tasksubuntu12.04

ubuntu12.04  时间:2021-03-29  阅读:()
SEEDLabs–HeartbleedAttack1HeartbleedAttackLabCopyrightc2016WenliangDu,SyracuseUniversity.
ThedevelopmentofthisdocumentwaspartiallyfundedbytheNationalScienceFoundationunderAwardNo.
1303306and1318814.
ThisworkislicensedunderaCreativeCommonsAttribution-NonCommercial-ShareAlike4.
0InternationalLicense.
Ahuman-readablesummaryof(andnotasubstitutefor)thelicenseisthefollowing:Youarefreetocopyandredistributethematerialinanymediumorformat.
Youmustgiveappropriatecredit.
Ifyouremix,transform,orbuilduponthematerial,youmustdistributeyourcontributionsunderthesamelicenseastheoriginal.
Youmaynotusethematerialforcommercialpurposes.
1OverviewTheHeartbleedbug(CVE-2014-0160)isasevereimplementationawintheOpenSSLlibrary,whichen-ablesattackerstostealdatafromthememoryofthevictimserver.
Thecontentsofthestolendatadependonwhatisthereinthememoryoftheserver.
Itcouldpotentiallycontainprivatekeys,TLSsessionkeys,usernames,passwords,creditcards,etc.
ThevulnerabilityisintheimplementationoftheHeartbeatprotocol,whichisusedbySSL/TLStokeeptheconnectionalive.
Theobjectiveofthislabisforstudentstounderstandhowseriousthisvulnerabilityis,howtheattackworks,andhowtoxtheproblem.
TheaffectedOpenSSLversionrangeisfrom1.
0.
1to1.
0.
1f.
TheversioninourUbuntuVMis1.
0.
1.
2LabEnvironmentInthislab,weneedtosetuptwoVMs:onecalledattackermachineandtheothercalledvictimserver.
Weusethepre-builtSEEDUbuntu12.
04VM.
TheVMsneedtousetheNAT-Networkadapterforthenetworksetting.
ThiscanbedonebygoingtotheVMsettings,pickingNetwork,andclickingtheAdaptortagtoswitchtheadaptertoNAT-Network.
MakesurebothVMsareonthesameNAT-Network.
ThewebsiteusedinthisattackcanbeanyHTTPSwebsitethatusesSSL/TLS.
However,sinceitisillegaltoattackarealwebsite,wehavesetupawebsiteinourVM,andconducttheattackonourownVM.
Weuseanopen-sourcesocialnetworkapplicationcalledELGG,andhostitinthefollowingURL:https://www.
heartbleedlabelgg.
com.
Weneedtomodifythe/etc/hostsleontheattackermachinetomaptheservernametotheIPad-dressoftheserverVM.
Searchthefollowinglinein/etc/hosts,andreplacetheIPaddress127.
0.
0.
1withtheactualIPaddressoftheserverVMthathoststheELGGapplication.
127.
0.
0.
1www.
heartbleedlabelgg.
com3LabTasksBeforeworkingonthelabtasks,youneedtounderstandhowtheheartbeatprotocolworks.
Theheartbeatprotocolconsistsoftwomessagetypes:HeartbeatRequestpacketandHeartbeatResponsepacket.
ClientsendsaHeartbeatRequestpackettotheserver.
Whentheserverreceivesit,itsendsbackacopyofthereceivedmessageintheHeartbeatResponsepacket.
Thegoalistokeeptheconnectionalive.
TheprotocolisillustratedinFigure1.
SEEDLabs–HeartbleedAttack2Figure1:OverviewoftheHeartbeatProtocol3.
1Task1:LaunchtheHeartbleedAttack.
Inthistask,studentswilllaunchtheHeartbleedattackonoursocialnetworksiteandseewhatkindofdamagescanbeachieved.
TheactualdamageoftheHeartbleedattackdependsonwhatkindofinformationisstoredintheservermemory.
Iftherehasnotbeenmuchactivityontheserver,youwillnotbeabletostealusefuldata.
Therefore,weneedtointeractwiththewebserveraslegitimateusers.
LetusdoitastheSEEDLabs–HeartbleedAttack3administrator,anddothefollowings:Visithttps://www.
heartbleedlabelgg.
comfromyourbrowser.
Loginasthesiteadministrator.
(UserName:admin;Password:seedelgg)AddBobyasfriend.
(GotoMore->MembersandclickBoby->AddFriend)SendBobyaprivatemessage.
Afteryouhavedoneenoughinteractionaslegitimateusers,youcanlaunchtheattackandseewhatinformationyoucangetoutofthevictimserver.
WritingtheprogramtolaunchtheHeartbleedattackfromscratchisnoteasy,becauseitrequiresthelow-levelknowledgeoftheHeartbeatprotocol.
Fortunately,otherpeoplehavealreadywrittentheattackcode.
Therefore,wewillusetheexistingcodetogainrst-handexperienceintheHeartbleedattack.
