Vulnerability Scanning
Lesson on Nuclei for OSINT & Vulnerability Scanning
Nuclei is a powerful tool for vulnerability scanning, reconnaissance, and OSINT.
It is widely used by security professionals to scan websites, APIs, and network
assets for misconfigurations, leaks, and vulnerabilities.
📌 1. What is Nuclei?
Nuclei is an open-source fast vulnerability scanner that uses YAML-based
templates to detect misconfigurations, CVEs, and security issues.
It is developed by ProjectDiscovery and is widely used in OSINT, penetration
testing, and bug bounty hunting.
🛠️ Features:
✅ Fast & Lightweight – Uses parallel scanning.
✅ Customizable Templates – You can write your own vulnerability checks.
✅ Scans Web, Network, APIs, and Cloud – Supports various protocols (HTTP,
DNS, SSL, etc.).
✅ Great for OSINT – Can find exposed sensitive information.
📌 2. Installing Nuclei on Kali Linux
Kali Linux ships nuclei in its package repositories. Install it with:
sudo apt install nuclei
Or install manually from the ProjectDiscovery release page (the command below picks the linux_amd64 archive; choose the archive that matches your architecture):
curl -s [Link] | grep "browser_download_url.*linux_amd64.zip" | cut -d '"' -f 4 | wget -qi -
unzip [Link]
chmod +x nuclei
sudo mv nuclei /usr/local/bin/
Compare the downloaded archive against the checksums file published with the release before unpacking it.
Verify installation:
nuclei -version
📌 3. Updating Nuclei & Templates
To keep both the engine and the template set current:
nuclei -update
nuclei -ut
-update upgrades the nuclei binary itself; -ut (short for -update-templates) pulls the latest nuclei-templates release. Templates change far more often than the engine, so refresh them before every engagement.
📌 4. Basic Nuclei Scanning
🔹 Scan a Website for Vulnerabilities
nuclei -u [Link]
🚀 What it does: runs the installed templates against [Link] (templates the template repository marks as excluded by default, such as fuzzing and denial-of-service checks, are skipped). A full run is slow and noisy; narrow it with -t, -tags or -severity.
🔹 Scan a List of Domains
nuclei -l [Link]
📜 Example [Link] file (one target per line, including the scheme):
[Link]
[Link]
[Link]
🔹 Check for Exposed Sensitive Information (OSINT Use Case)
nuclei -u [Link] -t exposures/
🔍 Finds:
Open directories
Public logs
Misconfigured cloud storage (S3, Azure, Google Cloud)
Note: -t paths are resolved relative to the templates directory, and the directory layout has changed between template releases (recent releases nest HTTP templates under http/, e.g. http/exposures/). Run nuclei -tl to list the installed templates and confirm a path before relying on it, or select by tag with -tags exposure instead.
📌 5. Advanced Scanning
🔹 Scan for Specific Vulnerabilities
Example: Scan for the Log4j (Log4Shell) vulnerability
nuclei -u [Link] -t cves/2021/[Link]
📌 Use Case: Checks whether the target is vulnerable to the Log4j JNDI remote code execution flaw. Detection here is out-of-band: the template injects a payload and waits for the target to call back to an interactsh server, so the scanner needs outbound connectivity to that server (nuclei uses a public one by default) and the target must be able to make outbound DNS/HTTP requests. Run it only against systems you are authorized to test.
🔹 Scan for Web Technologies
nuclei -u [Link] -t technologies/
🔍 Finds:
CMS (WordPress, Joomla, Drupal)
Web frameworks (Django, Laravel, [Link])
Web servers (Apache, Nginx, IIS)
🔹 Scan for Network Services & TLS Issues
nuclei -u [Link] -t network/
🔍 Finds:
Exposed services on well-known ports (databases, caches, admin interfaces)
Misconfigured services
Nuclei is not a port scanner: each network template connects to the specific port(s) it declares, so feed it host:port targets (for example from naabu or nmap output) rather than expecting it to enumerate open ports. TLS checks (weak cipher suites, deprecated protocol versions, expired certificates) live under the ssl/ templates, not network/.
📌 6. Writing Custom Nuclei Templates
You can create your own vulnerability or reconnaissance checks using YAML
templates.
Example: Custom Template for Finding Admin Panels
Create a file [Link] :
id: admin-panel-detect

info:
  name: Admin Panel Finder
  author: YourName
  severity: info
  tags: panel,admin

# "http" is the request block name in current nuclei releases (older
# templates spell it "requests").
http:
  - method: GET
    path:
      - "{{BaseURL}}/admin/"
      - "{{BaseURL}}/login/"

    # Matchers belong inside the request block. Requiring both a 200 and a
    # login-looking body avoids false positives from apps that answer 200
    # to every path.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        case-insensitive: true
        words:
          - "login"
          - "password"
          - "admin"

Run your custom template:
nuclei -u [Link] -t [Link]
Nuclei can check a template's syntax before a run with its -validate option.
📌 7. Real-World OSINT Use Cases for Nuclei
1️⃣ Find Exposed API Keys & Credentials
nuclei -u [Link] -t exposures/credentials/
🔍 Finds:
API keys and tokens exposed in pages, JavaScript or config files
Publicly accessible .env files
Exposed database credentials
2️⃣ Find Leaked Sensitive Files
nuclei -u [Link] -t exposures/files/
🔍 Finds:
Open directories ( /backup/ , /logs/ )
Public .git repositories
Leaked configuration files
3️⃣ Find Publicly Open S3 Buckets
nuclei -u [Link] -t cloud/aws/[Link]
🔍 Finds:
Misconfigured Amazon S3 buckets
Publicly accessible cloud storage
Check the chosen template's protocol before running it: in current template releases many of the checks under cloud/ are code-protocol templates that call the AWS CLI against an account you hold credentials for (enabled with the -code flag), whereas checks that work from a plain URL are HTTP templates.
📌 8. Practical Exercise for Students
🔹 Task 1: Run a basic scan on [Link]
🔹 Task 2: Find publicly accessible files ( exposures/ )
🔹 Task 3: Scan a list of websites and report findings
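The script below is an added example for Task 3 (and for the list scan in section 4); it is not part of the lesson or of the nuclei project. It wraps a list scan in nuclei v3 flags, writes JSON Lines output, and summarises the findings by severity without needing jq. The scan step assumes nuclei is on PATH and only runs when NUCLEI_TARGETS points at a target file; the reporting functions are exercised on a constructed sample in nuclei's JSONL shape (template-id, info.severity, matched-at), not on real scan results.

```shell
#!/bin/sh
# Added example: scan a target list with nuclei and triage the JSONL output.
# Assumptions: nuclei v3 flags (-jsonl, -tags, -severity, -rate-limit) and
# the JSONL field names template-id, info.severity and matched-at.

# Run nuclei against a list of targets and write one JSON object per finding.
# $1 = file with one URL per line, $2 = output .jsonl file
run_scan() {
    nuclei -l "$1" \
        -tags exposure,misconfig,cve \
        -severity low,medium,high,critical \
        -rate-limit 50 -timeout 10 \
        -jsonl -o "$2" -silent
}

# Map a nuclei severity to a number so thresholds can be compared.
sev_rank() {
    case "$1" in
        info) printf '0\n' ;;
        low) printf '1\n' ;;
        medium) printf '2\n' ;;
        high) printf '3\n' ;;
        critical) printf '4\n' ;;
        *) printf '%s\n' -1 ;;
    esac
}

# Pull one string field out of a single-line JSON record with sed
# (enough for nuclei's flat keys; no jq needed). $1 = key, $2 = JSON line
json_field() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Count findings per severity, printed as "severity count", sorted by name.
# $1 = JSONL file
summarize_by_severity() {
    sed -n 's/.*"severity":"\([a-z]*\)".*/\1/p' "$1" \
        | sort | uniq -c | awk '{ print $2 " " $1 }' | sort
}

# Print "severity template-id matched-at" for findings at or above $1.
# $1 = minimum severity, $2 = JSONL file
findings_at_least() {
    min_rank=$(sev_rank "$1")
    while IFS= read -r line; do
        sev=$(json_field severity "$line")
        [ "$(sev_rank "$sev")" -ge "$min_rank" ] || continue
        printf '%s %s %s\n' "$sev" \
            "$(json_field template-id "$line")" \
            "$(json_field matched-at "$line")"
    done < "$2"
}

# Constructed sample in nuclei's JSONL shape (not real scan results),
# trimmed to the fields the functions above read. $1 = path to write
write_sample() {
    cat > "$1" <<'EOF'
{"template-id":"git-config","info":{"name":"Git Config Disclosure","severity":"medium"},"type":"http","host":"https://app.example.test","matched-at":"https://app.example.test/.git/config"}
{"template-id":"tech-detect","info":{"name":"Technology Detection","severity":"info"},"type":"http","host":"https://app.example.test","matched-at":"https://app.example.test"}
{"template-id":"env-file","info":{"name":"Exposed .env File","severity":"high"},"type":"http","host":"https://shop.example.test","matched-at":"https://shop.example.test/.env"}
{"template-id":"tech-detect","info":{"name":"Technology Detection","severity":"info"},"type":"http","host":"https://shop.example.test","matched-at":"https://shop.example.test"}
EOF
}

# Stand-alone run: scan only when a target list is supplied and nuclei is
# installed; otherwise report on the constructed sample.
if [ -n "${NUCLEI_TARGETS:-}" ] && command -v nuclei >/dev/null 2>&1; then
    run_scan "$NUCLEI_TARGETS" findings.jsonl
    report=findings.jsonl
else
    report=$(mktemp)
    write_sample "$report"
fi
echo "Findings by severity:"
summarize_by_severity "$report"
echo "Medium and above:"
findings_at_least medium "$report"
```

The tag and severity filters keep the run focused on the classes of finding this lesson cares about, and the rate limit keeps the scan polite; raise or drop them once you know the target can take it. Because nuclei writes one JSON object per line, the sed extraction works on raw output without a JSON parser, but it is deliberately limited to the flat string fields shown here.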
🔹 Summary
Feature                             Nuclei Command
----------------------------------  ----------------------------------------------
Scan a single website               nuclei -u [Link]
Scan a list of websites             nuclei -l [Link]
Check for exposed sensitive files   nuclei -u [Link] -t exposures/
Scan for a specific CVE             nuclei -u [Link] -t cves/2021/CVE-2021-[Link]
Update templates                    nuclei -ut
📌 9. Additional Resources
📘 Nuclei Documentation
🔍 Nuclei Templates
💻 ProjectDiscovery GitHub