Last active
April 16, 2024 07:01
-
-
Save queencitycyber/58f4b24a5ec5402e7395b665e33aeb26 to your computer and use it in GitHub Desktop.
Resources
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Mostly older shit from '17-'20. Some good, some stale. Posting here for posterity. | |
| Pulled from my private Workflowy repo. | |
| ====================================== | |
| hackery (@Section31D) | |
| - Penetration Testing/Assessment Workflow | |
| "& other fun infosec stuff | |
| *My attempt to organize (in a somewhat logical fashion) the vast amount of information, tools, resources, tip and tricks surrounding penetration testing, vulnerability assessment, and information security as a whole*" | |
| - Reconnaissance | |
| - Start here | |
| - Graphical Analyzer - https://webbreacher.com/2018/06/24/introducing-osint-yoga/ | |
| - http://osintframework.com/ | |
| - https://start.me/p/m6XQ08/osint | |
| - Passive/Semi-Passive | |
| - Tools | |
| - Discover - https://github.com/leebaird/discover | |
| - Third Party Resources | |
| - Large Framework - http://osintframework.com/ | |
| - Locate Target Range | |
| - ARIN - https://www.arin.net/ | |
| - Fingerprint Domain/Website | |
| - Extended Network Information | |
| - Central Ops - https://centralops.net/co/DomainDossier.aspx | |
| - Robtex - https://www.robtex.net/ | |
| - Metasploit Scanning | |
| - auxiliary/scanner/* | |
| - portscan/tcp | |
| - http/http_version | |
| - http/tomcat_enum | |
| - http/trace_axd | |
| - Google - site:<result from above> filetype:axd OR inurl:trace.axd | |
| - Shodan - https://www.shodan.io/ | |
| - https://pen-testing.sans.org/blog/2015/12/08/effective-shodan-searches/ | |
| - Censys - https://www.censys.io/ | |
| - Zoomeye - https://www.zoomeye.org | |
| - Netcraft - https://www.netcraft.com/ | |
| - DNS Enumeration/Information | |
| - DNSdumpster - https://dnsdumpster.com/ | |
| - Subli3ster - https://github.com/aboul3la/Sublist3r | |
| - Social Media | |
| - https://socialbearing.com/search/ | |
| - Command Line Recon | |
| - Network Information | |
| - nslookup <target> | |
| - dig <target> | |
| - Security Mechanisms | |
| - Halberd - Identify HTTP load balancers | |
| - https://github.com//jmbr/halberd | |
| - Metadata | |
| - exiftool | |
| - strings | |
| - strings -e b (big endian) OR -e l (little endian) | |
| - Just-Metadata | |
| - https://github.com/ChrisTruncer/Just-Metadata | |
| - People Search | |
| - Yahoo People Search - http://itools.com/tool/yahoo-people-search | |
| - Switchboard - http://www.switchboard.com/person | |
| - Google Finance - https://www.google.com/finance | |
| - Zaba - http://www.zabasearch.com/ | |
| - Active | |
| - Guides | |
| - https://github.com/ehsahil/recon-my-way | |
| - https://blog.it-securityguard.com/visual-recon-a-beginners-guide/ | |
| - Command Line Recon Tools | |
| - General Recon | |
| - Recon-NG - https://bitbucket.org/LaNMaSteR53/recon-ng | |
| - Automated with https://github.com/jhaddix/domain | |
| - Domain/Subdomain Enumeration/Information | |
| - Quick Site: https://findsubdomains.com/ | |
| - https://0xpatrik.com/subdomain-enumeration-2019/ | |
| - Google - https://transparencyreport.google.com/https/certificates | |
| - CTSearch - https://github.com/llamasoft/CTSearch | |
| - Subli3ster - https://github.com/aboul3la/Sublist3r | |
| - SubFinder - https://github.com/subfinder/subfinder | |
| - amass - https://github.com/caffix/amass | |
| - Fierce - https://github.com/mschwager/fierce | |
| - EyeWitness - https://github.com/ChrisTruncer/EyeWitness | |
| - dnssearch - https://github.com/evilsocket/dnssearch | |
| - Altdns - https://github.com/infosec-au/altdns | |
| - Best List - https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056 | |
| - Nmap | |
| - nmap -Pn -sSU -sV --top-ports 20 <target> | |
| - Create Custom Worldlist | |
| - cewl - https://digi.ninja/projects/cewl.php | |
| - wget - http://wiki.securityweekly.com/wiki/index.php/Episode129 | |
| - Tools | |
| - WPS (Wi-Fi) Information Gathering | |
| - https://www.coresecurity.com/corelabs-research/open-source-tools/wpsig | |
| - Automating Various Pentesting Tasks | |
| - Viper - https://github.com/chrismaddalena/viper | |
| - Sniper - https://blackarch.org/tools.html | |
| - iPwn - https://github.com/altjx/ipwn | |
| - pyFOCA - Python version of FOCA | |
| - https://github.com/altjx/ipwn#user-content-pyfoca | |
| - truffleHog - https://github.com/dxa4481/truffleHog | |