Thecodethatweuseiscalledattack.
py,whichwasoriginallywrittenbyJaredStafford.
Wemadesomesmallchangestothecodeforeducationalpurposes.
Youcandownloadthecodefromthelab'swebsite,changeitspermissionsotheleisexecutable.
Youcanthenruntheattackcodeasfollows:$.
/attack.
pywww.
heartbleedlabelgg.
comYoumayneedtoruntheattackcodemultipletimestogetusefuldata.
Tryandseewhetheryoucangetthefollowinginformationfromthetargetserver.
Usernameandpassword.
User'sactivity(whattheuserhasdone).
Theexactcontentoftheprivatemessage.
ForeachpieceofsecretthatyoustealfromtheHeartbleedattack,youneedtoshowthescreen-dumpastheproofandexplainhowyoudidtheattack,andwhatyourobservationsare.
3.
2Task2:FindtheCauseoftheHeartbleedVulnerabilityInthistask,studentswillcomparetheoutcomeofthebenignpacketandthemaliciouspacketsentbytheattackercodetondoutthefundamentalcauseoftheHeartbleedvulnerability.
TheHeartbleedattackisbasedontheHeartbeatrequest.
Thisrequestjustsendssomedatatotheserver,andtheserverwillcopythedatatoitsresponsepacket,soallthedataareechoedback.
Inthenormalcase,supposethattherequestincludes3bytesofdata"ABC",sothelengtheldhasavalue3.
Theserverwillplacethedatainthememory,andcopy3bytesfromthebeginningofthedatatoitsresponsepacket.
Intheattackscenario,therequestmaycontain3bytesofdata,butthelengtheldmaysay1003.
Whentheserverconstructsitsresponsepacket,itcopiesfromthestartingofthedata(i.
e.
"ABC"),butitcopies1003bytes,insteadof3bytes.
Theseextra1000typesobviouslydonotcomefromtherequestpacket;theycomefromtheserver'sprivatememory,andtheymaycontainotheruser'sinformation,secretkeys,password,etc.
Inthistask,wewillplaywiththelengtheldoftherequest.
First,let'sunderstandhowtheHeartbeatresponsepacketisbuiltfromFigure2.
WhentheHeartbeatrequestpacketcomes,theserverwillparsethepackettogetthepayloadandthePayloadlengthvalue(whichishighlightedinFigure2).
Here,thepayloadisonlya3-bytestring"ABC"andthePayloadlengthvalueisexactly3.
Theserverprogramwillblindlytakethislengthvaluefromtherequestpacket.
ItthenbuildstheresponsepacketbypointingtoSEEDLabs–HeartbleedAttack4Figure2:TheBenignHeartbeatCommunicationFigure3:TheHeartbleedAttackCommunicationthememorystoring"ABC"andcopyPayloadlengthbytestotheresponsepayload.
Inthisway,theresponsepacketwouldcontaina3-bytestring"ABC".
WecanlaunchtheHeartBleedattacklikewhatisshowninFigure3.
Wekeepthesamepayload(3bytes),butsetthePayloadlengtheldto1003.
TheserverwillagainblindlytakethisPayloadlengthvaluewhenbuildingtheresponsepacket.
Thistime,theserverprogramwillpointtothestring"ABC"andcopy1003bytesfromthememorytotheresponsepacketasapayload.
Besidesthestring"ABC",theextra1000bytesarecopiedintotheresponsepacket,whichcouldbeanythingfromthememory,suchassecretactivity,logginginformation,passwordandsoon.
OurattackcodeallowsyoutoplaywithdifferentPayloadlengthvalues.
Bydefault,thevalueissettoaquitelargeone(0x4000),butyoucanreducethesizeusingthecommandoption"-l"(letterell)SEEDLabs–HeartbleedAttack5or"--length"asshowninthefollowingexamples:$.
/attack.
pywww.
heartbleedlabelgg.
com-l0x015B$.
/attack.
pywww.
heartbleedlabelgg.
com--length83Yourtaskistoplaywiththeattackprogramwithdifferentpayloadlengthvaluesandanswerthefollow-ingquestions:Question2.
1:Asthelengthvariabledecreases,whatkindofdifferencecanyouobserveQuestion2.
2:Asthelengthvariabledecreases,thereisaboundaryvaluefortheinputlengthvari-able.
Atorbelowthatboundary,theHeartbeatquerywillreceivearesponsepacketwithoutattachinganyextradata(whichmeanstherequestisbenign).
Pleasendthatboundarylength.
Youmayneedtotrymanydifferentlengthvaluesuntilthewebserversendsbackthereplywithoutextradata.
