As you can see, we were able to identify the two git repositories
with the custom template.
Running a Full Scan
When not provided with a specific template, Nuclei will use its
built-in templates during the scan. Running Nuclei is noisy, so we
recommend tailoring the execution to a specific target. For instance,
if you know a server is running the Apache web server, you could
select just the Apache-related templates by specifying the -tags
option:
$ nuclei -tags apache,git -u 172.16.10.11
Run nuclei -tl to get a list of all available templates.
Let’s run a full Nuclei scan against all three IP addresses in the
172.16.10.0/24 network using all of its built-in templates:
$ nuclei -u 172.16.10.10:8081
$ nuclei -u 172.16.10.11
$ nuclei -u 172.16.10.12
--snip--
[tech-detect:google-font-api] [http] [info] http://172.16.10.10:8081
[tech-detect:python] [http] [info] http://172.16.10.10:8081
[http-missing-security-headers:access-control-allow-origin] [http] [info] http://172.16.10.10:8081
[http-missing-security-headers:content-security-policy] [http] [info] http://172.16.10.10:8081
--snip--
Nuclei tries to optimize the number of total requests made by
using the concept of clustering. When multiple templates call the
same web path (such as /backup), Nuclei consolidates these into a
single request to reduce network overhead, but it could still send
thousands of requests during a single scan. You can control how
many requests Nuclei sends by specifying the rate limit option (-rl)
followed by an integer to specify the number of allowed requests per
second.
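The following bash script is an added example, not code from the book: it wraps a tailored Nuclei run (tag selection plus the -rl rate limit) that appends to a results file, and then summarizes such a file by severity using the one-finding-per-line format shown above. The helper names, the results file name, and the sample output lines are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: run Nuclei with selected tags and a request cap, append
# results to a file, then summarize the file by severity. Function names
# and the sample lines below are constructed for this example.

# Run Nuclei against one target with the given tags, capped at $3 requests
# per second, appending (>>) to $4 so repeated runs accumulate in one file.
run_nuclei_scan() {
  local target="$1" tags="$2" rate="$3" outfile="$4"
  nuclei -u "$target" -tags "$tags" -rl "$rate" >> "$outfile"
}

# Count findings at one severity (info, low, medium, high, critical).
# Nuclei prints one finding per line as: [template-id] [protocol] [severity] url
count_severity() {
  local file="$1" sev="$2"
  grep -c "^\[[^]]*\] \[[^]]*\] \[${sev}\] " "$file"
}

# Print "template-id url" for every finding at the given severity,
# so a large results file can be reviewed one severity at a time.
findings_of() {
  local file="$1" sev="$2"
  awk -v want="[$sev]" '$3 == want { gsub(/\[|\]/, "", $1); print $1, $4 }' "$file"
}

# Constructed sample results (not real scan output) so the script runs
# stand-alone; point the functions at your own appended results file instead.
SAMPLE_RESULTS="$(mktemp)"
cat > "$SAMPLE_RESULTS" <<'EOF'
[tech-detect:python] [http] [info] http://172.16.10.10:8081
[http-missing-security-headers:content-security-policy] [http] [info] http://172.16.10.10:8081
[ftp-anonymous-login] [network] [medium] 172.16.10.11:21
[git-config] [http] [medium] http://172.16.10.11/.git/config
EOF

echo "medium findings: $(count_severity "$SAMPLE_RESULTS" medium)"
findings_of "$SAMPLE_RESULTS" medium
```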
The full scan results in a lot of findings, so append the output to
some file (>>) so you can examine them one by one. As you can see,
Nuclei can find vulnerabilities, but it can also fingerprint the target
server and the technologies that are running on it. It should have
highlighted findings we’ve already seen previously as well as a few
new findings. We want to draw your attention to a few specific
issues it detected:
• An FTP server with anonymous access enabled on 172.16.10.11
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks