thehat Posted June 5, 2014 Report Share Posted June 5, 2014 ## Cupid 0.1## Author: Luis Grangeia ## lgrangeia@sysvalue.com## twitter.com/lgrangeia# INTRODUCTIONCupid is a pair of patches for hostapd-2.1 and wpa_supplicant-2.1 to exploit heartbleed on Wireless networks that use EAP Authentication methods based on TLS (specifically OpenSSL)Please see presentation slides for a simple introduction to cupid:Luis Grangeia, Partner and security services manager at Sysvalue s.a.# COMPILATIONGet wpa_supplicant-2.1 and/or hostapd-2.1, apply the respective patch and compile. I don't recommend doing a "make install" as you'll be replacingyour systems binaries with non-functional copies (functional only for exploitingheartbleed).# USAGEBoth patches come with a "heartbleed.conf" file that can be used to tweak behaviour. It must be present and placed on the same directory you're running the binary. Refer to the file for details.--> wpa_supplicant:Use the included test_wpasupplicant.conf and change the ssid to the network you're wanting to test heartbleed for.Fire up wireshark or tcpdump on the interface to check for TLS heartbeat requests/responses. I usually do:# airmon-ng start wlan0and then monitor the whole thing on the mon0 interface (use filter 'EAP || SSL'for a better picture).fire up wpa_supplicant:./wpa_supplicant -i wlan0 -dd -c ~/testconfs/test_wpasupplicant.confLook at the output of wireshark to see if the network you're attacking is vulnerable.--> hostapdUse the included test_hostapd.conf. You may have to set up certificates and an empty eap_user file. I've included these for reference as well.Fire up wireshark as described above.Note that you need a wireless adapter supporting host AP mode.fire up hostapd:./hostapd -d test_hostapd.confThen try to connect to the "bleedingheart" network with your mobile device orlaptop, and it will try to heartbleed it. You can put any login/password combination.To see if the patch works just install a vulnerable OpenSSL version and try toexploit your local copy of wpa_supplicant or a fresh install of hostapd.### FUTURE WORKPlease let me know if you find vulnerable devices and give me their version andif possible a packet dump of the actual attack.TODO: - Code is still very incomplete, just a PoC - Does not decrypt the heartbeat response if encrypted (not the case if pre-handshake) - Should output the heartbeat responses to a file - Test more devices/networks!Sursa: https://github.com/lgrangeia/cupid Quote Link to comment Share on other sites More sharing options...
mrtornado Posted June 5, 2014 Report Share Posted June 5, 2014 daca cineva se apuca sa-l testeze sa zica si aici daca merge sau nu pls Quote Link to comment Share on other sites More sharing options...
