Home Cheat Sheets Nuclei Cheatsheet: The Go-to Resource for Penetration Testers

Nuclei Cheatsheet: The Go-to Resource for Penetration Testers

by Mic Johnson
nuclei cheat sheet

Nuclei is a fast and efficient vulnerability scanner that allows penetration testers to automate the process of identifying and exploiting security vulnerabilities in web applications, services, and infrastructure. This comprehensive nuclei cheatsheet will help you get started with the tool, understand its various features, and optimize your security testing process. Make sure to bookmark this page for quick reference during your penetration testing engagements.

Installing Nuclei

Before you can use the nuclei cheatsheet, ensure that you have the tool installed on your system. To install nuclei, follow the steps below:

  1. Ensure you have the latest version of Go installed on your system.
  2. Run the following command to download and install nuclei:
GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei

Nuclei Command-Line Options

Nuclei offers several command-line options to customize its behavior. Here’s a quick overview of the most important options:

  • -c, --concurrency: The number of concurrent requests to send (default: 25).
  • -l, --list: The list of targets to scan.
  • -nC, --no-color: Disable colored output.
  • -o, --output: File to write output results.
  • -r, --retries: The number of times to retry a failed request (default: 1).
  • -t, --templates: The list of nuclei templates to use for scanning.
  • -u, --update-templates: Update the nuclei-templates repository.
  • -v, --verbose: Enable verbose output.
  • -V, --version: Show nuclei version information.

Basic Nuclei Usage

The nuclei cheatsheet includes several examples to help you understand how to use the tool effectively. Here’s a basic example to get you started:

nuclei -l targets.txt -t nuclei-templates/cves/

In this example, nuclei scans a list of targets specified in the targets.txt file using the CVE templates from the nuclei-templates repository.

Updating Nuclei Templates

Nuclei relies on a repository of templates to identify and exploit vulnerabilities. To update the nuclei-templates repository, run the following command:

nuclei -update-templates

Creating Custom Templates

Creating custom templates is essential for optimizing your penetration testing process. Here’s a basic template structure to help you get started:

id: custom-template
info:
name: Custom Template Example
author: yourname
severity: low
requests:
- method: GET
path:
- "{{BaseURL}}/example"
matchers:
- type: word
words:
- "example"
condition: and

Template Components

  • id: Unique identifier for the template.
  • info: Metadata about the template.
  • requests: Defines the HTTP requests to be sent.
  • matchers: Conditions to determine if the response matches the expected pattern.

Tips for Effective Nuclei Usage

  1. Regularly update the nuclei-templates repository to stay up-to-date with the latest vulnerabilities.
  2. Customize existing templates or create your own to suit your unique testing requirements.
  3. Use the -o flag to save your results in a file for further analysis and reporting.

Advanced Nuclei Usage

To enhance your penetration testing experience, take advantage of the following advanced nuclei features:

Using Custom Headers

You can add custom headers to the HTTP requests sent by nuclei. This is particularly useful when testing authenticated endpoints or specific user agents:

nuclei -l targets.txt -t nuclei-templates/custom/ -H "Authorization: Bearer your_token" -H "User-Agent: custom-user-agent"

Tuning Concurrency and Retries

Adjust the concurrency and retries options to improve the performance and reliability of your scans:

nuclei -l targets.txt -t nuclei-templates/custom/ -c 50 -r 3

This example sets the concurrency to 50 requests and the number of retries to 3.

Excluding Templates

In certain scenarios, you may want to exclude specific templates from your scans. Use the --exclude flag to achieve this:

nuclei -l targets.txt -t nuclei-templates/custom/ --exclude "nuclei-templates/excluded-template.yaml"

Using Workflow Templates

Workflow templates enable you to chain multiple templates together and execute them in a specific order. This feature is useful for organizing complex testing scenarios. Create a workflow template as follows:

id: custom-workflow
info:
name: Custom Workflow Example
author: yourname
workflows:
- template: nuclei-templates/cves/cve-2020-12345.yaml
- template: nuclei-templates/cves/cve-2021-6789.yaml

To use the workflow template, execute the following command:

nuclei -l targets.txt -t custom-workflow.yaml

Integrating Nuclei with Other Tools

Nuclei can be integrated with other security testing tools for a seamless and efficient workflow. Below are some examples:

Combining Nuclei with Subfinder

Subfinder is a subdomain enumeration tool that can be used alongside nuclei to identify vulnerabilities in newly discovered subdomains:

subfinder -d example.com -silent | nuclei -t nuclei-templates/cves/ -c 50

Integrating Nuclei with HTTPX

HTTPX is a powerful HTTP toolkit that can be used to filter and process URLs before passing them to nuclei:

cat targets.txt | httpx -silent | nuclei -t nuclei-templates/cves/

Conclusion

The nuclei cheatsheet is an invaluable resource for both novice and experienced penetration testers looking to optimize their security testing process. By using nuclei effectively, you can automate the detection and exploitation of vulnerabilities, ultimately strengthening your organization’s security posture. Don’t forget to share this cheatsheet with your fellow penetration testers to help them master the nuclei tool as well.

You may also like