Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

ISC StormCast for Monday, April 21st 2014

Heartbleed hunting

Published: 2014-04-21
Last Updated: 2014-04-21 01:19:25 UTC
by Pedro Bueno (Version: 1)
1 comment(s)

Yes, I know that by now you are really tired of hear and read about Heartbleed. You probably already got all testing scripts and tools and are looking on your network for vulnerable servers. 

I was just playing with the Shodan transformer for Maltego and looking for some specific versions of OpenSSL. The results are not good...

Somethings to keep in mind when checking your network is that the tools may not detect all vulnerable hosts since they may be buggy themselves :)

According some research, one of the first scripts released to test the vulnerability, and that most of people still use to identify vulnerable servers contains some bugs that may not detect correctly the vulnerable servers.

The heartbeat request generated on the proof of concept script is:

18 03 02 00 03 01 40 00 <-- the bold bytes basically tell the server to use TLS 1.1, so if the server only supports TLS 1.0 or TLS 1.2 it won't work. Of course that 1.0 and 1.2 are not widely used, so the chance of you having it on your network is small, but still, there is a chance. 

Early last week, while testing different online and offline tools, I also came across different results, so you may want to use different tools on your check.

Network signatures may also provide additional check to help you identify vulnerable hosts. Again there is a chance of False Positives, but it is worth to provide you with more info on your checks.

Snort signatures and network parses for products like Netwitness can also be very effective to detect not only when an exploit was used against your hosts, but most importantly, when your vulnerable host provided information back (the leaked info). 

Happy hunting to you because the bad guys are already hunting!


Pedro Bueno (pbueno /%%/ isc. sans. org)

Keywords: heartbleed
1 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Testing your website for the heartbleed vulnerability with nmap
published 2 days ago by Manuel Humberto Santander Pelaacuteez (7 comments)

Looking for malicious traffic in electrical SCADA networks - part 2 - solving problems with DNP3 Secure Authentication Version 5
published 3 days ago by Manuel Humberto Santander Pelaacuteez (1 comment)

Heartbleed CRL Activity Spike Found
published 4 days ago by Alex Stanford (9 comments)

WinXP and/or Win2003 hanged systems because of SC Forefront Endpoint Protection faulty update
published 4 days ago by Manuel Humberto Santander Pelaacuteez (1 comment)

Oracle Critical Patch Update for April 2014
published 4 days ago by Dr. J (0 comments)

Looking for malicious traffic in electrical SCADA networks - part 1
published 5 days ago by Manuel Humberto Santander Pelaacuteez (0 comments)

INFOCon Green: Heartbleed - on the mend
published 6 days ago by Kevin Shortt (8 comments)

View All Diaries →

Latest Discussions

Script kiddie scan
created 1 week ago by Anonymous (0 replies)

Russia and DoS
created 1 month ago by Peter P (0 replies)

Suspiciously quiet on DNS scan activity
created 1 month ago by Thomas (1 reply)

Outbound 6000/TCP traffic to multiple Chinese IPs?
created 1 month ago by SniffingShadow (4 replies)

principle for designing a pen test testing workbencg
created 2 months ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →