tasksubuntu12.04

ubuntu12.04  时间:2021-03-29  阅读:()
SEEDLabs–HeartbleedAttack1HeartbleedAttackLabCopyrightc2016WenliangDu,SyracuseUniversity.
ThedevelopmentofthisdocumentwaspartiallyfundedbytheNationalScienceFoundationunderAwardNo.
1303306and1318814.
ThisworkislicensedunderaCreativeCommonsAttribution-NonCommercial-ShareAlike4.
0InternationalLicense.
Ahuman-readablesummaryof(andnotasubstitutefor)thelicenseisthefollowing:Youarefreetocopyandredistributethematerialinanymediumorformat.
Youmustgiveappropriatecredit.
Ifyouremix,transform,orbuilduponthematerial,youmustdistributeyourcontributionsunderthesamelicenseastheoriginal.
Youmaynotusethematerialforcommercialpurposes.
1OverviewTheHeartbleedbug(CVE-2014-0160)isasevereimplementationawintheOpenSSLlibrary,whichen-ablesattackerstostealdatafromthememoryofthevictimserver.
Thecontentsofthestolendatadependonwhatisthereinthememoryoftheserver.
Itcouldpotentiallycontainprivatekeys,TLSsessionkeys,usernames,passwords,creditcards,etc.
ThevulnerabilityisintheimplementationoftheHeartbeatprotocol,whichisusedbySSL/TLStokeeptheconnectionalive.
Theobjectiveofthislabisforstudentstounderstandhowseriousthisvulnerabilityis,howtheattackworks,andhowtoxtheproblem.
TheaffectedOpenSSLversionrangeisfrom1.
0.
1to1.
0.
1f.
TheversioninourUbuntuVMis1.
0.
1.
2LabEnvironmentInthislab,weneedtosetuptwoVMs:onecalledattackermachineandtheothercalledvictimserver.
Weusethepre-builtSEEDUbuntu12.
04VM.
TheVMsneedtousetheNAT-Networkadapterforthenetworksetting.
ThiscanbedonebygoingtotheVMsettings,pickingNetwork,andclickingtheAdaptortagtoswitchtheadaptertoNAT-Network.
MakesurebothVMsareonthesameNAT-Network.
ThewebsiteusedinthisattackcanbeanyHTTPSwebsitethatusesSSL/TLS.
However,sinceitisillegaltoattackarealwebsite,wehavesetupawebsiteinourVM,andconducttheattackonourownVM.
Weuseanopen-sourcesocialnetworkapplicationcalledELGG,andhostitinthefollowingURL:https://www.
heartbleedlabelgg.
com.
Weneedtomodifythe/etc/hostsleontheattackermachinetomaptheservernametotheIPad-dressoftheserverVM.
Searchthefollowinglinein/etc/hosts,andreplacetheIPaddress127.
0.
0.
1withtheactualIPaddressoftheserverVMthathoststheELGGapplication.
127.
0.
0.
1www.
heartbleedlabelgg.
com3LabTasksBeforeworkingonthelabtasks,youneedtounderstandhowtheheartbeatprotocolworks.
Theheartbeatprotocolconsistsoftwomessagetypes:HeartbeatRequestpacketandHeartbeatResponsepacket.
ClientsendsaHeartbeatRequestpackettotheserver.
Whentheserverreceivesit,itsendsbackacopyofthereceivedmessageintheHeartbeatResponsepacket.
Thegoalistokeeptheconnectionalive.
TheprotocolisillustratedinFigure1.
SEEDLabs–HeartbleedAttack2Figure1:OverviewoftheHeartbeatProtocol3.
1Task1:LaunchtheHeartbleedAttack.
Inthistask,studentswilllaunchtheHeartbleedattackonoursocialnetworksiteandseewhatkindofdamagescanbeachieved.
TheactualdamageoftheHeartbleedattackdependsonwhatkindofinformationisstoredintheservermemory.
Iftherehasnotbeenmuchactivityontheserver,youwillnotbeabletostealusefuldata.
Therefore,weneedtointeractwiththewebserveraslegitimateusers.
LetusdoitastheSEEDLabs–HeartbleedAttack3administrator,anddothefollowings:Visithttps://www.
heartbleedlabelgg.
comfromyourbrowser.
Loginasthesiteadministrator.
(UserName:admin;Password:seedelgg)AddBobyasfriend.
(GotoMore->MembersandclickBoby->AddFriend)SendBobyaprivatemessage.
Afteryouhavedoneenoughinteractionaslegitimateusers,youcanlaunchtheattackandseewhatinformationyoucangetoutofthevictimserver.
WritingtheprogramtolaunchtheHeartbleedattackfromscratchisnoteasy,becauseitrequiresthelow-levelknowledgeoftheHeartbeatprotocol.
Fortunately,otherpeoplehavealreadywrittentheattackcode.
Therefore,wewillusetheexistingcodetogainrst-handexperienceintheHeartbleedattack.
