Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Guide to using Nmap to scan for the Heartbleed bug.

Requirements

  1. Nmap. The script requires version 6.25 or newer. The latest version, 6.47, already includes the next 3 dependencies, so you can skip directly to the Scanning section below.
    • An easy way to get the latest Nmap release is to use Kali Linux.
    • Binary installers are available for Windows.
    • RPM installer available for Linux, or install from source.
    • .dmg installer available for Mac OS X.
  2. tls.lua. The script requires this Lua library for TLS handshaking.
  3. ssl-heartbleed.nse. This is the script itself.
  4. stdnse.lua. The ssl-heartbleed script above is the development version, so it depends on some functions that are not present in released versions of Nmap.

Installation Guide

If you have Nmap version 6.46 or 6.47, you can skip this section, since you already have the ssl-heartbleed script and the tls.lua library.

Locate your Nmap files directory. On Linux, this is usually /usr/share/nmap/ or /usr/local/share/nmap/. On Windows, it's either C:\Program Files\Nmap\ or C:\Program Files (x86)\Nmap\

Download the tls.lua and stdnse.lua libraries and put them in the nselib directory.

Download the ssl-heartbleed.nse script and put it in the scripts directory

Optionally, run nmap --script-updatedb to allow the script to run according to category (not necessary for this example).

Scanning

Finally, run Nmap. Here are some recommended options to use:

nmap -d --script ssl-heartbleed --script-args vulns.showall -sV X.X.X.X/24

Options summary:

  • -d turns on debugging output, helpful for seeing problems with the script.
  • --script ssl-heartbleed selects the ssl-heartbleed script to run on appropriate ports.
  • --script-args vulns.showall tells the script to output "NOT VULNERABLE" when it does not detect the vulnerability.
  • -sV requests a service version detection scan, which will allow the script to run against unusual ports that support SSL.

Other helpful options:

  • --script-trace shows a packet dump of all script-related traffic, which may show memory dumps from the Heartbleed bug.
  • -p 443 limits the script to port 443, but use caution! Even services like SMTP, FTP, and IMAP can be vulnerable.
  • -oA heartbleed-%y%m%d saves Nmap's output in 3 formats as heartbleed-20140410.nmap, heartbleed-20140410.xml, and heartbleed-20140410.gnmap.

Bugs

Before reporting a bug, please be sure that you

  1. have the latest version of Nmap, OR
  2. have the most recent version of the script and the tls.lua library (links on this page are always the most recent), and
  3. have installed the script and the library according to this guide.

If you find a false-negative or false-positive bug with the script, please notify the developers mailing list or #nmap on Freenode IRC. Output with -d and --script-trace is especially appreciated.

jjcf89 commented Apr 14, 2014

The latest nmap windows installer comes with the tls.lua and ssl-heartbleed.nse files.

anasri commented Apr 18, 2014

Can you explain how to get info like cookies ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment