tasksubuntu12.04

ubuntu12.04  时间:2021-03-29  阅读:()
SEEDLabs–HeartbleedAttack1HeartbleedAttackLabCopyrightc2016WenliangDu,SyracuseUniversity.
ThedevelopmentofthisdocumentwaspartiallyfundedbytheNationalScienceFoundationunderAwardNo.
1303306and1318814.
ThisworkislicensedunderaCreativeCommonsAttribution-NonCommercial-ShareAlike4.
0InternationalLicense.
Ahuman-readablesummaryof(andnotasubstitutefor)thelicenseisthefollowing:Youarefreetocopyandredistributethematerialinanymediumorformat.
Youmustgiveappropriatecredit.
Ifyouremix,transform,orbuilduponthematerial,youmustdistributeyourcontributionsunderthesamelicenseastheoriginal.
Youmaynotusethematerialforcommercialpurposes.
1OverviewTheHeartbleedbug(CVE-2014-0160)isasevereimplementationawintheOpenSSLlibrary,whichen-ablesattackerstostealdatafromthememoryofthevictimserver.
Thecontentsofthestolendatadependonwhatisthereinthememoryoftheserver.
Itcouldpotentiallycontainprivatekeys,TLSsessionkeys,usernames,passwords,creditcards,etc.
ThevulnerabilityisintheimplementationoftheHeartbeatprotocol,whichisusedbySSL/TLStokeeptheconnectionalive.
Theobjectiveofthislabisforstudentstounderstandhowseriousthisvulnerabilityis,howtheattackworks,andhowtoxtheproblem.
TheaffectedOpenSSLversionrangeisfrom1.
0.
1to1.
0.
1f.
TheversioninourUbuntuVMis1.
0.
1.
2LabEnvironmentInthislab,weneedtosetuptwoVMs:onecalledattackermachineandtheothercalledvictimserver.
Weusethepre-builtSEEDUbuntu12.
04VM.
TheVMsneedtousetheNAT-Networkadapterforthenetworksetting.
ThiscanbedonebygoingtotheVMsettings,pickingNetwork,andclickingtheAdaptortagtoswitchtheadaptertoNAT-Network.
MakesurebothVMsareonthesameNAT-Network.
ThewebsiteusedinthisattackcanbeanyHTTPSwebsitethatusesSSL/TLS.
However,sinceitisillegaltoattackarealwebsite,wehavesetupawebsiteinourVM,andconducttheattackonourownVM.
Weuseanopen-sourcesocialnetworkapplicationcalledELGG,andhostitinthefollowingURL:https://www.
heartbleedlabelgg.
com.
Weneedtomodifythe/etc/hostsleontheattackermachinetomaptheservernametotheIPad-dressoftheserverVM.
Searchthefollowinglinein/etc/hosts,andreplacetheIPaddress127.
0.
0.
1withtheactualIPaddressoftheserverVMthathoststheELGGapplication.
127.
0.
0.
1www.
heartbleedlabelgg.
com3LabTasksBeforeworkingonthelabtasks,youneedtounderstandhowtheheartbeatprotocolworks.
Theheartbeatprotocolconsistsoftwomessagetypes:HeartbeatRequestpacketandHeartbeatResponsepacket.
ClientsendsaHeartbeatRequestpackettotheserver.
Whentheserverreceivesit,itsendsbackacopyofthereceivedmessageintheHeartbeatResponsepacket.
Thegoalistokeeptheconnectionalive.
TheprotocolisillustratedinFigure1.
SEEDLabs–HeartbleedAttack2Figure1:OverviewoftheHeartbeatProtocol3.
1Task1:LaunchtheHeartbleedAttack.
Inthistask,studentswilllaunchtheHeartbleedattackonoursocialnetworksiteandseewhatkindofdamagescanbeachieved.
TheactualdamageoftheHeartbleedattackdependsonwhatkindofinformationisstoredintheservermemory.
Iftherehasnotbeenmuchactivityontheserver,youwillnotbeabletostealusefuldata.
Therefore,weneedtointeractwiththewebserveraslegitimateusers.
LetusdoitastheSEEDLabs–HeartbleedAttack3administrator,anddothefollowings:Visithttps://www.
heartbleedlabelgg.
comfromyourbrowser.
Loginasthesiteadministrator.
(UserName:admin;Password:seedelgg)AddBobyasfriend.
(GotoMore->MembersandclickBoby->AddFriend)SendBobyaprivatemessage.
Afteryouhavedoneenoughinteractionaslegitimateusers,youcanlaunchtheattackandseewhatinformationyoucangetoutofthevictimserver.
WritingtheprogramtolaunchtheHeartbleedattackfromscratchisnoteasy,becauseitrequiresthelow-levelknowledgeoftheHeartbeatprotocol.
Fortunately,otherpeoplehavealreadywrittentheattackcode.
Therefore,wewillusetheexistingcodetogainrst-handexperienceintheHeartbleedattack.
