nuclei-templates/GUIDE.md

602 lines
23 KiB
Markdown
Raw Normal View History

2020-04-05 19:24:04 +00:00
# Templating Guide
2020-04-04 16:22:53 +00:00
2020-04-05 19:24:04 +00:00
**Nuclei** is based on the concepts of `YAML` based template files that define how the requests will be sent and processed. This allows easy extensibility capabilities to nuclei.
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
The templates are written in `YAML` which specifies a simple human readable format to quickly define the execution process.
2020-04-04 16:22:53 +00:00
2020-04-05 19:24:04 +00:00
Let's start with the basics and define our own workflow file for detecting the presence of a `.git/config` file on a webserver and take it from there.
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
## Table of Contents
2020-04-04 16:49:55 +00:00
* [Templating Guide](#templating-guide)
* [Template Details](#template-details)
* [<strong>Info</strong>](#info)
2020-04-24 15:17:14 +00:00
* [<strong>HTTP Requests</strong>](#http-requests)
2020-04-04 16:49:55 +00:00
* [<strong>Method</strong>](#method)
2020-04-28 22:17:23 +00:00
* [<strong>Redirects</strong>](#redirects)
2020-04-04 16:49:55 +00:00
* [<strong>Path</strong>](#path)
* [<strong>Headers</strong>](#headers)
* [<strong>Body</strong>](#body)
* [<strong>Matchers</strong>](#matchers)
* [<strong>Types</strong>](#types)
* [<strong>Conditions</strong>](#conditions)
* [<strong>Matched Parts</strong>](#matched-parts)
* [<strong>Multiple Matchers</strong>](#multiple-matchers)
2020-04-05 19:23:35 +00:00
* [Extractors](#extractors)
2020-04-24 15:17:14 +00:00
* [<strong>Example HTTP Template</strong>](#example-http-template)
* [<strong>DNS Requests</strong>](#dns-requests)
* [<strong>Type</strong>](#type)
* [<strong>Name</strong>](#name)
* [<strong>Class</strong>](#class)
* [<strong>Recursion</strong>](#recursion)
* [<strong>Retries</strong>](#retries)
* [<strong>Matchers</strong>](#matchers)
* [<strong>Example DNS Template</strong>](#example-dns-template)
2020-06-30 10:57:24 +00:00
* [<strong>Chained workflow</strong>](#chained-workflow)
2020-04-04 16:22:53 +00:00
2020-04-05 19:24:04 +00:00
## Template Details
2020-04-04 16:22:53 +00:00
Each template has a unique ID which is used during output writing to specify the template name for an output line.
2020-04-05 19:24:04 +00:00
The template file ends with **.yaml** extension. The template files can be created any text editor of your choice.
2020-04-04 16:22:53 +00:00
2020-04-05 19:24:04 +00:00
```yaml
# id contains the unique identifier for the template.
id: git-config
```
2020-04-04 16:22:53 +00:00
2020-04-05 19:23:35 +00:00
ID must not contain spaces. This is done to allow easier output parsing.
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
### Info
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
Next important piece of information about a template is the **info** block. Info block provides more context on the purpose of the template and the **author**. It can also contain a **severity** field which indicates the severity of the template.
2020-04-04 16:22:53 +00:00
2020-04-05 19:24:04 +00:00
Let's add an **info** block to our template as well.
```yaml
info:
2020-05-25 07:21:13 +00:00
# Name is the name of the template
2020-04-05 19:24:04 +00:00
name: Git Config File Detection Template
2020-05-25 07:21:13 +00:00
# Author is the name of the author for the template
2020-04-05 19:24:04 +00:00
author: Ice3man
2020-05-25 07:21:13 +00:00
# Severity is the severity for the template.
2020-04-05 19:24:04 +00:00
severity: medium
```
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
Actual requests and corresponding matchers are placed below the info block and they perform the task of making requests to target servers and finding if the template request was successful.
