Testing your website for the heartbleed vulnerability with nmap

Published: 2014-04-18
Last Updated: 2014-04-18 17:08:52 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
9 comment(s)

We have received reports by many readers about buggy tools to test for the heartbleed vulnerability. Today I want to show you how easy it is to check for this vulnerability using a reliable tool as nmap.

You just need to trigger a version scan (-sV) along with the script (ssl-heartbleed). The following example with show a command that will scan for this bug:

nmap -sV --script=ssl-heartbleed

This will be the output for a non-vulnerable website. As you can see, no warnings are shown:

ssl-heartbleed output

If you are vulnerable, you will get the following:

Vulnerable message for heartbleed

For vulnerability testing, always use reliable tools which won't contain malicious code infecting your computer and won't give you false positive messages.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org

9 comment(s)


My understanding is that you have to use the latest version of Nmap, AND you have to download the nmap script (http://nmap.org/nsedoc/scripts/ssl-heartbleed.html) as well as the tls.lua file(https://svn.nmap.org/nmap/nselib/tls.lua)

I had to. :)
For just "ssl-heartbleed" on non std port (-sV is slow):

edit ssl-heartbleed.nse portrule function to always return true

portrule = function(host, port)
-- return shortport.ssl(host, port) or sslcert.isPortSupported(port)
return true

[cgm@silver ~]$ nmap -p1133 --script=ssl-heartbleed

Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-18 21:29 EEST
Nmap scan report for
Host is up (0.13s latency).
1133/tcp open unknown
| ssl-heartbleed:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
The too-common practice of backporting makes anything based upon a version check unreliable and prone to false positives.
Do you suppose they could further revise the OpenSSL patch to not merely FIX the vulnerability, but also log the fact that an exploit attempt occured, so this information can be used to gather intelligence on potential attackers at the syslog collection point? :)
This information would be much more useful if you mentioned that you need the script and where to find it and any other libraries etc. As it is it is useless.

The script (ssl-heartbleed.nse) is in the latest version of nmap, as of today, anyways. I didn't need to download any additional files.
The ssl-heartbleed.nse in nmap 6.46 will scan for the issue on ports other than 443. The original version did not, and had a few other issues.
Thank you for sharing.
<a href="http://holy.be">Test my site</a>

Diary Archives