Nuclei is a fast and customizable vulnerability scanner based on simple YAML-based templates. It is a popular tool among security enthusiasts and professionals for performing security assessments and automated scans. The ability to define custom templates makes it highly versatile for a range of use cases. In this tutorial, we will explore the features of Nuclei, understand how to use it through the command line, and learn how to write custom templates.
Table of Contents
- Features
- Installation
- Basic Usage
- Template Usage
- Writing Custom Templates
- Troubleshooting
- Summary
Features
Nuclei Security Scanner boasts various features, such as:
- Template-based scans using YAML files
- Customizable templates for different types of security checks
- Community-contributed template repository
- Simultaneous scanning of multiple targets
- Support for various protocols including HTTP, DNS, and FILE
- Automation through scripting and integration with CI/CD pipelines
Installation
To install Nuclei, you need to have Go installed on your system. Once Go is set up, run the following command to install Nuclei (with current Go releases, go get no longer builds and installs binaries, so go install with an explicit version is used):
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
Basic Usage
Using Nuclei is straightforward. Here’s how to initiate a scan with Nuclei:
nuclei -target https://example.com -templates cves/
The above command scans the specified target using all the templates located in the 'cves' directory of the installed template collection.
Template Usage
Nuclei comes with a wide variety of templates for different security checks. To use a specific template file:
nuclei -target https://example.com -t files/directory-listing.yaml
To update the templates to the latest version from the GitHub repository, use the following command:
nuclei -update-templates
Writing Custom Templates
Writing custom templates allows for tailored scans. Templates are YAML files with a unique id, an info block (name, author and severity), and a list of requests, each with matchers that decide whether the response counts as a finding and optional extractors that pull values out of it. The examples below use the v2 key requests:; newer releases name the same section http: and still accept the old key. Here are steps and examples for creating custom templates:
Example 1: Basic HTTP GET request
id: simple-http-get
info:
  name: Basic HTTP GET Template
  author: myname
  severity: info
requests:
  - method: GET
    path:
      - "{{BaseURL}}/myPath"
    # with a single matcher the condition makes no difference; it matters
    # once several matchers must all hold
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
Example 2: Matching content type
id: content-type-matcher
info:
  name: Match HTML Content Type
  author: myname
  severity: info
requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        # part: header searches the whole response header block, so the
        # header name is written into the word itself to pin it to
        # Content-Type (a matcher's own name: key only labels it in output)
        part: header
        case-insensitive: true
        words:
          - "content-type: text/html"
Example 3: Logical conditions with matchers
id: logical-conditions
info:
  name: Logical Conditions Example
  author: myname
  severity: info
requests:
  - method: GET
    path:
      - "{{BaseURL}}/admin"
    # or: the request is reported if either matcher holds;
    # and: both must hold
    matchers-condition: or
    matchers:
      - type: word
        # between the words of one matcher the default condition is also or
        words:
          - "admin"
          - "login"
      - type: status
        status:
          - 200
Example 4: Chained requests
id: chained-request
info:
  name: Chained Request Example
  author: myname
  severity: info
requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        words:
          - "Welcome"
    extractors:
      - type: regex
        name: session      # exposes the capture to later requests as {{session}}
        internal: true     # keep the value out of the output, only reuse it
        part: body
        group: 1           # use the first capture group, not the whole match
        regex:
          - "session=([^;\\s'\"]+)"
  - method: POST
    path:
      - "{{BaseURL}}/verify"
    # raw: is for full raw HTTP requests and cannot be mixed with
    # method/path; a header is set with headers: instead
    headers:
      Cookie: "session={{session}}"
    matchers:
      - type: status
        status:
          - 200
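To make the matcher and extractor semantics of Examples 2 to 4 concrete, here is an added Python model of how they are evaluated; it is not Nuclei's own code. It covers only the subset of the template language used on this page (status and word matchers, matchers-condition, regex extractors with group and name, and {{name}} substitution into a later request), and it runs against a constructed in-memory stand-in for a target, so the hostname, the session token and the response bodies are all made up.

```python
import re

# Added example, not Nuclei's own code: a small model of how the matchers
# and extractors used in the templates above are evaluated. Templates are
# written as the dicts PyYAML would produce from the YAML files.

def _part(resp, part):
    """Return the slice of a response a matcher/extractor inspects."""
    headers = "\n".join(f"{k}: {v}" for k, v in resp["headers"].items())
    if part == "header":
        return headers
    if part == "body":
        return resp["body"]
    return headers + "\n" + resp["body"]          # part unspecified: everything

def match_one(m, resp):
    """Evaluate one matcher of type 'status' or 'word'."""
    if m["type"] == "status":
        return resp["status"] in m["status"]
    if m["type"] == "word":
        text, words = _part(resp, m.get("part", "body")), m["words"]
        if m.get("case-insensitive"):
            text, words = text.lower(), [w.lower() for w in words]
        hits = [w in text for w in words]
        # between the words of one matcher the default condition is 'or'
        return all(hits) if m.get("condition") == "and" else any(hits)
    raise ValueError(f"unsupported matcher type: {m['type']}")

def request_matches(req, resp):
    """Combine a request's matchers; the default matchers-condition is 'or'."""
    results = [match_one(m, resp) for m in req.get("matchers", [])]
    if not results:
        return True
    return all(results) if req.get("matchers-condition", "or") == "and" else any(results)

def run_extractors(req, resp):
    """Regex extractors: capture group 'group' (default 0) is stored under the extractor's name."""
    found = {}
    for ex in req.get("extractors", []):
        text = _part(resp, ex.get("part", "body"))
        for pattern in ex["regex"]:
            hit = re.search(pattern, text)
            if hit:
                found[ex.get("name", f"extractor{len(found)}")] = hit.group(ex.get("group", 0))
                break
    return found

def render(value, variables):
    """Substitute {{name}} placeholders; unknown names are left untouched."""
    return re.sub(r"\{\{(\w+)\}\}", lambda g: str(variables.get(g.group(1), g.group(0))), value)

def run_template(template, send, base_url):
    """Issue the requests in order, feeding extracted values into later ones.
    Returns one bool per request. `send(method, url, headers) -> resp` stands
    in for the network layer; resp is {'status', 'headers', 'body'}."""
    variables, outcome = {"BaseURL": base_url}, []
    for req in template["requests"]:
        headers = {k: render(v, variables) for k, v in req.get("headers", {}).items()}
        resp = send(req["method"], render(req["path"][0], variables), headers)
        outcome.append(request_matches(req, resp))
        variables.update(run_extractors(req, resp))   # extractors run even when no matcher hit
    return outcome

# Constructed stand-in for a target; the session token is made up.
def fake_server(method, url, headers):
    if url.endswith("/verify"):
        ok = method == "POST" and headers.get("Cookie") == "session=abc123"
        return {"status": 200 if ok else 403, "headers": {"Content-Type": "text/plain"}, "body": ""}
    if url.endswith("/admin"):
        return {"status": 404, "headers": {"Content-Type": "text/html"}, "body": "<h1>Admin login</h1>"}
    return {"status": 200, "headers": {"Content-Type": "text/html; charset=utf-8"},
            "body": "<p>Welcome</p><script>var s='session=abc123';</script>"}

# Examples 2 to 4 from this page, as the dicts their YAML parses into.
CONTENT_TYPE = {"requests": [{"method": "GET", "path": ["{{BaseURL}}"], "matchers": [
    {"type": "word", "part": "header", "case-insensitive": True, "words": ["content-type: text/html"]}]}]}
LOGICAL = {"requests": [{"method": "GET", "path": ["{{BaseURL}}/admin"], "matchers-condition": "or",
    "matchers": [{"type": "word", "words": ["admin", "login"]}, {"type": "status", "status": [200]}]}]}
CHAINED = {"requests": [
    {"method": "GET", "path": ["{{BaseURL}}"],
     "matchers": [{"type": "word", "words": ["Welcome"]}],
     "extractors": [{"type": "regex", "name": "session", "internal": True, "part": "body",
                     "group": 1, "regex": [r"session=([^;\s'\"]+)"]}]},
    {"method": "POST", "path": ["{{BaseURL}}/verify"], "headers": {"Cookie": "session={{session}}"},
     "matchers": [{"type": "status", "status": [200]}]}]}

if __name__ == "__main__":
    for name, t in [("content-type", CONTENT_TYPE), ("logical", LOGICAL), ("chained", CHAINED)]:
        print(name, run_template(t, fake_server, "http://target.example"))
```

Two points the model makes visible: the /admin page in the stand-in returns 404, so Example 3 is reported only because matchers-condition is or (the word "login" hits while the status matcher does not); flipping it to and suppresses the result. And the first request of Example 4 stores its capture under the extractor's name, which is what lets the second request render {{session}}; the internal flag is only about keeping the value out of the scan output.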
Troubleshooting
While using Nuclei, here are some tips for troubleshooting common issues:
- Check the installed version with 'nuclei -version' and upgrade the binary with 'nuclei -update' if it is behind
- Verify that the templates are updated with 'nuclei -update-templates'
- For problems with specific templates, verify the YAML syntax and indentation are correct (the template is rejected if required keys such as id, info.name or info.author are missing)
- Check network connectivity to the target
- Use verbose mode with the '-v' flag to debug HTTP requests and responses
Summary
We have covered the basics of Nuclei Security Scanner, its features, installation, and how to utilize the tool through various command-line examples. We also delved into creating custom templates with examples to help you start crafting tailored scans for your requirements. By using Nuclei, you can enhance your security testing and potentially uncover vulnerabilities that can be addressed before they are exploited maliciously.
