Lucifer

Heartbleed Exploitation

In this post we are going to take a look at how the Heartbleed (OpenSSL) vulnerability can be exploited in a lab, so let's start without any further delay.



Heartbleed is a vulnerability in the OpenSSL cryptographic software library. It lies in OpenSSL's implementation of the Heartbeat Extension for TLS/DTLS (Transport Layer Security), hence the name. Successful exploitation can result in disclosure of the server's private keys and even sensitive credentials, as we will see in this post.



In order to understand this vulnerability, we first need to understand how the heartbeat extension works and why it is used. The need for it arises because TLS itself has no feature to check whether the remote host is still alive when no data transfer is occurring on either end. The extension overcomes this limitation by sending heartbeat requests to the host and receiving matching responses: the request carries a payload and a length field, and the peer echoes the payload back. In a vulnerable implementation there is no validation that the length the client claims actually matches the bytes it sent. The server therefore copies as many bytes as the client asked for, starting at the payload and running into whatever happens to sit next to it in memory, and a remote attacker can craft a heartbeat request that retrieves a block of up to 64 KB from the server's process memory per request.
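The missing length check described above, modelled as an added C example written for this post (it is not OpenSSL's own code): handle_heartbeat mirrors the shape of the heartbeat handler with the bounds check from the fix switchable, and demo_heartbeat builds a constructed in-memory arena (the record, the "ping" payload and the neighbouring login data are all assumptions) so that the over-read stays inside memory the program owns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1    /* heartbeat_request message type, RFC 6520 */
#define PADDING_MIN 16   /* minimum padding every heartbeat must carry */
/* Process one heartbeat record body (rec, rec_len bytes as received) and
 * copy the payload to echo into out. Returns its length, or -1 if dropped.
 * validate == 0 trusts the length field as the unpatched code did. */
static int handle_heartbeat(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap, int validate)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: claimed payload plus minimum padding must fit inside the
     * bytes that really arrived; otherwise discard the record silently. */
    if (validate && 1 + 2 + payload_len + PADDING_MIN > rec_len) return -1;
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);  /* unvalidated: reads past the record */
    return (int)payload_len;
}

/* Constructed lab arena, not a captured packet: a 23-byte record carrying a
 * 4-byte payload, followed in memory by unrelated process data such as a
 * recent login request. claimed_len is written into the length field. */
int demo_heartbeat(int validate, uint16_t claimed_len,
                   uint8_t *out, size_t out_cap)
{
    uint8_t arena[64];
    const char neighbour[] = "user=admin&pass=hunter2";
    size_t rec_len = 1 + 2 + 4 + PADDING_MIN;
    if (3 + (size_t)claimed_len > sizeof arena) return -2; /* stay in arena */
    memset(arena, 0xAA, sizeof arena);  /* padding filler */
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)claimed_len;
    memcpy(arena + 3, "ping", 4);
    memcpy(arena + rec_len, neighbour, strlen(neighbour));
    return handle_heartbeat(arena, rec_len, out, out_cap, validate);
}

int main(void)
{
    uint8_t out[64];
    int n = demo_heartbeat(0, 40, out, sizeof out);
    printf("unpatched: %d bytes echoed, tail: %.*s\n", n, n - 20, (char *)out + 20);
    printf("patched: %d (record dropped)\n", demo_heartbeat(1, 40, out, sizeof out));
    return 0;
}
```

With the check enabled, a record whose length field exceeds what was received is dropped; without it, the echoed bytes carry the neighbouring data along with the real payload.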


Step 1:


For this post, we set up a target website hosted on a NGINX server that was compiled with vulnerable OpenSSL libraries. Enter the following command to start NGINX (don't forget sudo):


sudo /usr/local/nginx/sbin/nginx



Step 2: Scanning for vulnerability:


There are various methods for discovering the Heartbleed vulnerability. One of the fastest and most effective ways is to, once again, use the powerful Nmap Scripting Engine. The ssl-heartbleed script we will use in this step comes with the default Nmap installation. Enter the following command to scan our target for Heartbleed:


Note: skillsetlocal.com is not a live website, it's a website hosted locally.


nmap -p 443 --script ssl-heartbleed skillsetlocal.com


Nmap clearly marked our target as VULNERABLE and provided some information about the vulnerability.

Step 3: Browsing to Homepage


It's worth noting that you cannot count on getting the same results (or recovering some specific piece of information) every time you try exploiting Heartbleed. While some of the data leaked by the server may be valuable, in most cases the contents of the dump will be random and depend on many factors, including the web browser used to access the website. For this post we will use the w3m browser. Later, you can try a different browser (lynx) to see the difference for yourself.


Enter the following command to browse to our target website:


w3m https://skillsetlocal.com



Hit y twice to accept the self-signed certificate.



Ignore the warning message and just wait a few seconds for the webpage to load. You should see a simple login form.


Step 4: Logging In


Use the down arrow key to navigate to the Username line, and then right arrow key or Tab to get to the beginning of the red line (after the opening bracket). Once there, hit Enter. In the TEXT: prompt that appears on the bottom, type in some username (select something that you would be able to find easily in a data dump).



Hit Enter to return to the form.


Hit the down arrow key, then Enter to open the Password: prompt on the bottom. Type in some password and hit Enter.

Finally, hit the down arrow key again to get to the *[Submit]* button and hit Enter.


Ignore the Bad certificate warnings and just wait a few seconds for the page to reload.


Step 5: Closing the Browser


To close the w3m browser, hit q, then y to confirm.


Step 6: Starting Metasploit Framework


There are numerous tools and scripts developed for exploiting Heartbleed. Metasploit also has an auxiliary module that can scan multiple hosts and retrieve data from them if they are vulnerable.


Run the following command to launch the Metasploit Framework:


msfconsole -L


Step 7: Selecting Module


Select the openssl_heartbleed module. Remember that you can always use Tab to autocomplete (hint: if you hit Tab and nothing happens, double-check that you are typing everything in correctly):


use auxiliary/scanner/ssl/openssl_heartbleed


Step 8: Viewing Options


Enter show options to see what we need to configure. You can see that the module can be used against SSLv3, 1.0, 1.1, and 1.2.


show options


You can also see that the RPORT value is already set to 443 (default port for HTTPS), so we only need to set RHOSTS to the address of our target.

Step 9: Setting Scanner Options


Set the RHOSTS option to our target address:


set RHOSTS skillsetlocal.com


One last option to set is VERBOSE, so that the module displays the captured data on the console. Enable VERBOSE as follows:


set VERBOSE true


Step 10: Running Scan


Now let's run our scan:


run

You can see that both the username and the password were captured in plaintext, even though a "secure" SSL connection was used. The leaked bytes come from the server's process memory, where the login request sits after TLS has already decrypted it, so the encryption of the connection gives no protection here.


This is a good illustration of how dangerous Heartbleed could be. To fix the vulnerability, upgrade to a non-vulnerable version of OpenSSL and restart every service that links against it. Because the private key and user credentials may already have been read from memory, a server that was exposed should also have its certificate reissued with a new key and its affected passwords and session tokens rotated after patching.




That's it for this post; I hope you liked it. Join our Telegram group for up-to-date articles, or subscribe or sign up; the choice is yours and you won't regret it.
