Reconnaissance Practice

Focus on passive and active information gathering to understand the target before touching production systems.

1. Question

Which activity is the BEST example of passive reconnaissance against a web application?

Running a full TCP connect scan against the target's IP rangeScraping public job listings and documentation for technology stack detailsSending crafted phishing emails to internal staffLaunching a password spray attack against VPN endpoints

2. Question

Which of the following tools is MOST associated with open-source intelligence (OSINT) collection?

HydratheHarvesterMetasploitResponder

3. Question

Reviewing SSL/TLS certificates and certificate transparency logs for subdomains primarily supports which goal?

Discovering internal password policiesIdentifying potential target hosts and servicesCapturing plaintext credentials on the networkDetecting insider threats within the organization

4. Question

Which DNS record type is MOST useful for discovering mail infrastructure during reconnaissance?

AMXTXTCNAME

5. Question

Why is it important to document the source of each piece of information collected during reconnaissance?

To ensure it can be reused in future, unrelated engagementsTo attribute blame in case of an incidentTo support reproducibility, traceability, and reporting to the clientTo comply with PCI-DSS requirements

6. Question

Which activity would MOST likely be considered active reconnaissance rather than passive?

Searching paste sites for leaked credentialsQuerying DNS records via WHOISRunning Nmap host discovery against the target IP spaceReviewing public GitHub repositories for code leaks

7. Question

During reconnaissance, you discover a public S3 bucket containing configuration files. What is the MOST appropriate next step?

Immediately attempt to modify the bucket ACLsQuietly exfiltrate as much data as possibleVerify scope, capture limited evidence, and document the exposurePublicly disclose the issue to raise awareness

8. Question

What is the PRIMARY reason to perform reconnaissance before scanning or exploitation?

To avoid the need for further technical testingTo reduce the number of reports to writeTo better understand the environment and focus later effortsTo ensure that tests are noisy and easily detected

9. Question

Which of the following is MOST likely to reveal usernames and email formats during recon?

Reviewing SPF and DKIM DNS recordsMonitoring NetFlow dataSearching LinkedIn and company social media profilesSniffing traffic on the internal LAN

10. Question

When performing reconnaissance on a target's website, which action is MOST appropriate within a typical web application scope?

Enumerating directories and files with a wordlist-based toolStress-testing the site with a massive DDoS to measure resilienceAttempting to deface public content to prove impactBrute-forcing admin credentials without rate limiting consideration

Score: 0.0 / 10 (0 of 10 correct)