Smith has extracted through the footprinting attempt?

Network information

Policy information

Company’s product information

Physical security information

Explanation:

 Physical security information: In footprinting, details of the organization's facilities and the controls protecting them, such as building locations, access control mechanisms, guards, and surveillance, which support later physical intrusion or social-engineering attacks.
 Policy information: The organization's security policies, for example password, remote-access, and acceptable-use policies, which tell an attacker which controls exist and where they are weak.
 Network information: Domains and sub-domains, network blocks, network topology, trusted routers and firewalls, IP addresses of reachable systems, Whois records, and DNS records and related information.
 Company's product information: Information about products or services produced, marketed, licensed, sold, or distributed by the company or any subsidiary, and all products or services currently under development.

Passive reconnaissance involves collecting information through which of the following?


Social engineering

Publicly accessible sources

Traceroute analysis

Email tracking

Explanation:

Passive reconnaissance gathers information from publicly accessible sources without sending traffic to the target or contacting its people: search engines, Internet archives, job postings, social media and people-search services, financial filings, and similar. Social engineering, traceroute analysis, and email tracking all interact with the target (its staff, its routers, or its mail recipients) and are therefore active.

Which of the following search engine tools helps an attacker use an image as a search
query and track the original source and details of images, such as photographs, profile
pictures, and memes?

TinEye

Intelius

Mention

Sublist3r
Explanation:

 Intelius: Attackers can use the Intelius people search online service to search for
people belonging to the target organization.
 Sublist3r: Sublist3r is a Python script designed to enumerate the subdomains of
websites using OSINT.
 TinEye: Reverse image search Attackers use online tools such as Google Image
Search, TinEye Reverse Image Search, Yahoo Image Search, and Bing Image
Search to perform a reverse image search.
 Mention: Mention is an online reputation tracking tool that helps attackers in
monitoring the web, social media, forums, and blogs to learn more about the
target brand and industry.

Which of the following deep and dark web searching tools helps an attacker obtain
information about official government or federal databases and navigate anonymously
without being traced?

ExoneraTor

Whitepages

Spokeo

Been Verified

Explanation:

 ExoneraTor: The CEH material groups Tor Browser, ExoneraTor, and the OnionLand search engine as deep and dark web search tools that attackers use to gather confidential information about the target, such as credit card details, passport information, identification card details, medical records, social media accounts, and Social Security Numbers (SSNs). A practitioner should know that the real ExoneraTor service (exonerator.torproject.org) answers a narrower question, whether a given IP address was a Tor relay on a given date, and is used to attribute traffic to Tor exits; the anonymous navigation itself comes from Tor Browser.
 Spokeo, BeenVerified, and Whitepages are people search online services, not dark web tools.

Which of the following activities of a user on social networking sites helps an attacker
footprint or collect the identity of the user’s family members, the user’s interests, and
related information?

Sharing photos and videos

Creating events

Playing games and joining groups

Maintaining the profile

Explanation:

The activities of users on social networking sites and the information an attacker can collect from each are summarized below.

What users do               What the attacker gets
Maintain a profile          Contact info, location, and related information
Connect to friends, chat    Friends list, friends' info, and related information
Share photos and videos     Identity of family members, interests, and related information
Play games, join groups     Interests
Create events               Activities

In website footprinting, which of the following information is acquired by the attacker when they examine the cookies set by the server?

Software in use and its behavior

File-system structure and script type

Comments present in the source code

Contact details of the web developer or admin

Explanation:

 Examining the HTML source code: Attackers gather sensitive information by examining the HTML source code and the comments in it, whether inserted manually or generated by the CMS. Comments hint at what runs in the background and may even contain the contact details of the web developer or administrator. Following every link and image tag maps the file-system structure.
 Examining cookies: The cookies a server sets reveal the software running on it and how it behaves. Session and supporting cookies identify the scripting platform by name alone, for example PHPSESSID (PHP), JSESSIONID (Java servlet containers), ASP.NET_SessionId (ASP.NET), and CFID/CFTOKEN (ColdFusion). The cookie name, value, domain, path, expiry, and security attributes (Secure, HttpOnly, SameSite) can all be read from the Set-Cookie response headers.
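As an added illustration (example code written for this page, not tool output from the CEH material), the following Python fingerprints the server-side platform from Set-Cookie headers and, as the defender's view of the same data, flags cookies that lack the Secure, HttpOnly and SameSite attributes. The cookie-name table and the sample headers are constructed for the example and are not exhaustive.

```python
"""Fingerprint the server-side platform from Set-Cookie headers (added example)."""
from typing import Dict, List, Optional, Tuple

# Session/framework cookie names and the platform they betray. This table is an
# assumption of the example: a small hand-curated list, not an exhaustive catalogue.
SESSION_COOKIE_SIGNATURES: Dict[str, str] = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container (Tomcat/Jetty/WebLogic)",
    "ASP.NET_SessionId": "ASP.NET",
    "ASPSESSIONID": "Classic ASP",          # real name is ASPSESSIONID + random suffix
    "CFID": "Adobe ColdFusion",
    "CFTOKEN": "Adobe ColdFusion",
    "laravel_session": "Laravel (PHP)",
    "csrftoken": "Django (Python)",
    "_session_id": "Ruby on Rails",
    "wordpress_logged_in": "WordPress",     # real name is wordpress_logged_in_<hash>
    "connect.sid": "Express (Node.js)",
}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def identify_platform(cookie_name: str) -> Optional[str]:
    """Match a cookie name (exact, or by prefix for suffixed names) against the table."""
    for signature, platform in SESSION_COOKIE_SIGNATURES.items():
        if cookie_name == signature or cookie_name.startswith(signature):
            return platform
    return None


def fingerprint(set_cookie_headers: List[str]) -> Dict[str, list]:
    """Return detected platforms plus cookies missing Secure/HttpOnly/SameSite.

    A session cookie without Secure and HttpOnly is readable by script and
    exposed on plaintext connections, which is what the attacker hopes to see.
    """
    platforms: List[str] = []
    weak: List[Tuple[str, List[str]]] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        platform = identify_platform(str(cookie["name"]))
        if platform and platform not in platforms:
            platforms.append(platform)
        attrs = cookie["attrs"]
        missing = [flag for flag in ("secure", "httponly", "samesite") if flag not in attrs]
        if missing:
            weak.append((str(cookie["name"]), missing))
    return {"platforms": platforms, "weak_cookies": weak}


# Constructed sample headers, as a target might return them (not captured from a real site).
SAMPLE_HEADERS = [
    "PHPSESSID=8f3a2c1d; path=/",
    "wordpress_logged_in_1a2b3c=admin%7C1700000000; path=/; HttpOnly",
    "csrf=9d0e7b; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    print(fingerprint(SAMPLE_HEADERS))
```

In practice the headers come from a HEAD or GET against the target (curl -I shows them); the prefix match is what catches suffixed names such as ASPSESSIONIDQSRBTCDA.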
Which of the following is the direct approach technique that serves as the primary
source for attackers to gather competitive intelligence?

Search engines, Internet, and online databases

Social media postings

Support threads and reviews

Social engineering

Explanation:

Competitive Intelligence gathering can be performed using a direct or indirect approach.

 Direct Approach

The direct approach serves as the primary source for competitive intelligence
gathering. Direct approach techniques include gathering information from trade
shows, social engineering of employees and customers, and so on.

 Indirect Approach

Through an indirect approach, information about competitors is gathered using online resources. Indirect approach techniques include:

o Company websites and employment ads


o Support threads and reviews
o Search engines, Internet, and online database
o Social media postings
o Press releases and annual reports
o Trade journals, conferences, and newspapers
o Patent and trademarks
o Product catalogs and retail outlets
o Analyst and regulatory reports
o Customer and vendor interviews
o Agents, distributors, and suppliers
o Industry-specific blogs and publications
o Legal databases, e.g., LexisNexis
o Business information databases, e.g., Hoover’s
o Online job postings

Which of the following tools is used for gathering email account information from
different public sources and checking whether an email was leaked using the
haveibeenpwned.com API?

Metagoofil

Infoga

Octoparse

Professional Toolset

Explanation:

 Professional Toolset: DNS interrogation tools such as Professional Toolset (https://tools.dnsstuff.com) and DNS Records (https://network-tools.com) enable the user to perform DNS footprinting.
 Infoga: Infoga is a tool used for gathering email account information from
different public sources and it checks if an email was leaked using the
haveibeenpwned.com API.
 Octoparse: Octoparse offers automatic data extraction, as it quickly scrapes web
data without coding and turns web pages into structured data.
 Metagoofil: Metagoofil extracts metadata of public documents (pdf, doc, xls, ppt,
docx, pptx, and xlsx) belonging to a target company.

Sean works as a professional ethical hacker and penetration tester. He is assigned a project for information gathering on a client's network. He started penetration testing and was trying to find the company's internal URLs, looking for any information about the different departments and business units. Sean was unable to find any information.

What should Sean do to get the information he needs?

Sean should use website mirroring tools

Sean should use WayBackMachine in Archive.org

Sean should use email tracking tools

Sean should use Sublist3r tool

Explanation:

Sublist3r is a Python script designed to enumerate subdomains of websites using OSINT. It enables you to enumerate subdomains across multiple sources at once and helps penetration testers and bug hunters collect subdomains for the domain they are targeting. It enumerates subdomains using search engines such as Google, Yahoo, Bing, Baidu, and Ask, and also using Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, and ReverseDNS. It integrates SubBrute, allowing you to also brute-force subdomains using a wordlist.
You are doing research on SQL injection attacks. Which of the following combination of
Google operators will you use to find all Wikipedia pages that contain information about
SQL, injection attacks, or SQL injection techniques?

site:Wikipedia.org related:“SQL Injection”

SQL injection site:Wikipedia.org

site:Wikipedia.org intitle:“SQL Injection”

allinurl: Wikipedia.org intitle:“SQL Injection”

Explanation:

 The site operator restricts results to pages in the given domain.
 For example, [SQL injection site:Wikipedia.org] returns pages about SQL injection from wikipedia.org.
 intitle restricts results to documents containing the keyword in the title, and double quotes around search terms restrict results to pages containing the exact phrase.
 allinurl restricts results to pages whose URL contains all of the keywords that follow it; it is not a domain filter, so allinurl: Wikipedia.org does not do what site:Wikipedia.org does.
 related: displays websites similar to the URL specified. It takes a URL, not a phrase, so related:"SQL Injection" is not a meaningful query.
Which Google search query will search for any files a target certifiedhacker.com may
have?

site: certifiedhacker.com ext:xml || ext:conf || ext:cnf || ext:reg || ext:inf || ext:rdp || ext:cfg || ext:txt || ext:ora || ext:ini

site: certifiedhacker.com filetype:xml | filetype:conf | filetype:cnf | filetype:reg | filetype:inf | filetype:rdp | filetype:cfg | filetype:txt | filetype:ora | filetype:ini

site: certifiedhacker.com intext:xml | intext:conf | intext:cnf | intext:reg | intext:inf | intext:rdp | intext:cfg | intext:txt | intext:ora | intext:ini

allinurl: certifiedhacker.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini

Explanation:

 The site operator restricts results to pages in the given domain. Operators take their value immediately after the colon; a space after site: or filetype: turns the operator into an ordinary keyword, so the queries above should be typed without it.
 filetype (and its synonym ext) restricts results to files whose names end in the given suffix; several suffixes are combined with the OR operator, written as OR or |.
 allinurl restricts results to pages whose URL contains all of the query terms, so it is the wrong operator for limiting results to one domain.
 intext:term restricts results to documents containing term in the body text, which would match pages that merely mention "xml", not files of that type.
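The operator syntax is easy to get wrong, so here is an added example (not part of the original question bank): a small Python parser that tokenises a Google query into operators and terms, rejects the "site: domain" whitespace mistake, and builds the filetype dork for a domain. The operator list is this example's assumption, not Google's complete list.

```python
"""Tokenise and build Google advanced-operator queries (added example)."""
import re
from typing import List, Optional, Tuple

# Operators this example recognises; the set is an assumption, not Google's full list.
KNOWN_OPERATORS = {
    "site", "filetype", "ext", "intitle", "allintitle", "inurl", "allinurl",
    "intext", "allintext", "related", "cache", "link",
}

# A token is either something ending in a quoted phrase (intitle:"SQL Injection",
# "SQL Injection") or a run of non-whitespace.
TOKEN_RE = re.compile(r'\S*?"[^"]*"|\S+')


def parse_dork(query: str) -> List[Tuple[str, Optional[str]]]:
    """Return (operator, value) pairs; bare words become ("term", word) and
    |, || or OR become ("OR", None).

    Raises ValueError for 'site: example.com': Google does not tolerate
    whitespace after the colon, so the operator silently becomes a keyword.
    """
    parsed: List[Tuple[str, Optional[str]]] = []
    for token in TOKEN_RE.findall(query):
        if token in ("|", "||", "OR"):
            parsed.append(("OR", None))
            continue
        op, colon, value = token.partition(":")
        if colon and op.lower() in KNOWN_OPERATORS:
            if not value:
                raise ValueError(f"'{op}:' must be followed directly by its value, without a space")
            parsed.append((op.lower(), value.strip('"')))
        else:
            parsed.append(("term", token.strip('"')))
    return parsed


def build_file_dork(domain: str, extensions: List[str], operator: str = "filetype") -> str:
    """Build 'site:<domain> filetype:a | filetype:b ...' with OR between the types."""
    if operator not in ("filetype", "ext"):
        raise ValueError("use filetype: or ext: to match file extensions")
    if not extensions:
        raise ValueError("at least one extension is required")
    alternatives = " | ".join(f"{operator}:{ext.lstrip('.')}" for ext in extensions)
    return f"site:{domain} {alternatives}"


if __name__ == "__main__":
    print(parse_dork('site:Wikipedia.org intitle:"SQL Injection"'))
    print(build_file_dork("certifiedhacker.com",
                          ["xml", "conf", "cnf", "reg", "inf", "rdp", "cfg", "txt", "ora", "ini"]))
```

Run the same builder against your own domains to see what a search engine has already indexed before an attacker does.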

Which of the following techniques is used to create complex search engine queries?

DuckDuckGo
Google hacking

Bing search

Yahoo search

Explanation:

Google hacking refers to the use of advanced Google search operators to build complex queries that surface sensitive or hidden information, such as exposed configuration files, directory listings, login portals, and verbose error messages. Attackers use the results to find vulnerable targets; footprinting with these operators locates specific strings of text within indexed pages without ever sending a request to the target.

Which of the following tools consists of a publicly available set of databases that contain
personal information of domain owners?

Metadata extraction tools

Web spidering tools

WHOIS lookup tools

Traceroute tools

Explanation:
WHOIS is a query and response protocol (RFC 3912) for looking up the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system number. Registries and registrars return the records in human-readable form; the newer RDAP service exposes the same data as JSON.

Whois lookup tools return, for a domain, the registrar, the registrant, administrative and technical contacts (name, organization, postal address, country, phone, fax, and email), creation, update, and expiry dates, domain status, and the authoritative name servers; for an IP address or netblock they return the allocating regional Internet registry, the netblock range, the network service provider, and abuse contacts. Since 2018 many registrars redact personal contact data or route it through privacy proxies, so registrant fields are often empty or anonymized.

What information is gathered about the victim using email tracking tools?

Recipient's IP address, geolocation, proxy detection, operating system, and browser information

Information on an organization’s web pages since their creation

Targeted contact data, extracts the URL and meta tag for website promotion

Username of the clients, operating systems, email addresses, and list of software

Explanation:

Email tracking monitors what happens to an email sent to a particular user. Tracking tools embed a unique, invisible image (a tracking pixel) or rewritten links in the message; when the recipient's mail client fetches the image or the user clicks a link, the tracking server records a time-stamped hit that reveals when the message was received and opened, together with the fetching client's IP address, user agent, and location. Analysis of the message headers (the Received lines) additionally reveals the IP addresses, mail servers, and service providers involved in sending the mail.
Information gathered about the victim using email tracking tools:

 Recipient's system IP address
 Geolocation
 Email received and read
 Read duration
 Proxy detection
 Links
 Operating system and browser information
 Forwarded email
 Device type

Which of the following tools allows an attacker to extract information such as sender
identity, mail server, sender’s IP address, location, and so on?

Email tracking tools

Website mirroring tools

Web updates monitoring tools

Metadata extraction tools

Explanation:

Email tracking tools monitor the emails sent to a particular user: a unique tracking pixel or link in the message produces a digitally time-stamped record when the target receives and opens it, and the message's Received headers expose the sender's identity, the mail servers and service provider involved, and the sender's IP address and approximate location.

Information gathered about the victim using email tracking tools:

 Recipient's system IP address
 Geolocation
 Email received and read
 Read duration
 Proxy detection
 Links
 Operating system and browser information
 Forwarded email
 Device type
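As an added example for both email-tracking questions above (code written for this page, not a tool from the CEH material), the Python below does the header-analysis half of the job: it walks the Received headers of a sample message from the bottom up to recover the originating IP, each relay, and the claimed sender identity. The message, host names and addresses are all constructed (documentation domains and RFC 5737 addresses).

```python
"""Trace an email's path from its Received headers (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed sample message; hosts use documentation domains and RFC 5737 addresses.
SAMPLE_RAW_EMAIL = """\
Received: from mx1.victim.example (mx1.victim.example [192.0.2.10])
\tby mail.victim.example with ESMTP id abc123
\tfor <ceo@victim.example>; Mon, 4 Mar 2024 10:15:02 +0000
Received: from mail-out.sender.example (mail-out.sender.example [198.51.100.25])
\tby mx1.victim.example with ESMTPS id def456; Mon, 4 Mar 2024 10:15:01 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby mail-out.sender.example with ESMTPSA id ghi789; Mon, 4 Mar 2024 10:14:58 +0000
From: "Alice" <alice@sender.example>
To: ceo@victim.example
Subject: Quarterly numbers
Message-ID: <20240304101458.1234@sender.example>
Date: Mon, 4 Mar 2024 10:14:58 +0000

Please see attached.
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+(\S+)")
DATE_RE = re.compile(r";\s*(.+)$")


def parse_received(value: str) -> Dict[str, Optional[str]]:
    """Pull the from-host, its IP, the receiving host, protocol and timestamp
    out of one Received header (folding whitespace is collapsed first)."""
    text = re.sub(r"\s+", " ", value).strip()

    def first(rx: "re.Pattern[str]") -> Optional[str]:
        m = rx.search(text)
        return m.group(1) if m else None

    return {"from": first(FROM_RE), "ip": first(IP_RE), "by": first(BY_RE),
            "with": first(WITH_RE), "date": first(DATE_RE)}


def trace_hops(raw_message: str) -> List[Dict[str, Optional[str]]]:
    """Return hops in chronological order (origin first).

    Each relay prepends its own Received header, so the top header is the most
    recent hop and the bottom one the earliest. Only headers added by servers
    you trust (here mx1.victim.example and mail.victim.example) are reliable;
    everything below them could have been written by the sender.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    return [parse_received(str(h)) for h in reversed(received)]


def originating_ip(raw_message: str) -> Optional[str]:
    """IP of the host that first handed the message to a mail server."""
    hops = trace_hops(raw_message)
    return hops[0]["ip"] if hops else None


def sender_identity(raw_message: str) -> Dict[str, Optional[str]]:
    """Claimed sender (From) and the domain that minted the Message-ID."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, address = parseaddr(str(msg.get("From", "")))
    mid = str(msg.get("Message-ID", ""))
    mid_domain = mid.rsplit("@", 1)[-1].rstrip(">") if "@" in mid else None
    return {"name": name or None, "address": address or None,
            "message_id_domain": mid_domain}


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE_RAW_EMAIL):
        print(hop)
    print(originating_ip(SAMPLE_RAW_EMAIL), sender_identity(SAMPLE_RAW_EMAIL))
```

Feed it a message saved as raw source (.eml); the originating IP is then the input to a Whois or geolocation lookup, which is exactly what commercial email tracking tools automate.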

Which of the following DNS record type helps in DNS footprinting to determine a
domain’s mail server?

MX

NS

CNAME

Explanation:
DNS footprinting (Domain Name System footprinting) reveals information about DNS zone data: domain names, host names, IP addresses, and much more about a particular network. An attacker uses DNS information to identify key hosts in the network (mail servers, name servers, VPN and remote-access gateways) and then performs social engineering or direct attacks against them.

DNS footprinting helps in determining the following records about the target domain:

Record type   Description
A             Maps a host name to an IPv4 address
MX            Points to the domain's mail servers, each with a preference value (lowest is tried first)
NS            Points to the domain's authoritative name servers
CNAME         Canonical name; creates an alias for a host
SOA           Start of authority; identifies the primary name server and zone parameters
SRV           Service record; locates hosts for a named service (e.g., _ldap._tcp)
PTR           Maps an IP address to a host name (reverse lookup)
RP            Responsible person for the domain or host
HINFO         Host information record; includes CPU type and OS
TXT           Unstructured text records (SPF, DKIM, DMARC, and domain-verification tokens live here)
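To show what the records in the table look like on the wire, the following Python builds a DNS query, parses a response (including RFC 1035 name compression), and extracts the mail servers in preference order. It is an added example, not part of the original material; the sample response is constructed inside the block, so it runs offline, and the record-type table is limited to the types listed above.

```python
"""Build a DNS query and parse the response records (added example)."""
import struct
from typing import Dict, List, Tuple

# Numeric codes for the record types in the table above (RFC 1035, RFC 2782).
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "HINFO": 13,
          "MX": 15, "TXT": 16, "RP": 17, "SRV": 33}
TYPE_NAMES = {code: name for name, code in QTYPES.items()}

def encode_name(name: str) -> bytes:
    """example.com -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """12-byte header (flags 0x0100 = recursion desired, 1 question) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)

def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name, following RFC 1035 compression pointers (0xC0xx).
    Returns (name, offset just past the name in the original byte stream)."""
    labels: List[str] = []
    end = -1
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # pointer to an earlier occurrence of the name
            if end < 0:
                end = offset + 2            # the stream resumes after the 2-byte pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end >= 0 else offset)

def parse_response(msg: bytes) -> Dict[str, object]:
    """Skip the question, then decode every answer/authority/additional record."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4                         # QTYPE + QCLASS
    records: List[Tuple[str, str, int, str]] = []
    for _ in range(an + ns + ar):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPES["A"]:
            value = ".".join(str(b) for b in rdata)
        elif rtype == QTYPES["MX"]:
            preference = struct.unpack("!H", rdata[:2])[0]
            exchange, _ = decode_name(msg, offset + 2)   # may use pointers into msg
            value = f"{preference} {exchange}"
        elif rtype in (QTYPES["NS"], QTYPES["CNAME"], QTYPES["PTR"]):
            value, _ = decode_name(msg, offset)
        elif rtype == QTYPES["TXT"]:
            value = rdata[1:1 + rdata[0]].decode("ascii", "replace")
        else:
            value = rdata.hex()             # SOA/SRV/HINFO/RP left raw in this example
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
        offset += rdlen
    return {"id": txid, "rcode": flags & 0x000F, "records": records}

def mail_servers(response: bytes) -> List[str]:
    """MX exchanges ordered by preference (lowest value is tried first)."""
    mx = [r[3].split(" ", 1) for r in parse_response(response)["records"] if r[1] == "MX"]
    return [host for _, host in sorted((int(pref), host) for pref, host in mx)]

def build_sample_response(query: bytes, answers: List[Tuple[str, int, bytes]]) -> bytes:
    """Constructed reply for offline use. Owner names are the pointer 0xC00C to the
    question name at offset 12, exactly as real servers compress them."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)   # QR, RD, RA set
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", QTYPES[t], 1, ttl, len(rd)) + rd
                    for t, ttl, rd in answers)
    return header + query[12:] + body

# Sample data constructed here for the example (not a real lookup of example.com).
SAMPLE_MX_RESPONSE = build_sample_response(
    build_query("example.com", "MX"),
    [("MX", 300, struct.pack("!H", 20) + encode_name("mail2.example.com")),
     ("MX", 300, struct.pack("!H", 10) + encode_name("mail1.example.com"))],
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_MX_RESPONSE))
    print(mail_servers(SAMPLE_MX_RESPONSE))
```

For a live lookup, send build_query(...) to a resolver over UDP port 53 with a socket and hand the reply to parse_response; the query goes to the resolver, not to the target, which is why DNS lookups are low-noise from the target's point of view.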

Robert, an attacker, targeted a high-level executive of an organization and wanted to obtain information about the executive on the Internet. He employed a tool through which he discovered the target user on various social networking sites, along with the complete URL.
What is the tool used by Robert in the above scenario?

BeRoot

Sherlock

Sublist3r

OpUtils

Explanation:

 Sherlock: Searches a vast number of social networking sites for a target username and reports each site where the account exists along with the complete profile URL.
 BeRoot: BeRoot is a post-exploitation tool that checks for common misconfigurations that allow an attacker to escalate privileges.
 OpUtils: ManageEngine OpUtils is an IP address and switch port management tool that uses SNMP to monitor, diagnose, and troubleshoot IT resources.
 Sublist3r: Sublist3r is a Python script designed to enumerate the subdomains of websites using OSINT, across multiple sources at once.

Which of the following tools is a command-line search tool for Exploit-DB that allows
taking a copy of the Exploit database for remote use?

Spyse

DroidSniff
Spokeo

SearchSploit

Explanation:

 SearchSploit: Attackers can also use SearchSploit, a command-line search tool for Exploit-DB that allows taking a copy of the exploit database for remote use, so that detailed searches can be run offline against the locally checked-out copy of the repository.
 Spyse: Spyse is an online platform that can be used to collect and analyze
information about devices and websites available on the Internet.
 Spokeo: Attackers can use the Spokeo people search online service to search for
people belonging to the target organization.
 DroidSniff: DroidSniff is an Android app for security analysis in wireless
networks that can capture Facebook, Twitter, LinkedIn, and other accounts.

Jacob, a professional hacker, targeted an organization’s website to find a way into its
network. To achieve his goal, he employed a footprinting tool that helped him in
gathering confidential files and other relevant information related to the target website
from public source-code repositories.

Identify the footprinting tool employed by Jacob in the above scenario.

ShellPhish

Netcraft

Reverse Lookup
Recon-ng

Explanation:

 Recon-ng: Recon-ng is a full-featured reconnaissance framework designed to provide a powerful environment to conduct web-based reconnaissance quickly and thoroughly. Its modules assist attackers in gathering information from public source-code repositories.
 Reverse Lookup: The Reverse Lookup tool performs a reverse IP lookup by taking
an IP address and locating a DNS PTR record for that IP address
 ShellPhish: ShellPhish is a phishing tool used to phish user credentials from
various social networking platforms such as Instagram, Facebook, Twitter, and
LinkedIn.
 Netcraft: Netcraft provides site reports (hosting provider, netblock, operating system, web server, and site technologies) and runs an anti-phishing community, a giant neighborhood watch scheme in which alert and expert members report phishing sites to defend everyone else.

Peter, a professional hacker, targeted an organization's network to gather as much information as possible to perform future attacks. For this purpose, he employed a reconnaissance framework that helped him gather confidential information such as private Secure Shell (SSH) and Secure Sockets Layer (SSL) keys as well as dynamic libraries from an online third-party repository.

Identify the online third-party repository targeted by Peter in the above scenario.

GitLab

Sublist3r
MITRE ATT&CK framework

BeRoot

Explanation:

 MITRE ATT&CK framework: MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations; it is a reference, not a code repository.
 GitLab : Source code–based repositories are online services or tools available on
internal servers or can be hosted on third-party websites such as GitHub, GitLab,
SourceForge, and BitBucket. These sites contain sensitive data related to
configuration files, private Secure Shell (SSH) and Secure Sockets Layer (SSL)
keys, source-code files, dynamic libraries, and software tools developed by
contributors, which can be leveraged by attackers to launch attacks on the target
organization.
 Sublist3r: Sublist3r is a Python script designed to enumerate the subdomains of
websites using OSINT.
 BeRoot: BeRoot is a post-exploitation tool to check common misconfigurations to
find a way to escalate privilege.
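As an added example of the repository exposure described above (not code from the question bank), the Python below scans a constructed in-memory "repository" for private-key blocks, AWS access key IDs, GitHub tokens, credential assignments, and high-entropy string literals, the same checks a defender should run before code is pushed. The file contents are constructed; the AWS key ID is the placeholder from AWS's own documentation, and the assignment and entropy rules are heuristics chosen for this example.

```python
"""Scan repository contents for leaked keys and credentials (added example)."""
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample "repository": documentation placeholders, not real secrets.
# AKIAIOSFODNN7EXAMPLE is the access key ID that AWS's own documentation uses.
SAMPLE_REPO: Dict[str, str] = {
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZWQy\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "config/settings.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "SECRET_KEY = 'change-me-before-prod'\n"
    ),
    "certs/server.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "# Service\n\nRun `make deploy`; secrets come from the environment.\n",
    "src/app.py": "token = os.environ['GITHUB_TOKEN']\n",
}

# Detection rules. The key-block and AWS/GitHub formats are fixed; the assignment
# rule is a heuristic and will need tuning per code base.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "credential_assignment": re.compile(
        r"(?i)(secret|password|passwd|api[_-]?key|token)[a-z_]*\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words and paths score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def redact(match: str, keep: int = 6) -> str:
    """Never echo the whole secret into a report or log."""
    return match if len(match) <= keep else match[:keep] + "..."


def scan_text(path: str, text: str, entropy_threshold: float = 4.0) -> List[Tuple[str, str, int, str]]:
    """Return (path, rule, line_number, redacted_match) for each hit in one file."""
    hits: List[Tuple[str, str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                hits.append((path, rule, lineno, redact(m.group(0))))
        # Catch-all for unlabelled random-looking literals (e.g., base64 blobs).
        for literal in re.findall(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]", line):
            if shannon_entropy(literal) >= entropy_threshold:
                hits.append((path, "high_entropy_string", lineno, redact(literal)))
    return hits


def scan_repo(files: Dict[str, str]) -> List[Tuple[str, str, int, str]]:
    """Scan every file in a path -> contents mapping."""
    return [hit for path, text in files.items() for hit in scan_text(path, text)]


if __name__ == "__main__":
    for hit in scan_repo(SAMPLE_REPO):
        print(hit)
```

Run the same scan over every commit, not only the working tree: a key removed in a later commit is still retrievable from history, which is what makes public repositories such a rich footprinting source.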

Which of the following tools allows attackers to construct and analyze social networks
and obtain critical information about the target organization/users?

NodeXL

HTTrack Web Site Copier

Mention

Burp Suite
Explanation:

 NodeXL: Attackers use various tools such as Gephi, SocNetV, and NodeXL to
construct and analyze social networks and obtain critical information about the
target organization/users.
 Mention: Mention is an online reputation tracking tool that helps attackers in
monitoring the web, social media, forums, and blogs to learn more about the
target brand and industry.
 HTTrack Web Site Copier: HTTrack is an offline browser utility. It downloads a
website from the Internet to a local directory and recursively builds all the
directories including HTML, images, and other files from the web server on
another computer.
 Burp Suite: Burp Suite is an integrated platform for performing security testing of
web applications. Its various tools work together to support the entire testing
process, from initial mapping and analysis of an application's attack surface to
finding and exploiting security vulnerabilities.

Which of the following commands allows attackers to retrieve the archived URLs of a
target website from archive.org?

theHarvester -d microsoft.com -l 200 -b linkedin

theHarvester -d microsoft -l 200 -b linkedin

photon.py -u http://www.certifiedhacker.com -l 3 -t 200 --wayback

cewl www.certifiedhacker.com
Explanation:

 theHarvester -d microsoft -l 200 -b linkedin: with -b linkedin, theHarvester searches LinkedIn for people associated with the company name given to -d, so this enumerates employee names and titles; -l caps the number of results.
 photon.py -u <Target website URL> -l 3 -t 200 --wayback: Photon crawls the target to depth 3 (-l) with 200 threads (-t) and, with --wayback, retrieves archived URLs of the target website from archive.org.
 theHarvester -d microsoft.com -l 200 -b linkedin: the same LinkedIn search with a domain rather than a company name. -b selects the data source (linkedin here; baidu, google, bing, and others are alternatives), so this command does not use Baidu.
 cewl www.certifiedhacker.com: CeWL spiders the target URL and produces a list of the unique words found on it, typically used to build a target-specific password wordlist.

Which of the following tools allows attackers to retrieve archived URLs of a target
website from archive.org?

Burp Suite

Sublist3r

SecurityTrails

Photon

Explanation:

 SecurityTrails: SecurityTrails is an advanced DNS enumeration tool capable of creating a DNS map of the target domain network. It can enumerate both current and historical DNS records such as A, AAAA, NS, MX, SOA, and TXT, which helps in building the DNS structure.
 Sublist3r: Sublist3r is a Python script designed to enumerate the subdomains of
websites using OSINT.
 Photon: Attackers can use tools such as Photon to retrieve archived URLs of the
target website from archive.org.
 Burp Suite: Burp Suite is an integrated platform for performing security testing of
web applications.

Which of the following tools does an attacker use to perform a query on the platforms
included in OSRFramework?

usufy.py

searchfy.py

mailfy.py

domainfy.py

Explanation:

The tools included in the OSRFramework package that attackers can use to gather information on the
target are listed below:

 usufy.py – Checks for a user profile on up to 290 different platforms
 mailfy.py – Checks for the existence of a given email address
 searchfy.py – Performs a query on the platforms in OSRFramework
 domainfy.py – Checks for the existence of domains
 phonefy.py – Checks for the existence of a given series of phone numbers
 entify.py – Uses regular expressions to extract entities
Which of the following options of Sublist3r allows the user to specify a comma-
separated list of search engines?

-d

-p

-e

-o

Explanation:

Sublist3r

Sublist3r is a Python script designed to enumerate the subdomains of websites using OSINT. It enables you to enumerate subdomains across multiple sources at once. Further,
it helps penetration testers and bug hunters in collecting and gathering subdomains for the
domain they are targeting. It enumerates subdomains using many search engines such as
Google, Yahoo, Bing, Baidu, and Ask. It also enumerates subdomains using Netcraft,
VirusTotal, ThreatCrowd, DNSdumpster, and ReverseDNS.

Syntax:

sublist3r [-d DOMAIN] [-b BRUTEFORCE] [-p PORTS] [-v VERBOSE] [-t THREADS] [-e ENGINES] [-o OUTPUT]

Short form   Long form       Description
-d           --domain        Domain name to enumerate subdomains of
-b           --bruteforce    Enable the subbrute bruteforce module
-p           --ports         Scan the found subdomains against specific TCP ports
-v           --verbose       Enable verbose mode and display results in real time
-t           --threads       Number of threads to use for subbrute bruteforce
-e           --engines       Specify a comma-separated list of search engines
-o           --output        Save the results to a text file

Which of the following tools allows attackers to collect information such as subdomains, IP addresses, HTTP response status, SSL/TLS certificates, vulnerability scores, and DNS records of the target domain or website?

Nagios

Spyse

THC-Hydra

L0phtCrack

Explanation:

 L0phtCrack: L0phtCrack is a password auditing and recovery application. It recovers lost Microsoft Windows passwords using dictionary, hybrid, rainbow-table, and brute-force attacks, and it also reports password strength.
 Nagios: Nagios provides monitoring of infrastructure and SAN solutions, including disk usage, directories, file count, file presence, file size, RAID array status, and more.
 Spyse: Spyse is an online platform that collects and analyzes information about devices and websites reachable on the Internet. Attackers use its search parameters to identify subdomains, IP addresses, HTTP response status, SSL/TLS certificates, vulnerability scores (low, medium, and high risk), and DNS records of the target domain or website.
 THC-Hydra: THC Hydra is a parallelized login cracker that supports numerous protocols. It is proof-of-concept code that lets researchers and security consultants demonstrate how easily unauthorized remote access to a system can be gained; it is a password-attack tool, not a footprinting tool.
