forked from robertdavidgraham/heartleech
-
Notifications
You must be signed in to change notification settings - Fork 0
/
heartleech.8.html
217 lines (185 loc) · 9.92 KB
/
heartleech.8.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
<!DOCTYPE html>
<html>
<head>
<meta http-equiv='content-type' value='text/html;charset=utf8'>
<meta name='generator' value='Ronn/v0.7.3 (http://github.com/rtomayko/ronn/tree/0.7.3)'>
<title>heartleech(8) - Exploits OpenSSL heartbleed vulnerability</title>
<style type='text/css' media='all'>
/* style: man */
body#manpage {margin:0}
.mp {max-width:100ex;padding:0 9ex 1ex 4ex}
.mp p,.mp pre,.mp ul,.mp ol,.mp dl {margin:0 0 20px 0}
.mp h2 {margin:10px 0 0 0}
.mp > p,.mp > pre,.mp > ul,.mp > ol,.mp > dl {margin-left:8ex}
.mp h3 {margin:0 0 0 4ex}
.mp dt {margin:0;clear:left}
.mp dt.flush {float:left;width:8ex}
.mp dd {margin:0 0 0 9ex}
.mp h1,.mp h2,.mp h3,.mp h4 {clear:left}
.mp pre {margin-bottom:20px}
.mp pre+h2,.mp pre+h3 {margin-top:22px}
.mp h2+pre,.mp h3+pre {margin-top:5px}
.mp img {display:block;margin:auto}
.mp h1.man-title {display:none}
.mp,.mp code,.mp pre,.mp tt,.mp kbd,.mp samp,.mp h3,.mp h4 {font-family:monospace;font-size:14px;line-height:1.42857142857143}
.mp h2 {font-size:16px;line-height:1.25}
.mp h1 {font-size:20px;line-height:2}
.mp {text-align:justify;background:#fff}
.mp,.mp code,.mp pre,.mp pre code,.mp tt,.mp kbd,.mp samp {color:#131211}
.mp h1,.mp h2,.mp h3,.mp h4 {color:#030201}
.mp u {text-decoration:underline}
.mp code,.mp strong,.mp b {font-weight:bold;color:#131211}
.mp em,.mp var {font-style:italic;color:#232221;text-decoration:none}
.mp a,.mp a:link,.mp a:hover,.mp a code,.mp a pre,.mp a tt,.mp a kbd,.mp a samp {color:#0000ff}
.mp b.man-ref {font-weight:normal;color:#434241}
.mp pre {padding:0 4ex}
.mp pre code {font-weight:normal;color:#434241}
.mp h2+pre,h3+pre {padding-left:0}
ol.man-decor,ol.man-decor li {margin:3px 0 10px 0;padding:0;float:left;width:33%;list-style-type:none;text-transform:uppercase;color:#999;letter-spacing:1px}
ol.man-decor {width:100%}
ol.man-decor li.tl {text-align:left}
ol.man-decor li.tc {text-align:center;letter-spacing:4px}
ol.man-decor li.tr {text-align:right;float:right}
</style>
</head>
<!--
The following styles are deprecated and will be removed at some point:
div#man, div#man ol.man, div#man ol.head, div#man ol.man.
The .man-page, .man-decor, .man-head, .man-foot, .man-title, and
.man-navigation should be used instead.
-->
<body id='manpage'>
<div class='mp' id='man'>
<div class='man-navigation' style='display:none'>
<a href="#NAME">NAME</a>
<a href="#SYNOPSIS">SYNOPSIS</a>
<a href="#DESCRIPTION">DESCRIPTION</a>
<a href="#OPTIONS">OPTIONS</a>
<a href="#SIMPLE-EXAMPLES">SIMPLE EXAMPLES</a>
<a href="#SEE-ALSO">SEE ALSO</a>
<a href="#AUTHORS">AUTHORS</a>
</div>
<ol class='man-decor man-head man head'>
<li class='tl'>heartleech(8)</li>
<li class='tc'></li>
<li class='tr'>heartleech(8)</li>
</ol>
<h2 id="NAME">NAME</h2>
<p class="man-name">
<code>heartleech</code> - <span class="man-whatis">Exploits OpenSSL heartbleed vulnerability</span>
</p>
<h2 id="SYNOPSIS">SYNOPSIS</h2>
<p>heartleech <var>host</var> [--p <var>port</var>] [--dump <var>filename</var>] [--autopwn] [--threads <var>n</var>]</p>
<p>heartleech --read <var>filename</var> --cert <var>certficate</var></p>
<p>heartleech --scanlist <var>file</var></p>
<h2 id="DESCRIPTION">DESCRIPTION</h2>
<p><strong>heartleech</strong> exploits the well-known "heartbleed" bug in <= OpenSSL-1.0.1f.
It has a number of features that improve over other heartbleed exploits,
such as automatically extracting the SSL private-key (autopwn).</p>
<h2 id="OPTIONS">OPTIONS</h2>
<ul>
<li><p><code><host></code>: the target's name, IPv4 address, or IPv6 address. IPv4 ranges
separated by a dash work. This can
optionally have a port as part of the name using a colon
(e.g. <code>www.google.com:25</code>). Will try to use STARTTLS on appropriate ports
instead of raw SSL.</p></li>
<li><p><code>--autopwn</code>: sets "auto-pwn" mode, which automatically searches the bleeding
buffers for the private-key. If the private-key is found, it will be
printed to <var>stdout</var>, and the program will exit.</p></li>
<li><p><code>--cert</code>: in offline mode, this option tells the program the certificate to
load. A certificate, containing the public-key, is needed in order to
search data for the matching components of a private key. In online
mode, this option isn't necessary, because the certificate is fetched
from the server duing the SSL handshake.</p></li>
<li><p><code>-d</code>: sets the 'debug' flag, which causes a lot of debug information to
be printed to <var>stderr</var>. Using this will help diagnose connection problems.
