Chapter 19 Quiz: OSINT & Reconnaissance¶

B — Certificate Transparency logs (e.g., crt.sh)

Certificate Transparency (CT) logs are publicly append-only logs of all TLS certificates issued by participating CAs. Querying crt.sh or similar CT log aggregators reveals every certificate issued for a domain, including wildcard certs and subdomains, without any interaction with the target. This is a critical passive recon technique for attack surface mapping.

B — Behavioral / code-level overlap that supports clustering samples to the same threat actor

Shared implementation details — mutex names, encryption keys, string formatting, code structure — represent strong technical indicators for clustering malware families and attributing them to the same development team. This is a higher-confidence attribution signal than infrastructure overlap (IPs/domains change) or victimology (multiple actors may target the same sector).

B — site:target.com inurl:login OR inurl:remote-access OR intitle:"SSL VPN"

Google dorking uses advanced search operators to find specific content. site: restricts results to the target domain, inurl: matches URL path strings, and intitle: matches page titles. Combining these targets login pages and VPN portals indexed by Google — common OSINT reconnaissance to identify externally facing authentication surfaces before active scanning.

B — The analyst's corporate IP is logged by the threat actor, potentially alerting them to the investigation and burning analyst tradecraft

Directly visiting threat actor infrastructure from a corporate or personal IP reveals the investigator's identity and organization. Sophisticated threat actors monitor access logs to their C2 infrastructure. Analysts must use anonymization infrastructure (VPNs, Tor, cloud-based analysis VMs with ephemeral IPs) for all active OSINT collection against adversary-controlled resources.

B — A search engine that indexes internet-connected devices by crawling and banner-grabbing exposed services

Shodan continuously scans the internet and stores service banners (SSH versions, HTTP headers, SSL certificates, ICS/SCADA protocol responses) from every reachable port on every public IP. Analysts use it to find exposed services, identify software versions, locate specific devices (cameras, PLCs, routers), and map an organization's attack surface without directly probing the target.

B — The mail server and autodiscover service share the same IP, revealing a mail infrastructure host that may run Exchange or similar — a high-value target for credential harvesting and privilege escalation

autodiscover is a Microsoft Exchange service discovery endpoint. Co-located with the mail server, it strongly suggests on-premises Exchange — historically one of the most exploited enterprise services (ProxyLogon, ProxyShell). This DNS information narrows the attack surface to a specific high-value host and technology stack.

C — Social Networks / Professional (LinkedIn-type resources)

The OSINT Framework categorizes professional networking sites (LinkedIn, Xing, GitHub profiles) under social networks, specifically professional/business networks. These sources reveal organizational hierarchy, employee names and roles, technical skill stacks, and project history — all valuable for spear-phishing pretexts and targeting specific insiders during a social engineering campaign.

B — It is passive because it queries third-party data sources (CT logs, DNS datasets, APIs) without sending queries directly to target.com's DNS servers; limitation is it may miss recently created subdomains not yet in third-party indexes

Passive enumeration with tools like Amass queries external intelligence sources — Censys, Shodan, VirusTotal, CT logs, DNS dumpster — without generating DNS traffic that the target could log. The trade-off is temporal lag: newly created subdomains may not appear in third-party indexes for hours to days, and internal/split-horizon DNS entries are never visible passively.

B — Individual pieces of benign public data, when combined, can reveal sensitive information that none of the individual pieces would expose on their own

Data aggregation is a core privacy and security concern: a person's name is public, their employer is public, their neighborhood is public, their commute time is public — but combining these creates a detailed profile enabling physical surveillance, targeted phishing, or identity theft. This is why OSINT-based reconnaissance is so powerful and why minimizing public data exposure is important for high-risk individuals.

B — A qualitative or quantitative assessment of certainty that a specific actor is responsible, which is rarely high because adversaries deliberately use false flags, shared tooling, and attribution-obfuscating infrastructure

Attribution confidence accounts for the possibility that indicators were planted, that tools were shared or leaked (as happened with CIA tools via the Shadow Brokers), or that infrastructure was rented from bulletproof hosting used by multiple actors. Intelligence agencies use structured confidence levels (e.g., "high/medium/low" or "with high confidence") specifically to communicate uncertainty — premature high-confidence attribution has historically caused geopolitical incidents.