mercredi 29 mai 2013

Hands on Iranian Internet - Part 1 : where is Charly ?

A couple of months ago, we've been investigating on Blue Coat Systems role in syrian censorship and a large scale man in the middle attack. A few days ago, some Telecomix agents posted a scary paste on Pastebin. Blue Coat is still selling hardware to syria, dispite a $ 2,800,000 fine for circumventing the embargo on Syria last year. It's a fact that Middle East is a wide market for some french (like Qosmos or Amesys) and american firms (like Cisco or Blue Coat).

Blue Coat Systems sells a wide range of security appliances including advanced cache control, deep packet inspection, trafic shaping and firewall features. In other words, those security appliance can be used for networks security purposes as well for networks censorship and surveillance. Selling this kind of devices to Iran or Syria is not a trivial business. We all know that a connected devices, a computer or a smartphone can be your best friend and your worst enemy too, especially in a country where bloggers are sentenced up to 19 and a half years in prison.

After yesterday's article exposing brand new Blue Coat devices in Syria, we focused on Syria's best allies. So we naturally focused on Iran. ShodanHQ previously identified 171 Blue Coat devices all concentrated in two cities : Chadegan (138 devices) and Shahreza (33 devices). Theses devices are owned by local iranian ISP and mobile operators. Blue Coat seems to be very popular in Iran, but Cisco remains leader on iranian market.
Several europeans and americans hardware manufacturers sell censorship and surveillances solutions in Iran.

Let's visit iranian Internet

ISP : Ravand IR : (Nmap Scan)
descr:          RAV-164-138-21-0-0
origin:         AS59431
mnt-by:         AA97621-MNT
source:         RIPE # Filtered

If you need to keep an eye on iranians connectivity, here is where to have a look : 

MRTG crashes in the iranian way are quite funny because they give you the username and password of the database :
But let's watch the internetz as an iranian do, from Jahanonline Network
Ok, so we have Facebook, Twitter and Youtube filtered... but not Youporn. I guess mollahs are scared by people who communicates with each other, but porn seems ok ;)

The filtering is a basic DNS filtering, iranian can access Facebook Twitter or Youtube using IP the adress instead of domain name :

# ping
PING ( 56 data bytes
64 bytes from seq=0 ttl=74 time=292.632 ms
64 bytes from seq=1 ttl=74 time=301.794 ms
64 bytes from seq=2 ttl=74 time=298.166 ms
64 bytes from seq=3 ttl=74 time=282.198 ms

--- ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 282.198/293.697/301.794 ms
XM.v5.3.2# ping facebook.oom
PING facebook.Com ( 56 data bytes

When i try to ping a filtered website, i can see that my request is redirected on a lan IP address : Every filtered request will fail blocking on this IP address.

Let's launch a simple traceroute from an iranian busybox on this :

XS5.ar2313.v3.6.1.4866.110330.1248# traceroute
traceroute to (, 30 hops max, 40 byte packets
 1 (  2.563 ms  2.484 ms  2.456 ms
 2 (  4.809 ms  4.556 ms  2.823 ms
 3 (  12.181 ms  9.761 ms  7.379 ms
 4 (  13.407 ms  11.098 ms  8.213 ms
 5 (  9.017 ms  11.883 ms  26.27 ms
 6 (  10.973 ms  12.403 ms  12.813 ms
 7 (  11.884 ms  9.022 ms  11.777 ms
 8 (  17.677 ms  16.697 ms  19.568 ms
 9  * * *
10  * * *
11  * * *
12  * * *

The first hop is a VPN :

 1 (  2.563 ms  2.484 ms  2.456 ms

Whatever the website, filtered or not, you want to reach, every requested are routed through this VPN to ITC AS. is in fact which redirects to

The second hop in our traceroute from an iranian IP address is a cisco router with only a telnetd openend, a 1984 "big brother" port is filtered ;)
This IP adress is owned by Jahanonline (AS49872)

descr:          Jahanonline Route
origin:         AS49872
mnt-by:         MNT-JAHANONLINE
mnt-lower:      MNT-JAHANONLINE
mnt-routes:     MNT-JAHANONLINE
source:         RIPE # Filtered

Nmap scan report for
Host is up (0.18s latency).
Not shown: 984 closed ports
23/tcp   open     telnet         Cisco router telnetd
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1068/tcp filtered instl_bootc
1069/tcp filtered cognex-insight
1070/tcp filtered gmrupdateserv
1080/tcp filtered socks
1434/tcp filtered ms-sql-m
1984/tcp filtered bigbrother
2967/tcp filtered symantec-av
3128/tcp filtered squid-http
3168/tcp filtered poweronnud
6000/tcp filtered X11
6666/tcp filtered irc
6667/tcp filtered irc
Service Info: OS: IOS; Device: router; CPE: cpe:/o:cisco:ios

The last IP adress is very interesting, it appears to be an AS12880 (Information Technology Company) adress. Great news for me... this AS seems to peer with every ISP in Iran. Iranian Big Brother might be somewhere here. answers ping but an external port scan shows no open ports.

The censorship infrastructure might be difficult to spot on ITC Network. Some devices may operate in passive mode, with no public reachable IP address. But as we can visit iranian Internet as iranians do, we'll try in the next article to understand who and which devices are filtering Internet in Iran.

mercredi 1 août 2012

☠ Bahrainy Days

It's been more than one year since i did not write anything on this blog. It's also been more than one year i'm getting a close look to Syria with my friends of Telecomix, FHIMT and During this year, we've been tracking european and american companies selling surveillance technologies to countries that use them against political opponents to identify them, track them, arrest them, torture them, and then kill them.

But we did not forget Bahrain.

We identified through a leaked official document that Finfisher technology (aka UK company Gamma Group), was responsible for Bahrain's activists tracking in this country. Finfisher is a collection of intrusive tools to break into any computer, maintaining access and spy in deep anyone connected on the Internet.

The leaked document is in Arab, translations will be soon available in french and in english on

Stay tuned

dimanche 17 avril 2011

☠ Bahrainy Night البحرين


You might have follow us yesterday night doing a bunch of tourism in the wonderful Syrian Internet. As we had pretty much fun playing with Bachar, we thought Hamad could get jealous.
This pad is dedicated to you Hamad.

You can kill your people and shit on freedom in Bahrein... but never forget hackers are watching at you... we're close... even closer.

We do not attack, we're just tourists. Then we take pictures to show them to our friends from the Internets.

Hope you'll enjoy our journey as we did


Leak it Baby :

First step : asking a good friend the best way to have a nice touristic journey :

Second step : Dropping some small stones to get sure we won't get lost

9 ( 118.911 ms ( 101.096 ms 101.239 ms
10 ( 117.310 ms ( 119.919 ms 120.602 ms
11 ( 116.242 ms 115.735 ms 119.568 ms
12 ( 100.865 ms * 105.516 ms
..... has address

Third step : you will have to visit the customs

inetnum: -
descr:Bahrain Internet Exchange

Nothing to declare ? Ok let's jump to the next step, enjoying the journey and taking pictures.
Ok it's time for getting change with local currency,

The most beautiful places in the country

<HTML dir=rtl><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1256" /><title>:: وزارة الداخلية | شرطة خدمة المجتمع | التبليغ الإلكتروني ::</title><META http-equiv=Content-Type content="text/html; charset=windows-1256"><META content="MSHTML 6.00.2800.1106" name=GENERATOR><META content=FrontPage.Editor.Document name=ProgId><META http-equiv=Content-Language content=ar-bh><style type="text/css"><!-- body {
Staying in touch with Hamad :<

rDNS record for
12/tcp open unknown
23/tcp open telnet
80/tcp open http
1025/tcp open NFS-or-IIS
1080/tcp open socks
8080/tcp open http-proxy
21/tcp open ftp
23/tcp open telnet
80/tcp open http
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1025/tcp open NFS-or-IIS
1080/tcp open socks
8080/tcp open http-proxy

... We're not snipers, we did not shoot, we did not hack, we did not deface...what about your security forces ?

