Security: Check a webserver for heartbleed vulnerability with nmap

Hi,

here is a short tutorial to check a webserver with nmap.

Update to the latest version of nmap; otherwise the script will not run (error message: /usr/bin/../share/nmap/scripts/ssl-heartbleed.nse:40: This script requires the tls.lua library….). On Debian wheezy, for example, add the backports repository “deb http://ftp.uni-erlangen.de/debian/ wheezy-backports main” to /etc/apt/sources.list.

Refresh sources

root@debdev:/# apt-get update

Install the latest nmap version

root@debdev:/# apt-get install -t wheezy-backports nmap

Check version

root@debdev:/# nmap -V

Nmap version 6.40 ( http://nmap.org )
Platform: i686-pc-linux-gnu
Compiled with: liblua-5.2.1 openssl-1.0.1e libpcre-8.30 libpcap-1.3.0 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Get the heartbleed script and the tls library

wget http://nmap.org/svn/nselib/tls.lua -P /usr/share/nmap/nselib
wget http://nmap.org/svn/scripts/ssl-heartbleed.nse -P /usr/share/nmap/scripts/

Check the host, in this example webserver.domain.local on port 11443

root@debdev:/# nmap -sV --script=ssl-heartbleed  -p 11443 webserver.domain.local

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-10 22:44 CEST
Nmap scan report for webserver.domain.local (192.168.254.23)
Host is up (0.00072s latency).
PORT      STATE SERVICE  VERSION
11443/tcp open  ssl/http Apache httpd
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic
|   software library.
|   It allows for stealing information
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1)
|       of OpenSSL are affected
|       by the Heartbleed bug. TpenSSL versions and could allow for disclosure of otherwise
|       encrypted confidential
|       information as well as the encryption keys themselves.
|
|     References:
|       http://www.openssl.org/news/secadv_20140407.txt
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_      http://cvedetails.com/cve/2014-0160/

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.69 seconds
root@debdev:/#

The ssl-heartbleed script shows details only if a vulnerability is found. You can tell the script to always report its result by adding the --script-args=vulns.showall parameter. Here is the output for a server which is not vulnerable.

root@debdev:/# nmap -sV --script=ssl-heartbleed --script-args=vulns.showall -p 443 webserver2.domain.local

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-10 22:57 CEST
Nmap scan report for webserver2.domain.local (192.168.254.24)
Host is up (0.0012s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   NOT VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
|   cryptographic software library.
|   It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: NOT VULNERABLE
|     References:
|       http://www.openssl.org/news/secadv_20140407.txt
|       http://cvedetails.com/cve/2014-0160/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Nmap done: 1 IP address (1 host up) scanned in 11.63 seconds
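When more than one or two servers have to be checked, the two scans above are easier to track if the nmap output is parsed into a per-host/port list. The following Python script is an added example, not part of the original post: parse_heartbleed_report() reads nmap's normal output (the "Nmap scan report for", "port/tcp open" and "| ssl-heartbleed:" / "State:" lines seen above), and scan() runs the same nmap command with vulns.showall for a list of hosts. The embedded SAMPLE is constructed from the two scans above plus a host that has no TLS port.

```python
import re
import subprocess

# Patterns for nmap's normal output, as shown in the scans above.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open")
STATE_RE = re.compile(r"^\|\s+State:\s+(VULNERABLE|NOT VULNERABLE)")

def parse_heartbleed_report(text):
    """Map (host, port) -> 'VULNERABLE' / 'NOT VULNERABLE'; ports without a result are absent."""
    results, host, port, in_script = {}, None, None, False
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, port, in_script = m.group(1), None, False
        elif m := PORT_RE.match(line):
            port, in_script = int(m.group(1)), False
        elif line.startswith("| ssl-heartbleed:"):
            in_script = True          # script block for the current port begins
        elif in_script and host and port and (m := STATE_RE.match(line)):
            results[(host, port)] = m.group(1)
            in_script = False         # one State line per port
    return results

def scan(hosts, ports="443"):
    """Run the post's nmap command per host (needs nmap and the NSE script installed)."""
    merged = {}
    for h in hosts:
        cmd = ["nmap", "-sV", "--script=ssl-heartbleed", "--script-args=vulns.showall", "-p", ports, h]
        out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
        merged.update(parse_heartbleed_report(out))
    return merged

# Constructed sample: abbreviated from the two scans above, plus a host with no TLS port.
SAMPLE = """Nmap scan report for webserver.domain.local (192.168.254.23)
11443/tcp open  ssl/http Apache httpd
| ssl-heartbleed:
|   VULNERABLE:
|     State: VULNERABLE
Nmap scan report for webserver2.domain.local (192.168.254.24)
443/tcp open  https
| ssl-heartbleed:
|     State: NOT VULNERABLE
Nmap scan report for fileserver.domain.local (192.168.254.25)
22/tcp open  ssh
"""

if __name__ == "__main__":
    for (h, p), state in sorted(parse_heartbleed_report(SAMPLE).items()):
        print(f"{h}:{p} {state}")
```

Ports where the script produced no result (no TLS, or the script failed to load) simply do not appear, so compare the returned keys against the list of ports you expected to check.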

There are many more checks available. I also use this Perl script.

root@debdev:/# perl ./heartbleed-check.pl webserver.domain.local:11443
...ssl received type=22 ver=0x301 ht=0x2 size=54
...ssl received type=22 ver=0x301 ht=0xb size=691
...ssl received type=22 ver=0x301 ht=0xc size=393
...ssl received type=22 ver=0x301 ht=0xe size=0
...send heartbeat_
...ssl received type=24 ver=301 size=16384
BAD! got 16384 bytes back instead of 3 (vulnerable)


Michael
