Investigating North Korea's Netblock – Part 1: Hosts

Early last year, I performed a few scans of North Korea’s netblock with the goal of just finding out a bit more information about their internet infrastructure. This is the first in a series of three posts, all of which will be tagged as dprknet once they have been posted over the next couple of days.

This was originally posted on my blog on 01/02/11

North Korea is a highly secretive dictatorship which keeps itself largely secluded from the rest of the world. I’ll save the details on its human rights abuses for another post as this one is focusing on their presence on the internet (or lack thereof).

Very few people have access to the internet in North Korea, however it does have an allocated netblock:

# Country: KOREA, DEMOCRATIC PEOPLE'S REPUBLIC OF
# ISO Code: KP
# Total Networks: 1
# Total Subnets:  1,024
175.45.176.0/22

Out of curiosity, I decided to probe the hosts in their netblock.

A quick syn scan using nmap -v -sn 175.45.176.0/22 showed that 11 hosts were online:

175.45.176.3
175.45.176.7
175.45.176.14
175.45.176.129
175.45.176.131
175.45.177.193
175.45.177.194
175.45.177.197
175.45.177.198
175.45.177.201
175.45.177.209

I wonder what’s running on them? Let’s do another scan, this time attempting to identify services running on them by using nmap -v -Pn -sV -O -iL nk_online:

  • 175.45.176.3
    • Nothing of note, nmap suggests possibly Cisco PIX firewall.
  • 175.45.176.7
    • Ports 80 and 443
      • RHEL (5?) Apache test page displayed.
      • 404 to get the server info line: Apache/2.2.3 (Red Hat) Server at spwebh2.star.net.kp Port 443
      • Also tried spwebh1.star.net.kp, which points to 175.45.176.6 – But that server appears to be down at time of writing.
  • 175.45.176.14
    • Ports 80, 110, 443 and 8080
      • 80 and 443 are Apache, apparently running the site normally at http://www.kcckp.net (kcckp.net points to 46.182.18.160, an IP belonging to a German company).
      • Server info for 80 and 443: Apache httpd 2.2.10 ((Unix) mod_ssl/2.2.10 OpenSSL/0.9.8g PHP/5.2.8)
      • 110 is possibly POP3.
      • 8080 appears to be an Icecast streaming server.
  • 175.45.176.129
    • Nothing of note, nmap also suggests possibly another Cisco PIX firewall.
  • 175.45.176.131
    • Nothing of note, no OS fingerprint suggestions from nmap.
  • 175.45.177.193
    • Nothing of note, no OS fingerprint suggestions from nmap.
  • 175.45.177.194
    • Nothing of note, nmap suggests possibly Cisco IOS – Switch?
  • 175.45.177.197
    • Nothing of note, no OS fingerprint suggestions from nmap.
  • 175.45.177.198
    • Port 23 (telnet!)
      • Appears to be running Cisco IOS.
      • Connecting using telnet gives this output:
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco" with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace  and  with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------

User Access Verification

Username:
  • 175.45.177.201
    • Nothing of note, no OS fingerprint suggestions from nmap.
  • 175.45.177.209
    • Nothing of note, no OS fingerprint suggestions from nmap.
Some interesting stuff there, particularly the websites and the open telnet port. I’ve noticed that I don’t get consistent results as to which hosts are up or not, but I’ll keep trying to see what else I get. Additionally, a lot of ports are appearing as filtered – But I suspect that’s more of an issue with the network between myself and the target netblock rather than anything else.

– Phasma

About these ads

Comments are closed.

Follow

Get every new post delivered to your Inbox.

Join 167 other followers

%d bloggers like this: