iran:urls-gobierno

1. Collect government URLs by searching Google for gob site:.ir
2. In the vim configuration (.vimrc), create the following alias for this command:

" Strip the leading http:// or https:// and an optional www. prefix, then any trailing slash
command! LimpiarUrls %s/^\(http[s]\{0,1\}:\/\/\)\(www\.\)\{0,1\}//e | %s/\/$//e

3. Now running Esc : LimpiarUrls in vim leaves them ready to use in the scanners

urls_gobierno_ir.txt.gz

gunzip -c urls_gobierno_ir.txt.gz 

urls_ips_ir_recon_ng.tar.gz

Same procedure as with Israel to obtain subdomains from the government URLs collected with Google using the search gov site:.ir

IPs and subdomains obtained with recon-ng from the file urls_gobierno_ir.txt

cat url_ip_ir.txt | wc -l
730

There are many; the first 10 look like this:

cat url_ip_ir.txt | sed -n '1,10p'

nmap against the most common and vulnerable ports

nmap -Pn -p 20-23,69,139,137,445,53,443,80,8080,8443 -sV --script vuln $(tar -xOzf urls_ips_ir_recon_ng.tar.gz url_ip_ir.txt | awk '{print $2}' | sort | uniq) -oN nmap_vuln_ir_pvarios.txt

open services

cat nmap_vuln_ir_pvarios.txt | grep -Ex '^[0-9]+\/.*open.*' | sed -E 's/ {2,}/ /g' | sort | uniq
443/tcp open ssl/https
443/tcp open ssl/https ArvanCloud
443/tcp open ssl/https LiteSpeed
443/tcp open ssl/tcpwrapped
443/tcp open tcpwrapped
53/tcp open tcpwrapped
8080/tcp open http-proxy ArvanCloud
80/tcp open http LiteSpeed
80/tcp open http Microsoft IIS httpd 10.0
80/tcp open http nginx (reverse proxy)
80/tcp open tcpwrapped
8443/tcp open https-alt
8443/tcp open ssl/https-alt ArvanCloud

closed services

cat nmap_vuln_ir_pvarios.txt | grep -Ex '^[0-9]+\/.*closed.*' | sed -E 's/ {2,}/ /g' | sort | uniq
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
445/tcp closed microsoft-ds
53/tcp closed domain
69/tcp closed tftp
8080/tcp closed http-proxy
80/tcp closed http
8443/tcp closed https-alt

vulnerabilities found

cat nmap_vuln_ir_pvarios.txt | sed -nE '/VULNERABLE:/{n;p}' | sort | uniq
|   Authentication bypass by HTTP verb tampering
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
|   Slowloris DOS attack

Status of each one:

cat nmap_vuln_ir_pvarios.txt | sed -nE '/VULNERABLE:/{n;n;p}' | sort | uniq
|     State: LIKELY VULNERABLE
|     State: UNKNOWN (unable to test)
|     State: VULNERABLE
|     State: VULNERABLE (Exploitable)
iran/urls-gobierno.txt · Last modified: 2025/03/27 01:48 by anonimo