hacktricks/SUMMARY.md

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.

Table of contents

• HackTricks
• About the author
• Getting Started in Hacking
• Pentesting Methodology
• External Recon Methodology
  • Github Leaked Secrets
• Phishing Methodology
  • Clone a Website
  • Detecting Phising
  • Phishing Documents
• Brute Force - CheatSheet
• Exfiltration
• Tunneling and Port Forwarding
• Search Exploits

Shells

• Shells (Linux, Windows, MSFVenom)
  • MSFVenom - CheatSheet
  • Shells - Windows
  • Shells - Linux
  • Full TTYs

Linux/Unix

• Checklist - Linux Privilege Escalation
• Linux Privilege Escalation
  • PAM - Pluggable Authentication Modules
  • SELinux
  • Logstash
  • Containerd (ctr) Privilege Escalation
  • Docker Basics & Breakout
    • AuthZ& AuthN - Docker Access Authorization Plugin
    • Docker Breakout / Privilege Escalation
      • release_agent exploit - Relative Paths to PIDs
      • Docker release_agent cgroups escape
      • Sensitive Mounts
    • Seccomp
    • AppArmor
    • Namespaces
    • Docker --privileged
    • Abusing Docker Socket for Privilege Escalation
  • Node inspector/CEF debug abuse
  • Escaping from Jails
  • Cisco - vmanage
  • D-Bus Enumeration & Command Injection Privilege Escalation
  • Interesting Groups - Linux PE
    • lxd/lxc Group - Privilege escalation
  • ld.so exploit example
  • Linux Capabilities
  • NFS no_root_squash/no_all_squash misconfiguration PE
  • Payloads to execute
  • RunC Privilege Escalation
  • Splunk LPE and Persistence
  • SSH Forward Agent exploitation
  • Socket Command Injection
  • Wildcards Spare tricks
  • Linux Active Directory
• Useful Linux Commands
  • Bypass Bash Restrictions
• Linux Environment Variables

MacOS

• MacOS Security & Privilege Escalation
  • Mac OS Architecture
  • MacOS MDM
    • Enrolling Devices in Other Organisations
  • MacOS Protocols
  • MacOS Red Teaming
  • MacOS Serial Number
  • MacOS Apps - Inspecting, debugging and Fuzzing

Windows

• Checklist - Local Windows Privilege Escalation
• Windows Local Privilege Escalation
  • AppendData/AddSubdirectory permission over service registry
  • Create MSI with WIX
  • DPAPI - Extracting Passwords
  • SeImpersonate from High To System
  • Access Tokens
  • ACLs - DACLs/SACLs/ACEs
  • Dll Hijacking
  • From High Integrity to SYSTEM with Name Pipes
  • Integrity Levels
  • JAWS
  • JuicyPotato
  • Leaked Handle Exploitation
  • MSI Wrapper
  • Named Pipe Client Impersonation
  • PowerUp
  • Privilege Escalation Abusing Tokens
  • Privilege Escalation with Autoruns
  • RottenPotato
  • Seatbelt
  • SeDebug + SeImpersonate copy token
  • Windows C Payloads
• Active Directory Methodology
  • Abusing Active Directory ACLs/ACEs
  • AD information in printers
  • ASREPRoast
  • BloodHound
  • Constrained Delegation
  • Custom SSP
  • DCShadow
  • DCSync
  • DSRM Credentials
  • Golden Ticket
  • Kerberos Authentication
  • Kerberoast
  • MSSQL Trusted Links
  • Over Pass the Hash/Pass the Key
  • Pass the Ticket
  • Password Spraying
  • Force NTLM Privileged Authentication
  • Privileged Accounts and Token Privileges
  • Resource-based Constrained Delegation
  • Security Descriptors
  • Silver Ticket
  • Skeleton Key
  • Unconstrained Delegation
• NTLM
  • Places to steal NTLM creds
  • PsExec/Winexec/ScExec
  • SmbExec/ScExec
  • WmicExec
  • AtExec / SchtasksExec
  • WinRM
• Stealing Credentials
  • Credentials Protections
  • Mimikatz
• Authentication, Credentials, UAC and EFS
• Basic CMD for Pentesters
• Basic PowerShell for Pentesters
  • PowerView
• AV Bypass

