Feel the Beat, mmm… Drop! Understanding HeartBleed

Understanding heartbleed by Dustin Noe


About Me

• UMUC Computer Science Student
• Cyber Padawan
• My History
• Languages I like:
– Python, JavaScript (Node env.), Java, Bash Scripting, and C++


The Heartbeat Extension

“DTLS is designed to secure traffic running on top of unreliable transport protocols.  Usually, such protocols have no session management.  The only mechanism available at the DTLS layer to figure out if a peer is still alive is a costly renegotiation, particularly when the application uses unidirectional traffic.  Furthermore, DTLS needs to perform path MTU (PMTU) discovery but has no specific message type to realize it without affecting the transfer of user messages.

FROM RFC6520

The Heartbeat Extension

TLS is based on reliable protocols, but there is not necessarily a feature available to keep the connection alive without continuous data transfer.

FROM RFC6520

The Heartbeat Extension

The Heartbeat Extension as described in this document overcomes these limitations.  The user can use the new HeartbeatRequest message, which has to be answered by the peer with a HeartbeatResponse immediately.  To perform PMTU discovery, HeartbeatRequest messages containing padding can be used as probe packets, as described in [RFC4821].”

FROM RFC6520
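
The request/response exchange quoted above, seen from the receiving side, as an added example (not code from the slides or from OpenSSL): the responder echoes the payload only when the sender's claimed payload_length fits inside the record that actually arrived. The function name `hb_respond`, the constants and the sample records are hypothetical, and the sketch assumes it is handed one already-decrypted HeartbeatMessage.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request  (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response (RFC 6520) */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* RFC 6520: at least 16 bytes of padding */

/* Hypothetical helper: build a HeartbeatResponse for the message in
 * rec[0..rec_len), where rec_len is the size of the record that really
 * arrived. Returns bytes written to out, or 0 to discard silently. */
size_t hb_respond(const uint8_t *rec, size_t rec_len,
                  uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;

    /* payload_length is chosen by the sender, so it is untrusted. */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* Claimed payload plus minimum padding must fit in the received
     * bytes; RFC 6520 says an oversized payload_length is discarded. */
    if (payload_len > rec_len - HB_HEADER - HB_MIN_PAD)
        return 0;

    size_t resp_len = HB_HEADER + payload_len + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len); /* exact echo */
    /* Zero padding keeps the example deterministic; RFC 6520 calls for
     * random padding content. */
    memset(out + HB_HEADER + payload_len, 0, HB_MIN_PAD);
    return resp_len;
}

/* Constructed sample records, 23 bytes each (not captured traffic). */
static const uint8_t HB_OK[23]  = {HB_REQUEST, 0x00, 0x04, 'b', 'e', 'a', 't'};
static const uint8_t HB_LIE[23] = {HB_REQUEST, 0x40, 0x00, 'b', 'e', 'a', 't'};
static uint8_t hb_out[64];

int main(void)
{
    printf("honest request  -> %zu\n", hb_respond(HB_OK, sizeof HB_OK, hb_out, sizeof hb_out));
    printf("inflated length -> %zu\n", hb_respond(HB_LIE, sizeof HB_LIE, hb_out, sizeof hb_out));
    return 0;
}
```

The second record claims a 16384-byte payload inside a 23-byte message, so the handler drops it instead of copying memory beyond the received data.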

The Heartbeat Extension

• The original Heartbeat extension commit
• https://github.com/openssl/openssl/commit/bd6941cfaa31ee8a3f8661cb98227a5cbcc0f9f3
• Committed by Robin Seggelmann
• Reviewed by “steve”

THE CODE

Exploitation

• https://heartbleed.ais.uni-kassel.de

VULNERABLE SITE

Exploitation

• nmap ssl-heartbleed
• https://nmap.org/nsedoc/scripts/ssl-heartbleed.html
• Command
– nmap --script ssl-heartbleed <target>

DETECTION

Exploitation

• use auxiliary/scanner/ssl/openssl_heartbleed
• RPORT defaults to 443
• set RHOST <target>
• set ACTION DUMP
• run

METASPLOIT

Exploitation

• My personal favorite
• Custom Script, easily modified for needs
• https://gist.github.com/dustinnoe/aea76a97f2eb4f31144e
• Forked from existing project
• Accepts a list of regex patterns

Custom Script/Heartbleed.py

Exploitation

• Modulus and two primes
• Check every offset
• Reconstruct the key with some fancy math
• Can take hours or days depending on the server

Getting the Keys

Contact Me

• http://dustinnoe.com
• [email protected]
• Come to the VIP reception