Heartbleed Network Capture and Detection
The Heartbleed vulnerability exploits a software flaw in OpenSSL: a malformed Heartbeat Request within SSL/TLS causes the server to return up to 64KB of its memory contents to the requester. In this demo, we probe for the vulnerability and then capture the network packets. The network trace of probing for the vulnerability is: here.
You can search for Heartbeat Request with:
tcp matches "\x18\x03"
Figure 1: Heartbeat Request
Figure 2: Searching for Heartbeat Request
Snort detection
We can see that the TLS Heartbeat Request has a packet payload beginning with the hexadecimal pattern 0x18, 0x03, 0x02, 0x00 (the heartbeat content type, the TLS 1.1 version bytes, and the high byte of the record length). With Snort, we can detect this pattern with a signature of:
alert tcp any any -> any 443 (msg:"Heartbeat request"; content:"|18 03 02 00|"; rawbytes; sid:100000;)
Next, running the vulnerability scan, we get an alert of:
[**] [1:100000:0] Heartbeat request [**]
[Priority: 0]
04/16-13:03:11.524491 172.16.121.1:64670 -> 172.16.121.150:443
TCP TTL:64 TOS:0x0 ID:11426 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0xFBF142E1  Ack: 0x61B93B9D  Win: 0x2000  TcpLen: 32
TCP Options (3) => NOP NOP TS: 712292260 2460366
Detailed analysis
We can now perform a detailed analysis with:
The crafted packets sent are:
# h2bin is the helper from the scan script: it turns spaced hex text into bytes
# (written here in Python 3 form; the original Python 2 script used .decode('hex'))
def h2bin(x):
    return bytes.fromhex(x.replace(' ', '').replace('\n', ''))

# TLS 1.1 ClientHello record (content type 0x16, version 03 02, length 0x00dc)
hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53 43 5b 90 9d
9b 72 0b bc 0c bc 2b 92 a8 48 97 cf bd 39 04 cc
16 0a 85 03 90 9f 77 04 33 d4 de 00 00 66 c0 14
c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f
c0 05 00 35 00 84 c0 12 c0 08 c0 1c c0 1b 00 16
00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e
00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04
00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05
00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06
00 03 00 ff 01 00 00 49 00 0b 00 04 03 00 01 02
00 0a 00 34 00 32 00 0e 00 0d 00 19 00 0b 00 0c
00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07
00 14 00 15 00 04 00 05 00 12 00 13 00 01 00 02
00 03 00 0f 00 10 00 11 00 23 00 00 00 0f 00 01
01
''')

# Heartbeat request (content type 0x18) for TLS 1.0: record length 3,
# heartbeat type 01 (request), claimed payload length 0x4000 (16384 bytes)
hbv10 = h2bin('''
18 03 01 00 03 01 40 00
''')

# The same heartbeat request for TLS 1.1
hbv11 = h2bin('''
18 03 02 00 03 01 40 00
''')
Thus we can search for these packets using:
tcp matches "\x16\x03\x02\x00"
and then view the result, which shows that the response is not encrypted (as shown in Figure 2).
Figure 2: Non-encrypted response
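As an added example (not the page's own code, nor the scan script's), the following Python 3 parses TLS records the way a detector should: it reads the heartbeat header and compares the declared payload length with what the record actually carries, using the hbv10/hbv11 bytes from the scan above plus a constructed well-formed heartbeat. The names h2bin, check_tls_record, SAMPLES and scan are assumptions of this example.

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1         # heartbeat message type: 1 = request, 2 = response
HB_MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding


def h2bin(x):
    """Spaced hex text -> bytes (same role as h2bin in the scan script above)."""
    return bytes.fromhex(x.replace(" ", "").replace("\n", ""))


def check_tls_record(rec):
    """Classify one TLS record: 'not-heartbeat', 'truncated', 'benign' or 'oversized'.

    'oversized' means the declared payload length plus required padding does not
    fit in the record: the bounds check vulnerable OpenSSL omitted, and the
    condition a detector should alert on rather than the bare 18 03 02 00 prefix.
    """
    if len(rec) < 5:
        return {"verdict": "truncated"}
    ctype, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", rec[:5])
    if ctype != TLS_HEARTBEAT:
        return {"verdict": "not-heartbeat", "content_type": ctype}
    body = rec[5:]
    if len(body) < 3 or len(body) != rec_len:
        return {"verdict": "truncated", "record_len": rec_len, "got": len(body)}
    hb_type, claimed = struct.unpack("!BH", body[:3])
    available = rec_len - 3   # bytes actually present for payload + padding
    return {
        "tls_version": f"{ver_major}.{ver_minor}",
        "hb_type": "request" if hb_type == HB_REQUEST else "response",
        "claimed_payload_len": claimed,
        "available": available,
        "verdict": "oversized" if claimed + HB_MIN_PADDING > available else "benign",
    }


# Constructed samples: hbv10/hbv11 are the bytes from the scan above; the benign
# record is a well-formed heartbeat carrying one payload byte ("A") + 16 bytes padding.
SAMPLES = {
    "hbv10_from_page": h2bin("18 03 01 00 03 01 40 00"),
    "hbv11_from_page": h2bin("18 03 02 00 03 01 40 00"),
    "benign_heartbeat": h2bin("18 03 02 00 14 01 00 01 41" + " 00" * 16),
    "client_hello_header": h2bin("16 03 02 00 dc"),
}


def scan(samples=SAMPLES):
    """Return {name: verdict} for every record, as a detector would log it."""
    return {name: check_tls_record(rec)["verdict"] for name, rec in samples.items()}
```

The four-byte Snort content match above also fires on every legitimate TLS 1.1 heartbeat; the length comparison is what separates a malformed request from a normal one.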
Heartbleed Payload
We can now analyse the detail of the packet sent which exploits the vulnerability [Presentation]