A cybersecurity analyst is in the initial reconnaissance phase of a penetration test for a client with a mature security posture, including a well-monitored network with sensitive intrusion detection systems (IDS). The analyst's primary goal is to gather information about the client's internet-facing assets, such as open ports and running services, without triggering any alerts that would reveal the assessment is underway. Which of the following techniques would be the most suitable for this initial, covert information-gathering stage?
Using Nmap to perform a service discovery scan
Performing ARP cache poisoning to map out the network
Sending ICMP echo requests ('ping') to enumerate live hosts
Analyzing data from Internet-wide search engines such as Shodan
Querying internet-wide scanning databases like Shodan is a form of passive reconnaissance. This method is ideal for covert information gathering because it relies on pre-existing data and does not involve sending any packets directly to the target's network, thereby avoiding detection by their intrusion detection systems. In contrast, ARP cache poisoning is an active man-in-the-middle attack, sending ICMP echo requests ('ping') is a form of active host discovery, and using Nmap for service discovery are all active techniques that generate network traffic and would likely trigger alerts on a monitored network.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Shodan and how does it work?
Open an interactive chat with Bash
What is an Intrusion Detection System (IDS), and how does it detect threats?
Open an interactive chat with Bash
Why is ARP cache poisoning or Nmap scans considered active reconnaissance?