
SANS ISC: Testing your website for the heartbleed vulnerability with nmap - Internet Security | DShield SANS ISC InfoSec Forums

Testing your website for the heartbleed vulnerability with nmap

We have received reports from many readers about buggy tools for testing for the heartbleed vulnerability. Today I want to show you how easy it is to check for this vulnerability using a reliable tool such as nmap.

You just need to trigger a version scan (-sV) along with the script (ssl-heartbleed). The following example shows a command that will scan 192.168.0.107 for this bug:

nmap -sV 192.168.0.107 --script=ssl-heartbleed

This will be the output for a non-vulnerable website. As you can see, no warnings are shown:

[Screenshot: ssl-heartbleed output for a non-vulnerable host]

If you are vulnerable, you will get the following:

[Screenshot: "VULNERABLE" message for heartbleed]

For vulnerability testing, always use reliable tools which won't contain malicious code infecting your computer and won't give you false positive messages.
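As an added example (not part of this diary and not nmap project code), the following Python wrapper runs the same command as above against a list of hosts, asks nmap for XML output (-oX -) and summarizes the ssl-heartbleed result per open port. It optionally restricts the scan to chosen ports with -p, which is faster than letting -sV probe everything. By default the script only produces output when a host is vulnerable; the "NOT VULNERABLE" branch covers scans run with the vulns.showall script argument. The host list, ports and the embedded XML are constructed sample data, not real scan results.

```python
"""Added example: drive nmap's ssl-heartbleed check and parse the XML report.
All targets and the SAMPLE_XML below are constructed for illustration."""
import subprocess
import xml.etree.ElementTree as ET


def build_nmap_command(target, ports=None):
    """Build the diary's command (nmap -sV --script=ssl-heartbleed) with XML
    output on stdout. A ports list adds -p so only those ports are scanned."""
    cmd = ["nmap", "-sV", "--script=ssl-heartbleed", "-oX", "-"]
    if ports:
        cmd += ["-p", ",".join(str(p) for p in ports)]
    cmd.append(target)
    return cmd


def _classify(script_el):
    """Map an nmap <script id="ssl-heartbleed"> element to a status string.
    The vulns library records the state in <elem key="state">; fall back to
    the free-text output attribute, which starts with 'VULNERABLE:'."""
    state_el = script_el.find(".//elem[@key='state']")
    text = state_el.text if state_el is not None else script_el.get("output", "")
    text = (text or "").strip().upper()
    if text.startswith("NOT VULNERABLE"):
        return "NOT VULNERABLE"
    if "VULNERABLE" in text:
        return "VULNERABLE"
    return "NO FINDING"


def parse_heartbleed_results(xml_text):
    """Return [(address, port, status)] for every open TCP/UDP port in the
    nmap XML. Ports without an ssl-heartbleed script result (no TLS, or the
    host is not vulnerable and showall is off) are reported as NO FINDING."""
    results = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no script output
            portid = int(port.get("portid"))
            scripts = [s for s in port.findall("script") if s.get("id") == "ssl-heartbleed"]
            status = _classify(scripts[0]) if scripts else "NO FINDING"
            results.append((addr, portid, status))
    return results


def scan_hosts(targets, ports=None, runner=subprocess.run):
    """Run nmap per target and merge the parsed findings. `runner` is
    injectable so the parser can be exercised without a live nmap."""
    findings = []
    for target in targets:
        proc = runner(build_nmap_command(target, ports),
                      capture_output=True, text=True, check=True)
        findings.extend(parse_heartbleed_results(proc.stdout))
    return findings


# Constructed sample of nmap's XML: one vulnerable host, one host scanned
# with vulns.showall (explicit NOT VULNERABLE), a non-TLS port, a closed port.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="6.46">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
<script id="ssl-heartbleed" output="&#10;  VULNERABLE:&#10;  The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.">
<table key="CVE-2014-0160">
<elem key="title">The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.</elem>
<elem key="state">VULNERABLE</elem>
</table></script></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="22"><state state="closed"/></port>
</ports></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
<script id="ssl-heartbleed" output="&#10;  NOT VULNERABLE:&#10;  The Heartbleed Bug">
<table key="CVE-2014-0160"><elem key="state">NOT VULNERABLE</elem></table>
</script></port>
</ports></host>
</nmaprun>"""


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in scan_hosts(...)
    # with real targets to run nmap.
    for addr, port, status in parse_heartbleed_results(SAMPLE_XML):
        print(f"{addr}:{port} {status}")
```

The parser keys on the structured `state` element rather than on text matching of the screenshot output, so it still works if the free-text wording of the script changes between nmap releases.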

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

Manuel Humberto Santander Peláez

185 Posts
ISC Handler
My understanding is that you have to use the latest version of Nmap, AND you have to download the nmap script (http://nmap.org/nsedoc/scripts/ssl-heartbleed.html) as well as the tls.lua file (https://svn.nmap.org/nmap/nselib/tls.lua).

I had to. :)
Tri0x

17 Posts
For just "ssl-heartbleed" on non std port (-sV is slow):

edit ssl-heartbleed.nse portrule function to always return true

portrule = function(host, port)
-- return shortport.ssl(host, port) or sslcert.isPortSupported(port)
return true
end

[cgm@silver ~]$ nmap -p1133 --script=ssl-heartbleed 127.0.0.1

Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-18 21:29 EEST
Nmap scan report for 127.0.0.1
Host is up (0.13s latency).
PORT STATE SERVICE
1133/tcp open unknown
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
cgm00ff.net

2 Posts
The too-common practice of backporting makes anything based upon a version check unreliable and prone to false positives.
Ken

40 Posts
Do you suppose they could further revise the OpenSSL patch to not merely FIX the vulnerability, but also log the fact that an exploit attempt occurred, so this information can be used to gather intelligence on potential attackers at the syslog collection point? :)
Mysid

146 Posts
This information would be much more useful if you mentioned that you need the script and where to find it and any other libraries etc. As it is it is useless.
Barton

3 Posts
thanks

http://www.tlca.net/forums
Barton
1 Posts
The script (ssl-heartbleed.nse) is in the latest version of nmap, as of today, anyways. I didn't need to download any additional files.
JeffSoh

31 Posts
The ssl-heartbleed.nse in nmap 6.46 will scan for the issue on ports other than 443. The original version did not, and had a few other issues.
Rob VandenBrink

497 Posts
ISC Handler
Thank you for sharing.
Matthew

1 Posts
