Hi,
here is a short tutorial to check a webserver with nmap.
Update to the latest version of nmap. Otherwise nmap would not work (Error message:/usr/bin/../share/nmap/scripts/ssl-heartbleed.nse:40: This script requires the tls.lua library….). For example debian wheezy. Add the backport repository “deb http://ftp.uni-erlangen.de/debian/ wheezy-backports main” to /etc/apt/sources.list.
Refresh sources
1 | root@debdev:/# apt-get update |
Install the latest nmap version
1 | root@debdev:/# apt-get install -t wheezy-backports nmap |
Check version
1 2 3 4 5 6 7 | root@debdev:/# nmap -VNmap version 6.40 ( http://nmap.org )Platform: i686-pc-linux-gnuCompiled with: liblua-5.2.1 openssl-1.0.1e libpcre-8.30 libpcap-1.3.0 nmap-libdnet-1.12 ipv6Compiled without:Available nsock engines: epoll poll select |
Get the heartbleed script and the tls library
1 2 | wget http://nmap.org/svn/nselib/tls.lua -P /usr/share/nmap/nselibwget http://nmap.org/svn/scripts/ssl-heartbleed.nse -P /usr/share/nmap/scripts/ |
Check the host, i.e. webserver.domain.local at port 11443
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | root@debdev:/# nmap -sV --script=ssl-heartbleed -p 11443 webserver.domain.localStarting Nmap 6.40 ( http://nmap.org ) at 2014-04-10 22:44 CESTNmap scan report for webserver.domain.local (192.168.254.23)Host is up (0.00072s latency).PORT STATE SERVICE VERSION11443/tcp open ssl/http Apache httpd| ssl-heartbleed:| VULNERABLE:| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic| software library.| It allows for stealing information| State: VULNERABLE| Risk factor: High| Description:| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1)| of OpenSSL are affected| by the Heartbleed bug. TpenSSL versions and could allow for disclosure of otherwise| encrypted confidential| information as well as the encryption keys themselves.|| References:| http://www.openssl.org/news/secadv_20140407.txt| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160|_ http://cvedetails.com/cve/2014-0160/Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 30.69 secondsroot@debdev:/# |
The ssl-heartbleed script shows details only if a vulnerability is found. You can tell the script to always speak with you by adding the –script-args=vulns.showall parameter. Here is the output of a server which is not vulnarable.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | root@debdev:/# nmap -sV --script=ssl-heartbleed --script-args=vulns.showall -p 443 webserver2.domain.localStarting Nmap 6.40 ( http://nmap.org ) at 2014-04-10 22:57 CESTNmap scan report for webserver2.domain.local (192.168.254.24)Host is up (0.0012s latency).PORT STATE SERVICE443/tcp open https| ssl-heartbleed:| NOT VULNERABLE:| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL| cryptographic software library.| It allows for stealing information intended to be protected by SSL/TLS encryption.| State: NOT VULNERABLE| References:| http://www.openssl.org/news/secadv_20140407.txt| http://cvedetails.com/cve/2014-0160/|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160Nmap done: 1 IP address (1 host up) scanned in 11.63 seconds |
There are much more checks available. I also use this perl script.
1 2 3 4 5 6 7 8 | root@debdev:/# perl ./heartbleed-check.pl webserver.domain.local:11443...ssl received type=22 ver=0x301 ht=0x2 size=54...ssl received type=22 ver=0x301 ht=0xb size=691...ssl received type=22 ver=0x301 ht=0xc size=393...ssl received type=22 ver=0x301 ht=0xe size=0...send heartbeat_...ssl received type=24 ver=301 size=16384BAD! got 16384 bytes back instead of 3 (vulnerable) |
Michael