Heartbleed Exploit - Discovery & Exploitation
Key Takeaways
The video demonstrates the discovery and exploitation of the Heartbleed vulnerability in OpenSSL software, using tools like OWASP Bee-box and a Heartbleed POC Script.
Full Transcript
hey guys hackersploit here back again with another video welcome back to the bug bounty series now in this video i'm going to be taking a look at hot bleed and how to detect it and how to exploit it now many of you will be wondering apart from heartbleed heartbeat being a web-based vulnerability or why i'm actually including it within the bug bounty series and the answer is very very simple and that is of course the data that is exposed or is dumped from the memory of a particular server can lead to the exploitation of a particular web application and i'll get to that shortly so many of you who have heard of hud bleed already know what type of vulnerability it is but if this is your first time hearing about it heartbleed is essentially a security bug or vulnerability in the open ssl cryptography library which is widely used in the implementation of the transport layer or tls protocol all right so this vulnerability or this bug allows you to view information that would otherwise be protected by the ssl or tls encryption so it allows you to read memory of the system protected by the vulnerable version of openssl so you might be wondering well if this is truly a vulnerability that we can exploit well what versions of ssl more specifically openssl are vulnerable and the good news is this is quite an old vulnerability now or relatively old when you compare it to other new vulnerabilities being released and it currently only affects open ssl 1.0.1 now this brings of course into play the relevancy of this particular vulnerability and i think this is very very uh this is a very um important video to cover it may not be important when performing bug bounties but certainly important when performing ctfs or any other challenges that might require you to exploit um hot plate on a particular web server all right now the tools we'll be using in our in our environment are of course going to be b box i've covered b box in the previous videos uh it is essentially a vulnerable virtual machine that contains b-wap but the great thing about it is it does include uh uh it does include the heartbleed fundability on a particular port so i have mine running in vmware and we're ready to go the download link will be in the description section all right so let's get started now the first thing of course that you need to do is you need to scan or perform a vulnerability scan on a particular web server now of course the ports could be misconfigured and i'll get to that in a second so uh if we just go right over here i'm going to open up my browser and i have the ip address right over here of the of the be box web server and you can see it contains b web drupal get an evil folder phpmyadmin and the sqlite manager uh in our case we're just going to click on bwap and uh let me just log out and log back in uh so b uh and that is bug and i'm just going to log in the vulnerability we're looking for is the heartbleed vulnerability which is under a6 if i if i remember correctly which is under data exposure although that of course can give you a multitude of other pieces of data that all sort of blend into the other vulnerabilities for example authentication etc etc so uh we'll be taking a look at the heartbleed vulnerability i'll also be covering the poodle vulnerability and how to patch all of these particular ssl vulnerabilities but for now let's stick with the hot bleed i'm going to click on hack and right over here it gives you this little message telling you the engines web server is using a vulnerable open sl version so we know that and this is for be box only and it's going to tell you that hint login on port 8443 and launch the attack script all right so it's telling us so there we are we have the script here it does give you the upload.py script so i already have that set up i will be linking it in the description section the actual uh proof of concept script uh so you can uh it's essentially telling you to go to port 8443 and of course uh one could have performed the nmap scan so uh s uh well actually hold on and so the end map sv and we can also run advanced scan 68.1.105 and of course this web server has databases running on and of course as we have just been told it has an engine's uh session running so we'll leave that to scan but of course we know the port so that means if uh 192.168.1.105 and of course uh eight four four three and hit enter it's gonna load up right over here with that particular uh vulnerable uh open ssl certificate so that is fantastic so we know it does work now of course with the nmap scan we'll we'll just wait for the results that isn't important but of course i'm coming at this from a ctf perspective so we have performed the scan on your server and of course you've uh you've realized that you're either the web server that could be on port 403 is vulnerable to the art blade now what uh now you essentially move on to vulnerability scanning where you essentially test that particular port and and you actually test it to see if it is vulnerable to the uh the hard blade vulnerability you can perform this with nmap using the nmap scripts apologies for that that is the discord let me just quit the discord there um so you can do this with nmap scripts or you can do it with an auxiliary scanner with the metasploit console or with metasploit all right so let's do that right now uh uh what i'm gonna do is i'm just gonna bought this scan right over here because we already know the port and the particular ip so we are going to get started with nmap so i've talked about nmap scripts uh before you can check that video out if you want to so we're going to