cyber-security-resources/recon/intro_to_nuclei.md
2024-12-10 15:50:24 -05:00

9.6 KiB
Raw Permalink Blame History

Introducing Nuclei: A Fast and Customizable Vulnerability Scanner

Introduction

Nuclei is an open-source, fast, and customizable vulnerability scanner developed by ProjectDiscovery. It is designed to send requests across targets based on predefined templates, enabling efficient and accurate vulnerability detection with minimal false positives. Nuclei supports scanning for various protocols, including TCP, DNS, HTTP, SSL, File, Whois, and Websocket.

Some of the Key Features

  1. Template-based scanning: Nuclei uses YAML-based templates to define scanning logic, making it highly extensible and customizable.

  2. Multi-protocol support: Enables scanning across various network protocols and services.

  3. Fast and efficient: Optimized for speed, allowing rapid scanning of large numbers of hosts.

  4. Low false positives: Template-based approach helps minimize false positive results.

  5. Community-driven: Large repository of community-contributed templates for detecting various vulnerabilities.

  6. Easy integration: Can be easily integrated into CI/CD pipelines and other automated security workflows.

Usage Examples

Basic Scanning

To scan a single target using Nuclei:

nuclei -u http://10.6.6.23

To scan multiple targets from a file:

nuclei -l targets.txt

Using Specific Templates

Scan with particular templates:

nuclei -u https://example.com -t cves/ -t exposures/

Filtering Templates

Scan using templates with specific tags:

nuclei -u https://example.com -tags cve,oast

Exclude certain tags:

nuclei -u https://example.com -etags dos,fuzz

Output Formatting

Generate JSON output:

nuclei -u https://example.com -json-output results.json

Rate Limiting

Limit requests per second:

nuclei -u https://example.com -rate-limit 100

Creating Nuclei Templates

Nuclei templates are YAML files that define the scanning logic. Here's a basic structure of a Nuclei template:

id: example-template
info:
  name: Example Vulnerability Check
  author: YourName
  severity: medium
  description: Checks for an example vulnerability
  
requests:
  - method: GET
    path:
      - "{{BaseURL}}/vulnerable-endpoint"
    matchers:
      - type: word
        words:
          - "vulnerable string"

The following are the typical components of a template:

  1. id: Unique identifier for the template
  2. info: Metadata about the template
  3. requests: Defines the HTTP requests to be made
  4. matchers: Specifies conditions to identify vulnerabilities

Example: CVE Detection Template

Example template for detecting CVE-2021-44228 (Log4j vulnerability):

id: CVE-2021-44228

info:
  name: Apache Log4j RCE
  author: pdteam
  severity: critical
  description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228

requests:
  - raw:
      - |
        GET /${jndi:ldap://{{interactsh-url}}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: ${jndi:ldap://{{interactsh-url}}}
        Referer: ${jndi:ldap://{{interactsh-url}}}        

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"

      - type: regex
        part: interactsh_request
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'

This template sends requests with JNDI lookup strings in various HTTP headers and checks for DNS or HTTP callbacks to detect the Log4j vulnerability[8].

Best Practices for Template Creation

  1. Use clear and descriptive template IDs and names
  2. Include accurate metadata (author, severity, description)
  3. Utilize dynamic variables like {{BaseURL}} for flexibility
  4. Implement precise matchers to reduce false positives
  5. Test templates thoroughly before submission
  6. Follow the community template contributions

Additional Examples of Basic Usage

The simplest command to run Nuclei against a single target is:

nuclei -target http://10.6.6.6

This uses the default directory of templates (~/.nuclei-templates/). To specify a particular template or directory, use -t:

nuclei -target http://10.6.6.6 -t nuclei-templates/cves/

Nuclei can also take a list of targets (e.g., multiple IPs, domains) from a file:

nuclei -l targets.txt -t nuclei-templates/misconfiguration/

Preparing for the Example Scan

Our Scenario

  • Target: 10.6.6.6
  • Possible Services: Lets assume this IP hosts a web service on port 80/443.
  • Goals:
    1. Enumerate potential vulnerabilities using a broad template set.
    2. Check for known CVEs in popular web frameworks.
    3. Identify misconfigurations or sensitive endpoints.

