
Nuclei Vulnerability Scanner Cheat Sheet

Overview

Nuclei is a fast, template-based vulnerability scanner developed by Project Discovery. It focuses on extensive configurability, massive extensibility and ease of use. Nuclei uses YAML-based templates to define vulnerability detection logic, making it highly customizable and community-driven. The scanner is designed to produce zero false positives by using templates that precisely define the detection methodology.

What sets Nuclei apart from other vulnerability scanners is its template ecosystem. The community-maintained nuclei-templates repository contains thousands of ready-to-use templates for detecting various security issues, from common vulnerabilities to complex security misconfigurations. This approach allows security professionals to share their detection methods and benefit from the collective knowledge of the security community.

Nuclei can scan various targets including web applications, APIs, networks, DNS and more. Its modular architecture allows for easy extension to support new protocols and vulnerability types. The tool is widely used by security researchers, bug bounty hunters and penetration testers to automate vulnerability detection across multiple targets efficiently.

Installation

Using Go

# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Verify installation
nuclei -version

Using Docker

# Pull the latest Docker image
docker pull projectdiscovery/nuclei:latest

# Run Nuclei using Docker
docker run -it projectdiscovery/nuclei:latest -h

Using Homebrew (macOS)

# Install using Homebrew
brew install nuclei

# Verify installation
nuclei -version

Using PDTM (Project Discovery Tools Manager)

# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest

# Install Nuclei using PDTM
pdtm -i nuclei

# Verify installation
nuclei -version

On Kali Linux

# Install using apt
sudo apt install nuclei

# Verify installation
nuclei -version

Basic Usage

Scanning a Single Target

# Scan a single URL
nuclei -u https://example.com

# Scan with increased verbosity
nuclei -u https://example.com -v

# Scan with debug information
nuclei -u https://example.com -debug

Scanning Multiple Targets

# Scan multiple URLs
nuclei -u https://example.com,https://test.com

# Scan from a list of URLs
nuclei -l urls.txt

# Scan from STDIN
cat urls.txt | nuclei

Template Selection

# Scan with a specific template
nuclei -u https://example.com -t cves/2021/CVE-2021-44228.yaml

# Scan with multiple templates
nuclei -u https://example.com -t cves/2021/CVE-2021-44228.yaml,cves/2021/CVE-2021-40438.yaml

# Scan with a template directory
nuclei -u https://example.com -t cves/

# Scan with tags
nuclei -u https://example.com -tags cve,oast

# Exclude templates by tags
nuclei -u https://example.com -exclude-tags dos,fuzz

Output Options

# Save results to a file
nuclei -u https://example.com -o results.txt

# Save results in JSON format
nuclei -u https://example.com -o results.json -j

# Save results in SARIF format
nuclei -u https://example.com -o results.sarif -sarif

# Save results in Markdown format
nuclei -u https://example.com -o results.md -markdown
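As an added example (not from this page or from Project Discovery), the following Python script triages the JSON-lines output that the JSON option produces: it drops duplicate findings, tolerates a truncated trailing line, sorts by severity and returns the subset worth acting on. The sample records are constructed, and the field names are assumed from Nuclei's JSON export format.

```python
import json
from collections import Counter

# Constructed sample of Nuclei's JSON-lines output (not real scan data). The
# field names template-id, info.severity, host and matched-at are assumed from
# Nuclei's JSON export; check them against the version you run.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"template-id": "CVE-2021-44228", "info": {"name": "Log4j RCE", "severity": "critical"},
     "host": "https://example.com", "matched-at": "https://example.com/login"},
    {"template-id": "CVE-2021-44228", "info": {"name": "Log4j RCE", "severity": "critical"},
     "host": "https://example.com", "matched-at": "https://example.com/login"},  # duplicate
    {"template-id": "tech-detect", "info": {"name": "Technology Detection", "severity": "info"},
     "host": "https://example.com", "matched-at": "https://example.com"},
    {"template-id": "exposed-panel", "info": {"name": "Admin Panel", "severity": "medium"},
     "host": "https://example.com", "matched-at": "https://example.com/admin"},
]) + "\n{not json"  # a truncated trailing line, as left by an interrupted scan

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4, "unknown": 5}

def parse_findings(jsonl_text):
    """Parse JSON-lines output, skipping blank or malformed lines and exact duplicates."""
    seen, findings = set(), []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        key = (rec.get("template-id"), rec.get("matched-at"))
        if key in seen:
            continue
        seen.add(key)
        findings.append({
            "template": rec.get("template-id", "?"),
            "severity": rec.get("info", {}).get("severity", "unknown"),
            "host": rec.get("host", "?"),
            "matched_at": rec.get("matched-at", "?"),
        })
    # Most severe first; sort is stable, so scan order is kept within a severity.
    return sorted(findings, key=lambda f: SEVERITY_RANK.get(f["severity"], 5))

def severity_counts(findings):
    return dict(Counter(f["severity"] for f in findings))

def actionable(findings, min_severity="medium"):
    """Findings at or above min_severity: the subset worth opening a ticket for."""
    cutoff = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 5) <= cutoff]
```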

Rate Limiting

# Limit requests per second
nuclei -u https://example.com -rate-limit 100

# Limit requests per minute
nuclei -u https://example.com -rate-limit-minute 300

# Bulk size for concurrent requests
nuclei -u https://example.com -bulk-size 25

# Concurrency for template execution
nuclei -u https://example.com -c 50

Advanced Usage

Severity Filtering

# Scan only for critical severity issues
nuclei -u https://example.com -severity critical

# Scan for high and critical severity issues
nuclei -u https://example.com -severity high,critical

# Exclude low and informational severity issues
nuclei -u https://example.com -exclude-severity low,info

Automatic Template Updates

# Update templates to the latest version
nuclei -update-templates

# Update to a specific templates directory
nuclei -update-directory /path/to/templates

# Update templates and exit
nuclei -update-templates -ut

Proxy and Network Options

# Use a proxy for HTTP requests
nuclei -u https://example.com -proxy http://127.0.0.1:8080

# Use a SOCKS5 proxy
nuclei -u https://example.com -proxy socks5://127.0.0.1:1080

# Follow redirects
nuclei -u https://example.com -follow-redirects

# Follow host redirects
nuclei -u https://example.com -follow-host-redirects

Authentication

# Basic authentication
nuclei -u https://example.com -auth-type basic -auth-user username -auth-pass password

# Bearer token authentication
nuclei -u https://example.com -H "Authorization: Bearer YOUR_TOKEN"

# Cookie-based authentication
nuclei -u https://example.com -H "Cookie: session=123456"

Interactsh Integration

# Enable Interactsh for OOB testing
nuclei -u https://example.com -interactsh-server https://your-interactsh-server.com

# Disable Interactsh
nuclei -u https://example.com -no-interactsh

# Set Interactsh polling and cooldown periods
nuclei -u https://example.com -interactsh-server https://your-interactsh-server.com -interactions-poll-duration 60 -interactions-cooldown-period 30

Workflow Execution

# Execute a workflow
nuclei -u https://example.com -w workflows/wordpress-workflow.yaml

# Execute multiple workflows
nuclei -u https://example.com -w workflows/wordpress-workflow.yaml,workflows/jira-workflow.yaml

Headless Browser Support

# Enable headless browser support
nuclei -u https://example.com -headless

# Set browser path
nuclei -u https://example.com -headless -browser-path /path/to/chrome

# Set page timeout
nuclei -u https://example.com -headless -page-timeout 20

Template Management

Template Structure

Nuclei templates are YAML files with the following basic structure:

id: template-id
info:
  name: Template Name
  author: Author Name
  severity: info  # one of: info, low, medium, high, critical
  description: Template Description
  tags: tag1,tag2

requests:
  - method: GET
    path:
      - "{{BaseURL}}/path"
    matchers:
      - type: word
        words:
          - "sensitive data"
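To show how the matcher block of a template is evaluated against a response, here is a simplified Python re-implementation of the matcher logic (an added example, not Nuclei's own code). It uses a template modelled on the one above, written as a dict so no YAML parser is needed and extended with status and negative matchers; the condition, part, negative and matchers-condition semantics are assumptions about the template format, and the responses are constructed.

```python
import re
# Simplified evaluation of a template's matcher block (added example, not Nuclei's
# code). Assumed semantics: "condition" (default "or") combines a matcher's own
# words/regexes/statuses, "negative" inverts it, "part" picks body or headers.

def _combine(results, condition):
    return all(results) if condition == "and" else any(results)

def eval_matcher(m, resp):
    """Evaluate one matcher dict against resp = {"status", "headers", "body"}."""
    text = resp.get(m.get("part", "body"), "")
    kind = m["type"]
    if kind == "word":
        hits = [w in text for w in m["words"]]
    elif kind == "regex":
        hits = [re.search(r, text) is not None for r in m["regex"]]
    elif kind == "status":
        hits = [resp["status"] == s for s in m["status"]]
    elif kind == "size":
        hits = [len(resp["body"]) == s for s in m["size"]]
    else:
        raise ValueError(f"unsupported matcher type: {kind}")
    verdict = _combine(hits, m.get("condition", "or"))
    return not verdict if m.get("negative") else verdict

def template_matches(template, resp):
    """True when the first request's matchers fire under matchers-condition (default or)."""
    req = template["requests"][0]
    results = [eval_matcher(m, resp) for m in req["matchers"]]
    return _combine(results, req.get("matchers-condition", "or"))

# Template modelled on the one above, as a dict so no YAML parser is needed.
TEMPLATE = {
    "id": "exposed-admin-panel",  # hypothetical id
    "requests": [{
        "method": "GET",
        "path": ["{{BaseURL}}/admin"],
        "matchers-condition": "and",
        "matchers": [
            {"type": "status", "status": [200]},
            {"type": "word", "words": ["Admin Panel", "Dashboard"], "condition": "or"},
            {"type": "word", "part": "headers", "words": ["Location:"], "negative": True},
        ],
    }],
}

# Constructed sample responses, not captured from a real host.
EXPOSED = {"status": 200, "headers": "Content-Type: text/html", "body": "<h1>Admin Panel</h1>"}
REDIRECTED = {"status": 302, "headers": "Location: /login", "body": ""}
```

Because the three matchers are combined with `and`, the template only fires when the page returns 200, carries one of the panel words and is not a redirect.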

Creating Custom Templates

# Create a basic template structure
cat > custom-template.yaml << EOF
id: custom-template
info:
  name: Custom Template
  author: Your Name
  severity: medium
  description: Detects a custom vulnerability
  tags: custom

requests:
  - method: GET
    path:
      - "{{BaseURL}}/admin"
    matchers:
      - type: word
        words:
          - "Admin Panel"
EOF

# Test the custom template
nuclei -u https://example.com -t custom-template.yaml

Template Validation

# Validate a template
nuclei -validate -t custom-template.yaml

# Validate all templates in a directory
nuclei -validate -t templates/

Template Listing

# List all available templates
nuclei -tl

# List templates by tags
nuclei -tl -tags cve,2021

# List templates by severity
nuclei -tl -severity critical

Integration with Other Tools

Pipeline with httpx

# Discover subdomains and scan them
subfinder -d example.com | httpx | nuclei -t cves/

# Scan specific ports
naabu -host example.com -top-ports 100 -silent | httpx -silent | nuclei -t cves/

Integration with Notify

# Send results to Slack
nuclei -u https://example.com -o results.txt | notify -provider slack

# Send critical findings to Discord
nuclei -u https://example.com -severity critical -json | notify -provider discord

Integration with GitHub Actions

# Example GitHub Actions workflow
name: Nuclei Scan

on:
  schedule:
    - cron: '0 0 * * *'  # Run daily at midnight

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Nuclei Scan
        uses: projectdiscovery/nuclei-action@main
        with:
          target: https://example.com
          templates: cves/
          output: nuclei-results.txt

Best Practices

Performance Optimization

# Use fast templates for initial scanning
nuclei -u https://example.com -tags tech

# Exclude time-consuming templates
nuclei -u https://example.com -exclude-templates ssl,fuzzing

# Tune concurrency to the target
nuclei -u https://example.com -c 50 -bulk-size 20

# Use rate limiting to avoid overwhelming the target
nuclei -u https://example.com -rate-limit 100

Targeted Scanning

# Scan for specific vulnerability types
nuclei -u https://example.com -tags wordpress,plugin

# Scan for recent CVEs
nuclei -u https://example.com -tags cve,2023

# Scan based on technology detection
httpx -u https://example.com -tech-detect | nuclei -t technologies/

Reducing Noise

# Exclude common false positives
nuclei -u https://example.com -exclude-templates false-positives/

# Focus on high-impact issues
nuclei -u https://example.com -severity high,critical

# Filter out noisy templates
nuclei -u https://example.com -exclude-tags fuzz,dos

Regular Updates

# Update templates regularly
nuclei -update-templates

# Update Nuclei to the latest version
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

Troubleshooting

Common Issues

1. Template Errors

   # Check template syntax
   nuclei -validate -t custom-template.yaml

   # Debug template execution
   nuclei -u https://example.com -t custom-template.yaml -debug

2. Rate Limiting by Target

   # Reduce request rate
   nuclei -u https://example.com -rate-limit 10

   # Add random delays
   nuclei -u https://example.com -rate-limit 10 -random-delay 5

3. Memory Issues

   # Limit template concurrency
   nuclei -u https://example.com -c 10

   # Limit bulk size
   nuclei -u https://example.com -bulk-size 10

4. Network Issues

   # Increase timeout
   nuclei -u https://example.com -timeout 10

   # Increase retries
   nuclei -u https://example.com -retries 3

Debugging

# Enable debug mode
nuclei -u https://example.com -debug

# Show verbose output
nuclei -u https://example.com -v

# Show request and response details
nuclei -u https://example.com -debug -show-request -show-response

# Store HTTP requests and responses
nuclei -u https://example.com -store-resp

Configuration

Configuration File

Nuclei uses a configuration file located at $HOME/.config/nuclei/config.yaml. You can customize various settings in this file:

# Example configuration file
concurrency: 25
rate-limit: 150
bulk-size: 20
templates-directory: /path/to/templates
output: /path/to/output.txt
json: true
severity:
  - critical
  - high
  - medium
exclude-severity:
  - info
  - low

Environment Variables

# Set Nuclei configuration via environment variables
export NUCLEI_CONCURRENCY=25
export NUCLEI_RATE_LIMIT=150
export NUCLEI_TEMPLATES_DIRECTORY=/path/to/templates
export NUCLEI_OUTPUT=/path/to/output.txt
export NUCLEI_JSON=true

Reference

Command Line Options

| Flag | Description |
| --- | --- |
| -u, -target | Target URL to scan |
| -l, -list | Path to file containing list of URLs to scan |
| -t, -templates | Templates to use for scanning |
| -tags | Tags to include templates by |
| -exclude-tags | Tags to exclude templates by |
| -o, -output | File to write output to |
| -j, -json | Write output in JSON format |
| -c, -concurrency | Number of concurrent requests |
| -rate-limit | Maximum number of requests per second |
| -timeout | Timeout in seconds for HTTP requests |
| -v, -verbose | Show verbose output |
| -debug | Show debug information |
| -update-templates | Update templates to latest version |
| -severity | Filter templates by severity |
| -exclude-severity | Exclude templates by severity |
| -interactsh-server | Interactsh server URL for OOB testing |
| -no-interactsh | Disable Interactsh for OOB testing |
| -follow-redirects | Follow HTTP redirects |
| -follow-host-redirects | Follow redirects on the same host |
| -max-redirects | Maximum number of redirects to follow |
| -headless | Enable headless browser support |
| -proxy | HTTP/SOCKS5 proxy to use |
| -H, -header | Custom header to add to all requests |
| -validate | Validate templates |
| -tl | List available templates |

Template Types

| Type | Description |
| --- | --- |
| HTTP | Web-based vulnerabilities |
| DNS | DNS-based vulnerabilities |
| File | Local file analysis |
| Network | Network protocol vulnerabilities |
| Headless | Browser-based vulnerabilities |
| SSL | SSL/TLS vulnerabilities |
| Websocket | Websocket vulnerabilities |
| Whois | Whois data analysis |
| Javascript | JavaScript analysis |
| Workflow | Multi-step vulnerability chains |

Matcher Types

| Type | Description |
| --- | --- |
| word | Match based on response containing specific words |
| regex | Match based on regular expressions |
| binary | Match based on binary response |
| status | Match based on HTTP status code |
| size | Match based on response size |
| dsl | Match using DSL expressions |
| xpath | Match using XPath expressions |
| jsonpath | Match using JSONPath expressions |
| gval | Match using GVAL expressions |
| kval | Match using key-value expressions |

Extractor Types

| Type | Description |
| --- | --- |
| regex | Extract data using regular expressions |
| kval | Extract key-value pairs |
| xpath | Extract data using XPath expressions |
| jsonpath | Extract data using JSONPath expressions |
| dsl | Extract data using DSL expressions |
| gval | Extract data using GVAL expressions |

Resources


This cheat sheet provides a comprehensive reference for using Nuclei, from basic scanning to advanced template creation and integration with other tools. For the most up-to-date information, always refer to the official documentation.