mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 22:52:06 +00:00
40 KiB
40 KiB
Table of contents
- HackTricks
- About the author
- Getting Started in Hacking
- Pentesting Methodology
- External Recon Methodology
- Phishing Methodology
- Exfiltration
- Tunneling and Port Forwarding
- Brute Force - CheatSheet
- Search Exploits
Shells
Linux/Unix
- Checklist - Linux Privilege Escalation
- Linux Privilege Escalation
- Logstash
- AppArmor
- Containerd
ctr
Privilege Escalation - Docker Breakout
- electron/CEF/chromium debugger abuse
- Escaping from Jails
- Cisco - vmanage
- D-Bus Enumeration & Command Injection Privilege Escalation
- Interesting Groups - Linux PE
- ld.so exploit example
- Linux Capabilities
- NFS no_root_squash/no_all_squash misconfiguration PE
- Payloads to execute
- RunC Privilege Escalation
- Seccomp
- Splunk LPE and Persistence
- SSH Forward Agent exploitation
- Socket Command Injection
- Wildcards Spare tricks
- Useful Linux Commands
- Linux Environment Variables
Windows
- Checklist - Local Windows Privilege Escalation
- Windows Local Privilege Escalation
- AppendData/AddSubdirectory permission over service registry
- Create MSI with WIX
- DPAPI - Extracting Passwords
- SeImpersonate from High To System
- Access Tokens
- ACLs - DACLs/SACLs/ACEs
- Dll Hijacking
- From High Integrity to SYSTEM with Name Pipes
- Integrity Levels
- JAWS
- JuicyPotato
- Leaked Handle Exploitation
- MSI Wrapper
- Named Pipe Client Impersonation
- PowerUp
- Privilege Escalation Abusing Tokens
- Privilege Escalation with Autoruns
- RottenPotato
- Seatbelt
- SeDebug + SeImpersonate copy token
- Windows C Payloads
- Active Directory Methodology
- Abusing Active Directory ACLs/ACEs
- AD information in printers
- ASREPRoast
- BloodHound
- Constrained Delegation
- Custom SSP
- DCShadow
- DCSync
- DSRM Credentials
- Golden Ticket
- Kerberos Authentication
- Kerberoast
- MSSQL Trusted Links
- Over Pass the Hash/Pass the Key
- Pass the Ticket
- Password Spraying
- Force NTLM Privileged Authentication
- Privileged Accounts and Token Privileges
- Resource-based Constrained Delegation
- Security Descriptors
- Silver Ticket
- Skeleton Key
- Unconstrained Delegation
- NTLM
- Stealing Credentials
- Authentication, Credentials, UAC and EFS
- Basic CMD for Pentesters
- Basic PowerShell for Pentesters
- AV Bypass
Mobile Apps Pentesting
- Android APK Checklist
- Android Applications Pentesting
- Android Applications Basics
- ADB Commands
- APK decompilers
- AVD - Android Virtual Device
- Burp Suite Configuration for Android
- content:// protocol
- Drozer Tutorial
- Exploiting a debuggeable applciation
- Frida Tutorial
- Google CTF 2018 - Shall We Play a Game?
- Make APK Accept CA Certificate
- Manual DeObfuscation
- React Native Application
- Reversing Native Libraries
- Smali - Decompiling/[Modifying]/Compiling
- Spoofing your location in Play Store
- Webview Attacks
- iOS Pentesting Checklist
- iOS Pentesting
- Basic iOS Testing Operations
- Burp Suite Configuration for iOS
- Extracting Entitlements From Compiled Application
- Frida Configuration in iOS
- iOS App Extensions
- iOS Basics
- iOS Custom URI Handlers / Deeplinks / Custom Schemes
- iOS Hooking With Objection
- iOS Protocol Handlers
- iOS Serialisation and Encoding
- iOS Testing Environment
- iOS UIActivity Sharing
- iOS Universal Links
- iOS UIPasteboard
- iOS WebViews
Pentesting
- Pentesting Network
- Pentesting JDWP - Java Debug Wire Protocol
- Pentesting Printers
- Pentesting SAP
- Pentesting Kubernetes
- 7/tcp/udp - Pentesting Echo
- 21 - Pentesting FTP
- 22 - Pentesting SSH/SFTP
- 23 - Pentesting Telnet
- 25,465,587 - Pentesting SMTP/s
- 43 - Pentesting WHOIS
- 53 - Pentesting DNS
- 69/UDP TFTP/Bittorrent-tracker
- 79 - Pentesting Finger
- 80,443 - Pentesting Web Methodology
- Golang
- Uncovering CloudFlare
- Laravel
- Code Review Tools
- Symphony
- XSS to RCE Electron Desktop Apps
- Spring Actuators
- Artifactory Hacking guide
- Apache
- JSP
- API Pentesting
- Buckets
- CGI
- Drupal
- Moodle
- Flask
- Git
- GraphQL
- H2 - Java SQL database
- IIS - Internet Information Services
- JBOSS
- Jenkins
- JIRA
- Joomla
- Nginx
- PHP Tricks (SPA)
- PHP - Useful Functions & disable_functions/open_basedir bypass
- disable_functions bypass - php-fpm/FastCGI
- disable_functions bypass - dl function
- disable_functions bypass - PHP 7.0-7.4 (*nix only)
- disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
- disable_functions - PHP 5.x Shellshock Exploit
- disable_functions - PHP 5.2.4 ionCube extension Exploit
- disable_functions bypass - PHP <= 5.2.9 on windows
- disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
- disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
- disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
- disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
- disable_functions bypass - PHP 5.2 - FOpen Exploit
- disable_functions bypass - via mem
- disable_functions bypass - mod_cgi
- disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
- PHP - Useful Functions & disable_functions/open_basedir bypass
- Python
- SpEL - Spring Expression Language
- Tomcat
- VMWare (ESX, VCenter...)
