ch0ic3/h4cker
1
0
Fork 0
mirror of https://github.com/The-Art-of-Hacking/h4cker.git synced 2024-12-18 19:06:08 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Update intro_to_nuclei.md

Browse Source
This commit is contained in:
Omar Santos 2024-12-10 15:50:24 -05:00 committed by GitHub
parent 9d6d27b4b7
commit 9698154298
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 191 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

193
recon/intro_to_nuclei.md
View File

@ -94,7 +94,7 @@ requests:
- "vulnerable string" - "vulnerable string"
``` ```
Key components of a template: The following are the typical components of a template:
1. `id`: Unique identifier for the template 1. `id`: Unique identifier for the template
2. `info`: Metadata about the template 2. `info`: Metadata about the template
@ -103,7 +103,7 @@ Key components of a template:
### Example: CVE Detection Template ### Example: CVE Detection Template
Here's an example template for detecting CVE-2021-44228 (Log4j vulnerability): Example template for detecting CVE-2021-44228 (Log4j vulnerability):
```yaml ```yaml
id: CVE-2021-44228 id: CVE-2021-44228
@ -149,3 +149,192 @@ This template sends requests with JNDI lookup strings in various HTTP headers an
5. Test templates thoroughly before submission 5. Test templates thoroughly before submission
6. Follow the [community template contributions](https://github.com/projectdiscovery/nuclei-templates/tree/main/dns) 6. Follow the [community template contributions](https://github.com/projectdiscovery/nuclei-templates/tree/main/dns)
## Additional Examples of Basic Usage
The simplest command to run Nuclei against a single target is:
```bash
nuclei -target http://10.6.6.6
```
This uses the default directory of templates (`~/.nuclei-templates/`). To specify a particular template or directory, use `-t`:
```bash
nuclei -target http://10.6.6.6 -t nuclei-templates/cves/
```
Nuclei can also take a list of targets (e.g., multiple IPs, domains) from a file:
```bash
nuclei -l targets.txt -t nuclei-templates/misconfiguration/
```
---
## Preparing for the Example Scan
### Our Scenario
- **Target:** `10.6.6.6`
- **Possible Services:** Lets assume this IP hosts a web service on port 80/443.
- **Goals:**
1. Enumerate potential vulnerabilities using a broad template set.
2. Check for known CVEs in popular web frameworks.
3. Identify misconfigurations or sensitive endpoints.
### Adjusting the Command
For internal scans (like scanning `http://10.6.6.6`), you might want to:
- Specify the template directory.
- Focus on particular template categories.
- Adjust rate limits to avoid overwhelming the target.
#### Example Commands:
1. **Run all default templates against the target:**
```bash
nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/
```
This can be quite noisy; it tries all templates. Its often better to narrow down the scope.
2. **Targeting Specific Categories:**
For instance, just run CVE-related templates:
```bash
nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/cves/
```
This will check common CVE patterns. If the web service is a known framework (WordPress, Joomla, etc.), these templates might find known issues.
3. **Running a Specific Template:**
Suppose you suspect the server might be running phpMyAdmin and you want to detect any phpMyAdmin login panel exposures. Find the phpMyAdmin templates (for example `exposed-panels/phpmyadmin-login.yaml`) and run:
```bash
nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/exposed-panels/phpmyadmin-login.yaml
```
4. **Setting Rate Limits and Concurrency:**
If youre scanning a network service that might be sensitive, slow down the requests:
```bash
nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -rl 50 -c 10
```
`-rl 50` limits to 50 requests per second and `-c 10` sets concurrency to 10 templates at a time.
---
## Interpreting Results
The output of Nuclei prints findings to the terminal. A typical finding might look like:
```
[critical] [cves/2021/CVE-2021-XXXXX.yaml] http://10.6.6.6/vulnerable-endpoint
```
- **Severity Tag:** `[critical]` indicates the severity level from the template.
- **Template Info:** `cves/2021/CVE-2021-XXXXX.yaml` indicates which template matched.
- **Matched URL:** `http://10.6.6.6/vulnerable-endpoint` is the discovered vulnerable endpoint.
You can also output results to a file:
```bash
nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -o results.txt
```
Nuclei can also output in JSON for easier parsing:
```bash
nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -json -o results.json
```
---
## Running Against Multiple Targets in the 10.6.6.0/24 Network
If you have a list of hosts or endpoints within the network, say `targets.txt`:
```
http://10.6.6.6
http://10.6.6.7
http://10.6.6.8
```
You can run:
```bash
nuclei -l targets.txt -t ~/.nuclei-templates/ -o network_results.txt
```
This will scan each listed host against all templates. To target only a certain set, like misconfiguration checks:
```bash
nuclei -l targets.txt -t ~/.nuclei-templates/misconfiguration/ -o misconfig_results.txt
```
## Advanced Usage: Workflows and Tagging
Nuclei supports:
- **Workflows:** Chain multiple templates so one finding triggers another template.
- **Tagging:** Run templates by tags, like `-tags exposure` to run all templates tagged as `exposure`.
For example, if you want to run only templates that are labeled with `exposure` tag:
```bash
nuclei -u http://10.6.6.6 -tags exposure
```
If you have a workflow file (a collection of templates in a certain order), you can specify it:
```bash
nuclei -u http://10.6.6.6 -w ~/my-workflows/exposure-workflow.yaml
```
---
## Tuning and Optimization
- **Exclude Templates:** Use `-exclude` flag to exclude certain templates or directories that produce false positives or are irrelevant.
- **Stop at First Match:** If you just want to know if theres any vulnerability at all, you can optimize by stopping after first match with certain parameters.
- **Integration with Other Tools:** Combine Nuclei with subdomain enumeration (e.g., `subfinder`), and pipe results directly. For example:
```bash
echo http://10.6.6.6 | nuclei -t ~/.nuclei-templates/
```
---
## Practical Example Recap
Lets finalize with a practical scenario using the fictitious target:
1. **Initial Broad Scan (All Templates):**
```bash
nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -o broad_scan.txt
```
Wait for results. Check `broad_scan.txt` for interesting findings.
2. **Focused CVE Scan:**
```bash
nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/cves/ -o cves_findings.txt
```
3. **Misconfiguration Checks:**
```bash
nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/misconfiguration/ -o misconfig_findings.txt
```
4. **Custom Endpoint Check:**
```bash
nuclei -u http://10.6.6.6 -t internal-status.yaml -o custom_check.txt
```
5. **JSON Output for Tool Integration:**
```bash
nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -json -o results.json
```
Then parse `results.json` with a script.