Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Testing your website for the heartbleed vulnerability with nmap - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Testing your website for the heartbleed vulnerability with nmap

We have received reports by many readers about buggy tools to test for the heartbleed vulnerability. Today I want to show you how easy it is to check for this vulnerability using a reliable tool as nmap.

You just need to trigger a version scan (-sV) along with the script (ssl-heartbleed). The following example with show a command that will scan for this bug:

nmap -sV --script=ssl-heartbleed

This will be the output for a non-vulnerable website. As you can see, no warnings are shown:

ssl-heartbleed output

If you are vulnerable, you will get the following:

Vulnerable message for heartbleed

For vulnerability testing, always use reliable tools which won't contain malicious code infecting your computer and won't give you false positive messages.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org

Manuel Humberto Santander Pelaacuteez

195 Posts
ISC Handler
Apr 18th 2014
My understanding is that you have to use the latest version of Nmap, AND you have to download the nmap script ( as well as the tls.lua file(

I had to. :)

17 Posts
For just "ssl-heartbleed" on non std port (-sV is slow):

edit ssl-heartbleed.nse portrule function to always return true

portrule = function(host, port)
-- return shortport.ssl(host, port) or sslcert.isPortSupported(port)
return true

[cgm@silver ~]$ nmap -p1133 --script=ssl-heartbleed

Starting Nmap 6.45 ( ) at 2014-04-18 21:29 EEST
Nmap scan report for
Host is up (0.13s latency).
1133/tcp open unknown
| ssl-heartbleed:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.

2 Posts
The too-common practice of backporting makes anything based upon a version check unreliable and prone to false positives.

40 Posts
Do you suppose they could further revise the OpenSSL patch to not merely FIX the vulnerability, but also log the fact that an exploit attempt occured, so this information can be used to gather intelligence on potential attackers at the syslog collection point? :)

146 Posts
This information would be much more useful if you mentioned that you need the script and where to find it and any other libraries etc. As it is it is useless.

3 Posts
1 Posts
The script (ssl-heartbleed.nse) is in the latest version of nmap, as of today, anyways. I didn't need to download any additional files.

31 Posts
The ssl-heartbleed.nse in nmap 6.46 will scan for the issue on ports other than 443. The original version did not, and had a few other issues.
Rob VandenBrink

578 Posts
ISC Handler
Thank you for sharing.
<a href="">Test my site</a>

1 Posts

Sign Up for Free or Log In to start participating in the conversation!