Skip to content

Nuclei

Overview

BBOT integrates with Nuclei, an open-source web vulnerability scanner by Project Discovery. This is one of the ways BBOT makes it possible to go from a single target domain/IP all the way to confirmed vulnerabilities, in one scan.

Nuclei Killchain

  • The BBOT Nuclei module ingests [URL] events and emits events of type [VULNERABILITY] or [FINDING]
  • Vulnerabilities will inherit their severity from the Nuclei templates
  • Nuclei templates of severity INFO will be emitted as [FINDINGS]

Default Behavior

  • By default, only "directory URLs" (URLs ending in a slash) will be scanned, but ALL templates will be used (BE CAREFUL!)
  • Because it's so aggressive, Nuclei is considered a deadly module. This means you need to use the flag --allow-deadly to turn it on.

Configuration and Options

The Nuclei module has many configuration options:

Config Option Type Description Default
modules.nuclei.batch_size int Number of targets to send to Nuclei per batch (default 200) 200
modules.nuclei.budget int Used in budget mode to set the number of requests which will be allotted to the nuclei scan 1
modules.nuclei.concurrency int maximum number of templates to be executed in parallel (default 25) 25
modules.nuclei.directory_only bool Filter out 'file' URL event (default True) True
modules.nuclei.etags str tags to exclude from the scan
modules.nuclei.mode str manual technology
modules.nuclei.ratelimit int maximum number of requests to send per second (default 150) 150
modules.nuclei.retries int number of times to retry a failed request (default 0) 0
modules.nuclei.severity str Filter based on severity field available in the template.
modules.nuclei.tags str execute a subset of templates that contain the provided tags
modules.nuclei.templates str template or template directory paths to include in the scan
modules.nuclei.version str nuclei version 3.0.4

Most of these you probably will NOT want to change. In particular, we advise against changing the version of Nuclei, as it's possible the latest version won't work right with BBOT.

We also do not recommend changing directory_only mode. This will cause Nuclei to process every URL. Because BBOT is recursive, this can get very out-of-hand very quickly, depending on which other modules are in use.

Modes

The modes with the Nuclei module are generally in place to help you limit the number of templates you are scanning with, to make your scans quicker.

Manual

This is the default setting, and will use all templates. However, if you're looking to do something particular, you might pair this with some of the pass-through options shown in the next setting.

Severe

severe mode uses only high/critical severity templates. It also excludes the intrusive tag. This is intended to be a shortcut for times when you need to rapidly identify high severity vulnerabilities but can't afford the full scan. Because most templates are INFO, LOW, or MEDIUM, your scan will finish much faster.

Technology

This is equivalent to the Nuclei '-as' scan option. It only use templates that match detected technologies, using wappalyzer-based signatures. This can be a nice way to run a light-weight scan that still has a chance to find some good vulnerabilities.

Budget

Budget mode is unique to BBOT.

For larger scans with thousands of targets, doing a FULL Nuclei scan (1000s of Requests) for each is not realistic. As an alternative to the other modes, you can take advantage of Nuclei's "collapsible" template feature.

For only the cost of one (or more) "extra" request(s) per host, it can activate several hundred modules. These are modules which happen to look at a BaseUrl, and typically look for a specific string or other attribute. Nuclei is smart about reusing the request data when it can, and we can use this to our advantage.

The budget parameter is the # of extra requests per host you are willing to send to "feed" Nuclei templates (defaults to 1). For those times when vulnerability scanning isn't the main focus, but you want to look for easy wins.

Of course, there is a rapidly diminishing return when you set he value to more than a handful. Eventually, this becomes 1 template per 1 budget value increase. However, in the 1-10 range there is a lot of value. This graphic should give you a rough visual idea of this concept.

Nuclei Budget Mode

Nuclei pass-through options

Most of the rest of the options are usually passed straight through to Nuclei when its executed. You can do things like set specific tags to include, (or exclude with etags), exactly how you'd do with Nuclei directly. You can also limit the templates with severity.

The ratelimit and concurrency settings default to the same defaults that Nuclei does. These are relatively sane settings, but if you are in a sensitive environment it can certainly help to turn them down.

templates will allow you to set your own templates directory. This can be very useful if you have your own custom templates that you want to use with BBOT.

Example Commands

# Scan a SINGLE target with a basic port scan and web modules
bbot -f web-basic -m nmap nuclei --allow-deadly -t app.evilcorp.com
# Scanning MULTIPLE targets
bbot -f web-basic -m nmap nuclei --allow-deadly -t app1.evilcorp.com app2.evilcorp.com app3.evilcorp.com
# Scanning MULTIPLE targets while performing subdomain enumeration
bbot -f subdomain-enum web-basic -m nmap nuclei --allow-deadly -t app1.evilcorp.com app2.evilcorp.com app3.evilcorp.com
# Scanning MULTIPLE targets on a BUDGET
bbot -f subdomain-enum web-basic -m nmap nuclei --allow-deadly -c modules.nuclei.mode=budget -t app1.evilcorp.com app2.evilcorp.com app3.evilcorp.com