Testing Heartbleed with the Nmap NSE script

News of the Heartbleed vulnerability in OpenSSL is everywhere. This is a quick tutorial showing how to test for the vulnerability using a handy Nmap NSE script (ssl-heartbleed.nse).

First, you need a working version of Nmap (at least version 6.25); this is not difficult to find or install. So let's jump ahead to running an NSE script to detect the Heartbleed vulnerability.

Update: Since version 6.45 (2014), Nmap has included the ssl-heartbleed.nse script, so there is no need to download it separately.

Download the NSE (ssl-heartbleed.nse) script and the tls.lua library that is required:

ssl-heartbleed.nse tls.lua

Now place the tls.lua in the nselib directory on the system you are running Nmap on. Note: I have not tested this on Windows, only Ubuntu Linux, however it should just be a matter of dropping it in the nselib folder (C:\program files\nmap\nselib).

Running the actual ssl-heartbleed.nse script is simply a matter of referencing it as a parameter to the Nmap command.

nmap -sV -p 443 --script=ssl-heartbleed.nse <target>

It really is as simple as that: point to the NSE script with --script= and you are cooking! Even better, as this is using Nmap, we can scan entire ranges of IP addresses for the vulnerability.

Testing for the vulnerability

Here is an example of a test against one of my local systems that was running a vulnerable version of OpenVPN-AS.

Nmap scan report for mediacentre (
Host is up (0.0059s latency).
Not shown: 992 closed ports
443/tcp  open  ssl         OpenSSL (SSLv3)
| ssl-heartbleed: 
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|       http://www.openssl.org/news/secadv_20140407.txt 
|_      http://cvedetails.com/cve/2014-0160/
Service Info: Host:  firefly003; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Not good! It looks to be well and truly vulnerable.
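
When a whole range is scanned, the report becomes long, so it helps to reduce it to the host and port pairs the script flagged. The following is an added example, not part of the original tutorial or of Nmap: the function name heartbleed_vulnerable and the sample hosts are assumptions, and the sample input is constructed in the output layout shown above.

```shell
#!/bin/sh
# Added example: list every host/port where ssl-heartbleed reported
# "State: VULNERABLE" in Nmap normal output (terminal or -oN file).
# Usage on a saved scan: heartbleed_vulnerable < scan.txt

heartbleed_vulnerable() {
    awk '
        /^Nmap scan report for / {            # new host: reset per-host state
            host = $0; sub(/^Nmap scan report for /, "", host)
            port = ""; in_hb = 0; next
        }
        /^[0-9]+\/(tcp|udp)[ \t]/ {           # port line such as "443/tcp  open  ssl"
            port = $1; in_hb = 0; next
        }
        /^\|[ _][^ ]/ {                       # script header: "| name:" or "|_name: ..."
            in_hb = ($0 ~ /^\|[ _]ssl-heartbleed:/); next
        }
        in_hb && /State: VULNERABLE/ {        # does not match "State: NOT VULNERABLE"
            print host "\t" port; in_hb = 0
        }
    '
}

# Constructed sample input (documentation addresses, not real hosts).
sample_scan() {
    cat <<'EOF'
Nmap scan report for 192.0.2.10
Host is up (0.0059s latency).
443/tcp  open  ssl         OpenSSL (SSLv3)
| ssl-heartbleed:
|   VULNERABLE:
|     State: VULNERABLE
|_      http://cvedetails.com/cve/2014-0160/
Nmap scan report for 192.0.2.11
Host is up (0.0011s latency).
443/tcp open  ssl     OpenSSL (SSLv3)
Nmap scan report for mixed.example.test (192.0.2.12)
Host is up (0.0020s latency).
443/tcp  open  ssl         OpenSSL (SSLv3)
|_ssl-date: 2014-04-10T02:11:40+00:00; 0s from local time.
8443/tcp open  ssl         OpenSSL (SSLv3)
| ssl-heartbleed:
|     State: VULNERABLE
|_      http://cvedetails.com/cve/2014-0160/
EOF
}

sample_scan | heartbleed_vulnerable
```

Each output line is a host and the flagged port separated by a tab, which makes a convenient patch list to re-scan after upgrading.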

Upgrade OpenVPN

OpenVPN had advised that upgrades are required. It was a matter of a quick dpkg -i to upgrade the OpenVPN-AS server on my home network.

Let's try again with another test.

Nmap scan report for mediacentre (
Host is up (0.0011s latency).
443/tcp open  ssl     OpenSSL (SSLv3)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds

Looks good to me, upgrade successful.

Additional testing can be undertaken with our OpenVAS scan, which includes a signature for detecting the Heartbleed bug.