In the “Mastering the Arsenal” series, we’ll examine various tools employed in day-to-day penetration testing and learn how to unlock their true potential through effective usage. In this opening chapter, we’ll discuss Nuclei, a highly powerful and versatile tool that, used proficiently, can handle a wide range of tasks that would otherwise require multiple tools.
Nuclei is an open-source, template-based vulnerability scanner designed for scalable and efficient security automation. It allows security researchers and penetration testers to quickly identify security misconfigurations, vulnerabilities, and other security issues in web applications, network devices, and infrastructure. Nuclei uses custom YAML templates to define tests, making it easy to create and share new scanning configurations.
To maximize Nuclei’s capabilities and get more accurate results while minimizing false positives, we’ll explore its various features and functionalities along with best practices for using them effectively.
We’ll start with a basic but useful feature: you can pause a running scan by pressing CTRL+C and resume it later from a resume file.
This helps when a scan takes too long to finish and you can’t wait for it. Press CTRL+C and Nuclei writes a resume file into its config directory and prints its path; pass that file back with the -resume flag to continue from where the scan stopped. Don’t forget to write results to a file with the -o option, because the resumed scan appends its new results to the same output file.
One caveat on speed: request clustering is disabled when a scan is resumed. Clustering is what lets Nuclei merge templates that send the same request, so a resumed scan sends more requests than the original run would have.
Before the full run, do a dry run: run Nuclei for a minute against the target with the default settings and proxy its traffic through a fresh Burp instance:
nuclei -u https://example.com -p http://127.0.0.1:8080
The proxy history shows whether the target enforces rate limiting that would cut your scan short.
If you start seeing 429 (Too Many Requests) responses after a certain number of requests, lower Nuclei’s rate limit with the -rl flag; the default is 150 requests per second.
You can also write your own template to test rate limits by following Nuclei’s official template guide.
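The dry run above tells you that a limit exists; the script below, an added example that is not part of the original article or of the Nuclei project, measures where it kicks in. It fires bursts of GET requests at increasing per-second rates, stops at the first burst that draws a 429, and turns the result into a starting value for -rl. The candidate rates, the two-second cooldown between bursts and the SimulatedLimiter class (a constructed stand-in for a fixed-window rate limiter, used when no URL is given) are assumptions of this example, not Nuclei behaviour.

```python
"""Probe a target for rate limiting before a full Nuclei run.

Fires bursts of GET requests at increasing per-second rates and reports the
highest rate that drew no 429 response; that number is a sensible starting
value for nuclei -rl.  The request function is a parameter so the probe can
be exercised offline against the simulated limiter at the bottom.
"""
import sys
import time
import urllib.error
import urllib.request

# Candidate burst rates (requests per second), ending at Nuclei's default of 150.
CANDIDATE_RATES = (10, 25, 50, 100, 150)


def http_status(url, timeout=5):
    """GET the URL and return its status; HTTP errors (429, 503, ...) are statuses, not failures."""
    req = urllib.request.Request(url, headers={"User-Agent": "rate-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def burst(url, rate, get_status, sleep=time.sleep):
    """Send `rate` requests spread over roughly one second; return the status codes seen."""
    interval = 1.0 / rate
    statuses = []
    for _ in range(rate):
        statuses.append(get_status(url))
        sleep(interval)  # latency adds to this, so the real rate is a little lower than nominal
    return statuses


def find_safe_rate(url, get_status=http_status, rates=CANDIDATE_RATES,
                   sleep=time.sleep, cooldown=2.0):
    """Return (safe_rate, limited_rate).

    safe_rate is the highest burst rate with no 429 (None if even the lowest rate
    was throttled); limited_rate is the first rate that drew a 429 (None if none did).
    """
    safe = None
    for rate in rates:
        if 429 in burst(url, rate, get_status, sleep):
            return safe, rate
        safe = rate
        sleep(cooldown)  # let the server's limiting window reset before the next burst
    return safe, None


def recommendation(safe_rate, limited_rate):
    """Turn the probe result into a one-line hint for the nuclei command line."""
    if safe_rate is None:
        return "throttled even at %d req/s: scan very slowly (e.g. -rl 5) or ask for an allowlist" % limited_rate
    if limited_rate is None:
        return "no 429 seen up to %d req/s: Nuclei's default -rl 150 is fine" % safe_rate
    return "429 starts at %d req/s: run nuclei with -rl %d or lower" % (limited_rate, safe_rate)


class SimulatedLimiter:
    """Constructed stand-in for a rate-limited server: 429 after `limit` hits per window.

    The window resets whenever the caller sleeps for at least one second, which only
    happens during the cooldown between bursts, mimicking a fixed-window limiter.
    """

    def __init__(self, limit):
        self.limit = limit
        self.hits = 0

    def get_status(self, url):
        self.hits += 1
        return 429 if self.hits > self.limit else 200

    def sleep(self, seconds):
        if seconds >= 1.0:
            self.hits = 0


def probe_simulated(limit):
    """Run the probe against a SimulatedLimiter without touching the network."""
    sim = SimulatedLimiter(limit)
    return find_safe_rate("http://simulated.invalid/", sim.get_status, sleep=sim.sleep)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = find_safe_rate(sys.argv[1])  # e.g. python ratelimit_probe.py https://example.com/
    else:
        result = probe_simulated(60)  # offline demo: a server allowing 60 requests per window
    print(recommendation(*result))
```

Run it once against an unauthenticated endpoint before scanning; if the target uses a sliding window or per-IP throttling the threshold will move around, so treat the result as an upper bound and leave some headroom when you set -rl.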
Nuclei is more than just an HTTP-based web scanner; it supports scanning through multiple protocols, such as DNS, TCP, and file-based scanning. For file-based scanning, provide Nuclei with a file or folder of files, and it will run its file-based templates on them, showing you the matched results.
File-based templates include Google API key identifiers, potential DOM XSS identifiers, key/credential scanners, and endpoint or URL scanners.
Run these templates on the target’s JS and HTML files with the following command:
nuclei -t ~/nuclei-templates/file -target all-static-files/
Scanning the JS bundles of single-page applications (React, Vue, and similar) this way can yield valuable information such as API endpoints, URIs, and API keys.
For optimal results, avoid running Nuclei directly on discovered subdomains: you would miss services on non-standard ports and waste requests on hosts that do not answer. Instead, port-scan all subdomains with Naabu, pipe the output to Httpx so that only hosts responding over HTTP(S) are kept, and store the resulting URLs in a file. Then scan that URL file with Nuclei:
naabu -l subdomains.txt -silent | httpx -silent -o URLs.txt
Enable the retry option so that failed requests are retried. By default Nuclei retries a failed request only once, so a transient connection failure can cause a vulnerability to be missed. Use the -retries flag to set the number of retries:
<existing nuclei command> -retries 3
This is particularly helpful against legacy applications that respond slowly.
Typically, we run Nuclei with only a URL and templates, but this overlooks vulnerabilities hidden behind the authentication layer. Authenticated scanning is therefore essential if all vulnerabilities are to be identified.
To scan with an authenticated session cookie, pass the Cookie header (multiple cookies are separated by a semicolon, not a comma):
<existing nuclei command> -H "Cookie: <cookie_name>=<value>; <cookie_name>=<value>"
To scan with an authenticated bearer token, pass the Authorization header instead:
<existing nuclei command> -H "Authorization: Bearer <token_value>"
Keep in mind that the session can expire or be invalidated mid-scan (for example when a template hits the logout endpoint), so spot-check the proxy history or output for redirects to the login page.
Running Nuclei in headless mode offers several advantages, one of which is the ability to run the headless templates, which include a URL extractor, postMessage detection, and window.name XSS. All headless templates live in the ‘headless’ directory at the top level of nuclei-templates.
To run Nuclei in headless mode, use the following command (a Chrome/Chromium install is required, and headless templates are skipped unless -headless is given):
nuclei -u https://example.com -t ~/nuclei-templates -headless
While we typically use Nuclei to scan web applications, it also ships many templates for identifying vulnerabilities in network services. To use them, compile a list of IPs from Shodan, Censys, or other sources.
To run Nuclei against network assets, use the following command:
nuclei -l Ips.txt -pt tcp
When scanning network assets you will also get many informational results (banners, versions, exposed services) that are useful for further exploitation. Resources such as Hacktricks describe how to take these results further.
Sometimes you come across random tokens and keys in JavaScript files, GitHub, or Pastebin dumps without knowing which service they belong to. In such cases, the token-spray templates let you try a token or key against 200+ portals to find out where it is valid.
All you need is one of the following commands with your token or key:
nuclei -t ~/nuclei-templates/token-spray/ -var token=<token/key>
nuclei -t ~/nuclei-templates/token-spray/ -var token=list_of_tokens_and_keys.txt
Note that spraying sends the secret to every one of those third-party services, so only do this with tokens that are in scope for your engagement.
Nuclei includes thousands of templates, and many of them use complex workflows to identify vulnerabilities. For example, if Nuclei reports an RCE in a POST request, reproducing it by hand requires understanding how the template works, including exactly what it sent to trigger the finding.
To avoid this complex process, you can use Nuclei to generate a markdown report. This report will include the request and response in the same raw format as seen in Burp, making it easy to replicate the vulnerability.
To generate a markdown report, add the -me flag to your command, followed by the path of an empty directory where the report will be written.
In that directory, you’ll find one report per finding plus an index file.
To view these reports, open the index using any markdown viewer or editor, such as Obsidian. You can click on the vulnerability hyperlink to jump to the detailed report.
The detailed report provides all the necessary information to replicate the issue, including a curl command and reference (if it exists in the template).
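Besides the markdown export, Nuclei can write one JSON object per finding (-jsonl, or -json in older releases; add -irr to embed the raw request and response). The script below is an added example, not code from the article or from the Nuclei project, that triages such a file: it drops repeat hits of the same template on the same URL, sorts by severity, counts findings per severity and pulls out the curl-command Nuclei records so each finding can be replayed by hand or pasted into Burp Repeater. The field names (template-id, info.severity, matched-at, curl-command) follow Nuclei’s JSONL output as I know it and should be checked against your version; the SAMPLE_JSONL lines are constructed for the demo and are not real scan output.

```python
"""Triage Nuclei JSONL output and extract what is needed to reproduce each finding.

Usage: python triage.py results.jsonl   (no argument: runs on the built-in sample)
Drops duplicate (template-id, matched-at) pairs, sorts by severity, counts
findings per severity and lists the curl-command recorded for each hit.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ("critical", "high", "medium", "low", "info", "unknown")


def severity_of(finding):
    """Normalise the severity string; anything unexpected sorts last."""
    sev = str(finding.get("info", {}).get("severity", "unknown")).lower()
    return sev if sev in SEVERITY_ORDER else "unknown"


def parse_findings(lines):
    """Parse JSONL lines into finding dicts, skipping blank or invalid lines and repeat hits."""
    findings = []
    seen = set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a stray non-JSON line must not abort the whole triage
        key = (obj.get("template-id"), obj.get("matched-at"))
        if key in seen:
            continue  # the same template matching the same URL twice adds nothing
        seen.add(key)
        findings.append(obj)
    return sorted(findings, key=lambda f: (SEVERITY_ORDER.index(severity_of(f)), f.get("template-id", "")))


def summarize(findings):
    """Count findings per severity, e.g. Counter({'critical': 1, 'medium': 1})."""
    return Counter(severity_of(f) for f in findings)


def replay_commands(findings):
    """Return (template-id, matched-at, curl) tuples; curl is None when Nuclei recorded none,
    which is the case for non-HTTP templates and for some extraction-only matches."""
    return [(f.get("template-id"), f.get("matched-at"), f.get("curl-command")) for f in findings]


def report(findings):
    """Render a plain-text triage report: counts first, then one block per finding."""
    out = ["Findings by severity:"]
    counts = summarize(findings)
    for sev in SEVERITY_ORDER:
        if counts.get(sev):
            out.append("  %-8s %d" % (sev, counts[sev]))
    for template_id, matched_at, curl in replay_commands(findings):
        out.append("")
        out.append("[%s] %s" % (template_id, matched_at))
        out.append("  replay: " + (curl or "(no curl command recorded)"))
    return "\n".join(out)


# Constructed sample lines in Nuclei's JSONL shape (not real scan output): a critical hit,
# the same hit reported a second time, an info-level banner match, a medium finding, junk.
SAMPLE_JSONL = [
    '{"template-id":"example-cmd-injection","info":{"name":"Example command injection","severity":"critical"},'
    '"host":"https://app.example.com","matched-at":"https://app.example.com/api/run",'
    '"curl-command":"curl -X POST \'https://app.example.com/api/run\' -d \'cmd=id\'"}',
    '{"template-id":"example-cmd-injection","info":{"severity":"critical"},"matched-at":"https://app.example.com/api/run"}',
    '{"template-id":"tech-detect","info":{"name":"Tech detect","severity":"info"},"matched-at":"https://app.example.com/","matcher-name":"nginx"}',
    '{"template-id":"cors-misconfig","info":{"severity":"medium"},"matched-at":"https://app.example.com/api",'
    '"curl-command":"curl \'https://app.example.com/api\' -H \'Origin: https://evil.example\'"}',
    'not json at all',
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            findings = parse_findings(fh)
    else:
        findings = parse_findings(SAMPLE_JSONL)
    print(report(findings))
```

The curl command reproduces the request but not the state the template may have built up first (a prior login, a value extracted from an earlier step of a workflow), so for multi-request templates still open the markdown report or the -irr request/response pairs to see the full sequence.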
If running all the official Nuclei templates does not produce valuable results, you can try external templates that did not make it into the official repository. They may have been left out for various reasons, such as an inadequate structure or explanation, or simply never having been submitted for review.
To obtain these unofficial templates, you can use a tool called ‘cent’. It clones the community template repositories and removes duplicate templates. To use cent, run:
cent -p cent-nuclei-templates -k
Once the templates have been cloned into the ‘cent-nuclei-templates’ directory in your current working directory, pass that path to Nuclei with -t to run all of them. Since these templates skipped the official review, look over what a template sends before pointing it at a client’s systems.
In conclusion, Nuclei is a powerful and versatile addition to your arsenal. By understanding and leveraging its various features and functionalities, you can maximize its potential and obtain accurate results.
To further enhance the tool’s capabilities and customize it to specific needs, you can explore custom Nuclei template development by referring to the official Nuclei template guide. This allows for a more precise scanning experience and helps identify those edge cases that are more relevant to your testing patterns.