# Question about scanning a list of IP address URLs that includes port numbers


zenith flame

It's my understanding that with HTTP/HTTPS-related assets a port number isn't necessary to add when running the scan (ex: nuclei -t /path/file -u http://x.x.x.x); however, if an asset has a different port, then it needs to be included during the scan (ex: nuclei -t /path/template-file -u x.x.x.x:port-number) in order for it to work.

Now if I want to run a scan on, let's say, 100 IPs with different ports, do all the port numbers need to be added in the list along with the IP address (ex: x.x.x.x:port-number), or is there a nuclei scanning command I can use that will automatically detect the port number for that IP address?

I only run into this issue with HTTP-related scripts that are accessible through the browser and not network-related ones such as application-based (MongoDB, Redis, etc.). I understand that application-based, network-related scripts use the {{hostname}} parameter compared to URL-related scripts that use {{baseurl}}.

Please let me know if there's a nuclei command that will detect the port number automatically or if something can be added to the script itself.


jade plank

@zenith flame It is expected to include the port along with the IP in the input list to scan services running on non-standard ports.
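Added example (not from this thread or from the nuclei project): a small POSIX shell helper that turns a plain "ip" / "ip:port" list into the per-line targets the answer describes, so HTTP templates get a scheme-qualified URL and non-standard ports stay explicit. It assumes IPv4 addresses or hostnames (no IPv6 brackets), treats :80 and :443 as the default ports, and assumes plain http for any other port; the sample list and the -l input-file flag usage are constructed for illustration.

```shell
#!/bin/sh
# Constructed helper, not nuclei's own code. One input entry in, one target out.
# ":443" -> https without the port, ":80" -> http without the port (defaults),
# any other ":port" is kept explicitly (assumed http), bare host -> http://host.
to_nuclei_target() {
  host=$1
  case $host in
    *:443) printf 'https://%s\n' "${host%:443}" ;;
    *:80)  printf 'http://%s\n' "${host%:80}" ;;
    *)     printf 'http://%s\n' "$host" ;;
  esac
}

# Constructed sample list in the "ip:port" form the answer asks for
# (documentation addresses; the duplicate line is deliberate).
SAMPLE_TARGETS='192.0.2.10:8080
192.0.2.11
192.0.2.12:443
192.0.2.10:8080'

# Convert a whole list (one entry per line), skipping blanks and duplicates.
# Output is suitable for: nuclei -t /path/template-file -l targets.txt
build_target_list() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    [ -n "$line" ] && to_nuclei_target "$line"
  done | sort -u
}
```

Write the output of build_target_list to a file and pass it with -l; network templates that use {{Hostname}} still accept the same host:port lines, so one list can serve both kinds of template.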

zenith flame

@jade plank Thank you for clarifying! So is there a reason why the port needs to be included for non-standard ports on web-based assets, but network-based templates automatically detect the port number during the scan? Attaching a screenshot of a Redis scan that I did without including the port number, and nuclei was able to detect the port.

jade plank

#1079473814326493254 message

zenith flame

@jade plank Oh okay, is there something I should do from a script point of view? I've seen that in network-based scripts {{hostname}} is being used, compared to web-based ones, which use the {{baseurl}} syntax unless I am using a raw HTTP request. With raw HTTP requests it's the {{hostname}} syntax, but even then web-based scans still require me to include the port. Any idea about the difference between those?