perform a pseudo nmap scan here we know the port is port 8443 let me just expand this so you can see what's going on and then we're going to use the script argument here and of course we specify the script which is hot bleed it is ssl heart bleed right over here and the ip which is 192.168.1.105 i'm going to hit enter we're going to wait for the results and there we are we can see that ssl hot blade is vulnerable and we want to look for the risk factor you can see that the risk factor is high which means we have a good chance of exploiting this it also gives it gives you these versions as i mentioned it is vulnerable on versions 1.01 and the beta version of 1.02 which is understandable because it actually makes sense that they did have a beta for the next version in any case you have the various cves so you can read more about the vulnerability here now that we've actually performed the vulnerability scan with nmap let's take take a look at how to do it with metasploit so ms msf console uh let's run that and we'll give that a few seconds to start up the middle play framework here there we are fantastic and we again as i mentioned the scan is an auxiliary module which is great it also expands on the functionality in regards to exploiting this particular vulnerability i'll explain that in a second so what you can do is just simply say search open ssl open this cell and hot bleed or you can essentially just use the uh the the uh sorry about that that looks like an uh incorrect spelling or a typo there open ssl hot plate and there we are we have it right over here so this is the name of the module so we have auxiliary scanner as an openness a lot blade and it was uh released on 2014 on the year 2014 so you can take a look at the description open ssl hot blade information leak so this also expands on the vulnerability or the um all the functionality so i'm just going to copy that we're going to use this particular module and we're going to show the options here show options you can see we have quite a few options i'm going to be covering the important ones only so again you can specify the tls version that you want to use uh in our case we're going to say set our hosts because that's the most important bit here uh set arrows 192.168.1.105 uh set our port uh 8443 that is the port we're targeting and now if we show the info in regards to this particular module we can see that it expands on its functionality when it comes down to the actions now i don't know whether i've talked about actions with metasploit before but for example we can set the action to dump this will dump the memory contents we can also set it to dump the private keys we're not going to be taking a look at that right now i doubt it will leak any any of the private keys of the of that particular certificate uh and we have scan which is what we're going to do so we're going to start off with set action scan and i'm going to uh enter and hit run and that is going to run the vulnerability scanner and right over here it tells you how bleed responds with leak and that tells us that of course we have this particular server is vulnerable to the heartbleed attack on that particular port now if we set our action to dump that is essentially going to dump the memory contents and what we can do is uh or what i'm going to do really is i'm just going to log in and out because i want to demonstrate a particular vulnerability here so i'm going to go into bwap and i'm going to log out and i'm just going to log in one more time and i'll explain why so there we are we've logged in excellent and that has nothing to do with what we're doing right now essentially just to do with the leak so we're going to set action oops sorry that is set action dump and we're going to run this so you can see that it's it's actually stored the data into a bin file right over here so the dump is stored into a bin file which is very very convenient so what i can do is i can copy this and we can essentially just open up a new tab here and i will put in strings and let me just reduce the font size and we can actually see the contents of this bin file now the best way to analyze a bin file is of course to look for strings that are readable and you can use the strings tag right over here and immediately you can see a dump of this particular web server and for example right over here we have a bit of data we have the b web um email we also have a bit of the data being sent onto the web page and that is to do with a particular challenge let's see if we can find anything important here we should be able to find the php session id which is what i was getting to so there we are immediately we can see we have the cookie we have the php session id of this particular user oops sorry about that of this particular user here uh and you can see uh that we get the php session id which we can of course you can of course confirm it with your proxy um whether that being purple's app with what whatever the case what i was getting to is with data like the php session id that means we can impersonate this particular user which is the uh the administrator with the user b and the password uh bug which means we can perform various types of attacks on the database using uh various tools you you get the idea we can now expound on our on our attack surface on this particular web application now that we've exploited the session id which of course means we can uh essentially impersonate this user and uh more than that we of course have the login details or the login credentials which are the user b and the password bug so that gives you an idea of how powerful this particular vulnerability is and how it can be used by attackers to essentially get tons of information about the web server not really the you you in most cases or in some cases you might get the password the username of the password