| - Github | |
| - Best - https://github.com/anshumanbh/git-all-secrets | |
| - Dorks - https://github.com/techgaun/github-dorks | |
| - Repo Info - https://github.com/koto/gitpillage | |
| - Discover - https://github.com/leebaird/discover | |
| - CloudFail - https://github.com/m0rtem/CloudFail | |
| - Automate Various Tasks | |
| - Photon - https://github.com/s0md3v/Photon | |
| - BlackWidow - https://github.com/1N3/BlackWidow | |
| - GUI | |
| - FOCA - https://www.elevenpaths.com/labstools/foca/index.html | |
| - EvilFOCA - https://github.com/ElevenPaths/EvilFOCA | |
| - Maltego - http://sectools.org/tool/maltego/ | |
| - Dirbuster - http://sectools.org/tool/dirbuster/ | |
| - Misc. | |
| - Sending fake emails - http://hackanddefense.com/blog/how-to-send-fake-emails/index.html | |
| - Google Searching | |
| - site:"target name" jobs,careers,openings,etc | |
| - intitle:"index of <Keyword>" | |
| - Keyword | |
| - .bash_history | |
| - etc/shadow | |
| - finances.xls(x) | |
| - htpasswd | |
| - inurl:maillog | |
| - site:*.edu filetype:*.bak OR <keyword> | |
| - Keyword | |
| - *.conf | |
| - *.backup | |
| - Phishing | |
| - Initial Access Techniques | |
| - Malicious Office XLS macros | |
| - https://www.shellntel.com/blog/2016/9/13/luckystrike-a-database-backed-evil-macro-generator | |
| - Transform EXE into PPT - https://github.com/r00t-3xp10it/backdoorppt | |
| - Basic Auth using HTML and Word | |
| - https://securitycafe.ro/2017/09/06/phishy-basic-authentication-prompts/ | |
| - Office Document Properties | |
| - https://stealingthe.network/executing-metasploit-empire-payloads-from-ms-office-document-properties-part-1-of-2/ | |
| - https://www.blackhillsinfosec.com/hide-payload-ms-office-document-properties/ | |
| - Important: Immediately pivot from initial host | |
| - Frameworks | |
| - Modlishka - https://github.com/drk1wi/Modlishka | |
| - Evilginx - https://github.com/kgretzky/evilginx2 | |
| - GoPhish - https://github.com/gophish/gophish | |
| - Phishing Frenzy - https://www.phishingfrenzy.com/ | |
| - King Phisher - https://github.com/securestate/king-phisher | |
| - FiercePhish - https://github.com/Raikia/FiercePhish | |
| - Empire - https://enigma0x3.net/2016/03/15/phishing-with-empire/ | |
| - Reverse Proxy - http://www.chokepoint.net/2017/03/reverse-proxy-phishing-with-valid.html | |
| - Mercure - https://github.com/atexio/mercure | |
| - Tools for Internal Use | |
| - Basic AUTH credential harvesting - https://github.com/ryhanson/phishery | |
| - Enumeration | |
| - Internal | |
| - Scanning | |
| - AD Enumeration | |
| - AD Info - https://github.com/NetSPI/goddi | |
| - User enumeration - https://www.attackdebris.com/?p=470 | |
| - Map Internal Network | |
| - Command Line Tools | |
| - http://www.0daysecurity.com/pentest.html | |
| - arp -a | |
| - ip neigh show | |
| - smbtree -NS 2>/dev/null | |
| - nbtscan -r <current_IPrange> | |
| - netdiscover -r <current_IPrange> | |
| - nmap -n -Pn -T5 -sS <current_IPrange> | |
| - nmap NSE scripts | |
| - NFS | |
| - SMB | |
| - SMB | |
| - SMBSpider - https://github.com/altjx/ipwn#user-content-smbspider | |
| - More - https://pen-testing.sans.org/blog/2013/07/24/plundering-windows-account-info-via-authenticated-smb-sessions | |
| - Find Routers - https://github.com/pentestmonkey/gateway-finder | |
| - User-focused | |
| - Automato - https://github.com/skahwah/automato | |
| - Automated | |
| - https://github.com/Tib3rius/AutoRecon | |
| - Pivoting | |
| - Port Forwarding/Pivoting | |
| - Windows - http://woshub.com/port-forwarding-in-windows/ | |
| - https://bitrot.sh/cheatsheet/14-12-2017-pivoting/ | |
| - https://justpentest.blogspot.in/2015/07/port-forwarding-and-pivoting.html | |
| - https://nullsweep.com/pivot-cheatsheet-for-pentesters/ | |
| - SSH Proxy Tunneling with Proxychain | |
| - Jump Host - https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Jump_Hosts_--_Passing_Through_a_Gateway_or_Two | |
| - Tunneling - https://www.taos.com/advanced-ssh-tunneling/ | |
| - External | |
| - Scanning | |
| - Start here | |
| - Read - https://github.com/appsecco/the-art-of-subdomain-enumeration | |
| - Tool List - https://docs.google.com/document/d/1eVPh6jNn3jZbnHZitevbSSe9GDoi7PmrolfGv7FQdow/ | |
| - Google - https://transparencyreport.google.com/https/certificates | |
| - CTSearch - https://github.com/llamasoft/CTSearch | |
| - Easy site: https://findsubdomains.com/ | |
| - amass - https://github.com/caffix/amass | |
| - List - https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056 | |
| - Automation | |
| - Spartan - https://github.com/Mad-robot/Spartan | |
| - Vulnerability Scanning | |
| - CeleryStalk - https://github.com/sethsec/celerystalk | |
| - Masscan - https://github.com/robertdavidgraham/masscan | |
| - Unicornscan - http://sectools.org/tool/unicornscan/ | |
| - Git Repo | |
| - https://github.com/koto/gitpillage | |
| - OneTwoPunch | |
| - Combines nmap and unicorn scan https://github.com/superkojiman/onetwopunch/blob/master/onetwopunch.sh | |
| - SQL Vulnerability Scanning | |
| - sqlmap - https://github.com/sqlmapproject/sqlmap | |
| - Intro - https://vavkamil.cz/2019/10/09/understanding-the-full-potential-of-sqlmap-during-bug-bounty-hunting/ | |
| - Advanced - http://www.thegreycorner.com/2017/01/exploiting-difficult-sql-injection.html | |
| - sqlmate - https://github.com/UltimateHackers/sqlmate | |
| - sqliv - https://github.com/Hadesy2k/sqliv | |
| - Whitewidow - https://github.com/WhitewidowScanner/whitewidow | |
| - NoSQL Vulnerability Scanning | |
| - Framework - https://github.com/torque59/Nosql-Exploitation-Framework | |
| - Wireless | |
| - Client Sniffing - https://pen-testing.sans.org/blog/2011/10/13/special-request-wireless-client-sniffing-with-scapy | |
| - AWS | |
| - Fingerprinting - https://andresriancho.github.io/nimbostratus/ | |
| - AWSBucketDump - https://github.com/jordanpotti/AWSBucketDump | |
| - S3 Buckets - https://github.com/bbb31/slurp | |
| - Visualize - https://duo.com/blog/introducing-cloudmapper-an-aws-visualization-tool | |
| - Exploitation | |
| - External | |
| - IPv6 | |
| - IPv6 Attack Toolkit - https://github.com/vanhauser-thc/thc-ipv6 | |
| - Attack Windows | |
| - Full Guides | |
| - http://resources.infosecinstitute.com/wp-content/uploads/Network-Fingerprinting-and-Exploitation1.pdf | |
| - Attack Linux | |
| - Full Guides | |
| - http://resources.infosecinstitute.com/wp-content/uploads/Network-Fingerprinting-and-Exploitation1.pdf | |
| - Attack Web Applications | |
| - Wiki - https://appsecwiki.com/#/ | |
| - Recon | |
| - https://medium.com/securityescape/recon-my-way-82b7e5f62e21 | |
| - Full Attack Frameworks/Scanners | |
| - Offensive Web Testing Framework - https://owtf.github.io/ | |
| - Web2attack - https://github.com/santatic/web2attack | |
| - Wordpress Exploitation Framework | |
| - https://github.com/rastating/wordpress-exploit-framework | |
| - WPForce - https://github.com/n00py/WPForce | |
| - Cheatsheet - https://github.com/ethicalhack3r/wordpress_plugin_security_testing_cheat_sheet | |
| - EaST - Exploits And Security Tool Framework | |
| - https://github.com/C0reL0ader/EaST | |
| - TIDoS - https://github.com/the-Infected-Drake/TIDoS-Framework | |
| - Wordpress | |
| - Vuln Scanner - https://github.com/m4ll0k/WPSeku | |
| - Burp Extension - https://github.com/kacperszurek/burp_wp | |
| - Steal HTTP/S Session Cookies | |
| - https://github.com/EnableSecurity/surfjack | |
| - Automatic XSS Payload Generator | |
| - XSSLess - https://github.com/mandatoryprogrammer/xssless | |
| - XSStrike - https://github.com/UltimateHackers/XSStrike | |
| - XSS Scanner | |
| - xsscrapy - https://github.com/DanMcInerney/xsscrapy | |
| - Burp XSS Plugin | |
| - https://github.com/elkokc/reflector | |
| - XSS/Bypass Techniques | |
| - Exploiting XSS and CSRF | |
| - http://apprize.info/linux/penetration/7.html | |
| - Beat XSS Filters | |
| - http://brutelogic.com.br/blog/the-easiest-way-to-bypass-xss-mitigations/ | |
| - XSS Cheatsheet | |
| - https://portswigger.net/web-security/cross-site-scripting/cheat-sheet | |
| - http://brutelogic.com.br/blog/cheat-sheet/ | |
| - CSRF/Bypass Techniques | |
| - https://haiderm.com/10-methods-to-bypass-cross-site-request-forgery-csrf/ | |
| - http://apprize.info/linux/penetration/7.html | |
| - Attack WAF | |
| - Wiki - https://github.com/0xInfection/Awesome-WAF | |
| - Lightbulb - https://github.com/lightbulb-framework/lightbulb-framework | |
| - WAFNinja - https://github.com/khalilbijjou/WAFNinja | |
| - My Guide: http://pastebin.com/bUrGCYxE | |
| - WAF Bypass | |
| - http://securityidiots.com/Web-Pentest/WAF-Bypass/waf-bypass-guide-part-1.html | |
| - WAF Payloads - https://github.com/swisskyrepo/PayloadsAllTheThings | |
| - Attack BASIC Auth | |
| - Burp - http://www.smeegesec.com/2012/02/attacking-basic-authentication-with.html | |
