Published in Bug Bounty

How to properly install Nuclei

Installation step by step avoiding pitfalls

nuclei is the greatest tool ever. PERIOD.

You might think that installing Go and nuclei is simple. That's what I thought.

I had several instances of Nuclei running on different servers. I wanted to use a machine with low load to do some scans: an Ubuntu 18.04 Linux instance, and it took me a couple of hours to get it running.

Let me explain why. There are two things that can fail (and will, especially if you are in a hurry or need to do something important; that's Murphy's law, it's science).

Update: If you use Ubuntu 20.04 the installation process is much simpler and you don’t need to do the next manual steps.

Using an old Go version might really destroy your ego

So, you need to install Go. What do you do?

> sudo apt install golang
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
golang-1.10 golang-1.10-doc golang-doc
The following NEW packages will be installed:
golang golang-1.10 golang-1.10-doc golang-doc
0 upgraded, 4 newly installed, 0 to remove and 10 not upgraded.
Need to get 2436 kB of archives.
After this operation, 4280 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
... truncated
Preparing to unpack .../golang-doc_2%3a1.10~4ubuntu1_all.deb ...
Unpacking golang-doc (2:1.10~4ubuntu1) ...
Selecting previously unselected package golang.
Preparing to unpack .../golang_2%3a1.10~4ubuntu1_amd64.deb ...
Unpacking golang (2:1.10~4ubuntu1) ...
Setting up golang-1.10-doc (1.10.4-2ubuntu1~18.04.2) ...
Setting up golang-doc (2:1.10~4ubuntu1) ...
Setting up golang-1.10 (1.10.4-2ubuntu1~18.04.2) ...
Setting up golang (2:1.10~4ubuntu1) ...

Then, let's set some variables (add them at the end of the .bashrc file):

export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH

Great. Now let's install nuclei:

GO111MODULE=on go get github.com/projectdiscovery/nuclei/v2/cmd/nuclei

What do we get?

GO111MODULE=on go get github.com/projectdiscovery/nuclei/v2/cmd/nuclei
package github.com/pierrec/lz4/v4: cannot find package "github.com/pierrec/lz4/v4" in any of:
/usr/lib/go/src/github.com/pierrec/lz4/v4 (from $GOROOT)
/home/ubuntu/go/src/github.com/pierrec/lz4/v4 (from $GOPATH)
package github.com/google/go-github/v32/github: cannot find package "github.com/google/go-github/v32/github" in any of:
/usr/lib/go/src/github.com/google/go-github/v32/github (from $GOROOT)
/home/ubuntu/go/src/github.com/google/go-github/v32/github (from $GOPATH)
package crypto/ed25519: unrecognized import path "crypto/ed25519" (import path does not begin with hostname)

What's the problem? Please tell me.

Well, we forgot one step. Check the installed go version:

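> go version
go version go1.10.4 linux/amd64

go1.10.4, which is... a VERY OLD version. According to Wikipedia, it is from the beginning of 2018, centuries ago. I have no idea why the default go package is so old. Well, I have some idea: it's an old Ubuntu version, duh. The old version explains the errors above: Go 1.10 has no module support (that arrived in Go 1.11), so GO111MODULE=on is ignored and the /v4 and /v32 import paths are searched as plain directories under $GOROOT and $GOPATH, and its standard library has no crypto/ed25519 package.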

To solve this you'll need to install Go from its website. At the time of writing the latest version is 1.16.5.

Failing to set environment variables properly could give you a headache

Mostly because the old and the newer versions of Go use different installation paths. The dependencies of Nuclei will then try to install or read other packages from other paths. That's confusing and annoying.
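
Both pitfalls can be checked before running go get. The script below is an added example, not part of the original article: the function names and the 1.13 minimum are assumptions (1.13 is the Go release that added crypto/ed25519 to the standard library), and it treats GOROOT as correct only when the go binary in use is the one under $GOROOT/bin.

```sh
# Added example (not from the article): preflight for the two pitfalls above.
# Assumption: MIN_GO=1.13, the release that added crypto/ed25519 to the stdlib.
MIN_GO=1.13

# Print the dotted version from a line like "go version go1.10.4 linux/amd64".
parse_go_version() {
  printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9.]*\).*/\1/p'
}

# Succeed when dotted version $1 >= $2, compared numerically field by field.
version_ge() {
  va=$1 vb=$2
  while [ -n "$va" ] || [ -n "$vb" ]; do
    vx=${va%%.*} vy=${vb%%.*}
    [ "${vx:-0}" -gt "${vy:-0}" ] && return 0
    [ "${vx:-0}" -lt "${vy:-0}" ] && return 1
    case $va in *.*) va=${va#*.} ;; *) va= ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
  done
  return 0
}

# Succeed when go binary $2 is the one inside GOROOT $1 (symlinks resolved).
# An empty GOROOT passes: the toolchain then uses its built-in default.
goroot_matches() {
  [ -n "$1" ] || return 0
  [ -x "$1/bin/go" ] || return 1
  [ "$(readlink -f "$2")" = "$(readlink -f "$1/bin/go")" ]
}

# $1 = `go version` output, $2 = GOROOT value (may be empty), $3 = path to go.
# Prints one line per problem and returns non-zero when any check fails.
preflight() {
  pf_rc=0
  pf_ver=$(parse_go_version "$1")
  if [ -z "$pf_ver" ]; then
    echo "cannot parse go version from: $1"; pf_rc=1
  elif ! version_ge "$pf_ver" "$MIN_GO"; then
    echo "go $pf_ver is older than $MIN_GO: install a current release"; pf_rc=1
  fi
  if ! goroot_matches "$2" "$3"; then
    echo "GOROOT=$2 does not hold the go binary in use ($3)"; pf_rc=1
  fi
  return "$pf_rc"
}

# Check the live system when a go binary is on PATH.
if command -v go >/dev/null 2>&1; then
  preflight "$(go version)" "${GOROOT:-}" "$(command -v go)" || echo "fix these before go get"
fi
```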

Bonus: Using -u flag while doing go get

This is a source of problems. You think you're updating packages in order to make your program work better, faster, fancier. But no, this flag might crash the installation of nuclei.

So, here are the steps to properly and nicely install nuclei.

Install Go:

# download the compressed archive
wget https://golang.org/dl/go1.16.5.linux-amd64.tar.gz
# remove any previous installation
sudo rm -rf /usr/local/go
# extract to /usr/local
sudo tar -C /usr/local -xzf go1.16.5.linux-amd64.tar.gz
# add the variables to ~/.bashrc (not to a .bashrc in the current directory)
echo 'export GOROOT=/usr/local/go' >> ~/.bashrc
echo 'export GOPATH=$HOME/go' >> ~/.bashrc
echo 'export PATH=$GOPATH/bin:$GOROOT/bin:$HOME/.local/bin:$PATH' >> ~/.bashrc
# reload ~/.bashrc
source ~/.bashrc
# check the version
go version
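
The archive above is unpacked into /usr/local as root, so it is worth checking its SHA-256 against the value listed on the Go downloads page before extracting. This is an added example, not from the original article: sha256_of and verify_sha256 are names chosen here, and EXPECTED_SHA256 is a placeholder to fill in.

```sh
# Added example: refuse to unpack the Go tarball unless its SHA-256 matches.
TARBALL=go1.16.5.linux-amd64.tar.gz
# Placeholder: paste the checksum listed for this file on the Go downloads page.
EXPECTED_SHA256="<sha256-from-go-downloads-page>"

# Print the lowercase hex SHA-256 of file $1.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 on a match, 1 on a mismatch, 2 when the file or expected hash is unusable.
verify_sha256() {
  [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  # Reject anything that is not exactly 64 hex digits (such as the placeholder).
  case $want in *[!0-9a-f]*) echo "bad expected hash" >&2; return 2 ;; esac
  [ "${#want}" -eq 64 ] || { echo "bad expected hash" >&2; return 2; }
  got=$(sha256_of "$1")
  [ "$got" = "$want" ] || { echo "checksum mismatch: $got" >&2; return 1; }
}

# Only replace /usr/local/go when the downloaded archive verifies.
if [ -f "$TARBALL" ]; then
  if verify_sha256 "$TARBALL" "$EXPECTED_SHA256"; then
    sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf "$TARBALL"
  fi
fi
```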

Now, let's install nuclei:

GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei

Check that it's running, and its version:

> nuclei -v
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v2.3.7
projectdiscovery.io
[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[FTL] Program exiting: no template/templates provided

That's it?

Not so fast. Let's install the templates; sometimes you need to create the template folder manually:

# create the folder
mkdir -p ~/nuclei-templates
# download/update the templates
nuclei -ut
Nuclei Templates v8.3.3 Changelog
| 1198 | 81 | 11 |
[INF] Successfully updated nuclei-templates (v8.3.3). Enjoy!

In my case the folder was updated with newer templates.

Now you're ready to scan!




Philippe Delteil
