mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 03:53:29 +00:00
60 KiB
60 KiB
Table of contents
👾 Welcome!
🤩 Generic Methodologies & Resources
- Pentesting Methodology
- External Recon Methodology
- Pentesting Network
- Pentesting Wifi
- Phishing Methodology
- Basic Forensic Methodology
- Brute Force - CheatSheet
- Python Sandbox Escape & Pyscript
- Exfiltration
- Tunneling and Port Forwarding
- Search Exploits
- Shells (Linux, Windows, MSFVenom)
🐧 Linux Hardening
- Checklist - Linux Privilege Escalation
- Linux Privilege Escalation
- Cisco - vmanage
- Containerd (ctr) Privilege Escalation
- Docker Basics & Breakout
- Escaping from Jails
- euid, ruid, suid
- Logstash
- Node inspector/CEF debug abuse
- D-Bus Enumeration & Command Injection Privilege Escalation
- Interesting Groups - Linux PE
- ld.so exploit example
- Linux Active Directory
- Linux Capabilities
- NFS no_root_squash/no_all_squash misconfiguration PE
- Payloads to execute
- RunC Privilege Escalation
- SELinux
- Socket Command Injection
- Splunk LPE and Persistence
- SSH Forward Agent exploitation
- Wildcards Spare tricks
- Write to Root
- Useful Linux Commands
- Bypass Linux Shell Restrictions
- Linux Environment Variables
- Linux Post-Exploitation
- FreeIPA Pentesting
🍏 MacOS Hardening
🪟 Windows Hardening
- Checklist - Local Windows Privilege Escalation
- Windows Local Privilege Escalation
- Abusing Tokens
- Access Tokens
- ACLs - DACLs/SACLs/ACEs
- AppendData/AddSubdirectory permission over service registry
- Create MSI with WIX
- COM Hijacking
- Dll Hijacking
- DPAPI - Extracting Passwords
- From High Integrity to SYSTEM with Name Pipes
- Integrity Levels
- JAWS
- JuicyPotato
- Leaked Handle Exploitation
- MSI Wrapper
- Named Pipe Client Impersonation
- PowerUp
- Privilege Escalation with Autoruns
- RoguePotato, PrintSpoofer, SharpEfsPotato
- RottenPotato
- Seatbelt
- SeDebug + SeImpersonate copy token
- SeImpersonate from High To System
- Windows C Payloads
- Active Directory Methodology
- Abusing Active Directory ACLs/ACEs
- AD Certificates
- AD information in printers
- AD DNS Records
- ASREPRoast
- BloodHound & Other AD Enum Tools
- Constrained Delegation
- Custom SSP
- DCShadow
- DCSync
- Diamond Ticket
- DSRM Credentials
- External Forest Domain - OneWay (Inbound) or bidirectional
- External Forest Domain - One-Way (Outbound)
- Golden Ticket
- Kerberoast
- Kerberos Authentication
- Kerberos Double Hop Problem
- LAPS
- MSSQL AD Abuse
- Over Pass the Hash/Pass the Key
- Pass the Ticket
- Password Spraying
- PrintNightmare
- Force NTLM Privileged Authentication
- Privileged Groups
- RDP Sessions Abuse
- Resource-based Constrained Delegation
- Security Descriptors
- SID-History Injection
- Silver Ticket
- Skeleton Key
- Unconstrained Delegation
- Windows Security Controls
- NTLM
- Lateral Movement
- Stealing Credentials
- Basic CMD for Pentesters
- Basic PowerShell for Pentesters
- AV Bypass
📱 Mobile Pentesting
- Android APK Checklist
- Android Applications Pentesting
- Android Applications Basics
- Android Task Hijacking
- ADB Commands
- APK decompilers
- AVD - Android Virtual Device
- Burp Suite Configuration for Android
- content:// protocol
- Drozer Tutorial
- Exploiting a debuggeable applciation
- Frida Tutorial
- Google CTF 2018 - Shall We Play a Game?
