Introduction
Nuclei is a powerful and flexible open-source vulnerability scanner designed for security researchers and professionals. It uses customizable templates to identify and report a wide range of vulnerabilities in web applications, APIs, and network services. Nuclei supports integration with other security tools, allowing for seamless inclusion in automated workflows. With features such as rate limiting, custom headers, out-of-band testing, and extensive configuration options, Nuclei provides an efficient and thorough solution for proactive vulnerability management and security assessment.
TL;DR
You can find a shorter cheat sheet version of this article here.
Basic Usage
Nuclei can scan single targets, multiple targets from a file, and be integrated into workflows with other tools.
Scanning Single Target
To scan a single target URL for vulnerabilities, use the following command:
nuclei -u http://example.com
Alternatively, you can use:
nuclei -target http://example.com
Both commands perform the same function: scanning the specified URL for any known vulnerabilities based on the templates in use.
Scanning Targets from a File
If you have a list of targets, you can save them in a file (e.g., targets.txt) and scan each one:
nuclei -l targets.txt
This method is efficient for scanning multiple targets, automating the process, and ensuring all specified URLs are checked for vulnerabilities.
Integrating Nuclei with Other Tools
Nuclei can be integrated with other security tools to create comprehensive workflows. For example, you can combine subfinder and httpx with Nuclei to find subdomains and then scan them for exposures:
subfinder -d targetdomain.site -silent | httpx | nuclei -t http/exposures/
This workflow first discovers subdomains of targetdomain.site using subfinder, probes them for live HTTP services with httpx, and finally scans the live hosts using the Nuclei templates in the http/exposures/ directory.
Templates
Templates define what Nuclei will look for during scans. They can be specific to certain types of vulnerabilities or more general in nature.
Using Template Folders
You can scan using all templates in a specific folder. For example, to use all templates in the http/exposures/ folder:
nuclei -t http/exposures/
This command scans the target(s) using all templates in the specified directory, checking for various types of exposures.
Using Specific Templates
To scan with specific templates, list them with the -t flag. This allows for targeted scanning based on particular vulnerabilities or technologies:
nuclei -t http/technologies/tech-detect.yaml -t http/technologies/nginx/nginx-version.yaml
This example scans for specific technologies and checks for the version of Nginx being used, leveraging the specified templates.
Using Template Tags
Templates can be tagged to make them easier to organize and use. You can specify tags to use templates that match certain criteria:
nuclei -u https://jira.targetdomain.site -tags jira,generic
This command uses templates tagged with jira and generic to scan the target URL, ensuring relevant vulnerabilities are checked.
Filtering by Severity
You can filter templates by severity to focus on more critical issues. For example:
nuclei -u https://targetdomain.site -s critical,high,medium
This scans the target using templates categorized as critical, high, or medium severity, prioritizing significant vulnerabilities.
Excluding Templates
To exclude certain templates from a scan, use the -et flag. This helps in refining scans by excluding irrelevant or less important checks:
nuclei -et http/fuzzing/
This command excludes all templates in the http/fuzzing/ directory from the scan.
Setting Headers
You can set custom headers to be included in the HTTP requests during the scan. This is useful when scanning applications that require specific headers for proper interaction.
Custom Headers
Set a custom header using the -H flag. For example, setting a User-Agent header:
nuclei -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36' -l targets.txt
This command scans all targets listed in targets.txt while sending the specified User-Agent header with each request.
Rate Limits
To avoid overwhelming the target server, you can limit the rate of requests and the number of concurrent threads.
Limiting Requests and Threads
Control the scan’s rate by setting the number of requests per second and the number of concurrent threads:
nuclei -l targets.txt -rl 20 -c 5
This command limits Nuclei to 20 requests per second and uses up to 5 concurrent threads, balancing speed and server load.
Optimizations
Nuclei offers several options to optimize scan performance and handle errors efficiently.
Setting Timeouts
Reduce the timeout for requests to speed up scans. The default timeout is 10 seconds, but you can lower it as needed:
nuclei -l targets.txt -timeout 3
This command sets the request timeout to 3 seconds.
Handling Errors and Retries
Configure how Nuclei handles errors and retries. Skip hosts after a certain number of errors, and set the number of retries for failed requests:
nuclei -l targets.txt -max-host-errors 5
nuclei -l targets.txt -retries 3
These commands skip hosts after 5 errors and retry failed requests up to 3 times.
Scan Strategy
Choose a scanning strategy to balance load and efficiency. host-spray runs all templates on a single target before moving to the next, while template-spray runs a template across multiple targets:
nuclei -l targets.txt -ss host-spray
This command uses the host-spray strategy, which can reduce load on individual targets.
Output
Nuclei provides various options for saving and formatting scan results.
Saving Output
Save scan results to a file for later analysis:
nuclei -l targets.txt -o nuclei.log
This command writes the scan results to nuclei.log.
JSONL Output
Print the scan output in JSONL (JSON Lines) format for easy parsing and integration with other tools:
nuclei -l targets.txt -jsonl
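One JSON object per line is what makes -jsonl easy to consume downstream. As an added example (not from the original article or the Nuclei project), the following Python script parses -jsonl output, applies a severity threshold the way -s does, and summarizes unique findings per host; the sample records are constructed, and the template ids not named on this page are made up.

```python
import json
from collections import Counter, defaultdict

# Severity ranking used to apply a threshold, mirroring the -s flag.
SEVERITY_RANK = {"unknown": -1, "info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Constructed sample of -jsonl output (not real scan data); field names follow nuclei's JSON
# Lines result format. The last two lines exercise the dedupe and skip paths.
SAMPLE_JSONL = """\
{"template-id":"tech-detect","info":{"name":"Tech Detect","severity":"info"},"type":"http","host":"https://app.targetdomain.site","matched-at":"https://app.targetdomain.site"}
{"template-id":"nginx-version","info":{"name":"Nginx Version","severity":"info"},"type":"http","host":"https://app.targetdomain.site","matched-at":"https://app.targetdomain.site"}
{"template-id":"sample-config-exposure","info":{"name":"Config Exposure","severity":"medium"},"type":"http","host":"https://dev.targetdomain.site","matched-at":"https://dev.targetdomain.site/config"}
{"template-id":"sample-secret-exposure","info":{"name":"Secret Exposure","severity":"high"},"type":"http","host":"https://dev.targetdomain.site","matched-at":"https://dev.targetdomain.site/secret"}
{"template-id":"sample-secret-exposure","info":{"name":"Secret Exposure","severity":"high"},"type":"http","host":"https://dev.targetdomain.site","matched-at":"https://dev.targetdomain.site/secret"}
[INF] this is not a JSON record and must be skipped
"""

def parse_results(jsonl_text):
    """Parse JSON Lines output, skipping blank, malformed or non-result lines."""
    results = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # console noise or a truncated line; keep going
        if isinstance(rec, dict) and "template-id" in rec:
            results.append(rec)
    return results

def severity_of(rec):
    return rec.get("info", {}).get("severity", "unknown")

def filter_by_severity(results, minimum="medium"):
    """Keep findings at or above the given severity, like -s but applied post-scan."""
    threshold = SEVERITY_RANK[minimum]
    return [r for r in results if SEVERITY_RANK.get(severity_of(r), -1) >= threshold]

def summarize(results):
    """Return {host: {severity: count}}, counting each (host, template, location) once."""
    per_host = defaultdict(Counter)
    seen = set()
    for r in results:
        key = (r.get("host"), r.get("template-id"), r.get("matched-at"))
        if key in seen:
            continue  # same match reported twice, e.g. when merging two scan logs
        seen.add(key)
        per_host[r.get("host")][severity_of(r)] += 1
    return {host: dict(counts) for host, counts in per_host.items()}
```

Feed it real output with `nuclei -l targets.txt -jsonl` piped to a small wrapper that reads stdin and calls summarize(filter_by_severity(parse_results(text))).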
Printing Stats
Show statistics during the scan to monitor progress and performance:
nuclei -l targets.txt -stats
Markdown Output
Save results in Markdown format for easy reporting and sharing:
nuclei -l targets.txt -me results/
This command saves the scan results in Markdown format in the results/ directory.
Out of Band Testing
Out-of-band (OOB) testing detects vulnerabilities that leave no trace in the HTTP response by checking whether the target makes a callback to an external listener; Nuclei uses Interactsh for this.
Disabling OOB Testing
If OOB testing is not needed, you can disable it:
nuclei -l targets.txt -ni
Using Interactsh Server
Specify a self-hosted Interactsh server for handling OOB interactions:
nuclei -l targets.txt -iserver <server-addr> -itoken <server-token>
Set the interaction eviction time (in seconds):
nuclei -l targets.txt -interactions-eviction 120
and define custom poll durations (in seconds):
nuclei -l targets.txt -interactions-poll-duration 10
These commands configure Nuclei to use a specific Interactsh server and adjust how long it waits for, and how often it polls for, interactions.
Config
Load configurations from a YAML file to streamline setup and ensure consistent scans. The default configuration file is located at ~/.config/nuclei/config.yaml.
Using Configuration Files
Load configurations using the -config flag:
nuclei -config nuclei.yaml -l targets.txt
Example Configuration
An example configuration file might include custom headers, template paths, tags, severity filters, and rate limit settings:
header:
- 'X-BugBounty-Hacker: h1/nickname'
templates:
- cves/
- vulnerabilities/
- misconfiguration/
tags: exposures,cve
severity: critical,high,medium
include-templates:
- vulnerabilities/xxx
- misconfiguration/xxxx
exclude-tags: info,fuzz
exclude-templates:
- vulnerabilities/xxx
- misconfiguration/xxxx
# Rate Limit configuration
rate-limit: 50
bulk-size: 20
concurrency: 20
This configuration sets custom headers, specifies templates, and defines rate limits and other settings to optimize the scanning process.
Updates
Keep Nuclei and its templates up to date to ensure you have the latest vulnerability checks.
Disabling Update Checks
Disable automatic update checks to prevent disruptions during scanning:
nuclei -l targets.txt -duc
Updating Templates and Nuclei
Update your Nuclei installation to the latest versions:
nuclei -up
Update templates:
nuclei -ut
These commands update the templates and the Nuclei tool itself, ensuring you have the most recent features and vulnerability checks.
Conclusion
Nuclei is an essential tool for security professionals and researchers, offering a robust and flexible solution for vulnerability scanning. With its wide range of customizable templates, integration capabilities, and comprehensive configuration options, Nuclei enables users to efficiently identify and manage security risks across various targets. By leveraging its powerful features such as rate limiting, custom headers, and out-of-band testing, users can tailor their scanning strategies to meet specific needs and environments. Whether you’re performing routine security checks or integrating Nuclei into larger security workflows, this tool provides the versatility and depth required to maintain robust security postures. Embrace the power of Nuclei to enhance your vulnerability management practices and stay ahead of potential threats.