but uh important bits of information like the php session id are very very important here so that is how to go about it using the auxiliary module the auxiliary the auxiliary module with metasploit sorry about that and now let's talk about using the proof of concept script um so i'm just going to exit here and we have it on my desktop it is the heartbeat.python script right over here now i will be posting it in the description and of course if you are using be box it does give you a link to that particular script that you can use to test on your particular server all right so we have it on my desktop so there we are hardly dot uh py you can go ahead and take a look at the script and analyze it right over here so it is a poc which is again proof of concept and you can go ahead and look at the vulnerability uh you can take a look at the script sorry so to run it again uh we simply type in python and then we have heartbleed here dot python and we type in 0.1.105 and the syntax is simply uh we specify the particular port because the port could be different and the port in this case is 8443. we hit enter and what it does is it gives us a warning telling us the server returned more data than it should and that the server is vulnerable and it also gives us a dump of the of the memory of the particular server and right over here we have all empty data so nothing has been caught over there but right over here we have the exact data that we are able to get using the auxiliary scanner we have the user and the password and we also have the php session id if i can find it there we are php session id so that is also what ties into what i was getting at in regards to authentication flaws within a particular web application so now that we've actually seen how to exploit it and what data we can get from it let me just close off the video explaining why this is important now of course as i said this is not really a popular vulnerability mostly because it has been patched and it's very very hard to find websites that have currently not patched it probably websites that are running uh that that were developed a long time ago and have not been maintained but this comes into play when dealing with ctfs that could be on hack the box of walnhub so if you do ever run into this particular vulnerability this video will help you learn how to detect it and exploit it with a multitude of tools you can use the uh you can use the original python file which is the output.python file you can also use the nmap while the nmap script is just used to detect the vulnerability you can use the auxiliary module with metasploit that allows you to dump the uh the actual contents of the memory and of course dump the keys if that's what you're looking for so that's going to be it for this video guys thank you so much for watching if you have any questions or suggestions let me know in the comment section on my social networks or on at the forum at hackersplate.org and i'll be seeing you in the next video peace guys [Music]
Original Description
Hey guys! welcome to the Bug Bounty Hunting series where we will be learning everything we need to know so that you can begin your journey in Bug Bounty Hunting. In this video, I will be showing you how to discover and exploit the Heartbleed vulnerability. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.
OWASP Bee-box: https://sourceforge.net/projects/bwapp/files/bee-box/
Heartbleed POC Script: https://github.com/ctfs/write-ups-2014/blob/master/plaid-ctf-2014/heartbleed/heartbleed.py
Get Our Courses:
The Complete Linux System Administration Bootcamp: https://hackersploit.io/courses/the-complete-linux-system-administration-course
The Complete Ethical Hacking Bootcamp 2019: https://hackersploit.io/courses/the-complete-ethical-hacking-bootcamp
Python For Ethical Hacking: https://hackersploit.io/courses/python-for-ethical-hacking
Our Platforms:
Hsploit: https://hsploit.com/
HackerSploit Forum: https://hackersploit.org/
HackerSploit Academy: https://hackersploit.io/
HackerSploit Podcast: https://soundcloud.com/hackersploit
iTunes: https://itunes.apple.com/us/podcast/the-hackersploit-podcast/id1439732519?mt=2
⭐SUPPORT HACKERSPLOIT BY USING THE FOLLOWING LINKS:
NordVPN: https://nordvpn.org/hacker
Use the link above or the code below for 77% Off your order
Promo Code: hacker
Patreon: http://patreon.com/hackersploit
I Hope you enjoy/enjoyed the video.
If you have any questions or suggestions feel free to ask them in the comments section or on my social networks.
🔗 HackerSploit Website: https://hsploit.com/
🔹 SUPPORT THE CHANNEL
NordVPN Affiliate Link: https://nordvpn.org/hacker
Patreon: http://patreon.com/hackersploit
🔹 GET OUT COURSES
Get a special discount on our courses:
The Complete Deep Web Course 2018:
https://www.udemy.com/the-complete-deep-web-course-2017/?couponCode=DWCBP2017
🔹 SOCIAL NETWORKS - Connect With Us!
-------------------------------
Facebook:
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from HackerSploit · HackerSploit · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
How To Install Kali Linux 2.0 On Virtual Box
HackerSploit
100 Subscriber Q&A! - How I Learned Ethical Hacking
HackerSploit
BlackArch Linux Review - Better Than Kali Linux?
HackerSploit
How to Access the Deep Web Safely | Deep Web Starter Guide 1.0
HackerSploit
Wireshark Tutorial for Beginners - Installation
HackerSploit
Wireshark Tutorial for Beginners - Overview of the environment
HackerSploit
Wireshark Tutorial for Beginners - Capture options
HackerSploit
Wireshark Tutorial for Beginners - Filters
HackerSploit
Complete Ethical Hacking Course - Become a Hacker Today - #1 Hacking Terminology
HackerSploit
Complete Ethical Hacking Course #2 - Installing Kali Linux
HackerSploit
Parrot OS 3.5 Review | The Best Kali Linux Alternative
HackerSploit
Nmap Tutorial For Beginners - 1 - What is Nmap?
