Friday, May 9, 2014

Heartbleed: Scanning Uncommon SSL Ports

Alright, I lied in a previous post. Definitely not done riding the Heartbleed bandwagon.

While we were scanning for Heartbleed at my company, it mostly helped us find systems that were vulnerable when the vendor or system owner claimed it was clean (That's a fun conversation to have with a system engineer).

But occasionally the vendor would claim their system was vulnerable and our Nmap scan wouldn't find it. During the flurry of activity we didn't have much time to look into it, so we just applied any available patches.

Later on, though, I did some digging through the NSE code and found that the ssl-heartbleed script uses a file called shortport.lua, which is a library for common port/protocol associations (HTTP as 80 and 443, etc.). Well, there's an interesting list in there:

Long story short, these are the ports (plus a few others in a different method call) that ssl-heartbleed will attempt the Heartbleed check on. If you have something listening on an uncommon SSL port (as, apparently, we do at my company), ssl-heartbleed won't check it unless you add the port to this list.

The convenient part is that after adding the port to the list you can simply save the file, run nmap --script-updatedb, and you're good to go. Pretty easy.
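Before editing the list by hand, it helps to know exactly which of your SSL listeners the script would skip. The script below is an added example, not code from the original post or from the Nmap project: it parses a Lua port table of the `NAME = {...}` shape that shortport.lua uses, compares it against an inventory of ports you know carry SSL, reports the gap, and produces the merged table line you would paste back into the file. The embedded Lua snippet and all port numbers are constructed for illustration and are not a copy of Nmap's real list; the `max_ports` cap is my own sanity check, not an Nmap limit.

```python
import re

# Constructed sample in the shape of the NSE shortport.lua port table.
# The table name and port values are illustrative only, NOT Nmap's real list.
SAMPLE_SHORTPORT_LUA = """\
-- constructed sample, not Nmap's shortport.lua
SSL_PORTS = {443, 465, 636, 993, 995, 8443}
"""

# Matches a one-line Lua table assignment such as `SSL_PORTS = {443, 8443}`,
# keeping the leading indentation so it can be written back unchanged.
_TABLE_RE = re.compile(r'^([ \t]*)(\w+)\s*=\s*\{([^}]*)\}', re.MULTILINE)


def parse_port_table(lua_src, name="SSL_PORTS"):
    """Return the set of port numbers found in the Lua table `name = {...}`."""
    for m in _TABLE_RE.finditer(lua_src):
        if m.group(2) == name:
            return {int(p) for p in re.findall(r'\d+', m.group(3))}
    raise ValueError(f"table {name} not found in source")


def missing_ports(lua_src, inventory, name="SSL_PORTS"):
    """Ports from your inventory that the script's port rule would not match."""
    return sorted(set(inventory) - parse_port_table(lua_src, name))


def patch_port_table(lua_src, extra, name="SSL_PORTS", max_ports=64):
    """Return the source with `extra` merged into the table (sorted, de-duplicated).

    `max_ports` is a hypothetical sanity cap so a typo does not turn the
    scan into a sweep of hundreds of ports; it is not an Nmap limit.
    """
    merged = sorted(parse_port_table(lua_src, name) | {int(p) for p in extra})
    if len(merged) > max_ports:
        raise ValueError(f"{len(merged)} ports exceeds cap of {max_ports}")
    new_body = ", ".join(str(p) for p in merged)

    def repl(m):
        if m.group(2) != name:
            return m.group(0)          # leave other tables untouched
        return f"{m.group(1)}{name} = {{{new_body}}}"

    return _TABLE_RE.sub(repl, lua_src)


def coverage_report(lua_src, inventory, name="SSL_PORTS"):
    """Summarise which inventory ports are covered and which would be skipped."""
    table = parse_port_table(lua_src, name)
    covered = sorted(set(inventory) & table)
    skipped = sorted(set(inventory) - table)
    return {"covered": covered, "skipped": skipped}


if __name__ == "__main__":
    # Constructed inventory: ports where we know an SSL service is listening.
    inventory = [443, 4433, 8443, 9443]
    print("coverage:", coverage_report(SAMPLE_SHORTPORT_LUA, inventory))
    print(patch_port_table(SAMPLE_SHORTPORT_LUA, missing_ports(SAMPLE_SHORTPORT_LUA, inventory)))
```

Run it against a copy of your own shortport.lua (read the file into `lua_src`) and your asset inventory; anything under "skipped" is a port the script will silently ignore until you add it and re-run nmap --script-updatedb.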

I would, however, caution against adding large numbers of ports here for a number of reasons.

1. As sad as it is, a number of applications will crash if they receive a packet formed this way (for instance Netscreen and HP iLO), so that could cause you some headaches.

2. It will take a long time if your IP address space is sizeable at all.

3. NSE might not support a list that large.