- Inspeckage Tutorial
- Intent Injection
- Make APK Accept CA Certificate
- Manual DeObfuscation
- React Native Application
- Reversing Native Libraries
- Smali - Decompiling/[Modifying]/Compiling
- Spoofing your location in Play Store
- Webview Attacks
- iOS Pentesting Checklist
- iOS Pentesting
- Basic iOS Testing Operations
- Burp Suite Configuration for iOS
- Extracting Entitlements From Compiled Application
- Frida Configuration in iOS
- iOS App Extensions
- iOS Basics
- iOS Custom URI Handlers / Deeplinks / Custom Schemes
- iOS Hooking With Objection
- iOS Protocol Handlers
- iOS Serialisation and Encoding
- iOS Testing Environment
- iOS UIActivity Sharing
- iOS Universal Links
- iOS UIPasteboard
- iOS WebViews
👽 Network Services Pentesting
- Pentesting JDWP - Java Debug Wire Protocol
- Pentesting Printers
- Pentesting SAP
- Pentesting Remote GdbServer
- 7/tcp/udp - Pentesting Echo
- 21 - Pentesting FTP
- 22 - Pentesting SSH/SFTP
- 23 - Pentesting Telnet
- 25,465,587 - Pentesting SMTP/s
- 43 - Pentesting WHOIS
- 49 - Pentesting TACACS+
- 53 - Pentesting DNS
- 69/UDP TFTP/Bittorrent-tracker
- 79 - Pentesting Finger
- 80,443 - Pentesting Web Methodology
- 403 & 401 Bypasses
- AEM - Adobe Experience Cloud
- Apache
- Artifactory Hacking guide
- Buckets
- CGI
- Code Review Tools
- DotNetNuke (DNN)
- Drupal
- Flask
- NodeJS Express
- Git
- Golang
- GraphQL
- H2 - Java SQL database
- IIS - Internet Information Services
- JBOSS
- JIRA
- Joomla
- JSP
- Laravel
- Moodle
- Nginx
- PHP Tricks
- PHP - Useful Functions & disable_functions/open_basedir bypass
- disable_functions bypass - php-fpm/FastCGI
- disable_functions bypass - dl function
- disable_functions bypass - PHP 7.0-7.4 (*nix only)
- disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
- disable_functions - PHP 5.x Shellshock Exploit
- disable_functions - PHP 5.2.4 ionCube extension Exploit
- disable_functions bypass - PHP <= 5.2.9 on windows
- disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
- disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
- disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
- disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
- disable_functions bypass - PHP 5.2 - FOpen Exploit
- disable_functions bypass - via mem
- disable_functions bypass - mod_cgi
- disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
- PHP - RCE abusing object creation: new $_GET["a"]($_GET["b"])
- PHP - Useful Functions & disable_functions/open_basedir bypass
- Python
- Special HTTP headers
- Spring Actuators
- Symfony
- Tomcat
- Uncovering CloudFlare
- VMWare (ESX, VCenter...)
- WAF Bypass
- Web API Pentesting
- WebDav
- werkzeug
- Wordpress
- XSS to RCE Electron Desktop Apps
- 88tcp/udp - Pentesting Kerberos
- 110,995 - Pentesting POP
- 111/TCP/UDP - Pentesting Portmapper
- 113 - Pentesting Ident
- 123/udp - Pentesting NTP
- 135, 593 - Pentesting MSRPC
- 137,138,139 - Pentesting NetBios
- 139,445 - Pentesting SMB
- 143,993 - Pentesting IMAP
- 161,162,10161,10162/udp - Pentesting SNMP
- 194,6667,6660-7000 - Pentesting IRC
- 264 - Pentesting Check Point FireWall-1
- 389, 636, 3268, 3269 - Pentesting LDAP
- 500/udp - Pentesting IPsec/IKE VPN
- 502 - Pentesting Modbus
- 512 - Pentesting Rexec
- 513 - Pentesting Rlogin
- 514 - Pentesting Rsh
- 515 - Pentesting Line Printer Daemon (LPD)
- 548 - Pentesting Apple Filing Protocol (AFP)
- 554,8554 - Pentesting RTSP
- 623/UDP/TCP - IPMI
- 631 - Internet Printing Protocol(IPP)
- 873 - Pentesting Rsync
- 1026 - Pentesting Rusersd
- 1080 - Pentesting Socks
- 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
- 1433 - Pentesting MSSQL - Microsoft SQL Server
- 1521,1522-1529 - Pentesting Oracle TNS Listener
- 1723 - Pentesting PPTP
- 1883 - Pentesting MQTT (Mosquitto)
- 2049 - Pentesting NFS Service
- 2301,2381 - Pentesting Compaq/HP Insight Manager
- 2375, 2376 Pentesting Docker
- 3128 - Pentesting Squid
- 3260 - Pentesting ISCSI
- 3299 - Pentesting SAPRouter
- 3306 - Pentesting Mysql
- 3389 - Pentesting RDP
- 3632 - Pentesting distcc
- 3690 - Pentesting Subversion (svn server)
- 3702/UDP - Pentesting WS-Discovery
- 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
- 4786 - Cisco Smart Install
- 5000 - Pentesting Docker Registry
