Support HackTricks and get benefits!
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? Or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks submitting PRs to the hacktricks github repo.
Table of contents
- HackTricks
- About the author
- Getting Started in Hacking
- Pentesting Methodology
- External Recon Methodology
- Phishing Methodology
- Brute Force - CheatSheet
- Exfiltration
- Tunneling and Port Forwarding
- Search Exploits
Shells
Linux/Unix
- Checklist - Linux Privilege Escalation
- Linux Privilege Escalation
- PAM - Pluggable Authentication Modules
- SELinux
- Logstash
- Containerd (ctr) Privilege Escalation
- Docker Basics & Breakout
- Node inspector/CEF debug abuse
- Escaping from Jails
- Cisco - vmanage
- D-Bus Enumeration & Command Injection Privilege Escalation
- Interesting Groups - Linux PE
- ld.so exploit example
- Linux Capabilities
- NFS no_root_squash/no_all_squash misconfiguration PE
- Payloads to execute
- RunC Privilege Escalation
- Splunk LPE and Persistence
- SSH Forward Agent exploitation
- Socket Command Injection
- Wildcards Spare tricks
- Linux Active Directory
- Useful Linux Commands
- Linux Environment Variables
MacOS
Windows
- Checklist - Local Windows Privilege Escalation
- Windows Local Privilege Escalation
- AppendData/AddSubdirectory permission over service registry
- Create MSI with WIX
- DPAPI - Extracting Passwords
- SeImpersonate from High To System
- Access Tokens
- ACLs - DACLs/SACLs/ACEs
- Dll Hijacking
- From High Integrity to SYSTEM with Name Pipes
- Integrity Levels
- JAWS
- JuicyPotato
- Leaked Handle Exploitation
- MSI Wrapper
- Named Pipe Client Impersonation
- PowerUp
- Privilege Escalation Abusing Tokens
- Privilege Escalation with Autoruns
- RottenPotato
- Seatbelt
- SeDebug + SeImpersonate copy token
- Windows C Payloads
- Active Directory Methodology
- Abusing Active Directory ACLs/ACEs
- AD information in printers
- ASREPRoast
- BloodHound
- Constrained Delegation
- Custom SSP
- DCShadow
- DCSync
- DSRM Credentials
- Golden Ticket
- Kerberos Authentication
- Kerberoast
- MSSQL Trusted Links
- Over Pass the Hash/Pass the Key
- Pass the Ticket
- Password Spraying
- Force NTLM Privileged Authentication
- Privileged Accounts and Token Privileges
- Resource-based Constrained Delegation
- Security Descriptors
- Silver Ticket
- Skeleton Key
- Unconstrained Delegation
- NTLM
- Stealing Credentials
- Authentication, Credentials, UAC and EFS
- Basic CMD for Pentesters
- Basic PowerShell for Pentesters
- AV Bypass
Mobile Apps Pentesting
- Android APK Checklist
- Android Applications Pentesting
- Android Applications Basics
- Android Task Hijacking
- ADB Commands
- APK decompilers
- AVD - Android Virtual Device
- Burp Suite Configuration for Android
- content:// protocol
- Drozer Tutorial
- Exploiting a debuggable application
- Frida Tutorial
- Google CTF 2018 - Shall We Play a Game?
- Inspeckage Tutorial
- Intent Injection
- Make APK Accept CA Certificate
- Manual DeObfuscation
- React Native Application
- Reversing Native Libraries
- Smali - Decompiling/[Modifying]/Compiling
- Spoofing your location in Play Store
- Webview Attacks
- iOS Pentesting Checklist
- iOS Pentesting
- Basic iOS Testing Operations
- Burp Suite Configuration for iOS
- Extracting Entitlements From Compiled Application
- Frida Configuration in iOS
- iOS App Extensions
- iOS Basics
- iOS Custom URI Handlers / Deeplinks / Custom Schemes
- iOS Hooking With Objection
- iOS Protocol Handlers
- iOS Serialisation and Encoding
- iOS Testing Environment
- iOS UIActivity Sharing
- iOS Universal Links
- iOS UIPasteboard
- iOS WebViews
Pentesting
- Pentesting Network
- Pentesting Wifi
- Pentesting JDWP - Java Debug Wire Protocol
- Pentesting Printers
- Pentesting SAP
- 7/tcp/udp - Pentesting Echo
- 21 - Pentesting FTP
- 22 - Pentesting SSH/SFTP
- 23 - Pentesting Telnet
- 25,465,587 - Pentesting SMTP/s
- 43 - Pentesting WHOIS
- 53 - Pentesting DNS
- 69/UDP TFTP/Bittorrent-tracker
- 79 - Pentesting Finger
- 80,443 - Pentesting Web Methodology
- 403 & 401 Bypasses
- AEM - Adobe Experience Cloud
- Apache
- Artifactory Hacking guide
- Buckets
- CGI
- Code Review Tools
- Drupal
- Flask
- Git
- Golang
- GraphQL
- H2 - Java SQL database
- IIS - Internet Information Services
- JBOSS
- JIRA
- Joomla
- JSP
- Laravel
- Moodle
- Nginx
- PHP Tricks (SPA)
- PHP - Useful Functions & disable_functions/open_basedir bypass
- disable_functions bypass - php-fpm/FastCGI
- disable_functions bypass - dl function
- disable_functions bypass - PHP 7.0-7.4 (*nix only)
- disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
- disable_functions - PHP 5.x Shellshock Exploit
- disable_functions - PHP 5.2.4 ionCube extension Exploit
- disable_functions bypass - PHP <= 5.2.9 on windows
- disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
- disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
- disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
- disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
- disable_functions bypass - PHP 5.2 - FOpen Exploit
- disable_functions bypass - via mem
- disable_functions bypass - mod_cgi
- disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
- PHP - Useful Functions & disable_functions/open_basedir bypass
- Python
- Special HTTP headers
- Spring Actuators
- Symphony
- Tomcat
- Uncovering CloudFlare
- VMWare (ESX, VCenter...)
