Scan for Heartbleed using nmap from a Windows machine

You may have heard of "Heartbleed", a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption.

It is possible to scan for the presence of this vulnerability using different methods.
This page explains how you can scan for it from a Windows machine using nmap.

Added April 15th, 2014: It turns our that the nmap NSE script may not be able to detect all cases of the Heartbleed bug (see http://www.hut3.net/blog/cns---networks-security/2014/04/14/bugs-in-hear... ). So definitely also check the version of the installed OpenSSL library on your machines or the version packaged with your software!

Installing nmap and adding the Heartbleed detection script to it can be done as follows on a Windows machine:

  1. Download the Windows version of nmap. You can download it from http://nmap.org/download.html#windows. As a Windows-user you have two possible downloads:
    1. Self-installer: The Nmap executable Windows installer can handle WinPcap installation, registry performance tweaks, and decompressing the executables and data files into your preferred location. It also includes the Zenmap graphical frontend. You can skip all the complexity of the Windows zip files with a self-installer. At the time of writing, the direct download link to the latest version of the self-installer is http://nmap.org/dist/nmap-6.40-setup.exe
    2. Command-line zipfile: If you already have WinPcap and the Visual C++ Redistributable package installed on your system and you want to have nmap running from a special directory or from a USB drive, you can download the zip file. (if you don't have these installed yet, the packages are present in the ZIP file). At the time of writing, the direct download link to the latest version of the command-line zipfile is http://nmap.org/dist/nmap-6.40-win32.zip
    3. Download the nmap NSE script to scan for heartbleed. The file to download is https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse and you should save it in the scripts subfolder of the directory in which you installed nmap.
    4. Download an additional NSE library. The file to download is https://svn.nmap.org/nmap/nselib/tls.lua and you should save it in the nselib subfolder of the directory in which you installed nmap.
    5. Run the following command to update the NSE script rule database: nmap --script-updatedb
      1. Now nmap is ready to scan for heartbleed on your machines. Attention Windows 7 and 8 users: you have to run the nmap command as Administrator. So I recommend to start a DOS Command Prompt as administrator (right-click and then select "Run as administrator") and to start nmap from within this window.

        The nmap command-line to scan for heartbleed is the following:
        nmap.exe -p 443 --script ssl-heartbleed -oN heartbleed_443 192.168.1.17
        The command-line options that we specify mean the following:

    • -p 443: This indicates the port that we want to scan. Here we only scan port 443 which is the most common SSL/TLS port. If you have SSL/TLS servers running on other ports, you can add them by separating them with commas, e.g. -p 443,8080,8443,8888. If you leave out the -p parameter, nmap will scan a default list of the most common ports.
    • --script ssl-heartbleed: This indicates that the heartbleed script should be executed on every found open port.
    • -oN heartbleed_443: Output scan in normal format to the given filename (in this case the filename will be heartbleed_443.nmap
    • 192.168.1.17: This indicates the machine to scan.

    If nmap detects that a machine is vulnerable for heartbleed, then the output will look as follows:

    C:\TOOLS\nmap-6.40>nmap -p 443 --script ssl-heartbleed 192.168.1.17
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-09 20:43 Romance Daylight Time
    
    Nmap scan report for 192.168.1.17
    Host is up (0.0010s latency).
    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-heartbleed:
    |   VULNERABLE:
    |   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
    |     State: VULNERABLE
    |     Risk factor: High
    |     Description:
    |       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
    |
    |     References:
    |       http://cvedetails.com/cve/2014-0160/
    |       http://www.openssl.org/news/secadv_20140407.txt
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
    MAC Address: 00:00:00:00:00:00 (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 13.32 seconds
    

    If nmap detects that a machine is not vulnerable for heartbleed, then the output will look as follows:

    C:\TOOLS\nmap-6.40>nmap -p 443 --script ssl-heartbleed 192.168.1.17
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-09 20:49 Romance Daylight Time
    
    Nmap scan report for 192.168.1.17
    Host is up (0.0011s latency).
    PORT    STATE SERVICE
    443/tcp open  https
    MAC Address: 00:00:00:00:00:00 (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 24.84 seconds
    

    Additional links:

Tags: 

You might also be interested in...