Nuclei : A Fast Tool For Configurable Targeted Scanning

Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.

It is used to send requests across targets based on a template leading to zero false positives and providing effective scanning for known paths. Main use cases for it is during initial reconnaissance phase to quickly check for low hanging fruits or CVEs across targets that are known and easily detectable. It uses retryablehttp-go library designed to handle various errors and retries in case of blocking by WAFs, this is also one of our core modules from custom-queries.

We have also open-sourced a dedicated repository to maintain various type of templates, we hope that you will contribute there too. Templates are provided in hopes that these will be useful and will allow everyone to build their own templates for the scanner. Checkout the guide at GUIDE.md for a primer on its templates.

Features

  • Simple and modular code base making it easy to contribute.
  • Fast And fully configurable using a template based engine.
  • Handles edge cases doing retries, backoffs etc for handling WAFs.
  • Smart matching functionality for zero false positive scanning.

Also Read – Wotop : Web On Top Of Any Protocol

Usage

nuclei -h

This will display help for the tool. Here are all the switches it supports.

FlagDescriptionExample
-cNumber of concurrent requests (default 10)nuclei -c 100
-lList of urls to run templatesnuclei -l urls.txt
-tTemplates input file/files to check across hostsnuclei -t git-core.yaml
-tTemplates input file/files to check across hostsnuclei -t “path/*.yaml”
-nCDon’t Use colors in outputnuclei -nC
-oFile to save output result (optional)nuclei -o output.txt
-silentShow only found results in outputnuclei -silent
-retriesNumber of times to retry a failed request (default 1)nuclei -retries 1
-timeoutSeconds to wait before timeout (default 5)nuclei -timeout 5
-vShow Verbose outputnuclei -v
-versionShow version of nucleinuclei -version

Installation Instructions

  • From Binary

The installation is easy. You can download the pre-built binaries for your platform from the Releases page. Extract them using tar, move it to your $PATHand you’re ready to go.

> tar -xzvf nuclei-linux-amd64.tar
> mv nuclei-linux-amd64 /usr/bin/nuclei
> nuclei -h

  • From Source

It requires go1.13+ to install successfully. Run the following command to get the repo –

> GO111MODULE=on go get -u -v github.com/projectdiscovery/nuclei/cmd/nuclei

In order to update the tool, you can use -u flag with go get command.

Running

  • Running it with a single template.

This will run the tool against all the hosts in urls.txt and returns the matched results.

> nuclei -l urls.txt -t git-core.yaml -o results.txt

You can also pass the list of hosts at standard input (STDIN). This allows for easy integration in automation pipelines.

This will run the tool against all the hosts in urls.txt and returns the matched results.

> cat urls.txt | nuclei -t git-core.yaml -o results.txt

  • Running it with multiple templates.

This will run the tool against all the hosts in urls.txt with all the templates in the path-to-templates directory and returns the matched results.

> nuclei -l urls.txt -t “path-to-templates/*.yaml” -o results.txt

  • Automating it with subfinder and any other similar tool.

> subfinder -d hackerone.com | httprob | nuclei -t “path-to-templates/*.yaml” -o results.txt

It supports glob expression ending in .yaml meaning multiple templates can be easily passed to be executed one after the other. Please refer to this guide to build your own custom templates.

Credit: projectdiscovery team

R K

Recent Posts

Bomber : Navigating Security Vulnerabilities In SBOMs

bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…

14 hours ago

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…

14 hours ago

Exploit Street – Navigating The New Terrain Of Windows LPEs

Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…

3 days ago

ShadowDumper – Advanced Techniques For LSASS Memory Extraction

Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…

4 days ago

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago