CONTRA - A Strand of Consciousness
Tuesday, April 15, 2025
sevastopol.gov.ru OSINT analysis
Okay, I have analyzed the "Stolen Crimea-SpiderFoot.json" file containing the OSINT analysis of sevastopol.gov.ru. Here is a report based on the data within that file:
Okay, I have reviewed the search results regarding vulnerabilities in the Positive Technologies PT Application Firewall.
Here is the updated report incorporating information about the WAF:
OSINT Analysis Report: sevastopol.gov.ru
This report details the findings from the provided OSINT analysis JSON file concerning the website sevastopol.gov.ru, supplemented with information about the identified Web Application Firewall (WAF).
1. Network Architecture of sevastopol.gov.ru
Primary IP Address: The main domain sevastopol.gov.ru and its primary subdomain www.sevastopol.gov.ru resolve to the IP address 213.59.161.38.
Hosting Provider / ASN: This IP address belongs to AS59833, identified as SEVTELECOM-AS, owned by JSC Sevastopol Telekom.
Geographical Location: The ASN owner address is listed as 15, General Petrov, 299011, Sevastopol, RUSSIAN FEDERATION. Urlscan.io results also geolocate the IP to RU (Russia) and UA (Ukraine). DuckDuckGo results categorize the site under "Federal cities of Russia", "Cities in Crimea", "Southern Federal District", and also "Disputed territories in Europe" and "Cities with special status in Ukraine".
Nameservers: The authoritative nameservers listed for sevastopol.gov.ru are ns.gov.ru and ns1.sevtelecom.ru. This indicates reliance on both general Russian government DNS infrastructure and the local Sevtelecom infrastructure.
Mail Exchanger: The MX record points to mxs.armgs.team.
2. Important Network Information (IPs, Subdomains, Outliers)
Key IP Address: 213.59.161.38 is the central IP for the main site and several subdomains.
Identified Subdomains: The scan identified the following subdomains resolving to 213.59.161.38 or CNAME'd to www.sevastopol.gov.ru:
www.sevastopol.gov.ru
da.sevastopol.gov.ru
dag.sevastopol.gov.ru
do.sevastopol.gov.ru
doc.sevastopol.gov.ru
git.sevastopol.gov.ru
gtn.sevastopol.gov.ru
zdrav.sevastopol.gov.ru
Other Identified Subdomains (Resolution Status Unclear/Failed in Scan):
localhost.sevastopol.gov.ru
ns.sevastopol.gov.ru
autodiscover.sevastopol.gov.ru (Referenced in SSL certs)
mail.sevastopol.gov.ru (Referenced in SSL certs)
owa.sevastopol.gov.ru (Referenced in SSL certs)
Outliers/Unusual Usage:
Access Forbidden (403 Errors): Attempts to access sevastopol.gov.ru, www.sevastopol.gov.ru, and associated http/https versions via spidering resulted in HTTP 403 Forbidden errors, indicating access controls or WAF blocking.
Not Found (404 Errors): Spidering attempts against several key subdomains (da, dag, do, doc, git, gtn, zdrav) resulted in HTTP 404 Not Found errors, suggesting these subdomains might not host web content or were misconfigured/offline during the scan.
Affiliate Domains: A large number of .gov.ru domains (e.g., mintrud.gov.ru, minfin.gov.ru, economy.gov.ru, fsin.gov.ru, rospatent.gov.ru, etc.) were identified as affiliates, primarily through VirusTotal data associated with the scanned subdomains. This extensive interlinking is typical of government web ecosystems.
Mail Server: The use of mxs.armgs.team as the mail exchanger is noteworthy. The domain armgs.team is registered to VK LLC (a major Russian internet company) via a Russian registrar.
3. Russian Government Connections & Website Content
Direct Government Connections:
The .gov.ru TLD itself signifies a Russian government entity.
The use of ns.gov.ru as a primary nameserver directly links the domain to Russian government DNS infrastructure. The SPF record also references IPs within the 95.173.128.0 range, associated with the Russian Government Internet Network (RGIN).
The ASN owner (JSC Sevastopol Telekom) address is listed within Sevastopol, designated as part of the RUSSIAN FEDERATION in the data.
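The SPF record mentioned above is one of the few mail-security controls visible purely from DNS, and a defender auditing it wants to know exactly which addresses it authorises to send as the domain. The Python below is an added illustration, not part of the original report or of the SpiderFoot output: it parses a constructed SPF record and evaluates a sender address against its ip4, ip6 and all mechanisms. The 95.173.128.0/24 prefix and the other entries are assumptions, since the page gives only the range's base address; mechanisms that need DNS lookups (include, a, mx, ptr, exists) are reported as unresolved rather than followed.

```python
import ipaddress

# Constructed SPF record for illustration. The page only states that the real
# record references addresses in the 95.173.128.0 range, not the prefix length,
# so the /24 and the other mechanisms here are assumptions.
SAMPLE_SPF = "v=spf1 ip4:95.173.128.0/24 ip4:213.59.161.38 ip6:2001:db8::/32 -all"

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        if "=" in term:
            continue  # modifier such as redirect= or exp=; not evaluated here
        qual = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qual, mech.lower(), arg))
    return terms


def permitted_networks(record):
    """Networks the record explicitly allows to send (pass-qualified ip4/ip6)."""
    return [ipaddress.ip_network(arg, strict=False)
            for qual, mech, arg in parse_spf(record)
            if qual == "+" and mech in ("ip4", "ip6")]


def check_sender(record, sender_ip):
    """Return the SPF result for sender_ip, evaluating terms left to right.

    Only ip4, ip6 and all are evaluated offline; the first DNS-dependent
    mechanism encountered is returned as 'unresolved:<mechanism>'.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif mech == "all":
            return QUALIFIERS[qual]
        else:
            return "unresolved:" + mech
    return "neutral"  # nothing matched and no 'all' term: RFC 7208 default


if __name__ == "__main__":
    print("authorised networks:", [str(n) for n in permitted_networks(SAMPLE_SPF)])
    for sender in ("95.173.128.77", "213.59.161.38", "203.0.113.5"):
        print(sender, "->", check_sender(SAMPLE_SPF, sender))
```

Run against a domain's real TXT record, the permitted-network list is what you compare with the MX host (mxs.armgs.team above) and any third-party senders; a record ending in -all with a short, explicit list is the posture to aim for, while a ~all or ?all tail, or a long chain of include terms, widens who can spoof the domain.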
Website Content (Russia, Ukraine, Cybersecurity):
Direct Content: The OSINT scan was unable to retrieve actual content from the live website or its subdomains due to HTTP 403 (Forbidden) and 404 (Not Found) errors. Therefore, no direct analysis of the site's published text regarding the Russian government, the war in Ukraine, or cybersecurity is possible from this data.
Inferred Content/Context: DuckDuckGo search results associated with the domain describe Sevastopol as the largest city in Crimea, a major port/naval base for Russia's Black Sea Fleet, internationally recognised as part of Ukraine but occupied and annexed by Russia, and designated a federal city of Russia. Categories include "Federal cities of Russia", "Cities in Crimea", "Disputed territories in Europe", "Crimean Federal District", "Southern Federal District", "Holocaust locations in Russia", and "Holocaust locations in Ukraine". This reflects the disputed status and geopolitical context of Sevastopol.
4. Cybersecurity Infrastructure & Potential Vulnerabilities
Web Application Firewall (WAF): The scan explicitly identified the presence of "Positive Technologies PT Application Firewall" on both sevastopol.gov.ru and www.sevastopol.gov.ru. This is a Russian WAF product known for protection against common web threats such as the OWASP Top 10 and application-level DDoS attacks, and for its machine-learning and virtual-patching capabilities. The 403 Forbidden errors encountered during spidering are likely due to this WAF blocking the scan attempts.
Web Server Technologies: No specific web server software (like Apache, Nginx) was identified for the main domain or its subdomains in the provided data, likely due to the WAF obscuring details or the 403/404 errors preventing detection.
SSL/TLS Certificates: Numerous SSL certificates were found associated with the domain, issued by various authorities over time (Let's Encrypt, GlobalSign, COMODO/Sectigo). Many certificates listed in the scan data appear to be expired based on their notAfter dates (ranging from 2016 to 2024). This suggests potentially poor certificate lifecycle management at the time of the scan, though the current live status is unknown from this data. The most recent certificate listed was issued by "GlobalSign GCC R6 AlphaSSL CA 2023" and is valid until Nov 2025.
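Expiry triage of the kind described above is easy to automate once the scan output is machine-readable. The Python below is an added example, not the report's own tooling and not SpiderFoot's real export schema: it reads constructed records in a simplified type/data/source layout, groups resolved hosts by IP, flags each certificate as expired or not relative to the scan date, and lists names that appear only in certificates (the autodiscover, mail and owa hosts from the subdomain list earlier in the report). Hostnames and the GlobalSign issuer are taken from the report; the dates, the other issuer strings and the record layout are assumptions.

```python
import json
from datetime import datetime, timezone

# Scan date used for expiry checks: the date of the post.
SCAN_DATE = datetime(2025, 4, 15, tzinfo=timezone.utc)

# Constructed export in a simplified SpiderFoot-like shape (type / data / source).
# The real file's schema is not shown on the page, so this layout is an assumption;
# hostnames and the GlobalSign issuer come from the report, dates are made up.
SAMPLE_EXPORT = json.dumps([
    {"type": "IP_ADDRESS", "data": "213.59.161.38", "source": "sevastopol.gov.ru"},
    {"type": "IP_ADDRESS", "data": "213.59.161.38", "source": "www.sevastopol.gov.ru"},
    {"type": "IP_ADDRESS", "data": "213.59.161.38", "source": "git.sevastopol.gov.ru"},
    {"type": "IP_ADDRESS", "data": "213.59.161.38", "source": "zdrav.sevastopol.gov.ru"},
    {"type": "SSL_CERTIFICATE", "source": "www.sevastopol.gov.ru", "data": {
        "issuer": "Let's Encrypt (constructed)",
        "subjects": ["www.sevastopol.gov.ru", "sevastopol.gov.ru"],
        "notAfter": "2019-06-01T00:00:00Z"}},
    {"type": "SSL_CERTIFICATE", "source": "www.sevastopol.gov.ru", "data": {
        "issuer": "GlobalSign GCC R6 AlphaSSL CA 2023",
        "subjects": ["sevastopol.gov.ru", "www.sevastopol.gov.ru"],
        "notAfter": "2025-11-20T23:59:59Z"}},
    {"type": "SSL_CERTIFICATE", "source": "mail.sevastopol.gov.ru", "data": {
        "issuer": "COMODO RSA (constructed)",
        "subjects": ["mail.sevastopol.gov.ru", "owa.sevastopol.gov.ru",
                     "autodiscover.sevastopol.gov.ru"],
        "notAfter": "2022-01-10T00:00:00Z"}},
])


def load_records(text):
    """Parse the export and keep only records that carry a type and data."""
    return [r for r in json.loads(text) if "type" in r and "data" in r]


def hosts_by_ip(records):
    """Group every host that resolved to an address under that address."""
    groups = {}
    for r in records:
        if r["type"] == "IP_ADDRESS":
            groups.setdefault(r["data"], set()).add(r["source"])
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


def _parse_utc(stamp):
    # Timestamps in the constructed records are ISO 8601 with a trailing Z.
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def certificate_findings(records, as_of):
    """Flag each certificate as expired or not relative to as_of, with days remaining."""
    findings = []
    for r in records:
        if r["type"] != "SSL_CERTIFICATE":
            continue
        not_after = _parse_utc(r["data"]["notAfter"])
        findings.append({
            "issuer": r["data"]["issuer"],
            "subjects": r["data"]["subjects"],
            "not_after": r["data"]["notAfter"],
            "days_remaining": (not_after - as_of).days,  # negative once expired
            "expired": not_after < as_of,
        })
    return findings


def unresolved_cert_names(records):
    """Names present in certificates that never resolved to an IP in the scan:
    candidates for stale DNS, decommissioned services or internal-only hosts."""
    resolved = {r["source"] for r in records if r["type"] == "IP_ADDRESS"}
    named = set()
    for r in records:
        if r["type"] == "SSL_CERTIFICATE":
            named.update(r["data"]["subjects"])
    return sorted(named - resolved)


if __name__ == "__main__":
    recs = load_records(SAMPLE_EXPORT)
    for ip, hosts in hosts_by_ip(recs).items():
        print(ip, "->", ", ".join(hosts))
    for f in certificate_findings(recs, SCAN_DATE):
        status = "EXPIRED" if f["expired"] else f"{f['days_remaining']} days left"
        print(f["issuer"], f["not_after"], status)
    print("named in certs but unresolved:", unresolved_cert_names(recs))
```

The expired flag alone overstates the problem when the export contains historical certificate-transparency entries (an old Let's Encrypt certificate that was long since replaced is a log entry, not a live finding), so in practice the expired list is cross-checked against the certificate each host actually serves; the unresolved-name list is the more actionable output, since each name there is either stale inventory or a host that was not reachable from where the scan ran.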
Potential Vulnerabilities:
PT Application Firewall: While the recent search did not reveal specific, high-profile CVEs publicly documented against PT Application Firewall itself, any WAF can potentially have vulnerabilities. Common WAF issues include bypass techniques (exploiting parsing discrepancies, protocol variations, or specific rule weaknesses) and potential misconfigurations. Positive Technologies frequently identifies vulnerabilities in other vendors' products and recommends PT Application Firewall as a mitigation tool. A dedicated security assessment would be needed to identify specific weaknesses.
Expired Certificates: Serving an expired SSL certificate (as the historical scan data indicates) poses a security risk: browsers can no longer validate the site's identity and will warn or refuse to connect, and users who click through such warnings are exposed to man-in-the-middle attacks.
General OSINT Findings: The presence of numerous subdomains (some returning 404s) increases the potential attack surface. The reliance on external services like armgs.team for mail introduces dependencies and potential points of failure or compromise.
Summary:
The sevastopol.gov.ru domain is hosted by JSC Sevastopol Telekom (ASN 59833) in Sevastopol, designated as part of the Russian Federation in the OSINT data. It utilizes Russian government DNS infrastructure (ns.gov.ru) and relies on a Russian WAF (Positive Technologies PT Application Firewall) for security. Direct content analysis was not possible due to access restrictions (403/404 errors) during the scan. The site's context, as reflected in search engine results, clearly points to its status as a government entity in Russian-annexed Crimea. Potential security concerns identified at the time of the scan included expired SSL certificates and numerous subdomains, some of which were inaccessible. While no specific public CVEs for the PT Application Firewall were found in a brief search, any WAF can have potential weaknesses requiring further investigation.
Friday, April 11, 2025
Counter Deception
Taken from the "Counter Deception" talk by Tim Cross & Greg Conti at DEF CON 32.
https://youtu.be/gHqDEMrqTjE?si=GfWtC5JReTqC5M_E