Nuclei : A Fast Tool For Configurable Targeted Scanning

Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.

It is used to send requests across targets based on a template leading to zero false positives and providing effective scanning for known paths. Main use cases for it is during initial reconnaissance phase to quickly check for low hanging fruits or CVEs across targets that are known and easily detectable. It uses retryablehttp-go library designed to handle various errors and retries in case of blocking by WAFs, this is also one of our core modules from custom-queries.

We have also open-sourced a dedicated repository to maintain various type of templates, we hope that you will contribute there too. Templates are provided in hopes that these will be useful and will allow everyone to build their own templates for the scanner. Checkout the guide at GUIDE.md for a primer on its templates.

Features

  • Simple and modular code base making it easy to contribute.
  • Fast And fully configurable using a template based engine.
  • Handles edge cases doing retries, backoffs etc for handling WAFs.
  • Smart matching functionality for zero false positive scanning.

Also Read – Wotop : Web On Top Of Any Protocol

Usage

nuclei -h

This will display help for the tool. Here are all the switches it supports.

FlagDescriptionExample
-cNumber of concurrent requests (default 10)nuclei -c 100
-lList of urls to run templatesnuclei -l urls.txt
-tTemplates input file/files to check across hostsnuclei -t git-core.yaml
-tTemplates input file/files to check across hostsnuclei -t “path/*.yaml”
-nCDon’t Use colors in outputnuclei -nC
-oFile to save output result (optional)nuclei -o output.txt
-silentShow only found results in outputnuclei -silent
-retriesNumber of times to retry a failed request (default 1)nuclei -retries 1
-timeoutSeconds to wait before timeout (default 5)nuclei -timeout 5
-vShow Verbose outputnuclei -v
-versionShow version of nucleinuclei -version

Installation Instructions

  • From Binary

The installation is easy. You can download the pre-built binaries for your platform from the Releases page. Extract them using tar, move it to your $PATHand you’re ready to go.

> tar -xzvf nuclei-linux-amd64.tar
> mv nuclei-linux-amd64 /usr/bin/nuclei
> nuclei -h

  • From Source

It requires go1.13+ to install successfully. Run the following command to get the repo –

> GO111MODULE=on go get -u -v github.com/projectdiscovery/nuclei/cmd/nuclei

In order to update the tool, you can use -u flag with go get command.

Running

  • Running it with a single template.

This will run the tool against all the hosts in urls.txt and returns the matched results.

> nuclei -l urls.txt -t git-core.yaml -o results.txt

You can also pass the list of hosts at standard input (STDIN). This allows for easy integration in automation pipelines.

This will run the tool against all the hosts in urls.txt and returns the matched results.

> cat urls.txt | nuclei -t git-core.yaml -o results.txt

  • Running it with multiple templates.

This will run the tool against all the hosts in urls.txt with all the templates in the path-to-templates directory and returns the matched results.

> nuclei -l urls.txt -t “path-to-templates/*.yaml” -o results.txt

  • Automating it with subfinder and any other similar tool.

> subfinder -d hackerone.com | httprob | nuclei -t “path-to-templates/*.yaml” -o results.txt

It supports glob expression ending in .yaml meaning multiple templates can be easily passed to be executed one after the other. Please refer to this guide to build your own custom templates.

Credit: projectdiscovery team

R K

Recent Posts

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

1 week ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

2 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

2 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

3 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

3 weeks ago

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…

3 weeks ago