Detect the "heartbleed" vulnerability #90

Open
robertdavidgraham opened this issue Apr 8, 2014 · 3 comments

@robertdavidgraham
Owner

commented Apr 8, 2014

No description provided.

@espenfjo

commented Apr 9, 2014

Not sure how well this is working.
Using the original ssltest.py script that started floating around yesterday, I can still find some of these that are still vulnerable: https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt
The bab.la one, for example.

ssltest.py shows it being vulnerable; however, masscan -p443 --banners --heartbleed 85.25.30.170 -dddddddddddddd --packet-trace does not.
It doesn't seem to hit the SSL parsing code at all, getting an RST instead of any form of handshake.
This seems to be the case with more than just this example for me.

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2014-04-09 16:24:44 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
xmit: starting main loop: [0..1]
Scanning 1 hosts [1 port/host]
SENT (1.3097) TCP  xxx.xxx.xxx.xxx:40682    > 85.25.30.170:443      SYN
Transmit thread done, waiting for receive thread to realize this
begin receive thread
RCVD (2.0602) TCP  85.25.30.170:443      > xxx.xxx.xxx.xxx:40682    SYN-ACK
85.25.30.170   :  443: -> TCP ackno=0x2f87f1fe flags=0x12(syn-ack)
85.25.30.170   :  443: =STATE_SYN_SENT : TCP_WHAT_SYNACK
Discovered open port 443/tcp on 85.25.30.170
SENT (2.0601) TCP  xxx.xxx.xxx.xxx:40682    > 85.25.30.170:443      ACK
RCVD (3.0614) TCP  85.25.30.170:443      > xxx.xxx.xxx.xxx:40682    RST-ACK
85.25.30.170   :  443: -> TCP ackno=0x2f87f1fe flags=0x14(rst-ack)
85.25.30.170   :  443: =STATE_READY_TO_SEND : TCP_WHAT_ACK
85.25.30.170 - 0-sending, 0-reciving
85.25.30.170   :  443: =STATE_READY_TO_SEND : TCP_WHAT_RST

@ecstasy2

commented Apr 11, 2014

I am encountering the same issue as @espenfjo. The SSL code is never being called. I stepped through the code and it seems like after the TCP request is sent there is no data sent back.

@b-free

commented Apr 13, 2014

I'm having the same problem as @espenfjo and @ecstasy2.
nmap and other scripts report the host as vulnerable, but masscan does not.

This is not always the case; sometimes masscan does recognize the issue and reports it correctly. My concern is that with those discrepancies the results are not accurate.
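
Added example (not part of the thread and not masscan's own code): a small Python triage over `--packet-trace` output in the format quoted above. It separates targets that reset the connection right after the TCP handshake, where no heartbeat check ever ran, from targets that sent something back, so a missing finding is recorded as inconclusive rather than as "not vulnerable". The sample trace is constructed, its addresses are documentation ranges, and the `PSH-ACK` label is an assumption, since the thread only shows SYN, SYN-ACK, ACK and RST-ACK.

```python
import re

# One SENT/RCVD line of the packet trace, as quoted in the thread.
LINE = re.compile(
    r"^(SENT|RCVD) \(([\d.]+)\) TCP\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)\s+(\S+)$"
)

# Constructed sample (not captured traffic); PSH-ACK is an assumed flag label.
SAMPLE_TRACE = """\
SENT (1.3097) TCP  192.0.2.10:40682    > 198.51.100.7:443      SYN
RCVD (2.0602) TCP  198.51.100.7:443      > 192.0.2.10:40682    SYN-ACK
SENT (2.0601) TCP  192.0.2.10:40682    > 198.51.100.7:443      ACK
RCVD (3.0614) TCP  198.51.100.7:443      > 192.0.2.10:40682    RST-ACK
SENT (1.4000) TCP  192.0.2.10:40683    > 198.51.100.8:443      SYN
RCVD (1.9000) TCP  198.51.100.8:443      > 192.0.2.10:40683    SYN-ACK
SENT (1.9001) TCP  192.0.2.10:40683    > 198.51.100.8:443      ACK
RCVD (2.3000) TCP  198.51.100.8:443      > 192.0.2.10:40683    PSH-ACK
SENT (1.5000) TCP  192.0.2.10:40684    > 198.51.100.9:443      SYN
"""

def classify(trace):
    """Return {(ip, port): verdict} for every target seen in the trace."""
    received = {}  # target -> flags received from it, in line order
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # state-machine and status lines are skipped
        direction, _ts, src, sport, dst, dport, flags = m.groups()
        if direction == "SENT":
            received.setdefault((dst, int(dport)), [])
        else:
            received.setdefault((src, int(sport)), []).append(flags)

    verdicts = {}
    for target, flags in received.items():
        if "SYN-ACK" not in flags:
            verdicts[target] = "no-response"
            continue
        after = flags[flags.index("SYN-ACK") + 1:]
        if not after:
            verdicts[target] = "inconclusive-no-data"
        elif after[0].startswith("RST"):
            # Handshake completed, then the peer reset: the TLS check never ran.
            verdicts[target] = "inconclusive-reset-before-tls"
        else:
            verdicts[target] = "tls-exchange-possible"
    return verdicts

if __name__ == "__main__":
    for (ip, port), verdict in classify(SAMPLE_TRACE).items():
        print(f"{ip}:{port} {verdict}")
```

Targets in either inconclusive state are the ones to re-test with a second tool before recording them as unaffected.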
