mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
82 KiB
82 KiB
Table of contents
👾 Welcome!
🤩 Generic Methodologies & Resources
- Pentesting Methodology
- External Recon Methodology
- Pentesting Network
- Pentesting Wifi
- Phishing Methodology
- Basic Forensic Methodology
- Brute Force - CheatSheet
- Python Sandbox Escape & Pyscript
- Exfiltration
- Tunneling and Port Forwarding
- Threat Modeling
- Search Exploits
- Reverse Shells (Linux, Windows, MSFVenom)
🐧 Linux Hardening
- Checklist - Linux Privilege Escalation
- Linux Privilege Escalation
- Arbitrary File Write to Root
- Cisco - vmanage
- Containerd (ctr) Privilege Escalation
- D-Bus Enumeration & Command Injection Privilege Escalation
- Docker Security
- Escaping from Jails
- euid, ruid, suid
- Interesting Groups - Linux Privesc
- Logstash
- ld.so privesc exploit example
- Linux Active Directory
- Linux Capabilities
- NFS no_root_squash/no_all_squash misconfiguration PE
- Node inspector/CEF debug abuse
- Payloads to execute
- RunC Privilege Escalation
- SELinux
- Socket Command Injection
- Splunk LPE and Persistence
- SSH Forward Agent exploitation
- Wildcards Spare tricks
- Useful Linux Commands
- Bypass Linux Restrictions
- Linux Environment Variables
- Linux Post-Exploitation
- FreeIPA Pentesting
🍏 MacOS Hardening
- macOS Security & Privilege Escalation
- macOS Apps - Inspecting, debugging and Fuzzing
- macOS AppleFS
- macOS Bypassing Firewalls
- macOS Defensive Apps
- macOS GCD - Grand Central Dispatch
- macOS Kernel & System Extensions
- macOS Network Services & Protocols
- macOS File Extension & URL scheme app handlers
- macOS Files, Folders, Binaries & Memory
- macOS Objective-C
- macOS Privilege Escalation
- macOS Process Abuse
- macOS Dirty NIB
- macOS Chromium Injection
- macOS Electron Applications Injection
- macOS Function Hooking
- macOS IPC - Inter Process Communication
- macOS Java Applications Injection
- macOS Library Injection
- macOS Perl Applications Injection
- macOS Python Applications Injection
- macOS Ruby Applications Injection
- macOS .Net Applications Injection
- macOS Security Protections
- macOS Gatekeeper / Quarantine / XProtect
- macOS Launch/Environment Constraints & Trust Cache
- macOS Sandbox
- macOS Authorizations DB & Authd
- macOS SIP
- macOS TCC
- macOS Dangerous Entitlements & TCC perms
- macOS - AMFI - AppleMobileFileIntegrity
- macOS MACF - Mandatory Access Control Framework
- macOS Code Signing
- macOS FS Tricks
- macOS Users & External Accounts
- macOS Red Teaming
- macOS Useful Commands
- macOS Auto Start
🪟 Windows Hardening
- Checklist - Local Windows Privilege Escalation
- Windows Local Privilege Escalation
- Abusing Tokens
- Access Tokens
- ACLs - DACLs/SACLs/ACEs
- AppendData/AddSubdirectory permission over service registry
- Create MSI with WIX
- COM Hijacking
- Dll Hijacking
- DPAPI - Extracting Passwords
- From High Integrity to SYSTEM with Name Pipes
- Integrity Levels
- JuicyPotato
- Leaked Handle Exploitation
- MSI Wrapper
- Named Pipe Client Impersonation
- Privilege Escalation with Autoruns
- RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
- SeDebug + SeImpersonate copy token
- SeImpersonate from High To System
- Windows C Payloads
- Active Directory Methodology
- Abusing Active Directory ACLs/ACEs
- AD Certificates
- AD information in printers
- AD DNS Records
- ASREPRoast
- BloodHound & Other AD Enum Tools
- Constrained Delegation
- Custom SSP
- DCShadow
- DCSync
- Diamond Ticket
- DSRM Credentials
- External Forest Domain - OneWay (Inbound) or bidirectional
- External Forest Domain - One-Way (Outbound)
- Golden Ticket
- Kerberoast
- Kerberos Authentication
- Kerberos Double Hop Problem
- LAPS
- MSSQL AD Abuse
- Over Pass the Hash/Pass the Key
- Pass the Ticket
- Password Spraying / Brute Force
- PrintNightmare
- Force NTLM Privileged Authentication
- Privileged Groups
- RDP Sessions Abuse
- Resource-based Constrained Delegation
- Security Descriptors
- SID-History Injection
- Silver Ticket
- Skeleton Key
- Unconstrained Delegation
- Windows Security Controls
- NTLM
- Lateral Movement
- Pivoting to the Cloud
- Stealing Windows Credentials
- Basic Win CMD for Pentesters
- Basic PowerShell for Pentesters
- Antivirus (AV) Bypass
📱 Mobile Pentesting
- Android APK Checklist
- Android Applications Pentesting
- Android Applications Basics
- Android Task Hijacking
- ADB Commands
- APK decompilers
- AVD - Android Virtual Device
- Bypass Biometric Authentication (Android)
- content:// protocol
- Drozer Tutorial
- Exploiting a debuggeable application
- Frida Tutorial
- Google CTF 2018 - Shall We Play a Game?
