nuclei
Fast and customizable vulnerability scanner based on simple YAML based DSL.
Details
Category: Scanners
Publisher: trickest
Created Date: 6/23/2021
Container: quay.io/trickest/nuclei:v3.3.5
Source URL: https://github.com/projectdiscovery/nuclei
Parameters
Command: -sni
- tls sni hostname to use (default: input domain name)
Command: -var
- custom vars in key=value format
Command: -code
- enable loading code protocol-based templates
Command: -dast
- only run DAST templates
Command: -list
- List of target URLs/hosts to scan
Command: -tags
- templates to run based on tags (comma-separated)
Command: -type
- templates to run based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript
Command: -ztls
- use ztls library with autofallback to standard one for tls13
Command: -debug
- show all requests and responses
Command: -jsonl
- write output in JSONL(ines) format
Command: -proxy
- list of http/socks5 proxy to use (comma separated)
Command: -reset
- reset removes all nuclei configuration and data files (including nuclei-templates)
Command: -stats
- Display stats of the running scan.
Command: -author
- templates to run based on authors (comma-separated)
Command: -config
- path to the nuclei configuration file
Command: -header
- custom header/cookie to include in all http requests in header:value format
Command: -no-mhe
- disable skipping host from scan based on errors
Command: -redact
- redact given list of keys from query parameter, request header and body
Command: -resume
- Resume scan using resume.cfg (clustering will be disabled)
Command: -silent
- display findings only
Command: -stream
- stream mode - start elaborating without sorting the input
Command: -target
- target URLs/hosts to scan
Command: -no-meta
- disable printing result metadata in cli output
Command: -passive
- enable passive HTTP response processing mode
Command: -profile
- template profile config file to run
Command: -project
- Use a project folder to avoid sending same request multiple times.
Command: -retries
- number of times to retry a failed request (default 1)
Command: -timeout
- time to wait in seconds before timeout (default 10)
Command: -uncover
- enable uncover engine
Command: -verbose
- show verbose output
Command: -env-vars
- enable environment variables to be used in template
Command: -headless
- enable templates that require headless browser support (root user on linux will disable sandbox)
Command: -no-color
- disable output content coloring (ANSI escape codes)
Command: -no-httpx
- disable httpx probing for non-url input
Command: -no-stdin
- disable stdin processing
Command: -omit-raw
- omit request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only)
Command: -severity
- templates to run based on severity. Possible values: info, low, medium, high, critical, unknown
Command: -templates
- template file to run
Command: -validate
- validate the passed templates to nuclei
Command: -bulk-size
- maximum number of hosts to be analyzed in parallel per template (default 25)
Command: -client-ca
- client certificate authority file (PEM-encoded) used for authenticating against scanned hosts
Command: -debug-req
- show all sent requests
Command: -interface
- network interface to use for network scan
Command: -tgl
- list all available tags
Command: -resolvers
- file containing resolver list for nuclei
Command: -source-ip
- source ip address to use for network scan
Command: -tags
- templates to run based on tags
Command: -templates
- folder of templates to run
Command: -timestamp
- enables printing timestamp in cli output
Command: -var
- custom vars in key=value format
Command: -workflows
- list of workflow or workflow directory to run (comma-separated)
Command: -client-key
- client key file (PEM-encoded) used for authenticating against scanned hosts
Command: -debug-resp
- show all received responses
Command: -exclude-id
- templates to exclude based on template ids (comma-separated)
Command: -ip-version
- IP version to scan of hostname (4,6) - (default 4)
Command: -proxy
- list of http/socks5 proxy to use
Command: -rate-limit
- maximum number of requests to send per second (default 150)
Command: -stats-json
- Write statistics data to stdout in JSONL(ines) format
Command: -attack-type
- type of payload combinations to perform (batteringram,pitchfork,clusterbomb)
Command: -author
- templates to run based on authors
Command: -client-cert
- client certificate file (PEM-encoded) used for authenticating against scanned hosts
Command: -concurrency
- maximum number of templates to be executed in parallel (default 25)
Command: -force-http2
- force http2 connection on requests
Command: -secret-file
- path to config file containing secrets for nuclei authenticated scan
Command: -template-id
- templates to run based on template ids (comma-separated)
Command: -enable-pprof
- enable pprof debugging server
Command: -exclude-tags
- templates to exclude based on tags (comma-separated)
Command: -exclude-type
- templates to exclude based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript
Command: -fuzzing-mode
- overrides fuzzing mode set in template (multiple, single)
Command: -fuzzing-type
- overrides fuzzing type set in template (replace, prefix, postfix, infix)
Command: -hang-monitor
- enable nuclei hang monitoring
Command: -header
- custom list of headers/cookies to include in all http requests in header:value
Command: -health-check
- run diagnostic check up
Command: -include-tags
- tags to be executed even if they are excluded either by default or configuration
Command: -metrics-port
- port to expose nuclei metrics on (default 9092)
Command: -page-timeout
- seconds to wait for each page in headless mode (default 20)
Command: -profile-list
- list community template profiles
Command: -project-path
- Use a user defined project folder. Temporary folder is used if not specified but enabled.
