cyber-security-resources/recon/intro_to_nuclei.md

# Introducing Nuclei: A Fast and Customizable Vulnerability Scanner

## Introduction

[Nuclei](https://github.com/projectdiscovery/nuclei) is an open-source, fast, and customizable vulnerability scanner developed by [ProjectDiscovery](https://github.com/projectdiscovery/). It is designed to send requests across targets based on predefined templates, enabling efficient and accurate vulnerability detection with minimal false positives. [Nuclei](https://github.com/projectdiscovery/nuclei) supports scanning for various protocols, including TCP, DNS, HTTP, SSL, File, Whois, and Websocket.

## Some of the Key Features

1. Template-based scanning: Nuclei uses YAML-based templates to define scanning logic, making it highly extensible and customizable.

2. Multi-protocol support: Enables scanning across various network protocols and services.

3. Fast and efficient: Optimized for speed, allowing rapid scanning of large numbers of hosts.

4. Low false positives: Template-based approach helps minimize false positive results.

5. Community-driven: Large repository of community-contributed templates for detecting various vulnerabilities.

6. Easy integration: Can be easily integrated into CI/CD pipelines and other automated security workflows.

## Usage Examples

### Basic Scanning

To scan a single target using Nuclei:

```bash
nuclei -u http://10.6.6.23
```

To scan multiple targets from a file:

```bash
nuclei -l targets.txt
```

### Using Specific Templates

Scan with particular templates:

```bash
nuclei -u https://example.com -t cves/ -t exposures/
```

### Filtering Templates

Scan using templates with specific tags:

```bash
nuclei -u https://example.com -tags cve,oast
```

Exclude certain tags:

```bash
nuclei -u https://example.com -etags dos,fuzz
```

### Output Formatting

Generate JSON output:

```bash
nuclei -u https://example.com -json-output results.json
```

### Rate Limiting

Limit requests per second:

```bash
nuclei -u https://example.com -rate-limit 100
```

## Creating Nuclei Templates

Nuclei templates are YAML files that define the scanning logic. Here's a basic structure of a Nuclei template:

```yaml
id: example-template
info:
  name: Example Vulnerability Check
  author: YourName
  severity: medium
  description: Checks for an example vulnerability
  
requests:
  - method: GET
    path:
      - "{{BaseURL}}/vulnerable-endpoint"
    matchers:
      - type: word
        words:
          - "vulnerable string"
```

Key components of a template:

1. `id`: Unique identifier for the template
2. `info`: Metadata about the template
3. `requests`: Defines the HTTP requests to be made
4. `matchers`: Specifies conditions to identify vulnerabilities

### Example: CVE Detection Template

Here's an example template for detecting CVE-2021-44228 (Log4j vulnerability):

```yaml
id: CVE-2021-44228

info:
  name: Apache Log4j RCE
  author: pdteam
  severity: critical
  description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228

requests:
  - raw:
      - |
        GET /${jndi:ldap://{{interactsh-url}}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: ${jndi:ldap://{{interactsh-url}}}
        Referer: ${jndi:ldap://{{interactsh-url}}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"

      - type: regex
        part: interactsh_request
        regex:
          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
```

This template sends requests with JNDI lookup strings in various HTTP headers and checks for DNS or HTTP callbacks to detect the Log4j vulnerability[8].

## Best Practices for Template Creation

1. Use clear and descriptive template IDs and names
2. Include accurate metadata (author, severity, description)
3. Utilize dynamic variables like `{{BaseURL}}` for flexibility
4. Implement precise matchers to reduce false positives
5. Test templates thoroughly before submission
6. Follow the [community template contributions](https://github.com/projectdiscovery/nuclei-templates/tree/main/dns)
Create intro_to_nuclei.md 2024-07-18 14:42:57 -04:00			`# Introducing Nuclei: A Fast and Customizable Vulnerability Scanner`