Mobile Apps Pentesting

• Android APK Checklist
• Android Applications Pentesting
  • Android Applications Basics
  • Android Task Hijacking
  • ADB Commands
  • APK decompilers
  • AVD - Android Virtual Device
  • Burp Suite Configuration for Android
  • content:// protocol
  • Drozer Tutorial
    • Exploiting Content Providers
  • Exploiting a debuggeable applciation
  • Frida Tutorial
    • Frida Tutorial 1
    • Frida Tutorial 2
    • Frida Tutorial 3
    • Objection Tutorial
  • Google CTF 2018 - Shall We Play a Game?
  • Inspeckage Tutorial
  • Intent Injection
  • Make APK Accept CA Certificate
  • Manual DeObfuscation
  • React Native Application
  • Reversing Native Libraries
  • Smali - Decompiling/[Modifying]/Compiling
  • Spoofing your location in Play Store
  • Webview Attacks
• iOS Pentesting Checklist
• iOS Pentesting
  • Basic iOS Testing Operations
  • Burp Suite Configuration for iOS
  • Extracting Entitlements From Compiled Application
  • Frida Configuration in iOS
  • iOS App Extensions
  • iOS Basics
  • iOS Custom URI Handlers / Deeplinks / Custom Schemes
  • iOS Hooking With Objection
  • iOS Protocol Handlers
  • iOS Serialisation and Encoding
  • iOS Testing Environment
  • iOS UIActivity Sharing
  • iOS Universal Links
  • iOS UIPasteboard
  • iOS WebViews

