[Blog de Haschek] I scanned the whole country of Austria and this is what I found
Quote: Disclaimer: This article is the result of a few weeks of research. I did report the most disturbing things I found to the owners of the servers if I could find out who they are and the other problems were reported to Cert.at. Also I didn't try to login to any device/service/site that required a password.

First of all: How do you even get all IP addresses of a whole country?

This is very simple. IP addresses are not just "generated" by a country but rather assigned by a central authority. This means that there are lists of all IPs and their assigned countries.
Anyone can download such a list, enter

Code:
grep Austria IP2LOCATION-LITE-DB1.CSV > austria.csv

and run a simple script to convert the IPs to a usable format.

Austria has 11 million IPv4 addresses. 11.170.487 to be exact.
If you don't want to play around with IPs yourself, you can also use Shodan.io

First thing to check: Are any unpatched Windows machines on the net?


Surely no sysadmin in Austria would expose unfiltered Windows SMB ports to the Net, would they?

Code:
masscan -p445 --rate 300 -iL austria.ips -oG austria.445.scan && cat austria.445.scan | wc -l



1273 directly exposed Windows machines found


Oh boy. This fact alone would make most sysadmins sweat but since the ETERNALBLUE exploit was published by the Shadowbrokers, most IT people would agree that having unprotected Windows machines slurping on the web would not be a good idea.

The upside: None of the 1273 machines were vulnerable to ETERNALBLUE

Enough about Windows, what about open resolvers?


Have you ever heard of open resolvers? If not you must have heard about DDoS attacks. This is a real problem for the web.

It works like this: An attacker sends a small DNS query from a spoofed IP address (the one of their target) and the server responds with a much larger package to the spoofed IP. So the attacker only uses 40 bytes and the open resolver responds with a 4000-byte answer to the victim. This way an attacker can pin down large company servers with no more upload speed than a normal smartphone can produce. Which happens fairly often.

Let's check how many open resolvers are hosted in Austria


Let's scan all of Austria for Port 53 UDP


I have found exactly 8728 publicly exposed DNS servers in Austria. 0.08 % of all Austrian IPs are hosting DNS servers. Ok but most of them are secured

Code:
masscan -pU:53 -iL austria.ips -oG austria.53.scan && cat austria.53.scan | wc -l



But that doesn't mean much. More important is: Are these DNS servers also open resolvers?


Finding open resolvers


The method is simple: I'm using the command dig to find out if one of the IPs will resolve any address I'm feeding it. I looped the whole IP file and ran each IP against

Code:
dig +short test.openresolver.com TXT @ip.of.dns.server

If it responds with "open-resolver-detected" I log and count it.


Sadly, using this method I found out that around 25% of all Austrian DNS servers were open resolvers. But to put it in perspective this is only about 0.02% of all Austrian IPs.


What else is exposed in Austria?

Glad you asked. The easiest thing to scan for is port 80 (Web servers and proxies)






Read more: https://blog.haschek.at/2019/i-scanned-austria.html

FYI this is an older blog post than normally permitted, i.e. week old maximum (published 2019-02-08), but it's pretty intriguing so shared it anyway.
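The open-resolver check quoted in the post keys on the TXT answer text; when auditing a resolver you operate, the same verdict can be read from the DNS header of the reply (RA flag, RCODE, answer count) together with the reply-to-query size ratio. This is an added example, not code from the blog or the poster; the function names are this example's own and the sample replies are constructed bytes, not captured traffic.

```python
import struct

def build_query(name, qtype=16, txid=0x1234):
    """Build a recursive (RD=1) DNS query; qtype 16 is TXT, class 1 is IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def sample_reply(query, flags, txt=b""):
    """CONSTRUCTED test data: a reply to `query` with a given flags word and optional TXT."""
    answer = b""
    if txt:
        rdata = bytes([len(txt)]) + txt
        # 0xc00c is a compression pointer back to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1 if txt else 0, 0, 0)
    return header + query[12:] + answer

def classify_response(query, response):
    """Classify a reply to a recursive query for a name the server is not authoritative for."""
    if len(response) < 12:
        return {"verdict": "malformed"}
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return {"verdict": "not-a-reply"}          # wrong transaction ID or QR bit unset
    ra = bool(flags & 0x0080)                      # RA: server offers recursion
    rcode = flags & 0x000F
    if rcode == 5:
        verdict = "refused"                        # recursion denied to this client
    elif ra and rcode == 0 and an > 0:
        verdict = "open-resolver"                  # resolved a foreign name for us
    else:
        verdict = "no-recursion"                   # e.g. referral from an authoritative server
    return {"verdict": verdict, "ra": ra, "rcode": rcode, "answers": an,
            "amplification": round(len(response) / len(query), 2)}

if __name__ == "__main__":
    q = build_query("test.openresolver.com")
    samples = {
        "answers with TXT": sample_reply(q, 0x8180, b"open-resolver-detected"),
        "REFUSED": sample_reply(q, 0x8105),
        "referral only": sample_reply(q, 0x8100),
    }
    for label, reply in samples.items():
        print(f"{label:18} -> {classify_response(q, reply)}")
```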