nuclei - Trickest Platform Documentation

Details

Category: Scanners

Publisher: trickest

Created Date: 6/23/2021

Container: quay.io/trickest/nuclei:v3.3.5

Source URL: https://github.com/projectdiscovery/nuclei

Parameters

sni

string

Command: -sni - tls sni hostname to use (default: input domain name)

var

string

Command: -var - custom vars in key=value format

code

boolean

Command: -code - enable loading code protocol-based templates

dast

boolean

Command: -dast - only run DAST templates

list

file

required

Command: -list - List of target URLs/hosts to scan

tags

string

Command: -tags - templates to run based on tags (comma-separated)

type

string

Command: -type - templates to run based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript

ztls

boolean

Command: -ztls - use ztls library with autofallback to standard one for tls13

debug

boolean

Command: -debug - show all requests and responses

jsonl

boolean

Command: -jsonl - write output in JSONL(ines) format

proxy

string

Command: -proxy - list of http/socks5 proxy to use (comma separated)

reset

boolean

Command: -reset - reset removes all nuclei configuration and data files (including nuclei-templates)

stats

boolean

Command: -stats - Display stats of the running scan.

author

string

Command: -author - templates to run based on authors (comma-separated)

config

file

Command: -config - path to the nuclei configuration file

header

string

Command: -header - custom header/cookie to include in all http requests in header:value format

no-mhe

boolean

Command: -no-mhe - disable skipping host from scan based on errors

redact

string

Command: -redact - redact given list of keys from query parameter, request header and body

resume

file

Command: -resume - Resume scan using resume.cfg (clustering will be disabled)

silent

string

Command: -silent - display findings only

stream

boolean

Command: -stream - stream mode - start elaborating without sorting the input

target

string

required

Command: -target - target URLs/hosts to scan

no-meta

boolean

Command: -no-meta - disable printing result metadata in cli output

passive

boolean

Command: -passive - enable passive HTTP response processing mode

profile

string

Command: -profile - template profile config file to run

project

boolean

Command: -project - Use a project folder to avoid sending same request multiple times.

retries

string

Command: -retries - number of times to retry a failed request (default 1)

timeout

string

Command: -timeout - time to wait in seconds before timeout (default 10)

uncover

boolean

Command: -uncover - enable uncover engine

verbose

boolean

Command: -verbose - show verbose output

env-vars

boolean

Command: -env-vars - enable environment variables to be used in template

headless

string

Command: -headless - enable templates that require headless browser support (root user on linux will disable sandbox)

no-color

boolean

Command: -no-color - disable output content coloring (ANSI escape codes)

no-httpx

boolean

Command: -no-httpx - disable httpx probing for non-url input

no-stdin

boolean

Command: -no-stdin - disable stdin processing

omit-raw

boolean

Command: -omit-raw - omit request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only)

severity

string

Command: -severity - templates to run based on severity. Possible values: info, low, medium, high, critical, unknown

template

file

required

Command: -templates - template file to run

validate

boolean

Command: -validate - validate the passed templates to nuclei

bulk-size

string

Command: -bulk-size - maximum number of hosts to be analyzed in parallel per template (default 25)

client-ca

file

Command: -client-ca - client certificate authority file (PEM-encoded) used for authenticating against scanned hosts

debug-req

boolean

Command: -debug-req - show all sent requests

interface

string

Command: -interface - network interface to use for network scan

list-tags

boolean

Command: -tgl - list all available tags

resolvers

file

Command: -resolvers - file containing resolver list for nuclei

source-ip

string

Command: -source-ip - source ip address to use for network scan

tags-list

file

Command: -tags - templates to run based on tags

templates

folder

required

Command: -templates - folder of templates to run

timestamp

boolean

Command: -timestamp - enables printing timestamp in cli output

vars-list

file

Command: -var - custom vars in key=value format

workflows

string

Command: -workflows - list of workflow or workflow directory to run (comma-separated)

client-key

file

Command: -client-key - client key file (PEM-encoded) used for authenticating against scanned hosts

debug-resp

boolean

Command: -debug-resp - show all received responses

exclude-id

string

Command: -exclude-id - templates to exclude based on template ids (comma-separated)

ip-version

string

Command: -ip-version - IP version to scan of hostname (4,6) - (default 4)

proxy-list

file

Command: -proxy - list of http/socks5 proxy to use

rate-limit

string

Command: -rate-limit - maximum number of requests to send per second (default 150)

