How to use the command 'nuclei' (with examples)
Nuclei is a fast and highly customizable vulnerability scanner designed primarily for security assessment tasks. It uses a simple YAML-based domain-specific language (DSL) to define checks over network protocols, from HTTP requests to DNS queries. Through its executable, Nuclei allows users to scan for vulnerabilities across various targets, enabling security teams to identify potential risks quickly. This article explores several use cases of the Nuclei command with practical examples.
Update Nuclei Templates to the Latest Version
Code:
nuclei -ut
Motivation: Ensuring that your vulnerability scanning tools are equipped with the latest detection templates is crucial for identifying the newest vulnerabilities. Frequent template updates help keep your scans relevant and effective against evolving security threats.
Explanation:
-ut: A single flag, short for -update-templates. It triggers the update process for Nuclei’s templates, ensuring they are up to date with the latest defined vulnerabilities.
Example Output:
Nuclei templates updated successfully to the latest version.
Downloaded new templates and updated existing templates in ~/nuclei-templates.
List All Templates with a Specific Protocol Type
Code:
nuclei -tl -pt dns
Motivation: Understanding available templates for specific protocol types can help security professionals tailor their scans more effectively, focusing on areas most relevant to their infrastructure.
Explanation:
-tl: Stands for “template list,” which lists all available templates.
-pt: Represents “protocol type” and filters this list by the specified protocol, so that only templates for the required protocol are shown. Accepted values are dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code and javascript.
Example Output:
Listing templates with protocol type: dns, file, http...
- /dns/vulnerability.yaml
- /http/cve-2021.yaml
- /ssl/ssl-misconfig.yaml
...
Automatic Web Scan Using Wappalyzer Technology Detection
Code:
nuclei -as -u scanme.nmap.org
Motivation: Conducting automated scans can expedite the discovery of vulnerabilities using technology recognition capabilities, thus allowing security teams to cover more ground with less manual effort.
Explanation:
-as: A single flag, short for -automatic-scan. It runs an automatic scan that uses Wappalyzer for technology detection.
-u: Specifies the target URL/host that the command will scan.
Example Output:
Starting scan on target: scanme.nmap.org
Detected technology: Apache, PHP
Vulnerabilities found: XSS, SQL Injection
Scan complete.
Run HTTP Protocol Type Templates of High and Critical Severity
Code:
nuclei -severity high,critical -pt http -u http://scanme.sh -me markdown_directory
Motivation: By prioritizing high and critical severity vulnerabilities, organizations can address the most significant risks to their systems, ensuring the most dangerous flaws are resolved promptly.
Explanation:
-severity: Used to filter scans by severity level, targeting high and critical vulnerabilities.
-pt: Specifies the protocol type, in this case, HTTP.
-u: Defines the target URL.
-me: Stands for “markdown export,” indicating the results are exported to a designated markdown directory.
Example Output:
Scanning HTTP templates for high and critical severity vulnerabilities...
Detected high severity: SQLi in /login
Detected critical severity: Remote Code Execution
Results exported to markdown_directory.
Run All Templates with Altered Rate Limit and Bulk Size
Code:
nuclei -rl 150 -bs 25 -c 25 -silent -u http://scanme.sh
Motivation: Adjusting the rate limit and bulk size lets you tune scan speed to the server’s load capacity and the available network bandwidth.
Explanation:
-rl: “Rate limit” sets the number of requests per second.
-bs: Specifies the “bulk size” or the number of requests processed in a batch.
-c: Number of concurrent templates to run.
-silent: Ensures that only the findings are shown, without additional output.
-u: Target URL for the scan.
Example Output:
Vulnerabilities discovered:
1. Information Disclosure in /info
2. Deprecated API usage on /api/v1...
Run WordPress Workflow Against a WordPress Site
Code:
nuclei -w path/to/nuclei-templates/workflows/wordpress-workflow.yaml -u https://sample.wordpress.site
Motivation: Running specific workflows like WordPress allows teams to focus on targeted application categories, ensuring all versions and common misconfigurations for that app are checked.
Explanation:
-w: Specifies the workflow file to use during the scan.
-u: Target WordPress site URL for running the scan.
Example Output:
Scanning WordPress site: https://sample.wordpress.site
Detected outdated plugin: WP Super Cache
Vulnerabilities logged into default output.
Run Specific Templates with Verbose Output and Export to File
Code:
nuclei -t path/to/nuclei-templates/http -u http://scanme.sh -v -o results
Motivation: Utilizing specific templates with verbose output gives a detailed, real-time look at the scanning process, while exporting findings to a file aids in documentation and analysis.
Explanation:
-t: Specifies a path to specific templates to be run.
-u: Designates the target URL for the scan.
-v: Activates verbose output for detailed scanning information.
-o: Writes the output to a file, here named ‘results’.
Example Output:
Verbose logging enabled.
Running template: HTTP Template
Finding: XSS Detected at /search
Results output to file 'results'.
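Added example (not part of the original article or the Nuclei project): a triage step for the file written by -o, which counts findings per severity and fails when high or critical ones are present. It assumes the plain-text line layout [template-id] [protocol] [severity] target; the function names, the sample findings and the placeholder template ids are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a nuclei "-o results" file.
# Assumed layout, one finding per line:
#   [template-id] [protocol] [severity] matched-target

# parse_findings FILE: print "severity template-id target" per finding;
# lines that do not match the layout (banners, log lines) are dropped.
parse_findings() {
    sed -n 's/^\[\([^]]*\)] \[\([^]]*\)] \[\([^]]*\)] \(.*\)$/\3 \1 \4/p' "$1"
}

# count_severity FILE LEVEL: print how many findings have severity LEVEL.
count_severity() {
    parse_findings "$1" | awk -v lvl="$2" '$1 == lvl { n++ } END { print n + 0 }'
}

# severity_gate FILE: list high/critical findings on stderr and return 1
# if any exist, so a CI job can fail the build on them.
severity_gate() {
    blocking=$(parse_findings "$1" | awk '$1 == "high" || $1 == "critical"')
    [ -z "$blocking" ] && return 0
    printf 'blocking findings:\n%s\n' "$blocking" >&2
    return 1
}

# Constructed sample results (template ids are placeholders, not real templates).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
[placeholder-tech-detect] [http] [info] http://scanme.sh
[placeholder-missing-header] [http] [low] http://scanme.sh
[placeholder-default-login] [http] [high] http://scanme.sh/login
[placeholder-rce-check] [http] [critical] http://scanme.sh/api
[INF] Scan completed
EOF

for level in info low medium high critical; do
    printf '%-8s %s\n' "$level" "$(count_severity "$SAMPLE" "$level")"
done
if severity_gate "$SAMPLE"; then
    echo "gate: pass"
else
    echo "gate: fail (high or critical findings present)"
fi
```

To use it on a real scan, pass the path given to -o instead of the sample file.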
Scan Based on Template Conditions
Code:
nuclei -tc "contains(tags, 'xss') && contains(tags, 'cve')" -u https://vulnerable.website
Motivation: Template conditions let you select templates by several criteria at once, so an assessment can home in on specific classes of threat.
Explanation:
-tc: “Template conditions” define conditions by which templates are selected.
-u: URL of the target website to scan.
Example Output:
Initiating scan on https://vulnerable.website
Templates matching conditions (tags: xss and cve) executed.
Potential XSS vulnerability found: /contact
Conclusion:
The Nuclei command empowers security teams with highly customizable scanning capabilities, enabling them to address a wide array of security challenges, from general vulnerability assessment to targeted application-specific workflows. This article has illustrated several use cases of the Nuclei command, showcasing its versatility and effectiveness with practical examples. Whether you need to update your scanning templates, handle automated scans, or perform detailed analytic tasks, Nuclei offers the tools necessary for comprehensive security assessments.