In the previous chapters, we learned more about protocols and their analysis techniques. In this chapter, we will learn how Wireshark helps us perform a security analysis and try to cover the security aspects in these area application and network by covering these topics:
The Heartbeat protocol (RFC6520) runs on top of the Record layer protocol (the Record layer protocol is defined in SSL).
The Heartbleed bug (CVE-2014-0160) exists in selected OpenSSL versions (1.0.1 to 1.0.1f) that implement the Heartbeat protocol.
This bug is a serious vulnerability that allows attackers to read larger portions of memory (including private keys and passwords) during Heartbeat response.
The Heartbeat protocol runs on top of the Record layer identified as record type (24) in SSL/TLS. In Wireshark, a display filter ssl.record.content_type == 24
can be used to show the HeartBeat message. Heartbeat messages are Heartbeat Request and HeartBeat Response.
Open the heartbleed.pcap
packet capture file in Wireshark and set the display filter to ssl.record.content_type == 24
.
Wireshark will display only encrypted heartbeat messages. The first one is the Heartbeat Request message. In this message, the length (ssl.record.length == 112
) of the Heartbeat Request is set to 112 bytes, as shown in the screenshot:
Whenever a Heartbeat Request message is send to the server, the server answers with a corresponding Heartbeat Response message.
In the given packet, the Heartbeat Response length (ssl.record.length == 144
) is set to 144
, which means the server has returned more data (32-bytes more) than expected. This extra information is known as the heartbleed; this bleed may contain sensitive information such as passwords and private keys:
To test the heartbleed, use the following steps:
openssl
library:[bash ]# openssl version OpenSSL 1.0.1c 10 May 2012
[bash #]openssl req -sha256 -new -newkey rsa:2048 -nodes -keyout ./server.key -out ./server.csr -subj "/C=PU/ST=Anish/L=Test/O=Security Analysus /OU=Heartbleed/CN=myhost.com" [bash #]openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.pems
[bash ]# openssl s_server -www -cipher AES256-SHA -key ./server.key -cert ./server.pem -accept 443
[bash ]# tcpdump port 443 –s0 –w heartbleed.pcap &
If the SSL/TLS server is reachable through the public network, online filippo can be used. Other tools (such as Heartbeat Detector, which is a shell script) can also be used for this purpose:
3.21.98.207