Saturday, May 3, 2014

Detect Exploit openSSL Heartbleed vulnerability using Nmap and Metasploit on Kali Linux

Read full details here: Detect Exploit openSSL Heartbleed vulnerability using Nmap and Metasploit on Kali Linux


Background

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). This guide shows how to detect and exploit the OpenSSL Heartbleed vulnerability using Nmap and Metasploit on Kali Linux.
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers’ private keys and users’ session cookies and passwords.
Heartbleed is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160.

Discovery and Naming

The bug was named by an engineer at the firm Codenomicon, a Finnish cybersecurity company, which also created the bleeding heart logo, and launched the domain Heartbleed.com to explain the bug to the public. According to Codenomicon, Neel Mehta first reported the bug to OpenSSL, but both Google and Codenomicon discovered it independently. Codenomicon reports April 3 as their date of discovery of the bug and as their date of notification of NCSC-FI (formerly known as CERT-FI) for vulnerability coordination.

Affected and non-affected OpenSSL versions

The bug was introduced into OpenSSL in December 2011 and has been in the wild since the OpenSSL 1.0.1 release of 14 March 2012. OpenSSL 1.0.1g, released on 7 April 2014, fixes the bug.
  1. OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  2. OpenSSL 1.0.1g is NOT vulnerable
  3. OpenSSL 1.0.0 branch is NOT vulnerable
  4. OpenSSL 0.9.8 branch is NOT vulnerable
The vulnerable versions have been out there for over two years now and have been rapidly adopted by modern operating systems. A major contributing factor is that TLS versions 1.1 and 1.2 became available with the first vulnerable OpenSSL version (1.0.1), and the security community has been pushing TLS 1.2 because of earlier attacks against TLS.

Affected operating systems?

Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:
  1. Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  2. Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  3. CentOS 6.5, OpenSSL 1.0.1e-15
  4. Fedora 18, OpenSSL 1.0.1e-4
  5. OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  6. FreeBSD 10.0 – OpenSSL 1.0.1e 11 Feb 2013
  7. NetBSD 5.0.2 (OpenSSL 1.0.1e)
  8. OpenSUSE 12.2 (OpenSSL 1.0.1c)
Operating system distribution with versions that are not vulnerable:
  1. Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
  2. SUSE Linux Enterprise Server
  3. FreeBSD 8.4 – OpenSSL 0.9.8y 5 Feb 2013
  4. FreeBSD 9.2 – OpenSSL 0.9.8y 5 Feb 2013
  5. FreeBSD 10.0p1 – OpenSSL 1.0.1g (At 8 Apr 18:27:46 2014 UTC)
  6. FreeBSD Ports – OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
That’s a lot of systems that are vulnerable. We all thought Linux was secure, with open source as the standard-bearer of security; apparently not anymore!
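The two lists above (upstream OpenSSL releases, and distribution packages built from them) are what an administrator actually has to check an inventory against. The script below is an added example, not code from the original post: it parses version strings in the forms shown above and classifies them using exactly the rule given (1.0.1 through 1.0.1f vulnerable; 1.0.1g, the 1.0.0 branch and the 0.9.8 branch not). The inventory lines, host names and the `audit_inventory` helper are constructed for illustration. One caveat the lists hint at: a distribution can backport the fix while keeping the upstream letter (the package revision changes, the "1.0.1e" does not), so a hit on upstream version alone is flagged for a vendor package check rather than declared final.

```python
import re

# Classification taken from the version list in the post (CVE-2014-0160):
# 1.0.1 through 1.0.1f vulnerable; 1.0.1g, the 1.0.0 branch and the 0.9.8 branch not.
FIRST_FIXED_LETTER = "g"          # 1.0.1g (7 April 2014) carries the fix
SAFE_BRANCHES = {(1, 0, 0), (0, 9, 8)}

# Matches "OpenSSL 1.0.1e-2+deb7u4", "1.0.1-4ubuntu5.11", "OpenSSL 0.9.8y 5 Feb 2013", ...
# The optional "-<revision>" captures a distribution package revision if present.
VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(\S+))?")


def parse_openssl_version(text):
    """Split a version string into (branch tuple, release letter, distro revision)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % text)
    major, minor, fix, letter, revision = m.groups()
    return (int(major), int(minor), int(fix)), letter, revision


def heartbleed_status(text):
    """Return 'vulnerable', 'not vulnerable' or 'unknown' for an OpenSSL version
    string, judged purely on the upstream version number."""
    branch, letter, _revision = parse_openssl_version(text)
    if branch in SAFE_BRANCHES:
        return "not vulnerable"
    if branch != (1, 0, 1):
        return "unknown"                    # branch not covered by the list above
    if letter >= FIRST_FIXED_LETTER:        # '' (plain 1.0.1) sorts before 'a'
        return "not vulnerable"
    return "vulnerable"


def audit_inventory(lines):
    """Classify constructed inventory lines of the form 'host: <openssl version>'.
    A distro package revision (e.g. '-2+deb7u4') means the vendor may have
    backported the fix without bumping the upstream letter, so such hosts are
    flagged for a package-revision check instead of a final verdict."""
    results = []
    for line in lines:
        host, _, version = line.partition(":")
        status = heartbleed_status(version)
        _, _, revision = parse_openssl_version(version)
        if status == "vulnerable" and revision:
            status = "vulnerable (upstream); confirm vendor package revision"
        results.append((host.strip(), status))
    return results


# Constructed sample inventory (hypothetical hosts, version strings in the post's format).
SAMPLE_INVENTORY = [
    "web1: OpenSSL 1.0.1e-2+deb7u4",
    "web2: OpenSSL 1.0.1g",
    "mail1: OpenSSL 0.9.8y 5 Feb 2013",
    "vpn1: OpenSSL 1.0.1-4ubuntu5.11",
]

if __name__ == "__main__":
    for host, status in audit_inventory(SAMPLE_INVENTORY):
        print("%-6s %s" % (host, status))
```

Branches the post does not list (1.0.2 betas, for instance) come back as "unknown" rather than being guessed; the only authoritative answer for a distribution package is the vendor's security advisory for that exact package revision.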

This attack is UNDETECTABLE

Exploitation of this bug leaves no trace of anything abnormal in the logs. Some intrusion detection and intrusion prevention systems can pick up this attack, but they need specific rules. With SSL deemed safe, not many organizations would actually have implemented them. That means many supposedly secure systems are vulnerable.
It affects 32-bit and 64-bit systems alike. There is no 64-kilobyte total limit on the attack; that limit applies only to a single heartbeat. An attacker can either keep reconnecting or, during an active TLS connection, keep requesting an arbitrary number of 64-kilobyte chunks of memory content until enough secrets are revealed.
This means an attacker can attack both 32- and 64-bit systems alike, can repeat the attack as many times as they want, and no one will know, as the connection is deemed safe and no logs are generated about the attack. This is PROBABLY the worst bug discovered in any system. It is also speculated that the NSA, CIA and many security organizations were aware of this vulnerability and abused it until now. While this cannot be confirmed, the possibilities are really scary!
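The "specific rules" an IDS needs come down to one length test: a heartbeat message whose declared payload length does not fit inside the TLS record that carries it. That is the same check the patched OpenSSL performs before answering a heartbeat. The following is an added example, not code from the post or from any IDS: it parses TLS records from a byte stream, applies that test to heartbeat records, and counts heartbeat requests so that the repeated 64 KB reads described above stand out as well. The sample stream, the `tls_record`/`heartbeat_fragment` builders and all field values are constructed for the test; the TLS content type 0x18 and the heartbeat message layout (type, 16-bit payload length, payload, at least 16 bytes of padding) come from RFC 6520.

```python
import struct

TLS_HEARTBEAT = 0x18          # TLS content type for heartbeat records (RFC 6520)
HEARTBEAT_REQUEST = 0x01
HEARTBEAT_RESPONSE = 0x02
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding


def iter_tls_records(data):
    """Yield (content_type, version, fragment) for each TLS record in a byte stream.
    Stops at the first record whose declared length exceeds the remaining bytes."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        fragment = data[offset + 5:offset + 5 + length]
        if len(fragment) < length:
            break                      # truncated record; nothing more to parse
        yield ctype, version, fragment
        offset += 5 + length


def check_heartbeat(fragment):
    """Return a finding string for a heartbeat record, or None if it is well-formed.
    The declared payload plus its 3-byte header and 16 bytes of padding must fit
    inside the record; the patched OpenSSL rejects anything that does not."""
    if len(fragment) < 3:
        return "heartbeat record too short to carry a header"
    hb_type, payload_len = struct.unpack("!BH", fragment[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return "unknown heartbeat type %d" % hb_type
    if 1 + 2 + payload_len + MIN_PADDING > len(fragment):
        return ("heartbeat type %d declares %d payload bytes but the record holds "
                "only %d: possible CVE-2014-0160 probe" % (hb_type, payload_len, len(fragment)))
    return None


def scan_stream(data):
    """Run the check over a captured byte stream. Returns (findings, request_count);
    the request count lets a detector alert on bursts of heartbeat requests."""
    findings = []
    requests = 0
    for ctype, _version, fragment in iter_tls_records(data):
        if ctype != TLS_HEARTBEAT:
            continue
        if fragment[:1] == b"\x01":
            requests += 1
        finding = check_heartbeat(fragment)
        if finding:
            findings.append(finding)
    return findings, requests


# Builders for constructed test records (not from any real capture).
def tls_record(ctype, fragment, version=0x0302):
    return struct.pack("!BHH", ctype, version, len(fragment)) + fragment


def heartbeat_fragment(hb_type, declared_len, payload, padding=b"\x00" * MIN_PADDING):
    return struct.pack("!BH", hb_type, declared_len) + payload + padding


# Constructed sample stream: one application-data record, one well-formed heartbeat
# (declares 4 bytes, carries 4), and one that declares 100 bytes while carrying 4.
SAMPLE_STREAM = (
    tls_record(0x17, b"hello")
    + tls_record(TLS_HEARTBEAT, heartbeat_fragment(HEARTBEAT_REQUEST, 4, b"ping"))
    + tls_record(TLS_HEARTBEAT, heartbeat_fragment(HEARTBEAT_REQUEST, 100, b"ping"))
)

if __name__ == "__main__":
    found, count = scan_stream(SAMPLE_STREAM)
    print("%d heartbeat request(s), %d finding(s)" % (count, len(found)))
    for f in found:
        print(" -", f)
```

Once a session is encrypted, only the record's content type and length stay visible on the wire, so this length test works for heartbeats sent before the handshake completes (which is when the public scanners send them) or at a TLS-terminating proxy that sees plaintext. Inside an encrypted session a defender can still count heartbeat records per connection and flag unusually large heartbeat responses, which is what the IDS rules the post refers to did.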

What we are going to do in this guide?

This guide will demonstrate the following:
  1. How to set up an OpenSSL Heartbleed vulnerable system with Apache and SSL.
  2. How to scan for an OpenSSL Heartbleed vulnerable system with Nmap.
  3. How to exploit the OpenSSL Heartbleed vulnerability with Metasploit on Kali Linux.
Scanning is quite easy: you just need to find a target and use Nmap to scan it. Offensive Security’s Metasploit is another fantastic tool for exploiting this vulnerability. Together, they can be used to exploit any vulnerable system.

Our setup

Because I can’t directly show how to exploit a live target (and most common targets are already being patched), I will demonstrate this using the following setup:

Target System:

  • Freshly installed Kali Linux version 1.0.6 (it is vulnerable).
  • OpenSSL version 1.0.1e built before April 7, 2014 (that’s when the fix was released).
  • Setup Apache Web server.
  • Enable SSL support on Apache Web server.

Attacking System

  • Kali 1.0.6 fully updated and upgraded (specifically MetaSploit and Nmap)

Read the rest of it here: Detect Exploit openSSL Heartbleed vulnerability using Nmap and Metasploit on Kali Linux
