Nuclei
Overview
Nuclei (GitHub project) is a web scanner that sends requests to a target and compares each response against a pre-determined template; a match is reported as a positive detection for whatever the analyst was looking for.
Key Characteristics
| Key | Value |
|---|---|
| Name | Nuclei |
| Project URL | https://nuclei.projectdiscovery.io/ |
| Documentation | https://github.com/projectdiscovery/nuclei |
| Author | Project Discovery |
| Category | #software |
Description
Nuclei is like a combination of Nmap and a vulnerability scanner, where the vulnerability tests are composed as "templates" written in YAML. You can think of template development as a kind of Yara for web requests.
Components
Nuclei is simple: it is a single binary plus a directory containing the templates (the rules, or detections) that the tool executes.
Setup
Binary installation
The simplest method to get started with Nuclei is to download the binary for your platform from the releases page.
Installing Nuclei Templates
Nuclei templates are downloaded to your system automatically when Nuclei runs. Alternatively, you can pull them down with git:
git clone https://github.com/projectdiscovery/nuclei-templates
Running Nuclei in Docker
Nuclei in Docker is fairly straightforward: pull the image and pass your CLI parameters to it.
When using the Docker image, relative paths are not supported; I have only been successful when using the full path of the template within the container.
Configuration
- As of 2.7.7, the configuration directory can be specified with -config-directory.
Updating
Run nuclei -update to update the binary.
Usage
Remember to use http:// or https:// for your targets; otherwise Nuclei will not accurately check the destination.
Getting Started
Using Workflows
- Nuclei Workflows - official documentation.
- Dwi's blog post on weaponizing Nuclei through workflows.
Examples
These examples assume the compiled nuclei binary and the nuclei-templates directory are in the same directory.
Detect the technologies in use on a target:
./nuclei -t nuclei-templates/technologies/tech-detect.yaml -u https://example.com
Check for a security.txt file on the target webserver:
nuclei -t nuclei-templates/miscellaneous/security-txt.yaml -u https://example.com
Run every template tagged tech against a target:
nuclei --tags tech -u https://example.com
Resume
Nuclei can also resume an aborted session. When you ctrl-c a scan, it prints the path to a resume file. Simply pass that path with -r.
Example: nuclei -r ~/.config/nuclei/resume-cfd8sque5pcse523000g.cfg
Nuclei Templates
Example Template
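A minimal template of the kind described above, written here as an added example rather than one taken from the nuclei-templates repository. It checks for a security.txt file and extracts its Contact line; the id, author and paths are assumed values, and the http: key is the current request block name (older 2.x releases used requests: instead).

```yaml
# Added example template: detect a security.txt file on the target.
# All identifiers below are constructed for illustration.
id: example-security-txt

info:
  name: security.txt detection (example)
  author: example-author
  severity: info
  description: Checks the RFC 9116 location for a security.txt file.
  tags: misc,example

http:
  - method: GET
    path:
      - "{{BaseURL}}/.well-known/security.txt"
      - "{{BaseURL}}/security.txt"

    # Stop after the first path that matches.
    stop-at-first-match: true

    # Both matchers must hit: a 200 response AND a Contact field in the body.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "Contact:"

    # Pull the Contact line out of the body so it appears in the finding.
    extractors:
      - type: regex
        part: body
        regex:
          - "(?i)Contact:\\s*\\S+"
```

Run it with nuclei -t example-security-txt.yaml -u https://example.com; a finding is only reported when every matcher under matchers-condition: and is satisfied.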
How Nuclei fits in an Intel workflow
Using Nuclei for bug hunting
The following guide provides an excellent overview of putting all the pieces from above together into a bug-hunting workflow: the Project Discovery blog post "The Ultimate Guide to Finding Bugs With Nuclei".
Using Nuclei as an ASM platform
'ASM' stands for Attack Surface Management. The Project Discovery blog post "Hacking Together an ASM Platform Using ProjectDiscovery Tools" describes a GitHub project that combines Nuclei with some other tools to build an #ASM platform for monitoring accessible infrastructure for potential exposure.
Checking for a potential domain takeover is another Nuclei capability, using the ./dns/servfail-refused-hosts.yaml template.