1
00:00:00,210 --> 00:00:02,550
The Heartbleed vulnerability.

2
00:00:04,110 --> 00:00:05,310
Sounds tragic, doesn't it?

3
00:00:06,330 --> 00:00:10,740
But OpenSSL is an open-source cryptographic software library.

4
00:00:11,930 --> 00:00:18,680
It implements the Transport Layer Security, or TLS, and Secure Sockets Layer, or SSL, protocols.

5
00:00:19,850 --> 00:00:27,500
And Heartbleed is indeed a very serious vulnerability caused by a flaw in OpenSSL.

6
00:00:28,570 --> 00:00:36,970
So, in short, Heartbleed allows anyone to read the memory of systems protected by the vulnerable versions

7
00:00:37,090 --> 00:00:38,440
of OpenSSL.

8
00:00:39,680 --> 00:00:45,860
So this compromises private keys, names and passwords of the users, and the actual content.

9
00:00:47,770 --> 00:00:52,330
Anyone can easily trick a vulnerable web server into sending sensitive information.

10
00:00:54,300 --> 00:01:01,350
This allows attackers to eavesdrop on communications and then steal data directly from the services

11
00:01:01,350 --> 00:01:05,520
and the users, and to impersonate the services and users.

12
00:01:07,140 --> 00:01:12,900
Now bee-box has a service to test the vulnerability to Heartbleed.

13
00:01:14,380 --> 00:01:18,490
So to discover the service, we need to perform an all-port scan.

14
00:01:19,540 --> 00:01:27,670
But I don't want to run this scan, so I'm just going to run a service scan on a specific bee-box port,

15
00:01:28,450 --> 00:01:29,590
so open a terminal.

16
00:01:31,160 --> 00:01:33,350
Type nmap -sS

17
00:01:33,350 --> 00:01:36,110
and the IP address of bee-box.

18
00:01:38,610 --> 00:01:41,910
And the number is 8443.

19
00:01:42,890 --> 00:01:46,700
And then add -sV for a service scan.

20
00:01:48,620 --> 00:01:52,580
And you might have to wait for a while, but the result will appear soon.

21
00:01:53,860 --> 00:01:59,160
Still waiting and waiting and waiting.

22
00:02:00,370 --> 00:02:01,750
Now, here's the result.
23
00:02:02,740 --> 00:02:11,680
So the port is open, and it is an SSL service, and nginx version 1.0.4 runs there.

24
00:02:13,050 --> 00:02:18,630
OK, so we discovered that port, and then we can check if the service is vulnerable or not.

25
00:02:19,940 --> 00:02:23,160
So Nmap has many scripts to extend its capability.

26
00:02:23,570 --> 00:02:29,000
It has a script for checking the Heartbleed vulnerability, so let's delete the service scan from the previous

27
00:02:29,000 --> 00:02:34,310
command and then add --script ssl-heartbleed and hit enter.

28
00:02:37,370 --> 00:02:40,860
And it will quickly check, and the service is vulnerable.

29
00:02:41,030 --> 00:02:41,570
What do you know?

30
00:02:42,760 --> 00:02:45,820
OK, now, so to exploit it, we are going to use Metasploit.

31
00:02:46,960 --> 00:02:52,210
Actually, there are many scripts and tools out there to do this; you can run one of them as well,

32
00:02:52,690 --> 00:02:54,880
but I like using Metasploit for this example.

33
00:02:56,250 --> 00:02:58,020
Now, it may take a little time to open.

34
00:03:01,160 --> 00:03:02,360
So now we can start.

35
00:03:03,660 --> 00:03:11,920
And there is an auxiliary module for Heartbleed in Metasploit, so choose it: use auxiliary/

36
00:03:11,970 --> 00:03:16,080
scanner/ssl/openssl_heartbleed.

37
00:03:18,120 --> 00:03:19,860
Then type show actions.

38
00:03:22,000 --> 00:03:31,390
DUMP gathers what's in the memory of the target. KEYS detects and then gathers the private keys in the

39
00:03:31,390 --> 00:03:37,000
memory of the target, and SCAN checks to see if the server is vulnerable or not.

40
00:03:38,130 --> 00:03:41,930
Oh, I forgot this action, and I did it with Nmap.

41
00:03:42,220 --> 00:03:42,950
That's OK.

42
00:03:44,500 --> 00:03:49,510
So anyway, let's ignore that and set the action to DUMP.

43
00:03:51,720 --> 00:03:54,180
And then it shows the options.
44
00:03:55,560 --> 00:04:00,150
So I think we need to change only RHOSTS and RPORT.

45
00:04:01,160 --> 00:04:04,070
So let's set RHOSTS to the IP address of bee-box.

46
00:04:07,820 --> 00:04:11,330
And then set RPORT to 8443.

47
00:04:12,230 --> 00:04:14,300
And there ain't nothing left to set.

48
00:04:15,710 --> 00:04:18,290
So before running the module, go to Firefox.

49
00:04:19,900 --> 00:04:25,180
And let's just visit some pages to load up the memory with some new data.

50
00:04:26,440 --> 00:04:27,500
I'm going to log out.

51
00:04:29,120 --> 00:04:33,950
And go to the HTTPS service on port 443 on bee-box.

52
00:04:38,490 --> 00:04:42,030
And now we add an exception to this security error.

53
00:04:44,360 --> 00:04:45,950
So now I'm going to log in again.

54
00:04:47,650 --> 00:04:53,380
And then open Chrome and go to the same application; copy and paste the URL.

55
00:04:54,460 --> 00:04:56,680
Accept the security warning.

56
00:04:58,260 --> 00:05:00,120
OK, I'm going to log in.

57
00:05:02,240 --> 00:05:03,980
Then log out again.

58
00:05:05,550 --> 00:05:07,770
This time, I'm going to log in with another user.

59
00:05:10,420 --> 00:05:15,220
So I hope it's enough to load some of the important data into the memory of bee-box; we'll see.

60
00:05:16,270 --> 00:05:20,050
So I did it manually; you can do it automatically if you want.

61
00:05:21,500 --> 00:05:23,360
But anyway, open Metasploit.

62
00:05:24,730 --> 00:05:25,900
And run the module.

63
00:05:27,810 --> 00:05:30,080
So, yeah, you may have to wait for a few seconds.

64
00:05:31,410 --> 00:05:37,740
OK, so here is the module, and it is executed, and it saves the result in this file.

65
00:05:38,980 --> 00:05:41,400
So let's have a look at that file, shall we?

66
00:05:42,900 --> 00:05:45,900
So this data comes directly from the memory of bee-box.

67
00:05:46,960 --> 00:05:55,120
And you get this without spending a long time to find an appropriate payload, so it is precious.
68
00:05:56,660 --> 00:05:58,250
So let's look at the output.

69
00:06:00,140 --> 00:06:04,040
We have cookies, usernames, passwords now.

70
00:06:04,430 --> 00:06:08,510
I really don't want to take this lightly, but just think about it.

71
00:06:09,710 --> 00:06:16,720
If you were to perform this attack on a server that's used by thousands or more users, right?

72
00:06:17,180 --> 00:06:19,270
I mean, it's a known vulnerability.

73
00:06:19,730 --> 00:06:23,600
It was covered in the press just not too long ago.

74
00:06:24,630 --> 00:06:27,600
So that means in the real world, you really do need to scan for.