Upload
ec-council
View
34
Download
1
Tags:
Embed Size (px)
Citation preview
About Me
• UMUC Computer Science Student• Cyber Padawan• My History• Languages I like:– Python, JavaScript (Node env.), Java, Bash
Scripting, and C++
SUBTITLE/BY LINE
The Heartbeat Extension
“DTLS is designed to secure traffic running on top of unreliable transport protocols. Usually, such protocols have no session management. The only mechanism available at the DTLS layer to figure out if a peer is still alive is a costly renegotiation, particularly when the application uses unidirectional traffic. Furthermore, DTLS needs to perform path MTU (PMTU) discovery but has no specific message type to realize it without affecting the transfer of user messages.
FROM RFC6520
The Heartbeat Extension
TLS is based on reliable protocols, but there is not necessarily a feature available to keep the connection alive without continuous data transfer.
FROM RFC6520
The Heartbeat Extension
The Heartbeat Extension as described in this document overcomes theselimitations. The user can use the new HeartbeatRequest message, which has to be answered by the peer with a HeartbeartResponse immediately. To perform PMTU discovery, HeartbeatRequest messages containing padding can be used as probe packets, as described in [RFC4821].”
FROM RFC6520
The Heartbeat Extension
• The original Heartbeat extension commit• https://
github.com/openssl/openssl/commit/bd6941cfaa31ee8a3f8661cb98227a5cbcc0f9f3
• Committed by Robin Seggelmann• Reviewed by “steve”
THE CODE
The Heartbeat Extension
• Who is “steve”?• Steve Marquess and Stephen Henson• http://www.buzzfeed.com/chrisstokelwalker/t
he-internet-is-being-protected-by-two-guys-named-st#.rjRvzkKQ7
• http://www.nytimes.com/2014/04/19/technology/heartbleed-highlights-a-contradiction-in-the-web.html?_r=0
THE CODE
The Heartbeat Extension
• Bug introduced on Dec 31, 2011• https://github.com/openssl/openssl/commit/
bd6941cfaa31ee8a3f8661cb98227a5cbcc0f9f3
THE CODE
The Heartbeat Extension
• Bug fixed on Apr 5, 2014• https://github.com/openssl/openssl/commit/
96db9023b881d7cd9f379b0c154650d6c108e9a3
THE CODE
Explotation
• https://heartbleed.ais.uni-kassel.de
VULNERABLE SITE
Exploitation
• nmap ssl-heartbleed• https://
nmap.org/nsedoc/scripts/ssl-heartbleed.html• Command– nmap --script ssl-heartbleed <target>
DETECTION
Exploitation
• use auxiliary/scanner/ssl/openssl_heartbleed• RPORT defaults to 443• set RHOST <target>• set ACTION DUMP• run
METASPLOIT
Exploitation
• My personal favorite• Custom Script, easily modified for needs• https://
gist.github.com/dustinnoe/aea76a97f2eb4f31144e
• Forked from existing project• Accepts a list of regex patterns
Custom Script/Heartbleed.py
Exploitation
• Modulus and two primes• Check every offset• Reconstruct the key with some fancy math• Can take hours or days depending on the
server
Getting the Keys
Contact Me
• http://dustinnoe.com• [email protected]• Come to the VIP reception