Nuclei shouldn't scan other ports when the user specified one #4157

Closed
jimen0 opened this issue Sep 16, 2023 · 4 comments
Labels
Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors.

Comments

@jimen0
Contributor

jimen0 commented Sep 16, 2023

Nuclei version:

Current dev branch: 77a03ee90fc2cebdb8aac4471e8c315be588240c

$ go version -m nuclei
nuclei: go1.21.1
        path    github.com/projectdiscovery/nuclei/v2/cmd/nuclei
        mod     github.com/projectdiscovery/nuclei/v2   (devel)
        ...
        build   -buildmode=exe
        build   -compiler=gc
        build   DefaultGODEBUG=panicnil=1
        build   CGO_ENABLED=1
        build   CGO_CFLAGS=
        build   CGO_CPPFLAGS=
        build   CGO_CXXFLAGS=
        build   CGO_LDFLAGS=
        build   GOARCH=amd64
        build   GOOS=linux
        build   GOAMD64=v1
        build   vcs=git
        build   vcs.revision=77a03ee90fc2cebdb8aac4471e8c315be588240c
        build   vcs.time=2023-09-16T08:55:36Z
        build   vcs.modified=true

Current Behavior:

$ python3 -m http.server 3101
...
$ nuclei -u http://127.0.0.1:3101 -silent
...
[openssh-detect] [tcp] [info] 127.0.0.1:22 [SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1]

Expected Behavior:

Port 22/tcp shouldn't be fetched by the tool without explicit consent by the user.

Steps To Reproduce:

See the Current Behavior section.

Anything else:

The reason behind this is that oftentimes bug hunters aren't allowed to hunt on ALL ports, as scope is restricted to a specific service/app.

If this is the intended behavior I'd expect it to be documented and a flag provided to disable it, please.

@jimen0 jimen0 added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Sep 16, 2023
@ehsandeep
Member

@jimen0, thanks for flagging this; it's something we already handled in #3902. As you might already know, it's the templates making the additional request: in order to support the default port plus the port specified in user input, the existing public network templates use two request blocks, which results in two network requests. With the improvements done in #4123, nuclei can now handle the user input port without the need to duplicate the request.

This also requires a change in the public network templates after the next nuclei release, but we will wait for a couple of weeks to avoid forced updates for users.

@ehsandeep
Member

ehsandeep commented Sep 16, 2023

@jimen0, a new release of nuclei is out with a fix; here is the template that you can run with the latest nuclei release:

id: openssh-detect

info:
  name: OpenSSH Service - Detect
  author: r3dg33k,daffainfo,iamthefrogy
  severity: info
  description: |
    OpenSSH service was detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  reference:
    - http://www.openwall.com/lists/oss-security/2016/08/01/2
    - http://www.openwall.com/lists/oss-security/2018/08/15/5
    - http://seclists.org/fulldisclosure/2016/Jul/51
    - https://nvd.nist.gov/vuln/detail/CVE-2016-6210
    - https://nvd.nist.gov/vuln/detail/CVE-2018-15473
  tags: seclists,network,ssh,openssh,detect
  metadata:
    max-request: 1

tcp:
  - host:
      - "{{Hostname}}"
    port: 22

    matchers:
      - type: regex
        regex:
          - '(?i)OpenSSH'

    extractors:
      - type: regex
        regex:
          - '(?i)SSH-(.*)-OpenSSH_[^\r]+'

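The two behaviours discussed in this thread, modelled as an added Go example written for this page (it is not nuclei's own code): the pre-fix public network templates carried two request blocks, one for the target as given and one for the template's default port, so a target of http://127.0.0.1:3101 also produced a connection to 127.0.0.1:22; the fixed template has a single block whose `port: 22` is overridden by an explicit user port. The Target type, the ParseTarget/LegacyAddrs/EffectiveAddr/OutOfScope helpers and the choice of 22 as the template port are assumptions made for the example, and OutOfScope is the check a bug hunter with a port-restricted scope would want to run over the addresses a template is about to dial.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strconv"
)

// Target is a parsed user-supplied scan target. This struct and the helpers
// below are an assumed model written for this thread, not nuclei's own code.
type Target struct {
	Host         string
	Port         int  // meaningful only when PortExplicit is true
	PortExplicit bool // the user named a port, e.g. http://127.0.0.1:3101
}

// ParseTarget accepts a URL (http://127.0.0.1:3101), a host:port pair
// (127.0.0.1:3101) or a bare host (127.0.0.1).
func ParseTarget(input string) (Target, error) {
	if u, err := url.Parse(input); err == nil && u.Scheme != "" && u.Host != "" {
		if p := u.Port(); p != "" {
			return withPort(u.Hostname(), p)
		}
		return Target{Host: u.Hostname()}, nil
	}
	if host, p, err := net.SplitHostPort(input); err == nil {
		return withPort(host, p)
	}
	return Target{Host: input}, nil
}

func withPort(host, p string) (Target, error) {
	n, err := strconv.Atoi(p)
	if err != nil || n < 1 || n > 65535 {
		return Target{}, fmt.Errorf("invalid port %q in target", p)
	}
	return Target{Host: host, Port: n, PortExplicit: true}, nil
}

// LegacyAddrs models the pre-fix public network templates described in the
// thread: two request blocks, one dialling the target as given and one
// dialling the template's default port, so both ports get a connection.
func LegacyAddrs(t Target, templatePort int) []string {
	def := net.JoinHostPort(t.Host, strconv.Itoa(templatePort))
	if !t.PortExplicit || t.Port == templatePort {
		return []string{def}
	}
	return []string{net.JoinHostPort(t.Host, strconv.Itoa(t.Port)), def}
}

// EffectiveAddr models the fixed behaviour: a single request block whose
// template port is overridden by an explicit user port.
func EffectiveAddr(t Target, templatePort int) string {
	port := templatePort
	if t.PortExplicit {
		port = t.Port
	}
	return net.JoinHostPort(t.Host, strconv.Itoa(port))
}

// OutOfScope returns the addresses in addrs that reach a port the user did
// not name. When the user gave no port, the template default is the only
// choice left, so nothing is reported.
func OutOfScope(t Target, addrs []string) []string {
	if !t.PortExplicit {
		return nil
	}
	allowed := net.JoinHostPort(t.Host, strconv.Itoa(t.Port))
	var bad []string
	for _, a := range addrs {
		if a != allowed {
			bad = append(bad, a)
		}
	}
	return bad
}

func main() {
	// Constructed input mirroring the report: python3 -m http.server 3101.
	t, err := ParseTarget("http://127.0.0.1:3101")
	if err != nil {
		panic(err)
	}
	legacy := LegacyAddrs(t, 22)
	fixed := []string{EffectiveAddr(t, 22)}
	fmt.Println("legacy templates dial:", legacy, "out of scope:", OutOfScope(t, legacy))
	fmt.Println("fixed template dials: ", fixed, "out of scope:", OutOfScope(t, fixed))
}
```

Running the example against the report's target prints 127.0.0.1:22 as out of scope for the legacy two-block layout and nothing for the single-block layout; the same OutOfScope check can be pointed at the host:port list of any template a scan is about to run when the engagement scope is a single service.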
@jimen0
Contributor Author

jimen0 commented Sep 17, 2023

That's amazing, @ehsandeep. Incredible team you built!

Let me know if you want me to close this issue or if you prefer it to stay open until your team closes it, please.

@ehsandeep
Member

Thank you, @jimen0 💙

I'm closing this issue as this is already resolved and soon public network templates will be updated - projectdiscovery/nuclei-templates#8219
