Search This Blog


Sunday, April 13, 2014

Description and demonstration of the Heartbleed bug in OpenSSL

There is a ton of posts on the Internet about the new bug in OpenSSL. I'm not going to repeat what others wrote  but rather give us a small demonstration.

Heartbeat packet description in SSL protocol suite

This is excellent blog posts we can take a look at the openssl code analysis and see where exactly the bug was hidden: Diagnosis of the OpenSSL Heartbleed Bug.

If you want to learn more how to build an potential exploid you can read and watch this:

A working code for a prof of concept can be found here:


How do I know if my site is vulnerable?

There are potentially many different ways how you can test if a site is vulnerable. As two extreme examples (a) we could write a simple SSL client and try to sent an hearbeat packet (not so trivial and requires some knowledge about the ssl protocol itself) or (b) search for a site on Internet that do the testing for us. I would definitively avoid (b). These sites can store the URL you provided and try to exploit you later.

A more simple and elegant solution can be built using openssl cli client tool instead. By running as single line script you can test if a server supports heartbeat or not. Next you have to find if the version of the OpenSSL you use is vulnerable.
$ openssl s_client -connect -tlsextdebug
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .
depth=4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Free SSL/
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU= - DATACorp SGC
 3 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU= - DATACorp SGC
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 4 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
Server certificate
subject=/OU=Domain Control Validated/OU=Free SSL/
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
No client certificate CA names sent
SSL handshake has read 6784 bytes and written 376 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: EF16DB45C3D67F69A480645C5267C4FDC44F41FD4CF4911194E986FC21E72F62
    Master-Key: 9DF3223AAF1520D6437E643E83E4AD5B1A590776F375B7ED082E024F3EC9EB43617A0D1F7715DF299EA483F905095465
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - c5 00 41 79 f6 38 12 30-bf 5f 85 54 f7 93 09 1c   ..Ay.8.0._.T....
    0010 - c1 60 e2 23 ca 90 8f 17-0c 4a 9f db cc 40 0e ea   .`.#.....J...@..
    0020 - 55 b0 f8 49 f1 7e b0 4e-78 0f 36 4a 58 3a 60 e2   U..I.~.Nx.6JX:`.
    0030 - b4 2b 22 a2 49 e8 c5 42-d0 00 ad a6 ec 49 b3 4d   .+".I..B.....I.M
    0040 - 28 b1 c3 ad 03 c6 53 de-a3 e7 ec c8 aa ed 5e 97   (.....S.......^.
    0050 - 75 12 5e 9f 5f eb cf a9-4a ab b7 85 bf cd e0 12   u.^._...J.......
    0060 - 2c ec 0b 05 4f cf ac 16-e9 65 40 1b a8 60 dc 3a   ,...O....e@..`.:
    0070 - 99 a0 cf 7a 65 0b 4c 74-a5 fc a5 16 11 48 e2 94   ...ze.Lt.....H..
    0080 - 19 0e 17 a8 03 d0 d0 4b-a4 14 7e 49 05 75 36 65   .......K..~I.u6e
    0090 - d4 70 63 fa a7 92 5a 14-63 97 00 cf 6b 5b 45 36   .pc...Z.c...k[E6

    Start Time: 1397426832
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
GET /heartbleed HTTP/1.1

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Apr 2014 22:02:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Strict-Transport-Security: max-age=86400

<!doctype html>
  <title>Heartbleed Challenge</title>

From the output we can see that:
  • We connect to the server
  • There are many packages exchange between the client (our openssl cli tool) and the web server; the packets types and formats are defined in the relevant RFC documents for SSL/TLS
  • Option tlsextdebug instructs openssl to print out TLS extensions the server supports
  • We can immediately see if the option is supported by our www server; what we have o do next is to check if the version of OpenSSL that we run is vulnerable or not 
  • It is important to note that regardless if the www server supports the heartbeat extension or not you as a client can sent any legitimate HTTP requests; the whole problem is that if your client sent an heartbeat packet that was on purpose malicious the server in its response can reveal a lot more data that it should.

Tuesday, April 8, 2014

Can I use Shortest Path Bridging hardware to build my SDN network

Recently I've come across a document that compares a number of existing network overlays in SDN architecture: The 2013 Guide to Network Visualization and SDN.

What is new and interesting is the solution from Avaya. Instead of using VXLAN, STT and GRE like all other vendors they use SPB (we wrote about this here How does switch fabric network work) to build the SDN solution.

How does switch fabric network work

A network engineer can list a number of issues you can potentially run when using STP protocol  in your switch network. Over the years the network industry has created successor protocols like RSTP or MSTP. Both are improvements and offer much better convergence time and respond much quicker to switch topology changes. One of the major disadvantages for networks that relay on STP is the fact that they don't support multipathing. It means once network topology converges there will be blocked path between switches that are elected and managed by STP. This often redundant links can't be used because of a loop risk.

But there are better solutions today on the market to design better layer 2 Ethernet networks (more scalable, with higher throughput and with active link redundancy as an example). The 2 most popular are based on SPB and TRILL protocols. Both of them are used as a foundation in switch fabrics products. To better understand both of them the pictures below provide a side by side comparison. This was taken from Avaya document: Compare and Contrast SPB and TRILL.

Avaya is a SPB promoted so the comparison is a bit waited towards SPB but nevertheless it gives some inside view into both protocols.


