El script Nmap para HeartBleed (con Nmap v7.40) parece funcionar solo en puertos conocidos. Cuando se utiliza un puerto no estándar, la secuencia de comandos no informa nada.
nmap -p 46000 --script ssl-heartbleed -script-args vulns.showall -sV x.x.x.x
Starting Nmap 7.40 ( https://nmap.org ) at 2018-06-26 03:23 EDT
Nmap scan report for x.x.x.x.in-addr.arpa (x.x.x.x)
Host is up (0.0048s latency).
PORT STATE SERVICE VERSION
46000/tcp open http nginx 1.5.12
|_http-server-header: nginx/1.5.12
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.08 seconds
Usar la depuración -d
no ayuda mucho, pero ver que el script no hace nada aparentemente.
Según lo solicitado en los comentarios:
nmap -p 46000 -n -Pn -sV --version-trace x.x.x.x
Starting Nmap 7.40 ( https://nmap.org ) at 2018-06-26 15:38 EDT
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI:
NSE: Loaded 40 scripts for scanning.
Packet capture filter (device eth0): dst host 192.168.80.131 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host x.x.x.x)))
Overall sending rates: 10.78 packets / s, 474.44 bytes / s.
NSOCK INFO [0.8860s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.8860s] nsock_connect_tcp(): TCP connection requested to x.x.x.x:46000 (IOD #1) EID 8
NSOCK INFO [0.9240s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [x.x.x.x:46000]
Service scan sending probe NULL to x.x.x.x:46000 (tcp)
NSOCK INFO [0.9240s] nsock_read(): Read request from IOD #1 [x.x.x.x:46000] (timeout: 6000ms) EID 18
NSOCK INFO [6.9250s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 18 [x.x.x.x:46000]
Service scan sending probe GenericLines to x.x.x.x:46000 (tcp)
NSOCK INFO [6.9250s] nsock_write(): Write request for 4 bytes to IOD #1 EID 27 [x.x.x.x:46000]
NSOCK INFO [6.9250s] nsock_read(): Read request from IOD #1 [x.x.x.x:46000] (timeout: 5000ms) EID 34
NSOCK INFO [6.9250s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [x.x.x.x:46000]
NSOCK INFO [11.9320s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 34 [x.x.x.x:46000]
NSOCK INFO [11.9320s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [11.9320s] nsock_iod_new2(): nsock_iod_new (IOD #2)
NSOCK INFO [11.9330s] nsock_connect_tcp(): TCP connection requested to x.x.x.x:46000 (IOD #2) EID 40
NSOCK INFO [11.9690s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 40 [x.x.x.x:46000]
Service scan sending probe GetRequest to x.x.x.x:46000 (tcp)
NSOCK INFO [11.9690s] nsock_write(): Write request for 18 bytes to IOD #2 EID 51 [x.x.x.x:46000]
NSOCK INFO [11.9690s] nsock_read(): Read request from IOD #2 [x.x.x.x:46000] (timeout: 5000ms) EID 58
NSOCK INFO [11.9690s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 51 [x.x.x.x:46000]
NSOCK INFO [12.0520s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 58 [x.x.x.x:46000] (346 bytes)
Service scan match (Probe GetRequest matched with GetRequest line 6609): x.x.x.x:46000 is http. Version: |nginx|1.5.12||
NSOCK INFO [12.0520s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
NSE: Script scanning x.x.x.x.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting http-server-header against x.x.x.x:46000.
NSOCK INFO [12.0530s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [12.0550s] nsock_connect_tcp(): TCP connection requested to x.x.x.x:46000 (IOD #1) EID 8
NSE: Finished http-server-header against x.x.x.x:46000.
NSE: Starting runlevel 2 (of 2) scan.
Nmap scan report for x.x.x.x
Host is up (0.036s latency).
Scanned at 2018-06-26 15:38:40 EDT for 11s
PORT STATE SERVICE VERSION
46000/tcp open http nginx 1.5.12
Final times for host: srtt: 36338 rttvar: 36338 to: 181690
Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.22 seconds
(echo -en 'GET / HTTP/1.0\r\n\r\n'; sleep 2) | nc x.x.x.x 46000 | (hd || xxd || hexdump)
00000000 48 54 54 50 2f 31 2e 31 20 33 30 32 20 4d 6f 76 |HTTP/1.1 302 Mov|
00000010 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 0d 0a |ed Temporarily..|
00000020 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 2e |Server: nginx/1.|
00000030 35 2e 31 32 0d 0a 44 61 74 65 3a 20 57 65 64 2c |5.12..Date: Wed,|
00000040 20 32 37 20 4a 75 6e 20 32 30 31 38 20 31 36 3a | 27 Jun 2018 16:|
00000050 33 32 3a 30 39 20 47 4d 54 0d 0a 43 6f 6e 74 65 |32:09 GMT..Conte|
00000060 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 |nt-Type: text/ht|
00000070 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 |ml..Content-Leng|
00000080 74 68 3a 20 31 36 31 0d 0a 43 6f 6e 6e 65 63 74 |th: 161..Connect|
00000090 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 4c 6f 63 61 |ion: close..Loca|
000000a0 74 69 6f 6e 3a 20 68 74 74 70 73 3a 2f 2f 3a 34 |tion: https://:4|
000000b0 36 30 30 30 2f 0d 0a 0d 0a 3c 68 74 6d 6c 3e 0d |6000/....<html>.|
000000c0 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 |.<head><title>30|
000000d0 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c |2 Found</title><|
000000e0 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 |/head>..<body bg|
000000f0 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a |color="white">..|
00000100 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 |<center><h1>302 |
00000110 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 |Found</h1></cent|
00000120 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 |er>..<hr><center|
00000130 3e 6e 67 69 6e 78 2f 31 2e 35 2e 31 32 3c 2f 63 |>nginx/1.5.12</c|
00000140 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d |enter>..</body>.|
00000150 0a 3c 2f 68 74 6d 6c 3e 0d 0a |.</html>..|