Chapter 42 Quiz: Advanced OSINT & Attack Surface Mapping

Test your knowledge of passive and active reconnaissance, OSINT tools and concepts, certificate transparency, DNS enumeration, and MITRE ATT&CK Reconnaissance techniques.


Questions

1. An analyst discovers a target organization's internal hostnames by querying Certificate Transparency (CT) logs. Which type of reconnaissance does this represent?

  • A) Active reconnaissance, because the analyst interacted with the target's infrastructure
  • B) Passive reconnaissance, because CT logs are publicly accessible third-party records
  • C) Semi-active reconnaissance, because certificates were issued by a third party
  • D) Social engineering, because the analyst obtained information the organization did not intend to share
Answer

B — Passive reconnaissance, because CT logs are publicly accessible third-party records

Certificate Transparency logs, searchable through services such as crt.sh and Censys, are publicly maintained records of the SSL/TLS certificates issued by Certificate Authorities. Querying these logs sends no traffic to the target organization's infrastructure, which makes this a passive reconnaissance technique. CT logs frequently expose internal hostnames, subdomain structures, and organizational hierarchy that were never intended to be public.


2. During attack surface mapping, a red team operator uses DNS zone transfer requests (AXFR) against the target's authoritative name servers. What category of reconnaissance is this, and why?

  • A) Passive reconnaissance — DNS is a public protocol
  • B) Active reconnaissance — it directly queries the target's infrastructure and may be logged
  • C) Passive reconnaissance — zone transfers are standard DNS operations
  • D) OSINT collection — DNS records are open-source information
Answer

B — Active reconnaissance — it directly queries the target's infrastructure and may be logged

DNS zone transfer (AXFR) requests are sent directly to the target's name servers and request a complete copy of the DNS zone. This is active reconnaissance because it involves direct interaction with target infrastructure, can be detected and logged, and may be blocked by properly configured DNS servers. Successful zone transfers reveal the complete DNS record inventory.


3. Which MITRE ATT&CK technique ID corresponds to "Gather Victim Network Information" during the Reconnaissance tactic?

  • A) T1590
  • B) T1595
  • C) T1592
  • D) T1589
Answer

A — T1590

T1590 (Gather Victim Network Information) covers adversary activities to collect network configuration details such as IP ranges, domain names, network topology, and DNS records. T1589 covers Gather Victim Identity Information, T1592 covers Gather Victim Host Information, and T1595 covers Active Scanning. These all fall under the Reconnaissance tactic (TA0043).


4. An OSINT analyst uses Google dorking with the query site:target.com filetype:pdf "confidential". What is the primary risk this technique identifies?

  • A) SQL injection vulnerabilities in the target's web application
  • B) Sensitive documents unintentionally indexed by search engines and publicly accessible
  • C) Misconfigured DNS records exposing internal infrastructure
  • D) Weak TLS configurations on the target's web servers
Answer

B — Sensitive documents unintentionally indexed by search engines and publicly accessible

Google dorking leverages advanced search operators to find information indexed by search engines that organizations may not realize is publicly accessible. The query searches for PDF files on the target domain containing the word "confidential," which could reveal policy documents, financial reports, or internal communications. This is a passive OSINT technique since it queries Google, not the target directly.


5. During subdomain enumeration, an analyst discovers that several subdomains (e.g., staging.target.com, dev-api.target.com) resolve to IP addresses but return no HTTP content. What attack surface risk do these represent?

  • A) No risk — inactive subdomains cannot be exploited
  • B) Subdomain takeover risk if the subdomains point to decommissioned cloud resources or dangling DNS records
  • C) DNS poisoning vulnerability due to missing DNSSEC
  • D) Certificate pinning bypass opportunity
Answer

B — Subdomain takeover risk if the subdomains point to decommissioned cloud resources or dangling DNS records

Dangling DNS records — subdomains pointing to decommissioned cloud services (S3 buckets, Azure web apps, Heroku instances) — create subdomain takeover vulnerabilities. An attacker can claim the unclaimed cloud resource and serve malicious content under the target's legitimate domain, enabling phishing, cookie theft, and reputation damage. This is a critical finding in attack surface assessments.


6. Which OSINT data source would most effectively reveal the technology stack and frameworks used by a target organization's web application?

