
Nuclei Vulnerability Scanner Cheat Sheet

Overview

Nuclei is a fast, template-based vulnerability scanner developed by ProjectDiscovery. It focuses on extensive configurability, massive extensibility and ease of use. Nuclei uses YAML-based templates to define vulnerability detection logic, which makes it highly customizable and community-driven. The scanner is designed for zero false positives by using templates that precisely define the detection methodology.

What sets Nuclei apart from other vulnerability scanners is its template ecosystem. The nuclei-templates repository (URL_77__) contains thousands of ready-to-use templates for detecting a wide range of security issues, from common vulnerabilities to complex security misconfigurations. This approach lets security professionals share their detection methods and benefit from the collective knowledge of the security community.

Nuclei can scan a variety of targets, including web applications, APIs, networks, DNS and more. Its modular architecture makes it easy to extend with new protocols and vulnerability types. The tool is widely used by security researchers, bug bounty hunters and penetration testers to automate vulnerability detection across many targets efficiently.

Installation

Using Go

# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Verify installation
nuclei -version

Using Docker

# Pull the latest Docker image
docker pull projectdiscovery/nuclei:latest

# Run Nuclei using Docker
docker run -it projectdiscovery/nuclei:latest -h

Using Homebrew (macOS)

# Install using Homebrew
brew install nuclei

# Verify installation
nuclei -version

Using PDTM (ProjectDiscovery Tools Manager)

# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest

# Install Nuclei using PDTM
pdtm -i nuclei

# Verify installation
nuclei -version

On Kali Linux

# Install using apt
sudo apt install nuclei

# Verify installation
nuclei -version

Basic Usage

Scanning a Single Target

# Scan a single URL
nuclei -u https://example.com

# Scan with increased verbosity
nuclei -u https://example.com -v

# Scan with debug information
nuclei -u https://example.com -debug

Scanning Multiple Targets

# Scan multiple URLs
nuclei -u https://example.com,https://test.com

# Scan from a list of URLs
nuclei -l urls.txt

# Scan from STDIN
cat urls.txt | nuclei

Template Selection

# Scan with specific template
nuclei -u https://example.com -t cves/2021/CVE-2021-44228.yaml

# Scan with multiple templates
nuclei -u https://example.com -t cves/2021/CVE-2021-44228.yaml,cves/2021/CVE-2021-40438.yaml

# Scan with template directory
nuclei -u https://example.com -t cves/

# Scan with tags
nuclei -u https://example.com -tags cve,oast

# Exclude templates by tags
nuclei -u https://example.com -exclude-tags dos,fuzz

Output Options

# Save results to a file
nuclei -u https://example.com -o results.txt

# Save results in JSONL format (one JSON object per line; -j is short for -jsonl)
nuclei -u https://example.com -o results.json -j

# Export results in SARIF format
nuclei -u https://example.com -sarif-export results.sarif

# Export results as Markdown files into a directory
nuclei -u https://example.com -markdown-export results-md/

Rate Limiting

# Limit requests per second
nuclei -u https://example.com -rate-limit 100

# Limit requests per minute
nuclei -u https://example.com -rate-limit-minute 300

# Bulk size for concurrent requests
nuclei -u https://example.com -bulk-size 25

# Concurrency for template execution
nuclei -u https://example.com -c 50

Advanced Usage

Severity Filtering

# Scan only for critical severity issues
nuclei -u https://example.com -severity critical

# Scan for high and critical severity issues
nuclei -u https://example.com -severity high,critical

# Exclude low severity issues
nuclei -u https://example.com -exclude-severity low,info

Automatic Template Updates

# Update templates to the latest version
nuclei -update-templates

# Update to a specific templates directory
nuclei -update-directory /path/to/templates

# Short alias for -update-templates
nuclei -ut

Proxy and Network Options

# Use a proxy for HTTP requests
nuclei -u https://example.com -proxy http://127.0.0.1:8080

# Use SOCKS5 proxy
nuclei -u https://example.com -proxy socks5://127.0.0.1:1080

# Follow redirects
nuclei -u https://example.com -follow-redirects

# Follow host redirects
nuclei -u https://example.com -follow-host-redirects

Authentication

# Basic authentication (sent as a standard Authorization header)
nuclei -u https://example.com -H "Authorization: Basic $(printf 'username:password' | base64)"

# Bearer token authentication
nuclei -u https://example.com -H "Authorization: Bearer YOUR_TOKEN"

# Cookie-based authentication
nuclei -u https://example.com -H "Cookie: session=123456"

Interactsh Integration

# Enable Interactsh for OOB testing
nuclei -u https://example.com -interactsh-server https://your-interactsh-server.com

# Disable Interactsh
nuclei -u https://example.com -no-interactsh

# Set Interactsh polling and timeout
nuclei -u https://example.com -interactsh-server https://your-interactsh-server.com -interactions-poll-duration 60 -interactions-cooldown-period 30

Workflow Execution

# Execute a workflow
nuclei -u https://example.com -w workflows/wordpress-workflow.yaml

# Execute multiple workflows
nuclei -u https://example.com -w workflows/wordpress-workflow.yaml,workflows/jira-workflow.yaml

Headless Browser Support

# Enable headless browser support
nuclei -u https://example.com -headless

# Use the locally installed Chrome instead of the bundled browser
nuclei -u https://example.com -headless -system-chrome

# Set page timeout
nuclei -u https://example.com -headless -page-timeout 20

Template Management

Template Structure

Nuclei templates are YAML files with the following basic structure (http: is the current key for the request block; the older requests: spelling shown here is still accepted):

id: template-id
info:
  name: Template Name
  author: Author Name
  severity: info|low|medium|high|critical
  description: Template description
  tags: tag1,tag2

requests:
  - method: GET
    path:
      - "{{BaseURL}}/path"
    matchers:
      - type: word
        words:
          - "sensitive data"

Creating Custom Templates

# Create a basic template structure (quoted EOF keeps the shell from
# expanding anything inside the heredoc)
cat > custom-template.yaml << 'EOF'
id: custom-template
info:
  name: Custom Template
  author: Your Name
  severity: medium
  description: Detects a custom vulnerability
  tags: custom

requests:
  - method: GET
    path:
      - "{{BaseURL}}/admin"
    matchers:
      - type: word
        words:
          - "Admin Panel"
EOF

# Test the custom template
nuclei -u https://example.com -t custom-template.yaml
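To make the matcher rules in the template structure and the custom template above concrete, here is an added Python model of how nuclei combines word, regex and status matchers (per-matcher condition, matchers-condition, negative). It is not nuclei's code; the response it evaluates is constructed, and only these three matcher types are modelled.

```python
import re

# Constructed HTTP response standing in for what nuclei would receive from
# {{BaseURL}}/admin; it is not captured traffic.
SAMPLE_RESPONSE = {
    "status": 200,
    "headers": {"Server": "nginx", "Content-Type": "text/html"},
    "body": "<html><title>Admin Panel</title>Welcome back, admin</html>",
}

def run_matcher(matcher, resp):
    """Evaluate one matcher dict written in template syntax against a response."""
    kind = matcher["type"]
    # Within a single matcher nuclei ORs the words/regexes unless condition: and
    combine = all if matcher.get("condition", "or") == "and" else any
    if kind == "status":
        hit = resp["status"] in matcher["status"]
    else:
        # part defaults to the body; "header" matches against the header lines
        part = matcher.get("part", "body")
        text = resp["body"] if part == "body" else "\n".join(
            f"{k}: {v}" for k, v in resp["headers"].items())
        if kind == "word":
            hit = combine(w in text for w in matcher["words"])
        elif kind == "regex":
            hit = combine(re.search(r, text) is not None for r in matcher["regex"])
        else:
            raise ValueError(f"matcher type not modelled here: {kind}")
    # negative: true inverts the result of this matcher
    return (not hit) if matcher.get("negative") else hit

def request_matches(request, resp):
    """Combine all matchers of one request block; matchers-condition defaults to or."""
    results = [run_matcher(m, resp) for m in request["matchers"]]
    return all(results) if request.get("matchers-condition", "or") == "and" else any(results)

# The matchers as they would appear under the request block of a template
ADMIN_PANEL_REQUEST = {
    "matchers-condition": "and",
    "matchers": [
        {"type": "status", "status": [200]},
        {"type": "word", "words": ["Admin Panel", "Login"]},   # either word suffices
        {"type": "regex", "part": "header", "regex": ["(?i)server: nginx"]},
        {"type": "word", "words": ["404 Not Found"], "negative": True},
    ],
}

if __name__ == "__main__":
    print(request_matches(ADMIN_PANEL_REQUEST, SAMPLE_RESPONSE))  # True
```

Tightening the word matcher with condition: and would make the same response fail, which is the usual cause of a template that validates but never fires.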

Template Validation

# Validate a template
nuclei -validate -t custom-template.yaml

# Validate all templates in a directory
nuclei -validate -t templates/

Template Listing

# List all available templates
nuclei -tl

# List templates by tags
nuclei -tl -tags cve,2021

# List templates by severity
nuclei -tl -severity critical

Integration with Other Tools

Pipeline with httpx

# Discover subdomains and scan them
subfinder -d example.com | httpx | nuclei -t cves/

# Scan specific ports
naabu -host example.com -top-ports 100 -silent | httpx -silent | nuclei -t cves/

Integration with Notify

# Send results to Slack
nuclei -u https://example.com -o results.txt | notify -provider slack

# Send critical findings to Discord
nuclei -u https://example.com -severity critical -jsonl | notify -provider discord

Integration with GitHub Actions

# Example GitHub Action workflow
name: Nuclei Scan

on:
  schedule:
    - cron: '0 0 * * *'  # Run daily at midnight

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Nuclei Scan
        uses: projectdiscovery/nuclei-action@main
        with:
          target: https://example.com
          templates: cves/
          output: nuclei-results.txt
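The JSONL output described under Output Options and the scheduled GitHub Actions scan above both need a step that reads the findings and decides whether the run passes. Here is an added Python triage script (not part of nuclei or nuclei-action) that deduplicates findings, counts them by severity and exits non-zero at or above a chosen severity so a pipeline step fails; the JSONL sample is constructed, with field names following nuclei's JSON output.

```python
import json
import sys
from collections import Counter

# Constructed sample of nuclei JSONL output (-jsonl): four records, one of which
# repeats an earlier hit. Field names match nuclei's output; the findings are made up.
SAMPLE_JSONL = """\
{"template-id":"tech-detect","info":{"name":"Technology Detection","severity":"info"},"host":"https://example.com","matched-at":"https://example.com"}
{"template-id":"CVE-2021-44228","info":{"name":"Apache Log4j RCE","severity":"critical"},"host":"https://example.com","matched-at":"https://example.com/login"}
{"template-id":"CVE-2021-44228","info":{"name":"Apache Log4j RCE","severity":"critical"},"host":"https://example.com","matched-at":"https://example.com/login"}
{"template-id":"http-missing-security-headers","info":{"name":"Missing Security Headers","severity":"low"},"host":"https://example.com","matched-at":"https://example.com"}
"""

# nuclei's severity scale; "unknown" ranks below info so it never trips the gate
SEVERITY_RANK = {"unknown": -1, "info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def load_findings(jsonl_text):
    """Parse JSONL, skipping banner/progress lines, and dedupe by (template, location)."""
    seen, findings = set(), []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line from an interrupted scan
        key = (rec.get("template-id"), rec.get("matched-at"))
        if key in seen:
            continue
        seen.add(key)
        findings.append(rec)
    return findings

def count_by_severity(findings):
    return Counter(f.get("info", {}).get("severity", "unknown") for f in findings)

def should_fail(findings, threshold="high"):
    """CI gate: True when any finding is at or above `threshold` severity."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f.get("info", {}).get("severity", "unknown"), -1) >= floor
               for f in findings)

if __name__ == "__main__":
    # Pipe `nuclei ... -jsonl` into this script; with no stdin it runs on the sample
    text = SAMPLE_JSONL if sys.stdin.isatty() else sys.stdin.read()
    found = load_findings(text)
    for sev, n in sorted(count_by_severity(found).items(), key=lambda kv: SEVERITY_RANK[kv[0]]):
        print(f"{sev}: {n}")
    sys.exit(1 if should_fail(found) else 0)
```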

Best Practices

Performance Optimization

# Use fast templates for initial scanning
nuclei -u https://example.com -tags tech

# Exclude time-consuming templates
nuclei -u https://example.com -exclude-templates ssl,fuzzing

# Optimize concurrency based on target
nuclei -u https://example.com -c 50 -bulk-size 20

# Use rate limiting to avoid overwhelming the target
nuclei -u https://example.com -rate-limit 100

Targeted Scanning

# Scan for specific vulnerability types
nuclei -u https://example.com -tags wordpress,plugin

# Scan for recent CVEs
nuclei -u https://example.com -tags cve,2023

# Scan based on technology detection
httpx -u https://example.com -tech-detect | nuclei -t technologies/

Reducing Noise

# Exclude common false positives
nuclei -u https://example.com -exclude-templates false-positives/

# Focus on high-impact issues
nuclei -u https://example.com -severity high,critical

# Filter out noisy templates
nuclei -u https://example.com -exclude-tags fuzz,dos

Regular Updates

# Update templates regularly
nuclei -update-templates

# Update Nuclei to the latest version
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

Troubleshooting

Common Issues

1. Template errors
   # Check template syntax
   nuclei -validate -t custom-template.yaml

   # Debug template execution
   nuclei -u https://example.com -t custom-template.yaml -debug

2. Rate limiting by the target
   # Reduce request rate
   nuclei -u https://example.com -rate-limit 10

   # Spread requests out further with a per-minute budget
   nuclei -u https://example.com -rate-limit-minute 60

3. Memory issues
   # Limit template concurrency
   nuclei -u https://example.com -c 10

   # Limit bulk size
   nuclei -u https://example.com -bulk-size 10

4. Network issues
   # Increase timeout
   nuclei -u https://example.com -timeout 10

   # Increase retries
   nuclei -u https://example.com -retries 3

Debugging

# Enable debug mode
nuclei -u https://example.com -debug

# Show verbose output
nuclei -u https://example.com -v

# Show every request sent and response received
nuclei -u https://example.com -debug-req -debug-resp

# Store HTTP requests and responses on disk
nuclei -u https://example.com -store-resp

Configuration

Configuration File

Nuclei uses a configuration file located at $HOME/.config/nuclei/config.yaml. You can customize a range of settings in this file:

# Example configuration file
concurrency: 25
rate-limit: 150
bulk-size: 20
templates-directory: /path/to/templates
output: /path/to/output.txt
json: true
severity:
  - critical
  - high
  - medium
exclude-severity:
  - info
  - low

Environment Variables

# Set Nuclei configuration via environment variables
export NUCLEI_CONCURRENCY=25
export NUCLEI_RATE_LIMIT=150
export NUCLEI_TEMPLATES_DIRECTORY=/path/to/templates
export NUCLEI_OUTPUT=/path/to/output.txt
export NUCLEI_JSON=true

Reference

Command Line Options

Flag                    Description
-u                      Target URL to scan
-l                      Path to file containing list of URLs to scan
-t                      Templates to use for scanning
-tags                   Tags to include templates by
-exclude-tags           Tags to exclude templates by
-o                      File to write output to
-j, -jsonl              Write output in JSONL format
-c                      Number of concurrent requests
-rate-limit             Maximum number of requests per second
-timeout                Timeout in seconds for HTTP requests
-v                      Show verbose output
-debug                  Show debug information
-update-templates       Update templates to latest version
-severity               Filter templates by severity
-exclude-severity       Exclude templates by severity
-interactsh-server      Interactsh server URL for OOB testing
-no-interactsh          Disable Interactsh for OOB testing
-follow-redirects       Follow HTTP redirects
-follow-host-redirects  Follow redirects on the same host
-max-redirects          Maximum number of redirects to follow
-headless               Enable headless browser support
-proxy                  HTTP/SOCKS5 proxy to use
-H                      Custom header to add to all requests
-validate               Validate templates
-tl                     List available templates

Template Types

Type        Description
HTTP        Web-based vulnerabilities
DNS         DNS-based vulnerabilities
File        Local file analysis
Network     Network protocol vulnerabilities
Headless    Browser-based vulnerabilities
SSL         SSL/TLS vulnerabilities
Websocket   Websocket vulnerabilities
Whois       Whois data analysis
Javascript  JavaScript analysis
Workflow    Multi-step vulnerability chains

Matcher Types

Type            Description
word            Match based on response containing specific words
regex           Match based on regular expressions
binary          Match based on binary response
status          Match based on HTTP status code
size            Match based on response size
dsl             Match using DSL expressions
xpath           Match using XPath expressions
INLINE_CODE_68  Match using JSONPath expressions
INLINE_CODE_69  Match using GVAL expressions
INLINE_CODE_70  Match using key-value expressions

Extractor Types

Type            Description
regex           Extract data using regular expressions
kval            Extract key-value pairs
xpath           Extract data using XPath expressions
json            Extract data using JSONPath expressions
dsl             Extract data using DSL expressions
INLINE_CODE_76  Extract data using GVAL expressions

Resources

  • Official documentation (URL_78__)
  • GitHub repository (URL_79__)
  • Nuclei templates repository (URL_80__)
  • ProjectDiscovery Discord (URL_81__)
  • Nuclei template creation guide


This cheat sheet provides a comprehensive reference for using Nuclei, from basic scanning to advanced template creation and integration with other tools. For the most up-to-date information, always consult the official documentation.