Nuclei: Packing a Punch with Vulnerability Scanning
Here at Bishop Fox, we love using open-source tools to outfox attackers and protect our customers’ attack surfaces. Nuclei is one of our favorite tools to run more speedy, efficient, customized, AND accurate multi-protocol vulnerability scanning. As our customers’ security architecture inevitably changes over time and attack surfaces broaden, Nuclei templates provide a single source of truth to help reduce the noise and focus on the vulnerabilities at hand. We’ve briefly spotlighted the tool on our blog previously and recently hosted a Tool Talk webcast with Sandeep Singh, Co-Founder and CTO of ProjectDiscovery.io, to take a deep dive into how the tool works and how our experts use it at Bishop Fox.
“What’s clear today is that we need to operate with a renewed sense of urgency since we’re covering an ever-expanding attack surface.” - Joe Sechman, AVP of R&D, Bishop Fox
The Low Down on Nuclei
Nuclei is an open-source tool that enables fast and customizable vulnerability scans based on simple YAML and DSL. Using templates that can scan protocols including TCP, SSH, DNS, HTTP, SSL and many more, Nuclei sends requests across targets to provide quick and large-scale vulnerability scanning. Over 300 security researchers and engineers, including some from Bishop Fox, have contributed to a dedicated vulnerability template archive that serves as a community-built resource.
ProjectDiscovery is Born
ProjectDiscovery was founded in 2019 by Sandeep Singh, Rishiraj Sharma, Marco Rivoli, and Nizamul Rana. Through Github collaboration for Subfinder, a subdomain discovery tool that finds valid subdomain websites using passive online sources, they discovered their common interests in developing open-source security automation tools. This became the genesis of ProjectDiscovery, an open-source software company that builds tools to quickly discover, monitor, and manage attack surface vulnerabilities.
“Since security and automation were common interests for all of us, we decided to work on all the ideas we had, including Nuclei, and that’s how everything got started.” -Sandeep Singh, Co-Founder & CTO, ProjectDiscovery
Why Foxes Love Using Nuclei
When teams across Bishop Fox conduct vulnerability scans on our customers’ attack surfaces, speed, accuracy, customization, and efficiency are critical to identify cracks before attackers even know they exist.
We talked with Foxes from our Network Security, Managed Services, and Cosmos teams about the ways they use Nuclei, and here is what they had to say:
- Network Security: Nuclei is one of many tools in the toolbox; however, it fills a critical gap for external pen testing. With Nuclei, external pen testers map out underlying technology and hunt for suspicious indicators on the first day of an engagement. This significantly speeds up the time it takes to find vulnerabilities and root through false positives. Since external pen testing is usually done within a scheduled window, it is important to have a tool that can accurately hit all the targets on the first day, and Nuclei does just that.
- Managed Services: Nuclei templates automate many tasks that would otherwise be manual. This not only reduces the time to find network vulnerabilities, but also lends to greater confidence in results with fewer false positives. Nuclei has also proven to be a great knowledge source when our consultants are looking at how to exploit new technologies. Leveraging the community’s research that is added to Nuclei’s templates proves to be a consistent starting point to dive into the nuts and bolts of new technologies.
- Cosmos Team: From yet another perspective, our Cosmos team finds standardization of detection and proof of concept language in Nuclei tremendously useful for ongoing attack surface management.
Not only does Nuclei allow Bishop Fox to speak the same vulnerability language internally, but we can better communicate across the greater community. Sharing our attack surface templates with other Nuclei users and garnering feedback adds additional knowledge layers to our teams, leading to more rapid testing and remediation.
“We can build each other's understanding of vulnerabilities really quickly because we have the ability to communicate in the same language.” - Zach Zeitlin, Senior Operator, Bishop Fox
Single Source of Knowledge for Multi-Protocol Scanning
With so many things in the world migrating to web applications, HTTP is a common protocol across attack surfaces. However, there are many cases where practitioners need to scan for vulnerabilities on non-HTTP protocols. Nuclei’s highly adaptable template engine combined with community crowdsourcing gives our offensive experts more time to hack and less time to toggle between tools in search of solutions.
Here are a few ways that Bishop Fox leverages Nuclei’s versatility and flexibility:
As the Log4j dilemma unfolded, Nuclei’s Interact server provided out-of-band testing that improved our ability to test for Log4j in our customers’ environments. Using Nuclei templates, we were able to test many protocols in addition to HTTP for Log4j vulnerabilities. We quickly adapted our templates to new avenues of attack starting with simple Log4j payloads into HTTP headers, which were identified using basic Nuclei templates. Next came Log4j obfuscated payloads that were still identifiable with a set of Nuclei templates. Finally came Log4j payloads against non-HTTP protocols, which were no match for the flexibility of the YAML-based Nuclei templates.
“It was really cool to see how fast we were able to apply updates as we discovered different avenues of attack, and that was all made possible by Nuclei’s flexibility of templates.” - Zach Zeitlin, Senior Operator, Bishop Fox
Nuclei templates give our Cosmos operators the flexibility to craft raw data, send it to a TCP endpoint and then parse the response, which is a limitation in many other platforms. Using Nuclei, we can test against both well-documented and undocumented services listening on any port. With modular templates tailored for generic TCP sockets, the door is open for crafting proofs of concept against reverse-engineered protocols lacking documentation.
Nuclei templates also support credential re-use testing. When we have a database of client infrastructure, we can query all endpoints of a specific protocol, like SFTP, and then use a template to test found credentials against the endpoint. This works with many authentication services. No more scripting for one-time use!
Our Cosmos team often utilizes tools that validate exposed API tokens when investigations lead to exposed repositories containing a list of API tokens, for example. In one such instance, some tokens were easily paired with a publicly known API, while other tokens appeared to be generic. Nuclei allowed quick validity testing for those tokens against numerous API endpoints using the token-spray templates, increasing our speed and efficiency of testing exposed credentials and tokens for our customers.
Lastly, a Bishop Fox team came across a 2018 CVE using SSH protocol that allowed enumeration of usernames in an external pen test. After an initial run of a different tool that didn’t provide a solution, Nuclei solved the problem with an existing template. The ease and flexibility of Nuclei templates ensured that vulnerability scanning could be performed on SSH protocol. This discovery led to further testing and remediation of this outdated CVE in the customer’s network.
“The discovery was certainly a core finding that we needed to let our customers know about, and I wouldn’t have found it if I didn’t have this one particular template for SSH.” - Matt Thoreson, Senior Security Consultant
The Future of Nuclei
For security experts, especially those working with expansive attack surfaces, it is cumbersome when many tools are needed to get results for one task, not to mention the risk of errors and false positives. We learned straight from the source, Co-Founder & CTO Sandeep Singh, that the Nuclei templates are intended to help security practitioners by providing a common platform, eliminating the need to switch between tools to perform multi-protocol vulnerability scanning.
As web application integration expands at lightning speed, tools like Nuclei will be afforded huge opportunities to support security practitioners that need logical, accurate, and efficient multi-protocol vulnerability scanning results. The core building blocks of community input combined with universal communication will provide a reliable open-source place of truth as Nuclei grows. Nuclei is off to a great start supporting the offensive security community, and we look forward to what the future holds with this impactful open-source tool!
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.