cyber-security-resources/recon/intro_to_nuclei.md
2024-07-18 14:47:00 -04:00

152 lines
4.2 KiB
Markdown

# Introducing Nuclei: A Fast and Customizable Vulnerability Scanner
## Introduction
[Nuclei](https://github.com/projectdiscovery/nuclei) is an open-source, fast, and customizable vulnerability scanner developed by [ProjectDiscovery](https://github.com/projectdiscovery/). It is designed to send requests across targets based on predefined templates, enabling efficient and accurate vulnerability detection with minimal false positives. [Nuclei](https://github.com/projectdiscovery/nuclei) supports scanning for various protocols, including TCP, DNS, HTTP, SSL, File, Whois, and Websocket.
## Some of the Key Features
1. Template-based scanning: Nuclei uses YAML-based templates to define scanning logic, making it highly extensible and customizable.
2. Multi-protocol support: Enables scanning across various network protocols and services.
3. Fast and efficient: Optimized for speed, allowing rapid scanning of large numbers of hosts.
4. Low false positives: Template-based approach helps minimize false positive results.
5. Community-driven: Large repository of community-contributed templates for detecting various vulnerabilities.
6. Easy integration: Can be easily integrated into CI/CD pipelines and other automated security workflows.
## Usage Examples
### Basic Scanning
To scan a single target using Nuclei:
```bash
nuclei -u http://10.6.6.23
```
To scan multiple targets from a file:
```bash
nuclei -l targets.txt
```
### Using Specific Templates
Scan with particular templates:
```bash
nuclei -u https://example.com -t cves/ -t exposures/
```
### Filtering Templates
Scan using templates with specific tags:
```bash
nuclei -u https://example.com -tags cve,oast
```
Exclude certain tags:
```bash
nuclei -u https://example.com -etags dos,fuzz
```
### Output Formatting
Generate JSON output:
```bash
nuclei -u https://example.com -json-output results.json
```
### Rate Limiting
Limit requests per second:
```bash
nuclei -u https://example.com -rate-limit 100
```
## Creating Nuclei Templates
Nuclei templates are YAML files that define the scanning logic. Here's a basic structure of a Nuclei template:
```yaml
id: example-template
info:
name: Example Vulnerability Check
author: YourName
severity: medium
description: Checks for an example vulnerability
requests:
- method: GET
path:
- "{{BaseURL}}/vulnerable-endpoint"
matchers:
- type: word
words:
- "vulnerable string"
```
Key components of a template:
1. `id`: Unique identifier for the template
2. `info`: Metadata about the template
3. `requests`: Defines the HTTP requests to be made
4. `matchers`: Specifies conditions to identify vulnerabilities
### Example: CVE Detection Template
Here's an example template for detecting CVE-2021-44228 (Log4j vulnerability):
```yaml
id: CVE-2021-44228
info:
name: Apache Log4j RCE
author: pdteam
severity: critical
description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
requests:
- raw:
- |
GET /${jndi:ldap://{{interactsh-url}}} HTTP/1.1
Host: {{Hostname}}
User-Agent: ${jndi:ldap://{{interactsh-url}}}
Referer: ${jndi:ldap://{{interactsh-url}}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- "http"
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
```
This template sends requests with JNDI lookup strings in various HTTP headers and checks for DNS or HTTP callbacks to detect the Log4j vulnerability[8].
## Best Practices for Template Creation
1. Use clear and descriptive template IDs and names
2. Include accurate metadata (author, severity, description)
3. Utilize dynamic variables like `{{BaseURL}}` for flexibility
4. Implement precise matchers to reduce false positives
5. Test templates thoroughly before submission
6. Follow the [community template contributions](https://github.com/projectdiscovery/nuclei-templates/tree/main/dns)