Session19_VA
1. What is Footprinting?
a- It’s the first stage of any attack
b- It is used to gather information about the victim’s network
2. Types of Footprinting
Two types:
a- Passive: without direct interaction
b- Active: with direct interaction
3. Information Obtained in footprinting
a- Footprinting operations
b- Information about the organization to which the victim belongs
c- Information about the network that the victim deals with or uses
d- Information about the victim's systems
4. Objectives of footprinting
a- Find out where an attack is most likely to be possible
b- Narrow down the set of vulnerabilities worth investigating
c- Identify possible points of weakness
d- Draw a map of the network in which the victim works
5. Google advanced Search operations
a- cache: Displays Google's cached version of a webpage.
b- link: Used to find pages linking to a specific URL.
c- related: Finds websites similar to the given URL.
d- info: Shows details about a website, including cache, similar pages, and links.
e- site: Limits search results to a specific domain.
f- allintitle: Finds pages where all specified words appear in the title.
g- intitle: Finds pages where at least one specified word appears in the title.
h- allinurl: Finds pages where all specified words appear in the URL.
i- inurl: Finds pages where at least one specified word appears in the URL.
j- location: Used to find search results related to a specific location.
6. GHDB
a- Google Hacking Database
b- Authoritative source for querying the ever-widening reach of search engines
c- It uses Google Dorks (search queries built from the advanced operators above)
7. Tools to search company’s sub-domains
a- Netcraft
b- Sublist3r
c- Pentest-Tools
8. Harvesting Email lists
a- theHarvester
9. Gathering information using financial services
a- Google finance
b- Yahoo finance
c- Investing
d- MSN Money
10. Footprinting through job sites
a- LinkedIn
b- Dice
11. Deep and dark web footprinting
a- Browser: Tor browser
b- The Tor Browser works by routing your Internet traffic through volunteer-operated servers
called Tor nodes (or relays). This process encrypts and bounces your data through multiple
nodes before reaching the final destination, making it difficult to trace the request's origin.
12. Determining the operating system
a- Netcraft
b- Shodan
c- Censys
13. VOIP and VPN footprinting
a- Shodan
14. What are the most important sources of Competitive Intelligence?
a- Company website
b- Recruitment advertisements
c- Press release
d- Trade journal
e- Social engineering employees
f- Product catalogs
g- Analyst reports
h- Customer interviews
i- Agents & Suppliers
15. What are the most important resource sites
a- Edgar database
b- D&B Hoovers
c- LexisNexis
d- Business wire
e- Factiva
16. What are the most important general resources for locating information from social media sites?
a- Buzzsumo
b- Followerwonk
c- Social Searcher
d- Sherlock (Tool)
17. What are the most important tools for website footprinting?
a- Burp Suite
b- Web spiders
c- Web data extractor
18. What are the most important tools for website Mirroring?
a- HTTrack
b- Archive.org
19. What are the most important tools for extracting website links?
a- Octoparse
20. What are the most important tools for extracting metadata?
a- Code.google.com
b- Metagoofil
21. What are the most important Email tracking tools?
a- Infoga
b- eMailTrackerPro
22. What are Eavesdropping, Shoulder Surfing, Dumpster Diving and Impersonation?
a- Eavesdropping Attack: An attacker intercepts network traffic (e.g., using packet sniffers like
Wireshark) to steal sensitive data such as login credentials or financial information
b- Shoulder Surfing Attack: A hacker observes a victim entering passwords, PINs, or security codes
in public places (e.g., at ATMs or while logging into corporate systems)
c- Dumpster Diving Attack: Cybercriminals search discarded documents, USB drives, or hard disks
to retrieve confidential data like login credentials, network diagrams, or employee records
d- Impersonation Attack: An attacker poses as a trusted entity (e.g., IT support, CEO, or vendor) to
trick employees into revealing login credentials, installing malware, or granting unauthorized
access
23. Maltego – Recon-ng – FOCA – OSRFramework - OSINT Framework – Recon Dog – BillCipher
a- Maltego: Visual link analysis tool for mapping relationships between people, domains, IPs, and
organizations.
b- Recon-ng: Python-based web reconnaissance framework for automating OSINT gathering.
c- FOCA: Finds metadata in public documents to extract sensitive info like usernames, emails, and
software versions.
d- OSRFramework: A collection of OSINT tools to gather usernames, domain info, and leaks from
public sources.
e- OSINT Framework: A web-based collection of OSINT tools for gathering intelligence on people,
domains, and infrastructure.
f- Recon Dog: Lightweight reconnaissance tool for gathering subdomains, IPs, and open ports.
g- BillCipher: A penetration testing tool for scanning and gathering information about websites,
including CMS detection and vulnerabilities.
24. What are the main footprinting countermeasures?
a- Restrict the employees' access to social networking sites from the organization's network
b- Configure web servers to avoid information leakage
c- Educate employees to use pseudonyms
d- Do not reveal critical information in press releases, annual reports, product catalogs
e- Limit the amount of information published on a website or the internet
f- Use footprinting techniques to discover and remove any sensitive information that is publicly
available
g- Prevent search engines from caching a web page and use anonymous registration services
h- Use split DNS (separate internal and external DNS zones)
i- Disable directory listings in the web servers
j- Do not enable protocols that are not required
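Three of the countermeasures above concern the web server itself: avoid information leakage, stop search engines from caching pages, and disable directory listings. The following is an added example (not part of the session notes) that audits a captured HTTP response offline for those three items. The response headers and bodies are constructed, and the header and title patterns it looks for are assumptions about common server behaviour, not a complete check.

```python
"""Offline audit of one HTTP response for the web-server leakage items in the
footprinting countermeasure list: verbose version headers, directory listings,
and pages that search engines are allowed to cache (no noarchive directive)."""
import re


def audit_response(headers: dict, body: str) -> list:
    """Return a list of finding strings for a single HTTP response.
    `headers` maps header names (any case) to values; `body` is the HTML."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Version strings in Server / X-Powered-By (e.g. "Apache/2.4.41 (Ubuntu)")
    for name in ("server", "x-powered-by"):
        value = h.get(name, "")
        if re.search(r"\d+\.\d+", value):
            findings.append(f"{name} header leaks a version string: {value!r}")

    # 2. Directory listing: the auto-index title or "Parent Directory" link
    if re.search(r"<title>\s*Index of\s*/", body, re.IGNORECASE) or "Parent Directory" in body:
        findings.append("directory listing is enabled for this path")

    # 3. Search-engine caching: neither the X-Robots-Tag header nor a robots
    #    meta tag carries noarchive, so the page may end up in a cache: result
    robots_header = h.get("x-robots-tag", "").lower()
    meta = re.search(r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']',
                     body, re.IGNORECASE)
    meta_content = meta.group(1).lower() if meta else ""
    if "noarchive" not in robots_header and "noarchive" not in meta_content:
        findings.append("no noarchive directive; search engines may cache this page")

    return findings


# Constructed sample: a leaky response (all three problems present)
LEAKY_HEADERS = {"Server": "Apache/2.4.41 (Ubuntu)", "Content-Type": "text/html"}
LEAKY_BODY = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1><a href="/">Parent Directory</a>
<a href="db-2023.sql">db-2023.sql</a></body></html>"""

# Constructed sample: the same server after the countermeasures are applied
HARDENED_HEADERS = {"Server": "Apache", "X-Robots-Tag": "noarchive, noindex",
                    "Content-Type": "text/html"}
HARDENED_BODY = "<html><head><title>Welcome</title></head><body>Hello</body></html>"


if __name__ == "__main__":
    for label, hdrs, body in (("leaky", LEAKY_HEADERS, LEAKY_BODY),
                              ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        print(label, audit_response(hdrs, body))
```

Run it against real responses by filling `headers` from the response object of whatever HTTP client you use; the checks are deliberately conservative, so an empty result means only that these three specific leaks were not seen.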
====================================
25. Define Network Scanning
a- A set of procedures to identify hosts, ports and services within a network
b- One of the intelligence-gathering phases
c- A vulnerability assessor uses it to create a profile of the target organization
26. What are the main objectives of network scanning?
a- Find live hosts, open ports and IP address
b- Find the operating system and system architecture
c- Find the services running on each host
d- Find the existing vulnerabilities
27. Distinguish between port scanning, network scanning and vulnerability scanning
a- Port scanning: Find the services running on the target computer by sending a set of messages to each port and observing the responses
b- Network scanning: Find live hosts and their IP addresses
c- Vulnerability scanning: Find vulnerabilities and weaknesses
28. Nmap – Hping2/Hping3 – Metasploit – NetScan Tools Pro
a- Nmap: An open-source network scanner used for discovering hosts, open ports, and running
services to identify potential vulnerabilities.
b- Hping2/Hping3: Command-line packet crafting tools used for advanced network scanning,
firewall testing, and simulating DoS attacks by sending custom TCP/IP packets.
c- Metasploit: A powerful penetration testing framework that provides a suite of exploits and
payloads to identify and test vulnerabilities in systems.
d- NetScan Tools Pro: A comprehensive suite of network utilities designed for network discovery,
diagnostics, and vulnerability assessments through various scanning and monitoring tools.
29. For mobile: IP scanner – Fing – Network scanner
a- IP Scanner: Scans the network to detect connected devices by their IP addresses, helping in
network mapping and identifying unauthorized devices.
b- Fing: A comprehensive mobile app that quickly identifies network devices, open ports, and
services, aiding in vulnerability assessment and monitoring network health.
c- Network Scanner: A general term for tools that analyze mobile networks to discover devices,
services, and potential security weaknesses.
30. What are the most important Host discovery techniques?
a- ARP ping scan
b- UDP ping scan
c- ICMP ping scan
a. ICMP echo ping
i. ICMP echo ping sweep
b. ICMP Timestamp
c. ICMP address mask request
d- TCP ping scan
a. TCP SYN
b. TCP ACK
e- IP protocol ping scan
31. What are the Ping sweep countermeasures?
a- Configure the firewall
b- Use an IDS
c- Evaluate ICMP traffic continuously
d- Cut off any connection that sends more than 10 ICMP echo requests
e- Use a DMZ (enable echo reply, disable host unreachable)
f- Limit ICMP traffic using an ACL (Access Control List)
32. What are the most important Port scanning techniques?
a- TCP scanning
a. Open TCP scanning methods
i. TCP connect / full open scan
b. Stealth TCP scanning methods
i. Half-open scan
ii. Inverse TCP flag scan
1. Xmas scan
2. FIN scan
3. NULL scan
4. Maimon scan
iii. ACK flag probe scan
1. TTL-Based scan
2. Window-Based scan
c. Third party and spoofed TCP scanning methods
i. IDLE/IPID header scan
b- UDP scanning
c- SCTP scanning
a. SCTP INIT scanning
b. SCTP COOKIE/ECHO scanning
d- SSDP scanning
e- IPv6 Scanning
33. What are the Port Scanning countermeasures?
a- Configure the firewall and IDS
b- Run port scans against your own network continuously
c- Verify the routing and filtering rules
d- Update all IDSs, firewalls and routers
e- Use a specific rule set
f- Filter ICMP messages
g- Perform TCP and UDP scanning along with ICMP continuously
h- Verify that all anti-spoofing and anti-scanning features of your equipment are in use
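The ping sweep countermeasures (question 31) give a concrete cut-off, more than 10 ICMP echo requests from one source, and the port scanning countermeasures (question 33) ask for continuous IDS-style evaluation. The following added example (not from the session notes) implements both detections over constructed firewall log lines. The `key=value` log format, the field names and the 15-distinct-ports threshold for calling something a port scan are assumptions; the echo-request limit of 10 is the one the notes state.

```python
"""Detection logic for two of the scanning countermeasures, run over constructed
firewall log lines: (a) a source sending more than 10 ICMP echo requests (ping
sweep) and (b) a source probing many distinct TCP/UDP ports on one host (port scan)."""
from collections import defaultdict

ECHO_REQUEST_LIMIT = 10   # from the notes: cut off after more than 10 ICMP echo requests
PORT_SCAN_THRESHOLD = 15  # assumed: distinct ports per (src, dst) pair that we call a scan


def parse_line(line: str) -> dict:
    """Turn 'timestamp key=value key=value ...' into a dict (constructed log format)."""
    fields = line.split()
    rec = {"ts": fields[0]}
    for token in fields[1:]:
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def detect_sweeps_and_scans(lines, echo_limit=ECHO_REQUEST_LIMIT,
                            port_threshold=PORT_SCAN_THRESHOLD) -> list:
    """Return one alert string per offending source (sweeps first, then scans)."""
    echo_counts = defaultdict(int)   # src -> number of ICMP echo requests seen
    ports_seen = defaultdict(set)    # (src, dst) -> distinct destination ports
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("proto") == "icmp" and rec.get("type") == "8":  # ICMP type 8 = echo request
            echo_counts[rec["src"]] += 1
        elif rec.get("proto") in ("tcp", "udp") and "dport" in rec:
            ports_seen[(rec["src"], rec["dst"])].add(rec["dport"])

    alerts = []
    for src, n in sorted(echo_counts.items()):
        if n > echo_limit:
            alerts.append(f"ping sweep: {src} sent {n} ICMP echo requests (limit {echo_limit})")
    for (src, dst), ports in sorted(ports_seen.items()):
        if len(ports) >= port_threshold:
            alerts.append(f"port scan: {src} probed {len(ports)} distinct ports on {dst}")
    return alerts


# Constructed sample log: one noisy source, one benign source
SAMPLE_LOG = (
    # 12 echo requests to 12 different hosts: exceeds the cut-off
    [f"2024-05-01T10:00:{i:02d} proto=icmp src=203.0.113.7 dst=10.0.0.{i} type=8"
     for i in range(1, 13)]
    # 3 echo requests from a benign host: under the limit
    + [f"2024-05-01T10:01:{i:02d} proto=icmp src=198.51.100.9 dst=10.0.0.5 type=8"
       for i in range(3)]
    # 20 SYN probes to 20 distinct ports on one host: a port scan
    + [f"2024-05-01T10:02:{i:02d} proto=tcp src=203.0.113.7 dst=10.0.0.5 dport={p} flags=S"
       for i, p in enumerate(range(20, 40))]
    # ordinary traffic: repeated connections to a single port
    + ["2024-05-01T10:03:00 proto=tcp src=198.51.100.9 dst=10.0.0.5 dport=443 flags=S"] * 5
)


if __name__ == "__main__":
    for alert in detect_sweeps_and_scans(SAMPLE_LOG):
        print(alert)
```

In production the same counters would be kept per time window rather than over the whole file, otherwise a slow scanner that stays below the threshold per window is missed; the thresholds should be tuned against normal traffic so that monitoring systems doing legitimate sweeps do not trip them.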
34. Types of banner grabbing (OS discovery) || How to identify the OS?
a- Two Types:
a. Active banner grabbing: The attacker sends a variety of malformed packets to the
remote host, and the responses are compared with a database.
b. Passive banner grabbing: Depends on error messages, sniffing the network traffic, and
banner grabbing from page extensions
35. Banner grabbing countermeasures?
----------------------
36. What are the most important techniques that are used to evade firewalls and IDSs?
a- Packet fragmentation
b- Source routing
c- Source port manipulation
d- IP address decoy
e- IP address spoofing
f- MAC address spoofing
g- Creating custom packets
h- Randomizing host order
i- Sending bad checksums
j- Proxy Servers
k- Anonymizers
37. IP spoofing countermeasures?
a- Encrypt all network traffic
b- Using multiple firewalls (double bastion)
c- Do not rely on IP-based authentication
d- Use random initial sequence number to prevent IP spoofing attacks based on sequence number
spoofing
e- Ingress filtering: use routers and firewalls at your network perimeter to filter incoming packets
that appear to come from an internal IP address
f- Egress filtering: filter all outgoing packets with an invalid local IP address as the source
addresses
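The ingress and egress filtering rules above are simple enough to state as code. The following added example (not from the session notes) implements both checks with the standard `ipaddress` module: the internal prefixes, the packet tuples and the `in`/`out` direction labels are constructed assumptions, and a real perimeter device would apply the same two tests per interface.

```python
"""Ingress/egress anti-spoofing filter as described in the IP spoofing
countermeasures: drop inbound packets that claim an internal source, and drop
outbound packets whose source is not one of our own addresses."""
import ipaddress

# Constructed: the address ranges we consider "ours"
INTERNAL_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of our prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def filter_packet(direction: str, src: str, dst: str) -> tuple:
    """direction is 'in' (arriving at the perimeter from outside) or 'out'
    (leaving our network). Returns (verdict, reason); dst is carried for
    logging only, the decision rests on the source address."""
    if direction == "in" and is_internal(src):
        # ingress filtering: a packet from outside must not claim an inside source
        return ("DROP", f"ingress: external packet spoofs internal source {src} -> {dst}")
    if direction == "out" and not is_internal(src):
        # egress filtering: nothing leaves with a source address that is not ours
        return ("DROP", f"egress: outbound packet with non-local source {src} -> {dst}")
    return ("ALLOW", "")


# Constructed sample packets: (direction, src, dst)
SAMPLE_PACKETS = [
    ("in",  "203.0.113.7",  "10.0.0.5"),     # normal inbound connection
    ("in",  "10.0.0.9",     "10.0.0.5"),     # spoofed: arrives from outside claiming inside
    ("out", "10.0.0.5",     "203.0.113.7"),  # normal outbound reply
    ("out", "198.51.100.3", "203.0.113.7"),  # spoofed source leaving our network
]


def verdicts(packets=SAMPLE_PACKETS) -> list:
    """Verdict for each packet, in order."""
    return [filter_packet(*p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", filter_packet(*p))
```

Egress filtering is the one most often skipped, yet it is what stops a compromised internal host from taking part in a spoofed-source DoS against someone else.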
38. What is an anonymizer and what are the most important tools?
a- An anonymizer removes all identity information from the user's computer while the user surfs
the Internet
b- Anonymizers make activity on the Internet untraceable
c- Anonymizers allow you to bypass Internet censors
d- Why use an Anonymizer? → Privacy and anonymity, Protection against online attacks, Access
restricted content, Bypass IDS and Firewall rules
e- Tools: Whonix, Psiphon, TunnelBear, Invisible Internet Project (I2P), JonDo
f- Tools for mobile: Orbot, Psiphon Pro