Command: -scan-all-ips
- scan all the IP's associated with dns record
Command: -template-url
- template urls to run (comma-separated)
Command: -workflow-url
- workflow urls to run (comma-separated)
Command: -exclude-hosts
- hosts to exclude to scan from the input list (ip, cidr, hostname)
Command: -max-redirects
- max number of redirects to follow for http templates (default 10)
Command: -new-templates
- run only new templates added in latest nuclei-templates release
Command: -no-interactsh
- disable interactsh server for OAST testing, exclude OAST based templates
Command: -omit-template
- omit encoded template in the JSON, JSONL output
Command: -report-config
- nuclei reporting module configuration file
Command: -scan-strategy
- strategy to use while scanning(auto/host-spray/template-spray) (default auto)
Command: -show-var-dump
- show variables dump for debugging
Command: -system-chrome
- use local installed Chrome browser instead of nuclei installed
Command: -target
- folder containing files to execute file templates on
Command: -template-url
- list of template urls to run
Command: -uncover-delay
- delay between uncover query requests in seconds (0 to disable) (default 1)
Command: -uncover-field
- uncover fields to return (ip,port,host) (default ip:port)
Command: -uncover-limit
- uncover results to return (default 100)
Command: -uncover-query
- uncover search query
Command: -workflow-url
- list of workflow urls to run
Command: -automatic-scan
- automatic web scan using wappalyzer technology detection to tags mapping
Command: -js-concurrency
- maximum number of javascript runtimes to be executed in parallel (default 120)
Command: -tl
- list all available templates
Command: -matcher-status
- display match failure status
Command: -max-host-error
- max errors for a host before skipping from scan (default 30)
Command: -proxy-internal
- proxy all internal requests
Command: -stats-interval
- number of seconds to wait between showing a statistics update (default 5)
Command: -templates
- list of template to run
Command: -uncover-engine
- uncover search engine (shodan,shodan-idb,fofa,censys,quake,hunter,zoomeye,netlas) (default shodan)
Command: -workflows
- list of workflow or workflow directory to run
Command: -exclude-id
- templates to exclude based on template ids
Command: -show-match-line
- show match lines for file templates, works with extractors only
Command: -tls-impersonate
- enable experimental client hello (ja3) tls randomization
Command: -exclude-matchers
- template matchers to exclude in result
Command: -exclude-severity
- templates to exclude based on severity. Possible values: info, low, medium, high, critical, unknown
Command: -follow-redirects
- enable following redirects for http templates
Command: -headless-options
- start headless chrome with additional options
Command: -interactsh-token
- authentication token for self-hosted interactsh server
Command: -no-strict-syntax
- Disable strict syntax check on templates
Command: -prefetch-secrets
- prefetch secrets from the secrets file
Command: -system-resolvers
- use system DNS resolving as error fallback
Command: -template-id
- templates to run based on template ids
Command: -track-error
- adds given error to max-host-error watchlist
Command: -dialer-keep-alive
- keep-alive duration for network requests.
Command: -disable-redirects
- disable redirects for http templates
Command: -vv
- display templates loaded for scan
Command: -exclude-tags
- templates to exclude based on tags
Command: -exclude-templates
- template or template directory to exclude (comma-separated)
Command: -include-tags
- tags to be executed even if they are excluded either by default or configuration
Command: -include-templates
- templates to be executed even if they are excluded either by default or configuration
Command: -interactsh-server
- interactsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me)
Command: -list-dsl-function
- list all supported DSL function signatures
Command: -rate-limit-minute
- maximum number of requests to send per minute
Command: -templates-version
- shows the version of the installed nuclei-templates
Command: -uncover-ratelimit
- override ratelimit of engines with unknown ratelimit (default 60 req/min) (default 60)
Command: -disable-clustering
- disable clustering of requests
Command: -headless-bulk-size
- maximum number of headless hosts to be analyzed in parallel per template (default 10)
Command: -input-read-timeout
- timeout on input read (default 3m0s)
Command: -response-size-read
- max response size to read in bytes (default 10485760)
Command: -response-size-save
- max response size to read in bytes (default 1048576)
Command: -template-condition
- templates to run based on expression condition
Command: -templates
- template directory to run
Command: -leave-default-ports
- leave default HTTP/HTTPS ports (eg. host:80,host:443)
Command: -payload-concurrency
- max payload concurrency for each template (default 25)
Command: -stop-at-first-match
- stop processing HTTP requests after the first match (may break template/workflow logic)
Command: -disable-update-check
- disable automatic nuclei/templates update check
Command: -headless-concurrency
- maximum number of headless templates to be executed in parallel (default 10)
Command: -list-headless-action
- list available headless actions
Command: -exclude-matchers
- template matchers to exclude in result
Command: -follow-host-redirects
- follow redirects on the same host
Command: -interactions-eviction
- number of seconds to wait before evicting requests from cache (default 60)
Command: -new-templates-version
- run new templates added in specific version
Command: -exclude-templates
- template or template directory to exclude
Command: -include-templates
- templates to be executed even if they are excluded either by default or configuration
Command: -allow-local-file-access
- allows file (payload) access anywhere on the system
Command: -interactions-cache-size
- number of requests to keep in the interactions cache (default 5000)
Command: -interactions-poll-duration
- number of seconds to wait before each interaction poll request (default 5)
Command: -interactions-cooldown-period
- extra time for interaction polling before exiting (default 5)
Command: -restrict-local-network-access
- blocks connections to the local / private network