Nmap Development mailing list archives

Re: Re: [NSE] SSL Heartbleed


From: Andrew Klaus <andrewklaus () gmail com>
Date: Sat, 12 Apr 2014 17:07:48 -0600

This particular scan was done as root. Really weird.

I'll see about messing around with the heartbeat size.
On Apr 12, 2014 4:46 PM, "Olli Hauer" <ohauer () gmx de> wrote:

I've seen similar results if nmap is running with an unprivileged user;
also in this case the "openssl s_server..." process crashes.
Running the same as root returns that the target is vulnerable and the openssl
process doesn't crash.

--


Patrik Karlsson <patrik () cqure net> wrote:

I think the change of the requested heartbeat size from 16384 to 4073 is
what is causing the issue.
That's whats different from the initial commit that works and the other
code that I have tried.
Revision 32828 changes this back to 16384 while only reading 4073 bytes
back from the server.
There was another issue reported where reading too much data back would
incorrectly report the server as non-vulnerable.

Thanks,
-Patrik


On Sat, Apr 12, 2014 at 5:04 PM, Andrew Klaus <andrewklaus () gmail com>
wrote:

So, I don't think the nmap heartbleed detection script always works,
and I'm not sure why.

There are hosts I know about that it does detect, but this one it
doesn't...

nmap -p 443 --script ssl-heartbleed cloudflarechallenge.com
Nmap scan report for cloudflarechallenge.com (107.170.194.215)
Host is up (0.095s latency).
PORT STATE SERVICE
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 18.19 seconds


If I use the python detection script, it pulls back 64k of memory, so I
know the site is affected by it.

Any ideas?

Thanks
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/




--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
http://www.linkedin.com/in/nevdull77


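The heartbeat-size point Patrik describes (ask for 16384 bytes, read back only 4073, and treat the answer accordingly), as an added example that is not code from this thread, from Nmap's ssl-heartbleed script, or from the python script mentioned. It assumes a server affected by Heartbleed echoes a heartbeat response whose payload_length matches the requested size while an unaffected one sends an alert or nothing; the sample responses are constructed bytes, not captured traffic.

```python
import struct

TLS_HEARTBEAT, TLS_ALERT = 0x18, 0x15
HB_REQUEST, HB_RESPONSE = 1, 2
REQUESTED_LEN = 16384   # size the script asks for (revision 32828)
READ_LIMIT = 4073       # bytes the script actually reads back

def build_heartbeat_request(declared_len=REQUESTED_LEN, version=(3, 2)):
    """TLS heartbeat request that declares `declared_len` payload bytes
    while carrying none; a patched server must ignore it (RFC 6520)."""
    body = struct.pack("!BH", HB_REQUEST, declared_len)
    return struct.pack("!BBBH", TLS_HEARTBEAT, *version, len(body)) + body

def classify_response(raw, read_limit=READ_LIMIT, sent_payload_len=0):
    """Classify the bytes read back after the request, looking at no more
    than `read_limit` of them so the check never waits for a full 16 KiB."""
    buf = raw[:read_limit]
    if len(buf) < 5:
        return "no-response"          # silence: server ignored the request
    ctype, _vmaj, _vmin, _rlen = struct.unpack("!BBBH", buf[:5])
    if ctype == TLS_ALERT:
        return "not-vulnerable"       # explicit rejection of the request
    if ctype != TLS_HEARTBEAT or len(buf) < 8:
        return "unknown"
    hbtype, plen = struct.unpack("!BH", buf[5:8])
    echoed = len(buf) - 8             # payload bytes we actually received
    if hbtype == HB_RESPONSE and plen > sent_payload_len and echoed > 0:
        return "vulnerable"           # server echoed bytes we never sent
    return "not-vulnerable"

# Constructed samples (assumed response shapes, not captured traffic).
def sample_vulnerable_response(plen=REQUESTED_LEN):
    body = struct.pack("!BH", HB_RESPONSE, plen) + b"\x00" * plen + b"\x00" * 16
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body

SAMPLE_ALERT = bytes.fromhex("1503020002020a")   # fatal unexpected_message

if __name__ == "__main__":
    print(build_heartbeat_request().hex())                  # 1803020003014000
    print(classify_response(sample_vulnerable_response()))  # vulnerable
    print(classify_response(SAMPLE_ALERT))                  # not-vulnerable
    print(classify_response(b""))                           # no-response
```

Because `classify_response` only inspects the first 4073 bytes, a vulnerable verdict does not depend on the whole 16384-byte echo arriving, which is the failure mode the thread attributes to reading too much data back.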

