|
7 | 7 | \fBheartleech\fR \- Exploits OpenSSL heartbleed vulnerability |
8 | 8 | . |
9 | 9 | .SH "SYNOPSIS" |
10 | | -heartleech \fIhost\fR [\-p\fIport\fR] [\-\-dump \fIfilename\fR] [\-\-autopwn] |
| 10 | +heartleech \fIhost\fR [\-\-p \fIport\fR] [\-\-dump \fIfilename\fR] [\-\-autopwn] [\-\-threads \fIn\fR] |
11 | 11 | . |
12 | 12 | .P |
13 | 13 | heartleech \-\-read \fIfilename\fR \-\-cert \fIcertficate\fR |
14 | 14 | . |
| 15 | +.P |
| 16 | +heartleech \-\-scanlist \fIfile\fR |
| 17 | +. |
15 | 18 | .SH "DESCRIPTION" |
16 | 19 | \fBheartleech\fR exploits the well\-known "heartbleed" bug in <= OpenSSL\-1\.0\.1f\. It has a number of features that improve over other heartbleed exploits, such as automatically extracting the SSL private\-key (autopwn)\. |
17 | 20 | . |
18 | 21 | .SH "OPTIONS" |
19 | 22 | . |
20 | 23 | .IP "\(bu" 4 |
21 | | -\fB<host>\fR: the target\'s name, IPv4 address, or IPv6 address\. |
| 24 | +\fB<host>\fR: the target\'s name, IPv4 address, or IPv6 address\. IPv4 ranges separated by a dash work\. This can optionally have a port as part of the name using a colon (e\.g\. \fBwww\.google\.com:25\fR)\. Will try to use STARTTLS on appropriate ports instead of raw SSL\. |
22 | 25 | . |
23 | 26 | .IP "\(bu" 4 |
24 | 27 | \fB\-\-autopwn\fR: sets "auto\-pwn" mode, which automatically searches the bleeding buffers for the private\-key\. If the private\-key is found, it will be printed to \fIstdout\fR, and the program will exit\. |
@@ -98,14 +101,38 @@ $ grep \-iobUaP "Cookie:\.*\en" bleed\.bin |
98 | 101 | . |
99 | 102 | .IP "" 0 |
100 | 103 | . |
101 | | -.SH "IDS EVASION" |
102 | | -Soon after the Heartbleed vulnerability was announced, many people published \'rules\' for Snort\-like intrusion\-detection engines\. These rules all trigger on the pattern |18 03| in the first two bytes of the TCP payloads\. |
103 | | -. |
104 | 104 | .P |
105 | | -By default, this program avoids putting that pattern in the first two bytes\. Instead, it tries to put those bytes elsewhere in the payload\. Thus, this program should genrally avoid that sort of detection\. |
| 105 | +You can scan for vulnerable targets instead of dumping information: |
| 106 | +. |
| 107 | +.IP "" 4 |
| 108 | +. |
| 109 | +.nf |
| 110 | + |
| 111 | +$ heartleech \-\-scanlist hostlist\.txt \-\-scan 10\.0\.0\.0\-10\.0\.0\.255:992 \-\-threads 1000 |
| 112 | +. |
| 113 | +.fi |
| 114 | +. |
| 115 | +.IP "" 0 |
106 | 116 | . |
107 | 117 | .P |
108 | | -Note that this isn\'t complete IDS evasion\. The open\-source Bro program, and many commercial products, do a full SSL protocol decode, and therefore catch this exploit no matter where it is in the packet\. Also, by the time you read this, it\'s probable that the Snort\-like engines will have upgraded their code to support SSL decodes as well\. |
| 118 | +Hosts in the this file use the same format as other hostnames, meaning they can be ranges, and also have ports specified\. Scan speed is likely dictated by the number of threads you have\. You can have a lot of threads, but scanning will still be slower than \fBmasscan\fR\. The "verdict" from scanning is |
| 119 | +. |
| 120 | +.IP "" 4 |
| 121 | +. |
| 122 | +.nf |
| 123 | + |
| 124 | +* `SAFE` if we know for certain the target is safe, because it either |
| 125 | + doesn\'t support heartbeats at all, or is patched against the bug |
| 126 | + |
| 127 | +* `VULNERABLE` if we know for certain that the target is vulnerable, |
| 128 | + because we got back a bleed |
| 129 | + |
| 130 | +* `INCONCLUSIVE` if we don\'t get a response \-\- which usually means that the |
| 131 | + target is safe, but we can\'t tell for sure |
| 132 | +. |
| 133 | +.fi |
| 134 | +. |
| 135 | +.IP "" 0 |
109 | 136 | . |
110 | 137 | .SH "SEE ALSO" |
111 | 138 | masscan(8) |
|
0 commit comments