Adding support to scan all v4/v6 IPs #2709
Conversation
The change implemented here will make request to directly IP instead of passing IP along with request (which is intended) but unfortunately this means TLS-SNI or servers that validate hostname will not work. Instead, we should work on the passing of normalized input by enhancing request context so that we can incrementally pass IPs for hostnames solving the issue. Merging the PR in this doesn't make much sense tbh, instead we should wait for the input mechanism to be implemented
metainput prototype was implemented
```
echo https://hackerone.com | ./nuclei -t pp.yaml -sa

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.7.8

		projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.7.8 (latest)
[INF] Using Nuclei Templates 9.2.6 (latest)
[INF] Templates added in last update: 100
[INF] Templates loaded for scan: 1
[2022-10-31 21:17:58] [basic-example] [http] [info] https://hackerone.com [104.16.99.52]
[2022-10-31 21:17:58] [basic-example] [http] [info] https://hackerone.com [104.16.99.52]
[2022-10-31 21:17:59] [basic-example] [http] [info] https://hackerone.com [104.16.99.52]
[2022-10-31 21:18:00] [basic-example] [http] [info] https://hackerone.com [104.16.99.52]
```
```yaml
id: basic-example
info:
  name: Test HTTP Template
  author: pdteam
  severity: info
requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    extractors:
      - type: dsl
        dsl:
          - ip
```
- Same IP used for connection when `-rl` option is not used
- Unexpected DNS resolution (162.159.1.31, 162.159.0.31)
```
echo https://hackerone.com | go run . -t pp.yaml -sa -rl 1 -iv 4 -silent
[2022-10-31 23:26:14] [basic-example] [http] [info] https://hackerone.com [162.159.1.31]
[2022-10-31 23:26:15] [basic-example] [http] [info] https://hackerone.com [104.16.99.52]
[2022-10-31 23:26:16] [basic-example] [http] [info] https://hackerone.com [104.16.100.52]
[2022-10-31 23:26:17] [basic-example] [http] [info] https://hackerone.com [162.159.0.31]
```
Related issues:
The newly introduced
```
$ echo hackerone.com | go run . -t test.yaml -sa -v
[WRN] [basic-example] Could not execute request for {"Input":"hackerone.com","CustomIP":"2606:4700::6810:6434"}: unsupported protocol scheme ""
[WRN] [basic-example] Could not execute request for {"Input":"hackerone.com","CustomIP":"2606:4700::6810:6334"}: unsupported protocol scheme ""
[WRN] [basic-example] Could not execute request for {"Input":"hackerone.com","CustomIP":"104.16.100.52"}: unsupported protocol scheme ""
[WRN] [basic-example] Could not execute request for {"Input":"hackerone.com","CustomIP":"104.16.99.52"}: unsupported protocol scheme ""
```
- Issue with network template when `-sa` is used.
```
./nuclei -u 156.67.236.219:22 -id openssh-detect -silent
[2022-11-05 17:46:42] [openssh-detect] [network] [info] 156.67.236.219:22 [SSH-2.0-OpenSSH_8.9]
[2022-11-05 17:46:42] [openssh-detect] [network] [info] 156.67.236.219:22 [SSH-2.0-OpenSSH_8.9]

./nuclei -u 156.67.236.219:22 -id openssh-detect -sa

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.7.8

		projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.7.8 (latest)
[INF] Using Nuclei Templates 9.2.7 (latest)
[INF] Templates added in last update: 50
[INF] Templates loaded for scan: 1
[INF] No results found. Better luck next time!
```
Not sure if it's related to connecting to the IP directly, but the same needs to be checked with domain input as well.
Proposed changes
This PR implements the scan-all-ips feature with selective IP version functionality.
Checklist
Notes
The current core implementation (statistics calculation, clustering algorithms) makes it very hard to propagate metadata information (e.g. hostname with custom IP) to the internal engine. Hence, for the time being, the domains are pre-resolved to IPs, and the IP is used as a target within the URLs (but unfortunately, the domain name is lost as information).
A proposal for enriched syntax that could be used internally for this purpose is at https://github.com/projectdiscovery/team-backlogs/issues/215
Update: a limited metainput prototype was added; now the target can hold additional meta info (for now limited to a custom IP to connect to).
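The hostname-preserving approach the review asks for (open the connection to a chosen IP, but keep the hostname so that TLS SNI, certificate verification and the Host header still work) and the "IP as target" shortcut the Notes describe, side by side, as an added Go example that is not part of this PR or of nuclei's code. It uses only net/http and httptest; example.com is assumed here because httptest's self-signed certificate happens to cover that name and 127.0.0.1.

```go
package main

import (
	"context"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newPinnedClient clones base but opens every connection to ip; the URL's
// hostname still drives TLS SNI, certificate verification and the Host header.
func newPinnedClient(ip string, base *http.Transport) *http.Client {
	tr := base.Clone()
	tr.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
		_, port, err := net.SplitHostPort(addr) // addr is "hostname:port" from the URL
		if err != nil {
			return nil, err
		}
		return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(ip, port))
	}
	return &http.Client{Transport: tr}
}
// observe fetches rawURL and returns the SNI and Host header the server saw.
func observe(c *http.Client, rawURL string) (sni, host string, err error) {
	resp, err := c.Get(rawURL)
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	sni, host, _ = strings.Cut(string(body), "|")
	return sni, host, nil
}
// Demo runs a local httptest TLS server (its constructed certificate covers
// example.com and 127.0.0.1), reaches it with the hostname pinned to the
// listener's IP, then again by bare IP as the pre-resolving shortcut would.
func Demo() (pinnedSNI, pinnedHost, directSNI, directHost string, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte(r.TLS.ServerName + "|" + r.Host)) // echo what the server observed
	}))
	defer srv.Close()
	ip, port, _ := net.SplitHostPort(srv.Listener.Addr().String())
	base := srv.Client().Transport.(*http.Transport) // carries the test CA as trust root
	pinnedSNI, pinnedHost, err = observe(newPinnedClient(ip, base), "https://example.com:"+port+"/")
	if err == nil {
		directSNI, directHost, err = observe(srv.Client(), srv.URL+"/") // bare IP: no SNI sent
	}
	return
}
```

With the hostname pinned the server sees SNI and Host of example.com; with the bare IP it sees an empty SNI and the IP as Host, which is exactly what breaks SNI-dependent or hostname-validating servers.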