Running Nuclei
Learn about how to run Nuclei and produce results
How to Run Nuclei
Nuclei templates offer two primary execution methods:
Executing Nuclei Templates
-t/templates
Default Templates
Most community templates from our nuclei-template repository are executed by default, directly from the standard installation path. The typical command is as follows:
However, there are some exceptions regarding the templates that run by default:
- Certain tags and templates listed in the default
.nuclei-ignore
file are not included. - Code Templates require the
-code
flag to execute. - Headless Templates will not run unless you pass the
-headless
flag. - A separate collection of Fuzzing Templates, located in a different repository, must be downloaded and configured separately for use.
You can also run templates against a list of URLs:
Custom Templates
To run a custom template directory or multiple directories, use the following command structure:
Templates from custom GitHub repositories, stored under the github directory, can be executed with this command:
You can also directly run a template from any ProjectDiscovery Cloud Platform URL like this:
Executing Template Workflows
-w/workflows
Workflows can be executed using the following command:
Similarly, Workflows can be executed against a list of URLs.
Types of Templates
Template Filters
Nuclei engine supports three basic filters to customize template execution.
-
Tags (
-tags
)Filter based on tags field available in the template.
-
Severity (
-severity
)Filter based on severity field available in the template.
-
Author (
-author
)Filter based on author field available in the template.
As default, Filters are applied on installed path of templates and can be customized with manual template path input.
For example, below command will run all the templates installed at ~/nuclei-templates/
directory and has cve
tags in it.
And this example will run all the templates available under ~/nuclei-templates/exposures/
directory and has config
tag in it.
Multiple filters works together with AND condition,
below example runs all templates with cve
tags
AND has critical
OR high
severity AND geeknik
as author of template.
Advanced Filters
Multiple filters can also be combined using the template condition flag (-tc
) that allows complex expressions like the following ones:
The supported fields are:
id
stringname
stringdescription
stringtags
slice of stringsauthors
slice of stringsseverity
stringprotocol
stringhttp_method
slice of stringsbody
string (containing all request bodies if any)matcher_type
slice of stringextractor_type
slice of stringdescription
string
Also, every key-value pair from the template metadata section is accessible. All fields can be combined with logical operators (||
and &&
) and used with DSL helper functions.
Similarly, all filters are supported in workflows as well.
Workflows
In Workflows, Nuclei filters are applied on templates or sub-templates running via workflows, not on the workflows itself.
Public Templates
Nuclei has built-in support for automatic template download/update from nuclei templates project which provides community-contributed list of ready-to-use templates that is constantly updated.
Nuclei checks for new community template releases upon each execution and automatically downloads the latest version when available. optionally, this feature can be disabled using the -duc
cli flag or the configuration file.
Custom Templates
Users can create custom templates on a personal public / private GitHub / AWS Bucket that they wish to run / update while using nuclei from any environment without manually downloading the GitHub repository everywhere.
To use this feature, users need to set the following environment variables:
Environment variables can also be provided to disable download from default and custom template locations:
Once the environment variables are set, following command to download the custom templates:
This command will clone the repository containing the custom templates to the default nuclei templates directory ($HOME/nuclei-templates/github/
).
The directory structure of the custom templates looks as follows:
Users can then use the custom templates with the -t
flag as follows:
The nuclei engine can be updated to latest version by using the -update
flag.
Writing your own unique templates will always keep you one step ahead of others.
Nuclei Flags
This will display help for the tool. Here are all the switches it supports.
From Nuclei v3.0.0 -metrics
port has been removed and merged with -stats
when using -stats
flag metrics will be by default available at localhost:9092/metrics
and metrics-port can be configured by -metrics-port
flag
Rate Limits
Nuclei have multiple rate limit controls for multiple factors, including a number of templates to execute in parallel, a number of hosts to be scanned in parallel for each template, and the global number of request / per second you wanted to make/limit using nuclei, here is an example of each flag with description.
Flag | Description |
---|---|
rate-limit | Control the total number of request to send per seconds |
bulk-size | Control the number of hosts to process in parallel for each template |
c | Control the number of templates to process in parallel |
Feel free to play with these flags to tune your nuclei scan speed and accuracy.
rate-limit
flag takes precedence over the other two flags, the number of
requests/seconds can’t go beyond the value defined for rate-limit
flag
regardless the value of c
and bulk-size
flag.
Traffic Tagging
Many BugBounty platform/programs requires you to identify the HTTP traffic you make, this can be achieved by setting custom header using config file at $HOME/.config/nuclei/config.yaml
or CLI flag -H / header
Setting custom header using config file
Setting custom header using CLI flag
Template Exclusion
Nuclei supports a variety of methods for excluding / blocking templates from execution. By default, nuclei excludes the tags/templates listed below from execution to avoid unexpected fuzz based scans and some that are not supposed to run for mass scan, and these can be easily overwritten with nuclei configuration file / flags.
