Chapter 7 Quiz: Passive Reconnaissance and OSINT

Multiple Choice Questions

1. What is the defining characteristic that distinguishes passive reconnaissance from active reconnaissance?

a) Passive reconnaissance uses automated tools while active reconnaissance is manual
b) Passive reconnaissance does not send any data to the target's systems
c) Passive reconnaissance is legal while active reconnaissance is illegal
d) Passive reconnaissance is faster than active reconnaissance

2. Which of the following is NOT a phase of the OSINT intelligence cycle?

a) Collection
b) Exploitation
c) Analysis
d) Dissemination

3. A DNS TXT record containing v=spf1 include:_spf.google.com include:sendgrid.net ~all reveals that the organization uses:

a) Google Cloud Platform and SendGrid for web hosting
b) Google Workspace for email and SendGrid for transactional email
c) Google Analytics and SendGrid for marketing
d) Google DNS and SendGrid for DNS management

4. What does a search on crt.sh for %.medsecure.com query?

a) Active DNS records for the medsecure.com domain
b) WHOIS registration data for medsecure.com
c) Certificate Transparency logs for certificates covering medsecure.com subdomains
d) Google search results for pages on medsecure.com

5. Which Google dork operator restricts results to a specific file type?

a) inurl:
b) site:
c) filetype:
d) intitle:

6. You discover that an organization's WHOIS data shows a domain expiring in 15 days with no auto-renewal. What is the primary security concern?

a) The domain will stop resolving DNS records
b) The domain could be registered by an attacker after expiration (domain hijacking)
c) The SSL certificate will expire simultaneously
d) The email system will stop functioning

7. What information can Shodan reveal about an organization's infrastructure that Google cannot?

a) Cached web pages from the organization's website
b) Open ports, service banners, and software versions on internet-facing hosts
c) Employee social media profiles
d) Internal network documentation

8. When mining GitHub repositories for leaked secrets, why is it important to check the entire commit history rather than just the current state of files?

a) GitHub only indexes the commit history, not current files
b) Developers often commit secrets and then try to remove them, but the original commit remains in the git history
c) Current files are encrypted while historical commits are not
d) GitHub search only works on historical data

9. In the context of OSINT, what does "metadata" from documents typically reveal?

a) The document's classification level
b) Author names, software versions, internal file paths, and creation dates
c) The number of times the document has been downloaded
d) Which security controls protect the document

10. Which Maltego concept represents a query that takes an entity as input and produces related entities as output?

a) Graph
b) Node
c) Transform
d) Entity

True or False

11. Passive reconnaissance always requires explicit written authorization because it involves accessing the target's systems.

12. A successful DNS zone transfer can reveal every hostname in a domain's DNS zone.

13. WHOIS privacy services completely prevent an attacker from ever identifying the domain registrant through any means.

14. Certificate Transparency logs only contain certificates that are currently valid and not expired.

15. The site:*.example.com -www Google dork helps discover subdomains by excluding the main www subdomain from results.

Short Answer

16. Explain why using multiple OSINT sources is important rather than relying on a single tool like theHarvester. Provide at least three reasons.

17. You are conducting passive recon for a healthcare penetration test. Describe three OSINT sources specific to the healthcare industry that could provide valuable intelligence, and what you would expect to find from each.

18. Describe the ethical boundaries of passive reconnaissance. When does collecting publicly available information cross an ethical line, even if it remains technically legal?

19. A penetration tester discovers an AWS access key committed to a developer's personal GitHub repository during passive reconnaissance. The key appears to be for the client's production AWS account. What should the tester do, and why?

20. Compare and contrast Shodan and Censys as reconnaissance tools. In what scenarios would you prefer one over the other?


Answer Key

1. b) Passive reconnaissance does not send any data to the target's systems. This is the fundamental distinction: passive recon draws on third parties and public sources (search engines, CT logs, WHOIS history, web archives, breach data) and therefore leaves nothing in the target's logs. Resolving the target's hostnames or browsing its public website does touch target-controlled systems, but blends in with ordinary user traffic, and some methodologies label that semi-passive. The practical test is whether the target could attribute a log entry to you.

2. b) Exploitation. The OSINT cycle consists of Planning/Direction, Collection, Processing, Analysis, Dissemination, and Feedback. Exploitation is a penetration testing phase, not an intelligence cycle phase.

3. b) Google Workspace for email and SendGrid for transactional email. An SPF record lists the sources authorized to send mail for the domain, so each include: names a provider the organization relays through. include:_spf.google.com almost always means Google Workspace mailboxes, and include:sendgrid.net means SendGrid for transactional or marketing mail. The trailing ~all is worth noting too: it is a softfail, so mail from unlisted senders is usually accepted and only marked, which matters when you assess how easily the domain can be spoofed for phishing.
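
Reading an SPF record by hand is quick for one domain and tedious for a hundred. The parser below is an added example for this answer, not code from the page: it splits a record into its mechanisms, maps include: targets to the provider they normally indicate (the KNOWN_INCLUDES table is an assumption, kept small on purpose), reports what the terminal all qualifier means for spoofing, and counts the DNS-querying terms against the ten-lookup limit from RFC 7208.

```python
"""Parse an SPF TXT record and summarise what it reveals about a domain's
outbound mail setup. Added example for this answer, not the page's code; the
provider lookup table is an assumption kept deliberately small."""
import re
from dataclasses import dataclass, field

# Assumed mapping from include: targets to the service they normally indicate.
KNOWN_INCLUDES = {
    "_spf.google.com": "Google Workspace (Gmail) outbound mail",
    "sendgrid.net": "SendGrid transactional/marketing mail",
    "spf.protection.outlook.com": "Microsoft 365 (Exchange Online)",
    "amazonses.com": "Amazon SES",
}

# What the terminal 'all' mechanism means for a spoofing assessment.
ALL_POLICY = {
    "-": "hardfail: unlisted senders should be rejected",
    "~": "softfail: unlisted senders are usually accepted and merely marked",
    "?": "neutral: no assertion, effectively no SPF protection",
    "+": "pass: anyone may send as this domain",
}

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps them at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


@dataclass
class SpfSummary:
    includes: list = field(default_factory=list)
    ip_ranges: list = field(default_factory=list)
    other_mechanisms: list = field(default_factory=list)
    providers: dict = field(default_factory=dict)
    all_policy: str = "missing: no 'all' term, receivers treat it as neutral"
    lookups: int = 0

    @property
    def over_lookup_limit(self) -> bool:
        # More than ten lookups is a permerror; many receivers then ignore SPF entirely.
        return self.lookups > MAX_LOOKUPS


def _costs_lookup(body: str) -> bool:
    name = re.split(r"[:/=]", body, maxsplit=1)[0]
    return name in LOOKUP_TERMS


def parse_spf(record: str) -> SpfSummary:
    """Parse one SPF record string such as 'v=spf1 include:_spf.google.com ~all'."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    summary = SpfSummary()
    for term in terms[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        body = body.lower()
        if body == "all":
            summary.all_policy = ALL_POLICY[qualifier]
        elif body.startswith("include:"):
            target = body.split(":", 1)[1]
            summary.includes.append(target)
            summary.providers[target] = KNOWN_INCLUDES.get(
                target, "unknown: resolve its own SPF record to see who it is")
        elif body.startswith(("ip4:", "ip6:")):
            summary.ip_ranges.append(body.split(":", 1)[1])
        else:
            summary.other_mechanisms.append(body)
        if _costs_lookup(body):
            summary.lookups += 1
    return summary


if __name__ == "__main__":
    # The record from question 3.
    result = parse_spf("v=spf1 include:_spf.google.com include:sendgrid.net ~all")
    for target, provider in result.providers.items():
        print(f"{target:30} -> {provider}")
    print("all policy:", result.all_policy)
    print("DNS lookups:", result.lookups, "(over limit)" if result.over_lookup_limit else "")
```

Feed it the TXT record returned by a resolver for the target domain; an unknown include: target is itself a lead, since its own SPF record usually names the vendor.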

4. c) Certificate Transparency logs for certificates covering medsecure.com subdomains. The % is a wildcard, so this matches any logged certificate whose subject CN or SAN entry ends in .medsecure.com, including wildcard certificates for *.medsecure.com. It does not match the apex name medsecure.com itself, so query that separately. Because the match runs over every name in a certificate, a shared certificate can drag in unrelated hosts; filter the results to the target's domain before treating them as an inventory.

5. c) filetype: restricts Google results to specific file types (e.g., filetype:pdf).

6. b) The domain could be registered by an attacker after expiration (domain hijacking). Once a name drops, anyone can register it and then receive the organization's email, serve content under its name, or obtain certificates for it. For most gTLDs the registrar's renewal grace period and the roughly 30-day redemption period delay the drop, so the window is not literally day 16, but a name with no auto-renew and a near-term expiry is one missed invoice away from that outcome and belongs in the report.

7. b) Open ports, service banners, and software versions on internet-facing hosts. Shodan continuously scans the internet and stores the banners it receives, so it exposes the actual services and versions behind an IP range rather than web content. Its data is a snapshot from whenever the host was last scanned, so treat a version string as a lead to confirm during the active phase, not as a verified finding.

8. b) Developers often commit secrets and then try to remove them, but the original commit remains in the git history. Git preserves every historical commit, so a secret deleted in a later commit is still present in the repository's history and in every clone and fork taken before the deletion. On GitHub a commit also stays reachable by its hash after a force-push or branch deletion until support purges it. The only real remedy is to treat the secret as compromised and rotate it; rewriting history is cleanup, not containment.
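
The scanner below is an added example for this answer, not code from the page. It parses the text of git log -p --all, flags secrets on added lines, and marks the ones a later commit deleted, which is exactly the case the answer describes. The regexes and the entropy cut-off are a small assumed set; the embedded log is constructed, and the AWS values in it are Amazon's published documentation placeholders rather than real credentials.

```python
"""Scan a repository's full history, not just the checked-out files, for
leaked secrets. Added example, not the page's code: it parses `git log -p --all`
text, so a secret added in one commit and deleted in a later one is still found
and attributed to the commit that introduced it. Patterns are assumed."""
import math
import re
import subprocess
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, List, Tuple

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}
# Generic catch for things like AWS secret keys: a long quoted token with high entropy.
QUOTED_TOKEN = re.compile(r"[\"']([A-Za-z0-9/+=_-]{32,})[\"']")
ENTROPY_THRESHOLD = 4.0  # bits per character (assumed cut-off)


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


@dataclass
class Finding:
    commit: str
    path: str
    kind: str
    secret: str
    removed_later: bool = False  # deleted in a later commit, but still in history


def _matches(text: str) -> Iterator[Tuple[str, str]]:
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            yield kind, m.group(0)
    for m in QUOTED_TOKEN.finditer(text):
        if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            yield "high_entropy_string", m.group(1)


def scan_git_log(log_text: str) -> List[Finding]:
    """Walk `git log -p` output: secrets on '+' lines are findings; secrets on
    '-' lines show a later removal, which does not purge them from history."""
    findings: List[Finding] = []
    removed = set()
    commit = path = "?"
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]
        elif line.startswith("+") and not line.startswith("+++"):
            for kind, secret in _matches(line[1:]):
                findings.append(Finding(commit, path, kind, secret))
        elif line.startswith("-") and not line.startswith("---"):
            removed.update(secret for _, secret in _matches(line[1:]))
    for f in findings:
        f.removed_later = f.secret in removed
    return findings


def scan_repository(repo_path: str) -> List[Finding]:
    """Scan every ref of a local clone (needs git on PATH)."""
    log = subprocess.run(["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
                         capture_output=True, text=True, check=True).stdout
    return scan_git_log(log)


# CONSTRUCTED `git log -p --all --reverse` excerpt; the AWS values are Amazon's
# documentation placeholders, not live credentials.
SAMPLE_GIT_LOG = """commit 7f3a9c1e4b2d8f60a5c3e7b9d1f2a4c6e8b0d2f4
Author: Dev <dev@example.com>

    add deploy script

diff --git a/deploy/config.py b/deploy/config.py
--- /dev/null
+++ b/deploy/config.py
@@ -0,0 +1,3 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+REGION = "us-east-1"

commit 9b1d3e5f7a2c4e6081b3d5f7a9c1e3f5b7d9a1c3
Author: Dev <dev@example.com>

    remove hardcoded creds

diff --git a/deploy/config.py b/deploy/config.py
--- a/deploy/config.py
+++ b/deploy/config.py
@@ -1,3 +1,3 @@
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
 REGION = "us-east-1"
"""

if __name__ == "__main__":
    for f in scan_git_log(SAMPLE_GIT_LOG):
        print(f"{f.commit[:10]} {f.path} {f.kind}: {f.secret} removed_later={f.removed_later}")
```

A scan of the working tree alone would see only the os.environ lines and report nothing; the history scan attributes both secrets to the first commit and marks them as removed later, which is the finding to report. Note that --all covers every ref in the clone but not commits that are only reachable from a fork or from an orphaned force-pushed branch.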

9. b) Author names, software versions, internal file paths, and creation dates. Office and PDF files carry these in their document properties, and images carry EXIF data (camera model, sometimes GPS coordinates). Together they leak usernames and their format, the software and versions in use, internal directory and server names, and a timeline of activity, all from files the organization published deliberately.

10. c) Transform. In Maltego, transforms are automated queries that take one entity type as input and produce related entities as output.

11. False. Passive reconnaissance uses only publicly available information and does not interact with the target's systems, so the rationale given in the statement is wrong. Best practice is still to have authorization documented for all reconnaissance performed as part of a penetration test, and public does not mean unregulated: terms of service, data-protection law and the engagement's rules of engagement still govern what you collect and retain.

12. True. A successful zone transfer (AXFR) returns every record in that zone, which amounts to a complete inventory of the hostnames configured in it (delegated child zones are separate transfers). Two caveats: AXFR is a query sent to the target's own authoritative nameserver, so it is active rather than passive reconnaissance, and correctly configured servers refuse it to anyone but their secondaries, so a transfer that succeeds is itself a misconfiguration finding.

13. False. WHOIS privacy services obscure the current registration data, but historical WHOIS records from before privacy was enabled, organization details in TLS certificates, and cross-referencing artifacts reused across the registrant's other domains (nameservers, analytics IDs, mail servers) can often still identify the registrant.

14. False. CT logs are append-only: every certificate or pre-certificate that was ever logged stays there, expired and revoked ones included. That history is what makes them useful for discovering subdomains that have been decommissioned, or that still resolve and answer but no longer receive a certificate.
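
The parser below is an added example for answers 4 and 14, not crt.sh code. It takes the JSON that crt.sh returns for a wildcard query (the output=json form of the %.medsecure.com search), filters out names outside the target domain, and separates hostnames that still carry a valid certificate from those seen only on expired ones. The records embedded in it are constructed in crt.sh's JSON shape and are not real certificates.

```python
"""Turn crt.sh JSON output for a wildcard query (%.medsecure.com) into a
subdomain inventory, separating names that still carry a valid certificate
from names seen only on expired ones. Added example for answers 4 and 14, not
crt.sh code. The records below are CONSTRUCTED in crt.sh's JSON shape."""
import json
from datetime import datetime
from typing import Optional, Union

# crt.sh (https://crt.sh/?q=%25.medsecure.com&output=json) returns one object
# per logged certificate; name_value holds the SAN names separated by newlines.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.medsecure.com",
     "name_value": "www.medsecure.com\nmedsecure.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-10T00:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.medsecure.com",
     "name_value": "*.medsecure.com",
     "not_before": "2023-05-01T00:00:00", "not_after": "2023-07-30T00:00:00"},
    {"id": 1003, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "portal.medsecure.com",
     # A shared certificate: one SAN belongs to another tenant and must be filtered out.
     "name_value": "portal.medsecure.com\nvpn-legacy.medsecure.com\n"
                   "staging-ehr.medsecure.com\nshared.other-tenant.example",
     "not_before": "2022-02-01T00:00:00", "not_after": "2023-02-01T00:00:00"},
])


def parse_crtsh(json_text: str, apex: str,
                now: Optional[Union[datetime, str]] = None) -> dict:
    """Map each hostname under `apex` to whether any logged certificate for it
    is still valid at `now`, its latest expiry, and the issuers that signed it."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now()
    apex = apex.lower()
    inventory: dict = {}
    for cert in json.loads(json_text):
        not_after = datetime.fromisoformat(cert["not_after"])
        names = set(cert["name_value"].lower().split("\n")) | {cert["common_name"].lower()}
        for name in (n.strip() for n in names):
            # crt.sh matches on CN and SAN alike, so drop names outside the target domain.
            if name != apex and not name.endswith("." + apex):
                continue
            entry = inventory.setdefault(name, {
                "currently_valid": False, "last_expiry": not_after,
                "issuers": set(), "wildcard": name.startswith("*."),
            })
            entry["currently_valid"] = entry["currently_valid"] or not_after > now
            entry["last_expiry"] = max(entry["last_expiry"], not_after)
            entry["issuers"].add(cert["issuer_name"])
    return inventory


def expired_only(inventory: dict) -> list:
    """Hostnames seen only on expired certificates: likely decommissioned or
    forgotten systems, which may still resolve and answer."""
    return sorted(name for name, e in inventory.items() if not e["currently_valid"])


def candidate_hosts(inventory: dict) -> list:
    """Concrete names worth resolving; a wildcard entry is not itself a host."""
    return sorted(name for name, e in inventory.items() if not e["wildcard"])


if __name__ == "__main__":
    inv = parse_crtsh(SAMPLE_CRTSH_JSON, "medsecure.com", now="2024-03-01T00:00:00")
    print("hosts:", candidate_hosts(inv))
    print("expired only:", expired_only(inv))
```

The expired-only list is the interesting output: vpn-legacy and staging-ehr would never appear in a current scan of valid certificates, yet they are exactly the forgotten hosts a reviewer wants resolved and checked once the active phase is authorized.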

15. True, with a caveat. The intent is right: site: restricts results to the domain and the negation removes the noisy www host so less obvious subdomains surface. In practice Google does not formally support the * wildcard in site:, and a bare -www excludes any page containing the word "www" anywhere, not just that host. The more reliable form is site:example.com -site:www.example.com, adding a further -site: term for each subdomain as you discover it.

16. Multiple OSINT sources are important because: (1) Different sources have different data coverage — an email found in a breach database may not appear in search engine results; (2) Cross-referencing findings from multiple sources increases confidence in accuracy; (3) Some sources have exclusive data partnerships not available elsewhere; (4) Sources have different update frequencies, so recent changes may appear in one but not another; (5) Redundancy ensures that if one source is unavailable or rate-limited, alternatives exist.

17. Healthcare-specific OSINT sources: (1) CMS.gov (Centers for Medicare & Medicaid Services): hospital financial data, compliance reports, and facility information; (2) the HHS Breach Portal (the HIPAA breach notification database, which lists breaches affecting 500 or more individuals): the organization's past incidents with the breach type and the location of the breached data, which point at recurring weaknesses; (3) FDA device databases such as MAUDE adverse-event reports: device models and manufacturers that can be cross-referenced with published medical device vulnerability advisories; MAUDE generally redacts the reporting facility, so it characterizes a device class rather than confirming what a particular target runs; (4) healthcare job boards: the EHR systems, clinical applications, and IT infrastructure named in postings; (5) state health department licensing databases: facility locations, services offered, and regulatory compliance status.

18. Ethical boundaries of passive recon include: collecting only information necessary for the authorized engagement (not building comprehensive personal dossiers on employees); avoiding collection of sensitive personal information (medical records, financial data, relationship status) unless directly relevant; handling all collected data securely and destroying it according to the engagement agreement; not using personal information to harass, embarrass, or harm individuals; reporting critical findings immediately rather than waiting; and respecting the spirit of authorization even when technically operating within legal boundaries.

19. The tester should immediately report the finding to the client through the designated emergency communication channel. This is a critical finding that represents active risk: the exposed key could be used by anyone at any time, and public repositories are scraped for exactly this pattern within minutes of a push. The tester should not use the key, even to verify that it works: a harmless-looking check such as aws sts get-caller-identity is still an authenticated call against the client's account, will appear in CloudTrail, and falls outside the scope of passive reconnaissance unless the rules of engagement explicitly authorize it. Recommend immediate key rotation, since deleting the commit does not revoke the credential, and document the finding with evidence (the commit URL and screenshots) for the final report. Time is critical because the key may already have been discovered and used by others.

20. Shodan and Censys both index internet-connected devices but differ in approach: Shodan excels at service banner analysis, IoT device discovery, and industrial control system identification with a broad service/port scanning approach. Censys takes a certificate-centric approach, offering superior TLS certificate analysis and structured data about the certificate ecosystem. Prefer Shodan for general infrastructure discovery, ICS/IoT assessment, and when searching by organization name or ASN. Prefer Censys for certificate-focused investigations, when you need historical certificate data, or when the target's infrastructure is heavily cloud-based with many certificates.