Thecodethatweuseiscalledattack.
py,whichwasoriginallywrittenbyJaredStafford.
Wemadesomesmallchangestothecodeforeducationalpurposes.
Youcandownloadthecodefromthelab'swebsite,changeitspermissionsotheleisexecutable.
Youcanthenruntheattackcodeasfollows:$.
/attack.
pywww.
heartbleedlabelgg.
comYoumayneedtoruntheattackcodemultipletimestogetusefuldata.
Tryandseewhetheryoucangetthefollowinginformationfromthetargetserver.
Usernameandpassword.
User'sactivity(whattheuserhasdone).
Theexactcontentoftheprivatemessage.
ForeachpieceofsecretthatyoustealfromtheHeartbleedattack,youneedtoshowthescreen-dumpastheproofandexplainhowyoudidtheattack,andwhatyourobservationsare.
3.
2Task2:FindtheCauseoftheHeartbleedVulnerabilityInthistask,studentswillcomparetheoutcomeofthebenignpacketandthemaliciouspacketsentbytheattackercodetondoutthefundamentalcauseoftheHeartbleedvulnerability.
TheHeartbleedattackisbasedontheHeartbeatrequest.
Thisrequestjustsendssomedatatotheserver,andtheserverwillcopythedatatoitsresponsepacket,soallthedataareechoedback.
Inthenormalcase,supposethattherequestincludes3bytesofdata"ABC",sothelengtheldhasavalue3.
Theserverwillplacethedatainthememory,andcopy3bytesfromthebeginningofthedatatoitsresponsepacket.
Intheattackscenario,therequestmaycontain3bytesofdata,butthelengtheldmaysay1003.
Whentheserverconstructsitsresponsepacket,itcopiesfromthestartingofthedata(i.
e.
"ABC"),butitcopies1003bytes,insteadof3bytes.
Theseextra1000typesobviouslydonotcomefromtherequestpacket;theycomefromtheserver'sprivatememory,andtheymaycontainotheruser'sinformation,secretkeys,password,etc.
Inthistask,wewillplaywiththelengtheldoftherequest.
First,let'sunderstandhowtheHeartbeatresponsepacketisbuiltfromFigure2.
WhentheHeartbeatrequestpacketcomes,theserverwillparsethepackettogetthepayloadandthePayloadlengthvalue(whichishighlightedinFigure2).
Here,thepayloadisonlya3-bytestring"ABC"andthePayloadlengthvalueisexactly3.
Theserverprogramwillblindlytakethislengthvaluefromtherequestpacket.
ItthenbuildstheresponsepacketbypointingtoSEEDLabs–HeartbleedAttack4Figure2:TheBenignHeartbeatCommunicationFigure3:TheHeartbleedAttackCommunicationthememorystoring"ABC"andcopyPayloadlengthbytestotheresponsepayload.
Inthisway,theresponsepacketwouldcontaina3-bytestring"ABC".
WecanlaunchtheHeartBleedattacklikewhatisshowninFigure3.
Wekeepthesamepayload(3bytes),butsetthePayloadlengtheldto1003.
TheserverwillagainblindlytakethisPayloadlengthvaluewhenbuildingtheresponsepacket.
Thistime,theserverprogramwillpointtothestring"ABC"andcopy1003bytesfromthememorytotheresponsepacketasapayload.
Besidesthestring"ABC",theextra1000bytesarecopiedintotheresponsepacket,whichcouldbeanythingfromthememory,suchassecretactivity,logginginformation,passwordandsoon.
OurattackcodeallowsyoutoplaywithdifferentPayloadlengthvalues.
Bydefault,thevalueissettoaquitelargeone(0x4000),butyoucanreducethesizeusingthecommandoption"-l"(letterell)SEEDLabs–HeartbleedAttack5or"--length"asshowninthefollowingexamples:$.
/attack.
pywww.
heartbleedlabelgg.
com-l0x015B$.
/attack.
pywww.
heartbleedlabelgg.
com--length83Yourtaskistoplaywiththeattackprogramwithdifferentpayloadlengthvaluesandanswerthefollow-ingquestions:Question2.
1:Asthelengthvariabledecreases,whatkindofdifferencecanyouobserveQuestion2.
2:Asthelengthvariabledecreases,thereisaboundaryvaluefortheinputlengthvari-able.
Atorbelowthatboundary,theHeartbeatquerywillreceivearesponsepacketwithoutattachinganyextradata(whichmeanstherequestisbenign).
Pleasendthatboundarylength.
Youmayneedtotrymanydifferentlengthvaluesuntilthewebserversendsbackthereplywithoutextradata.