| - Ncrack (supports multiple protocols) - https://nmap.org/ncrack/ | |
| - Crossdomain.xml | |
| - https://github.com/sethsec/crossdomain-exploitation-framework | |
| - https://github.com/gursev/flash-xdomain-xploit | |
| - https://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html | |
| - https://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html | |
| - Attack Web Vulnerabilities | |
| - Full Guide | |
| - https://docs.google.com/document/d/101EsKlu41ICdeE7mEv189SS8wMtcdXfRtua0ClYjP1M/edit | |
| - Command Injection | |
| - Framework - https://github.com/commixproject/commix | |
| - Payloads - https://github.com/PortSwigger/command-injection-attacker | |
| - Directory Traversal - https://github.com/jcesarstef/dotdotslash | |
| - LDAP Injection | |
| - https://pen-testing.sans.org/blog/2017/11/27/understanding-and-exploiting-web-based-ldap | |
| - LFI | |
| - https://github.com/rtcrowley/fi-cyberspace-scan | |
| - psychoPATH (LFI) - https://github.com/PentestLtd/psychoPATH | |
| - LFI Suite - https://github.com/D35m0nd142/LFISuite | |
| - HTTP PUT - http://www.smeegesec.com/2014/10/detecting-and-exploiting-http-put-method.html | |
| - Methodologies | |
| - https://blog.zsec.uk/ltr101-methodologies/ | |
| - https://www.slideshare.net/bugcrowd/ekoparty-2017-the-bug-hunters-methodology | |
| - Attack Browsers | |
| - Solid Wiki - https://www.it-sec-catalog.info/browser_exploitation.html | |
| - Attack OWA/Exchange | |
| - Malicious Outlook Rules - https://silentbreaksecurity.com/malicious-outlook-rules/ | |
| - Ruler - Abuse Exchange services - https://github.com/sensepost/ruler | |
| - MailSniper - Search users mailbox - http://www.blackhillsinfosec.com/?p=5296 | |
| - Attack Routers | |
| - Router Exploitation Framework | |
| - https://github.com/reverse-shell/routersploit | |
| - Using Burp | |
| - https://www.cybrary.it/0p3n/pentesting-routers-1-dictionary-attack-burp-suite/ | |
| - Attack Databases | |
| - MongoDB | |
| - Mongo Audit - https://github.com/stampery/mongoaudit | |
| - SAP/ERP | |
| - SAP - https://erpscan.com/tag/sap-penetration-testing/ | |
| - NoSQL | |
| - Framework - https://github.com/torque59/Nosql-Exploitation-Framework | |
| - Attack RDP | |
| - MitM RDP Connections | |
| - https://github.com/SySS-Research/Seth | |
| - Attack AWS | |
| - Framework - https://rhinosecuritylabs.com/aws/pacu-open-source-aws-exploitation-framework/ | |
| - Finding Vulns - https://rhinosecuritylabs.com/password/aws-security-vulnerabilities-and-the-attackers-perspective/ | |
| - More - https://rhinosecuritylabs.com/penetration-testing/penetration-testing-aws-storage/ | |
| - Security Primer - https://cloudonaut.io/aws-security-primer/ | |
| - Attack Printers | |
| - Wiki - http://hacking-printers.net/wiki/index.php/Main_Page | |
| - Toolkit - https://github.com/RUB-NDS/PRET | |
| - Attack Apache | |
| - Struts - https://github.com/s1kr10s/Struts2Shell | |
| - Web Vulnerability Scanners | |
| - Burp - https://portswigger.net/burp/ | |
| - Collection of Extensions - https://twitter.com/Alra3ees/status/1038838385106976769 | |
| - Tips - https://www.coalfire.com/The-Coalfire-Blog/June-2018/ProTips-Testing-Applications-Using-Burp-and-More | |
| - https://paper.dropbox.com/doc/Day-of-Shecurity-2018-F4R9A8LTNLIF4JXUoMO5j | |
| - Author's Guide: http://pastebin.com/nNHYP9Jd | |
| - Hunt for Vulns - https://github.com/bugcrowd/HUNT | |
| - Enumerate Application Endpoints - https://github.com/aur3lius-dev/SpyDir/ | |
| - https://blog.zsec.uk/ltr101-burp-suite-intro/ | |
| - http://www.lanmaster53.com/burp-visual-aids/ | |
| - https://github.com/allfro/BurpKit | |
| - https://github.com/federicodotta/Java-Deserialization-Scanner | |
| - https://github.com/pathetiq/BurpSmartBuster | |
| - Wapiti http://wapiti.sourceforge.net/ | |
| - w3af - http://w3af.org/ | |
| - Nikto - https://cirt.net/Nikto2 | |
| - Nikto Inside Browser - http://blog.websecurify.com/2017/05/nikto-in-your-browser.html | |
| - Nginx scanner - https://github.com/yandex/gixy | |
| - pyfiscan - https://github.com/fgeek/pyfiscan | |
| - v3n0M - https://github.com/v3n0m-Scanner/V3n0M-Scanner | |
| - BlackWidow - https://github.com/1N3/BlackWidow | |
| - Command Line Tools | |
| - CMSmap | |
| - https://github.com/Dionach/CMSmap | |
| - WPscan | |
| - https://wpscan.org/ | |
| - Joomscan | |
| - https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project | |
| - Wireless Exploitation | |
| - Wireless Testing | |
