Investigating North Korea's Netblock – Part 1: Hosts
Posted by on May 29, 2012
Early last year, I performed a few scans of North Korea’s netblock with the goal of just finding out a bit more information about their internet infrastructure. This is the first in a series of three posts, all of which will be tagged as dprknet once they have been posted over the next couple of days.
This was originally posted on my blog on 01/02/11
North Korea is a highly secretive dictatorship which keeps itself largely secluded from the rest of the world. I’ll save the details on its human rights abuses for another post as this one is focusing on their presence on the internet (or lack thereof).
Very few people have access to the internet in North Korea, however it does have an allocated netblock:
```text
# Country: KOREA, DEMOCRATIC PEOPLE'S REPUBLIC OF
# ISO Code: KP
# Total Networks: 1
# Total Subnets: 1,024
175.45.176.0/22
```

Out of curiosity, I decided to probe the hosts in their netblock.
A quick scan using `nmap -v -sn 175.45.176.0/22` (host discovery only, no port scan) showed that 11 hosts were online:
```text
175.45.176.3
175.45.176.7
175.45.176.14
175.45.176.129
175.45.176.131
175.45.177.193
175.45.177.194
175.45.177.197
175.45.177.198
175.45.177.201
175.45.177.209
```

I wonder what’s running on them? Let’s do another scan, this time attempting to identify the services running on them by using `nmap -v -Pn -sV -O -iL nk_online` (nk_online being the list of live hosts above):
- 175.45.176.3
    - Nothing of note; nmap suggests possibly a Cisco PIX firewall.
- 175.45.176.7
    - Ports 80 and 443.
    - SSL cert is for spwebh2.star.net.kp, which points to this IP.
    - RHEL (5?) Apache test page displayed.
    - A 404 page gives the server info line: Apache/2.2.3 (Red Hat) Server at spwebh2.star.net.kp Port 443
    - Also tried spwebh1.star.net.kp, which points to 175.45.176.6, but that server appears to be down at the time of writing.
- 175.45.176.14
    - Ports 80, 110, 443 and 8080.
    - 80 and 443 are Apache, apparently running the site normally at http://www.kcckp.net (kcckp.net points to 46.182.18.160, an IP belonging to a German company).
    - Server info for 80 and 443: Apache httpd 2.2.10 ((Unix) mod_ssl/2.2.10 OpenSSL/0.9.8g PHP/5.2.8)
    - 110 is possibly POP3.
    - 8080 appears to be an Icecast streaming server.
- 175.45.176.129
    - Nothing of note; nmap also suggests possibly another Cisco PIX firewall.
- 175.45.176.131
    - Nothing of note; no OS fingerprint suggestions from nmap.
- 175.45.177.193
    - Nothing of note; no OS fingerprint suggestions from nmap.
- 175.45.177.194
    - Nothing of note; nmap suggests possibly Cisco IOS (a switch?).
- 175.45.177.197
    - Nothing of note; no OS fingerprint suggestions from nmap.
- 175.45.177.198
    - Port 23 (telnet!)
    - Appears to be running Cisco IOS.
    - Connecting using telnet gives this output:

      ```text
      -----------------------------------------------------------------------
      Cisco Router and Security Device Manager (SDM) is installed on this device.
      This feature requires the one-time use of the username "cisco"
      with the password "cisco". The default username and password have a privilege level of 15.

      Please change these publicly known initial credentials using SDM or the IOS CLI.
      Here are the Cisco IOS commands.

      username <myuser>  privilege 15 secret 0 <mypassword>
      no username cisco

      Replace <myuser> and <mypassword> with the username and password you want to use.

      For more information about SDM please follow the instructions in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/sdm
      -----------------------------------------------------------------------
      User Access Verification

      Username:
      ```

- 175.45.177.201
    - Nothing of note; no OS fingerprint suggestions from nmap.
- 175.45.177.209
    - Nothing of note; no OS fingerprint suggestions from nmap.
Some interesting stuff there, particularly the websites and the open telnet port. I’ve noticed that I don’t get consistent results as to which hosts are up or not, but I’ll keep trying to see what else I get. Additionally, a lot of ports are appearing as filtered, but I suspect that’s more of an issue with the network between myself and the target netblock than anything else.
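Anyone running this kind of sweep against their own address space will want the `-sV` results in a structured form rather than hand-written notes like the list above. As an added example (not code from the original post), here is a small Python parser for nmap's grepable output (`-oG`) that inventories each host's open ports and flags cleartext services such as the telnet and POP3 ports found above; the sample output is constructed here to mirror those findings, and the port-to-reason table is my own.

```python
# Constructed sample of nmap -sV grepable (-oG) output, modelled on the findings above
# (version strings shortened; nmap writes "|" in place of "/" inside a field).
SAMPLE_OG = """\
Host: 175.45.176.7 ()\tStatus: Up
Host: 175.45.176.7 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.3 ((Red Hat))/, 443/open/tcp//ssl|http//Apache httpd 2.2.3 ((Red Hat))/\tIgnored State: filtered (998)
Host: 175.45.176.14 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.10/, 110/open/tcp//pop3///, 443/open/tcp//ssl|http//Apache httpd 2.2.10/, 8080/open/tcp//http//Icecast streaming media server/\tIgnored State: filtered (996)
Host: 175.45.177.198 ()\tPorts: 23/open/tcp//telnet//Cisco router telnetd/\tIgnored State: filtered (999)
Host: 175.45.177.201 ()\tStatus: Up
"""

# Ports whose protocol sends credentials in the clear (our own table, not nmap's).
CLEARTEXT_PORTS = {
    23: "telnet (cleartext remote administration)",
    110: "pop3 (cleartext mail credentials)",
}


def parse_grepable(text):
    """Return {ip: [port records]} from -oG output; hosts with no open ports get an empty list."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")            # tab-separated: Host, then Status/Ports/Ignored State
        ip = fields[0].split()[1]
        hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # each entry: port/state/proto/owner/service/rpcinfo/version/
                port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
                hosts[ip].append({
                    "port": int(port), "proto": proto, "state": state,
                    "service": service.replace("|", "/"),
                    "version": version.replace("|", "/"),
                })
    return hosts


def flag_cleartext(inventory):
    """List (ip, port, reason) for open cleartext services, sorted so re-runs diff cleanly."""
    findings = []
    for ip, ports in inventory.items():
        for rec in ports:
            if rec["state"] == "open" and rec["port"] in CLEARTEXT_PORTS:
                findings.append((ip, rec["port"], CLEARTEXT_PORTS[rec["port"]]))
    return sorted(findings)
```

Feed it the file written by `nmap -oG` and compare successive runs to see which hosts and ports actually change between sweeps, rather than guessing from the inconsistent up/down results noted above.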
– Phasma