Monday, August 25, 2014

Masscan does STARTTLS

Just a quick note: I've updated my port-scanner masscan to support STARTTLS, including Heartbleed checks. Thus, if you scan:

masscan 192.168.0.0/16 -p0-65535 --banners --heartbleed

...then it'll find not only all vulnerable SSL servers, but also vulnerable SMTP/POP3/IMAP4/FTP servers using STARTTLS.

The issue is that there are two ways unencrypted protocols can support SSL. One is to assign a new port number (like 443 instead of 80), establish the SSL connection first, then run the normal protocol within the encrypted tunnel. The second way is the method SMTP uses: it starts the normal unencrypted SMTP session, then issues the "STARTTLS" command to convert the connection to SSL, then continues with SMTP encrypted.

Here's what a scan will look like:

Banner on port 143/tcp on 198.51.100.42: [ssl] cipher:0x39 , imap.example.com  
Banner on port 143/tcp on 198.51.100.42: [vuln] SSL[heartbeat] SSL[HEARTBLEED] 
Banner on port 143/tcp on 198.51.100.42: [imap] * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.\x0a* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5\x0aa001 OK Capability completed.\x0aa002

Because of the --banners option, we see the normal IMAP4 banners. Because the banner advertises STARTTLS, masscan will attempt to execute that feature. The SSL banner shows the name of the system "imap.example.com", and the vulnerability banner shows that it has heartbeats enabled, and that the software is vulnerable to Heartbleed.

I suggest you run this on all your outward-facing sites on all ports (-p0-65535) to find lots of Heartbleed-vulnerable services that your normal vulnerability scanner might've missed.
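A scan of a whole /16 on all ports produces a lot of banner lines, so here is a small added example (not part of masscan or this post) that folds the "Banner on port ..." lines shown above into one record per ip:port: whether the plaintext banner advertised STARTTLS, whether an [ssl] banner followed (the upgrade actually handshook), the host name from the SSL banner, and whether the [vuln] banner flagged HEARTBLEED. The sample input is constructed from the abridged IMAP output above plus a made-up SMTP server, and the line format is assumed to match what this version of masscan prints.

```python
import re
# Constructed sample: the IMAP lines from the scan above (abridged) plus one
# made-up SMTP server that advertises STARTTLS but never produced an [ssl] banner.
SAMPLE_OUTPUT = r"""
Banner on port 143/tcp on 198.51.100.42: [ssl] cipher:0x39 , imap.example.com
Banner on port 143/tcp on 198.51.100.42: [vuln] SSL[heartbeat] SSL[HEARTBLEED]
Banner on port 143/tcp on 198.51.100.42: [imap] * OK [CAPABILITY IMAP4rev1 IDLE STARTTLS AUTH=PLAIN] Dovecot ready.\x0aa001 OK Capability completed.
Banner on port 25/tcp on 198.51.100.7: [smtp] 220 mail.example.com ESMTP\x0a250-STARTTLS\x0a250 OK
"""

# Shape of a --banners line as printed above (assumed stable across versions).
BANNER_RE = re.compile(r"^Banner on port (?P<port>\d+)/(?P<proto>tcp|udp) on "
                       r"(?P<ip>[\d.]+): \[(?P<kind>[^\]]+)\] (?P<text>.*)$")

def parse_banner(line):
    """Split one banner line into port/proto/ip/kind/text, or None."""
    m = BANNER_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Fold every banner line for one ip:port into a single record."""
    services = {}
    for line in lines:
        rec = parse_banner(line)
        if rec is None:
            continue
        svc = services.setdefault(f"{rec['ip']}:{rec['port']}", {
            "starttls_advertised": False, "tls_established": False,
            "hostname": None, "heartbleed": False})
        kind, text = rec["kind"], rec["text"]
        if kind == "ssl":
            # [ssl] means a handshake completed (STARTTLS or native SSL port); name follows the comma.
            svc["tls_established"] = True
            parts = [p.strip() for p in text.split(",", 1)]
            svc["hostname"] = parts[1] if len(parts) == 2 and parts[1] else None
        elif kind == "vuln":
            svc["heartbleed"] = "SSL[HEARTBLEED]" in text
        else:
            # Plaintext banner (imap, smtp, pop3, ftp): did it offer STARTTLS?
            svc["starttls_advertised"] = bool(re.search(r"\bSTARTTLS\b", text))
    return services

def heartbleed_services(services):
    """ip:port keys whose [vuln] banner carried the HEARTBLEED flag."""
    return sorted(k for k, v in services.items() if v["heartbleed"])

def advertised_not_established(services):
    """Offered STARTTLS but no [ssl] banner followed: re-check these by hand."""
    return sorted(k for k, v in services.items()
                  if v["starttls_advertised"] and not v["tls_established"])
```

Servers that advertise STARTTLS without a following [ssl] banner are the ones a scanner silently gives up on, so they deserve a manual look rather than being treated as clean.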

I've probably introduced a bug doing this, so please update your code and try this out, and notify me of any bugs.


Note: if you want to also grab the full certificate with the SSL connection, use the option --capture cert to dump the BASE64 X.509 certificates as part of the scan.

1 comment:

Zac said...

Thanks for the update.