From 9698154298fb8d60f93a4fdba5373d08fe1a7203 Mon Sep 17 00:00:00 2001
From: Omar Santos <santosomar@gmail.com>
Date: Tue, 10 Dec 2024 15:50:24 -0500
Subject: [PATCH] Update intro_to_nuclei.md

---
 recon/intro_to_nuclei.md | 193 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 191 insertions(+), 2 deletions(-)

diff --git a/recon/intro_to_nuclei.md b/recon/intro_to_nuclei.md
index f3e90c6..8741d23 100644
--- a/recon/intro_to_nuclei.md
+++ b/recon/intro_to_nuclei.md
@@ -94,7 +94,7 @@ requests:
           - "vulnerable string"
 ```
 
-Key components of a template:
+The following are the typical components of a template:
 
 1. `id`: Unique identifier for the template
 2. `info`: Metadata about the template
@@ -103,7 +103,7 @@ Key components of a template:
 
 ### Example: CVE Detection Template
 
-Here's an example template for detecting CVE-2021-44228 (Log4j vulnerability):
+Example template for detecting CVE-2021-44228 (Log4j vulnerability):
 
 ```yaml
 id: CVE-2021-44228
@@ -149,3 +149,192 @@ This template sends requests with JNDI lookup strings in various HTTP headers an
 5. Test templates thoroughly before submission
 6. Follow the [community template contributions](https://github.com/projectdiscovery/nuclei-templates/tree/main/dns)
 
+
+## Additional Examples of Basic Usage
+
+The simplest command to run Nuclei against a single target is:
+
+```bash
+nuclei -target http://10.6.6.6
+```
+
+This uses the default directory of templates (`~/.nuclei-templates/`). To specify a particular template or directory, use `-t`:
+
+```bash
+nuclei -target http://10.6.6.6 -t nuclei-templates/cves/
+```
+
+Nuclei can also take a list of targets (e.g., multiple IPs, domains) from a file:
+
+```bash
+nuclei -l targets.txt -t nuclei-templates/misconfiguration/
+```
+
+---
+
+## Preparing for the Example Scan
+
+### Our Scenario
+
+- **Target:** `10.6.6.6`
+- **Possible Services:** Let’s assume this IP hosts a web service on port 80/443.  
+- **Goals:**
+  1. Enumerate potential vulnerabilities using a broad template set.
+  2. Check for known CVEs in popular web frameworks.
+  3. Identify misconfigurations or sensitive endpoints.
+
+### Adjusting the Command
+
+For internal scans (like scanning `http://10.6.6.6`), you might want to:
+- Specify the template directory.
+- Focus on particular template categories.
+- Adjust rate limits to avoid overwhelming the target.
+
+#### Example Commands:
+
+1. **Run all default templates against the target:**
+   ```bash
+   nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/
+   ```
+   
+   This can be quite noisy; it tries all templates. It’s often better to narrow down the scope.
+
+2. **Targeting Specific Categories:**
+   For instance, just run CVE-related templates:
+   ```bash
+   nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/cves/
+   ```
+   
+   This will check common CVE patterns. If the web service is a known framework (WordPress, Joomla, etc.), these templates might find known issues.
+
+3. **Running a Specific Template:**
+   Suppose you suspect the server might be running phpMyAdmin and you want to detect any phpMyAdmin login panel exposures. Find the phpMyAdmin templates (for example `exposed-panels/phpmyadmin-login.yaml`) and run:
+   ```bash
+   nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/exposed-panels/phpmyadmin-login.yaml
+   ```
+
+4. **Setting Rate Limits and Concurrency:**
+   If you’re scanning a network service that might be sensitive, slow down the requests:
+   ```bash
+   nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -rl 50 -c 10
+   ```
+   `-rl 50` limits to 50 requests per second and `-c 10` sets concurrency to 10 templates at a time.
+
+---
+
+## Interpreting Results
+
+The output of Nuclei prints findings to the terminal. A typical finding might look like:
+
+```
+[critical] [cves/2021/CVE-2021-XXXXX.yaml] http://10.6.6.6/vulnerable-endpoint
+```
+
+- **Severity Tag:** `[critical]` indicates the severity level from the template.
+- **Template Info:** `cves/2021/CVE-2021-XXXXX.yaml` indicates which template matched.
+- **Matched URL:** `http://10.6.6.6/vulnerable-endpoint` is the discovered vulnerable endpoint.
+
+You can also output results to a file:
+
+```bash
+nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -o results.txt
+```
+
+Nuclei can also output in JSON for easier parsing:
+
+```bash
+nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -json -o results.json
+```
+
+---
+
+## Running Against Multiple Targets in the 10.6.6.0/24 Network
+
+If you have a list of hosts or endpoints within the network, say `targets.txt`:
+
+```
+http://10.6.6.6
+http://10.6.6.7
+http://10.6.6.8
+```
+
+You can run:
+
+```bash
+nuclei -l targets.txt -t ~/.nuclei-templates/ -o network_results.txt
+```
+
+This will scan each listed host against all templates. To target only a certain set, like misconfiguration checks:
+
+```bash
+nuclei -l targets.txt -t ~/.nuclei-templates/misconfiguration/ -o misconfig_results.txt
+```
+
+
+
+## Advanced Usage: Workflows and Tagging
+
+Nuclei supports:
+- **Workflows:** Chain multiple templates so one finding triggers another template.
+- **Tagging:** Run templates by tags, like `-tags exposure` to run all templates tagged as `exposure`.
+
+For example, if you want to run only templates that are labeled with `exposure` tag:
+
+```bash
+nuclei -u http://10.6.6.6 -tags exposure
+```
+
+If you have a workflow file (a collection of templates in a certain order), you can specify it:
+
+```bash
+nuclei -u http://10.6.6.6 -w ~/my-workflows/exposure-workflow.yaml
+```
+
+---
+
+## Tuning and Optimization
+
+- **Exclude Templates:** Use `-exclude` flag to exclude certain templates or directories that produce false positives or are irrelevant.
+- **Stop at First Match:** If you just want to know if there’s any vulnerability at all, you can optimize by stopping after first match with certain parameters.
+- **Integration with Other Tools:** Combine Nuclei with subdomain enumeration (e.g., `subfinder`), and pipe results directly. For example:
+  ```bash
+  echo http://10.6.6.6 | nuclei -t ~/.nuclei-templates/
+  ```
+
+---
+
+## Practical Example Recap
+
+Let’s finalize with a practical scenario using the fictitious target:
+
+1. **Initial Broad Scan (All Templates):**
+   ```bash
+   nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -o broad_scan.txt
+   ```
+   Wait for results. Check `broad_scan.txt` for interesting findings.
+
+2. **Focused CVE Scan:**
+   ```bash
+   nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/cves/ -o cves_findings.txt
+   ```
+
+3. **Misconfiguration Checks:**
+   ```bash
+   nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/misconfiguration/ -o misconfig_findings.txt
+   ```
+
+4. **Custom Endpoint Check:**
+   ```bash
+   nuclei -u http://10.6.6.6 -t internal-status.yaml -o custom_check.txt
+   ```
+
+5. **JSON Output for Tool Integration:**
+   ```bash
+   nuclei -u http://10.6.6.6 -t ~/.nuclei-templates/ -json -o results.json
+   ```
+   Then parse `results.json` with a script.
+
+
+
+
+