Welcome back, my budding hackers!
Recently, I showed you how you could exploit the widely disseminated OpenSSL vulnerability that has come to be known as "Heartbleed". Although the world has known about this vulnerability for over a month now, it will likely take many more months—or even years—for everyone to close this vulnerability.
Last week, Errata Security scanned the Web on port 443 looking for servers still affected by Heartbleed, and found over 300,000 servers possibly still vulnerable, as compared to the 600,000+ from a month ago. If history is any judge, some websites will likely never patch this vulnerability. If that is the case, we can keep using this exploit for some time to come.
In this tutorial, I will show you how to test a website/IP address to determine whether it is vulnerable to Heartbleed.
The first step is to fire up Kali and get an nmap prompt. Fortunately, nmap is in our PATH variable, so we can run it from any command prompt. The folks at insecure.org (Fyodor and friends) developed a script that scans a website to determine whether it is vulnerable to this OpenSSL bug. That is what we will be using here.
Of course, you can just copy and paste it into the Leafpad text editor in Kali (or any text editor) and save it to the same nmap scripts location.
The nmap Heartbleed scanner requires a special library file to be effective. That file is tls.lua. Download it here or copy it to /usr/share/nmap/nselib.
With the Heartbleed script and the tls.lua library in place, we now are ready to begin hunting for vulnerable websites. The syntax for running this script is:
nmap -sV --script=ssl-heartbleed 192.168.89.186
Remember, I'm running it against a web server in my lab on my LAN here. When running against web servers on the Internet, simply replace my private IP with the public IP of the web server.
If the website is vulnerable to the Heartbleed attack, you should get results similar to those below.
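When you run the same scan against a whole address range (with -oX so nmap writes XML), the results need to be turned into a list of hosts that still need the OpenSSL patch. The following is an added Python example, not code from the original post or from nmap, that parses that XML and extracts the hosts whose ssl-heartbleed result is "State: VULNERABLE"; the XML it works on is constructed sample data with private lab addresses.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (shaped like the real format); the
# addresses are private lab addresses, not real scan results.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script=ssl-heartbleed -oX scan.xml 192.168.89.0/24">
  <host><address addr="192.168.89.186" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/>
      <service name="https" product="Apache httpd"/>
      <script id="ssl-heartbleed" output="&#xa;  VULNERABLE:&#xa;  The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.&#xa;    State: VULNERABLE&#xa;    Risk factor: High"/>
    </port></ports></host>
  <host><address addr="192.168.89.187" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/>
      <service name="https"/>
      <script id="ssl-heartbleed" output="&#xa;  NOT VULNERABLE:&#xa;    State: NOT VULNERABLE"/>
    </port></ports></host>
  <host><address addr="192.168.89.188" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/>
      <service name="http"/></port></ports></host>
</nmaprun>
"""

def heartbleed_findings(xml_text):
    """Return {(addr, port): state} for every port on which ssl-heartbleed ran.
    Test for 'State: NOT VULNERABLE' before 'State: VULNERABLE': a naive
    substring test for 'VULNERABLE' also matches the NOT VULNERABLE line the
    script prints with --script-args vulns.showall, flagging patched hosts."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            script = port.find("script[@id='ssl-heartbleed']")
            if script is None:  # script did not run here (e.g. plain HTTP on 80)
                continue
            out = script.get("output", "")
            if "State: NOT VULNERABLE" in out:
                state = "NOT VULNERABLE"
            elif "State: VULNERABLE" in out:
                state = "VULNERABLE"
            else:
                state = "UNKNOWN"  # e.g. TLS handshake failed; re-check by hand
            findings[(addr_el.get("addr"), port.get("portid"))] = state
    return findings

def hosts_to_patch(xml_text):
    """Sorted 'addr:port' entries still reporting VULNERABLE, for the patch queue."""
    return sorted(f"{a}:{p}" for (a, p), s in heartbleed_findings(xml_text).items() if s == "VULNERABLE")
```

Feed it the file written by -oX instead of SAMPLE_NMAP_XML to get the patch list for a real scan of your own hosts.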
As most web administrators are slow to patch vulnerabilities, many web servers are still vulnerable to the Heartbleed attack. You can use this tool to find those servers and then use the Heartbleed exploit to extract critical information from the memory of the server, if it is vulnerable.