Chapter 5: Reconnaissance and Intelligence Gathering

The wmap scanner is a web application scanner module for the Metasploit Framework that can scan for vulnerable web applications. The smb_login tool looks for SMB shares, not web applications. Angry IP Scanner is not integrated with Metasploit, and nmap is a port scanner, not a full web application vulnerability scanner.

Nmap's operating system identification flag is –O and it enables OS detection. –A also enables OS identification and other features. –osscan with modifiers like –limit and –guess set specific OS identification features. –os and –id are not nmap flags.

Traceroute (or tracert on Windows systems) is a command-line tool that uses ICMP to trace the route that a packet takes to a host. Whois and nslookup are domain tools, and routeview is not a command-line tool.

Zenmap is a graphical user interface for nmap that also supports graphical output, including visual maps of networks. Valerie can use Zenmap to control nmap and create the output she wants. Angry IP Scanner is a separate scanner and does not generate a visual map of networks—instead, it provides lists. Wmap is a plug-in for the Metasploit Framework and a stand-alone tool that is a web application and service vulnerability testing tool, and nmap-gs was made up for this question.

Along with the time to run the scan and time to live of packets sent, Susan will see the hostname, service ports, and operating system using the scan flags above. The -O flag attempts to identify the operating system, while the -Pn flag skips pinging and scans all hosts in the network on their typically scanned ports.

Maltego calls its server-based functions for information gathering “transforms.”

While you may not know the full list of Recon-ng plug-ins, Shodan is a well-known search engine. Laura could leverage API access to Shodan to gather information from previously performed searches. Both the import utilities will require her to have data she has already gathered, and the Whois miner can be assumed to use Whois information rather than an existing search engine dataset.

Ports 80 and 443 are commonly associated with unencrypted (port 80) and TLS encrypted (port 443) web servers. There is not enough information to determine if this might be a Windows or Linux system, and these are not typical ports for a database server.

The time to live (TTL) provided as part of responses is used to evaluate the number of hops in a network, and thus to derive a best guess at network topology. While IP addresses can sometimes be related to network topology, they're less likely to be directly associated with it. Hostnames and port numbers have no correlation to topology.

The -Pn, or “no ping”, flag skips host discovery and performs a port scan. The -sn flag skips the port scan after discovery, sL lists hosts by performing DNS lookups, and -PS performs probes using a TCP SYN.