Nuclei

Nuclei sends requests to targets based on templates, which gives zero false positives and fast vulnerability scanning across large numbers of hosts. Nuclei can scan many protocols, including TCP, DNS, HTTP, SSL, File, Whois, Websocket, Headless, Code and more. Common usage is shown below.

https://github.com/projectdiscovery/nuclei


Selecting targets

TARGET:
-u, -target string[] target URLs/hosts to scan
-l, -list string path to file containing a list of target URLs/hosts to scan (one per line)

Run nuclei on single host:
$ nuclei -target example.com

$ nuclei -u example.com

Run nuclei against a list of hosts:
$ nuclei -list hosts.txt


Filtering

-tags: Filter based on tags field available in the template.
-severity: Filter based on severity field available in the template.
-t, -templates: list of template or template directory
-id, -template-id: templates to run based on template ids

Specify a template file or a template directory

$ nuclei -u example.com -t CVE-2024-4577.yaml
$ nuclei -u example.com -t http/cves/ -t ssl
$ nuclei -u https://example.com -t cves/ -t exposures/

Select a specific template by its id; for example, the ID inside wp-xmlrpc.yaml is wordpress-xmlrpc-file

$ nuclei -u https://example.com -template-id wordpress-xmlrpc-file
$ nuclei -u https://example.com -id wordpress-xmlrpc-file

Specify tags
$ nuclei -u https://example.com -tags cve
$ nuclei -u https://example.com -tags sqli
$ nuclei -u https://example.com -tags lfi,xss,rce

Specify severity
$ nuclei -u https://example.com -tags cve -severity critical,high


Output

Write results to report.csv

$ nuclei -target example.com -o report.csv

Run nuclei with a JSON output:
$ nuclei -target example.com -json-export output.json

-v: show verbose output

-stats: show scan progress

[0:00:02] | Templates: 4870 | Hosts: 217 | RPS: 18 | Matched: 0 | Errors: 25 | Requests: 36/1455202 (0%)
[0:00:03] | Templates: 4870 | Hosts: 217 | RPS: 16 | Matched: 0 | Errors: 25 | Requests: 46/1455202 (0%)
[0:00:03] | Templates: 4870 | Hosts: 217 | RPS: 14 | Matched: 0 | Errors: 25 | Requests: 47/1455202 (0%)
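The -stats lines above are easy to read by eye but awkward to watch on a long scan. The following parser is an added example (not part of the original page or of Nuclei itself): it turns each stats line into integers and derives progress, an error ratio and a rough time-to-finish from the last line seen. The three sample lines are copied from the output above; the extra "[INF]" line is constructed to show that non-stats lines are skipped.

```python
import re
from typing import Dict, List

# Layout of the progress line nuclei prints with -stats, as shown above:
# "[h:mm:ss] | Templates: N | Hosts: N | RPS: N | Matched: N | Errors: N | Requests: done/total (pct%)"
STATS_RE = re.compile(
    r"\[(?P<elapsed>\d+:\d{2}:\d{2})\]\s*\|\s*"
    r"Templates:\s*(?P<templates>\d+)\s*\|\s*"
    r"Hosts:\s*(?P<hosts>\d+)\s*\|\s*"
    r"RPS:\s*(?P<rps>\d+)\s*\|\s*"
    r"Matched:\s*(?P<matched>\d+)\s*\|\s*"
    r"Errors:\s*(?P<errors>\d+)\s*\|\s*"
    r"Requests:\s*(?P<done>\d+)/(?P<total>\d+)"
)

# Sample stream: the three stats lines from the page plus one constructed non-stats line.
SAMPLE_STATS: List[str] = [
    "[0:00:02] | Templates: 4870 | Hosts: 217 | RPS: 18 | Matched: 0 | Errors: 25 | Requests: 36/1455202 (0%)",
    "[INF] constructed non-stats log line, should be ignored",
    "[0:00:03] | Templates: 4870 | Hosts: 217 | RPS: 16 | Matched: 0 | Errors: 25 | Requests: 46/1455202 (0%)",
    "[0:00:03] | Templates: 4870 | Hosts: 217 | RPS: 14 | Matched: 0 | Errors: 25 | Requests: 47/1455202 (0%)",
]


def parse_stats_line(line: str) -> Dict[str, int]:
    """Parse one -stats line into integers; raise ValueError if the line is not a stats line."""
    m = STATS_RE.search(line)
    if not m:
        raise ValueError(f"not a nuclei stats line: {line!r}")
    hours, minutes, seconds = (int(x) for x in m.group("elapsed").split(":"))
    out = {k: int(v) for k, v in m.groupdict().items() if k != "elapsed"}
    out["elapsed_s"] = hours * 3600 + minutes * 60 + seconds
    return out


def summarize(lines: List[str]) -> Dict[str, float]:
    """Use the last stats line in a stream to derive the numbers worth watching."""
    parsed = []
    for line in lines:
        try:
            parsed.append(parse_stats_line(line))
        except ValueError:
            continue  # findings and [INF] lines share the stream; skip them
    if not parsed:
        raise ValueError("no stats lines found")
    last = parsed[-1]
    remaining = last["total"] - last["done"]
    return {
        "elapsed_s": last["elapsed_s"],
        "progress_pct": 100.0 * last["done"] / last["total"],
        # errors relative to completed requests: a high ratio usually means dead hosts
        "error_ratio": last["errors"] / last["done"] if last["done"] else 0.0,
        # naive estimate from the most recent request rate
        "eta_s": remaining / last["rps"] if last["rps"] else float("inf"),
        "matched": last["matched"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_STATS).items():
        print(f"{key}: {value}")
```

Pipe a live scan through it with `nuclei ... -stats 2>&1 | python3 parse_stats.py` after replacing SAMPLE_STATS with `sys.stdin`; the error ratio is the quickest signal that many targets are unreachable and that -max-host-error (see below) is doing its job.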

Performance

-c or -concurrency

Number of concurrent requests; default 25


Other options that control how the scan runs

-mhe or -max-host-error: how many errors of this kind a single target is allowed before scanning of that target stops
This flag controls the maximum number of (network type) errors to allow per host before removing the unresponsive host from the scan (current default is 30)

Explanation: when Nuclei batch-scans a large number of websites or targets, each target host may run into connection problems such as:

• Connection timeout
• DNS resolution failure
• SSL/TLS handshake error
• Other similar network type errors

This flag sets how many such errors a single target is allowed before scanning of that target stops, so no time is wasted on targets that are already dead.
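To make the behaviour of this per-host error budget concrete, here is an added example that models it in Python. It is not Nuclei's own code: it assumes a request function `send(host, template_id)` that raises `NetworkError` for the network-type failures listed above, counts those failures per host, and drops the host once the count reaches `max_host_error` (30, the default quoted above). The hosts and the fake `send` in `demo()` are constructed for the example.

```python
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Tuple


class NetworkError(Exception):
    """Models the network-type errors listed above: timeout, DNS failure, TLS handshake error."""


def scan_with_host_error_budget(
    hosts: Iterable[str],
    template_ids: Iterable[str],
    send: Callable[[str, str], str],   # assumed request function, raises NetworkError on failure
    max_host_error: int = 30,          # default quoted in the text above
) -> Tuple[List[Tuple[str, str, str]], Dict[str, int], List[str]]:
    """Run every (host, template) pair, but stop a host once it hits the error budget.

    Returns (successful results, error count per host, hosts that were dropped).
    """
    errors: Dict[str, int] = defaultdict(int)
    dropped: List[str] = []
    results: List[Tuple[str, str, str]] = []
    templates = list(template_ids)
    for host in hosts:
        for tid in templates:
            try:
                results.append((host, tid, send(host, tid)))
            except NetworkError:
                errors[host] += 1
                if errors[host] >= max_host_error:
                    dropped.append(host)   # unresponsive host removed from the rest of the scan
                    break
    return results, dict(errors), dropped


def demo(max_host_error: int = 30) -> Tuple[List[Tuple[str, str, str]], Dict[str, int], List[str]]:
    """Constructed scenario: one live host, one dead host, 50 templates each."""
    hosts = ["alive.example", "dead.example"]          # constructed names
    templates = [f"template-{i}" for i in range(50)]   # constructed template ids

    def fake_send(host: str, tid: str) -> str:
        if host == "dead.example":
            raise NetworkError("connection timeout")   # every request to the dead host fails
        return "no match"

    return scan_with_host_error_budget(hosts, templates, fake_send, max_host_error)


if __name__ == "__main__":
    results, errors, dropped = demo()
    print(f"successful requests: {len(results)}")
    print(f"errors per host: {errors}")
    print(f"dropped hosts: {dropped}")
```

With the budget at 30, the dead host costs 30 failed requests instead of 50 (or, on a real scan, instead of one request per template in the whole template set); the live host is unaffected. Raising `max_host_error` trades wasted requests for tolerance of flaky targets.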

-resume: continue a previously interrupted scan from where it stopped

# nuclei -l url.list
...omit...
^C[INF] CTRL+C pressed: Exiting
[INF] Creating resume file: /Users/Eo/.config/nuclei/resume-cfb3outnsevg6m3t0jvg.cfg

# nuclei -l url.list -resume "/Users/Eo/.config/nuclei/resume-cfb3outnsevg6m3t0jvg.cfg" 

Rules

Nuclei is a signature-based scanner, so it depends on a large set of signature rules, also called nuclei-templates.

Template collection: https://github.com/projectdiscovery/nuclei-templates

How to write templates: https://docs.projectdiscovery.io/templates/introduction


Other scanners that work together with Nuclei

  • NucleiScanner 
  • scan4all

NucleiScanner 

NucleiScanner is an automation tool. It uses Subfinder to collect subdomains, Gau to collect URLs (filtering out unwanted extensions), ParamSpider to identify potential entry points, and Nuclei scanning templates to scan for vulnerabilities.

Tools included:

Nuclei git clone https://github.com/projectdiscovery/nuclei.git

Subfinder git clone https://github.com/projectdiscovery/subfinder.git

Gau git clone https://github.com/lc/gau.git

ParamSpider git clone https://github.com/0xKayala/ParamSpider.git

httpx git clone https://github.com/projectdiscovery/httpx.git

Templates:

Nuclei Templates git clone https://github.com/projectdiscovery/nuclei-templates.git

Reference
https://github.com/0xKayala/NucleiScanner


scan4all

Integrates vscan, nuclei, ksubdomain, subfinder and others, with full automation and intelligence; the integrated projects received code-level and parameter-level optimisation, and individual modules, such as the vscan filefuzz part, were rewritten. Includes 15000+ PoC vulnerability scans; weak-password brute forcing for 23 applications; 7000+ web fingerprints; port scanning with 146 protocols and 90000+ rules; a go-to tool for fuzzing, HW (red/blue exercise) foothold discovery and bug bounty.

Reference
https://github.com/GhostTroops/scan4all/blob/main/README_CN.md