In this article we will set up and walk through a lab for the Heartbleed vulnerability.
Introduction to the Heartbleed Vulnerability:
Heartbleed is a security flaw that was found in the OpenSSL cryptographic library. The vulnerability lies in OpenSSL's implementation of the TLS/DTLS (Transport Layer Security) Heartbeat Extension, hence its name. Successful exploitation of this vulnerability could lead to the disclosure of server private keys and sometimes sensitive credentials.
The Basics of the Exploit:
To exploit this vulnerability, we need to understand how the heartbeat extension works and why it is used. The need for this extension arises because TLS itself has no feature to check whether the remote host is still alive when no data is being transferred in either direction. The extension overcomes this limitation by sending heartbeat requests to the host and receiving the corresponding responses. However, in the vulnerable implementation there is no validation of the payload length claimed by the client. Thus, a remote attacker can craft a malformed heartbeat request that makes the server read bytes beyond the real payload from its own memory.
Heartbeat message sent by the attacker:
| Type            | Declared payload length | Actual payload |
| TLS1_HB_REQUEST | 65535 bytes             | 1 byte         |
As can be seen in the heartbeat message above, the attacker's actual payload is only 1 byte, but the length field claims a payload of 65535 bytes, leading the vulnerable server to read that many bytes from its memory and return them in the response.
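As an added illustration (not code from the original article or from OpenSSL), the following C model shows the server-side check whose absence the paragraph above describes: the crafted request declares 65535 payload bytes while carrying one, and the fixed handler drops it because the declared length does not fit inside the record actually received. The record layout, the HB_PADDING constant and both function names are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not OpenSSL's own code: a minimal model of TLS heartbeat
 * record handling that shows the length check missing in OpenSSL 1.0.1-1.0.1f.
 * Assumed record layout (RFC 6520): 1 byte type, 2-byte big-endian
 * payload_length, the payload, then at least 16 bytes of padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16

/* Writes a heartbeat request into buf. The declared length may differ from
 * the bytes actually carried; that mismatch is the whole Heartbleed probe.
 * Returns the record length written, or 0 if it does not fit. */
size_t build_request(unsigned char *buf, size_t cap, size_t declared,
                     const unsigned char *payload, size_t actual)
{
    size_t total = 1 + 2 + actual + HB_PADDING;
    if (total > cap || declared > 0xffff) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(declared >> 8);
    buf[2] = (unsigned char)(declared & 0xff);
    memcpy(buf + 3, payload, actual);
    memset(buf + 3 + actual, 0, HB_PADDING);
    return total;
}

/* Server side: echoes the payload back. Returns the response length, or 0
 * when the request is silently dropped. The vulnerable code trusted
 * `declared` and copied that many bytes out of the record buffer; the
 * fixed code first checks it against the record length actually received. */
size_t handle_request(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    size_t total = 1 + 2 + declared + HB_PADDING;
    /* The bounds check added in OpenSSL 1.0.1g: a request whose declared
     * payload does not fit in the record is discarded instead of answered. */
    if (total > rec_len) return 0;
    if (total > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, declared);  /* now never reads past rec_len */
    memset(out + 3 + declared, 0, HB_PADDING);
    return total;
}
```

A request that declares a payload matching what it carries is answered; the mismatched one from the table above is dropped.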
- Install Wamp Server
- Configure Wamp to use SSL
- Configure Wamp to listen on the NAT network interface
- Configure the root password for PhpMyAdmin
- Exploiting the Heartbleed vulnerability
Install Wamp Server
Setting up a lab for this vulnerability is pretty simple. We will be using WampServer 2 (32-bit) together with the vulnerable OpenSSL 1.0.1 32-bit binaries. All the files required for the lab setup can be downloaded from the links below.
Download VM Files – https://drive.google.com/open?id=0B9Dl0ONdsnRnNExiMzRjUWl2Y3M
Download Win7 Lab VM – https://www.dropbox.com/s/7ewnafvqb0900pb/W7Client_v5.rar?dl=0
Download Kali Lab VM – https://www.dropbox.com/s/64yjrhl02yioto2/Kali_v5u.rar?dl=0
Step 1: After extracting all the files, we install Wamp Server on our VM as follows:
Now select your default browser. On our machine we have only Internet Explorer, so we select IE as the default browser.
Untick “Launch WampServer 2 Now”, as we need to do some configuration before launching it.
Step 2: At this point we have successfully installed Wamp Server. Now we are going to configure it to use SSL. To do that, we extract the files from the vulnerable OpenSSL version.
Copy the files selected above and paste them into the C:\wamp\bin\apache\Apache2.2.21\bin folder as follows.
Configure Wamp Server to use SSL
Step 1: Now we generate the SSL certificate and key files. To do this, open a command prompt in the Apache bin folder and run the following command:
openssl genrsa -des3 -out server.key 1024
After that, type in the following command: openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt -config C:\wamp\bin\apache\Apache2.2.21\conf\openssl.cnf
After that, type the following commands one by one (the second one strips the passphrase from the key so Apache can start without prompting for it):
xcopy server.key server.key.orig
openssl rsa -in server.key.orig -out server.key
Step 2: Create a folder named ssl in the C:\wamp\bin\apache\Apache2.2.21 directory.
Step 3: Copy the server.key and server.crt files created in step 1 into the ssl folder as follows.
Step 4: Copy the configuration files from the downloaded VM files (httpd.conf and httpd-ssl.conf) into the following directories, replacing the existing ones.
httpd.conf – C:\wamp\bin\apache\Apache2.2.21\conf
httpd-ssl.conf – C:\wamp\bin\apache\Apache2.2.21\conf\extra
Step 5: Start Wamp Server.
If everything went well, you should be able to browse the Wamp server at https://localhost, which will show the SSL certificate error shown below:
Configure Wamp to listen on the NAT network interface
Step 1: Now we need to make the Wamp server listen on our NAT network interface so that we can reach it from our attacking machine. To do this, we run the command “ipconfig /all” at the command prompt and note the IP address of the NAT network interface as follows.
Note: In case you don’t know how to configure two systems on a NAT network interface, please refer to the “SETTING UP YOUR NAT NETWORK” section here.
Further, we need to set the NAT network interface IP address in the Apache config files. To do that:
Open the C:\wamp\bin\apache\Apache2.2.21\conf\httpd.conf file, comment out the line “Listen 80” and add a Listen directive with your NAT network interface IP address as follows.
Open the C:\wamp\bin\apache\Apache2.2.21\conf\extra\httpd-ssl.conf file, comment out the line “Listen 443” and add your NAT network interface IP address as follows.
Configure root password for PhpMyAdmin
Step 1: Since we will be stealing the MySQL root password during the exploitation phase, we first need to set one, as follows:
Open the MySQL console from the Wamp menu.
When prompted for a password, just press Enter (it is empty by default), then execute the following query to set a password for the root user.
SQL query to set the password: set password for 'root'@'localhost' = password('tester123');
Step 2: To apply the above change to the current Wamp configuration, we need to copy two files from the downloaded VM files as follows:
copy config.inc.php into the C:\wamp\apps\phpmyadmin220.127.116.11 directory
copy phpmyadmin.conf into the C:\wamp\alias directory
Then we restart the Wamp server to apply the changes.
If everything is configured properly, you will now be able to browse the Wamp server at your NAT network interface IP address.
Browse to phpMyAdmin via HTTPS and log in with the password set earlier at the MySQL prompt.
Exploiting the vulnerability
To exploit this vulnerability, we will use the well-known Metasploit Framework from Rapid7. We start it by typing msfconsole in a terminal on our Kali machine.
Step 1: We searched for available Metasploit modules for the Heartbleed vulnerability (search heartbleed) and got the following results.
Step 2: We select the auxiliary module by typing use auxiliary/scanner/ssl/openssl_heartbleed
Step 3: We configured the module: set RHOSTS to the IP address of our vulnerable Win7 machine and set RPORT to 443.
Note: We need to enable verbose mode by typing set VERBOSE true in order to view the memory dump.
As can be seen, we were able to fetch the MySQL root password, highlighted in green. We can also see the root user's cookies, highlighted in red.