Network Capture and Detection
The Heartbleed vulnerability is a software flaw in OpenSSL's handling of the SSL/TLS Heartbeat Request, which allows up to 64KB of a web server's memory to be exposed per request. In this demo, we probe for the vulnerability and then capture the network packets. These are at:
https://dl.dropboxusercontent.com/u/40355863/heartbleed.zip
You can search for the Heartbeat Request with the Wireshark filter:
tcp matches "\x18\x03"
If we follow the TCP stream, we see the leaked memory contents coming back, including HTTP request headers (Accept-Encoding, If-Modified-Since, If-None-Match) from another client's request:
...........SC[...r....+..H...9... ....w.3....f... .".!.9.8.........5............... ... .........3.2.....E.D...../...A.................................I......... .4.2... ........... ...................................#...........B...>..SM..Z..@..%.4..b.....G.L..Okd..m....................#......................0...0.............j..p].0 ..*.H.. .....0.1.0 ..U....ubuntu0.. 140415192450Z. 240412192450Z0.1.0 ..U....ubuntu0.."0 ..*.H.. ..........0.. ......K...7.....Z....bQ.u(5..I'.QJ.......x.!7*H"+.EG..>b.gD.._.....{.R+/...q}.....g...yE.<=q..(.r........\.iI>.....v.yv.+..F#..U....L..#D[..6...L.F@h..0....j.U..\D.J.....{ke... ..s.N......^e...+.DV..?..O.~4....... or.#...-....6....&..{..Y|R.f. $>.k....S....0......... 0.0...U....0.0 ..*.H.. ..........R_...;...d...?Q.V.).YI.....vY...2a4.;.ubF..4.....H....&..w....u...y".=.2g..o7..}..]0......y5H.F.. k.T.v@B5..9".3..../Gb...u.7wm.[.....{. 9.......H...m..Z N.e....m.....E...g..y).q.5`...E(..U>".)......Hw.........:.E.p........s..C.).E/O.r...KNoW..^..l..........K...G...A.%.?y....x.7..H.......B...F.B.....&....4(.L..=.....]2....=.b.n.;..."\.k.J.....M..g9...y%.....~..JOL..=.A...J7O.Q...\)6.P.@...p.....[...{.........XS....o..b..v....e.. ...x..w.|..t..e..hM....^.u.> ..X|..c_...h...kl..A....j..3G....=.8........#pG..S.....L...}..j->=m..p.9....../k...$........: t.S..........L.......t..E.8..F0h.................@....@..@....SC[...r....+..H...9... ....w.3....f... .".!.9.8.........5............... ... .........3.2.....E.D...../...A.................................I......... .4.2... ........... ...................................#.......-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive If-Modified-Since: Tue, 15 Apr 2014 19:24:48 GMT If-None-Match: "b1-4f719c0d83492-gzip" .....U. .[D.)K.....................................................................
Snort detection
We can see that the TLS Heartbeat Request has a packet payload that starts with the hexadecimal pattern 0x18, 0x03, 0x02, 0x00 (the Heartbeat content type, the TLS 1.1 version bytes, and the high byte of the record length). With Snort, we can detect this pattern with a signature of:
alert tcp any any -> any 443 (msg:"Heartbeat request"; content:"|18 03 02 00|"; rawbytes; sid:100000;)
Next, running the vulnerability scan, we get an alert of:
[**] [1:100000:0] Heartbeat request [**]
[Priority: 0]
04/16-13:03:11.524491 172.16.121.1:64670 -> 172.16.121.150:443
TCP TTL:64 TOS:0x0 ID:11426 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0xFBF142E1  Ack: 0x61B93B9D  Win: 0x2000  TcpLen: 32
TCP Options (3) => NOP NOP TS: 712292260 2460366
Detailed analysis
We can now perform a detailed analysis with:
The crafted packets sent are (the h2bin helper is not shown on the page; a minimal Python 3 definition is added here so the snippet runs as-is):
# h2bin converts the whitespace-separated hex strings below into raw bytes
def h2bin(x):
    return bytes.fromhex(''.join(x.split()))

# TLS record: 0x16 = Handshake, 0x0302 = TLS 1.1, length 0x00dc; body is a ClientHello
hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53 43 5b 90 9d
9b 72 0b bc 0c bc 2b 92 a8 48 97 cf bd 39 04 cc
16 0a 85 03 90 9f 77 04 33 d4 de 00 00 66 c0 14
c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f
c0 05 00 35 00 84 c0 12 c0 08 c0 1c c0 1b 00 16
00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e
00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04
00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05
00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06
00 03 00 ff 01 00 00 49 00 0b 00 04 03 00 01 02
00 0a 00 34 00 32 00 0e 00 0d 00 19 00 0b 00 0c
00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07
00 14 00 15 00 04 00 05 00 12 00 13 00 01 00 02
00 03 00 0f 00 10 00 11 00 23 00 00 00 0f 00 01
01
''')

# TLS record: 0x18 = Heartbeat, version 0x0301 (TLS 1.0) or 0x0302 (TLS 1.1), record length 3;
# body is type 0x01 (request) followed by a declared payload_length of 0x4000 bytes
hbv10 = h2bin('''
18 03 01 00 03
01 40 00
''')
hbv11 = h2bin('''
18 03 02 00 03
01 40 00
''')
Thus we can search for these packets using:
tcp matches "\x16\x03\x02\x00"
and then view the matching packet, whose payload is unencrypted (as shown in Figure 3).
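The Snort signature above matches the leading bytes of the heartbeat record, and the crafted packets show why those bytes are not the whole story: the record length field says 3 bytes, but the heartbeat's own payload_length field claims 0x4000. The following Python script is an added example (not code from the page or from the scanner it describes) that parses TLS records from a captured TCP payload, reproduces the rule's content match, and applies the length-consistency check that distinguishes a malformed heartbeat from a legitimate one. The hbv10/hbv11 bytes are the page's own; h2bin, the BENIGN and HANDSHAKE records, and all function names are constructed for this example.

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type: Heartbeat (RFC 6520)
HB_REQUEST = 0x01      # HeartbeatMessageType: heartbeat_request
HB_MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding


def h2bin(x):
    """Whitespace-separated hex string -> bytes (stand-in for the page's h2bin)."""
    return bytes.fromhex("".join(x.split()))


# The page's crafted heartbeat requests: record length 3, but payload_length 0x4000.
HBV10 = h2bin("18 03 01 00 03 01 40 00")
HBV11 = h2bin("18 03 02 00 03 01 40 00")

# Constructed (not from the page): a well-formed heartbeat request with a
# 1-byte payload (0x41) followed by the 16 bytes of padding the RFC requires.
BENIGN = h2bin("18 03 02 00 14 01 00 01 41") + b"\x00" * HB_MIN_PADDING

# Constructed: a handshake record (ServerHelloDone), to show that
# non-heartbeat records are ignored by the check.
HANDSHAKE = h2bin("16 03 02 00 04 0e 00 00 00")


def snort_style_match(payload):
    """The page's Snort rule reduced to its content match: |18 03 02 00|."""
    return b"\x18\x03\x02\x00" in payload


def parse_records(payload):
    """Split a TCP payload into TLS records as (content_type, version, body)."""
    records, off = [], 0
    while off + 5 <= len(payload):
        ctype, version, length = struct.unpack("!BHH", payload[off:off + 5])
        body = payload[off + 5:off + 5 + length]   # truncated if the capture is short
        records.append((ctype, version, body))
        off += 5 + length
    return records


def check_heartbeats(payload):
    """Return one finding per heartbeat record; 'malformed' is the Heartbleed signal.

    A heartbeat body is type(1) + payload_length(2) + payload + padding(>=16).
    The patched OpenSSL rejects any record where that does not fit inside the
    record length, which is exactly what the 00 03 / 40 00 packets violate.
    """
    findings = []
    for ctype, version, body in parse_records(payload):
        if ctype != TLS_HEARTBEAT:
            continue
        if len(body) < 3:
            findings.append({"version": version, "malformed": True,
                             "reason": "heartbeat record shorter than its header"})
            continue
        hb_type = body[0]
        claimed = struct.unpack("!H", body[1:3])[0]
        needed = 1 + 2 + claimed + HB_MIN_PADDING
        findings.append({
            "version": version,
            "is_request": hb_type == HB_REQUEST,
            "claimed_len": claimed,
            "record_len": len(body),
            "malformed": needed > len(body),
            "reason": "payload_length exceeds record" if needed > len(body) else "ok",
        })
    return findings


if __name__ == "__main__":
    for name, pkt in [("hbv10", HBV10), ("hbv11", HBV11),
                      ("benign", BENIGN), ("handshake", HANDSHAKE)]:
        print(name, "snort-match:", snort_style_match(pkt), check_heartbeats(pkt))
```

Two things the script makes visible. First, the content match |18 03 02 00| only fires on the TLS 1.1 variant (hbv11); hbv10 carries 0x03 0x01 and is missed, so a rule keyed on the version bytes should either drop them or be duplicated per version. Second, the content match fires on the well-formed BENIGN record just as readily as on hbv11, because a heartbeat request is legitimate protocol traffic; it is the claimed payload_length exceeding the record length (16384 declared against a 3-byte body) that marks the probe, and that comparison is what the check_heartbeats finding reports.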