{"id":1879,"date":"2014-04-11T01:07:31","date_gmt":"2014-04-10T23:07:31","guid":{"rendered":"http:\/\/michlstechblog.info\/blog\/?p=1879"},"modified":"2014-04-11T11:29:01","modified_gmt":"2014-04-11T09:29:01","slug":"security-checking-a-webserver-for-heartbleed-vulnerability-with-nmap","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/security-checking-a-webserver-for-heartbleed-vulnerability-with-nmap\/","title":{"rendered":"Security: Check a webserver for heartbleed vulnerability with nmap"},"content":{"rendered":"<p>Hi,<\/p>\n<p>here is a short tutorial to check a webserver with nmap.<\/p>\n<p>Update to the latest version of nmap first; with an older version the script will not run (error message: \/usr\/bin\/..\/share\/nmap\/scripts\/ssl-heartbleed.nse:40: This script requires the tls.lua library&#8230;.). For example, on Debian wheezy add the backport repository &#8220;deb http:\/\/ftp.uni-erlangen.de\/debian\/ wheezy-backports main&#8221; to \/etc\/apt\/sources.list.<\/p>\n<p>Refresh sources<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@debdev:\/# apt-get update\r\n<\/pre>\n<p>Install the latest nmap version<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@debdev:\/# apt-get install -t wheezy-backports nmap\r\n<\/pre>\n<p>Check version<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@debdev:\/# nmap -V\r\n\r\nNmap version 6.40 ( http:\/\/nmap.org )\r\nPlatform: i686-pc-linux-gnu\r\nCompiled with: liblua-5.2.1 openssl-1.0.1e libpcre-8.30 libpcap-1.3.0 nmap-libdnet-1.12 ipv6\r\nCompiled without:\r\nAvailable nsock engines: epoll poll select\r\n<\/pre>\n<p>Get the heartbleed script and the tls library<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nwget http:\/\/nmap.org\/svn\/nselib\/tls.lua -P 
\/usr\/share\/nmap\/nselib\r\nwget http:\/\/nmap.org\/svn\/scripts\/ssl-heartbleed.nse -P \/usr\/share\/nmap\/scripts\/\r\n<\/pre>\n<p>Check the host, e.g. webserver.domain.local on port 11443<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@debdev:\/# nmap -sV --script=ssl-heartbleed  -p 11443 webserver.domain.local\r\n\r\nStarting Nmap 6.40 ( http:\/\/nmap.org ) at 2014-04-10 22:44 CEST\r\nNmap scan report for webserver.domain.local (192.168.254.23)\r\nHost is up (0.00072s latency).\r\nPORT      STATE SERVICE  VERSION\r\n11443\/tcp open  ssl\/http Apache httpd\r\n| ssl-heartbleed:\r\n|   VULNERABLE:\r\n|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic\r\n|   software library.\r\n|   It allows for stealing information\r\n|     State: VULNERABLE\r\n|     Risk factor: High\r\n|     Description:\r\n|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1)\r\n|       of OpenSSL are affected\r\n|       by the Heartbleed bug. TpenSSL versions and could allow for disclosure of otherwise\r\n|       encrypted confidential\r\n|       information as well as the encryption keys themselves.\r\n|\r\n|     References:\r\n|       http:\/\/www.openssl.org\/news\/secadv_20140407.txt\r\n|       https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-0160\r\n|_      http:\/\/cvedetails.com\/cve\/2014-0160\/\r\n\r\nService detection performed. Please report any incorrect results at http:\/\/nmap.org\/submit\/ .\r\nNmap done: 1 IP address (1 host up) scanned in 30.69 seconds\r\nroot@debdev:\/#\r\n<\/pre>\n<p>The ssl-heartbleed script shows details only if a vulnerability is found. To make it always report a result, add the <b>--script-args=vulns.showall<\/b> parameter. 
Here is the output of a server which is not vulnerable.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@debdev:\/# nmap -sV --script=ssl-heartbleed --script-args=vulns.showall -p 443 webserver2.domain.local\r\n\r\nStarting Nmap 6.40 ( http:\/\/nmap.org ) at 2014-04-10 22:57 CEST\r\nNmap scan report for webserver2.domain.local (192.168.254.24)\r\nHost is up (0.0012s latency).\r\nPORT    STATE SERVICE\r\n443\/tcp open  https\r\n| ssl-heartbleed:\r\n|   NOT VULNERABLE:\r\n|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL\r\n|   cryptographic software library.\r\n|   It allows for stealing information intended to be protected by SSL\/TLS encryption.\r\n|     State: NOT VULNERABLE\r\n|     References:\r\n|       http:\/\/www.openssl.org\/news\/secadv_20140407.txt\r\n|       http:\/\/cvedetails.com\/cve\/2014-0160\/\r\n|_      https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-0160\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 11.63 seconds\r\n\r\n<\/pre>\n<p>There are many more checks available. I also use this <a title=\"check-ssl-heartbleed.pl\" href=\"https:\/\/github.com\/noxxi\/p5-scripts\/blob\/master\/check-ssl-heartbleed.pl\" target=\"_blank\">Perl script<\/a>.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nroot@debdev:\/# perl .\/heartbleed-check.pl webserver.domain.local:11443\r\n...ssl received type=22 ver=0x301 ht=0x2 size=54\r\n...ssl received type=22 ver=0x301 ht=0xb size=691\r\n...ssl received type=22 ver=0x301 ht=0xc size=393\r\n...ssl received type=22 ver=0x301 ht=0xe size=0\r\n...send heartbeat_\r\n...ssl received type=24 ver=301 size=16384\r\nBAD! got 16384 bytes back instead of 3 (vulnerable)\r\n<\/pre>\n<p>Michael<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, here is a short tutorial to check a webserver with nmap. Update to the latest version of nmap. 
Otherwise nmap would not work (Error message:\/usr\/bin\/..\/share\/nmap\/scripts\/ssl-heartbleed.nse:40: This script requires the tls.lua library&#8230;.). For example debian wheezy. Add the backport repository &#8220;deb http:\/\/ftp.uni-erlangen.de\/debian\/ wheezy-backports main&#8221; to \/etc\/apt\/sources.list. Refresh sources root@debdev:\/# apt-get update Install the latest nmap &hellip; <a href=\"https:\/\/michlstechblog.info\/blog\/security-checking-a-webserver-for-heartbleed-vulnerability-with-nmap\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Security: Check a webserver for heartbleed vulnerability with nmap<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[466],"tags":[356,476,475],"class_list":["post-1879","post","type-post","status-publish","format-standard","hentry","category-security","tag-check","tag-heartbleed","tag-nmap"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/1879","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=1879"}],"version-history":[{"count":11,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/1879\/revisions"}],"predecessor-version":[{"id":1890,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/1879\/revisions\/1890"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=1879"}],"wp:term":[{"taxonomy":"category","e
mbeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=1879"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=1879"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}