-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DRAFT: Implementing cloud asset discovery #6865
DRAFT: Implementing cloud asset discovery #6865
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@initstring! this is interesting and also a great examples for detecting cloud misconfiguration in template style.
We are also writing templates for authenticated aws misconfiguration detection and will be published soon.
This is a good start, let's add some more, let me know if you need any help with porting the templates if you know any known limitations we can work to support them into nuclei engine.
Thanks so much for your feedback and the help linting, @ehsandeep. I will continue to port over the templates and will ping you again when I think it is ready. The mainlimitation I mentioned above - it would be nice to be able to specify severity per matcher. Like this:
|
Hi @ehsandeep, I'm working on the template that will enumerate Azure virtual machines. I do this in cloud-enum using DNS brute forcing, as a registered DNS name means the virtual machine exists. I've pushed a template for this here, in a way that I think it should work. But, it does not, I think due to decreased functionality in the DNS protocol of Nuclei. Here are the issues I have with it currently:
Am I doing something wrong here? Do you think improving the DNS protocol to include more of the HTTP functionality (battering-ram attacks, printing of Or should I be somehow leveraging Thanks! |
@initstring I knew this is coming :D I've already created a couple of issues to enhance dns protocol including payload support which is required in this case! I would suggest adding templates, and we will update the template as soon as the feature gets merged into nuclei engine. |
@initstring FYI, payload support in dns protocol being added here - projectdiscovery/nuclei#3632 |
Thanks so much for the update! It might be a few weeks until I can get back to this, I have some things occupying my time right now unfortunately. But it is definitely on my radar to come back and get my MR all cleaned up, and to write some documentation or a blog on how to use. Thanks!!! |
Hi @ehsandeep - Sorry for the long delay! I was in between moving houses and went without my personal computer for a much longer time than expected. I checked in on the templates today after updating to the newest Nuclei. Everything is working now, except for one which I removed from this commit to work on at a later time. I also did some small updated to make v3 compliant, change severities to info, and tweak the keyword name to match your "wordlist" example. Is there anything left technically you'd like to see with these? I still need to add references but can do that this week. Thanks for all your hard work over at ProjectDiscovery! |
Template / PR Information
Hi Team PD!
I maintain a tool called cloud-enum, a multi-cloud OSINT tool to enumerate public resources in AWS, Azure, and GCP. It currently supports brute-force discovery of about a dozen services, including buckets, applications, databases, etc.
Maintaining tools is a pain, and I wanted to see if I could port the functionality to Nuclei.
This PR is a draft, implementing only 5 functions as a proof of concept. I wanted to show you an early release to see if it is something you would be interested in, and to discuss some areas where it isn't quite perfect with Nuclei.
These templates are all
self-contained
, meaning they do not run against a list of network targets. When enumerating cloud resources, we already know what the network targets will be and we need to guess lots of keywords which are added to those targets. For example, guessing a GCP bucket you would add something liketest
tostorage.googleapis.com
and check for a specific response.I'll provide a list of keywords below that I know will get positive matches for all the templates I provided. You can then run any or all of the templates like this:
With the original tool, cloud-enum, the user would provide a keyword or a list of keywords, and the tool would then mutate those to create a lot more keywords. For example, the user would provide "test" and the tool would generate "test-db", "test-app", "test-dev", etc. With Nuclei, that mutation functionality does not exist. So to replace the original tool, I would probably have to create some helper script to generate a wordlist and then use that with Nuclei.
The second issue I ran into is that I cannot specify different severity for different matchers in a template. Let's say you are looking for GCP buckets. You are most interested in open buckets (status 200). But you might also want to know about protected buckets (status 403) as you could try to brute items in there, or just take that datapoint as OSINT to use further. You'd want the first to be high/medium, and the second to be informational. You wouldn't want to write two separate template files, as then you would double up the network requests required (if I understand self-contained templates correctly).
I've currently written the templates to include multiple matchers, but there is a bit of information overload for those not interested in the less-critical findings. You can see this here, with GCP App Engine. Someone might be most interested in the "OPEN" resources, but would still want to log the "PROTECTED" ones as informational.
Please let me know if this seems like a viable use case, and I can continue porting the other signatures over.
You can use this as a keyword file for testing:
Template Validation
I've validated this template locally?
Additional Details (leave it blank if not applicable)
Additional References: