Nuclei is a fast and efficient vulnerability scanner that allows penetration testers to automate the process of identifying and exploiting security vulnerabilities in web applications, services, and infrastructure. This comprehensive nuclei cheatsheet will help you get started with the tool, understand its various features, and optimize your security testing process. Make sure to bookmark this page for quick reference during your penetration testing engagements.
Installing Nuclei
Before you can use the nuclei cheatsheet, ensure that you have the tool installed on your system. To install nuclei, follow the steps below:
- Ensure you have the latest version of Go installed on your system.
- Run the following command to download and install nuclei:
GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei
Nuclei Command-Line Options
Nuclei offers several command-line options to customize its behavior. Here’s a quick overview of the most important options:
-c, --concurrency: The number of concurrent requests to send (default: 25).-l, --list: The list of targets to scan.-nC, --no-color: Disable colored output.-o, --output: File to write output results.-r, --retries: The number of times to retry a failed request (default: 1).-t, --templates: The list of nuclei templates to use for scanning.-u, --update-templates: Update the nuclei-templates repository.-v, --verbose: Enable verbose output.-V, --version: Show nuclei version information.
Basic Nuclei Usage
The nuclei cheatsheet includes several examples to help you understand how to use the tool effectively. Here’s a basic example to get you started:
nuclei -l targets.txt -t nuclei-templates/cves/
In this example, nuclei scans a list of targets specified in the targets.txt file using the CVE templates from the nuclei-templates repository.
Updating Nuclei Templates
Nuclei relies on a repository of templates to identify and exploit vulnerabilities. To update the nuclei-templates repository, run the following command:
nuclei templates
Creating Custom Templates
Creating custom templates is essential for optimizing your penetration testing process. Here’s a basic template structure to help you get started:
Template Components
id: Unique identifier for the template.info: Metadata about the template.requests: Defines the HTTP requests to be sent.matchers: Conditions to determine if the response matches the expected pattern.
Tips for Effective Nuclei Usage
- Regularly update the nuclei-templates repository to stay up-to-date with the latest vulnerabilities.
- Customize existing templates or create your own to suit your unique testing requirements.
- Use the
-oflag to save your results in a file for further analysis and reporting.
Advanced Nuclei Usage
To enhance your penetration testing experience, take advantage of the following advanced nuclei features:
Using Custom Headers
You can add custom headers to the HTTP requests sent by nuclei. This is particularly useful when testing authenticated endpoints or specific user agents:
nuclei -l targets.txt -t nuclei-templates/custom/ -H -H
Tuning Concurrency and Retries
Adjust the concurrency and retries options to improve the performance and reliability of your scans:
nuclei -l targets.txt -t nuclei-templates/custom/ -c 50 -r 3
This example sets the concurrency to 50 requests and the number of retries to 3.
Excluding Templates
In certain scenarios, you may want to exclude specific templates from your scans. Use the --exclude flag to achieve this:
nuclei -l targets.txt -t nuclei-templates/custom/ --exclude
Using Workflow Templates
Workflow templates enable you to chain multiple templates together and execute them in a specific order. This feature is useful for organizing complex testing scenarios. Create a workflow template as follows:
To use the workflow template, execute the following command:
nuclei -l targets.txt -t -workflow.yaml
Integrating Nuclei with Other Tools
Nuclei can be integrated with other security testing tools for a seamless and efficient workflow. Below are some examples:
Combining Nuclei with Subfinder
Subfinder is a subdomain enumeration tool that can be used alongside nuclei to identify vulnerabilities in newly discovered subdomains:
subfinder -d example.com -silent | nuclei -t nuclei-templates/cves/ -c 50
Integrating Nuclei with HTTPX
HTTPX is a powerful HTTP toolkit that can be used to filter and process URLs before passing them to nuclei:
targets.txt | httpx -silent | nuclei -t nuclei-templates/cves/
Conclusion
The nuclei cheatsheet is an invaluable resource for both novice and experienced penetration testers looking to optimize their security testing process. By using nuclei effectively, you can automate the detection and exploitation of vulnerabilities, ultimately strengthening your organization’s security posture. Don’t forget to share this cheatsheet with your fellow penetration testers to help them master the nuclei tool as well.