tasksubuntu12.04

ubuntu12.04  时间:2021-03-29  阅读:()
SEEDLabs–HeartbleedAttack1HeartbleedAttackLabCopyrightc2016WenliangDu,SyracuseUniversity.
ThedevelopmentofthisdocumentwaspartiallyfundedbytheNationalScienceFoundationunderAwardNo.
1303306and1318814.
ThisworkislicensedunderaCreativeCommonsAttribution-NonCommercial-ShareAlike4.
0InternationalLicense.
Ahuman-readablesummaryof(andnotasubstitutefor)thelicenseisthefollowing:Youarefreetocopyandredistributethematerialinanymediumorformat.
Youmustgiveappropriatecredit.
Ifyouremix,transform,orbuilduponthematerial,youmustdistributeyourcontributionsunderthesamelicenseastheoriginal.
Youmaynotusethematerialforcommercialpurposes.
1OverviewTheHeartbleedbug(CVE-2014-0160)isasevereimplementationawintheOpenSSLlibrary,whichen-ablesattackerstostealdatafromthememoryofthevictimserver.
Thecontentsofthestolendatadependonwhatisthereinthememoryoftheserver.
Itcouldpotentiallycontainprivatekeys,TLSsessionkeys,usernames,passwords,creditcards,etc.
ThevulnerabilityisintheimplementationoftheHeartbeatprotocol,whichisusedbySSL/TLStokeeptheconnectionalive.
Theobjectiveofthislabisforstudentstounderstandhowseriousthisvulnerabilityis,howtheattackworks,andhowtoxtheproblem.
TheaffectedOpenSSLversionrangeisfrom1.
0.
1to1.
0.
1f.
TheversioninourUbuntuVMis1.
0.
1.
2LabEnvironmentInthislab,weneedtosetuptwoVMs:onecalledattackermachineandtheothercalledvictimserver.
Weusethepre-builtSEEDUbuntu12.
04VM.
TheVMsneedtousetheNAT-Networkadapterforthenetworksetting.
ThiscanbedonebygoingtotheVMsettings,pickingNetwork,andclickingtheAdaptortagtoswitchtheadaptertoNAT-Network.
MakesurebothVMsareonthesameNAT-Network.
ThewebsiteusedinthisattackcanbeanyHTTPSwebsitethatusesSSL/TLS.
However,sinceitisillegaltoattackarealwebsite,wehavesetupawebsiteinourVM,andconducttheattackonourownVM.
Weuseanopen-sourcesocialnetworkapplicationcalledELGG,andhostitinthefollowingURL:https://www.
heartbleedlabelgg.
com.
Weneedtomodifythe/etc/hostsleontheattackermachinetomaptheservernametotheIPad-dressoftheserverVM.
Searchthefollowinglinein/etc/hosts,andreplacetheIPaddress127.
0.
0.
1withtheactualIPaddressoftheserverVMthathoststheELGGapplication.
127.
0.
0.
1www.
heartbleedlabelgg.
com3LabTasksBeforeworkingonthelabtasks,youneedtounderstandhowtheheartbeatprotocolworks.
Theheartbeatprotocolconsistsoftwomessagetypes:HeartbeatRequestpacketandHeartbeatResponsepacket.
ClientsendsaHeartbeatRequestpackettotheserver.
Whentheserverreceivesit,itsendsbackacopyofthereceivedmessageintheHeartbeatResponsepacket.
Thegoalistokeeptheconnectionalive.
TheprotocolisillustratedinFigure1.
SEEDLabs–HeartbleedAttack2Figure1:OverviewoftheHeartbeatProtocol3.
1Task1:LaunchtheHeartbleedAttack.
Inthistask,studentswilllaunchtheHeartbleedattackonoursocialnetworksiteandseewhatkindofdamagescanbeachieved.
TheactualdamageoftheHeartbleedattackdependsonwhatkindofinformationisstoredintheservermemory.
Iftherehasnotbeenmuchactivityontheserver,youwillnotbeabletostealusefuldata.
Therefore,weneedtointeractwiththewebserveraslegitimateusers.
LetusdoitastheSEEDLabs–HeartbleedAttack3administrator,anddothefollowings:Visithttps://www.
heartbleedlabelgg.
comfromyourbrowser.
Loginasthesiteadministrator.
(UserName:admin;Password:seedelgg)AddBobyasfriend.
(GotoMore->MembersandclickBoby->AddFriend)SendBobyaprivatemessage.
Afteryouhavedoneenoughinteractionaslegitimateusers,youcanlaunchtheattackandseewhatinformationyoucangetoutofthevictimserver.
WritingtheprogramtolaunchtheHeartbleedattackfromscratchisnoteasy,becauseitrequiresthelow-levelknowledgeoftheHeartbeatprotocol.
Fortunately,otherpeoplehavealreadywrittentheattackcode.
Therefore,wewillusetheexistingcodetogainrst-handexperienceintheHeartbleedattack.
