On 17 December 2011, Kim Jong Un became the leader of North Korea. Two days later, on 19 December 2011, I started my first scan of North Korean Internet space. I was curious to see if their new leader would result in change on their Internet. That was three years ago. I've been keeping an eye on that network now and again.
Ever been curious about what North Korea's Internet looks like? People seem to be interested in that country's use of computers on the Internet more these days for some reason...
Back up a second, how does North Korea get Internet, anyway?
North Korea's Internet access is as unique as many other things about the country are. The country is said to have a fairly large internal domestic internet disconnected from the rest of the world. Most citizens with access to computers are only allowed to access this network, not the global computer network the rest of us connect to. But North Korea isn't completely cut off from the world, select people in North Korea, including government officials, visitors, journalists and other select people, have access to the same network the rest of us do.
Since only a small portion of the country has access to this network, North Korea has an extremely small presence on the Internet. All traffic in and out of North Korea, from computers inside the country to computers anywhere else on the globe, goes through a very limited set of connections. Generally, on a physical level, North Korean access to the Internet has been through a connection on the border with China, or through satellite links.
All IP addresses come in blocks and those blocks come in two flavors: allocated or assigned. Generally, allocated IP addresses are given to a network directly and are under complete control of that network. North Korea's direct IP allocation consists of 1024 IP addresses, which is where most of their Internet-visible network exists today, these are the addresses I scanned.
The allocated North Korean network range is 126.96.36.199/22:
inetnum: 188.8.131.52 - 184.108.40.206 netname: STAR-KP descr: Ryugyong-dong descr: Potong-gang District country: KP status: ALLOCATED PORTABLE mnt-by: APNIC-HM mnt-lower: MAINT-STAR-KP mnt-routes: MAINT-STAR-KP changed: 20091221 source: APNIC
North Korea also has two more blocks that are assigned to it, which means that another network has ultimate control over the addresses, but North Korea's computers are allowed to use them:
- 220.127.116.11/24 — this block is assigned to North Korea through China Unicom and was their original source of IP addresses before they were allocated their first block:
inetnum: 18.104.22.168 - 22.214.171.124 netname: KPTC country: CN descr: Customer of CNC status: ASSIGNED NON-PORTABLE changed: 20040803 mnt-by: MAINT-CN-ZM28 source: APNIC
- 126.96.36.199/24 — this block is assigned to North Korea by SatGate, a Russian Satellite company, and is the only block of known North Korea IPs under the European RIPE Registry as opposed to APNIC, the registry for the Asian Pacific region:
inetnum: 188.8.131.52 - 184.108.40.206 netname: SATGATE-FILESTREAM descr: Korean network country: KP admin-c: AVA205-RIPE admin-c: EVE7-RIPE tech-c: PPU4-RIPE tech-c: ANM47-RIPE status: ASSIGNED PA mnt-by: SATGATE-MNT source: RIPE
As you can see on the coverage map for SatGate, service to North Korea isn't likely coming from SatGate's known satellite beams. Instead, while the IP address allocation is coming through SatGate, the Internet service itself is likely coming through IntelSat. There's a number of IntelSat Satellites which could be providing service. IntelSat 22 has a good coverage pattern of the area:
But a bunch of their other satellites also provide coverage to parts of the Korean Peninsula with varying degrees of strength.
Most of the data we have, particularly the data gathered by the excellent Dyn Research (neé Renesys), seems to indicate that almost all North Korean traffic routes through China Unicom. The satellite connection is just a backup.
Anyway, long story short. My port scans focus solely on the 1024 IP addresses allocated to North Korea directly. This also appears to be the addresses the North Korean Internet services are actively using.
I've been doing some scans for a while. Unfortunately not all of them completed, for various reasons. I've included the ones that got a good section of the IP space. Three of them (March 2012, June 2014 & September 2014) are complete scans of the block. The rest are partial scans, usually hitting 80% of the block or so, before the log was truncated. All my scans were generated using the following commands with the well-known nmap port scanner:
nmap -p1-65535 -sV -O 220.127.116.11/22 -T4 > nk.scan & nmap -p1-65535 -sV -O 18.104.22.168/22 -T4 -Pn > nkall.scan &
Essentially, I scanned every port on every IP address, asking nmap to do its best with service detection and OS detection.
Feel free to browse through the scan logs. You can find them here. Share what you find.
There's also a filtered.scan file in each directory which has some basic filtering away of non-essential information. Feel free to browse through that instead of the raw logs.
Some things I've noticed
One of the things I was most interested in is trying to determine whether or not the number of visible computers on the Internet increased in North Korea after the power transition from Kim Jong Il to Kim Jong Un. The answer there is that for the most part, it hasn't increased much in terms of number of directly visible hosts, but if you look at the scans, you get the impression they're using it more.
You can also tell a bit about what North Korea's infrastructure looks like and how they run things. First off, most of North Korea's infrastructure runs on Linux. This probably isn't a huge surprise, since we know North Korea has their own Linux distro, Red Star OS, so it's easy to guess they might be fans. Luckily, Apache tends to report the flavor of Linux. And indeed, starting in scans this year, you see that some of their public facing web servers are running RedStar:
Nmap scan report for naenara.com.kp (22.214.171.124) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.2.15 ((RedStar 3.0) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.0-fips)
The latest scan includes three RedStar machines. Interestingly, the Red Hat machines they had running in earlier scans disappeared about this time, so it might be they deployed Red Star OS to replace their Red Hat machines.
They also use CentOS (4 in the latest scan, more than RedStar), a number of machines that don't report the flavor used and one machine which merely reports (Unix).
