Nuclei : A Fast Tool For Configurable Targeted Scanning

Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.

It is used to send requests across targets based on a template leading to zero false positives and providing effective scanning for known paths. Main use cases for it is during initial reconnaissance phase to quickly check for low hanging fruits or CVEs across targets that are known and easily detectable. It uses retryablehttp-go library designed to handle various errors and retries in case of blocking by WAFs, this is also one of our core modules from custom-queries.

We have also open-sourced a dedicated repository to maintain various type of templates, we hope that you will contribute there too. Templates are provided in hopes that these will be useful and will allow everyone to build their own templates for the scanner. Checkout the guide at GUIDE.md for a primer on its templates.

Features

• Simple and modular code base making it easy to contribute.
• Fast And fully configurable using a template based engine.
• Handles edge cases doing retries, backoffs etc for handling WAFs.
• Smart matching functionality for zero false positive scanning.

Also Read – Wotop : Web On Top Of Any Protocol

Usage

nuclei -h

This will display help for the tool. Here are all the switches it supports.

Flag	Description	Example
-c	Number of concurrent requests (default 10)	nuclei -c 100
-l	List of urls to run templates	nuclei -l urls.txt
-t	Templates input file/files to check across hosts	nuclei -t git-core.yaml
-t	Templates input file/files to check across hosts	nuclei -t “path/*.yaml”
-nC	Don’t Use colors in output	nuclei -nC
-o	File to save output result (optional)	nuclei -o output.txt
-silent	Show only found results in output	nuclei -silent
-retries	Number of times to retry a failed request (default 1)	nuclei -retries 1
-timeout	Seconds to wait before timeout (default 5)	nuclei -timeout 5
-v	Show Verbose output	nuclei -v
-version	Show version of nuclei	nuclei -version

Installation Instructions

• From Binary

The installation is easy. You can download the pre-built binaries for your platform from the Releases page. Extract them using tar, move it to your $PATHand you’re ready to go.

> tar -xzvf nuclei-linux-amd64.tar
> mv nuclei-linux-amd64 /usr/bin/nuclei
> nuclei -h

• From Source

It requires go1.13+ to install successfully. Run the following command to get the repo –

> GO111MODULE=on go get -u -v github.com/projectdiscovery/nuclei/cmd/nuclei

In order to update the tool, you can use -u flag with go get command.

Running

• Running it with a single template.

This will run the tool against all the hosts in urls.txt and returns the matched results.

> nuclei -l urls.txt -t git-core.yaml -o results.txt

You can also pass the list of hosts at standard input (STDIN). This allows for easy integration in automation pipelines.

This will run the tool against all the hosts in urls.txt and returns the matched results.

> cat urls.txt | nuclei -t git-core.yaml -o results.txt

• Running it with multiple templates.

This will run the tool against all the hosts in urls.txt with all the templates in the path-to-templates directory and returns the matched results.

> nuclei -l urls.txt -t “path-to-templates/*.yaml” -o results.txt

• Automating it with subfinder and any other similar tool.

> subfinder -d hackerone.com | httprob | nuclei -t “path-to-templates/*.yaml” -o results.txt

It supports glob expression ending in .yaml meaning multiple templates can be easily passed to be executed one after the other. Please refer to this guide to build your own custom templates.

Credit: projectdiscovery team