Hardcoded ports in templates

[gelim]

Issue description:

Hello,
I noticed there are templates (often network ones) that have the following {{Host}}:port within the network host definition.

I see it as a design issue. With this, you cannot guarantee that the target you scan will be hit only on the ports you specify (either via URL, or host:port notation).
Usually in your pipeline you will have this dedicated port scanning activity before nuclei is launched.

By doing echo "127.0.0.1:22" | nuclei -tags network you will have not only port 22 that will be hit, but all the others that are hardcoded.

Anything else:

Current templates that are illustrating this issue:

$ grep -P "{{Host}}:\d+" * -r 
cves/2017/CVE-2017-3881.yaml:      - "{{Host}}:23"
cves/2001/CVE-2001-1473.yaml:      - "{{Host}}:22"
cves/2021/CVE-2021-44521.yaml:      - "{{Host}}:9042"
cves/2015/CVE-2015-3306.yaml:      - "{{Host}}:21"
cves/2019/CVE-2019-8451.yaml:      url=https://{{Host}}:443@{{interactsh-url}}
cves/2016/CVE-2016-2004.yaml:      - "{{Host}}:5555"
cves/2020/CVE-2020-25780.yaml:      - "http://{{Host}}:81/SearchSvc/CVSearchService.svc"
cves/2020/CVE-2020-7247.yaml:      - "{{Host}}:25"
cves/2020/CVE-2020-1938.yaml:      - "{{Host}}:8009"
cves/2022/CVE-2022-0543.yaml:      - "{{Host}}:6379"
network/backdoor/backdoored-zte.yaml:      - "{{Host}}:23"
network/vsftpd-backdoor.yaml:      - "{{Host}}:21"
network/clickhouse-unauth.yaml:      - "{{Host}}:9000"
network/expn-mail-detect.yaml:      - "{{Host}}:25"
network/mysql-native-password.yaml:      - "{{Host}}:3306"
network/vsftpd-detection.yaml:      - "{{Host}}:21"
network/detect-addpac-voip-gateway.yaml:      - "{{Host}}:23"
network/iplanet-imap-detect.yaml:      - "{{Host}}:110"
network/samba-detect.yaml:      - "{{Host}}:139"
network/mongodb-detect.yaml:      - "{{Host}}:27017"
network/ftp-default-credentials.yaml:      - "{{Host}}:21"
network/sap-router-info-leak.yaml:      - "{{Host}}:3299"
network/totemomail-smtp-detect.yaml:      - "{{Host}}:25"
network/detect-rsyncd.yaml:      - "{{Host}}:873"
network/exposed-zookeeper.yaml:      - "{{Host}}:2181"
network/detection/iplanet-imap-detect.yaml:      - "{{Host}}:110"
network/detection/samba-detect.yaml:      - "{{Host}}:139"
network/detection/mongodb-detect.yaml:      - "{{Host}}:27017"
network/detection/totemomail-smtp-detect.yaml:      - "{{Host}}:25"
network/detection/vnc-service-detect.yaml:      - "{{Host}}:5900"
network/detection/smtp-detect.yaml:      - "{{Host}}:25"
network/detection/rdp-detect.yaml:      - "{{Host}}:3389"
network/detection/rsyncd-service-detect.yaml:      - "{{Host}}:873"
network/detection/openssh-detect.yaml:      - "{{Host}}:22"
network/detection/gopher-detect.yaml:      - "{{Host}}:70"
network/detection/starttls-mail-detect.yaml:      - "{{Host}}:25"
network/detection/smb-v1-detect.yaml:      - "{{Host}}:445"
network/unauth-ftp.yaml:      - "{{Host}}:21"
network/exposed-adb.yaml:      - "{{Host}}:5555"
network/openssh-detection.yaml:      - "{{Host}}:22"
network/tidb-unauth.yaml:      - "{{Host}}:4000"
network/smb-v1-detection.yaml:      - "{{Host}}:445"
network/printers-info-leak.yaml:      - "{{Host}}:9100"
network/rdp-detect.yaml:      - "{{Host}}:3389"
network/memcached-stats.yaml:      - "{{Host}}:11211"
network/gopher-detection.yaml:      - "{{Host}}:70"
network/smtp-detection.yaml:      - "{{Host}}:25"
network/mongodb-unauth.yaml:      - "{{Host}}:27017"
network/vnc-detect.yaml:      - "{{Host}}:5900"
network/sap-router.yaml:      - "{{Host}}:3299"
network/exposed-redis.yaml:      - "{{Host}}:6379"
network/ftp-weak-credentials.yaml:      - "{{Host}}:21"
network/starttls-mail-detect.yaml:      - "{{Host}}:25"
network/tidb-native-password.yaml:      - "{{Host}}:4000"
network/cisco-smi-exposure.yaml:      - "{{Host}}:4786"
network/ganglia-xml-grid-monitor.yaml:      - "{{Host}}:8649"
network/cowrie-honeypot-detect.yaml:      - '{{Host}}:22'
network/detect-jabber-xmpp.yaml:      - "{{Host}}:5222"
vulnerabilities/other/clockwatch-enterprise-rce.yaml:      - "{{Host}}:1001"

[ehsandeep]

Hey @gelim, thank you for bringing this up, and you are right; at the time we started with this project, we expected that users would be doing port scans to feed the input to nuclei, which seems to be not the case due to the majority of the HTTP based template where inputs are filtered that runs http web services, as a results network templates being discarded.

To increase scan coverage with default input that can work with all protocols, we started to hardcode the default ports specific to the service + also accept users' port input, just in case the specific network service is running on unrelated ports.

Possibly this will be resolved with projectdiscovery/nuclei#2614 where users don't need to feed URLs as input, and probing will be done internally depending on the template protocol in use; anyway, the primary issue will remain as it is, where hardcoded ports can be useful in network templates to increase scan coverage for the cases when host inputs are used without port information.

What do you think?

Some related discussion:

• network port support nuclei#2181
• [Feature] Add default ports to templates #1163

[gelim]

Hey thanks for the reply,
for me it's a no go, where I would not want to launch nuclei and have it probe ports I did not intend to probe. Additionally this way of adding the fixed port adds duplicate to the findings.

For instance in network/openssh-detection.yaml:

network:
  - host:
    - "{{Hostnbame}}"
    - "{{Host}:22"

By using this example you seem to have duplication between templates
network/detection/openssh-detect.yaml and network/openssh-detection.yaml

Cheers