Nmap HeartBleed script does not seem to work on non-standard ports

The Nmap script for HeartBleed (with Nmap v7.40) seems to work only on well-known ports. When a non-standard port is used, the script reports nothing.

nmap -p 46000 --script ssl-heartbleed -script-args vulns.showall -sV x.x.x.x 

Starting Nmap 7.40 ( https://nmap.org ) at 2018-06-26 03:23 EDT
Nmap scan report for x.x.x.x.in-addr.arpa (x.x.x.x)
Host is up (0.0048s latency).
PORT      STATE SERVICE VERSION
46000/tcp open  http    nginx 1.5.12
|_http-server-header: nginx/1.5.12

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.08 seconds

Using -d debugging doesn't help much, but I can see that the script apparently does nothing.

As requested in the comments:

nmap -p 46000 -n -Pn -sV --version-trace x.x.x.x 
Starting Nmap 7.40 ( https://nmap.org ) at 2018-06-26 15:38 EDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 40 scripts for scanning.
Packet capture filter (device eth0): dst host 192.168.80.131 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host x.x.x.x)))
Overall sending rates: 10.78 packets / s, 474.44 bytes / s.
NSOCK INFO [0.8860s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.8860s] nsock_connect_tcp(): TCP connection requested to x.x.x.x:46000 (IOD #1) EID 8
NSOCK INFO [0.9240s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [x.x.x.x:46000]
Service scan sending probe NULL to x.x.x.x:46000 (tcp)
NSOCK INFO [0.9240s] nsock_read(): Read request from IOD #1 [x.x.x.x:46000] (timeout: 6000ms) EID 18
NSOCK INFO [6.9250s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 18 [x.x.x.x:46000]
Service scan sending probe GenericLines to x.x.x.x:46000 (tcp)
NSOCK INFO [6.9250s] nsock_write(): Write request for 4 bytes to IOD #1 EID 27 [x.x.x.x:46000]
NSOCK INFO [6.9250s] nsock_read(): Read request from IOD #1 [x.x.x.x:46000] (timeout: 5000ms) EID 34
NSOCK INFO [6.9250s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [x.x.x.x:46000]
NSOCK INFO [11.9320s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 34 [x.x.x.x:46000]
NSOCK INFO [11.9320s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [11.9320s] nsock_iod_new2(): nsock_iod_new (IOD #2)
NSOCK INFO [11.9330s] nsock_connect_tcp(): TCP connection requested to x.x.x.x:46000 (IOD #2) EID 40
NSOCK INFO [11.9690s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 40 [x.x.x.x:46000]
Service scan sending probe GetRequest to x.x.x.x:46000 (tcp)
NSOCK INFO [11.9690s] nsock_write(): Write request for 18 bytes to IOD #2 EID 51 [x.x.x.x:46000]
NSOCK INFO [11.9690s] nsock_read(): Read request from IOD #2 [x.x.x.x:46000] (timeout: 5000ms) EID 58
NSOCK INFO [11.9690s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 51 [x.x.x.x:46000]
NSOCK INFO [12.0520s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 58 [x.x.x.x:46000] (346 bytes)
Service scan match (Probe GetRequest matched with GetRequest line 6609): x.x.x.x:46000 is http.  Version: |nginx|1.5.12||
NSOCK INFO [12.0520s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
NSE: Script scanning x.x.x.x.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting http-server-header against x.x.x.x:46000.
NSOCK INFO [12.0530s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [12.0550s] nsock_connect_tcp(): TCP connection requested to x.x.x.x:46000 (IOD #1) EID 8
NSE: Finished http-server-header against x.x.x.x:46000.
NSE: Starting runlevel 2 (of 2) scan.
Nmap scan report for x.x.x.x
Host is up (0.036s latency).
Scanned at 2018-06-26 15:38:40 EDT for 11s
PORT      STATE SERVICE VERSION
46000/tcp open  http    nginx 1.5.12
Final times for host: srtt: 36338 rttvar: 36338  to: 181690

Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.22 seconds

(echo -en 'GET / HTTP/1.0\r\n\r\n'; sleep 2) | nc x.x.x.x 46000 | (hd || xxd || hexdump)
00000000  48 54 54 50 2f 31 2e 31  20 33 30 32 20 4d 6f 76  |HTTP/1.1 302 Mov|
00000010  65 64 20 54 65 6d 70 6f  72 61 72 69 6c 79 0d 0a  |ed Temporarily..|
00000020  53 65 72 76 65 72 3a 20  6e 67 69 6e 78 2f 31 2e  |Server: nginx/1.|
00000030  35 2e 31 32 0d 0a 44 61  74 65 3a 20 57 65 64 2c  |5.12..Date: Wed,|
00000040  20 32 37 20 4a 75 6e 20  32 30 31 38 20 31 36 3a  | 27 Jun 2018 16:|
00000050  33 32 3a 30 39 20 47 4d  54 0d 0a 43 6f 6e 74 65  |32:09 GMT..Conte|
00000060  6e 74 2d 54 79 70 65 3a  20 74 65 78 74 2f 68 74  |nt-Type: text/ht|
00000070  6d 6c 0d 0a 43 6f 6e 74  65 6e 74 2d 4c 65 6e 67  |ml..Content-Leng|
00000080  74 68 3a 20 31 36 31 0d  0a 43 6f 6e 6e 65 63 74  |th: 161..Connect|
00000090  69 6f 6e 3a 20 63 6c 6f  73 65 0d 0a 4c 6f 63 61  |ion: close..Loca|
000000a0  74 69 6f 6e 3a 20 68 74  74 70 73 3a 2f 2f 3a 34  |tion: https://:4|
000000b0  36 30 30 30 2f 0d 0a 0d  0a 3c 68 74 6d 6c 3e 0d  |6000/....<html>.|
000000c0  0a 3c 68 65 61 64 3e 3c  74 69 74 6c 65 3e 33 30  |.<head><title>30|
000000d0  32 20 46 6f 75 6e 64 3c  2f 74 69 74 6c 65 3e 3c  |2 Found</title><|
000000e0  2f 68 65 61 64 3e 0d 0a  3c 62 6f 64 79 20 62 67  |/head>..<body bg|
000000f0  63 6f 6c 6f 72 3d 22 77  68 69 74 65 22 3e 0d 0a  |color="white">..|
00000100  3c 63 65 6e 74 65 72 3e  3c 68 31 3e 33 30 32 20  |<center><h1>302 |
00000110  46 6f 75 6e 64 3c 2f 68  31 3e 3c 2f 63 65 6e 74  |Found</h1></cent|
00000120  65 72 3e 0d 0a 3c 68 72  3e 3c 63 65 6e 74 65 72  |er>..<hr><center|
00000130  3e 6e 67 69 6e 78 2f 31  2e 35 2e 31 32 3c 2f 63  |>nginx/1.5.12</c|
00000140  65 6e 74 65 72 3e 0d 0a  3c 2f 62 6f 64 79 3e 0d  |enter>..</body>.|
00000150  0a 3c 2f 68 74 6d 6c 3e  0d 0a                    |.</html>..|
asked by user1156544 26.06.2018 - 13:56

1 Answer

The trick is to make the port pass the specified "rule". One way to force the script to operate on the port is to specify the port with -p while running the script with the + prefix:

nmap -p 46000 --script +ssl-heartbleed -script-args vulns.showall -sV x.x.x.x 

Starting Nmap 7.40 ( https://nmap.org ) at 2018-06-26 03:27 EDT
Nmap scan report for x.x.x.x.in-addr.arpa (x.x.x.x)
Host is up (0.0051s latency).
PORT      STATE SERVICE VERSION
46000/tcp open  http    nginx 1.5.12
|_http-server-header: nginx/1.5.12
| ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|           
|     References:
|       http://www.openssl.org/news/secadv_20140407.txt 
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_      http://cvedetails.com/cve/2014-0160/

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.78 seconds

This time the script detected the vulnerability.

answered by user1156544 26.06.2018 - 13:56
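Why the answer's `+` prefix is needed, as an added illustration that is not part of the original question or answer and not Nmap's own code. The ssl-heartbleed script only runs on a port that passes its portrule, `shortport.ssl`: the port must either have been tagged by service detection as running behind an SSL tunnel (what -sV prints as `ssl/http`), or have a number or service name on Nmap's lists of likely-SSL ports and services. In the trace above, -sV matched the plaintext `GetRequest` probe as plain `http` with no tunnel, and 46000 is on no list, so the rule fails and the script is silently skipped. A leading `+` in `--script` forces the script past its rule. The Python model below reproduces that selection logic; the port and service lists are an assumed illustrative subset, not the full tables from nse/shortport.lua.

```python
"""Model of how Nmap decides whether ssl-heartbleed runs against a port.

Added example, not Nmap's code. It mirrors the shape of shortport.ssl
(tunnel check, then likely-SSL port number or service name) and the
'+' forcing prefix accepted by --script.
"""
from dataclasses import dataclass
from typing import Optional

# Illustrative subsets of Nmap's LIKELY_SSL_PORTS / LIKELY_SSL_SERVICES (assumption).
LIKELY_SSL_PORTS = {443, 465, 563, 636, 993, 995, 8443}
LIKELY_SSL_SERVICES = {"https", "https-alt", "smtps", "imaps", "pop3s", "ldapssl"}


@dataclass
class Port:
    number: int
    protocol: str = "tcp"
    service: Optional[str] = None   # name from -sV (or nmap-services when -sV is absent)
    tunnel: Optional[str] = None    # "ssl" when -sV saw the service behind TLS


def ssl_portrule(port: Port) -> bool:
    """True when shortport.ssl would accept this port for ssl-heartbleed."""
    if port.tunnel == "ssl":          # -sV reported e.g. ssl/http
        return True
    if port.protocol != "tcp":
        return False
    return port.number in LIKELY_SSL_PORTS or port.service in LIKELY_SSL_SERVICES


def script_runs(script_spec: str, port: Port) -> bool:
    """Whether the script given in --script runs against `port`.

    A leading '+' forces the script to run even though its portrule fails.
    Only ssl-heartbleed is modelled here.
    """
    forced = script_spec.startswith("+")
    name = script_spec.lstrip("+")
    if name != "ssl-heartbleed":
        raise ValueError(f"unmodelled script: {name}")
    return forced or ssl_portrule(port)


def explain(script_spec: str, port: Port) -> str:
    """One-line summary of the selection decision, for reading at the console."""
    verdict = "runs" if script_runs(script_spec, port) else "skipped (portrule failed)"
    return f"--script {script_spec} on {port.number}/{port.protocol} {port.service}: {verdict}"


if __name__ == "__main__":
    # The port from the question: matched as plain http, no ssl tunnel recorded.
    asked = Port(46000, service="http")
    print(explain("ssl-heartbleed", asked))       # skipped (portrule failed)
    print(explain("+ssl-heartbleed", asked))      # runs
    # What would have made the rule pass without forcing:
    print(explain("ssl-heartbleed", Port(46000, service="http", tunnel="ssl")))  # runs
    print(explain("ssl-heartbleed", Port(443, service="http")))                  # runs
```

Forcing with `+` only makes the script attempt its own TLS handshake on the port; if the port does not actually speak TLS, it still reports nothing, so the clean result in the answer (where 46000 also redirected to `https://:46000/`) is the expected one. When -sV does record the tunnel (`ssl/http` in the PORT column), the plain `--script ssl-heartbleed` form runs without the prefix.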