Nuclei engine supports two ways to manually exclude templates from scan,
-
Exclude Templates (
-exclude-templates/exclude
)exclude-templates flag is used to exclude single or multiple templates and directory, multiple
-exclude-templates
flag can be used to provide multiple values. -
Exclude Tags (
-exclude-tags/etags
)exclude-tags flag is used to exclude templates based in defined tags, single or multiple can be used to exclude templates.
Example of excluding single template
Example of multiple template exclusion
Example of excluding templates with single tag
Example of excluding templates with multiple tags
- .nuclei-ignore list - default list of tags and templates excluded from nuclei scan as default.
.nuclei-ignore file is not supposed to be modified by user, as it gets used by nuclei internally, to overwrite ignore list, utilize nuclei configuration file.
To overwrite nuclei-ignore, Nuclei engine supports -include-tags
, -include-templates
flag.
Example of running blocked templates
List Template Path
-tl
option in Nuclei is used to list the paths of templates, rather than executing them. This can help you inspect which templates would be used for scan given your current template filter.
Scan on internet database
Nuclei supports integration with uncover module that supports services like Shodan, Censys, Hunter, Zoomeye, many more to execute Nuclei on these databases.
Here are uncover options to use -
You need to set the API key of the engine you are using as an environment variable in your shell.
Required API keys can be obtained by signing up on following platform Shodan, Censys, Fofa, Quake, Hunter and ZoomEye .
Example of template execution using a search query.
It can also read queries from templates metadata and execute template against hosts returned by uncover for that query.
Example of template execution using template-defined search queries.
Template snippet of CVE-2021-26855
We can update the nuclei configuration file to include these tags for all scans.
Large scans using Nuclei
Nuclei fully utilises resources to optimise scanning speed. However, when scanning thousands, if not millions, of targets, scanning using default parameter values is bound to cause some performance issues ex: low RPS, Slow Scans, Process Killed, High RAM consumption, etc. this is due to limited resources and network I/O. Hence following parameters need to be tuned based on system configuration and targets.
For enterprises dealing with large-scale scanning, optimizing Nuclei can be a burdensome task, especially when scans change frequently. That’s where Nuclei Enterprise comes in. With its managed offering and dedicated support, Nuclei Enterprise minimizes the burden of optimizing Nuclei on large scans, making it an ideal choice for enterprise-level scanning needs.
Flag | Short | Description |
---|---|---|
scan-strategy | -ss | Scan Strategy to Use (auto/host-spray/template-spray) |
bulk-size | -bs | Max Number of targets to scan in parallel |
concurrency | -c | Max Number of templates to use in parallel while scanning |
stream | - | stream mode - start elaborating without sorting the input |
These are common parameters that need to be tuned. Apart from these
-rate-limit
, -retries
, -timeout
, -max-host-error
also need to be tuned
based on targets that are being scanned
Which Scan Strategy to Use?
scan-strategy option can have three possible values
host-spray
: All templates are iterated over each target.template-spray
: Each template is iterated over all targets.auto
(Default) : Placeholder oftemplate-spray
for now.
User should select Scan Strategy based on number of targets and Each strategy has its own pros & cons.
- When targets < 1000,
template-spray
should be used. This strategy is slightly faster thanhost-spray
but uses more RAM and does not optimally reuse connections. - When targets > 1000,
host-spray
should be used. This strategy uses less RAM thantemplate-spray
and reuses HTTP connections along with some minor improvements and these are crucial when mass scanning.
Concurrency & Bulk-Size
Whatever the scan-strategy
is -concurrency
and -bulk-size
are crucial for tuning any type of scan. While tuning these parameters following points should be noted.
If scan-strategy
is template-spray
-concurrency
<bulk-size
(Ex:-concurrency 10 -bulk-size 200
)
If scan-strategy
is host-spray
-concurrency
>bulk-size
(Ex:-concurrency 200 -bulk-size 10
)
-concurrency
x -bulk-size
<= 2500 (depending on system config) Stream
This option should only be enabled if targets > 10k . This skips any type of sorting or preprocessing on target list.
Nuclei Config
Since release of v2.3.2 nuclei uses goflags for clean CLI experience and long/short formatted flags.
goflags comes with auto-generated config file support that coverts all available CLI flags into config file, basically you can define all CLI flags into config file to avoid repetitive CLI flags that loads as default for every scan of nuclei.
Default path of nuclei config file is
$HOME/.config/nuclei/config.yaml
, uncomment and configure the flags you wish to run as default.
Here is an example config file:
Once configured, config file be used as default, additionally custom config file can be also provided using -config
flag.
Running nuclei with custom config file
Nuclei Result Dashboard
Nuclei now allows seamless integration with the ProjectDiscovery Cloud Platform to simplify the visualization of Nuclei results and generate swift reports. This highly requested feature from the community enables easier handling of scan results with minimal effort.
Follow the steps below to set up your PDCP Result Dashboard:
- Visit https://cloud.projectdiscovery.io to create free PDCP API key.
