nuclei

Best vulnerability scanner for web-app pentesting

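# Distro package (Kali/Debian); it can lag the upstream release, hence the
# from-source install further down.
sudo apt install nuclei

# NOTE(review): the scans below are HTTP requests sent by nuclei and should not
# need root; running them under sudo gives the scanner more privilege than it
# needs and, because templates are fetched into the invoking user's home by
# default, parks the template cache under /root. sudo is kept here only for
# the apt-installed binary, where the engine self-update (-un) presumably
# rewrites a package-managed file -- prefer apt for that, and run the scans
# themselves as an unprivileged user.
sudo nuclei -un   # update the engine
sudo nuclei -ut   # update templates (-up in the latest version)

sudo nuclei -tags cve -l targets.txt                         # CVE templates only
sudo nuclei -tags lfi,ssrf,rce -t cves/ -l targets.txt       # several tags, restricted to the cves/ directory
sudo nuclei -l targets.txt -s medium,high,critical,unknown   # filter by severity (excludes info)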

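#Fuzzing Templates (now merged as 'dast' into nuclei templates)
# MUST ADD -dast FLAG TO RUN PROPERLY: without it the fuzzing templates are
# not executed. urls.txt presumably holds full URLs including the parameters
# to fuzz rather than bare hosts -- confirm against the template inputs.
nuclei -t sqli -l urls.txt -dast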

#Installing from source for better performance

#As of July 2023, make sure you have Go 1.20 installed

#grab the latest release from https://go.dev/dl/ ; all commands below are run as root

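# Check the download against the SHA256 published next to it on
# https://go.dev/dl/ before unpacking:  sha256sum go*.tar.gz
# The Go install docs also say to remove any previous /usr/local/go first so
# that two releases do not get merged into one tree.
# GO_TARBALL is the downloaded archive, e.g. go1.20.6.linux-amd64.tar.gz
# (constructed example); the :? aborts instead of extracting an empty name.
tar -C /usr/local -xzf "${GO_TARBALL:?set GO_TARBALL to the downloaded go*.tar.gz}"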

# open the login shell's rc file (~/.zshrc here; ~/.bashrc or ~/.profile if
# your shell is bash) and add the three Go lines below
nano ~/.zshrc

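#go variables in zshrc (plain POSIX `export`, so the same lines work in ~/.bashrc)
# GOPATH under /root matches the "run as root" assumption above; for an
# unprivileged user point it at $HOME/go instead. `go install` drops binaries
# into $GOPATH/bin, which is why that directory is appended to PATH. The
# expansions are quoted and PATH is exported explicitly so the line is safe
# to copy into any rc file.
export GOPATH=/root/go-workspace
export GOROOT=/usr/local/go
export PATH="$PATH:$GOROOT/bin:$GOPATH/bin"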

#reload the rc file so the exports above apply to the current shell
source ~/.zshrc

# should print something like "go version go1.20.x linux/amd64";
# "command not found" means the PATH line did not take effect
go version

---------
#Install nuclei
# The binary lands in $GOPATH/bin (or $GOBIN when set), which the PATH line in
# the rc file covers. The module path carries the major version (/v2/ here);
# newer major releases use a different path, so check the project's README if
# this stops resolving. The resulting binary does not need root for the HTTP
# scans shown above -- run it as an unprivileged user.

go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest

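#More convoluted way to accomplish the same: build from a source checkout
# (presumably run from the parent of a `git clone` of nuclei -- confirm the path)
cd nuclei/v2/cmd/nuclei || exit 1
# Build as your own user. The original `sudo su` at this point opens an
# interactive root shell, so the lines after it would only run once that shell
# exits; root is only needed for the copy into /usr/local/bin.
go build
# install(1) sets the mode explicitly; -- stops option parsing on the file name
sudo install -m 0755 -- nuclei /usr/local/bin/nuclei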

# sanity check that the freshly built binary is the one found on PATH
# NOTE(review): in recent releases -v is the verbose switch and -version prints
# the version -- confirm with `nuclei -h`
nuclei -v

#Bash tricks

#Bash-Fu to recursively grep the nuclei templates for the {{BaseURL}} endpoints of a given product,
#useful when fuzzing a target with ffuf or feroxbuster

#Example grepping Jenkins endpoints (run from /nuclei-templates/http)

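#######################################
# Collect the {{BaseURL}}-relative request paths from every nuclei template
# whose tags line mentions a product (default: jenkins). Run from
# nuclei-templates/http; the original one-liner is equivalent to
#   extract_template_paths jenkins > nuclei-jenkins.txt
# Arguments: $1 - tag to look for (default jenkins)
#            $2 - directory to search (default .)
# Outputs:   one path per line on stdout, surrounding quotes stripped
# Returns:   0 (no matching template is not an error)
#######################################
extract_template_paths() {
  local tag=${1:-jenkins}
  local dir=${2:-.}
  local tmpl
  # grep -l lists each template once, so a template with several matching
  # lines no longer has its paths emitted twice; -Z/-d '' keeps file names
  # with whitespace intact (the original `for i in $(...)` split on them);
  # --include replaces the old "grep yaml" filter on the file name. The tag
  # is an operator-supplied word interpolated into the pattern, so keep it
  # to a plain product name.
  while IFS= read -r -d '' tmpl; do
    # keep the text after {{BaseURL}} and drop double and single quotes
    grep -F -- 'BaseURL}}/' "$tmpl" \
      | awk -F '{{BaseURL}}' '{ print $2 }' \
      | tr -d "\"'"
  done < <(grep -rlZ --include='*.yaml' -- "tags.*${tag}" "$dir")
}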
