Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added tlsx integration to nuclei #2522

Merged
merged 5 commits into from
Sep 1, 2022
Merged

Added tlsx integration to nuclei #2522

merged 5 commits into from
Sep 1, 2022

Conversation

Ice3man543
Copy link
Member

Proposed changes

Closes #2368

echo "expired.badssl.com:443" | ./nuclei  -t template.yaml -debug 

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.7.7

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.7.7 (latest)
[INF] Using Nuclei Templates 9.1.7 (latest)
[INF] Templates added in last update: 45
[INF] Templates loaded for scan: 1
[DBG] Protocol request variables: 
        1. Host => expired.badssl.com
        2. Port => 443
        3. Hostname => expired.badssl.com:443

[DBG] [expired-ssl] Dumped SSL request for expired.badssl.com:443 address=expired.badssl.com:443
[DBG] Protocol response variables: 
        1. Port => 443
        2. subject_an => [*.badssl.com badssl.com]
        3. issuer_org => [COMODO CA Limited]
        4. fingerprint_hash => {67344e61c0431cf1f7257c1d .... 93b61b2eb3dcc82014d21b4f}
        5. host => expired.badssl.com
        6. probe_status => true
        7. tls_connection => ctls
        8. expired => true
        9. matched => expired.badssl.com:443
        10. template-path => /Users/ice3man/projectdis .... /cmd/nuclei/template.yaml
        11. template-id => expired-ssl
        12. Hostname => expired.badssl.com:443
        13. sni => expired.badssl.com
        14. subject_dn => CN=*.badssl.com, OU=Posit .... =Domain Control Validated
        15. wildcard_certificate => true
        16. cipher => TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        17. subject_cn => *.badssl.com
        18. not_after => 2015-04-12 23:59:59 +0000 UTC
        19. type => ssl
        20. issuer_dn => CN=COMODO RSA Domain Vali .... =Greater Manchester, C=GB
        21. response => {"timestamp":"2022-08-31T .... ni":"expired.badssl.com"}
        22. template-info => {Expired SSL Certificate  .... ssl   {low} map[] <nil> }
        23. not_before => 2015-04-09 00:00:00 +0000 UTC
        24. ip => 104.154.89.105
        25. Host => expired.badssl.com
        26. timestamp => 2022-08-31 01:15:49.9112 +0530 IST m=+1.414793251
        27. port => 443
        28. tls_version => tls12
        29. issuer_cn => COMODO RSA Domain Validation Secure Server CA

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

@Ice3man543 Ice3man543 added the Status: Review Needed The issue has a PR attached to it which needs to be reviewed label Aug 30, 2022
@Ice3man543 Ice3man543 requested a review from Mzack9999 August 30, 2022 19:48
@Ice3man543 Ice3man543 self-assigned this Aug 30, 2022
@Ice3man543 Ice3man543 linked an issue Aug 30, 2022 that may be closed by this pull request
tlsx integration for tls protocol / connection / output #2368
Closed
@Ice3man543 Ice3man543 requested a review from ehsandeep August 30, 2022 19:48
Mzack9999
Mzack9999 requested changes Aug 31, 2022
View reviewed changes
Copy link
Member

@Mzack9999 Mzack9999 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't work with deprecated-tls.yaml (even using -ztls):

$ echo "expired.badssl.com:443" | go run .  -t C:\Users\user\nuclei-templates\ssl\deprecated-tls.yaml -debug
...
[ERR] Could not read nuclei-ignore file: open C:\Users\user\.config\nuclei\.nuclei-ignore: The system cannot find the file specified.
[WRN] Could not parse template C:\Users\user\nuclei-templates\ssl\deprecated-tls.yaml: could not compile request: could not create tlsx service: could not create tls service: invalid min version specified: sslv3
[WRN] Found 1 templates with runtime error (use -validate flag for further examination)
[INF] Using Nuclei Engine 2.7.7 (latest)
[INF] Using Nuclei Templates 9.1.7 (latest)
[FTL] Could not run nuclei: no valid templates were found

@Ice3man543
Copy link
Member Author

@Mzack9999 it works but the mapping name is different. tlsx using ssl30 instead of sslv3.

id: deprecated-tls

info:
  name: Deprecated TLS Detection (TLS 1.1 or SSLv3)
  author: righettod,forgedhallpass
  severity: info
  reference:
    - https://ssl-config.mozilla.org/#config=intermediate
  description: |
    Both TLS 1.1 and SSLv3 are deprecated in favor of stronger encryption.
  remediation: |
    Update the web server's TLS configuration to disable TLS 1.1 and SSLv3.
  metadata:
    shodan-query: ssl.version:sslv2 ssl.version:sslv3 ssl.version:tlsv1 ssl.version:tlsv1.1
  tags: ssl

ssl:
  - address: "{{Host}}:{{Port}}"
    min_version: ssl30
    max_version: ssl30

    extractors:
      - type: json
        json:
          - " .tls_version"

@Ice3man543 Ice3man543 requested a review from Mzack9999 August 31, 2022 07:01
ehsandeep
ehsandeep requested changes Aug 31, 2022
View reviewed changes
Copy link
Member

@ehsandeep ehsandeep left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since ztls is already supported as part of tlsx, we can enable auto fallback to ztls here as well and -ztls flag can still be used for dedicated connection mode, but having auto fallback enabled as default will increase the connection coverage on default run.

@Ice3man543 Ice3man543 mentioned this pull request Aug 31, 2022
Merged
@ehsandeep ehsandeep mentioned this pull request Aug 31, 2022
Merged
2 tasks
ehsandeep
ehsandeep approved these changes Aug 31, 2022
View reviewed changes
Copy link
Member

@ehsandeep ehsandeep left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

id: mismatched-ssl

info:
  name: Mismatched SSL Certificate
  author: pdteam
  severity: low
  tags: ssl

ssl:
  - address: "{{Host}}:{{Port}}"

    matchers:
      - type: dsl
        dsl:
          - "mismatched == true"
echo wrong.host.badssl.com:443 | ./nuclei -t ./ssl/mismatched-ssl.yaml

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.7.7

		projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.7.7 (latest)
[INF] Using Nuclei Templates 9.1.7 (latest)
[INF] Templates added in last update: 45
[INF] Templates loaded for scan: 1
[mismatched-ssl] [ssl] [low] wrong.host.badssl.com

@ehsandeep ehsandeep merged commit e193e7c into dev Sep 1, 2022
@ehsandeep ehsandeep deleted the tlsx branch September 1, 2022 18:26
@ehsandeep ehsandeep removed the Status: Review Needed The issue has a PR attached to it which needs to be reviewed label Sep 1, 2022
@ehsandeep ehsandeep mentioned this pull request Sep 19, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mzack9999 Mzack9999 Mzack9999 approved these changes

@ehsandeep ehsandeep ehsandeep approved these changes

Assignees

@Ice3man543 Ice3man543

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

tlsx integration for tls protocol / connection / output
3 participants
@Ice3man543 @ehsandeep @Mzack9999