Chapter 8 Quiz: Active Reconnaissance

Multiple Choice Questions

1. What is the primary difference between passive and active reconnaissance?

a) Active reconnaissance is faster than passive reconnaissance
b) Active reconnaissance sends data to and interacts with the target's systems
c) Active reconnaissance uses automated tools while passive uses manual techniques
d) Active reconnaissance requires more technical skill

2. A DNS zone transfer (AXFR) is significant in reconnaissance because:

a) It encrypts all DNS traffic between the tester and the name server
b) It can return every DNS record in the zone, revealing the complete hostname inventory
c) It allows the tester to modify the target's DNS records
d) It is the only way to discover a domain's name servers

3. Which of the following tools is specifically designed for subdomain brute forcing via DNS?

a) Nikto
b) Burp Suite
c) Gobuster (DNS mode)
d) Metasploit

4. A subdomain takeover vulnerability exists when:

a) An attacker can modify the target's DNS records
b) A subdomain's CNAME points to a third-party service that the organization no longer controls
c) A subdomain uses an expired SSL certificate
d) A subdomain is accessible without HTTPS

5. You run curl -I https://target.com and see X-Powered-By: Express. What does this reveal?

a) The site uses Microsoft Exchange for email
b) The site is built on the Express.js framework running on Node.js
c) The site uses Expressive CSS framework
d) The site runs on an Express VPN server

6. What security finding is indicated by a successful request to https://target.com/.git/HEAD?

a) The site uses GitHub for version control
b) The web server's entire git repository may be downloadable, exposing source code
c) The site uses git-based authentication
d) The server runs GitLab CE

7. Which HTTP response header, if present, indicates the web application is behind a Cloudflare CDN/WAF?

a) X-Cache: HIT
b) CF-Ray: 7abc123def-IAD
c) Via: 1.1 varnish
d) X-Powered-By: Cloudflare

8. During content discovery with feroxbuster, you find that /actuator/env returns a 200 response. What technology does this indicate, and why is it significant?

a) It indicates Node.js Express and is not security-relevant
b) It indicates Spring Boot and may expose environment variables including database credentials
c) It indicates Django and reveals URL routing configuration
d) It indicates PHP and exposes phpinfo output

9. What is virtual host enumeration?

a) Scanning virtual machines for vulnerabilities
b) Discovering multiple websites hosted on the same IP address by fuzzing the HTTP Host header
c) Finding virtual private servers used by the target
d) Enumerating VMware ESXi instances on the network

10. You discover that a target website returns different responses for OPTIONS requests. What is the primary intelligence value of this?

a) It reveals the server's operating system
b) It shows which HTTP methods are allowed, potentially indicating WebDAV, PUT uploads, or debugging endpoints
c) It provides the server's SSL certificate
d) It reveals the database backend

True or False

11. DNS brute forcing sends queries directly to the target's authoritative name servers, making it an active reconnaissance technique.

12. A CNAME record pointing to medsecure.herokuapp.com that returns a "No such app" error is a confirmed subdomain takeover vulnerability.

13. WAF detection is unnecessary during active reconnaissance because WAFs do not affect subsequent testing phases.

14. Content discovery (directory brute forcing) can only find directories, not individual files.

15. Permutation scanning (using tools like altdns or dnsgen) generates subdomain candidates based on patterns found in already-discovered subdomains.

Short Answer

16. Explain why checking for exposed .git directories is one of the highest-priority checks during active web reconnaissance. What can an attacker gain from a fully exposed .git directory?

17. Describe three ways that WAF detection during active reconnaissance should influence your subsequent testing approach. Be specific about how you would adapt your techniques.

18. You are conducting active reconnaissance on a target and discover that staging-api.medsecure.com exists and runs an older version of the application than the production site. Explain why this finding is significant and what additional reconnaissance steps you would take.

19. Compare DNS brute forcing with certificate transparency log analysis for subdomain discovery. What are the strengths and weaknesses of each approach? When would you use one over the other?

20. A client has asked you to conduct a red team engagement where stealth is paramount. Describe at least four techniques you would use to minimize detection during active reconnaissance.
Answer Key

1. b) Active reconnaissance sends data to and interacts with the target's systems. This is the fundamental distinction — passive recon uses only publicly available data sources, while active recon directly probes the target.

2. b) It can return every DNS record in the zone, revealing the complete hostname inventory. A successful AXFR response includes every DNS record in the domain's zone file, effectively providing a complete map of the organization's DNS infrastructure.

3. c) Gobuster (DNS mode). Gobuster's DNS mode specifically queries DNS servers for subdomain names from a wordlist. Nikto is a web vulnerability scanner, Burp Suite is a web application proxy, and Metasploit is an exploitation framework.

