Details

Category: Scanners

Publisher: trickest

Created Date: 6/23/2021

Container: quay.io/trickest/nuclei:v3.3.5

Source URL: https://github.com/projectdiscovery/nuclei

Parameters

sni
string
Command: -sni - tls sni hostname to use (default: input domain name)
var
string
Command: -var - custom vars in key=value format
code
boolean
Command: -code - enable loading code protocol-based templates
dast
boolean
Command: -dast - only run DAST templates
list
file
required
Command: -list - List of target URLs/hosts to scan
tags
string
Command: -tags - templates to run based on tags (comma-separated)
type
string
Command: -type - templates to run based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript
ztls
boolean
Command: -ztls - use ztls library with autofallback to standard one for tls13
debug
boolean
Command: -debug - show all requests and responses
jsonl
boolean
Command: -jsonl - write output in JSONL(ines) format
proxy
string
Command: -proxy - list of http/socks5 proxy to use (comma separated)
reset
boolean
Command: -reset - reset removes all nuclei configuration and data files (including nuclei-templates)
stats
boolean
Command: -stats - Display stats of the running scan.
author
string
Command: -author - templates to run based on authors (comma-separated)
config
file
Command: -config - path to the nuclei configuration file
header
string
Command: -header - custom header/cookie to include in all http requests in header:value format
no-mhe
boolean
Command: -no-mhe - disable skipping host from scan based on errors
redact
string
Command: -redact - redact given list of keys from query parameter, request header and body
resume
file
Command: -resume - Resume scan using resume.cfg (clustering will be disabled)
silent
string
Command: -silent - display findings only
stream
boolean
Command: -stream - stream mode - start elaborating without sorting the input
target
string
required
Command: -target - target URLs/hosts to scan
no-meta
boolean
Command: -no-meta - disable printing result metadata in cli output
passive
boolean
Command: -passive - enable passive HTTP response processing mode
profile
string
Command: -profile - template profile config file to run
project
boolean
Command: -project - Use a project folder to avoid sending same request multiple times.
retries
string
Command: -retries - number of times to retry a failed request (default 1)
timeout
string
Command: -timeout - time to wait in seconds before timeout (default 10)
uncover
boolean
Command: -uncover - enable uncover engine
verbose
boolean
Command: -verbose - show verbose output
env-vars
boolean
Command: -env-vars - enable environment variables to be used in template
headless
string
Command: -headless - enable templates that require headless browser support (root user on linux will disable sandbox)
no-color
boolean
Command: -no-color - disable output content coloring (ANSI escape codes)
no-httpx
boolean
Command: -no-httpx - disable httpx probing for non-url input
no-stdin
boolean
Command: -no-stdin - disable stdin processing
omit-raw
boolean
Command: -omit-raw - omit request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only)
severity
string
Command: -severity - templates to run based on severity. Possible values: info, low, medium, high, critical, unknown
template
file
required
Command: -templates - template file to run
validate
boolean
Command: -validate - validate the passed templates to nuclei
bulk-size
string
Command: -bulk-size - maximum number of hosts to be analyzed in parallel per template (default 25)
client-ca
file
Command: -client-ca - client certificate authority file (PEM-encoded) used for authenticating against scanned hosts
debug-req
boolean
Command: -debug-req - show all sent requests
interface
string
Command: -interface - network interface to use for network scan
list-tags
boolean
Command: -tgl - list all available tags
resolvers
file
Command: -resolvers - file containing resolver list for nuclei
source-ip
string
Command: -source-ip - source ip address to use for network scan
tags-list
file
Command: -tags - templates to run based on tags
templates
folder
required
Command: -templates - folder of templates to run
timestamp
boolean
Command: -timestamp - enables printing timestamp in cli output
vars-list
file
Command: -var - custom vars in key=value format
workflows
string
Command: -workflows - list of workflow or workflow directory to run (comma-separated)
client-key
file
Command: -client-key - client key file (PEM-encoded) used for authenticating against scanned hosts
debug-resp
boolean
Command: -debug-resp - show all received responses
exclude-id
string
Command: -exclude-id - templates to exclude based on template ids (comma-separated)
ip-version
string
Command: -ip-version - IP version to scan of hostname (4,6) - (default 4)
proxy-list
file
Command: -proxy - list of http/socks5 proxy to use
rate-limit
string
Command: -rate-limit - maximum number of requests to send per second (default 150)
stats-json
boolean
Command: -stats-json - Write statistics data to stdout in JSONL(ines) format
attack-type
string