Tohelpyouwiththis,whenthenumberofreturnedbytesissmallerthantheexpectedlength,thepro-gramwillprint"ServerprocessedmalformedHeartbeat,butdidnotreturnanyextradata.
"3.
3Task3:CountermeasureandBugFixToxtheHeartbleedvulnerability,thebestwayistoupdatetheOpenSSLlibrarytothenewestversion.
Thiscanbeachievedusingthefollowingcommands.
Itshouldbenotedthatonceitisupdated,itishardtogobacktothevulnerableversion.
Therefore,makesureyouhavenishedtheprevioustasksbeforedoingtheupdate.
YoucanalsotakeasnapshotofyourVMbeforetheupdate.
#sudoapt-getupdate#sudoapt-getupgradeTask3.
1TryyourattackagainafteryouhaveupdatedtheOpenSSLlibrary.
Pleasedescribeyourobser-vations.
Task3.
2TheobjectiveofthistaskistogureouthowtoxtheHeartbleedbuginthesourcecode.
ThefollowingC-stylestructure(notexactlythesameasthesourcecode)istheformatoftheHeartbeatrequest/responsepacket.
struct{HeartbeatMessageTypetype;//1byte:requestortheresponseuint16payload_length;//2byte:thelengthofthepayloadopaquepayload[HeartbeatMessage.
payload_length];opaquepadding[padding_length];}HeartbeatMessage;Thersteld(1byte)ofthepacketisthetypeinformation,andthesecondeld(2bytes)isthepayloadlength,followedbytheactualpayloadandpaddings.
Thesizeofthepayloadshouldbethesameasthevalueinthepayloadlengtheld,butintheattackscenario,payloadlengthcanbesettoadifferentvalue.
Thefollowingcodesnippetshowshowtheservercopiesthedatafromtherequestpackettotheresponsepacket.
SEEDLabs–HeartbleedAttack6Listing1:ProcesstheHeartbeatrequestpacketandgeneratetheresponsepacket1/*Allocatememoryfortheresponse,sizeis1byte2*messagetype,plus2bytespayloadlength,plus3*payload,pluspadding4*/56unsignedintpayload;7unsignedintpadding=16;/*Useminimumpadding*/89//Readfromtypefieldfirst10hbtype=*p++;/*Afterthisinstruction,thepointer11*pwillpointtothepayload_lengthfield*.
1213//Readfromthepayload_lengthfield14//fromtherequestpacket15n2s(p,payload);/*Functionn2s(p,payload)reads16bits16*frompointerpandstorethevalue17*intheINTvariable"payload".
*/181920pl=p;//plpointstothebeginningofthepayloadcontent2122if(hbtype==TLS1_HB_REQUEST)23{24unsignedchar*buffer,*bp;25intr;2627/*Allocatememoryfortheresponse,sizeis1byte28*messagetype,plus2bytespayloadlength,plus29*payload,pluspadding30*/3132buffer=OPENSSL_malloc(1+2+payload+padding);33bp=buffer;3435//Enterresponsetype,lengthandcopypayload36*bp++=TLS1_HB_RESPONSE;37s2n(payload,bp);3839//copypayload40memcpy(bp,pl,payload);/*plisthepointerwhich41*pointstothebeginning42*ofthepayloadcontent*/4344bp+=payload;4546//Randompadding47RAND_pseudo_bytes(bp,padding);4849//thisfunctionwillcopythe3+payload+paddingbytes50//fromthebufferandputthemintotheheartbeatresponse51//packettosendbacktotherequestclientside.
52OPENSSL_free(buffer);SEEDLabs–HeartbleedAttack753r=ssl3_write_bytes(s,TLS1_RT_HEARTBEAT,buffer,543+payload+padding);55}PleasepointouttheproblemfromthecodeinListing1andprovideasolutiontoxthebug(i.
e.
,whatmodicationisneededtoxthebug).
Youdonotneedtorecompilethecode;justdescribehowyoucanxtheprobleminyourlabreport.
Moreover,pleasecommentonthefollowingdiscussionsbyAlice,Bob,andEvaregardingthefunda-mentalcauseoftheHeartbleedvulnerability:Alicethinksthefundamentalcauseismissingtheboundarycheckingduringthebuffercopy;Bobthinksthecauseismissingtheuserinputvalidation;Evathinksthatwecanjustdeletethelengthvaluefromthepackettosolveeverything.
4SubmissionStudentsneedtosubmitadetailedlabreporttodescribewhattheyhavedoneandwhattheyhaveobserved.
Reportshouldincludetheevidencestosupporttheobservations.
Evidencesincludepackettraces,screendumps,etc.
References[1]Heartbleedattack-Implementation:https://alexandreborgesbrazil.
les.
wordpress.
com/2014/04/hearbleedattackversiona1.
pdf[2]Heartbleedattack-Interestingexplanation:http://xkcd.
com/1354/

