NSE:ssl-heartbleed and Metasploit


As a red teamer, if you encounter OpenSSL on a web server, you should check whether the machine is vulnerable to the "Heartbleed" security flaw.

Essentially, the vulnerability works like this: Heartbleed takes advantage of a flaw in older TLS implementations and allows an attacker to read data that resides in the memory of the target machine.  Below you will see two techniques: one with nmap, which tells us that the target is indeed vulnerable, and one with Metasploit.  The second option has additional features that actually let us read the data that is being grabbed from memory.
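The memory read works because a vulnerable OpenSSL trusted the heartbeat message's own length field instead of checking it against the size of the TLS record that carried it. The following is an added example, not code from the original post or from nmap/Metasploit: it applies that bounds check (the one the OpenSSL fix introduced) to raw TLS records, so the same condition the two scanners probe for can be flagged in captured traffic. The sample records are constructed for the example.

```python
import struct

HEARTBEAT = 0x18          # TLS content type for heartbeat messages (RFC 6520)
HB_OVERHEAD = 1 + 2 + 16  # message type + payload_length field + mandatory 16-byte minimum padding

def check_heartbeat_record(record: bytes) -> str:
    """Classify one raw TLS record.

    Returns "not-heartbeat", "truncated", "ok" or "heartbleed".
    The "heartbleed" verdict is the check OpenSSL lacked before 1.0.1g: the
    claimed payload_length must fit inside the record together with the message
    header and the minimum padding; otherwise a vulnerable peer would copy
    payload_length bytes of process memory into its reply.
    """
    if len(record) < 5:
        return "truncated"
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 3:
        return "truncated"
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    if payload_len + HB_OVERHEAD > rec_len:
        return "heartbleed"
    return "ok"

def scan_records(records):
    """One verdict per record, in order, for a captured sequence of TLS records."""
    return [check_heartbeat_record(r) for r in records]

# Constructed sample records (TLS 1.1, version 0x0302); not real captures.
# A well-formed request: 3-byte payload "abc" plus 16 bytes of padding, record length 22.
BENIGN_REQUEST = bytes.fromhex("18 0302 0016" "01 0003 616263" + "00" * 16)
# A request whose length field claims 0x4000 payload bytes while the record holds only 3.
OVERSIZED_REQUEST = bytes.fromhex("18 0302 0003" "01 4000")
# An ordinary application-data record, which the check must ignore.
APPLICATION_DATA = bytes.fromhex("17 0302 0002 dead")

if __name__ == "__main__":
    for name, rec in [("benign", BENIGN_REQUEST), ("oversized", OVERSIZED_REQUEST),
                      ("appdata", APPLICATION_DATA)]:
        print(name, check_heartbeat_record(rec))
```

Feeding records from a packet capture of port 443 through scan_records gives a simple way to spot heartbeat requests that a patched server would silently discard.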

We can quickly check to see if a target is vulnerable by using nmap.

# nmap -p 443 --script ssl-heartbleed <IP>

Additionally, we can use the Metasploit module scanner/ssl/openssl_heartbleed to check if the target is vulnerable.

With both tools being extremely valuable, let's take a look at the image below and see if we can dig a little bit deeper, using the same module (scanner/ssl/openssl_heartbleed):
1) Load the scanner.
2) Set the target.
3) Test if it is vulnerable by launching with "run".
4 and 5) Set "action" to SCAN and run, then set action to DUMP and run again.  After the DUMP run, the data returned by the heartbeat has been stored in a ".bin" file.  AWESOME!

So this is good: we have a copy of the data that was "stolen."

How do we read this?  We use a utility called strings.

Copy the file location and use strings to read the .bin file.  A lot of the data is illegible; however, you can see things of value, in this case a variable written in base64.  In other cases you may find PHP session IDs, which can be used for forging cookies.

[1] https://nmap.org/nsedoc/scripts/ssl-heartbleed.html
