Introduction
In cybersecurity the contest between attackers and defenders to find and fix vulnerabilities never pauses, and new issues appear faster than most teams can review them. That pace is why fast, current and broad vulnerability scanning matters, and it is where Nuclei (https://github.com/projectdiscovery/nuclei) comes in: an open-source, template-based scanner that has become a staple for security teams and researchers alike.
Nuclei is more than a single-purpose tool. It lets its users quickly locate vulnerabilities across a wide range of systems and applications, from web applications to network services such as FTP, SMB and databases, and re-run the same checks afterwards to confirm that a fix actually worked. That breadth is what makes it useful for protecting real infrastructure rather than just one tier of it.
The purpose of this blog is not only to introduce you to Nuclei but also to take you on a comprehensive journey through its capabilities. Through a series of controlled demonstrations, we’ll explore how Nuclei can detect a variety of vulnerabilities, offering insights into its operational mechanics, and showcasing its potential to fortify cybersecurity defenses.
Join me as I delve into the depths of cybersecurity with Nuclei, uncovering the layers of protection it offers and demonstrating why it’s an essential tool for anyone serious about securing their digital environment. Prepare to be enlightened, educated, and inspired to elevate your cybersecurity game.
Understanding Nuclei
In the cybersecurity arena, maintaining a proactive stance against emerging threats is critical. Nuclei positions itself as an essential tool in this ongoing battle. Designed to meet the challenges of today’s digital ecosystem, Nuclei is a rapid, scalable, and adaptable vulnerability scanner that has transformed the methodologies security teams employ in identifying and addressing threats. What distinguishes Nuclei from the myriad of cybersecurity solutions available? We will delve into its essence, examining its functionalities, advantages, and the reasons it has garnered widespread acclaim among cybersecurity experts worldwide.
What is Nuclei?
Nuclei is an open-source vulnerability scanner developed by ProjectDiscovery and designed for speed, scale and accuracy across many platforms and protocols. Rather than shipping a closed, monolithic signature database, Nuclei uses a template-based approach: each check is a YAML file that describes the requests to send and the matchers that decide whether a target is affected. The templates live in a public repository (nuclei-templates), so new checks can be written and shared within hours of a vulnerability becoming public, and anyone can read exactly what a check does before running it.
Key Features of Nuclei
- Template-Based Scans: Nuclei's community-maintained template library covers a wide range of issues, from missing security headers and exposed admin panels to remotely exploitable CVEs, and is updated continuously, so a scan reflects recently published vulnerabilities rather than a stale database.
- High Performance: Written in Go with concurrent request handling, Nuclei can run thousands of requests per minute, which makes it practical for scanning large target lists rather than single hosts.
- Customizable and Extensible: Users can write or modify templates to cover custom applications, organization-specific misconfigurations, or a newly published vulnerability for which no public template exists yet.
- Integration-Friendly: Nuclei runs non-interactively, reads targets from files or standard input and emits machine-readable output, so it fits into CI/CD pipelines, scheduled scans and alerting, supporting near-real-time detection and response.
Why Nuclei?
The widespread utilization of Nuclei across diverse industries highlights its efficacy in implementing preemptive security strategies. Its capacity for swift adaptation to the most recent vulnerabilities, courtesy of community-driven updates, distinguishes it from competitors that may not keep pace with the evolution of new threats. Additionally, the straightforwardness and adaptability of Nuclei render it approachable for not only sizable corporations with specialized security divisions but also for smaller entities and independent researchers. This democratization of security offers a potent and user-friendly tool that is both efficient and highly impactful.
In conclusion, Nuclei exemplifies the significant impact of community collaboration and innovation within the realm of cybersecurity. Its foundational principles of rapidity, precision, and flexibility render it an essential resource for anyone prioritizing security, from individuals to large-scale organizations. As we explore its features in greater detail in the subsequent sections, the reasons behind Nuclei’s status as not merely a tool but a holistic answer to the intricate problems faced in contemporary cybersecurity environments become increasingly clear.
Nuclei in Action: Scanning Metasploitable2 for Vulnerabilities
Metasploitable2, a purposely vulnerable virtual machine designed for training and educational purposes, provides an excellent playground for exploring the capabilities of Nuclei. This section guides you through a practical exercise using Nuclei to identify vulnerabilities within Metasploitable2, highlighting the tool’s efficiency and precision in real-world applications.
Preparing the Environment
Setup: Ensure that Metasploitable2 is installed and running in an isolated lab network. It will be the target for every scan in this post and exposes a wide range of deliberately vulnerable services. I run Metasploitable2 as a separate virtual machine from my Kali Linux VM, with both attached to the same virtual network. Validate the setup by running ip addr on the Metasploitable2 console and pinging the address it reports from the Kali machine. Never attach Metasploitable2 to a network you do not fully control: several of its services hand out root access without any credentials.
Nuclei Configuration: With Nuclei installed, refresh the template library (nuclei -update-templates) before scanning so that you are using the latest definitions. This matters for Metasploitable2 because several of its findings come from CVE templates that are revised over time. The scans below were run with nuclei v3.1.10 and nuclei-templates v9.7.6, as the banner in the output shows.
Scanning Process
Selecting Templates: Given Metasploitable2's broad range of weaknesses, start with a general run covering common web vulnerabilities, misconfigurations and known service vulnerabilities. If you omit -t altogether, Nuclei runs its default template set, which is the simplest way to get a first overview; the -tags and -severity options narrow the run later once you know what you are looking for.
Executing the Scan: Run Nuclei against the IP address of your Metasploitable2 instance, with or without an explicit template path. Nuclei sends the requests each template defines and reports a finding whenever a template's matchers fire.
Example Commands:
nuclei -u http://[Metasploitable2-IP] -t [path-to-templates]
nuclei -u http://[Metasploitable2-IP]
Analyzing the Results: Nuclei prints one line per finding: the template id, the protocol, the severity declared by the template, the URL or host:port that matched and, in brackets, any values the template extracted (a server banner, a credential pair). For machine processing, -jsonl writes the same findings as JSON Lines. This information is invaluable for understanding the security posture of Metasploitable2.
Practical Findings
Here is what I was able to find with a basic nuclei search against the Metasploitable2 virtual machine.
nuclei -u http://192.168.160.135
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.1.10
projectdiscovery.io
[INF] Current nuclei version: v3.1.10 (latest)
[INF] Current nuclei-templates version: v9.7.6 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 49
[INF] Templates loaded for current scan: 7501
[INF] Executing 7519 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1282 (Reduced 1246 Requests)
[INF] Using Interactsh Server: oast.me
[CVE-2012-1823] [http] [high] http://192.168.160.135/index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input
[apache-detect] [http] [info] http://192.168.160.135 ["Apache/2.2.8 (Ubuntu) DAV/2"]
[php-detect] [http] [info] http://192.168.160.135 ["5.2.4"]
[tech-detect:php] [http] [info] http://192.168.160.135
[http-missing-security-headers:permissions-policy] [http] [info] http://192.168.160.135
[http-missing-security-headers:x-content-type-options] [http] [info] http://192.168.160.135
[http-missing-security-headers:clear-site-data] [http] [info] http://192.168.160.135
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://192.168.160.135
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://192.168.160.135
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://192.168.160.135
[http-missing-security-headers:strict-transport-security] [http] [info] http://192.168.160.135
[http-missing-security-headers:content-security-policy] [http] [info] http://192.168.160.135
[http-missing-security-headers:x-frame-options] [http] [info] http://192.168.160.135
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://192.168.160.135
[http-missing-security-headers:referrer-policy] [http] [info] http://192.168.160.135
[phpmyadmin-panel] [http] [info] http://192.168.160.135/phpMyAdmin/
[phpinfo-files] [http] [low] http://192.168.160.135/phpinfo.php
[http-trace:trace-request] [http] [info] http://192.168.160.135
[waf-detect:apachegeneric] [http] [info] http://192.168.160.135/
[postgres-weak-credentials] [javascript] [high] 192.168.160.135:5432 [passwords="postgres",usernames="postgres"]
[ftp-anonymous-login] [tcp] [medium] 192.168.160.135:21
[samba-detect] [tcp] [info] 192.168.160.135:139
[CVE-2020-1938] [tcp] [critical] 192.168.160.135:8009
[CVE-2011-2523] [tcp] [critical] 192.168.160.135:6200
[vnc-service-detect] [tcp] [info] 192.168.160.135:5900 ["RFB 003.003"]
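The text output above is easy to post-process. The following script is an added example written for this post, not code from the post's author or from the Nuclei project: it parses finding lines in Nuclei's default one-line-per-finding layout, tallies them by severity and implements the kind of severity gate you would put in a CI job (fail the build if anything at or above a threshold is found). The sample lines are constructed from the scan above, with a few non-finding lines mixed in because a parser has to skip those; the regular expression assumes the default text layout, so for anything more robust use -jsonl and parse JSON instead.

```python
import re
from collections import Counter

# Nuclei's default (non-JSON) output prints one finding per line:
#   [template-id] [protocol] [severity] target [optional extracted values]
# Lines beginning with [INF]/[WRN]/[ERR]/[FTL]/[DBG] are scanner log messages and the
# banner lines do not start with "[" at all, so neither kind is a finding.
FINDING_RE = re.compile(
    r"^\[(?P<template>[^\]]+)\] \[(?P<protocol>[^\]]+)\] \[(?P<severity>[^\]]+)\] "
    r"(?P<target>\S+)(?: \[(?P<extracted>.*)\])?$"
)
LOG_PREFIXES = ("[INF]", "[WRN]", "[ERR]", "[FTL]", "[DBG]")
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

# Constructed sample: a subset of the scan output above plus the kind of
# non-finding lines (version info, warnings) that a parser has to skip.
SAMPLE_OUTPUT = """
projectdiscovery.io

[INF] Current nuclei version: v3.1.10 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] Templates loaded for current scan: 7501
[CVE-2012-1823] [http] [high] http://192.168.160.135/index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input
[apache-detect] [http] [info] http://192.168.160.135 ["Apache/2.2.8 (Ubuntu) DAV/2"]
[phpinfo-files] [http] [low] http://192.168.160.135/phpinfo.php
[postgres-weak-credentials] [javascript] [high] 192.168.160.135:5432 [passwords="postgres",usernames="postgres"]
[ftp-anonymous-login] [tcp] [medium] 192.168.160.135:21
[CVE-2020-1938] [tcp] [critical] 192.168.160.135:8009
[CVE-2011-2523] [tcp] [critical] 192.168.160.135:6200
[vnc-service-detect] [tcp] [info] 192.168.160.135:5900 ["RFB 003.003"]
"""


def parse_finding(line):
    """Parse one output line; return a dict for a finding, None for anything else."""
    line = line.strip()
    if not line or line.startswith(LOG_PREFIXES):
        return None
    m = FINDING_RE.match(line)
    if m is None:
        return None
    finding = m.groupdict()  # keys: template, protocol, severity, target, extracted
    finding["severity"] = finding["severity"].lower()
    return finding


def parse_output(text):
    """All findings in a block of Nuclei text output, in the order they were printed."""
    return [f for f in (parse_finding(ln) for ln in text.splitlines()) if f is not None]


def severity_counts(findings):
    """Number of findings per severity label."""
    return Counter(f["severity"] for f in findings)


def findings_at_or_above(findings, threshold):
    """Findings whose severity ranks at or above `threshold` (e.g. "high")."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= floor]


def gate(text, threshold="high"):
    """CI-style gate: returns (passed, blocking_findings); passes only if nothing meets the threshold."""
    blocking = findings_at_or_above(parse_output(text), threshold)
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    found = parse_output(SAMPLE_OUTPUT)
    print("by severity:", dict(severity_counts(found)))
    ok, blocking = gate(SAMPLE_OUTPUT, "high")
    print("gate(high) passed:", ok)
    for f in blocking:
        print(f"  {f['severity']:>8}  {f['template']:<26} {f['target']}")
```

Run against the sample, the gate fails with four blocking findings (two critical, two high), which is the behaviour you want from a pipeline step: informational fingerprints such as apache-detect never block a build, while a backdoor listener or default database credentials always do.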
Analysis and Mitigation
The output from the Nuclei scan against http://192.168.160.135 gives a broad overview of the vulnerabilities and information disclosures on the target. Keep in mind that the severity label is the one each template declares, so a single run mixes simple fingerprints ([info]) with findings that amount to unauthenticated root access ([critical]). Here is a detailed analysis of the findings, starting with the ones that matter most:
High and Critical Vulnerabilities
- CVE-2012-1823 (High Severity): PHP running as a CGI binary (php-cgi) treats a query string that begins with a dash as command-line options. The matched URL shows the classic payload: -d allow_url_include=on -d auto_prepend_file=php://input tells PHP to prepend the raw request body to the script, so whatever PHP code an attacker POSTs is executed on the server. Metasploitable2's PHP 5.2.4 predates the fix (PHP 5.3.12 / 5.4.2); upgrade PHP or, at minimum, stop running it as CGI.
- CVE-2020-1938 (Critical Severity): "Ghostcat", a flaw in the Apache JServ Protocol (AJP) connector that Tomcat exposes here on TCP 8009. AJP trusts request attributes supplied by the client, so anyone who can reach the port can read any file under the web application (web.xml, source, configuration) and, if the application also lets them place a file on the server (a file-upload feature, for example), have that file processed as a JSP for remote code execution. Disable the AJP connector if nothing uses it, or bind it to localhost and upgrade Tomcat.
- CVE-2011-2523 (Critical Severity): This is not a VNC issue. It is the backdoor planted in the vsftpd 2.3.4 release archive in 2011: sending the FTP service a username that ends with the characters :) makes it open a root shell on TCP 6200, which is exactly the port Nuclei matched. No credentials are required, so anyone who can reach the host gets root. Remove the backdoored vsftpd build and install a clean version from a trusted source.
- Postgres Weak Credentials (High Severity): The database accepts postgres:postgres, the default superuser name with the same string as its password, and accepts it over the network on 5432. That gives an attacker full control of every database on the instance. Set a strong password, restrict which hosts may connect in pg_hba.conf, and do not expose PostgreSQL beyond the systems that need it.
Information Disclosures and Configuration Issues
- Apache, PHP Version Detection: Apache/2.2.8 and PHP 5.2.4 are both long past end of life, and the version strings are served in plain sight (Server header, phpinfo), which lets an attacker choose exploits without any guesswork.
- Missing Security Headers: The list of absent headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security and the rest) is informational. Adding them helps against clickjacking, MIME sniffing and the impact of some cross-site scripting (XSS) bugs, but none of them would stop the critical findings above; treat them as hardening, not remediation.
- phpMyAdmin Panel, phpinfo.php: phpinfo.php reveals the PHP version, loaded modules, configuration directives and filesystem paths, all useful to an attacker. An exposed phpMyAdmin login panel is a direct route to the database and a target for credential guessing. Neither belongs on a network-facing host.
- HTTP TRACE Enabled: The http-trace finding means the server answers TRACE requests, which echo the request (including headers) back to the client. That is the building block of cross-site tracing, and there is no reason to leave the method enabled.
- Samba, VNC, and Other Services Detected: Samba on 139, VNC on 5900 (advertising RFB 003.003) and anonymous FTP on 21 are further entry points if they are unnecessary or weakly configured. The waf-detect:apachegeneric line is a fingerprint of Apache's generic responses rather than evidence that a web application firewall sits in front of the server.
Recommendations
- Immediate Patching and Updates: Address the high and critical findings first: upgrade PHP (or stop running it as CGI), upgrade Tomcat and disable the AJP connector, replace the backdoored vsftpd build, and change the PostgreSQL superuser password.
- Secure Configuration: Review every network-facing service. FTP should not allow anonymous login unless that is intended, Samba and VNC should require strong authentication and be reachable only from the hosts that need them, and unused services should be stopped. Disable HTTP TRACE on Apache (TraceEnable off).
- Implement Security Headers: Configure the web server to send the missing HTTP security headers; this hardens the web applications on the host even though it does not address the critical findings.
- Limit Information Disclosure: Remove phpinfo.php, and restrict phpMyAdmin to authorised addresses (or remove it) if it is not intended for public access. Suppress version strings in the Server header where the software allows it.
- Regular Security Assessments: Re-run the scan after remediation to confirm the fixes, and schedule regular scans so that new issues are caught as templates for them are published.
This scan has highlighted several critical security issues that require immediate attention to protect the system from potential exploitation.
Creating Custom Templates
Creating custom templates in vulnerability scanning tools like Nuclei allows security researchers and penetration testers to tailor their detection mechanisms to specific vulnerabilities, systems, or applications. This capability is crucial for comprehensive security assessments, especially when dealing with custom applications or uncommon configurations. To illustrate this process, let’s delve into a custom template designed to detect the presence of Damn Vulnerable Web Application (DVWA) on a Metasploitable2 target.
DVWA Detection Template Overview
id: dvwa-detection

info:
  name: DVWA Detection on Metasploitable2
  author: Joseph Damon
  severity: critical
  description: Checks for the presence of DVWA on Metasploitable2.
  tags: web,dvwa,metasploitable2

# "http" is the Nuclei v3 protocol key; the older "requests" key still works but is deprecated.
http:
  - method: GET
    path:
      - "{{BaseURL}}/dvwa/login.php"

    matchers:
      - type: word
        part: body
        condition: or
        words:
          - "dvwa/images/login_logo.png"
          - "Damn Vulnerable Web Application (DVWA) is a RandomStorm OpenSource project"
          - "Damn Vulnerable Web Application"
          - "DVWA"
The custom template I have created identifies instances of DVWA, an intentionally vulnerable web application used for training and educational purposes. Finding DVWA on a live system is worth flagging because its presence means deliberately exploitable code is reachable; the severity: critical in the info block is the author's judgement about that, and it is exactly what Nuclei prints in the result, since severity is declared by the template rather than measured. Because condition: or is set, the matcher fires when any one of the listed strings appears in the response body. In practice the bare "DVWA" string will always be the one that matches, which makes the other three redundant and means that any page merely mentioning the acronym (a write-up, a 404 page that echoes the requested path) matches too. For a stricter check, use condition: and with two of the more specific strings, or add a status matcher and combine the matchers with matchers-condition: and.
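To see concretely what condition: or does with a bare string like "DVWA", the following Python is a small re-implementation of the matcher semantics the template depends on: word, regex and status matchers, the per-matcher condition, negative, case-insensitive, and the request-level matchers-condition. It is an added illustration written for this post, not Nuclei's own code, and it covers none of the rest of Nuclei (sending requests, DSL expressions, extractors). The matcher sections are transcribed from YAML into Python dicts so the script has no dependencies, and the HTTP responses it evaluates are constructed: a DVWA-style login page, a blog post that mentions DVWA, a 404 page that echoes the requested path, and an unrelated page.

```python
import re


def _searchable_text(response, part):
    """Return the text a Nuclei 'part' refers to: body, header, or all."""
    headers = "\n".join(f"{k}: {v}" for k, v in response.get("headers", {}).items())
    body = response.get("body", "")
    return {"body": body, "header": headers, "all": headers + "\n" + body}[part]


def match_one(matcher, response):
    """Evaluate a single matcher (a dict mirroring one YAML matcher entry)."""
    kind = matcher["type"]
    if kind == "status":
        hit = response.get("status") in matcher["status"]
    elif kind in ("word", "regex"):
        text = _searchable_text(response, matcher.get("part", "body"))
        needles = matcher["words"] if kind == "word" else matcher["regex"]
        if matcher.get("case-insensitive", False):
            text = text.lower()
            needles = [n.lower() for n in needles]
        if kind == "word":
            results = [n in text for n in needles]
        else:
            results = [re.search(n, text) is not None for n in needles]
        # The per-matcher 'condition' combines the list; the default is "or".
        hit = all(results) if matcher.get("condition", "or") == "and" else any(results)
    else:
        raise ValueError(f"unsupported matcher type for this example: {kind}")
    # 'negative: true' inverts the result of that one matcher.
    return (not hit) if matcher.get("negative", False) else hit


def evaluate(request_block, response):
    """Evaluate all matchers of one request block, combined by matchers-condition."""
    results = [match_one(m, response) for m in request_block["matchers"]]
    cond = request_block.get("matchers-condition", "or")
    return all(results) if cond == "and" else any(results)


# Matcher section of the dvwa-detection template above, transcribed to a dict.
LOOSE = {
    "matchers": [{
        "type": "word", "part": "body", "condition": "or",
        "words": [
            "dvwa/images/login_logo.png",
            "Damn Vulnerable Web Application (DVWA) is a RandomStorm OpenSource project",
            "Damn Vulnerable Web Application",
            "DVWA",
        ],
    }]
}

# A tightened variant: logo AND title text, a 200 response, and not an error page.
TIGHT = {
    "matchers-condition": "and",
    "matchers": [
        {"type": "status", "status": [200]},
        {"type": "word", "part": "body", "condition": "and",
         "words": ["dvwa/images/login_logo.png", "Damn Vulnerable Web Application"]},
        {"type": "word", "part": "body", "negative": True, "words": ["404 Not Found"]},
    ],
}

# Constructed responses (not captured from a real host), modelled on the strings the template looks for.
DVWA_LOGIN = {
    "status": 200,
    "headers": {"Server": "Apache/2.2.8 (Ubuntu) DAV/2", "Content-Type": "text/html"},
    "body": ("<html><head><title>Login :: Damn Vulnerable Web Application (DVWA)</title></head>"
             '<body><img src="dvwa/images/login_logo.png" />'
             '<form action="login.php" method="post">...</form>'
             "<p>Damn Vulnerable Web Application (DVWA) is a RandomStorm OpenSource project</p>"
             "</body></html>"),
}
BLOG_POST = {"status": 200, "headers": {"Content-Type": "text/html"},
             "body": "<html><body><h1>Our DVWA walkthrough</h1><p>Notes from the lab.</p></body></html>"}
ECHOING_404 = {"status": 404, "headers": {"Content-Type": "text/html"},
               "body": "<html><body><h1>404 Not Found</h1><p>/DVWA/login.php was not found.</p></body></html>"}
UNRELATED = {"status": 200, "headers": {}, "body": "<html><body>Welcome</body></html>"}


def classify(response):
    """Result of both matcher sets for one response."""
    return {"loose": evaluate(LOOSE, response), "tight": evaluate(TIGHT, response)}


if __name__ == "__main__":
    for name, resp in [("DVWA login page", DVWA_LOGIN), ("blog post", BLOG_POST),
                       ("echoing 404", ECHOING_404), ("unrelated page", UNRELATED)]:
        print(f"{name:<16} {classify(resp)}")
```

Running it makes the point: the loose matcher fires on three of the four responses, the tightened one only on the real login page. In a real template the same tightening is expressed by giving the word matcher condition: and, adding a status matcher, and setting matchers-condition: and at the request level.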
Practical Example with a Custom Template
nuclei -u http://192.168.160.135 -t ~/Desktop/dvwa-detection.yaml
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.1.10
projectdiscovery.io
[INF] Current nuclei version: v3.1.10 (latest)
[INF] Current nuclei-templates version: v9.7.6 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 49
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[dvwa-detection] [http] [critical] http://192.168.160.135/dvwa/login.php
In this example I point Nuclei at a single template with -t instead of the default set. The [WRN] line about an unsigned template is expected: templates in the official nuclei-templates repository are signed by ProjectDiscovery, a locally written template is not, and Nuclei flags that it is running a check it cannot attribute. The finding confirms that the DVWA login page is reachable at http://192.168.160.135/dvwa/login.php; the [critical] label is the severity the template declares, not a separate vulnerability Nuclei discovered inside DVWA. Exploiting the application's own flaws would be the next step in an assessment, which is not something a detection template does.
Importance of Custom Templates
Custom templates like the DVWA detection template exemplify the adaptability of vulnerability scanning tools. By allowing users to define their own detection criteria, these tools can be extended to cover a wide range of scenarios beyond their default capabilities. This is particularly valuable in several contexts:
- Targeted Assessments: Custom templates can be designed to detect specific applications or configurations relevant to a particular security assessment or research project.
- Emerging Threats: In the face of new vulnerabilities or exploits, custom templates enable rapid development of detection mechanisms before official updates are released.
- Educational Purposes: For training environments or capture the flag (CTF) challenges, custom templates can help participants identify key targets or vulnerabilities to exploit.
The creation and utilization of custom templates, as demonstrated by the DVWA detection template, highlight the flexibility and power of modern vulnerability scanning tools. By enabling personalized assessments tailored to specific needs or targets, these templates significantly enhance the efficacy and scope of security testing efforts. For security professionals and researchers, mastering the art of crafting these templates is a valuable skill, contributing to more effective and comprehensive vulnerability management practices.
Conclusion
Nuclei emerges as a dynamic and versatile asset for security experts, offering a wide array of capabilities for pinpointing vulnerabilities across web applications, networks, and infrastructural components. Its effectiveness is rooted not just in its rapidity and operational efficiency but also in a community-driven methodology that perpetually updates its template library, aligning with the ever-changing contours of the cybersecurity domain.
By adhering to established best practices, practitioners can leverage Nuclei to conduct exhaustive security evaluations while minimizing the likelihood of false positives and unintentional system disruptions. The ability to customize and refine templates is a pivotal aspect that enables users to adapt scans to their unique requirements, thereby increasing the pertinence and precision of the outcomes.
Ethical usage and responsible implementation are crucial when employing Nuclei for any security examination. This entails obtaining necessary permissions prior to conducting scans, upholding data privacy, and dedicating oneself to ongoing educational pursuits. These core principles underscore the ethical application of Nuclei, encouraging users to contribute towards a collective cybersecurity ethos aimed at mutual enhancement and protection.
In essence, Nuclei, when applied with expertise, mindful of ethical standards, represents an invaluable component in the toolkit of cybersecurity professionals. It not only aids in the identification of vulnerabilities but also promotes a forward-thinking approach to security, vital in navigating the complexities of contemporary digital threats. As we navigate through the evolving digital terrain, instruments like Nuclei, backed by a dedicated and principled community, are indispensable in forging a secure and robust cyber landscape.