Detecting OpenSSL-Heartbleed with Nmap & Exploiting with Metasploit

You can now quickly detect the OpenSSL-Heartbleed vulnerability on a network using the ever popular nmap command, and with the latest modules from Metasploit you can see the exploit in action.

For this tutorial I will be using a WordPress server and Kali Linux running in two separate VMWare virtual machines.

For a vulnerable server, I used one of the Turnkey Linux WordPress VMs. There are security updates available for Turnkey’s WordPress, but during the VM setup, and for this tutorial, I purposefully told the VM NOT to install the security updates so I could test for the OpenSSL vulnerability.

Once the WordPress VM was configured (just answer a few simple questions), I fired up my Kali Linux VM.

Nmap has created a Heartbleed script that does a great job of detecting vulnerable servers. The script may not be available in your version of Kali, so you may have to manually install it.

Detecting the Vulnerability with Nmap

If the OpenSSL-Heartbleed script is not already included in your nmap install, you will need to install it manually.

This is pretty easy: just visit the OpenSSL-Heartbleed nmap script page, then copy and save the nmap NSE script file to your nmap “scripts” directory as seen below:

[Image: Heartbleed nmap script save]

You will also need the nmap “tls.lua” library file; save this to the nmap “nselib” directory as seen below:

[Image: Heartbleed nmap tls library]

That is it; we can now use the heartbleed script in nmap to detect vulnerable systems.

The syntax of the command is:

nmap -sV --script=ssl-heartbleed <target>

All we need to plug in is the IP address of our target test WordPress site, 192.168.1.70 in this instance:

[Image: heartbleed nmap script command]

And if the target machine is vulnerable, we will see this:

[Image: nmap heartbleed vulnerable detected]

State: VULNERABLE
Risk Factor: High
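When you scan more than a handful of hosts, reading the console output by hand does not scale. The following script is an added example, not part of the original tutorial: it assumes the scan was saved as XML (nmap’s -oX option, e.g. `nmap -sV --script=ssl-heartbleed -oX scan.xml <targets>`) and reduces the report to the list of hosts and ports that still need patching. The sample report embedded in it is constructed for the example and trimmed to the elements the parser reads; the structured `state` element is preferred, with the script’s text output (the “State: VULNERABLE” line shown above) as a fallback.

```python
"""Summarise nmap ssl-heartbleed results from an XML report.

Added example (not from the original post). Assumes the scan was run with
`nmap -sV --script=ssl-heartbleed -oX scan.xml <targets>`.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample report. 192.168.1.70 is the test address used in the
# post; the other hosts are made up. The host without a <script> element
# stands for a scanned host on which the script reported nothing.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script=ssl-heartbleed -oX scan.xml 192.168.1.0/24">
  <host>
    <address addr="192.168.1.70" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="Apache httpd" tunnel="ssl" method="probed" conf="10"/>
        <script id="ssl-heartbleed" output="&#xa;  VULNERABLE:&#xa;  The Heartbleed Bug...&#xa;    State: VULNERABLE&#xa;    Risk factor: High">
          <table key="CVE-2014-0160">
            <elem key="state">VULNERABLE</elem>
            <elem key="risk_factor">High</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.168.1.71" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" tunnel="ssl" method="probed" conf="10"/>
        <script id="ssl-heartbleed" output="&#xa;  NOT VULNERABLE:&#xa;    State: NOT VULNERABLE">
          <table key="CVE-2014-0160">
            <elem key="state">NOT VULNERABLE</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.168.1.72" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def script_state(script):
    """Return the vuln state string for one <script id="ssl-heartbleed"> element.

    The structured <elem key="state"> is authoritative; if it is absent, fall
    back to the human-readable output and look for an exact "State: VULNERABLE"
    line (so "State: NOT VULNERABLE" does not match).
    """
    for elem in script.iter("elem"):
        if elem.get("key") == "state":
            return (elem.text or "").strip()
    if re.search(r"State:\s*VULNERABLE\b", script.get("output", "")):
        return "VULNERABLE"
    return "UNKNOWN"


def parse_heartbleed_report(xml_text):
    """Return [(address, port, state), ...] for every ssl-heartbleed result."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            for script in port.findall("script[@id='ssl-heartbleed']"):
                findings.append((addr, int(port.get("portid")), script_state(script)))
    return findings


def vulnerable_hosts(xml_text):
    """Sorted (address, port) pairs whose state is exactly VULNERABLE."""
    return sorted({(a, p) for a, p, s in parse_heartbleed_report(xml_text) if s == "VULNERABLE"})


def main(argv):
    # Read a real report if a path is given, otherwise use the constructed sample.
    xml_text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_XML
    for addr, port, state in parse_heartbleed_report(xml_text):
        print(f"{addr}:{port}\t{state}")
    vuln = vulnerable_hosts(xml_text)
    print(f"\n{len(vuln)} host(s) still need patching: {vuln}")


if __name__ == "__main__":
    main(sys.argv)
```

Hosts whose script element is missing are not listed as clean; they simply produced no Heartbleed finding, which may also mean the TLS handshake failed, so treat an empty result as “unknown” rather than “patched”.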

Exploiting with Metasploit

Now that we know we have a vulnerable server, we can use the latest Metasploit OpenSSL-Heartbleed module to exploit it. (Note: you can also use the module to detect vulnerable systems.)

Update Metasploit to get the latest modules. Just type “msfupdate” at a Kali command prompt:

msfupdate

Now run “msfconsole” to start Metasploit and you will be presented with the Metasploit console:

[Image: Metasploit prompt]

Next search for the heartbleed modules:

[Image: heartbleed search]

Notice there are two; we will just be using the scanner.

Type “use auxiliary/scanner/ssl/openssl_heartbleed”:

[Image: heartbleed metasploit module]

We are just going to set two options: “set VERBOSE” to true, and “set RHOSTS” to our target IP address, as seen below:

[Image: verbose rhosts]

And finally, just “run” the exploit:

[Image: heartbleed leaked data]

If you click on the picture above, you will see that Metasploit communicated with the server and was able to pull data from the server’s memory.

The important thing to note here is that it pulls whatever happens to be in the server’s memory; you have no control over what comes back. There is no guarantee that you will find account credentials, session cookie data or other critical data every time you run this. But the danger is in the fact that it could display sensitive data.

Thus the best practice (if you haven’t already) is to check your systems for the Heartbleed vulnerability and patch them immediately. After the systems are patched, change any passwords on the affected machines.

As always, never run security scans or checks on systems that you do not own or have approval to scan.

If you enjoyed this tutorial and want to learn more about Kali Linux and Metasploit, check out my latest book on Amazon, “Basic Security Testing with Kali Linux”.

Protecting Passwords and Sensitive Data – With a Pen!

Many companies and government agencies attempt to obfuscate printed confidential data or credentials by blacking them out with a marker before releasing reports publicly or discarding them. In many cases this is a very ineffective way of protecting data from prying eyes.

The solution? A pen!

Here is a quick example. Let’s take this made-up social security number:

[Image: SSN number]

Now, if we had this social security number on a paper that was going to be publicly released, many people would just take a black marker and swipe over it. This seems to work great while the marker ink is wet, but once it dries, many times you can still see the data underneath!

Like so:

[Image: SSN number blocked out]

A little hard to see, but if we zoom in a bit:

[Image: SSN number blocked out zoomed]

As you can see, all the numbers are still very visible.

I used to do a lot of field network support. When onsite we would be handed a lot of printed confidential information. At times people would literally just write credentials on pieces of paper, hand them to us and say something like, “I am going to lunch, but here is my password”.

The paper would look something like this:

[Image: Username password]

If you don’t have immediate access to a shredder, what can you do to make this information more secure or obfuscated before discarding it?

The power of the pen!

Many numbers and letters have the basic shape of others. Simply take a pen and convert them to look like something else.

Like so:

[Image: SSN obfuscated]

What works better is adding extra information to the data to obfuscate it even further, like so:

[Image: Username password obfuscated]

“T”s can become “F”s, “L”s can become “U”s, and numerous letters and numbers can be made to look like “8”s and “B”s. Use your imagination!

Now, compare the obfuscated social security number and account information with the originals above and notice the differences.

If you recovered the obfuscated ones, could you guess the correct data?

You can then run a black marker over it if you prefer (always follow your organization’s policy on handling and discarding sensitive information), but as you can see from the examples, this is very effective.

There are times when printed reports with confidential data on them need to be publicly released, times when credentials or other important data will be written down, and times when a paper shredder may not be right at hand.

Physically changing the data works much better than trying to scribble the data out or using a black marker alone. And it only takes a few seconds to obfuscate sensitive data with a pen!

Putin and the BLM versus the Power of the Internet

Vladimir Putin has been trying very hard to convince the world that he needs to intervene in Ukraine to “protect” pro-Russian citizens. Halfway around the world, the Bureau of Land Management has tried to convince the US that it is protecting endangered turtles from trespassing cattle in Nevada. Both causes have been undermined by the power of the internet.

Reports have been flooding out of Ukraine of captured Russian intelligence officers, troops operating inside Ukrainian borders with identifying unit patches and tags removed, and even of a Russian bank making $200 and $500 daily payments to Russian “terrorists” working to destabilize the Eastern region of Ukraine.

This video allegedly shows a Russian Army Lieutenant Colonel giving orders to police officers in the Ukrainian town of Horlivka:

Pro-Russian forces have stirred up riots, taken over police and government buildings and have even attacked an airport. All the while, about 40,000 Russian combat troops are hanging near Ukraine’s border. This has put Ukraine in a catch-22: either they let the unrest continue and risk civil war, or they move against the trouble areas with force, risking an invasion by Putin to “protect” Russian citizens like he did in Crimea.

Other than what some call Putin’s propaganda machine, the Russian Times (RT.com), no one is really falling for Putin’s cause. The internet has been saturated with anti-Russian social media posts, revealing pictures of what appear to be Russian troops in Ukraine, and reports of captured Russian operatives.

The outcome has been dramatic. Tens of thousands are protesting in Moscow and the UN even released a report claiming ethnic Russians in eastern Ukraine falsely claimed assault.

Closer to home, the US Bureau of Land Management (BLM) sent a mini-army of a couple hundred enforcement agents, contract workers, K-9 units and snipers into Nevada to “protect” endangered desert turtles. The BLM claimed that trespassing free-roaming cattle from Clive Bundy’s ranch were putting endangered animals at risk, so it sent a large force in to confiscate the cattle.

Within days the internet was filled with images like this:

[Image: bundy ranch 1st amendment]

Apparently the BLM set up fenced-in areas for reporters. Well, this didn’t go over very well: no one used them, and pictures again flooded the internet of the “First Amendment Area” signs with another sign added underneath saying, “The First Amendment is not an Area”. The fenced-in areas were removed shortly thereafter.

Reports of abuse by federal officers also flooded the internet. One scuffle ensued between BLM officers and Bundy family members and supporters. A statement to the press by the BLM said that the scuffle started when a K-9 dog was kicked. But again, this video flooded the interwebs, showing that the real story might be different:

You can see from the video that at 23 seconds, a federal agent tackles a 50-year-old lady from behind and seems to throw her to the ground. At 1:04 a K-9 officer appears to give both verbal and visual commands for his dog to bite, and then again at 1:06.

The protestor seems to kick the dog after it tried to bite him.

Social media exploded, comparing the events in Nevada with Waco, Texas and Ruby Ridge. The effect was immediate. People from as far away as New Hampshire began flocking to Nevada to stand in the gap with Clive and his family. This included armed members of several state militia and veteran groups.

The BLM has since stood down and has decided to fight the battle out in court. But again, more reports have surfaced via the internet that the BLM wants to remove the cattle so that a solar power plant can be installed by a Chinese company, and that it has nothing whatsoever to do with trying to save turtles.

Some websites are claiming that the solar power plant report isn’t true, but it is very odd that the federal government would send in such a strong force to protect some turtles from cows, especially when our southern border, which needs additional help, seems to get none.

But the truth is that in both cases presented here, the conflict in Ukraine and the BLM’s actions in Nevada, social media has had a huge impact on both public opinion and public action.

Amazing Real Time Cyber Threat Map by Kaspersky

[Image: Kaspersky Real Time Map Globe]

Kaspersky has created an interactive Cyber Threat Map website where you can track statistics of its security products’ results in real time. And it is amazing!

The picture above shows the Global view, but you can also view the display as a flat map:

[Image: Kaspersky Real Time Map]

You can also move the map around and click on any country to see its current statistics, as seen below:

[Image: Kaspersky Real Time Map Poland]

I know it just shows one company’s results, but wow, what a slick representation of what is going on in the world. I honestly found myself a bit entranced while viewing it, somewhat like watching a campfire.

And to think that these are malware results from around the world. Just stunning!

I can foresee a lot of companies displaying this on large monitors in their security centers.

Great job!