North Korea generally wants your new software stacks to get off their lawn. They haven't embraced the Web 2.X rails chop shop style web development popular in some other countries. Instead their webservers have active modules or services for JSP, PHP, Perl and Python. Their choice of server software is similar: Apache for HTTP (web), BIND for DNS and Cisco equipment at the border. For SMTP (email), they expose a bunch of different services, from Cisco PIX smptd running on their routers, to sendmail on a machine. Their mailservers sometimes expose Cyrus on POP3's port. Oh, they're also into Icecast for their streaming media servers, though it's unclear whether they're still using the same thing now. They've also had some Windows machines running IIS, (up until about 2013 or so) so they've got a more diverse infrastructure environment going on than just Linux machines everywhere.
For the most part, their infrastructure hasn't changed a whole bunch over the period I've been scanning them. Though North Korea does seem to bring up an increasing number of sites running on the various webservers they have on their slice of the Internet.
One of their routers appear to be configurable remotely, which is one of those things likely to catch eyes:
Nmap scan report for 126.96.36.199 Not shown: 65523 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh Cisco SSH 1.25 (protocol 1.99) 23/tcp open telnet Cisco router telnetd 80/tcp open http Cisco IOS http config 443/tcp open ssl/http Cisco IOS http config
So that's a quick view of some of the visible infrastructure-y parts of their network. I just grabbed the highlights, leaning towards the more current scans. There's a bunch of different services running, browse through the full scans for more.
More interesting is the computers that show up on their network, even for brief periods of time. It seems that while most computers in North Korea are kept behind the edge infrastructure, some computer does show up right on the public Internet.
Apples apples everywhere, but not a bite to eat
In a 20 March 2012 scan, I saw MacBook Air that reported itself as 4,1 model which means it was a "Late 2008" model. It's got a pretty unusual networking footprint, not something you see out of the box:
map scan report for 188.8.131.52 Host is up (0.35s latency). Not shown: 65521 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.6 (protocol 2.0) 88/tcp open kerberos-sec Microsoft Windows kerberos-sec 135/tcp filtered msrpc 136/tcp filtered profile 137/tcp filtered netbios-ns 138/tcp filtered netbios-dgm 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds 548/tcp open afp? 593/tcp filtered http-rpc-epmap 3689/tcp open rendezvous? 4444/tcp filtered krb524 4488/tcp open unknown 5900/tcp open vnc Apple remote desktop vnc 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cg i-bin/servicefp-submit.cgi : SF-Port548-TCP:V=5.50%I=7%D=3/20%Time=4F687DAA%P=x86_64-redhat-linux-gnu%r SF:(SSLSessionReq,223,"\x01\x03\0\0Q\xec\xff\xff\0\0\x02\x13\0\0\0\0\x000\ SF:0>\0b\0\0\x9f\xfb\x1badministrator\xd5s\x20MacBook\x20Air\0\x9b\0\xab\0 SF:\xff\x01p\x01\x8f\rMacBookAir4,1\x05\x06AFP3\.4\x06AFP3\.3\x06AFP3\.2\x SF:06AFP3\.1\x06AFPX03\x06\tDHCAST128\x04DHX2\x06Recon1\rClient\x20Krb\x20 SF:v2\x03GSS\x0fNo\x20User\x20Authent\x15\+\xc3\xd9\xf9Q\[\xc7\xa1\x02\xa7 SF:D\x88D\xb2\(\x05\x08\x02\xaf-\xb1&\x02\$\x14\x07\xfe\x80\0\0\0\0\0\0\x0 SF:2\0\0\xff\xfe\0\r\x06\x02\$\x14\x07\xfe\x80\0\0\0\0\0\0b\xc5G\xff\xfe\x SF:03\[f\x02\$\x14\x07\xfd\0e\x87R\xd7!\xa4b\xc5G\xff\xfe\x03\[f\x02\$\x0f SF:\x04175\.45\.177\.38\x01oafpserver/LKDC:SHA1\.AA6C3E197C870B839764D57E8 SF:9AF4A940C95B060@LKDC:SHA1\.AA6C3E197C870B839764D57E89AF4A940C95B060\0\x SF:1dadministrator\xe2\x80\x99s\x20MacBook\x20Air\0\0\0\x80`~\x06\x06\+\x0
My guess is this means the MacBook was running RECON Suite which is apparently some sort of enterprise system management software. I'm not too familiar with it.
Bottom line: there are MacBooks in North Korea. This one might be some journalist's machine, which seems like a likely explanation. Though there are really more services running on it than one would think would be a good idea. VNC? On public North Korean IP space? You sure that's a good idea?
Lest you think that North Korea is completely backwards and can't get keep up with new technologies, let's set something straight right now. They've totally got VMware:
Nmap scan report for 184.108.40.206 Not shown: 65534 filtered ports PORT STATE SERVICE VERSION 912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|phone Running: Microsoft Windows 2008|Phone|Vista|7 OS CPE: cpe:/o:microsoft:windows_server_2008::beta3 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_7 OS details: Microsoft Windows Server 2008 Beta 3, Microsoft Windows Phone 7.5, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
This looks like your standard Windows machine running in a VM. I didn't see evidence of these on the network until September 2014 or so. Which means exposing virtual machines on the public Internet may be a newer thing for them. But even so, they've probably been playing with it inside their internal network for awhile now.
Enjoy the scans, have fun, let folks know if you see anything interesting.
Credits, Sources, etc.
Your friendly North Korean network observer: nknetobserver
Excellent routing analysis: Renesys (now Dyn Research)
Other analysis of North Korea's network space: HP Security Research
SatGate coverage map: http://satgate.net/images/new_maps/map_index.jpg
IntelSat coverage maps: http://exnetapps.intelsat.com/flash/coverage-maps/index.html