Hey there, fellow hackers! Are you ready to take your Nuclei skills to the next level? Buckle up, because in this blog post, we're going to explore the vast possibilities of Nuclei beyond its popular use with HTTP. Nuclei, developed by ProjectDiscovery, is a powerful and versatile tool that can help you uncover vulnerabilities. In this article, you'll learn how you can leverage Nuclei for various protocols and make your security assessments even more robust!
Beyond Basic HTTP Requests
Despite what many think, Nuclei isn't limited to basic HTTP requests. In fact, it's not even limited to HTTP! By understanding and utilizing Nuclei functionality effectively, you can widen the scope of your scans, covering services beyond web servers. Here's a breakdown of a few protocols supported by Nuclei:
- TCP: Nuclei can act as an automatable Netcat, enabling you to send and receive bytes across the wire while providing matching and extracting capabilities on the response.
- DNS: Using Nuclei you can send fully customizable DNS requests and perform matching and extracting operations on their responses.
- Files: Nuclei goes beyond the network and DNS layers by providing support for file-based assessments. With file-based templates, you can match and extract data directly from the filesystem, adding an extra layer of depth to your security scans.
- Headless: Nuclei supports browsing with a headless browser, which enables you to detect vulnerabilities that only reveal themselves after executing JavaScript in a browser, such as DOM XSS.
Now that we've covered the different protocol support in Nuclei, let's take a closer look at each protocol and see how you can leverage them effectively in your security assessments.
Sending Raw TCP Requests
Nuclei's network protocol support brings a whole new level of flexibility to your security assessments. You can think of it as an automatable Netcat, allowing you to send and receive bytes while performing matching and extracting operations on the response.
A basic network template with a word matcher could look like this:
This template connects to {{Hostname}} via a raw TCP connection, sends "PING\r\n", then reads 4 bytes from the response. In this case, the template is looking for the word "PONG" in the response.
Using TLS
You can make TLS requests by adding a tls:// schema at the start of the hostname, for example: tls://example.com.
Sending hex data
You can send raw hex data by specifying "hex" as the type in the input. You can also specify the output encoding for matchers. Here's an example from the Nuclei docs.
Sending multi-step requests
You can also send multi-step requests, as demonstrated by this template, which exploits CVE-2015-3306, an RCE against ProFTPd.
Crafting DNS Requests
With Nuclei, you can fully customize DNS requests and perform matching and extracting operations on the DNS responses. This can be extremely useful for detecting DNS takeovers and general DNS reconnaissance tasks.
This example simply detects if there is a CNAME record for the specified fully qualified domain name.
File Protocol: Delving Into Filesystem Assessments
Nuclei not only excels in network and DNS assessments but also extends its capabilities to the filesystem level. By using file-based templates, you can match and extract information directly from files. This might be used to uncover vulnerable code patterns, API keys, or sensitive file types.
Here's an example of a file template that finds Google API keys in files.
Recursiveness and denylist
You can specify "no-recursive: true" which will stop nuclei from searching through directories recursively. You can also specify a "denylist" which will ignore files with the extensions specified in the "denylist" array.
In the template below, files with the "pub" extension will be ignored and only files in the root directory will be scanned.
Conclusion
Congratulations! You've now expanded your knowledge of Nuclei beyond just HTTP. In this blog post, we explored the possibilities of creating raw TCP requests, DNS requests and file system scans. Each of these features brings unique capabilities to the table, allowing you to uncover more vulnerabilities!
If you want to continue levelling up your nuclei knowledge, the best place to look is the nuclei docs and more specifically, the nuclei templating guide.
Stay tuned for more exciting content and advanced techniques to maximize your cybersecurity arsenal. Until then, keep exploring, learning, and safeguarding the digital realm!
Author - Luke Stephens, @hakluke