Study Guide - Chapter 5: Reconnaissance and Intelligence Gathering Flashcards

1
Q

1- Megan wants to use the Metasploit Framework to conduct a web application vulnerability scan. What module from the following list is best suited to her needs?

  • smb_login
  • Angry IP
  • nmap
  • wmap
A

wmap

The wmap scanner is a web application scanner module for the Metasploit Framework that can scan for vulnerable web applications. The smb_login tool looks for SMB shares, not web applications. Angry IP Scanner is not integrated with Metasploit, and nmap is a port scanner, not a full web application vulnerability scanner.

2
Q

wmap

A

WMAP is a web application scanner module for the Metasploit Framework that can scan for vulnerable web applications.

3
Q

smb_login

A

Tool that looks for SMB shares.

4
Q

2- What flag does nmap use to enable operating system identification?

  • -os
  • -id
  • -O
  • -osscan
A

-O

Nmap’s operating system identification flag is -O, and it enables OS detection. -A also enables OS identification along with other features. The -osscan option is used with modifiers (--osscan-limit, --osscan-guess) to tune specific OS identification features. -os and -id are not nmap flags.

5
Q

4- Valerie wants to use a graphical interface to control nmap and wants to display her scans as a visual map to help her understand her target networks. What tool from the following list should she use?

  • Angry IP Scanner
  • wmap
  • Zenmap
  • nmap‐gs
A

Zenmap

Zenmap is a graphical user interface for nmap that also supports graphical output, including visual maps of networks. Valerie can use Zenmap to control nmap and create the output she wants. Angry IP Scanner is a separate scanner and does not generate a visual map of networks—instead, it provides lists. Wmap is a plug‐in for the Metasploit Framework and a stand‐alone tool that is a web application and service vulnerability testing tool, and nmap‐gs was made up for this question.

6
Q

Zenmap

A

Zenmap is a graphical user interface for nmap that also supports graphical output, including visual maps of networks.

7
Q

5- Susan runs an nmap scan using the following command:

nmap -O -Pn 192.168.1.0/255

What information will she see about the hosts she scans?

  • The hostname and service ports
  • The hostname, service ports, and operating system
  • The hostname and operating system
  • The hostname, uptime, and logged‐in user
A

The hostname, service ports, and operating system

Along with the time taken to run the scan and the time to live of the packets sent, Susan will see the hostname, service ports, and operating system using the scan flags above. The -O flag attempts to identify the operating system, while the -Pn flag skips the ping-based host discovery and scans all hosts in the network range on their typically scanned ports.

8
Q

6- Tuan wants to gather additional information about a domain that he has entered in Maltego. What functionality is used to perform server‐based actions in Maltego?

  • A worker
  • A query
  • A transform
  • A scan
A

A transform

Maltego calls its server‐based functions for information gathering “transforms.”

9
Q

7- Laura wants to conduct a search for hosts using Recon‐ng but wants to leverage a search engine with API access to acquire existing data. What module should she use?

  • recon/companies-multi/whois_miner
  • import/nmap
  • recon/domains-hosts/shodan_hostname
  • import/list

A

recon/domains-hosts/shodan_hostname

While you may not know the full list of Recon‐ng plug‐ins, Shodan is a well‐known search engine. Laura could leverage API access to Shodan to gather information from previously performed searches. Both import utilities require her to already have gathered the data, and the Whois miner can be assumed to use Whois information rather than an existing search engine dataset.

10
Q

9- What information is used to identify network segments and topology when conducting an nmap scan?

  • IP addresses
  • Hostnames
  • Time to live
  • Port numbers
A

Time to live

The time to live (TTL) provided as part of responses is used to evaluate the number of hops in a network, and thus to derive a best guess at network topology. While IP addresses can sometimes be related to network topology, they’re less likely to be directly associated with it. Hostnames and port numbers have no correlation to topology.

11
Q

10- Murali wants to scan a network using nmap and has run a scan without any flags without discovering all of the hosts that he thinks should show. What scan flag can he use to scan without performing host discovery that will also determine if services are open on the systems?

  • -sn
  • -PS
  • -Pn
  • -sL
A

-Pn

The -Pn, or “no ping,” flag skips host discovery and performs a port scan. The -sn flag skips the port scan after discovery, -sL lists hosts by performing DNS lookups, and -PS performs discovery probes using a TCP SYN.

12
Q

11- Jaime is using the Angry IP Scanner and notices that it supports multiple types of pings to identify hosts. Why might she choose to use a specific type of ping over others?

  • To bypass firewalls
  • To allow better vulnerability detection
  • To prevent the scan from being flagged by DDoS protection tools
  • To leverage the faster speed of TCP pings over UDP pings
A

To bypass firewalls

Some firewalls block ICMP ping but allow UDP or TCP pings. Jaime knows that choosing her ping protocol can help to bypass some firewalls. Angry IP Scanner is not a vulnerability scanner, and UDP pings are faster than TCP pings.

13
Q

Hue wants to perform network footprinting as part of a reconnaissance effort. Which of the following tools is best suited to passive footprinting given a domain name as the starting point for her efforts?