Tohelpyouwiththis,whenthenumberofreturnedbytesissmallerthantheexpectedlength,thepro-gramwillprint"ServerprocessedmalformedHeartbeat,butdidnotreturnanyextradata.
"3.
3Task3:CountermeasureandBugFixToxtheHeartbleedvulnerability,thebestwayistoupdatetheOpenSSLlibrarytothenewestversion.
Thiscanbeachievedusingthefollowingcommands.
Itshouldbenotedthatonceitisupdated,itishardtogobacktothevulnerableversion.
Therefore,makesureyouhavenishedtheprevioustasksbeforedoingtheupdate.
YoucanalsotakeasnapshotofyourVMbeforetheupdate.
#sudoapt-getupdate#sudoapt-getupgradeTask3.
1TryyourattackagainafteryouhaveupdatedtheOpenSSLlibrary.
Pleasedescribeyourobser-vations.
Task3.
2TheobjectiveofthistaskistogureouthowtoxtheHeartbleedbuginthesourcecode.
ThefollowingC-stylestructure(notexactlythesameasthesourcecode)istheformatoftheHeartbeatrequest/responsepacket.
struct{HeartbeatMessageTypetype;//1byte:requestortheresponseuint16payload_length;//2byte:thelengthofthepayloadopaquepayload[HeartbeatMessage.
payload_length];opaquepadding[padding_length];}HeartbeatMessage;Thersteld(1byte)ofthepacketisthetypeinformation,andthesecondeld(2bytes)isthepayloadlength,followedbytheactualpayloadandpaddings.
Thesizeofthepayloadshouldbethesameasthevalueinthepayloadlengtheld,butintheattackscenario,payloadlengthcanbesettoadifferentvalue.
Thefollowingcodesnippetshowshowtheservercopiesthedatafromtherequestpackettotheresponsepacket.
SEEDLabs–HeartbleedAttack6Listing1:ProcesstheHeartbeatrequestpacketandgeneratetheresponsepacket1/*Allocatememoryfortheresponse,sizeis1byte2*messagetype,plus2bytespayloadlength,plus3*payload,pluspadding4*/56unsignedintpayload;7unsignedintpadding=16;/*Useminimumpadding*/89//Readfromtypefieldfirst10hbtype=*p++;/*Afterthisinstruction,thepointer11*pwillpointtothepayload_lengthfield*.
1213//Readfromthepayload_lengthfield14//fromtherequestpacket15n2s(p,payload);/*Functionn2s(p,payload)reads16bits16*frompointerpandstorethevalue17*intheINTvariable"payload".
*/181920pl=p;//plpointstothebeginningofthepayloadcontent2122if(hbtype==TLS1_HB_REQUEST)23{24unsignedchar*buffer,*bp;25intr;2627/*Allocatememoryfortheresponse,sizeis1byte28*messagetype,plus2bytespayloadlength,plus29*payload,pluspadding30*/3132buffer=OPENSSL_malloc(1+2+payload+padding);33bp=buffer;3435//Enterresponsetype,lengthandcopypayload36*bp++=TLS1_HB_RESPONSE;37s2n(payload,bp);3839//copypayload40memcpy(bp,pl,payload);/*plisthepointerwhich41*pointstothebeginning42*ofthepayloadcontent*/4344bp+=payload;4546//Randompadding47RAND_pseudo_bytes(bp,padding);4849//thisfunctionwillcopythe3+payload+paddingbytes50//fromthebufferandputthemintotheheartbeatresponse51//packettosendbacktotherequestclientside.
52OPENSSL_free(buffer);SEEDLabs–HeartbleedAttack753r=ssl3_write_bytes(s,TLS1_RT_HEARTBEAT,buffer,543+payload+padding);55}PleasepointouttheproblemfromthecodeinListing1andprovideasolutiontoxthebug(i.
e.
,whatmodicationisneededtoxthebug).
Youdonotneedtorecompilethecode;justdescribehowyoucanxtheprobleminyourlabreport.
Moreover,pleasecommentonthefollowingdiscussionsbyAlice,Bob,andEvaregardingthefunda-mentalcauseoftheHeartbleedvulnerability:Alicethinksthefundamentalcauseismissingtheboundarycheckingduringthebuffercopy;Bobthinksthecauseismissingtheuserinputvalidation;Evathinksthatwecanjustdeletethelengthvaluefromthepackettosolveeverything.
4SubmissionStudentsneedtosubmitadetailedlabreporttodescribewhattheyhavedoneandwhattheyhaveobserved.
Reportshouldincludetheevidencestosupporttheobservations.
Evidencesincludepackettraces,screendumps,etc.
References[1]Heartbleedattack-Implementation:https://alexandreborgesbrazil.
les.
wordpress.
com/2014/04/hearbleedattackversiona1.
pdf[2]Heartbleedattack-Interestingexplanation:http://xkcd.
com/1354/

