Intelligence Gathering

The next step, intelligence gathering, is one of the most important phases in the process, because if you miss something here you might miss an entire avenue of attack. Our goal at this point is to understand what we are going to attack and determine how we might gain access to the system.

We begin with a basic nmap scan (as shown next) against our Windows XP virtual machine, and we find that port 80 is open. We use nmap’s stealth TCP scan, which is typically effective in detecting ports without triggering defenses. Most IPSs can detect port scans, but because port scans are so common, they are generally considered regular noise and are ignored as long as they’re not very aggressive.

root@bt:/# nmap -sT -P0 172.16.32.131

Starting Nmap 5.21 ( http://nmap.org ) at 2011-05-22 23:29 EDT
Nmap scan report for 172.16.32.131
Host is up (0.00071s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 17.46 seconds
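As an added example (not code from the book), the following Python parser reads nmap's normal output format shown above, recovering the host, its "Not shown" counts and the port table, so that scan results can be compared against an expected exposure list; the scan text is embedded as a constructed sample and the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the scan output shown above, embedded so the parser runs offline.
SAMPLE = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2011-05-22 23:29 EDT
Nmap scan report for 172.16.32.131
Host is up (0.00071s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 17.46 seconds
"""

# "Nmap scan report for <name> (<addr>)" when a hostname resolves, else just "<addr>".
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
# "<port>/<proto>  <state>  <service>  [version info]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

@dataclass
class HostReport:
    address: str
    up: bool = False
    not_shown: dict = field(default_factory=dict)  # e.g. {"filtered": 999}
    ports: list = field(default_factory=list)      # (port, proto, state, service)

def parse_nmap_normal(text):
    """Parse nmap's normal (-oN / stdout) output into one HostReport per host."""
    reports, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = HOST_RE.match(line)
        if m:
            current = HostReport(address=m.group(2) or m.group(1))
            reports.append(current)
            continue
        if current is None:
            continue  # banner lines before the first host block
        if line.startswith("Host is up"):
            current.up = True
        elif line.startswith("Not shown:"):
            # Handles "999 filtered ports" and "995 closed ports, 4 filtered ports".
            for count, state in re.findall(r"(\d+) (\w+) ports?", line):
                current.not_shown[state] = int(count)
        else:
            m = PORT_RE.match(line)
            if m:
                current.ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return reports

def open_ports(report):
    """Return the (port, proto) pairs nmap reported as open for one host."""
    return [(p, proto) for p, proto, state, _ in report.ports if state == "open"]
```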

We discover what appears to be a web server running on this server. This is typical when attacking Internet-facing systems, most of which will limit the ports accessible by Internet users. In this example, we find port 80, the standard HTTP port, listening. If we browse to it, we see something similar to Figure 17-1.

Figure 17-1. A web application was identified.