Didier Stevens

Thursday 24 April 2014

ssl-hearbleed.nse mod

Filed under: Networking,Vulnerabilities — Didier Stevens @ 7:36

YAHP: Yet Another Heartbleed Post

Update: Daniel Miller told me this modification is not necessary. You can force a script to run on all open ports, regardless of the result of the portrule function, by prefixing the scriptname with a +. Like this: nmap -p443 –script +ssl-heartbleed cloudflarechallenge.com


I’ve read that some people are surprised by Nmap’s ssl-heartbleed.nse script behavior: that it will not test all ports.

The script is designed to test only ports with ssl. This is encoded in the portrule function:

portrule = function(host, port)
  return shortport.ssl(host, port) or sslcert.isPortSupported(port)

It’s explained here that you should do a service version detection scan (-sV) so that the script will test unusual ports.

If you don’t want to do a service version detection scan, you could change the portrule function to always return true, hence forcing a test on all open ports.

But this solution is not desired, it’s better to use a script argument to be able to force testing when really necessary.

I copied ssl-heartbleed.nse (SHA1 7540E31EF133226648616DF6534A8BD58C35A3D6) to ssl-heartbleed-force.nse and changed the portrule function like this:

<   return shortport.ssl(host, port) or sslcert.isPortSupported(port)
>   return stdnse.get_script_args(SCRIPT_NAME .. ".force") or shortport.ssl(host, port) or sslcert.isPortSupported(port)

With this change, ssl-heartbleed-force will behave exactly like ssl-heartbleed, unless you use script argument ssl-heartbleed-force.force, like this:

nmap --p443 --script ssl-heartbleed-force --script-args ssl-heartbleed-force.force cloudflarechallenge.com

This script argument will force the test on all open ports.


  1. Hello. You have a great blog and post some excellent material that explains a lot to the reader.

    Apologies. This actually relates to a post you did in 2008 on digital signatures and the cryptographic service. I have a question on the ‘cryptsvc ‘ and how this relates to the catroot2 directory in windows 7.

    In the presence of malware/rootkit or virus, does stopping the “net stop cryptsvc” command provide any malicious code an advantage to do something/register itself hidden?

    If in net/stopped, and you then rename or delete the catroot2 folder, does a malware then have an opportunity to hide itself?

    This question comes from a problem with the network adapter and being unable to disable the local network connection. A solution is to net stop cryptsvc and rename the catroot2 folder to resolve it. What would happen if the problem is caused by undetected malicious code or rootkit? Does stopping cryptsvc with a rootkit make things worse?

    Thank you.

    Comment by Eva — Wednesday 7 May 2014 @ 7:10

  2. @Eva What do you mean with hidden? Like a rootkit?

    Comment by Didier Stevens — Thursday 8 May 2014 @ 8:45

  3. Hi thank you for replying. Yes. Does stopping the cryptsvc in the presence of malicious code make you more vulnerable?

    My understanding is the catroot2 catalogs are automatically regenerated when the folder is removed/renamed. If you had a malware process running at the same time, are you more vulnerable? i.e. could a rootkit/malware take advantage of the situation? (Would it be a bad idea to reset the catroot2 folder if you had malware?)

    Would like to know more about it, but not sure how to ask the right questions. Thank you.

    Comment by Anonymous — Thursday 8 May 2014 @ 9:14

  4. So you mean that you stop the cryptsvc service while malware is active on your machine? And said malware has admin rights?

    Comment by Didier Stevens — Thursday 8 May 2014 @ 20:34

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.