
Hacking the Heartbleed Vulnerability

Welcome back, my greenhorn hackers!
In recent weeks, the Heartbleed vulnerability of OpenSSL has been dominating the information security headlines. This vulnerability enables an attacker to extract data from the server's memory that may contain authentication credentials, cookies, the server's private key, and personally identifiable info (PII) that could be used for identity theft. As a result, websites around the world have been scrambling to close this hole. Fortunately for us, many still have not, and many may never be closed.
Basically, OpenSSL is an encryption library used in HTTPS (secure HTTP). The idea is that any data traveling over this secured version of HTTP should be secure and encrypted. During communication, OpenSSL uses a "heartbeat" that echoes back data to verify that the data was received correctly. It's kind of like one machine telling the other, "Yes, I got that data and you can send more now."
The Heartbleed vulnerability enables a hacker to trick OpenSSL by sending a heartbeat request that carries a single byte of data while claiming, in its length field, that it sent up to 64K bytes. Vulnerable versions of OpenSSL never check that claim against the amount of data actually received: the server copies the claimed 64K bytes starting at the one-byte payload and echoes them back, so what comes back is roughly 64K of whatever happened to sit next to that byte in its memory.
In this tutorial, I'll show you a simple exploit for getting OpenSSL to spill the contents of its memory and possibly give us the user's credentials and other information.
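How the server-side length check decides whether a heartbeat is safe to answer, as an added C example (not code from the original post and not OpenSSL's own code): it parses the RFC 6520 heartbeat layout described above, rejects any request whose declared payload length does not fit inside the record actually received (the same bounds check that the OpenSSL 1.0.1g fix added), and otherwise builds a response that copies only bytes that really exist in the request. The two sample requests and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message layout (simplified parser written for this example):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (at least 16 bytes)
 */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Validate a heartbeat request that arrived inside a TLS record of record_len bytes.
 * Returns the declared payload length when the message is well-formed, or -1 when it
 * must be dropped. The last check is the Heartbleed fix: the declared payload plus the
 * 3-byte header and minimum padding has to fit inside the record that was really received,
 * otherwise echoing it would copy memory that lies beyond the request. */
int hb_validate(const uint8_t *rec, size_t record_len)
{
    if (record_len < 1 + 2 + HB_MIN_PADDING)
        return -1;                      /* too short to hold even an empty payload */
    if (rec[0] != HB_REQUEST)
        return -1;                      /* only requests are answered */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_MIN_PADDING > record_len)
        return -1;                      /* declared length exceeds the bytes we actually have */
    return (int)payload;
}

/* Build the heartbeat response for a validated request into out (out_cap bytes).
 * Returns the response length, or -1 if the request is malformed or out is too small.
 * Only bytes that exist in the request are copied, so nothing outside it can leak. */
int hb_build_response(const uint8_t *rec, size_t record_len, uint8_t *out, size_t out_cap)
{
    int payload = hb_validate(rec, record_len);
    if (payload < 0)
        return -1;
    size_t need = 1 + 2 + (size_t)payload + HB_MIN_PADDING;
    if (need > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, (size_t)payload);
    /* Real implementations use random padding; zeros keep this example deterministic. */
    memset(out + 3 + payload, 0, HB_MIN_PADDING);
    return (int)need;
}

/* Constructed sample requests, both 20 bytes on the wire: 3-byte header, one byte 'A', 16 bytes padding.
 * The first declares the honest payload length of 1; the second declares 16384 bytes it never sent. */
const uint8_t kBenignRequest[20]    = { HB_REQUEST, 0x00, 0x01, 'A' };
const uint8_t kMalformedRequest[20] = { HB_REQUEST, 0x40, 0x00, 'A' };

int main(void)
{
    uint8_t out[64];
    int n;

    n = hb_build_response(kBenignRequest, sizeof kBenignRequest, out, sizeof out);
    printf("benign request: response length %d, echoed payload %d byte(s)\n",
           n, hb_validate(kBenignRequest, sizeof kBenignRequest));

    n = hb_build_response(kMalformedRequest, sizeof kMalformedRequest, out, sizeof out);
    printf("malformed request: %s\n", n < 0 ? "dropped by the length check" : "answered");
    return 0;
}
```

The malformed request is exactly the shape the tutorial describes: one real byte with a length field claiming far more. A patched server drops it before any copy happens; an unpatched one would run the memcpy with the claimed length and hand back whatever followed that byte in memory.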

Step 1: Update Metasploit

The first step is to update Metasploit to get the new auxiliary module for Heartbleed. Type:
  • kali > msfupdate
Metasploit will then go through the long and slow process of updating its modules and framework. Be patient here; it takes a while.
When you are finally returned to the Kali prompt, the update has completed.

Step 2: Start Metasploit

Now, we need to start the Metasploit console. At any terminal prompt, type:
  • kali > msfconsole
You should be greeted with a screen like that below.

Step 3: Find Heartbleed

Now, we need to find the new Heartbleed module. We can use the built-in search feature in Metasploit. Type:
  • msf > search heartbleed
This should bring up two auxiliary modules for Heartbleed. Select the first one as I've highlighted below.

Step 4: Use the Auxiliary Module

Next, we need to load this module. Simply type:
  • msf > use auxiliary/scanner/ssl/openssl_heartbleed
This will load the Heartbleed module.
Whenever I am using a new module, I like to look at the info page. Once we have loaded the module, type:
  • msf > info
As we can see in the screenshot below, this reveals the options that need to be set in order to use this module, along with a description of the module.

Step 5: Set Options

Although this module has numerous options, the critical one is RHOSTS (notice the plural here). Let's set it to a target website I set up on my network that is still vulnerable to Heartbleed.
  • msf > set RHOSTS 192.168.1.169

Step 6: Run the Module

Finally, set the option "verbose" to "true". This will provide us with verbose output.
  • msf > set verbose true
And now let's run it:
  • msf > run
As you can see in the screenshot below, the server leaked about 64K bytes of what was in its memory.

Step 7: Success

If credentials, personally identifiable information (PII), or the server's private key had been in memory, they would have leaked out as well. Of course, we could set up this Heartbleed scanner to run repeatedly to gather the info in memory on a continual basis, eventually gaining access to all the info that traversed RAM.
In my next Heartbleed post, we will start working on a scanner script to scan the world for websites and servers still vulnerable to the Heartbleed vulnerability, so make sure to come back. While you're waiting, you can use your spare time to increase your skills in Metasploit by knowing all of the commands and hacking scripts available.
