how to use nuclei -passive

[Xc1Ym]

if I want to use passive, please tell me how to use it

[forgedhallpass]

Please see: https://nuclei.projectdiscovery.io/nuclei/get-started/#passive-scan

You can use for example proxify to dump requests and responses after you've manually/automatically crawled the target, executed automated tests or a vulnerability scanner like nuclei.

[mzpqnxow]

Perhaps I should enter a new issue, but I'll start here first...

I'm familiar with the existence of this feature, but the documentation is either misleading or woefully incomplete as far as I can tell. For example, can I feed nuclei a pcap file? I haven't looked at the code, but I suspect not

Anyway, my constructive criticism of the documentation:

Passive Scan

Nuclei engine supports passive mode scanning for HTTP based template utilizing file support, with this support we can run HTTP based templates against locally stored HTTP response data collected from any other tool.

nuclei -passive -target http_data

The key piece here being this language (emphasis mine)

locally stored HTTP response data collected from any other tool.

I see proxify mentioned in this issue; I'm not too familiar with proxify (or the format of the output it emits) but I understand the concept

What about Burp output? And if Burp captures are supported, which format is expected? I've exported Burp session data before for my own postprocessing and recall it being an XML file with most of the request/response data base64 encoded

What about raw pcap files?

My interest/need is to derive additional value from very, very large pcap files which contain programmatically generated traffic. That traffic is captured rather than proxied through a tool like burp or proxify because (for various reasons) the tool(s) making the requests can't be funneled through a proxy in any practical way

Maybe this is not exactly what the feature was designed for, but regardless, it seems I'll have to read the source to figure out if it's directly supported. If it's not, I considered looking into pcap2socks but this would be a clunky process, and I'm not sure how it might then be funneled into proxify

Apologies if I missed something in the documentation (or elsewhere) but I haven't found much evidence that this feature is widely used. I admit I did not take the time to install proxify or research or analyze its output format- I was hoping there may be a quick answer here

tl; dr; It's not clear to me what input format(s) is/are supported by -passive but it sure would be nice if pcap format was supported, and/or if there was more documentation to guide how one might use another tool (or write a new one) to convert a pcap to the format that nuclei prefers

[ehsandeep]

@mzpqnxow Recently, we have been considering deprecating the -passive option in favor of using file protocol instead that can process any kind of file input, including http response, due to various edge cases/maintenance and limited support to a specific format (initially it was aimed to process only httpx response)

do you have any specific use cases to use with passive option? is it something that can be achieved with file template?

[mzpqnxow]

@mzpqnxow Recently, we have been considering deprecating the -passive option in favor of using file protocol instead that can process any kind of file input, including http response, due to various edge cases/maintenance and limited support to a specific format (initially it was aimed to process only httpx response)

Cool, look forward to that

do you have any specific use cases to use with passive option? is it something that can be achieved with file template?

Good question. So imagine a simpler more performance focused tool (e.g. zgrab2) doing "only" raw collection of a large number of HTTP(S) endpoints rapidly at large scale - for example, ~50k+ unique (scheme, ip, port, urlpath) 4-tuples

Currently I perform post-processing on that raw data. I'm not looking to replace zgrab2 (or the post-processing) with nuclei. I'm also not necessarily ready to use nuclei do the same amount of gathering for a few reasons; rather I'm trying to derive additional value from the zgrab2 data that's already available. I understand you wouldn't want to deal with zgrab2 output, but something like a PCAP is what I was imagining

I'm not trying to replace (or even compare) either tool; I just recognize that it's wasteful in my case to not have nuclei take a pass over the PCAP, even if it's only able to make use of the small subset of templates that can function by looking only at a few headers and tags (e.g. Server header, Cookies header, HTML title tag, ...)

There's of course limited value for the many advanced templates; but for those that look at the responses from common endpoints like /, /login, /admin, etc. there's potentially huge value.. I think

What I'm describing may not really be what -passive was intended for, which is OK. I'm just exploring the idea because it seemed like a neat possibility

[mzpqnxow]

@mzpqnxow Recently, we have been considering deprecating the -passive option in favor of using file protocol instead that can process any kind of file input, including http response, due to various edge cases/maintenance and limited support to a specific format (initially it was aimed to process only httpx response)

do you have any specific use cases to use with passive option? is it something that can be achieved with file template?

Adding to this, specifically with regard to PCAP and file protocol (which I'm not too familiar with) - if it works like I'm imaging, maybe a small script to scrape HTTP requests/responses from the PCAP into file protocol format would do the trick and there wouldn't be anything special needed on the nuclei side