:Site Navigation:
- 2010: A Discovery - I got interested - IP Range - Results: 175.45.176 - Results: 175.45.177 -
Results: 175.45.178 - Results: 175.45.179 -
- 2017 #1 #2 - New Scan- Results: 175.45.176 - Results:
175.45.177 - Results: 175.45.178 - Results: 175.45.179 - Results 210.52.109 -
[2017]
For some random reason i was going through my logs and noticed that HP security research did an analysis on
DPRK internet activities. Apparently my nmap scans we're the first ones, conducted roughly 1 month after DPRK actually went online, back in 2010.
Quote:
A comparison of a scan97 of North Korea’s IP ranges in November 2010, just one month after
North Korea made its first direct connection to the Internet, and a series of several scans we
conducted in May 2014, shows that North Korea has made significant headway in establishing its
Internet presence.
In the November 2010 scan, 175.45.176.0 - 175.45.176.16 showed a variety of devices including
D-link, Cisco, Linksys, HP, and Nokia devices, and a Juniper networks firewall. Operating systems
detected included FreeBSD 6.x, Linux 2.6.x, and Red Hat Enterprise Linux. 175.45.176.14 returned
“Naenara” as an html-title. Most hosts in the 175.45.176.xx and 175.45.177.xx ranges were
down. As of 2014, IP addresses 175.45.176.0 - 175.45.177.255 appear to be used for websites,
nameservers, databases, email, and voice over IP (VoIP). In November 2010, the 175.45.178.xx
range showed all hosts down,
98 and the 175.45.179.xx range showed most hosts were down.99
In 2014, several webservers and nameservers were found in the 175.45.178.xx range, and
several nameservers and mail servers were found in the 175.45.179.xx range. This comparison
demonstrates that there has been some growth in DPRK Internet infrastructure over the past four
years. However, it seemingly lags behind even most third world nations. The 2014 scans detected
dated technology that is potentially susceptible to multiple vulnerabilities and consistently
showed the same open ports and active devices on scanned hosts. It is not clear whether the
regime failed to notice and react to the scanning or whether the regime allows these open ports
and devices to be detected or spoofed to serve as a distraction or possible honeypot.
Source: HP Security Briefing
Episode 16, August 2014
Profiling an enigma: The mystery of North Korea’s cyber threat landscape
(local copy)
New Scan
So, this got me thinking, about what has changed over the last few years.
Currently a scan with similar parameters is running and hopefully i can give a quick overview
on what has changed in comparission to 2010 and what is currently visible to the world in the next few weeks.
In addition to the previous TCP Scan, i'll also be conducting a "quick" UDP scan of the common ports, over the same port range.
The currently running results can be downloaded in the top at the 2017 row.
2017-05-22: Update #1
Oddly, 3 days after i started the scan, suddently there were reports that the .kp domain was unreachable: source.. I wonder..
2017-05-23: Update #2 - ssh bruteforce flood
So, this could be completly unreleated, but since i started the scan, i noticed that my auth.log contains quite a few ssh connection tries, from various users on various ports oO .
PrancingPony ~ # cat /var/log/auth.log* | grep 'sshd.*Failed'
May 23 14:13:45 sshd[25912]: Failed password for invalid user root from 178.189.56.26 port 52841 ssh2
May 23 14:14:03 sshd[25915]: Failed password for invalid user goddard from 192.95.62.4 port 43862 ssh2
May 23 14:14:33 sshd[25935]: Failed password for invalid user godeardo from 139.59.16.203 port 36508 ssh2
May 23 14:16:31 sshd[26016]: Failed password for invalid user gon from 62.210.81.43 port 41695 ssh2
May 23 14:18:28 sshd[26076]: Failed password for invalid user gonzalo from 45.55.164.108 port 36818 ssh2
May 23 14:22:15 sshd[26192]: Failed password for invalid user gotardo from 191.101.228.20 port 56134 ssh2
May 23 14:22:59 sshd[26211]: Failed password for invalid user grace from 195.154.216.79 port 48678 ssh2
May 23 14:24:57 sshd[26257]: Failed password for invalid user gracjan from 69.164.198.191 port 36793 ssh2
May 23 14:27:08 sshd[26416]: Failed password for invalid user pi from 178.189.56.26 port 54329 ssh2
So, i have gathered the ip-d from the past 3 days and made them available and will update them, if i remember it: ssh_bruteforce_ips
I think this should be a nice list of ~5000 "borked" machines being used for a alphabetical dirctionary ssh bruteforce attack :)
If some one is interested in creating a similar list, just run this on your intertube activated system:
cat /var/log/auth.log* | grep 'sshd.*Failed' | awk '{print $13}' | uniq >> ssh_ips.txt
2010 -- A Discovery
So today i discoevered that the DPRK managed to get some servers in their country
This may be old news to some people, but since it is the only true communistic dictatorship
left in the world i thought that it is quite interesting.
The information is from 10.06.2010. Computer world reported that the 1024 internet adresses
reserved for DPRK have been registered to a company with connections to the Pyongyang government
I got interested
So a long story short i decided to take a look, after a few minutes of using the all mighty google
I discovered that their Korean Central News Agency moved their japan based hosting to DPRK.
