
The Ultimate Guide to Nuclei Enumeration Scanner

What is Nuclei?

Nuclei is an open-source scanner developed by ProjectDiscovery for identifying vulnerabilities, misconfigurations, exposed panels and similar security issues across large numbers of hosts. It is template-driven: each check is a YAML template that describes the request to send and the conditions under which a response counts as a match, so scans can be tailored to a penetration testing engagement by writing or selecting templates rather than by changing the tool.

Why Nuclei Stands Out:

  • Speed: built for large-scale scanning, with configurable concurrency and rate limiting.
  • Extensibility: YAML templates let you add checks for your own findings, not only published CVEs.
  • Versatility: supports HTTP, DNS, TCP (network), SSL/TLS, file, headless-browser and other protocol types.
  • Community-driven: regular updates and contributions to the public nuclei-templates repository.
  • Seamless integration: pairs with asset discovery tools such as subfinder and httpx, and fits into CI/CD pipelines.

Whether you are performing reconnaissance, scanning for specific CVEs, or hunting for misconfigurations, Nuclei is a highly valuable tool in the arsenal of any ethical hacker or penetration tester.


Getting Started with Nuclei

Installation of Nuclei:

# Using Homebrew (macOS)
brew install nuclei

# Using APT (Kali Linux and other distributions that package it)
apt install nuclei

# Using Go (any platform). The current major version is v3; the older
# .../nuclei/v2/... module path only installs 2.x releases.
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Templates are downloaded on first run; keep them current with
nuclei -update-templates

Customizing Nuclei Templates

Template Structure

Nuclei templates are written in YAML. The info block carries metadata, and a protocol block (http for web checks; older templates use the deprecated requests key, which still parses) carries the requests to send and the matchers that decide whether a response is a finding:

id: example-template

info:
  name: Example Template
  author: your-name
  severity: medium
  description: "A basic example template"
  tags: example

http:                       # written as "requests:" in older templates
  - method: GET
    path:
      - "{{BaseURL}}/example-path"
    matchers:
      - type: word
        words:
          - "Example keyword"

Steps to Create Custom Templates

  1. Identify target behavior: determine what the request and response look like for the issue you are testing, and how they differ from a non-vulnerable host.
  2. Define template metadata: fill in id, name, author, severity, description and tags.
  3. Write request logic: specify the HTTP method, paths, headers and payloads under the http section.
  4. Define matchers: use matchers to identify patterns in the response, and set matchers-condition: and when several matchers must all hold; by default Nuclei ORs them.
  5. Test the template: run nuclei -validate -t your-template.yaml to check the syntax, then scan one host you know is affected and one you know is not.

Using Nuclei to find WordPress Login Pages

id: wp-admin-login

info:
  name: Detect Exposed wp-admin Login Pages
  author: parrotassassin15
  severity: medium
  description: "Identify publicly accessible WordPress admin login pages with minimal false positives."
  tags: wordpress,panel

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin"
      - "{{BaseURL}}/wp-login.php"
    headers:
      User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"  # Browser-like user agent
    redirects: true       # /wp-admin redirects anonymous users to wp-login.php
    max-redirects: 3
    # Required for the "minimal false positives" goal: without it Nuclei ORs the
    # matchers below, so any 200 response would be reported as a finding.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "WordPress"  # wp-login.php page title ends in "WordPress"
          - "wp-login"   # form action / body class on the login page
        part: body
      - type: regex
        regex:
          - "<input[^>]+name=\"log\""  # WordPress login form username field
          - "<input[^>]+name=\"pwd\""  # WordPress login form password field
        part: body
      - type: word
        words:
          - "X-Frame-Options"  # wp-login.php sends X-Frame-Options: SAMEORIGIN
        part: header
      - type: regex
        regex:
          - "wp-admin/(css|js)/"  # Ensure WordPress assets are loaded
        part: body

[Screenshot: the template matching a live WordPress login page]


Nuclei Options and Matchers

Common Nuclei CLI Options

Option                   Description
-u / -target             Target URL or host to scan
-l / -list               File containing one target per line
-t / -templates          Template file or directory of templates
-tags                    Run only templates carrying the given tags (comma-separated, e.g. cve,wordpress)
-s / -severity           Run only templates of the given severities (info, low, medium, high, critical, unknown)
-o / -output             Write results to a file
-jsonl                   Emit results as JSON Lines, one finding per line (named -json in v2)
-rl / -rate-limit        Maximum requests per second (default 150)
-silent                  Print only findings, no banner or progress output
-ut / -update-templates  Update the nuclei-templates repository
-validate                Check template syntax without scanning

Matchers Syntax

Matcher type   Description
word           Match literal strings in the chosen part of the response
regex          Match regular expressions
status         Match HTTP status codes
size           Match the response size in bytes
binary         Match hex-encoded byte sequences (file signatures, magic bytes)
xpath          Match XPath expressions against HTML/XML bodies
dsl            Evaluate an expression over response variables (status_code, body, content_length, ...)

Every matcher accepts part (body, header or all, defaulting to the whole response), negative: true to invert it, and condition: and/or for lists of words or regexes inside one matcher (default or). Across matchers, matchers-condition: and/or decides whether all or any must fire (default or).

Checklist: Optimizing Nuclei Scans

  1. Pre-scan preparation
    • Confirm the targets are in scope and that you are authorised to test them.
    • Update templates (nuclei -update-templates) so CVE checks are current.
    • Validate any custom templates (nuclei -validate -t custom/).
  2. Execution
    • Pick the template set deliberately (-tags, -severity, -t) rather than running everything.
    • Set -rate-limit, and a browser-like User-Agent with -H, so the scan does not trip WAFs or degrade the target.
    • Write machine-readable output (-jsonl -o results.jsonl) for later filtering.
  3. Post-scan analysis
    • Collapse duplicate hits (same template, same host, different paths).
    • Triage by severity and manually validate anything you intend to report; keyword and status-code matchers produce false positives.

Visualizing Nuclei Data

Common Findings with Nuclei

High-Risk CVEs   | ████████████████████
Misconfigurations| ████████████
Open Redirects   | ███████
Sensitive Files  | ██████████
SSL Issues       | ██████
Exposed Panels   | ████████

Scan Workflow Flowchart

[Start]
   |
[Asset Discovery]
   |
[Run Nuclei Scans]
   |
[Filter Results]
   |
[Manual Validation]
   |
[Report Findings]
   |
[End]

Advanced Tips

  1. Use tags for targeted scans. Tags are matched as OR, so combined with -u or -list this runs every template tagged either cve or dns:

     nuclei -tags cve,dns

  2. Leverage dsl matchers for complex logic. DSL expressions use helper functions such as contains() rather than an infix "contains" keyword, and matchers-condition: and makes every listed matcher mandatory when more than one is present:

     matchers-condition: and
     matchers:
       - type: dsl
         dsl:
           - "status_code == 200 && contains(body, 'login')"
  3. Integrate Nuclei in CI/CD Pipelines
    • Automate scans for new deployments.
    • Trigger Nuclei during code pushes to staging environments.
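The post-scan analysis step of the checklist (collapse duplicates, triage by severity) and the CI/CD gate suggested above share one piece of plumbing: reading the JSON Lines that nuclei -jsonl writes. The following Python script is an added example, not code from the original post or from ProjectDiscovery. The field names it reads (template-id, info.severity, host, matched-at, matcher-name) follow Nuclei's JSON result format; the sample lines embedded in it are constructed for the example and are not real scan output, and the template id exposed-debug-endpoint is a made-up placeholder.

```python
"""Post-scan analysis of Nuclei JSONL output (nuclei -jsonl -o results.jsonl).

Added example, not code from the original post or from ProjectDiscovery.
The field names used (template-id, info.severity, host, matched-at, matcher-name)
follow Nuclei's JSON result format; SAMPLE_JSONL below is constructed, not real
scan output, and "exposed-debug-endpoint" is a placeholder template id.
"""
import json
from collections import Counter

# Severity ladder used for filtering and triage ordering (Nuclei's severity values).
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

# Constructed sample: one medium-severity panel hit reported twice (via /wp-admin and
# /wp-login.php), an info-level technology detection, a high-severity hit on a
# placeholder debug endpoint, and one banner line of the kind that lands in the
# file when stderr is merged into stdout.
SAMPLE_JSONL = """\
{"template-id":"wp-admin-login","info":{"name":"Detect Exposed wp-admin Login Pages","severity":"medium"},"type":"http","host":"https://blog.example.com","matched-at":"https://blog.example.com/wp-login.php","timestamp":"2024-05-01T10:00:00Z"}
{"template-id":"wp-admin-login","info":{"name":"Detect Exposed wp-admin Login Pages","severity":"medium"},"type":"http","host":"https://blog.example.com","matched-at":"https://blog.example.com/wp-admin","timestamp":"2024-05-01T10:00:01Z"}
{"template-id":"tech-detect","info":{"name":"Technology Detection","severity":"info"},"type":"http","host":"https://blog.example.com","matched-at":"https://blog.example.com","matcher-name":"wordpress","timestamp":"2024-05-01T10:00:02Z"}
{"template-id":"exposed-debug-endpoint","info":{"name":"Exposed Debug Endpoint (constructed example)","severity":"high"},"type":"http","host":"https://api.example.com","matched-at":"https://api.example.com/debug","timestamp":"2024-05-01T10:00:03Z"}
[INF] constructed banner line that is not JSON and must be skipped
"""


def parse_results(text):
    """Return one dict per JSON result line; banner lines and malformed JSON are skipped."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "template-id" in obj:
            results.append(obj)
    return results


def severity_of(result):
    """Severity string from info.severity, defaulting to 'unknown' when absent."""
    return str(result.get("info", {}).get("severity", "unknown")).lower()


def filter_by_severity(results, minimum="medium"):
    """Keep findings whose severity is at or above `minimum`."""
    floor = SEVERITY_RANK[minimum]
    return [r for r in results if SEVERITY_RANK.get(severity_of(r), 0) >= floor]


def dedupe(results):
    """Collapse repeated hits of one template on one host (different paths, same issue).

    The matcher name is part of the key so multi-matcher templates such as
    technology detection keep one entry per matched technology.
    """
    first_seen = {}
    for r in results:
        key = (r["template-id"], r.get("host", ""), r.get("matcher-name", ""))
        first_seen.setdefault(key, r)
    return list(first_seen.values())


def severity_summary(results):
    """Count findings per severity, e.g. {'medium': 2, 'info': 1, 'high': 1}."""
    return dict(Counter(severity_of(r) for r in results))


def triage_order(results):
    """Order for manual validation: highest severity first, then host, then template id."""
    return sorted(
        results,
        key=lambda r: (-SEVERITY_RANK.get(severity_of(r), 0), r.get("host", ""), r["template-id"]),
    )


def analyse(text, minimum="medium"):
    """Full pipeline: parse -> dedupe -> filter -> order; returns (severity, template-id, matched-at) tuples."""
    ordered = triage_order(filter_by_severity(dedupe(parse_results(text)), minimum))
    return [(severity_of(r), r["template-id"], r.get("matched-at", "")) for r in ordered]


def ci_exit_code(results, fail_on="high"):
    """Pipeline gate: 1 if any deduplicated finding is at or above `fail_on`, else 0."""
    return 1 if filter_by_severity(dedupe(results), fail_on) else 0


if __name__ == "__main__":
    import sys

    # Read a real results file if one is given, otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSONL
    parsed = parse_results(text)
    print(f"{len(parsed)} findings, by severity: {severity_summary(parsed)}")
    for sev, template_id, where in analyse(text):
        print(f"{sev:<8} {template_id:<24} {where}")
    sys.exit(ci_exit_code(parsed))
```

Run it as python3 triage.py results.jsonl after a scan: the exit status is 1 when a high or critical finding survives deduplication, which is the condition a pipeline stage should fail on, while the printed list is the triage order for manual validation. The dedupe key deliberately excludes matched-at so that /wp-admin and /wp-login.php count as one exposed panel, not two.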

Conclusion

Nuclei empowers security professionals to efficiently identify vulnerabilities with minimal setup. By mastering custom templates and utilizing the cheat sheets and tools provided here, you can enhance your security assessments and streamline your workflows. With its modular design and community-driven template repository, Nuclei is an indispensable tool in any ethical hacker’s arsenal.