2020-04-04 16:22:53 +00:00
2020-04-24 15:17:14 +00:00
Each template file can contain multiple requests to be made. The template is iterated and one by one the desired HTTP/DNS requests are made to the target sites.
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
### HTTP Requests
2020-04-04 16:47:48 +00:00
2020-05-25 07:21:13 +00:00
Requests start with a request block which specifies the start of the requests for the template.
2020-04-04 16:22:53 +00:00
2020-04-05 19:24:04 +00:00
```yaml
2020-05-25 07:21:13 +00:00
# Start the requests for the template right here
2020-04-05 19:24:04 +00:00
requests:
```
2020-04-04 16:22:53 +00:00
2020-05-22 12:27:51 +00:00
At this point you can define raw requests like the following ones (as of now it's suggested to leave the `Host` header as in the example with the variable `{{Hostname}}`).
2020-04-29 21:48:22 +00:00
```yaml
requests:
- raw:
2020-05-25 07:21:13 +00:00
- |
2020-04-29 21:48:22 +00:00
GET /path1/ HTTP/1.1
User-Agent: chrome
Host: {{Hostname}}
Accept: a1/b1
2020-05-25 07:21:13 +00:00
- |
2020-04-29 21:48:22 +00:00
POST /path2/ HTTP/1.1
User-Agent: chrome
Host: {{Hostname}}
Accept: a2/b2
This is the request Body
```
2020-05-25 07:21:13 +00:00
Otherwise you can define structured requests as described in the following paragraphs. Requests can be fine tuned to perform the exact tasks as desired. Nuclei requests are fully configurable meaning you can configure and define each and every single thing about the requests that will be sent to the target servers. A recent addition in raw requests has been the introduction of intruder-like functionalities. It's possible to define placeholders as `{{placeholder}}`, and perform Sniper, Pitchfork and ClusterBomb attacks. The wordlist for these attacks needs to be defined during the request definition under the `Payload` field. Finally all DSL functionalities are fully available and supported, and can be used to manipulate the final values. Here follows an example:
2020-05-22 12:27:51 +00:00
```yaml
id: dummy-raw
info:
2020-05-25 07:21:13 +00:00
name: Example-Fuzzing
2020-05-22 12:27:51 +00:00
requests:
- payloads:
param_a: /home/user/wordlist_param_a.txt
param_b: /home/user/wordlist_param_b.txt
2020-05-25 07:21:13 +00:00
attack: clusterbomb # Available options: sniper, pitchfork and clusterbomb
2020-05-22 12:27:51 +00:00
raw:
# Request with simple param and header manipulation with DSL functions
2020-05-25 07:21:13 +00:00
- |
2020-05-22 12:27:51 +00:00
POST /?param_a={{param_a}}&paramb={{param_b}} HTTP/1.1
User-Agent: {{param_a}}
Host: {{Hostname}}
another_header: {{base64(param_b)}}
Accept: */*
This is the Body
# Request with body manipulation
2020-05-25 07:21:13 +00:00
- |
2020-05-22 12:27:51 +00:00
DELETE / HTTP/1.1
User-Agent: nuclei
Host: {{Hostname}}
This is the body {{sha256(param_a)}}
# Yet another one
2020-05-25 07:21:13 +00:00
- |
2020-05-22 12:27:51 +00:00
PUT / HTTP/1.1
Host: {{Hostname}}
This is again the request body {{html_escape(param_a)}} + {{hex_encode(param_b))}}
matchers:
- type: word
2020-05-25 07:21:13 +00:00
words:
2020-05-22 12:27:51 +00:00
- "title"
- "body"
```
This functionality is **not optimized** for speed as the internal http library needs to be set explicitly with connection reuse policy.
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
#### Method
2020-04-04 16:47:48 +00:00
2020-05-25 07:21:13 +00:00
First thing in the request is **method**. Request method can be **GET**, **POST**, **PUT**, **DELETE**, etc depending on the needs.
