Exploiting Heartbleed vulnerability

In this recipe, we will use our previously compiled Heartbleed exploit to extract information about the vulnerable Bee-box server (https://192.168.56.103:8443/ in this recipe).

The Bee-box virtual machine can be downloaded from https://www.vulnhub.com/entry/bwapp-bee-box-v16,53/ and the installation instructions are there too.

Getting ready

In the previous recipe, we generated an executable from the Heartbleed exploit; we will now use that to exploit the vulnerability on the server.

As Heartbleed is a vulnerability that extracts information from the server's memory, it may be necessary to browse and send requests to the server's HTTPS pages on port 8443 (https://192.168.56.103:8443/) before attempting the exploit in order to have some information to extract.

How to do it...

  1. If we check the TCP port 8443 on Bee-box, we will find it is vulnerable to Heartbleed.
    sslscan 192.168.56.103:8443
    
  2. Now, let's move on to the exploit. Firstly, we move to the folder that contains the executable exploit:
    cd heartbleed
    
  3. Then, we check the options of the program, as shown:
    ./heartbleed --help
    
  4. We will try to exploit 192.168.56.103 on port 8443, obtaining the maximum leak and saving the output to a text file hb_test.txt:
    ./heartbleed -s 192.168.56.103 -p 8443 -f hb_test.txt -t 1
    
  5. Now, if we check the contents of hb_test.txt:
    cat hb_test.txt

    Our exploit extracted information from the HTTPS server and, from that, we can see a session ID and even a full login request including a username and password in clear text.

  6. If you want to skip all the binary data and see only the readable characters in the file, use the strings command:
    strings hb_test.txt

How it works...

As mentioned in Chapter 4, Finding Vulnerabilities, the Heartbleed vulnerability allows an attacker to read information from the OpenSSL server's memory in clear text. This means that we don't need to decrypt or even intercept any communication between the client and the server; we simply ask the server what's in its memory and it responds with the unencrypted information.

In this recipe, we have used a publicly available exploit to perform the attack and obtained at least one valid session ID. It is sometimes possible to find passwords or other sensitive information in Heartbleed dumps.

Finally, the strings command displays only the printable strings in a file, skipping all the special characters, which makes the dump easier to read.
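As an added illustration of the root cause (this is example code, not part of the original recipe or the exploit it uses), the following Python parses TLS records from a constructed byte stream and flags heartbeat messages whose claimed payload_length exceeds the bytes actually present on the wire, which is the same check that patched OpenSSL and IDS signatures apply. The record layout follows RFC 6520; the sample traffic is constructed, not a real capture.

```python
import struct

TLS_HEARTBEAT = 0x18            # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 0x01, 0x02
HB_MAX_PAYLOAD = 16384          # RFC 6520: payload_length MUST NOT exceed 2^14
HB_MIN_PADDING = 16             # RFC 6520: padding MUST be at least 16 bytes


def iter_tls_records(data):
    """Yield (content_type, version, body) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, rlen = struct.unpack_from("!BHH", data, off)
        yield ctype, version, data[off + 5:off + 5 + rlen]
        off += 5 + rlen


def check_heartbeat(body):
    """Inspect one heartbeat record body; 'suspicious' in the result is the verdict."""
    if len(body) < 3:
        return {"suspicious": True, "reason": "truncated heartbeat header"}
    hb_type, claimed = struct.unpack_from("!BH", body, 0)
    available = len(body) - 3    # bytes actually present after type + payload_length
    finding = {"type": hb_type, "claimed": claimed, "available": available, "suspicious": False}
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        finding.update(suspicious=True, reason="unknown heartbeat type")
    elif claimed > HB_MAX_PAYLOAD:
        finding.update(suspicious=True, reason="payload_length exceeds RFC 6520 maximum")
    elif claimed + HB_MIN_PADDING > available:
        # The Heartbleed condition: the peer claims more payload than it sent, and an
        # unpatched OpenSSL would echo `claimed` bytes copied from its own memory.
        finding.update(suspicious=True, reason="payload_length exceeds bytes on the wire")
    return finding


def scan_stream(data):
    """Return findings for every suspicious heartbeat record in a captured TLS stream."""
    findings = []
    for ctype, _version, body in iter_tls_records(data):
        if ctype == TLS_HEARTBEAT:
            finding = check_heartbeat(body)
            if finding["suspicious"]:
                findings.append(finding)
    return findings


# Constructed sample traffic: a handshake record (ignored), a well-formed heartbeat
# request carrying "ping" plus 16 bytes of padding, and a malformed request that
# claims 16384 bytes of payload while carrying none.
SAMPLE = (
    b"\x16\x03\x02\x00\x02\x01\x00"
    + b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16
    + b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"
)

if __name__ == "__main__":
    for finding in scan_stream(SAMPLE):
        print(finding)
```

Run against a decrypted or pre-handshake capture; on the constructed sample it reports only the third record, with claimed 16384 and 0 bytes available.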
