On October 14, 2014 Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team publicly disclosed the POODLE attack (which stands for “Padding Oracle On Downgraded Legacy Encryption”), a man-in-the-middle exploit that takes advantage of Internet and security software clients’ fallback to SSL 3.0.

SSLv3 was declared swiss cheese, and companies and users were advised to stop using the outdated protocol and disable SSL 3.0 on both the client side and the server side.

Fast forward to today, and I am in the middle of a routine scan of a network that I have been contracted to PenTest. For me it is not uncommon to run into one or two servers that are stuck in a server room, forgotten and unpatched against POODLE. What struck me was the large number of servers that I encountered on this particular network, which got me thinking about how many servers in the world are still vulnerable.

After a few minutes of searching I discovered the wonderful team over at Shadow Server, who are keeping stats on just this very thing. Below are the most recent results as of 7/12/16.

As you can see, 11,000,000+ devices are still using SSLv3… sad panda 🙁. Naturally I was taken aback, but not necessarily surprised. There are very specific reasons these numbers are so high: at the top of that list is not having a full understanding of your environment and the machines that inhabit it (i.e. the poor forgotten server). Since a large part of what I strive to do here at Huggable Hacker is help people better understand the threats they face, I wanted to share a little script I wrote to do just that. Full disclosure: you’ll need nmap installed to make this work correctly.

#!/bin/bash
# Usage: ./poodle.sh <IP or domain>
# Runs nmap's ssl-poodle NSE script against port 443 of the given host
# and appends the output to a text file named after the target.

if [ -z "$1" ]; then
    echo "[*] NMAP POODLE SCAN"
    echo "[*] Usage : $0 <IP or domain>"
    exit 0
fi

# -sV with --version-light identifies the TLS service with minimal probing;
# --script ssl-poodle checks whether SSLv3 with a CBC cipher can be negotiated.
nmap -sV --version-light --script ssl-poodle -p 443 "$1" >> "$1.txt"

Save the script as poodle.sh and make it executable with chmod a+x poodle.sh.

Usage of this would be:

$ ./poodle.sh www.google.com

The next step would be to add functionality that lets a user scan a .txt file containing your entire environment’s IPs or FQDNs, but for now I just wanted to share this for anyone who may run into a similar situation.
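Here is one way that batch version could look. This is an added example written for this post, not the script above or anything from the nmap project. It assumes nmap with the ssl-poodle NSE script is installed, that the targets file lists one IP or FQDN per line (blank lines and anything after a # are ignored), and that the verdict can be read off nmap's "State: VULNERABLE" line, which is how the ssl-poodle script reports a host that accepts SSLv3 with a CBC cipher. The sample nmap output used for the built-in demo is constructed to resemble nmap's format; it is not captured from a real host.

```shell
#!/bin/sh
# poodle-batch.sh (example, not the original script)
# Usage: ./poodle-batch.sh targets.txt
# With no argument it prints usage and classifies constructed sample output
# so the verdict logic can be seen without nmap or network access.

# Constructed sample nmap output (not captured from a real host): the shape
# nmap's vulns library prints for a host that negotiated SSLv3 with CBC.
SAMPLE_VULNERABLE='PORT    STATE SERVICE
443/tcp open  https
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE'

# Constructed sample for a host where nothing listens on 443.
SAMPLE_CLOSED='PORT    STATE  SERVICE
443/tcp closed https'

# Print usable targets from a file: drop comments, blank lines and whitespace.
read_targets() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$'
}

# Turn the text nmap printed for one host into a one-word verdict.
# "State: *VULNERABLE" deliberately does not match "State: NOT VULNERABLE".
poodle_verdict() {
    if printf '%s\n' "$1" | grep -q 'State: *VULNERABLE'; then
        echo VULNERABLE
    elif printf '%s\n' "$1" | grep -Eq '^443/tcp +(closed|filtered)'; then
        echo NO_SERVICE
    elif printf '%s\n' "$1" | grep -q 'Host seems down'; then
        echo HOST_DOWN
    else
        # ssl-poodle stays silent for hosts that refuse SSLv3/CBC.
        echo NOT_VULNERABLE
    fi
}

# Run the same nmap command as the single-host script and return its output.
scan_host() {
    nmap -sV --version-light --script ssl-poodle -p 443 "$1" 2>&1 || true
}

main() {
    if [ "$#" -ne 1 ] || [ ! -r "$1" ]; then
        echo "[*] Usage: $0 targets.txt" >&2
        return 1
    fi
    report="poodle-$(date +%Y%m%d-%H%M%S).txt"
    read_targets "$1" | while read -r host; do
        out=$(scan_host "$host")
        verdict=$(poodle_verdict "$out")
        # Summary line on stdout; full nmap output kept in the report file.
        printf '%s\t%s\n' "$host" "$verdict"
        printf '### %s: %s\n%s\n\n' "$host" "$verdict" "$out" >> "$report"
    done
    echo "[*] Full nmap output saved to $report" >&2
}

if [ "$#" -gt 0 ]; then
    main "$@"
else
    echo "[*] Usage: $0 targets.txt (demo of verdicts follows)" >&2
    printf 'sample-vulnerable\t%s\n' "$(poodle_verdict "$SAMPLE_VULNERABLE")"
    printf 'sample-closed\t%s\n' "$(poodle_verdict "$SAMPLE_CLOSED")"
fi
```

The summary on stdout is tab-separated so it can be sorted or fed to another tool, while the per-host nmap output goes into one timestamped report file rather than one file per target. A host that answers NOT_VULNERABLE is only as trustworthy as the scan that produced it: if the scan was blocked or nmap printed an error, the verdict will still be NOT_VULNERABLE, so the report file is worth a look for any host you care about.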
