
Footprinting, Reconnaissance, and Scanning

In this sample chapter from CEH Certified Ethical Hacker Cert Guide, 4th Edition, you will review a number of ways individuals can attempt to passively gain information about an organization and interactive scanning techniques.


This chapter covers the following topics:

  • Footprinting: The process of accumulating data about a specific network environment, usually for the purpose of mapping the attack surface and finding ways to intrude into the environment. Fingerprinting can be categorized as either active or passive. Active fingerprinting is more accurate but also more easily detected. Passive fingerprinting is the act of identifying systems without injecting traffic or packets into the network.

  • Scanning: The identification of active machines, accomplished by means of ping sweeps and port scans. Both help establish whether a machine is actively connected to the network and reachable. After all details of a network and its operations have been recorded, the attacker can then identify vulnerabilities that could allow access or serve as an entry point.

This chapter introduces you to two of the most important pre-attack phases: footprinting and scanning. Although these steps don’t constitute breaking in, they occur at the point at which a hacker or ethical hacker will start to get information. The goal here is to discover what a hacker or other malicious user can uncover about the organization, its technical infrastructure, locations, employees, policies, security stance, and financial situation. Just as most hardened criminals don’t rob a jewelry store without preplanning, elite hackers and cybercriminals won’t attack a network before they understand what they are up against. Even script kiddies will do some pre-attack reconnaissance as they look for a target of opportunity. For example, think of how a burglar walks around a building to look for entry points.

This chapter begins by looking at a number of general mechanisms individuals can use to passively gain information about an organization without alerting it. This chapter also discusses interactive scanning techniques and reviews their benefits. Note that in this context, the goal of scanning is to discover open ports and applications. This chapter concludes with attack surface mapping techniques.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 3-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 3-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section    Questions
Footprinting                 1–8
Scanning                     9–15

  1. Where should an ethical hacker start the information-gathering process?

    1. Interview with company

    2. Dumpster diving

    3. Company’s website

    4. Interview with employees

  2. What common Windows and Linux tool is used for port scanning?

    1. Hping

    2. Amap

    3. Nmap

    4. SuperScan

  3. What does the Nmap -sT switch do?

    1. UDP scan

    2. ICMP scan

    3. TCP full connect scan

    4. TCP ACK scan

  4. Which of the following would be considered outside the scope of footprinting and information gathering?

    1. Finding physical addresses

    2. Attacking targets

    3. Identifying potential targets

    4. Reviewing a company website

  5. During a security assessment, you are asked to help with a footprinting activity. Which of the following might be used to determine network range?

    1. ARIN

    2. DIG

    3. Traceroute

    4. Ping host

  6. You have been asked to gather some specific information during a penetration test. The “intitle” string is used for what activity?

    1. Traceroute

    2. Google search

    3. Website query

    4. Host scanning

  7. During a footprinting exercise, you have been asked to gather information from APNIC and LACNIC. What are these examples of?

    1. IPv6 options

    2. DHCP servers

    3. DNS servers

    4. RIRs

  8. CNAMEs are associated with which of the following?

    1. ARP

    2. DNS

    3. DHCP

    4. Google hacking

  9. Which of the following TCP scan types is also known as the half-open scan?

    1. FIN scan

    2. XMAS scan

    3. SYN scan

    4. Null scan

  10. What scan is also known as a zombie scan?

    1. IDLE scan

    2. SYN scan

    3. FIN scan

    4. Stealth scan

  11. What is the TCP port scan that is used to toggle on the FIN, URG, and PSH TCP flags?

    1. XMAS scan

    2. Null scan

    3. ACK scan

    4. None of these answers are correct

  12. You were hired to perform penetration testing for a local school. You discovered an FTP server in the network. What type of FTP scan technique would make the scan harder to trace?

    1. FTP bounce scan

    2. FTP stealth SYN scan

    3. FTP null scan

    4. Slowloris FTP scan

  13. Which of the following tools can be used to enumerate systems that are running NetBIOS?

    1. Nmap

    2. nbtscan

    3. Metasploit

    4. All of these answers are correct

  14. What type of information can you obtain when successfully enumerating insecure SNMP systems?

    1. Network interface configuration

    2. The device hostname and current time

    3. The device IP routing table

    4. All of these answers are correct

  15. What SMTP command can be used to verify whether a user’s email mailbox exists in an email server?

    1. EXPN

    2. VRFY

    3. RCPT

    4. None of these answers are correct
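As an added, defender-side example that is not from the book, the following Python detector applies the definitions used above to constructed packet summaries: a ping sweep is one source probing many hosts over ICMP, a half-open (SYN) scan is many SYN-only probes from one source, and XMAS (FIN, URG, PSH) or Null flag sets never occur in legitimate TCP traffic, so even a single one is worth flagging. The packet records, field layout, and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed packet summaries (src, dst, proto, dst_port, tcp_flags); not real traffic.
PACKETS = [
    ("10.0.0.5", "10.0.1.1", "icmp", None, ""),
    ("10.0.0.5", "10.0.1.2", "icmp", None, ""),
    ("10.0.0.5", "10.0.1.3", "icmp", None, ""),
    ("10.0.0.5", "10.0.1.3", "tcp", 22, "S"),
    ("10.0.0.5", "10.0.1.3", "tcp", 80, "S"),
    ("10.0.0.5", "10.0.1.3", "tcp", 443, "S"),
    ("10.0.0.7", "10.0.1.3", "tcp", 25, "FPU"),
    ("10.0.0.7", "10.0.1.3", "tcp", 110, ""),
    ("10.0.0.9", "10.0.1.3", "tcp", 443, "S"),   # ordinary client connection
    ("10.0.0.9", "10.0.1.3", "tcp", 443, "A"),   # handshake completed
]

def classify_probe(flags):
    """Name a TCP probe by its flag set, using the scan names from the quiz."""
    f = set(flags)
    if f == {"S"}:
        return "syn (half-open)"
    if f == {"F", "P", "U"}:
        return "xmas"
    if not f:
        return "null"
    return "other"

def detect_recon(packets, host_threshold=3, port_threshold=3):
    """Per source: ping sweeps, SYN port scans, and malformed-flag probes."""
    icmp_hosts, syn_targets, odd_probes = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, dst, proto, dport, flags in packets:
        if proto == "icmp":
            icmp_hosts[src].add(dst)
        elif proto == "tcp":
            kind = classify_probe(flags)
            if kind == "syn (half-open)":
                syn_targets[src].add((dst, dport))
            elif kind in ("xmas", "null"):
                odd_probes[src].add(kind)   # never seen in legitimate TCP
    findings = defaultdict(list)
    for src, hosts in icmp_hosts.items():
        if len(hosts) >= host_threshold:
            findings[src].append(f"ping sweep: {len(hosts)} hosts")
    for src, targets in syn_targets.items():
        if len(targets) >= port_threshold:   # one SYN per client is normal
            findings[src].append(f"syn scan: {len(targets)} host/port pairs")
    for src, kinds in odd_probes.items():
        findings[src].append("malformed-flag probe: " + ", ".join(sorted(kinds)))
    return dict(findings)
```

Running detect_recon(PACKETS) flags 10.0.0.5 for both a ping sweep and a SYN scan and 10.0.0.7 for its XMAS and Null probes, while the single completed connection from 10.0.0.9 produces no finding.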