Command: -attack-type - type of payload combinations to perform (batteringram,pitchfork,clusterbomb)
author-list
file
Command: -author - templates to run based on authors
client-cert
file
Command: -client-cert - client certificate file (PEM-encoded) used for authenticating against scanned hosts
concurrency
string
Command: -concurrency - maximum number of templates to be executed in parallel (default 25)
force-http2
boolean
Command: -force-http2 - force http2 connection on requests
secret-file
file
Command: -secret-file - path to config file containing secrets for nuclei authenticated scan
template-id
string
Command: -template-id - templates to run based on template ids (comma-separated)
enable-pprof
boolean
Command: -enable-pprof - enable pprof debugging server
exclude-tags
string
Command: -exclude-tags - templates to exclude based on tags (comma-separated)
exclude-type
string
Command: -exclude-type - templates to exclude based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript
fuzzing-mode
string
Command: -fuzzing-mode - overrides fuzzing mode set in template (multiple, single)
fuzzing-type
string
Command: -fuzzing-type - overrides fuzzing type set in template (replace, prefix, postfix, infix)
hang-monitor
boolean
Command: -hang-monitor - enable nuclei hang monitoring
headers-list
file
Command: -header - custom list of headers/cookies to include in all http requests in header:value
health-check
boolean
Command: -health-check - run diagnostic check up
include-tags
string
Command: -include-tags - tags to be executed even if they are excluded either by default or configuration
metrics-port
string
Command: -metrics-port - port to expose nuclei metrics on (default 9092)
page-timeout
string
Command: -page-timeout - seconds to wait for each page in headless mode (default 20)
profile-list
boolean
Command: -profile-list - list community template profiles
project-path
folder
Command: -project-path - Use a user defined project folder. Temporary folder is used if not specified but enabled.
scan-all-ips
boolean
Command: -scan-all-ips - scan all the IP's associated with dns record
template-url
string
Command: -template-url - template urls to run (comma-separated)
workflow-url
string
Command: -workflow-url - workflow urls to run (comma-separated)
exclude-hosts
file
Command: -exclude-hosts - hosts to exclude to scan from the input list (ip, cidr, hostname)
max-redirects
string
Command: -max-redirects - max number of redirects to follow for http templates (default 10)
new-templates
boolean
Command: -new-templates - run only new templates added in latest nuclei-templates release
no-interactsh
boolean
Command: -no-interactsh - disable interactsh server for OAST testing, exclude OAST based templates
omit-template
boolean
Command: -omit-template - omit encoded template in the JSON, JSONL output
report-config
file
Command: -report-config - nuclei reporting module configuration file
scan-strategy
string
Command: -scan-strategy - strategy to use while scanning(auto/host-spray/template-spray) (default auto)
show-var-dump
boolean
Command: -show-var-dump - show variables dump for debugging
system-chrome
boolean
Command: -system-chrome - use local installed Chrome browser instead of nuclei installed
target-folder
folder
Command: -target - folder containing files to execute file templates on
template-urls
file
Command: -template-url - list of template urls to run
uncover-delay
string
Command: -uncover-delay - delay between uncover query requests in seconds (0 to disable) (default 1)
uncover-field
string
Command: -uncover-field - uncover fields to return (ip,port,host) (default ip:port)
uncover-limit
string
Command: -uncover-limit - uncover results to return (default 100)
uncover-query
string
Command: -uncover-query - uncover search query
workflow-urls
file
Command: -workflow-url - list of workflow urls to run
automatic-scan
boolean
Command: -automatic-scan - automatic web scan using wappalyzer technology detection to tags mapping
js-concurrency
string
Command: -js-concurrency - maximum number of javascript runtimes to be executed in parallel (default 120)
list-templates
boolean
Command: -tl - list all available templates
matcher-status
boolean
Command: -matcher-status - display match failure status
max-host-error
string
Command: -max-host-error - max errors for a host before skipping from scan (default 30)
proxy-internal
boolean
Command: -proxy-internal - proxy all internal requests
stats-interval
string
Command: -stats-interval - number of seconds to wait between showing a statistics update (default 5)
templates-list
file
Command: -templates - list of template to run
uncover-engine
string
Command: -uncover-engine - uncover search engine (shodan,shodan-idb,fofa,censys,quake,hunter,zoomeye,netlas) (default shodan)
workflows-list
file
Command: -workflows - list of workflow or workflow directory to run
exclude-id-list
file
Command: -exclude-id - templates to exclude based on template ids
show-match-line
boolean
Command: -show-match-line - show match lines for file templates, works with extractors only
tls-impersonate
boolean
Command: -tls-impersonate - enable experimental client hello (ja3) tls randomization
