How to properly install Nuclei
Installation step by step avoiding pitfalls
You might think that installing Go and nuclei is simple. That's what I thought.
I had several instances of Nuclei running in different servers. I wanted to use a machine with low load to do some scans. An Ubuntu 18.04 Linux instance and it took me couple of hours to get it running.
Let me explain you why. There are two things that can fail (and will, especially if you are in a hurry or need to do something important, that's Murphy's law, it's science).
Update: If you use Ubuntu 20.04 the installation process is much simpler and you don’t need to do the next manual steps.
Using an old Go version might really destroy your ego
So, you need to install Go. What do you do?
> sudo apt install golang
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
golang-1.10 golang-1.10-doc golang-doc
The following NEW packages will be installed:
golang golang-1.10 golang-1.10-doc golang-doc
0 upgraded, 4 newly installed, 0 to remove and 10 not upgraded.
Need to get 2436 kB of archives.
After this operation, 4280 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Preparing to unpack .../golang-doc_2%3a1.10~4ubuntu1_all.deb ...
Unpacking golang-doc (2:1.10~4ubuntu1) ...
Selecting previously unselected package golang.
Preparing to unpack .../golang_2%3a1.10~4ubuntu1_amd64.deb ...
Unpacking golang (2:1.10~4ubuntu1) ...
Setting up golang-1.10-doc (1.10.4-2ubuntu1~18.04.2) ...
Setting up golang-doc (2:1.10~4ubuntu1) ...
Setting up golang-1.10 (1.10.4-2ubuntu1~18.04.2) ...
Setting up golang (2:1.10~4ubuntu1) ...
Then, let's set some variables (add at the end of .bashrc file):
Great. Now let's install nuclei:
GO111MODULE=on go get github.com/projectdiscovery/nuclei/v2/cmd/nuclei
What do we get?
GO111MODULE=on go get github.com/projectdiscovery/nuclei/v2/cmd/nucleipackage github.com/pierrec/lz4/v4: cannot find package "github.com/pierrec/lz4/v4" in any of:
/usr/lib/go/src/github.com/pierrec/lz4/v4 (from $GOROOT)
/home/ubuntu/go/src/github.com/pierrec/lz4/v4 (from $GOPATH)
package github.com/google/go-github/v32/github: cannot find package "github.com/google/go-github/v32/github" in any of:
/usr/lib/go/src/github.com/google/go-github/v32/github (from $GOROOT)
/home/ubuntu/go/src/github.com/google/go-github/v32/github (from $GOPATH)
package crypto/ed25519: unrecognized import path "crypto/ed25519" (import path does not begin with hostname)
What's the problem? Please tell me.
Well, we forgot one step. Check the installed go version:
> go versiongo version go1.10.4 linux/amd64
go1.10.4, which is…. a VERY OLD version. According to Wikipedia is from the beginning of 2018, centuries ago. I have no idea why the default go package is so old. Well, I have some idea, it's old Ubuntu version, dah.
To solve this you'll need to install Go from its website. At the time of writing the latest version is 1.16.5.
Fail to set environment variables properly could give you a headache
Mostly because old and the newer versions of Go use different installation paths. The dependencies of Nuclei will try to install or read other packages from another paths. That's confusing and annoying.
Bonus: Using -u flag while doing go get
This is a source of problems. You think you're updating packages in order to make your program work better, faster, fancier. But no, this flag might crash the installation of nuclei.
So, here the steps to properly and nicely install nuclei.
#download compress file
wget https://golang.org/dl/go1.16.5.linux-amd64.tar.gz#cleaning previous installations
sudo rm -rf /usr/local/go #decompressing to /usr/local
sudo tar -C /usr/local -xzf go1.16.5.linux-amd64.tar.gz#add variables to .bashrc
echo 'export GOROOT=/usr/local/go' >> .bashrc
echo 'export GOPATH=$HOME/go' >> .bashrc
echo 'export PATH=$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH' >> .bashrc #reload .bashrc
source ~/.bashrc#check version
Now, let's install nuclei:
GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei
Check that's running and the version:
> nuclei -v
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v2.3.7projectdiscovery.io[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[FTL] Program exiting: no template/templates provided
No so fast, let's install the templates, sometimes you need to manually create the template folder:
mkdir ~/nuclei-templates#download/update templates
nuclei -ut vulnerabilities/wordpress/wp-plugin-statistics-sqli.yaml
workflows/airflow-workflow.yamlNuclei Templates v8.3.3 Changelog
| TOTAL | ADDED | REMOVED |
| 1198 | 81 | 11 |
[INF] Successfully updated nuclei-templates (v8.3.3). Enjoy!
In my case the folder was updated with newer templates.
Now you're ready to scan!