I started getting curious about the North Korean internet and discovered through research that they have very few IP addresses. Currently, they operate four IPv4 subnets named 'Ryugyong-dong' (175.45.176.0/24 through 175.45.179.0/24), which together form a single 175.45.176.0/22 subnet containing just 1,024 IPs.
I noticed that there were existing scans, but they were pretty old, so I decided to set up my own. I'm running frequent scans from VPS servers all over the world to see what's accessible and if they're blocking specific countries.
I'm mostly scanning the top 10,000 ports because scanning all 65,535 ports takes forever, and my tests showed they don't have much running on the high ports anyway. So, I bought some cheap VPS instances to run cron jobs that automatically publish and run scans day and night.
With all the data collected, I started doing some investigation and making graphs.
Brief Insights
By investigating the logs, I found some cool details about their network:
- Operating Systems: It's a mix. I saw their own Red Star OS 4.0 (running Apache 2.2.15), plus some Linux distros and Windows Server (IIS 7.5).
- Web Services: The KCNA (Korean Central News Agency) website is hosted right there.
- Network Gear: Lots of Cisco routers and switches showing up, exposing SSH and Telnet.
- File Transfer: Found some FTP servers running vsftpd or WU-FTPD.
- Remote Access: RDP (port 3389) is open on several Windows servers, so they're definitely managing these remotely.
- Common Ports: The usual suspects are open: 80, 443, 8888, 21, and 23.
- Surprises: I even spotted some unexpected devices like Apple TV, Sony Ericsson phones, and Crestron automation systems.
- Infrastructure: Saw signs of Synology storage and maybe some VMware/VirtualBox virtualization.
Graphs
As you can see, most of their open ports are HTTP and SSL, but for some reason most of these web servers don't load or respond, so I thought maybe they only allow certain traffic to see the pages.
The same thing can be seen here, but another interesting thing is their Red Star OS, which is basically their own OS and, judging from these scans, is used relatively widely.
They also use a lot of FTP, SMB and other file-sharing protocols, which was actually interesting.
As mentioned before as a surprise, while going through some scans I also came across some Apple devices being used, like here:
Nmap scan report for 175.45.176.69
Host is up (0.29s latency).
Not shown: 2999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((RedStar4.0))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: media device|general purpose|specialized
Running: Apple Apple TV 5.X, Apple Mac OS X 10.7.X, Crestron 2-Series
OS CPE: cpe:/a:apple:apple_tv:5.2.1 cpe:/a:apple:apple_tv:5.3 cpe:/o:apple:mac_os_x:10.7.4 cpe:/o:crestron:2_series
OS details: Apple TV 5.2.1 or 5.3, Apple Mac OS X 10.7.4 (Lion) (Darwin 11.4.2), Crestron XPanel control system
Uptime guess: 17.123 days (since Sun Sep 5 22:15:43 2021)
This made me think that, even though they hate most of the world, they still use and rely on its software and hardware.
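To turn raw Nmap reports like the one above into the per-port, per-service and per-OS counts behind the insights and graphs, here is an added example (my own code, not from the NorthKoreaScans repository) that parses Nmap's normal output format and aggregates it. The first host in the sample is the 175.45.176.69 report from this post (abridged); the second host, on a TEST-NET address, is constructed for the example and is not a scan observation.

```python
import re
from collections import Counter

# Constructed sample in Nmap's normal (-oN) format: the 175.45.176.69 report
# from the post (abridged) plus a second host on a TEST-NET address that is
# made up for this example, not an observation from the scans.
SAMPLE = """\
Nmap scan report for 175.45.176.69
Host is up (0.29s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((RedStar4.0))
OS details: Apple TV 5.2.1 or 5.3, Apple Mac OS X 10.7.4 (Lion) (Darwin 11.4.2), Crestron XPanel control system

Nmap scan report for 192.0.2.10
Host is up (0.31s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
23/tcp filtered telnet
443/tcp open ssl/http Apache httpd 2.2.15 ((RedStar4.0))
3389/tcp open ms-wbt-server Microsoft Terminal Services
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
OS_RE = re.compile(r"^OS details: (.*)$")

def parse_nmap_normal(text):
    """Turn -oN output into [{ip, ports:[{port, proto, service, version}], os}]."""
    hosts, cur = [], None
    for line in text.splitlines():
        if (m := HOST_RE.match(line)):
            cur = {"ip": m.group(1), "ports": [], "os": None}
            hosts.append(cur)
        elif cur and (m := PORT_RE.match(line)) and m.group(3) == "open":
            cur["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                 "service": m.group(4), "version": m.group(5).strip()})
        elif cur and (m := OS_RE.match(line)):
            cur["os"] = m.group(1)   # only present when -O ran on that host
    return hosts

def summarize(hosts):
    """The numbers behind the post's 'Brief Insights' and port graphs."""
    ports, services = Counter(), Counter()
    for h in hosts:
        for p in h["ports"]:
            ports[p["port"]] += 1
            services[p["service"]] += 1
    redstar = sum(1 for h in hosts if any("RedStar" in p["version"] for p in h["ports"]))
    return {"hosts": len(hosts), "ports": ports, "services": services,
            "redstar_hosts": redstar}
```

Feeding the concatenated -oN files from each VPS into parse_nmap_normal and summarize gives one Counter per scan run, which is what the port and OS graphs are drawn from; filtered and closed ports are deliberately skipped.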
GitHub repository: https://github.com/R4yGM/NorthKoreaScans