Pentesting

• Pentesting Network
  • Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
  • Spoofing SSDP and UPnP Devices with EvilSSDP
  • Pentesting IPv6
  • Nmap Summary (ESP)
  • Network Protocols Explained (ESP)
  • IDS and IPS Evasion
  • DHCPv6
• Pentesting Wifi
  • Evil Twin EAP-TLS
• Pentesting JDWP - Java Debug Wire Protocol
• Pentesting Printers
  • Accounting bypass
  • Buffer Overflows
  • Credentials Disclosure / Brute-Force
  • Cross-Site Printing
  • Document Processing
  • Factory Defaults
  • File system access
  • Firmware updates
  • Memory Access
  • Physical Damage
  • Software packages
  • Transmission channel
  • Print job manipulation
  • Print Job Retention
  • Scanner and Fax
• Pentesting SAP
• 7/tcp/udp - Pentesting Echo
• 21 - Pentesting FTP
  • FTP Bounce attack - Scan
  • FTP Bounce - Download 2ºFTP file
• 22 - Pentesting SSH/SFTP
• 23 - Pentesting Telnet
• 25,465,587 - Pentesting SMTP/s
  • SMTP - Commands
• 43 - Pentesting WHOIS
• 53 - Pentesting DNS
• 69/UDP TFTP/Bittorrent-tracker
• 79 - Pentesting Finger
• 80,443 - Pentesting Web Methodology
  • 403 & 401 Bypasses
  • AEM - Adobe Experience Cloud
  • Apache
  • Artifactory Hacking guide
  • Buckets
    • Firebase Database
    • AWS-S3
  • CGI
  • Code Review Tools
  • Drupal
  • Flask
  • Git
  • Golang
  • GraphQL
  • H2 - Java SQL database
  • IIS - Internet Information Services
  • JBOSS
  • JIRA
  • Joomla
  • JSP
  • Laravel
  • Moodle
  • Nginx
  • PHP Tricks (SPA)
    • PHP - Useful Functions & disable_functions/open_basedir bypass
      • disable_functions bypass - php-fpm/FastCGI
      • disable_functions bypass - dl function
      • disable_functions bypass - PHP 7.0-7.4 (*nix only)
      • disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
      • disable_functions - PHP 5.x Shellshock Exploit
      • disable_functions - PHP 5.2.4 ionCube extension Exploit
      • disable_functions bypass - PHP <= 5.2.9 on windows
      • disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
      • disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
      • disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
      • disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
      • disable_functions bypass - PHP 5.2 - FOpen Exploit
      • disable_functions bypass - via mem
      • disable_functions bypass - mod_cgi
      • disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
  • Python
  • Special HTTP headers
  • Spring Actuators
  • Symphony
  • Tomcat
  • Uncovering CloudFlare
  • VMWare (ESX, VCenter...)
  • Web API Pentesting
  • WebDav
  • werkzeug
  • Wordpress
  • XSS to RCE Electron Desktop Apps
    • Electron contextIsolation RCE via preload code
    • Electron contextIsolation RCE via Electron internal code
    • Electron contextIsolation RCE via IPC
• 88tcp/udp - Pentesting Kerberos
  • Harvesting tickets from Windows
  • Harvesting tickets from Linux
• 110,995 - Pentesting POP
• 111/TCP/UDP - Pentesting Portmapper
• 113 - Pentesting Ident
• 123/udp - Pentesting NTP
• 135, 593 - Pentesting MSRPC
• 137,138,139 - Pentesting NetBios
• 139,445 - Pentesting SMB
• 143,993 - Pentesting IMAP
• 161,162,10161,10162/udp - Pentesting SNMP
  • SNMP RCE
• 194,6667,6660-7000 - Pentesting IRC
• 264 - Pentesting Check Point FireWall-1
• 389, 636, 3268, 3269 - Pentesting LDAP
• 500/udp - Pentesting IPsec/IKE VPN
• 502 - Pentesting Modbus
• 512 - Pentesting Rexec
• 513 - Pentesting Rlogin
• 514 - Pentesting Rsh
• 515 - Pentesting Line Printer Daemon (LPD)
• 548 - Pentesting Apple Filing Protocol (AFP)
• 554,8554 - Pentesting RTSP
• 623/UDP/TCP - IPMI
• 631 - Internet Printing Protocol(IPP)
• 873 - Pentesting Rsync
• 1026 - Pentesting Rusersd
• 1080 - Pentesting Socks
• 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
• 1433 - Pentesting MSSQL - Microsoft SQL Server
• 1521,1522-1529 - Pentesting Oracle TNS Listener
  • Oracle Pentesting requirements installation
  • TNS Poison
  • Remote stealth pass brute force
  • Oracle RCE & more
• 1723 - Pentesting PPTP
• 1883 - Pentesting MQTT (Mosquitto)
• 2049 - Pentesting NFS Service
• 2301,2381 - Pentesting Compaq/HP Insight Manager
• 2375, 2376 Pentesting Docker
• 3128 - Pentesting Squid
• 3260 - Pentesting ISCSI
• 3299 - Pentesting SAPRouter
• 3306 - Pentesting Mysql
• 3389 - Pentesting RDP
• 3632 - Pentesting distcc
• 3690 - Pentesting Subversion (svn server)
• 3702/UDP - Pentesting WS-Discovery
• 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
• 5000 - Pentesting Docker Registry
• 5353/UDP Multicast DNS (mDNS) and DNS-SD
• 5432,5433 - Pentesting Postgresql
• 5555 - Android Debug Bridge
• 5601 - Pentesting Kibana
• 5671,5672 - Pentesting AMQP
• 5800,5801,5900,5901 - Pentesting VNC
• 5984,6984 - Pentesting CouchDB
• 5985,5986 - Pentesting WinRM
• 5985,5986 - Pentesting OMI
• 6000 - Pentesting X11
• 6379 - Pentesting Redis
• 8009 - Pentesting Apache JServ Protocol (AJP)
• 8086 - Pentesting InfluxDB
• 8089 - Pentesting Splunkd
• 8333,18333,38333,18444 - Pentesting Bitcoin
• 9000 - Pentesting FastCGI
• 9001 - Pentesting HSQLDB
• 9042/9160 - Pentesting Cassandra
• 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
• 9200 - Pentesting Elasticsearch
• 10000 - Pentesting Network Data Management Protocol (ndmp)
• 11211 - Pentesting Memcache
• 15672 - Pentesting RabbitMQ Management
• 24007,24008,24009,49152 - Pentesting GlusterFS
• 27017,27018 - Pentesting MongoDB
• 44134 - Pentesting Tiller (Helm)
• 44818/UDP/TCP - Pentesting EthernetIP
• 47808/udp - Pentesting BACNet
• 50030,50060,50070,50075,50090 - Pentesting Hadoop
• Pentesting Remote GdbServer

