Monday, September 10, 2018

GWAPT (GIAC Web Application Penetration Tester) certification cheat sheet

=== http status codes ===================================================

1xx Informational
100 Continue
101 Switching Protocols
102 Processing (WebDAV; RFC 2518)

2xx Success
200 OK
201 Created
202 Accepted
203 Non-Authoritative Information (since HTTP/1.1)
204 No Content
205 Reset Content
206 Partial Content
207 Multi-Status (WebDAV; RFC 4918)
208 Already Reported (WebDAV; RFC 5842)
226 IM Used (RFC 3229)

3xx Redirection
300 Multiple Choices
301 Moved Permanently
302 Found
303 See Other (since HTTP/1.1)
304 Not Modified
305 Use Proxy (since HTTP/1.1)
306 Switch Proxy
307 Temporary Redirect (since HTTP/1.1)
308 Permanent Redirect (approved as experimental RFC)

4xx Client Error
400 Bad Request
401 Unauthorized
402 Payment Required
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable
407 Proxy Authentication Required
408 Request Timeout
409 Conflict
410 Gone
411 Length Required
412 Precondition Failed
413 Request Entity Too Large
414 Request-URI Too Long
415 Unsupported Media Type
416 Requested Range Not Satisfiable
417 Expectation Failed
418 I'm a teapot (RFC 2324)
420 Enhance Your Calm (Twitter)
422 Unprocessable Entity (WebDAV; RFC 4918)
423 Locked (WebDAV; RFC 4918)
424 Failed Dependency (WebDAV; RFC 4918)
SANS SEC542 (Web App Penetration Testing and Ethical Hacking) chea... https://ift.tt/2x34Tz3...
1 of 7 4/24/2017 3:25 PM
424 Method Failure (WebDAV)
425 Unordered Collection (Internet draft)
426 Upgrade Required (RFC 2817)
428 Precondition Required (RFC 6585)
429 Too Many Requests (RFC 6585)
431 Request Header Fields Too Large (RFC 6585)
444 No Response (Nginx)
449 Retry With (Microsoft)
450 Blocked by Windows Parental Controls (Microsoft)
451 Unavailable For Legal Reasons (Internet draft)
494 Request Header Too Large (Nginx)
495 Cert Error (Nginx)
496 No Cert (Nginx)
497 HTTP to HTTPS (Nginx)
499 Client Closed Request (Nginx)

5xx Server Error
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
505 HTTP Version Not Supported
506 Variant Also Negotiates (RFC 2295)
507 Insufficient Storage (WebDAV; RFC 4918)
508 Loop Detected (WebDAV; RFC 5842)
509 Bandwidth Limit Exceeded (Apache bw/limited extension)
510 Not Extended (RFC 2774)
511 Network Authentication Required (RFC 6585)
598 Network read timeout error (Unknown)
599 Network connect timeout error (Unknown)

=== HTTP 1.1 Methods ====================================================

OPTIONS
GET
HEAD
POST
PUT
DELETE
TRACE
CONNECT

=== nmap ================================================================

Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sP: Ping Scan - go no further than determining if host is online
  -PN: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in milliseconds, unless you append 's'
  (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
  --adler32: Use deprecated Adler32 instead of CRC32C for SCTP checksums
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<ript kiddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use twice or more for greater effect)
  -d[level]: Set or increase debugging level (Up to 9 is meaningful)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enables OS detection and Version detection, Script scanning and Traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sP 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -PN -p 80
SEE THE MAN PAGE (https://ift.tt/N7rcIB) FOR MORE OPTIONS AND EXAMPLES

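An added example, not from the cheat sheet or from nmap itself, that expands the -p syntax shown under PORT SPECIFICATION (comma-separated ports, lo-hi ranges, and the U:/T: qualifiers that switch protocol for the elements that follow) into explicit per-protocol port sets. That lets you count the probes a planned scan implies and check the ports against an engagement's allowed list before anything is sent. It goes slightly beyond the help text above by also accepting nmap's S: (SCTP) and P: (IP protocol) qualifiers and the open-ended forms -p- and -p0-. The function names and the sample allow-list are my own.

```python
"""Expand nmap's -p port specification into explicit per-protocol port sets.

Added example (not part of the cheat sheet or of nmap). Parses the -p syntax
from the help text above: lists, lo-hi ranges, and T:/U:/S:/P: qualifiers.
"""
from typing import Dict, List, Set

# Qualifier letters nmap accepts in front of a port-list element. A qualifier
# stays in force for every element that follows it until the next qualifier.
QUALIFIERS = {"T": "tcp", "U": "udp", "S": "sctp", "P": "ip-proto"}
DEFAULT_PROTO = "tcp"   # nmap scans TCP when no qualifier is given


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Return {protocol: set_of_ports} for a spec such as
    "U:53,111,137,T:21-25,80,139,8080".

    An empty range bound means 1 ("-p-" is 1-65535) or 65535; port 0 must be
    written explicitly ("-p0-"). Element forms this parser does not handle
    (for example the "[1-1024]" service-name filter) raise ValueError.
    """
    result: Dict[str, Set[int]] = {}
    proto = DEFAULT_PROTO
    for element in spec.replace(" ", "").split(","):
        if len(element) >= 2 and element[1] == ":":
            proto = QUALIFIERS.get(element[0].upper())
            if proto is None:
                raise ValueError(f"unknown protocol qualifier in {element!r}")
            element = element[2:]
        if not element:
            raise ValueError("empty element in port specification")
        if "-" in element:
            lo_s, hi_s = element.split("-", 1)
            lo = int(lo_s) if lo_s else 1
            hi = int(hi_s) if hi_s else 65535
        else:
            lo = hi = int(element)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {element!r}")
        result.setdefault(proto, set()).update(range(lo, hi + 1))
    return result


def probe_count(spec: str) -> int:
    """Number of (protocol, port) pairs the spec expands to, per target host."""
    return sum(len(ports) for ports in parse_port_spec(spec).values())


def out_of_scope(spec: str, allowed: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Ports the spec would probe that are not on the engagement's allow-list.

    `allowed` maps protocol name to the permitted port set; an empty result
    means the spec stays within scope.
    """
    extra: Dict[str, List[int]] = {}
    for proto, ports in parse_port_spec(spec).items():
        missing = sorted(ports - allowed.get(proto, set()))
        if missing:
            extra[proto] = missing
    return extra


if __name__ == "__main__":
    spec = "U:53,111,137,T:21-25,80,139,8080"   # the example from the help text
    print(parse_port_spec(spec))
    print("probes per host:", probe_count(spec))
    # Constructed allow-list for a hypothetical engagement.
    print("out of scope:", out_of_scope(spec, {"tcp": {22, 80, 8080}, "udp": {53}}))
```

Run it as a script to see the help-text example expanded; the out-of-scope check is the piece worth wiring into a pre-scan review, since it catches a stray range such as 21-25 when only 22 was authorised.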
=== elements of SOA and replies (dig) ===================================

domain.com. 3553 IN SOA ns.domain.com. hostmaster.domain.com. 2012090635 3600 1800 1209600 3600

2012090635 serial
3600 refresh
1800 retry
1209600 expire
3600 minimum

www.domain.com. 3600 IN CNAME server.domain.com.
server.domain.com. 3600 IN A 193.190.130.15

3600 ttl

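The record lines above, parsed in code: an added example that is not part of the cheat sheet, nor of dig or host. It reads dig's presentation-format answer lines, splits the SOA rdata into the fields listed above in the order dig prints them (serial, refresh, retry, expire, minimum), and reproduces what `host -C` does by comparing the serial each authoritative server returns. The replies are constructed inline; ns.domain.com answers with the cheat sheet's records and ns2.domain.com is a hypothetical second server answering with a stale serial.

```python
"""Parse dig-style DNS answer lines and compare SOA serials across servers.

Added example (not part of the cheat sheet or of dig/host). The SOA, CNAME
and A lines below are the ones from the SOA section; the second server and
its older serial are constructed to show the mismatch `host -C` reports.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample replies, keyed by the server that answered.
SAMPLE_REPLIES: Dict[str, List[str]] = {
    "ns.domain.com": [
        "; <<>> DiG <<>> domain.com soa",   # dig comment line, must be skipped
        "domain.com. 3553 IN SOA ns.domain.com. hostmaster.domain.com. "
        "2012090635 3600 1800 1209600 3600",
        "www.domain.com. 3600 IN CNAME server.domain.com.",
        "server.domain.com. 3600 IN A 193.190.130.15",
    ],
    "ns2.domain.com": [   # hypothetical stale secondary
        "domain.com. 3553 IN SOA ns.domain.com. hostmaster.domain.com. "
        "2012090634 3600 1800 1209600 3600",
    ],
}


@dataclass
class Record:
    name: str
    ttl: int
    rclass: str
    rtype: str
    rdata: List[str]


@dataclass
class Soa:
    mname: str      # primary nameserver
    rname: str      # responsible mailbox, with '@' written as '.'
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # negative-caching TTL


def parse_record(line: str) -> Optional[Record]:
    """Parse one presentation-format RR: name ttl class type rdata...

    Returns None for blank lines and dig's ';' comment lines.
    """
    line = line.strip()
    if not line or line.startswith(";"):
        return None
    parts = line.split()
    if len(parts) < 5 or not parts[1].isdigit():
        raise ValueError(f"not a record line: {line!r}")
    name, ttl, rclass, rtype, *rdata = parts
    return Record(name, int(ttl), rclass, rtype, rdata)


def parse_soa(rec: Record) -> Soa:
    """Split SOA rdata into its fields, in the order dig prints them."""
    if rec.rtype != "SOA" or len(rec.rdata) != 7:
        raise ValueError("not a complete SOA record")
    mname, rname, *numbers = rec.rdata
    return Soa(mname, rname, *map(int, numbers))


def soa_serials(replies: Dict[str, List[str]]) -> Dict[str, Optional[int]]:
    """Serial each server returned, or None if it returned no SOA at all."""
    serials: Dict[str, Optional[int]] = {}
    for server, lines in replies.items():
        serials[server] = None
        for line in lines:
            rec = parse_record(line)
            if rec is not None and rec.rtype == "SOA":
                serials[server] = parse_soa(rec).serial
    return serials


def serials_in_sync(replies: Dict[str, List[str]]) -> bool:
    """True only if every server answered with an SOA and all serials match."""
    found = list(soa_serials(replies).values())
    return None not in found and len(set(found)) == 1


if __name__ == "__main__":
    for server, serial in soa_serials(SAMPLE_REPLIES).items():
        print(f"{server}: serial {serial}")
    print("in sync" if serials_in_sync(SAMPLE_REPLIES) else "SERIAL MISMATCH")
```

A server that answers without an SOA counts as a failure rather than being ignored, because a missing SOA from a listed authoritative server is itself a finding worth raising.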
=== host ================================================================

Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]
            [-R number] [-m flag] hostname [server]
  -a is equivalent to -v -t ANY
  -c specifies query class for non-IN data
  -C compares SOA records on authoritative nameservers
  -d is equivalent to -v
  -l lists all hosts in a domain, using AXFR
  -i IP6.INT reverse lookups
  -N changes the number of dots allowed before root lookup is done
  -r disables recursive processing
  -R specifies number of retries for UDP packets
  -s a SERVFAIL response should stop query
  -t specifies the query type
  -T enables TCP/IP mode
  -v enables verbose output
  -w specifies to wait forever for a reply
  -W specifies how long to wait for a reply
  -4 use IPv4 query transport only
  -6 use IPv6 query transport only
  -m set memory debugging flag (trace|record|usage)

=== dig =================================================================

Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
           {global-d-opt} host [@local-server] {local-d-opt}
           [ host [@local-server] {local-d-opt} [...]]
Where: domain is in the Domain Name System
       q-class is one of (in,hs,ch,...) [default: in]
       q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
                (Use ixfr=version for type ixfr)
       q-opt is one of:
           -x dot-notation (shortcut for reverse lookups)
           -i (use IP6.INT for IPv6 reverse lookups)
           -f filename (batch mode)
           -b address[#port] (bind to source address/port)
           -p port (specify port number)
           -q name (specify query name)
           -t type (specify query type)
           -c class (specify query class)
           -k keyfile (specify tsig key file)
           -y [hmac:]name:key (specify named base64 tsig key)
           -4 (use IPv4 query transport only)
           -6 (use IPv6 query transport only)
           -m (enable memory usage debugging)
       d-opt is of the form +keyword[=value], where keyword is:
           +[no]vc (TCP mode)
           +[no]tcp (TCP mode, alternate syntax)
           +time=### (Set query timeout) [5]
           +tries=### (Set number of UDP attempts) [3]
           +retry=### (Set number of UDP retries) [2]
           +domain=### (Set default domainname)
           +bufsize=### (Set EDNS0 Max UDP packet size)
           +ndots=### (Set NDOTS value)
           +edns=### (Set EDNS version)
           +[no]search (Set whether to use searchlist)
           +[no]showsearch (Search with intermediate results)
           +[no]defname (Ditto)
           +[no]recurse (Recursive mode)
           +[no]ignore (Don't revert to TCP for TC responses.)
           +[no]fail (Don't try next server on SERVFAIL)
           +[no]besteffort (Try to parse even illegal messages)
           +[no]aaonly (Set AA flag in query (+[no]aaflag))
           +[no]adflag (Set AD flag in query)
           +[no]cdflag (Set CD flag in query)
           +[no]cl (Control display of class in records)
           +[no]cmd (Control display of command line)
           +[no]comments (Control display of comment lines)
           +[no]question (Control display of question)
           +[no]answer (Control display of answer)
           +[no]authority (Control display of authority)
           +[no]additional (Control display of additional)
           +[no]stats (Control display of statistics)
           +[no]short (Disable everything except short form of answer)
           +[no]ttlid (Control display of ttls in records)
           +[no]all (Set or clear all display flags)
           +[no]qr (Print question before sending)
           +[no]nssearch (Search all authoritative nameservers)
           +[no]identify (ID responders in short answers)
           +[no]trace (Trace delegation down from root)
           +[no]dnssec (Request DNSSEC records)
           +[no]nsid (Request Name Server ID)
           +[no]multiline (Print records in an expanded format)
       global d-opts and servers (before host name) affect all queries.
       local d-opts and servers (after host name) affect only that lookup.
       -h (print help and exit)
       -v (print version and exit)

=== nc ==================================================================

usage: nc [-46DdhklnrtUuvz] [-i interval] [-p source_port]
          [-s source_ip_address] [-w timeout] [-X proxy_version]
          [-x proxy_address[:port]] [hostname] [port[s]]
Command Summary:
  -4 Use IPv4
  -6 Use IPv6
  -D Enable the debug socket option
  -d Detach from stdin
  -h This help text
  -i secs Delay interval for lines sent, ports scanned
  -k Keep inbound sockets open for multiple connects
  -l Listen mode, for inbound connects
  -n Suppress name/port resolutions
  -p port Specify local port for remote connects
  -r Randomize remote ports
  -s addr Local source address
  -t Answer TELNET negotiation
  -U Use UNIX domain socket
  -u UDP mode
  -v Verbose
  -w secs Timeout for connects and final net reads
  -X proto Proxy protocol: "4", "5" (SOCKS) or "connect"
  -x addr[:port] Specify proxy address and port
  -z Zero-I/O mode [used for scanning]
Port numbers can be individual or ranges: lo-hi [inclusive]
