17.1 Introduction to Metasploit Flashcards

1
Q

Like Shellshock, _______ was a major vulnerability when it was discovered, affecting every device running a vulnerable version of OpenSSL.

A

Heartbleed

2
Q

In what three ways does Heartbleed differ from Shellshock? (3)

A
  • Unlike Shellshock, Heartbleed does not allow remote code execution
  • It’s a **sensitive data exposure** vulnerability that allows attackers to dump confidential information from a victim’s RAM.
  • This bypasses standard access controls and allows attackers to potentially read recently used data on the target’s device, including passwords, private keys, etc.
3
Q

What is the official CVE identifier for the Heartbleed bug?

A

This bug is officially referred to as CVE-2014-0160

4
Q

Why is CVE-2014-0160 called the Heartbleed bug?

A

There is a bug in OpenSSL’s implementation of the TLS Heartbeat extension. When exploited, it leaks (“bleeds”) memory from whichever peer processes the malformed heartbeat: a malicious client can read the server’s memory, and a malicious server can read a connecting client’s memory.

5
Q

What is OpenSSL?

A

OpenSSL is an open-source library that implements SSL/TLS and general-purpose cryptographic primitives, providing encrypted transport and other cryptographic services to the applications and services built on it.

6
Q

Which versions of OpenSSL are affected by CVE-2014-0160?

A

OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g).

7
Q

Briefly describe the four categories of sensitive information that can be retrieved through the Heartbleed bug.

A
  • Primary key material: Private encryption keys (above all the server’s TLS certificate private key), which are the prime target. A leaked private key lets the attacker decrypt captured traffic to the protected service and impersonate the service at will until the key is revoked and replaced.
  • Secondary key material: Data such as user credentials.
  • Protected: The data that is handled by the company that was attacked. This could include, for example, medical records and credit cards.
  • Collateral: Other details that have been exposed to the attacker in the leaked memory content. This may contain technical details such as memory addresses, and security measures such as canaries used to protect against overflow attacks.
8
Q

Explain how the Heartbleed vulnerability works:

A
  • Clients and servers use OpenSSL to encrypt the data they exchange over a TLS connection.
  • The TLS Heartbeat extension (RFC 6520) lets either peer send a “heartbeat” request, a call-and-response keepalive that confirms the connection is still alive without renegotiating it.
  • A heartbeat message consists of a one-byte type, a two-byte payload length, the payload itself, and at least 16 bytes of random padding; the peer replies with a response that echoes the payload back. The critical field is the payload length.
  • A request can be crafted to carry only 1 byte of payload while its length field claims, for example, 16K bytes (the 16-bit field allows up to 64K).
  • Vulnerable OpenSSL trusted the declared length without checking it against the size of the record it had actually received, so it copied the 1 byte the attacker sent plus the following ~16K bytes of whatever happened to lie next in its own heap memory into the response.
  • Much of that memory is harmless padding or buffer contents from earlier transmissions, but it can also contain private keys, session cookies or user credentials, and the request can be repeated as often as the attacker likes.
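The over-read described in the bullets above (and the “bleeding” of card 4) as an added Python simulation; this is not code from the course or from OpenSSL. `build_heartbeat` serialises a heartbeat request, `process_heartbeat_vulnerable` mirrors the pre-1.0.1g logic that trusts the declared length, and `process_heartbeat_fixed` applies the bounds check introduced in 1.0.1g. The `FakeSslSession` class, the heap-neighbour bytes and all function names are constructed for illustration; in a real process the neighbouring memory is whatever the heap allocator placed there.

```python
import os
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16          # RFC 6520: at least 16 bytes of random padding


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Serialise a HeartbeatRequest: type (1 byte) | payload_length (2 bytes)
    | payload | padding.  An honest client passes claimed_len == len(payload);
    the attacker passes a much larger number."""
    return (bytes([HB_REQUEST]) + struct.pack(">H", claimed_len)
            + payload + os.urandom(MIN_PADDING))


class FakeSslSession:
    """Stand-in (constructed for this example) for the OpenSSL record buffer
    and the heap memory that happens to follow it."""

    def __init__(self, record: bytes, heap_neighbour: bytes) -> None:
        self.memory = record + heap_neighbour   # contiguous "process memory"
        self.rrec_length = len(record)          # what s->s3->rrec.length holds


def echoed_payload(response: bytes) -> bytes:
    """Extract the payload a peer echoed back in a HeartbeatResponse."""
    (n,) = struct.unpack(">H", response[1:3])
    return response[3:3 + n]


def process_heartbeat_vulnerable(s: FakeSslSession) -> Optional[bytes]:
    """Logic of tls1_process_heartbeat() before OpenSSL 1.0.1g: the declared
    payload length is trusted and used directly as the memcpy size."""
    p = s.memory
    hbtype = p[0]
    (payload_len,) = struct.unpack(">H", p[1:3])
    if hbtype != HB_REQUEST:
        return None
    # memcpy(bp, pl, payload): copies payload_len bytes starting at the
    # payload pointer, running straight past the end of the record into
    # adjacent heap memory (Python slicing truncates; C would not).
    leaked = p[3:3 + payload_len]
    return (bytes([HB_RESPONSE]) + struct.pack(">H", payload_len)
            + leaked + os.urandom(MIN_PADDING))


def process_heartbeat_fixed(s: FakeSslSession) -> Optional[bytes]:
    """The 1.0.1g fix: check the declared length against the size of the
    record actually received and silently drop anything that does not fit."""
    if 1 + 2 + MIN_PADDING > s.rrec_length:
        return None                     # too short to be a valid heartbeat
    p = s.memory
    hbtype = p[0]
    (payload_len,) = struct.unpack(">H", p[1:3])
    if 1 + 2 + payload_len + MIN_PADDING > s.rrec_length:
        return None                     # silently discard (RFC 6520 section 4)
    if hbtype != HB_REQUEST:
        return None
    payload = p[3:3 + payload_len]
    return (bytes([HB_RESPONSE]) + struct.pack(">H", payload_len)
            + payload + os.urandom(MIN_PADDING))


# Constructed sample: the bytes sitting next to the record buffer in the
# server's heap, here pretending to hold the start of a PEM private key.
HEAP_NEIGHBOUR = (b"\x00" * 8
                  + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA"
                  + b"\x00" * 8)


def run_demo(claimed_len: int, payload: bytes = b"ping") -> dict:
    """Send one heartbeat to both implementations and report what each
    echoed back (None means the request was dropped)."""
    record = build_heartbeat(payload, claimed_len)
    results = {}
    for name, handler in (("vulnerable", process_heartbeat_vulnerable),
                          ("fixed", process_heartbeat_fixed)):
        session = FakeSslSession(record, HEAP_NEIGHBOUR)
        resp = handler(session)
        results[name] = None if resp is None else echoed_payload(resp)
    return results


if __name__ == "__main__":
    print("honest :", run_demo(claimed_len=4))     # length matches payload
    print("attack :", run_demo(claimed_len=0x40))  # claims 64 bytes, sends 4
```

With an honest length both handlers echo `ping`; with the inflated length the vulnerable handler returns 64 bytes (the 4-byte payload, its own padding, then the private-key fragment from the neighbouring memory) while the fixed handler drops the request without replying, which is also why a Heartbleed scanner treats “no heartbeat response” as the patched case.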
9
Q

Exploitation is a multi-step process. You must: (3)

A
  1. Identify vulnerabilities.
  2. Identify specific exploits that correspond to that vulnerability.
  3. Prepare and test the exploit payload.
10
Q

__________ is a tool suite (a program comprised of multiple tools) for hacking servers and other networked devices.

A

**Metasploit** is a tool suite (a program comprised of multiple tools) for hacking servers and other networked devices.

11
Q

The main tools we’ll focus on are:

A

- **MSFconsole**: The main interface for Metasploit. Offers a centralized console to access all the options and modules. MSFconsole runs on your local machine, not on the machines you compromise.

- **Meterpreter**: An in-memory, multi-platform payload with its own command shell that Metasploit launches when you successfully break into a target machine. Unlike MSFconsole, Meterpreter runs on the machines you compromise, not on your local machine.

12
Q

Remember MSFconsole is a unified interface for a variety of different functions. Each of these functions is called a _______.

MSFconsole has tools for port and _______ as well as ________. In addition to exploitation, Metasploit lets you save the results of scans to a database for easy review.

A

Remember MSFconsole is a unified interface for a variety of different functions. Each of these functions is called a **module**.

MSFconsole has tools for port and service scanning as well as enumeration. In addition to exploitation, Metasploit lets you save the results of scans to a database for easy review.

13
Q

What are the 4 different kinds of modules that MSFconsole uses:

A
  1. **Auxiliary modules**: Used for information gathering, enumeration, and port scanning. Can also be used for things like connecting to SQL databases and performing man-in-the-middle attacks. The Heartbleed scanner used later in this lesson is an auxiliary module.
  2. **Exploit modules**: Generally used to deliver exploit code to a target system.
  3. **Post modules**: Offer post-exploitation tools such as the ability to extract password hashes and access tokens, and provide modules for taking a screenshot, key-logging, and downloading files. You’ll explore these during the next class.
  4. **Payload modules**: Used to create malicious payloads to use with an exploit. If possible, the aim is to upload a copy of Meterpreter, which is the default payload of Metasploit.
14
Q

What command launches Metasploit?

A

msfconsole

15
Q

How would you search for Heartbleed modules?

A

search heartbleed

16
Q

What command would you use to load auxiliary/scanner/ssl/openssl_heartbleed module?

A

use auxiliary/scanner/ssl/openssl_heartbleed

17
Q

What command shows the module options?

A

show options

18
Q

What is the command that sets the RHOSTS option to the given target’s IP address?

A

set RHOSTS [target IP]