■ Testing CVE-2014-0160 in a local environment with an nmap script

Handling the CVE-2014-0160 vulnerability (Debian Wheezy)
http://labunix.hateblo.jp/entry/20140408/1396963029

How to test if your OpenSSL heartbleeds
https://blog.ipredator.se/2014/04/how-to-test-if-your-openssl-heartbleeds.html

■ How to test without using an external web service

Prepare the nmap script, which is based on ssltest.py.
Note that ssl-heartbleed.nse is not fetched from SVN (only tls.lua is).

$ cd /usr/share/nmap/scripts && \
 sudo wget "http://seclists.org/nmap-dev/2014/q2/att-22/ssl-heartbleed.nse"; \
 cd /usr/share/nmap/nselib && \
 sudo wget "https://svn.nmap.org/nmap/nselib/tls.lua"; \
 sudo nmap --script-updatedb
Starting Nmap 6.00 ( http://nmap.org ) at 2014-04-12 02:11 JST
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.81 seconds

$ sudo nmap --script-help ssl-heartbleed.nse
Starting Nmap 6.00 ( http://nmap.org ) at 2014-04-12 03:02 JST

ssl-heartbleed
Categories: default safe discovery
http://nmap.org/nsedoc/scripts/ssl-heartbleed.html
  Detects whether a server is vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160).
  The code is based on the Python script ssltest.py authored by Jared Stafford (jspenguin@jspenguin.org)

■ List of responses returned by ssl-heartbleed.nse

$ grep return /usr/share/nmap/scripts/ssl-heartbleed.nse | \
 awk -F\' '($2!=""){print "|_ssl-heartbleed: "$2}'
|_ssl-heartbleed: Unexpected EOF receiving record header - server closed connection
|_ssl-heartbleed: Unexpected EOF receiving record payload - server closed connection
|_ssl-heartbleed: No heartbeat response received, server likely not vulnerable
|_ssl-heartbleed: WARNING: server returned more data than it should - server is vulnerable!
|_ssl-heartbleed: Server processed malformed heartbeat, but did not return any extra data.
|_ssl-heartbleed: Server returned error, likely not vulnerable

■ From here on, the test can be run locally

First, start by testing sites that have already been patched for Heartbleed.

$ sudo nmap -sV -p 443 --script ssl-heartbleed.nse 192.168.1.2 | \
 grep "^[P0-9]\|[Ss]erver"
PORT    STATE SERVICE VERSION
443/tcp open  http    Apache httpd 2.2.22 ((Debian))

$ sudo nmap -sV -p 443 --script ssl-heartbleed.nse 192.168.1.1 | \
 grep "^[P0-9]\|server"
PORT    STATE SERVICE    VERSION
443/tcp open  http-proxy Squid http proxy 2.7.STABLE9

■ With the above, there is no port scan result when the port is closed or filtered

Give up on VERSION detection and have the result displayed instead.

$ sudo nmap -sV -p 443 --script ssl-heartbleed.nse 192.168.1.3 | \
 grep "^[P0-9]\|[Ss]erver"

$ sudo nmap -P0 -sT -p 443 --script ssl-heartbleed.nse 192.168.1.3 | \
 grep "^[P0-9]\|[Ss]erver"
PORT    STATE    SERVICE
443/tcp filtered https

■ Testing with priority on the port scan result

Example responses from patched sites that are not Debian.

$ sudo nmap -P0 -sT -p 443 --script ssl-heartbleed.nse 192.168.1.4 | \
 grep "^[P0-9]\|[Ss]erver"
PORT    STATE SERVICE
443/tcp open  https
|_ssl-heartbleed: No heartbeat response received, server likely not vulnerable

$ sudo nmap -P0 -sT -p 443 --script ssl-heartbleed.nse 192.168.1.5 | \
 grep "^[P0-9]\|[Ss]erver"
PORT    STATE SERVICE
443/tcp open  https
|_ssl-heartbleed: Server returned error, likely not vulnerable
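To run the same scan across several local hosts and reduce each result to one status word, here is an added shell example (not from the original post) that wraps the nmap invocation used above. It matches on the ssl-heartbleed.nse return strings listed above and on the PORT line that the -P0 -sT form keeps for closed or filtered ports; the function names and status words are my own choices.

```sh
#!/bin/sh
# Added example (not from the original post): wraps the nmap scan shown above
# and reduces its output to one status word per host. The match strings are
# the ssl-heartbleed.nse return values listed above; anything unmatched is
# reported as UNKNOWN rather than silently passing as "not vulnerable".
# Function names and status words are my own choices, not nmap's.

# classify_heartbleed [port]: read nmap output on stdin, print a status word.
# Runs of spaces are squeezed first so nmap's column padding does not matter.
# Script verdict lines are checked before the PORT line, so an open port with
# a verdict gets the verdict, not NO_SCRIPT_OUTPUT.
classify_heartbleed() {
  port=${1:-443}
  out=$(tr -s ' ')
  case "$out" in
    *"server is vulnerable!"*)                   echo VULNERABLE ;;
    *"likely not vulnerable"*)                   echo NOT_VULNERABLE ;;
    *"did not return any extra data"*)           echo NOT_VULNERABLE ;;
    *"server closed connection"*)                echo INCONCLUSIVE ;;
    *"$port/tcp filtered"*|*"$port/tcp closed"*) echo PORT_UNREACHABLE ;;
    *"$port/tcp open"*)                          echo NO_SCRIPT_OUTPUT ;;
    *)                                           echo UNKNOWN ;;
  esac
}

# scan_host <host> [port]: the -P0 -sT form used above, which needs no root
# and still prints the PORT line when the port is closed or filtered (the
# case the -sV run lost).
scan_host() {
  nmap -P0 -sT -p "${2:-443}" --script ssl-heartbleed.nse "$1" 2>/dev/null |
    classify_heartbleed "${2:-443}"
}

# scan_hosts <host>...: one "host<TAB>status" line per host, for example
#   scan_hosts 192.168.1.2 192.168.1.3 192.168.1.4 192.168.1.5
scan_hosts() {
  for h in "$@"; do
    printf '%s\t%s\n' "$h" "$(scan_host "$h")"
  done
}
```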