- WebDav
- werkzeug
- Wordpress
- 88tcp/udp - Pentesting Kerberos
- 110,995 - Pentesting POP
- 111/TCP/UDP - Pentesting Portmapper
- 113 - Pentesting Ident
- 123/udp - Pentesting NTP
- 135, 593 - Pentesting MSRPC
- 137,138,139 - Pentesting NetBios
- 139,445 - Pentesting SMB
- 143,993 - Pentesting IMAP
- 161,162,10161,10162/udp - Pentesting SNMP
- 194,6667,6660-7000 - Pentesting IRC
- 264 - Pentesting Check Point FireWall-1
- 389, 636, 3268, 3269 - Pentesting LDAP
- 500/udp - Pentesting IPsec/IKE VPN
- 502 - Pentesting Modbus
- 512 - Pentesting Rexec
- 513 - Pentesting Rlogin
- 514 - Pentesting Rsh
- 515 - Pentesting Line Printer Daemon (LPD)
- 548 - Pentesting Apple Filing Protocol (AFP)
- 554,8554 - Pentesting RTSP
- 623/UDP/TCP - IPMI
- 631 - Internet Printing Protocol(IPP)
- 873 - Pentesting Rsync
- 1026 - Pentesting Rusersd
- 1080 - Pentesting Socks
- 1098/1099 - Pentesting Java RMI
- 1433 - Pentesting MSSQL - Microsoft SQL Server
- 1521,1522-1529 - Pentesting Oracle TNS Listener
- 1723 - Pentesting PPTP
- 1883 - Pentesting MQTT (Mosquitto)
- 2049 - Pentesting NFS Service
- 2301,2381 - Pentesting Compaq/HP Insight Manager
- 2375, 2376 Pentesting Docker
- 3128 - Pentesting Squid
- 3260 - Pentesting ISCSI
- 3299 - Pentesting SAPRouter
- 3306 - Pentesting Mysql
- 3389 - Pentesting RDP
- 3632 - Pentesting distcc
- 3690 - Pentesting Subversion (svn server)
- 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
- 5000 - Pentesting Docker Registry
- 5353/UDP Multicast DNS (mDNS)
- 5432,5433 - Pentesting Postgresql
- 5601 - Pentesting Kibana
- 5671,5672 - Pentesting AMQP
- 5800,5801,5900,5901 - Pentesting VNC
- 5984,6984 - Pentesting CouchDB
- 5985,5986 - Pentesting WinRM
- 6000 - Pentesting X11
- 6379 - Pentesting Redis
- 8009 - Pentesting Apache JServ Protocol (AJP)
- 8089 - Splunkd
- 9000 - Pentesting FastCGI
- 9001 - Pentesting HSQLDB
- 9042/9160 - Pentesting Cassandra
- 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
- 9200 - Pentesting Elasticsearch
- 10000 - Pentesting Network Data Management Protocol (ndmp)
- 11211 - Pentesting Memcache
- 15672 - Pentesting RabbitMQ Management
- 27017,27018 - Pentesting MongoDB
- 44818/UDP/TCP - Pentesting EthernetIP
- 47808/udp - Pentesting BACNet
- 50030,50060,50070,50075,50090 - Pentesting Hadoop
Pentesting Web
- 2FA/OTP Bypass
- Abusing hop-by-hop headers
- Bypass Payment Process
- Captcha Bypass
- Cache Poisoning and Cache Deception
- Clickjacking
- Client Side Template Injection (CSTI)
- Command Injection
- Content Security Policy
CSP
Bypass - Cookies Hacking
- CORS - Misconfigurations & Bypass
- CRLF
%0D%0A
Injection - Cross-site WebSocket hijacking (CSWSH)
- CSRF (Cross Site Request Forgery)
- Dangling Markup - HTML scriptless injection
- Deserialization
- NodeJS - __proto__ & prototype Pollution
- Java JSF ViewState
.faces
Deserialization - Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
- Basic Java Deserialization (ObjectInputStream, readObject)
- CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
- Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
- Exploiting __VIEWSTATE knowing the secrets
- Exploiting __VIEWSTATE without knowing the secrets
- Domain/Subdomain takeover
- Email Header Injection
- File Inclusion/Path traversal
- File Upload
- Formula Injection
- HTTP Request Smuggling / HTTP Desync Attack
- H2C Smuggling
- IDOR
- JWT Vulnerabilities (Json Web Tokens)
- NoSQL injection
- LDAP Injection
- OAuth to Account takeover
- Open Redirect
- Parameter Pollution
- PostMessage Vulnerabilities
- Race Condition
- Rate Limit Bypass
- Regular expression Denial of Service - ReDoS
- Reset/Forgotten Password Bypass
- SQL Injection
- SSRF (Server Side Request Forgery)
- SSTI (Server Side Template Injection)
- Reverse Tab Nabbing
- Unicode Normalization vulnerability
- Web Tool - WFuzz
- XPATH injection
- XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)
- XXE - XEE - XML External Entity
- XSS (Cross Site Scripting)
- XSSI (Cross-Site Script Inclusion)
- XS-Search
Cloud Security
Forensics
- Basic Forensic Methodology
Physical attacks
Reversing
Exploiting
Crypto
- Certificates
- Electronic Code Book (ECB)
- Cipher Block Chaining CBC-MAC
- Padding Oracle
- RC4 - Encrypt&Decrypt
- Crypto CTFs Tricks