During penetration tests we often run several tools at once. To keep the checks we write for known vulnerabilities consistent across them, it helps to express every check in a single format. One framework built for exactly that purpose is nuclei.
What is nuclei?
In short, it is a template-based vulnerability scanner: it performs the operations defined in YAML templates against a target. Those templates are what this post is about. With them we can probe many protocols, including HTTP, DNS, raw TCP, SSL/TLS, local files and more.
Let's write our first template
First we pick a template type. To keep the example simple, we will write a template of the osint type (open-source intelligence) that checks whether a Facebook page or user with a given name exists. This works because a Facebook page can now set a custom name in its URL, while private accounts cannot.
Let's start by defining the basic information of the template.
```yaml
id: facebook-page

info:
  name: Facebook.com page Name Information - Detect
  author: gpiechnik2
  description: Facebook.com page name information check was conducted.
  severity: info
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  tags: osint,osint-business,osint-social
  metadata:
    max-request: 1
```
The next step is to define the request and two matchers: one on the response status and one on a response header. Facebook returns meaningful status codes, so we use that. The Link header is equally specific and quite stable. Both matchers must hit (matchers-condition: and) for the template to report a result, so a 200 alone is not enough.
```yaml
self-contained: true

http:
  - raw:
      - |
        GET https://facebook.com/{{user}} HTTP/2
        Host: www.facebook.com
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
        Sec-Fetch-Mode: navigate
        Accept-Language: en-US,en;q=0.9

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "Link: <https://www.facebook.com/{{user}}>"
```
The extra headers are needed: without them the request is blocked or the response comes back in a different language than expected. Keep in mind that the match depends on Facebook's current behaviour (the status code and the Link header returned for this User-Agent), so re-run the template against one known existing and one known non-existent name whenever it starts producing unexpected results.
The full scenario is as follows:
```yaml
id: facebook-page

info:
  name: Facebook.com page Name Information - Detect
  author: gpiechnik2
  description: Facebook.com page name information check was conducted.
  severity: info
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  tags: osint,osint-business,osint-social
  metadata:
    max-request: 1

self-contained: true

http:
  - raw:
      - |
        GET https://facebook.com/{{user}} HTTP/2
        Host: www.facebook.com
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
        Sec-Fetch-Mode: navigate
        Accept-Language: en-US,en;q=0.9

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "Link: <https://www.facebook.com/{{user}}>"
```
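To see why the template needs both matchers joined with "and", it helps to run the same matcher logic offline against responses we control. The script below is an added example, not code from nuclei or from the template author: it re-implements the status and word matchers (with nuclei's part, condition, case-insensitive and negative options) in plain Python, substitutes the {{user}} variable the way -var does, and applies the template's matcher list to three constructed HTTP responses. The responses are invented for illustration and are not captured Facebook traffic; the "soft 404" case shows a 200 response without the Link header, which a status-only matcher would wrongly report as an existing page.

```python
"""Offline re-implementation of the two nuclei matchers used by the
facebook-page template, applied to constructed HTTP responses.

Added example, not part of nuclei or the template author's code. The
response texts below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List

# The matcher section of the template as Python data instead of YAML, so no
# YAML library is needed. Values mirror the template verbatim.
TEMPLATE_MATCHERS: List[dict] = [
    {"type": "status", "status": [200]},
    {"type": "word", "part": "header",
     "words": ["Link: <https://www.facebook.com/{{user}}>"]},
]
MATCHERS_CONDITION = "and"


@dataclass
class Response:
    status: int
    headers: str   # raw header block, one "Name: value" per line
    body: str

    @classmethod
    def parse(cls, raw: str) -> "Response":
        head, _, body = raw.partition("\r\n\r\n")
        status_line, _, headers = head.partition("\r\n")
        return cls(int(status_line.split()[1]), headers, body)


def render(text: str, variables: Dict[str, str]) -> str:
    """Substitute {{name}} placeholders, as nuclei does for -var values."""
    for name, value in variables.items():
        text = text.replace("{{" + name + "}}", value)
    return text


def match_one(matcher: dict, resp: Response, variables: Dict[str, str]) -> bool:
    kind = matcher["type"]
    if kind == "status":
        hit = resp.status in matcher["status"]
    elif kind == "word":
        part = matcher.get("part", "body")
        haystack = {"header": resp.headers, "body": resp.body,
                    "all": resp.headers + "\r\n\r\n" + resp.body}[part]
        words = [render(w, variables) for w in matcher["words"]]
        if matcher.get("case-insensitive", False):
            haystack, words = haystack.lower(), [w.lower() for w in words]
        # nuclei ORs the words unless the matcher sets condition: and
        if matcher.get("condition", "or") == "and":
            hit = all(w in haystack for w in words)
        else:
            hit = any(w in haystack for w in words)
    else:
        raise ValueError(f"unsupported matcher type: {kind}")
    # negative: true inverts the result, as in nuclei
    return not hit if matcher.get("negative", False) else hit


def evaluate(matchers: List[dict], condition: str, resp: Response,
             variables: Dict[str, str]) -> bool:
    results = [match_one(m, resp, variables) for m in matchers]
    return all(results) if condition == "and" else any(results)


def page_exists(user: str, raw_response: str) -> bool:
    """Verdict of the full template (status AND Link header)."""
    return evaluate(TEMPLATE_MATCHERS, MATCHERS_CONDITION,
                    Response.parse(raw_response), {"user": user})


def status_only(user: str, raw_response: str) -> bool:
    """Verdict if the template had only the status matcher (for comparison)."""
    return evaluate(TEMPLATE_MATCHERS[:1], MATCHERS_CONDITION,
                    Response.parse(raw_response), {"user": user})


# Constructed responses (not real captures).
RESP_EXISTING = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Link: <https://www.facebook.com/TwitterInc>; rel=\"canonical\"\r\n"
    "\r\n"
    "<html><head><title>Twitter</title></head></html>"
)
# Soft 404: status 200 but no canonical Link header.
RESP_SOFT_404 = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>Page not found</title></head></html>"
)
# Login redirect (e.g. bot defence): wrong status and no Link header.
RESP_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.facebook.com/login/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, raw in [("existing", RESP_EXISTING),
                      ("soft-404", RESP_SOFT_404),
                      ("redirect", RESP_REDIRECT)]:
        print(f"{name:9s} status-only={status_only('TwitterInc', raw)!s:5s} "
              f"template={page_exists('TwitterInc', raw)}")
```

Running it prints one line per constructed response; the soft-404 row is the one where the status-only verdict and the full template disagree. The Link matcher is also what ties the hit to the requested name: the same 200 response for TwitterInc does not match when the template is run with a different user value, because the rendered header string no longer appears.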
Getting started
The first step is to validate the template, which checks that everything inside it is properly defined.
```
figaro@pop-os ~/> nuclei -validate facebook-page.yaml

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.9.1

		projectdiscovery.io

[INF] All templates validated successfully
```
Once nuclei reports that everything is OK, we can run the template. First, let's test it against an existing user profile.
```
figaro@pop-os ~/> nuclei -t facebook-page.yaml -var user=grzesiek.piechnik.9

[INF] Using Nuclei Engine 2.9.1 (latest)
[INF] Using Nuclei Templates 9.4.2 (latest)
[INF] Templates added in last update: 78
[INF] Templates loaded for scan: 1
[facebook-page] [http] [info] https://facebook.com/grzesiek.piechnik.9
```
As you can see above, the profile was found. Now let's check a company page, say Twitter's page (TwitterInc).
```
figaro@pop-os ~/> nuclei -t facebook-page.yaml -var user=TwitterInc

[INF] Using Nuclei Engine 2.9.1 (latest)
[INF] Using Nuclei Templates 9.4.2 (latest)
[INF] Templates added in last update: 78
[INF] Templates loaded for scan: 1
[facebook-page] [http] [info] https://facebook.com/TwitterInc
```
Again nuclei reported a hit in the console. What happens when we enter a page name that does not exist?
```
figaro@pop-os ~/> nuclei -t facebook-page.yaml -var user=TwitterIncDoesNotExist

[INF] Using Nuclei Engine 2.9.1 (latest)
[INF] Using Nuclei Templates 9.4.2 (latest)
[INF] Templates added in last update: 78
[INF] Templates loaded for scan: 1
[INF] No results found. Better luck next time!
```
As you can see, everything works as intended. Remember that you can also add the template you created to a remote template repository so that it is loaded alongside your other templates.