Cyberspelunking: A 2600 Guide to Exploring the Internet
by //dug0ut
We have a term for the weekend curiosities known to hackers. Instead of spending too much time going into the details of what we actually did (in a way that only we ourselves really understood), we would simply smile and say that we went "cyberspelunking." We knew that we each had our own definition for it, and that we didn't fully understand the others', but we knew that it meant that the other was deep in thought chasing some curious itch down repeated rabbit holes for nothing other than the joy of learning something new. Sometimes it was code. Sometimes it was a new or really old operating system. Sometimes it was a network. Sometimes it was a boat, school bus, crock-pot, radio, television, or any other oddity that caught someone's interest to an unhealthy degree.
We called it cyberspelunking because people got uncomfortable when they overheard the word "hacking," or would join in with a mocking tone. Cyberspelunking seems to be an accurate way of conveying the same curiosities with a positive connotation or, at the very least, with a word that society has not yet twisted. The phrase was coined by a former boss of mine who would ask what we did over the weekend but, not being as technical as the rest of us, would quickly get bored or lose interest. It was never rude, and he enjoyed our excitement. Around this time, he was planning his retirement adventures. One day, he was reading a magazine about spelunking, called me over, and giggled while asking me what did for the weekend. Before I had a chance to answer, he asked "Did you do some cyberspelunking?!" and continued to chuckle to himself.
He retired shortly after, began his adventures with his wife, but sadly passed away a few months later.
I thought the phrase was perfect, and that small encounter plays in my head quite often.
No Set of Steps - Go Explore
Spelunking is the act of cave exploration, and cyber is the buzzword of choice for the Internet. Cyberspelunking is simply the act of exploring the Internet in a non-malicious manner. There is just as much to learn from Open-Source Intelligence (OSINT) as there is from trespassing and exploitation. I like to discover and explore the infrastructure of other countries. Everyone experiences the Internet differently and I like to try to imagine how someone from a foreign country would experience the Internet.
What is Belize Like?
Let's take a look at the infrastructure of Belize. It isn't a place I know much about, other than that it is small and it is a popular tourist location at the moment. I like to start with Wikipedia for a quick summary. You'll often find information about population size, telecom providers, brief history, and sometimes Top-Level Domains (TLDs) or links to government sites for that country. The official Belize Wikipedia entry is all we are after here.
A brief review of the wiki entry provides some useful information for us to get started with. The population size is right around 400,000 people, which is pretty damn small. There are multiple languages spoken, and multiple ethnicities living throughout the country. It appears that there are two primary telecom providers: Belize Telemedia Limited and Speednet. Speednet was created to attempt to break the monopoly of BTL. There are official wiki entries for both companies, each linking to their official domains.
There appear to be over a dozen colleges/universities in Belize. The .bz TLD is the official TLD for Belize, and it is maintained by the University of Belize. The other official TLDs are com.bz, .edu.bz, .gov.bz, .net.bz, and .org.bz, but it appears that standard .net, .com, .org, and also .biz are common for Belizians. It looks like the "Telecommunications in Belize" wiki entry has done a lot of legwork for me.
It appears that most of these stats come from 2012. I doubt this is still accurate, as I'm sure more IPv4 addresses have been allocated since then. I'm also sure there are more hosts online, and the number of Internet users increased. This still seems like a manageable amount for us to dig through.
Belize Internet Routes - BGP ASN FTW LOL
I'm not that awesome at routing. It is something that I've always planned on studying harder, but instead I just pick up more tidbits here and there. I am familiar with BGP Sinkhole attacks (yay - something else for you to search), which is enough for me to know that the Border Gateway Protocol (BGP) used by most larger entities will be broadcasting the routes for BTL and Speednet as well as any other large provider.
In order to find the routes, first we have to find the Autonomous System Number (ASN) registered to the telecom providers. MX ToolBox has always been reliable and has been online for a while now. If it is down, there are plenty of other BGP ASN search tools. I've gone ahead and provided the ASNs and the netblocks they're advertising now.
AS10269 - Belize Telemedia Limited
170.0.180.0/22 170.0.182.0/24 179.42.192.0/18 179.42.192.0/18 190.197.0.0/17 190.197.0.0/20 190.197.17.0/24 190.197.18.0/23 190.197.20.0/22 190.197.24.0/21 190.197.32.0/20 190.197.48.0/22 190.197.51.0/24 190.197.53.0/24 190.197.56.0/22 190.197.58.0/24 190.197.60.0/22 190.197.64.0/19 190.197.96.0/22 190.197.96.0/24 190.197.100.0/22 190.197.104.0/24 190.197.104.0/21 190.197.110.0/24 190.197.112.0/22 190.197.115.0/24 190.197.116.0/22 190.197.120.0/21 200.32.192.0/24 200.32.192.0/19 200.32.192.0/18 200.32.195.0/24 200.32.198.0/24 200.32.205.0/24 200.32.213.0/24 200.32.218.0/24 200.32.221.0/24 200.32.222.0/23 200.32.224.0/22 200.32.228.0/24 200.32.228.0/22 200.32.232.0/21 200.32.240.0/20 200.32.253.0/24 |
AS262239 - Speednet Communications Limited
186.65.88.0/22 196.52.81.0/24 196.55.4.0/24 |
AS266762 - Smart Com (Belize) Limited
45.234.88.0/22 |
A Quick Dive
Throughout this process, I saw plenty more AS numbers. I will leave those for you to find. AS266762 was downstream of AS262239, so I went ahead and included it. There were quite a few downstream of BTL. Those downstream addresses are likely to be small ISP resellers. Let's check out AS266762 because it is only advertising a small number of address ranges.
I like to start with censys.io to check address ranges for open ports, while other people like Shodan. I say use both.
For those that are unfamiliar, Censys and Shodan are Internet search engines which constantly scan ports instead of crawling web pages like traditional search engines. Searching for the address ranges listed under AS266762, I found a surprising amount of Telnet and SSH ports open, and plenty of web services. Let's do our scan for common web ports and then use AQUATONE to connect up and screenshot them all.
$ nmap -Pn -n -sT -vv -T 5 --open -p 80,81,82,443,8080,8180,8181,8888,8443,9443,8000,1080,3128 45.234.88.0/22 -oA smart-bz-webports $ cat smart-bz-webports.xml | ./aquatone -nmap |
AQUATONE will go through every open port found in the Nmap scan and attempt to take a screenshot of the landing page. In the directory that you ran AQUATONE from, there will be multiple folders and a report.html. View the report in your web browser, and you'll see the screenshots grouped together based on similar services found. In my case, I found quite a few firewalls, a few VPNs, some webcams, and some electrical boxes.
I don't crack accounts, but I'll try logging in with default credentials. Especially if it is a system I have never encountered before. When doing this, I never make any changes or interact with anything that could potentially cause a change. I like to check logs to see who else has been here. I like to look through configs and see where else they lead me.
One "smart electric meter" I found contained default credentials (found with a quick Yandex/Google search). Upon logging in, I was greeted with a large warning screen which stated that real electrical systems were being maintained by this device, and that dumb changes have the potential for physical damage or harm. I was prompted to change the password, but was given the option to skip. Always skip. (How dumb is that though? An admin set this up. Why were they not forced to change it then? Horrible practice for them, but it works out for us.) Looking through the logs showed that someone else had been there before us by a few weeks. The device was sending reports via email, and showed the Yahoo! account which was receiving the reports. The more malicious individuals may change the SMTP server setting to a server they control and capture the email creds, but I chose to do some quick OSINT over the address instead.
A quick Yandex/Google search immediately took me to a Facebook page of a small electrician contractor in Belize. Interesting, and makes sense based off how we found the address. Maybe send a quick email and let them know their system is open. There isn't too much more to do on the device, so it's time to move on.
I'll leave the rest of the exploration to you.
Happy Hacking!
Safe Spelunking!