Recently I was asked to present a live hack in front of an audience and I decided go back in time to the heartbleed bug. I say back in time but actually many sites are still vulnerable believe it or not.
Little recap on what heartbleed is. For a brief history of CVE-2014-0160 you can read the CVE or check out the Wikipedia page. Essentially it was a bug discovered in April 2014 that affects OpenSSL version 1.0.1 thru 1.0.1f. By exploiting the bug you can see in memory data even ssl key information. Several attacks were documented using this attack including the Canada Revenue Agency reporting theft of Social Insurance Numbers belonging to about 900 taxpayers.
So on to the lab to make the hack happen. First we need a system with the proper versions of OpenSSL that have not been patched and since the patch was available so quickly we have to once again go back in time. Easiest way is Ubuntu 12.04 iso download. It shipped with OpenSSL 1.0.1 and so long as we don’t run “apt-get upgrade” we should be fine.
So I downloaded Ubuntu-12.04 ISO and installed it and did not upgrade it so I kept it in the state it would have been in 2012.
#sudo apt-get install apache2 #sudo a2enmode ssl #service apache2 restart #service apache2 status #sudo a2ensite default-ssl #service apache2 reload #service apache2 restart
At this point you should have a VM running of Ubuntu 12.04. I have a VM running Kali Linux on the same host. To carry out the attack steps you will need Kali or access to the Metasploit console.
Next come the needed files for Apache. And we will need to type these commands in order to enable the ssl and default certs for Apache. Run these from the Ubuntu terminal.
You now have a working web server using https on port 443. In my demo I had the IP of the Ubuntu web server as 192.168.9.133.
Next we can quickly test the version of OpenSSL and also verify the ssl connection to the server.
#openssl version -a
This should return something similar to OpenSSL 1.0.1 and a date.
Now to test the ssl connection we just setup.
#openssl s_client -connect 192.168.9.133:443 -tlsextdebug
This will print a lot of text and what we are looking for here is the word Connected.
On to the hack.
Leave the Ubuntu server running and now lets load your Kali Linux VM and load the metasploit console.
So here are the commands we need to run.
This will load the Metasploit Framework console.
This will search the database for heartbleed exploits.
We now need to load the exploit module listed.
set verbose true
Set the output to show everything.
set rhosts 192.168.9.133
We now set the IP address of the Ubuntu machine we are attacking.
Run the exploit and see the results.
If you want to watch the hack click the embedded video below.
This was a great demo hack to show people how easy it is and also to help educate them on how you can protect yourself.
Thanks and I hope you enjoyed this and found it useful.