projectdiscovery / nuclei

Fast and customizable vulnerability scanner based on simple YAML based DSL.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

[issue] Nuclei doesn't work under VPN connection, no address found for host #497

Closed sgxgsx closed 3 years ago

sgxgsx commented 3 years ago

Describe the bug

It seems that nuclei doesn't resolve the hosts when it's used under a VPN. While trying to scan https://google.com with a verbose flag enabled - nuclei output:

[http-request] Sent for [tech-detect] to https://google.com
[WRN] [tech-detect] Could not execute step: could not handle http request: GET https://google.com giving up after 2 attempts: Get "https://google.com": no address found for host
[http-request] Sent for [couchdb-detect] to https://google.com
[WRN] [couchdb-detect] Could not execute step: could not handle http request: GET https://google.com/_all_dbs giving up after 2 attempts: Get "https://google.com/_all_dbs": no address found for host
[http-request] Sent for [pi-hole-detect] to https://google.com
[WRN] [pi-hole-detect] Could not execute step: could not handle http request: GET https://google.com/admin/index.php giving up after 2 attempts: Get "https://google.com/admin/index.php": no address found for host
[http-request] Sent for [jaspersoft-detect] to https://google.com
[WRN] [jaspersoft-detect] Could not execute step: could not handle http request: GET https://google.com/jasperserver/login.html?error=1 giving up after 2 attempts: Get "https://google.com/jasperserver/login.html?error=1": no address found for host
[http-request] Sent for [prometheus-exporter-detect] to https://google.com
[WRN] [prometheus-exporter-detect] Could not execute step: could not handle http request: GET https://google.com/ giving up after 2 attempts: Get "https://google.com/": no address found for host
[http-request] Sent for [terraform-detect] to https://google.com
[WRN] [terraform-detect] Could not execute step: could not handle http request: GET https://google.com/provider.tf giving up after 2 attempts: Get "https://google.com/provider.tf": no address found for host
[http-request] Sent for [apache-version-detect] to https://google.com
[WRN] [apache-version-detect] Could not execute step: could not handle http request: GET https://google.com giving up after 2 attempts: Get "https://google.com": no address found for host

If it's scanned using the -debug option, then we see that it sends the HTTP request but never gets a response.

[INF] Dumped HTTP request for https://google.com (bigip-config-utility)

GET /tmui/login.jsp HTTP/1.1
Host: google.com
Connection: close
Accept: */*
Accept-Language: en
User-Agent: Nuclei - Open-source project (github.com/projectdiscovery/nuclei)

[INF] Dumped HTTP request for https://google.com (liferay-portal-detect)

GET /api/jsonws HTTP/1.1
Host: google.com
Connection: close
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55

[INF] Dumped HTTP request for https://google.com (terraform-detect)

GET /provider.tf HTTP/1.1
Host: google.com
Connection: close
Accept: */*
Accept-Language: en
User-Agent: Nuclei - Open-source project (github.com/projectdiscovery/nuclei)

[INF] Dumped HTTP request for https://google.com (couchdb-detect)

GET /_all_dbs HTTP/1.1
Host: google.com
Connection: close
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55

[INF] Dumped HTTP request for https://google.com (tech-detect)

GET / HTTP/1.1
Host: google.com
Connection: close
Accept: */*
Accept-Language: en
User-Agent: Nuclei - Open-source project (github.com/projectdiscovery/nuclei)

I have verified that this issue persists even if I limit nuclei to 1 request per second and use a normal User-Agent. I am using a Mullvad VPN with the OpenVPN option (used different options while testing). If I use curl or a browser, everything is okay. If I scan without a VPN, then everything is okay. But truth be told, I need to use a VPN for some targets.

Nuclei version 2.2.0


geeknik commented 3 years ago

I've used nuclei with Mullvad, PIA and ProtonVPN with no issues on Debian, Ubuntu and Fedora (OpenVPN and Wireguard). You could try a different node (Google might be blocking or ignoring requests from some VPN providers because of abuse), try limiting the amount of requests, and lastly try using your own DNS resolver (I have a cluster of 6 Unbound servers behind a load balancer). Some VPN servers can't (or won't) handle thousands of DNS and HTTP requests per second. Good luck out there!

ehsandeep commented 3 years ago

@vladosstrawberry could you share the exact setup to replicate this behaviour?

sgxgsx commented 3 years ago

@geeknik I just said that Google is not blocking me (Google is just an example). I limited requests to 1 request per second and it's not working. If I don't use Mullvad then everything is okay.

@bauthard How do I do that? Ubuntu 2020.4 Mullvad 2020.7 (latest) nuclei (latest stable version 2.2.0)

Just when I am under the VPN connection then nuclei doesn't want to pass the traffic through that connection. It's possible to scan only those hosts that are inside VPN, not those to which you get through the tunnel

ehsandeep commented 3 years ago

@vladosstrawberry this should be fixed here, thanks for reporting this.

kpoow commented 3 years ago

@ehsandeep I checked this fix under my corporate VPN (GlobalProtect) using nuclei 2.3.0. When trying to run some templates against an internal host, I'm still getting the error Could not execute request for http://<internal_hostname>/: no response got for request

I found a workaround: when using -proxy-url this issue doesn't exist - the host is properly resolved and the template runs without any errors.

ehsandeep commented 3 years ago

@kpoow you can also use the -system-resolvers flag that we added in 2.3.0

Techbrunch commented 3 years ago

I ran into a similar issue and my fix was to specify the resolver used when connected to the VPN:

nuclei -u https://target.com -t ~/nuclei-templates -r resolvers.txt

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.4.3

        projectdiscovery.io

[INF] Using Nuclei Engine 2.4.3 (latest)
[INF] Using Nuclei Templates 8.4.5 (latest)
[INF] Using Interactsh Server https://interact.sh
[INF] Templates loaded: 1772 (New: 82)
[INF] Templates clustered: 283 (Reduced 265 HTTP Requests)
[2021-08-16 14:30:09] [server-status-localhost] [http] [low] https://target.com/server-status

You can find the resolver by doing a dig on your target and checking the SERVER part of the response:

;; SERVER: 192.168.211.2#53(192.168.211.2)
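
The dig step described in the last comment, scripted as an added example (not part of the original thread and not nuclei project code). The function names and the sample dig output are constructed for illustration, and it assumes the file passed to -r holds one resolver address per line.

```shell
#!/bin/sh
# Added example: build resolvers.txt from the ";; SERVER:" line that dig prints
# while the VPN is connected, then pass it to nuclei with -r.

# Constructed dig output; only the SERVER line is taken from the thread.
sample_dig_output() {
    cat <<'EOF'
;; ANSWER SECTION:
target.com.        300    IN    A    192.0.2.10

;; Query time: 12 msec
;; SERVER: 192.168.211.2#53(192.168.211.2)
;; MSG SIZE  rcvd: 55
EOF
}

# Read dig output on stdin and print the resolver address(es) it used.
# Returns 1 when there is no SERVER line, which is what happens when dig
# itself cannot reach any resolver through the tunnel.
resolver_from_dig() {
    addr=$(sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' | sort -u)
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# $1 = hostname to look up, $2 = resolver file to write.
# The file is only written when dig actually got an answer from a server.
build_resolver_file() {
    out=$(dig "$1" | resolver_from_dig) || return 1
    printf '%s\n' "$out" > "$2"
}

# Runs only when a hostname is given, e.g.: sh vpn-resolvers.sh target.com
if [ "$#" -ge 1 ]; then
    build_resolver_file "$1" resolvers.txt || {
        echo "dig reported no resolver for $1; check the VPN's DNS settings" >&2
        exit 1
    }
    nuclei -u "https://$1" -t ~/nuclei-templates -r resolvers.txt
fi
```
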