Nuclei sends template-driven requests across targets, which is intended to give zero false positives together with fast vulnerability scanning of a large number of hosts. In practice a finding is only as reliable as the matchers in the template that produced it: a template that matches on a status code alone will still fire on a catch-all 200 page, so review the matchers before trusting a result. Nuclei can scan over a range of protocols, including TCP, DNS, HTTP, SSL, File, Whois, Websocket, Headless and Code. Common usage is shown below.
https://github.com/projectdiscovery/nuclei
Selecting targets
TARGET:
-u, -target string[] target URLs/hosts to scan
-l, -list string path to file containing a list of target URLs/hosts to scan (one per line)
Run nuclei on a single host:
$ nuclei -target example.com
$ nuclei -u example.com
Run nuclei against a list of hosts:
$ nuclei -list hosts.txt
Filtering
-tags: Filter based on tags field available in the template.
-severity: Filter based on severity field available in the template.
-t, -templates: list of template or template directory
-id, -template-id: templates to run based on template ids
Specify a template file or a template directory:
$ nuclei -u example.com -t CVE-2024-4577.yaml
$ nuclei -u example.com -t http/cves/ -t ssl
$ nuclei -u https://example.com -t cves/ -t exposures/
Select a particular template by its id, i.e. the id field inside the template file; for example, the id inside wp-xmlrpc.yaml is wordpress-xmlrpc-file:
$ nuclei -u https://example.com -template-id wordpress-xmlrpc-file
$ nuclei -u https://example.com -id wordpress-xmlrpc-file
Select by tag:
$ nuclei -u https://example.com -tags cve
$ nuclei -u https://example.com -tags sqli
$ nuclei -u https://example.com -tags lfi,xss,rce
Select by severity:
$ nuclei -u https://example.com -tags cve -severity critical,high
Output
Write results to report.csv (note that -o writes the same text lines that appear on the terminal; the .csv extension does not change the format, so use -jsonl or -json-export when the results need to be machine-readable):
$ nuclei -target example.com -o report.csv
Run nuclei with JSON output:
$ nuclei -target example.com -json-export output.json
-v: verbose output
-stats: show scan progress
[0:00:02] | Templates: 4870 | Hosts: 217 | RPS: 18 | Matched: 0 | Errors: 25 | Requests: 36/1455202 (0%)
[0:00:03] | Templates: 4870 | Hosts: 217 | RPS: 16 | Matched: 0 | Errors: 25 | Requests: 46/1455202 (0%)
[0:00:03] | Templates: 4870 | Hosts: 217 | RPS: 14 | Matched: 0 | Errors: 25 | Requests: 47/1455202 (0%)
Performance
-c or -concurrency
Maximum number of templates executed in parallel, default 25. This is not a cap on requests: the request rate is bounded separately by -rl / -rate-limit (requests per second, default 150), and the number of hosts scanned in parallel per template by -bs / -bulk-size (default 25), so tune those two when a target or a proxy starts dropping connections.
Other run-control flags
-mhe or -max-host-error: how many network errors a single target is allowed before scanning of that target is stopped
This flag controls the maximum number of (network type) errors to allow per host before removing the unresponsive host from the scan (current default is 30)
Explanation: when Nuclei scans a large batch of sites or targets, each target host may run into connection problems, such as:
• connection timeouts
• DNS resolution failures
• SSL/TLS handshake errors
• other errors of the same network type
This flag sets how many such errors a single target may accumulate before Nuclei stops scanning it, so that the run does not waste time stuck on hosts that are already dead. Errors of other kinds (for example an HTTP 4xx/5xx response) do not count toward this limit.
-resume: resume a scan from the point where an earlier run was interrupted
# nuclei -l url.list
...omit...
^C[INF] CTRL+C pressed: Exiting
[INF] Creating resume file: /Users/Eo/.config/nuclei/resume-cfb3outnsevg6m3t0jvg.cfg
# nuclei -l url.list -resume "/Users/Eo/.config/nuclei/resume-cfb3outnsevg6m3t0jvg.cfg"
Rules
Nuclei is a signature-based scanner, so it depends on a large body of detection rules, known as nuclei-templates. The public template set changes frequently; refresh it with nuclei -update-templates (or -ut) before a scan so that newly published checks are included.
Template repository: https://github.com/projectdiscovery/nuclei-templates
Template syntax: https://docs.projectdiscovery.io/templates/introduction
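As an added illustration (written for this page, not a template taken from nuclei-templates), here is a minimal HTTP template in the syntax documented above. The id, severity and tags fields are exactly what the -id, -severity and -tags filters in the filtering section select on. The path and matchers are chosen for illustration only: they flag a web root whose .git/config is readable, which usually means the whole repository can be pulled.

```yaml
# Illustrative template written for this page; not part of nuclei-templates.
id: example-git-config-exposure

info:
  name: Exposed .git/config (example template)
  author: example-author
  severity: medium
  description: >
    Detects a publicly readable .git/config. A readable .git directory
    usually allows the full source repository to be downloaded.
  tags: exposure,git,config

http:
  - method: GET
    path:
      - "{{BaseURL}}/.git/config"

    # Both matchers must hold, so a catch-all 200 page does not fire.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "[core]"
          - "repositoryformatversion"
        condition: and

      - type: status
        status:
          - 200
```

Check the syntax with nuclei -validate -t example-git-config-exposure.yaml and run it with nuclei -u https://example.com -t example-git-config-exposure.yaml; a hit appears in -jsonl output with template-id equal to the id field. Note that -id and -tags only select among templates nuclei has loaded (the default template directory, or whatever -t points at), so a custom template must be passed with -t or copied into that directory before those filters can reach it. Requiring both body strings in addition to status 200 is what keeps a generic 200 response from producing a false positive, the point raised in the introduction.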
Other scanners that build on Nuclei
- NucleiScanner
- scan4all
NucleiScanner
NucleiScanner is an automation wrapper. It uses Subfinder to collect subdomains, Gau to collect URLs (filtering out unwanted file extensions), ParamSpider to identify potential entry points, and Nuclei scanning templates to scan for vulnerabilities.
Tools included:
Nuclei: git clone https://github.com/projectdiscovery/nuclei.git
Subfinder: git clone https://github.com/projectdiscovery/subfinder.git
Gau: git clone https://github.com/lc/gau.git
ParamSpider: git clone https://github.com/0xKayala/ParamSpider.git
httpx: git clone https://github.com/projectdiscovery/httpx.git
Templates:
Nuclei Templates: git clone https://github.com/projectdiscovery/nuclei-templates.git
Reference:
https://github.com/0xKayala/NucleiScanner
scan4all
Integrates vscan, nuclei, ksubdomain, subfinder and others into a fully automated pipeline, with code-level and parameter-level tuning of the integrated projects; some modules, such as the vscan filefuzz part, were rewritten. It ships 15000+ PoC vulnerability checks; weak-password brute forcing for 23 applications; 7000+ web fingerprints; port scanning with 90000+ rules across 146 protocols; and fuzzing, HW (HVV exercise) foothold discovery and bug-bounty tooling.
Reference:
https://github.com/GhostTroops/scan4all/blob/main/README_CN.md