# 4. Reconnaissance Tasks
This chapter covers the following recipes:
- Performing IP address geolocation
- Getting information from WHOIS records
- Obtaining traceroute geolocation information
- Querying Shodan to obtain target information
- Collecting valid email accounts and IP addresses from web servers
- Discovering hostnames pointing to the same IP address
- Discovering hostnames by brute-forcing DNS records
- Matching services with public vulnerability advisories and picking the low-hanging fruit

## Performing IP address geolocation
Identifying the location of an IP address may help system administrators or threat intelligence analysts identify the origin of a network connection. Nmap ships with several NSE scripts that help us perform geolocation of a remote IP address: ip-geolocation-maxmind, ip-geolocation-ipinfodb, ip-geolocation-geoplugin, ip-geolocation-map-bing, ip-geolocation-map-google, and ip-geolocation-map-kml.
This recipe will show you how to set up and use the geolocation scripts included with NSE.

### Getting ready
- Of the scripts mentioned previously, only ip-geolocation-geoplugin does not require an API key. The ip-geolocation-maxmind script depends on a database that is not included in Nmap by default. Sign up and download Maxmind's GeoLite City database from http://dev.maxmind.com/geoip/legacy/geolite/ and place it in your local Nmap data folder (/nselib/data/). Note that the database format has changed, and it is no longer a plaintext .dat file. To use the new format (.mmdb) you must convert it using the geolite2legacy.py Python script found at https://github.com/sherpya/geolite2legacy, or download a non-official legacy database from https://www.miyuru.lk/geoiplegacy.
- The ip-geolocation-ipinfodb script requires an API key to query its external service. The service is free, and you only need to register at http://ipinfodb.com/register.php to get one. This service does not limit the number of queries, but connections are only processed from the one IP address that you register during the signup process.

### How to do it...

1. Open a terminal and enter the following command:

    ```shell
    $ nmap -sn --script ip-geolocation-* <target>
    ```

2. For example, let's locate the IP address that scanme.nmap.org resolves to:

    ```shell
    $ nmap -sn --script ip-geolocation-* scanme.nmap.org
    ```

3. The geolocation information available in the databases will be displayed for each of the targets:

<img src="../images/nmap/00_nmap.png" alt="Nmap" style = "width: 600px; height: 320px;"/>

### How it works...
- The --script ip-geolocation-* option initializes all scripts whose file name starts with the pattern ip-geolocation-. At the moment, there are three scripts available to geolocate IP addresses:
    - ip-geolocation-geoplugin
    - ip-geolocation-maxmind
    - ip-geolocation-ipinfodb
- The service providers will not return information about certain IP addresses, so it is recommended to use them all and compare the results. The information returned by these scripts includes at least the latitude and longitude coordinates and other fields such as country, state, and city when available.
- The ip-geolocation-geoplugin NSE script works by querying a free public service. Consider the number of queries you need to send and be considerate; otherwise, the provider will restrict the service as other providers have done in the past.
- It is a common misconception that IP-to-geolocation services provide a 100% accurate location of the computer or device. The location accuracy heavily depends on the database, and each service provider may have used different methods of collecting data. Keep this in mind when interpreting results from external providers.

- **Mapping geolocation markers**: 
    - The ip-geolocation-map-* scripts can be used for generating graphical representations of the markers obtained by the previous scripts. Similarly, they require API keys that are free but require signing up to get hold of. Consider using them to view and interpret results easily. After all, most of us are already familiar with Google Maps or Bing.


- **Submitting a new geolocation provider**:
    - If you know a better IP-to-geolocation provider, don't hesitate to submit your geolocation script to the official mailing list. Don't forget to document whether the script requires an external API or database. If you know an excellent service but do not have experience developing scripts, you may add your idea to the NSE script wish list located at https://secwiki.org/w/Nmap/Script_Ideas.
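The recipe advises running every provider and comparing their answers. The following is an added example, not code from the book or from Nmap itself: it parses an Nmap XML report produced with `-oX`, pulls the coordinates out of each ip-geolocation-* result and flags hosts where two providers place the address more than a chosen distance apart. The XML sample is constructed, and the parser assumes each script reports a `coordinates: lat, lon` line in its output.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sn --script ip-geolocation-* -oX -`
# output; the address, coordinates and place names are invented for illustration.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><address addr="192.0.2.10" addrtype="ipv4"/>
  <hostscript>
   <script id="ip-geolocation-geoplugin" output="coordinates: 45.5000, -122.7000&#10;location: Portland, Oregon, United States"/>
   <script id="ip-geolocation-ipinfodb" output="coordinates: 45.5200, -122.6800&#10;location: Portland, Oregon, United States"/>
   <script id="ip-geolocation-maxmind" output="coordinates: 37.7500, -97.8200&#10;location: United States"/>
  </hostscript>
 </host>
</nmaprun>"""

# Assumption: each ip-geolocation-* script prints a "coordinates: lat, lon" line when it has data.
COORD_RE = re.compile(r"coordinates:\s*(-?\d+(?:\.\d+)?)\s*,\s*(-?\d+(?:\.\d+)?)")

def parse_geolocation(xml_text):
    """Return {address: {provider: (lat, lon)}} for every ip-geolocation-* result."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for script in host.iter("script"):
            sid = script.get("id", "")
            m = COORD_RE.search(script.get("output", ""))
            if sid.startswith("ip-geolocation-") and m:  # no match: provider returned nothing
                results.setdefault(addr, {})[sid[len("ip-geolocation-"):]] = (float(m[1]), float(m[2]))
    return results

def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def provider_disagreements(fixes, max_km=100.0):
    """Pairs of providers whose fixes for one host lie more than max_km apart."""
    names = sorted(fixes)
    return [(p, q, round(haversine_km(fixes[p], fixes[q]), 1))
            for i, p in enumerate(names) for q in names[i + 1:]
            if haversine_km(fixes[p], fixes[q]) > max_km]

if __name__ == "__main__":
    for addr, fixes in parse_geolocation(SAMPLE_XML).items():
        print(addr, fixes, provider_disagreements(fixes))
```

A host that shows up in `provider_disagreements` should be treated as low-confidence rather than taking whichever provider answered first.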

## Getting information from WHOIS records
WHOIS records contain useful information, such as the registrar/organization name, creation and expiration dates, geographical location, and abuse contact information, among other potentially interesting fields. System administrators, IT staff, and other security professionals have been using WHOIS records for years now, and although there are many tools and websites available to query this information, Nmap can process IP ranges/target lists in many formats to perform this task in batch.
This recipe will show you how to retrieve the WHOIS records of an IP address or domain name with Nmap.

### How to do it...
1. Open a terminal and enter the following command:

    ```shell
    $ nmap -sn --script whois-* <target>
    ```

- Example:

    ```shell
    $ nmap -sn --script whois-* scanme.nmap.org
    ```

<img src="../images/nmap/01_nmap.png" alt="Nmap" style = "width: 600px; height: 320px;"/>

- Step 1: start XAMPP
- Step 2: start DVWA
    - target: 160.216.223.81
    - this is the instructor's target; I plugged my network cable into the shared network socket, so I will use this target for the following steps

- Step 3: run nmap
    - target: 160.216.223.81


- This command uses nmap to scan ports 139 and 455 on the target 160.216.223.121 and uses the smb-os-discovery script to detect the target's operating system.

```shell
nmap -p 139,455 --script smb-os-discovery 160.216.223.81

nmap -p137,139,445 --script smb-security-mode 160.216.223.81

nmap -p80,443 --script http-methods --script-args http-methods.test-all=true 160.216.223.81

nmap -sV --script=http-enum 160.216.223.81

nmap -p80 --script http-brute 160.216.223.81

nmap -p80 --script=http-form-brute --script-args "userdb=users.txt,passdb=pass.txt,http-form-brute.path=/dvwa/login.php" 160.216.223.81
```
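From the defender's side, the http-form-brute run against /dvwa/login.php above leaves a burst of POST requests in the web server's access log. The following is an added example, not part of the original notes: it scans constructed Apache combined-format lines and flags any source that posts to the login form more than a threshold number of times inside a sliding time window, noting whether it used the default NSE User-Agent. The addresses and timestamps are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Default User-Agent of Nmap's NSE http library (overridable with http.useragent);
# older releases use http:// in the URL, so matching on "Nmap Scripting Engine" covers both.
NSE_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def _line(ip, ts, status, ua):
    return f'{ip} - - [{ts}] "POST /dvwa/login.php HTTP/1.1" {status} 1564 "-" "{ua}"'

# Constructed Apache combined-format sample: one source firing a POST at the DVWA
# login form every 3 seconds, plus one ordinary user. Addresses are invented.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", f"10/Oct/2023:13:55:{s:02d} +0000", 200, NSE_UA) for s in range(0, 60, 3)]
    + [_line("203.0.113.5", "10/Oct/2023:13:55:40 +0000", 302, "Mozilla/5.0 (X11; Linux x86_64)"),
       '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /dvwa/index.php HTTP/1.1" 200 4212 "-" "Mozilla/5.0 (X11; Linux x86_64)"'])

def detect_form_brute(log_text, path="/dvwa/login.php", window_s=60, threshold=10):
    """Return {ip: {"posts": n, "nse_agent": bool}} for every source that POSTs to
    `path` more than `threshold` times within any `window_s`-second window."""
    events, nse_seen = defaultdict(list), defaultdict(bool)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != path:
            continue
        events[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        if "Nmap Scripting Engine" in m["ua"]:
            nse_seen[m["ip"]] = True
    hits = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                hits[ip] = {"posts": len(times), "nse_agent": nse_seen[ip]}
                break
    return hits

if __name__ == "__main__":
    for ip, info in detect_form_brute(SAMPLE_LOG).items():
        print(f"{ip}: {info['posts']} login POSTs, NSE user-agent={info['nse_agent']}")
```

The User-Agent check is only a hint, since the scanner can set http.useragent to anything; the request rate against the login path is the signal worth alerting on.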
