Nuclei cheatsheet

Basic usage

Scan single target

nuclei -u http://example.com
nuclei -target http://example.com

Scan targets from file

nuclei -l targets.txt

Scan in a workflow with other tools

subfinder -d targetdomain.site -silent | httpx | nuclei -t http/exposures/

Templates

Scan with template folder

nuclei -t http/exposures/

Scan with specific templates

nuclei -t http/technologies/tech-detect.yaml -t http/technologies/nginx/nginx-version.yaml

Scan with template tags

nuclei -u https://jira.targetdomain.site -tags jira,generic

Use only templates with given severity

nuclei -u https://targetdomain.site -s critical,high,medium

Exclude templates

Exclude templates

nuclei -et http/fuzzing/

Setting headers

Set custom header for scan

nuclei -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36' -l targets.txt

Rate limits

Limit nuclei to 20 requests per seconds and 5 concurrent threads

nuclei -l targets.txt -rl 20 -c 5

Optimizations

Set timeout to 3 seconds (by default its 10)

nuclei -l targets.txt -timeout 3

Skip host after 5 errors

nuclei -l targets.txt --max-host-errors 5

Set maximum retries to 3 (default is 1)

nuclei -l targets.txt -retries 3

Scan strategy

nuclei -l targets.txt -ss host-spray
  • auto - placeholder for template-spray strategy
  • host-spray - runs all templates on single target before moving to next target
  • template-spray - runs a template on multiple targets thereby reducing the load on single target

Output

Save output to the file

nuclei -l targets.txt -o nuclei.log

Print output in JSONL format

nuclei -l targets.txt -jsonl

Print stats during scan

nuclei -l targets.txt -stats

Save results in Markdown format in the directory

nuclei -l targets.txt -me results/

Out of band testing

Disable OOB testing

nuclei -l targets.txt -ni

Use self-hosted Interactsh server

nuclei -l targets.txt -iserver <server-addr> -itoken <server-token>

Define how long to wait for an interaction

nuclei -l targets.txt -interactions-eviction 120

Define custom poll duration (default 5)

nuclei -l targets.txt -interactions-poll-duration 10

Config

Use config

nuclei -config nuclei.yaml -l targets.txt

Default nuclei config is located in ~/.config/nuclei/config.yaml

Example config

header:
  - 'X-BugBounty-Hacker: h1/nickname'

templates:
  - cves/
  - vulnerabilities/
  - misconfiguration/

tags: exposures,cve

tags: exposures,cve
severity: critical,high,medium

include-templates:
  - vulnerabilities/xxx
  - misconfiguration/xxxx

exclude-tags: info,fuzz
exclude-templates:
  - vulnerabilities/xxx
  - misconfiguration/xxxx

# Rate Limit configuration
rate-limit: 50
bulk-size: 20
concurrency: 20

Updates

Disable update checks

nuclei -l targets.txt -duc

Update templates

nuclei -ut

Update nuclei

nuclei -up

Creating templates

Example template

id: git-config

info:
  name: Git Config File
  author: Ice3man
  severity: medium
  description: Searches for the pattern /.git/config on passed URLs.

http:
  - method: GET
    path:
      - "{{BaseURL}}/.git/config"
    matchers:
      - type: word
        words:
          - "[core]"

References