Here's how the Heartbleed exploit can be used against a website.
Testing target (kindly provided by Qualys): https://hbdemo.kandek.com
After registering on this website, a user can freely download an encrypted file: supersecret.txt.enc (an example file, secret because it is encrypted with the web server's private key).
An attacker can use a simple tool like heartleech (https://github.com/robertdavidgraham/heartleech) to attack the website.
So the first step is to download the tool (git clone the project or simply compile heartbleed.c, following the instructions on the site above).
After getting the tool, we see that it has different working modes:
./heartleech target_site --dump file
will continuously send malicious heartbleed packets to the web server, collecting more and more memory dumps into a file that can be analyzed later...
./heartleech target_site --autopwn
will instead automatically fetch the certificate from the website and then keep downloading memory until it finds a matching private key within the heartbleed data.
We are more interested in this auto mode:
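The "malicious heartbleed packets" mentioned above are TLS heartbeat requests (RFC 6520) whose declared payload length is larger than the data actually sent, so a vulnerable OpenSSL echoes back process memory to fill the gap (CVE-2014-0160). As an added defender-side example that is not part of the original post and not code from heartleech, here is a small Python checker that parses a TLS record stream and flags heartbeat requests with an over-declared payload length, which is the check a network IDS rule for Heartbleed performs. The sample records at the bottom are constructed test fixtures; the function names are my own.

```python
import struct

TLS_HEARTBEAT = 0x18        # TLS content type for the heartbeat extension
TLS_APPLICATION_DATA = 0x17
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16            # RFC 6520: every heartbeat carries at least 16 bytes of padding


def parse_tls_records(data: bytes):
    """Split a byte stream into (content_type, version, body) TLS records.

    A truncated trailing record is dropped rather than parsed."""
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, version, body))
        offset += 5 + length
    return records


def check_heartbeat(body: bytes):
    """Classify one heartbeat record body.

    Returns (verdict, declared_len, available_len). The verdict is
    'heartbleed_attempt' when a request declares more payload than the
    record actually carries after type, length and minimum padding."""
    if len(body) < 3:
        return ("malformed", None, None)
    hb_type = body[0]
    declared = struct.unpack("!H", body[1:3])[0]
    available = len(body) - 3 - MIN_PADDING
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return ("malformed", declared, available)
    if declared > available:
        verdict = "heartbleed_attempt" if hb_type == HB_REQUEST else "oversized_response"
        return (verdict, declared, available)
    return ("ok", declared, available)


def scan(data: bytes):
    """Return a list of (record_index, verdict, declared, available) alerts
    for every heartbeat record in the stream that is not well formed."""
    alerts = []
    for idx, (ctype, _version, body) in enumerate(parse_tls_records(data)):
        if ctype != TLS_HEARTBEAT:
            continue
        verdict, declared, available = check_heartbeat(body)
        if verdict != "ok":
            alerts.append((idx, verdict, declared, available))
    return alerts


def sample_heartbeat(hb_type: int, declared_len: int, payload: bytes) -> bytes:
    """Constructed test fixture: one TLS 1.1 heartbeat record with 16 bytes of padding."""
    body = bytes([hb_type]) + struct.pack("!H", declared_len) + payload + b"\x00" * MIN_PADDING
    return bytes([TLS_HEARTBEAT]) + struct.pack("!HH", 0x0302, len(body)) + body


# Constructed sample stream: a benign heartbeat, an application-data record,
# and a request that declares 65535 bytes of payload while carrying none.
BENIGN = sample_heartbeat(HB_REQUEST, 4, b"ping")
APP_DATA = bytes([TLS_APPLICATION_DATA]) + struct.pack("!HH", 0x0302, 5) + b"hello"
OVERDECLARED = sample_heartbeat(HB_REQUEST, 0xFFFF, b"")
SAMPLE_STREAM = BENIGN + APP_DATA + OVERDECLARED

if __name__ == "__main__":
    for idx, verdict, declared, available in scan(SAMPLE_STREAM):
        print(f"record {idx}: {verdict} (declared={declared}, available={available})")
```

On the constructed stream the checker reports only record 2, with declared=65535 and available=0; the benign heartbeat and the application-data record pass. On a real network the same logic is applied after TLS record reassembly, and it only sees plaintext-length heartbeats sent before the handshake completes or when heartbeat records are unencrypted, which is exactly the case the public Heartbleed tools exercise.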
./heartleech hbdemo.kandek.com --autopwn
will print the private key in the terminal. Great find!
Having the private key, we just need to save it to a file called, for example, private.key (great imagination), and extracting the data from the secret file we downloaded before is just a matter of a command:
So the secure content of the file is now decrypted, the secret phrase is:
Darth Vader is Luke's father.
and Leia is Luke's sister.
This is amazingly simple, go and try it yourself!
I would like to thank Qualys for providing the target for live testing and Wolfgang Kandek for providing the interesting webinar "A Post-Mortem on Heartbleed - What Worked and What Didn't" still available for playback at http://event.qualys.com/797ENI74200015u00aTee00