0

I am looking to improve my skills. To do so, I need a site with an old OpenSSL version so that I can do a pentest on my own.

schroeder

2 Answers

5

It should be easy to create one of your own, which is usually preferable. Fire up Apache, install an old libssl (prior to 1.0.1f) and give your install a self-signed cert. Then, generate some traffic with curl.

You should be able to fire up your exploit and start reading memory.

It's probably best to do this in a VM, since you don't want anyone else exploiting your test bed.

Kyros
2

Cloudflare operates some servers over at cloudflarechallenge.com that are vulnerable to Heartbleed.

You can verify it with nmap:

```
sudo nmap --script ssl-heartbleed cloudflarechallenge.com -d
```

```
443/tcp open  https   syn-ack
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
```
binaryanomaly
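For triaging `ssl-heartbleed` results like the output above across several hosts in your own lab, here is an added example (not part of the original answers) that parses nmap's normal text output into per-port findings. The host names, the 192.0.2.x addresses, the abridged sample text and the function names are all constructed for illustration.

```python
import re

# Constructed, abridged sample in the shape of the nmap output quoted above.
# Hosts and addresses are placeholders, not real scan results.
SAMPLE = """\
Nmap scan report for lab-a.example (192.0.2.10)
443/tcp open  https   syn-ack
| ssl-heartbleed:
|   VULNERABLE:
|     State: VULNERABLE
|_    Risk factor: High
8443/tcp open  https-alt syn-ack

Nmap scan report for lab-b.example (192.0.2.11)
443/tcp open  https   syn-ack
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|[ _]([\w-]+):")          # "| script-name:" header
STATE_RE = re.compile(r"^\|[ _]\s+State:\s*(.+)$")   # indented "State:" line


def heartbleed_findings(text):
    """One dict per open port; 'NOT REPORTED' means no ssl-heartbleed block appeared."""
    findings, host, current, in_script = [], None, None, False
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, current, in_script = m.group(1), None, False
        elif m := PORT_RE.match(line):
            current, in_script = None, False   # a new port line ends any script block
            if m.group(3) == "open":
                current = {"host": host, "port": int(m.group(1)), "state": "NOT REPORTED"}
                findings.append(current)
        elif m := SCRIPT_RE.match(line):
            in_script = m.group(1) == "ssl-heartbleed"   # ignore other scripts' State lines
        elif in_script and current and (m := STATE_RE.match(line)):
            current["state"] = m.group(1).strip()
    return findings


def vulnerable_endpoints(text):
    # Only endpoints whose ssl-heartbleed block explicitly says VULNERABLE.
    return [(f["host"], f["port"]) for f in heartbleed_findings(text)
            if f["state"] == "VULNERABLE"]
```
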