OWASP Exercises: Exploiting the Heartbleed Bug

Developed with QA

Lab Steps

  • Load the Virtual Machines (Kali & Heartbleed)
  • Navigate to the Victim Website
  • Test to Confirm the Webserver is Vulnerable
  • Create Data to Extract from the Server
  • Configure Metasploit to Exploit the Heartbleed Server
  • Exploit the Heartbleed Server

The hands-on lab is part of this learning path

Introduction to Ethical Hacking Tools

Difficulty: Intermediate
Time Limit: 1h
Students: 108
Rating: 4.5/5

Description

The Heartbleed bug is a serious vulnerability that was found to exist on webservers using the OpenSSL cryptographic library, a popular implementation of the TLS protocol for webservers. This exploit will work on any unpatched webserver running an OpenSSL instance in either client or server mode. The vulnerability was disclosed in 2014, although the bug was found to have been present since a software patch in September 2012. It allows attackers to perform a buffer overflow attack, in which they read more information than they should be allowed to and can therefore read the entire contents of a webserver's memory buffer - an area where the server stores data that is ready for processing or has yet to be overwritten by other processes. This could include passwords, key strings, hashes and all manner of other sensitive information that other users are submitting to the server during normal use.

In this lab, you will perform the Heartbleed attack using the Metasploit Framework in order to dump the contents of a vulnerable webserver using an unpatched version of OpenSSL.

Learning Objectives

Upon completion of this lab you will be able to:

  • Set up Metasploit to exploit a server vulnerable to Heartbleed attacks

Intended Audience

This lab is intended for:

  • Individuals who want to learn how to defend their servers against Heartbleed attacks
  • Security engineers who want to understand whether their servers are vulnerable to attacks
  • Individuals who want to understand how a Heartbleed attack is performed on a server

Prerequisites

This lab has no prerequisites.

Updates

July 9th, 2020 - Enabled direct browser RDP connection for a streamlined experience

About the Author

Students: 565
Labs: 6
Courses: 1
Learning paths: 1

Richard Beck is Director of Cyber Security at QA. He works with customers to build effective and successful security training solutions tailored for business needs. Richard has over 15 years' experience in senior Information Security roles. Prior to QA, Richard was Head of Information Security for an organisation that underpins 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts in Defence, Financial Services and HMG. Richard sits on a number of security advisory panels and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI). Richard is also a STEM Ambassador working to engage and enthuse young people in the area of cyber security, providing a unique perspective on the world of cyber security to teachers and encouraging young people to consider a career in cyber security.