  • Traceroute
  • Maltego
  • Nmap
  • Angry IP Scanner
A

Maltego

Hue knows that Maltego provides transforms that can identify hosts and IP addresses related to a domain and that it can then gather additional information using other OSINT transforms. Nmap and Angry IP Scanner are both active scanning tools, and traceroute won’t provide useful footprinting information given just a domain name.

14
Q

Maltego

A

An open source intelligence (OSINT) tool that focuses on gathering open source information and connecting data points together via a graphical user interface (GUI).

Key components and functions of Maltego include:

  • Graphical User Interface (GUI): Maltego’s GUI provides a way to understand and document correlations and hierarchies. It is also used to display scans as a visual map to help understand target networks.
  • Transforms: These are actions taken by a server that provide additional data or processing about objects and entities. Maltego calls its server‐based functions for information gathering “transforms.”
  • It is useful for data mining and link analysis.

15
Q

Jack wants to scan a system using the Angry IP Scanner. What information does he need to run the scan?

  • The system’s IP address
  • The system’s Whois data
  • The system’s MAC address
  • The system administrator’s username and password
A

The system’s IP address

To conduct a port scan, all Jack needs is an IP address, hostname, or IP range.

16
Q

14- Which of the following is not a reason that security professionals often perform packet capture while conducting port and vulnerability scanning?

  • Work process documentation
  • To capture additional data for analysis
  • To prevent external attacks
  • To provide a timeline

A

To prevent external attacks

A packet capture can’t prevent external attacks, although it might capture evidence of one. Packet capture is often used to document work, including the time that a given scan or process occurred, and it can also be used to provide additional data for further analysis.

17
Q

15- What process uses information such as the way that a system’s TCP stack responds to queries, what TCP options it supports, and the initial window size it uses?

  • Service identification
  • Fuzzing
  • Application scanning
  • OS detection
A

OS detection

Operating system detection often uses TCP options support, IP ID sampling, and window size checks, as well as other indicators that create unique fingerprints for various operating systems. Service identification often leverages banners since TCP capabilities are not unique to a given service. Fuzzing is a code testing method, and application scanning is usually related to web application security.

18
Q

16- Li wants to use Recon‐ng to gather data from systems. Which of the following is not a common use for Recon‐ng?

  • Conducting vulnerability scans of services
  • Looking for sensitive files
  • Conducting OSINT gathering of Whois, DNS, and similar data
  • Finding target IP addresses
A

Conducting vulnerability scans of services

Recon‐ng is not a vulnerability scanner. It does help with OSINT activities like looking for sensitive files, conducting OSINT information gathering, and finding target IP addresses. Li knows that Recon‐ng is an OSINT‐focused tool and that vulnerability scanning is an active, rather than passive, information‐gathering effort. While Recon‐ng supports port scanning, it does not have a vulnerability scanner function.

19
Q

17- Jason wants to conduct a port scan using the Metasploit Framework. What tool can he use from the framework to do this?

  • Angry IP Scanner
  • Recon‐ng
  • Maltego
  • Nmap
A

Nmap

Nmap support is built into MSF, allowing easy port scanning by simply calling nmap as you would normally from the command line. Angry IP Scanner is not built in, and both Recon‐ng and Maltego are separate tools with OSINT and information management capabilities.

20
Q

18- Sally wants to use operating system identification using nmap to determine what OS a device is running. Which of the following is not a datapoint used by nmap to identify operating systems?

  • TCP sequences
  • TCP timestamps
  • TCP OS header
  • TCP options
A

TCP OS header

Operating system fingerprinting relies in many cases on knowing what the TCP stack for a given operating system does when it sends responses. You can read more detail about the many ways nmap tests for and filters the data at https://nmap.org/book/osdetect-methods.html#osdetect-probes. Sally knows that banners are provided at interactive logins or by services and that nmap uses network protocol data for OS detection.

21
Q

19- Chris wants to perform network‐based asset discovery. What limitation will he encounter if he relies on a port scanner to perform his discovery?

  • Port scanners cannot detect vulnerabilities.
  • Port scanners cannot determine what services are running on a given port.
  • Firewalls can prevent port scanners from detecting systems.
  • A port scanner can create a denial‐of‐service condition for many modern systems.
A

Firewalls can prevent port scanners from detecting systems.

Firewalls can block responses to port scanners, making systems essentially invisible to the scanner, so a port scanner alone is not sufficient for asset discovery in many networks. Port scanners often have some limited vulnerability detection built in, usually relying on version information or fingerprinting, but a lack of vulnerability detection does not prevent discovery. Port scanners make a best guess at the service on a port based on information the service provides. Port scanners do not typically cause problems for most modern applications and services, although they can under some circumstances. This shouldn’t stop a discovery port scan, though!

22
Q

Emily wants to gather open source intelligence and centralize it using an open source tool. Which of the following tools is best suited to managing the collection of data for her OSINT efforts?

  • The Metasploit Framework
  • Recon‐ng
  • nmap
  • Angry IP Scanner
A

Recon‐ng

Recon‐ng is a Python‐based open source framework for open source intelligence gathering and web‐based reconnaissance. The Metasploit Framework is a penetration testing and compromise tool with a multitude of other features, but it is not as well suited to information gathering as a core purpose. Nmap and the Angry IP Scanner are both port scanners.