HackerSploit
Katoolin | How To Install Pentesting Tools On Any Linux Distro
HackerSploit
Nmap Tutorial For Beginners - 2 - Advanced Scanning
HackerSploit
Nmap Tutorial For Beginners - 3 - Aggressive Scanning
HackerSploit
Zenmap Tutorial For Beginners
HackerSploit
How To Setup Proxychains In Kali Linux - #1 - Stay Anonymous
HackerSploit
How To Setup Proxychains In Kali Linux - #2 - Change Your IP
HackerSploit
How To Change Mac Address In Kali Linux | Macchanger
HackerSploit
How To Setup And Use anonsurf On Kali Linux | Stay Anonymous
HackerSploit
Ubuntu 17.04 "Zesty Zapus" Review - Bye Unity
HackerSploit
VPN And DNS For Beginners | Kali Linux
HackerSploit
Tails OS Installation And Review - Access The Deep Web/Dark Net
HackerSploit
Steganography Tutorial - Hide Messages In Images
HackerSploit
The Lazy Script - Kali Linux 2017.1 - Automate Penetration Testing!
HackerSploit
Best Linux Distributions For Penetration Testing
HackerSploit
Netcat Tutorial - The Swiss Army Knife Of Networking - Reverse Shell
HackerSploit
Gaining Access - Web Server Hacking - Metasploitable - #1
HackerSploit
Web Server Hacking - FTP Backdoor Command Execution With Metasploit - #2
HackerSploit
How To Install Kali Linux On VMware - Complete Guide 2018
HackerSploit
Q&A #1 - Best Cyber-security Certifications?
HackerSploit
Terminator - Kali Linux - Multiple Terminals
HackerSploit
Shodan Search Engine Tutorial - Access Routers,Servers,Webcams + Install CLI
HackerSploit
Q&A #2 - Mr Robot?
HackerSploit
Metasploit Community Web GUI - Installation And Overview
HackerSploit
Linux Expl0rer - Forensics Toolbox - Installation & Configuration
HackerSploit
QuasarRAT - The Best Windows RAT? - Remote Administration Tool for Windows
HackerSploit
Metasploit For Beginners - #1 - The Basics - Modules, Exploits & Payloads
HackerSploit
Metasploit For Beginners - #2 - Understanding Metasploit Modules
HackerSploit
Kali Linux Quick Tips - #1 - Adding a non-root user
HackerSploit
Metasploit For Beginners - #3 - Information Gathering - Auxiliary Scanners
HackerSploit
Spectre Meltdown Vulnerability - How To Check Your System
HackerSploit
Metasploit For Beginners - #4 - Basic Exploitation
HackerSploit
ARP Spoofing With arpspoof - MITM
HackerSploit
WordPress Vulnerability Scanning With WPScan
HackerSploit
Generating A PHP Backdoor with weevely
HackerSploit
Nikto Web Vulnerability Scanner - Web Penetration Testing - #1
HackerSploit
How To Install Kali Linux On Windows 10 - Windows Subsystem For Linux
HackerSploit
Stacer - System Optimizer And Monitoring Tool For Linux
HackerSploit
Kali Linux 2018.1 - Kernel Updates & Patches
HackerSploit
MITM With Ettercap - ARP Poisoning
HackerSploit
Password Cracking With John The Ripper - RAR/ZIP & Linux Passwords
HackerSploit
How To Detect Rootkits On Kali Linux - chkrootkit & rkhunter
HackerSploit
Channel Updates - How To Post Questions & Video Suggestions
HackerSploit
Web App Penetration Testing - #1 - Setting Up Burp Suite
HackerSploit
Web App Penetration Testing - #2 - Spidering & DVWA
HackerSploit
Cl0neMast3r - GitHub Repository Cloning Tool
HackerSploit
Kali Linux On Windows 10 Official - WSL - Installation & Configuration
HackerSploit
DoS/DDoS Protection - How To Enable ICMP, UDP & TCP Flood Filtering
HackerSploit
Web App Penetration Testing - #3 - Brute Force With Burp Suite
HackerSploit
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
Hack Smarter Labs — Dark: From Unauthenticated WordPress Bug to Root
Medium · Cybersecurity
I Tried Teaching My Non‑Tech Friend How to Spot a Scam Email. Here’s What Actually Worked
Medium · Cybersecurity
The Password Mistake Almost Everyone Makes (And How to Fix It in 5 Minutes)
Medium · Cybersecurity
NahamStore CTF (XSS)
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI