Another Blue Coat Device in Iran (Respina, Infotech International)

In “Some Devices Wander by Mistake: Planet Blue Coat Redux,” Citizen Lab found nearly a dozen footprints of Blue Coat proxy devices on Iranian networks. Blue Coat Systems’ response and accountability since then have been minimal, so here is another one: a device in the Broadband Pool for the Iranshahr PoP on Respina Networks in Iran, which appears to be associated with Infotech International.

[Screenshot taken 2013-08-09]

nmap -p- -A 92.242.223.221

Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-09 03:15 IRDT
Stats: 0:04:35 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 73.39% done; ETC: 03:21 (0:01:40 remaining)
Nmap scan report for 92.242.223.221
Host is up (0.0038s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Blue Coat ftpd
22/tcp open ssh OpenSSH 5.6 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 1024 95:33:1a:03:41:3b:10:ba:0b:d9:fe:a9:da:0e:cf:f3 (RSA1)
|_1024 f8:89:0f:d2:ac:ab:4a:4c:bb:25:2d:65:f2:63:2b:f2 (RSA)
8082/tcp open ssl/http Blue Coat SG210 http proxy config
|_sslv2: server still supports SSLv2
|_html-title: Site doesn't have a title (text/plain; charset=utf-8).
| http-auth: HTTP Service requires authentication
|_ Auth type: Basic, realm = 92.242.223.221
Device type: proxy server|general purpose|storage-misc|specialized
Running (JUST GUESSING) : Blue Coat SGOS 5.X (96%), FreeBSD 5.X|6.X|5.x|7.X (92%), Apple Mac OS X 10.3.X|10.4.X (90%), VMware ESX Server 3.X|4.X (89%)
Aggressive OS guesses: Blue Coat SG510 proxy server (SGOS 5.2.2.5) (96%), Blue Coat SG810 web proxy (SGOS 5.3.1.9) (96%), Blue Coat SG510-series proxy server (SGOS 5.1.3.7) (95%), Blue Coat SG210 proxy server (SGOS 5.2.3.3 - 5.2.3.9) (95%), FreeBSD 5.4-RELEASE (92%), FreeNAS 0.69RC2 (FreeBSD 6.4-RELEASE-p3) (92%), FreeBSD 6.0-RELEASE (92%), FreeBSD 6.0-RELEASE - 6.2-RELEASE (92%), FreeBSD 6.1-RELEASE - 6.2 (92%), FreeBSD 6.0-STABLE - 6.2-RELEASE (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 11 hops
Service Info: OS: SGOS; Device: proxy server

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.60 ms 87.107.121.113
2 1.90 ms 81.12.48.89
3 1.69 ms 62.220.97.124
4 2.86 ms p2p.huawei-rtr.aryasat.dist-sw.aryasat.ir (78.154.32.177)
5 2.08 ms 78.38.255.100
6 1.66 ms 10.201.22.115
7 1.55 ms 10.10.53.94
8 2.58 ms 192.168.119.25
9 3.12 ms 192.168.119.76
10 3.25 ms 192.168.91.19
11 3.68 ms 92.242.223.221

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 415.32 seconds

openssl s_client -connect 92.242.223.221:8082

CONNECTED(00000003)
depth=0 C = "  ", ST = Some-State, O = Blue Coat SG900 Series, OU = 4412240214, CN = 192.168.60.90
verify error:num=18:self signed certificate
verify return:1
depth=0 C = "  ", ST = Some-State, O = Blue Coat SG900 Series, OU = 4412240214, CN = 192.168.60.90
verify return:1

Certificate chain
0 s:/C= /ST=Some-State/O=Blue Coat SG900 Series/OU=4412240214/CN=192.168.60.90
i:/C= /ST=Some-State/O=Blue Coat SG900 Series/OU=4412240214/CN=192.168.60.90

Server certificate
-----BEGIN CERTIFICATE-----
MIIDLTCCApagAwIBAgIEIEqFAzANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwIg
IDETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UEChMWQmx1ZSBDb2F0IFNHOTAw
IFNlcmllczETMBEGA1UECxMKNDQxMjI0MDIxNDEWMBQGA1UEAxMNMTkyLjE2OC42
MC45MDAeFw0xMzAzMDIwNzIzNDdaFw0xNTAzMDIwNzIzNDdaMHAxCzAJBgNVBAYT
AiAgMRMwEQYDVQQIEwpTb21lLVN0YXRlMR8wHQYDVQQKExZCbHVlIENvYXQgU0c5
MDAgU2VyaWVzMRMwEQYDVQQLEwo0NDEyMjQwMjE0MRYwFAYDVQQDEw0xOTIuMTY4
LjYwLjkwMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrP8lp9JYXjBTj2Jjb
vISPlN6SnxT5u5qLsqB5Z9vrgECS7N6xodo+y45riz7YRzKdw73/oN1jYuqB40Le
ofzINGFKhmz7y1uJw3+YKlnF1qdzvw9hcLM7E0jTFA37ox4gCOeciatRtClDwFGg
gjlsoKZITKJ3Lon9p/+7O5EAoQIDAQABo4HTMIHQMB0GA1UdDgQWBBRSg229ISku
I6ERx62wiZGzNh9+CjCBnQYDVR0jBIGVMIGSgBRSg229ISkuI6ERx62wiZGzNh9+
CqF0pHIwcDELMAkGA1UEBhMCICAxEzARBgNVBAgTClNvbWUtU3RhdGUxHzAdBgNV
BAoTFkJsdWUgQ29hdCBTRzkwMCBTZXJpZXMxEzARBgNVBAsTCjQ0MTIyNDAyMTQx
FjAUBgNVBAMTDTE5Mi4xNjguNjAuOTCCBCBKhQMwDwYDVR0TAQH/BAUwAwEB/zAN
BgkqhkiG9w0BAQUFAAOBgQAekRf/NvJXT8K8hEEsZzXNd9L/eB8pAaywDshExbap
rF4wEZ8vJHe26vAI2nt0pAwNa/iVkaDm9obhpKVvQIwFD/ZRXRbvtsXelDqLobWf
CfvzDHQkk5CQe2FrNV/BPcwc3HsIxRUVKpVmZEY3byzlWQx0b/Kd5ujDVHGkkI6h
jg==
-----END CERTIFICATE-----
subject=/C= /ST=Some-State/O=Blue Coat SG900 Series/OU=4412240214/CN=192.168.60.90
issuer=/C= /ST=Some-State/O=Blue Coat SG900 Series/OU=4412240214/CN=192.168.60.90

No client certificate CA names sent

SSL handshake has read 986 bytes and written 423 bytes

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 3332DFE4AEEB29A1DE473ADF924AE256A5280CEC5C55FBF7B77D5DEA3FAE0E01
Session-ID-ctx:
Master-Key: B775A5DE8A557ABBB69FC51EB25CF1B1E74CF522E40C4A2048D361B5EC2F4BA8003DB3858755266F19332A68B61600E9
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1376003731
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)

read:errno=0
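The s_client session above is what ties the box to a vendor: the self-signed certificate carries "Blue Coat SG900 Series" in its Organization field, the CN is the private address 192.168.60.90 even though the service answered on 92.242.223.221, and the key is 1024-bit RSA (verify return code 18, "self signed certificate"). The script below is an added example, not code from the original post, that reads those facts out of the PEM block exactly as printed, using a minimal DER walker from the Python standard library only. It assumes an X.509 v3 certificate with an RSA key (which is what this device presented); the function names and the 2048-bit key floor are the example's own choices.

```python
"""Added example (not from the original post): inspect the Blue Coat certificate
captured above with a standard-library-only DER walker. Assumes an X.509 v3
certificate carrying an RSA key, which is what this device presented."""
import base64
import ipaddress
import re
# Server certificate exactly as printed by `openssl s_client` on the page (not constructed).
BLUE_COAT_PEM = """-----BEGIN CERTIFICATE-----
MIIDLTCCApagAwIBAgIEIEqFAzANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwIg
IDETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UEChMWQmx1ZSBDb2F0IFNHOTAw
IFNlcmllczETMBEGA1UECxMKNDQxMjI0MDIxNDEWMBQGA1UEAxMNMTkyLjE2OC42
MC45MDAeFw0xMzAzMDIwNzIzNDdaFw0xNTAzMDIwNzIzNDdaMHAxCzAJBgNVBAYT
AiAgMRMwEQYDVQQIEwpTb21lLVN0YXRlMR8wHQYDVQQKExZCbHVlIENvYXQgU0c5
MDAgU2VyaWVzMRMwEQYDVQQLEwo0NDEyMjQwMjE0MRYwFAYDVQQDEw0xOTIuMTY4
LjYwLjkwMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrP8lp9JYXjBTj2Jjb
vISPlN6SnxT5u5qLsqB5Z9vrgECS7N6xodo+y45riz7YRzKdw73/oN1jYuqB40Le
ofzINGFKhmz7y1uJw3+YKlnF1qdzvw9hcLM7E0jTFA37ox4gCOeciatRtClDwFGg
gjlsoKZITKJ3Lon9p/+7O5EAoQIDAQABo4HTMIHQMB0GA1UdDgQWBBRSg229ISku
I6ERx62wiZGzNh9+CjCBnQYDVR0jBIGVMIGSgBRSg229ISkuI6ERx62wiZGzNh9+
CqF0pHIwcDELMAkGA1UEBhMCICAxEzARBgNVBAgTClNvbWUtU3RhdGUxHzAdBgNV
BAoTFkJsdWUgQ29hdCBTRzkwMCBTZXJpZXMxEzARBgNVBAsTCjQ0MTIyNDAyMTQx
FjAUBgNVBAMTDTE5Mi4xNjguNjAuOTCCBCBKhQMwDwYDVR0TAQH/BAUwAwEB/zAN
BgkqhkiG9w0BAQUFAAOBgQAekRf/NvJXT8K8hEEsZzXNd9L/eB8pAaywDshExbap
rF4wEZ8vJHe26vAI2nt0pAwNa/iVkaDm9obhpKVvQIwFD/ZRXRbvtsXelDqLobWf
CfvzDHQkk5CQe2FrNV/BPcwc3HsIxRUVKpVmZEY3byzlWQx0b/Kd5ujDVHGkkI6h
jg==
-----END CERTIFICATE-----"""
# X.520 attribute OIDs -> the short names openssl prints in a subject line.
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}

def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x8N, then N length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # (tag, value) members inside a constructed value's content octets
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # later arcs are base-128; high bit set = another octet follows
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_name(name_der):
    """Flatten an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) to a dict."""
    attrs = {}
    for _, rdn_set in children(name_der):
        for _, atv in children(rdn_set):
            (_, oid), (_, value) = children(atv)[:2]
            attrs[ATTR_NAMES.get(decode_oid(oid), decode_oid(oid))] = value.decode("utf-8")
    return attrs

def inspect_certificate(pem):
    (_, cert), = children(pem_to_der(pem))              # Certificate ::= SEQUENCE
    (_, tbs), _sig_alg, _sig_value = children(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    _serial, _alg, (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    not_before, not_after = (v.decode("ascii") for _, v in children(validity))
    _key_alg, (_, bit_string) = children(spki)          # SubjectPublicKeyInfo
    (_, rsa_key), = children(bit_string[1:])            # drop the unused-bits octet
    (_, modulus), _exponent = children(rsa_key)         # RSAPublicKey ::= SEQUENCE { n, e }
    return {"subject": parse_name(subject), "issuer": parse_name(issuer),
            "self_signed": subject == issuer,           # byte-identical DER Names
            "not_before": not_before, "not_after": not_after,
            "key_bits": int.from_bytes(modulus, "big").bit_length()}

def fingerprint_findings(info, connected_to):
    """Observations a reviewer draws from this certificate on a public interface."""
    found = []
    if "Blue Coat" in info["subject"].get("O", ""):
        found.append("vendor and model exposed in subject O=" + info["subject"]["O"])
    if info["self_signed"]:
        found.append("self-signed certificate (openssl verify error 18)")
    if info["key_bits"] < 2048:
        found.append(f"{info['key_bits']}-bit RSA key, below the 2048-bit floor")
    cn = info["subject"].get("CN", "")
    try:  # an RFC 1918 address in CN on a public IP: an internal management cert exposed
        if ipaddress.ip_address(cn).is_private and cn != connected_to:
            found.append(f"CN {cn} is a private address, yet the service answered on {connected_to}")
    except ValueError:  # CN is a hostname, not an address
        pass
    return found
```

Calling inspect_certificate(BLUE_COAT_PEM) returns the subject and issuer as dicts (O="Blue Coat SG900 Series", OU=4412240214, CN=192.168.60.90), the validity window 2013-03-02 to 2015-03-02, and key_bits=1024; fingerprint_findings(info, "92.242.223.221") then lists the four observations the post draws from the handshake. The walker only follows the fixed field order of a v3 certificate and never touches the signature, which is all that is needed to read the identity fields; a general-purpose parser should use a maintained X.509 library.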

whois 92.242.223.221

#

# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
#
# Query terms are ambiguous. The query is assumed to be:
# "n 92.242.223.221"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=92.242.223.221?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 92.0.0.0 - 92.255.255.255
CIDR: 92.0.0.0/8
OriginAS:
NetName: 92-RIPE
NetHandle: NET-92-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2007-03-27
Updated: 2009-05-18
Ref: http://whois.arin.net/rest/net/NET-92-0-0-0-1

OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

OrgAbuseHandle: RNO29-ARIN
OrgAbuseName: RIPE NCC Operations
OrgAbusePhone: +31 20 535 4444
OrgAbuseEmail: hostmaster@ripe.net
OrgAbuseRef: http://whois.arin.net/rest/poc/RNO29-ARIN

OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster@ripe.net
OrgTechRef: http://whois.arin.net/rest/poc/RNO29-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '92.242.216.0 - 92.242.223.255'

% Abuse contact for '92.242.216.0 - 92.242.223.255' is 'abuse@respina.net'

inetnum: 92.242.216.0 - 92.242.223.255
netname: RESPINA
descr: Broadband Pool for Iranshahr PoP
country: IR
admin-c: PN2434-RIPE
tech-c: MS19636-RIPE
status: ASSIGNED PA
mnt-by: MNT-RSPN
source: RIPE # Filtered

person: Mehdi Sabour
address: No. 19, Arak St., Gharani Ave., Tehran, Iran, Zip Code: 15989
phone: +98 21 8892 4363
fax-no: +98 21 8890 4866
abuse-mailbox: abuse@respina.net
nic-hdl: MS19636-RIPE
mnt-by: MNT-RSPN
source: RIPE # Filtered

person: Pouya Nasirabadi
address: No. 19, Arak St., Gharani Ave., Tehran, Iran, Zip Code: 15989
phone: +98 21 8892 4363
fax-no: +98 21 8890 4866
abuse-mailbox: abuse@respina.net
nic-hdl: PN2434-RIPE
mnt-by: MNT-RSPN
source: RIPE # Filtered

% Information related to '92.242.216.0/21AS42337'

route: 92.242.216.0/21
descr: Respina-Route
origin: AS42337
mnt-by: MNT-RSPN
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.67.4 (WHOIS2)