| - Nzyme - https://wtf.horse/2017/10/02/introducing-nzyme-wifi-802-11-frame-recording-and-forensics/ | |
| - Wireless Pentesting w/Docker - https://foxglovesecurity.com/2016/02/24/when-whales-fly-building-a-wireless-pentest-environment-using-docker/ | |
| - Evil Twin | |
| - https://haxf4rall.com/2017/11/23/eaphammer-toolkit-for-performing-targeted-evil-twin-attacks/ | |
| - AirVentriloquest - Aircrack patch for WPA/2 packet injection | |
| - https://github.com/Caesurus/airventriloquist | |
| - Fluxion - MiTM WPA/2 Networks | |
| - https://github.com/deltaxflux/fluxion | |
| - WifiPhisher - MiTM Rogue AP | |
| - https://github.com/sophron/wifiphisher | |
| - PRISM - MiTM Rogue AP | |
| - https://github.com/1N3/PRISM-AP | |
| - MiTM Router | |
| - https://github.com/brannondorsey/mitm-router | |
| - EvilNGINX - https://github.com/kgretzky/evilginx | |
| - https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/ | |
| - Crack WPA/2 | |
| - Automate - https://github.com/tehw0lf/airbash | |
| - http://blog.x1622.com/2017/01/how-to-crack-wlan-wpawpa2-pre-shared.html | |
| - BoopSuite - https://github.com/M1ND-B3ND3R/BoopSuite | |
| - Roguesploit - https://h0nus.github.io/RogueSploit/ | |
| - Attack Mobile (Cellular) Networks | |
| - SiGploit - https://github.com/SigPloiter/SigPloit | |
| - ss7MAPer - https://insinuator.net/2016/02/ss7maper-a-ss7-pen-testing-toolkit/ | |
| - Internal | |
| - IPv6 | |
| - IPv6 Attack Toolkit - https://github.com/vanhauser-thc/thc-ipv6 | |
| - Bypass - https://github.com/milo2012/ipv4Bypass | |
| - MiTM6 - https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/ | |
| - SuddenSix - https://github.com/Neohapsis/suddensix | |
| - LAN Attacks | |
| - LOLBAS - Living Off The Land Binaries And Scripts | |
| - Full - https://github.com/api0cradle/LOLBAS | |
| - ADS | |
| - Execute - https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ | |
| - Execute - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f | |
| - More - https://blog.varonis.com/the-malware-hiding-in-your-windows-system32-folder-part-iii-certutil-and-alternate-data-streams/ | |
| - Intro - https://liberty-shell.com/sec/2018/10/20/living-off-the-land/ | |
| - Web Page - https://lolbas-project.github.io/ | |
| - Full - https://github.com/api0cradle/LOLBAS | |
| - Attack Windows | |
| - Cheatsheet | |
| - https://m0chan.github.io/2019/07/30/Windows-Notes-and-Cheatsheet.html | |
| - Attack Active Directory | |
| - Wiki - https://adsecurity.org/ | |
| - DCShadow - https://blog.alsid.eu/dcshadow-explained-4510f52fc19d | |
| - Workflow - https://github.com/infosecn1nja/AD-Attack-Defense | |
| - Presentations/Slides | |
| - https://adsecurity.org/wp-content/uploads/2018/05/2018-NolaCon-Metcalf-ActiveDirectorySecurityTheJourney.pdf | |
| - https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments | |
| - Persistence/Evasion | |
| - Persistence | |
| - https://adsecurity.org/?p=1929 | |
| - Scripts - https://github.com/TestingPens/MalwarePersistenceScripts | |
| - Both - https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/ | |
| - Blood Hound - https://github.com/adaptivethreat/BloodHound | |
| - Automating - https://byt3bl33d3r.github.io/automating-the-empire-with-the-death-star-getting-domain-admin-with-a-push-of-a-button.html | |
| - NTLM Relaying - https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html | |
| - Automate Blood Hound - https://github.com/mdsecactivebreach/ANGRYPUPPY | |
| - Extending - https://speakerdeck.com/porterhau5/extending-bloodhound-for-red-teamers | |
| - Guide - https://www.ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf | |
| - CrackMapExec - https://github.com/byt3bl33d3r/CrackMapExec | |
| - Intro - https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html | |
| - Use case - https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html | |
| - EmPyre - http://www.rvrsh3ll.net/blog/empyre/empyre-engaging-active-directory/ | |
| - Attack Methods -> Domain Admin | |
| - https://adsecurity.org/?p=2362 | |
| - Attacking Domain Trusts | |
| - https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944 | |
| - Misc Tools/Scripts | |
| - https://github.com/hausec/ADAPE-Script | |
| - https://github.com/DanMcInerney/icebreaker | |
| - https://github.com/0xdea/tactical-exploitation | |
| - Attack Kerberos | |
| - Protocol Info - https://adsecurity.org/?p=227 | |
| - Attacking Kerberos | |
| - https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf | |
| - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html | |
| - https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments | |
| - https://www.tarlogic.com/en/blog/how-to-attack-kerberos/ | |
| - Attack Kerberos w/o Mimikatz | |
| - http://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/ | |
| - Roasting AS-REPS | |
| - http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ | |
| - Kerberos Party Tricks | |
| - http://www.exumbraops.com/blog/2016/6/1/kerberos-party-tricks-weaponizing-kerberos-protocol-flaws | |
| - Attack Group Policy | |
| - Find Vulnerabilities | |
| - Using Powershell - https://github.com/l0ss/Grouper | |
| - Group Policy Preference Passwords | |
| - https://www.gracefulsecurity.com/privesc-group-policy-preference-passwords/ | |
| - Attack SQL Server | |
| - PowerUpSQL - https://github.com/NetSPI/PowerUpSQL | |
| - Attack MSSQL | |
| - MSDAT - https://github.com/quentinhardy/msdat | |
| - Server Agent Jobs - https://www.optiv.com/blog/mssql-agent-jobs-for-command-execution | |
| - Attack WSUS | |
| - WSUXploit - https://github.com/pimps/wsuxploit | |
| - Python | |
| - Command Line (Python Interpreter) | |
| - Scapy advanced network attacks | |
| - https://packetstormsecurity.com/files/36839/blackmagic.txt.html | |
| - Local Python Server | |
| - Serve Shells/Exploits | |
| - Python -M SimpleHTTPServer <port> | |
| - Python TTY Reverse Shell IPv6 | |
| - https://eelsivart.blogspot.com/2015/02/python-tty-reverse-shell-over-ipv6-one.html | |
| - Metasploit In-Memory Python Interpreter | |
| - https://github.com/rapid7/metasploit-framework/wiki/Python-Extension | |
| - Attack Tools | |
| - Responder - https://github.com/SpiderLabs/Responder | |
| - SOCKS - https://www.coresecurity.com/blog/playing-relayed-credentials | |
| - Impacket - https://github.com/CoreSecurity/impacket | |
| - SMBExec - https://github.com/pentestgeek/smbexec | |
| - SMBSpider | |
| - https://github.com/altjx/ipwn#user-content-smbspider | |
| - RedSnarf - https://github.com/nccgroup/redsnarf | |
| - Basic AUTH credential harvesting | |
| - https://github.com/ryhanson/phishery | |
| - WCE | |
| - http://www.ampliasecurity.com/research/windows-credentials-editor/ | |
| - Metasploit In-Memory Python Interpreter | |
| - https://github.com/rapid7/metasploit-framework/wiki/Python-Extension | |
| - Packet Crafting | |
| - Scapy | |
| - https://thesprawl.org/research/scapy/ | |
| - Impacket | |
| - https://www.coresecurity.com/corelabs-research/open-source-tools/impacket | |
| - Powershell | |
| - PowerSploit - https://github.com/PowerShellMafia/PowerSploit | |
| - More - https://www.hackingloops.com/powersploit-quick-shell-for-penetration-testing/ | |
| - EmPyre - http://www.rvrsh3ll.net/blog/empyre/empyre-engaging-active-directory/ | |
| - Bypass UAC - https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC | |
| - | |
| - Network Protocol Vulns - https://bitbucket.org/Super68/networkrecon/ | |
| - PsExec | |
| - http://techgenix.com/PsExec-Nasty-Things-It-Can-Do/ | |
| - Lateral Movement | |
| - DCOM Lateral Movement - https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ | |
| - WMI - https://conference.hitb.org/hitbsecconf2018ams/materials/D2T1%2520-%2520Philip%2520Tsukerman%2520-%2520Expanding%2520Your%2520WMI%2520Lateral%2520Movement%2520Arsenal.pdf | |
| - Various Techniques - https://bitrot.sh/cheatsheet/14-12-2017-pivoting/ | |
| - Piv - thttp://www.fuzzysecurity.com/tutorials/25.html | |
| - Attack Printers | |
| - Wiki - http://hacking-printers.net/wiki/index.php/Main_Page | |
| - Toolkit - https://github.com/RUB-NDS/PRET | |
| - Attack Protocols | |
| - NFS - https://pentestacademy.wordpress.com/2017/09/20/nfs/ | |
| - TFTP - https://github.com/EnableSecurity/tftptheft | |
| - SIP - https://github.com/EnableSecurity/sipvicious | |
| - SNMP - https://github.com/SECFORCE/SNMP-Brute | |
| - LDAP - https://github.com/ropnop/windapsearch | |
| - https://github.com/dirkjanm/ldapdomaindump | |
| - Attack RDP | |
| - MiTM RDP Connections | |
| - https://github.com/SySS-Research/Seth | |
| - Attack ICS/SCADA | |
| - Framework - https://github.com/dark-lbp/isf | |
| - Map/Display - https://github.com/iadgov/GRASSMARLIN | |
| - Resources - https://github.com/hslatman/awesome-industrial-control-system-security | |
| - Privilege Escalation | |
| - Windows | |
| - Start Here - https://rmusser.net/docs/Privilege%20Escalation%20&%20Post-Exploitation.html#privescwin | |