- Install Burp Certificate
- Intent Injection
- Make APK Accept CA Certificate
- Manual DeObfuscation
- React Native Application
- Reversing Native Libraries
- Smali - Decompiling/[Modifying]/Compiling
- Spoofing your location in Play Store
- Tapjacking
- Webview Attacks
- iOS Pentesting Checklist
- iOS Pentesting
- iOS App Extensions
- iOS Basics
- iOS Basic Testing Operations
- iOS Burp Suite Configuration
- iOS Custom URI Handlers / Deeplinks / Custom Schemes
- iOS Extracting Entitlements From Compiled Application
- iOS Frida Configuration
- iOS Hooking With Objection
- iOS Protocol Handlers
- iOS Serialisation and Encoding
- iOS Testing Environment
- iOS UIActivity Sharing
- iOS Universal Links
- iOS UIPasteboard
- iOS WebViews
- Cordova Apps
- Xamarin Apps
👽 Network Services Pentesting
- Pentesting JDWP - Java Debug Wire Protocol
- Pentesting Printers
- Pentesting SAP
- Pentesting VoIP
- Pentesting Remote GdbServer
- 7/tcp/udp - Pentesting Echo
- 21 - Pentesting FTP
- 22 - Pentesting SSH/SFTP
- 23 - Pentesting Telnet
- 25,465,587 - Pentesting SMTP/s
- 43 - Pentesting WHOIS
- 49 - Pentesting TACACS+
- 53 - Pentesting DNS
- 69/UDP TFTP/Bittorrent-tracker
- 79 - Pentesting Finger
- 80,443 - Pentesting Web Methodology
- 403 & 401 Bypasses
- AEM - Adobe Experience Cloud
- Angular
- Apache
- Artifactory Hacking guide
- Bolt CMS
- Buckets
- CGI
- DotNetNuke (DNN)
- Drupal
- Electron Desktop Apps
- Flask
- NodeJS Express
- Git
- Golang
- GWT - Google Web Toolkit
- Grafana
- GraphQL
- H2 - Java SQL database
- IIS - Internet Information Services
- ImageMagick Security
- JBOSS
- Jira & Confluence
- Joomla
- JSP
- Laravel
- Moodle
- Nginx
- NextJS
- PHP Tricks
- PHP - Useful Functions & disable_functions/open_basedir bypass
- disable_functions bypass - php-fpm/FastCGI
- disable_functions bypass - dl function
- disable_functions bypass - PHP 7.0-7.4 (*nix only)
- disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
- disable_functions - PHP 5.x Shellshock Exploit
- disable_functions - PHP 5.2.4 ionCube extension Exploit
- disable_functions bypass - PHP <= 5.2.9 on windows
- disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
- disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
- disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
- disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
- disable_functions bypass - PHP 5.2 - FOpen Exploit
- disable_functions bypass - via mem
- disable_functions bypass - mod_cgi
- disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
- PHP - RCE abusing object creation: new $_GET["a"]($_GET["b"])
- PHP SSRF
- PHP - Useful Functions & disable_functions/open_basedir bypass
- PrestaShop
- Python
- Rocket Chat
- Special HTTP headers
- Source code Review / SAST Tools
- Spring Actuators
- Symfony
- Tomcat
- Uncovering CloudFlare
- VMWare (ESX, VCenter...)
