Nuclei and its community thrive on the ability to write exploits/checks quickly and simply in YAML format, and we aim to make nuclei templates the standard for writing security checks. That comes with understanding its limitations and addressing them, as well as expanding its capabilities. It is already possible to write most complex HTTP, DNS and SSL protocol exploits / checks with ever-growing support and a powerful, easy-to-use DSL in the nuclei engine, but we understand this may not be enough for addressing / writing vulnerabilities across all protocols, as well as other non-remote domains of security like local privilege escalation checks, kernel checks, etc.
- Provider/Driver specific exploit
- Non Network Checks
Security is not limited to the network, and nuclei does not intend to limit itself to the network either. There are many security checks that are not network related, such as:
- local privilege escalation checks
- kernel exploits
- account misconfigurations
- system misconfigurations, etc.
- Complex network protocol exploits
- Multi Step Exploits
LDAP / Kerberos exploits usually involve a multi-step process of authentication followed by exploitation, which is not easy to express in a YAML-based DSL.
- Scalable and maintainable exploits
One-off exploits written in code are not scalable or maintainable, due to the nature of the language, boilerplate code and many other factors. The goal here is to write only the bare minimum code required to run the exploit and let the nuclei engine handle the rest.
- Leveraging a Turing-complete language
- Nuclei v3.0.0 or above
API reference of all exposed modules and functions can be found here.
- The Nuclei Engine provides a set of functions and libraries that are tailor-made for writing exploits / checks, and only adds the functionality required to complement the existing YAML-based DSL.
In the above nuclei template we fingerprint the SSH server software by connecting in non-auth mode and extracting the server banner. Let's break down the template.
- creating a new instance of the SSH client
- connecting to the SSH server in non-auth mode
- converting the response to JSON
The error variable is exposed in matchers/extractors and carries the error message.
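The fingerprinting template described above, written out here as an added example rather than the page's own snippet. The `nuclei/ssh` module, `SSHClient()`, `ConnectSSHInfoMode()`, `to_json()` and the `.ServerID.Raw` field are the names of the nuclei v3 JavaScript SSH library as I know them; confirm them against the API reference before use.

```yaml
id: ssh-server-fingerprint

info:
  name: Fingerprint SSH Server Software
  author: example-author   # constructed placeholder
  severity: info

javascript:
  - code: |
      // Load the built-in SSH library shipped with the nuclei engine
      var m = require("nuclei/ssh");
      // Create a new SSH client instance
      var c = m.SSHClient();
      // "Info mode" only performs the version exchange: no credentials are
      // sent, so this is a passive banner grab, not an authentication attempt
      var response = c.ConnectSSHInfoMode(Host, Port);
      // Serialise the result so matchers/extractors can query it as JSON;
      // on failure the engine exposes the `error` variable instead
      to_json(response);
    args:
      Host: "{{Host}}"
      Port: "22"

    extractors:
      # Pull the raw server identification string (e.g. the OpenSSH banner)
      - type: json
        json:
          - '.ServerID.Raw'
```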
SSH Password Bruteforce Template
In the above nuclei template we brute-force an SSH server with a list of usernames and passwords. This might not have been possible to achieve with a network template. Let's break down the template.
- the address is actually an SSH server
- the SSH server is configured to allow password-based authentication
- Only if the pre-condition returns true is the code executed; otherwise it is skipped
- In the code section we import the nuclei/ssh module and create a new instance of the SSH client
- then we attempt to connect to the SSH server with the username and password
- this template uses payloads to launch a clusterbomb attack with 10 threads and exits on the first match
The private keys are loaded from the nuclei-templates/helpers directory and stored as a payload variable named keys. If we were loading the private keys from the 'pre-condition' code block instead, they would be loaded for every target, which is not ideal.
Two special functions are available in the init block:
- one updates a payload with the given key and value
- one sets a variable with the given key and value