Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Testing for Heartbleed - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Testing for Heartbleed

There are a fair few sites popping up testing for this issue.  I know this is possibly overly motherly, sorry, but be careful.  You may not know who is running the site, what they are actually testing for and what is done with the information collected.  Consider sticking to the main sites and known security organisations.  

Metasploit now has a module out (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb). NMAP likewise has a check.  QUALYS has their SSLLABS page.  Other security vendors are also providing checks in their scanning products.  

Not saying the free scanners are "evil", just saying be careful what you use.  

Cheers

Mark H

 Mark

392 Posts
ISC Handler
Apr 9th 2014
Thread locked Subscribe Apr 9th 2014
8 years ago
When I use the SSL Labs site for citicard.com, I can't get a good read on that site. I don't have problems with some other financial sites I have run through the SSL Labs tester.
 Anonymous
Quote Apr 9th 2014
8 years ago
C# stand-alone tool for testing via PacketStormSecurity (Have not tested):

"Authored by John Leitch
Bleed Out is a command line tool written in C# for targeting instances of OpenSSL made vulnerable by the prolific "Heartbleed" bug. The tool aggressively exploits the OpenSSL vulnerability, dumping both ASCII and binary data to files. It also checks the uniqueness of each chunk before persisting it, to ensure that duplicate chunks are not saved"

http://packetstormsecurity.com/files/126100
https://twitter.com/packet_storm
 Taylor

1 Posts
Quote Apr 10th 2014
8 years ago
NMAP hasn't released the version with the script to check for this yet.

There are instructions here http://rollingwebsphere.blogspot.com/2014/04/scanning-for-heartbleed-with-nmap.html for getting it up and running with version 6.40
 Taylor
2 Posts
Quote Apr 10th 2014
8 years ago
Please note that all online tests must be taken "cum grano salis".
At least one of them, in our checking, shows false positives.
-Marlon
 Marlon

9 Posts
Quote Apr 10th 2014
8 years ago
We have discovered that the NMAP script "ssl-heartbleed" may not be reliable. A scan of a Polycom HDX 7000 device did not reveal vulnerability. However, testing with another tool did. Upon checking firmware versions against Polycom's documented vulnerability list, we confirmed vulnerability.
 IMFerret

10 Posts
Quote Apr 11th 2014
8 years ago
NMAP can be used for this too:

http://rollingwebsphere.blogspot.com/2014/04/scanning-for-heartbleed-with-nmap.html
 IMFerret
2 Posts
Quote Apr 14th 2014
8 years ago

Sign Up for Free or Log In to start participating in the conversation!