Hello Student,

Hacktify Cyber Security welcomes you to read this awesome guide on "Nuclei - An open-source Vulnerability Scanning tool".

First of all we will learn the WHAT, HOW and WHY of nuclei, followed by its installation and usage, which will then take you to how one can start building their own custom nuclei templates with ease.

If you are not aware of what we are talking about then it's completely fine. You will fall in love with nuclei after going through this complete guide.

Let's Get Started ;D

What is Nuclei?

Nuclei is an open-source tool by Project Discovery. It is a very powerful tool that helps automate vulnerability scanning, reconnaissance and penetration testing with ease. It scans targets based on the templates a user provides. Project Discovery also maintains a dedicated repository that houses many types of vulnerability templates contributed by more than 100 security researchers, bug bounty hunters and engineers.

How does it work?

Nuclei sends requests to targets based on a template, leading to zero false positives and providing fast scanning across a large number of hosts. Nuclei offers scanning for a variety of protocols including TCP, DNS, HTTP, File, etc. With its powerful and flexible templating, all kinds of security checks can be modelled with Nuclei.

Maybe you are confused now about what these templates are and how they are made or how they work? No worries!! Let's discuss that now.

Why is it needed?

The time has come to think about hunting at scale and automating the process to get ahead of the competition. As technology has grown, the number of vulnerabilities has grown with it. Why should one focus on testing a single vulnerability manually when the same can be done with automation, just by writing a simple template?

That's how nuclei helps us! It takes a template and performs a scan according to our requirements.

What are Nuclei Templates?

Nuclei is built around YAML-based template files that define how requests are sent and how the responses are processed. This is what makes nuclei so easy to extend. The templates are written in YAML, a simple, human-readable format that lets you quickly define the execution process. Why YAML? It is easy to write and easy to understand.

You can find the community-curated list of templates for the nuclei engine, used to find security vulnerabilities in applications, here: https://github.com/projectdiscovery/nuclei-templates
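To make the idea concrete, here is a minimal template in the YAML format described above. It is an added example written for this guide, not a template from the nuclei-templates repository, and the id, name and author values are constructed placeholders. It sends one GET request to the target, reports a match only when the response is a 200 and carries a Server header, and extracts that header's value, which is the same kind of fingerprint the technologies category produces.

```yaml
# Constructed example template for this guide (not from nuclei-templates).
# Unique, lowercase identifier of the template (placeholder value).
id: example-server-header-detect

info:
  name: Server header technology fingerprint (example)
  author: guide-example   # placeholder author name
  severity: info          # fingerprinting only, so the lowest severity
  tags: tech,example

# Each entry under "requests" describes one HTTP request nuclei will send.
requests:
  - method: GET
    path:
      # {{BaseURL}} is replaced with the target passed via -u or -l.
      - "{{BaseURL}}"

    # Both matchers must succeed for the template to report a result.
    matchers-condition: and
    matchers:
      # 1. The server must answer with HTTP 200.
      - type: status
        status:
          - 200

      # 2. The raw response headers must contain a Server header.
      - type: word
        part: header
        words:
          - "Server:"

    # When the matchers pass, pull the value of the Server header into the output.
    extractors:
      - type: regex
        part: header
        group: 1
        regex:
          - '(?i)server: ([^\r\n]+)'
```

Save it as a .yaml file and pass it with -t, exactly as the usage section below does for whole template directories.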

Lots of theory! Let's see nuclei in action! But before that we have to install it.

Installation

Nuclei is very easy to install. The tool is written in Go, so you must install and configure Go in your working environment.

In this guide, we will be using Linux most of the time. It's not difficult for Windows or macOS users either.

To install nuclei, run the command below in your Linux terminal.

GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei

Once you run the command, it will take some time and install it for you. In my case it took 9 seconds as I had already installed it.

Time to launch nuclei. For this, you just need to run nuclei in your Linux terminal.



If you can see something like the above picture, that means you have successfully installed nuclei and you are ready to download the community-curated templates used to find security vulnerabilities.

For this task, just run the command below in your terminal.

nuclei -update-templates

Within 4-6 seconds you will see that a list of templates has been added to your present working directory under the name nuclei-templates, along with a success message.

At this point you are all set to start your first scan with nuclei. But before that, let us look at the usage and user guide to understand its working further.

Usage:

To get the full list of usage flags, just run the command nuclei --help and it will return something like this:

Usage:nuclei [flags]

Flags:
   -H, -header value                      Custom Header.
   -biid, -burp-collaborator-biid string  Burp Collaborator BIID
   -bs, -bulk-size int                    Maximum Number of hosts analyzed in parallel per template (default 25)
   -c, -concurrency int                   Maximum Number of templates executed in parallel (default 10)
   -config string                         Nuclei configuration file
   -de, -disk-export string               Directory on disk to export reports in markdown to
   -debug                                 Debugging request and responses
   -debug-req                             Debugging request
   -debug-resp                            Debugging response
   -et, -exclude value                    Templates to exclude, supports single and multiple templates using directory.
   -etags, -exclude-tags value            Exclude templates with the provided tags
   -headless                              Enable headless browser based templates support
   -impact, -severity value               Templates to run based on severity, supports single and multiple severity.
   -irr, -include-rr                      Write requests/responses for matches in JSON output
   -interactions-cache-size int           Number of requests to keep in interactions cache (default 5000)
   -interactions-cooldown-period int      Extra time for interaction polling before exiting (default 5)
   -interactions-eviction int             Number of seconds to wait before evicting requests from cache (default 60)
   -interactions-poll-duration int        Number of seconds before each interaction poll request (default 5)
   -interactsh-url string                 Interactsh Server URL (default https://interact.sh)
   -json                                  Write json output to files
   -l, -list string                       List of URLs to run templates on
   -metrics                               Expose nuclei metrics on a port
   -metrics-port int                      Port to expose nuclei metrics on (default 9092)
   -nc, -no-color                         Disable colors in output
   -nt, -new-templates                    Only run newly added templates
   -nm, -no-meta                          Don't display metadata for the matches
   -no-interactsh                         Do not use interactsh server for blind interaction polling
   -o, -output string                     File to write output to (optional)
   -page-timeout int                      Seconds to wait for each page in headless (default 20)
   -passive                               Enable Passive HTTP response processing mode
   -project                               Use a project folder to avoid sending same request multiple times
   -project-path string                   Use a user defined project folder, temporary folder is used if not specified but enabled
   -proxy-socks-url string                URL of the proxy socks server
   -proxy-url string                      URL of the proxy server
   -r, -resolvers string                  File containing resolver list for nuclei
   -rl, -rate-limit int                   Maximum requests to send per second (default 150)
   -rc, -report-config string             Nuclei Reporting Module configuration file
   -rdb, -report-db string                Local Nuclei Reporting Database (Always use this to persistent report data)
   -retries int                           Number of times to retry a failed request (default 1)
   -show-browser                          Show the browser on the screen
   -si, -stats-interval int               Number of seconds between each stats line (default 5)
   -silent                                Show only results in output
   -spm, -stop-at-first-path              Stop processing http requests at first match (this may break template/workflow logic)
   -stats                                 Display stats of the running scan
   -system-resolvers                      Use system dns resolving as error fallback
   -t, -templates value                   Templates to run, supports single and multiple templates using directory.
   -tags value                            Tags to execute templates for
   -u, -target string                     URL to scan with nuclei
   -tv, -templates-version                Shows the installed nuclei-templates version
   -timeout int                           Time to wait in seconds before timeout (default 5)
   -tl                                    List available templates
   -trace-log string                      File to write sent requests trace log
   -ud, -update-directory string          Directory storing nuclei-templates (default /home/deviner/nuclei-templates)
   -ut, -update-templates                 Download / updates nuclei community templates
   -v, -verbose                           Show verbose output
   -version                               Show version of nuclei
   -w, -workflows value                   Workflows to run for nuclei


If you have gone through the above help output, you are now ready to work with nuclei. We don't generally use most of these flags, but we can use them according to our requirements.

Let us see a general example of nuclei.

nuclei -u "http://testphp.vulnweb.com/" -t nuclei-templates/technologies

The above command takes the URL http://testphp.vulnweb.com/, takes all the nuclei templates present in the technologies category and scans the web application to find the technologies used by the application. This gives an output similar to this:

Please note that we can use all the templates present in the repository at once, except fuzzing and workflows, with the command below.

Why fuzzing and workflows are excluded will be explained later in this guide.

nuclei -u "http://testphp.vulnweb.com/" -t nuclei-templates/

We can also pass a number of hosts or URLs to nuclei at once; this is how it can be done:

cat hosts.txt | nuclei -t nuclei-templates/

Awesome!

Now that we have learnt how nuclei works and what it works with, it's time to move on to the interesting topic and start learning how we can make these awesome templates for our own use.

Let's get Started!!