			`## Introduction`

Update intro_to_nuclei.md 2024-07-18 14:47:00 -04:00			[Nuclei](https://github.com/projectdiscovery/nuclei) is an open-source, fast, and customizable vulnerability scanner developed by [ProjectDiscovery](https://github.com/projectdiscovery/). It is designed to send requests across targets based on predefined templates, enabling efficient and accurate vulnerability detection with minimal false positives. [Nuclei](https://github.com/projectdiscovery/nuclei) supports scanning for various protocols, including TCP, DNS, HTTP, SSL, File, Whois, and Websocket.
Create intro_to_nuclei.md 2024-07-18 14:42:57 -04:00
Update intro_to_nuclei.md 2024-07-18 14:47:00 -04:00			`## Some of the Key Features`
Create intro_to_nuclei.md 2024-07-18 14:42:57 -04:00
			`1. Template-based scanning: Nuclei uses YAML-based templates to define scanning logic, making it highly extensible and customizable.`

			`2. Multi-protocol support: Enables scanning across various network protocols and services.`

			`3. Fast and efficient: Optimized for speed, allowing rapid scanning of large numbers of hosts.`

			`4. Low false positives: Template-based approach helps minimize false positive results.`

			`5. Community-driven: Large repository of community-contributed templates for detecting various vulnerabilities.`

			`6. Easy integration: Can be easily integrated into CI/CD pipelines and other automated security workflows.`

			`## Usage Examples`

			`### Basic Scanning`

			`To scan a single target using Nuclei:`

			```bash
Update intro_to_nuclei.md 2024-07-18 14:47:00 -04:00			`nuclei -u http://10.6.6.23`
Create intro_to_nuclei.md 2024-07-18 14:42:57 -04:00			```

			`To scan multiple targets from a file:`

			```bash
			`nuclei -l targets.txt`
			```

			`### Using Specific Templates`

			`Scan with particular templates:`

			```bash
			`nuclei -u https://example.com -t cves/ -t exposures/`
			```

			`### Filtering Templates`

			`Scan using templates with specific tags:`

			```bash
			`nuclei -u https://example.com -tags cve,oast`
			```

			`Exclude certain tags:`

			```bash
			`nuclei -u https://example.com -etags dos,fuzz`
			```

			`### Output Formatting`

			`Generate JSON output:`

			```bash
			`nuclei -u https://example.com -json-output results.json`
			```

			`### Rate Limiting`

			`Limit requests per second:`

			```bash
			`nuclei -u https://example.com -rate-limit 100`
			```

			`## Creating Nuclei Templates`

			`Nuclei templates are YAML files that define the scanning logic. Here's a basic structure of a Nuclei template:`

			```yaml
			`id: example-template`
			`info:`
			`name: Example Vulnerability Check`
			`author: YourName`
			`severity: medium`
			`description: Checks for an example vulnerability`

			`requests:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/vulnerable-endpoint"`
			`matchers:`
			`- type: word`
			`words:`
			`- "vulnerable string"`
			```

			`Key components of a template:`

			1. `id`: Unique identifier for the template
			2. `info`: Metadata about the template
			3. `requests`: Defines the HTTP requests to be made
			4. `matchers`: Specifies conditions to identify vulnerabilities

			`### Example: CVE Detection Template`

			`Here's an example template for detecting CVE-2021-44228 (Log4j vulnerability):`

			```yaml
			`id: CVE-2021-44228`

			`info:`
			`name: Apache Log4j RCE`
			`author: pdteam`
			`severity: critical`
			`description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints.`
			`reference:`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-44228`

			`requests:`
			`- raw:`
			`- \|`
			`GET /${jndi:ldap://{{interactsh-url}}} HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: ${jndi:ldap://{{interactsh-url}}}`
			`Referer: ${jndi:ldap://{{interactsh-url}}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol`
			`words:`
			`- "dns"`
			`- "http"`

			`- type: regex`
			`part: interactsh_request`
			`regex:`
			`- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'`
			```

			`This template sends requests with JNDI lookup strings in various HTTP headers and checks for DNS or HTTP callbacks to detect the Log4j vulnerability[8].`

			`## Best Practices for Template Creation`

			`1. Use clear and descriptive template IDs and names`
			`2. Include accurate metadata (author, severity, description)`
			3. Utilize dynamic variables like `{{BaseURL}}` for flexibility
			`4. Implement precise matchers to reduce false positives`
			`5. Test templates thoroughly before submission`
Update intro_to_nuclei.md 2024-07-18 14:47:00 -04:00			`6. Follow the [community template contributions](https://github.com/projectdiscovery/nuclei-templates/tree/main/dns)`