• Subscribe to the low volume list for updates.

Testing Heartbleed with the Nmap NSE script

Everywhere is buzzing with news of the Heartbleed vulnerability in OpenSSL. If you are living under a rock and have missed it just turn on the mainstream news. Not that you will get much detail there... this is a quick tutorial to show you how to test for the vulnerability using a handy Nmap NSE script ssl-heartbleed.nse).

First you will need a working version of Nmap (at least version 6.25), this is not difficult to find or install. So lets jump ahead to running an NSE Script to detect the Heartbleed vulnerability.

 Update: The latest version of Nmap (6.45 released 14/04/14) has the ssl-heartbleed.nse script included, no need to download it separately.

Download the NSE (ssl-heartbleed.nse) script and the tls.lua library that is required:

ssl-heartbleed.nse tls.lua

Now place the tls.lua in the nselib directory on the system you are running Nmap on. Note: I have not tested this on Windows, only Ubuntu Linux, however it should just be a matter of dropping it in the nselib folder (C:\program files\nmap\nselib).

Running the actual ssl-heartbleed.nse script is simply a matter of referencing it as a parameter to the Nmap command.

nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1

It really is as simple as that, point to the nse script with the --script= and you are cooking! Even better as this is using Nmap, we can scan entire ranges of IP addresses for the vulnerability.

Testing for the vulnerability

Here is an example of a test against one of my local systems that was running a vulnerable version of OpenVPN-AS.

Nmap scan report for mediacentre (192.168.1.5)
Host is up (0.0059s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE     VERSION
443/tcp  open  ssl         OpenSSL (SSLv3)
| ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|           
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|       http://www.openssl.org/news/secadv_20140407.txt 
|_      http://cvedetails.com/cve/2014-0160/
Service Info: Host:  firefly003; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Not good! looks to be well and truly vulnerable.

Upgrade OpenVPN

OpenVPN had advised that upgrades are required. It was a matter of a quick dpkg -i to upgrade the OpenVPN-AS server on my home network.

Lets try again with another test.

Nmap scan report for mediacentre (192.168.1.5)
Host is up (0.0011s latency).
PORT    STATE SERVICE VERSION
443/tcp open  ssl     OpenSSL (SSLv3)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds

Looks good to me, upgrade successful.

Additional testing can be undertaken with our OpenVAS scan.

Includes a signature for detecting the Heartbleed bug.

Check SSL/TLS services for vulnerabilities and weak ciphers.

Trusted tools. Hosted for easy access.