2020-04-04 16:47:48 +00:00
2020-04-05 19:24:04 +00:00
```yaml
2020-05-25 07:21:13 +00:00
# Method is the method for the request
2020-04-05 19:24:04 +00:00
method: GET
```
2020-04-04 16:47:48 +00:00
2020-05-25 07:21:13 +00:00
#### Redirects
2020-04-28 22:17:23 +00:00
2020-05-25 07:21:13 +00:00
Redirection conditions can be specified per each template. By default, redirects are not followed. However, if desired, they can be enabled with `redirects: true` in request details. 10 redirects are followed at maximum by default which should be good enough for most use cases. More fine grained control can be exercised over number of redirects followed by using `max-redirects` field.
2020-04-28 22:17:23 +00:00
2020-05-25 07:21:13 +00:00
An example of the usage:
2020-04-28 22:17:23 +00:00
```yaml
requests:
- method: GET
2020-05-25 07:21:13 +00:00
path:
2020-04-28 22:17:23 +00:00
- "{{BaseURL}}/login.php
redirects: true
max-redirects: 3
```
2020-05-25 07:21:13 +00:00
#### Path
2020-04-28 22:17:23 +00:00
2020-05-25 07:21:13 +00:00
The next part of the requests is the **path** of the request path. Dynamic variables can be placed in the path to modify its behavior on runtime. Variables start with `{{` and end with `}}` and are case-sensitive.
2020-04-04 16:47:48 +00:00
2020-04-05 19:24:04 +00:00
1. **BaseURL** - Placing BaseURL as a variable in the path will lead to it being replaced on runtime in the request by the original URL as specified in the target file.
2. **Hostname** - Hostname variable is replaced by the hostname of the target on runtime.
2020-04-04 16:47:48 +00:00
2020-05-25 07:21:13 +00:00
Some sample dynamic variable replacement examples:
2020-04-04 16:47:48 +00:00
2020-04-05 19:24:04 +00:00
```yaml
path: {{BaseURL}}/.git/config
2020-05-25 07:21:13 +00:00
# This path will be replaced on execution with BaseURL
# If BaseURL is set to https://abc.com then the
# path will get replaced to the following: https://abc.com/.git/config
2020-04-05 19:24:04 +00:00
```
2020-04-04 16:47:48 +00:00
Multiple paths can also be specified in one request which will be requested for the target.
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
#### Headers
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
Headers can also be specified to be sent along with the requests. Headers are placed in form of key/value pairs. An example header configuration looks like this:
2020-04-04 16:22:53 +00:00
2020-04-05 19:24:04 +00:00
```yaml
# headers contains the headers for the request
headers:
# Custom user-agent header
User-Agent: Some-Random-User-Agent
# Custom request origin
Origin: https://google.com
```
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
#### Body
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
Body specifies a body to be sent along with the request. For instance:
2020-04-04 16:22:53 +00:00
2020-04-05 19:24:04 +00:00
```yaml
2020-05-25 07:21:13 +00:00
# Body is a string sent along with the request
body: "{\"some random JSON\"}"
2020-04-05 19:24:04 +00:00
```
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
#### Matchers
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
Matchers are the core of nuclei. They are what make the tool so powerful. Multiple type of combinations and checks can be added to ensure that the results you get are free from false-positives.
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
##### Types
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
Multiple matchers can be specified in a request. There are basically 6 types of matchers:
2020-04-04 16:22:53 +00:00
2020-04-05 19:24:04 +00:00
| Matcher Type | Part Matched |
| ------------ | -------------------------- |
| status | Status Code of Response |
| size | Content Length of Response |
| word | Response body or headers |
| regex | Response body or headers |
2020-04-24 11:11:17 +00:00
| binary | Response body |
2020-04-27 19:01:28 +00:00
| dsl | All Response Parts |
2020-04-04 16:22:53 +00:00
2020-04-04 16:47:48 +00:00
To match status codes for responses, you can use the following syntax.