  • A) WHOIS registration records
  • B) HTTP response headers, JavaScript library references, and Wappalyzer-style fingerprinting
  • C) BGP routing tables
  • D) Certificate Transparency logs
Answer

B — HTTP response headers, JavaScript library references, and Wappalyzer-style fingerprinting

Technology stack fingerprinting examines HTTP headers (X-Powered-By, Server), JavaScript libraries loaded in pages, HTML meta tags, cookie naming conventions, and URL structures. Tools such as Wappalyzer, BuiltWith, and WhatWeb automate this analysis. The result reveals frameworks, CMS platforms, and server software that can be mapped to known vulnerabilities.


7. An analyst is mapping an organization's external attack surface and discovers that the company's MX records point to a third-party email provider. What additional OSINT value can be derived from this finding?

  • A) The organization's internal Active Directory structure
  • B) The email security posture (SPF, DKIM, DMARC records) and potential phishing attack surface
  • C) The organization's firewall rule set
  • D) Employee password policies
Answer

B — The email security posture (SPF, DKIM, DMARC records) and potential phishing attack surface

MX record analysis leads to examining SPF, DKIM, and DMARC DNS records that define the organization's email authentication posture. Weak or missing email authentication records (e.g., DMARC set to p=none, overly broad SPF includes) indicate susceptibility to email spoofing and phishing. This is critical intelligence for social engineering attack planning in red team engagements.


8. Which passive reconnaissance technique can reveal an organization's IP address ranges, ASN assignments, and peering relationships without sending any traffic to the target?

  • A) Port scanning with Nmap
  • B) BGP and ASN lookups using ARIN/RIPE databases and tools like BGPView
  • C) Traceroute to the target's web servers
  • D) Banner grabbing against exposed services
Answer

B — BGP and ASN lookups using ARIN/RIPE databases and tools like BGPView

Regional Internet Registries (ARIN, RIPE, APNIC) maintain publicly queryable databases of IP allocations, ASN assignments, and organizational ownership. Tools like BGPView, Hurricane Electric BGP Toolkit, and RIPE Stat allow analysts to map an organization's entire IP footprint, peering relationships, and hosting providers without sending any traffic to the target — a purely passive technique.


9. An OSINT analyst discovers that target employees have posted screenshots on social media that reveal internal application interfaces, internal IP addresses, and software version numbers. Under MITRE ATT&CK, which reconnaissance sub-technique does this map to?

  • A) T1593.001 — Search Open Websites/Domains: Social Media
  • B) T1595.002 — Active Scanning: Vulnerability Scanning
  • C) T1590.004 — Gather Victim Network Information: Network Topology
  • D) T1591.004 — Gather Victim Org Information: Identify Roles
Answer

A — T1593.001 — Search Open Websites/Domains: Social Media

T1593.001 covers adversary use of social media platforms to gather information about the target organization. Employee social media posts inadvertently disclosing internal systems, software versions, network configurations, or organizational details represent a significant OSINT risk. This is passive reconnaissance since the information is voluntarily published on third-party platforms.


10. During attack surface mapping, an analyst discovers that the target organization has numerous forgotten API endpoints exposed on various subdomains. What is the security term for these unmanaged, undocumented interfaces?

  • A) Zero-day vulnerabilities
  • B) Shadow IT APIs or zombie APIs
  • C) Honeypot endpoints
  • D) API gateway misconfigurations
Answer

B — Shadow IT APIs or zombie APIs

Shadow IT APIs (also called zombie APIs or rogue APIs) are endpoints that exist in production but are not documented, monitored, or maintained by the organization's security team. They often lack authentication, rate limiting, and input validation, making them attractive targets. Attack surface management programs specifically aim to discover and remediate these forgotten interfaces.


11. Which DNS record type is most valuable for identifying third-party services and SaaS platforms used by a target organization?

  • A) A records
  • B) CNAME records pointing to external service providers
  • C) SOA records
  • D) PTR records
Answer

B — CNAME records pointing to external service providers

CNAME records create aliases that often point to external service providers (e.g., target.com CNAME to target.zendesk.com, target.s3.amazonaws.com). Enumerating CNAME records reveals the organization's third-party service ecosystem, cloud hosting providers, CDN usage, and SaaS platforms — all of which expand the attack surface and may be vulnerable to subdomain takeover.


