Nmap now has an NSE script (Nmap Scripting Engine) to detect the SSL Heartbleed vulnerability. You can find how to patch yourself in my previous blogpost: Patch against the heartbleed OpenSSL bug (CVE-2014-0160).
First, download nmap. If you're on a Mac, "brew install nmap" should do the trick. On Linux, your package manager should have nmap readily available.
Get the latest version of Nmap
This NSE script requires Nmap version 6.25 or later. Make sure you're on the latest version before trying this.
To check your nmap version, add "--version":
$ nmap --version
Nmap version 6.40 ( http://nmap.org )
Platform: x86_64-apple-darwin13.0.0
Compiled with: liblua-5.2.2 openssl-1.0.1f nmap-libpcre-7.6 libpcap-1.3.0 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: kqueue poll select
Download the extra TLS LUA
Since the heartbleed bug is an SSL vulnerability, you’ll need some extra TLS libraries. Download the tls.lua file to the Nmap share directory (most likely /usr/local/share/nmap/nselib/) and store it as tls.lua.
Download the SSL-Heartbleed NSE script
Then, run nmap with the NSE script on port 443. You can download the ssl-heartbleed.nse script via the NSE website. Save it on your local drive and refer to it via the --script $FILENAME parameter to nmap.
$ nmap -T4 -p 443 -n -Pn --open 192.168.0.0/24 --script nse/ssl-heartbleed.nse
The above should list all your IPs that have an open 443 port together with a remark if they’re vulnerable or not.
The parameters explained:
- -T4: an aggressive scan, will be detected by IDS/IPS, but it's the fastest
- -p 443: only scan port 443 (you may want to extend your reach if you have alternative SSL-enabled ports)
- -n: no name resolution, faster scans
- -Pn: no Ping Scan first, assume all hosts are up, don't waste time with ICMP
- --open: only list the hosts with open ports
- 192.168.0.0/24: the IP range to scan
- --script nse/ssl-heartbleed.nse: the file location of the NSE script to scan for Heartbleed vulnerabilities
The result, if a vulnerable host has been found, looks like this.
Nmap scan report for 192.168.0.5
Host is up (0.017s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic
|   software library. It allows for stealing information intended to be protected
|   by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1)
|       of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory
|       of systems protected by the vulnerable OpenSSL versions and could allow for
|       disclosure of otherwise encrypted confidential information as well as the
|       encryption keys themselves.
|
|     References:
|       http://cvedetails.com/cve/2014-0160/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_      http://www.openssl.org/news/secadv_20140407.txt
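When you scan a whole /24 the report gets long, and what you actually want is a short list of hosts to patch first. The following is an added example, not part of the original post or of Nmap itself: a small Python parser for the normal-format output shown above (the kind you get by adding -oN heartbleed.txt to the scan). The sample report embedded in it is constructed for the example: one host flagged VULNERABLE by ssl-heartbleed, and one host with 443 open but no script finding (the script only prints output when it has something to report).

```python
import re

# Constructed sample of nmap normal output in the format shown above.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.0.5
Host is up (0.017s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic
|   software library. It allows for stealing information intended to be protected
|   by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     References:
|       http://cvedetails.com/cve/2014-0160/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Nmap scan report for 192.168.0.9
Host is up (0.021s latency).
PORT    STATE SERVICE
443/tcp open  https

Nmap done: 256 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

# One "Nmap scan report for <host>" line opens each host block.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.MULTILINE)
# The vulns library prints "State:" and "Risk factor:" inside the script block.
STATE_RE = re.compile(r"^\|\s+State:\s+(\S+)", re.MULTILINE)
RISK_RE = re.compile(r"^\|\s+Risk factor:\s+(\S+)", re.MULTILINE)


def parse_heartbleed_report(text):
    """Return {host: {"state": ..., "risk": ...}} for every host in the report.

    Hosts without an ssl-heartbleed block get state "NO FINDING".
    """
    results = {}
    # re.split with one capture group yields [preamble, host1, body1, host2, body2, ...]
    pieces = HOST_RE.split(text)
    for i in range(1, len(pieces), 2):
        host, body = pieces[i], pieces[i + 1]
        entry = {"state": "NO FINDING", "risk": None}
        if "| ssl-heartbleed:" in body:
            m = STATE_RE.search(body)
            entry["state"] = m.group(1) if m else "UNKNOWN"
            r = RISK_RE.search(body)
            entry["risk"] = r.group(1) if r else None
        results[host] = entry
    return results


def vulnerable_hosts(text):
    """Sorted list of hosts whose ssl-heartbleed state is VULNERABLE."""
    report = parse_heartbleed_report(text)
    return sorted(h for h, e in report.items() if e["state"] == "VULNERABLE")


if __name__ == "__main__":
    for host, entry in parse_heartbleed_report(SAMPLE_OUTPUT).items():
        print(f"{host:15} {entry['state']:12} risk={entry['risk']}")
    print("Patch these first:", ", ".join(vulnerable_hosts(SAMPLE_OUTPUT)))
```

To use it on a real scan, save the output with -oN and pass the file contents to parse_heartbleed_report(). Hosts reported as NO FINDING are not proven safe: the script only tests the port you asked for, so an SSL service on another port still needs its own scan.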
Good luck patching!