Day 02 Scanning

Scanning, Enumeration, and Vulnerability Analysis

Nmap, Masscan, Nikto, and enum4linux — systematic discovery of services, versions, and the exposure that turns a scan into a prioritized attack plan.

~1 hour Intermediate Hands-on Precision AI Academy

01 Burp Suite Fundamentals

Burp Suite intercepts HTTP/HTTPS traffic between your browser and the target. The Proxy tab captures requests you can modify and replay. The Repeater sends manual requests. The Scanner (Pro) automates vulnerability detection. The Intruder runs fuzzing attacks. Set your browser to use Burp as a proxy (127.0.0.1:8080) and install the Burp CA certificate to inspect HTTPS.

02 SQL Injection

SQL injection exploits improper input sanitization to manipulate database queries. Test for it by injecting a single quote (') and observing errors. SQLmap automates detection and exploitation — it can dump databases, bypass authentication, and even get a shell if the DB user has FILE privileges. OWASP's DVWA and WebGoat provide safe practice targets.

03 Cross-Site Scripting (XSS)

XSS injects malicious scripts into pages viewed by other users. Reflected XSS returns your payload in the same request. Stored XSS persists in the database and affects every user who visits the page. DOM-based XSS manipulates client-side JavaScript. XSS can steal session cookies, redirect users, and perform actions on their behalf.

```bash
# SQLmap basic usage
sqlmap -u 'http://192.168.1.100/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit' \
  --cookie='PHPSESSID=abc123; security=low' \
  --dbs

# SQLmap dump a specific table
sqlmap -u '[url]' --cookie='[cookie]' -D dvwa -T users --dump

# XSS test payload
# <script>alert('XSS')</script>
# <img src=x onerror=alert(1)>

# Burp Suite CLI scanner (Pro)
java -jar burpsuite_pro.jar --project-file=scan.burp

# OWASP ZAP CLI alternative (free)
zap-cli --zap-path /usr/share/zaproxy quick-scan \
  --self-contained --start-options '-config api.disablekey=true' \
  http://192.168.1.100
```
💡 Always test SQLi with manual confirmation before running SQLmap — automated tools can be noisy and trigger WAFs. A single quote and Boolean-based tests tell you if injection is viable.
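The single-quote and Boolean-based checks described in the SQL injection section and the tip above, run against a lookup built by string concatenation and against its parameterized fix. This is an added example, not code from DVWA or sqlmap; the users table and its rows are constructed here, and `make_db`, `lookup_vulnerable`, `lookup_safe` and `probe` are names chosen for the example.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for DVWA's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, first_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "gordonb"), (3, "1337")])
    return conn

def lookup_vulnerable(conn, user_id: str):
    # Input is pasted straight into the statement text, so the database
    # parses whatever the user sent as SQL (the DVWA "low" pattern).
    sql = f"SELECT first_name FROM users WHERE id = {user_id}"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, user_id: str):
    # Parameter binding: the driver passes the value separately from the
    # statement, so it is compared as data and never parsed as SQL.
    sql = "SELECT first_name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]

def probe(lookup, conn) -> dict:
    """The lesson's two manual checks, applied to one lookup function.

    error_on_quote: a lone single quote breaks the statement's syntax
      only when input reaches the SQL parser.
    boolean_differs: "1 AND 1=1" vs "1 AND 1=2" return different rows
      only when the database evaluated the injected condition.
    """
    try:
        lookup(conn, "'")
        error_on_quote = False
    except sqlite3.OperationalError:
        error_on_quote = True
    true_case = lookup(conn, "1 AND 1=1")
    false_case = lookup(conn, "1 AND 1=2")
    return {"error_on_quote": error_on_quote,
            "boolean_differs": true_case != false_case}

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(lookup_vulnerable, db))  # both True
    print("safe:      ", probe(lookup_safe, db))        # both False
```

Both probes come back negative against the parameterized version while a plain numeric id still resolves, which is the behaviour to confirm after fixing a finding.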
📝 Day 2 Exercise
Find SQLi and XSS in DVWA
  1. Set up DVWA in your Metasploitable VM or as a standalone Docker container
  2. Configure Burp Suite as your browser proxy and capture a login request
  3. Test the DVWA SQL injection page manually with a single quote payload
  4. Run SQLmap against the vulnerable URL and dump the users table
  5. Find the stored XSS vulnerability in DVWA and inject a persistent alert payload

Day 2 Summary

Challenge

Complete the OWASP WebGoat SQL Injection module and the XSS module. Screenshot all successful exploits and write a 2-sentence finding for each.

What's Next

The foundations from today carry directly into Day 3. In the next session the focus shifts to Exploitation with Metasploit — building directly on everything covered here.

Day 2 Checkpoint

Before moving on, verify you can answer these without looking:

  • What is the core concept introduced in this lesson, and why does it matter?
  • What are the two or three most common mistakes practitioners make with this topic?
  • Can you explain the key code pattern from this lesson to a colleague in plain language?
  • What would break first if you skipped the safeguards or best practices described here?
  • How does today's topic connect to what comes in Day 3?

Live Bootcamp

Learn this in person — 2 days, 5 cities

Thu–Fri sessions in Denver, Los Angeles, New York, Chicago, and Dallas. $1,490 per seat. June–October 2026.