2020-04-04 16:22:53 +00:00
2020-04-05 19:24:04 +00:00
```yaml
matcher:
2020-05-25 07:21:13 +00:00
# Match the status codes
2020-04-05 19:24:04 +00:00
- type: status
2020-05-25 07:21:13 +00:00
# Some status codes we want to match
2020-04-05 19:24:04 +00:00
status:
- 200
- 302
```
2020-04-04 16:22:53 +00:00
2020-04-24 11:11:17 +00:00
To match binary for hexadecimal responses, you can use the following syntax.
```yaml
matchers:
2020-05-25 07:21:13 +00:00
- type: binary
binary:
- "504B0304" # zip archive
- "526172211A070100" # rar RAR archive version 5.0
- "FD377A585A0000" # xz tar.xz archive
condition: or
part: body
2020-04-24 11:11:17 +00:00
```
2020-04-04 16:47:48 +00:00
To match size, similar structure can be followed. If the status code of response from the site matches any single one specified in the matcher, the request is marked as successful.
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
**Word** and **Regex** matchers can be further configured depending on the needs of the users.
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
Complex matchers of type **dsl** allows to build more elaborated expressions with helper functions, this is an example of a complex DSL matcher:
2020-04-27 19:01:28 +00:00
```yaml
matchers:
2020-05-25 07:21:13 +00:00
- type: dsl
dsl:
- "len(body)<1024 && status_code==200" # Body length less than 1024 and 200 status code
- "contains(toupper(body), md5(cookie))" # Check if the MD5 sum of cookies is contained in the uppercase body
2020-04-27 19:01:28 +00:00
```
Every part of a http response can be matched:
| Response Part | Description | Example |
|------------------|-------------------------------------------------|---------------------------|
| content_length | Header Content-Length | content_length >= 1024 |
2020-05-25 07:21:13 +00:00
| status_code | Response Status Code | status_code==200 |
2020-04-27 19:01:28 +00:00
| all_headers | Unique string containing all headers | len(all_headers) |
2020-05-25 07:21:13 +00:00
| body | Body as string | len(body) |
2020-04-27 19:01:28 +00:00
| header_name | Lowercase header name with "-" converted to "_" | len(user_agent) |
| raw | Headers + Response | len(raw) |
This is the list for a dns response:
| Response Part | Description | Example |
|------------------|-----------------------------------|---------------------------|
| rcode | Response status | rcode == "NXDOMAIN |
| question | Response Question Section | len(question) |
| extra | Response Extra Section | len(extra) |
| answer | Response Answers Section | len(answer) |
| ns | Response Authority Section | len(ns) |
| raw | Full Response | len(raw) |
The helper functions are:
| Helper Function | Description | Example |
|-----------------|-------------------------------------------|------------------------------------------------------------------------------------------------|
| len | Length of a string | len("Hello") // Result: 5 |
| toupper | string to uppercase | toupper("Hello") // Result: "HELLO" |
| tolower | string to lowercase | tolower("Hello") // Result: "hello" |
| replace | Replace string parts | replace("Hello", "He", "Ha") // Result: "Hallo" |
| trim | Remove trailing unicode chars | trim("aaaHelloddd", "ad") // Result: "Hello" |
| trimleft | Remove unicode chars from left | trimleft("aaaHelloddd", "ad") // Result: "Helloddd" |
| trimright | Remove unicode chars from right | trimleft("aaaHelloddd", "ad") // Result: "aaaHello" |
| trimspace | Remove trailing spaces | trimspace(" Hello ") // Result: "Hello" |
| trimprefix | Trim specified prefix | trimprefix("aaHelloaa", "aa") // Result: "Helloaa" |
| trimsuffix | Trim specified suffix | trimsuffix("aaHelloaa", "aa") // Result: "aaHello" |
| base64 | Encode string to base64 | base64("Hello") // Result: "SGVsbG8=" |
| base64_decode | Decode string from base64 | base64_decode("SGVsbG8=") // Result: "Hello" |
2020-05-22 12:12:12 +00:00
| url_encode | URL encode a string | url_encode("https://projectdiscovery.io/test?a=1") // Result: "https:%2F%2Fprojectdiscovery.io%3Ftest=1" |
