I scanned all of Austria and found ...
... IP cameras, printers, process control systems and much more
Disclaimer: This article is the result of several weeks of work. I informed the server owners about the biggest problems where I could find them, and reported the others to Cert.at. In addition, I did not try to log into any device, service or site that requires a password.
First of all: how to get all the IP addresses of an entire country?
It is very simple. IP addresses are not “generated” by the country, but are assigned by the central authority. This means that there are lists of all IP addresses by country.
Anyone can download such a list. Enter
grep Austria IP2LOCATION-LITE-DB1.CSV > austria.csv
and run a simple script to convert the IP addresses into a convenient format. 11 million IPv4 addresses are allocated to Austria. More precisely, 11,170,487.
If you don't want to bother with IP addresses yourself, use Shodan.io.
First Target: Unpatched Windows
Of course, no system administrator in the country would expose Windows SMB ports to the Internet without filtering, right?
masscan -p445 --rate 300 -iL austria.ips -oG austria.445.scan && cat austria.445.scan | wc -l
Found 1273 fully open Windows systems.
Wow. This fact alone should make system administrators sweat, and ever since the Shadow Brokers published the ETERNALBLUE exploit, most IT specialists agree that leaving unprotected Windows machines exposed on the network is not a good idea.
On the positive side: none of the 1273 machines was vulnerable to ETERNALBLUE.
Enough about Windows, what about open resolvers?
Have you ever heard of open resolvers? If not, have you perhaps heard of DDoS attacks? This is a real problem on the Internet.
It works like this: an attacker sends a small DNS query with a spoofed source IP address (the target of the attack), and the server responds to that IP address with a much larger packet. The attacker spends only 40 bytes of traffic, and the open resolver sends 4,000 bytes to the victim. Thus, an attacker can hit the servers of large companies with massive traffic even from a regular smartphone. This happens quite often.
Let's check how many open resolvers there are in Austria.
Scan all of Austria using UDP port 53
I found exactly 8728 public DNS servers in the country, which is 0.08% of all Austrian IP addresses.
masscan -pU:53 -iL austria.ips -oG austria.53.scan && cat austria.53.scan | wc -l
But that doesn’t mean much. More importantly, are they open resolvers?
Search for open resolvers
The method is simple: using the dig command, we check whether a random address that I provide resolves through this IP. For the file with all IPs, I put the command in a loop:
dig +short test.openresolver.com TXT @ip.of.dns.server
If an open-resolver-detected response is received, the address is logged. Sadly ... using this method, I found that 25% of all Austrian DNS servers were open resolvers. However, overall that is only 0.02% of Austrian IP addresses.
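The open-resolver check above and the amplification ratio from the DDoS explanation, as an added Python example that is not the author's script: it builds the same TXT query for test.openresolver.com, reads the RA flag, RCODE and answer count from the reply header, and reports reply size over query size. The function names, the verdict rule and the sample replies are assumptions constructed for illustration; the page's own method matches on the open-resolver-detected text instead.

```python
import socket
import struct

def build_query(name, qtype=16, txid=0x1234):
    """Recursive (RD=1) DNS query; qtype 16 is TXT, as in the dig command."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def classify(query, response):
    """Return (verdict, amplification factor) for one query/response pair."""
    if len(response) < 12:
        return "malformed", 0.0
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "malformed", 0.0          # wrong transaction ID or QR bit not set
    factor = round(len(response) / len(query), 1)
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused", factor         # REFUSED: recursion denied to this client
    if flags & 0x0080 and rcode == 0 and ancount > 0:
        return "open-resolver", factor   # RA set and the outside name was resolved
    return "no-recursion", factor

def probe(server, name="test.openresolver.com", timeout=3.0):
    """Query a resolver you operate from an outside network and classify it."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-answer", 0.0
    return classify(query, response)

def sample_reply(query, flags, txt=None):
    """Constructed reply bytes for offline use (not captured traffic)."""
    txid = struct.unpack("!H", query[:2])[0]
    reply = struct.pack("!6H", txid, flags, 1, 1 if txt else 0, 0, 0) + query[12:]
    if txt:  # one TXT answer whose owner name is a pointer to offset 12
        rdata = bytes([len(txt)]) + txt
        reply += struct.pack("!3HIH", 0xC00C, 16, 1, 60, len(rdata)) + rdata
    return reply

QUERY = build_query("test.openresolver.com")
OPEN = sample_reply(QUERY, 0x8180, b"open-resolver-detected")   # QR, RD, RA, NOERROR
CLOSED = sample_reply(QUERY, 0x8105)                            # QR, RD, REFUSED
print(classify(QUERY, OPEN), classify(QUERY, CLOSED))
```

The constructed TXT reply is small, so its factor stays below 2; the 40-byte to 4,000-byte ratio in the text corresponds to a factor of 100, which the same function would report for a reply of that size.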
What else is vulnerable in Austria?
I'm glad you asked. The easiest way is to check port 80 (web servers and proxies).
Web servers
67,626 Austrian IP addresses respond on port 80 (http). Of these, 40,776 responded to a simple GET request (the kind a browser sends), and after filtering out the error messages, 17,392 truly working web servers remain.
The most popular is Apache (among those that sent the Server header). The oldest version I found, Apache 1.3.12 from 2012, runs on a Windows server. Double nightmare. I also found four servers on Windows CE devices. This system was released in 1996, and support was completely discontinued in 2013.
Other old devices
Visualization of 17,000 websites
I wrote a script that takes a screenshot of any site using WKHTMLTOIMAGE to create a collage later. The first collage turned out to be rather boring, as many sites display only a white page or error messages. I had to put a filter on the minimum number of colors in the image.
Just keep in mind that these are not all Austrian sites, but only the front pages that the web server provides for all IP addresses.
Here's the collage. Full 3000 × 14500px version takes up 12 MB
Printers ... why not?
I found nine HP printers without logins, fully accessible from the Internet. There were no passwords and even printing worked.
Printers without passwords (yes, I can print on them)
This screenshot also shows the option to send a fax via the website. But the owner was lucky: since the device has a fax number, I called him and he removed his printer from the Internet. Well done!
Webcams
Home security system showing someone’s home.
Someone edited the text layer on top of the picture and wrote “1984”.
These are just two of the more than 300 IP cameras that broadcast video without passwords. If anything, all cameras can be found here.
Lastly, I’ll show you some strange things that I found.
Smart House. Light and speaker control
Conclusion
Austria is a small country, but in the field of information security it has the same problems as the rest. Hazards should be more clearly recognized, and device vendors and manufacturers should help users by offering secure default configurations.
Companies should hire good system administrators to monitor network infrastructure and keep servers up to date.