Adjusting the Command

For internal scans (like scanning http://10.6.6.6), you might want to:

  • Specify the template directory.
  • Focus on particular template categories.
  • Adjust rate limits to avoid overwhelming the target.

Example Commands:

  1. Run all default templates against the target:

    nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/
    

    This can be quite noisy; it tries all templates. Its often better to narrow down the scope.

  2. Targeting Specific Categories: For instance, just run CVE-related templates:

    nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/cves/
    

    This will check common CVE patterns. If the web service is a known framework (WordPress, Joomla, etc.), these templates might find known issues.

  3. Running a Specific Template: Suppose you suspect the server might be running phpMyAdmin and you want to detect any phpMyAdmin login panel exposures. Find the phpMyAdmin templates (for example exposed-panels/phpmyadmin-login.yaml) and run:

    nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/exposed-panels/phpmyadmin-login.yaml
    
  4. Setting Rate Limits and Concurrency: If youre scanning a network service that might be sensitive, slow down the requests:

    nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -rl 50 -c 10
    

    -rl 50 limits to 50 requests per second and -c 10 sets concurrency to 10 templates at a time.


Interpreting Results

The output of Nuclei prints findings to the terminal. A typical finding might look like:

[critical] [cves/2021/CVE-2021-XXXXX.yaml] http://10.6.6.6/vulnerable-endpoint
  • Severity Tag: [critical] indicates the severity level from the template.
  • Template Info: cves/2021/CVE-2021-XXXXX.yaml indicates which template matched.
  • Matched URL: http://10.6.6.6/vulnerable-endpoint is the discovered vulnerable endpoint.

You can also output results to a file:

nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -o results.txt

Nuclei can also output in JSON for easier parsing:

nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -json -o results.json

Running Against Multiple Targets in the 10.6.6.0/24 Network

If you have a list of hosts or endpoints within the network, say targets.txt:

http://10.6.6.6
http://10.6.6.7
http://10.6.6.8

You can run:

nuclei -l targets.txt -t ~/.nuclei-templates/ -o network_results.txt

This will scan each listed host against all templates. To target only a certain set, like misconfiguration checks:

nuclei -l targets.txt -t ~/.nuclei-templates/misconfiguration/ -o misconfig_results.txt

Advanced Usage: Workflows and Tagging

Nuclei supports:

  • Workflows: Chain multiple templates so one finding triggers another template.
  • Tagging: Run templates by tags, like -tags exposure to run all templates tagged as exposure.

For example, if you want to run only templates that are labeled with exposure tag:

nuclei -u http://10.6.6.6 -tags exposure

If you have a workflow file (a collection of templates in a certain order), you can specify it:

nuclei -u http://10.6.6.6 -w ~/my-workflows/exposure-workflow.yaml

Tuning and Optimization

  • Exclude Templates: Use -exclude flag to exclude certain templates or directories that produce false positives or are irrelevant.
  • Stop at First Match: If you just want to know if theres any vulnerability at all, you can optimize by stopping after first match with certain parameters.
  • Integration with Other Tools: Combine Nuclei with subdomain enumeration (e.g., subfinder), and pipe results directly. For example:
    echo http://10.6.6.6 | nuclei -t ~/.nuclei-templates/
    

Practical Example Recap

Lets finalize with a practical scenario using the fictitious target:

  1. Initial Broad Scan (All Templates):

    nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -o broad_scan.txt
    

    Wait for results. Check broad_scan.txt for interesting findings.

  2. Focused CVE Scan:

    nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/cves/ -o cves_findings.txt
    
  3. Misconfiguration Checks:

    nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/misconfiguration/ -o misconfig_findings.txt
    
  4. Custom Endpoint Check:

    nuclei -u http://10.6.6.6 -t internal-status.yaml -o custom_check.txt
    
  5. JSON Output for Tool Integration:

    nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -json -o results.json
    

    Then parse results.json with a script.