4. b) A subdomain's CNAME points to a third-party service that the organization no longer controls. When the third-party service account is cancelled but the DNS CNAME record remains, an attacker can register the same service account and serve content on the target's subdomain.

5. b) The site is built on the Express.js framework running on Node.js. The X-Powered-By: Express header is a default header set by the Express.js web framework, which runs on the Node.js JavaScript runtime.

6. b) The web server's entire git repository may be downloadable, exposing source code. If .git/HEAD is accessible, tools like git-dumper can reconstruct the entire repository, including source code, configuration files, and potentially secrets in the commit history.

7. b) CF-Ray: 7abc123def-IAD. The CF-Ray header is unique to Cloudflare and includes a request ID and datacenter code (IAD = Washington Dulles).

8. b) It indicates Spring Boot and may expose environment variables including database credentials. Spring Boot Actuator endpoints like /actuator/env can reveal application configuration including database connection strings, API keys, and other sensitive environment variables.

9. b) Discovering multiple websites hosted on the same IP address by fuzzing the HTTP Host header. Virtual host enumeration exploits the fact that web servers use the Host header to determine which website to serve, allowing discovery of hidden sites on shared infrastructure.

10. b) It shows which HTTP methods are allowed, potentially indicating WebDAV, PUT uploads, or debugging endpoints. The OPTIONS response reveals supported HTTP methods, which can indicate additional attack surface like file upload capabilities or debugging interfaces.

11. True. DNS brute forcing sends resolution queries to DNS servers (either the target's authoritative servers or public resolvers that then query the target's servers), generating network traffic that interacts with the target's infrastructure.

12. True. A CNAME pointing to a Heroku app that returns "No such app" means the Heroku app name is available for registration. An attacker could register that app name and serve content on the target's subdomain.

13. False. WAF detection is essential because it directly affects testing strategy: different WAFs have different bypass techniques, WAFs may block certain scanning tools or payloads, and understanding the WAF configuration helps testers choose appropriate attack methods.

14. False. Content discovery tools can find both directories and individual files. By specifying file extensions (e.g., -x php,asp,jsp,bak), you can discover specific files including backup files, configuration files, and script files.

15. True. Permutation scanning tools like altdns and dnsgen take existing discovered subdomains as input and generate variations (e.g., from staging-api.example.com generating staging-api-v2.example.com, dev-api.example.com, etc.).

16. An exposed .git directory is high-priority because it can provide: (1) Complete source code of the application, revealing business logic and vulnerability patterns; (2) Configuration files that may contain database credentials, API keys, and internal URLs; (3) The full commit history, which may contain secrets that were committed and later "removed" but persist in git history; (4) Internal developer names and email addresses; (5) Deployment scripts revealing infrastructure details. Tools like git-dumper can reconstruct the entire repository from the exposed .git directory.

17. WAF detection should influence testing by: (1) Adjusting payload encoding and obfuscation — if Cloudflare WAF is detected, use known Cloudflare bypass techniques such as Unicode normalization or chunked transfer encoding; (2) Reducing scan speed and implementing jitter to avoid triggering WAF rate limiting rules that could block the testing IP; (3) Selecting tools and wordlists that are less likely to trigger WAF signatures — for example, using custom wordlists instead of well-known ones that WAFs may fingerprint. Additionally, searching for the target's origin IP behind the CDN could allow bypassing the WAF entirely.

18. A staging environment running an older application version is significant because: staging environments are typically less hardened than production, may have debug features enabled, may use weaker authentication, and the older version may contain known vulnerabilities patched in production. Additional recon steps: fingerprint the exact version running on staging, compare security headers between staging and production, check if staging uses the same database as production, test if staging credentials work on production, and check if staging has different WAF or access controls.

19. CT log analysis (passive) discovers subdomains with SSL certificates — high accuracy, broad coverage, but misses subdomains without certificates and HTTP-only services. DNS brute forcing (active) discovers any resolvable subdomain regardless of certificate status — catches internal services and HTTP endpoints, but is limited by wordlist quality and generates network traffic. Use CT logs first for a quiet, comprehensive baseline, then brute forcing to discover additional subdomains, especially those without certificates or using naming patterns not in CT logs.

20. Stealth techniques for red team active recon: (1) Reduce scan rate to 1-5 requests per second with random delays between requests; (2) Distribute traffic across multiple source IPs using VPN, cloud instances, or residential proxies; (3) Rotate User-Agent strings to mimic legitimate browser traffic; (4) Use DNS-over-HTTPS to prevent DNS monitoring from identifying subdomain enumeration; (5) Time reconnaissance activities during business hours when traffic is normal; (6) Interleave scanning requests with legitimate-looking browsing behavior; (7) Spread reconnaissance over days or weeks rather than hours; (8) Use indirect methods (Shodan, Censys) where possible instead of direct probing.