
I scanned all of Austria and found ...

... IP cameras, printers, automated process control systems and much more


Disclaimer: this article is the result of several weeks of work. I reported the biggest problems to the server owners where I could identify them, and the rest to CERT.at. I also did not try to enter any device, service or site that required a password.

First of all: how to get all the IP-addresses of the whole country?

It is very simple. IP addresses are not "generated" by a country; they are allocated centrally (by IANA to the regional registries, RIPE NCC for Europe, and from there to ISPs), and geolocation databases map those allocations to countries. So there are ready-made lists of all IP addresses per country.

Anyone can download such a list. Type grep Austria IP2LOCATION-LITE-DB1.CSV > austria.csv and run a simple script to convert the ranges (the DB1 CSV stores the first and last address of each range as integers) into a format a scanner accepts.
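Such a conversion script, as an added example that is not from the original article: it assumes the IP2Location LITE DB1 CSV layout (ip_from and ip_to as 32-bit integers, then country code and country name, which is what the grep above matches on) and turns each range into the CIDR blocks that masscan's -iL file accepts, merging adjacent blocks. The sample rows are constructed from documentation address space, not real IP2Location data.

```python
"""Turn IP2Location LITE DB1 rows for one country into masscan targets.

Assumed DB1 layout (one CSV row per range):
    "ip_from","ip_to","country_code","country_name"
where ip_from / ip_to are the first and last address as 32-bit integers.
masscan's -iL file accepts CIDR blocks, so every range is summarized into
the minimal set of CIDRs and adjacent blocks are merged.
"""
import csv
import io
import ipaddress
import sys
from typing import Iterable, Iterator, List, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def country_ranges(rows: Iterable[List[str]], country: str) -> Iterator[Range]:
    """Yield (first, last) for rows whose country code or name equals `country`."""
    for row in rows:
        if len(row) < 4:
            continue  # malformed or empty line
        ip_from, ip_to, code, name = row[:4]
        if country in (code, name):
            yield (ipaddress.IPv4Address(int(ip_from)),
                   ipaddress.IPv4Address(int(ip_to)))


def ranges_to_cidrs(ranges: Iterable[Range]) -> List[str]:
    """Summarize arbitrary first-last ranges into CIDRs and merge neighbours."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(first, last))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def count_addresses(cidrs: Iterable[str]) -> int:
    """Number of IPv4 addresses covered by the target list."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)


def convert(csv_text: str, country: str) -> List[str]:
    """CSV text -> sorted list of CIDR strings for `country`."""
    reader = csv.reader(io.StringIO(csv_text))
    return ranges_to_cidrs(country_ranges(reader, country))


# Constructed sample rows (documentation address space, NOT real IP2Location data).
# The two "AT" rows inside 192.0.2.0/24 are adjacent and should merge into one /24.
SAMPLE_CSV = '''"3221225984","3221225999","AT","Austria"
"3221226000","3221226239","AT","Austria"
"3325256704","3325256959","AT","Austria"
"3405803776","3405804031","AT","Austria"
"3405804032","3405804047","DE","Germany"
'''


if __name__ == "__main__":
    # Usage: python ip2loc2masscan.py IP2LOCATION-LITE-DB1.CSV Austria > austria.ips
    if len(sys.argv) == 3:
        with open(sys.argv[1], newline="") as fh:
            targets = convert(fh.read(), sys.argv[2])
    else:
        targets = convert(SAMPLE_CSV, "Austria")
    print("\n".join(targets))
    print(f"# {count_addresses(targets)} addresses", file=sys.stderr)
```

The resulting file is what the masscan commands further down take via -iL; count_addresses is a quick sanity check that the list really covers the number of addresses the registry data says it should.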

11 million IPv4 addresses are allocated to Austria; 11,170,487, to be precise.

If you do not want to deal with the address lists yourself, use Shodan.io.

First target: unpatched Windows


Of course, no sysadmin in the country would expose Windows SMB (port 445) to the Internet unfiltered, right?

masscan -p445 --rate 300 -iL austria.ips -oG austria.445.scan && grep -c 'Host:' austria.445.scan

(The grepable output also contains "# ..." comment lines, so count the result lines rather than piping the whole file through wc -l.)

1273 Windows systems with SMB fully open to the Internet.

Wow. This fact alone should make system administrators sweat. Since the Shadow Brokers published the ETERNALBLUE exploit (for the SMBv1 flaw patched in MS17-010) in April 2017, most IT people agree that exposing unprotected Windows SMB to the Internet is a bad idea.

A positive point: none of the 1273 machines were vulnerable to ETERNALBLUE .

Enough about Windows, what about open resolvers?


Have you ever heard of open resolvers? If not, you have surely heard of DDoS attacks. Open resolvers are a real problem on the Internet because they make those attacks cheap.

It works like this: the attacker sends a small DNS query with a forged source address (the victim's), and because UDP has no handshake the resolver sends its much larger reply to that address. The attacker spends about 40 bytes per query; an open resolver returns up to 4,000 bytes to the victim, an amplification of roughly 100x. That is how someone with a modest uplink, even a regular smartphone, can flood the servers of a large company with traffic. It happens all the time. Source-address spoofing is what makes this possible (which is why ISPs are supposed to filter it, see BCP 38), and open resolvers are what make it cheap.

Let's check how many open resolvers there are in Austria.

We scan all of Austria on UDP port 53.


masscan -pU:53 -iL austria.ips -oG austria.53.scan && grep -c 'Host:' austria.53.scan

I found exactly 8728 publicly reachable DNS servers in the country, which is 0.08% of all Austrian IP addresses.
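Counting lines of the grepable output overcounts: masscan writes comment lines, and a host shows up twice when a retried probe (--retries) gets a second answer. Here is a small parser, added as an example and not code from the article, that deduplicates hosts per port and state; it serves both the port 445 scan above and the UDP 53 scan here. The sample output is constructed to mimic masscan's -oG format (the "Host:" and "Ports:" fields the parser keys on) and is not real scan data.

```python
"""Parse masscan grepable (-oG) output and count open hosts properly.

`wc -l` on the file counts masscan's "# ..." comment lines and counts a
host twice when a retried probe (--retries) gets a second answer. This
parser skips comments and deduplicates per (host, port, protocol, state).
The regexes only rely on the "Host: <ip>" and "Ports: <port>/<state>/<proto>"
fields that masscan writes on each result line.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Set

HOST_RE = re.compile(r"Host:\s*(\S+)")
PORT_RE = re.compile(r"Ports:\s*(\d+)/(\w+)/(\w+)")


class Finding(NamedTuple):
    ip: str
    port: int
    state: str   # open / closed
    proto: str   # tcp / udp


def parse_grepable(lines: Iterable[str]) -> List[Finding]:
    """One Finding per result line; comment lines and junk are ignored."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host = HOST_RE.search(line)
        port = PORT_RE.search(line)
        if host and port:
            findings.append(Finding(host.group(1), int(port.group(1)),
                                    port.group(2), port.group(3)))
    return findings


def open_hosts(findings: Iterable[Finding], port: int, proto: str = "tcp") -> Set[str]:
    """Unique IPs that answered `port`/`proto` with state open."""
    return {f.ip for f in findings
            if f.port == port and f.proto == proto and f.state == "open"}


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Unique hosts per 'port/proto/state', e.g. {'445/tcp/open': 2}."""
    seen = {(f.ip, f.port, f.proto, f.state) for f in findings}
    counts = Counter(f"{p}/{pr}/{st}" for _, p, pr, st in seen)
    return dict(sorted(counts.items()))


def naive_line_count(text: str) -> int:
    """What `wc -l` would report for the same file."""
    return len(text.splitlines())


# Constructed sample output in masscan's -oG shape (not real scan data).
# 203.0.113.10 appears twice, as happens when --retries > 0.
SAMPLE_445 = """# Masscan 1.0.6 scan initiated Sun Feb 10 10:00:00 2019
# Ports scanned: TCP(1;445-445) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Timestamp: 1549792800\tHost: 203.0.113.10 ()\tPorts: 445/open/tcp////
Timestamp: 1549792801\tHost: 203.0.113.11 ()\tPorts: 445/open/tcp////
Timestamp: 1549792802\tHost: 203.0.113.10 ()\tPorts: 445/open/tcp////
# End
"""

SAMPLE_53 = """# Masscan 1.0.6 scan initiated Sun Feb 10 12:00:00 2019
# Ports scanned: TCP(0;) UDP(1;53-53) SCTP(0;) PROTOCOLS(0;)
Timestamp: 1549800000\tHost: 198.51.100.5 ()\tPorts: 53/open/udp////
Timestamp: 1549800001\tHost: 198.51.100.6 ()\tPorts: 53/open/udp////
# End
"""


if __name__ == "__main__":
    smb = parse_grepable(SAMPLE_445.splitlines())
    print("wc -l says", naive_line_count(SAMPLE_445),
          "but unique open SMB hosts:", len(open_hosts(smb, 445)))
    print(summarize(parse_grepable(SAMPLE_53.splitlines())))
```

The set returned by open_hosts is the list you feed into the next step (the dig check for port 53, or an MS17-010 check for port 445), so deduplicating here avoids probing the same host twice.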

But that alone says little. What matters is whether they are open resolvers.

Search for open resolvers


The method is simple: using dig, I ask each server to resolve a name it is not authoritative for and see whether it performs the lookup. For every IP in the file I run dig +short test.openresolver.com TXT @ip.of.dns.server; if the reply contains open-resolver-detected, the address is written to the log.
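The query and reply behind that dig check, as an added example that is not taken from the article: it builds the same TXT query for test.openresolver.com (the name and the open-resolver-detected answer are the ones the article uses; the wire-format code and the plain-UDP, no-EDNS assumption are mine), sends it to a server, and reports whether the server recursed and how many bytes came back per byte sent, which is the amplification ratio from the DDoS explanation above. build_sample_response constructs an offline reply so the parser can be exercised without touching the network.

```python
"""Ask a name server to resolve test.openresolver.com TXT, as `dig` does.

An open (recursive) resolver answers with RCODE 0, RA=1 and the TXT
"open-resolver-detected"; an authoritative-only server says REFUSED or
returns no answer. Reply length / query length is the amplification an
attacker would get from this server. Assumes plain UDP without EDNS.
"""
import random
import socket
import struct
from typing import Dict, List, Optional, Tuple

QTYPE_TXT = 16
OPEN_MARKER = "open-resolver-detected"


def encode_name(name: str) -> bytes:
    """'a.b.c' -> length-prefixed labels + terminating zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int, qtype: int = QTYPE_TXT) -> bytes:
    """Header: id, flags 0x0100 (RD=1), QDCOUNT=1; then one question."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name that may use compression pointers; return (name, end offset)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                    # pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> Dict:
    """Return id, rcode, RA flag and the TXT strings in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                          # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    txts: List[str] = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:                   # rdata = sequence of <len><chars>
            i, parts = 0, []
            while i < len(rdata):
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
                i += 1 + rdata[i]
            txts.append("".join(parts))
    return {"id": txid, "rcode": flags & 0xF, "ra": bool(flags & 0x80), "txt": txts}


def is_open_resolver(resp: Dict, txid: int) -> bool:
    """Only trust a reply carrying our transaction id (a spoofed reply would not)."""
    return resp["id"] == txid and resp["rcode"] == 0 and any(OPEN_MARKER in t for t in resp["txt"])


def probe(server_ip: str, name: str = "test.openresolver.com", timeout: float = 2.0) -> Optional[Dict]:
    """Send one query over UDP; None on timeout. Needs network access."""
    txid = random.randrange(1, 0x10000)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server_ip, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    resp = parse_response(data)
    resp["open"] = is_open_resolver(resp, txid)
    resp["amplification"] = round(len(data) / len(query), 1)
    return resp


def build_sample_response(txid: int, txt: Optional[str], rcode: int = 0) -> bytes:
    """Constructed reply for offline testing: QR|RD|RA set; the answer name is a
    compression pointer (0xC00C) back to the question name, as real servers do."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0 if txt is None else 1, 0, 0)
    question = encode_name("test.openresolver.com") + struct.pack("!HH", QTYPE_TXT, 1)
    if txt is None:
        return header + question
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    return header + question + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:                      # python probe.py <dns-server-ip> ...
        print(ip, probe(ip))
```

Note that the query is 39 bytes of DNS payload, in line with the "40 bytes" figure above; a resolver that returns a REFUSED with no answer section is behaving correctly and is not logged. Checking the transaction id matters because a scan like this is itself an easy target for spoofed replies.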

Sadly, using this method I found that 25% of all Austrian DNS servers were open resolvers. In absolute terms that is still only 0.02% of Austrian IP addresses.

What else is vulnerable in Austria?


I'm glad you asked. The easiest thing to check is port 80 (web servers and proxies).

Web servers


67,626 Austrian IP addresses answered on port 80 (HTTP). Of these, 40,776 responded to a simple GET request (the kind any browser sends), and after discarding error responses, 17,392 actually working web servers remain.


The most popular server is Apache (among those that sent a Server header at all). The oldest version I found, Apache 1.3.12 from 2012, runs on a Windows server. Double nightmare.
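A minimal version of the GET-and-filter step, added here as an example and not the article's own script: it sends the request a browser would, splits the status line from the headers, classifies the answer as working (2xx/3xx), error (4xx/5xx), not HTTP at all, or no response, and pulls product and version out of the Server header. The sample responses are constructed; only the Apache/1.3.12 banner mirrors the finding above.

```python
"""Minimal HTTP banner grab and response classification for port 80.

Sends the GET a browser would send (HTTP/1.1 requires a Host header),
then sorts the answer into: working (2xx/3xx), error (4xx/5xx),
not-http (something else listening) or no-response, and pulls the
product/version out of the Server header.
"""
import socket
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple


def http_get_raw(ip: str, port: int = 80, timeout: float = 3.0) -> Optional[bytes]:
    """Fetch '/' by IP and return the raw reply (capped at 64 KiB), None on failure."""
    req = (f"GET / HTTP/1.1\r\nHost: {ip}\r\nUser-Agent: Mozilla/5.0\r\n"
           f"Connection: close\r\n\r\n").encode("ascii")
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(req)
            chunks, total = [], 0
            while total < 65536:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
            return b"".join(chunks)
    except OSError:            # refused, reset, timeout (socket.timeout is an OSError)
        return None


def classify(raw: Optional[bytes]) -> Dict[str, Optional[object]]:
    """Parse status line + headers; 'category' is what the filtering step keys on."""
    if raw is None:
        return {"category": "no-response", "status": None, "server": None}
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return {"category": "not-http", "status": None, "server": None}
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    category = "working" if 200 <= status < 400 else "error"
    return {"category": category, "status": status, "server": headers.get("server")}


def server_product(server: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """'Apache/1.3.12 (Win32)' -> ('Apache', '1.3.12'); missing pieces become None."""
    if not server:
        return (None, None)
    name, _, version = server.split()[0].partition("/")
    return (name, version or None)


def tally(raws: Iterable[Optional[bytes]]) -> Dict[str, int]:
    """Category counts over many replies: the kind of numbers reported above."""
    return dict(Counter(classify(r)["category"] for r in raws))


# Constructed replies (not captured traffic). Only the Apache/1.3.12 banner
# mirrors the finding in the text.
SAMPLES = {
    "apache-win32": b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.12 (Win32)\r\n"
                    b"Content-Type: text/html\r\n\r\n<html><body>It works!</body></html>",
    "iis-redirect": b"HTTP/1.1 302 Found\r\nLocation: https://203.0.113.10/\r\n"
                    b"Server: Microsoft-IIS/7.5\r\n\r\n",
    "nginx-forbidden": b"HTTP/1.1 403 Forbidden\r\nServer: nginx/1.14.0\r\n\r\n",
    "no-server-header": b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "ssh-on-80": b"SSH-2.0-OpenSSH_7.4\r\n",
    "timeout": None,
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        info = classify(raw)
        print(f"{label:18} {info['category']:12} {server_product(info['server'])}")
    print(tally(SAMPLES.values()))
```

Two caveats a practitioner should keep in mind: a Server header is self-reported and easily faked or stripped, so version statistics built from it are a lower bound at best, and requesting "/" by bare IP only shows the server's default virtual host, which is why the numbers above say nothing about how many Austrian sites exist.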

I also found four servers running on Windows CE devices. That system was released in 1996, and support was completely discontinued in 2013.


Other old devices

Visualizing 17,000 websites


I wrote a script that takes a screenshot of each site with WKHTMLTOIMAGE so I could build a collage later. The first collage turned out rather boring, since many sites show only a white page or an error message, so I had to add a filter on the minimum number of distinct colors in the image.

Keep in mind that these are not all Austrian sites, only the default pages the web servers return when accessed directly by IP address.

Here is the collage.


Full version: 3000 × 14500 px, 12 MB

Printers... why not?


I found nine HP printers with no login at all, fully reachable from the Internet. There were no passwords, and even printing worked.


Printers without passwords (yes, I could print on them)

These screenshots show the option to send a fax through the web interface. But the owner was lucky: since the device displays its fax number, I called him, and he removed the printer from the Internet. Well done!

Webcams



Home security system showing someone's home


Someone edited the text layer on top of the image and wrote “1984”

These are just two of the more than 300 IP cameras streaming video without a password. If you are interested, all the cameras can be found here.

Finally, I'll show you some weird things I found.



Smart House. Control of light and speakers


Sewage treatment plant

Conclusion


Austria is a small country, but in information security it has the same problems as everyone else. The risks need to be recognized more clearly, and device vendors and manufacturers should help users by shipping secure default configurations.

Companies should hire good system administrators to monitor their network infrastructure and keep their servers up to date.

Source: https://habr.com/ru/post/440976/