Script tls-ticketbleed
Script types:
portrule
Categories:
vuln, safe
Download: https://svn.nmap.org/nmap/scripts/tls-ticketbleed.nse
Script Summary
Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).
For additional information:
- https://filippo.io/Ticketbleed/
- https://blog.filippo.io/finding-ticketbleed/
- https://support.f5.com/csp/article/K05121675
Script Arguments
- tls-ticketbleed.protocols
(default tries all) TLSv1.0, TLSv1.1, or TLSv1.2
- tls.servername
See the documentation for the tls library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username
See the documentation for the mssql library.
- smtp.domain
See the documentation for the smtp library.
- randomseed, smbbasic, smbport, smbsign
See the documentation for the smb library.
- vulns.short, vulns.showall
See the documentation for the vulns library.
Example Usage
nmap -p 443 --script tls-ticketbleed <target>
Script Output
| tls-ticketbleed: | VULNERABLE: | Ticketbleed is a serious issue in products manufactured by F5, a popular vendor of TLS load-balancers. The issue allows for stealing information from the load balancer | State: VULNERABLE (Exploitable) | Risk factor: High | Ticketbleed is vulnerability in the implementation of the TLS SessionTicket extension found in some F5 products. It allows the leakage ("bleeding") of up to 31 bytes of data from uninitialized memory. This is caused by the TLS stack padding a Session ID, passed from the client, with data to make it 32-bits long. | Exploit results: | 2ab2ea6a4c167fbe8bf0b36c7d9ed6d3 | *..jL......l}... | References: | https://filippo.io/Ticketbleed/ | https://blog.filippo.io/finding-ticketbleed/ |_ https://support.f5.com/csp/article/K05121675
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html