Packages and Binaries:


This is a typical “heartbleed” tool. It can scan for systems vulnerable to the bug, and then be used to download them. Some important features:

  • conclusive/inconclusive verdicts as to whether the target is vulnerable
  • bulk/fast download of heartbleed data into a large files for offline processing using many threads
  • automatic retrieval of private keys with no additional steps
  • some limited IDS evasion
  • STARTTLS support
  • IPv6 support
  • Tor/Socks5n proxy support
  • extensive connection diagnostic information

Installed size: 2.76 MB
How to install: sudo apt install heartleech

  • libc6
  • libpcre3

Exploits OpenSSL heartbleed vulnerability

root@kali:~# man heartleech
HEARTLEECH(8)                                                    HEARTLEECH(8)

       heartleech - Exploits OpenSSL heartbleed vulnerability

       heartleech host [-pport] [--dump filename] [--autopwn]

       heartleech --read filename --cert certficate

       heartleech   exploits   the   well-known   "heartbleed"   bug   in   <=
       OpenSSL-1.0.1f. It has a number of features  that  improve  over  other
       heartbleed  exploits,  such  as  automatically  extracting the SSL pri-
       vate-key (autopwn).

       o   <host>: the target's name, IPv4 address, or IPv6 address.

       o   --autopwn: sets "auto-pwn" mode, which automatically  searches  the
           bleeding  buffers for the private-key. If the private-key is found,
           it will be printed to stdout, and the program will exit.

       o   --cert: in offline mode, this option tells the program the certifi-
           cate  to  load. A certificate, containing the public-key, is needed
           in order to search data for the matching components  of  a  private
           key.  In online mode, this option isn't necessary, because the cer-
           tificate is fetched from the server duing the SSL handshake.

       o   -d: sets the 'debug' flag, which causes a lot of debug  information
           to  be  printed to stderr. Using this will help diagnose connection
           problems. You should use this the first time you connect to  a  new
           host, just to make sure things are working well.

       o   --dump  <filename>:  the file where bleeding information is stored.
           Typically, the user will use this  program  to  grab  data  from  a
           server, then use other tools to search those files for things, such
           as cookies, passwords, and private strings.

       o   --ipver <ver>: sets the version of IP to use, either 4 for IPv4  or
           6  for IPv6. Otherwise, the program tries to guess from the address
           given, or chooses whichever is  first  when  doing  a  DNS  lookup.
           Shorter options of --ipv6 and --ipv4 also work.

       o   --loop  <count>:  the  number  of times to loop and try a heartbeat
           again. The default count is 1000000 (one-million).  A  count  of  1
           grabs just a single heartbeat.

       o   --port <port>: the port number to connect to on the target machine.
           If not specified, the port number 443 will be used.

       o   --proxy <host:port>: use the Socks5n proxy.  If  the  port  is  not
           specified,  it  defaults to 9150. This is intended for use with the
           Tor network, but should work with any Socks5 proxy. These uses  the
           'name' feature, so to that it'll be the Tor exit node resolving the
           DNS name, not the local host.

       o   --rand: randomizes the size of heartbleed requests.  Normally,  the
           program  requests for the max 64k size, but with this setting, each
           request will have a random size between 200 and 64k.  Some  believe
           that heartbeats of different size will produce different results.

       o   --read:  instead  of  running  live  against  a server, this option
           causes the program to run forensics on existing files, looking  for
           private keys. The option --cert must also be used.

       o   --raw:  send  the  hearbeat requests before SSL negotiation is com-
           plete. Use this option on targets where the  post-handshake  heart-
           beats don't work.

       o   --scan:  scans  target  to  test if vulnerable, instead of dumping.
           This ends the connection immediately. A verdict will be printed  to
           stdout,  either  VULNERABLE,  SAFE,  or  INCONCLUSIVE. Most systems
           marked INCONCLUSIVE are in fact safe.

       o   --scanlist <filename>: reads a list of targets from a file  instead
           of reading them from a command-line, and also sets the --scan flag.
           Use this when you have thousands of targets to scan. Note  that  if
           you  have  a lot of targets, you should also set the --threads to a
           high number.

       o   --threads <count>: uses more than one  thread,  scanning/dumping  a
           lot  faster.  Setting 1000 threads would not be unreasonable, espe-
           cially when scanning a lot of targets.

       o   --timeout <n>: sets the timeout for read operations  on  a  socket,
           which defaults to 6 seconds. Note that connection timeouts are much
           longer, set by the operating  system,  and  not  currently  config-

       The  following  is the easiest way to use the program, to grab the pri-
       vate-key form the server in 'auto-pwn' mode:

           $ heartleech --autopwn --threads 5

       This auto-pwn mode will search for the heartbeat payloads  looking  for
       the components of the private-key that matches the server's certificate
       (which it automatically retrieves). When a certificate is  found,  it's
       printed  to  stdout. The user can then copy it to a file and use it for
       anythign that private-keys can be  used  for.  Using  multiple  threads
       downloads faster.

       Heartbleed information contains more than just private keys. On a typi-
       cal web-server, it'll contain session cookies (useful for  sidejacking)
       and passwords. In that case, the way to use this program is to save all
       the heartbleed information into a file. Note that these  files  quickly
       grow to gigabytes in size:

           $ heartleech --dump bleed.bin --threads 6
           $ grep -iobUaP "Cookie:.*\n" bleed.bin

       Soon after the Heartbleed vulnerability was announced, many people pub-
       lished 'rules' for Snort-like intrusion-detection engines. These  rules
       all  trigger  on  the pattern |18 03| in the first two bytes of the TCP

       By default, this program avoids putting that pattern in the  first  two
       bytes.  Instead,  it tries to put those bytes elsewhere in the payload.
       Thus, this program should genrally avoid that sort of detection.

       Note that this isn't complete IDS evasion. The open-source Bro program,
       and many commercial products, do a full SSL protocol decode, and there-
       fore catch this exploit no matter where it is in the packet.  Also,  by
       the  time you read this, it's probable that the Snort-like engines will
       have upgraded their code to support SSL decodes as well.


       This tool was written by Robert Graham. The source code is available at

                                   May 2014                      HEARTLEECH(8)

Updated on: 2021-Nov-26