h4cker/recon/intro_to_nuclei.md

Introducing Nuclei: A Fast and Customizable Vulnerability Scanner

Introduction

Nuclei is an open-source, fast, and customizable vulnerability scanner developed by ProjectDiscovery. It is designed to send requests across targets based on predefined templates, enabling efficient and accurate vulnerability detection with minimal false positives. Nuclei supports scanning for various protocols, including TCP, DNS, HTTP, SSL, File, Whois, and Websocket.

Some of the Key Features

1. Template-based scanning: Nuclei uses YAML-based templates to define scanning logic, making it highly extensible and customizable.

2. Multi-protocol support: Enables scanning across various network protocols and services.

3. Fast and efficient: Optimized for speed, allowing rapid scanning of large numbers of hosts.

4. Low false positives: Template-based approach helps minimize false positive results.

5. Community-driven: Large repository of community-contributed templates for detecting various vulnerabilities.

6. Easy integration: Can be easily integrated into CI/CD pipelines and other automated security workflows.

Usage Examples

Basic Scanning

To scan a single target using Nuclei:

nuclei -u http://10.6.6.23

To scan multiple targets from a file:

nuclei -l targets.txt

Using Specific Templates

Scan with particular templates:

nuclei -u https://example.com -t cves/ -t exposures/

Filtering Templates

Scan using templates with specific tags:

nuclei -u https://example.com -tags cve,oast

Exclude certain tags:

nuclei -u https://example.com -etags dos,fuzz

Output Formatting

Generate JSON output:

nuclei -u https://example.com -json-output results.json

Rate Limiting

Limit requests per second:

nuclei -u https://example.com -rate-limit 100

Creating Nuclei Templates

Nuclei templates are YAML files that define the scanning logic. Here's a basic structure of a Nuclei template:

id: example-template
info:
  name: Example Vulnerability Check
  author: YourName
  severity: medium
  description: Checks for an example vulnerability
  
requests:
  - method: GET
    path:
      - "{{BaseURL}}/vulnerable-endpoint"
    matchers:
      - type: word
        words:
          - "vulnerable string"

Key components of a template:

1. id: Unique identifier for the template
2. info: Metadata about the template
3. requests: Defines the HTTP requests to be made
4. matchers: Specifies conditions to identify vulnerabilities

Example: CVE Detection Template

Here's an example template for detecting CVE-2021-44228 (Log4j vulnerability):

id: CVE-2021-44228

info:
  name: Apache Log4j RCE
  author: pdteam
  severity: critical
  description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228

requests:
  - raw:
      - |
        GET /${jndi:ldap://{{interactsh-url}}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: ${jndi:ldap://{{interactsh-url}}}
        Referer: ${jndi:ldap://{{interactsh-url}}}        

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"

      - type: regex
        part: interactsh_request
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'

This template sends requests with JNDI lookup strings in various HTTP headers and checks for DNS or HTTP callbacks to detect the Log4j vulnerability[8].

Best Practices for Template Creation

1. Use clear and descriptive template IDs and names
2. Include accurate metadata (author, severity, description)
3. Utilize dynamic variables like {{BaseURL}} for flexibility
4. Implement precise matchers to reduce false positives
5. Test templates thoroughly before submission
6. Follow the community template contributions