Can't Find Vulnerabilities? Try Nuclei, the Lightweight Template Scanner
The article introduces Nuclei, a fast, template‑driven vulnerability scanner that outperforms heavyweight tools like OpenVAS and Nessus, explains how to install it on Kali, update templates, run single‑target and bulk scans with various options, and demonstrates writing custom YAML templates and using its new AI‑assisted detection feature.
Overview
Nuclei is a template‑driven vulnerability scanner. The official template library contains over 7,000 YAML templates covering CVEs, default‑configuration leaks, penetration‑testing checks, technology fingerprinting, and network‑infrastructure detection. The library is updated daily.
Installation
On Kali Linux, Nuclei is pre-installed. If it is missing, install it with:
sudo apt update
sudo apt install nuclei -y
Updating Templates
Templates are the sole source of detection logic, so update them before scanning:
nuclei -ut
This command clones or pulls the official repository from GitHub into ~/.local/nuclei-templates/. If the automatic download fails, clone manually:
https://github.com/projectdiscovery/nuclei-templates
Scanning Targets
Single target
nuclei -u https://example.com
The default run loads all templates (e.g., 2,390 templates in the example) and sends a request for each.
Bulk scanning
nuclei -l targets.txt
Silent mode (show only findings)
nuclei -u https://example.com -silent
Severity filter
nuclei -u https://example.com -s high,critical
Supported severity levels: info, low, medium, high, critical, unknown.
Template ID selection
nuclei -u https://example.com -id spring4shell,log4shell
Multiple IDs are comma-separated; wildcards are allowed.
Scanning a specific template directory
nuclei -u https://example.com -t http/cves/
# Scan only CVE templates
nuclei -u https://example.com -t http/cves/2024/
Technology-aware scanning (-as)
In Nuclei 3.x the -as flag runs Wappalyzer first to detect the target’s technology stack (e.g., Nginx, PHP, WordPress) and then loads only the relevant templates, reducing scan time and false positives.
nuclei -u https://example.com -as -s medium,high,critical -o vulns.txt
AI-Assisted Template Generation
From version 3.x, Nuclei can generate a detection template from a natural‑language description when an OpenAI‑compatible API key is configured.
# The prompt below reads: "Detect the Apache Shiro deserialization vulnerability"
nuclei -u https://example.com -ai "检测 Apache Shiro 反序列化漏洞"
Writing Custom Templates
A custom YAML template can be created to check for a specific condition. Example: detect whether a web application exposes an admin panel.
id: myapp-admin-panel

info:
  name: MyApp Admin Panel
  author: 逍遥子大表哥
  severity: info
  # The description reads: "Detects the MyApp admin panel page"
  description: 检测 MyApp 后台管理页面
  metadata:
    max-request: 1

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin/"

    # Both matchers below must succeed for a finding to be reported
    matchers-condition: and
    matchers:
      # Either word in the response is enough for this matcher
      - type: word
        words:
          - "MyApp Admin"
          - "Dashboard"
        condition: or

      - type: status
        status:
          - 200

Save the file as myapp-admin.yaml and run it against a target:
nuclei -u https://example.com -t myapp-admin.yaml
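How the matchers in myapp-admin.yaml combine, as an added example that is not Nuclei's own code or part of the original article: a simplified Python model of matchers-condition and the word matcher's condition, run over constructed responses to show where the template as written reports a false positive. The function names, the sample responses and the assumption that words are matched against the response body only are illustrative.

```python
# Simplified model of the matchers in myapp-admin.yaml (added example, not Nuclei's code).
# Assumption: the word matcher is checked against the response body only.
TEMPLATE = {
    "matchers-condition": "and",
    "matchers": [
        {"type": "word", "words": ["MyApp Admin", "Dashboard"], "condition": "or"},
        {"type": "status", "status": [200]},
    ],
}

# Constructed sample responses (status, body); not captured from any real host.
SAMPLES = {
    "real admin panel": (200, "<title>MyApp Admin</title><h1>Dashboard</h1>"),
    "login redirect": (302, "MyApp Admin"),
    "unrelated app": (200, "<h1>Sales Dashboard</h1>"),
    "not found": (404, "Not Found"),
}


def eval_matcher(matcher, status, body):
    """Evaluate one matcher against a response."""
    if matcher["type"] == "word":
        hits = [w in body for w in matcher["words"]]
        # condition: or -> any word suffices; and -> every word is required
        return all(hits) if matcher.get("condition", "or") == "and" else any(hits)
    if matcher["type"] == "status":
        return status in matcher["status"]
    raise ValueError(f"unsupported matcher type: {matcher['type']}")


def template_matches(spec, status, body):
    """Combine per-matcher results according to matchers-condition."""
    results = [eval_matcher(m, status, body) for m in spec["matchers"]]
    return all(results) if spec.get("matchers-condition", "or") == "and" else any(results)


def with_word_condition(spec, condition):
    """Copy of spec whose word matchers use the given condition (or/and)."""
    matchers = [dict(m, condition=condition) if m["type"] == "word" else dict(m)
                for m in spec["matchers"]]
    return {**spec, "matchers": matchers}


def run(spec):
    """Map each sample name to whether the template would report a finding."""
    return {name: template_matches(spec, s, b) for name, (s, b) in SAMPLES.items()}


if __name__ == "__main__":
    print("as written:", run(TEMPLATE))
    print("tightened: ", run(with_word_condition(TEMPLATE, "and")))
```

In the YAML template, the tightened variant corresponds to changing condition: or to condition: and under the word matcher, so a page that merely contains "Dashboard" no longer counts as a MyApp admin panel.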
Black & White Path
