Nmap now has an NSE script (Nmap Scripting Engine) to detect the SSL Heartbleed vulnerability. You can find how to patch yourself in my previous blogpost: Patch against the heartbleed OpenSSL bug (CVE-2014-0160).
First, download nmap. If you’re on Mac, “brew install nmap” should do the trick. On Linux, your package manager should have nmap readily available.
Get the latest version of Nmap
This NSE script requires Nmap version 6.25 or later. Make sure you’re on the latest version before trying this. Any Nmap from 6.45 onwards (April 2014) already ships the ssl-heartbleed script and its tls.lua dependency, so on a current Nmap you can skip the two manual download steps below and jump straight to running it.
To check your nmap version, add --version:
$ nmap --version
Nmap version 6.40 ( http://nmap.org )
Platform: x86_64-apple-darwin13.0.0
Compiled with: liblua-5.2.2 openssl-1.0.1f nmap-libpcre-7.6 libpcap-1.3.0 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: kqueue poll select
(Only on old Nmap) download the extra TLS LUA
On a current Nmap you can skip this section. Back in April 2014 the script wasn’t bundled yet: since the heartbleed bug is an SSL vulnerability, you needed some extra TLS libraries. You downloaded the tls.lua file to the Nmap share directory (most likely /usr/local/share/nmap/nselib/) and stored it as tls.lua.
(Only on old Nmap) download the SSL-Heartbleed NSE script
Similarly, on a pre-6.45 Nmap you downloaded the ssl-heartbleed.nse script via the NSE website, saved it on your local drive and referred to it via the --script $FILENAME parameter.
Run the scan
On any modern Nmap the script is built in, so you just reference it by name (no path, no .nse):
$ nmap -T4 -p 443 -n -Pn --open 192.168.0.0/24 --script ssl-heartbleed
The above should list all your IPs that have an open 443 port together with a remark if they’re vulnerable or not.
The parameters explained:
- -T4: an aggressive timing template; it will be detected by IDS/IPS, but it’s the fastest
- -p 443: only scan port 443 (you may want to extend your reach if you have alternative SSL-enabled ports)
- -n: no name resolution, faster scans
- -Pn: no ping scan first, assume all hosts are up, don’t waste time with ICMP
- --open: only list the hosts with open ports
- 192.168.0.0/24: the IP range to scan
- --script ssl-heartbleed: the name of the bundled NSE script that checks for the Heartbleed vulnerability
The result, if a vulnerable host has been found, looks like this:
Nmap scan report for 192.168.0.5
Host is up (0.017s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic
| software library. It allows for stealing information intended to be protected
| by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| Description:
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1)
| of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory
| of systems protected by the vulnerable OpenSSL versions and could allow for
| disclosure of otherwise encrypted confidential information as well as the
| encryption keys themselves.
|
| References:
| http://cvedetails.com/cve/2014-0160/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_ http://www.openssl.org/news/secadv_20140407.txt
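When you scan a whole /24 it helps to reduce the normal output (what you see on screen, or what -oN writes to a file) to a plain list of hosts that need patching. The following Python helper is an added example, not part of the original post or of Nmap itself; the report text it embeds is constructed in the layout shown above, not a real scan.

```python
import re

# Constructed sample in Nmap's normal-output layout: one vulnerable host and
# one host with an open 443 for which the script printed nothing.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.0.5
Host is up (0.017s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in OpenSSL.
|     State: VULNERABLE
|     Risk factor: High
|_    http://www.openssl.org/news/secadv_20140407.txt

Nmap scan report for 192.168.0.9
Host is up (0.020s latency).
PORT    STATE SERVICE
443/tcp open  https
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\b")
STATE_RE = re.compile(r"^\|_?\s*State:\s*(VULNERABLE|NOT VULNERABLE)")


def parse_heartbleed_report(text):
    """Return {host: [(port, verdict), ...]} for every open port seen.

    Without --script-args vulns.showall, Nmap only prints the script block
    for vulnerable ports, so an open port with no block is recorded as
    'NO FINDING' rather than silently treated as safe."""
    results, host, port, in_script = {}, None, None, False
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, port, in_script = m.group(1), None, False
            results[host] = []
        elif (m := PORT_RE.match(line)) and host:
            port, in_script = int(m.group(1)), False
            results[host].append((port, "NO FINDING"))  # placeholder verdict
        elif line.startswith("| ssl-heartbleed:"):
            in_script = True
        elif in_script:
            if (m := STATE_RE.match(line)) and port is not None:
                results[host][-1] = (port, m.group(1))  # replace placeholder
            if line.startswith("|_"):  # last line of the script block
                in_script = False
    return results


def vulnerable_hosts(results):
    """Sorted list of hosts with at least one port reported VULNERABLE."""
    return sorted(h for h, ports in results.items()
                  if any(v == "VULNERABLE" for _, v in ports))
```

Feed it the contents of the -oN file from the scan above; hosts in the "NO FINDING" state deserve a second look with --script-args vulns.showall before you call them clean.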
Good luck patching!