- Web API Pentesting
- WebDav
- werkzeug
- Wordpress
- XSS to RCE Electron Desktop Apps
- 88tcp/udp - Pentesting Kerberos
- 110,995 - Pentesting POP
- 111/TCP/UDP - Pentesting Portmapper
- 113 - Pentesting Ident
- 123/udp - Pentesting NTP
- 135, 593 - Pentesting MSRPC
- 137,138,139 - Pentesting NetBios
- 139,445 - Pentesting SMB
- 143,993 - Pentesting IMAP
- 161,162,10161,10162/udp - Pentesting SNMP
- 194,6667,6660-7000 - Pentesting IRC
- 264 - Pentesting Check Point FireWall-1
- 389, 636, 3268, 3269 - Pentesting LDAP
- 500/udp - Pentesting IPsec/IKE VPN
- 502 - Pentesting Modbus
- 512 - Pentesting Rexec
- 513 - Pentesting Rlogin
- 514 - Pentesting Rsh
- 515 - Pentesting Line Printer Daemon (LPD)
- 548 - Pentesting Apple Filing Protocol (AFP)
- 554,8554 - Pentesting RTSP
- 623/UDP/TCP - IPMI
- 631 - Internet Printing Protocol(IPP)
- 873 - Pentesting Rsync
- 1026 - Pentesting Rusersd
- 1080 - Pentesting Socks
- 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
- 1433 - Pentesting MSSQL - Microsoft SQL Server
- 1521,1522-1529 - Pentesting Oracle TNS Listener
- 1723 - Pentesting PPTP
- 1883 - Pentesting MQTT (Mosquitto)
- 2049 - Pentesting NFS Service
- 2301,2381 - Pentesting Compaq/HP Insight Manager
- 2375, 2376 Pentesting Docker
- 3128 - Pentesting Squid
- 3260 - Pentesting ISCSI
- 3299 - Pentesting SAPRouter
- 3306 - Pentesting Mysql
- 3389 - Pentesting RDP
- 3632 - Pentesting distcc
- 3690 - Pentesting Subversion (svn server)
- 3702/UDP - Pentesting WS-Discovery
- 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
- 5000 - Pentesting Docker Registry
- 5353/UDP Multicast DNS (mDNS) and DNS-SD
- 5432,5433 - Pentesting Postgresql
- 5555 - Android Debug Bridge
- 5601 - Pentesting Kibana
- 5671,5672 - Pentesting AMQP
- 5800,5801,5900,5901 - Pentesting VNC
- 5984,6984 - Pentesting CouchDB
- 5985,5986 - Pentesting WinRM
- 5985,5986 - Pentesting OMI
- 6000 - Pentesting X11
- 6379 - Pentesting Redis
- 8009 - Pentesting Apache JServ Protocol (AJP)
- 8086 - Pentesting InfluxDB
- 8089 - Pentesting Splunkd
- 8333,18333,38333,18444 - Pentesting Bitcoin
- 9000 - Pentesting FastCGI
- 9001 - Pentesting HSQLDB
- 9042/9160 - Pentesting Cassandra
- 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
- 9200 - Pentesting Elasticsearch
- 10000 - Pentesting Network Data Management Protocol (ndmp)
- 11211 - Pentesting Memcache
- 15672 - Pentesting RabbitMQ Management
- 24007,24008,24009,49152 - Pentesting GlusterFS
- 27017,27018 - Pentesting MongoDB
- 44134 - Pentesting Tiller (Helm)
- 44818/UDP/TCP - Pentesting EthernetIP
- 47808/udp - Pentesting BACNet
- 50030,50060,50070,50075,50090 - Pentesting Hadoop
- Pentesting Remote GdbServer
Pentesting Web
- Web Vulnerabilities Methodology
- Reflecting Techniques - PoCs and Polygloths CheatSheet
- 2FA/OTP Bypass
- Bypass Payment Process
- Captcha Bypass
- Cache Poisoning and Cache Deception
- Clickjacking
- Client Side Template Injection (CSTI)
- Command Injection
- Content Security Policy (CSP) Bypass
- Cookies Hacking
- CORS - Misconfigurations & Bypass
- CRLF (%0D%0A) Injection
- Cross-site WebSocket hijacking (CSWSH)
- CSRF (Cross Site Request Forgery)
- Dangling Markup - HTML scriptless injection
- Deserialization
- NodeJS - __proto__ & prototype Pollution