stats-json

boolean

Command: -stats-json - Write statistics data to stdout in JSONL(ines) format

attack-type

string

Command: -attack-type - type of payload combinations to perform (batteringram,pitchfork,clusterbomb)

author-list

file

Command: -author - templates to run based on authors

client-cert

file

Command: -client-cert - client certificate file (PEM-encoded) used for authenticating against scanned hosts

concurrency

string

Command: -concurrency - maximum number of templates to be executed in parallel (default 25)

force-http2

boolean

Command: -force-http2 - force http2 connection on requests

secret-file

file

Command: -secret-file - path to config file containing secrets for nuclei authenticated scan

template-id

string

Command: -template-id - templates to run based on template ids (comma-separated)

enable-pprof

boolean

Command: -enable-pprof - enable pprof debugging server

exclude-tags

string

Command: -exclude-tags - templates to exclude based on tags (comma-separated)

exclude-type

string

Command: -exclude-type - templates to exclude based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript

fuzzing-mode

string

Command: -fuzzing-mode - overrides fuzzing mode set in template (multiple, single)

fuzzing-type

string

Command: -fuzzing-type - overrides fuzzing type set in template (replace, prefix, postfix, infix)

hang-monitor

boolean

Command: -hang-monitor - enable nuclei hang monitoring

headers-list

file

Command: -header - custom list of headers/cookies to include in all http requests in header:value

health-check

boolean

Command: -health-check - run diagnostic check up

include-tags

string

Command: -include-tags - tags to be executed even if they are excluded either by default or configuration

metrics-port

string

Command: -metrics-port - port to expose nuclei metrics on (default 9092)

page-timeout

string

Command: -page-timeout - seconds to wait for each page in headless mode (default 20)

profile-list

boolean

Command: -profile-list - list community template profiles

project-path

folder

Command: -project-path - Use a user defined project folder. Temporary folder is used if not specified but enabled.

scan-all-ips

boolean

Command: -scan-all-ips - scan all the IP's associated with dns record

template-url

string

Command: -template-url - template urls to run (comma-separated)

workflow-url

string

Command: -workflow-url - workflow urls to run (comma-separated)

exclude-hosts

file

Command: -exclude-hosts - hosts to exclude to scan from the input list (ip, cidr, hostname)

max-redirects

string

Command: -max-redirects - max number of redirects to follow for http templates (default 10)

new-templates

boolean

Command: -new-templates - run only new templates added in latest nuclei-templates release

no-interactsh

boolean

Command: -no-interactsh - disable interactsh server for OAST testing, exclude OAST based templates

omit-template

boolean

Command: -omit-template - omit encoded template in the JSON, JSONL output

report-config

file

Command: -report-config - nuclei reporting module configuration file

scan-strategy

string

Command: -scan-strategy - strategy to use while scanning(auto/host-spray/template-spray) (default auto)

show-var-dump

boolean

Command: -show-var-dump - show variables dump for debugging

system-chrome

boolean

Command: -system-chrome - use local installed Chrome browser instead of nuclei installed

target-folder

folder

Command: -target - folder containing files to execute file templates on

template-urls

file

Command: -template-url - list of template urls to run

uncover-delay

string

Command: -uncover-delay - delay between uncover query requests in seconds (0 to disable) (default 1)

uncover-field

string

Command: -uncover-field - uncover fields to return (ip,port,host) (default ip:port)

uncover-limit

string

Command: -uncover-limit - uncover results to return (default 100)

uncover-query

string

Command: -uncover-query - uncover search query

workflow-urls

file

Command: -workflow-url - list of workflow urls to run

automatic-scan

boolean

Command: -automatic-scan - automatic web scan using wappalyzer technology detection to tags mapping

js-concurrency

string

Command: -js-concurrency - maximum number of javascript runtimes to be executed in parallel (default 120)

list-templates

boolean

Command: -tl - list all available templates

matcher-status

boolean

Command: -matcher-status - display match failure status

max-host-error

string

Command: -max-host-error - max errors for a host before skipping from scan (default 30)

proxy-internal

boolean

Command: -proxy-internal - proxy all internal requests

stats-interval

string

Command: -stats-interval - number of seconds to wait between showing a statistics update (default 5)

templates-list

file

Command: -templates - list of template to run

uncover-engine

string

Command: -uncover-engine - uncover search engine (shodan,shodan-idb,fofa,censys,quake,hunter,zoomeye,netlas) (default shodan)

workflows-list

file

Command: -workflows - list of workflow or workflow directory to run

exclude-id-list

file

Command: -exclude-id - templates to exclude based on template ids

show-match-line

boolean

Command: -show-match-line - show match lines for file templates, works with extractors only

