# Practical Assignment No. 2.
## Scanning a Corporate Infrastructure
Completed by:
Third-year student
**Group БСБО-05-20**
**Safronov A.M.**
## Scan the organizations using Nmap and Nessus
**List of organizations:**
* *Mirea.tech*
* *Ptlab.ru*
### Nmap
Let's start by gathering basic information with a plain scan of these domains:
```
nmap -oN ./scan ptlab.ru
```
```
Nmap scan report for ptlab.ru (85.142.160.226)
Host is up (0.021s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
```
```
nmap -oN ./scan mirea.tech
```
```
Nmap scan report for mirea.tech (85.142.160.226)
Host is up (0.017s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
```
As we can see, both domains resolve to the same IP address.
Now let's use Google and try to find information about this address:

*Whois information*
```
% Information related to '85.142.160.0 - 85.142.161.255'
inetnum: 85.142.160.0 - 85.142.161.255
netname: MIREA-2-NET
descr: Moscow State Institute for RadioEngeeniring, Electronics and
descr: Moscow, Russia
descr: pr-t Vernadskogo, 78
country: RU
org: ORG-MIRE1-RIPE
admin-c: DM9397-RIPE
tech-c: MMSI2-RIPE
status: ASSIGNED PA
notify: noc@mirea.ru
notify: noc@runnet.ru
mnt-by: INFR-MNT
created: 2018-08-08T10:15:00Z
last-modified: 2022-11-14T09:42:40Z
organisation: ORG-MIRE1-RIPE
org-name: State Educational Institution of Higher Professional Education "Moscow State Institute of a Radio engineering, Electronics and Automatics" (MIREA)
country: RU
org-type: OTHER
address: MIREA
address: Vernadskogo 78
address: 119454
address: Moscow
address: Russian Federation
phone: +7 499 7399505
phone: +7 495 9874717
e-mail: noc@mirea.ru
admin-c: DM9397-RIPE
tech-c: MMSI2-RIPE
abuse-c: MMSI2-RIPE
notify: noc@runnet.ru
mnt-ref: INFR-MNT
mnt-ref: MIREA-MNT
mnt-by: INFR-MNT
mnt-by: MIREA-MNT
created: 2018-08-08T10:10:07Z
last-modified: 2022-12-01T16:37:18Z
role: MIREA NOC
org: ORG-MIRE1-RIPE
address: RTU MIREA
address: Vernadskogo, 78
address: 119454
address: Moscow
address: Russian Federation
phone: +7 499 7399505
phone: +7 495 9874717
e-mail: noc@mirea.ru
admin-c: DM9397-RIPE
tech-c: FL8858
nic-hdl: MMSI2-RIPE
notify: noc@mirea.ru
abuse-mailbox: noc@mirea.ru
mnt-by: MIREA-MNT
created: 2014-05-07T11:09:25Z
last-modified: 2023-02-13T08:22:20Z
source: RIPE
person: Dmitry Myakoshin
address: 78, Vernadskogo prosp.
address: 119454 Moscow
address: Russia
e-mail: myakoshin@mirea.ru
phone: +7 499 6008228
nic-hdl: DM9397-RIPE
mnt-by: MSU-MNT
mnt-by: MIREA-MNT
created: 2011-06-23T12:13:31Z
last-modified: 2022-11-02T11:52:45Z
source: RIPE
% Information related to '85.142.160.0'
route: 85.142.160.0/23
descr: Moscow State Institute for RadioEngeeniring, Electronics and
descr: Moscow, Russia
descr: pr-t Vernadskogo, 78
origin: AS28800
notify: noc@runnet.ru
mnt-by: INFR-MNT
created: 2018-08-08T17:10:38Z
last-modified: 2018-08-08T17:10:38Z
```
*Parent whois information*
```
inetnum: 85.142.0.0 - 85.143.255.255
netname: RU-NIKS-20041217
org: ORG-CR1-RIPE
country: RU
admin-c: RUN3-RIPE
tech-c: RUN3-RIPE
mnt-routes: INFR-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: INFR-MNT
status: ALLOCATED PA
created: 2004-12-17T14:35:50Z
last-modified: 2022-11-10T10:28:32Z
organisation: ORG-CR1-RIPE
org-name: Federal State Institution "Federal Scientific Research Institute for System Analysis of the Russian Academy of Sciences"
country: RU
org-type: LIR
address: Leninsky prospekt, 32a
address: 119334
address: Moscow
address: RUSSIAN FEDERATION
phone: +74959381875
fax-no: +74959528040
e-mail: lir-adm@niks.su
abuse-c: AR16874-RIPE
admin-c: AO22-RIPE
admin-c: AS10629-RIPE
admin-c: MVK17-RIPE
mnt-ref: INFR-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: INFR-MNT
created: 2004-04-17T11:57:00Z
last-modified: 2022-11-10T10:28:35Z
source: RIPE
role: NIKS NOC
remarks: Russian Federal University Network
address: Brusov per., 21-2,
address: 125009
address: Moscow
address: RUSSIAN FEDERATION
phone: +74959692617
fax-no: +74959692617
e-mail: noc@niks.su
nic-hdl: RUN3-RIPE
org: ORG-CR1-RIPE
admin-c: KEB78-RIPE
tech-c: KEB78-RIPE
tech-c: VM5808-RIPE
notify: noc@niks.su
abuse-mailbox: incident@runnet.ru
mnt-by: INFR-MNT
created: 2018-08-07T20:09:51Z
last-modified: 2022-11-10T10:33:55Z
source: RIPE
% Information related to '85.142.0.0'
route: 85.142.0.0/15
descr: RUNNet
descr: Russian Federal University Network
origin: AS3267
notify: noc@runnet.ru
mnt-by: INFR-MNT
mnt-routes: INFR-MNT
created: 2018-08-01T15:41:03Z
last-modified: 2018-08-01T15:41:03Z
```
**Let's take a closer look at the domain mirea.tech**

*Whois information*
```
Domain Name: MIREA.TECH
Registry Domain ID: D211589418-CNIC
Registrar WHOIS Server: whois.reg.ru
Registrar URL: https://www.reg.ru/
Updated Date: 2022-11-12T06:27:03.0Z
Creation Date: 2020-11-30T20:53:37.0Z
Registry Expiry Date: 2023-11-30T23:59:59.0Z
Registrar: Registrar of Domain Names REG.RU, LLC
Registrar IANA ID: 1606
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization:
Registrant State/Province: BASHKORTOSTAN
Registrant Country: RU
Registrant Phone: +79174141521
Registrant Email: sadykovildar@mail.ru
Admin Phone: +79174141521
Admin Email: sadykovildar@mail.ru
Tech Phone: +79174141521
Tech Email: sadykovildar@mail.ru
Name Server: NS1.REG.RU
Name Server: NS2.REG.RU
DNSSEC: unsigned
Billing Phone: +79174141521
Billing Email: sadykovildar@mail.ru
Registrar Abuse Contact Email: abuse@reg.ru
Registrar Abuse Contact Phone: +74955801111
```
**Now the ptlab.ru domain:**

*Whois information*
```
domain: PTLAB.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGRU-RU
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2021-03-16T15:17:11Z
paid-till: 2024-03-16T15:17:11Z
free-date: 2024-04-16
source: TCI
```
During the scan we discovered one more domain, kb4-lab.ru

*Whois information*
```
domain: KB4-LAB.RU
nserver: ns1.expired.reg.ru.
nserver: ns2.expired.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGRU-RU
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2022-03-23T16:09:43Z
paid-till: 2023-03-23T16:09:43Z
free-date: 2023-04-25
source: TCI
```
Thus we have a total of 3 domains at this IP address **(85.142.160.226)**:
* mirea.tech
* ptlab.ru
* kb4-lab.ru
---
Now let's move on to the actual scanning with **nmap**.
Let's try pinging every host in the network:
```
nmap -v -sn -T4 85.142.160.0/23
```
```
Nmap scan report for 85.142.160.0 [host down]
Nmap scan report for test.mirea.ru (85.142.160.1)
Host is up (0.017s latency).
Nmap scan report for 85.142.160.2 [host down]
...
Nmap scan report for 85.142.160.94 [host down]
Nmap scan report for 85.142.160.95 [host down]
Nmap scan report for 85.142.160.96 [host down]
Nmap scan report for 85.142.160.97 [host down]
Nmap scan report for 85.142.160.98
Host is up (0.020s latency).
Nmap scan report for 85.142.160.99
Host is up (0.024s latency).
Nmap scan report for 85.142.160.100 [host down]
Nmap scan report for 85.142.160.101 [host down]
Nmap scan report for 85.142.160.102 [host down]
Nmap scan report for 85.142.160.103 [host down]
Nmap scan report for 85.142.160.104
Host is up (0.026s latency).
Nmap scan report for 85.142.160.105
Host is up (0.029s latency).
Nmap scan report for 85.142.160.106
Host is up (0.021s latency).
Nmap scan report for 85.142.160.107 [host down]
Nmap scan report for 85.142.160.108 [host down]
Nmap scan report for 85.142.160.109 [host down]
...
Nmap scan report for 85.142.160.223 [host down]
Nmap scan report for 85.142.160.224 [host down]
Nmap scan report for 85.142.160.225 [host down]
Nmap scan report for 85.142.160.226
Host is up (0.016s latency).
Nmap scan report for 85.142.160.227 [host down]
Nmap scan report for 85.142.160.228 [host down]
Nmap scan report for 85.142.160.229 [host down]
```
We can see that several hosts are up:
1. 85.142.160.1
2. 85.142.160.98
3. 85.142.160.99
4. 85.142.160.104
5. 85.142.160.105
6. 85.142.160.106
7. 85.142.160.226
We also discovered a new domain: test.mirea.ru
**Now let's scan all the addresses**
#### nmap scan report 85.142.160.1
```
nmap -v -T4 -A -oN ./scan 85.142.160.1
```
```
Nmap scan report for test.mirea.ru (85.142.160.1)
Host is up (0.0024s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
443/tcp open ssl/http nginx
| ssl-cert: Subject: commonName=IOS-Self-Signed-Certificate-3508525419
| Issuer: commonName=IOS-Self-Signed-Certificate-3508525419
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2019-06-27T03:55:44
| Not valid after: 2020-01-01T00:00:00
| MD5: 08f923701671cdc93449cef7446cda89
|_SHA-1: d3812035b1cf640d15d72ca7c665328472508706
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_ http/1.1
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET POST
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: bridge|general purpose
Running (JUST GUESSING): Oracle Virtualbox (98%), QEMU (92%)
OS CPE: cpe:/o:oracle:virtualbox cpe:/a:qemu:qemu
Aggressive OS guesses: Oracle Virtualbox (98%), QEMU user mode network gateway (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=17 (Good luck!)
IP ID Sequence Generation: Incremental
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.24 ms 10.0.2.2
2 0.28 ms test.mirea.ru (85.142.160.1)
```
#### nmap report 85.142.160.98
```
sudo nmap -v -T4 -A -oN ./scan_map_3 85.142.160.98
```
```
Nmap scan report for 85.142.160.98
Host is up (0.0018s latency).
All 1000 scanned ports on 85.142.160.98 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 2.00 ms 10.0.2.2
2 2.06 ms 85.142.160.98
```
#### nmap report 85.142.160.99
```
sudo nmap -v -T4 -A -oN ./scan_map_3 85.142.160.99
```
```
Nmap scan report for 85.142.160.99
Host is up (0.0018s latency).
All 1000 scanned ports on 85.142.160.99 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 1.94 ms 10.0.2.2
2 1.95 ms 85.142.160.99
```
#### nmap report 85.142.160.104-106
```
sudo nmap -v -T4 -A -oN ./scan_map_3 85.142.160.104-106
```
```
Nmap scan report for 85.142.160.104
Host is up (0.0089s latency).
All 1000 scanned ports on 85.142.160.104 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 85.142.160.105
2 2.87 ms 85.142.160.104
Nmap scan report for 85.142.160.105
Host is up (0.018s latency).
All 1000 scanned ports on 85.142.160.105 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 2.59 ms 10.0.2.2
2 2.79 ms 85.142.160.105
Nmap scan report for 85.142.160.106
Host is up (0.018s latency).
All 1000 scanned ports on 85.142.160.106 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 85.142.160.105
2 2.87 ms 85.142.160.106
```
#### nmap report 85.142.160.226
```
sudo nmap 85.142.160.226 -v -A -oN ./scan_nmap
```
```
Nmap scan report for 85.142.160.226
Host is up (0.0029s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open tcpwrapped
| http-methods:
|_ Supported Methods: POST OPTIONS
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to https://85.142.160.226/
443/tcp open tcpwrapped
| ssl-cert: Subject: commonName=*.kb4-lab.ru
| Subject Alternative Name: DNS:*.kb4-lab.ru
| Issuer: commonName=R3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-03-27T20:42:43
| Not valid after: 2022-06-25T20:42:42
| MD5: 8729aa4b626476944ea3d8056ee07be9
|_SHA-1: 0e8772fd6019c3ff68cd9ef839558fc6ca994e83
| http-methods:
|_ Supported Methods: HEAD POST OPTIONS
|_http-server-header: nginx/1.14.2
| tls-alpn:
| h2
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| tls-nextprotoneg:
| h2
|_ http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: phone|WAP|switch|storage-misc
Running (JUST GUESSING): Sony Ericsson embedded (94%), Linux 2.4.X|2.6.X (92%), Huawei embedded (86%), Netgear embedded (85%)
OS CPE: cpe:/h:sonyericsson:u8i_vivaz cpe:/o:linux:linux_kernel:2.4.20 cpe:/h:huawei:quidway_s5600 cpe:/o:linux:linux_kernel:2.6.22
Aggressive OS guesses: Sony Ericsson U8i Vivaz mobile phone (94%), Tomato 1.28 (Linux 2.4.20) (92%), Huawei Quidway S5600 switch (86%), Tomato firmware (Linux 2.6.22) (85%), Netgear SC101 Storage Central NAS device (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 2.31 ms 10.0.2.2
2 2.32 ms 85.142.160.226
```
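The host list after the ping sweep and the certificate details in the `-A` reports above were both read off by hand. As an added example (not part of the original report), this parser turns the `-oN` normal output into a list of hosts that are up and a triage of the `ssl-cert` fields, flagging self-signed, SHA-1-signed and expired certificates, which covers both the self-signed IOS certificate on 85.142.160.1 and the lapsed Let's Encrypt certificate on 85.142.160.226. The sample input is constructed from the line shapes shown in the report; the comparison date defaults to the current time.

```python
import re
from datetime import datetime

# Constructed sample in nmap -oN format, modelled on the line shapes quoted in
# the report (ping-sweep headers plus ssl-cert blocks); not a real capture.
SAMPLE = """\
Nmap scan report for 85.142.160.0 [host down]
Nmap scan report for test.mirea.ru (85.142.160.1)
Host is up (0.017s latency).
| ssl-cert: Subject: commonName=IOS-Self-Signed-Certificate-3508525419
| Issuer: commonName=IOS-Self-Signed-Certificate-3508525419
| Signature Algorithm: sha1WithRSAEncryption
| Not valid after: 2020-01-01T00:00:00
Nmap scan report for 85.142.160.2 [host down]
Nmap scan report for 85.142.160.226
| ssl-cert: Subject: commonName=*.kb4-lab.ru
| Issuer: commonName=R3/organizationName=Let's Encrypt/countryName=US
| Signature Algorithm: sha256WithRSAEncryption
| Not valid after: 2022-06-25T20:42:42
"""

# Matches "... for name (ip)", "... for ip" and "... for ip [host down]".
REPORT_RE = re.compile(r"^Nmap scan report for (?:(\S+) \((\d[\d.]+)\)|(\d[\d.]+))"
                       r"(?P<down> \[host down\])?$")

def parse_nmap_normal(text, now=None):
    """Return ({ip: rdns_name_or_None} for hosts that are up, [(ip, finding), ...])."""
    now = now or datetime.now()  # pass a fixed datetime for reproducible runs
    up, findings, ip, cert = {}, [], None, {}
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            ip = m.group(2) or m.group(3)
            if not m.group("down"):
                up[ip] = m.group(1)
            continue
        if not line.startswith("|"):
            continue  # not an NSE script output line
        key, sep, value = line.lstrip("|_ ").removeprefix("ssl-cert: ").partition(": ")
        if sep:
            cert[key] = value
        if key == "Not valid after":  # last ssl-cert field we need: judge the cert
            if cert.get("Subject") == cert.get("Issuer"):
                findings.append((ip, "self-signed certificate"))
            if "sha1" in cert.get("Signature Algorithm", "").lower():
                findings.append((ip, "SHA-1 signature algorithm"))
            if datetime.fromisoformat(value) < now:
                findings.append((ip, f"certificate expired {value[:10]}"))
            cert = {}
    return up, findings
```

Feed it the contents of the `-oN` files written by the scans above (`./scan`, `./scan_map_3`, `./scan_nmap`) instead of `SAMPLE` to get the same summary for the real reports.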
---
### Nessus
Because Nessus is blocked in Russia, and even when using a VPN the activation code still could not be activated, we had to do without it.