exclude-matchers
string
Command: -exclude-matchers - template matchers to exclude in result
exclude-severity
string
Command: -exclude-severity - templates to exclude based on severity. Possible values: info, low, medium, high, critical, unknown
follow-redirects
boolean
Command: -follow-redirects - enable following redirects for http templates
headless-options
string
Command: -headless-options - start headless chrome with additional options
interactsh-token
string
Command: -interactsh-token - authentication token for self-hosted interactsh server
no-strict-syntax
boolean
Command: -no-strict-syntax - Disable strict syntax check on templates
prefetch-secrets
boolean
Command: -prefetch-secrets - prefetch secrets from the secrets file
system-resolvers
boolean
Command: -system-resolvers - use system DNS resolving as error fallback
template-id-list
file
Command: -template-id - templates to run based on template ids
track-error-file
file
Command: -track-error - adds given error to max-host-error watchlist
dialer-keep-alive
string
Command: -dialer-keep-alive - keep-alive duration for network requests.
disable-redirects
boolean
Command: -disable-redirects - disable redirects for http templates
display-templates
boolean
Command: -vv - display templates loaded for scan
exclude-tags-list
file
Command: -exclude-tags - templates to exclude based on tags
exclude-templates
string
Command: -exclude-templates - template or template directory to exclude (comma-separated)
include-tags-list
file
Command: -include-tags - tags to be executed even if they are excluded either by default or configuration
include-templates
string
Command: -include-templates - templates to be executed even if they are excluded either by default or configuration
interactsh-server
string
Command: -interactsh-server - interactsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me)
list-dsl-function
boolean
Command: -list-dsl-function - list all supported DSL function signatures
rate-limit-minute
string
Command: -rate-limit-minute - maximum number of requests to send per minute
templates-version
boolean
Command: -templates-version - shows the version of the installed nuclei-templates
uncover-ratelimit
string
Command: -uncover-ratelimit - override ratelimit of engines with unknown ratelimit (default 60 req/min) (default 60)
disable-clustering
boolean
Command: -disable-clustering - disable clustering of requests
headless-bulk-size
string
Command: -headless-bulk-size - maximum number of headless hosts to be analyzed in parallel per template (default 10)
input-read-timeout
string
Command: -input-read-timeout - timeout on input read (default 3m0s)
response-size-read
string
Command: -response-size-read - max response size to read in bytes (default 10485760)
response-size-save
string
Command: -response-size-save - max response size to read in bytes (default 1048576)
template-condition
string
Command: -template-condition - templates to run based on expression condition
template-directory
string
Command: -templates - template directory to run
leave-default-ports
boolean
Command: -leave-default-ports - leave default HTTP/HTTPS ports (eg. host:80,host:443)
payload-concurrency
string
Command: -payload-concurrency - max payload concurrency for each template (default 25)
stop-at-first-match
boolean
Command: -stop-at-first-match - stop processing HTTP requests after the first match (may break template/workflow logic)
disable-update-check
boolean
Command: -disable-update-check - disable automatic nuclei/templates update check
headless-concurrency
string
Command: -headless-concurrency - maximum number of headless templates to be executed in parallel (default 10)
list-headless-action
boolean
Command: -list-headless-action - list available headless actions
exclude-matchers-list
file
Command: -exclude-matchers - template matchers to exclude in result
follow-host-redirects
boolean
Command: -follow-host-redirects - follow redirects on the same host
interactions-eviction
string
Command: -interactions-eviction - number of seconds to wait before evicting requests from cache (default 60)
new-templates-version
string
Command: -new-templates-version - run new templates added in specific version
exclude-templates-list
file
Command: -exclude-templates - template or template directory to exclude
include-templates-list
file
Command: -include-templates - templates to be executed even if they are excluded either by default or configuration
allow-local-file-access
boolean
Command: -allow-local-file-access - allows file (payload) access anywhere on the system
interactions-cache-size
string
Command: -interactions-cache-size - number of requests to keep in the interactions cache (default 5000)
interactions-poll-duration
string
Command: -interactions-poll-duration - number of seconds to wait before each interaction poll request (default 5)
interactions-cooldown-period
string
Command: -interactions-cooldown-period - extra time for interaction polling before exiting (default 5)
restrict-local-network-access
boolean
Command: -restrict-local-network-access - blocks connections to the local / private network