丽萨主机:美国CN2 GIA精品网/KVM/9折,美国原生IP,最低27元/月

丽萨主机怎么样?丽萨主机,团队于2017年成立。成立之初主要做的是 CDN 和域名等相关业务。最近开辟新领域,新增了独立服务器出租、VPS 等业务,为了保证业务质量从一开始就选择了中美之间的 CN2 GIA 国际精品网络,三网回程 CN2 GIA,电信去程 CN2 GIA + BGP 直连智能路由,联通移动去程直连,原生IP。适合对网络要求较高的用户,同时价格也比较亲民。点击进入:丽萨主机官方网站...

易探云(QQ音乐绿钻)北京/深圳云服务器8核8G10M带宽低至1332.07元/年起

易探云怎么样?易探云香港云服务器比较有优势,他家香港BGP+CN2口碑不错,速度也很稳定。尤其是今年他们动作很大,推出的香港云服务器有4个可用区价格低至18元起,试用过一个月的用户基本会续费,如果年付的话还可以享受8.5折或秒杀价格。今天,云服务器网(yuntue.com)小编推荐一下易探云国内云服务器优惠活动,北京和深圳这二个机房的云服务器2核2G5M带宽低至330.66元/年,还有高配云服务器...

特网云-新上线香港五区补货资源充足限时抢 虚拟主机6折,低至38元!

官方网站:点击访问特网云官网活动方案:===========================香港云限时购==============================支持Linux和Windows操作系统,配置都是可以自选的,非常的灵活,宽带充足新老客户活动期间新购活动款产品都可以享受续费折扣(只限在活动期间购买活动款产品才可享受续费折扣 优惠码:AADE01),购买折扣与续费折扣不叠加,都是在原价...

ubuntu12.04为你推荐
金评媒朱江请问朱江恺撒堡KX系列的钢琴怎么样?今日油条油条是怎样由来www.ijinshan.com金山毒霸的网站是多少baqizi.cc誰知道,最近有什麼好看的電視劇www.dm8.cc有没有最新的日本动漫网站?dpscycle痛苦术士PVE输出宏朴容熙这个人男的女的,哪国人。叫什么。4399宠物连连看2.54399游戏里的宠物连连看3.1版本,电脑网页有,为什么手机里没有呢?我想下这个版本在手机上,因为www.5566.com.cn免费手机游戏恶魔兜兜狼人杀恶魔可以验出神民的身份吗
域名交易 上海域名注册 如何查询ip地址 已经备案域名 国内永久免费云服务器 idc测评网 外国域名 外国空间 evssl证书 gg广告 京东商城0元抢购 40g硬盘 大容量存储器 网站卫士 中国网通测速 怎么建立邮箱 raid10 登陆空间 免费个人主页 实惠 更多