Archive for February, 2012

The Spy Hunter, Part III – Solution

Posted in Packet Challenge, Spy Hunter on 14 February, 2012 by Alec Waters

Part III was a different kind of challenge. For the first time, players were on the offensive, acting as Agents rather than reacting as Investigators. Out of over 220 downloads of the mission brief, only a single Yellow Sun agent managed to complete the challenge – hats off to Marcelo Mandolesi, Agent Of The Month! Marcelo’s excellent writeup is below, but first, a quick word from me:

Sponsor Alec! I hope you have fun with these challenges; I certainly have fun creating them! I’m running the 2012 Brighton Half Marathon on Sunday 19th of February in aid of Help for Heroes – please sponsor me if you can by clicking the link to the right:

Now, over to Marcelo:

Discover how to access the GMTA website

Open up the OperationCHASTISE.pcap file with Wireshark and follow the TCP stream of the IRC packets. There we find the following URL.

This leads to: https://gmta.nybblecomms.42 which means we need to add the .42 top-level domain DNS servers to be able to browse to it. The DNS servers can easily be found here: Run a nslookup gmta.nybblecomms.42 and we see that the IP address is 2001:6f8:608:7:221:5aff:feab:5144.

My ISP is not IPv6 friendly so that left me with making a Teredo tunnel. After some configuration I verified that I was able to browse IPv6 websites and could access the NybbleComms website. This shows the Teredo tunnel successfully working.

The trick was to change the type from “client” to “enterpriseclient” and adding a static route for all ipv6 traffic to use the Teredo interface with the following respective commands:

netsh interface Teredo set state enterpriseclient
netsh interface ipv6 add rouate ::/0 interface=10

(the interface number is listed at the beginning of the route print command’s output)

Take a look at the bottom of the website and we find that the GMTA’s public key is available for download here: https://gmta.nybblecomms.42/GMTA-CA.pem.

Discover the date and time of NybbleComms’ next test missile firing

Going back to the IRC conversation, we find that the time and dates of the missile firings are publicly known. Their support is kind enough to give us the notice.
The notice is written in the “Notices to Airmen” format. After some patient Googling, you can translate the message to say:

  • QWMLW = missile, gun or rocket firing will take place
  • Within a 40 nautical mile radius of the coordinates 52.132237 North 0.973028 East
  • EGUW = Wattisham Airfield (a military airport in Wattisham UK)
  • On February 18th 2012 from 10:00 AM to 10:30 AM UTC/GMT. This means that the launch time is at 10:00AM but the notice announcement lasts until 10:30.

Recover enough cryptographic material to allow the signing of a fake, but valid, MTP

Time to take a look at another TCP stream in the pcap file. Starting at packet number 220, we see some encrypted SSH traffic. I wonder what’s happening in IRC right when this starts. Go to packet number 217 and we find the dev support guy saying “Let me transfer that private key for you”.

It seems that this is our chance to get a copy of the GMTA’s private key which will allow us to sign the public key retrieved from the website. The dialog in IRC tells us that the dev support guy keeps a copy of the private key on his Ubuntu Gutsy and gives us a clue that this is very vulnerable. Doing some searches for SSH vulnerabilities around 2007-2008 leads us to this: which states:

Luciano Bello discovered that the random number generator in Debian’s openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

Doing some more searches leads us to these set of tools: designed to take advantage of this vulnerability. First you have to export only the SSH packets from Wireshark and use the tool tcpick to split the traffic into server and client streams. Running the ssh_decoder.rb file on these two files lets us see the normally encrypted SSH traffic.

The data that is relevant for us is stored in the sshdecrypt.1.client.dat file because the client transferred the key to the server. Note that the Ruby script required the –c switch which means that the client is vulnerable, not the server. By running strings on the .dat file we have the private key as well as his username and password.

Discover the location of the BATCAVE

The briefing document gives a clue that the re-examining the social media profiles of SIBHOD operatives may be useful. It appears that Ultra Venona has tweeted this link: which leads to a SQL 2008 Express database. Take a look inside and we find a database called placesDB with the following information.

The location of the BATCAVE is stored in this database in SQL’s geography data type. We can use the STAsText method to convert the binary data to readable form.

The coordinates of the BATCAVE are 52.106428 North 1.58205 East. It appears to be an underground bunker on the East coast of England. Notice that this bears resemblance to the SIBHOD logo.

Assembling the MTP certificate

First we have to setup our openssl environment. Note I will skip a lot of the detail in configuring the openssl configuration file. Copy an existing openssl.cnf from the web and edit it to use the GMTA’s public and private keys.

Certificate = GMTA-CA.pem
private_key = GMTA-CA.key.pem

Configure the NotBefore and NotAfter times of the certificate by adding the following two lines to the [ CA_default ] section of openssl.cnf. Since the launch is at 10:00 AM I chose 09:56AM and 10:04AM as my start and end dates.

default_startdate = 120218095600Z
default_enddate = 120218100400Z

Add the following information to the [ req_distinguished_name ] section of openssl.cnf. The OU field should equal “WARHEAD-FAE” because thermobaric explosives are effective against underground bunkers. The CN field should equal “52.106428×1.58205” for the coordinates of the BATCAVE. The rest of the fields do not matter but I made them match the GMTA’s public key.

[ req_distinguished_name ]
0.organizationName = NybbleComms
organizationalUnitName = WARHEAD-FAE
localityName = Guildford
stateOrProvinceName = Surrey
countryName = GB
commonName = 52.106428×1.58205

The following section will configure the X509v3 extensions which will make the Authority Key Identifier equal the GMTA’s cert.

[ usr_cert ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

Run this command to create a certificate request:

openssl req -new -nodes -out req.pem -config openssl.cnf

Run this command to create the certificate and sign it:

openssl ca -out MTP.pem -config openssl.cnf -infiles req.pem

Convert the pem file to der format:

openssl x509 -in MTP.pem -outform der -out MTP.der

View the contents of the certificate:

openssl x509 –in MTP.der –inform –text -noout

The Authority Key Identifier matches and all the other required fields look good too.

Upload the MTP to the Guided Missile Targeting Authority

The GMTA website requires a Userid and Password field as well as the MTP certificate.

Packet number 395 in the pcap file contains MySQL traffic with a username and password of “launchmaster” and “one2ThreeBOOM”.

Supply the certificate and these credentials and we verify that it has accepted our forged certificate.

Nice shot, Marcelo! The question now is, will NybbleComms notice the unauthorised MTP in time to revoke it? Or will Yellow Sun finally be rid of their two greatest threats? Stay tuned for Part IV!


The abbreviation-laden NOTAM retrieved from the IRC chat reveals the location of NybbleComm’s launch site, correctly identified by Marcelo as RAF Wattisham. Taking a closer look at the site reveals the missile sitting on its pad:

The layout of the pads is that of a Bloodhound surface-to-air missile installation; you can read all about this specific one here.

As for the location of the BATCAVE, it’s actually the site of an experimental over the horizon radar system codenamed Cobra Mist; the BATCAVE itself is at the focal point of the antenna array. The radar itself was a failure, despite a nine-figure price tag.

Finally, the real Operation CHASTISE was this one, which I imagine a lot of people are familiar with.

Alec Waters is responsible for all things security at Dataline Software, and can be emailed at