Thecodethatweuseiscalledattack.
py,whichwasoriginallywrittenbyJaredStafford.
Wemadesomesmallchangestothecodeforeducationalpurposes.
Youcandownloadthecodefromthelab'swebsite,changeitspermissionsotheleisexecutable.
Youcanthenruntheattackcodeasfollows:$.
/attack.
pywww.
heartbleedlabelgg.
comYoumayneedtoruntheattackcodemultipletimestogetusefuldata.
Tryandseewhetheryoucangetthefollowinginformationfromthetargetserver.
Usernameandpassword.
User'sactivity(whattheuserhasdone).
Theexactcontentoftheprivatemessage.
ForeachpieceofsecretthatyoustealfromtheHeartbleedattack,youneedtoshowthescreen-dumpastheproofandexplainhowyoudidtheattack,andwhatyourobservationsare.
3.
2Task2:FindtheCauseoftheHeartbleedVulnerabilityInthistask,studentswillcomparetheoutcomeofthebenignpacketandthemaliciouspacketsentbytheattackercodetondoutthefundamentalcauseoftheHeartbleedvulnerability.
TheHeartbleedattackisbasedontheHeartbeatrequest.
Thisrequestjustsendssomedatatotheserver,andtheserverwillcopythedatatoitsresponsepacket,soallthedataareechoedback.
Inthenormalcase,supposethattherequestincludes3bytesofdata"ABC",sothelengtheldhasavalue3.
Theserverwillplacethedatainthememory,andcopy3bytesfromthebeginningofthedatatoitsresponsepacket.
Intheattackscenario,therequestmaycontain3bytesofdata,butthelengtheldmaysay1003.
Whentheserverconstructsitsresponsepacket,itcopiesfromthestartingofthedata(i.
e.
"ABC"),butitcopies1003bytes,insteadof3bytes.
Theseextra1000typesobviouslydonotcomefromtherequestpacket;theycomefromtheserver'sprivatememory,andtheymaycontainotheruser'sinformation,secretkeys,password,etc.
Inthistask,wewillplaywiththelengtheldoftherequest.
First,let'sunderstandhowtheHeartbeatresponsepacketisbuiltfromFigure2.
WhentheHeartbeatrequestpacketcomes,theserverwillparsethepackettogetthepayloadandthePayloadlengthvalue(whichishighlightedinFigure2).
Here,thepayloadisonlya3-bytestring"ABC"andthePayloadlengthvalueisexactly3.
Theserverprogramwillblindlytakethislengthvaluefromtherequestpacket.
ItthenbuildstheresponsepacketbypointingtoSEEDLabs–HeartbleedAttack4Figure2:TheBenignHeartbeatCommunicationFigure3:TheHeartbleedAttackCommunicationthememorystoring"ABC"andcopyPayloadlengthbytestotheresponsepayload.
Inthisway,theresponsepacketwouldcontaina3-bytestring"ABC".
WecanlaunchtheHeartBleedattacklikewhatisshowninFigure3.
Wekeepthesamepayload(3bytes),butsetthePayloadlengtheldto1003.
TheserverwillagainblindlytakethisPayloadlengthvaluewhenbuildingtheresponsepacket.
Thistime,theserverprogramwillpointtothestring"ABC"andcopy1003bytesfromthememorytotheresponsepacketasapayload.
Besidesthestring"ABC",theextra1000bytesarecopiedintotheresponsepacket,whichcouldbeanythingfromthememory,suchassecretactivity,logginginformation,passwordandsoon.
OurattackcodeallowsyoutoplaywithdifferentPayloadlengthvalues.
Bydefault,thevalueissettoaquitelargeone(0x4000),butyoucanreducethesizeusingthecommandoption"-l"(letterell)SEEDLabs–HeartbleedAttack5or"--length"asshowninthefollowingexamples:$.
/attack.
pywww.
heartbleedlabelgg.
com-l0x015B$.
/attack.
pywww.
heartbleedlabelgg.
com--length83Yourtaskistoplaywiththeattackprogramwithdifferentpayloadlengthvaluesandanswerthefollow-ingquestions:Question2.
1:Asthelengthvariabledecreases,whatkindofdifferencecanyouobserveQuestion2.
2:Asthelengthvariabledecreases,thereisaboundaryvaluefortheinputlengthvari-able.
Atorbelowthatboundary,theHeartbeatquerywillreceivearesponsepacketwithoutattachinganyextradata(whichmeanstherequestisbenign).
Pleasendthatboundarylength.
Youmayneedtotrymanydifferentlengthvaluesuntilthewebserversendsbackthereplywithoutextradata.
