What is Nuclei?
Nuclei is an open-source tool developed by ProjectDiscovery, designed to streamline the process of identifying vulnerabilities, misconfigurations, and other security issues. It uses a template-driven approach, which allows users to define specific behaviors for scans. By leveraging YAML templates, Nuclei can be easily customized to suit different penetration testing scenarios.
Why Nuclei Stands Out:
- Speed: Capable of handling large-scale scanning efficiently.
- Extensibility: YAML templates allow the addition of custom vulnerabilities.
- Versatility: Supports scanning across multiple protocols, including HTTP, DNS, SSL, and more.
- Community-Driven: Regular updates and contributions from the security community.
- Seamless Integration: Works well in combination with asset discovery tools like Subfinder and HTTPx, and integrates into CI/CD pipelines.
Whether you are performing reconnaissance, scanning for specific CVEs, or hunting for misconfigurations, Nuclei is a highly valuable tool in the arsenal of any ethical hacker or penetration tester.
Getting Started with Nuclei
Installation of Nuclei:
# Using Homebrew (macOS)
brew install nuclei
# Using APT (Linux)
apt install nuclei
# Using Go (any platform)
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
Customizing Nuclei Templates
Template Structure
Nuclei templates are written in YAML and follow this structure:
id: example-template

info:
  name: Example Template
  author: your-name
  severity: medium
  description: "A basic example template"

requests:
  - method: GET
    path:
      - "{{BaseURL}}/example-path"
    matchers:
      - type: word
        words:
          - "Example keyword"
Steps to Create Custom Templates
- Identify Target Behavior: Determine what the request and response should look like for the issue you’re testing.
- Define Template Metadata: Include fields like `id`, `name`, `author`, `severity`, and `description`.
- Write Request Logic: Specify the HTTP method, paths, headers, and payloads.
- Define Matchers: Use matchers to identify patterns in the response.
Using Nuclei to find WordPress Login Pages
id: wp-admin-login

info:
  name: Detect Exposed wp-admin Login Pages
  author: parrotassassin15
  severity: medium
  description: "Identify publicly accessible WordPress admin login pages with minimal false positives."

requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin"
      - "{{BaseURL}}/wp-login.php"
    headers:
      User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" # Custom user agent
    redirects: true
    matchers-condition: and # Every matcher below must hit; the default "or" would fire on any 200 response
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "WordPress" # Confirm WordPress presence
          - "wp-login" # WordPress-specific login form keyword
        part: body
      - type: regex
        regex:
          - "<input[^>]+name=\"log\"" # WordPress login form username field
          - "<input[^>]+name=\"pwd\"" # WordPress login form password field
        part: body
      - type: word
        words:
          - "X-Frame-Options" # Common header in WordPress
        part: header
      - type: regex
        regex:
          - "wp-admin/(css|js)/" # Ensure WordPress assets are loaded
        part: body
Screenshot showing its success:
Nuclei Options and Matchers
Common Nuclei CLI Options
Option | Description |
---|---|
-u | Target URL |
-list | List of target URLs |
-t | Template or directory of templates |
-severity | Filter templates by severity (low, medium) |
-o | Output file for scan results |
-rate-limit | Limit requests per second |
-silent | Only output results |
Matchers Syntax
Matcher Type | Description |
---|---|
word | Match specific words in the response |
regex | Match patterns using regular expressions |
status | Match HTTP status codes |
size | Match response size |
dsl | Use custom logical conditions |
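To make the matcher table concrete, here is a small Python model of how Nuclei combines word, regex, status and size matchers, including the `part`, `condition` and `matchers-condition` keys and their defaults (`body`, `or`, `or`). This is an added illustration written for this page, not Nuclei's own implementation; the `dsl` type is left out, and the two HTTP responses are constructed inline rather than captured from a real host. It takes the status, word and regex matchers from the wp-admin template above and shows why the request-level `matchers-condition` matters: with the default `or`, the status matcher alone fires on any page that returns 200.

```python
import re

# Minimal model of Nuclei's HTTP matcher evaluation (added example, not Nuclei's
# code). Covers word/regex/status/size with Nuclei's defaults:
# part: body, condition: or, matchers-condition: or.


def _part_text(response, part):
    """Return the slice of the response a matcher inspects (body, header or all)."""
    header_text = "\n".join(f"{k}: {v}" for k, v in response["headers"].items())
    if part == "header":
        return header_text
    if part == "all":
        return header_text + "\n\n" + response["body"]
    return response["body"]


def match_one(matcher, response):
    """Evaluate a single matcher dict against a response dict."""
    # 'condition' joins the words/regexes inside one matcher; default is 'or'.
    combine = all if matcher.get("condition", "or") == "and" else any
    mtype = matcher["type"]
    if mtype == "status":
        return response["status"] in matcher["status"]
    if mtype == "size":
        return len(response["body"].encode()) in matcher["size"]
    text = _part_text(response, matcher.get("part", "body"))
    if mtype == "word":
        return combine(word in text for word in matcher["words"])
    if mtype == "regex":
        return combine(re.search(pattern, text) is not None for pattern in matcher["regex"])
    raise ValueError(f"unsupported matcher type: {mtype}")


def evaluate(matchers, response, matchers_condition="or"):
    """Join all matchers the way the request-level matchers-condition does."""
    combine = all if matchers_condition == "and" else any
    return combine(match_one(m, response) for m in matchers)


# The status, word and regex matchers of the wp-admin template above.
WP_MATCHERS = [
    {"type": "status", "status": [200]},
    {"type": "word", "words": ["WordPress", "wp-login"], "part": "body"},
    {"type": "regex",
     "regex": [r'<input[^>]+name="log"', r'<input[^>]+name="pwd"'],
     "part": "body"},
]

# Constructed responses for the demonstration (not captured from a real site).
WP_LOGIN_PAGE = {
    "status": 200,
    "headers": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "body": '<html><body class="login wp-core-ui">'
            '<form name="loginform" action="wp-login.php">'
            '<input type="text" name="log" id="user_login">'
            '<input type="password" name="pwd" id="user_pass"></form>'
            '<p>Powered by WordPress</p></body></html>',
}
GENERIC_PAGE = {
    "status": 200,
    "headers": {"Content-Type": "text/html"},
    "body": "<html><body><h1>Hello</h1></body></html>",
}


def false_positive_demo():
    """(or_result, and_result) for a non-WordPress 200 page: 'or' fires, 'and' does not."""
    return (
        evaluate(WP_MATCHERS, GENERIC_PAGE, "or"),
        evaluate(WP_MATCHERS, GENERIC_PAGE, "and"),
    )


if __name__ == "__main__":
    print("WordPress login page, matchers-condition and:",
          evaluate(WP_MATCHERS, WP_LOGIN_PAGE, "and"))
    print("generic 200 page, or / and:", false_positive_demo())
```

Running it prints `True` for the real login page under `and`, and `(True, False)` for the generic page: the same matchers produce a false positive under the default `or` and a correct miss under `and`, which is why the wp-admin template benefits from an explicit `matchers-condition`.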
Checklist: Optimizing Nuclei Scans
- Pre-scan Preparation
- Execution
- Post-scan Analysis
Visualizing Nuclei Data
Common Findings with Nuclei
High-Risk CVEs    | ████████████████████
Misconfigurations | ████████████
Open Redirects    | ███████
Sensitive Files   | ██████████
SSL Issues        | ██████
Exposed Panels    | ████████
Scan Workflow Flowchart
[Start]
|
[Asset Discovery]
|
[Run Nuclei Scans]
|
[Filter Results]
|
[Manual Validation]
|
[Report Findings]
|
[End]
Advanced Tips
- Use Tags for Targeted Scans
nuclei -tags cve,dns
- Leverage `dsl` Matchers for Complex Logic
matchers-condition: and
matchers:
  - type: dsl
    dsl:
      - "status_code == 200 && contains(body, 'login')" # DSL uses the contains() function, not an infix operator
- Integrate Nuclei in CI/CD Pipelines
- Automate scans for new deployments.
- Trigger Nuclei during code pushes to staging environments.
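The Post-scan Analysis item of the checklist, the Filter Results stage of the flowchart and the CI/CD tip all come down to the same step: read Nuclei's JSON-lines output, drop duplicates, summarize by severity and decide whether the build should fail. The Python below is an added example for this page, not part of Nuclei or its repository. The sample output is constructed inline (hosts under `example.test`, a placeholder template id for the high-severity hit); its keys (`template-id`, `info.severity`, `host`, `matched-at`) follow Nuclei's JSON line format as I know it, so check them against the output of your own version (`-json` in the v2 release the install line above targets, `-jsonl` in v3).

```python
import json
from collections import Counter

# Nuclei's severity scale, lowest to highest; the -severity flag uses the same names.
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Constructed sample of JSON-lines scan output (not a real scan). Line 2 repeats
# line 1, as happens when two target lists overlap or a scan is re-run.
SAMPLE_JSONL = """\
{"template-id":"wp-admin-login","info":{"name":"Detect Exposed wp-admin Login Pages","severity":"medium"},"type":"http","host":"https://shop.example.test","matched-at":"https://shop.example.test/wp-login.php"}
{"template-id":"wp-admin-login","info":{"name":"Detect Exposed wp-admin Login Pages","severity":"medium"},"type":"http","host":"https://shop.example.test","matched-at":"https://shop.example.test/wp-login.php"}
{"template-id":"example-high-finding","info":{"name":"Placeholder high-severity template","severity":"high"},"type":"http","host":"https://api.example.test","matched-at":"https://api.example.test/debug"}
{"template-id":"tech-detect","info":{"name":"Technology detection","severity":"info"},"type":"http","host":"https://www.example.test","matched-at":"https://www.example.test"}
"""


def _rank(severity):
    """Position on the severity scale; unknown values are treated as info."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def parse_findings(jsonl_text):
    """Parse one JSON object per line into flat finding dicts; blank lines are skipped."""
    findings = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        findings.append({
            "template": obj["template-id"],
            "name": obj["info"].get("name", obj["template-id"]),
            "severity": obj["info"].get("severity", "info").lower(),
            "host": obj["host"],
            "matched_at": obj.get("matched-at", obj["host"]),
        })
    return findings


def dedupe(findings):
    """Keep the first occurrence of each (template, matched_at) pair."""
    seen, unique = set(), []
    for finding in findings:
        key = (finding["template"], finding["matched_at"])
        if key not in seen:
            seen.add(key)
            unique.append(finding)
    return unique


def summarize(findings):
    """Count findings per severity, e.g. {'medium': 1, 'high': 1, 'info': 1}."""
    return dict(Counter(f["severity"] for f in findings))


def at_or_above(findings, threshold):
    """Findings whose severity is at least `threshold`, in their original order."""
    return [f for f in findings if _rank(f["severity"]) >= _rank(threshold)]


def pipeline_should_fail(jsonl_text, threshold="high"):
    """CI/CD gate: True when any deduplicated finding meets the threshold."""
    actionable = at_or_above(dedupe(parse_findings(jsonl_text)), threshold)
    return len(actionable) > 0


if __name__ == "__main__":
    unique = dedupe(parse_findings(SAMPLE_JSONL))
    print("unique findings:", len(unique), summarize(unique))
    for f in at_or_above(unique, "medium"):
        print(f"{f['severity']:>8}  {f['template']:<22} {f['matched_at']}")
    print("fail build at high+:", pipeline_should_fail(SAMPLE_JSONL, "high"))
```

In a pipeline this would read the file written with `-o` (with JSON-lines output enabled) and exit non-zero when `pipeline_should_fail` returns `True`; the threshold is the knob that keeps staging deployments from being blocked on info-level technology detections while still stopping on high and critical hits.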
Conclusion
Nuclei empowers security professionals to efficiently identify vulnerabilities with minimal setup. By mastering custom templates and utilizing the cheat sheets and tools provided here, you can enhance your security assessments and streamline your workflows. With its modular design and community-driven template repository, Nuclei is an indispensable tool in any ethical hacker’s arsenal.