Numerous online Heartbleed vulnerability scanners have popped up recently. These sites claim that they are able to identify websites that are vulnerable to the OpenSSL Heartbleed bug. So what happens if one of the Heartbleed scanning websites concludes that your site is vulnerable? It means that the owners of the scanner websites know that sensitive data can be retrieved from your site by exploiting the Heartbleed bug.
Personally, I would prefer to use trusted offline tools to check if a server is vulnerable to the Heartbleed bug. Also, if your systems are not accessible on the internet, offline scanning tools are the only option to check for vulnerabilities.
I guess that’s enough for a basic introduction. So what are these offline tools? They are tools that can be run locally on a trusted laptop or machine rather than off an anonymous server on the internet. Currently, Nmap can be used to detect whether your systems are affected. RedHat has also released a Heartbleed Detector in the form of a Python script.
In this article, I will skip the Nessus and Metasploit tools as these two are not completely open source and will instead just concentrate on Nmap and RedHat’s Heartbleed Detector.
Heartbleed Scan Using Nmap
You can download Nmap directly from their website here. If you are running Ubuntu or Fedora, you can install Nmap using the distribution’s package management tool.
$ sudo apt-get install nmap
# yum install nmap
Once installed, run Nmap by specifying the server address and port number.
$ nmap -p 443 --script ssl-heartbleed --script-args vulns.showall 192.168.10.1
Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-11 08:26 a/S
Nmap scan report for router01 (192.168.10.1)
Host is up (0.0010s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   NOT VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|   State: NOT VULNERABLE
|   References:
|     http://www.openssl.org/news/secadv_20140407.txt
|     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_    http://cvedetails.com/cve/2014-0160/
MAC Address: X1:X2:X3:X4:X5:X6
Nmap done: 1 IP address (1 host up) scanned in 4.11 seconds
Nmap will give a short report once it has finished scanning. For the example above, Nmap has determined that the server is not vulnerable to the Heartbleed bug.
Heartbleed Scan Using RedHat Heartbleed Detector
This script from RedHat requires you to have the Python interpreter installed. Download the script from RedHat’s site here. Set the execute bit on the script if you are running it in a UNIX environment. Execute the script by passing it the server IP address and the port number to scan.
$ heartbleed-poc.py 192.168.10.1 -p 443
Scanning 192.168.10.1 on port 443
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0301, length = 53
Message Type is 0x02
 ... received message: type = 22, ver = 0301, length = 461
Message Type is 0x0B
 ... received message: type = 22, ver = 0301, length = 4
Message Type is 0x0E
Server sent server hello done
Server TLS version was 1.1
Sending heartbeat request...
No heartbeat response received from 192.168.10.1, server likely not vulnerable
For the example above, the script has detected that the server is not vulnerable to the Heartbleed bug.
Check OpenSSL version
You can also check the installed version of the OpenSSL library directly on the server to determine if it’s vulnerable to the Heartbleed bug.
$ openssl version
Your OpenSSL installation is vulnerable to Heartbleed if the version output is one of these values:
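As an added example that is not part of the original article, the following Python script automates this version check: it parses an `openssl version` output line and flags the range that the OpenSSL advisory referenced in the Nmap output above (secadv_20140407) lists as affected, 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release. The sample output lines are constructed and the function names are my own.

```python
import re

# CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f inclusive and the
# 1.0.2-beta1 pre-release (OpenSSL advisory secadv_20140407). 1.0.1g, the
# 1.0.0 branch and the 0.9.8 branch are not affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_version(output):
    """Split an `openssl version` line into (major, minor, fix, letter, beta)."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % output)
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def is_heartbleed_version(output):
    """True if the version string falls inside the affected range."""
    major, minor, fix, letter, beta = parse_version(output)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no patch letter) up to and including 1.0.1f; 1.0.1g is the fix
        return letter == "" or letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # only the first 1.0.2 beta shipped with the bug
        return beta == 1
    return False


def classify(output):
    """Verdict for one version line. Distributions such as Debian, Ubuntu and
    Red Hat backported the fix into packages that still report 1.0.1e, so a
    VULNERABLE verdict here means 'unpatched upstream version string' and
    must be confirmed with the Nmap or RedHat scan or the package changelog."""
    if is_heartbleed_version(output):
        return "VULNERABLE version string (confirm with a network scan)"
    return "not a vulnerable version string"


# Constructed sample lines in the format `openssl version` prints.
SAMPLES = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("%-32s -> %s" % (line, classify(line)))
```

Treat a vulnerable verdict as a prompt to run the Nmap or RedHat scan above rather than as proof, since a distribution package can carry the fix while still reporting an old version string.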