Lets be clear, I’m all about the offensive side of information security. I’m a pentester and I enjoy popping, rooting, owning and pwning all the things. I am aware that what we do is there to assist and encourage better defensive countermeasures but I just leave that to the experts. My colleague sitting nearby has the more unfortunate “defensive” job consisting of writing detections for all the evil things I do.

After eavesdropping on one of his conversations about downloading Apache server and configuring it with vulnerable version on OpenSSL, and since as I was in a good mood, I saved him the hours of pain he was racing towards and helped him build a test environment for the Heartbleed vulnerability.

All he really needed for the IDS signature is the Heartbleed traffic. I figured others out there are having to write protections for this so here is how to build a Heartbleed test environment in 5 minutes or less.

First of all, boot up a couple of test VMs, or just one if you enjoy being aggravated. One we will use as the victim machine and the other one will be the attacker’s machine.

Victim Machine Configuration

1. Ensure Perl is installed.

2. Grab a copy of glitchwrks Heartbleed Honeypot from:

   a. Packet Storm: http://packetstormsecurity.com/files/126068/hb_honeypot.pl.txt (Official) b. Pastebin: http://pastebin.com/5zUbJXe7 (Mirror)

3. Modify the code if you want to change your port or protocol settings

   my $sock = new IO::Socket::INET (
     LocalPort => '443', # <== Set your port you want to listen on here (1 to 65535)
     Proto => 'tcp', # <== Set your protocol you want to use here (tcp/udp)
     Listen => 1, # <== Leave this alone
     Reuse => 1, # <== Leave this alone too
   );
   

4. Ensure that you have sufficient privileges (root / sudo / administrator required for low port numbers) to execute the file and run it with the following command:

   perl hb_honeypot.pl
   

Attacker Machine Configuration

1. Ensure Python is installed.

2. Grab a copy of Jared Staffords Heartbleed PoC from:

   a. S3: http://s3.jspenguin.org/ssltest.py (Official)

   b. Pastebin: http://pastebin.com/WmxzjkXJ (Mirror)

3. Run the PoC with the following command:

   python ssltest.py <victim_ip> -p
   

The honeypot script will just listen for a connection and reply with garbage until it sees the actual Heartbleed payload, at which point it will respond with a fake, although funny, memory content dump.

A successful connection should look like this.

This method also gives a clean .pcap file too that can be used for creating all sorts of IDS signatures.

I hope this post helps some researchers, developers or our defense brethren.

Keep on sploiting,

norsec0de