Skip to main content

Posts

Showing posts from May, 2014

Testing the CVE2014-0160 HeartBleed Attack - Part I

This is part one of a multi-part series associated with the HeartBleed vulnerability.  This part deals with getting your environment setup with a vulnerable SSL webserver (using Kali Linux), and the client software used to test for and exploit it.

Setup the vulnerable web server.

Kali Linux already has apache installed, so simply enable the SSL mod, create a directory to hold the key material, generate the private key and ssl cert, and restart the server to

sudo a2enmod ssl
sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
sudo openssl req -x509 -nodes - days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/webserver.key -out /etc/apache2/ssl/webserver.crt
Then you'll need to edit the ssl site configuration to enable it for your ip address (not the one below).

vi /etc/apache2/sites-available/default-ssl Add the information for your server.

ServerName 192.168.4.134:443
and change the following lines to use the newly generated key material:

SSLCertificateFile /etc/apache2/ssl/webserver.cr…