Automating Your Nuclei Recon Pipeline
🛡️ Ethical Use Reminder: All tools and techniques discussed in this post are intended for ethical, legal, and educational use only. Only perform security testing on systems you own or have explicit permission to test. This content is for researchers, students and professionals following responsible disclosure and legal guidelines.
Now that you’ve learned how to run scans, rotate IPs, and trigger Discord alerts — let’s automate the whole recon flow. This script ties everything together into a repeatable, single-command bug bounty recon pipeline using subfinder, httpx, nuclei, NordVPN, and Discord alerts.
What This Script Does
- Enumerates subdomains using
subfinder
- Probes for live hosts using
httpx
- Rotates your NordVPN IP between each target
- Runs Nuclei with tuned templates and filters
- Sends results to Discord if any vulnerabilities are found
Full Bash Script
Save this as nuclei-recon.sh and make it executable with chmod +x nuclei-recon.sh.
#!/bin/bash
set -euo pipefail
# Setup
DATE=$(date +”%Y-%m-%d_%H-%M-%S”)
BASE_OUTDIR=”nuclei_run_$DATE”
mkdir -p “$BASE_OUTDIR”
DISCORD_WEBHOOK=”https://discord.com/api/webhooks/XXX/YYY” # replace this
# Check if domains file is provided
if [[ $# -eq 0 ]]; then
echo “Usage: $0 ”
echo “Example: $0 domains.txt”
exit 1
fi
DOMAINS_FILE=”$1″
if [[ ! -f “$DOMAINS_FILE” ]]; then
echo “Error: Domains file ‘$DOMAINS_FILE’ not found”
exit 1
fi
while read -r DOMAIN; do
# Skip empty lines and comments
[[ -z “$DOMAIN” || “$DOMAIN” =~ ^#.*$ ]] && continue
CLEAN=$(echo “$DOMAIN” | sed ‘s/*\.//g’)
OUTDIR=”$BASE_OUTDIR/$CLEAN”
mkdir -p “$OUTDIR”
echo “[*] Rotating VPN…”
if command -v nordvpn >/dev/null 2>&1; then
nordvpn disconnect || true
sleep 2
nordvpn connect || true
sleep 6
curl -s https://ipinfo.io/ip > “$OUTDIR/ip.txt” || echo “unknown” > “$OUTDIR/ip.txt”
else
echo “Warning: NordVPN not found, skipping VPN rotation”
curl -s https://ipinfo.io/ip > “$OUTDIR/ip.txt” || echo “unknown” > “$OUTDIR/ip.txt”
fi
echo “[*] Subdomain scan on $CLEAN”
subfinder -d “$CLEAN” -silent > “$OUTDIR/subs.txt” || touch “$OUTDIR/subs.txt”
echo “[*] Probing live hosts”
if [[ -s “$OUTDIR/subs.txt” ]]; then
httpx -l “$OUTDIR/subs.txt” -silent -timeout 5 -threads 100 > “$OUTDIR/live.txt” || touch “$OUTDIR/live.txt”
else
echo “No subdomains found”
touch “$OUTDIR/live.txt”
fi
echo “[*] Running nuclei scan”
if [[ -s “$OUTDIR/live.txt” ]]; then
nuclei -l “$OUTDIR/live.txt” \
-t cves/,exposed-panels/,misconfiguration/,files/ \
-tags rce,xss,unauth,exposure \
-severity high,critical \
-rate-limit 25 -retries 3 -timeout 10 \
-o “$OUTDIR/findings.json” -v -debug || true
else
echo “No live hosts found”
echo “[]” > “$OUTDIR/findings.json”
fi
# Send Discord notification if findings exist
if [[ -s “$OUTDIR/findings.json” ]] && [[ “$(cat “$OUTDIR/findings.json”)” != “[]” ]]; then
if command -v jq >/dev/null 2>&1; then
COUNT=$(jq length “$OUTDIR/findings.json” 2>/dev/null || echo “0”)
if [[ “$COUNT” -gt 0 ]]; then
FIRST=$(jq -r ‘.[0] | “\(.info.severity | ascii_upcase) – \(.templateID) on \(.matched)”‘ “$OUTDIR/findings.json” 2>/dev/null || echo “Unable to parse finding”)
CURRENT_IP=$(cat “$OUTDIR/ip.txt” 2>/dev/null || echo “unknown”)
PAYLOAD=$(jq -n \
–arg username “Nuclei Bot” \
–arg content “🚨 **$COUNT finding(s)** for \`$CLEAN\`
First hit: $FIRST
IP: \`$CURRENT_IP\`” \
‘{username: $username, content: $content}’)
curl -s -H “Content-Type: application/json” \
-X POST -d “$PAYLOAD” \
“$DISCORD_WEBHOOK” || echo “Failed to send Discord notification”
fi
else
echo “Warning: jq not found, skipping Discord notification”
fi
else
echo “No findings for $CLEAN”
fi
echo “[*] Completed scan for $CLEAN”
echo “—————————————-”
done < "$DOMAINS_FILE"
echo "[*] All scans completed. Results in: $BASE_OUTDIR"
Usage
Create a file called h1_scopes.txt with a list of wildcard domains (e.g. *.example.com), then run:
Set execute permission on the script:
chmod +x nuclei-recon.sh
Then you can run it with:
./nuclei-recon.sh
Make It Your Own
You can expand this script with:
- Slack or email alerts
- JS-based Nuclei scans using
-headless
- Scheduled runs with
cro
⭐ Ready for a reliable, high-performance VPS at an unbeatable price? We host our own Kali labs on Hostinger: 4 vCPU, NVMe storage, 16 GB RAM and 16 TB bandwidth, backed by 24/7 support and a 30-day money-back guarantee. You’ll save up to 20% when you lock in a 24-month plan. Grab a Hostinger VPS using this referral link and support our content.
🚀 Claim Your Hostinger VPS Now (from only US$ 7.99/mo)
