Wednesday, April 9, 2014

Scanning for Heartbleed with NMAP

UPDATE: This script has now been released in NMAP 6.45 and is available upon download.

UPDATE: For advice on scanning efficiently, see my post here

Patrik Karlsson (@nevdull77) created an excellent script to scan for Heartbleed using NMAP. It's still in development, and hasn't been included in an official release yet, but here's how to get it if you're looking for it.

NOTE: Shout out to @bonsaiviking for pointing me towards the right files.

DISCLAIMER: Obviously this script may change without warning. I did not write the script, I am interested only in providing helpful instructions to install it quickly if you want to use it before it is officially released.

Download the latest version of nmap for your operating system here (

Save the file into the scripts directory in your download of nmap

Save the file into your nselib directory.

You can now run nmap with the -d3 option (I'd recommend dumping this to a file) and search for the debug statements listed in the script (such as "Unexpected EOF receiving record header - server closed connection", "Unexpected EOF receiving record payload - server closed connection", "No heartbeat response received, server likely not vulnerable") to make sure you have it running correctly.

UPDATE: It may be a good idea to run with --script-updatedb - Thanks to @TomSellers for pointing this out

At this point, scan as you normally would. If the script detects the heartbleed vulnerability, it will provide you with output similar what is in the description:

-- 443/tcp open  https
-- | ssl-heartbleed:
-- |   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
-- |     State: VULNERABLE
-- |     Risk factor: High
-- |     Description:
-- |       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
-- |
-- |     References:
-- |
-- |
-- |_
-- @args ssl-heartbleed.protocols (default tries all) TLS 1.0, TLS 1.1, or TLS 1.2

UPDATE: The scan I've been using most frequently is: nmap -sC --script=ssl-heartbleed -p 443 <IP Range>. This targets 443 specifically. If you are accepting SSL connections on a different port, you should scan that as well.