Heartbleed: exploit process explained against a test website

Question asked by Nicola Bressan on May 2, 2014

Here's how the Heartbleed exploit can be used against a website.


Testing target (kindly provided by Qualys):

After registering on this website, a user can freely download an encrypted file: supersecret.txt.enc (an example file, secret because it is encrypted with the private key of the webserver).

An attacker can use a simple tool like heartleech ( to attack the website.


So the first step is to download the tool (by git-cloning the project or simply compiling heartbleed.c, following the instructions on the website above).


After getting the tool, we see that there are different working modes:


./heartleech target_site --dump file


will continuously send malicious Heartbleed packets to the webserver, getting more and more memory dumps into a file that can be analyzed later...


./heartleech target_site --autopwn


will instead automatically fetch the certificate from the website and then keep downloading information until it finds a matching private key within the Heartbleed data.


We are more interested in this auto mode.


So running:


./heartleech --autopwn


in a terminal returns the private key. Great find!

Having the private key, we just need to save it in a file, called for example private.key (great fantasy), and extracting the data from the secret file we downloaded before is just a matter of one command:

So the secure content of the file is now decrypted; the secret phrase is:


Darth Vader is Luke's father.

and Leia is Luke's sister.


This is amazingly simple, go and try it yourself!


I would like to thank Qualys for providing the target for live testing and Wolfgang Kandek for providing the interesting webinar "A Post-Mortem on Heartbleed - What Worked and What Didn't" still available for playback at