Everywhere is buzzing with news of the Heartbleed vulnerability in OpenSSL. If you are living under a rock and have missed it just turn on the mainstream news. Not that you will get much detail there... this is a quick tutorial to show you how to test for the vulnerability using a handy Nmap NSE script (ssl-heartbleed.nse).
First you will need a working version of Nmap (at least version 6.25), this is not difficult to find or install. So lets jump ahead to running an NSE Script to detect the Heartbleed vulnerability.
ssl-heartbleed.nsescript included, no need to download it separately.
Download the NSE (ssl-heartbleed.nse) script and the tls.lua library that is required:
Now place the
tls.lua in the
nselib directory on the system you are running Nmap on. Now keep in mind I have not tested this on Windows, only Ubuntu Linux, however it should just be a matter of dropping it in the
nselib folder (C:\program files\nmap\nselib).
Running the actual
ssl-heartbleed.nse script is simply a matter of referencing it as a parameter to the Nmap command.
nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1
It really is as simple as that, point to the nse script with the
--script= and you are cooking! Even better because this is using Nmap we can scan entire ranges of IP addresses for the vulnerability.
Here is an example of a test against one of my local systems that was running a vulnerable version of OpenVPN-AS.
Nmap scan report for mediacentre (192.168.1.5) Host is up (0.0059s latency). Not shown: 992 closed ports PORT STATE SERVICE VERSION 443/tcp open ssl OpenSSL (SSLv3) | ssl-heartbleed: | VULNERABLE: | The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption. | State: VULNERABLE | Risk factor: High | Description: | OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves. | | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 | http://www.openssl.org/news/secadv_20140407.txt |_ http://cvedetails.com/cve/2014-0160/ Service Info: Host: firefly003; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Not good! looks to be well and truly vulnerable. OpenVPN had advised that upgrades are required, so it was a matter of a quick
dpkg -i to upgrade the OpenVPN-AS server on my home network. Now lets try again with another test.
Nmap scan report for mediacentre (192.168.1.5) Host is up (0.0011s latency). PORT STATE SERVICE VERSION 443/tcp open ssl OpenSSL (SSLv3) Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds
Looks good to me, upgrade successful. For access, a HackerTarget.com membership is all that is required to use the hosted SSL Check. With a current membership additional testing can be undertaken with our OpenVAS scan option that also has a signature for detecting the Heartbleed bug.