nerdexam
GIAC

GCIH · Question #650

When would a web-based reconnaissance tool be preferred over a direct/local reconnaissance tool?

The correct answer is D. To keep traffic from the attacker's system from hitting the target network. Web-based reconnaissance tools query external databases or search engines, so no packets from the attacker ever reach the target network.

Reconnaissance, Scanning, and Enumeration

Question

When would a web-based reconnaissance tool be preferred over a direct/local reconnaissance tool?

Options

  • AWhen more comprehensive TCP port scanning is required than what is offered by local tools
  • BIn the event that the target is running third-party web applications
  • CWhen the target's employees are using a VPN to connect to the central office
  • DTo keep traffic from the attacker's system from hitting the target network

How the community answered

(19 responses)
  • A
    5% (1)
  • B
    5% (1)
  • C
    11% (2)
  • D
    79% (15)

Why each option

Web-based reconnaissance tools query external databases or search engines, so no packets from the attacker ever reach the target network.

AWhen more comprehensive TCP port scanning is required than what is offered by local tools

Local tools like nmap offer far more granular, configurable, and comprehensive TCP port scanning than any web-based reconnaissance service.

BIn the event that the target is running third-party web applications

Identifying and testing third-party web applications on a target requires direct interaction using local tools like Burp Suite or Nikto, not passive web-based lookups.

CWhen the target's employees are using a VPN to connect to the central office

A target organization's employees using a VPN affects internal traffic routing but has no bearing on which reconnaissance method an external attacker should choose.

DTo keep traffic from the attacker's system from hitting the target networkCorrect

Tools like Shodan or Censys retrieve pre-indexed information about a target from third-party databases, meaning the attacker's IP address never appears in the target's firewall logs, IDS alerts, or web server access logs. This passive approach is preferred when the attacker needs to avoid detection or attribution.

Concept tested: Passive versus active reconnaissance and traffic attribution

Source: https://csrc.nist.gov/publications/detail/sp/800-115/final

Topics

#web-based reconnaissance#OSINT#operational security#traffic obfuscation

Community Discussion

No community discussion yet for this question.

Full GCIH Practice