robertdavidgraham / masscan

TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
GNU Affero General Public License v3.0

Detect the "heartbleed" vulnerability #90

Open robertdavidgraham opened 10 years ago

espenfjo commented 10 years ago

Not sure how well this is working. Using the original ssltest.py script that started floating around yesterday I can still find some of these that are still vulnerable https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt the bab.la one for example.

ssltest.py shows it being vulnerable; however, masscan -p443 --banners --heartbleed 85.25.30.170 -dddddddddddddd --packet-trace does not. It doesn't seem to hit the SSL parsing code at all, getting an RST instead of any form of handshake. This seems to be the case with more than just this example for me.

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2014-04-09 16:24:44 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
xmit: starting main loop: [0..1]
Scanning 1 hosts [1 port/host]
SENT (1.3097) TCP  xxx.xxx.xxx.xxx:40682    > 85.25.30.170:443      SYN
Transmit thread done, waiting for receive thread to realize this
begin receive thread
RCVD (2.0602) TCP  85.25.30.170:443      > xxx.xxx.xxx.xxx:40682    SYN-ACK
85.25.30.170   :  443: -> TCP ackno=0x2f87f1fe flags=0x12(syn-ack)
85.25.30.170   :  443: =STATE_SYN_SENT : TCP_WHAT_SYNACK
Discovered open port 443/tcp on 85.25.30.170
SENT (2.0601) TCP  xxx.xxx.xxx.xxx:40682    > 85.25.30.170:443      ACK
RCVD (3.0614) TCP  85.25.30.170:443      > xxx.xxx.xxx.xxx:40682    RST-ACK
85.25.30.170   :  443: -> TCP ackno=0x2f87f1fe flags=0x14(rst-ack)
85.25.30.170   :  443: =STATE_READY_TO_SEND : TCP_WHAT_ACK
85.25.30.170 - 0-sending, 0-reciving
85.25.30.170   :  443: =STATE_READY_TO_SEND : TCP_WHAT_RST
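
The trace above shows the pattern that matters for triaging this report: the three-way handshake completes (SYN, SYN-ACK, ACK) and the server then answers with RST-ACK before any application data, so masscan's TLS parser never sees a byte and a "not vulnerable" result is really "never tested". The following is an added example, not code from the masscan project or from this thread: a small Python parser for SENT/RCVD lines in the shape of masscan's `--packet-trace` output that separates targets which reset before any payload from targets where data actually arrived. The sample traces are constructed (documentation addresses), and the use of a received PSH-bearing segment as the indicator of application data is an assumption about the trace format, not something the page states.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the --packet-trace lines quoted above
# (addresses replaced with documentation ranges): handshake, then RST-ACK.
TRACE_RESET = """\
SENT (1.3097) TCP  10.0.0.1:40682    > 192.0.2.10:443      SYN
RCVD (2.0602) TCP  192.0.2.10:443      > 10.0.0.1:40682    SYN-ACK
SENT (2.0601) TCP  10.0.0.1:40682    > 192.0.2.10:443      ACK
RCVD (3.0614) TCP  192.0.2.10:443      > 10.0.0.1:40682    RST-ACK
"""

# Constructed counter-example where the server did send data. The "PSH-ACK"
# flag string for a data segment is an assumption, not taken from the report.
TRACE_DATA = """\
SENT (0.1000) TCP  10.0.0.1:40683    > 192.0.2.20:443      SYN
RCVD (0.2000) TCP  192.0.2.20:443      > 10.0.0.1:40683    SYN-ACK
SENT (0.2001) TCP  10.0.0.1:40683    > 192.0.2.20:443      ACK
RCVD (0.4000) TCP  192.0.2.20:443      > 10.0.0.1:40683    PSH-ACK
"""

# Matches only the SENT/RCVD packet lines; state-machine and counter lines
# ("=STATE_...", "0-sending, 0-reciving") are deliberately skipped.
PKT_RE = re.compile(
    r"^(?P<dir>SENT|RCVD)\s+\([\d.]+\)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>[A-Z-]+)\s*$"
)


@dataclass
class Exchange:
    """Everything observed for one target:port, in log order."""
    target: str
    port: int
    flags_seen: list = field(default_factory=list)  # (direction, flags)

    @property
    def saw_synack(self):
        return ("RCVD", "SYN-ACK") in self.flags_seen

    @property
    def sent_ack(self):
        return ("SENT", "ACK") in self.flags_seen

    @property
    def saw_reset(self):
        return any(d == "RCVD" and "RST" in f for d, f in self.flags_seen)

    @property
    def saw_payload(self):
        # Assumption: a received segment carrying PSH is the data indicator.
        return any(d == "RCVD" and "PSH" in f for d, f in self.flags_seen)


def parse_trace(text):
    """Group packet lines by the remote target:port they belong to."""
    exchanges = {}
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        if m["dir"] == "SENT":
            key = (m["dst"], int(m["dport"]))
        else:
            key = (m["src"], int(m["sport"]))
        ex = exchanges.setdefault(key, Exchange(*key))
        ex.flags_seen.append((m["dir"], m["flags"]))
    return exchanges


def classify(ex):
    """Say whether the banner/TLS stage could have run for this target."""
    if not ex.saw_synack:
        return "no-synack"              # closed or filtered; nothing to test
    if ex.saw_payload:
        return "payload-received"       # the TLS parser had data to work on
    if ex.saw_reset:
        return "reset-before-payload"   # handshake done, then RST, no data
    return "no-payload"                 # open but silent within the trace


def triage(text):
    """Map 'ip:port' to its verdict for every target in a trace."""
    return {f"{ex.target}:{ex.port}": classify(ex)
            for ex in parse_trace(text).values()}


if __name__ == "__main__":
    for name, trace in (("reset", TRACE_RESET), ("data", TRACE_DATA)):
        print(name, triage(trace))
```

Run against a full `--packet-trace` log for many hosts, this separates "reset-before-payload" targets (where the `--heartbleed` check never had input and the result says nothing about the host) from "payload-received" ones, which is the distinction the discrepancy with ssltest.py and nmap turns on.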

ecstasy2 commented 10 years ago

I am encountering the same issue as @espenfjo. The SSL code is never being called. I stepped through the code and it seems like after the TCP request is sent there is no data sent back.

b-free commented 10 years ago

I'm having the same problem as @espenfjo and @ecstasy2: nmap and other scripts report the host as vulnerable but masscan does not.

This is not always the case; sometimes masscan does recognize the issue and reports it correctly. My concern is that with those discrepancies the results are not accurate.