| url_decode | URL decode a string | url_decode("https:%2F%2Fprojectdiscovery.io%3Ftest=1") // Result: "https://projectdiscovery.io/test?a=1" |
| hex_encode | Hex encode a string | hex_encode("aa") // Result: "6161" |
| hex_decode | Hex decode a string | hex_decode("6161") // Result: "aa" |
| html_escape | Hex encode a string | html_escape("<html><body>test</body></html>") // Result: "&lt;html&gt;&lt;body&gt;test&lt;/body&gt;&lt;/html&gt;" |
| html_unescape | Hex decode a string | html_unescape("&lt;html&gt;&lt;body&gt;test&lt;/body&gt;&lt;/html&gt;") // Result: "<html><body>test</body></html>" |
2020-04-27 19:01:28 +00:00
| md5 | Calculate md5 of string | md5("Hello") // Result: "8b1a9953c4611296a827abf8c47804d7" |
| sha256 | Calculate sha256 of string | sha256("Hello") // Result: "185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969" |
2020-05-22 12:12:12 +00:00
| sha1 | Calculate sha1 of string | sha1("Hello") // Result: "f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0" |
2020-04-27 19:01:28 +00:00
| contains | Verify if a string contains another one | contains("Hello", "lo") // Result: True |
| regex | Verify a regex versus a string | regex("H([a-z]+)o", "Hello") // Result: True |
2020-05-25 07:21:13 +00:00
##### Conditions
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
Multiple words and regexes can be specified in a single matcher and can be configured with different conditions like **AND** and **OR**.
2020-04-04 16:22:53 +00:00
2020-04-05 19:24:04 +00:00
1. **AND** - Using AND conditions allows matching of all the words from the list of words for the matcher. Only then will the request be marked as successful when all the words have been matched.
2. **OR** - Using OR conditions allows matching of a single word from the list of matcher. The request will be marked as successful when even one of the word is matched for the matcher.
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
##### Matched Parts
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
Multiple parts of the response can also be matched for the request.
2020-04-04 16:22:53 +00:00
2020-04-05 19:24:04 +00:00
| Part | Matched Part |
| ------ | ------------------------------------ |
| body | Body of the response |
| header | Header of the response |
| all | Both body and header of the response |
2020-04-04 16:22:53 +00:00
2020-05-25 07:21:13 +00:00
Example matchers for response body using the AND condition:
2020-04-04 16:22:53 +00:00
2020-04-05 19:24:04 +00:00
```yaml
matcher:
2020-05-25 07:21:13 +00:00
# Match the body word
2020-04-05 19:24:04 +00:00
- type: word
2020-05-25 07:21:13 +00:00
# Some words we want to match
words:
2020-04-05 19:24:04 +00:00
- "[core]"
- "[config]"
2020-05-25 07:21:13 +00:00
# Both words must be found in the response body
2020-04-05 19:24:04 +00:00
condition: and
2020-05-25 07:21:13 +00:00
# We want to match request body (default)
2020-04-05 19:24:04 +00:00
part: body
```
2020-04-04 16:22:53 +00:00
Similarly, matchers can be written to match anything that you want to find in the response body allowing unlimited creativity and extensibility.
2020-05-25 07:21:13 +00:00
##### Multiple Matchers
2020-05-25 07:21:13 +00:00
Multiple matchers can be used in a single template to fingerprint multiple conditions with a single request.
Here is an example of syntax for multiple matchers.
```yaml
2020-05-25 07:21:13 +00:00
matchers:
- type: word
name: php
words:
- "X-Powered-By: PHP"
- "PHPSESSID"
part: header
- type: word
name: node
words:
- "Server: NodeJS"
- "X-Powered-By: nodejs"
condition: or
part: header
- type: word
name: python
words:
- "Python/2."
- "Python/3."
condition: or
part: header
```
2020-05-25 07:21:13 +00:00
##### Matchers Condition
2020-04-28 22:02:16 +00:00
2020-05-25 07:21:13 +00:00
While using multiple matchers the default condition is to follow OR operation in between all the matchers, AND operation can be used to make sure return the result if all matchers returns true.
