YAHP: Yet Another Heartbleed Post
Update: Daniel Miller told me this modification is not necessary. You can force a script to run on all open ports, regardless of the result of the portrule function, by prefixing the script name with a +. Like this: nmap -p443 --script +ssl-heartbleed cloudflarechallenge.com
I’ve read that some people are surprised by Nmap’s ssl-heartbleed.nse script behavior: that it will not test all ports.
The script is designed to test only ports with SSL. This is encoded in the portrule function:

portrule = function(host, port)
  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
end
It’s explained here that you should do a service version detection scan (-sV) so that the script will test unusual ports.
If you don’t want to do a service version detection scan, you could change the portrule function to always return true, hence forcing a test on all open ports.
But that is not a desirable solution; it is better to use a script argument, so that testing of all ports can be forced only when it is really necessary.
I copied ssl-heartbleed.nse (SHA1 7540E31EF133226648616DF6534A8BD58C35A3D6) to ssl-heartbleed-force.nse and changed the portrule function like this:
49c49 < return shortport.ssl(host, port) or sslcert.isPortSupported(port) --- > return stdnse.get_script_args(SCRIPT_NAME .. ".force") or shortport.ssl(host, port) or sslcert.isPortSupported(port)
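Review bot: the new first disjunct on line 49, `stdnse.get_script_args(SCRIPT_NAME .. ".force")`, matches every port the rule is offered, with no protocol check, whereas `shortport.ssl` only ever matches TCP ports; if the forced script is run together with a UDP scan it will also be scheduled against open UDP ports, where its TLS handshake cannot succeed. Consider `(stdnse.get_script_args(SCRIPT_NAME .. ".force") and port.protocol == "tcp")` for that clause, or state in the script description that the force argument is meant for TCP scans. Returning the argument value rather than a boolean is fine, since NSE only tests the portrule result for truthiness.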
With this change, ssl-heartbleed-force will behave exactly like ssl-heartbleed, unless you use script argument ssl-heartbleed-force.force, like this:
nmap -p443 --script ssl-heartbleed-force --script-args ssl-heartbleed-force.force cloudflarechallenge.com
This script argument will force the test on all open ports.
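The same idea can be written as a reusable wrapper, so that any NSE script can get a "scriptname.force" argument without editing its portrule by hand. The Lua below is an added example, not code from the original post or from Nmap's ssl-heartbleed.nse; the helper name forced_portrule and the extra check that the forced match applies only to TCP ports are assumptions made here, the rest uses the standard shortport, sslcert and stdnse libraries exactly as the original script does.

```lua
-- Added example (not from the original post or from Nmap): a reusable wrapper
-- that gives any NSE portrule a "<scriptname>.force" argument, generalizing the
-- one-line change made to ssl-heartbleed-force.nse.
local shortport = require "shortport"
local sslcert = require "sslcert"
local stdnse = require "stdnse"

-- Returns a portrule that behaves exactly like base_rule unless the script
-- argument "<SCRIPT_NAME>.force" is given, in which case it matches every
-- open TCP port. The protocol check is an assumption added here: without it,
-- a forced rule would also match open UDP ports from a combined -sU scan.
local function forced_portrule(base_rule)
  return function(host, port)
    -- A bare "--script-args name.force" is stored as a truthy value, so
    -- the presence of the argument alone is enough to enable forcing.
    local force = stdnse.get_script_args(SCRIPT_NAME .. ".force")
    if force and port.protocol == "tcp" then
      return true
    end
    return base_rule(host, port)
  end
end

-- The original ssl-heartbleed rule, unchanged: SSL ports only.
local function ssl_rule(host, port)
  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
end

-- What ssl-heartbleed-force.nse would use in place of its original portrule.
-- Invoked as: nmap -p- --script ssl-heartbleed-force \
--                  --script-args ssl-heartbleed-force.force <target>
portrule = forced_portrule(ssl_rule)
```

Because the argument is looked up with SCRIPT_NAME, the wrapper keeps working when the script file is renamed, which matters when a copy like ssl-heartbleed-force.nse lives next to the original: each copy only reacts to its own argument, and neither one changes the behavior of the other.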