Network (TCP) protocol templates enable testing of non-HTTP services like databases, message queues, custom protocols, and any TCP-based service.

Basic network request

A simple TCP connection and response check:
id: basic-network-example

info:
  name: Basic Network Request
  author: pdteam
  severity: info

network:
  - host:
      - "{{Hostname}}"
    inputs:
      - data: "PING\r\n"
    read-size: 1024
    
    matchers:
      - type: word
        words:
          - "PONG"
Both network: and tcp: keywords are supported. They are equivalent and can be used interchangeably.

Network request components

Host

host (array, required): Target hosts to connect to. Supports hostnames, IPs, and custom ports.
network:
  - host:
      - "{{Hostname}}"
      - "{{Hostname}}:9000"
      - "192.168.1.1:8080"

TLS connections

Enable TLS by prefixing with tls://:
network:
  - host:
      - "tls://{{Hostname}}:443"
    inputs:
      - data: "GET / HTTP/1.0\r\n\r\n"

Inputs

inputs (array, required): Data to send to the target. Supports multiple sequential inputs.
network:
  - host:
      - "{{Hostname}}:6379"
    inputs:
      - data: "INFO\r\n"

Input types

Text input

network:
  - host:
      - "{{Hostname}}:3306"
    inputs:
      - data: "SHOW DATABASES\r\n"
        type: text

Hex input

Send binary data as hex:
network:
  - host:
      - "{{Hostname}}:5000"
    inputs:
      - data: "504B0304"  # ZIP header
        type: hex

Reading responses

Fixed-size read

read-size (integer, default: 1024): Number of bytes to read from the response.
network:
  - host:
      - "{{Hostname}}:22"
    read-size: 2048
    
    matchers:
      - type: word
        words:
          - "SSH-2.0"

Read all

read-all (boolean, default: false): Read the entire response stream until EOF.
network:
  - host:
      - "{{Hostname}}:80"
    inputs:
      - data: "GET / HTTP/1.0\r\n\r\n"
    read-all: true

Multi-step interactions

Send data, read response, send more data:
id: redis-auth-test

info:
  name: Redis Authentication Test
  author: pdteam
  severity: medium

network:
  - host:
      - "{{Hostname}}:6379"
    
    inputs:
      - data: "AUTH {{password}}\r\n"
        read: 1024
      
      - data: "INFO\r\n"
        read: 2048
    
    payloads:
      password:
        - admin
        - password
        - redis
    
    matchers:
      - type: word
        words:
          - "+OK"
          - "redis_version"
        condition: and

Named inputs

Capture responses from specific inputs for targeted matching:
id: smtp-vrfy

info:
  name: SMTP VRFY Command
  author: pdteam
  severity: info

network:
  - host:
      - "{{Hostname}}:25"
    
    inputs:
      - data: "EHLO scanner\r\n"
        read: 1024
        name: banner
      
      - data: "VRFY root\r\n"
        read: 512
        name: vrfy_response
    
    matchers:
      - type: word
        part: vrfy_response
        words:
          - "250"
          - "252"
        condition: or
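
Why part: vrfy_response matters in the template above, shown as an added example that is not part of the Nuclei documentation or code base. It replays the same two inputs against a constructed mock SMTP server that has VRFY disabled; the helper names, the mock replies, and the modelling of data as everything received are assumptions made for illustration.

```python
import socket
import threading

# Constructed replies from a mock SMTP server that has VRFY disabled (502).
MOCK_REPLIES = {
    b"EHLO": b"250-mail.example.test\r\n250 SIZE 10240000\r\n",
    b"VRFY": b"502 5.5.1 VRFY command is disabled\r\n",
}

def mock_smtp(conn, replies):
    """Answer each command with its constructed reply until the peer closes."""
    with conn:
        while (line := conn.recv(1024)):
            conn.sendall(replies.get(line[:4].upper(), b"500 unknown\r\n"))

def run_inputs(inputs, replies=MOCK_REPLIES):
    """Send each input, read up to `read` bytes, store the reply under `name`.
    `data` is modelled as everything received (an assumption of this sketch)."""
    client, server = socket.socketpair()
    client.settimeout(2)
    t = threading.Thread(target=mock_smtp, args=(server, replies))
    t.start()
    parts = {"data": ""}
    with client:
        for step in inputs:
            client.sendall(step["data"].encode())
            reply = client.recv(step["read"]).decode()
            parts[step["name"]] = reply
            parts["data"] += reply
    t.join()
    return parts

def word_match(parts, part, words, condition="or"):
    """Word matcher: substring test on one part, combined with and/or."""
    hits = [w in parts[part] for w in words]
    return all(hits) if condition == "and" else any(hits)

# Same inputs as the smtp-vrfy template above.
SMTP_INPUTS = [
    {"data": "EHLO scanner\r\n", "read": 1024, "name": "banner"},
    {"data": "VRFY root\r\n", "read": 512, "name": "vrfy_response"},
]

if __name__ == "__main__":
    parts = run_inputs(SMTP_INPUTS)
    print("part=data          ->", word_match(parts, "data", ["250", "252"]))
    print("part=vrfy_response ->", word_match(parts, "vrfy_response", ["250", "252"]))
```

Matching "250" against all received data fires on the EHLO reply even though VRFY was refused, while the named part reports no match.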

Example: SSH version detection

id: ssh-version-detect

info:
  name: SSH Version Detection
  author: pdteam
  severity: info
  description: Detects SSH server version from banner

network:
  - host:
      - "{{Hostname}}:22"
    read-size: 1024
    
    matchers:
      - type: regex
        regex:
          - "SSH-([0-9.]+)"
    
    extractors:
      - type: regex
        name: ssh_version
        regex:
          - "SSH-([0-9.]+)-(.+)"
        group: 2

Example: MySQL banner grab

id: mysql-detect

info:
  name: MySQL Server Detection
  author: pdteam
  severity: info

network:
  - host:
      - "{{Hostname}}:3306"
    read-size: 512
    
    matchers:
      - type: binary
        binary:
          - "000000"  # MySQL handshake starts with packet length
        part: data
      
      - type: word
        words:
          - "mysql"
        condition: or
    
    extractors:
      - type: regex
        name: mysql_version
        regex:
          - "([0-9]+\\.[0-9]+\\.[0-9]+)"
        group: 1

Example: Redis info dump

id: redis-info

info:
  name: Redis Server Information
  author: pdteam
  severity: info

network:
  - host:
      - "{{Hostname}}:6379"
    
    inputs:
      - data: "INFO\r\n"
    
    read-size: 4096
    
    matchers:
      - type: word
        words:
          - "redis_version"
          - "redis_mode"
        condition: and
    
    extractors:
      - type: regex
        name: redis_version
        regex:
          - "redis_version:([0-9.]+)"
        group: 1
      
      - type: regex
        name: redis_mode
        regex:
          - "redis_mode:(\\w+)"
        group: 1

Payloads with network

Test multiple credentials or inputs:
id: service-auth-bruteforce

info:
  name: Service Authentication Test
  author: pdteam
  severity: medium

network:
  - host:
      - "{{Hostname}}:{{port}}"
    
    inputs:
      - data: "AUTH {{username}} {{password}}\r\n"
    
    payloads:
      username:
        - admin
        - root
      password:
        - admin
        - password
      port:
        - 6379  # Redis
        - 11211 # Memcached
    
    attack: clusterbomb
    threads: 5
    
    matchers:
      - type: word
        words:
          - "+OK"
          - "STORED"
        condition: or

Network response parts

data (string): Received data from the server (default).
matchers:
  - type: word
    part: data
    words:
      - "220"
raw (string): Complete interaction including sent and received data.
request (string): Data sent to the server.

Advanced options

Port scanning

port (string): Default port or port range to scan.
network:
  - host:
      - "{{Hostname}}"
    port: "8000-8100"
    
    inputs:
      - data: "HEAD / HTTP/1.0\r\n\r\n"
    
    matchers:
      - type: word
        words:
          - "HTTP/1"

Exclude ports

exclude-ports (string): Ports to skip during scanning.
network:
  - host:
      - "{{Hostname}}"
    port: "8000-9000"
    exclude-ports: "8080,8443"

Threads

threads (integer, default: 1): Number of concurrent connections.
network:
  - host:
      - "{{Hostname}}"
    port: "8000-9000"
    threads: 10

Matchers for network

Word matchers

matchers:
  - type: word
    words:
      - "SSH-2.0"
      - "220 FTP"
      - "+OK"
    condition: or

Regex matchers

matchers:
  - type: regex
    regex:
      - "MySQL ([0-9.]+)"
      - "PostgreSQL ([0-9.]+)"
    condition: or

Binary matchers

matchers:
  - type: binary
    binary:
      - "1503"  # TLS alert
      - "0d0a"  # CRLF
    part: data

DSL matchers

matchers:
  - type: dsl
    dsl:
      - "len(data) > 100"
      - "contains(data, 'admin')"
    condition: and

Complete examples

id: ftp-detect

info:
  name: FTP Service Detection
  author: pdteam
  severity: info

network:
  - host:
      - "{{Hostname}}:21"
    read-size: 1024
    
    matchers:
      - type: word
        words:
          - "220"
          - "FTP"
        condition: and
    
    extractors:
      - type: regex
        name: ftp_banner
        regex:
          - "220 (.+)"
        group: 1

Testing tips

Use -debug to see raw data exchange:
nuclei -t network-template.yaml -u example.com:22 -debug

Set up test services locally:
# Start Redis
docker run -p 6379:6379 redis

# Test template
nuclei -t redis-template.yaml -u localhost:6379

Some services are slow to respond. Increase timeout:
nuclei -t template.yaml -u host:port -timeout 30

Common protocols

SSH (22)

Banner grabbing, version detection

FTP (21)

Anonymous access, banner info

SMTP (25)

Open relay, VRFY command

MySQL (3306)

Version detection, authentication

PostgreSQL (5432)

Service fingerprinting

Redis (6379)

Unauthenticated access, info

MongoDB (27017)

Version, configuration

Telnet (23)

Banner, access control

LDAP (389)

Anonymous bind, information
