Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014.
Today we will discover how to detect the vulnerability and then demonstrate how to exploit that vulnerability. Currently this vulnerability only exploits version 1.0.1 of the OpenSSL library, so if you are running this version, update.
The application we will be exploiting for this example will be bWapp, (https://sourceforge.net/projects/bwap…) we have used this before in previous tutorials. It is an intentionally vulnerable web application that we will take advantage of.
Once you have installed the bWapp application virtual machine and start it up. So firstly we will need to do a vulnerability scan on the web server. so let’s grab the IP of the web app, in our case it’s 192.168.1.105. Your own IP may be different depending on what DHCP assigns it.
Once you are logged in you need to choose Heartbleed Vulnerability from the drop down menu and press Hack.
This will bring us to the Heartbleed vulnerability page on the web app. And right off the bat it gives a hint into how to exploit the web page. We can see that the logon port is 8443.
We will also provide the attack script needed to exploit this vulnerability (https://github.com/ctfs/write-ups-201…), so you will need to download the heartbleed.py file.
So once you are all set up the last thing we will need is our attacking machine. For this tutorial we ar using ParrotOS (https://parrotlinux.org/).
So firstly we need to do a vulnerability scan, so open up a command terminal and start an nmap scan.
sudo namp -sV -A 192.168.1.1.5
This will tell us that port 8443 is open and accepting connections. While that is scanning let’s go to port 8443 in our web browser. In our case the URL will be the following.
Once you open that we can take a look at the SSL certificate running on the page.
As we can see the certificate is not secure, so the connection is not secure. So our script should work on this web page. So let’s run the script. Again we will use nmap.
sudo namp -p 8443 --script ssl-heartbleed 192.168.1.105
The p flag denotes the port number and we will use the script flag to see if the web page is vulnerable to Heartbleed.
So the nmap scan reveals the the web page is indeed vulnerable to Heartbleed and the risk factor is High. It also gives us the version of OpenSSL which is 1.0.1 which we mentioned earlier.
To exploit this vulnerability we will need to start Metasploit.
Once you are set up we can go ahead and set some parameters. So lets search for the OpenSSL module.
So this is the module we will be using. So next we need to tell Metasploit to use this module for our exploit.
Next we need to set some parameters. Because as we can see above the RHOSTS setting has no value, so let’s give it our attacking machine IP. Also the port 443 is set by default, so we need to change that to 8443.
set RHOSTS 192.168.1.105 set RPORT 8443 show info
The show info command will confirm we have set everything up correctly.
Next we are going to run a vulnerability scan from within the Metasploit framework.
set action SCAN run
This also confirms that certificate is vulnerable to this exploit, perfect. As an attacker it is always nice to test these things as much as possible to cement our suspicions.
Next we want to run our hearbleed.py script against the web app and what it will do is dump the hex values of the web page on screen for us.
python ./hearbleed.py 192.168.1.105
As we can see, there’s logon details for a user and also the PHP Session cookie. We think it was named Heartbleed because of the dump resembling a bleeding heart 🙂
Thanks for reading guys and don’t forget to like this post, comment and of course, subscribe for more posts like this!!