Thecodethatweuseiscalledattack.
py,whichwasoriginallywrittenbyJaredStafford.
Wemadesomesmallchangestothecodeforeducationalpurposes.
Youcandownloadthecodefromthelab'swebsite,changeitspermissionsotheleisexecutable.
Youcanthenruntheattackcodeasfollows:$.
/attack.
pywww.
heartbleedlabelgg.
comYoumayneedtoruntheattackcodemultipletimestogetusefuldata.
Tryandseewhetheryoucangetthefollowinginformationfromthetargetserver.
Usernameandpassword.
User'sactivity(whattheuserhasdone).
Theexactcontentoftheprivatemessage.
ForeachpieceofsecretthatyoustealfromtheHeartbleedattack,youneedtoshowthescreen-dumpastheproofandexplainhowyoudidtheattack,andwhatyourobservationsare.
3.
2Task2:FindtheCauseoftheHeartbleedVulnerabilityInthistask,studentswillcomparetheoutcomeofthebenignpacketandthemaliciouspacketsentbytheattackercodetondoutthefundamentalcauseoftheHeartbleedvulnerability.
TheHeartbleedattackisbasedontheHeartbeatrequest.
Thisrequestjustsendssomedatatotheserver,andtheserverwillcopythedatatoitsresponsepacket,soallthedataareechoedback.
Inthenormalcase,supposethattherequestincludes3bytesofdata"ABC",sothelengtheldhasavalue3.
Theserverwillplacethedatainthememory,andcopy3bytesfromthebeginningofthedatatoitsresponsepacket.
Intheattackscenario,therequestmaycontain3bytesofdata,butthelengtheldmaysay1003.
Whentheserverconstructsitsresponsepacket,itcopiesfromthestartingofthedata(i.
e.
"ABC"),butitcopies1003bytes,insteadof3bytes.
Theseextra1000typesobviouslydonotcomefromtherequestpacket;theycomefromtheserver'sprivatememory,andtheymaycontainotheruser'sinformation,secretkeys,password,etc.
Inthistask,wewillplaywiththelengtheldoftherequest.
First,let'sunderstandhowtheHeartbeatresponsepacketisbuiltfromFigure2.
WhentheHeartbeatrequestpacketcomes,theserverwillparsethepackettogetthepayloadandthePayloadlengthvalue(whichishighlightedinFigure2).
Here,thepayloadisonlya3-bytestring"ABC"andthePayloadlengthvalueisexactly3.
Theserverprogramwillblindlytakethislengthvaluefromtherequestpacket.
ItthenbuildstheresponsepacketbypointingtoSEEDLabs–HeartbleedAttack4Figure2:TheBenignHeartbeatCommunicationFigure3:TheHeartbleedAttackCommunicationthememorystoring"ABC"andcopyPayloadlengthbytestotheresponsepayload.
Inthisway,theresponsepacketwouldcontaina3-bytestring"ABC".
WecanlaunchtheHeartBleedattacklikewhatisshowninFigure3.
Wekeepthesamepayload(3bytes),butsetthePayloadlengtheldto1003.
TheserverwillagainblindlytakethisPayloadlengthvaluewhenbuildingtheresponsepacket.
Thistime,theserverprogramwillpointtothestring"ABC"andcopy1003bytesfromthememorytotheresponsepacketasapayload.
Besidesthestring"ABC",theextra1000bytesarecopiedintotheresponsepacket,whichcouldbeanythingfromthememory,suchassecretactivity,logginginformation,passwordandsoon.
OurattackcodeallowsyoutoplaywithdifferentPayloadlengthvalues.
Bydefault,thevalueissettoaquitelargeone(0x4000),butyoucanreducethesizeusingthecommandoption"-l"(letterell)SEEDLabs–HeartbleedAttack5or"--length"asshowninthefollowingexamples:$.
/attack.
pywww.
heartbleedlabelgg.
com-l0x015B$.
/attack.
pywww.
heartbleedlabelgg.
com--length83Yourtaskistoplaywiththeattackprogramwithdifferentpayloadlengthvaluesandanswerthefollow-ingquestions:Question2.
1:Asthelengthvariabledecreases,whatkindofdifferencecanyouobserveQuestion2.
2:Asthelengthvariabledecreases,thereisaboundaryvaluefortheinputlengthvari-able.
Atorbelowthatboundary,theHeartbeatquerywillreceivearesponsepacketwithoutattachinganyextradata(whichmeanstherequestisbenign).
Pleasendthatboundarylength.
Youmayneedtotrymanydifferentlengthvaluesuntilthewebserversendsbackthereplywithoutextradata.