2020-04-28 22:02:16 +00:00
```yaml
matchers-condition: and
matchers:
- type: word
words:
- "X-Powered-By: PHP"
- "PHPSESSID"
condition: or
part: header
2020-05-25 07:21:13 +00:00
2020-04-28 22:02:16 +00:00
- type: word
words:
- "PHP"
part: body
```
2020-04-05 19:24:04 +00:00
#### Extractors
2020-04-05 19:23:35 +00:00
Extractors are another important feature of nuclei. Extractors can be used to extract and display in results a match from the response body or headers based on a regular expression.
2020-05-25 07:21:13 +00:00
Currently only `regex` type extractors are supported. A sample extractor for extracting API keys from the response body is as follows:
2020-04-05 19:24:04 +00:00
```yaml
# A list of extractors for text extraction
extractors:
# type of the extractor, only regex for now.
- type: regex
# part of the response to extract (can be headers, all too)
part: body
# regex to use for extraction.
regex:
- "(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
```
2020-04-24 15:17:14 +00:00
#### **Example HTTP Template**
2020-04-05 19:24:04 +00:00
2020-05-25 07:21:13 +00:00
The final template file for the `.git/config` file mentioned above is as follows:
2020-04-05 19:24:04 +00:00
```yaml
id: git-config
info:
name: Git Config File
author: Ice3man
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/.git/config"
matchers:
- type: word
words:
- "[core]"
```
2020-04-24 15:17:14 +00:00
2020-05-25 07:21:13 +00:00
### DNS Requests
2020-04-24 15:17:14 +00:00
2020-05-25 07:21:13 +00:00
Requests start with a dns block which specifies the start of the requests for the template.
2020-04-24 15:17:14 +00:00
```yaml
2020-05-25 07:21:13 +00:00
# Start the requests for the template right here
2020-04-24 15:17:14 +00:00
dns:
```
DNS requests can be fine tuned to perform the exact tasks as desired. Nuclei requests are fully configurable meaning you can configure and define each and every single thing about the requests that will be sent to the target servers.
2020-05-25 07:21:13 +00:00
#### Type
2020-04-24 15:17:14 +00:00
2020-05-25 07:21:13 +00:00
First thing in the request is **type**. Request type can be **A**, **NS**, **CNAME**, **SOA**, **PTR**, **MX**, **TXT**, **AAAA**.
2020-04-24 15:17:14 +00:00
```yaml
# type is the type for the dns request
type: A
```
2020-05-25 07:21:13 +00:00
#### Name
2020-04-24 15:17:14 +00:00
2020-05-25 07:21:13 +00:00
The next part of the requests is the **name** of the request path. Dynamic variables can be placed in the path to modify its value on runtime. Variables start with `{{` and end with `}}` and are case-sensitive.
2020-04-24 15:17:14 +00:00
2020-05-25 07:21:13 +00:00
1. **FQDN** - variable is replaced by the hostname/FQDN of the target on runtime.
2020-04-24 15:17:14 +00:00
2020-05-25 07:21:13 +00:00
Some sample dynamic variable replacement examples:
2020-04-24 15:17:14 +00:00
```yaml
name: {{FQDN}}.com
2020-05-25 07:21:13 +00:00
# This value will be replaced on execution with the FQDN.
# If FQDN is https://this.is.an.example then the
# name will get replaced to the following: this.is.an.example.com
2020-04-24 15:17:14 +00:00
```
As of now the tool supports only one question per request.
2020-05-25 07:21:13 +00:00
#### Class
2020-04-24 15:17:14 +00:00
2020-05-25 07:21:13 +00:00
Class type can be **INET**, **CSNET**, **CHAOS**, **HESIOD**, **NONE** and **ANY**. Usually it's enough to just leave it as **INET**.