Monday, March 31, 2014

How to list numbers next to ACL rules on Cisco

How to list numbers next to the ACL rules on Cisco

sh  access-list outside-acl | e \ \
access-list 101; 86 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit ip object-group WHITELIST-IPS any 0xc4d2a54e
access-list 101 line 2 extended permit icmp any any object-group ICMP-ALLOWED (hitcnt=576916) 0x994c9516
access-list 101 line 3 extended deny ip any host (hitcnt=31708) 0x8e8cc2a6
access-list 101 line 5 remark !*!*!*!*!*!*!*!*!*!
access-list 101 line 6 remark RULES CONTROLLED BY AUTOMATION
access-list 101 line 7 remark !*!*!*!*!*!*!*!*!*!
access-list 101 line 8 extended permit ip host host (hitcnt=0) 0xa9809ff7
access-list 101 line 9 extended permit ip any host (hitcnt=0) 0xa9809ff7

Sunday, March 30, 2014

How to automatically prefill command on the Linux bash

Linux Bash is one of the most famous Linux shells. It offers a great number of features like for example spawning and controlling process, redirecting streams, supporting scripts and a flexible way to control you editing line.


How to automatically pre-populate a command on the shell after prompt.

Solution description

The shell has tree default streams: stdout, stdin and stderr. By manipulating the stdin of the process we can simulate typing a command.

Reference implementation

The original script can be found here:

  • Compile first the program
gcc -o type-command type-command.c
  • Run for the firs time
# ./type-command
type-command: the variable TYPE_CMD_ENABLED is not set, set it to 'no' to surpress this message; set the TYPE_CMD_TYPE for the command to type

Example: export TYPE_CMD_ENABLED=yes; export TYPE_CMD_TYPE=date
  • Export the variable to controls if the program should try to type a command or not
# export TYPE_CMD_ENABLED=yes
# ./type-command
  • Specify the command that you wish to be typed
# export TYPE_CMD_ENABLED=yes; export TYPE_CMD_TYPE=date
# ./type-command
# date
Sun Mar 30 19:27:55 UTC 2014>


Saturday, March 29, 2014

How to create a sequence of replace commands to change your file

Use existing plugin: RegReplace

We could write a custom plugin using the Sublime API or try to use a plugin that promises to offer this functionality already:


We have a following structured but not consistently formatted data that we would like to adjust so it is easier toread and work with.

To reformat the text we can use the above plugin and define a series of regex that match and modify text.
  • Installed RegReplace plugin.
  • Create a reg_replace.sublime-settings in your Sublime2\Data\Packages\User\ directory and define the regex commands we want to use.
    "replacements": {
        // add teh .<digit> when is missing
        "ig_order_add_dot_digit": {
            "find": "([0-9][0-9]) at",
            "replace": "\\1.0 at"
//            "greedy": true,
//            "case": false
        "ig_order_add_dot_digit2": {
            "find": "([0-9][0-9]) *- ",
            "replace": "\\1.0 - ",
            "greedy": true
        "ig_order_fix_spaces": {
            "find": "/(201[0-9]) *",
            "replace": "/\\1 "
        "ig_order_fix_spaces2": {
            "find": "-   -    -  ",
            "replace": "-    -    -     "
        "ig_order_change_android_str": {
            "find": "AndroidApp",
            "replace": "AndrAp"
        "ig_order_remove_str": {
            "find": "/s ",
            "replace": " ",
            "greedy": true
        "ig_order_fix_header": {
            "find": "(Date) *(Time) *(Activity) *(Market) *(Period) *(Channel) *(Currency) *(Size) *(Level) *(Stop) *(Type) *(Limit) *(Result)",
            "replace": "Date        Time    Activity Market                                               Period              Channel Cur Size Level  Stop Type Limit Result",
            "greedy": true

        "ig_transactions_fix_header": {
            "find": "(Type) *(Date) *(Ref) *(Market) *(Period) *(Opening) *(Ccy) *(Size) *(Closing) *(P/L)",
            "replace": "Type    Date        Ref         Market                                                  Period            Opening Ccy Size    Closing P/L",
            "greedy": true
       "ig_transactions_add_dot_digit": {
            "find": "([0-9][0-9]) +£",
            "replace": "\\1.0 £"
        "ig_transactions_add_dot_digit2": {
            "find": "(£ +.*\\..* +)([0-9]+) +",
            "replace": "\\1\\2.0 "
        "ig_transactions_fix_plus_minus_sign": {
            "find": "([0-9]+\\.[0-9]+ +[0-9]+\\.[0-9]+ +)([0-9]+\\.[0-9]+)",
            "replace": "\\1 \\2"

  • Define the final  regex command to run and associate a a keyboard short in Default (Windows).sublime-keymap file
        "keys": ["alt+ctrl+t"],
        "command": "reg_replace",
        "args": {"replacements": [
                                    // orders

                                    // transactions

                                ],  "find_only": true}
  • When you activate the regex chain command it will first show what part of the file are going to be changed
  • Accept the "yes" option at the bottom and reformat the file

How to write a plugin for Sublime editor

Below is a list of links for Sublime API and Sublime commands if you want to write a custom plugins.

Sublime API


Debug best practices

Once you follow the steps below everything you do in the editor will be logged on the console.
  • Open Sublime console: Ctrl+~
  • Enable verbose and debug within the editor
  • Example commands to try on the console 
view.run_command("goto_line", {"line": 7})
view.window().run_command("show_minimap", {"key": True})