Skip to main content
Nuclei scans run in the background without sudo. SMB signing checks use NetExec’s --gen-relay-list to identify hosts suitable for NTLM relay attacks.

POST /api/network/nuclei/scan

Launches a Nuclei scan against web services discovered in the most recent Nmap web-port XML file in recon/. The endpoint reads the XML, extracts all open web ports, builds a target URL list (recon/WebApps.txt), and starts Nuclei in the background. The scan requires at least one Nmap XML file with "web" in the filename (e.g. nmap_web_20240115.xml) to exist in recon/. 
curl -X POST http://localhost:8000/api/network/nuclei/scan \
  -H "Content-Type: application/json" \
  -d '{
    "templates": ["cves", "exposures"],
    "custom_cmd": "-severity critical,high"
  }'

Request Body

templates
array
Array of Nuclei template tag strings to filter by (e.g. ["cves", "exposures", "default-logins"]). If empty or omitted, all templates are used.
custom_cmd
string
Additional raw Nuclei flags appended to the command (e.g. "-severity critical,high" or "-rl 10").

Response

status
string
"success" when the scan was launched.
scan_id
string
UUID for polling with /api/scan-status/{scan_id}.
webapp_count
integer
Number of web application targets extracted from the Nmap XML.
templates
string | array
The template tags used, or "all" if no templates were specified.
command
string
The Nuclei command that was launched.
Example response: 
{
  "status": "success",
  "scan_id": "c3d4e5f6-a7b8-9012-cdef-012345678901",
  "webapp_count": 8,
  "templates": ["cves", "exposures"],
  "command": "nuclei -l recon/WebApps.txt -j -tags cves,exposures -o recon/nuclei_c3d4e5f6.json"
}

POST /api/network/nuclei/scan-direct

Launches a Nuclei scan against an explicit list of target URLs. Bypasses the Nmap XML lookup — useful when you want to scan specific targets that may not be in the database. 
curl -X POST http://localhost:8000/api/network/nuclei/scan-direct \
  -H "Content-Type: application/json" \
  -d '{
    "targets": ["http://10.10.10.1:80", "https://10.10.10.1:443"],
    "templates": ["default-logins"]
  }'

Request Body

targets
array
required
Array of target URL strings (e.g. ["http://10.10.10.1:80", "https://10.10.10.1:8443"]).
templates
array
Nuclei template tag filters. If empty, all templates are run.
custom_cmd
string
Additional raw Nuclei CLI flags.

Response

status
string
"success" when the scan was launched.
scan_id
string
UUID for polling.
target_count
integer
Number of targets written to the scan list.
templates
string | array
Template tags used, or "all".
command
string
The Nuclei command launched.

POST /api/network/nuclei/stop/

Stops a running Nuclei scan by updating its database status to stopped. The underlying process is killed via pkill. 
curl -X POST http://localhost:8000/api/network/nuclei/stop/c3d4e5f6-a7b8-9012-cdef-012345678901

Path Parameter

scan_id
string
required
UUID of the Nuclei scan to stop.

Response

{ "status": "stopped" }

GET /api/network/nuclei/xml-files

Lists all Nmap XML files in recon/ whose name contains "web". These are the files that the /api/network/nuclei/scan endpoint uses as scan input. The most recently created file is marked with "latest": true. 
curl http://localhost:8000/api/network/nuclei/xml-files

Response

files
array
Array of XML file descriptors, sorted newest first.
Example response: 
{
  "files": [
    { "path": "/home/kali/etherreaper/recon/nmap_web_20240115_143200.xml", "name": "nmap_web_20240115_143200.xml", "latest": true },
    { "path": "/home/kali/etherreaper/recon/nmap_web_20240114_091022.xml", "name": "nmap_web_20240114_091022.xml", "latest": false }
  ]
}

POST /api/smb-signing/scan

Runs a NetExec SMB signing check against a target using netexec smb <target> --gen-relay-list. Hosts with SMB signing disabled are written to recon/smb_relay.txt and their signing/SMBv1 status is updated in the hosts database. This is a synchronous call — it waits for the scan to complete (up to 5 minutes). 
curl -X POST http://localhost:8000/api/smb-signing/scan \
  -H "Content-Type: application/json" \
  -d '{"target": "10.10.10.0/24"}'

Request Body

target
string
required
IP, CIDR, or range to check (e.g. "10.10.10.0/24").

Response

status
string
"success" on completion.
message
string
Summary including count of vulnerable hosts.
vulnerable_count
integer
Number of hosts with SMB signing disabled (relay targets).
total_hosts
integer
Total number of hosts observed during the scan.
command
string
NetExec command executed.
Example response: 
{
  "status": "success",
  "message": "SMB signing scan completed - 3 host(s) without signing",
  "vulnerable_count": 3,
  "total_hosts": 12,
  "command": "netexec smb 10.10.10.0/24 --gen-relay-list smb_relay.txt"
}

POST /api/smbsigning/run

Alternate SMB signing endpoint that accepts an array of targets. Functionally equivalent to /api/smb-signing/scan but designed for use when you have a pre-populated list of IPs (e.g. from the Scope table). When more than one target is provided, they are written to a temporary file and passed to NetExec with -iL. 
curl -X POST http://localhost:8000/api/smbsigning/run \
  -H "Content-Type: application/json" \
  -d '{
    "targets": ["10.10.10.1", "10.10.10.2", "10.10.10.3"]
  }'

Request Body

target
string
Single target IP, CIDR, or comma-separated list.
targets
array
Array of IP strings. Takes precedence over target when both are provided.

Response

status
string
"success" on completion.
message
string
Summary of results.
scan_id
string
UUID of the scan record created.
output
string
Raw NetExec output.

Build docs developers (and LLMs) love

Get started for freeTalk to us