| - https://guif.re/windowseop | |
| - Guide - https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/ | |
| - https://github.com/AlessandroZ/BeRoot/tree/master/Windows | |
| - Powershell & C# - https://decoder.cloud/2018/02/02/getting-system/ | |
| - NTLM Relay/NBNS Spoofing - https://foxglovesecurity.com/2016/01/16/hot-potato/ | |
| - Linux/Unix | |
| - Tons - https://rmusser.net/docs/Privilege%20Escalation%20&%20Post-Exploitation.html#linpriv | |
| - Various exploits - https://github.com/FuzzySecurity/Unix-PrivEsc | |
| - LinEnum- https://github.com/rebootuser/LinEnum | |
| - Unix-privesc-check - http://pentestmonkey.net/tools/audit/unix-privesc-check | |
| - https://github.com/AlessandroZ/BeRoot/tree/master/Linux | |
| - Priv Esc/Enumeration - https://www.rebootuser.com/?p=1623 | |
| - Linux_Exploit_Suggester - https://github.com/PenturaLabs/Linux_Exploit_Suggester | |
| - Local Root Exploits - https://github.com/EnigmaDimitri/LARE | |
| - Auto Root Exploit - https://github.com/nilotpalbiswas/Auto-Root-Exploit | |
| - Misc - https://rmusser.net/docs/Privilege%20Escalation%20&%20Post-Exploitation.html | |
| - Lateral Movement/Pivoting | |
| - Lateral Movement | |
| - SSH Pivoting | |
| - Jump Host - https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Jump_Hosts_--_Passing_Through_a_Gateway_or_Two | |
| - Tunneling - https://www.taos.com/advanced-ssh-tunneling/ | |
| - SOCKS | |
| - NTLMRelayx - https://www.coresecurity.com/blog/playing-relayed-credentials | |
| - DCOM Lateral Movement - https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ | |
| - WMI - https://conference.hitb.org/hitbsecconf2018ams/materials/D2T1%2520-%2520Philip%2520Tsukerman%2520-%2520Expanding%2520Your%2520WMI%2520Lateral%2520Movement%2520Arsenal.pdf | |
| - SMB | |
| - https://blog.ropnop.com/using-credentials-to-own-windows-boxes/ | |
| - Various Techniques - https://bitrot.sh/cheatsheet/14-12-2017-pivoting/ | |
| - https://nullsweep.com/pivot-cheatsheet-for-pentesters/ | |
| - Pivt - http://www.fuzzysecurity.com/tutorials/25.html | |
| - Port Forwarding | |
| - Windows - http://woshub.com/port-forwarding-in-windows/ | |
| - https://justpentest.blogspot.in/2015/07/port-forwarding-and-pivoting.html | |
| - MiTM | |
| - Frameworks | |
| - Bettercap | |
| - https://miloserdov.org/?p=1112 | |
| - MITMf - https://github.com/byt3bl33d3r/MITMf | |
| - Xerosploit - https://github.com/LionSec/xerosploit | |
| - EvilNGINX - https://github.com/kgretzky/evilginx | |
| - https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/ | |
| - snuff - https://github.com/superkojiman/snuff | |
| - Extract Juicy Stuff | |
| - https://github.com/lgandx/PCredz | |
| - Bypass AV/IDS/App Whitelisting/UAC | |
| - Bypass AV | |
| - CertUtil - https://www.coalfire.com/The-Coalfire-Blog/May-2018/PowerShell-In-Memory-Injection-Using-CertUtil-exe | |
| - OWASP ZSC - https://www.hackers-arise.com/single-post/2017/05/03/How-to-Evade-AV-with-OWASP-ZSC-Part-1 | |
| - Run Mimikatz - http://www.blackhillsinfosec.com/?p=5555 | |
| - Bypass Digital Signatures | |
| - Hijack - https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/ | |
| - Bypass Sysinternals | |
| - Using Env. Variables - http://www.hexacorn.com/blog/2018/01/04/yet-another-way-to-hide-from-sysinternals-tools/ | |
| - Egressing Bluecoat with CobaltStrike | |
| - https://cybersyndicates.com/2016/12/egressing-bluecoat-with-cobaltstike-letsencrypt/ | |
| - Beaconpire | |
| - https://bluescreenofjeff.com/2016-11-29-beaconpire-cobalt-strike-and-empire-interoperability-with-aggressor-script/ | |
| - Bypass App Whitelisting | |
| - InstallUtil - https://www.blackhillsinfosec.com/how-to-bypass-application-whitelisting-av/ | |
| - RSCI - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/ | |
| - "Fileless" UAC Bypass | |
| - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ | |
| - Download/Execute Code via Command Line | |
| - Windows - https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/ | |
| - https://www.greyhathacker.net/?p=500 | |
| - Code Caves/Payload Injection | |
| - Cave Miner - https://github.com/Antonin-Deniau/cave_miner | |
| - Misc | |
| - Embed PS inside image - https://github.com/peewpw/Invoke-PSImage | |
| - Reverse Shells | |
| - Reverse ICMP Shell - https://github.com/commonexploits/icmpsh | |
| - Windows - https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/ | |