Tohelpyouwiththis,whenthenumberofreturnedbytesissmallerthantheexpectedlength,thepro-gramwillprint"ServerprocessedmalformedHeartbeat,butdidnotreturnanyextradata.
"3.
3Task3:CountermeasureandBugFixToxtheHeartbleedvulnerability,thebestwayistoupdatetheOpenSSLlibrarytothenewestversion.
Thiscanbeachievedusingthefollowingcommands.
Itshouldbenotedthatonceitisupdated,itishardtogobacktothevulnerableversion.
Therefore,makesureyouhavenishedtheprevioustasksbeforedoingtheupdate.
YoucanalsotakeasnapshotofyourVMbeforetheupdate.
#sudoapt-getupdate#sudoapt-getupgradeTask3.
1TryyourattackagainafteryouhaveupdatedtheOpenSSLlibrary.
Pleasedescribeyourobser-vations.
Task3.
2TheobjectiveofthistaskistogureouthowtoxtheHeartbleedbuginthesourcecode.
ThefollowingC-stylestructure(notexactlythesameasthesourcecode)istheformatoftheHeartbeatrequest/responsepacket.
struct{HeartbeatMessageTypetype;//1byte:requestortheresponseuint16payload_length;//2byte:thelengthofthepayloadopaquepayload[HeartbeatMessage.
payload_length];opaquepadding[padding_length];}HeartbeatMessage;Thersteld(1byte)ofthepacketisthetypeinformation,andthesecondeld(2bytes)isthepayloadlength,followedbytheactualpayloadandpaddings.
Thesizeofthepayloadshouldbethesameasthevalueinthepayloadlengtheld,butintheattackscenario,payloadlengthcanbesettoadifferentvalue.
Thefollowingcodesnippetshowshowtheservercopiesthedatafromtherequestpackettotheresponsepacket.
SEEDLabs–HeartbleedAttack6Listing1:ProcesstheHeartbeatrequestpacketandgeneratetheresponsepacket1/*Allocatememoryfortheresponse,sizeis1byte2*messagetype,plus2bytespayloadlength,plus3*payload,pluspadding4*/56unsignedintpayload;7unsignedintpadding=16;/*Useminimumpadding*/89//Readfromtypefieldfirst10hbtype=*p++;/*Afterthisinstruction,thepointer11*pwillpointtothepayload_lengthfield*.
1213//Readfromthepayload_lengthfield14//fromtherequestpacket15n2s(p,payload);/*Functionn2s(p,payload)reads16bits16*frompointerpandstorethevalue17*intheINTvariable"payload".
*/181920pl=p;//plpointstothebeginningofthepayloadcontent2122if(hbtype==TLS1_HB_REQUEST)23{24unsignedchar*buffer,*bp;25intr;2627/*Allocatememoryfortheresponse,sizeis1byte28*messagetype,plus2bytespayloadlength,plus29*payload,pluspadding30*/3132buffer=OPENSSL_malloc(1+2+payload+padding);33bp=buffer;3435//Enterresponsetype,lengthandcopypayload36*bp++=TLS1_HB_RESPONSE;37s2n(payload,bp);3839//copypayload40memcpy(bp,pl,payload);/*plisthepointerwhich41*pointstothebeginning42*ofthepayloadcontent*/4344bp+=payload;4546//Randompadding47RAND_pseudo_bytes(bp,padding);4849//thisfunctionwillcopythe3+payload+paddingbytes50//fromthebufferandputthemintotheheartbeatresponse51//packettosendbacktotherequestclientside.
52OPENSSL_free(buffer);SEEDLabs–HeartbleedAttack753r=ssl3_write_bytes(s,TLS1_RT_HEARTBEAT,buffer,543+payload+padding);55}PleasepointouttheproblemfromthecodeinListing1andprovideasolutiontoxthebug(i.
e.
,whatmodicationisneededtoxthebug).
Youdonotneedtorecompilethecode;justdescribehowyoucanxtheprobleminyourlabreport.
Moreover,pleasecommentonthefollowingdiscussionsbyAlice,Bob,andEvaregardingthefunda-mentalcauseoftheHeartbleedvulnerability:Alicethinksthefundamentalcauseismissingtheboundarycheckingduringthebuffercopy;Bobthinksthecauseismissingtheuserinputvalidation;Evathinksthatwecanjustdeletethelengthvaluefromthepackettosolveeverything.
4SubmissionStudentsneedtosubmitadetailedlabreporttodescribewhattheyhavedoneandwhattheyhaveobserved.
Reportshouldincludetheevidencestosupporttheobservations.
Evidencesincludepackettraces,screendumps,etc.
References[1]Heartbleedattack-Implementation:https://alexandreborgesbrazil.
les.
wordpress.
com/2014/04/hearbleedattackversiona1.
pdf[2]Heartbleedattack-Interestingexplanation:http://xkcd.
com/1354/

