I scanned Ukraine

In February, the Austrian Christian Haschek published an interesting article on his blog entitled "I scanned all of Austria". Naturally, I became curious what would happen if the same study were repeated for Ukraine. Several weeks of round-the-clock data collection, a couple more days to prepare the article, and along the way conversations with various members of our community, then clarifying, then finding out more. Details below.

TL;DR

No special tools were used to collect the information (although several people advised using something like OpenVAS to make the research more thorough and informative). As for the security of IPs that belong to Ukraine (how that was determined is explained below), the situation, in my opinion, is quite bad (and definitely worse than in Austria). No attempts have been made, or are planned, to exploit the discovered vulnerable servers.

First of all: how can you get all the IP addresses that belong to a certain country?

It's actually very simple. IP addresses are not generated by the country itself, but allocated to it. Therefore, there is a list (and it is public) of all countries and all the IPs that belong to them.

Anyone can download it and then filter it:

grep Ukraine IP2LOCATION-LITE-DB1.CSV > ukraine.csv

A simple script written by Christian turns the list into a more usable form.

Ukraine owns almost as many IPv4 addresses as Austria, more than 11 million 11 to be exact (for comparison, Austria has 640).
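As an added example (not Christian's script or anything from the original article), here is how the filtered IP2Location rows can be turned into CIDR blocks that a scanner or a firewall can consume, and how to count the addresses they cover. It assumes the DB1 column layout ip_from, ip_to, country_code, country_name with addresses stored as 32-bit integers; the sample rows are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample in the assumed IP2LOCATION-LITE-DB1.CSV layout:
# "ip_from","ip_to","country_code","country_name", IPs as 32-bit integers.
SAMPLE_CSV = '''"16777216","16777471","AU","Australia"
"3221225472","3221225727","UA","Ukraine"
"3221225728","3221226495","UA","Ukraine"
"3221226496","3221226751","AT","Austria"
'''


def country_blocks(csv_text, country_code):
    """Return the CIDR blocks (as strings) assigned to one ISO country code."""
    blocks = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 4 or row[2] != country_code:
            continue
        first = ipaddress.IPv4Address(int(row[0]))
        last = ipaddress.IPv4Address(int(row[1]))
        # A database range is not always a single aligned CIDR;
        # summarize_address_range splits it into the minimal list of networks.
        blocks.extend(str(n) for n in ipaddress.summarize_address_range(first, last))
    return blocks


def address_count(blocks):
    """Total number of IPv4 addresses covered by a list of CIDR blocks."""
    return sum(ipaddress.IPv4Network(b).num_addresses for b in blocks)


if __name__ == "__main__":
    ua = country_blocks(SAMPLE_CSV, "UA")
    print("\n".join(ua))            # one CIDR per line, ready for masscan -iL
    print("total addresses:", address_count(ua))
```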

If you don't want to play with IP addresses yourself (and you shouldn't!), you can use the Shodan.io service.

Are there any unpatched Windows machines in Ukraine that have direct access to the Internet?

Of course, no sensible Ukrainian would expose their computers like that. Or would they?

masscan -p445 --rate 300 -iL ukraine.ips -oG ukraine.445.scan && cat ukraine.445.scan | wc -l

5669 Windows machines with direct access to the network were found (in Austria there are only 1273, but even that is a lot).
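A note on counting: piping the grepable output through wc -l counts masscan's header and footer comment lines and any host reported twice. The parser below, an added example that is not part of the original article, counts only distinct hosts with the port actually open; the grepable line layout it assumes ("Host: <ip> ()<TAB>Ports: <port>/<state>/<proto>////") is shown in the constructed sample.

```python
import re

# Constructed sample of masscan -oG output (layout assumed, see lead-in).
SAMPLE_OG = """# Masscan 1.0.5 scan initiated Thu Mar 14 10:00:00 2019
# Ports scanned: TCP(1;445-445) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 203.0.113.10 ()\tPorts: 445/open/tcp////
Host: 203.0.113.11 ()\tPorts: 445/open/tcp////
Host: 203.0.113.10 ()\tPorts: 445/open/tcp////
Host: 203.0.113.12 ()\tPorts: 445/closed/tcp////
# End of scan
"""

LINE_RE = re.compile(r"^Host:\s+(\S+)\s+\(\)\s+Ports:\s+(\d+)/(\w+)/(\w+)")


def raw_line_count(og_text):
    """What `wc -l` would report: every line, comments and duplicates included."""
    return len(og_text.splitlines())


def open_hosts(og_text, port, proto="tcp"):
    """Return the set of distinct hosts that reported <port>/<proto> as open."""
    hosts = set()
    for line in og_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header/footer comments and anything unexpected
        ip, found_port, state, found_proto = m.groups()
        if int(found_port) == port and found_proto == proto and state == "open":
            hosts.add(ip)
    return hosts


if __name__ == "__main__":
    print("wc -l would say:", raw_line_count(SAMPLE_OG))
    print("hosts with 445/tcp open:", len(open_hosts(SAMPLE_OG, 445)))
```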

Oops. Are there any among them that could be attacked with the EternalBlue exploit, which has been public since 2017? There was not a single such machine in Austria, and I hoped none would be found in Ukraine either. Unfortunately, no such luck: 198 IP addresses were found that still have not closed this "hole".

DNS, DDoS and the depth of the rabbit hole

Enough about Windows. Let's see how things stand with DNS servers that are open resolvers and can be abused for DDoS amplification attacks.

It works like this. The attacker sends a small DNS request with a spoofed source address, and the vulnerable server answers the victim with a packet up to 100 times larger. Boom! Corporate networks can quickly collapse under such a volume of data, while the attack itself needs no more bandwidth than a modern smartphone has. Such attacks are not unusual; even GitHub has been hit by one.

Let's see if there are such servers in Ukraine.

masscan -pU:53 -iL ukraine.ips -oG ukraine.53.scan && cat ukraine.53.scan | wc -l

The first step is to find the hosts with port 53 open. The result is a list of 58 IP addresses, but that does not mean all of them can be used for a DDoS attack. A second condition must also hold: the server must be an open resolver.

To check this, we can use a simple dig command:

dig +short test.openresolver.com TXT @ip.of.dns.server

If the server answers with open-resolver-detected, it can be considered a potential amplifier. Open resolvers make up approximately 25% of those servers, which is comparable to Austria. In absolute terms, that is about 0.02% of all Ukrainian IPs.

What else can be found in Ukraine?

Glad you asked. The easiest (and, for me personally, the most interesting) thing to look at is the IPs with port 80 open and what is running on them.

Web servers

260 Ukrainian IPs respond on port 849 (http). 80 addresses answered positively (status 125) to the simple GET request that any browser sends. The rest returned one error or another. Interestingly, 444 servers returned status 200, and the rarest statuses were 853 (proxy authentication required) and the completely non-standard 500 ("IP not in the white list"), seen in a single response.

Apache is absolutely dominant: 544 servers use it. The oldest version I found in Ukraine is 1.3.29, released on October 29, 2003 (!!!). nginx is in second place with 114 servers.

11 servers run on WinCE, which was released in 1996 and stopped receiving patches in 2013 (there are only 4 of these in Austria).

The HTTP/2 protocol uses 5 servers, HTTP/144 - 1.1, HTTP/256 - 836.

Printers…because…why not?

2 HP, 5 Epson and 4 Canon printers are reachable from the Internet, some of them without any authentication at all.

Webcams

It is no news that a LOT of webcams in Ukraine stream themselves to the Internet and are aggregated on various sites. At least 75 cameras stream without any protection whatsoever. You can look at them here.

What's next?

Ukraine, like Austria, is a small country, yet it has the same IT problems as the large ones. We need a better understanding of what is safe and what is dangerous, and equipment manufacturers must ship secure default configurations.

In addition, I am putting together a list of partner companies (become a partner) that can help you ensure the integrity of your own IT infrastructure. The next step I plan is a security review of Ukrainian websites. Stay tuned!

Source: habr.com
