Learn about how to run Nuclei and produce results
Templates (-t/templates)

Default Templates

Most community templates from our nuclei-templates repository are executed by default, directly from the standard installation path. The typical command is as follows:

Templates listed in the .nuclei-ignore file are not included. Templates that use the code protocol require the -code flag to execute, and headless templates require the -headless flag.

Workflows (-w/workflows)

Workflows can be executed using the following command:
Template Filters

Templates can be filtered with the following flags:

-tags: filter based on the tags field available in the template.
-severity: filter based on the severity field available in the template.
-author: filter based on the author field available in the template.
For example, filters can be combined with template paths to run only the templates in the ~/nuclei-templates/ directory that have the cve tag, or only the templates in the ~/nuclei-templates/exposures/ directory that have the config tag. Filters can also be combined with each other, for example to run the templates that have the cve tag AND critical OR high severity AND geeknik as author of the template.
Advanced Filtering

Nuclei also supports a template-condition flag (-tc) that allows complex expressions like the following ones:

The fields available in template-condition expressions are:

Field | Type |
---|---|
id | string |
name | string |
description | string |
tags | slice of strings |
authors | slice of strings |
severity | string |
protocol | string |
http_method | slice of strings |
body | string (containing all request bodies if any) |
matcher_type | slice of strings |
extractor_type | slice of strings |

These fields can be combined using logical operators (|| and &&) and used with DSL helper functions.
Similarly, all filters are supported in workflows as well.
Custom Templates

Nuclei checks for template updates automatically; this check can be disabled with the -duc CLI flag or the configuration file.

Custom templates can be downloaded from the following sources:

For GitHub Project
For GitLab Project
For AWS Bucket
For Azure Blob Storage

Downloaded custom templates are stored in a source-specific subdirectory of the templates directory (for example, $HOME/nuclei-templates/github/).

The directory structure of the custom templates looks as follows:

Custom templates are then run by passing their directory to the -t flag as follows:

Nuclei itself can be updated to the latest release with the -update flag.
Note: the -metrics port has been removed and merged with -stats. When the -stats flag is used, metrics are by default available at localhost:9092/metrics, and the metrics port can be configured with the -metrics-port flag.

Rate Limits

Flag | Description |
---|---|
rate-limit | Control the total number of requests to send per second |
bulk-size | Control the number of hosts to process in parallel for each template |
c | Control the number of templates to process in parallel |

The rate-limit flag takes precedence over the other two flags: the number of requests per second can't go beyond the value defined for the rate-limit flag, regardless of the value of the c and bulk-size flags.

Headers

Custom headers can be defined in $HOME/.config/nuclei/config.yaml or with the CLI flag -H / -header.
Template Exclusion

-exclude-templates/-exclude: the exclude-templates flag is used to exclude single or multiple templates and directories; multiple -exclude-templates flags can be used to provide multiple values.

-exclude-tags/-etags: the exclude-tags flag is used to exclude templates based on defined tags; single or multiple tags can be used to exclude templates.

Templates that are excluded by default can be brought back in with the -include-tags and -include-templates flags.

Listing Templates

The -tl option in Nuclei is used to list the paths of templates rather than executing them. This can help you inspect which templates would be used for a scan given your current template filter.
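The tag, severity and author filters described under Template Filters, the -tc expressions under Advanced Filtering, and the exclusion flags above all reduce to one selection step over template metadata. The following is an added example, not code from the nuclei project: it models that selection in Python over constructed sample metadata, with the Template class, the select() helper and the contains() DSL function as assumptions of this example (the returned ids correspond to what -tl would list).

```python
from dataclasses import dataclass, field

# Hypothetical metadata model mirroring the template-condition fields listed on this page.
@dataclass
class Template:
    path: str
    id: str
    name: str
    tags: list = field(default_factory=list)
    authors: list = field(default_factory=list)
    severity: str = "info"

def _csv(value):
    """Split a comma-separated flag value such as 'critical,high' into a lowercase set."""
    return {v.strip().lower() for v in value.split(",") if v.strip()} if value else set()

def matches_flags(t, tags=None, severity=None, author=None, exclude_tags=None, exclude_templates=()):
    """-tags/-severity/-author: AND between flags, OR within a flag; then -etags and -exclude-templates."""
    t_tags = {x.lower() for x in t.tags}
    # Each flag is an OR list of values; the flags themselves AND together.
    want = [(_csv(tags), t_tags), (_csv(author), {x.lower() for x in t.authors}), (_csv(severity), {t.severity.lower()})]
    if any(w and not (w & have) for w, have in want):
        return False
    if _csv(exclude_tags) & t_tags:
        return False
    # -exclude-templates accepts template files or directories: match the whole path or a directory prefix.
    return not any(t.path == p or t.path.startswith(p.rstrip("/") + "/") for p in exclude_templates)

def matches_condition(t, expr):
    """Evaluate a -tc style expression ('&&', '||', contains()) against the template fields.
    The expression is trusted operator input, as on the CLI; builtins are withheld from eval."""
    py = expr.replace("&&", " and ").replace("||", " or ")
    env = {"__builtins__": {}, "contains": lambda hay, needle: needle in hay, "id": t.id,
           "name": t.name, "tags": t.tags, "authors": t.authors, "severity": t.severity}
    return bool(eval(py, env))

def select(templates, condition=None, **flags):
    """Return the ids of the templates that survive the filters (what -tl would list)."""
    kept = [t for t in templates if matches_flags(t, **flags)]
    if condition:
        kept = [t for t in kept if matches_condition(t, condition)]
    return [t.id for t in kept]

# Constructed sample metadata, not real nuclei-templates entries.
SAMPLE = [
    Template("cves/2021/CVE-2021-0001.yaml", "cve-a", "A", ["cve", "rce"], ["geeknik"], "critical"),
    Template("cves/2020/CVE-2020-0002.yaml", "cve-b", "B", ["cve", "xss"], ["pdteam"], "high"),
    Template("exposures/configs/env.yaml", "env-file", "Env", ["config", "exposure"], ["geeknik"], "medium"),
    Template("technologies/tech.yaml", "tech", "Tech", ["tech"], ["pdteam"], "info"),
]
```

For instance, select(SAMPLE, tags="cve", severity="critical,high", author="geeknik") keeps only cve-a, which is the combination the filter example above describes.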
Scan Strategy

Flag | Short | Description |
---|---|---|
scan-strategy | -ss | Scan strategy to use (auto/host-spray/template-spray) |
bulk-size | -bs | Max number of targets to scan in parallel |
concurrency | -c | Max number of templates to use in parallel while scanning |
stream | - | Stream mode: start elaborating without sorting the input |

Along with these, -rate-limit, -retries, -timeout and -max-host-error also need to be tuned based on the targets that are being scanned.

host-spray: all templates are iterated over each target.
template-spray: each template is iterated over all targets.
auto (default): placeholder for template-spray for now.

For a small number of targets, template-spray should be used. This strategy is slightly faster than host-spray but uses more RAM and does not optimally reuse connections. For a large number of targets, host-spray should be used. This strategy uses less RAM than template-spray and reuses HTTP connections along with some minor improvements, and these are crucial when mass scanning.

Along with scan-strategy, -concurrency and -bulk-size are crucial for tuning any type of scan. While tuning these parameters, the following points should be noted:

If scan-strategy is template-spray: -concurrency < -bulk-size (Ex: -concurrency 10 -bulk-size 200)
If scan-strategy is host-spray: -concurrency > -bulk-size (Ex: -concurrency 200 -bulk-size 10)
-concurrency x -bulk-size <= 2500 (depending on system config)
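The three tuning rules above are easy to get wrong when a scan wrapper assembles flags from variables, so the following added example (not nuclei's own code) encodes them as a preflight check and derives a compliant -concurrency/-bulk-size pair for a given scan shape. The 200 ceilings in suggest() are this example's assumption, taken from the page's -concurrency 10 -bulk-size 200 and -concurrency 200 -bulk-size 10 illustrations.

```python
MAX_PRODUCT = 2500  # the page's upper bound for -concurrency x -bulk-size (system dependent)

def check_tuning(strategy, concurrency, bulk_size):
    """Return the tuning rules from this page that the given values violate (empty list == OK)."""
    problems = []
    if strategy == "auto":  # auto is currently a placeholder for template-spray
        strategy = "template-spray"
    if strategy == "template-spray":
        if not concurrency < bulk_size:
            problems.append("template-spray expects -concurrency < -bulk-size")
    elif strategy == "host-spray":
        if not concurrency > bulk_size:
            problems.append("host-spray expects -concurrency > -bulk-size")
    else:
        problems.append(f"unknown scan-strategy {strategy!r}")
    if concurrency * bulk_size > MAX_PRODUCT:
        problems.append(f"-concurrency x -bulk-size = {concurrency * bulk_size} exceeds {MAX_PRODUCT}")
    return problems

def suggest(strategy, n_targets, n_templates, cap=MAX_PRODUCT):
    """Pick a (concurrency, bulk_size) pair satisfying the rules for a scan of the given shape.
    The 200 ceilings are an assumption of this example, not a nuclei default."""
    if strategy == "auto":
        strategy = "template-spray"
    if strategy == "template-spray":  # few targets, many templates: bulk-size dominates
        bulk = max(2, min(n_targets, 200))
        conc = max(1, min(n_templates, cap // bulk, bulk - 1))
    elif strategy == "host-spray":  # many targets: concurrency dominates
        conc = max(2, min(n_templates, 200))
        bulk = max(1, min(n_targets, cap // conc, conc - 1))
    else:
        raise ValueError(f"unknown scan-strategy {strategy!r}")
    return conc, bulk

def cli_flags(strategy, concurrency, bulk_size):
    """Render the flags as they would be passed to nuclei."""
    return f"-scan-strategy {strategy} -concurrency {concurrency} -bulk-size {bulk_size}"
```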
Config File

Since the release of v2.3.2, nuclei uses goflags for a clean CLI experience with long and short formatted flags.
goflags comes with auto-generated config file support that converts all available CLI flags into a config file; you can define all CLI flags in the config file to avoid repetitive CLI flags, and those values load as defaults for every nuclei scan.
The default path of the nuclei config file is $HOME/.config/nuclei/config.yaml; uncomment and configure the flags you wish to run as default.
Here is an example config file:

A different config file can be passed with the -config flag.
Cloud Upload

Run the nuclei -auth command and enter your API key when prompted. Then use the -cloud-upload option while running a nuclei scan, or set the ENABLE_CLOUD_UPLOAD environment variable.
The cloud upload warning can be silenced with the DISABLE_CLOUD_UPLOAD_WRN environment variable.
Credentials are stored in $HOME/.pdcp/credentials.yaml.
Platform | GitHub | GitLab | Jira | Markdown | SARIF | Elasticsearch | Splunk HEC |
---|---|---|---|---|---|---|---|
Support | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
The -rc, -report-config flag can be used to provide a config file with the configuration details of the platform to integrate. Here is an example config file for all supported platforms.
For example, to create tickets on GitHub, create a config file with the following content and replace the appropriate values:
The following variables can be used in Jira custom fields: $CVSSMetrics, $CVEID, $CWEID, $Host, $Severity, $CVSSScore, $Name.
In addition, Jira is strict when it comes to custom field entry. If the field is a dropdown, Jira accepts only the case-sensitive specific string and the API call is slightly different. To support this, there are three types of custom fields:

name is the dropdown value
id is the ID value of the dropdown
freeform is if the custom field accepts the entry of any value

Existing issues are looked up with the following Jira query, where CLOSED_STATUS can be changed in the Jira template file using the status-not variable:

summary ~ TEMPLATE_NAME AND summary ~ HOSTNAME AND status != CLOSED_STATUS

deny-list can be used to exclude issues with a specific severity.
If you are running periodic scans on the same assets, you might want to consider the -rdb, -report-db flag, which creates a local copy of the valid findings in the given directory; the reporting module uses it to compare findings and create tickets for unique issues only.

Markdown Export

Markdown reports are written with the -me, -markdown-export flag; this flag takes a directory as input to store markdown formatted reports.
Including request/response in the markdown report is optional; they are included when the -irr, -include-rr flag is used along with -me.

SARIF Export

SARIF reports are written with the -se, -sarif-export flag. This flag takes a file as input to store the SARIF formatted report.
Nuclei has no liability towards any of these options to visualize Nuclei results. These are just some publicly available options to visualize SARIF files.

Metrics

Nuclei exposes scan information on port 9092 when the -metrics flag is used; it can be accessed at localhost:9092/metrics. The default port used to expose scan information is configurable using the -metrics-port flag.
Here is an example to query metrics while running nuclei as nuclei -t cves/ -l urls.txt -metrics:
{{BasedURL}} or {{BasedURL/}} is used as the base path.

Docker

The following runs a scan against google.com, prints the results to JSON and removes the container once it has completed:

The following writes the results to a .jsonl file and removes the container once it has completed.