
@nsa-yoda
Forked from bonsaiviking/NmapHeartbleed.md
Created July 31, 2014 14:38

Requirements

  1. Nmap. The script requires version 6.25 or newer. The latest version, 6.46, already includes the next two dependencies, so you can skip directly to the Scanning section below.
    • An easy way to get the latest Nmap release is to use Kali Linux.
    • Binary installers are available for Windows.
    • An RPM installer is available for Linux, or you can install from source.
    • A .dmg installer is available for Mac OS X.
  2. tls.lua. The script requires this Lua library for TLS handshaking.
  3. ssl-heartbleed.nse. This is the script itself.

Installation Guide

If you have Nmap version 6.46, you can skip this section, since you already have the ssl-heartbleed script and the tls.lua library.

Locate your Nmap files directory. On Linux, this is usually /usr/share/nmap/ or /usr/local/share/nmap/. On Windows, it's either C:\Program Files\Nmap\ or C:\Program Files (x86)\Nmap\.

Download the tls.lua library and put it in the nselib directory.

Download the ssl-heartbleed.nse script and put it in the scripts directory.

Optionally, run nmap --script-updatedb to allow the script to run according to category (not necessary for this example).

Scanning

Finally, run Nmap. Here are some recommended options to use:

nmap -d --script ssl-heartbleed --script-args vulns.showall -sV X.X.X.X/24

Options summary:

  • -d turns on debugging output, helpful for seeing problems with the script.
  • --script ssl-heartbleed selects the ssl-heartbleed script to run on appropriate ports.
  • --script-args vulns.showall tells the script to output "NOT VULNERABLE" when it does not detect the vulnerability.
  • -sV requests a service version detection scan, which will allow the script to run against unusual ports that support SSL.

Other helpful options:

  • --script-trace shows a packet dump of all script-related traffic, which may show memory dumps from the Heartbleed bug.
  • -p 443 limits the script to port 443, but use caution! Even services like SMTP, FTP, and IMAP can be vulnerable.
  • -oA heartbleed-%y%m%d saves Nmap's output in 3 formats as heartbleed-20140410.nmap, heartbleed-20140410.xml, and heartbleed-20140410.gnmap.
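Once a scan has been saved with -oA, the .xml file is the easiest of the three formats to triage by machine. The script below is an added example, not part of the original gist or of Nmap: it reads the XML report, pulls out every port on which the ssl-heartbleed script reported a state, and lists the ones that came back VULNERABLE. It assumes Nmap's XML layout (host > address, host > ports > port > script, with the script's text in the output attribute) and the vulns library's "State: …" line; the embedded report is constructed sample data, not real scan output.

```python
"""Triage ssl-heartbleed results from an Nmap XML report (-oA / -oX).

Added example, not part of the original gist. Assumes Nmap's XML layout
(<host><address addr=...><ports><port portid=...><script id=... output=...>)
and the vulns-library text inside the script's output attribute
("State: VULNERABLE", "State: NOT VULNERABLE", ...). SAMPLE_XML is constructed.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample report: one host with a vulnerable HTTPS port and a
# clean IMAPS port (vulns.showall makes the script report NOT VULNERABLE),
# and a second host whose SMTP port produced no script result at all.
SAMPLE_XML = """<nmaprun scanner="nmap" version="6.46"
  args="nmap -d --script ssl-heartbleed --script-args vulns.showall -sV -oA heartbleed-20140410 192.0.2.0/24">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https"/>
        <script id="ssl-heartbleed" output="&#10;  VULNERABLE:&#10;  The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.&#10;    State: VULNERABLE&#10;    Risk factor: High&#10;"/>
      </port>
      <port protocol="tcp" portid="993">
        <state state="open"/>
        <service name="imaps"/>
        <script id="ssl-heartbleed" output="&#10;  NOT VULNERABLE:&#10;  The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.&#10;    State: NOT VULNERABLE&#10;"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="25">
        <state state="open"/>
        <service name="smtp"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# The vulns library prints the verdict on its own line: "State: <verdict>".
STATE_RE = re.compile(r"State:\s*(.+)")


def parse_heartbleed(xml_text):
    """Return [(address, port, state), ...] for every port on which the
    ssl-heartbleed script reported a state.  Ports the script never ran
    against (no <script id="ssl-heartbleed">) are skipped."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # fall back to whatever address type is present
            addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            script = port.find("script[@id='ssl-heartbleed']")
            if script is None:
                continue
            match = STATE_RE.search(script.get("output", ""))
            state = match.group(1).strip() if match else "UNKNOWN"
            results.append((addr, int(port.get("portid")), state))
    return results


def vulnerable_services(results):
    """Keep only confirmed verdicts.  A prefix test is used on purpose:
    it accepts 'VULNERABLE' and 'VULNERABLE (Exploitable)' but rejects
    'NOT VULNERABLE' and 'LIKELY VULNERABLE', which need a human look."""
    return [r for r in results if r[2].startswith("VULNERABLE")]


def main(argv):
    """Print one line per tested service; exit 1 if anything is vulnerable."""
    if len(argv) > 1:
        with open(argv[1]) as report:
            xml_text = report.read()
    else:
        xml_text = SAMPLE_XML  # no file given: demonstrate on the sample
    results = parse_heartbleed(xml_text)
    for addr, port, state in results:
        print(f"{addr}:{port}\t{state}")
    vuln = vulnerable_services(results)
    print(f"{len(vuln)} vulnerable service(s) of {len(results)} tested")
    return 1 if vuln else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 heartbleed_triage.py heartbleed-20140410.xml` to summarise a real report; with no argument it runs against the constructed sample. Note that a port with no ssl-heartbleed entry is not the same as NOT VULNERABLE: the script may have failed to complete a TLS handshake there, which is exactly the case where the -d and --script-trace output mentioned below is worth keeping.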

Bugs

Before reporting a bug, please be sure that you

  1. have the latest version of Nmap,
  2. have the most recent version of the script and the tls.lua library (links on this page are always the most recent), and
  3. have installed the script and the library according to this guide.

If you find a false-negative or false-positive bug with the script, please notify the developers mailing list or #nmap on Freenode IRC. Output with -d and --script-trace is especially appreciated.
