# Nuclei Vulnerability Scanner Cheat Sheet

## Overview

Nuclei is a fast, template-based security scanner developed by ProjectDiscovery. It focuses on extensive configurability, massive extensibility and ease of use. Nuclei uses YAML-based templates to define vulnerability detection logic, which makes it highly customizable and community-driven. The scanner is designed to produce zero false positives by using templates that define the detection methodology precisely.

What sets Nuclei apart from other security scanners is its template ecosystem. The community-maintained nuclei-templates repository contains thousands of ready-to-use templates for detecting a wide range of security issues, from common vulnerabilities to complex security misconfigurations. This approach lets security professionals share their detection methods and benefit from the collective knowledge of the security community.

Nuclei can scan a variety of targets, including web applications, APIs, networks, DNS and more. Its modular architecture makes it easy to add support for new protocols and vulnerability types. The tool is widely used by security researchers, bug bounty hunters and penetration testers to automate security checks across many targets efficiently.
## Installation

### Using Go

```bash
# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Verify installation
nuclei -version
```

### Using Docker

```bash
# Pull the latest Docker image
docker pull projectdiscovery/nuclei:latest

# Run Nuclei using Docker
docker run -it projectdiscovery/nuclei:latest -h
```

### Using Homebrew (macOS)

```bash
# Install using Homebrew
brew install nuclei

# Verify installation
nuclei -version
```

### Using PDTM (ProjectDiscovery Tools Manager)

```bash
# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest

# Install Nuclei using PDTM
pdtm -i nuclei

# Verify installation
nuclei -version
```

### On Kali Linux

```bash
# Install using apt
sudo apt install nuclei

# Verify installation
nuclei -version
```
## Basic Usage

### Scanning a Single Target

```bash
# Scan a single URL
nuclei -u https://example.com

# Scan with increased verbosity
nuclei -u https://example.com -v

# Scan with debug information
nuclei -u https://example.com -debug
```

### Scanning Multiple Targets

```bash
# Scan multiple URLs
nuclei -u https://example.com,https://test.com

# Scan from a list of URLs
nuclei -l urls.txt

# Scan from STDIN
cat urls.txt | nuclei
```

### Template Selection

```bash
# Scan with a specific template
nuclei -u https://example.com -t cves/2021/CVE-2021-44228.yaml

# Scan with multiple templates
nuclei -u https://example.com -t cves/2021/CVE-2021-44228.yaml,cves/2021/CVE-2021-40438.yaml

# Scan with a template directory
nuclei -u https://example.com -t cves/

# Scan with tags
nuclei -u https://example.com -tags cve,oast

# Exclude templates by tags
nuclei -u https://example.com -exclude-tags dos,fuzz
```

### Output Options

```bash
# Save results to a file
nuclei -u https://example.com -o results.txt

# Save results in JSON format
nuclei -u https://example.com -o results.json -j

# Save results in SARIF format
nuclei -u https://example.com -o results.sarif -sarif

# Save results in Markdown format
nuclei -u https://example.com -o results.md -markdown
```

### Rate Limiting

```bash
# Limit requests per second
nuclei -u https://example.com -rate-limit 100

# Limit requests per minute
nuclei -u https://example.com -rate-limit-minute 300

# Bulk size for concurrent hosts
nuclei -u https://example.com -bulk-size 25

# Concurrency for template execution
nuclei -u https://example.com -c 50
```
## Advanced Usage

### Severity Filtering

```bash
# Scan only for critical severity issues
nuclei -u https://example.com -severity critical

# Scan for high and critical severity issues
nuclei -u https://example.com -severity high,critical

# Exclude low and informational issues
nuclei -u https://example.com -exclude-severity low,info
```

### Automatic Template Updates

```bash
# Update templates to the latest version
nuclei -update-templates

# Update templates into a specific directory
nuclei -update-templates -update-directory /path/to/templates

# Short form (-ut is the alias of -update-templates)
nuclei -ut
```

### Proxy and Network Options

```bash
# Use a proxy for HTTP requests
nuclei -u https://example.com -proxy http://127.0.0.1:8080

# Use a SOCKS5 proxy
nuclei -u https://example.com -proxy socks5://127.0.0.1:1080

# Follow redirects
nuclei -u https://example.com -follow-redirects

# Follow redirects on the same host only
nuclei -u https://example.com -follow-host-redirects
```

### Authentication

```bash
# Basic authentication (header value is the base64 encoding of "username:password")
nuclei -u https://example.com -H "Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ="

# Bearer token authentication
nuclei -u https://example.com -H "Authorization: Bearer YOUR_TOKEN"

# Cookie-based authentication
nuclei -u https://example.com -H "Cookie: session=123456"
```

### Interactsh Integration

```bash
# Use a self-hosted Interactsh server for OOB (out-of-band) testing
nuclei -u https://example.com -interactsh-server https://your-interactsh-server.com

# Disable Interactsh
nuclei -u https://example.com -no-interactsh

# Set Interactsh polling interval and cooldown period (seconds)
nuclei -u https://example.com -interactsh-server https://your-interactsh-server.com -interactions-poll-duration 60 -interactions-cooldown-period 30
```

### Workflow Execution

```bash
# Execute a workflow
nuclei -u https://example.com -w workflows/wordpress-workflow.yaml

# Execute multiple workflows
nuclei -u https://example.com -w workflows/wordpress-workflow.yaml,workflows/jira-workflow.yaml
```

### Headless Browser Support

```bash
# Enable headless browser support
nuclei -u https://example.com -headless

# Use the locally installed Chrome instead of the one Nuclei downloads
nuclei -u https://example.com -headless -system-chrome

# Set page timeout (seconds)
nuclei -u https://example.com -headless -page-timeout 20
```
## Template Management

### Template Structure

Nuclei templates are YAML files with the following basic structure:

```yaml
id: template-id

info:
  name: Template Name
  author: Author Name
  severity: info | low | medium | high | critical
  description: Template description
  tags: tag1,tag2

# Nuclei v3 names this section "http:"; the older "requests:" key is still accepted
requests:
  - method: GET
    path:
      - "{{BaseURL}}/path"
    matchers:
      - type: word
        words:
          - "sensitive data"
```

### Creating Custom Templates

```bash
# Create a basic template structure
cat > custom-template.yaml << 'EOF'
id: custom-template

info:
  name: Custom Template
  author: Your Name
  severity: medium
  description: Detects a custom vulnerability
  tags: custom

requests:
  - method: GET
    path:
      - "{{BaseURL}}/admin"
    matchers:
      - type: word
        words:
          - "Admin Panel"
EOF

# Test the custom template
nuclei -u https://example.com -t custom-template.yaml
```

### Template Validation

```bash
# Validate a template
nuclei -validate -t custom-template.yaml

# Validate all templates in a directory
nuclei -validate -t templates/
```

### Template Listing

```bash
# List all available templates
nuclei -tl

# List templates by tags
nuclei -tl -tags cve,2021

# List templates by severity
nuclei -tl -severity critical
```
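The custom template above is written by hand; when a team maintains many similar detection templates it is easier to generate them from a few parameters and to catch structural mistakes before running `nuclei -validate`. The following Python is an added example and not part of this cheat sheet or of the Nuclei project: `build_template` renders the single-request word-matcher structure shown above, and `check_template` is a cheap pre-check for the required keys. The accepted severity list is the one from the template structure; the lowercase-letters-digits-hyphens rule for template ids is a convention assumed here, not a rule enforced by this page.

```python
import re

# Severities accepted in info.severity (from the template structure above).
VALID_SEVERITIES = ("info", "low", "medium", "high", "critical")
# Assumed naming convention for template ids: lowercase letters, digits and hyphens.
TEMPLATE_ID_RE = re.compile(r"^[a-z0-9][a-z0-9-]*$")
# Each entry lists acceptable spellings of a required key (v3 "http:" or legacy "requests:").
REQUIRED_KEYS = (("id:",), ("info:",), ("  name:",), ("  severity:",),
                 ("http:", "requests:"), ("    matchers:",))


def _quote(value):
    """Double-quote a scalar, escaping backslashes and quotes (YAML double-quoted style)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_template(template_id, name, author, severity, description, tags,
                   path, words, condition="and"):
    """Render a single GET request with one word matcher as nuclei template YAML text.

    The structure is fixed and every free-text value is quoted, so no YAML library
    is needed. Raises ValueError on input that nuclei would reject or that would
    silently produce a useless template (e.g. a matcher with no words).
    """
    if severity not in VALID_SEVERITIES:
        raise ValueError("severity must be one of: " + ", ".join(VALID_SEVERITIES))
    if not TEMPLATE_ID_RE.match(template_id):
        raise ValueError("template id must use lowercase letters, digits and hyphens")
    if not words:
        raise ValueError("a word matcher needs at least one word")
    if not path.startswith("/"):
        raise ValueError("path is appended to {{BaseURL}} and must start with '/'")

    lines = [
        "id: %s" % template_id,
        "",
        "info:",
        "  name: %s" % _quote(name),
        "  author: %s" % _quote(author),
        "  severity: %s" % severity,
        "  description: %s" % _quote(description),
        "  tags: %s" % ",".join(tags),
        "",
        "http:",
        "  - method: GET",
        "    path:",
        '      - "{{BaseURL}}%s"' % path,
        "    matchers:",
        "      - type: word",
        "        condition: %s" % condition,
        "        words:",
    ]
    lines.extend("          - %s" % _quote(w) for w in words)
    return "\n".join(lines) + "\n"


def check_template(text):
    """Return the required keys that are missing from the YAML text (empty list = complete).

    This is only a structural pre-check; `nuclei -validate -t file.yaml` remains the
    authoritative test.
    """
    lines = text.splitlines()
    missing = []
    for alternatives in REQUIRED_KEYS:
        if not any(ln.startswith(a) for a in alternatives for ln in lines):
            missing.append(alternatives[0])
    return missing


if __name__ == "__main__":
    yaml_text = build_template(
        "admin-panel-exposure", "Exposed Admin Panel", "example-author", "medium",
        "Detects an exposed admin panel", ["custom", "panel"], "/admin", ["Admin Panel"])
    print(yaml_text)
    print("missing keys:", check_template(yaml_text))
```

Write the returned text to a file and run `nuclei -validate -t <file>` on it; the pre-check only guards against the most common omissions and does not replace Nuclei's own parser.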
## Integration with Other Tools

### Pipeline with httpx

```bash
# Discover subdomains, probe for live HTTP services and scan them
subfinder -d example.com | httpx | nuclei -t cves/

# Scan specific ports
naabu -host example.com -top-ports 100 -silent | httpx -silent | nuclei -t cves/
```

### Integration with Notify

```bash
# Send results to Slack
nuclei -u https://example.com -o results.txt | notify -provider slack

# Send critical findings to Discord
nuclei -u https://example.com -severity critical -json | notify -provider discord
```

### Integration with GitHub Actions

```yaml
# Example GitHub Actions workflow
name: Nuclei Scan

on:
  schedule:
    - cron: '0 0 * * *'   # Run daily at midnight

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Nuclei Scan
        uses: projectdiscovery/nuclei-action@main
        with:
          target: https://example.com
          templates: cves/
          output: nuclei-results.txt
```
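The JSON output option and the GitHub Actions workflow above both leave one step to the reader: turning the raw findings into a decision. The Python below is an added example, not code from this cheat sheet or from ProjectDiscovery. It reads Nuclei's JSON-lines output (the `template-id`, `info.severity`, `host` and `matched-at` fields are the ones Nuclei emits; the sample records themselves are constructed for this example), deduplicates findings per template and host so that a template with several matchers does not inflate the count, summarizes them by severity, and returns a non-zero exit code when anything at or above a chosen severity was found, which is what a CI gating step needs.

```python
import json
import sys
from collections import Counter, defaultdict

# Constructed sample of Nuclei JSONL output. Hosts and findings are made up;
# the field names follow Nuclei's JSON output format.
SAMPLE_JSONL = """\
{"template-id":"http-missing-security-headers","info":{"name":"HTTP Missing Security Headers","severity":"info"},"type":"http","host":"https://app.example.test","matched-at":"https://app.example.test/","matcher-name":"x-frame-options"}
{"template-id":"http-missing-security-headers","info":{"name":"HTTP Missing Security Headers","severity":"info"},"type":"http","host":"https://app.example.test","matched-at":"https://app.example.test/","matcher-name":"content-security-policy"}
{"template-id":"exposed-admin-panel","info":{"name":"Exposed Admin Panel","severity":"high"},"type":"http","host":"https://app.example.test","matched-at":"https://app.example.test/admin"}
{"template-id":"tls-version","info":{"name":"TLS Version","severity":"info"},"type":"ssl","host":"api.example.test:443","matched-at":"api.example.test:443"}
this line is not JSON (e.g. a banner) and must be skipped
{"template-id":"CVE-2021-44228","info":{"name":"Log4j RCE","severity":"critical"},"type":"http","host":"https://legacy.example.test","matched-at":"https://legacy.example.test/"}
"""

# Ascending order used for threshold comparisons; "unknown" is never gated on.
SEVERITY_ORDER = ("info", "low", "medium", "high", "critical", "unknown")


def parse_findings(text):
    """Yield one dict per valid JSONL record, skipping blank and non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "template-id" in rec:
            yield rec


def summarize(text):
    """Deduplicate by (template-id, host) and count findings per severity and per host.

    Several matcher hits of one template on one host (the missing-headers template
    in the sample fires twice) are one finding for reporting purposes.
    """
    seen = set()
    by_severity = Counter()
    by_host = defaultdict(list)
    for rec in parse_findings(text):
        host = rec.get("host", "")
        key = (rec["template-id"], host)
        if key in seen:
            continue
        seen.add(key)
        sev = str(rec.get("info", {}).get("severity", "unknown")).lower()
        if sev not in SEVERITY_ORDER:
            sev = "unknown"
        by_severity[sev] += 1
        by_host[host].append((sev, rec["template-id"]))
    return {"by_severity": dict(by_severity), "by_host": dict(by_host), "total": len(seen)}


def ci_exit_code(summary, fail_on="high"):
    """Return 1 if any deduplicated finding is at or above `fail_on`, else 0."""
    threshold = SEVERITY_ORDER.index(fail_on)
    for sev, count in summary["by_severity"].items():
        if sev != "unknown" and count and SEVERITY_ORDER.index(sev) >= threshold:
            return 1
    return 0


if __name__ == "__main__":
    # Usage: nuclei -u https://example.com -j | python nuclei_gate.py
    data = SAMPLE_JSONL if sys.stdin.isatty() else sys.stdin.read()
    summary = summarize(data)
    for sev in reversed(SEVERITY_ORDER):
        if sev in summary["by_severity"]:
            print("%-8s %d" % (sev, summary["by_severity"][sev]))
    sys.exit(ci_exit_code(summary, fail_on="high"))
```

In the workflow above this would run as a step after the scan, reading `nuclei-results.txt` produced with JSON output; the job then fails only on findings at the chosen severity instead of on every informational hit.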
## Best Practices

### Performance Optimization

```bash
# Use fast templates for initial scanning
nuclei -u https://example.com -tags tech

# Exclude time-consuming templates
nuclei -u https://example.com -exclude-templates ssl,fuzzing

# Tune concurrency to the target
nuclei -u https://example.com -c 50 -bulk-size 20

# Use rate limiting to avoid overwhelming the target
nuclei -u https://example.com -rate-limit 100
```

### Targeted Scanning

```bash
# Scan for specific vulnerability types
nuclei -u https://example.com -tags wordpress,plugin

# Scan for recent CVEs
nuclei -u https://example.com -tags cve,2023

# Scan based on technology detection
httpx -u https://example.com -tech-detect | nuclei -t technologies/
```

### Noise Reduction

```bash
# Exclude known false positives
nuclei -u https://example.com -exclude-templates false-positives/

# Focus on high-impact issues
nuclei -u https://example.com -severity high,critical

# Filter out noisy templates
nuclei -u https://example.com -exclude-tags fuzz,dos
```

### Regular Updates

```bash
# Update templates regularly
nuclei -update-templates

# Update Nuclei to the latest version
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
```
## Troubleshooting

### Common Issues

- **Template errors**

  ```bash
  # Check template syntax
  nuclei -validate -t custom-template.yaml

  # Debug template execution
  nuclei -u https://example.com -t custom-template.yaml -debug
  ```

- **Rate limiting by the target**

  ```bash
  # Reduce request rate
  nuclei -u https://example.com -rate-limit 10

  # Spread requests out further with a per-minute limit
  nuclei -u https://example.com -rate-limit-minute 60
  ```

- **Memory issues**

  ```bash
  # Limit template concurrency
  nuclei -u https://example.com -c 10

  # Limit bulk size
  nuclei -u https://example.com -bulk-size 10
  ```

- **Network issues**

  ```bash
  # Increase timeout (seconds)
  nuclei -u https://example.com -timeout 10

  # Increase retries
  nuclei -u https://example.com -retries 3
  ```

### Debugging

```bash
# Enable debug mode
nuclei -u https://example.com -debug

# Show verbose output
nuclei -u https://example.com -v

# Show all sent requests and received responses
nuclei -u https://example.com -debug-req -debug-resp

# Store HTTP requests and responses on disk
nuclei -u https://example.com -store-resp
```
## Configuration

### Configuration File

Nuclei reads a configuration file at `$HOME/.config/nuclei/config.yaml`. Various settings can be adjusted in this file:

```yaml
# Example configuration file
concurrency: 25
rate-limit: 150
bulk-size: 20
templates-directory: /path/to/templates
output: /path/to/output.txt
json: true
severity:
  - critical
  - high
  - medium
exclude-severity:
  - info
  - low
```

### Environment Variables

```bash
# Set Nuclei configuration via environment variables
export NUCLEI_CONCURRENCY=25
export NUCLEI_RATE_LIMIT=150
export NUCLEI_TEMPLATES_DIRECTORY=/path/to/templates
export NUCLEI_OUTPUT=/path/to/output.txt
export NUCLEI_JSON=true
```
## Reference

### Command-Line Options

| Flag | Description |
| --- | --- |
| -u, -target | Target URL to scan |
| -l, -list | Path to file containing list of URLs to scan |
| -t, -templates | Templates to use for scanning |
| -tags | Tags to include templates by |
| -exclude-tags | Tags to exclude templates by |
| -o, -output | File to write output to |
| -j, -json | Write output in JSON format |
| -c, -concurrency | Number of concurrent templates |
| -rate-limit | Maximum number of requests per second |
| -timeout | Timeout in seconds for HTTP requests |
| -v, -verbose | Show verbose output |
| -debug | Show debug information |
| -update-templates | Update templates to latest version |
| -severity | Filter templates by severity |
| -exclude-severity | Exclude templates by severity |
| -interactsh-server | Interactsh server URL for OOB testing |
| -no-interactsh | Disable Interactsh for OOB testing |
| -follow-redirects | Follow HTTP redirects |
| -follow-host-redirects | Follow redirects on the same host only |
| -max-redirects | Maximum number of redirects to follow |
| -headless | Enable headless browser support |
| -proxy | HTTP/SOCKS5 proxy to use |
| -H, -header | Custom header to add to all requests |
| -validate | Validate templates |
| -tl | List available templates |
### Template Types

| Type | Description |
| --- | --- |
| HTTP | Web-based vulnerabilities |
| DNS | DNS-based vulnerabilities |
| File | Local file analysis |
| Network | Network protocol vulnerabilities |
| Headless | Browser-based vulnerabilities |
| SSL | SSL/TLS vulnerabilities |
| Websocket | Websocket vulnerabilities |
| Whois | Whois data analysis |
| Javascript | JavaScript analysis |
| Workflow | Multi-step vulnerability chains |
### Matcher Types

| Type | Description |
| --- | --- |
| word | Match when the response contains specific words |
| regex | Match based on regular expressions |
| binary | Match based on binary response content |
| status | Match based on HTTP status code |
| size | Match based on response size |
| dsl | Match using DSL expressions |
| xpath | Match using XPath expressions |
| jsonpath | Match using JSONPath expressions |
| gval | Match using GVAL expressions |
| kval | Match using key-value expressions |
### Extractor Types

| Type | Description |
| --- | --- |
| regex | Extract data using regular expressions |
| kval | Extract key-value pairs |
| xpath | Extract data using XPath expressions |
| jsonpath | Extract data using JSONPath expressions |
| dsl | Extract data using DSL expressions |
| gval | Extract data using GVAL expressions |
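The two tables above list the matcher and extractor types by name; what a template author actually needs to understand is how they combine: each matcher has its own `condition` (`and`/`or`) over its words or patterns, matchers are combined at template level by `matchers-condition` (default `or`), `negative: true` inverts a matcher, and `part` selects which slice of the response is inspected. The Python below is an added example, not code from this cheat sheet or from Nuclei, that models those semantics for the `word`, `regex`, `status` and `size` matchers and the `regex` and `kval` extractors over a constructed HTTP response. Defaulting `part` to `body` and writing `kval` header names with underscores instead of dashes follow Nuclei's documented behaviour; everything else about the sample response is made up for this example.

```python
import re

# Constructed HTTP response used as input for the matchers and extractors below.
SAMPLE_RESPONSE = {
    "status_code": 200,
    "headers": {
        "Server": "nginx/1.18.0",
        "Set-Cookie": "session=abc123; Path=/",
        "X-Powered-By": "PHP/7.4.3",
    },
    "body": "<html><title>Admin Panel</title><body>Welcome, admin. Build 2.3.1</body></html>",
}


def _part(resp, part):
    """Return the slice of the response selected by the `part` field (body, header or all)."""
    if part == "body":
        return resp["body"]
    if part == "header":
        return "\n".join("%s: %s" % kv for kv in resp["headers"].items())
    # "all": status line, headers, blank line, body
    return "HTTP/1.1 %d\n%s\n\n%s" % (resp["status_code"], _part(resp, "header"), resp["body"])


def run_matcher(resp, m):
    """Evaluate a single matcher dict (keys as in a template: type, words, regex,
    status, size, condition, part, negative) and return True/False."""
    combine = all if m.get("condition", "or") == "and" else any
    text = _part(resp, m.get("part", "body"))   # Nuclei defaults part to body
    kind = m["type"]
    if kind == "word":
        result = combine(w in text for w in m["words"])
    elif kind == "regex":
        result = combine(re.search(r, text) is not None for r in m["regex"])
    elif kind == "status":
        result = resp["status_code"] in m["status"]
    elif kind == "size":
        result = len(text) in m["size"]
    else:
        raise ValueError("unsupported matcher type in this example: %s" % kind)
    return (not result) if m.get("negative") else result


def run_matchers(resp, matchers, matchers_condition="or"):
    """Combine all matchers with the template-level matchers-condition (default or)."""
    combine = all if matchers_condition == "and" else any
    return combine(run_matcher(resp, m) for m in matchers)


def run_extractor(resp, ex):
    """Evaluate a regex or kval extractor and return the list of extracted values."""
    kind = ex["type"]
    if kind == "regex":
        text = _part(resp, ex.get("part", "body"))
        group = ex.get("group", 0)
        found = []
        for pattern in ex["regex"]:
            found.extend(match.group(group) for match in re.finditer(pattern, text))
        return found
    if kind == "kval":
        # kval keys name headers; dashes are written as underscores (x_powered_by)
        headers = {k.lower().replace("-", "_"): v for k, v in resp["headers"].items()}
        return [headers[k] for k in ex["kval"] if k in headers]
    raise ValueError("unsupported extractor type in this example: %s" % kind)


if __name__ == "__main__":
    # Mirrors the "Admin Panel" custom template from this sheet, tightened with
    # a status check and an AND-combined word matcher to reduce false positives.
    matchers = [
        {"type": "status", "status": [200]},
        {"type": "word", "words": ["Admin Panel", "Welcome, admin"], "condition": "and"},
    ]
    print("matched:", run_matchers(SAMPLE_RESPONSE, matchers, "and"))
    print("version:", run_extractor(SAMPLE_RESPONSE, {"type": "regex", "regex": [r"Build (\d+\.\d+\.\d+)"], "group": 1}))
    print("stack:", run_extractor(SAMPLE_RESPONSE, {"type": "kval", "kval": ["x_powered_by", "server"]}))
```

The practical lesson is in the `matchers-condition`: with the default `or`, a lone `status: 200` matcher would flag every reachable page, so templates that care about precision combine a content matcher with the status check under `matchers-condition: and`.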
## Resources

- Official documentation
- GitHub Repository
- Nuclei Templates Repository
- Project Discovery Discord
- Nuclei Template Creation Guide

---

*This cheat sheet provides a comprehensive reference for using Nuclei, from basic scanning to advanced template creation and integration with other tools. For the most up-to-date information, always consult the official documentation.*