- Use the
nuclei -auth
command, enter your API key when prompted. - To perform a scan and upload the results straight to the cloud, use the
-cloud-upload
option while running a nuclei scan.
An example command might look like this:
And the output would be like this:
After the scan, a URL will be displayed on the command line interface. Visit this URL to check your results on the Cloud Dashboard.
Advanced Integration Options
Setting API key via environment variable
Avoid entering your API key via interactive prompt by setting it via environment variable.
Enabling result upload by default
If you want all your scans to automatically upload results to the cloud, enable the ENABLE_CLOUD_UPLOAD
environment variable.
Disabling cloud upload warnings
To suppress warnings about result uploads, disable the DISABLE_CLOUD_UPLOAD_WRN
environment variable.
Your configured PDCP API key stored in $HOME/.pdcp/credentials.yaml
Nuclei OSS results uploaded to the cloud platform are scheduled for automatic cleanup after 30 days, although this duration is subject to change as we gauge user feedback and requirement.
Nuclei Reporting
Nuclei comes with reporting module support with the release of v2.3.0 supporting GitHub, GitLab, and Jira integration, this allows nuclei engine to create automatic tickets on the supported platform based on found results.
Platform | GitHub | GitLab | Jira | Markdown | SARIF | Elasticsearch | Splunk HEC |
---|---|---|---|---|---|---|---|
Support | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
-rc, -report-config
flag can be used to provide a config file to read configuration details of the platform to integrate. Here is an example config file for all supported platforms.
For example, to create tickets on GitHub, create a config file with the following content and replace the appropriate values:
Alternatively if you use GitLab, create a config file following content and replace the appropriate values:
To store results in Elasticsearch, create a config file with the following content and replace the appropriate values:
To forward results to Splunk HEC, create a config file with the following content and replace the appropriate values:
To forward results to Jira, create a config file with the following content and replace the appropriate values:
The Jira reporting options allows for custom fields, as well as using variables from the Nuclei templates in those custom fields.
The supported variables currently are: $CVSSMetrics
, $CVEID
, $CWEID
, $Host
, $Severity
, $CVSSScore
, $Name
In addition, Jira is strict when it comes to custom field entry. If the field is a dropdown, Jira accepts only the case sensitive specific string and the API call is slightly different. To support this, there are three types of customfields.
name
is the dropdown valueid
is the ID value of the dropdownfreeform
is if the customfield the entry of any value
To avoid duplication, the JQL query run can be slightly modified by the config file.
The CLOSED_STATUS
can be changed in the Jira template file using the status-not
variable.
summary ~ TEMPLATE_NAME AND summary ~ HOSTNAME AND status != CLOSED_STATUS
Running nuclei with reporting module:
Similarly, other platforms can be configured. Reporting module also supports basic filtering and duplicate checks to avoid duplicate ticket creation.
This will ensure to only creating tickets for issues identified with high and critical severity; similarly, deny-list
can be used to exclude issues with a specific severity.
If you are running periodic scans on the same assets, you might want to consider -rdb, -report-db
flag that creates a local copy of the valid findings in the given directory utilized by reporting module to compare and create tickets for unique issues only.
Markdown Export
Nuclei supports markdown export of valid findings with -me, -markdown-export
flag, this flag takes directory as input to store markdown formatted reports.
Including request/response in the markdown report is optional, and included when -irr, -include-rr
flag is used along with -me
.
SARIF Export
Nuclei supports SARIF export of valid findings with -se, -sarif-export
flag. This flag takes a file as input to store SARIF formatted report.
It is also possible to visualize Nuclei results using SARIF files.
-
By uploading a SARIF file to SARIF Viewer
-
By uploading a SARIF file to Github Actions
More info on the SARIF output is documented here.
These are not official viewers of Nuclei and Nuclei
has no liability
towards any of these options to visualize Nuclei results. These are just
some publicly available options to visualize SARIF files.
Scan Metrics
Nuclei expose running scan metrics on a local port 9092
when -metrics
flag is used and can be accessed at localhost:9092/metrics, default port to expose scan information is configurable using -metrics-port
flag.
Here is an example to query metrics
while running nuclei as following nuclei -t cves/ -l urls.txt -metrics
Passive Scan
Nuclei engine supports passive mode scanning for HTTP based template utilizing file support, with this support we can run HTTP based templates against locally stored HTTP response data collected from any other tool.
{{BasedURL}}
or {{BasedURL/}}
as base path.Running With Docker
If Nuclei was installed within a Docker container based on the installation instructions, the executable does not have the context of the host machine. This means that the executable will not be able to access local files such as those used for input lists or templates. To resolve this, the container should be run with volumes mapped to the local filesystem to allow access to these files.
Basic Usage
This example runs a Nuclei container against google.com
, prints the results to JSON and removes the container once it
has completed:
Using Volumes
This example runs a Nuclei container against a list of URLs, writes the results to a .jsonl
file and removes the
container once it has completed.