DEV Community

Nuclei unleashed - writing first exploit
Grzegorz Piechnik

During penetration tests we often run several tools at once. If we want to keep writing checks and exploits for known vulnerabilities in a consistent, reusable form, it helps to commit to a single format. One framework built around exactly that idea is nuclei.

What is nuclei?

In simple terms, nuclei is a template-based vulnerability scanner: it performs the requests and checks defined in YAML templates. Those templates are the subject of this article. With them we can write checks for a range of protocols, including HTTP, DNS, raw TCP (the network protocol type), SSL/TLS, local files and more.

Let's write our first template

To start with, let's choose a template type. To keep the example simple, we will create an osint (open-source intelligence) template that checks whether a Facebook user or page with a given name exists. This matters because a Facebook page can define a custom name that appears in its URL; private accounts have no such option.

Let's start by defining the basic information of the template.

id: facebook-page

info:
  name: Facebook.com page Name Information - Detect
  author: gpiechnik2
  description: Facebook.com page name information check was conducted.
  severity: info
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  tags: osint,osint-business,osint-social
  metadata:
    max-request: 1

The next step is to define the request itself and two matchers, one on the status code and one on the response headers. We set self-contained: true because the request carries its own absolute URL, so nuclei does not need a target list; the {{user}} placeholder is filled in from the command line with -var. Facebook is fairly consistent about status codes, so the first matcher requires a 200. On its own that would be weak evidence, so the second matcher requires the Link header to point at the very same name, which is specific and quite stable; matchers-condition: and means both must pass before nuclei reports a result.

self-contained: true
http:
  - raw:
    - |
      GET https://facebook.com/{{user}} HTTP/2
      Host: www.facebook.com
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
      Sec-Fetch-Mode: navigate
      Accept-Language: en-US,en;q=0.9

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "Link: <https://www.facebook.com/{{user}}>"

We had to add the browser-like headers: without a realistic User-Agent the request gets blocked, and without Accept-Language the response may come back in a language other than the one we expect to match on.

The full scenario is as follows:

id: facebook-page

info:
  name: Facebook.com page Name Information - Detect
  author: gpiechnik2
  description: Facebook.com page name information check was conducted.
  severity: info
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  tags: osint,osint-business,osint-social
  metadata:
    max-request: 1

self-contained: true
http:
  - raw:
    - |
      GET https://facebook.com/{{user}} HTTP/2
      Host: www.facebook.com
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
      Sec-Fetch-Mode: navigate
      Accept-Language: en-US,en;q=0.9

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "Link: <https://www.facebook.com/{{user}}>"
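
As an added example (not part of the original post and not the author's template), here is the same check extended in two ways that go beyond the single -var run shown above: a payloads list, so that one run tests several candidate names, and a kval extractor that prints the canonical Link header next to each hit. The three names in the list are the ones used in this post; the batch id, the author field and the max-request value are my own choices, and the example assumes, as the original template already does for -var, that nuclei substitutes the current payload value for {{user}} in the matcher word.

```yaml
id: facebook-page-batch

info:
  name: Facebook.com page Name Information - Detect (batch)
  author: example
  description: Checks a list of candidate page names against Facebook and extracts the canonical page URL.
  severity: info
  tags: osint,osint-social
  metadata:
    max-request: 3   # one request per candidate name in the payload list below

self-contained: true
http:
  - raw:
      - |
        GET https://facebook.com/{{user}} HTTP/2
        Host: www.facebook.com
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
        Sec-Fetch-Mode: navigate
        Accept-Language: en-US,en;q=0.9

    # Constructed candidate list for this example; in practice point it at a
    # file instead (user: names.txt, one name per line). With a single payload
    # set, batteringram simply sends one request per name.
    payloads:
      user:
        - TwitterInc
        - grzesiek.piechnik.9
        - TwitterIncDoesNotExist
    attack: batteringram
    threads: 2

    # Both matchers must pass: a 200 alone is not evidence, only a canonical
    # Link header that points back at the same name is.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "Link: <https://www.facebook.com/{{user}}>"

    # Print the Link header value next to each match, so a name that Facebook
    # normalises or redirects becomes visible in the output.
    extractors:
      - type: kval
        part: header
        kval:
          - link
```

Run it with nuclei -t facebook-page-batch.yaml; because the names come from payloads, no -var is needed, and -v shows which names were sent. Keep the rate limit low when pointing this at a real site (for example -rl 2): the headers that keep a single request from being blocked will not stop Facebook from throttling a hundred of them.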

Getting started

The first step is to validate the script to check that everything is properly defined inside it.

figaro@pop-os ~/> nuclei -validate facebook-page.yaml
                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.9.1

        projectdiscovery.io

[INF] All templates validated successfully

Once nuclei confirms that the template is valid, we can run it. First, let's check its behaviour on an existing user profile.

figaro@pop-os ~/> nuclei -t facebook-page.yaml -var user=grzesiek.piechnik.9
                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.9.1

        projectdiscovery.io

[INF] Using Nuclei Engine 2.9.1 (latest)
[INF] Using Nuclei Templates 9.4.2 (latest)
[INF] Templates added in last update: 78
[INF] Templates loaded for scan: 1
[facebook-page] [http] [info] https://facebook.com/grzesiek.piechnik.9

As you can see above, the profile was found. Now let's check a company page; we'll use Twitter's page (TwitterInc).

figaro@pop-os ~/> nuclei -t facebook-page.yaml -var user=TwitterInc
                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.9.1

        projectdiscovery.io

[INF] Using Nuclei Engine 2.9.1 (latest)
[INF] Using Nuclei Templates 9.4.2 (latest)
[INF] Templates added in last update: 78
[INF] Templates loaded for scan: 1
[facebook-page] [http] [info] https://facebook.com/TwitterInc

Again nuclei reports a positive result in the console. What happens when we enter a page name that does not exist?

figaro@pop-os ~/> nuclei -t facebook-page.yaml -var user=TwitterIncDoesNotExist
                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.9.1

        projectdiscovery.io

[INF] Using Nuclei Engine 2.9.1 (latest)
[INF] Using Nuclei Templates 9.4.2 (latest)
[INF] Templates added in last update: 78
[INF] Templates loaded for scan: 1
[INF] No results found. Better luck next time!

As you can see, everything works correctly. Remember that you can also contribute the template you created to the public nuclei-templates repository.