- Java JSF ViewState (.faces) Deserialization
- Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
- Basic Java Deserialization (ObjectInputStream, readObject)
- CommonsCollection1 Payload - Java Transformers to Runtime exec() and Thread Sleep
- Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
- Exploiting __VIEWSTATE knowing the secrets
- Exploiting __VIEWSTATE without knowing the secrets
- Python Yaml Deserialization
- JNDI - Java Naming and Directory Interface & Log4Shell
- Domain/Subdomain takeover
- Email Injections
- File Inclusion/Path traversal
- File Upload
- Formula Injection
- HTTP Request Smuggling / HTTP Desync Attack
- HTTP Response Smuggling / Desync
- H2C Smuggling
- hop-by-hop headers
- IDOR
- JWT Vulnerabilities (Json Web Tokens)
- NoSQL injection
- LDAP Injection
- Login Bypass
- OAuth to Account takeover
- Open Redirect
- Parameter Pollution
- PostMessage Vulnerabilities
- Race Condition
- Rate Limit Bypass
- Registration & Takeover Vulnerabilities
- Regular expression Denial of Service - ReDoS
- Reset/Forgotten Password Bypass
- SAML Attacks
- Server Side Inclusion/Edge Side Inclusion Injection
- SQL Injection
- SSRF (Server Side Request Forgery)
- SSTI (Server Side Template Injection)
- Reverse Tab Nabbing
- Unicode Normalization vulnerability
- Web Tool - WFuzz
- XPATH injection
- XSLT Server Side Injection (Extensible Stylesheet Language Transformations)
- XXE - XEE - XML External Entity
- XSS (Cross Site Scripting)
- XSSI (Cross-Site Script Inclusion)
- XS-Search
Forensics
- Basic Forensic Methodology
Cloud Security
- GCP Security
- GCP - Other Services Enumeration
- GCP - Abuse GCP Permissions
- GCP - Buckets: Public Assets Brute-Force & Discovery, & Buckets Privilege Escalation
- GCP - Compute Enumeration
- GCP - Network Enumeration
- GCP - KMS & Secrets Management Enumeration
- GCP - Databases Enumeration
- GCP - Serverless Code Exec Services Enumeration
- GCP - Buckets Enumeration
- GCP - Local Privilege Escalation / SSH Pivoting
- GCP - Persistence
- Workspace Security
- Github Security
- Gitea Security
- Kubernetes Security
- Kubernetes Basics
- Pentesting Kubernetes Services
- Exposing Services in Kubernetes
- Attacking Kubernetes from inside a Pod
- Kubernetes Enumeration
- Kubernetes Role-Based Access Control (RBAC)
- Abusing Roles/ClusterRoles in Kubernetes
- Kubernetes Namespace Escalation
- Kubernetes Access to other Clouds
- Kubernetes Hardening
- Kubernetes Network Attacks
- Concourse
- CircleCI
- Jenkins
- Apache Airflow
- Atlantis
- Cloud Security Review
- AWS Security
A.I. Exploiting
Blockchain
Courses and Certifications Reviews
Physical attacks
Reversing
- Reversing Tools & Basic Methods
- Common API used in Malware
- Cryptographic/Compression Algorithms
- Word Macros
Exploiting
Cryptography
- Certificates
- Cipher Block Chaining CBC-MAC
- Crypto CTFs Tricks
- Electronic Code Book (ECB)
- Hash Length Extension Attack
- Padding Oracle
- RC4 - Encrypt&Decrypt
BACKDOORS
Stego
MISC
TODO
- Radio Hacking
- Burp Suite
- Other Web Tricks
- Interesting HTTP
- Emails Vulnerabilities
- Android Forensics
- TR-069
- 6881/udp - Pentesting BitTorrent
- CTF Write-ups
- 1911 - Pentesting fox
- Online Platforms with API
- Stealing Sensitive Information Disclosure from a Web
- Post Exploitation