Installations

Install Go

ProjectDiscovery runs on any OS that supports Go.

This example uses Linux, but this blog post provides instructions for other OSs. You can also refer to Go’s installation guide.
1

Get the latest version

Download and install the latest version of Go.

2

Verify the version

Run go version to confirm installation (v 1.21 at the time of writing)

Update your $PATH

The $PATH variable defines directories with executable programs. You need to add the go/bin directory (where ProjectDiscovery binaries reside) to $PATH manually.

This folder is not automatically added to your $PATH. Refer to the steps below to update it manually.
1

Verify your GOPATH

Run go env | grep GOPATH and copy the output path. Append /bin to it if needed.

2

Open your shell config file

Edit your shell config (e.g., nano ~/.zshrc for zsh or nano ~/.bashrc for bash). Add export PATH="$PATH:/your/go/path/bin" at the end.

3

Reset your terminal

Run source ~/.zshrc or source ~/.bashrc, or restart your terminal.

4

Verify your updated PATH

Run echo $PATH to confirm the Go binary directory is included.

Install Nuclei

A quick overview of Nuclei and its templates before installation.

What is Nuclei?

Nuclei is a community-powered vulnerability scanner that uses templates to identify vulnerabilities in your assets. As an open-source tool, it has the benefit of a huge community of users and contributors who have helped to create a vast library of templates.

Templates, are YAML files used to define what is scanned by Nuclei. The template library includes many options and customizations, and supports any templates you create to meet your requirements.

1

Install Nuclei with Go

Run go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest in your terminal.

2

Confirm installation

Run nuclei -h to see available options and flags.

Sample Nuclei Output

user@Sample ~ % nuclei -h
Nuclei is a fast, template based vulnerability scanner focused
on configurability, extensibility and ease of use.

Usage:
  nuclei [flags]

Flags:
TARGET:
   -u, -target string[]       target URLs/hosts to scan
   -l, -list string           path to file containing a list of target URLs/hosts to scan (one per line)
   -resume string             resume scan using resume.cfg (clustering will be disabled)
   -sa, -scan-all-ips         scan all the IP's associated with DNS record
   -iv, -ip-version string[]  IP version to scan of hostname (4,6) - (default 4)

TEMPLATES:
   -nt, -new-templates                    run only new templates added in latest nuclei-templates release
   -ntv, -new-templates-version string[]  run new templates added in specific version
   -as, -automatic-scan                   automatic web scan using wappalyzer technology detection to tags mapping
   -t, -templates string[]                list of template or template directory to run (comma-separated, file)
   -tu, -template-url string[]            list of template urls to run (comma-separated, file)
   -w, -workflows string[]                list of workflow or workflow directory to run (comma-separated, file)
   -wu, -workflow-url string[]            list of workflow urls to run (comma-separated, file)
   -validate                              validate the passed templates to nuclei
   -nss, -no-strict-syntax                disable strict syntax check on templates
   -td, -template-display                 displays the templates content
   -tl                                    list all available templates

Run a Scan

Let’s run a scan against a test host to showcase Nuclei’s behavior.

We’ll be using the test URL(http://honey.scanme.sh/) to demonstrate the expected scan behavior and walk you through some results.

Scan your host

Run nuclei -u http://honey.scanme.sh/ to scan the target host with all available templates.

The -u option specifies the target you want to scan with all available templates.

View results

Here we have an example (edited for easier readability)

user@Test-MBP ~ %  nuclei -u http://scanme.sh


                    __     _
  ____  __  _______/ /__  (_)
 / __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.9.4


       projectdiscovery.io


[WRN] Found 2298 templates with syntax error (use -validate flag for further examination)
[WRN] Found 16 templates with runtime error (use -validate flag for further examination)
[INF] Current nuclei version: v2.9.4 (outdated)
[INF] Current nuclei-templates version: v9.6.9 (latest)
[INF] New templates added in latest release: 73
[INF] Templates loaded for current scan: 4982
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1230 (Reduced 1179 Requests)
[INF] Using Interactsh Server: oast.fun
[ssl-issuer] [ssl] [info] scanme.sh:443 [pd]
[self-signed-ssl] [ssl] [low] scanme.sh:443
[mismatched-ssl-certificate] [ssl] [low] scanme.sh:443 [CN: scanme]
[http-missing-security-headers:strict-transport-security] [http] [info] http://scanme.sh
[http-missing-security-headers:permissions-policy] [http] [info] http://scanme.sh
----
[weak-cipher-suites:tls-1.1] [ssl] [low] scanme.sh:443 [[tls11 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA]]
[nameserver-fingerprint] [dns] [info] scanme.sh [ns69.domaincontrol.com.,ns70.domaincontrol.com.]

Understanding your results

If you examine the following line of output

[mismatched-ssl-certificate] [ssl] [low] scanme.sh:443 [CN: scanme]

The fields are as follows:

  • [mismatched-ssl-certificate] is the template-id for the finding
  • [ssl] is the protocol associated with the finding
  • [low] is the severity associated with the finding
  • Scanme.sh:443 is the output (in this case the host that the finding applies to)
  • [CN: scanme] - This output also includes an extracted value, which is not typically in all templates but does show an example of some of the other types of output you might see.

So, each line of output follows this structure: [template-id] [protocol] [severity] output (impacted host, etc)

Other examples:

[wp-ambience-xss] [http] [medium] http://honey.scanme.sh/wp-content/themes/ambience/thumb.php?src=%3Cbody%20onload%3Dalert(1)%3E.jpg
[tikiwiki-reflected-xss] [http] [high] http://honey.scanme.sh/tiki-5.2/tiki-edit_wiki_section.php?type=%22%3E%3Cscript%3Ealert(31337)%3C/script%3E
Take a look at the “Next Steps” section for suggestions on what to explore next.