Nuclei Cheat Sheet
Nuclei is a fast and flexible vulnerability scanner that uses templates to detect security issues. Below is a summary of the most commonly used commands for running scans with Nuclei.
Basic Syntax
nuclei -target <URL/IP> -t <templates>
<URL/IP>: The target URL or IP address to scan.<templates>: The template(s) you want to use for scanning.
Common Flags
-target <URL/IP>: The target to scan.
Example:
nuclei -target https://example.com
-l <file.txt>: Scan multiple targets from a file.
Example:
nuclei -l targets.txt
-t <template>: Specify the template or template directory.
Example:
nuclei -target https://example.com -t cves/
-o <file.txt>: Output results to a file.
Example:
nuclei -target https://example.com -o results.txt
-json: Output results in JSON format for easy parsing or integration.
Example:
nuclei -target https://example.com -json -o results.json
-silent: Run the scan with minimal output (ideal for automation).
Example:
nuclei -target https://example.com -silent
-rate-limit <RPS>: Limit requests per second to avoid overloading the target.
Example:
nuclei -target https://example.com -rate-limit 5
-proxy <URL>: Use a proxy server to route your requests.
Example:
nuclei -target https://example.com -proxy http://127.0.0.1:8080
-H "Header: Value": Add custom headers (useful for authentication, etc.).
Example:
nuclei -target https://example.com -H "Authorization: Bearer <token>"
-exclude-severity <level>: Exclude results based on severity levels (info, low, medium, high, critical).
Example:
nuclei -target https://example.com -exclude-severity low,info
Example Commands
1. Basic Scan
nuclei -target https://example.com -t cves/
Scans https://example.com for CVEs using the built-in CVE templates.
2. Scan Multiple Targets
nuclei -l targets.txt -t vulnerabilities/
Loads and scans multiple targets from the file targets.txt using general vulnerability templates.
3. Scan with Custom Headers
nuclei -target https://example.com -H "User-Agent: Mozilla/5.0" -H "Authorization: Bearer <token>" -t cves/
Scans https://example.com for CVEs with a custom user-agent and an authorization header.
4. Save Output to File
nuclei -target https://example.com -o results.txt -t vulnerabilities/
Saves the scan results to results.txt.
5. Limit Request Rate
nuclei -target https://example.com -rate-limit 10 -t subdomain-takeover/
Limits the scan to 10 requests per second to avoid overloading the target.
6. Silent Scan with JSON Output
nuclei -target https://example.com -silent -json -t misconfigurations/
Performs a scan silently and outputs results in JSON format.
Template Categories
Here are some of the template categories you can use with Nuclei:
cves/: Known CVEs (Common Vulnerabilities and Exposures).vulnerabilities/: General security vulnerabilities.misconfigurations/: Misconfigurations in the target.default-logins/: Weak or default login credentials.subdomain-takeover/: Subdomain takeover checks.technologies/: Identifies technologies used by the target.exposed-panels/: Identifies publicly exposed admin panels and dashboards.network/: Scans for network-related security issues.files/: Searches for exposed sensitive files.secrets/: Detects API keys, credentials, and other secrets.
Tips for Efficient Scanning
- Update Templates Regularly: Run
nuclei -update-templates to ensure you have the latest templates.
- Use Silent Mode for Automation: The
-silent flag reduces unnecessary output when running automated scans.
- Test with Proxies: Use the
-proxy option to route traffic through security testing tools like Burp Suite or OWASP ZAP.
- Chain Multiple Flags: Combine flags like
-rate-limit and -exclude-severity for more granular control over your scans.