gcorelabs远东khabarovsk伯力Cloud云服务器测评,告诉你gcorelabs云服务器怎么样

说明一下:gcorelabs的俄罗斯远东机房“伯力”既有“Virtual servers”也有“CLOUD SERVICES”,前者是VPS,后者是云服务器,不是一回事;由于平日大家习惯把VPS和云服务器当做一回事儿,所以这里要特别说明一下。本次测评的是gcorelabs的cloud,也就是云服务器。 官方网站:https://gcorelabs.com 支持:数字加密货币、信用卡、PayPal...

10GBIZ(月$2.36 ), 香港和洛杉矶CN2 GIA

10GBIZ服务商经常有看到隔壁的一些博客分享内容,我翻看网站看之前有记录过一篇,只不过由于服务商是2020年新成立的所以分享内容比较谨慎。这不至今已经有将近两年的服务商而且云服务产品也比较丰富,目前有看到10GBIZ服务商有提供香港、美国洛杉矶等多机房的云服务器、独立服务器和站群服务器。其中比较吸引到我们用户的是亚洲节点的包括香港、日本等七星级网络服务。具体我们看看相关的配置和线路产品。第一、香...

数脉科技:六月优惠促销,免备案香港物理服务器,E3-1230v2处理器16G内存,350元/月

数脉科技六月优惠促销发布了!数脉科技对香港自营机房的香港服务器进行超低价促销,可选择30M、50M、100Mbps的优质bgp网络。更大带宽可在选购时选择同样享受优惠,目前仅提供HKBGP、阿里云产品,香港CN2、产品优惠码续费有效,仅限新购,每个客户可使用于一个订单。新客户可以立减400元,或者选择对应的机器用相应的优惠码,有需要的朋友可以尝试一下。点击进入:数脉科技官方网站地址数脉科技是一家成...

ubuntu12.04为你推荐
摩拜超15分钟加钱摩拜单车不是按骑行时间收费吗,我怎么只要开锁就要支付一元(而且只骑十几分钟)openeuleropen opening opens opened有什么区别商标注册流程及费用我想注册商标一般需要什么流程和费用?刘祚天你们知道21世纪的DJ分为几种类型吗?(答对者重赏)www.baitu.com谁有免费的动漫网站?99nets.com99nets网游模拟娱乐社区怎么打不开了?????????谁能告诉我 ???、菊爆盘请问网上百度贴吧里有些下载地址,他们就直接说菊爆盘,然后后面有字母和数字,比如dk几几几的,www.493333.comwww.xiaonei.com鹤城勿扰齐齐哈尔,又叫鹤城吗?蜘蛛机器人在《红色警戒2共和国之辉》中,对付“蜘蛛机器人”的最好武器是什么?
如何注册网站域名 已经备案域名 免费主机 徐正曦 nerds 免费申请网站 web服务器安全 爱奇艺会员免费试用 免费外链相册 工信部icp备案查询 攻击服务器 杭州电信 阿里云邮箱怎么注册 godaddy退款 带宽测速 cc加速器 asp简介 卡巴下载 blaze neicun 更多