Pentesting Web

• Web Vulnerabilities Methodology
• Reflecting Techniques - PoCs and Polygloths CheatSheet
  • Web Vulns List
• 2FA/OTP Bypass
• Bypass Payment Process
• Captcha Bypass
• Cache Poisoning and Cache Deception
• Clickjacking
• Client Side Template Injection (CSTI)
• Command Injection
• Content Security Policy (CSP) Bypass
  • CSP bypass: self + 'unsafe-inline' with Iframes
• Cookies Hacking
  • Cookie Tossing
  • Cookie Jar Overflow
  • Cookie Bomb
• CORS - Misconfigurations & Bypass
• CRLF (%0D%0A) Injection
• Cross-site WebSocket hijacking (CSWSH)
• CSRF (Cross Site Request Forgery)
• Dangling Markup - HTML scriptless injection
  • HTML Injection / Char-by-char Exfiltration
    • CSS Injection Code
• Deserialization
  • NodeJS - __proto__ & prototype Pollution
    • Client Side Prototype Pollution
  • Java JSF ViewState (.faces) Deserialization
  • Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
  • Basic Java Deserialization (ObjectInputStream, readObject)
  • CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
  • Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
  • Exploiting __VIEWSTATE knowing the secrets
  • Exploiting __VIEWSTATE without knowing the secrets
  • Python Yaml Deserialization
  • JNDI - Java Naming and Directory Interface & Log4Shell
• Domain/Subdomain takeover
• Email Injections
• File Inclusion/Path traversal
  • phar:// deserialization
  • LFI2RCE via Nginx temp files
  • Via PHP_SESSION_UPLOAD_PROGRESS
  • LFI2RCE via phpinfo()
  • LFI2RCE Via temp file uploads
  • LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure
• File Upload
  • PDF Upload - XXE and CORS bypass
• Formula Injection
• HTTP Request Smuggling / HTTP Desync Attack
  • Request Smuggling in HTTP/2 Downgrades
• HTTP Response Smuggling / Desync
• H2C Smuggling
• hop-by-hop headers
• IDOR
• JWT Vulnerabilities (Json Web Tokens)
• NoSQL injection
• LDAP Injection
• Login Bypass
  • Login bypass List
• OAuth to Account takeover
• Open Redirect
• Parameter Pollution
• PostMessage Vulnerabilities
• Race Condition
• Rate Limit Bypass
• Registration & Takeover Vulnerabilities
• Regular expression Denial of Service - ReDoS
• Reset/Forgotten Password Bypass
• SAML Attacks
  • SAML Basics
• Server Side Inclusion/Edge Side Inclusion Injection
• SQL Injection
  • MSSQL Injection
  • Oracle injection
  • PostgreSQL injection
    • dblink/lo_import data exfiltration
    • PL/pgSQL Password Bruteforce
    • Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
    • Big Binary Files Upload (PostgreSQL)
    • RCE with PostgreSQL Extensions
  • MySQL injection
    • Mysql SSRF
  • SQLMap - Cheetsheat
    • Second Order Injection - SQLMap
• SSRF (Server Side Request Forgery)
  • URL Format Bypass
  • SSRF Vulnerable Platforms
  • Cloud SSRF
• SSTI (Server Side Template Injection)
  • EL - Expression Language
• Reverse Tab Nabbing
• Unicode Normalization vulnerability
• Web Tool - WFuzz
• XPATH injection
• XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)
• XXE - XEE - XML External Entity
• XSS (Cross Site Scripting)
  • PDF Injection
  • DOM XSS
  • Debugging Client Side JS
  • Server Side XSS (Dynamic PDF)
  • XSS Tools
  • Iframes in XSS and CSP
  • Other JS Tricks
  • Steal Info JS
• XSSI (Cross-Site Script Inclusion)
• XS-Search

Forensics

• Basic Forensic Methodology
  • Baseline Monitoring
  • Anti-Forensic Techniques
  • Docker Forensics
  • Image Adquisition & Mount
  • Linux Forensics
  • Malware Analysis
  • Memory dump analysis
    • Volatility - CheatSheet
  • Partitions/File Systems/Carving
    • EXT
    • File/Data Carving & Recovery Tools
    • NTFS
  • Pcap Inspection
    • DNSCat pcap analysis
    • USB Keystrokes
    • Wifi Pcap Analysis
    • Wireshark tricks
  • Specific Software/File-Type Tricks
    • Decompile compiled python binaries (exe, elf) - Retreive from .pyc
    • Browser Artifacts
    • Desofuscation vbs (cscript.exe)
    • Local Cloud Storage
    • Office file analysis
    • PDF File analysis
    • PNG tricks
    • Video and Audio file analysis
    • ZIPs tricks
  • Windows Artifacts
    • Windows Processes
    • Interesting Windows Registry Keys

Cloud Security

• GCP Security
  • GCP - Other Services Enumeration
  • GCP - Abuse GCP Permissions
    • GCP - Privesc to other Principals
    • GCP - Privesc to Resources
  • GCP - Buckets: Public Assets Brute-Force & Discovery, & Buckets Privilege Escalation
  • GCP - Compute Enumeration
  • GCP - Network Enumeration
  • GCP - KMS & Secrets Management Enumeration
  • GCP - Databases Enumeration
  • GCP - Serverless Code Exec Services Enumeration
  • GCP - Buckets Enumeration
  • GCP - Local Privilege Escalation / SSH Pivoting
  • GCP - Persistance
• Workspace Security
• Github Security
  • Basic Github Information
• Gitea Security
  • Basic Gitea Information
• Kubernetes Security
  • Kubernetes Basics
  • Pentesting Kubernetes Services
  • Exposing Services in Kubernetes
  • Attacking Kubernetes from inside a Pod
  • Kubernetes Enumeration
  • Kubernetes Role-Based Access Control (RBAC)
  • Abusing Roles/ClusterRoles in Kubernetes
    • K8s Roles Abuse Lab
    • Pod Escape Privileges
  • Kubernetes Namespace Escalation
  • Kubernetes Access to other Clouds
  • Kubernetes Hardening
    • Monitoring with Falco
    • Kubernetes SecurityContext(s)
    • Kubernetes NetworkPolicies
  • Kubernetes Network Attacks
• Concourse
  • Concourse Architecture
  • Concourse Lab Creation
  • Concourse Enumeration & Attacks
• CircleCI
• Jenkins
• Apache Airflow
  • Airflow Configuration
  • Airflow RBAC
• Atlantis
• Cloud Security Review
• AWS Security

A.I. Exploiting

• BRA.I.NSMASHER Presentation
  • Basic Bruteforcer
  • Basic Captcha Breaker
  • BIM Bruteforcer
  • Hybrid Malware Classifier Part 1
  • ML Basics
    • Feature Engineering

Blockchain

• Blockchain & Crypto Currencies
  • Page 1

Courses and Certifications Reviews

• INE Courses and eLearnSecurity Certifications Reviews

Physical attacks

• Physical Attacks
• Escaping from KIOSKs
  • Show file extensions
• Firmware Analysis
  • Bootloader testing
  • Firmware Integrity

Reversing

• Reversing Tools & Basic Methods
  • Angr
    • Angr - Examples
  • Z3 - Satisfiability Modulo Theories (SMT)
  • Cheat Engine
  • Blobrunner
• Common API used in Malware
• Cryptographic/Compression Algorithms
  • Unpacking binaries
• Word Macros

Exploiting

• Linux Exploiting (Basic) (SPA)
  • Format Strings Template
  • ROP - call sys_execve
  • ROP - Leaking LIBC address
    • ROP - Leaking LIBC template
  • Bypassing Canary & PIE
  • Ret2Lib
  • Fusion
• Exploiting Tools
  • PwnTools
• Windows Exploiting (Basic Guide - OSCP lvl)

Cryptography

• Certificates
• Cipher Block Chaining CBC-MAC
• Crypto CTFs Tricks
• Electronic Code Book (ECB)
• Hash Length Extension Attack
• Padding Oracle
• RC4 - Encrypt&Decrypt

BACKDOORS

• Merlin
• Empire
• Salseo
• ICMPsh

Stego

• Stego Tricks
• Esoteric languages

MISC

• Basic Python
  • venv
  • Bypass Python sandboxes
    • Output Searching Python internals
  • Magic Methods
  • Web Requests
  • Bruteforce hash (few chars)
• Other Big References

TODO

• More Tools
• MISC
• Pentesting DNS
• Hardware Hacking
  • I2C
  • UART
  • Radio
  • JTAG
  • SPI

---

• Radio Hacking
  • Pentesting RFID
  • Low-Power Wide Area Network
  • Pentesting BLE - Bluetooth Low Energy
• Burp Suite
• Other Web Tricks
• Interesting HTTP
• Emails Vulnerabilities
• Android Forensics
• TR-069
• 6881/udp - Pentesting BitTorrent
• CTF Write-ups
  • challenge-0521.intigriti.io
  • Try Hack Me
    • hc0n Christmas CTF - 2019
    • Pickle Rick
• 1911 - Pentesting fox
• Online Platforms with API
• Stealing Sensitive Information Disclosure from a Web
• Post Exploitation

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.