Introduction
Nuclei is a fast and flexible open-source tool designed for vulnerability scanning, specifically tailored to security researchers, penetration testers, and bug bounty hunters. It allows users to perform high-speed, template-based vulnerability scanning on a wide range of services, protocols, and configurations. Nuclei is highly extensible, leveraging predefined templates and custom ones to scan for specific vulnerabilities, misconfigurations, and exposure risks across various applications and services.

This technical documentation provides detailed instructions for installing, configuring, and using Nuclei effectively, along with explanations of its key features, usage examples, and troubleshooting tips.
Table of Contents
- System Requirements
- Installation
  - Linux
  - macOS
  - Windows
- Basic Usage
- Advanced Features
  - Custom Templates
  - Active and Passive Scanning
  - Burp Suite Integration
- Configuration Options
- Common Use Cases
- Troubleshooting
- Contributing
- License
1. System Requirements
Nuclei is compatible with Linux, macOS, and Windows systems. It is designed for efficiency, but to ensure optimal performance, your system should meet the following requirements:
- Operating System: Linux (Ubuntu, Debian, CentOS), macOS, or Windows (via WSL)
- Processor: Any modern processor (recommended: 2+ cores)
- Memory: At least 2 GB RAM (4 GB or more recommended)
- Disk Space: 50 MB free disk space for installation
- Dependencies:
  - Go 1.16+ (for building from source)
  - git (for cloning the repository)
  - curl or wget (for downloading templates)
  - Optional: Python 3+ (for additional scripting support)
2. Installation
Nuclei can be installed from precompiled binaries or built from source. Below are the installation steps for each platform.
2.1 Linux Installation (Ubuntu/Debian)
- Update your package list:
    sudo apt update
- Install Go (if not installed):
    sudo apt install golang-go
- Clone the Nuclei repository:
    git clone https://github.com/projectdiscovery/nuclei.git
    cd nuclei
- Build Nuclei from source:
    go build -o nuclei ./cmd/nuclei
- Move the binary to your PATH:
    sudo mv nuclei /usr/local/bin/
- Verify the installation:
    nuclei -version
2.2 macOS Installation
- Install Homebrew (if not installed):
    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
- Install Go via Homebrew:
    brew install go
- Clone the Nuclei repository:
    git clone https://github.com/projectdiscovery/nuclei.git
    cd nuclei
- Build Nuclei from source:
    go build -o nuclei ./cmd/nuclei
- Move the binary to your PATH:
    sudo mv nuclei /usr/local/bin/
- Verify the installation:
    nuclei -version
2.3 Windows Installation (via WSL)
- Install Windows Subsystem for Linux (WSL):
  - Open PowerShell as Administrator and run:
        wsl --install
  - Choose a Linux distribution (e.g., Ubuntu).
- Install Go on WSL:
    sudo apt update
    sudo apt install golang-go
- Clone the Nuclei repository:
    git clone https://github.com/projectdiscovery/nuclei.git
    cd nuclei
- Build Nuclei from source:
    go build -o nuclei ./cmd/nuclei
- Move the binary to your PATH:
    sudo mv nuclei /usr/local/bin/
- Verify the installation:
    nuclei -version
3. Basic Usage
Once installed, Nuclei can be used via the command-line interface (CLI). Below are examples of basic commands.
3.1 Scan a Single Target
To run a scan against a single target:
    nuclei -target http://example.com
This will scan the target http://example.com using the default templates.
3.2 Scan with a Specific Template
You can specify a particular template for scanning. For example, to scan for common vulnerabilities using the vulnscan template:
    nuclei -target http://example.com -t /path/to/templates/vulnscan.yaml
3.3 Scan Multiple Targets from a File
To scan multiple targets from a file:
    nuclei -target /path/to/targets.txt
Where targets.txt contains a list of URLs or IPs.
3.4 Scan with a Custom Template Directory
If you have a custom set of templates, you can use the -t option to specify the directory:
    nuclei -target http://example.com -t /path/to/custom/templates/
4. Advanced Features
4.1 Custom Templates
Nuclei provides a robust template engine that allows you to create custom templates for scanning specific vulnerabilities. Templates are written in YAML format and consist of several components:
- Info: General information about the template.
- Requests: HTTP requests to be sent.
- Matchers: Conditions that define whether a vulnerability has been found.
- Extractors: Extract data from responses (e.g., sensitive information, error messages).

    id: custom-template
    info:
      name: Custom Vulnerability Detection
      author: Your Name
      severity: high
    requests:
      - method: GET
        path:
          - "{{BaseURL}}/vulnerable-endpoint"
        matchers:
          - type: word
            words:
              - "vulnerable"
            part: body
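
A stricter variant of the template above, added here as an illustration (it is not from the original page or the Nuclei project): a body word match on its own fires on any page that contains the word, including error pages, so this version also requires an HTTP 200 response and adds a regex extractor to pull a value out of the response. The template id, the status value and the version regex are assumptions chosen for the example.

```yaml
id: custom-template-strict

info:
  name: Custom Vulnerability Detection (status and body must both match)
  author: Your Name
  severity: high

requests:
  - method: GET
    path:
      - "{{BaseURL}}/vulnerable-endpoint"

    # Every matcher below must succeed; without this line the
    # matchers are combined with "or".
    matchers-condition: and
    matchers:
      # Skip 404/500 pages that merely echo the word in an error message.
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - "vulnerable"

    # Extractors do not affect the match decision; they attach data
    # from the response to the finding.
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - "version: ([0-9.]+)"   # assumed response format, for illustration
```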
4.2 Active and Passive Scanning
Nuclei supports both active and passive scanning modes. Active scanning sends requests to the target and analyzes the responses. Passive scanning relies on third-party data sources (like response headers or DNS logs) to detect vulnerabilities without actively scanning.
To enable active scanning:
    nuclei -target http://example.com -active
To enable passive scanning:
    nuclei -target http://example.com -passive
4.3 Burp Suite Integration
Nuclei can integrate with Burp Suite to extend the scanning capabilities within a penetration testing workflow. This integration allows you to run Nuclei scans directly within Burp Suite.
To run Nuclei from Burp Suite:
- Install the Burp Suite Extension for Nuclei from the BApp store.
- Configure the extension with the necessary parameters.
- Run scans directly from the Burp Suite interface.
5. Configuration Options
Nuclei provides various configuration options to customize its behavior during scanning. Below are some commonly used options:
- -t: Specify the template(s) to use.
    nuclei -target http://example.com -t /path/to/templates/
- -l: Limit the number of concurrent requests.
    nuclei -target http://example.com -l 10
- -v: Enable verbose output.
    nuclei -target http://example.com -v
- -o: Output results to a file.
    nuclei -target http://example.com -o results.txt
- -json: Output results in JSON format.
    nuclei -target http://example.com -json
- -silent: Suppress output (useful for large scans).
    nuclei -target http://example.com -silent
6. Common Use Cases
6.1 Scanning for Web Vulnerabilities
To perform a vulnerability scan on a web application:
    nuclei -target http://example.com -t /path/to/web-vuln-templates/
6.2 Scanning for Exposed Services
To scan for exposed services across a range of IP addresses:
    nuclei -target http://192.168.1.0/24 -t /path/to/service-discovery-templates/
6.3 Reconnaissance of a Domain
To collect information about a domain, such as DNS misconfigurations, subdomains, etc.:
    nuclei -target http://example.com -t /path/to/dns-misconfig-templates/
7. Troubleshooting
- Issue: Template not found
  - Solution: Ensure the template path is correct and the template is valid. You can update templates with:
        nuclei -update-templates
- Issue: Connection Timeout
  - Solution: Increase the timeout using the -timeout flag, or check network connectivity issues.
- Issue: Permission Denied
  - Solution: Ensure you have the necessary permissions to run Nuclei or write output files.