Automated Scanning with Nuclei
nuclei does most of the heavy
lifting in the hunting phase. It runs a big community library of YAML
templates — each one a precise check for a specific CVE, misconfiguration,
default credential, or information exposure — against your targets. It’s fast,
the false-positive rate is low (each template encodes a real matcher), and the
template set gets updated constantly.
Setup
nuclei -update # update the binary
nuclei -update-templates # pull the latest template library
Run against your live URLs
Feed nuclei the live URL list from HTTP probing. Use a project file so re-runs don’t repeat work:
nuclei -l recon/live-urls.txt \
-project -project-path .nuclei \
-severity low,medium,high,critical \
-o recon/nuclei-all.txt \
-json-export recon/nuclei-all.json \
-stats
Scan by template category
Arsenic splits nuclei into focused passes — technologies first (to fingerprint what’s there), then CVEs (to find what’s exploitable). Running targeted template groups is faster and easier to triage than one giant run:
# Fingerprint technologies / detections
nuclei -l recon/live-urls.txt -project -project-path .nuclei \
-tags tech -o recon/nuclei-technologies.txt
# Known CVEs
nuclei -l recon/live-urls.txt -project -project-path .nuclei \
-tags cve -severity high,critical -o recon/nuclei-cves.txt
# Exposures: panels, config files, backups, secrets
nuclei -l recon/live-urls.txt -project -project-path .nuclei \
-t http/exposures/ -t http/exposed-panels/ -o recon/nuclei-exposures.txt
# Default credentials
nuclei -l recon/live-urls.txt -project -project-path .nuclei \
-t http/default-logins/ -o recon/nuclei-default-logins.txt
Split results back to per-host
To keep findings with their host (Arsenic stores nuclei-cves.txt under each
host’s recon/), partition the output by hostname:
# One file per host directory. grep -F matches the hostname as a plain substring,
# so example.com also collects lines for dev.example.com; review those by hand.
while read -r host; do
    mkdir -p "hosts/$host/recon"
    grep -F "$host" recon/nuclei-cves.txt > "hosts/$host/recon/nuclei-cves.txt"
    # drop empty files so hosts without CVE hits stay clean
    [ -s "hosts/$host/recon/nuclei-cves.txt" ] || rm -f "hosts/$host/recon/nuclei-cves.txt"
done < <(ls hosts/)
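A stricter split, added here as an example and not Arsenic's own code: instead of a substring grep, it parses the hostname out of the matched URL on each nuclei output line, so example.com never collects hits that belong to dev.example.com. It assumes nuclei's default line format ([template-id] [protocol] [severity] URL) and uses constructed sample lines in place of recon/nuclei-cves.txt; host directories are created under the output directory as Arsenic lays them out.

```shell
#!/bin/sh
# Partition nuclei text output into hosts/<host>/recon/nuclei-cves.txt by the
# exact hostname of the matched URL. Constructed sample input (not real results):
SAMPLE='[sample-template-1] [http] [critical] https://example.com/cgi-bin/
[sample-template-2] [http] [high] http://dev.example.com:8080/struts
[sample-template-3] [http] [critical] https://api.example.com/login'

# url_host URL -> hostname with scheme, userinfo, port and path removed
url_host() {
    printf '%s\n' "$1" | sed -E 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##; s#^[^@/]*@##; s#[:/].*$##'
}

# split_by_host INPUT OUTDIR: one nuclei-cves.txt per host under OUTDIR
split_by_host() {
    in="$1"; out="$2"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # the URL is the first whitespace-separated token containing "://"
        url=$(printf '%s\n' "$line" | awk '{for(i=1;i<=NF;i++) if($i ~ /:\/\//){print $i; exit}}')
        [ -n "$url" ] || continue
        host=$(url_host "$url")
        # refuse empty or path-like names so a hostile line cannot escape OUTDIR
        case "$host" in ""|*/*|.*) continue ;; esac
        mkdir -p "$out/$host/recon"
        printf '%s\n' "$line" >> "$out/$host/recon/nuclei-cves.txt"
    done < "$in"
}

# count_hits OUTDIR HOST -> number of lines routed to that host (0 if none)
count_hits() {
    f="$1/$2/recon/nuclei-cves.txt"
    [ -f "$f" ] && wc -l < "$f" | tr -d ' ' || echo 0
}
```

Run it as `split_by_host recon/nuclei-cves.txt hosts` to reproduce Arsenic's layout from a real output file.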
Be a good guest
- -rl 150 — cap requests/second (rate limit) for fragile targets.
- -c 25 — control concurrency.
- -exclude-tags intrusive,dos,fuzz — skip templates that can damage or destabilize a target unless you’re explicitly cleared for them.
- -proxy http://127.0.0.1:8080 — route through Burp to log and review every request.
Triage every hit
Nuclei is high-signal but it isn’t infallible. For each result:
- Read the matched template (nuclei -tl -t <template> shows it).
- Reproduce the finding manually — curl, browser, or Burp.
- Only then promote it to a finding.
The template severity is a starting point; the real severity depends on the asset and the business context. A “medium” exposure on an admin panel can be your highest-impact finding.
Next: map service versions to public exploits with searchsploit.