- 5353/UDP Multicast DNS (mDNS) and DNS-SD
- 5432,5433 - Pentesting Postgresql
- 5555 - Android Debug Bridge
- 5601 - Pentesting Kibana
- 5671,5672 - Pentesting AMQP
- 5800,5801,5900,5901 - Pentesting VNC
- 5984,6984 - Pentesting CouchDB
- 5985,5986 - Pentesting WinRM
- 5985,5986 - Pentesting OMI
- 6000 - Pentesting X11
- 6379 - Pentesting Redis
- 8009 - Pentesting Apache JServ Protocol (AJP)
- 8086 - Pentesting InfluxDB
- 8089 - Pentesting Splunkd
- 8333,18333,38333,18444 - Pentesting Bitcoin
- 9000 - Pentesting FastCGI
- 9001 - Pentesting HSQLDB
- 9042/9160 - Pentesting Cassandra
- 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
- 9200 - Pentesting Elasticsearch
- 10000 - Pentesting Network Data Management Protocol (ndmp)
- 11211 - Pentesting Memcache
- 15672 - Pentesting RabbitMQ Management
- 24007,24008,24009,49152 - Pentesting GlusterFS
- 27017,27018 - Pentesting MongoDB
- 44134 - Pentesting Tiller (Helm)
- 44818/UDP/TCP - Pentesting EthernetIP
- 47808/udp - Pentesting BACNet
- 50030,50060,50070,50075,50090 - Pentesting Hadoop
🕸 Pentesting Web
- Web Vulnerabilities Methodology
- Reflecting Techniques - PoCs and Polygloths CheatSheet
- 2FA/OTP Bypass
- Bypass Payment Process
- Captcha Bypass
- Cache Poisoning and Cache Deception
- Clickjacking
- Client Side Template Injection (CSTI)
- Command Injection
- Content Security Policy (CSP) Bypass
- Cookies Hacking
- CORS - Misconfigurations & Bypass
- CRLF (%0D%0A) Injection
- Cross-site WebSocket hijacking (CSWSH)
- CSRF (Cross Site Request Forgery)
- Dangling Markup - HTML scriptless injection
- Deserialization
- NodeJS - __proto__ & prototype Pollution
- Java JSF ViewState (.faces) Deserialization
- Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
- Basic Java Deserialization (ObjectInputStream, readObject)
- CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
- Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
- Exploiting __VIEWSTATE knowing the secrets
- Exploiting __VIEWSTATE without knowing the secrets
- Python Yaml Deserialization
- JNDI - Java Naming and Directory Interface & Log4Shell
- Domain/Subdomain takeover
- Email Injections
- File Inclusion/Path traversal
- File Upload
- Formula/CSV/Doc/LaTeX Injection
- HTTP Connection Request Smuggling
- HTTP Request Smuggling / HTTP Desync Attack
- HTTP Response Smuggling / Desync
- Upgrade Header Smuggling
- hop-by-hop headers
- IDOR
- Integer Overflow
- JWT Vulnerabilities (Json Web Tokens)
- LDAP Injection
- Login Bypass
- NoSQL injection
- OAuth to Account takeover
- Open Redirect
- Parameter Pollution
- PostMessage Vulnerabilities
- Race Condition
- Rate Limit Bypass
- Registration & Takeover Vulnerabilities
- Regular expression Denial of Service - ReDoS
- Reset/Forgotten Password Bypass
- SAML Attacks
- Server Side Inclusion/Edge Side Inclusion Injection
- SQL Injection
- SSRF (Server Side Request Forgery)
- SSTI (Server Side Template Injection)
- Reverse Tab Nabbing
- Unicode Injection
- Web Tool - WFuzz
- XPATH injection
- XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)
- XXE - XEE - XML External Entity
- XSS (Cross Site Scripting)
- XSSI (Cross-Site Script Inclusion)
- XS-Search/XS-Leaks
⛈ Cloud Security
- Pentesting Kubernetes
- Pentesting Cloud (AWS, GCP, Az...)
- Pentesting CI/CD (Github, Jenkins, Terraform...)
😎 Hardware/Physical Access
🦅 Reversing & Exploiting
- Reversing Tools & Basic Methods
- Common API used in Malware
- Word Macros
- Linux Exploiting (Basic) (SPA)
- Exploiting Tools
- Windows Exploiting (Basic Guide - OSCP lvl)
🔮 Crypto & Stego
- Cryptographic/Compression Algorithms
- Certificates
- Cipher Block Chaining CBC-MAC
- Crypto CTFs Tricks
- Electronic Code Book (ECB)
- Hash Length Extension Attack
- Padding Oracle
- RC4 - Encrypt&Decrypt
- Stego Tricks
- Esoteric languages
- Blockchain & Crypto Currencies
🧐 External Platforms Reviews/Writeups
🦂 C2
✍ TODO
- Other Big References
- Rust Basics
- More Tools
- MISC
- Pentesting DNS
- Hardware Hacking
- Radio Hacking
- Burp Suite
- Other Web Tricks
- Interesting HTTP
- Emails Vulnerabilities
- Android Forensics
- TR-069
- 6881/udp - Pentesting BitTorrent
- CTF Write-ups
- 1911 - Pentesting fox
- Online Platforms with API
- Stealing Sensitive Information Disclosure from a Web
- Post Exploitation