They can be found at: http://175.45.179.68/
My curiosity rised again, they have a working server? A quick look with Tamper Data plugin for firefox
returned that they are using... wait for it:
175.45.179.68 -> Server=Microsoft-IIS/5.0
Strange ain't it, that they are using MS services. Especially that they are using Windows 2000 based IIS...
Is it legal? Anyways, i decided to fireup ye olde trusty nmap to find out more
You can find the results in the next section. Have fun with the north koreans and their so called
Internet Expert, who knows STRONG webdesign!
IP Range
The DPRK Currently has the following IP ranges:
175.45.176.0 - 175.45.179.255 : 175.45.176/22 : kp : 175.45.176 - 175.45.179 : APNIC
[via APNIC]
The Preview
---
Discovered open port 80/tcp on 175.45.176.14 <-- Looks like someone has a http service running there
Discovered open port 80/tcp on 175.45.176.7 <-- wow another http service oO
Discovered open port 25/tcp on 175.45.176.10 <-- SMTP service?
Discovered open port 443/tcp on 175.45.176.7 <-- Woah and https, shame that their certificate is invalid
--- Snip Snip ---
* Issuer: root@spwebh2.star.net.kp
* CN = spwebh2.star.net.kp
* OU = SomeOrganizationalUnit
* O = SomeOrganization
* L = SomeCity
* S = SomeState
* C = --
* Valid From: ?October-?06-?10 08:19:01
--- Snip Snip ---
This also refers to a wierd page: spwebh2.star.net.kp, shame that this one isn't online : (
Also if you accept the certificate you will see, that the communists are really true to their life style! They use Red Hat Linux.
Discovered open port 110/tcp on 175.45.176.14 <-- POP3 mail, Mr. Jong-Il, has some true skills with the interweb! I wonder what happens when i email Kim.Jong-il@175.45.176.14 ?
Discovered open port 25/tcp on 175.45.176.11 <-- _ANOTHER_ smtp? Just because you have 22 million people living there, not to mention all those intranet PC's that everyone has
Discovered open port 443/tcp on 175.45.176.14 <-- Another https!? Seriously, Mr. Jong-Il, just because you can doesen't mean that you have to : /
And when you accept the certificate: Could not connect to Session DBMS
Discovered open port 8080/tcp on 175.45.176.14 <-- https, It seems to be down : /
Discovered open port 443/tcp on 175.45.176.6 <-- https, Ditto, i has a sad : (
IP: 175.45.176
--- snip snip ---
Download the whole results as txt
--- snip snip ---
Small example:
Completed Parallel DNS resolution of 255 hosts. at 21:53, 0.49s elapsed
Nmap scan report for 175.45.176.1 [host down]
[...]
Nmap scan report for 175.45.176.13 [host down]
Initiating SYN Stealth Scan at 21:53
Scanning 8 hosts [65535 ports/host]
Discovered open port 443/tcp on 175.45.176.14
Discovered open port 443/tcp on 175.45.176.7
Discovered open port 443/tcp on 175.45.176.6
Discovered open port 110/tcp on 175.45.176.14
Discovered open port 25/tcp on 175.45.176.11
Discovered open port 25/tcp on 175.45.176.10
Discovered open port 80/tcp on 175.45.176.14
Discovered open port 80/tcp on 175.45.176.7
Discovered open port 80/tcp on 175.45.176.6
Discovered open port 8080/tcp on 175.45.176.14
Nmap done: 255 IP addresses (11 hosts up) scanned in 3167.77 seconds
IP: 175.45.177
--- snip snip ---
Download the whole results as txt
--- snip snip ---
Small example:
Discovered open port 23/tcp on 175.45.177.198
Nmap scan report for 175.45.177.198
Host is up (0.39s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet Cisco router
Nmap done: 255 IP addresses (6 hosts up) scanned in 2309.51 seconds
IP: 175.45.178
--- snip snip ---
Download the whole results as txt
--- snip snip ---
Small example:
Nmap scan report for 175.45.178.1 [host down]
[...]
Nmap scan report for 175.45.178.255 [host down]
Nmap done: 255 IP addresses (0 hosts up) scanned in 14.41 seconds
Raw packets sent: 288 (8.556KB) | Rcvd: 455 (24.350KB)
This one was pretty ineventful... it seems that none of the IP's are assigned : (
Now i has a sad
IP: 175.45.179
--- snip snip ---
Download the whole results as txt
--- snip snip ---
Small example:
Discovered open port 25/tcp on 175.45.179.67
Discovered open port 110/tcp on 175.45.179.67
Discovered open port 80/tcp on 175.45.179.68
Nmap done: 255 IP addresses (2 hosts up) scanned in 658.45 seconds
I know that i am the last person who should comment about web design and setting up a webserver, but c'mon it's the north koreans, i'm sorry if i pissed some of you guys off, you can flame me @ here
Official Mirrors: http://dprk.sipsik.net/ - http://web.zone.ee/wasabe/ - http://hot.ee/zmm/
Page Last Modified: Tue, 23/05/2017 19:00 GMT+1