Hackin9

Yes, I know that by now you are really tired of hear and read about Heartbleed. You probably already got all testing scripts and tools and are looking on your network for vulnerable servers. 

I was just playing with the Shodan transformer for Maltego and looking for some specific versions of OpenSSL. The results are not good...

Somethings to keep in mind when checking your network is that the tools may not detect all vulnerable hosts since they may be buggy themselves :)

According some research, one of the first scripts released to test the vulnerability, and that most of people still use to identify vulnerable servers contains some bugs that may not detect correctly the vulnerable servers.

The heartbeat request generated on the proof of concept script is:

18 03 02 00 03 01 40 00 <-- the bold bytes basically tell the server to use TLS 1.1, so if the server only supports TLS 1.0 or TLS 1.2 it won't work. Of course that 1.0 and 1.2 are not widely used, so the chance of you having it on your network is small, but still, there is a chance. 

Early last week, while testing different online and offline tools, I also came across different results, so you may want to use different tools on your check.

Network signatures may also provide additional check to help you identify vulnerable hosts. Again there is a chance of False Positives, but it is worth to provide you with more info on your checks.

Snort signatures and network parses for products like Netwitness can also be very effective to detect not only when an exploit was used against your hosts, but most importantly, when your vulnerable host provided information back (the leaked info). 

Happy hunting to you because the bad guys are already hunting!

--------------------

Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Oracle Java SE CVE-2014-0446 Remote Security Vulnerability
 
Borrowing a page from the recently revised Microsoft playbook, development tools maker Telerik has released as open source the bulk of its Kendo software library of components for building Web and mobile applications
 
Internet Storm Center Infocon Status