Running Nuclei under VPN connection

[sgxgsx]

Describe the bug
It seems that nuclei doesn't resolve the hosts when it's used under a VPN.
While trying to scan https://google.com with a verbose flag enabled - nuclei output:

[http-request] Sent for [tech-detect] to https://google.com
[WRN] [tech-detect] Could not execute step: could not handle http request: GET https://google.com giving up after 2 attempts: Get "https://google.com": no address found for host
[http-request] Sent for [couchdb-detect] to https://google.com
[WRN] [couchdb-detect] Could not execute step: could not handle http request: GET https://google.com/_all_dbs giving up after 2 attempts: Get "https://google.com/_all_dbs": no address found for host
[http-request] Sent for [pi-hole-detect] to https://google.com
[WRN] [pi-hole-detect] Could not execute step: could not handle http request: GET https://google.com/admin/index.php giving up after 2 attempts: Get "https://google.com/admin/index.php": no address found for host
[http-request] Sent for [jaspersoft-detect] to https://google.com
[WRN] [jaspersoft-detect] Could not execute step: could not handle http request: GET https://google.com/jasperserver/login.html?error=1 giving up after 2 attempts: Get "https://google.com/jasperserver/login.html?error=1": no address found for host
[http-request] Sent for [prometheus-exporter-detect] to https://google.com
[WRN] [prometheus-exporter-detect] Could not execute step: could not handle http request: GET https://google.com/ giving up after 2 attempts: Get "https://google.com/": no address found for host
[http-request] Sent for [terraform-detect] to https://google.com
[WRN] [terraform-detect] Could not execute step: could not handle http request: GET https://google.com/provider.tf giving up after 2 attempts: Get "https://google.com/provider.tf": no address found for host
[http-request] Sent for [apache-version-detect] to https://google.com
[WRN] [apache-version-detect] Could not execute step: could not handle http request: GET https://google.com giving up after 2 attempts: Get "https://google.com": no address found for host

If it's scanned using -debug option, then we see that it sends HTTP request but never gets a response.

[INF] Dumped HTTP request for https://google.com (bigip-config-utility)

GET /tmui/login.jsp HTTP/1.1
Host: google.com
Connection: close
Accept: */*
Accept-Language: en
User-Agent: Nuclei - Open-source project (github.com/projectdiscovery/nuclei)

[INF] Dumped HTTP request for https://google.com (liferay-portal-detect)

GET /api/jsonws HTTP/1.1
Host: google.com
Connection: close
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55

[INF] Dumped HTTP request for https://google.com (terraform-detect)

GET /provider.tf HTTP/1.1
Host: google.com
Connection: close
Accept: */*
Accept-Language: en
User-Agent: Nuclei - Open-source project (github.com/projectdiscovery/nuclei)

[INF] Dumped HTTP request for https://google.com (couchdb-detect)

GET /_all_dbs HTTP/1.1
Host: google.com
Connection: close
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55

[INF] Dumped HTTP request for https://google.com (tech-detect)

GET / HTTP/1.1
Host: google.com
Connection: close
Accept: */*
Accept-Language: en
User-Agent: Nuclei - Open-source project (github.com/projectdiscovery/nuclei)

I have verified that this issue persists even if I limit nuclei to 1 request per second and used a normal User-Agent.
I am using a Mullvad VPN with openvpn option (used different options, while testing).
If I use curl or a browser - everything is okay. If I scan without a vpn - then everything is okay. But truth to say I need to use a vpn for some targets

Nuclei version
2.2.0

Screenshot of the error or bug

[geeknik]

I've used nuclei with Mullvad, PIA and ProtonVPN with no issues on Debian, Ubuntu and Fedora (OpenVPN and Wireguard). You could try a different node (Google might be blocking or ignoring requests from some VPN providers because of abuse), try limiting the amount of requests, and lastly try using your own DNS resolver (I have a cluster of 6 Unbound servers behind a load balancer). Some VPN servers can't (or won't) handle thousands of DNS and HTTP requests per second. Good luck out there!

[ehsandeep]

@vladosstrawberry could you share the exact setup to replicate this behaviour?

[sgxgsx]

@geeknik I just said that google is not blocking me. (google is just an example). I limited requests to 1 request per second and it's not working. If I don't use Mullvad then everything is okay.

@bauthard How do I do that?
Ubuntu 2020.4
Mullvad 2020.7 (latest)
nuclei (latest stable version 2.2.0)

Just when I am under the VPN connection then nuclei doesn't want to pass the traffic through that connection. It's possible to scan only those hosts that are inside VPN, not those to which you get through the tunnel

[ehsandeep]

@vladosstrawberry this should be fixed here, thanks for reporting this.

[kpoow]

@ehsandeep I check this fix under my corporate VPN (GlobalProtect) using nuclei 2.3.0. When trying to run some templates against internal host, I'm still getting error
Could not execute request for http://<internal_hostname>/: no response got for request

I found workaround, when using -proxy-url this issue doesn't exist - host is being properly resolved and template runs without any errors.

[ehsandeep]

@kpoow you can also use -system-resolvers flag that we added in 2.3.0

[hishammir]

hi @ehsandeep , im using nordvpn linux client , and even with using the -system-resolvers , the nuclei responds with

[INF] Skipped target.com:443 from target list as found unresponsive 30 times
[INF] No results found. Better luck next time!

without nordvpn
[waf-detect:litespeed] [http] [info] https://target.com
[imap-detect] [tcp] [info] target.com:143
[pop3-detect] [tcp] [info] target.com:110

[Techbrunch]

I ran into a similar issue and my fix was to specify the resolver used when connected to the VPN:

nuclei -u https://target.com -t  ~/nuclei-templates -r resolvers.txt

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.4.3

		projectdiscovery.io

[INF] Using Nuclei Engine 2.4.3 (latest)
[INF] Using Nuclei Templates 8.4.5 (latest)
[INF] Using Interactsh Server https://interact.sh
[INF] Templates loaded: 1772 (New: 82)
[INF] Templates clustered: 283 (Reduced 265 HTTP Requests)
[2021-08-16 14:30:09] [server-status-localhost] [http] [low] https://target.com/server-status

You can find the resolver by doing a dig on your target and checking the SERVER part of the response:

;; SERVER: 192.168.211.2#53(192.168.211.2)