2020-04-24 15:17:14 +00:00
```yaml
# method is the class for the dns request
class: inet
```
2020-05-25 07:21:13 +00:00
#### Recursion
2020-04-24 15:17:14 +00:00
2020-05-25 07:21:13 +00:00
Recursion is a boolean value, and determines if the resolver should only return cached results, or traverse the whole dns root tree to retrieve fresh results. Generally it's better to leave it as **true**.
2020-04-24 15:17:14 +00:00
```yaml
2020-05-25 07:21:13 +00:00
# Recursion is a boolean determining if the request is recursive
2020-04-24 15:17:14 +00:00
recursion: true
```
2020-05-25 07:21:13 +00:00
#### Retries
2020-04-24 15:17:14 +00:00
2020-05-25 07:21:13 +00:00
Retries is the number of attempts a dns query is retried before giving up among different resolvers. It's recommended a reasonable value, like **3**.
2020-04-24 15:17:14 +00:00
```yaml
2020-05-25 07:21:13 +00:00
# Retries is a number of retries before giving up on dns resolution
2020-04-24 15:17:14 +00:00
retries: 3
```
2020-05-25 07:21:13 +00:00
#### Matchers
2020-04-24 15:17:14 +00:00
2020-04-27 19:01:28 +00:00
Matchers are just equal to HTTP, but the search is performed on the whole dns response, therefore it's not necessary to specify the **part**. Multiple type of combinations and checks can be added to ensure that the results you get are free from false positives. The complex **dsl** matcher type allows to build complex queries as described in the HTTP section.
2020-04-24 15:17:14 +00:00
2020-05-25 07:21:13 +00:00
##### Types
2020-04-24 15:17:14 +00:00
2020-05-25 07:21:13 +00:00
Multiple matchers can be specified in a request. There are basically 5 types of matchers:
2020-04-24 15:17:14 +00:00
| Matcher Type | Part Matched |
| ------------ | -------------------------- |
| size | Response size |
| word | Response |
| regex | Response |
| binary | Response |
2020-04-27 19:01:28 +00:00
| dsl | Response |
2020-04-24 15:17:14 +00:00
## **Example DNS Template**
2020-05-25 07:21:13 +00:00
The final example template file for performing `A` query, and check if CNAME and A records are in the response is as follows:
2020-04-24 15:17:14 +00:00
```yaml
id: dummy-cname-a
info:
name: Dummy A dns request
author: mzack9999
severity: none
dns:
2020-05-25 07:21:13 +00:00
- name: "{{FQDN}}"
type: A
class: inet
recursion: true
retries: 3
matchers:
2020-04-24 15:17:14 +00:00
- type: word
words:
# The response must contains a CNAME record
- "IN\tCNAME"
# and also at least 1 A record
- "IN\tA"
condition: and
```
2020-06-30 10:56:32 +00:00
# Chained workflow
It's also possible to create conditional templates which executes after matching the condition from the previous templates, mostly useful for vulnerability detection and exploitation and tech based detection and exploitation, single, multiple along with directory based templates can be executed in chained workflow template.
2020-06-30 11:03:05 +00:00
Chained workflow supports both HTTP and DNS request based templates.
2020-06-30 10:56:32 +00:00
Example of running single / multiple templates only if `detect-jira.yaml` is detected host running Jira application.
```yaml
id: workflow-example
info:
name: Jira-Pawner
author: mzack9999
variables:
jira: panels/detect-jira.yaml
jira-cve-1: cves/CVE-2018-20824.yaml
jira-cve-2: cves/CVE-2019-3399.yaml
jira-cve-3: cves/CVE-2019-11581.yaml
jira-cve-4: cves/CVE-2017-18101.yaml
logic:
|
if jira() {
jira-cve-1()
jira-cve-2()
jira-cve-3()
jira-cve-4()
}
```
Example of running directory based templates when `detect-jira.yaml` is detected host running Jira application, based on this you can define your own workflow to run scans based on any or specific stacks.
```yaml
id: workflow-example
info:
name: Jira-Pawner
author: mzack9999
variables:
jira: panels/detect-jira.yaml
jira-pwn: my-jira-templates/
logic:
|
if jira() {
jira-pwn()
}
```