- Web API Pentesting
- WebDav
- Werkzeug / Flask Debug
- Wordpress
- 88tcp/udp - Pentesting Kerberos
- 110,995 - Pentesting POP
- 111/TCP/UDP - Pentesting Portmapper
- 113 - Pentesting Ident
- 123/udp - Pentesting NTP
- 135, 593 - Pentesting MSRPC
- 137,138,139 - Pentesting NetBios
- 139,445 - Pentesting SMB
- 143,993 - Pentesting IMAP
- 161,162,10161,10162/udp - Pentesting SNMP
- 194,6667,6660-7000 - Pentesting IRC
- 264 - Pentesting Check Point FireWall-1
- 389, 636, 3268, 3269 - Pentesting LDAP
- 500/udp - Pentesting IPsec/IKE VPN
- 502 - Pentesting Modbus
- 512 - Pentesting Rexec
- 513 - Pentesting Rlogin
- 514 - Pentesting Rsh
- 515 - Pentesting Line Printer Daemon (LPD)
- 548 - Pentesting Apple Filing Protocol (AFP)
- 554,8554 - Pentesting RTSP
- 623/UDP/TCP - IPMI
- 631 - Internet Printing Protocol(IPP)
- 700 - Pentesting EPP
- 873 - Pentesting Rsync
- 1026 - Pentesting Rusersd
- 1080 - Pentesting Socks
- 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
- 1414 - Pentesting IBM MQ
- 1433 - Pentesting MSSQL - Microsoft SQL Server
- 1521,1522-1529 - Pentesting Oracle TNS Listener
- 1723 - Pentesting PPTP
- 1883 - Pentesting MQTT (Mosquitto)
- 2049 - Pentesting NFS Service
- 2301,2381 - Pentesting Compaq/HP Insight Manager
- 2375, 2376 Pentesting Docker
- 3128 - Pentesting Squid
- 3260 - Pentesting ISCSI
- 3299 - Pentesting SAPRouter
- 3306 - Pentesting Mysql
- 3389 - Pentesting RDP
- 3632 - Pentesting distcc
- 3690 - Pentesting Subversion (svn server)
- 3702/UDP - Pentesting WS-Discovery
- 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
- 4786 - Cisco Smart Install
- 4840 - OPC Unified Architecture
- 5000 - Pentesting Docker Registry
- 5353/UDP Multicast DNS (mDNS) and DNS-SD
- 5432,5433 - Pentesting Postgresql
- 5439 - Pentesting Redshift
- 5555 - Android Debug Bridge
- 5601 - Pentesting Kibana
- 5671,5672 - Pentesting AMQP
- 5800,5801,5900,5901 - Pentesting VNC
- 5984,6984 - Pentesting CouchDB
- 5985,5986 - Pentesting WinRM
- 5985,5986 - Pentesting OMI
- 6000 - Pentesting X11
- 6379 - Pentesting Redis
- 8009 - Pentesting Apache JServ Protocol (AJP)
- 8086 - Pentesting InfluxDB
- 8089 - Pentesting Splunkd
- 8333,18333,38333,18444 - Pentesting Bitcoin
- 9000 - Pentesting FastCGI
- 9001 - Pentesting HSQLDB
- 9042/9160 - Pentesting Cassandra
- 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
- 9200 - Pentesting Elasticsearch
- 10000 - Pentesting Network Data Management Protocol (ndmp)
- 11211 - Pentesting Memcache
- 15672 - Pentesting RabbitMQ Management
- 24007,24008,24009,49152 - Pentesting GlusterFS
- 27017,27018 - Pentesting MongoDB
- 44134 - Pentesting Tiller (Helm)
- 44818/UDP/TCP - Pentesting EthernetIP
- 47808/udp - Pentesting BACNet
- 50030,50060,50070,50075,50090 - Pentesting Hadoop
🕸️ Pentesting Web
- Web Vulnerabilities Methodology
- Reflecting Techniques - PoCs and Polygloths CheatSheet
- 2FA/MFA/OTP Bypass
- Account Takeover
- Browser Extension Pentesting Methodology
- Bypass Payment Process
- Captcha Bypass
- Cache Poisoning and Cache Deception
- Clickjacking
- Client Side Template Injection (CSTI)
- Client Side Path Traversal
- Command Injection
- Content Security Policy (CSP) Bypass
- Cookies Hacking
- CORS - Misconfigurations & Bypass
- CRLF (%0D%0A) Injection
- CSRF (Cross Site Request Forgery)
- Dangling Markup - HTML scriptless injection
- Dependency Confusion
- Deserialization
- NodeJS - __proto__ & prototype Pollution
- Java JSF ViewState (.faces) Deserialization
- Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
- Basic Java Deserialization (ObjectInputStream, readObject)
- PHP - Deserialization + Autoload Classes
- CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
- Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
- Exploiting __VIEWSTATE knowing the secrets
- Exploiting __VIEWSTATE without knowing the secrets
- Python Yaml Deserialization
- JNDI - Java Naming and Directory Interface & Log4Shell
- Domain/Subdomain takeover
- Email Injections
- File Inclusion/Path traversal
- File Upload
- Formula/CSV/Doc/LaTeX/GhostScript Injection
- gRPC-Web Pentest
- HTTP Connection Contamination
- HTTP Connection Request Smuggling
- HTTP Request Smuggling / HTTP Desync Attack
- HTTP Response Smuggling / Desync
- Upgrade Header Smuggling
- hop-by-hop headers
- IDOR
- JWT Vulnerabilities (Json Web Tokens)
- LDAP Injection
- Login Bypass
- NoSQL injection
- OAuth to Account takeover
- Open Redirect
- ORM Injection
- Parameter Pollution
- Phone Number Injections
- PostMessage Vulnerabilities
- Proxy / WAF Protections Bypass
- Race Condition
- Rate Limit Bypass
- Registration & Takeover Vulnerabilities
- Regular expression Denial of Service - ReDoS
- Reset/Forgotten Password Bypass
- Reverse Tab Nabbing
- SAML Attacks
- Server Side Inclusion/Edge Side Inclusion Injection
- SQL Injection
- SSRF (Server Side Request Forgery)
- SSTI (Server Side Template Injection)
- Timing Attacks
- Unicode Injection
- UUID Insecurities
- WebSocket Attacks
- Web Tool - WFuzz
- XPATH injection
- XSLT Server Side Injection (Extensible Stylesheet Language Transformations)
- XXE - XEE - XML External Entity
- XSS (Cross Site Scripting)
- Abusing Service Workers
- Chrome Cache to XSS
- Debugging Client Side JS
- Dom Clobbering
- DOM Invader
- DOM XSS
- Iframes in XSS, CSP and SOP
- Integer Overflow
- JS Hoisting
- Misc JS Tricks & Relevant Info
- PDF Injection
- Server Side XSS (Dynamic PDF)
- Shadow DOM
- SOME - Same Origin Method Execution
- Sniff Leak
- Steal Info JS
- XSS in Markdown
- XSSI (Cross-Site Script Inclusion)
- XS-Search/XS-Leaks
- Iframe Traps
⛈️ Cloud Security
- Pentesting Kubernetes
- Pentesting Cloud (AWS, GCP, Az...)
- Pentesting CI/CD (Github, Jenkins, Terraform...)
😎 Hardware/Physical Access
🎯 Binary Exploitation
- Basic Stack Binary Exploitation Methodology
- Stack Overflow
- ROP - Return Oriented Programing
- Array Indexing
- Integer Overflow
- Format Strings
- Libc Heap
- Bins & Memory Allocations
- Heap Memory Functions
- Use After Free
- Double Free
- Overwriting a freed chunk
- Heap Overflow
- Unlink Attack
- Fast Bin Attack
- Unsorted Bin Attack
- Large Bin Attack
- Tcache Bin Attack
- Off by one overflow
- House of Spirit
- House of Lore | Small bin Attack
- House of Einherjar
- House of Force
- House of Orange
- House of Rabbit
- House of Roman
- Common Binary Exploitation Protections & Bypasses
- Write What Where 2 Exec
- Common Exploiting Problems
- Windows Exploiting (Basic Guide - OSCP lvl)
🔩 Reversing
🔮 Crypto & Stego
- Cryptographic/Compression Algorithms
- Certificates
- Cipher Block Chaining CBC-MAC
- Crypto CTFs Tricks
- Electronic Code Book (ECB)
- Hash Length Extension Attack
- Padding Oracle
- RC4 - Encrypt&Decrypt
- Stego Tricks
- Esoteric languages
- Blockchain & Crypto Currencies
🦂 C2
✍️ TODO
- Other Big References
- Rust Basics
- More Tools
- MISC
- Pentesting DNS
- Hardware Hacking
- Industrial Control Systems Hacking
- Radio Hacking
- Industrial Control Systems Hacking
- Test LLMs
- LLM Training
- Burp Suite
- Other Web Tricks
- Interesting HTTP
- Android Forensics
- TR-069
- 6881/udp - Pentesting BitTorrent
- Online Platforms with API
- Stealing Sensitive Information Disclosure from a Web
- Post Exploitation
- Investment Terms
- Cookies Policy