nuclei v2.5.8 releases: fast tool for configurable targeted scanning

by do son · Published April 7, 2020 · Updated January 13, 2022

nuclei

Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.

It is used to send requests across targets based on a template leading to zero false positives and providing effective scanning for known paths. Main use cases for nuclei are during the initial reconnaissance phase to quickly check for low-hanging fruits or CVEs across targets that are known and easily detectable. It uses a retryablehttp-go library designed to handle various errors and retries in case of blocking by WAFs, this is also one of our core modules from custom-queries.

Feature

Simple and modular codebase making it easy to contribute.
Fast And fully configurable using a template-based engine.
Handles edge cases doing retries, backoffs, etc for handling WAFs.
Smart matching functionality for zero false-positive scanning.

Changelog v2.5.8

Added template ID based template execution / exclusion (id/eid) by @Mzack9999 in #1448
Added interactsh server pool support with interactsh by @Ice3man543 in #1468
Added ldap search query interaction support with interactsh by @maikthulhu in #1383
Added support for making AWS signed request using self-contained HTTP template by @Mzack9999 in #1247
Added stop-at-first-match for interactsh matchers by @parrasajad in #1417
Added additional interactsh variables support by @Ice3man543 in #1468
Added pause/resume support (resume) by @Mzack9999 in #1308
Added support for navigation history to matchers in headless protocol by @Mzack9999 in #1432
Added support for .nuclei-ignore file path override if custom config file is used by @Mzack9999 in #1441
Fixed bug in project flag for HTTP protocol by @Mzack9999 in #1416
Fixed bug to follow 307/308 redirects by @Mzack9999 in #1446
Fixed URL printing issue by @Mzack9999 in #1445
Fixed CVE annotation crash by @Mzack9999 in #1407
Updated expression regex with lexical analyzer by @Mzack9999 in #1440

Use

1. Running nuclei with a single template.

This will run the tool against all the hosts in urls.txt and returns the matched results.

> nuclei -l urls.txt -t git-core.yaml -o results.txt

You can also pass the list of hosts at standard input (STDIN). This allows for easy integration in automation pipelines.

This will run the tool against all the hosts in urls.txt and returns the matched results.

> cat urls.txt | nuclei -t git-core.yaml -o results.txt

2. Running nuclei with multiple templates.

This will run the tool against all the hosts in urls.txt with all the templates in the path-to-templates directory and returns the matched results.

> nuclei -l urls.txt -t "path-to-templates/*.yaml" -o results.txt

3. Automating nuclei with subfinder and any other similar tool.

> subfinder -d hackerone.com | httprob | nuclei -t "path-to-templates/*.yaml" -o results.txt

Nuclei supports glob expression ending in .yaml meaning multiple templates can be easily passed to be executed one after the other. Please refer to this guide to build your own custom templates.