GWAPT (GIAC Web Application Penetration Tester) Certification Cheat Sheet

=== http status codes ===================================================

1xx Informational
100 Continue
101 Switching Protocols
102 Processing (WebDAV; RFC 2518)

2xx Success
200 OK
201 Created
202 Accepted
203 Non-Authoritative Information (since HTTP/1.1)
204 No Content
205 Reset Content
206 Partial Content
207 Multi-Status (WebDAV; RFC 4918)
208 Already Reported (WebDAV; RFC 5842)
226 IM Used (RFC 3229)

3xx Redirection
300 Multiple Choices
301 Moved Permanently
302 Found
303 See Other (since HTTP/1.1)
304 Not Modified
305 Use Proxy (since HTTP/1.1)
306 Switch Proxy
307 Temporary Redirect (since HTTP/1.1)
308 Permanent Redirect (approved as experimental RFC)

4xx Client Error
400 Bad Request
401 Unauthorized
402 Payment Required
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable
407 Proxy Authentication Required
408 Request Timeout
409 Conflict
410 Gone
411 Length Required
412 Precondition Failed
413 Request Entity Too Large
414 Request-URI Too Long
415 Unsupported Media Type
416 Requested Range Not Satisfiable
417 Expectation Failed
418 I'm a teapot (RFC 2324)
420 Enhance Your Calm (Twitter)
422 Unprocessable Entity (WebDAV; RFC 4918)
423 Locked (WebDAV; RFC 4918)
424 Failed Dependency (WebDAV; RFC 4918)
SANS SEC542 (Web App Penetration Testing and Ethical Hacking) chea... https://www.vanimpe.eu/2012/09/23/sans-sec542-web-app-penetration-te...
1 of 7 4/24/2017 3:25 PM
424 Method Failure (WebDAV)
425 Unordered Collection (Internet draft)
426 Upgrade Required (RFC 2817)
428 Precondition Required (RFC 6585)
429 Too Many Requests (RFC 6585)
431 Request Header Fields Too Large (RFC 6585)
444 No Response (Nginx)
449 Retry With (Microsoft)
450 Blocked by Windows Parental Controls (Microsoft)
451 Unavailable For Legal Reasons (Internet draft)
494 Request Header Too Large (Nginx)
495 Cert Error (Nginx)
496 No Cert (Nginx)
497 HTTP to HTTPS (Nginx)
499 Client Closed Request (Nginx)

5xx Server Error
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
505 HTTP Version Not Supported
506 Variant Also Negotiates (RFC 2295)
507 Insufficient Storage (WebDAV; RFC 4918)
508 Loop Detected (WebDAV; RFC 5842)
509 Bandwidth Limit Exceeded (Apache bw/limited extension)
510 Not Extended (RFC 2774)
511 Network Authentication Required (RFC 6585)
598 Network read timeout error (Unknown)
599 Network connect timeout error (Unknown)

=== HTTP 1.1 Methods ====================================================

OPTIONS
GET
HEAD
POST
PUT
DELETE
TRACE
CONNECT

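The status-code classes and the HTTP/1.1 method list above are most useful on the defending side when they are applied to server logs: a client that collects many 4xx responses in a short window, or that sends methods the application never uses (TRACE, PUT, DELETE), is worth a look. The following is an added example, not part of the cheat sheet: it parses a few constructed combined-format access-log lines, buckets responses by status class per client, and reports clients that exceed a 4xx threshold or use unexpected methods. The log lines, the IPs and the `EXPECTED_METHODS` set are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2017:15:25:01 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.5 - - [24/Apr/2017:15:25:02 +0000] "GET /old/ HTTP/1.1" 404 212
10.0.0.5 - - [24/Apr/2017:15:25:02 +0000] "GET /test/ HTTP/1.1" 404 212
10.0.0.5 - - [24/Apr/2017:15:25:03 +0000] "GET /private/ HTTP/1.1" 404 212
10.0.0.5 - - [24/Apr/2017:15:25:03 +0000] "TRACE / HTTP/1.1" 405 180
10.0.0.9 - - [24/Apr/2017:15:25:04 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.9 - - [24/Apr/2017:15:25:05 +0000] "GET /app HTTP/1.1" 500 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Methods this (assumed) application is expected to serve; the other HTTP/1.1
# methods from the list above (OPTIONS, PUT, DELETE, TRACE, CONNECT) get flagged.
EXPECTED_METHODS = {"GET", "HEAD", "POST"}


def status_class(code):
    """Map a numeric status to its class label: 200 -> '2xx', 404 -> '4xx'."""
    if not 100 <= code <= 599:
        raise ValueError(f"status code out of range: {code}")
    return f"{code // 100}xx"


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        yield rec


def summarize(text):
    """Count status classes per client IP, e.g. {'10.0.0.5': Counter({'4xx': 4, '2xx': 1})}."""
    per_ip = defaultdict(Counter)
    for rec in parse_log(text):
        per_ip[rec["ip"]][status_class(rec["status"])] += 1
    return dict(per_ip)


def flag_clients(text, threshold=3):
    """Return client IPs that produced at least `threshold` 4xx responses."""
    return sorted(ip for ip, counts in summarize(text).items()
                  if counts["4xx"] >= threshold)


def unusual_methods(text):
    """Return (ip, method) pairs for requests whose method is outside EXPECTED_METHODS."""
    seen = set()
    for rec in parse_log(text):
        if rec["method"] not in EXPECTED_METHODS:
            seen.add((rec["ip"], rec["method"]))
    return sorted(seen)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("noisy 4xx clients:", flag_clients(SAMPLE_LOG))
    print("unusual methods:", unusual_methods(SAMPLE_LOG))
```

On real logs the threshold should be applied per time window rather than over the whole file, and 405 responses deserve their own count: they show the server refusing a method, which is exactly the evidence you want when deciding whether TRACE and friends are disabled.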
=== nmap ================================================================

Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL : Input from list of hosts/networks
-iR : Choose random targets
--exclude : Exclude hosts/networks
--excludefile : Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-PN: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers : Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags : Customize TCP scan flags
-sI : Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b : FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p : Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports : Scan most common ports
--port-ratio : Scan ports more common than
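The `-p` examples above pack three rules into one string: comma-separated items, inclusive `lo-hi` ranges, and a `T:`/`U:`/`S:` prefix that switches protocol for that item and every item after it until the next prefix. The same `lo-hi` range form is what the nc section further down accepts for port scanning. The parser below is an added example (not nmap's or the cheat sheet's code) that expands such a specification into per-protocol port sets and collapses a set back into the range form; the handling of a bare `-`, `-hi` and `lo-` as open-ended ranges follows nmap's documented behaviour and is assumed here rather than taken from the page.

```python
import re

# One comma-separated item: optional protocol prefix, then port, range, or open range.
ITEM_RE = re.compile(r"^(?:([TUS]):)?(\d*)(?:(-)(\d*))?$")


def parse_port_spec(spec):
    """Expand an nmap -p specification into {'T': set, 'U': set, 'S': set}.

    Rules implemented (nmap semantics, assumed by this example):
      * items are comma separated; 'lo-hi' is an inclusive range;
      * a 'T:', 'U:' or 'S:' prefix selects the protocol for that item and
        every following item until another prefix appears; default is TCP;
      * a bare '-' means 1-65535, '-hi' means 1-hi, 'lo-' means lo-65535.
    """
    if spec.startswith("-p"):          # accept the flag as typed, e.g. '-p22'
        spec = spec[2:]
    ports = {"T": set(), "U": set(), "S": set()}
    proto = "T"
    for item in spec.replace(" ", "").split(","):
        m = ITEM_RE.match(item)
        if m is None or (m.group(2) == "" and m.group(3) is None):
            raise ValueError(f"bad port item: {item!r}")
        prefix, lo, dash, hi = m.groups()
        if prefix:
            proto = prefix                 # sticky until the next prefix
        if dash is None:
            low = high = int(lo)
        else:
            low = int(lo) if lo else 1
            high = int(hi) if hi else 65535
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {item!r}")
        ports[proto].update(range(low, high + 1))
    return ports


def compress_ranges(portset):
    """Render a set of ports as 'lo-hi,...' (the inclusive lo-hi form nc accepts)."""
    out = []
    run_start = prev = None
    for p in sorted(portset):
        if run_start is None:
            run_start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            out.append(f"{run_start}-{prev}" if run_start != prev else str(run_start))
            run_start = prev = p
    if run_start is not None:
        out.append(f"{run_start}-{prev}" if run_start != prev else str(run_start))
    return ",".join(out)


if __name__ == "__main__":
    parsed = parse_port_spec("U:53,111,137,T:21-25,80,139,8080")
    for proto, name in (("T", "tcp"), ("U", "udp"), ("S", "sctp")):
        print(name, compress_ranges(parsed[proto]) or "(none)")
```

A parser like this is handy when reconciling an authorised scan scope against what a scanner actually probed, since the expanded sets can be compared directly instead of eyeballing two differently written specifications.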
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity : Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=: is a comma separated list of
directories, script-files or script-categories
--script-args=: provide arguments to scripts
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take a time value are in milliseconds, unless you append 's'
(seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup : Parallel host scan group sizes
--min-parallelism/max-parallelism : Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout : Specifies
probe round trip time.
--max-retries : Caps number of port scan probe retransmissions.
--host-timeout : Give up on target after this long
--scan-delay/--max-scan-delay : Adjust delay between probes
--min-rate : Send packets no slower than per second
--max-rate : Send packets no faster than per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu : fragment packets (optionally w/given MTU)
-D : Cloak a scan with decoys
-S : Spoof source address
-e : Use specified interface
-g/--source-port : Use given port number
--data-length : Append random data to sent packets
--ip-options : Send packets with specified ip options
--ttl : Set IP time-to-live field
--spoof-mac : Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
--adler32: Use deprecated Adler32 instead of CRC32C for SCTP checksums
OUTPUT:
-oN/-oX/-oS/-oG : Output scan in normal, XML, s|<ript kiddi3, and Grepable format,
respectively, to the given filename.
-oA : Output in the 3 major formats at once
-v: Increase verbosity level (use twice or more for greater effect)
-d[level]: Set or increase debugging level (Up to 9 is meaningful)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
--resume : Resume an aborted scan
--stylesheet : XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enables OS detection and Version detection, Script scanning and
Traceroute
--datadir : Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sP 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -PN -p 80
SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND
EXAMPLES

=== elements of SOA and replies (dig) ===============================================
domain.com. 3553 IN SOA ns.domain.com. hostmaster.domain.com. 2012090635 3600 1800 1209600 3600

2012090635 serial
3600 refresh
1800 retry
1209600 expire
3600 minimum

www.domain.com. 3600 IN CNAME server.domain.com.
server.domain.com. 3600 IN A 193.190.130.15

3600 ttl

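The SOA breakdown above (serial, refresh, retry, expire, minimum) is exactly what a reviewer checks when auditing a zone: the timers have to be mutually consistent or secondaries misbehave, the serial is easier to audit when it is date-encoded, and, as the `host -C` option further down notes, the serial should agree across all authoritative servers. The code below is an added example, not part of the cheat sheet: it parses the page's dig-style SOA answer, decodes the RNAME into a contact address, interprets a YYYYMMDDnn serial, applies the RFC 1912 ordering rules (retry shorter than refresh; expire longer than refresh plus retry), and compares serials from several answers. The zone name is the page's placeholder `domain.com`; the lagging-serial line in the usage is constructed.

```python
import re
from datetime import date

# SOA answer from the cheat sheet's dig example (domain.com is a placeholder zone).
SOA_LINE = ("domain.com. 3553 IN SOA ns.domain.com. hostmaster.domain.com. "
            "2012090635 3600 1800 1209600 3600")

SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)
INT_FIELDS = ("ttl", "serial", "refresh", "retry", "expire", "minimum")


def parse_soa(line):
    """Split a dig-style SOA answer line into its named fields (numbers as ints)."""
    m = SOA_RE.match(line.strip())
    if m is None:
        raise ValueError("not a dig-style SOA answer line")
    rec = m.groupdict()
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    return rec


def rname_to_email(rname):
    """hostmaster.domain.com. -> hostmaster@domain.com (first dot separates the mailbox)."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"


def serial_date(serial):
    """Decode a YYYYMMDDnn serial into (date, revision); None if it is not date-encoded."""
    s = str(serial)
    if len(s) != 10:
        return None
    try:
        return date(int(s[:4]), int(s[4:6]), int(s[6:8])), int(s[8:])
    except ValueError:
        return None


def check_soa(rec):
    """Return sanity findings for the SOA timers; an empty list means they are coherent."""
    findings = []
    if rec["retry"] >= rec["refresh"]:
        findings.append("retry should be shorter than refresh")
    if rec["expire"] <= rec["refresh"] + rec["retry"]:
        findings.append("expire must exceed refresh + retry, or secondaries can drop the zone before retrying")
    if serial_date(rec["serial"]) is None:
        findings.append("serial is not in YYYYMMDDnn form (allowed, but harder to audit)")
    return findings


def compare_serials(lines):
    """Set of serials seen across several SOA answers (what host -C compares); one value means in sync."""
    return {parse_soa(line)["serial"] for line in lines}


if __name__ == "__main__":
    rec = parse_soa(SOA_LINE)
    print(rec["owner"], "contact:", rname_to_email(rec["rname"]),
          "serial:", serial_date(rec["serial"]))
    print("findings:", check_soa(rec) or "none")
    # Constructed second answer with a lagging serial, as an out-of-sync secondary would return.
    lagging = SOA_LINE.replace("2012090635", "2012090634")
    print("serials across servers:", compare_serials([SOA_LINE, lagging]))
```

For the record on the page the checks pass: retry (1800) is below refresh (3600), expire (1209600) is far above their sum, and the serial decodes to 2012-09-06, revision 35.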
=== host ================================================================

Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]
[-R number] [-m flag] hostname [server]
-a is equivalent to -v -t ANY
-c specifies query class for non-IN data
-C compares SOA records on authoritative nameservers
-d is equivalent to -v
-l lists all hosts in a domain, using AXFR
-i IP6.INT reverse lookups
-N changes the number of dots allowed before root lookup is done
-r disables recursive processing
-R specifies number of retries for UDP packets
-s a SERVFAIL response should stop query
-t specifies the query type
-T enables TCP/IP mode
-v enables verbose output
-w specifies to wait forever for a reply
-W specifies how long to wait for a reply
-4 use IPv4 query transport only
-6 use IPv6 query transport only
-m set memory debugging flag (trace|record|usage)

=== dig =================================================================

Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
{global-d-opt} host [@local-server] {local-d-opt}
[ host [@local-server] {local-d-opt} [...]]
Where: domain is in the Domain Name System
q-class is one of (in,hs,ch,...) [default: in]
q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
(Use ixfr=version for type ixfr)
q-opt is one of:
-x dot-notation (shortcut for reverse lookups)
-i (use IP6.INT for IPv6 reverse lookups)
-f filename (batch mode)
-b address[#port] (bind to source address/port)
-p port (specify port number)
-q name (specify query name)
-t type (specify query type)
-c class (specify query class)
-k keyfile (specify tsig key file)
-y [hmac:]name:key (specify named base64 tsig key)
-4 (use IPv4 query transport only)
-6 (use IPv6 query transport only)
-m (enable memory usage debugging)
d-opt is of the form +keyword[=value], where keyword is:
+[no]vc (TCP mode)
+[no]tcp (TCP mode, alternate syntax)
+time=### (Set query timeout) [5]
+tries=### (Set number of UDP attempts) [3]
+retry=### (Set number of UDP retries) [2]
+domain=### (Set default domainname)
+bufsize=### (Set EDNS0 Max UDP packet size)
+ndots=### (Set NDOTS value)
+edns=### (Set EDNS version)
+[no]search (Set whether to use searchlist)
+[no]showsearch (Search with intermediate results)
+[no]defname (Ditto)
+[no]recurse (Recursive mode)
+[no]ignore (Don't revert to TCP for TC responses.)
+[no]fail (Don't try next server on SERVFAIL)
+[no]besteffort (Try to parse even illegal messages)
+[no]aaonly (Set AA flag in query (+[no]aaflag))
+[no]adflag (Set AD flag in query)
+[no]cdflag (Set CD flag in query)
+[no]cl (Control display of class in records)
+[no]cmd (Control display of command line)
+[no]comments (Control display of comment lines)
+[no]question (Control display of question)
+[no]answer (Control display of answer)
+[no]authority (Control display of authority)
+[no]additional (Control display of additional)
+[no]stats (Control display of statistics)
+[no]short (Disable everything except short form of answer)
+[no]ttlid (Control display of ttls in records)
+[no]all (Set or clear all display flags)
+[no]qr (Print query before sending)
+[no]nssearch (Search all authoritative nameservers)
+[no]identify (ID responders in short answers)
+[no]trace (Trace delegation down from root)
+[no]dnssec (Request DNSSEC records)
+[no]nsid (Request Name Server ID)
+[no]multiline (Print records in an expanded format)
global d-opts and servers (before host name) affect all queries.
local d-opts and servers (after host name) affect only that lookup.
-h (print help and exit)
-v (print version and exit)

=== nc ==================================================================

usage: nc [-46DdhklnrtUuvz] [-i interval] [-p source_port]
[-s source_ip_address] [-w timeout] [-X proxy_version]
[-x proxy_address[:port]] [hostname] [port[s]]
Command Summary:
-4 Use IPv4
-6 Use IPv6
-D Enable the debug socket option
-d Detach from stdin
-h This help text
-i secs Delay interval for lines sent, ports scanned
-k Keep inbound sockets open for multiple connects
-l Listen mode, for inbound connects
-n Suppress name/port resolutions
-p port Specify local port for remote connects
-r Randomize remote ports
-s addr Local source address
-t Answer TELNET negotiation
-U Use UNIX domain socket
-u UDP mode
-v Verbose
-w secs Timeout for connects and final net reads
-X proto Proxy protocol: "4", "5" (SOCKS) or "connect"
-x addr[:port] Specify proxy address and port
-z Zero-I/O mode [used for scanning]
Port numbers can be individual or ranges: lo-hi [inclusive]