# Automation

### Introduction

While automation should not be relied on too heavily, it can help you quickly identify low-hanging fruit when scanning the external perimeter of an organization during a penetration test. In this specific instance, I am referring to Nuclei from ProjectDiscovery; however, other tooling exists to automate your penetration tests, such as a vulnerability scanner like Burp Suite's Active Scan or Nessus.

### Nuclei

To further improve your penetration test workflow, creating custom Nuclei templates for common findings is highly recommended. For example, during a penetration test I observed several devices leveraging the same default credentials; a check for this can be quickly automated using Nuclei's scanner:

```yaml
id: yealink-default-login

info:
  name: Yealink CTP18 - Default Login
  author: parzival
  severity: high
  description: |
    Yealink CTP18 Default Administrator Credentials Discovered.
  reference:
    - https://support.yealink.com
  metadata:
    fofa-query: Yealink CTP18
    max-request: 1
    verified: true
  tags: default-login,yealink

http:
  - raw:
      - |
        POST /api/auth/login?p=Login&t=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: application/json, text/plain, */*

        username={{username}}&pwd={{password}}

    attack: pitchfork
    payloads:
      username:
        - admin
      password:
        - '0000'

    host-redirects: true
    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"ret":"ok","data":"ok"}'

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
```
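To see why the template sets `matchers-condition: and`, the following added example (not part of the original template and not Nuclei's own code) models the three matchers in Python and evaluates them against constructed responses. The matching semantics are a simplified assumption, and every sample response is invented for illustration.

```python
# Simplified model of how the template's three matchers combine.
# Assumption: a word matcher hits when any listed word is a substring of the
# chosen part; this is a sketch of the logic, not Nuclei's implementation.

MATCHERS = [
    {"type": "word", "part": "body", "words": ['{"ret":"ok","data":"ok"}']},
    {"type": "word", "part": "header", "words": ["text/html"]},
    {"type": "status", "status": [200]},
]

# Constructed sample responses (not captured from any real device).
SAMPLES = {
    "login accepted": {"status": 200, "headers": {"Content-Type": "text/html"},
                       "body": '{"ret":"ok","data":"ok"}'},
    "login rejected": {"status": 200, "headers": {"Content-Type": "text/html"},
                       "body": '{"ret":"failed"}'},
    "unrelated html page": {"status": 200, "headers": {"Content-Type": "text/html"},
                            "body": "<html><body>Welcome</body></html>"},
    "json api": {"status": 200, "headers": {"Content-Type": "application/json"},
                 "body": '{"ret":"ok","data":"ok"}'},
}


def matcher_hits(matcher, response):
    """Return True when a single matcher fires on the response."""
    if matcher["type"] == "status":
        return response["status"] in matcher["status"]
    if matcher["type"] == "word":
        if matcher["part"] == "header":
            haystack = "\n".join(f"{k}: {v}" for k, v in response["headers"].items())
        else:
            haystack = response["body"]
        return any(word in haystack for word in matcher["words"])
    raise ValueError(f"unsupported matcher type: {matcher['type']}")


def evaluate(response, condition="and"):
    """Combine all matchers with 'and' (every one fires) or 'or' (any fires)."""
    results = [matcher_hits(m, response) for m in MATCHERS]
    return all(results) if condition == "and" else any(results)


def triage(condition):
    """Map each constructed sample to whether it would be reported."""
    return {name: evaluate(resp, condition) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for cond in ("and", "or"):
        print(cond, triage(cond))
```

With `and`, only the accepted login is reported; with `or`, every sample is flagged because the status matcher alone fires on any 200 response.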
