rusia:aprendiendo-nmap-kremlin

Nmap ships with 599 NSE scripts (the count on this installation), and they are organized into categories

puton@kremlin:$ ls -1 /usr/share/nmap/scripts/ | wc -l
599
puton@kremlin:$ 

To check whether there is a script related to a particular server software, we can run

puton@kremlin:$ ls -1 /usr/share/nmap/scripts/ | grep apache
http-apache-negotiation.nse
http-apache-server-status.nse
puton@kremlin:$ ls -1 /usr/share/nmap/scripts/ | grep drupal
http-drupal-enum.nse
http-drupal-enum-users.nse
puton@kremlin:$ ls -1 /usr/share/nmap/scripts/ | grep joomla
http-joomla-brute.nse
puton@kremlin:$ 

To see the details of a given script

puton@kremlin:$ nmap --script-help http-apache-negotiation.nse
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-25 02:58 CET

http-apache-negotiation
Categories: safe discovery
https://nmap.org/nsedoc/scripts/http-apache-negotiation.html
  Checks if the target http server has mod_negotiation enabled.  This
  feature can be leveraged to find hidden resources and spider a web
  site using fewer requests.

  The script works by sending requests for resources like index and home
  without specifying the extension. If mod_negotiate is enabled (default
  Apache configuration), the target would reply with content-location header
  containing target resource (such as index.html) and vary header containing
  "negotiate" depending on the configuration.

  For more information, see:
  * http://www.wisec.it/sectou.php?id=4698ebdc59d15
  * Metasploit auxiliary module
      /modules/auxiliary/scanner/http/mod_negotiation_scanner.rb
Warning: File ./scripts/ exists, but Nmap is using /usr/bin/../share/nmap/scripts/ for security and consistency reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
puton@kremlin:$ 

We can write a bash script that runs specific NSE scripts against the host, or runs every script belonging to a category

for script in vuln brute safe http-apache-negotiation; do
    echo "$script"
    sudo nmap -sV -Pn -p80 -O --script="$script" kremlin.ru
done

-sV: service and version information
-O: operating system detection
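Before pointing a whole category such as vuln or brute at a host it is worth knowing exactly which scripts it will run. The following helper is an added example, not code from the original page: it reads Nmap's script.db index (on a real system /usr/share/nmap/scripts/script.db) and lists the scripts a category selects; the five-entry index it builds in a temporary directory is a constructed, hypothetical subset.

```shell
#!/bin/sh
# Added example (not from the original page): list which NSE scripts a category
# selects by reading Nmap's script.db index, so a category such as vuln or brute
# can be reviewed before it is run. Each line of the real index has the form:
#   Entry { filename = "http-apache-negotiation.nse", categories = { "safe", "discovery", } }
# and on a real system the index is /usr/share/nmap/scripts/script.db.

# nse_in_category DB CATEGORY: print the script filenames, sorted, whose
# categories list contains CATEGORY (matched as a whole quoted name, so that
# "vuln" is found only where the category is exactly "vuln").
nse_in_category() {
    db="$1"
    category="$2"
    grep -E "categories = [{][^}]*\"$category\"" "$db" \
        | sed -E 's/.*filename = "([^"]+)".*/\1/' \
        | sort
}

# nse_count DB CATEGORY: number of scripts in CATEGORY.
nse_count() {
    nse_in_category "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample index: a hypothetical five-entry subset, written to a
# temporary directory; prints the path of the file it created.
make_sample_db() {
    dir="$(mktemp -d)"
    cat > "$dir/script.db" <<'EOF'
Entry { filename = "http-apache-negotiation.nse", categories = { "safe", "discovery", } }
Entry { filename = "http-drupal-enum.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "http-joomla-brute.nse", categories = { "intrusive", "brute", } }
Entry { filename = "broadcast-avahi-dos.nse", categories = { "broadcast", "dos", "intrusive", "vuln", } }
Entry { filename = "dns-brute.nse", categories = { "intrusive", "discovery", } }
EOF
    printf '%s\n' "$dir/script.db"
}

# Demo: what --script=vuln, --script=safe and --script=brute would each select.
db="$(make_sample_db)"
for c in vuln safe brute; do
    echo "== $c ($(nse_count "$db" "$c") scripts)"
    nse_in_category "$db" "$c"
done
```

Note that a script can belong to several categories at once (broadcast-avahi-dos is in vuln, dos and intrusive), which is why reviewing the list matters before running a category.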

puton@kremlin:$ sudo nmap -sV -p80 -O kremlin.ru
[sudo] contraseña para puton:            
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 01:11 CET
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 5.25 seconds

By default nmap pings the host to find out whether it is up before starting the scan. Since kremlin.ru blocks pings, nmap assumes the host is down, but we know it is not, because the website is working. To tell nmap to assume the host is up and proceed, use the -Pn option.

puton@kremlin:$ sudo nmap -sV -Pn -p80 -O kremlin.ru
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 01:14 CET
Nmap scan report for kremlin.ru (95.173.136.71)
Host is up (0.086s latency).
Other addresses for kremlin.ru (not scanned): 95.173.136.70 95.173.136.72

PORT   STATE SERVICE VERSION
80/tcp open  http?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|WAP|phone
Running: iPXE 1.X, Linux 2.4.X|2.6.X, Sony Ericsson embedded
OS CPE: cpe:/o:ipxe:ipxe:1.0.0%2b cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz
OS details: iPXE 1.0.0+, Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.64 seconds
puton@kremlin:$

vuln: vulnerability checks

puton@kremlin:$ sudo nmap -Pn --script=vuln kremlin.ru
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 01:32 CET
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for kremlin.ru (95.173.136.72)
Host is up.
Other addresses for kremlin.ru (not scanned): 95.173.136.70 95.173.136.71

avahi service identified, but not vulnerable (broadcast-avahi-dos is a broadcast pre-scan script, so what it found is on the local network segment, not on kremlin.ru)


puton@kremlin:$ sudo nmap -Pn --script=exploit kremlin.ru
[sudo] contraseña para puton:            
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 01:48 CET
Nmap scan report for kremlin.ru (95.173.136.72)
Host is up.
Other addresses for kremlin.ru (not scanned): 95.173.136.70 95.173.136.71
All 1000 scanned ports on kremlin.ru (95.173.136.72) are filtered

Nmap done: 1 IP address (1 host up) scanned in 207.41 seconds
puton@kremlin:$ 

All 1000 scanned ports on kremlin.ru (95.173.136.72) are filtered

Nmap done: 1 IP address (1 host up) scanned in 243.00 seconds

We get nothing
puton@kremlin:$ 

puton@kremlin:$ sudo nmap -Pn -sV --script=version kremlin.ru
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 01:54 CET
Nmap scan report for kremlin.ru (95.173.136.71)
Host is up.
Other addresses for kremlin.ru (not scanned): 95.173.136.70 95.173.136.72
All 1000 scanned ports on kremlin.ru (95.173.136.71) are filtered

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 208.07 seconds
puton@kremlin:$ 

Nothing here either

puton@kremlin:$ sudo nmap -Pn -sV --script=discovery kremlin.ru
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 02:01 CET
too short
Pre-scan script results:
| ipv6-multicast-mld-list: 
|   fe80::e8d4:9fff:fefd:c085: 
|     device: wlp9s0
|     mac: ea:d4:9f:fd:c0:85
|     multicast_ips: 
|       ff02::1:fffd:c085         (NDP Solicited-node)
|       ff05::2                   (unknown)
|       ff02::2                   (All Routers Address)
|_      ff02::1:ff00:0            (Solicited-Node Address)
| targets-asn: 
|_  targets-asn.asn is a mandatory parameter
| targets-ipv6-multicast-echo: 
|   IP: fe80::e8d4:9fff:fefd:c085  MAC: ea:d4:9f:fd:c0:85  IFACE: wlp9s0
|_  Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-invalid-dst: 
|   IP: fe80::e8d4:9fff:fefd:c085  MAC: ea:d4:9f:fd:c0:85  IFACE: wlp9s0
|_  Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-mld: 
|   IP: fe80::e8d4:9fff:fefd:c085  MAC: ea:d4:9f:fd:c0:85  IFACE: wlp9s0
| 
|_  Use --script-args=newtargets to add the results as targets
Nmap scan report for kremlin.ru (95.173.136.72)
Host is up.
Other addresses for kremlin.ru (not scanned): 95.173.136.70 95.173.136.71
All 1000 scanned ports on kremlin.ru (95.173.136.72) are filtered

Host script results:
|_asn-query: No Answers
| dns-brute: 
|   DNS Brute-force hostnames: 
|     news.kremlin.ru - 95.173.136.80
|     ns.kremlin.ru - 194.226.127.34
|     en.kremlin.ru - 95.173.136.70
|     en.kremlin.ru - 95.173.136.71
|     en.kremlin.ru - 95.173.136.72
|     blog.kremlin.ru - 95.173.136.80
|     www.kremlin.ru - 95.173.136.70
|     www.kremlin.ru - 95.173.136.71
|_    www.kremlin.ru - 95.173.136.72
|_fcrdns: FAIL (No PTR record)
| hostmap-crtsh: 
|   subdomains: 
|     *.kremlin.ru\nkremlin.ru
|_    admin.accred.kremlin.ru
|_hostmap-robtex: ERROR: Script execution failed (use -d to debug)
| ip-geolocation-geoplugin: 
|_95.173.136.72 (kremlin.ru)
| resolveall: 
|   Host 'kremlin.ru' also resolves to:
|     95.173.136.70
|     95.173.136.71
|   Use the 'newtargets' script-arg to add the results as targets
|_  Use the --resolve-all option to scan all resolved addresses without using this script.
| whois-domain: 
| 
| Domain name record found at whois.tcinet.ru
| % TCI Whois Service. Terms of use:
| % https://tcinet.ru/documents/whois_ru_rf.pdf (in Russian)
| % https://tcinet.ru/documents/whois_su.pdf (in Russian)
| 
| domain:        KREMLIN.RU
| nserver:       acl.dns.ripn.net.
| nserver:       bcl.dns.ripn.net.
| nserver:       ccl.dns.ripn.net.
| nserver:       ns2.gov.ru.
| nserver:       ns.gov.ru.
| state:         REGISTERED, DELEGATED, VERIFIED
| org:           Special Communications and Information Service of the Federal Guard Service of the Russian Federation (Spetssvyaz FSO RF)
| taxpayer-id:   7702358248
| registrar:     CC-RU
| admin-contact: http://www.cctld.ru
| created:       1998-07-22T12:02:55Z
| paid-till:     2025-07-31T21:00:00Z
| free-date:     2025-09-01
| source:        TCI
| 
| Last updated on 2025-01-23T01:03:01Z
|_
|_whois-ip: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 231.28 seconds

Interpretation of the results:

Primary IP detected: 95.173.136.72, plus the two secondary ones, 95.173.136.70 and 95.173.136.71.

All 1000 scanned ports are marked as filtered; a firewall is probably blocking the traffic.

IPv6 multicast-related addresses detected (reported by the ipv6-multicast-mld-list pre-scan script for the scanning machine's own wlp9s0 interface, not for the target):
Link-local address: fe80::e8d4:9fff:fefd:c085

The following subdomains associated with kremlin.ru were detected:
news.kremlin.ru - 95.173.136.80
ns.kremlin.ru - 194.226.127.34
en.kremlin.ru - 95.173.136.70
en.kremlin.ru - 95.173.136.71
en.kremlin.ru - 95.173.136.72
blog.kremlin.ru - 95.173.136.80
www.kremlin.ru - 95.173.136.70
www.kremlin.ru - 95.173.136.71
www.kremlin.ru - 95.173.136.72

Domain WHOIS
General information:
Registered by: Special Communications and Information Service of the Federal Guard Service of the Russian Federation (Spetssvyaz FSO RF).
Creation date: 1998-07-22.
Registration expiry: 2025-07-31.

DNS servers for kremlin.ru
acl.dns.ripn.net.
bcl.dns.ripn.net.
ccl.dns.ripn.net.
ns2.gov.ru.
ns.gov.ru.

Scripts used:
dns-brute: brute-forced hostnames to find subdomains associated with the domain
whois-domain: provides the domain registration details
whois-ip: failed to obtain information specific to the IP (the primary one, 95.173.136.72), such as its geographic location and the corresponding regional registry (RIR: ARIN, RIPE, APNIC, LACNIC or AFRINIC)

sudo nmap -Pn -sV --script=external kremlin.ru
[sudo] contraseña para puton:            
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 02:39 CET
Pre-scan script results:
| targets-asn: 
|_  targets-asn.asn is a mandatory parameter
Nmap scan report for kremlin.ru (95.173.136.71)
Host is up.
Other addresses for kremlin.ru (not scanned): 95.173.136.72 95.173.136.70
All 1000 scanned ports on kremlin.ru (95.173.136.71) are filtered

Host script results:
|_asn-query: No Answers
| dns-blacklist: 
|   SPAM
|_    l2.apews.org - FAIL
| hostmap-crtsh: 
|   subdomains: 
|     *.kremlin.ru\nkremlin.ru
|_    admin.accred.kremlin.ru
|_hostmap-robtex: ERROR: Script execution failed (use -d to debug)
| ip-geolocation-geoplugin: 
|_95.173.136.71 (kremlin.ru)
|_tor-consensus-checker: ERROR: Script execution failed (use -d to debug)
| whois-domain: 
| 
| Domain name record found at whois.tcinet.ru
| % TCI Whois Service. Terms of use:
| % https://tcinet.ru/documents/whois_ru_rf.pdf (in Russian)
| % https://tcinet.ru/documents/whois_su.pdf (in Russian)
| 
| domain:        KREMLIN.RU
| nserver:       acl.dns.ripn.net.
| nserver:       bcl.dns.ripn.net.
| nserver:       ccl.dns.ripn.net.
| nserver:       ns2.gov.ru.
| nserver:       ns.gov.ru.
| state:         REGISTERED, DELEGATED, VERIFIED
| org:           Special Communications and Information Service of the Federal Guard Service of the Russian Federation (Spetssvyaz FSO RF)
| taxpayer-id:   7702358248
| registrar:     CC-RU
| admin-contact: http://www.cctld.ru
| created:       1998-07-22T12:02:55Z
| paid-till:     2025-07-31T21:00:00Z
| free-date:     2025-09-01
| source:        TCI
| 
| Last updated on 2025-01-23T01:43:01Z
|_
|_whois-ip: ERROR: Script execution failed (use -d to debug)

Post-scan script results:
|_ip-geolocation-map-bing: Need to specify an API key, get one at https://www.bingmapsportal.com/.
|_ip-geolocation-map-google: Need to specify an API key, get one at https://developers.google.com/maps/documentation/static-maps/.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 219.62 seconds

The only additional thing extracted here is the subdomain admin.accred.kremlin.ru

Scanning without touching local or intermediate networks, only the target (--exclude removes those private ranges from the set of targets)

puton@kremlin:$ sudo nmap -Pn --script=brute --exclude 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 95.173.136.72
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-23 03:46 CET
Nmap scan report for 95.173.136.72
Host is up.
All 1000 scanned ports on 95.173.136.72 are filtered

Nmap done: 1 IP address (1 host up) scanned in 202.38 seconds

In this case it found nothing
rusia/aprendiendo-nmap-kremlin.txt · Last modified: 2025/01/25 04:05 by anonimo