LinuxCommandLibrary

nuclei

Scan for security vulnerabilities using templates

TLDR

Update nuclei templates to the latest released version (downloaded to ~/nuclei-templates on macOS/Linux or %USERPROFILE%\nuclei-templates on Windows)

$ nuclei [[-ut|-update-templates]]

[l]ist all [t]emplates by specific [p]rotocol [t]ype
$ nuclei -tl [[-pt|-type]] [dns|file|http|headless|tcp|workflow|ssl|websocket|whois|code|javascript]

Run an automatic web scan using Wappalyzer technology detection for a specific target [u]RL/host
$ nuclei [[-as|-automatic-scan]] [[-u|-target]] [example.com]

Run HTTP [p]rotocol [t]ype templates of specific severity, exporting results to markdown files inside a specific directory
$ nuclei [[-s|-severity]] [high,critical,...] [[-pt|-type]] http [[-u|-target]] [https://example.com] [[-me|-markdown-export]] [path/to/directory]

Run all templates with a custom rate limit, maximum bulk size, and silent output (only findings shown)
$ nuclei [[-rl|-rate-limit]] [150] [[-bs|-bulk-size]] [25] [[-c|-concurrency]] [25] -silent [[-u|-target]] [https://example.com]

Run a specific nuclei-bundled workflow against a target
$ nuclei [[-w|-workflows]] [workflows/wordpress-workflow.yaml] [[-u|-target]] [https://example.com]

Run one or more specific templates, or a directory of templates, with verbose output on stderr, and write detected issues/vulnerabilities to a file
$ nuclei [[-t|-templates]] [path/to/nuclei-templates/http] [[-u|-target]] [https://example.com] [[-v|-verbose]] [[-o|-output]] [path/to/results]

Run a scan based on one or more template conditions
$ nuclei [[-tc|-template-condition]] "[contains(tags, 'xss') && contains(tags, 'cve')]" [[-u|-target]] [https://example.com]

SYNOPSIS

nuclei [options] [-u | -l] target(s) [-t] template(s)

Common usage examples:
nuclei -u https://example.com -t cves/2023/
nuclei -l targets.txt -t http/technologies/ -json -o results.json
nuclei -update-templates
nuclei -version

PARAMETERS

-h, --help
    Displays help message for nuclei.

-u, --target <URL>
    Target URL or IP address to scan. Can be repeated for multiple targets.

-l, --list <file>
    Path to a file containing a list of target URLs/IPs (one per line).

-t, --templates <path>
    Path(s) to nuclei template files or directories. Can be a comma-separated list.

-update-templates
    Updates the installed nuclei templates to the latest version from the ProjectDiscovery repository.

-tags <tag1,tag2,...>
    Runs templates that match the specified tags (e.g., cve,exposed).

-exclude-tags <tag1,tag2,...>
    Excludes templates that match the specified tags from the scan.

-severity <info,low,medium,high,critical>
    Filters templates by their severity levels. Can be a comma-separated list.

-json, -jsonl
    Output results in JSON or JSONL (line-by-line JSON) format.

-o, --output <file>
    File to write scan results to. If not specified, results are printed to stdout.

-rl, --rate-limit <rate>
    Maximum requests per second to send (default: 150).

-c, --concurrency <count>
    Maximum number of concurrent hosts to scan (default: 10).

-proxy <URL>
    HTTP/Socks proxy to use for all requests (e.g., http://127.0.0.1:8080).

-silent
    Suppresses informational and banner messages, only showing results.

-version
    Displays the current version of nuclei.

DESCRIPTION

nuclei is an open-source, fast, and customizable vulnerability scanner developed by ProjectDiscovery. It is widely used by security researchers, penetration testers, and bug bounty hunters for rapidly identifying security vulnerabilities, misconfigurations, and exposed assets across a multitude of targets.

Unlike traditional scanners, nuclei operates by executing specialized, YAML-based "templates" against specified targets. These templates define various security checks, ranging from identifying known CVEs and insecure configurations to detecting specific technologies and sensitive information disclosure. The extensive and constantly growing community-driven template library allows users to perform a wide array of checks efficiently.

Its strength lies in its flexibility, allowing users to write custom templates for specific needs, and its speed, enabling large-scale scanning operations. nuclei supports scanning single targets, lists of targets, or even output from other reconnaissance tools, making it an integral part of automated security workflows. It's often integrated into CI/CD pipelines or used for continuous monitoring of an organization's attack surface.

CAVEATS

nuclei is not a default system utility in Linux distributions and must be installed separately.

Effective use relies heavily on having up-to-date templates, which are regularly maintained by the ProjectDiscovery team and the community. Outdated templates may lead to missed vulnerabilities.

When performing scans, especially against external targets, always ensure you have explicit authorization. Unauthorized scanning can be illegal and unethical, potentially causing disruption or legal repercussions. Be mindful of the network traffic and load generated, as aggressive scanning can impact target systems.

TEMPLATE SYSTEM

The core of nuclei's functionality is its highly flexible and extensible template system. Templates are written in YAML and define the logic for a specific security check, including HTTP requests, response patterns, and vulnerability conditions. This allows users to create custom checks for virtually any scenario, from detecting specific software versions to identifying complex logical vulnerabilities. The ProjectDiscovery team maintains a public repository of thousands of community-contributed templates covering a wide range of CVEs, misconfigurations, and information disclosures, which are automatically updated by the nuclei tool.
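As an added illustration of the structure described above (not a template from the ProjectDiscovery repository), the following shows how the metadata, the HTTP request, the matchers and an extractor fit together. The id, author, tags and file name are constructed for this example; the check reports a site you operate that answers 200 without a Strict-Transport-Security header.

```yaml
# example-missing-hsts.yaml (constructed file name and id, for illustration only)
id: example-missing-hsts

info:
  name: Strict-Transport-Security header missing (example)
  author: example-author            # placeholder author
  severity: info
  description: Reports responses that do not set a Strict-Transport-Security header.
  tags: misconfig,headers,example   # constructed tags, usable with -tags

http:
  - method: GET
    path:
      - "{{BaseURL}}"               # replaced with each target given via -u or -l

    # Both matchers below must hold for a finding to be reported.
    matchers-condition: and
    matchers:
      # Only evaluate pages that were actually served.
      - type: status
        status:
          - 200

      # negative: true inverts the match, so this matcher succeeds when the
      # header name is absent from the response headers.
      - type: word
        part: header
        words:
          - "strict-transport-security"
        case-insensitive: true
        negative: true

    # Attach the Server header value to the finding to help triage.
    extractors:
      - type: kval
        kval:
          - server
```

Saved under that name, the file can be checked with nuclei -validate -t example-missing-hsts.yaml and then run with the -t and -u options listed under PARAMETERS.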

INSTALLATION

nuclei is typically installed via go install if you have a Go environment set up (e.g., go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest), or by downloading pre-compiled binaries from the ProjectDiscovery GitHub releases page. After installation, it's crucial to run nuclei -update-templates to fetch the latest vulnerability definitions.

ETHICAL USE

Due to its powerful scanning capabilities, it is imperative to use nuclei responsibly and ethically. Always obtain explicit permission from target system owners before initiating any scans. Unauthorized scanning can lead to legal consequences and ethical breaches. nuclei is a tool intended for authorized security assessments and bug bounty programs.

HISTORY

nuclei was developed by ProjectDiscovery, a group known for creating various open-source reconnaissance and security testing tools. Since its initial release, nuclei has rapidly gained traction within the cybersecurity community due to its innovative template-based approach, high performance, and the active contributions from its community.

It emerged as a powerful alternative and complement to traditional vulnerability scanners, offering unparalleled flexibility through its YAML-based template engine. This design allows security researchers and developers to quickly define and share custom checks for newly discovered vulnerabilities or specific organizational requirements, fostering a collaborative environment for security research and automation.

SEE ALSO

nmap(1), curl(1), grep(1), jq(1), subfinder(1), httpx(1)
