From 9698154298fb8d60f93a4fdba5373d08fe1a7203 Mon Sep 17 00:00:00 2001 From: Omar Santos <santosomar@gmail.com> Date: Tue, 10 Dec 2024 15:50:24 -0500 Subject: [PATCH] Update intro_to_nuclei.md --- recon/intro_to_nuclei.md | 193 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 191 insertions(+), 2 deletions(-) diff --git a/recon/intro_to_nuclei.md b/recon/intro_to_nuclei.md index f3e90c6..8741d23 100644 --- a/recon/intro_to_nuclei.md +++ b/recon/intro_to_nuclei.md @@ -94,7 +94,7 @@ requests: - "vulnerable string" ``` -Key components of a template: +The following are the typical components of a template: 1. `id`: Unique identifier for the template 2. `info`: Metadata about the template @@ -103,7 +103,7 @@ Key components of a template: ### Example: CVE Detection Template -Here's an example template for detecting CVE-2021-44228 (Log4j vulnerability): +Example template for detecting CVE-2021-44228 (Log4j vulnerability): ```yaml id: CVE-2021-44228 
@@ -149,3 +149,192 @@ This template sends requests with JNDI lookup strings in various HTTP headers an 5. Test templates thoroughly before submission 6. Follow the [community template contributions](https://github.com/projectdiscovery/nuclei-templates/tree/main/dns) + +## Additional Examples of Basic Usage + +The simplest command to run Nuclei against a single target is: + +```bash +nuclei -target http://10.6.6.6 +``` + +This uses the default directory of templates (`~/.nuclei-templates/`). To specify a particular template or directory, use `-t`: + +```bash +nuclei -target http://10.6.6.6 -t nuclei-templates/cves/ +``` + +Nuclei can also take a list of targets (e.g., multiple IPs, domains) from a file: + +```bash +nuclei -l targets.txt -t nuclei-templates/misconfiguration/ +``` + +--- + +## Preparing for the Example Scan + +### Our Scenario + +- **Target:** `10.6.6.6` +- **Possible Services:** Let’s assume this IP hosts a web service on port 80/443. +- **Goals:** + 1. Enumerate potential vulnerabilities using a broad template set. + 2. Check for known CVEs in popular web frameworks. + 3. Identify misconfigurations or sensitive endpoints. + +### Adjusting the Command + +For internal scans (like scanning `http://10.6.6.6`), you might want to: +- Specify the template directory. +- Focus on particular template categories. +- Adjust rate limits to avoid overwhelming the target. + +#### Example Commands: + +1. **Run all default templates against the target:** + ```bash + nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ + ``` + + This can be quite noisy; it tries all templates. It’s often better to narrow down the scope. + +2. **Targeting Specific Categories:** + For instance, just run CVE-related templates: + ```bash + nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/cves/ + ``` + + This will check common CVE patterns. If the web service is a known framework (WordPress, Joomla, etc.), these templates might find known issues. + +3. 
**Running a Specific Template:** + Suppose you suspect the server might be running phpMyAdmin and you want to detect any phpMyAdmin login panel exposures. Find the phpMyAdmin templates (for example `exposed-panels/phpmyadmin-login.yaml`) and run: + ```bash + nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/exposed-panels/phpmyadmin-login.yaml + ``` + +4. **Setting Rate Limits and Concurrency:** + If you’re scanning a network service that might be sensitive, slow down the requests: + ```bash + nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -rl 50 -c 10 + ``` + `-rl 50` limits to 50 requests per second and `-c 10` sets concurrency to 10 templates at a time. + +--- + +## Interpreting Results + +The output of Nuclei prints findings to the terminal. A typical finding might look like: + +``` +[critical] [cves/2021/CVE-2021-XXXXX.yaml] http://10.6.6.6/vulnerable-endpoint +``` + +- **Severity Tag:** `[critical]` indicates the severity level from the template. +- **Template Info:** `cves/2021/CVE-2021-XXXXX.yaml` indicates which template matched. +- **Matched URL:** `http://10.6.6.6/vulnerable-endpoint` is the discovered vulnerable endpoint. + +You can also output results to a file: + +```bash +nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -o results.txt +``` + +Nuclei can also output in JSON for easier parsing: + +```bash +nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -json -o results.json +``` + +--- + +## Running Against Multiple Targets in the 10.6.6.0/24 Network + +If you have a list of hosts or endpoints within the network, say `targets.txt`: + +``` +http://10.6.6.6 +http://10.6.6.7 +http://10.6.6.8 +``` + +You can run: + +```bash +nuclei -l targets.txt -t ~/.nuclei-templates/ -o network_results.txt +``` + +This will scan each listed host against all templates. 
To target only a certain set, like misconfiguration checks: + +```bash +nuclei -l targets.txt -t ~/.nuclei-templates/misconfiguration/ -o misconfig_results.txt +``` + + + +## Advanced Usage: Workflows and Tagging + +Nuclei supports: +- **Workflows:** Chain multiple templates so one finding triggers another template. +- **Tagging:** Run templates by tags, like `-tags exposure` to run all templates tagged as `exposure`. + +For example, if you want to run only templates that are labeled with `exposure` tag: + +```bash +nuclei -u http://10.6.6.6 -tags exposure +``` + +If you have a workflow file (a collection of templates in a certain order), you can specify it: + +```bash +nuclei -u http://10.6.6.6 -w ~/my-workflows/exposure-workflow.yaml +``` + +--- + +## Tuning and Optimization + +- **Exclude Templates:** Use `-exclude` flag to exclude certain templates or directories that produce false positives or are irrelevant. +- **Stop at First Match:** If you just want to know if there’s any vulnerability at all, you can optimize by stopping after first match with certain parameters. +- **Integration with Other Tools:** Combine Nuclei with subdomain enumeration (e.g., `subfinder`), and pipe results directly. For example: + ```bash + echo http://10.6.6.6 | nuclei -t ~/.nuclei-templates/ + ``` + +--- + +## Practical Example Recap + +Let’s finalize with a practical scenario using the fictitious target: + +1. **Initial Broad Scan (All Templates):** + ```bash + nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -o broad_scan.txt + ``` + Wait for results. Check `broad_scan.txt` for interesting findings. + +2. **Focused CVE Scan:** + ```bash + nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/cves/ -o cves_findings.txt + ``` + +3. **Misconfiguration Checks:** + ```bash + nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/misconfiguration/ -o misconfig_findings.txt + ``` + +4. 
**Custom Endpoint Check:** + ```bash + nuclei -u http://10.6.6.6 -t internal-status.yaml -o custom_check.txt + ``` + +5. **JSON Output for Tool Integration:** + ```bash + nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -json -o results.json + ``` + Then parse `results.json` with a script. + + + + +
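Review bot: in the first hunk, "The following are the typical components of a template:" reads as if every listed field were optional, whereas `id` and `info` are mandatory in every Nuclei template; the original "Key components of a template:" (or "The main components of a template:") is both shorter and more accurate. The second wording change in that hunk ("Example template for detecting CVE-2021-44228 ...") is fine as is.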
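Review bot: the two JSON output commands in this hunk use `-json`, which is the Nuclei v2 spelling; in Nuclei v3 the flag is `-jsonl` (`-j`), so either update both commands or state which Nuclei version the document targets. Three smaller issues in the same hunk: (1) step 4 of the recap runs `-t internal-status.yaml`, but that template is never shown or explained anywhere in the file, so the reader cannot reproduce the "Custom Endpoint Check"; add the template or say where it comes from. (2) "Stop at First Match ... with certain parameters" leaves the reader guessing; the flag is `-stop-at-first-match` (`-spm`) and should be named the way `-rl`, `-c` and `-tags` are. (3) The template paths alternate between the relative `nuclei-templates/cves/` and `~/.nuclei-templates/`, and the directory Nuclei installs templates into by default is `~/nuclei-templates` (no leading dot), so one correct form should be used throughout; likewise `-target` and `-u` are aliases, but the document should pick one. The `-exclude` flag under Tuning should also be checked against the installed version, since current releases spell it `-exclude-templates` (`-et`). Finally, the hunk appends four empty `+` lines at the end of the file; trim the trailing blank lines, and add the `---` separator before "## Advanced Usage" that the other sections use.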