Offline Heartbleed Vulnerability Scanner Tools

Numerous online Heartbleed vulnerability scanners have popped up recently. These sites claim that they are able to identify websites that are vulnerable to the OpenSSL Heartbleed bug. So what happens if one of the Heartbleed scanning websites concludes that your site is vulnerable? It means that the owners of the scanner websites know that sensitive data can be retrieved from your site by exploiting the Heartbleed bug.

Personally, I would prefer to use trusted offline tools to check if a server is vulnerable to the Heartbleed bug. Also, if your systems are not accessible on the internet, offline scanning tools are the only option to check for vulnerabilities.

I guess that’s enough for a basic introduction. So what are these offline tools? These are tools that can be run locally on a trusted laptop or machine and not running off an anonymous server on the internet . Currently Nessus, Metasploit and Nmap can be used to detect whether your systems are affected. RedHat has also released a Heartbleed Detector in the form of a python script.

In this article, I will skip the Nessus and Metasploit tools as these two are not completely open source and will instead just concentrate on Nmap and RedHat’s Heartbleed Detector.

Heartbleed Scan Using Nmap

You can download Nmap directly from their website here. If you running on Ubuntu or Fedora, you can install Nmap using the relevant package management tool.

$ sudo apt-get install nmap
# yum install nmap

Once installed, run Nmap by specifing the server address and port number.

$ nmap -p 443 --script ssl-heartbleed --script-args vulns.showall 192.168.10.1

Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-11 08:26 a/S
Nmap scan report for router01 (192.168.10.1)
Host is up (0.0010s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   NOT VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: NOT VULNERABLE
|     References:
|       http://www.openssl.org/news/secadv_20140407.txt
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_      http://cvedetails.com/cve/2014-0160/
MAC Address: X1:X2:X3:X4:X5:X6 

Nmap done: 1 IP address (1 host up) scanned in 4.11 seconds

Nmap will give a short report once it has finished scanning. For the example above, Nmap has determined that the server is not vulnerable to the Hertbleed bug.

Heartbleed Scan Using RedHat Heartbleed Detector

This script from RedHat, requires you to have the Python binary installed. Download the script from RedHat’s site here. Set the Execute bit for the script if you running it on a UNIX environment. Execute the script by passing the server IP address and port number to scan.

$ heartbleed-poc.py 192.168.10.1 -p 443
Scanning 192.168.10.1 on port 443
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0301, length = 53
Message Type is 0x02
 ... received message: type = 22, ver = 0301, length = 461
Message Type is 0x0B
 ... received message: type = 22, ver = 0301, length = 4
Message Type is 0x0E
Server sent server hello done
Server TLS version was 1.1

Sending heartbeat request...
No heartbeat response received from 192.168.10.1, server likely not vulnerable

For the example above, the script has detected that the server is not vulnerable to the Heartbleed bug.

Check OpenSSL version

You can also check the installed version of the OpenSSL library directly on the server to determine if it’s vulnerable to the Hertbleed bug.

$ openssl version

Your OpenSSL installation is vulnerable to Hertbleed if the version output is one of these values: 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1

ibrahim = { interested_in(unix, linux, android, open_source, reverse_engineering); coding(c, shell, php, python, java, javascript, nodejs, react, vuejs); plays_on(xbox, ps4); linux_desktop_user(true); }