Comprehensive Guide to Nuclei Scans

Nuclei is a powerful tool for performing vulnerability scans and security assessments on web applications. This guide walks you through the different modes, templates, and tips for using Nuclei effectively.

🌎 Default Mode

By default, Nuclei uses almost all available templates, making it suitable for comprehensive scans. To perform a complete scan, you can use the following commands:

> nuclei -u http://domain[.]com

> nuclei -l url_list.txt

> cat urls.txt | nuclei

Warning: Be cautious when running scans as they can overload servers, especially on high-traffic or resource-constrained systems.

🔧 Template-Based Scans

Nuclei allows you to specify individual templates, folders, tags, or severity levels to target specific vulnerabilities. Below are examples:

Using Specific Templates

> nuclei -u http://site[.]com -t my-template.yaml

Scanning a Folder of Templates

> nuclei -u http://site[.]com -t nuclei-templates/cves/

Using Tags

> nuclei -u http://site[.]com -tags log4j

Based on Severity

> nuclei -u http://site[.]com -severity low

⚔️ Moderate Scan

Nuclei is a powerful tool, but its scans can be resource-intensive. For smaller web applications or systems with limited resources, you can reduce the scan’s impact by controlling its speed and concurrency:

> nuclei -u http://site[.]com -rate-limit 20 -concurrency 5 -timeout 10

This setup ensures:

  • Rate Limit: A maximum of 20 requests per second.
  • Concurrency: Up to 5 templates executed in parallel.
  • Timeout: Each request is abandoned after 10 seconds without a response.

📄 Output Options

Nuclei provides various options for saving the results. Here are some commonly used commands:

Save Results to a File

> nuclei -u http://domain[.]com -o results.txt

Save Results with Responses

> nuclei -u http://domain[.]com -o output/results.txt -store-resp -store-resp-dir output

JSON Output with Request-Response Details

> nuclei -u http://site[.]com -o results.txt -json -include-rr
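The per-finding JSON records that `-json` writes are what you feed into triage. The following is an added example, not part of the original post: it reads nuclei-style JSON lines (field names `template-id`, `info.severity`, `host`, `matched-at` follow nuclei's output; the hosts, template ids and finding names are constructed), drops duplicates and noise, applies a severity cutoff like `-severity`, and ranks what is left.

```python
import json
from collections import Counter

# Added example (not from the original post). Constructed stand-in for the file written by
# `nuclei ... -o results.txt -json`: one JSON object per finding. Field names follow nuclei's
# output; hosts, template ids and finding names are invented samples.
SAMPLE_JSONL = """
{"template-id": "tech-detect", "info": {"name": "Tech Detect", "severity": "info"}, "host": "http://site.example", "matched-at": "http://site.example/"}
{"template-id": "sample-xss", "info": {"name": "Reflected XSS (constructed)", "severity": "medium"}, "host": "http://site.example", "matched-at": "http://site.example/search?q=x"}
{"template-id": "sample-xss", "info": {"name": "Reflected XSS (constructed)", "severity": "medium"}, "host": "http://site.example", "matched-at": "http://site.example/search?q=x"}
{"template-id": "sample-rce", "info": {"name": "Remote Code Execution (constructed)", "severity": "critical"}, "host": "http://app.example", "matched-at": "http://app.example/api"}
stray non-JSON line, e.g. a progress message that ended up in the file
"""

# Rank used for sorting and for a -severity style cutoff, most urgent first.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4, "unknown": 5}


def parse_findings(jsonl_text, min_severity="info"):
    """Deduplicated findings at or above min_severity, most severe first; a repeated
    (template-id, matched-at) pair, e.g. from a duplicated target, collapses to one."""
    cutoff = SEVERITY_ORDER[min_severity]
    seen, findings = set(), []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip noise instead of aborting the whole triage
        info = rec.get("info", {})
        sev = str(info.get("severity", "unknown")).lower()
        if SEVERITY_ORDER.get(sev, 5) > cutoff:
            continue
        key = (rec.get("template-id"), rec.get("matched-at"))
        if key in seen:
            continue
        seen.add(key)
        findings.append({"severity": sev, "template": rec.get("template-id"),
                         "name": info.get("name", ""), "host": rec.get("host"),
                         "matched_at": rec.get("matched-at")})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"] or ""))
    return findings


def count_by_severity(findings):
    """Per-severity counts for a quick summary, e.g. {'critical': 1, 'medium': 1}."""
    return dict(Counter(f["severity"] for f in findings))
```

Point `parse_findings` at the contents of a real `results.txt` written with `-json` to get the same ranking over live output.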

🔄 Miscellaneous Features

Execute Scans with New Templates Only

> nuclei -u http://site[.]com -nt

Update Nuclei and Templates

> nuclei -update
> nuclei -update-templates

Proxy Requests Through Burp Suite

> nuclei -u http://site[.]com -p http://127.0.0.1:8080

💣 Scans Based on Severity

You can target vulnerabilities based on their severity levels. For example, you can scan only for high and medium severity vulnerabilities:

> nuclei -u https://domain[.]com -tags xss -severity high,medium

Alternatively, exclude informational vulnerabilities:

> nuclei -l target.txt -t /nuclei-templates/cves/2022/ -exclude-severity info

📸 Make Screenshots of Your Targets

Nuclei supports headless mode to take screenshots of target web pages. Here’s how:

Single Target

> nuclei -u https://target[.]com -headless -t nuclei-templates/headless/screenshot.yaml -v

Multiple Targets

> nuclei -l target.txt -headless -t nuclei-templates/headless/screenshot.yaml -v

🔬 Template Categories Scans

To scan specific categories of templates, pass several template directories, one per -t flag. Here’s an example:

> nuclei -l disney_httpx.txt -t cves/* -t brute-force/* -t files/* -t panels/* -t tokens/*

🌐 Finding Vulnerabilities Using Shodan

You can combine Shodan with Nuclei for an efficient vulnerability scan. Here’s how:

Fetch IPs Using Shodan and Scan

> shodan search ssl.cert.subject.CN:"http://target[.]com*" 200 --fields ip_str | httpx | tee ips.txt

> nuclei -l ips.txt -o vulns.txt

Simplified Workflow

echo 'https://target[.]com' | uncover | httpx | nuclei

With these examples and resources, you can leverage Nuclei to perform powerful and precise scans tailored to your needs. Happy hunting!

This post is licensed under CC BY 4.0 by the author.