| title | description | sidebarTitle | icon |
|---|---|---|---|
Nuclei Setup Example |
Learn how to install Nuclei and start scanning for vulnerabilities. |
Examples |
play |
ProjectDiscovery runs on any OS that supports Go.
This example uses Linux, but this blog post provides instructions for other OSs. You can also refer to Go's installation guide.
Download and install [the latest version of Go](https://go.dev/doc/install). Run `go version` to confirm installation (_v 1.21 at the time of writing_)The $PATH variable defines directories with executable programs. You need to add the go/bin directory (where ProjectDiscovery binaries reside) to $PATH manually.
This folder is not automatically added to your $PATH. Refer to the steps below to update it manually.
A quick overview of Nuclei and its templates before installation.
What is Nuclei?
Nuclei is a community-powered vulnerability scanner that uses templates to identify vulnerabilities in your assets. As an open-source tool, it has the benefit of a huge community of users and contributors who have helped to create a vast library of templates.
Templates, are YAML files used to define what is scanned by Nuclei. The template library includes many options and customizations, and supports any templates you create to meet your requirements.
Run `go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest` in your terminal. Run `nuclei -h` to see available options and flags.user@Sample ~ % nuclei -h
Nuclei is a fast, template based vulnerability scanner focused
on configurability, extensibility and ease of use.
Usage:
nuclei [flags]
Flags:
TARGET:
-u, -target string[] target URLs/hosts to scan
-l, -list string path to file containing a list of target URLs/hosts to scan (one per line)
-resume string resume scan using resume.cfg (clustering will be disabled)
-sa, -scan-all-ips scan all the IP's associated with DNS record
-iv, -ip-version string[] IP version to scan of hostname (4,6) - (default 4)
TEMPLATES:
-nt, -new-templates run only new templates added in latest nuclei-templates release
-ntv, -new-templates-version string[] run new templates added in specific version
-as, -automatic-scan automatic web scan using wappalyzer technology detection to tags mapping
-t, -templates string[] list of template or template directory to run (comma-separated, file)
-tu, -template-url string[] list of template urls to run (comma-separated, file)
-w, -workflows string[] list of workflow or workflow directory to run (comma-separated, file)
-wu, -workflow-url string[] list of workflow urls to run (comma-separated, file)
-validate validate the passed templates to nuclei
-nss, -no-strict-syntax disable strict syntax check on templates
-td, -template-display displays the templates content
-tl list all available templatesLet's run a scan against a test host to showcase Nuclei’s behavior.
We'll be using the test URL(
http://honey.scanme.sh/) to demonstrate the expected scan behavior and walk you through some results.
Run nuclei -u http://honey.scanme.sh/ to scan the target host with all available templates.
The -u option specifies the target you want to scan with all available templates.
Here we have an example (edited for easier readability)
user@Test-MBP ~ % nuclei -u http://scanme.sh
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v2.9.4
projectdiscovery.io
[WRN] Found 2298 templates with syntax error (use -validate flag for further examination)
[WRN] Found 16 templates with runtime error (use -validate flag for further examination)
[INF] Current nuclei version: v2.9.4 (outdated)
[INF] Current nuclei-templates version: v9.6.9 (latest)
[INF] New templates added in latest release: 73
[INF] Templates loaded for current scan: 4982
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1230 (Reduced 1179 Requests)
[INF] Using Interactsh Server: oast.fun
[ssl-issuer] [ssl] [info] scanme.sh:443 [pd]
[self-signed-ssl] [ssl] [low] scanme.sh:443
[mismatched-ssl-certificate] [ssl] [low] scanme.sh:443 [CN: scanme]
[http-missing-security-headers:strict-transport-security] [http] [info] http://scanme.sh
[http-missing-security-headers:permissions-policy] [http] [info] http://scanme.sh
----
[weak-cipher-suites:tls-1.1] [ssl] [low] scanme.sh:443 [[tls11 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA]]
[nameserver-fingerprint] [dns] [info] scanme.sh [ns69.domaincontrol.com.,ns70.domaincontrol.com.]If you examine the following line of output
[mismatched-ssl-certificate] [ssl] [low] scanme.sh:443 [CN: scanme]
The fields are as follows:
[mismatched-ssl-certificate]is the template-id for the finding[ssl]is the protocol associated with the finding[low]is the severity associated with the findingScanme.sh:443is the output (in this case the host that the finding applies to)[CN: scanme]- This output also includes an extracted value, which is not typically in all templates but does show an example of some of the other types of output you might see.
So, each line of output follows this structure:
[template-id] [protocol] [severity] output (impacted host, etc)
Other examples:
[wp-ambience-xss] [http] [medium] http://honey.scanme.sh/wp-content/themes/ambience/thumb.php?src=%3Cbody%20onload%3Dalert(1)%3E.jpg
[tikiwiki-reflected-xss] [http] [high] http://honey.scanme.sh/tiki-5.2/tiki-edit_wiki_section.php?type=%22%3E%3Cscript%3Ealert(31337)%3C/script%3E
Take a look at the "Next Steps" section for suggestions on what to explore next.