Script tls-ticketbleed

Script types: portrule
Categories: vuln, safe

Script Summary

Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).

For additional information:

Script Arguments


(default tries all) TLSv1.0, TLSv1.1, or TLSv1.2


See the documentation for the tls library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username

See the documentation for the mssql library.


See the documentation for the smtp library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -p 443 --script tls-ticketbleed <target>

Script Output

| tls-ticketbleed:
|   Ticketbleed is a serious issue in products manufactured by F5, a popular
vendor of TLS load-balancers. The issue allows for stealing information from
the load balancer
|     State: VULNERABLE (Exploitable)
|     Risk factor: High
|       Ticketbleed is vulnerability in the implementation of the TLS
SessionTicket extension found in some F5 products. It allows the leakage
("bleeding") of up to 31 bytes of data from uninitialized memory. This is
caused by the TLS stack padding a Session ID, passed from the client, with
data to make it 32-bits long.
|     Exploit results:
|       2ab2ea6a4c167fbe8bf0b36c7d9ed6d3
|       *..jL......l}...
|     References:



  • Mak Kolybabi <>

License: Same as Nmap--See