In this post we are going to take a look at how the Heartbleed (OpenSSL) vulnerability can be exploited in a lab setup, so let's start without any further delay.
Heartbleed is a vulnerability in the OpenSSL cryptographic software library. It lies in the Heartbeat Extension of OpenSSL's TLS/DTLS (Transport Layer Security) implementation, hence the name. Successful exploitation can result in disclosure of the server's private keys and even sensitive user credentials, as we will see in this post.
In order to understand this vulnerability, we first need to understand how the heartbeat extension works and why it is used. The need for this extension arises because TLS itself has no feature to check whether the remote host is still alive when no data is being transferred in either direction. The extension overcomes this limitation by sending heartbeat requests to the host and receiving matching responses: each request carries a payload and a length field, and the peer echoes the payload back. In a vulnerable implementation, however, the length field supplied by the client is never validated against the amount of data that actually arrived. The server copies as many bytes as the client claimed, so a remote attacker can craft a heartbeat request that returns a block of up to 64 KB of the server's memory.
For this post, we set up a target website hosted on an NGINX server that was compiled against a vulnerable OpenSSL library. Enter the following command to start NGINX (don't forget sudo):
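To make the missing check concrete, here is an added illustration (not OpenSSL's code and not part of the original post) of a simplified heartbeat handler with and without the length validation that the fix introduced. The record layout follows RFC 6520; the surrounding "memory" contents and the credential string are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
/* Simplified heartbeat record (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16).
   Both handlers are an added illustration, not OpenSSL's own code. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_PAD = 16, REC_LEN = HB_HDR + 2 + HB_PAD };
/* Constructed "process memory": a 21-byte request whose 2-byte payload claims to be 32 bytes,
   followed by unrelated data (a constructed credential) that is not part of the record. */
static const unsigned char g_mem[64] = {
    HB_REQUEST, 0x00, 0x20,                     /* claims 32 payload bytes         */
    'h', 'i',                                   /* only 2 payload bytes present    */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,            /* 16 bytes of padding             */
    'u','s','e','r','=','a','l','i','c','e',    /* adjacent memory, never received */
};
static size_t hb_claimed_len(const unsigned char *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Vulnerable: copies payload_length bytes without checking it against rec_len (the bug). */
size_t hb_reply_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    size_t n = hb_claimed_len(rec);
    (void)rec_len;                                   /* never consulted */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);           /* reads past the record */
    return HB_HDR + n;
}

/* Fixed: silently drop any record whose claimed payload plus padding exceeds what arrived. */
size_t hb_reply_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < HB_HDR + HB_PAD) return 0;         /* too short to be valid */
    size_t n = hb_claimed_len(rec);
    if (HB_HDR + n + HB_PAD > rec_len) return 0;     /* length field lies: discard */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);
    return HB_HDR + n;
}

/* 1 if the handler's reply to g_mem contains the constructed credential that sits beyond the 21 received bytes. */
int reply_leaks_adjacent_memory(size_t (*handler)(const unsigned char *, size_t, unsigned char *)) {
    unsigned char reply[64] = {0};
    size_t len = handler(g_mem, REC_LEN, reply);
    const char *needle = "user=alice";
    for (size_t i = 0; i + strlen(needle) <= len; i++)
        if (memcmp(reply + i, needle, strlen(needle)) == 0) return 1;
    return 0;
}

/* Reply length from the fixed handler for a well-formed 21-byte request carrying "hi". */
size_t fixed_reply_len_for_valid_record(void) {
    unsigned char good[REC_LEN] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };
    unsigned char out[64];
    return hb_reply_fixed(good, sizeof good, out);   /* 5 */
}
```

The vulnerable handler copies 32 bytes although only 21 arrived, so its reply carries the constructed credential; the fixed handler discards the record but still answers a well-formed one.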
Step 2: Scanning for Vulnerability
There are various methods for discovering the Heartbleed vulnerability. One of the fastest and most effective ways is, once again, to use the powerful Nmap Scripting Engine. The ssl-heartbleed script we will use in this step comes with the default Nmap installation. Enter the following command to scan our target for Heartbleed:
Note: skillsetlocal.com is not a live website, it's a website hosted locally.
nmap -p 443 --script ssl-heartbleed skillsetlocal.com
Nmap clearly marked our target as VULNERABLE and provided some information about the vulnerability.
Step 3: Browsing to Homepage
It's worth noting that you cannot count on getting the same results (or gathering some specific piece of information) every time you try exploiting Heartbleed. While some of the data leaked by the server may be valuable, in most cases the contents of the dump will be random and depend on many factors, including the web browser used to access the website. For this post we will use the w3m browser. Later, you can try a different browser (lynx) to see the difference for yourself.
Enter the following command to browse to our target website:
Hit y twice to accept the self-signed certificate.
Ignore the warning message and just wait a few seconds for the webpage to load. You should see a simple login form.
Step 4: Logging In
Use the down arrow key to navigate to the Username line, and then right arrow key or Tab to get to the beginning of the red line (after the opening bracket). Once there, hit Enter. In the TEXT: prompt that appears on the bottom, type in some username (select something that you would be able to find easily in a data dump).
Hit Enter to return to the form.
Hit the down arrow key, then Enter to open the Password: prompt on the bottom. Type in some password and hit Enter.
Finally, hit the down arrow key again to get to the *[Submit]* button and hit Enter.
Ignore the Bad certificate warnings and just wait a few seconds for the page to reload.
Step 5: Closing the Browser
To close the w3m browser, hit q, then y to confirm.
Step 6: Starting Metasploit Framework
There are numerous tools and scripts developed for exploiting Heartbleed. Metasploit also has an auxiliary module that can scan multiple hosts and retrieve data from them if they are vulnerable.
Run the following command to launch the Metasploit Framework:
Step 7: Selecting Module
Select the openssl_heartbleed module. Remember that you can always use Tab to autocomplete (Hint: if you hit Tab and nothing happens, double-check that you are typing everything in correctly):
Step 8: Viewing Options
Enter show options to see what we need to configure. You can see that the module can be used against SSLv3 and TLS 1.0, 1.1 and 1.2.
You can also see that the RPORT value is already set to 443 (default port for HTTPS), so we only need to set RHOSTS to the address of our target.
Step 9: Setting Scanner Options
Set the RHOSTS option to our target address:
set RHOSTS skillsetlocal.com
One last option we need to set is VERBOSE, so that the captured data is displayed on the console. Enable VERBOSE as follows:
set VERBOSE true
Step 10: Running Scan
Now let's run our scan:
You can see that both the username and the password were captured in plaintext, even though a "secure" SSL connection was used.
This is a good illustration of how dangerous Heartbleed can be. To fix the vulnerability, upgrade to a patched version of OpenSSL; since the leaked memory can include the private key, the keys and certificates used on a vulnerable server should be replaced as well.
That's it for this post, hope you liked it.