tls-impersonate

boolean

Command: -tls-impersonate - enable experimental client hello (ja3) tls randomization

exclude-matchers

string

Command: -exclude-matchers - template matchers to exclude in result

exclude-severity

string

Command: -exclude-severity - templates to exclude based on severity. Possible values: info, low, medium, high, critical, unknown

follow-redirects

boolean

Command: -follow-redirects - enable following redirects for http templates

headless-options

string

Command: -headless-options - start headless chrome with additional options

interactsh-token

string

Command: -interactsh-token - authentication token for self-hosted interactsh server

no-strict-syntax

boolean

Command: -no-strict-syntax - Disable strict syntax check on templates

prefetch-secrets

boolean

Command: -prefetch-secrets - prefetch secrets from the secrets file

system-resolvers

boolean

Command: -system-resolvers - use system DNS resolving as error fallback

template-id-list

file

Command: -template-id - templates to run based on template ids

track-error-file

file

Command: -track-error - adds given error to max-host-error watchlist

dialer-keep-alive

string

Command: -dialer-keep-alive - keep-alive duration for network requests.

disable-redirects

boolean

Command: -disable-redirects - disable redirects for http templates

display-templates

boolean

Command: -vv - display templates loaded for scan

exclude-tags-list

file

Command: -exclude-tags - templates to exclude based on tags

exclude-templates

string

Command: -exclude-templates - template or template directory to exclude (comma-separated)

include-tags-list

file

Command: -include-tags - tags to be executed even if they are excluded either by default or configuration

include-templates

string

Command: -include-templates - templates to be executed even if they are excluded either by default or configuration

interactsh-server

string

Command: -interactsh-server - interactsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me)

list-dsl-function

boolean

Command: -list-dsl-function - list all supported DSL function signatures

rate-limit-minute

string

Command: -rate-limit-minute - maximum number of requests to send per minute

templates-version

boolean

Command: -templates-version - shows the version of the installed nuclei-templates

uncover-ratelimit

string

Command: -uncover-ratelimit - override ratelimit of engines with unknown ratelimit (default 60 req/min) (default 60)

disable-clustering

boolean

Command: -disable-clustering - disable clustering of requests

headless-bulk-size

string

Command: -headless-bulk-size - maximum number of headless hosts to be analyzed in parallel per template (default 10)

input-read-timeout

string

Command: -input-read-timeout - timeout on input read (default 3m0s)

response-size-read

string

Command: -response-size-read - max response size to read in bytes (default 10485760)

response-size-save

string

Command: -response-size-save - max response size to read in bytes (default 1048576)

template-condition

string

Command: -template-condition - templates to run based on expression condition

template-directory

string

Command: -templates - template directory to run

leave-default-ports

boolean

Command: -leave-default-ports - leave default HTTP/HTTPS ports (eg. host:80,host:443

payload-concurrency

string

Command: -payload-concurrency - max payload concurrency for each template (default 25)

stop-at-first-match

boolean

Command: -stop-at-first-match - stop processing HTTP requests after the first match (may break template/workflow logic)

disable-update-check

boolean

Command: -disable-update-check - disable automatic nuclei/templates update check

headless-concurrency

string

Command: -headless-concurrency - maximum number of headless templates to be executed in parallel (default 10)

list-headless-action

boolean

Command: -list-headless-action - list available headless actions

exclude-matchers-list

file

Command: -exclude-matchers - template matchers to exclude in result

follow-host-redirects

boolean

Command: -follow-host-redirects - follow redirects on the same host

interactions-eviction

string

Command: -interactions-eviction - number of seconds to wait before evicting requests from cache (default 60)

new-templates-version

string

Command: -new-templates-version - run new templates added in specific version

exclude-templates-list

file

Command: -exclude-templates - template or template directory to exclude

include-templates-list

file

Command: -include-templates - templates to be executed even if they are excluded either by default or configuration

allow-local-file-access

boolean

Command: -allow-local-file-access - allows file (payload) access anywhere on the system

interactions-cache-size

string

Command: -interactions-cache-size - number of requests to keep in the interactions cache (default 5000)

interactions-poll-duration

string

Command: -interactions-poll-duration - number of seconds to wait before each interaction poll request (default 5)

interactions-cooldown-period

string

Command: -interactions-cooldown-period - extra time for interaction polling before exiting (default 5)

restrict-local-network-access

boolean

Command: -restrict-local-network-access - blocks connections to the local / private network

Library

Details

Parameters