Hello Student,
Hacktify Cyber Security welcomes you to read this awesome guide on "Nuclei - An open-source Vulnerability Scanning tool".
First of all we will learn the WHAT, HOW and WHY of nuclei followed by it's Installation and usage which will further take you to how one can start building his/her custom nuclei templates with ease.
If you are not aware of what we are talking about then it's completely fine. You will fall in love with nuclei after going through this complete guide.
Let's Get Started ;D
Nuclei is an open source tool by Project Discovery. It is a very powerful tool that helps automate vulnerability scanning, reconnaissance and penetration testing easily. It scans stuff based on the template a user provides. Project discovery also had a dedicated repository that houses various types of vulnerability templates contributed by more than 100+ security researchers, bug bounty hunters and engineers.
Nuclei is used to send requests across targets based on a template leading to zero false positives and providing fast scanning on large number of hosts. Nuclei offers scanning for a variety of protocols including TCP, DNS, HTTP, File, etc. With powerful and flexible templating, all kinds of security checks can be modelled with Nuclei.
So, Maybe you will be confused now about what this templates are and how it's made or work? Well, No worries!! Let's discuss that now.
Time has come we should think about hunting for mass and automate the process to get ahead of the competition. With the increase of technology there has been a mere increase of vulnerability these days. Why one should focus on testing one single vulnerability manually when they can do the same with automation by just writing a simple template?
That's how nuclei help us! It takes a template and perform a scan according to our requirement.
Nuclei is based on the concepts of YAML based template files that define how the requests will be sent and processed. This allows easy extensibility capabilities to nuclei. The templates are written in YAML which specifies a simple human readable format to quickly define the execution process. Why not? YAML is easy to write and easy to understand.
You can find a set of community curated list of templates for the nuclei engine to find a security vulnerability in application here: https://github.com/projectdiscovery/nuclei-templates
Lot's of Theory! Let's see nuclei in action! But before that we have to install it.
Nuclei is too easy to install. This tool is written in go so you must install and configure golang in your working environment.
In this guide, we will be using Linux most of the time. It's not difficult for Windows or MacOS user as well.
To Install nuclei, run the below command in your Linux terminal.
GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei
Once you run the command, it will take some time and install it for you. In my case it took 9 sec as i have already installed it.
Time to launch nuclei. For this, you just need to run nuclei in your linux terminal.
If you can see something like the above picture, that means you have successfully installed nuclei and you are ready to download the community curated templates to find security vulnerability.
For this task, just run the bellow command in your terminal.
nuclei -update-templates
Within 4-6 sec you will see a list of templates has been added to your present working directory in the name of nuclei-templates with a success message.
At this point you are all set to start your first scan with nuclei. But, before that let us look at the usage and user guide to understand it's working further.
To get the full usage flags just run the command nuclei --help and it will return something like this:
Usage:nuclei [flags] Flags: -H, -header value Custom Header. -biid, -burp-collaborator-biid string Burp Collaborator BIID -bs, -bulk-size int Maximum Number of hosts analyzed in parallel per template (default 25) -c, -concurrency int Maximum Number of templates executed in parallel (default 10) -config string Nuclei configuration file -de, -disk-export string Directory on disk to export reports in markdown to -debug Debugging request and responses -debug-req Debugging request -debug-resp Debugging response -et, -exclude value Templates to exclude, supports single and multiple templates using directory. -etags, -exclude-tags value Exclude templates with the provided tags -headless Enable headless browser based templates support -impact, -severity value Templates to run based on severity, supports single and multiple severity. -irr, -include-rr Write requests/responses for matches in JSON output -interactions-cache-size int Number of requests to keep in interactions cache (default 5000) -interactions-cooldown-period int Extra time for interaction polling before exiting (default 5) -interactions-eviction int Number of seconds to wait before evicting requests from cache (default 60) -interactions-poll-duration int Number of seconds before each interaction poll request (default 5) -interactsh-url string Interactsh Server URL (default https://interact.sh) -json Write json output to files -l, -list string List of URLs to run templates on -metrics Expose nuclei metrics on a port -metrics-port int Port to expose nuclei metrics on (default 9092) -nc, -no-color Disable colors in output -nt, -new-templates Only run newly added templates -nm, -no-meta Don't display metadata for the matches -no-interactsh Do not use interactsh server for blind interaction polling -o, -output string File to write output to (optional) -page-timeout int Seconds to wait for each page in headless (default 20) -passive Enable Passive HTTP response processing mode -project Use a project folder to avoid sending same request multiple times -project-path string Use a user defined project folder, temporary folder is used if not specified but enabled -proxy-socks-url string URL of the proxy socks server -proxy-url string URL of the proxy server -r, -resolvers string File containing resolver list for nuclei -rl, -rate-limit int Maximum requests to send per second (default 150) -rc, -report-config string Nuclei Reporting Module configuration file -rdb, -report-db string Local Nuclei Reporting Database (Always use this to persistent report data) -retries int Number of times to retry a failed request (default 1) -show-browser Show the browser on the screen -si, -stats-interval int Number of seconds between each stats line (default 5) -silent Show only results in output -spm, -stop-at-first-path Stop processing http requests at first match (this may break template/workflow logic) -stats Display stats of the running scan -system-resolvers Use system dns resolving as error fallback -t, -templates value Templates to run, supports single and multiple templates using directory. -tags value Tags to execute templates for -u, -target string URL to scan with nuclei -tv, -templates-version Shows the installed nuclei-templates version -timeout int Time to wait in seconds before timeout (default 5) -tl List available templates -trace-log string File to write sent requests trace log -ud, -update-directory string Directory storing nuclei-templates (default /home/deviner/nuclei-templates) -ut, -update-templates Download / updates nuclei community templates -v, -verbose Show verbose output -version Show version of nuclei -w, -workflows value Workflows to run for nuclei
If you gone through the above help statements, you are now ready to work with nuclei. However, we don't generally use most of these flags but we can use these according to our requirements.
Let us see a general example of nuclei.
nuclei -u "<http://testphp.vulnweb.com/>" -t nuclei-templates/technologies
The above command takes the URL http://testphp.vulnweb.com/ and takes all the nuclei templates present in the technologies category and scan the web application to find certain technologies used by the application. This gives an output similar to this:
Please note that we can use all the templates except fuzzing and workflows present in the repository at once by this bellow command.
Why fuzzing and workflows are excluded will be explained latter in this guide.
nuclei -u "<http://testphp.vulnweb.com/>" -t nuclei-templates/
We can also take a number of hosts or URL and pass them to nuclei, this is how this can be done:
cat hosts.txt | nuclei -t nuclei-templates/
Awesome!
Now as we have already learnt how and with what nuclei works it's time to grab the interesting topic and start learning how we can make these awesome templates for our own use.
Let's get Started!!