You should use this the first time you connect to a new host, just to make
sure things are working well.</p></li>
<li><p><code>--dump <filename></code>: the file where bleeding information is stored. Typically,
the user will use this program to grab data from a server, then use
other tools to search those files for things, such as cookies, passwords,
and private strings.</p></li>
<li><p><code>--ipver <ver></code>: sets the version of IP to use, either 4 for IPv4 or 6 for
IPv6. Otherwise, the program tries to guess from the address given,
or chooses whichever is first when doing a DNS lookup. Shorter options
of <code>--ipv6</code> and <code>--ipv4</code> also work.</p></li>
<li><p><code>--loop <count></code>: the number of times to loop and try a heartbeat again. The
default count is 1000000 (one-million). A count of 1 grabs just a single
heartbeat.</p></li>
<li><p><code>--port <port></code>: the port number to connect to on the target machine. If not
specified, the port number 443 will be used.</p></li>
<li><p><code>--proxy <host:port></code>: use the Socks5n proxy. If the port is not specified,
it defaults to 9150. This is intended for use with the Tor network, but
should work with any Socks5 proxy. These uses the 'name' feature, so to
that it'll be the Tor exit node resolving the DNS name, not the local
host.</p></li>
<li><p><code>--rand</code>: randomizes the size of heartbleed requests. Normally, the program
requests for the max 64k size, but with this setting, each request
will have a random size between 200 and 64k. Some believe that heartbeats
of different size will produce different results.</p></li>
<li><p><code>--read</code>: instead of running live against a server, this option causes
the program to run forensics on existing files, looking for private
keys. The option <code>--cert</code> must also be used.</p></li>
<li><p><code>--raw</code>: send the hearbeat requests before SSL negotiation is complete. Use
this option on targets where the post-handshake heartbeats don't work.</p></li>
<li><p><code>--scan</code>: scans target to test if vulnerable, instead of dumping. This
ends the connection immediately. A verdict will be printed to <var>stdout</var>,
either VULNERABLE, SAFE, or INCONCLUSIVE. Most systems marked INCONCLUSIVE
are in fact safe.</p></li>
<li><p><code>--scanlist <filename></code>: reads a list of targets from a file instead of
reading them from a command-line, and also sets the <code>--scan</code> flag. Use
this when you have thousands of targets to scan. Note that if you have
a lot of targets, you should also set the <code>--threads</code> to a high number.</p></li>
<li><p><code>--threads <count></code>: uses more than one thread, scanning/dumping a lot
faster. Setting 1000 threads would not be unreasonable, especially when
scanning a lot of targets.</p></li>
<li><p><code>--timeout <n></code>: sets the timeout for read operations on a socket, which
defaults to 6 seconds. Note that connection timeouts are much longer, set
by the operating system, and not currently configurable.</p></li>
</ul>
<h2 id="SIMPLE-EXAMPLES">SIMPLE EXAMPLES</h2>
<p>The following is the easiest way to use the program, to grab the private-key
form the server in 'auto-pwn' mode:</p>
<pre><code>$ heartleech www.example.com --autopwn --threads 5
</code></pre>
<p>This auto-pwn mode will search for the heartbeat payloads looking for the
components of the private-key that matches the server's certificate (which
it automatically retrieves). When a certificate is found, it's printed to
<var>stdout</var>. The user can then copy it to a file and use it for anythign that
private-keys can be used for. Using multiple threads downloads faster.</p>
<p>Heartbleed information contains more than just private keys. On a typical
web-server, it'll contain session cookies (useful for sidejacking) and
passwords. In that case, the way to use this program is to save all the
heartbleed information into a file. Note that these files quickly grow
to gigabytes in size:</p>
<pre><code>$ heartleech www.example.com --dump bleed.bin --threads 6
<ctrl-c>
$ grep -iobUaP "Cookie:.*\n" bleed.bin
</code></pre>
<p>You can scan for vulnerable targets instead of dumping information:</p>
<pre><code>$ heartleech --scanlist hostlist.txt --scan 10.0.0.0-10.0.0.255:992 --threads 1000
</code></pre>
<p>Hosts in the this file use the same format as other hostnames, meaning they
can be ranges, and also have ports specified. Scan speed is likely dictated by
the number of threads you have. You can have a lot of threads, but scanning
will still be slower than <code>masscan</code>. The "verdict" from scanning is</p>
<pre><code>* `SAFE` if we know for certain the target is safe, because it either
doesn't support heartbeats at all, or is patched against the bug
* `VULNERABLE` if we know for certain that the target is vulnerable,
because we got back a bleed
* `INCONCLUSIVE` if we don't get a response -- which usually means that the
target is safe, but we can't tell for sure
</code></pre>
<h2 id="SEE-ALSO">SEE ALSO</h2>
<p><span class="man-ref">masscan<span class="s">(8)</span></span></p>
<h2 id="AUTHORS">AUTHORS</h2>
<p>This tool was written by Robert Graham. The source code is available at
https://github.com/robertdavidgraham/heartbleed</p>
<ol class='man-decor man-foot man foot'>
<li class='tl'></li>
<li class='tc'>May 2014</li>
<li class='tr'>heartleech(8)</li>
</ol>
</div>
</body>
</html>