HeartBleed Vulnerability : Explained And Remediation
In April 2014 a vulnerability was found in OpenSSL, the cryptographic software library, and was given the code name Heartbleed.
About OpenSSL: OpenSSL is extensively used by web applications and web servers to implement SSL/TLS, and so it is responsible for transmitting data over the web in encrypted form.
Heartbeats in OpenSSL: With the Heartbeat extension enabled, your computer connects and exchanges small packets called heartbeats that tell the server the client is still up and running. These heartbeats are small data packets sent back and forth between web servers and clients to make sure the connection is still working (think of them as keep-alive packets).
Enter Heartbleed:
The server could be fooled into sending memory contents in response to a heartbeat ping, data which could include passwords, encryption keys and other sensitive information.
This allows the attacker to read the memory of servers running OpenSSL. That unauthorized memory access can hand the attacker the server's secret keys, letting them decrypt SSL connections and recover usernames and passwords.
Heartbleed lets an attacker recover up to 64 KB of memory in each response to a malformed heartbeat request.
The number of such heartbeats an attacker can send to a vulnerable server is practically unlimited, so Heartbleed opens the door to sensitive information about the users of any vulnerable web server running OpenSSL.
Another way of exploiting Heartbleed is to obtain the private key of the web server's digital certificate (on a server running OpenSSL with the Heartbeat extension) and then use it in a man-in-the-middle attack to decrypt HTTPS traffic.
Two thirds of web servers were affected by the Heartbleed bug in OpenSSL, including websites, email providers and instant messaging services.
OpenSSL versions affected by the Heartbleed vulnerability: OpenSSL 1.0.1 through 1.0.1f contain the vulnerability.
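To make the bug concrete, here is an added example (not code from the original post and not OpenSSL's own source): a toy C model of a heartbeat parser showing the vulnerable shape, which trusts the length field sent by the peer, beside the hardened shape, which first checks that the declared payload fits inside the record actually received. The `region` buffer, the 'S' bytes standing in for adjacent secrets, and all function names are constructed for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1    /* heartbeat request message type */
#define HB_PADDING  16   /* minimum random padding every heartbeat carries */
#define REGION_LEN  64   /* size of our constructed "process memory" */
#define RECORD_LEN  (3 + 5 + HB_PADDING)   /* bytes actually received: 24 */

/* Constructed region standing in for the server's heap: a 24-byte heartbeat
 * record at the start, followed by 'S' bytes standing in for adjacent secrets. */
static uint8_t region[REGION_LEN];

/* Build a heartbeat whose real payload is "hello" (5 bytes) but whose
 * length field claims `declared` bytes. declared == 5 is honest. */
static void make_region(uint16_t declared)
{
    memset(region, 'S', REGION_LEN);
    region[0] = HB_REQUEST;
    region[1] = (uint8_t)(declared >> 8);
    region[2] = (uint8_t)(declared & 0xff);
    memcpy(region + 3, "hello", 5);
    memset(region + 3 + 5, 0, HB_PADDING);
}

/* Vulnerable shape (OpenSSL 1.0.1 to 1.0.1f): the peer-supplied length is
 * trusted and never compared with how many bytes were actually received,
 * so the copy runs past the record into whatever lies beyond it. */
int payload_unchecked(const uint8_t *rec, uint8_t *out, size_t out_cap)
{
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (payload > out_cap)          /* protects the destination only */
        return -1;
    memcpy(out, rec + 3, payload);  /* source bounds are never checked */
    return (int)payload;
}

/* Hardened shape (the 1.0.1g fix): the declared payload plus the mandatory
 * padding must fit inside the record that was received, or it is dropped. */
int payload_checked(const uint8_t *rec, size_t record_len,
                    uint8_t *out, size_t out_cap)
{
    if (record_len < 3 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload + HB_PADDING > record_len)   /* the check that was missing */
        return -1;
    if (payload > out_cap)
        return -1;
    memcpy(out, rec + 3, payload);
    return (int)payload;
}

/* Result of the hardened parser for a record claiming `declared` bytes:
 * the payload length on success, -1 when the record is rejected. */
int checked_result(uint16_t declared)
{
    uint8_t out[REGION_LEN];
    make_region(declared);
    return payload_checked(region, RECORD_LEN, out, sizeof out);
}

/* Number of stand-in secret bytes ('S') the vulnerable parser copies out for
 * the same record. Declared lengths are capped so the demonstration itself
 * never reads outside `region`. */
int leaked_bytes(uint16_t declared)
{
    uint8_t out[REGION_LEN];
    if (declared > REGION_LEN - 3)
        return -1;
    make_region(declared);
    int n = payload_unchecked(region, out, sizeof out);
    int leaked = 0;
    for (int i = 0; i < n; i++)
        if (out[i] == 'S')
            leaked++;
    return leaked;
}

int main(void)
{
    printf("honest 5-byte heartbeat:   checked=%d leaked=%d\n",
           checked_result(5), leaked_bytes(5));
    printf("claims 40, sends 5 bytes:  checked=%d leaked=%d\n",
           checked_result(40), leaked_bytes(40));
    return 0;
}
```

With an honest heartbeat both parsers return the 5-byte payload. With a record that claims 40 bytes but carries 5, the hardened parser rejects it, while the unchecked copy returns 19 bytes that were never part of the request; in the real bug those bytes were whatever sat next to the record in the server's heap, and the 64 KB figure above comes from the 16-bit length field.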
Remediation of HeartBleed bug
- Update systems and servers that use vulnerable versions of OpenSSL, or recompile OpenSSL without the Heartbeat extension.
- Replace all certificates on the affected web servers, regardless of issuer, to mitigate the risk of a breach.
- Reset the passwords of SSL and code-signing management consoles.
Lastly, Heartbleed is not a vulnerability in SSL/TLS but a bug in OpenSSL's Heartbeat implementation. SSL/TLS is still the de facto standard for encrypting data over HTTP and the Internet, and SSL/TLS is not broken.
SSL/TLS is not broken, yet.
Do you know what social engineering is? The first time I heard about social engineering I thought, what the heck is this, but when I dug deep into it, it was pretty simple. Many people would argue that social engineering is one of the simplest and most effective means of gathering information about a target. Social engineering is the process of exploiting the "human" weakness that is inherent in every organization. When using social engineering, the attacker's goal is to get an employee to divulge information that should be kept confidential.
Let us assume you are conducting a penetration test on an organization. During your early reconnaissance, you discover an e-mail address for one of the company's sales people. You understand that sales people are highly likely to return product inquiry e-mails. As a result, you send an e-mail from an anonymous address feigning interest in a particular product. In reality, you do not care about the product. The real purpose of sending the e-mail is to get a reply from the sales person so you can review the e-mail headers contained in the response. This process will allow you to gather additional information about the company's internal e-mail servers.
Let us take our social engineering example one step further. Suppose our salesman's name is Mark Twain, which we found during our reconnaissance of the company website and in the signature of his e-mail response. Let us assume that in this example, when you sent the employee the product inquiry e-mail, you received an automatic reply with the notification that Mark Twain was "currently out of the office travelling overseas" and "would be gone for two weeks with only limited e-mail access."
A classic example of social engineering would be to impersonate Mark Twain and call the target company's tech support number asking for help resetting your password because you are overseas and cannot access your webmail. If you are lucky, the tech support people will believe your story and reset the password. Assuming they use the same password, you now have access to Mark Twain's e-mail and other network resources like VPN for remote access, or FTP for uploading sales figures and customer orders.
Social engineering, like reconnaissance in general, takes both time and practice. Not everyone makes a good social engineer; I don't even consider myself one. In order to be successful, you must be supremely confident, knowledgeable of the situation, and flexible enough to go "off script." If you are conducting social engineering over the phone, it can be extremely helpful to have detailed and well-written notes in case you are asked about some obscure detail.
Another example of social engineering is to leave USB thumb drives or CDs at the target organization. The thumb drives should be distributed to several locations in or near the organization. The parking lot, the lobby, the bathroom, and an employee's desk are all great "drop" locations. It is human nature for most people to insert the thumb drive or CD into their PC just to see what is on it. In this example, though, the thumb drive or CD is preloaded with a self-executing backdoor program that automatically launches when the drive is inserted into the computer. The backdoor is capable of bypassing the company firewall and will dial home to the attacker's computer, leaving the target exposed and giving the attacker a clear channel into the organization. So as you can see from this passage, it's a very mean process, but you know that's what hackers do, we destroy stuff. Well, the black hats from the wild west, to be more specific; those are the hackers that destroy stuff.
So here is a very interesting topic: how to extract information from DNS servers, which can be a valuable asset to any hacker. DNS servers are an excellent target for hackers and penetration testers; I use this technique all the time. They usually contain information that is considered highly valuable to attackers. DNS is a core component of both our local networks and the Internet. Among other things, DNS is responsible for translating domain names to IP addresses, which is pretty useful in our diverse world of hacking. It is much easier for us to remember "google.com" than http://74.125.95.105. Machines, however, prefer the reverse, which I found pretty weird at first.
DNS servers act as the middleman that performs this translation. As penetration testers, it is important to focus on the DNS servers that belong to our target. The reason is simple. In order for DNS to function properly, it needs to be aware of both the IP address and the corresponding domain name of each computer on its network. In terms of reconnaissance, gaining full access to a company's DNS server is like finding a blueprint of the organization, one that contains a full listing of the internal IP addresses that belong to our target.
Remember, one of the key elements of information gathering is collecting IP addresses that belong to the target. Another reason picking on DNS is so enjoyable is that in many cases these servers operate on the "if it isn't broke, don't touch it" principle. Inexperienced network administrators often regard their DNS servers with suspicion and mistrust. Oftentimes, they choose to ignore the box completely because they do not fully understand it. As a result, touching, patching, updating, or changing configurations on the DNS server is often a low priority. Add this to the fact that most DNS servers appear to be very stable (as long as the administrator is not monkeying with them) and you have a recipe for a security disaster.
These admins wrongly learn early in their careers that the less they mess with their DNS servers, the less trouble it seems to cause, which is true, so you can't fault them for that. As a penetration tester, given the number of misconfigured and unpatched DNS servers that abound today, it is natural to assume that many current network admins operate under this same principle. So the next logical question becomes, how do we access this virtual pot of gold? Before we can begin examining a DNS server, we need an IP address. Some of the references we collected were by host name, others by IP address. Using the host command, we can translate host names into IP addresses and add those IPs to the potential target list. Again, double- and triple-check that every IP you collect is within your authorized scope before continuing.
Now that we have a list of DNS IP addresses that belong to or serve our target, we can begin interrogating DNS to extract information, which can be a little painful at times. Although it is becoming rarer to find, one of our first tasks when interacting with a target DNS server is to attempt a zone transfer. Remember, DNS servers contain a series of records that match up the IP address and host name for all the devices the servers are aware of. Many networks deploy multiple DNS servers for the sake of redundancy or load balancing. As a result, DNS servers need a way to share information. This "sharing" process occurs through a zone transfer. During a zone transfer, also commonly referred to as AXFR, one DNS server sends all the host-to-IP mappings it contains to another DNS server. This process allows multiple DNS servers to stay in sync. Even if we are unsuccessful in performing a zone transfer, we should still spend time investigating any DNS servers that fall within our authorized scope.
So there you have it; I hope you learned something, even though it's a bit long. But here is a little tip: if you are going to be a hacker you have to read a lot, and that's where most hackers fail, because they get inspired to be a hacker for the wrong reasons, so when it gets hard they quit. What I would advise you to do is never give up and you will make it. Although I am not really a hacker anymore, for various reasons, when I started I wondered what the hell this was, but I worked through those moments when my code didn't seem to click until I reached another level. Remember, hackers rule!!!!!!!!
So you want to know about footprinting, which is a very basic tool for any hacker. You see, footprinting is the act of gathering information about a computer system and the company it belongs to. Footprinting is the first step hackers take in their hacking process; even I did footprinting at first. Footprinting is important because to hack a system the hacker must first know everything there is to know about it.
Below I will give you examples of the steps and services a hacker would use to get information from a website, so buckle up and get ready.
- First, a hacker would start gathering information on the target's website; I call this stealth mode. The things a hacker would basically look for are e-mails and names. This information could come in handy if the hacker was planning to attempt a social engineering attack against the company.
- Next the hacker would get the IP address of the website. By going to http://www.selfseo.com/find_ip_address_of_a_website.php and inserting the website URL, it will spit out its IP address.
- Next the hacker would ping the server to see if it is up and running. There's no point in trying to hack an offline server, right? http://just-ping.com pings a website from 34 different locations in the world. Insert the website name or IP address and hit "Ping". If all packets went through, then the server is up and you're ready to rock and roll.
- Next the hacker would do a Whois lookup on the company website. Go to http://whois.domaintools.com and put in the target website. As you can see, this gives a HUGE amount of information about the company. You see the company e-mails, address, names, when the domain was created, when the domain expires, the domain name servers, and more!
- A hacker can also take advantage of search engines to search sites for data. For example, a hacker could search a website through Google by searching "site:www.the-target-site.com"; this will display every page that Google has of the website. You could narrow down the number of results by adding a specific word after it. For example, the hacker could search "site:www.the-target-site.com email". This search could list several emails that are published on the website. Another search you could do in Google is "inurl:robots.txt"; this would look for a page called robots.txt. If a site has the file "robots.txt", it lists all the directories and pages on the website that the owners wish to keep hidden from search engine spiders. Occasionally you might come across some valuable information in this file that was meant to be kept private. Now that's it; use it and see what kind of results you get, and remember hackers rule!!!!!