From Paris with Love

Fo0 & Bluetouff

dimanche 24 octobre 2010

Samsung GalaxyS : Android made comfortable

Even if i did not get the time play with my new phone, a Samsung Galaxy S, i must say i feel quite excited to plan some hacky stuff with it and Android OS that it runs. Android is a really cool platform that lets advanced users play with modified firmwares to extends its features. Officials and beta firmware for the Galaxy S can be found here, this page could save your life if something goes wrong with the following hacks. Consider having a look on the new Samsung Flash wiki page and on the i9000 official flashing guide. If your are not familiar with flashing devices or running tools that could brick your phone, please, do not even try.

Here is my first impression for this device :
  • Effortless root ;
  • Multitask ;
  • Android has many useful apps that just works for a professional use (excellent email app, SIP, tethering that actually works for no money ...) ;
  • Android makes your phone highly hackable, and some apps like Touiteur a very good surprise.
Issues :
  • No SSHd by default, I just recommend QuickSSHd, an inexpensive but useful app ;
  • A strange behavior with GPS, Samsung USA recently admitted an issue and was planning to fix it in september. Did not see such a (official) fix yet;
  • Memory acces may sometimes be slow which is a software issue but a lag fix can be applied once the phone rooted. The 1Ghz CPU should be fast enough.
  • Last point that is not related to the phone itself, but to operators that filter http requests from a tethered computer browser, but should I need more than a ssh term ? Well, a browser might be useful so you will easily find a way to cheat them by modify the user agent parameter of your browser, using this plugin for Chrome or this one for Firefox.
What could be improved
  • The default factory firmware with the GPS bug but I recently moved to Froyo, not an official firmware, but the GPS works perfectly on this one.
  • There are not as much great 3D games on Android. If you're a gamer, excepting being an absolute fan of Asphalt 5 you should consider using an iPhone. I hope some companies like Gameloft or Electronic Arts will launch more 3D games on Android.

dimanche 8 août 2010

Tunneblick quick and dirty configuration

I had few troubles with adding a new configuration in Tunneblick, a cool free VPN software for OSX. The documentation of my provider was not so clear and a small mistake took me some time get started.

I had already a previous configuration and when i read the documentation of my new VPN provider, i was told to drop the config files in the openvpn folder located in the Library folder, in my Home directory. Of course, i had no "openvpn" folder located here. After a few greps, i found the good place : on Snow Leopard, you have to put your configuration files in /Users/yourname/Library/Application\ Support/Tunnelblick/Configurations/

So here's the trick :

First clean the configurations folder from your previous VPN provider config files :

$ cd /Users/yourname/Library/Application\ Support/Tunnelblick/Configurations/
$ rm *

Move to the folder where your new VPN provider configuration files are :

$ cd /User/yourname/Desktop/MyConfFiles
Check that you have copied your .pem, .crt and .key with others config files, then copy your new configuration files to to the Tunnelblick configuration folder :

$ cp * /Users/yourname/Library/Application\ Support/Tunnelblick/Configurations/

If you have some .ovpn you get an error launching Tunnelblick, you might have to rename the .ovpn extension to .conf

mercredi 21 juillet 2010

Dell puts Firefox in jail

Applicative virtualization is now a security oriented feature implemented by Dell for Mozilla Firefox web browser. The french website PCInpact explains that only Internet Explorer 8 and Chrome have implemented a sandbox to prevent the risk of a browsing security exploitation that could compromise the whole system.
Firefox is now so popular that Dell decided to provide it's own secured environment with Kace (a Dell subsidiary). Kace not only prevents Firefox vulnerabilities, it also protects users from the use of critical plugins like Flash and Adobe Reader.
Anyway, this won't protect users against malicious plugins use.

Here's a small demo of Kace secure browsing.

mardi 20 juillet 2010

Swedish Pirate Party becomes an ISP

The Piratpartiet (Swedish Pirate Party) seems about to become an ISP. It's the first known initiative of that kind for a politic party to provide a connexion to the Internets, but it seems to be a very good way to deliver a service that ethically gives an answer to the fight for Net Neutrality. Pirateisp will provide soon connexions from 10mb to 1gb, you can check the pricelist here (prices are from 26 to 55€).

Two months ago, Arstechnica wrote that the Piratpartiet was considering being ISP for the Pirate Bay.

The domain name has been registered to Rene Malmgren.