ssl test poc

  •      http://filippo.io/Heartbleed/ (An online test for exposure to Heartbleed) and https://github.com/FiloSottile/Heartbleed (The codebase the @filippoindicates is running on the site)
  •     http://pastebin.com/WmxzjkXJ (ssltest.py)
  •     https://www.ssllabs.com/ssltest/index.html (An online test for exposure to Heartbleed)
  •     https://github.com/rapid7/metasploit-framework/pull/3206/files (Metasploit module)
  •     https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse (Nmap NSE script)
  •     https://gist.github.com/bonsaiviking/10402038 (Guide for using Nmap script)
  •     https://github.com/titanous/heartbleeder?files=1  (POC in Go)
  •     https://github.com/mothran/tlslite/tree/master/scripts
  •     https://gist.github.com/rcvalle/10223042 (A C version from @rcvalle)
  •     https://bitbucket.org/fb1h2s/cve-2014-0160/src (Scanner in python) and http://www.garage4hackers.com/entry.php?b=2551 (Writeup)
  •     https://gist.github.com/RealRancor/10140249 (OpenVAS NASL script) and
  •     https://www.nth-dimension.org.uk/pub/s_client-vs-cve-2014-0160.diff.txt(Patch which allows exploitation using the OpenSSL client)
  •     https://gist.github.com/anantshri/10238615 (Modified for readability)
  •     http://1337day.com/exploit/22114 (Exploit POC)
  •     https://play.google.com/store/apps/details?id=com.bblabs.heartbleedscanner (Mobile test for exposure)
  •     https://github.com/HackerFantastic/Public/blob/master/exploits/heartbleed.c(Exploit POC)
  •     https://github.com/sensepost/heartbleed-poc (Exploit POC)
  •     https://gist.github.com/eelsivart/10174134 (Improved on ssltest.py)
  •     http://www.tenable.com/plugins/index.php?view=single&id=73404 (Official Tenable NASL plugin)
  •     https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic (Chrome plugin using test by Filippo Valsorda)
  •     https://nextsuite.websecurify.com/apps/heartbleed/  (Test multiple targets)
  •     https://lastpass.com/heartbleed/ (Test for exposure with added features for lastpass users)
  •     https://play.google.com/store/apps/details?id=com.lookout.heartbleeddetector (Mobile detector)

来源:https://blog.bugcrowd.com/heartbleed-exploit-yet/

思科设备检查脚本:http://blog.didierstevens.com/2014/04/18/heartbleed-testing-from-a-cisco-ios-router-ssltest-tcl/

大规模检测可以使用https://github.com/robertdavidgraham/heartleech的工具进行测试

BurpSuit的插件见https://github.com/xxux11/BurpHeartbleedExtension,可以在项目中查看使用方法

获取私钥的POChttps://github.com/robertdavidgraham/heartleech

通过静态分析的方法检测

http://security.coverity.com/blog/2014/Apr/on-detecting-heartbleed-with-static-analysis.html

图形化检测工具:

http://www.crowdstrike.com/community-tools/

发表评论