Tohelpyouwiththis,whenthenumberofreturnedbytesissmallerthantheexpectedlength,thepro-gramwillprint"ServerprocessedmalformedHeartbeat,butdidnotreturnanyextradata.
"3.
3Task3:CountermeasureandBugFixToxtheHeartbleedvulnerability,thebestwayistoupdatetheOpenSSLlibrarytothenewestversion.
Thiscanbeachievedusingthefollowingcommands.
Itshouldbenotedthatonceitisupdated,itishardtogobacktothevulnerableversion.
Therefore,makesureyouhavenishedtheprevioustasksbeforedoingtheupdate.
YoucanalsotakeasnapshotofyourVMbeforetheupdate.
#sudoapt-getupdate#sudoapt-getupgradeTask3.
1TryyourattackagainafteryouhaveupdatedtheOpenSSLlibrary.
Pleasedescribeyourobser-vations.
Task3.
2TheobjectiveofthistaskistogureouthowtoxtheHeartbleedbuginthesourcecode.
ThefollowingC-stylestructure(notexactlythesameasthesourcecode)istheformatoftheHeartbeatrequest/responsepacket.
struct{HeartbeatMessageTypetype;//1byte:requestortheresponseuint16payload_length;//2byte:thelengthofthepayloadopaquepayload[HeartbeatMessage.
payload_length];opaquepadding[padding_length];}HeartbeatMessage;Thersteld(1byte)ofthepacketisthetypeinformation,andthesecondeld(2bytes)isthepayloadlength,followedbytheactualpayloadandpaddings.
Thesizeofthepayloadshouldbethesameasthevalueinthepayloadlengtheld,butintheattackscenario,payloadlengthcanbesettoadifferentvalue.
Thefollowingcodesnippetshowshowtheservercopiesthedatafromtherequestpackettotheresponsepacket.
SEEDLabs–HeartbleedAttack6Listing1:ProcesstheHeartbeatrequestpacketandgeneratetheresponsepacket1/*Allocatememoryfortheresponse,sizeis1byte2*messagetype,plus2bytespayloadlength,plus3*payload,pluspadding4*/56unsignedintpayload;7unsignedintpadding=16;/*Useminimumpadding*/89//Readfromtypefieldfirst10hbtype=*p++;/*Afterthisinstruction,thepointer11*pwillpointtothepayload_lengthfield*.
1213//Readfromthepayload_lengthfield14//fromtherequestpacket15n2s(p,payload);/*Functionn2s(p,payload)reads16bits16*frompointerpandstorethevalue17*intheINTvariable"payload".
*/181920pl=p;//plpointstothebeginningofthepayloadcontent2122if(hbtype==TLS1_HB_REQUEST)23{24unsignedchar*buffer,*bp;25intr;2627/*Allocatememoryfortheresponse,sizeis1byte28*messagetype,plus2bytespayloadlength,plus29*payload,pluspadding30*/3132buffer=OPENSSL_malloc(1+2+payload+padding);33bp=buffer;3435//Enterresponsetype,lengthandcopypayload36*bp++=TLS1_HB_RESPONSE;37s2n(payload,bp);3839//copypayload40memcpy(bp,pl,payload);/*plisthepointerwhich41*pointstothebeginning42*ofthepayloadcontent*/4344bp+=payload;4546//Randompadding47RAND_pseudo_bytes(bp,padding);4849//thisfunctionwillcopythe3+payload+paddingbytes50//fromthebufferandputthemintotheheartbeatresponse51//packettosendbacktotherequestclientside.
52OPENSSL_free(buffer);SEEDLabs–HeartbleedAttack753r=ssl3_write_bytes(s,TLS1_RT_HEARTBEAT,buffer,543+payload+padding);55}PleasepointouttheproblemfromthecodeinListing1andprovideasolutiontoxthebug(i.
e.
,whatmodicationisneededtoxthebug).
Youdonotneedtorecompilethecode;justdescribehowyoucanxtheprobleminyourlabreport.
Moreover,pleasecommentonthefollowingdiscussionsbyAlice,Bob,andEvaregardingthefunda-mentalcauseoftheHeartbleedvulnerability:Alicethinksthefundamentalcauseismissingtheboundarycheckingduringthebuffercopy;Bobthinksthecauseismissingtheuserinputvalidation;Evathinksthatwecanjustdeletethelengthvaluefromthepackettosolveeverything.
4SubmissionStudentsneedtosubmitadetailedlabreporttodescribewhattheyhavedoneandwhattheyhaveobserved.
Reportshouldincludetheevidencestosupporttheobservations.
Evidencesincludepackettraces,screendumps,etc.
References[1]Heartbleedattack-Implementation:https://alexandreborgesbrazil.
les.
wordpress.
com/2014/04/hearbleedattackversiona1.
pdf[2]Heartbleedattack-Interestingexplanation:http://xkcd.
com/1354/

