NERVE - Network Exploitation, Reconnaissance & Vulnerability Engine


NERVE is a vulnerability scanner tailored to find low-hanging fruit level vulnerabilities, in specific application configurations, network services, and unpatched services.

It is not a replacement for Qualys, Nessus, or OpenVAS. It does not do authenticated scans and operates in black-box mode only.

NERVE will do "some" CVE checks, but this is primarily coming from version fingerprinting.

Example of some of NERVE's detection capabilities:

  • Interesting Panels (Solr, Django, PHPMyAdmin, etc.)
  • Subdomain takeovers
  • Open Repositories
  • Information Disclosures
  • Abandoned / Default Web Pages
  • Misconfigurations in services (Nginx, Apache, IIS, etc.)
  • SSH Servers
  • Open Databases
  • Open Caches
  • Directory Indexing
  • Best Practices

Continuous Security

We believe security scanning should be done continuously. Not daily, weekly, monthly, or quarterly.

The benefit of running security scanning continuously can be any of the following:

  • You have a dynamic environment where infrastructure gets created every minute/hour/etc.
  • You want to be the first to catch issues before anyone else
  • You want the ability to respond quickly.

NERVE was created to address this problem. Commercial tools are great, but they are also heavy, not easily extensible, and cost money.


NERVE offers the following features:

  • Dashboard (With a Login interface)
  • REST API (Scheduling assessments, Obtaining results, etc)
  • Notifications
    • Slack
    • Email
    • Webhook
  • Reports
    • TXT
    • CSV
    • HTML
  • Customizable scans
    • Configurable intrusiveness levels
    • Scan depth
    • Exclusions
    • DNS / IP Based
    • Threading
  • Network Topology Graphs

We put together Graphical User Interface primarily for ease of use, but we will be putting more emphasis on detections and new signatures than creating a full-blown user interface.


NERVE will install all the prerequisites for you automatically if you choose the Server installation (CentOS 7.x and Ubuntu 18.x were tested) (by using install/ a script). It also comes with a Dockerfile for your convenience.

Keep in mind, NERVE requires root access for the initial setup on bare metal (package installation, etc).

Services and Packages required for NERVE to run:

  • Web Server (Flask)
  • Redis server (binds locally)
  • Nmap package (binary and Python Nmap library)
  • Inbound access on HTTP/S port (you can define this in

The installation script takes care of everything for you, but if you want to install it by yourself, keep in mind these are required.


Deployment Recommendation

The best way to deploy it is to run it against your infrastructure from multiple regions (e.g. multiple instances of NERVE, in multiple countries), and toggle continuous mode so that you can catch short-lived vulnerabilities in dynamic environments/cloud.

We typically recommend not to whitelist the IP addresses where NERVE will be initiating the scans from, to truly test your infrastructure from an attacker standpoint.

To make NERVE fairly lightweight, there's no use of a database other than Redis.

If you want to store your vulnerabilities long term, we recommend using the Webhook feature. At the end of each scan cycle, NERVE will dispatch a JSON payload to an endpoint of your choice, and you can then store it in a database for further analysis.

Here are the high-level steps we recommend to get the most optimal results:

  1. Deploy NERVE on 1 or more servers.
  2. Create a script that fetches your Cloud services (such as AWS Route53 to get the DNS, AWS EC2 to get the instance IPs, AWS RDS to get the database IPs, etc.) and maybe a static list of IP addresses if you have assets in a Datacenter.
  3. Call NERVE API (POST /api/scan/submit) and schedule a scan using the assets you gathered in step #2.
  4. Fetch the results programmatically and act on them (SOAR, JIRA, SIEM, etc.)
  5. Add your own logic (exclude certain alerts, add to database, etc.)


Clone the repository

git clone [email protected]:PaytmLabs/nerve.git && cd nerve

Build the Docker image

docker build -t nerve .

Create a container from the image

docker run -e username="YOUR_USER" -e password="YOUR_PASSWORD" -d -p 80:8080 nerve

In your browser, navigate to and login with the credentials you specified in the previous command.


Navigate to /opt

cd /opt/

Clone the repository

git clone [email protected]:PaytmLabs/nerve.git && cd nerve

Run Installer (requires root)

bash install/

Check NERVE is running

systemctl status nerve

In your browser, navigate to and use the credentials printed in your terminal.


There are a few security mechanisms implemented into NERVE you need to be aware of.

  • Content Security Policy - A response header that controls where the resource scan can be loaded from.
  • Other Security Policies - These Response headers are enabled: Content-Type Options, X-XSS-Protection, X-Frame-Options, Referer-Policy
  • Brute Force Protection - A user will get locked if more than 5 incorrect login attempts are made.
  • Cookie Protection - Cookie security flags are used, such as SameSite, HttpOnly, etc.

If you identify a security vulnerability, please submit a bug to us on GitHub.

We recommend taking the following steps before and after installation

  1. Set a strong password (a password will be set for you if you use the bare metal installation)
  2. Protect the inbound access to the panel (Add your management IP addresses to the allow list of the local firewall)
  3. Add HTTPS (you can either patch Flask directly, or use a reverse proxy like nginx)
  4. Keep the instance patched


To learn about NERVE (GUI, API, etc.) we advise you to check out the documentation available to you via the platform. Once you deploy it, authenticate, and on the left sidebar you will find a documentation link for API and GUI usage.

GUI Documentation

API Documentation


October 1, 2020


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023