
Testing Heartbleed with the Nmap NSE script

Everywhere is buzzing with news of the Heartbleed vulnerability in OpenSSL. If you are living under a rock and have missed it just turn on the mainstream news. Not that you will get much detail there... this is a quick tutorial to show you how to test for the vulnerability using a handy Nmap NSE script (ssl-heartbleed.nse).

First you will need a working version of Nmap (at least version 6.25); this is not difficult to find or install. So let's jump ahead to running an NSE script to detect the Heartbleed vulnerability.

Update: The latest version of Nmap (6.45, released 14/04/14) has the ssl-heartbleed.nse script included, so there is no need to download it separately.

Download the NSE (ssl-heartbleed.nse) script and the tls.lua library that is required:

ssl-heartbleed.nse
tls.lua

Now place tls.lua in the nselib directory on the system you are running Nmap on. Keep in mind I have not tested this on Windows, only on Ubuntu Linux; however, it should just be a matter of dropping it in the nselib folder (C:\program files\nmap\nselib).

Running the actual ssl-heartbleed.nse script is simply a matter of referencing it as a parameter to the Nmap command.

nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1

It really is as simple as that: point to the NSE script with --script= and you are cooking! Even better, because this is using Nmap we can scan entire ranges of IP addresses for the vulnerability.

Here is an example of a test against one of my local systems that was running a vulnerable version of OpenVPN-AS.

Nmap scan report for mediacentre (192.168.1.5)
Host is up (0.0059s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE     VERSION
443/tcp  open  ssl         OpenSSL (SSLv3)
| ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|           
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|       http://www.openssl.org/news/secadv_20140407.txt 
|_      http://cvedetails.com/cve/2014-0160/
Service Info: Host:  firefly003; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Not good! It looks to be well and truly vulnerable. OpenVPN had advised that upgrades were required, so it was a matter of a quick dpkg -i to upgrade the OpenVPN-AS server on my home network. Now let's try again with another test.

Nmap scan report for mediacentre (192.168.1.5)
Host is up (0.0011s latency).
PORT    STATE SERVICE VERSION
443/tcp open  ssl     OpenSSL (SSLv3)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds
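To act on the range-scanning idea above, here is an added example (it is not from the post or from the Nmap project) that reads the normal (-oN) output of a range scan and lists which hosts came back with "State: VULNERABLE". It assumes the report layout shown in the two reports above; the sample report embedded in it is constructed, not a real scan.

```python
import re

# Constructed sample of Nmap normal output (-oN) for two hosts, laid out like the
# reports in the post: .5 is vulnerable, .7 produced no ssl-heartbleed output,
# which is what a patched server looks like with this script's default settings.
SAMPLE_REPORT = """\
Nmap scan report for mediacentre (192.168.1.5)
Host is up (0.0059s latency).
PORT     STATE SERVICE     VERSION
443/tcp  open  ssl         OpenSSL (SSLv3)
| ssl-heartbleed:
|   VULNERABLE:
|     State: VULNERABLE
|_    References:
Nmap scan report for 192.168.1.7
Host is up (0.0020s latency).
PORT    STATE SERVICE VERSION
443/tcp open  ssl     OpenSSL (SSLv3)

Nmap done: 2 IP addresses (2 hosts up) scanned in 11.24 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+\w+")
STATE_RE = re.compile(r"^\|_?\s+State:\s+(.+?)\s*$")

def parse_heartbleed_report(text: str) -> dict[str, dict[str, str]]:
    """Return {ip: {"port/proto": state}} for every port that printed an
    ssl-heartbleed block; ports with no block are absent for that host."""
    results: dict[str, dict[str, str]] = {}
    ip, port, in_script = None, None, False
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            ip, port, in_script = m.group(2), None, False
            results.setdefault(ip, {})
        elif m := PORT_RE.match(line):
            port, in_script = f"{m.group(1)}/{m.group(2)}", False
        elif line.startswith("| ssl-heartbleed:"):
            in_script = True
        elif in_script and ip and port:
            if m := STATE_RE.match(line):
                results[ip][port] = m.group(1)
            if line.startswith("|_"):  # "|_" is the last line of a script block
                in_script = False
    return results

def vulnerable_hosts(text: str) -> list[str]:
    """IPs with at least one port whose state is exactly VULNERABLE."""
    return sorted(ip for ip, ports in parse_heartbleed_report(text).items()
                  if "VULNERABLE" in ports.values())
```

Produce the input with a range scan such as nmap -sV -p 443 --script=ssl-heartbleed.nse -oN heartbleed.txt 192.168.1.0/24 and pass the file contents to parse_heartbleed_report.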

Looks good to me, upgrade successful. For access, a HackerTarget.com membership is all that is required to use the hosted SSL Check. With a current membership additional testing can be undertaken with our OpenVAS scan option that also has a signature for detecting the Heartbleed bug.

15 Comments

  • Derp
    Is there a way to scan other ports?
  • noname
    Just add the additional ports to the original command, separated by commas. Ex: nmap -sV -p 443,4433,4443,8443,4100 --script=ssl-heartbleed.nse 192.168.1.1
  • Fr0ntSight
    Which version of nmap does this require? I am running 5.21 and it doesn't work..ubuntu 12.04
    • You will need at least version 6.25 of Nmap, compiling from source is not too difficult and you get all the goodness of the latest version including many NSE scripts. :)
      • Fr0ntSight
        Cool..Thanks for the info.
    • zoloha
      a successful ubuntu guide here http://www.cirgan.net/scanning-openssl-heartbleed-bug-with-nmap/
      • Fr0ntSight
        Thanks for the link! I'll check it out.
  • Very useful http://aliciaarango.com/
  • Thanks a lot http://juanguillermozuluagacardona.com/
  • Fr0ntSight
    I have it running but it doesn't show anything below:
    PORT STATE SERVICE VERSION
    So none of the text that is formatted like this shows:
    | ssl-heartbleed:
    |   VULNERABLE:
    |   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
    Any ideas?
  • Intel.Security_consultant
    Hi, do you have any update for windows based zenmap?
  • Brad Allison
    $ yum --noplugins --showduplicates --enablerepo * --disablerepo *-source --disablerepo C5.*,c5-media,*debug*,*-source search sslcert.lua
    Warning: No matches found for: sslcert.lua
    No Matches found
  • Brad Allison
    Even after downloading all the missing .lua script files needed for this (did a wget -r on https://svn.nmap.org/nmap/nselib/ ), it still fails....
    $ nmap -p 443 --script ../../../ssl-heartbleed myservers.com
    Starting Nmap 5.51 ( http://nmap.org ) at 2014-04-17 15:54 UTC
    NSE: failed to initialize the script engine:
    /usr/share/nmap/nse_main.lua:384: ./unittest.lua:29: attempt to call field 'module' (a nil value)
    stack traceback:
    [C]: in function 'assert'
    /usr/share/nmap/nse_main.lua:384: in function 'new'
    /usr/share/nmap/nse_main.lua:578: in function 'get_chosen_scripts'
    /usr/share/nmap/nse_main.lua:1006: in main chunk
    [C]: ?
    QUITTING!
  • juan
    Thank you very much, it is very useful https://juanguillermozuluagac.wordpress.com
  • jorge massoud
    Host is up (0.0011s latency).