12. An organization's job postings on LinkedIn mention specific technologies: "Experience with Splunk Enterprise, CrowdStrike Falcon, and Palo Alto Cortex XDR required." How should a red team classify and use this information?

  • A) Irrelevant — job postings do not provide actionable intelligence
  • B) As OSINT revealing the defensive technology stack, enabling the red team to tailor evasion techniques to bypass those specific security controls
  • C) As evidence of the organization's budget for security tools
  • D) As confirmation that the organization has a mature security program and should not be tested
Answer

B — As OSINT revealing the defensive technology stack, enabling the red team to tailor evasion techniques to bypass those specific security controls

Job postings are a rich OSINT source that inadvertently reveals technology stacks, security tools, infrastructure platforms, and organizational structure. Knowing the exact EDR, SIEM, and firewall products allows red teams to test their payloads and C2 infrastructure against those specific solutions in a lab environment before the engagement, significantly increasing operational effectiveness.


13. What is the primary advantage of using passive DNS databases (e.g., historical DNS resolution records) compared to live DNS queries during reconnaissance?

  • A) Passive DNS provides faster query response times
  • B) Passive DNS reveals historical records including previously used IP addresses, decommissioned subdomains, and infrastructure changes over time — without alerting the target
  • C) Passive DNS provides more accurate current DNS records
  • D) Passive DNS bypasses DNSSEC validation
Answer

B — Passive DNS reveals historical records including previously used IP addresses, decommissioned subdomains, and infrastructure changes over time — without alerting the target

Passive DNS databases (e.g., Farsight DNSDB, SecurityTrails, VirusTotal) aggregate historical DNS resolution data collected from sensors worldwide. They reveal infrastructure that no longer exists in live DNS but may still be accessible, IP address changes indicating hosting migrations, and temporal patterns in infrastructure deployment — all without generating any queries to the target's DNS servers.


14. An analyst uses Shodan to search for internet-facing devices belonging to a target organization. Which of the following queries would most effectively identify exposed industrial control systems?

  • A) org:"Target Corp" port:80
  • B) org:"Target Corp" port:502,44818 product:"Modbus" OR product:"EtherNet/IP"
  • C) org:"Target Corp" http.title:"login"
  • D) org:"Target Corp" ssl.cert.subject.cn:"target.com"
Answer

B — org:"Target Corp" port:502,44818 product:"Modbus" OR product:"EtherNet/IP"

Shodan indexes internet-facing devices and their service banners. Port 502 (Modbus) and port 44818 (EtherNet/IP) are industrial control system protocols. Combining organization filters with ICS-specific ports and protocol identifiers effectively surfaces exposed SCADA/ICS devices — a critical finding since these systems should never be directly internet-accessible. Shodan queries are passive from the target's perspective since Shodan performs the scanning.


15. During an attack surface assessment, the team discovers that the target organization's GitHub repositories contain hardcoded API keys, database connection strings, and internal service URLs in historical commits. Even though the secrets have been removed from current code, why do they remain a security risk?

  • A) GitHub automatically caches all files indefinitely
  • B) Git retains full commit history, and secrets in previous commits remain accessible unless the repository history is rewritten using tools like git filter-branch or BFG Repo Cleaner
  • C) GitHub does not support secret deletion
  • D) The secrets are cached by search engines and cannot be removed
Answer

B — Git retains full commit history, and secrets in previous commits remain accessible unless the repository history is rewritten using tools like git filter-branch or BFG Repo Cleaner

Git's design preserves complete commit history. Simply deleting a secret in a new commit does not remove it from the repository — anyone with access can view previous commits containing the exposed credentials. Remediation requires rewriting git history (git filter-branch, BFG Repo Cleaner), rotating all exposed credentials, and implementing pre-commit hooks or GitHub secret scanning to prevent future exposure.


Scoring

Score Performance
14–15 Expert — Advanced OSINT and attack surface mapping concepts fully internalized
11–13 Proficient — Ready to conduct structured reconnaissance operations
8–10 Developing — Review Chapter 42 passive/active recon and OSINT tool sections
<8 Foundational — Re-read Chapter 42 before proceeding