Scan your network for Heartbleed vulnerabilities with Nmap


Mattias Geniar, April 10, 2014


Nmap now has an NSE script (Nmap Scripting Engine) to detect SSL Heartbleed vulnerabilities. You can find how to patch yourself in my previous blogpost: Patch against the heartbleed OpenSSL bug (CVE-2014-0160).

First, install nmap. If you're on a Mac, “brew install nmap” should do the trick. On Linux, your package manager should have nmap readily available.

Get the latest version of Nmap

This NSE script requires Nmap version 6.25 or later. Make sure you’re on the latest version before trying this.

To check your nmap version, add “--version”:

$  nmap --version

Nmap version 6.40 ( http://nmap.org )
Platform: x86_64-apple-darwin13.0.0
Compiled with: liblua-5.2.2 openssl-1.0.1f nmap-libpcre-7.6 libpcap-1.3.0 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: kqueue poll select

Download the extra TLS LUA

Since the heartbleed bug is an SSL vulnerability, you’ll need some extra TLS libraries. Download the tls.lua file to the Nmap share directory (most likely /usr/local/share/nmap/nselib/) and store it as tls.lua.

Download the SSL-Heartbleed NSE script

Then, run nmap with the NSE script on port 443. You can download the ssl-heartbleed.nse script via the NSE website. Save it on your local drive and refer to it via the --script $FILENAME parameter to nmap.

$ nmap -T4 -p 443 -n -Pn --open 192.168.0.0/24 --script nse/ssl-heartbleed.nse

The above should list all your IPs that have an open 443 port together with a remark if they’re vulnerable or not.

The parameters explained:

  1. -T4: the aggressive timing template; noisy and likely to be flagged by IDS/IPS, but the fastest
  2. -p 443: only scan port 443 (you may want to extend your reach if you have alternative SSL-enabled ports)
  3. -n: no name resolution, faster scans
  4. -Pn: no Ping Scan first, assume all hosts are up, don’t waste time with ICMP
  5. --open: only list the hosts with open ports
  6. 192.168.0.0/24: the IP range to scan
  7. --script nse/ssl-heartbleed.nse: the file location of the NSE script to scan for Heartbleed vulnerabilities

The result, if a vulnerable host has been found, looks like this.

Nmap scan report for 192.168.0.5
Host is up (0.017s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic
|        software library. It allows for stealing information intended to be protected
|        by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1)
|       of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory
|       of systems protected by the vulnerable OpenSSL versions and could allow for
|       disclosure of otherwise encrypted confidential information as well as the
|       encryption keys themselves.
|
|     References:
|       http://cvedetails.com/cve/2014-0160/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_      http://www.openssl.org/news/secadv_20140407.txt
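When you sweep a whole /24 you will want the version check and the result parsing automated rather than eyeballed. The script below is an added example, not part of the original post: it parses the two pieces of nmap output shown above (the --version banner and the ssl-heartbleed report) with POSIX sh and awk, and assumes only that those two tools are present.

```shell
#!/bin/sh
# Added example, not code from the original post: parse the two pieces of
# nmap output the post shows (the --version banner and the ssl-heartbleed
# report) with POSIX sh + awk, so a sweep can be checked and inventoried.

# Succeeds (exit 0) only if the "Nmap version X.Y" line reports 6.25 or later.
nmap_version_ok() {
    printf '%s\n' "$1" | awk '
        /^Nmap version/ {
            split($3, v, ".")            # "6.40" -> v[1]=6, v[2]=40
            found = 1
            ok = (v[1] + 0 > 6) || (v[1] + 0 == 6 && v[2] + 0 >= 25)
        }
        END { exit !(found && ok) }      # missing banner counts as failure
    '
}

# Prints "host port" for every port whose ssl-heartbleed block says
# "State: VULNERABLE". Hosts the script is silent on were not flagged
# (the NSE vulns library only prints VULNERABLE findings by default).
vulnerable_hosts() {
    printf '%s\n' "$1" | awk '
        /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host) }
        /^[0-9]+\/(tcp|udp) /  { port = $1 }
        /^\|.*State: VULNERABLE/ { print host, port }
    '
}

# Constructed sample output, modelled on the post's scan report: one host is
# flagged, the second has an open 443 but the script reports nothing.
SAMPLE_VERSION='Nmap version 6.40 ( http://nmap.org )'
SAMPLE_SCAN='Nmap scan report for 192.168.0.5
Host is up (0.017s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   VULNERABLE:
|     State: VULNERABLE
|     Risk factor: High
|_    References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Nmap scan report for 192.168.0.9
Host is up (0.020s latency).
PORT    STATE SERVICE
443/tcp open  https'

if nmap_version_ok "$SAMPLE_VERSION"; then
    vulnerable_hosts "$SAMPLE_SCAN"      # prints: 192.168.0.5 443/tcp
fi
```

In practice you would replace the constructed samples with `nmap --version` and the saved output of the scan command above (nmap -oN keeps the same normal format).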

Good luck patching!
