The other day I installed Go on the Linux side of my IdeaPad Duet Chromebook, so this time I'll try installing Nuclei.
Nuclei – Community Powered Vulnerability Scanner
https://nuclei.projectdiscovery.io/
projectdiscovery/nuclei
https://github.com/projectdiscovery/nuclei
projectdiscovery/nuclei-templates
https://github.com/projectdiscovery/nuclei-templates
- git clone
- go build
- go mod tidy
- go build
- update the nuclei templates
- run nuclei
user01@penguin:~$ git clone https://github.com/projectdiscovery/nuclei.git
Cloning into 'nuclei'...
remote: Enumerating objects: 560, done.
remote: Counting objects: 100% (560/560), done.
remote: Compressing objects: 100% (360/360), done.
remote: Total 7674 (delta 308), reused 375 (delta 177), pack-reused 7114
Receiving objects: 100% (7674/7674), 9.71 MiB | 313.00 KiB/s, done.
Resolving deltas: 100% (5055/5055), done.
It says "go mod tidy" is needed. I don't fully understand it, but I'll run it.
user01@penguin:~$ cd nuclei/v2/cmd/nuclei/
user01@penguin:~/nuclei/v2/cmd/nuclei$ go build .
go: updates to go.mod needed; to update it:
	go mod tidy
user01@penguin:~/nuclei/v2/cmd/nuclei$ go mod tidy
go: downloading github.com/stretchr/testify v1.6.1
go: downloading golang.org/x/sync v0.0.0-20190423024810-112230192c58
go: downloading gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405
go: downloading github.com/onsi/ginkgo v1.7.0
go: downloading github.com/onsi/gomega v1.4.3
go: downloading gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading github.com/davecgh/go-spew v1.1.1
go: downloading golang.org/x/text v0.3.3
go: downloading github.com/hpcloud/tail v1.0.0
go: downloading github.com/golang/protobuf v1.3.2
go: downloading gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7
go: downloading gopkg.in/fsnotify.v1 v1.4.7
go: downloading github.com/fsnotify/fsnotify v1.4.7
The executable has been built.
user01@penguin:~/nuclei/v2/cmd/nuclei$ go build .
user01@penguin:~/nuclei/v2/cmd/nuclei$ ls -l
total 13796
-rw-r--r-- 1 user01 user01      401 Mar  1 1:55 main.go
-rwxr-xr-x 1 user01 user01 14119947 Mar  1 1:58 nuclei
I'll copy it to a directory that is on PATH.
user01@penguin:~/nuclei/v2/cmd/nuclei$ sudo cp nuclei /usr/local/bin
Nuclei provides ready-to-use templates. The command below downloads them; the save location turned out to be $HOME.
user01@penguin:~$ nuclei -update-templates

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.2.1-dev
		projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.

[INF] Successfully updated nuclei-templates (v8.1.0). Enjoy!

user01@penguin:~$ ls -l nuclei-templates/
total 12
-rwxr-xr-x 1 user01 user01 3359 Mar  1 15:01 CODE_OF_CONDUCT.md
drwxr-xr-x 1 user01 user01   88 Mar  1 15:01 cves
drwxr-xr-x 1 user01 user01  158 Mar  1 15:01 default-logins
drwxr-xr-x 1 user01 user01  324 Mar  1 15:01 dns
drwxr-xr-x 1 user01 user01 3538 Mar  1 15:01 exposed-panels
drwxr-xr-x 1 user01 user01   60 Mar  1 15:01 exposed-tokens
drwxr-xr-x 1 user01 user01   54 Mar  1 15:01 exposures
drwxr-xr-x 1 user01 user01  180 Mar  1 15:01 fuzzing
drwxr-xr-x 1 user01 user01   16 Mar  1 15:01 helpers
-rwxr-xr-x 1 user01 user01 1079 Mar  1 15:01 LICENSE.md
drwxr-xr-x 1 user01 user01  612 Mar  1 15:01 miscellaneous
drwxr-xr-x 1 user01 user01 2132 Mar  1 15:01 misconfiguration
-rwxr-xr-x 1 user01 user01 4051 Mar  1 15:01 README.md
drwxr-xr-x 1 user01 user01   46 Mar  1 15:01 takeovers
drwxr-xr-x 1 user01 user01 2064 Mar  1 15:01 technologies
drwxr-xr-x 1 user01 user01  182 Mar  1 15:01 vulnerabilities
drwxr-xr-x 1 user01 user01 1030 Mar  1 15:01 workflows
As a test, I'll check a server that our company manages. The templates used were cves and dns.
First, create a list file of the target servers.
user01@penguin:~$ vi nuclei_list.txt
user01@penguin:~$ cat nuclei_list.txt
https://192.168.200.200
Now let's run it.
rootlinks@penguin:~$ nuclei -l nuclei_list.txt -t nuclei-templates/cves/ -t nuclei-templates/dns/

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.2.1-dev
		projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.

[INF] Loading templates...
[INF] [CVE-2005-2428] CVE-2005-2428 (@CasperGN) [medium]
(snip)
[INF] [spoofable-spf-records-ptr] Find spoofable SPF records containing the PTR mechanism (@binaryfigments) [info]
[INF] Using 212 rules (212 templates, 0 workflows)
[INF] No results found. Happy hacking!
It checked with 212 rules and reported that no vulnerabilities were found.
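The steps above (build from the clone, update the templates, scan a target list) as one script, with the checks a quick manual run skips: this is an added example, not code from the post or from the nuclei project. It assumes the clone lives at $HOME/nuclei and the templates were saved to $HOME/nuclei-templates as observed in the post; NUCLEI_RUN, validate_targets, template_args and scan are names chosen here.

```shell
# Added example (not from the original post): the post's build, template update
# and scan steps as one script with the checks a manual run skips. Assumes the
# repo is cloned to $HOME/nuclei and templates were saved to $HOME/nuclei-templates.
set -eu
NUCLEI_SRC="${NUCLEI_SRC:-$HOME/nuclei/v2/cmd/nuclei}"
TEMPLATES="${TEMPLATES:-$HOME/nuclei-templates}"

# Build and install the binary the way the post did.
build_nuclei() {
    (cd "$NUCLEI_SRC" && go mod tidy && go build .)
    sudo cp "$NUCLEI_SRC/nuclei" /usr/local/bin/
}

# Copy only http(s) URLs from $1 into $2; comments and blanks are dropped and
# anything else is reported on stderr. Fails when nothing usable is left, so an
# empty list cannot quietly become a scan that "found nothing".
validate_targets() {
    infile="$1"; outfile="$2"; n=0
    : > "$outfile"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -z "$line" ] && continue
        case "$line" in
            http://*|https://*) printf '%s\n' "$line" >> "$outfile"; n=$((n + 1)) ;;
            *) printf 'skipping non-URL target: %s\n' "$line" >&2 ;;
        esac
    done < "$infile"
    [ "$n" -gt 0 ]
}

# Turn template sub-directory names (the post used cves and dns) into the
# repeated -t arguments nuclei takes, one per line; fail early on a missing directory.
template_args() {
    for dir in "$@"; do
        [ -d "$TEMPLATES/$dir" ] || { echo "missing template dir: $TEMPLATES/$dir" >&2; return 1; }
        printf -- '-t %s/%s/\n' "$TEMPLATES" "$dir"
    done
}

# Scan the validated list, keep medium severity and above, save the findings.
scan() {
    list="$1"; shift; clean=$(mktemp)
    targs=$(template_args "$@")    # set -e aborts here if a directory is missing
    validate_targets "$list" "$clean"
    # shellcheck disable=SC2086  # $targs is meant to be word-split into -t pairs
    nuclei -l "$clean" $targs -severity medium,high,critical -o nuclei_results.txt
    rm -f "$clean"
}

if [ "${NUCLEI_RUN:-0}" = 1 ]; then build_nuclei; nuclei -update-templates; scan nuclei_list.txt cves dns; fi
```

Run it with NUCLEI_RUN=1 to perform the build and scan; without it the file only defines the functions, so it can be sourced and checked offline.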
user01@penguin:~$ nuclei -h
Usage of nuclei:
  -H value
    	Custom Header.
  -bulk-size int
    	Maximum Number of hosts analyzed in parallel per template (default 25)
  -burp-collaborator-biid string
    	Burp Collaborator BIID
  -c int
    	Maximum Number of templates executed in parallel (default 10)
  -debug
    	Allow debugging of request/responses
  -exclude value
    	Template input dir/file/files to exclude. Can be used multiple times. Supports globbing.
  -include-rr
    	Write requests/responses for matches in JSON output
  -json
    	Write json output to files
  -l string
    	List of URLs to run templates on
  -metrics
    	Expose nuclei metrics on a port
  -metrics-port int
    	Port to expose nuclei metrics on (default 9092)
  -no-color
    	Disable colors in output
  -no-meta
    	Don't display metadata for the matches
  -o string
    	File to write output to (optional)
  -project
    	Use a project folder to avoid sending same request multiple times
  -project-path string
    	Use a user defined project folder, temporary folder is used if not specified but enabled
  -proxy-socks-url string
    	URL of the proxy socks server
  -proxy-url string
    	URL of the proxy server
  -random-agent
    	Use randomly selected HTTP User-Agent header value
  -rate-limit int
    	Rate-Limit (maximum requests/second (default 150)
  -retries int
    	Number of times to retry a failed request (default 1)
  -sandbox
    	Run workflows in isolated sandbox mode
  -severity string
    	Filter templates based on their severity and only run the matching ones. Comma-separated values can be used to specify multiple severities.
  -silent
    	Show only results in output
  -stats
    	Display stats of the running scan
  -stop-at-first-match
    	Stop processing http requests at first match (this may break template/workflow logic)
  -t value
    	Template input dir/file/files to run on host. Can be used multiple times. Supports globbing.
  -target string
    	Target is a single target to scan using template
  -templates-version
    	Shows the installed nuclei-templates version
  -timeout int
    	Time to wait in seconds before timeout (default 5)
  -tl
    	List available templates
  -trace-log string
    	File to write sent requests trace log
  -update-directory string
    	Directory to use for storing nuclei-templates
  -update-templates
    	Update Templates updates the installed templates (optional)
  -v
    	Show Verbose output
  -version
    	Show version of nuclei
  -workflow-duration int
    	Max time for workflow run on single URL in minutes (default 10)