# Lab 2. Scanning corporate infrastructure

#### Completed by: *3rd-year student, group БСБО-05-20, Egor Sergeevich Savin*

### Let's scan the organisations mirea.tech and ptlab.ru with nmap

#### mirea.tech

```
zxc@ZXcLinux:~$ nmap mirea.tech
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-06 23:56 MSK
Nmap scan report for mirea.tech (85.142.160.226)
Host is up (0.0072s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 5.10 seconds
```

#### ptlab.ru

```
zxc@ZXcLinux:~$ nmap ptlab.ru
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-07 00:00 MSK
Nmap scan report for ptlab.ru (85.142.160.226)
Host is up (0.0058s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 4.60 seconds
```

Both domains resolve to the same address, so let's look up information on the IP address 85.142.160.226.

![](https://i.imgur.com/kSbu8yN.png)
![](https://i.imgur.com/R9HZLQN.png)
![](https://i.imgur.com/U4oKchV.png)

A third domain was found on this IP: kb4-lab.ru

Let's run a lookup with the whois command:

```
zxc@ZXcLinux:~$ whois 85.142.160.226
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '85.142.160.0 - 85.142.161.255'

% Abuse contact for '85.142.160.0 - 85.142.161.255' is 'noc@mirea.ru'

inetnum:        85.142.160.0 - 85.142.161.255
netname:        MIREA-2-NET
descr:          Moscow State Institute for RadioEngeeniring, Electronics and
descr:          Moscow, Russia
descr:          pr-t Vernadskogo, 78
country:        RU
org:            ORG-MIRE1-RIPE
admin-c:        DM9397-RIPE
tech-c:         MMSI2-RIPE
status:         ASSIGNED PA
mnt-by:         INFR-MNT
created:        2018-08-08T10:15:00Z
last-modified:  2022-11-14T09:42:40Z
source:         RIPE # Filtered

organisation:   ORG-MIRE1-RIPE
org-name:       State Educational Institution of Higher Professional Education "Moscow State Institute of a Radio engineering, Electronics and Automatics" (MIREA)
country:        RU
org-type:       OTHER
address:        MIREA
address:        Vernadskogo 78
address:        119454
address:        Moscow
address:        Russian Federation
phone:          +7 499 7399505
phone:          +7 495 9874717
admin-c:        DM9397-RIPE
tech-c:         MMSI2-RIPE
abuse-c:        MMSI2-RIPE
mnt-ref:        INFR-MNT
mnt-ref:        MIREA-MNT
mnt-by:         INFR-MNT
mnt-by:         MIREA-MNT
created:        2018-08-08T10:10:07Z
last-modified:  2022-12-01T16:37:18Z
source:         RIPE # Filtered

role:           MIREA NOC
org:            ORG-MIRE1-RIPE
address:        RTU MIREA
address:        Vernadskogo, 78
address:        119454
address:        Moscow
address:        Russian Federation
phone:          +7 499 7399505
phone:          +7 495 9874717
admin-c:        DM9397-RIPE
tech-c:         FL8858
nic-hdl:        MMSI2-RIPE
abuse-mailbox:  noc@mirea.ru
mnt-by:         MIREA-MNT
created:        2014-05-07T11:09:25Z
last-modified:  2023-02-13T08:22:20Z
source:         RIPE # Filtered

person:         Dmitry Myakoshin
address:        78, Vernadskogo prosp.
address:        119454 Moscow
address:        Russia
phone:          +7 499 6008228
nic-hdl:        DM9397-RIPE
mnt-by:         MSU-MNT
mnt-by:         MIREA-MNT
created:        2011-06-23T12:13:31Z
last-modified:  2022-11-02T11:52:45Z
source:         RIPE # Filtered

% Information related to '85.142.160.0/23AS28800'

route:          85.142.160.0/23
descr:          Moscow State Institute for RadioEngeeniring, Electronics and
descr:          Moscow, Russia
descr:          pr-t Vernadskogo, 78
origin:         AS28800
mnt-by:         INFR-MNT
created:        2018-08-08T17:10:38Z
last-modified:  2018-08-08T17:10:38Z
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.106 (DEXTER)
```

The address belongs to the MIREA-2-NET block 85.142.160.0/23 (AS28800), with noc@mirea.ru as the abuse contact.

### Mirea.tech

```
zxc@ZXcLinux:~$ whois mirea.tech
Domain Name: MIREA.TECH
Registry Domain ID: D211589418-CNIC
Registrar WHOIS Server: whois.reg.ru
Registrar URL: https://www.reg.ru/
Updated Date: 2022-11-12T06:27:03.0Z
Creation Date: 2020-11-30T20:53:37.0Z
Registry Expiry Date: 2023-11-30T23:59:59.0Z
Registrar: Registrar of Domain Names REG.RU, LLC
Registrar IANA ID: 1606
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization:
Registrant State/Province: BASHKORTOSTAN
Registrant Country: RU
Registrant Phone: +7.9174141521
Registrant Email: sadykovildar@mail.ru
Admin Phone: +7.9174141521
Admin Email: sadykovildar@mail.ru
Tech Phone: +7.9174141521
Tech Email: sadykovildar@mail.ru
Name Server: NS1.REG.RU
Name Server: NS2.REG.RU
DNSSEC: unsigned
Billing Phone: +7.9174141521
Billing Email: sadykovildar@mail.ru
Registrar Abuse Contact Email: abuse@reg.ru
Registrar Abuse Contact Phone: +7.4955801111
```

### Ptlab.ru

```
zxc@ZXcLinux:~$ whois ptlab.ru
% TCI Whois Service. Terms of use:
% https://tcinet.ru/documents/whois_ru_rf.pdf (in Russian)
% https://tcinet.ru/documents/whois_su.pdf (in Russian)

domain:        PTLAB.RU
nserver:       ns1.reg.ru.
nserver:       ns2.reg.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGRU-RU
admin-contact: http://www.reg.ru/whois/admin_contact
created:       2021-03-16T15:17:11Z
paid-till:     2024-03-16T15:17:11Z
free-date:     2024-04-16
source:        TCI

Last updated on 2023-04-06T21:56:31Z
```

### kb4-lab.ru

```
zxc@ZXcLinux:~$ whois kb4-lab.ru
% TCI Whois Service. Terms of use:
% https://tcinet.ru/documents/whois_ru_rf.pdf (in Russian)
% https://tcinet.ru/documents/whois_su.pdf (in Russian)

domain:        KB4-LAB.RU
nserver:       ns1.expired.reg.ru.
nserver:       ns2.expired.reg.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGRU-RU
admin-contact: http://www.reg.ru/whois/admin_contact
created:       2022-03-23T16:09:43Z
paid-till:     2023-03-23T16:09:43Z
free-date:     2023-04-25
source:        TCI

Last updated on 2023-04-07T15:56:30Z
```

Note that the paid period for kb4-lab.ru ended on 2023-03-23, before this lookup, and its nameservers now point at ns1/ns2.expired.reg.ru.

Let's sweep the whole 85.142.160.0/23 range for live hosts with nmap:

```
zxc@ZXcLinux:~$ nmap -v -sn -T4 85.142.160.0/23
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-07 19:01 MSK
Initiating Ping Scan at 19:01
Scanning 512 hosts [2 ports/host]
Completed Ping Scan at 19:01, 11.77s elapsed (512 total hosts)
Initiating Parallel DNS resolution of 6 hosts. at 19:01
Completed Parallel DNS resolution of 6 hosts. at 19:01, 0.34s elapsed
Nmap scan report for 85.142.160.0 [host down]
Nmap scan report for test.mirea.ru (85.142.160.1)
Host is up (0.019s latency).
Nmap scan report for 85.142.160.2 [host down]
Nmap scan report for 85.142.160.3 [host down]
Nmap scan report for 85.142.160.4 [host down]
Nmap scan report for 85.142.160.5 [host down]
Nmap scan report for 85.142.160.6 [host down]
Nmap scan report for 85.142.160.7 [host down]
Nmap scan report for 85.142.160.8 [host down]
Nmap scan report for 85.142.160.9 [host down]
Nmap scan report for 85.142.160.10 [host down]
Nmap scan report for 85.142.160.11 [host down]
Nmap scan report for 85.142.160.12 [host down]
Nmap scan report for 85.142.160.13 [host down]
Nmap scan report for 85.142.160.14 [host down]
Nmap scan report for 85.142.160.15 [host down]
Nmap scan report for 85.142.160.16 [host down]
...
Nmap scan report for 85.142.161.245 [host down]
Nmap scan report for 85.142.161.246 [host down]
Nmap scan report for 85.142.161.247 [host down]
Nmap scan report for 85.142.161.248 [host down]
Nmap scan report for 85.142.161.249 [host down]
Nmap scan report for 85.142.161.250 [host down]
Nmap scan report for 85.142.161.251 [host down]
Nmap scan report for 85.142.161.252 [host down]
Nmap scan report for 85.142.161.253 [host down]
Nmap scan report for 85.142.161.254 [host down]
Nmap scan report for 85.142.161.255 [host down]
Read data files from: /usr/bin/../share/nmap
Nmap done: 512 IP addresses (6 hosts up) scanned in 12.18 seconds
```

Six hosts were found:

- 85.142.160.1 (hostname test.mirea.ru)
- 85.142.160.98
- 85.142.160.99
- 85.142.160.104
- 85.142.160.106
- 85.142.160.226

Let's look up the newly found name with whois:

### test.mirea.ru

```
zxc@ZXcLinux:~$ whois test.mirea.ru
% TCI Whois Service. Terms of use:
% https://tcinet.ru/documents/whois_ru_rf.pdf (in Russian)
% https://tcinet.ru/documents/whois_su.pdf (in Russian)

No entries found for the selected source(s).

Last updated on 2023-04-07T16:06:30Z
```

No information: the registry whois keeps records for the registered domain (mirea.ru), not for hostnames under it.
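The TCI replies above for ptlab.ru and kb4-lab.ru are the kind of data a domain-monitoring job checks on every run. The following is an added example, not part of the original report: it parses the `key: value` reply and flags a registration whose paid period has already ended at lookup time, how many days remain until the name is released for re-registration, and nameservers whose name marks the domain as expired (as seen for kb4-lab.ru). The two sample replies are constructed excerpts of the output above.

```python
import re
from datetime import datetime

# Constructed excerpts in the shape of the TCI whois replies captured above (values from the report)
WHOIS_PTLAB = """\
domain:        PTLAB.RU
nserver:       ns1.reg.ru.
nserver:       ns2.reg.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
registrar:     REGRU-RU
paid-till:     2024-03-16T15:17:11Z
free-date:     2024-04-16
source:        TCI

Last updated on 2023-04-06T21:56:31Z
"""
WHOIS_KB4 = """\
domain:        KB4-LAB.RU
nserver:       ns1.expired.reg.ru.
nserver:       ns2.expired.reg.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
registrar:     REGRU-RU
paid-till:     2023-03-23T16:09:43Z
free-date:     2023-04-25
source:        TCI

Last updated on 2023-04-07T15:56:30Z
"""

def parse_whois(text):
    """Parse 'key: value' lines into {key: [values]}; repeated keys such as nserver keep every value."""
    rec = {}
    for line in text.splitlines():
        if m := re.match(r"^Last updated on (\S+)", line):
            rec["last-updated"] = [m.group(1)]
        elif m := re.match(r"^([\w-]+):\s*(.*)$", line):
            rec.setdefault(m.group(1), []).append(m.group(2).strip())
    return rec

def registration_findings(text):
    """Registration-expiry checks for one whois reply, evaluated as of the registry's own timestamp."""
    rec = parse_whois(text)
    as_of = datetime.strptime(rec["last-updated"][0], "%Y-%m-%dT%H:%M:%SZ").date()
    paid_till = datetime.strptime(rec["paid-till"][0], "%Y-%m-%dT%H:%M:%SZ").date()
    free_date = datetime.strptime(rec["free-date"][0], "%Y-%m-%d").date()
    return {
        "domain": rec["domain"][0].lower(),
        "registration_expired": paid_till < as_of,       # paid period already over at lookup time
        "days_until_release": (free_date - as_of).days,  # after free-date anyone can register the name
        "parked_nameservers": [ns for ns in rec.get("nserver", []) if ".expired." in ns],
    }
```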
Let's scan each of the addresses with nmap:

### 85.142.160.1

```
zxc@ZXcLinux:~$ nmap -v -T4 -A 85.142.160.1
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-07 19:11 MSK
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:11
Completed NSE at 19:11, 0.00s elapsed
Initiating NSE at 19:11
Completed NSE at 19:11, 0.00s elapsed
Initiating NSE at 19:11
Completed NSE at 19:11, 0.00s elapsed
Initiating Ping Scan at 19:11
Scanning 85.142.160.1 [2 ports]
Completed Ping Scan at 19:11, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:11
Completed Parallel DNS resolution of 1 host. at 19:11, 0.00s elapsed
Initiating Connect Scan at 19:11
Scanning test.mirea.ru (85.142.160.1) [1000 ports]
Discovered open port 443/tcp on 85.142.160.1
Completed Connect Scan at 19:11, 3.97s elapsed (1000 total ports)
Initiating Service scan at 19:11
Scanning 1 service on test.mirea.ru (85.142.160.1)
Completed Service scan at 19:11, 13.36s elapsed (1 service on 1 host)
NSE: Script scanning 85.142.160.1.
Initiating NSE at 19:11
Completed NSE at 19:12, 5.41s elapsed
Initiating NSE at 19:12
Completed NSE at 19:12, 0.42s elapsed
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
Nmap scan report for test.mirea.ru (85.142.160.1)
Host is up (0.0082s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx
| http-methods:
|_  Supported Methods: GET POST
|_http-title: Site doesn't have a title (text/html).
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=IOS-Self-Signed-Certificate-3508525419
| Issuer: commonName=IOS-Self-Signed-Certificate-3508525419
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2019-06-27T03:55:44
| Not valid after:  2020-01-01T00:00:00
| MD5:   08f9 2370 1671 cdc9 3449 cef7 446c da89
|_SHA-1: d381 2035 b1cf 640d 15d7 2ca7 c665 3284 7250 8706
| tls-nextprotoneg:
|_  http/1.1

NSE: Script Post-scanning.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.29 seconds
```

The only open port, 443, presents a self-signed certificate (subject and issuer are identical), signed with SHA-1 and expired since 2020-01-01; the IOS-Self-Signed-Certificate name suggests the HTTPS interface of a Cisco IOS device.

### 85.142.160.98

```
zxc@ZXcLinux:~$ nmap -v -T4 -A 85.142.160.98
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-07 19:22 MSK
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:22
Completed NSE at 19:22, 0.00s elapsed
Initiating NSE at 19:22
Completed NSE at 19:22, 0.00s elapsed
Initiating NSE at 19:22
Completed NSE at 19:22, 0.00s elapsed
Initiating Ping Scan at 19:22
Scanning 85.142.160.98 [2 ports]
Completed Ping Scan at 19:22, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:22
Completed Parallel DNS resolution of 1 host. at 19:23, 10.42s elapsed
Initiating Connect Scan at 19:23
Scanning 85.142.160.98 [1000 ports]
Discovered open port 443/tcp on 85.142.160.98
Discovered open port 80/tcp on 85.142.160.98
Completed Connect Scan at 19:23, 4.83s elapsed (1000 total ports)
Initiating Service scan at 19:23
Scanning 2 services on 85.142.160.98
Completed Service scan at 19:25, 131.41s elapsed (2 services on 1 host)
NSE: Script scanning 85.142.160.98.
Initiating NSE at 19:25
Completed NSE at 19:26, 96.57s elapsed
Initiating NSE at 19:26
Completed NSE at 19:27, 30.00s elapsed
Initiating NSE at 19:27
Completed NSE at 19:27, 0.00s elapsed
Nmap scan report for 85.142.160.98
Host is up (0.0060s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
80/tcp  open  http?
443/tcp open  ssl/http nginx 1.16.1
| ssl-cert: Subject: commonName=*.mirea.ru
| Subject Alternative Name: DNS:*.mirea.ru, DNS:mirea.ru
| Issuer: commonName=GlobalSign GCC R3 DV TLS CA 2020/organizationName=GlobalSign nv-sa/countryName=BE
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-10-31T10:21:47
| Not valid after:  2023-12-02T10:21:46
| MD5:   fda6 7b20 0cc2 df8b bdfa 1977 bfb2 fb23
|_SHA-1: 3e7e 826c a91d 6cff b405 93a0 394d b64f 309d 962b
| http-robots.txt: 1 disallowed entry
|_*.pdf$

NSE: Script Post-scanning.
Initiating NSE at 19:27
Completed NSE at 19:27, 0.00s elapsed
Initiating NSE at 19:27
Completed NSE at 19:27, 0.00s elapsed
Initiating NSE at 19:27
Completed NSE at 19:27, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 274.24 seconds
```

Here the wildcard *.mirea.ru certificate from GlobalSign is still valid at scan time (until 2023-12-02), and nginx 1.16.1 is identified on 443; the service on port 80 could not be fingerprinted (http?).

### 85.142.160.99

```
zxc@ZXcLinux:~$ nmap -v -T4 -A 85.142.160.99
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-07 19:29 MSK
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:29
Completed NSE at 19:29, 0.00s elapsed
Initiating NSE at 19:29
Completed NSE at 19:29, 0.00s elapsed
Initiating NSE at 19:29
Completed NSE at 19:29, 0.00s elapsed
Initiating Ping Scan at 19:29
Scanning 85.142.160.99 [2 ports]
Completed Ping Scan at 19:29, 2.00s elapsed (1 total hosts)
Nmap scan report for 85.142.160.99 [host down]
NSE: Script Post-scanning.
Initiating NSE at 19:29
Completed NSE at 19:29, 0.00s elapsed
Initiating NSE at 19:29
Completed NSE at 19:29, 0.00s elapsed
Initiating NSE at 19:29
Completed NSE at 19:29, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.68 seconds
```

### 85.142.160.104

```
zxc@ZXcLinux:~$ nmap -v -T4 -A 85.142.160.104
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-07 19:31 MSK
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:31
Completed NSE at 19:31, 0.00s elapsed
Initiating NSE at 19:31
Completed NSE at 19:31, 0.00s elapsed
Initiating NSE at 19:31
Completed NSE at 19:31, 0.00s elapsed
Initiating Ping Scan at 19:31
Scanning 85.142.160.104 [2 ports]
Completed Ping Scan at 19:31, 2.00s elapsed (1 total hosts)
Nmap scan report for 85.142.160.104 [host down]
NSE: Script Post-scanning.
Initiating NSE at 19:31
Completed NSE at 19:31, 0.00s elapsed
Initiating NSE at 19:31
Completed NSE at 19:31, 0.00s elapsed
Initiating NSE at 19:31
Completed NSE at 19:31, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.70 seconds
```

Both of these hosts answered the ping sweep half an hour earlier but not this scan's host discovery; as nmap's own note says, a rerun with -Pn skips discovery and scans the ports regardless.

### 85.142.160.106

```
zxc@ZXcLinux:~$ nmap -v -T4 -A 85.142.160.106
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-07 19:31 MSK
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:31
Completed NSE at 19:31, 0.00s elapsed
Initiating NSE at 19:31
Completed NSE at 19:31, 0.00s elapsed
Initiating NSE at 19:31
Completed NSE at 19:31, 0.00s elapsed
Initiating Ping Scan at 19:31
Scanning 85.142.160.106 [2 ports]
Completed Ping Scan at 19:31, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:31
Completed Parallel DNS resolution of 1 host. at 19:31, 0.27s elapsed
Initiating Connect Scan at 19:31
Scanning 85.142.160.106 [1000 ports]
Increasing send delay for 85.142.160.106 from 0 to 5 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 85.142.160.106 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Connect Scan Timing: About 15.60% done; ETC: 19:34 (0:02:48 remaining)
Connect Scan Timing: About 29.40% done; ETC: 19:35 (0:02:26 remaining)
Connect Scan Timing: About 43.15% done; ETC: 19:35 (0:02:00 remaining)
Connect Scan Timing: About 56.90% done; ETC: 19:35 (0:01:32 remaining)
Connect Scan Timing: About 70.70% done; ETC: 19:35 (0:01:03 remaining)
Connect Scan Timing: About 84.50% done; ETC: 19:35 (0:00:33 remaining)
Completed Connect Scan at 19:35, 214.78s elapsed (1000 total ports)
Initiating Service scan at 19:35
NSE: Script scanning 85.142.160.106.
Initiating NSE at 19:35
Completed NSE at 19:35, 0.00s elapsed
Initiating NSE at 19:35
Completed NSE at 19:35, 0.00s elapsed
Initiating NSE at 19:35
Completed NSE at 19:35, 0.00s elapsed
Nmap scan report for 85.142.160.106
Host is up (0.0043s latency).
All 1000 scanned ports on 85.142.160.106 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

NSE: Script Post-scanning.
Initiating NSE at 19:35
Completed NSE at 19:35, 0.00s elapsed
Initiating NSE at 19:35
Completed NSE at 19:35, 0.00s elapsed
Initiating NSE at 19:35
Completed NSE at 19:35, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 215.92 seconds
```

All 1000 probed ports gave no response (filtered), and nmap had to throttle its send rate because every probe was dropped, so this host is reachable but a packet filter discards everything the scan sent.

### 85.142.160.226

```
zxc@ZXcLinux:~$ nmap -v -T4 -A 85.142.160.226
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-07 19:40 MSK
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:40
Completed NSE at 19:40, 0.00s elapsed
Initiating NSE at 19:40
Completed NSE at 19:40, 0.00s elapsed
Initiating NSE at 19:40
Completed NSE at 19:40, 0.00s elapsed
Initiating Ping Scan at 19:40
Scanning 85.142.160.226 [2 ports]
Completed Ping Scan at 19:40, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:40
Completed Parallel DNS resolution of 1 host. at 19:40, 0.07s elapsed
Initiating Connect Scan at 19:40
Scanning 85.142.160.226 [1000 ports]
Discovered open port 80/tcp on 85.142.160.226
Discovered open port 443/tcp on 85.142.160.226
Completed Connect Scan at 19:40, 3.95s elapsed (1000 total ports)
Initiating Service scan at 19:40
Scanning 2 services on 85.142.160.226
Completed Service scan at 19:40, 16.18s elapsed (2 services on 1 host)
NSE: Script scanning 85.142.160.226.
Initiating NSE at 19:40
Completed NSE at 19:40, 27.64s elapsed
Initiating NSE at 19:40
Completed NSE at 19:40, 6.14s elapsed
Initiating NSE at 19:40
Completed NSE at 19:40, 0.00s elapsed
Nmap scan report for 85.142.160.226
Host is up (0.0076s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
80/tcp  open  http     nginx 1.14.2
|_http-title: Did not follow redirect to https://85.142.160.226/
|_http-server-header: nginx/1.14.2
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
443/tcp open  ssl/http nginx 1.14.2
| tls-nextprotoneg:
|   h2
|_  http/1.1
|_http-server-header: nginx/1.14.2
| ssl-cert: Subject: commonName=*.kb4-lab.ru
| Subject Alternative Name: DNS:*.kb4-lab.ru
| Issuer: commonName=R3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-03-27T20:42:43
| Not valid after:  2022-06-25T20:42:42
| MD5:   8729 aa4b 6264 7694 4ea3 d805 6ee0 7be9
|_SHA-1: 0e87 72fd 6019 c3ff 68cd 9ef8 3955 8fc6 ca99 4e83
|_ssl-date: TLS randomness does not represent time
|_http-title: 502 Bad Gateway
| tls-alpn:
|   h2
|_  http/1.1

NSE: Script Post-scanning.
Initiating NSE at 19:40
Completed NSE at 19:40, 0.00s elapsed
Initiating NSE at 19:40
Completed NSE at 19:40, 0.00s elapsed
Initiating NSE at 19:40
Completed NSE at 19:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.86 seconds
```

The host behind mirea.tech and ptlab.ru serves a Let's Encrypt certificate for *.kb4-lab.ru that expired on 2022-06-25, and the backend answers 502 Bad Gateway; together with the lapsed kb4-lab.ru registration seen in whois, this looks like an abandoned deployment rather than a maintained service.

### Nessus

Nessus is blocked in Russia, so it cannot be used.
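The per-host -A outputs above were read by eye; a defender reviewing such scans regularly would parse them instead. The following is an added example, not part of the original report: it parses nmap's normal text output (both the -sn sweep and the -A results) into live hosts with their open ports, and then applies the certificate checks this report's findings call for: subject equal to issuer (self-signed), a SHA-1 signature, and expiry relative to the scan date in the header. The sample is a constructed excerpt with the values seen above; the function and key names are this example's own.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape of the nmap -A output above; the values are the ones in this report
SAMPLE = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-07 19:40 MSK
Nmap scan report for 85.142.160.99 [host down]
Nmap scan report for test.mirea.ru (85.142.160.1)
443/tcp open  ssl/http nginx
| ssl-cert: Subject: commonName=IOS-Self-Signed-Certificate-3508525419
| Issuer: commonName=IOS-Self-Signed-Certificate-3508525419
| Signature Algorithm: sha1WithRSAEncryption
| Not valid after:  2020-01-01T00:00:00
Nmap scan report for 85.142.160.226
80/tcp  open  http     nginx 1.14.2
443/tcp open  ssl/http nginx 1.14.2
| ssl-cert: Subject: commonName=*.kb4-lab.ru
| Issuer: commonName=R3/organizationName=Let's Encrypt/countryName=US
| Signature Algorithm: sha256WithRSAEncryption
| Not valid after:  2022-06-25T20:42:42
"""

START_RE = re.compile(r"^Starting Nmap .* at (\d{4}-\d{2}-\d{2})")
HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+(?:\.\d+){3})\)?(.*)$")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)\s*(.*)$")
CERT_KEYS = ("Subject", "Issuer", "Signature Algorithm", "Not valid after")

def parse_nmap(text):
    """Parse nmap normal output into (scan_date, {ip: host}); hosts reported down are dropped."""
    scan_date, hosts, cur = datetime.now(), {}, None  # falls back to now if the header is absent
    for line in text.splitlines():
        if m := START_RE.match(line):
            scan_date = datetime.strptime(m.group(1), "%Y-%m-%d")
        elif m := HOST_RE.match(line):
            cur = None if "[host down]" in m.group(3) else hosts.setdefault(
                m.group(2), {"hostname": m.group(1), "ports": [], "cert": {}})
        elif cur is not None and (m := PORT_RE.match(line)):
            cur["ports"].append((int(m.group(1)), m.group(2), m.group(3).strip()))
        elif cur is not None and line.startswith("|"):
            # NSE script line: drop the "| " / "|_" prefix and the "ssl-cert: " script label
            key, _, val = line.lstrip("|_ ").replace("ssl-cert: ", "", 1).partition(": ")
            if key in CERT_KEYS:
                cur["cert"][key] = val.strip()
    return scan_date, hosts

def cert_findings(scan_date, host):
    """Certificate hygiene visible in ssl-cert output; expired_days is 0 for a cert still valid."""
    cert = host["cert"]
    if "Not valid after" not in cert:
        return None
    expires = datetime.strptime(cert["Not valid after"], "%Y-%m-%dT%H:%M:%S")
    return {"self_signed": cert.get("Subject") == cert.get("Issuer"),
            "sha1_signature": cert.get("Signature Algorithm", "").lower().startswith("sha1"),
            "expired_days": max(0, (scan_date.date() - expires.date()).days)}

def review(text):
    """Map every live host to its open ports and certificate findings."""
    scan_date, hosts = parse_nmap(text)
    return {ip: {"hostname": h["hostname"], "open_ports": [p[0] for p in h["ports"]],
                 "cert": cert_findings(scan_date, h)} for ip, h in hosts.items()}
```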