Chapter 5: Reconnaissance and Intelligence Gathering

The wmap scanner is a web application scanner module for the Metasploit Framework that can scan for vulnerable web applications. The smb_login tool looks for SMB shares, not web applications. Angry IP Scanner is not integrated with Metasploit, and nmap is a port scanner, not a full web application vulnerability scanner.

Nmap's operating system identification flag is –O and it enables OS detection. –A also enables OS identification and other features. –osscan with modifiers like –limit and –guess set specific OS identification features. –os and –id are not nmap flags.

Traceroute (or tracert on Windows systems) is a command-line tool that uses ICMP to trace the route that a packet takes to a host. Whois and nslookup are domain tools, and routeview is not a command-line tool.

Zenmap is a graphical user interface for nmap that also supports graphical output, including visual maps of networks. Valerie can use Zenmap to control nmap and create the output she wants. Angry IP Scanner is a separate scanner and does not generate a visual map of networks—instead, it provides lists. Wmap is a plug-in for the Metasploit Framework and a stand-alone tool that is a web application and service vulnerability testing tool, and nmap-gs was made up for this question.

Susan runs an nmap scan using the following command: nmap -O -Pn 192.168.1.0/255

What information will she see about the hosts she scans?

Along with the time to run the scan and time to live of packets sent, Susan will see the hostname, service ports, and operating system using the scan flags above. The -O flag attempts to identify the operating system, while the -Pn flag skips pinging and scans all hosts in the network on their typically scanned ports.

Maltego calls its server-based functions for information gathering “transforms.”

While you may not know the full list of Recon-ng plug-ins, Shodan is a well-known search engine. Laura could leverage API access to Shodan to gather information from previously performed searches. Both the import utilities will require her to have data she has already gathered, and the Whois miner can be assumed to use Whois information rather than an existing search engine dataset.