国内云服务器 1核 2G 2M 15元/月 萤光云

标题【萤光云双十二 全场6折 15元/月 续费同价】今天站长给大家推荐一家国内云厂商的双十二活动。萤光云总部位于福建福州,其成立于2002 年。主打高防云服务器产品,主要提供福州、北京、上海 BGP 和香港 CN2 节点。萤光云的高防云服务器自带 50G 防御,适合高防建站、游戏高防等业务。这家厂商本次双十二算是性价比很高了。全线产品6折,上海 BGP 云服务器折扣更大 5.5 折(测试了一下是金...

WebHorizon($10.56/年)256MB/5G SSD/200GB/日本VPS

WebHorizon是一家去年成立的国外VPS主机商,印度注册,提供虚拟主机和VPS产品,其中VPS包括OpenVZ和KVM架构,有独立IP也有共享IP,数据中心包括美国、波兰、日本、新加坡等(共享IP主机可选机房更多)。目前商家对日本VPS提供一个8折优惠码,优惠后最低款OpenVZ套餐年付10.56美元起。OpenVZCPU:1core内存:256MB硬盘:5G NVMe流量:200GB/1G...

Hostodo:$19.99/年KVM-1GB/12GB/4TB/拉斯维加斯

Hostodo发布了几款采用NVMe磁盘的促销套餐,从512MB内存起,最低年付14.99美元,基于KVM架构,开设在拉斯维加斯机房。这是一家成立于2014年的国外VPS主机商,主打低价VPS套餐且年付为主,基于OpenVZ和KVM架构,产品性能一般,数据中心目前在拉斯维加斯和迈阿密,支持使用PayPal或者支付宝等付款方式。下面列出几款NVMe硬盘套餐配置信息。CPU:1core内存:512MB...

ubuntu12.04为你推荐
网易网盘关闭入口网易网盘怎么打不开了微信回应封杀钉钉微信大封杀"违规"了吗蓝色骨头手机蓝色骨头为什么还没上映www.yahoo.com.hk香港的常用网站www.119mm.comwww.kb119.com 这个网站你们能打开不?mole.61.com摩尔庄园的米米号和密码我都忘了 只记得注册的邮箱 怎么办-_-125xx.com高手指教下,www.fshxbxg.com这个域名值多少钱?www.niuav.com给我个看电影的网站www.kanav001.com长虹V001手机小游戏下载的网址是什么杨丽晓博客杨丽晓是如何进入娱乐圈的?
域名注册godaddy 中文域名申请 流媒体服务器 12306抢票助手 地址大全 智能骨干网 网站木马检测工具 河南移动网 drupal安装 优酷黄金会员账号共享 域名与空间 空间登入 starry ledlamp 摩尔庄园注册 后门 卡巴斯基官网下载 阿里云邮箱个人版 hdroad 优惠服务器 更多