
Beginner's guide to the Nuclei vulnerability scanner

Hello, aspiring ethical hackers. In our previous blog post, you learnt about vulnerability scanning. In this article, you will learn about Nuclei, a fast, high-performance and customizable vulnerability scanner driven by YAML-based templates. Its features include:

  • A simple YAML format for writing and customizing vulnerability templates.
  • Templates contributed by thousands of security professionals, so trending vulnerabilities are covered quickly.
  • Fewer false positives, because templates reproduce the real-world steps needed to confirm a vulnerability instead of only matching version banners.
  • Ultra-fast parallel scanning with request clustering (templates that need the same request share a single one).
  • Integration into CI/CD pipelines for vulnerability detection and regression testing.
  • Support for multiple protocols such as TCP, DNS, HTTP, SSL, WHOIS, JavaScript, code, file and more.
  • Integration with Jira, Splunk, GitHub, Elastic and GitLab.

Let's see how this tool works. We will use Kali Linux as the attacker system, since Nuclei is packaged in its repositories, and Metasploitable 2 as the target; both are part of our Simple Hacking Lab. Nuclei can be installed on Kali with the apt package manager, as shown below.

Scanning (-u, -t)

The target to scan, a URL, hostname or IP address, is passed to Nuclei with the -u option, as shown below. With no template selection, every installed template is run against it.

Here is what its output looks like. Each finding line shows the template id, the protocol, the severity and the URL or host that matched.
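As an added, self-contained example (our own script, not code from the original post or from ProjectDiscovery), the following installs Nuclei from the Kali repositories if it is missing, refreshes the template collection, scans a single target with -u, saves the findings as JSON lines and prints them in a compact form. The target address 192.0.2.10, the file names and the sample result lines are constructed assumptions; the field extraction assumes the compact one-object-per-line layout that Nuclei v3's -jsonl flag writes.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): install Nuclei on Kali,
# refresh its templates, scan one target with -u and list the findings.
# Assumptions: Kali's apt package is named "nuclei", 192.0.2.10 stands in
# for your Metasploitable 2 VM, and Nuclei is v3, whose -jsonl flag writes
# one compact JSON object per finding line.
set -u

TARGET="${TARGET:-http://192.0.2.10}"          # assumed lab address
OUTFILE="${OUTFILE:-nuclei-first-scan.jsonl}"  # assumed output file name

# Install from the Kali repositories if the binary is missing, then make
# sure the ~/nuclei-templates checkout is current before scanning.
ensure_nuclei() {
    if ! command -v nuclei >/dev/null 2>&1; then
        sudo apt-get update && sudo apt-get install -y nuclei
    fi
    nuclei -version
    nuclei -update-templates
}

# Scan a single URL/host with every installed template; -jsonl -o keeps the
# findings as JSON lines, -stats prints progress counters while it runs.
scan_target() {
    nuclei -u "$1" -jsonl -o "$2" -stats
}

# Print one line per finding: severity, template id, matched URL.
# Extraction relies on the compact JSON layout of -jsonl output.
list_findings() {
    while IFS= read -r line; do
        sev=$(printf '%s\n' "$line" | grep -o '"severity":"[a-z]*"' | head -n1 | cut -d'"' -f4)
        tid=$(printf '%s\n' "$line" | grep -o '"template-id":"[^"]*"' | cut -d'"' -f4)
        url=$(printf '%s\n' "$line" | grep -o '"matched-at":"[^"]*"' | cut -d'"' -f4)
        printf '%-8s %-40s %s\n' "$sev" "$tid" "$url"
    done < "$1"
}

# Count the findings of one severity in a JSONL results file.
count_severity() {
    grep -c "\"severity\":\"$2\"" "$1" || true
}

# Constructed sample of -jsonl output (two findings) so the helpers above
# can be tried without a live scan; real lines carry more fields.
write_sample_results() {
    cat > "$1" <<'EOF'
{"template-id":"phpmyadmin-panel","info":{"name":"phpMyAdmin Panel","severity":"info"},"type":"http","host":"http://192.0.2.10","matched-at":"http://192.0.2.10/phpmyadmin/","timestamp":"2024-01-01T00:00:00Z","matcher-status":true}
{"template-id":"phpmyadmin-misconfiguration","info":{"name":"phpMyAdmin Misconfiguration","severity":"medium"},"type":"http","host":"http://192.0.2.10","matched-at":"http://192.0.2.10/phpmyadmin/setup/","timestamp":"2024-01-01T00:00:01Z","matcher-status":true}
EOF
}

if [ "${1:-}" = "run" ]; then      # ./first-scan.sh run
    ensure_nuclei
    scan_target "$TARGET" "$OUTFILE"
    list_findings "$OUTFILE"
fi
```

Run it as ./first-scan.sh run after setting TARGET to your Metasploitable 2 address, or source the file and call the functions one at a time. Keeping the raw JSONL file beside the terminal output is worth the habit: the text output is for reading, the JSON lines are what you feed to a ticketing system or a later diff against the next scan.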

See all available templates (-tl)

While reading about its features, you saw that Nuclei relies on a large collection of vulnerability templates. On its first run, Nuclei downloads the public nuclei-templates repository (to ~/nuclei-templates by default) and loads those templates for every scan; the -update-templates option refreshes them later. Templates are the heart of Nuclei: a scan is nothing more than the selected templates being run against the target. You can list every installed template with the command shown below.

nuclei -tl

As already mentioned, these templates are in YAML format.

Run a particular template (-t)

If you want to run one specific template instead of all of them, pass its path (absolute, or relative to the templates directory) with -t. For example, let's run just the phpmyadmin-misconfiguration template, as shown below.
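To make the YAML format concrete, here is an added example, our own illustration rather than a template shipped in nuclei-templates or code from the original post: a minimal custom template that flags a reachable phpMyAdmin directory, plus a script that validates it and runs only that template with -t. The template id, the file name and the 192.0.2.10 target are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): write a minimal custom Nuclei
# template and run only that template with -t. The template is our own
# illustration, not one shipped in nuclei-templates; the target address
# 192.0.2.10 is an assumed lab IP.
set -u

TEMPLATE_FILE="${TEMPLATE_FILE:-custom-phpmyadmin-panel.yaml}"   # assumed name

# Every template is a YAML document with an id, an info block (name, author,
# severity, tags) and one or more protocol sections. Here a single HTTP GET
# is sent and the response must satisfy every matcher (matchers-condition: and):
# a 200 status and the word "phpMyAdmin" in the body.
write_template() {
    cat > "$1" <<'EOF'
id: custom-phpmyadmin-panel

info:
  name: phpMyAdmin Login Panel (custom)
  author: lab
  severity: info
  tags: panel,phpmyadmin,custom

http:
  - method: GET
    path:
      - "{{BaseURL}}/phpmyadmin/"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "phpMyAdmin"
EOF
}

# Nuclei can check a template for syntax and schema problems before use.
validate_template() {
    nuclei -validate -t "$1"
}

# Run just this template against one target; -silent leaves only findings.
run_template() {
    nuclei -u "$2" -t "$1" -silent
}

# Cheap offline sanity check of the file we wrote: the keys a template needs.
template_has_required_keys() {
    grep -q '^id: ' "$1" && grep -q '^  severity: ' "$1" && grep -q '^http:' "$1"
}

if [ "${1:-}" = "run" ]; then      # ./custom-template.sh run http://192.0.2.10
    write_template "$TEMPLATE_FILE"
    validate_template "$TEMPLATE_FILE"
    run_template "$TEMPLATE_FILE" "${2:-http://192.0.2.10}"
fi
```

The matchers-condition line is the part worth getting right: with "and", a page that merely returns 200 is not reported, which is what keeps template-based scanning from drowning you in false positives. Run nuclei -validate on any template you write or download before pointing it at a target.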

List all tags (-tgl)

Nuclei's templates are also grouped by tags. A tag collects all templates that concern a particular piece of software or technology, for example wordpress or ssh; each template lists its tags in its info block. All the tags known to Nuclei can be listed with the command shown below.

nuclei -tgl

Run templates belonging to a specific tag (-tags)

This option runs every template carrying a given tag. For example, to run all templates tagged ftp against our target, we use the command shown below. Several tags can be given, separated by commas.

Here’s its output.

Run code based templates (-code)

Code protocol templates run a script (for example in bash or Python) on the scanning machine instead of sending network requests, so Nuclei does not load them by default; the -code option enables them. Because they execute locally, enable this only for templates from a source you trust.

Here’s its output.

Run file based templates (-file)

Just like code templates, file protocol templates are disabled by default and enabled with this option. Instead of probing a network service, they read local files (source trees, configuration dumps, logs) and match on their contents, so the target given to Nuclei is a file or directory path rather than a URL.

Run templates based on severity (-s)

We can also select templates by the severity assigned to the vulnerability they detect. The possible values are info, low, medium, high, critical and unknown, and several can be combined with commas (for example -s high,critical). You saw in the scan results above that every finding carries one of these ratings.

For example, let's run only the templates with severity critical.

As you can see in the output, only templates rated critical are loaded and run, which makes a scan of a large target list considerably faster.

Silent mode (-silent)

Silent mode prints only the findings, suppressing the banner, progress output and statistics, which makes the output easy to pipe into other tools or save for later.

Scan multiple targets at once (-l)

Nuclei can also scan many targets in one run. Save the targets, one URL or host per line, in a text file and pass it with -l (lowercase L), as shown below.

nuclei -l <target_file>

Saving output (-o)

The findings of a Nuclei scan can be written to a file with the -o option, as shown below. By default the file holds the same text lines seen on the terminal; add -jsonl when another tool is going to parse it.
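Pulling together -l, -tags, -s, -silent and -o, the added example below (our own script, not from the original post) scans a list of targets with only the ftp and ssh templates of medium severity and above, writes the findings to a file as JSON lines, and returns a non-zero exit code when anything high or critical was found, so the scan can fail a CI job as the feature list promised. The target addresses, file names and sample result lines are constructed assumptions (the template ids in the sample are illustrative), and the severity check relies on the compact -jsonl output of Nuclei v3.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): scan a target list with only
# the templates selected by tag and severity, keep the output quiet, save the
# findings, and exit non-zero when anything high or critical was found so the
# scan can gate a CI job. Assumes Nuclei v3 (-jsonl) and a targets file with
# one URL or host per line; the addresses below are assumed lab IPs.
set -u

TARGETS_FILE="${TARGETS_FILE:-targets.txt}"          # assumed file names
RESULTS_FILE="${RESULTS_FILE:-nuclei-results.jsonl}"
FAIL_ON="${FAIL_ON:-critical,high}"   # severities that make the job fail

# Constructed target list: one target per line, as -l expects.
write_targets() {
    printf '%s\n' "http://192.0.2.10" "http://192.0.2.11:8180" > "$1"
}

# -l reads targets from a file, -tags and -s narrow the template set,
# -silent drops the banner and progress so only findings reach the terminal,
# and -jsonl -o writes the same findings as JSON lines for later processing.
scan_targets() {
    nuclei -l "$1" -tags ftp,ssh -s critical,high,medium -silent -jsonl -o "$2"
}

# Return 1 if the results file holds any finding whose severity is listed in
# FAIL_ON (comma separated), else 0. Relies on the compact -jsonl layout.
gate_findings() {
    file="$1"
    sevs=$(printf '%s' "$FAIL_ON" | tr ',' ' ')
    hits=0
    for s in $sevs; do
        n=$(grep -c "\"severity\":\"$s\"" "$file" || true)
        hits=$((hits + n))
    done
    if [ "$hits" -gt 0 ]; then
        echo "gate: $hits finding(s) at severity [$FAIL_ON] in $file" >&2
        return 1
    fi
    echo "gate: no findings at severity [$FAIL_ON] in $file" >&2
    return 0
}

# Constructed sample output (template ids illustrative) so the gate can be
# tried without a live scan.
write_sample_results() {
    cat > "$1" <<'EOF'
{"template-id":"CVE-2011-2523","info":{"name":"vsftpd 2.3.4 Backdoor","severity":"critical"},"type":"tcp","host":"192.0.2.10:21","matched-at":"192.0.2.10:21","timestamp":"2024-01-01T00:00:00Z","matcher-status":true}
{"template-id":"ftp-anonymous-login","info":{"name":"FTP Anonymous Login","severity":"medium"},"type":"tcp","host":"192.0.2.11:21","matched-at":"192.0.2.11:21","timestamp":"2024-01-01T00:00:01Z","matcher-status":true}
EOF
}

if [ "${1:-}" = "run" ]; then      # ./scan-and-gate.sh run
    write_targets "$TARGETS_FILE"
    scan_targets "$TARGETS_FILE" "$RESULTS_FILE"
    gate_findings "$RESULTS_FILE"  # non-zero exit fails the pipeline step
fi
```

In a pipeline, run the script with FAIL_ON set to the severities your team has agreed to block on; the JSONL file it leaves behind is the artifact to archive, since the silent terminal output carries no more information than the file does.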

Next, learn about Nessus vulnerability scanner.