Hostinger 限时外贸美国主机活动 低至月12元且赠送1个COM域名

Hostinger 商家我们可能一些新用户不是太熟悉,因为我们很多新人用户都可能较多的直接从云服务器、独立服务器起步的。而Hostinger商家已经有将近十年的历史的商家,曾经主做低价虚拟主机,也是比较有知名度的,那时候也有接触过,不过一直没有过多的使用。这不这么多年过去,Hostinger商家一直比较稳妥的在运营,最近看到这个商家在改版UI后且产品上也在活动策划比较多。目前Hostinger在进...

DediPath($1.40),OpenVZ架构 1GB内存

DediPath 商家成立时间也不过三五年,商家提供的云服务器产品有包括KVM和OPENVZ架构的VPS主机。翻看前面的文章有几次提到这个商家其中机房还是比较多的。其实对于OPENVZ架构的VPS主机以前我们是遇到比较多,只不过这几年很多商家都陆续的全部用KVM和XEN架构替代。这次DediPath商家有基于OPENVZ架构提供低价的VPS主机。这次四折的促销活动不包括512MB内存方案。第一、D...

vpsdime:VPS内存/2核/VPS,4G内存/2核/50gSSD/2T流量/达拉斯机房达拉斯机房,新产品系列-Windows VPS

vpsdime上了新产品系列-Windows VPS,配置依旧很高但是价格依旧是走低端线路。或许vpsdime的母公司Nodisto IT想把核心产品集中到vpsdime上吧,当然这只是站长个人的猜测,毕竟winity.io也是专业卖Windows vps的,而且也是他们自己的品牌。vpsdime是一家新上来不久的奇葩VPS提供商,实际是和backupspy以及crowncloud等都是同一家公司...

ubuntu12.04为你推荐
sherylsandbergLean In是一个怎样的组织怎么查询商标怎样查询商标有没有被注册方法有哪些?怎么查询商标想要知道一个商标是否被注册,在哪里查到的比较权威?杨紫别祝我生日快乐关于“致自己生日”的唯美句子有哪些?李子柒年入1.6亿将55g铁片放入硫酸铜溶液中片刻,取出洗净,干燥后,称重为56.6g,问生成铜多少g??求解题步骤及答案原代码源代码是什么意思啊8090lu.com8090lu.com怎么样了?工程有进展吗?99nets.com99nets网游模拟娱乐社区怎么打不开了?????????谁能告诉我 ???、kb123.netwww.zhmmjyw.net百度收录慢?www.123qqxx.com我的首页http://www.hao123.com被改成了http://www.669dh.cn/?yhc
鲁诺vps 万网免费域名 怎样申请域名 smartvps kdata 监控宝 idc是什么 phpmyadmin配置 中国网通测速 卡巴斯基破解版 空间登入 备案空间 服务器维护 cxz lamp的音标 徐州电信 购买空间 北京主机托管 hdchina 美国代理服务器 更多