I have found a much more advanced vulnerability scanning tool to use in 2024: the Nuclei scanner. It requires Go version 2.21, but it does work on Ubuntu 23.04.
It installs very easily.
jcartwright@jcartwright-System-Version:~$ go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
After a lengthy installation process the scanner is ready. I installed this as a normal user, not root, but I had to add the directory it was installed under to the PATH.
jcartwright@jcartwright-System-Version:~$ PATH=$PATH:$HOME/go/bin/
Then the nuclei executable was on the PATH and I could perform a simple scan against a vulnerable host on the Internet.
jcartwright@jcartwright-System-Version:~$ nuclei -u http://210.113.102.182

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.0

		projectdiscovery.io
[INF] nuclei-templates are not installed, installing...
[INF] Successfully installed nuclei-templates at /home/jcartwright/nuclei-templates
[INF] Current nuclei version: v3.1.0 (latest)
[INF] Current nuclei-templates version: v9.7.1 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 0
[INF] Templates loaded for current scan: 7324
[INF] Executing 7341 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1254 (Reduced 1222 Requests)
[INF] Using Interactsh Server: oast.live
[options-method] [http] [info] http://210.113.102.182 [GET,POST,OPTIONS,HEAD]
[CVE-2018-16836] [http] [critical] http://210.113.102.182/theme/default/img/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd
[dir-listing] [http] [info] http://210.113.102.182
[apache-detect] [http] [info] http://210.113.102.182 [Apache/2.4.41 (Ubuntu)]
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://210.113.102.182
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://210.113.102.182
[http-missing-security-headers:strict-transport-security] [http] [info] http://210.113.102.182
[http-missing-security-headers:content-security-policy] [http] [info] http://210.113.102.182
[http-missing-security-headers:x-frame-options] [http] [info] http://210.113.102.182
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://210.113.102.182
[http-missing-security-headers:clear-site-data] [http] [info] http://210.113.102.182
[http-missing-security-headers:permissions-policy] [http] [info] http://210.113.102.182
[http-missing-security-headers:x-content-type-options] [http] [info] http://210.113.102.182
[http-missing-security-headers:referrer-policy] [http] [info] http://210.113.102.182
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://210.113.102.182
[waf-detect:apachegeneric] [http] [info] http://210.113.102.182/
[generic-linux-lfi] [http] [high] http://210.113.102.182/etc/passwd
[ssh-auth-methods] [javascript] [info] 210.113.102.182:22 [["publickey","password"]]
[ssh-server-enumeration] [javascript] [info] 210.113.102.182:22 [SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9]
[ssh-sha1-hmac-algo] [javascript] [info] 210.113.102.182:22
[ssh-password-auth] [javascript] [info] 210.113.102.182:22
[openssh-detect] [tcp] [info] 210.113.102.182:22 [SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9]
Run this command to keep the templates up to date.
jcartwright@jcartwright-System-Version:~$ nuclei -update-templates

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.0

		projectdiscovery.io
[INF] No new updates found for nuclei templates
Download additional templates for vulnerability scanning from this repository; they will enhance your vulnerability scanning abilities.
jcartwright@jcartwright-System-Version:~$ git clone https://github.com/projectdiscovery/nuclei-templates.git
Cloning into 'nuclei-templates'...
remote: Enumerating objects: 417490, done.
remote: Counting objects: 100% (6752/6752), done.
remote: Compressing objects: 100% (2910/2910), done.
remote: Total 417490 (delta 4280), reused 4284 (delta 3807), pack-reused 410738
Receiving objects: 100% (417490/417490), 97.36 MiB | 5.58 MiB/s, done.
Resolving deltas: 100% (355671/355671), done.
There are thousands of template files in this repo, which will be very useful for enhancing a scan.
This seems to be better.
jcartwright@jcartwright-System-Version:~$ nuclei -u http://210.113.102.182 -t nuclei-templates/http/

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.0

		projectdiscovery.io
[INF] Current nuclei version: v3.1.0 (latest)
[INF] Current nuclei-templates version: v9.7.1 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 2
[INF] Templates loaded for current scan: 6819
[INF] Executing 6824 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1220 (Reduced 1192 Requests)
[INF] Using Interactsh Server: oast.live
[options-method] [http] [info] http://210.113.102.182 [GET,POST,OPTIONS,HEAD]
[CVE-2018-16836] [http] [critical] http://210.113.102.182/theme/default/img/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd
[dir-listing] [http] [info] http://210.113.102.182
[apache-detect] [http] [info] http://210.113.102.182 [Apache/2.4.41 (Ubuntu)]
[http-missing-security-headers:x-frame-options] [http] [info] http://210.113.102.182
[http-missing-security-headers:clear-site-data] [http] [info] http://210.113.102.182
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://210.113.102.182
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://210.113.102.182
[http-missing-security-headers:strict-transport-security] [http] [info] http://210.113.102.182
[http-missing-security-headers:content-security-policy] [http] [info] http://210.113.102.182
[http-missing-security-headers:permissions-policy] [http] [info] http://210.113.102.182
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://210.113.102.182
[http-missing-security-headers:x-content-type-options] [http] [info] http://210.113.102.182
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://210.113.102.182
[http-missing-security-headers:referrer-policy] [http] [info] http://210.113.102.182
[waf-detect:apachegeneric] [http] [info] http://210.113.102.182/
[generic-linux-lfi] [http] [high] http://210.113.102.182/etc/passwd
Using this to scan a WordPress website reveals outdated plugins and other interesting findings that could be a vector for attacks. Outdated plugins can have known exploits, especially if they are very old.
Here is a sample from a scan on a WordPress website.
jcartwright@jcartwright-System-Version:~$ nuclei -u http://www.myspecialbook.com/web -t nuclei-templates/http/

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.0

		projectdiscovery.io
[INF] Current nuclei version: v3.1.0 (latest)
[INF] Current nuclei-templates version: v9.7.1 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 2
[INF] Templates loaded for current scan: 6819
[INF] Executing 6824 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1220 (Reduced 1192 Requests)
[INF] Using Interactsh Server: oast.pro
[wordpress-contact-form-7:outdated_version] [http] [info] http://www.myspecialbook.com/web/wp-content/plugins/contact-form-7/readme.txt [5.7.6]
[old-copyright] [http] [info] http://www.myspecialbook.com/web/ [Copyright 2018 ]
[http-missing-security-headers:permissions-policy] [http] [info] http://www.myspecialbook.com/web/
[http-missing-security-headers:x-frame-options] [http] [info] http://www.myspecialbook.com/web/
[http-missing-security-headers:referrer-policy] [http] [info] http://www.myspecialbook.com/web/
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://www.myspecialbook.com/web/
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://www.myspecialbook.com/web/
[http-missing-security-headers:strict-transport-security] [http] [info] http://www.myspecialbook.com/web/
[http-missing-security-headers:content-security-policy] [http] [info] http://www.myspecialbook.com/web/
[http-missing-security-headers:clear-site-data] [http] [info] http://www.myspecialbook.com/web/
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://www.myspecialbook.com/web/
[http-missing-security-headers:x-content-type-options] [http] [info] http://www.myspecialbook.com/web/
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://www.myspecialbook.com/web/
[wordpress-login] [http] [info] http://www.myspecialbook.com/web/wp-login.php
[wordpress-readme-file] [http] [info] http://www.myspecialbook.com/web/readme.html
This is a great way to find all vulnerabilities in your website and secure it against attack.
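As an added example (not part of the original post and not nuclei's own code), here is a small Python triage script for the console output format shown in the scans above: it parses each result line, counts findings per severity, lists the high and critical ones first, and collects the header names reported by the http-missing-security-headers template so they can be handed to whoever configures the web server. The sample output is constructed in that format using a documentation IP, not the hosts scanned above.

```python
import re
from collections import Counter

# Shape of nuclei's default console result line, as seen in the scans above:
#   [template-id[:matcher]] [protocol] [severity] target [optional extracted values]
# Status lines ("[INF] ...", "[WRN] ...") lack the second bracket group and are skipped.
LINE_RE = re.compile(
    r"^\[(?P<template>[^\]]+)\]\s+\[(?P<protocol>[^\]]+)\]\s+\[(?P<severity>[^\]]+)\]\s+"
    r"(?P<target>\S+)(?:\s+\[(?P<extra>.*)\])?$"
)
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

def parse_line(line):
    """Return a finding dict for one result line, or None for banner/status lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["severity"] = f["severity"].lower()
    # "http-missing-security-headers:x-frame-options" -> template id plus matcher name
    f["template"], _, f["matcher"] = f["template"].partition(":")
    return f

def parse_output(text):
    return [f for f in map(parse_line, text.splitlines()) if f]

def summarize(findings, min_severity="high"):
    """Count findings per severity; list those at or above min_severity, worst first."""
    counts = Counter(f["severity"] for f in findings)
    floor = SEVERITY_RANK[min_severity]
    actionable = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= floor]
    actionable.sort(key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))
    return counts, actionable

def missing_headers(findings):
    """Header names flagged by http-missing-security-headers, to hand to the web server admin."""
    return sorted({f["matcher"] for f in findings if f["template"] == "http-missing-security-headers"})

# Constructed sample in the page's output format (documentation IP, not a real scan target).
SAMPLE = """
[INF] Templates loaded for current scan: 7324
[options-method] [http] [info] http://203.0.113.10 [GET,POST,OPTIONS,HEAD]
[CVE-2018-16836] [http] [critical] http://203.0.113.10/theme/default/img/%2e%2e/%2e%2e//etc/passwd
[apache-detect] [http] [info] http://203.0.113.10 [Apache/2.4.41 (Ubuntu)]
[http-missing-security-headers:x-frame-options] [http] [info] http://203.0.113.10
[http-missing-security-headers:content-security-policy] [http] [info] http://203.0.113.10
[generic-linux-lfi] [http] [high] http://203.0.113.10/etc/passwd
[ssh-auth-methods] [javascript] [info] 203.0.113.10:22 [["publickey","password"]]
"""
```

Feed it the saved console output of a real run (for example `nuclei -u <target> | tee scan.txt`) and call `summarize(parse_output(open("scan.txt").read()))`; on the constructed sample it reports one critical and one high finding ahead of five info-level ones.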
Run this command to update nuclei.
jcartwright@jcartwright-System-Version:~$ nuclei -update

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.0

		projectdiscovery.io
23.70 MiB / 23.70 MiB [-------------------------------------------------------] 100.00% 5.67 MiB p/s
[INF] Verified Integrity of nuclei_3.1.1_linux_amd64.zip
[INF] nuclei sucessfully updated 3.1.0 -> 3.1.1 (latest)
## What's Changed
• Added support for arbitrary string input for TLS SNI annotation by @jimen0 in https://github.com/projectdiscovery/nuclei/pull/4462
• Fixed panic + refactor headless waitevent action by @tarunKoyalwar in https://github.com/projectdiscovery/nuclei/pull/4465
• Fixed wait time + added timeout for ssh connection by @dogancanbakir in https://github.com/projectdiscovery/nuclei/pull/4467
• Fixed issue with headless result upload by @tarunKoyalwar in https://github.com/projectdiscovery/nuclei/pull/4469
Full Changelog: https://github.com/projectdiscovery/nuclei/compare/v3.1.0...v3.1.1