
# Nuclei Vulnerability Scanner Cheat Sheet

## Overview

Nuclei is a fast, template-based security scanner developed by Project Discovery. It focuses on extensive configurability, massive extensibility and ease of use. Nuclei uses YAML-based templates to define its vulnerability-detection logic, which makes it highly customisable and community-driven. The scanner is designed to have zero false positives by using templates that define the detection methodology precisely.

What sets Nuclei apart from other security scanners is its template ecosystem. The community-maintained nuclei-templates repository contains thousands of ready-to-use templates for detecting a wide range of security issues, from common vulnerabilities to complex security misconfigurations. This approach lets security professionals share their detection methods and benefit from the collective knowledge of the security community.

Nuclei can scan a variety of targets, including web applications, APIs, networks, DNS and more. Its modular architecture makes it easy to extend with support for new protocols and vulnerability types. The tool is widely used by security researchers, bug-bounty hunters and penetration testers to automate security checks across many targets efficiently.

## Installation

### Using Go

```bash
# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Verify installation
nuclei -version
```

### Using Docker

```bash
# Pull the latest Docker image
docker pull projectdiscovery/nuclei:latest

# Run Nuclei using Docker
docker run -it projectdiscovery/nuclei:latest -h
```

### Using Homebrew (macOS)

```bash
# Install using Homebrew
brew install nuclei

# Verify installation
nuclei -version
```

### Using PDTM (Project Discovery Tools Manager)

```bash
# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest

# Install Nuclei using PDTM
pdtm -i nuclei

# Verify installation
nuclei -version
```

### On Kali Linux

```bash
# Install using apt
sudo apt install nuclei

# Verify installation
nuclei -version
```

## Basic Usage

### Scanning a Single Target

```bash
# Scan a single URL
nuclei -u https://example.com

# Scan with increased verbosity
nuclei -u https://example.com -v

# Scan with debug information
nuclei -u https://example.com -debug
```

### Scanning Multiple Targets

```bash
# Scan multiple URLs
nuclei -u https://example.com,https://test.com

# Scan from a list of URLs
nuclei -l urls.txt

# Scan from STDIN
cat urls.txt | nuclei
```

### Template Selection

```bash
# Scan with a specific template
nuclei -u https://example.com -t cves/2021/CVE-2021-44228.yaml

# Scan with multiple templates
nuclei -u https://example.com -t cves/2021/CVE-2021-44228.yaml,cves/2021/CVE-2021-40438.yaml

# Scan with a template directory
nuclei -u https://example.com -t cves/

# Scan with tags
nuclei -u https://example.com -tags cve,oast

# Exclude templates by tags
nuclei -u https://example.com -exclude-tags dos,fuzz
```

### Output Options

```bash
# Save results to a file
nuclei -u https://example.com -o results.txt

# Save results in JSON format
nuclei -u https://example.com -o results.json -j

# Save results in SARIF format
nuclei -u https://example.com -o results.sarif -sarif

# Save results in Markdown format
nuclei -u https://example.com -o results.md -markdown
```

### Rate Limiting

```bash
# Limit requests per second
nuclei -u https://example.com -rate-limit 100

# Limit requests per minute
nuclei -u https://example.com -rate-limit-minute 300

# Bulk size for concurrent requests
nuclei -u https://example.com -bulk-size 25

# Concurrency for template execution
nuclei -u https://example.com -c 50
```

## Advanced Usage

### Severity Filtering

```bash
# Scan only for critical severity issues
nuclei -u https://example.com -severity critical

# Scan for high and critical severity issues
nuclei -u https://example.com -severity high,critical

# Exclude low severity issues
nuclei -u https://example.com -exclude-severity low,info
```

### Automatic Template Updates

```bash
# Update templates to the latest version
nuclei -update-templates

# Update templates into a specific templates directory
nuclei -update-directory /path/to/templates

# Short alias for -update-templates
nuclei -ut
```

### Proxy and Network Options

```bash
# Use a proxy for HTTP requests
nuclei -u https://example.com -proxy http://127.0.0.1:8080

# Use a SOCKS5 proxy
nuclei -u https://example.com -proxy socks5://127.0.0.1:1080

# Follow redirects
nuclei -u https://example.com -follow-redirects

# Follow redirects only on the same host
nuclei -u https://example.com -follow-host-redirects
```

### Authentication

```bash
# Basic authentication
nuclei -u https://example.com -auth-type basic -auth-user username -auth-pass password

# Bearer token authentication
nuclei -u https://example.com -H "Authorization: Bearer YOUR_TOKEN"

# Cookie-based authentication
nuclei -u https://example.com -H "Cookie: session=123456"
```

### Interactsh Integration

```bash
# Enable Interactsh for OOB testing
nuclei -u https://example.com -interactsh-server https://your-interactsh-server.com

# Disable Interactsh
nuclei -u https://example.com -no-interactsh

# Set Interactsh polling duration and cooldown period (seconds)
nuclei -u https://example.com -interactsh-server https://your-interactsh-server.com -interactions-poll-duration 60 -interactions-cooldown-period 30
```

### Workflow Execution

```bash
# Execute a workflow
nuclei -u https://example.com -w workflows/wordpress-workflow.yaml

# Execute multiple workflows
nuclei -u https://example.com -w workflows/wordpress-workflow.yaml,workflows/jira-workflow.yaml
```
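The commands above run workflow files but the cheat sheet does not show what one looks like. The following is an added example, not a file from the original page or from the nuclei-templates project: a workflow that runs a technology-detection template first and only runs the WordPress-tagged templates against hosts where the named matcher fired. The template paths, the matcher name `wordpress` and the author are assumptions for illustration.

```yaml
# Added example workflow (constructed, not from nuclei-templates).
# Nuclei resolves template paths relative to its templates directory.
id: wordpress-conditional-workflow-example

info:
  name: WordPress Conditional Workflow (example)
  author: example-author          # constructed
  description: |
    Run the broad technology-detection template once per host. Only if its
    matcher named "wordpress" matches are the templates tagged "wordpress"
    executed. Hosts that are not WordPress receive none of those requests,
    which keeps scan volume and noise down on targets that cannot be affected.

workflows:
  # Stage 1: fingerprint the target. Assumed path; the matcher name below must
  # correspond to a `name:` given to a matcher inside this template.
  - template: technologies/tech-detect.yaml
    matchers:
      - name: wordpress
        # Stage 2: only reached when the "wordpress" matcher fired.
        subtemplates:
          # every template carrying this tag ...
          - tags: wordpress
          # ... plus one specific follow-up check referenced by path
          - template: misconfiguration/wordpress-example-check.yaml   # constructed path
```

Because the second stage is gated on the first, a host that never matches `wordpress` produces no findings from, and no traffic for, the subtemplates.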

### Headless Browser Support

```bash
# Enable headless browser support
nuclei -u https://example.com -headless

# Set the browser path
nuclei -u https://example.com -headless -browser-path /path/to/chrome

# Set the page timeout (seconds)
nuclei -u https://example.com -headless -page-timeout 20
```

## Template Management

### Template Structure

Nuclei templates are YAML files with the following basic structure:

```yaml
id: template-id
info:
  name: Template Name
  author: Author Name
  severity: info|low|medium|high|critical
  description: Template description
  tags: tag1,tag2

http:                       # `requests:` is the older (v2) spelling of this key
  - method: GET
    path:
      - "{{BaseURL}}/path"  # {{BaseURL}} is replaced with the target URL at scan time
    matchers:
      - type: word
        words:
          - "sensitive data"
```

### Creating Custom Templates

```bash
# Create a basic template structure
# (quoted delimiter: the shell leaves {{BaseURL}} and any $ in the body untouched)
cat > custom-template.yaml << 'EOF'
id: custom-template
info:
  name: Custom Template
  author: Your Name
  severity: medium
  description: Detects a custom vulnerability
  tags: custom

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin"
    matchers:
      - type: word
        words:
          - "Admin Panel"
EOF

# Test the custom template
nuclei -u https://example.com -t custom-template.yaml
```
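The structure above and the single-word template just created will also fire on any page that happens to contain the matched word. The following is an added example that is not from the original page or from the nuclei-templates project: a misconfiguration check for a web root that serves its `.git/config`, combining a status matcher, an AND-ed word matcher and a negative matcher to keep false positives down, plus an extractor so the finding records which repository was exposed. The id, author and tags are constructed for illustration.

```yaml
# Added example template (constructed, not from nuclei-templates).
id: exposed-git-config-example

info:
  name: Exposed .git/config (example)
  author: example-author            # constructed
  severity: medium
  description: |
    Detects a web root that serves .git/config, which leaks repository
    metadata and usually allows the full source history to be retrieved.
    Remediation: deny access to the .git directory in the web server config.
  tags: misconfig,git,exposure,example

http:
  - method: GET
    path:
      - "{{BaseURL}}/.git/config"

    # All matchers must match (AND). A 200 alone is not enough: the body must
    # look like a Git config file, and the response must not be an HTML page
    # (a catch-all error page could otherwise contain the matched words).
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        condition: and              # both words must be present
        words:
          - "[core]"
          - "repositoryformatversion"

      - type: word
        part: header
        negative: true              # reject HTML responses
        words:
          - "text/html"

    # Extract the remote URL so the CLI/JSON output names the leaked repository.
    extractors:
      - type: regex
        part: body
        name: remote_url
        group: 1
        regex:
          - 'url\s*=\s*(.+)'
```

Run `nuclei -validate -t exposed-git-config-example.yaml` before using it; the `-j` output will carry the extracted `remote_url` alongside the matched URL.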

### Template Validation

```bash
# Validate a template
nuclei -validate -t custom-template.yaml

# Validate all templates in a directory
nuclei -validate -t templates/
```

### Template Listing

```bash
# List all available templates
nuclei -tl

# List templates by tags
nuclei -tl -tags cve,2021

# List templates by severity
nuclei -tl -severity critical
```

## Integration with Other Tools

### Pipeline with httpx

```bash
# Discover subdomains, probe them and scan them
subfinder -d example.com | httpx | nuclei -t cves/

# Scan specific ports
naabu -host example.com -top-ports 100 -silent | httpx -silent | nuclei -t cves/
```

### Integration with Notify

```bash
# Send results to Slack
nuclei -u https://example.com -o results.txt | notify -provider slack

# Send critical findings to Discord
nuclei -u https://example.com -severity critical -json | notify -provider discord
```

### Integration with GitHub Actions

```yaml
# Example GitHub Actions workflow
name: Nuclei Scan

on:
  schedule:
    - cron: '0 0 * * *'  # Run daily at midnight

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Nuclei Scan
        uses: projectdiscovery/nuclei-action@main
        with:
          target: https://example.com
          templates: cves/
          output: nuclei-results.txt
```

## Best Practices

### Performance Optimisation

```bash
# Use fast templates for initial scanning
nuclei -u https://example.com -tags tech

# Exclude time-consuming templates
nuclei -u https://example.com -exclude-templates ssl,fuzzing

# Tune concurrency to the target
nuclei -u https://example.com -c 50 -bulk-size 20

# Use rate limiting to avoid overwhelming the target
nuclei -u https://example.com -rate-limit 100
```

### Targeted Scanning

```bash
# Scan for specific vulnerability types
nuclei -u https://example.com -tags wordpress,plugin

# Scan for recent CVEs
nuclei -u https://example.com -tags cve,2023

# Scan based on technology detection
httpx -u https://example.com -tech-detect | nuclei -t technologies/
```

### Reducing Noise

```bash
# Exclude common false positives
nuclei -u https://example.com -exclude-templates false-positives/

# Focus on high-impact issues
nuclei -u https://example.com -severity high,critical

# Filter out noisy templates
nuclei -u https://example.com -exclude-tags fuzz,dos
```

### Regular Updates

```bash
# Update templates regularly
nuclei -update-templates

# Update Nuclei to the latest version
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
```

## Troubleshooting

### Common Issues

1. **Template Errors**
   ```bash
   # Check template syntax
   nuclei -validate -t custom-template.yaml

   # Debug template execution
   nuclei -u https://example.com -t custom-template.yaml -debug
   ```

2. **Rate Limiting by the Target**
   ```bash
   # Reduce request rate
   nuclei -u https://example.com -rate-limit 10

   # Add random delays
   nuclei -u https://example.com -rate-limit 10 -random-delay 5
   ```

3. **Memory Issues**
   ```bash
   # Limit template concurrency
   nuclei -u https://example.com -c 10

   # Limit bulk size
   nuclei -u https://example.com -bulk-size 10
   ```

4. **Network Issues**
   ```bash
   # Increase timeout
   nuclei -u https://example.com -timeout 10

   # Increase retries
   nuclei -u https://example.com -retries 3
   ```

### Debugging

```bash
# Enable debug mode
nuclei -u https://example.com -debug

# Show verbose output
nuclei -u https://example.com -v

# Show request and response details
nuclei -u https://example.com -debug -show-request -show-response

# Store HTTP requests and responses
nuclei -u https://example.com -store-resp
```

## Configuration

### Configuration File

Nuclei reads a configuration file at `$HOME/.config/nuclei/config.yaml`. Various settings can be customised in this file:

```yaml
# Example configuration file
concurrency: 25
rate-limit: 150
bulk-size: 20
templates-directory: /path/to/templates
output: /path/to/output.txt
json: true
severity:
  - critical
  - high
  - medium
exclude-severity:
  - info
  - low
```

### Environment Variables

```bash
# Set Nuclei configuration via environment variables
export NUCLEI_CONCURRENCY=25
export NUCLEI_RATE_LIMIT=150
export NUCLEI_TEMPLATES_DIRECTORY=/path/to/templates
export NUCLEI_OUTPUT=/path/to/output.txt
export NUCLEI_JSON=true
```

## Reference

### Command-Line Options

The flag names in the first column are taken from the commands shown elsewhere on this page; where a flag appears nowhere on the page it is marked as not recoverable.

| Flag | Description |
|------|-------------|
| `-u` | Target URL to scan |
| `-l` | Path to file containing list of URLs to scan |
| `-t` | Templates to use for scanning |
| `-tags` | Tags to include templates by |
| `-exclude-tags` | Tags to exclude templates by |
| `-o` | File to write output to |
| `-j` | Write output in JSON format |
| (not recoverable) | Number of concurrent requests |
| `-rate-limit` | Maximum number of requests per second |
| `-timeout` | Timeout in seconds for HTTP requests |
| `-v` | Show verbose output |
| `-debug` | Show debug information |
| `-update-templates` | Update templates to latest version |
| `-severity` | Filter templates by severity |
| `-exclude-severity` | Exclude templates by severity |
| `-interactsh-server` | Interactsh server URL for OOB testing |
| `-no-interactsh` | Disable Interactsh for OOB testing |
| `-follow-redirects` | Follow HTTP redirects |
| `-follow-host-redirects` | Follow redirects on the same host |
| `-max-redirects` | Maximum number of redirects to follow |
| `-headless` | Enable headless browser support |
| `-proxy` | HTTP/SOCKS5 proxy to use |
| `-H` | Custom header to add to all requests |
| `-validate` | Validate templates |
| `-tl` | List available templates |

### Template Types

| Type | Description |
|------|-------------|
| HTTP | Web-based vulnerabilities |
| DNS | DNS-based vulnerabilities |
| File | Local file analysis |
| Network | Network protocol vulnerabilities |
| Headless | Browser-based vulnerabilities |
| SSL | SSL/TLS vulnerabilities |
| Websocket | Websocket vulnerabilities |
| Whois | Whois data analysis |
| Javascript | JavaScript analysis |
| Workflow | Multi-step vulnerability chains |

### Matcher Types

| Type | Description |
|------|-------------|
| `word` | Match based on response containing specific words |
| `regex` | Match based on regular expressions |
| `binary` | Match based on binary response |
| `status` | Match based on HTTP status code |
| `size` | Match based on response size |
| `dsl` | Match using DSL expressions |
| `xpath` | Match using XPath expressions |
| (not recoverable) | Match using JSONPath expressions |
| (not recoverable) | Match using GVAL expressions |
| (not recoverable) | Match using key-value expressions |

### Extractor Types

| Type | Description |
|------|-------------|
| `regex` | Extract data using regular expressions |
| `kval` | Extract key-value pairs |
| `xpath` | Extract data using XPath expressions |
| `json` | Extract data using JSONPath expressions |
| `dsl` | Extract data using DSL expressions |
| (not recoverable) | Extract data using GVAL expressions |

## Resources

---

*This cheat sheet provides a comprehensive reference for using Nuclei, from basic scanning to advanced template creation and integration with other tools. For the most up-to-date information, always consult the official documentation.*