| - http://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html | |
| - https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ | |
| - http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet | |
| - https://highon.coffee/blog/reverse-shell-cheat-sheet/ | |
| - Attack Routers | |
| - Router Exploitation Framework | |
| - https://github.com/reverse-shell/routersploit | |
| - Using Burp | |
| - https://www.cybrary.it/0p3n/pentesting-routers-1-dictionary-attack-burp-suite/ | |
| - AIX | |
| - https://thevivi.net/2017/03/19/aix-for-penetration-testers/ | |
| - Physical Attacks | |
| - NFC | |
| - Intro - https://salmg.net/2017/09/12/intro-to-analyze-nfc-contactless-cards/ | |
| - Bruteforcing - https://salmg.net/2017/09/29/nfc-contactless-cards-brute-forcing-processing-options/ | |
| - IoT | |
| - List of Hacks - https://github.com/nebgnahz/awesome-iot-hacks | |
| - Find Exploits | |
| - Web | |
| - Shodan - https://exploits.shodan.io/welcome | |
| - Exploit-db - https://www.exploit-db.com/ | |
| - From command line: https://www.exploit-db.com/searchsploit/ | |
| - 0Day - https://0day.today/ | |
| - Packet Storm - https://packetstormsecurity.com/files/tags/exploit | |
| - SecurityFocus - http://www.securityfocus.com/bid | |
| - SecurityTracker - http://securitytracker.com/ | |
| - Sploitus - https://sploitus.com/ | |
| - EaST Framework Exploits - http://eastexploits.com/ | |
| - SecList - http://seclist.us/category/exploits | |
| - VulnDB - https://vuldb.com/ | |
| - Vulners - https://vulners.com/#help | |
| - X-Force - https://exchange.xforce.ibmcloud.com/new | |
| - By Kernel Version - http://www.kmbl.us/les/working.php | |
| - CVE | |
| - PoC | |
| - List - https://github.com/qazbnm456/awesome-cve-poc | |
| - JS - https://github.com/tunz/js-vuln-db | |
| - NMap | |
| - https://github.com/Papitux/SlackStuff/tree/master/nmap-vulscan | |
| - Scan systems with NMap, parse output to: CVE's, CWE's and DPE's | |
| - https://github.com/NorthernSec/CVE-Scan | |
| - Import, manage, and search with a local MongoDB instance | |
| - https://github.com/cve-search/cve-search | |
| - Post-Exploitation | |
| - Attack Linux | |
| - LOLBAS - Living Off The Land Binaries And Scripts | |
| - Full - https://github.com/api0cradle/LOLBAS | |
| - Command Line Password Sniffing | |
| - Inspect Swap Space - https://github.com/sevagas/swap_digger | |
| - Tcpdump | |
| - https://neverendingsecurity.wordpress.com/2015/03/14/tcpdump-tutorial-sniffing-and-analysing-packets-from-the-commandline/ | |
| - https://danielmiessler.com/study/tcpdump/ | |
| - tcpdump -i eth0 port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep --i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=||name=|name:|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line- | |
| - Ngrep | |
| - ngrep -q -W byline "GET|POST HTTP" | |
| - Dsniff - https://github.com/tecknicaltom/dsniff | |
| - Netsh Trace (Windows only) - https://isc.sans.edu/diary/19409 | |
| - Network Authentication Cracking Tool - https://nmap.org/ncrack/ | |
| - Attack Windows | |
| - LOLBAS - Living Off The Land Binaries And Scripts | |
| - Full - https://github.com/api0cradle/LOLBAS | |
| - BYOL - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html | |
| - WMImplant - https://www.fortynorthsecurity.com/wmimplant-post-exploitation-an-introduction/ | |
| - Stealing/Cracking Passwords/Hashes | |
| - Steal | |
| - NTLM Sources | |
| - Various - https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/ | |
| - HTML - https://github.com/ShikariSenpai/Leak-NTLM-hash-via-HTML | |
| - PDF - https://github.com/rmdavy/badodf/ | |
| - Steal Stored Passwords | |
| - BrowserGather (PS) - https://github.com/sekirkity/BrowserGather | |
| - LaZagne (Python) - https://github.com/AlessandroZ/LaZagne | |
| - From dump files - https://github.com/AlessandroZ/LaZagneForensic | |
| - WCE -http://www.ampliasecurity.com/research/windows-credentials-editor/ | |
| - Extract Hashes from AD - https://blog.didierstevens.com/2016/07/13/ | |
| - SCF/SMB | |
| - http://www.sysadminjd.com/adv170014-ntlm-sso-exploitation-guide/ | |
| - PDF - https://github.com/rmdavy/badodf/ | |
| - Network Authentication Cracking Tool - https://nmap.org/ncrack/ | |
| - pysecdump - https://github.com/pentestmonkey/pysecdump | |
| - Windows Creds - https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/ | |
| - Network Password Recovery - http://www.nirsoft.net/utils/network_password_recovery.html | |
| - Crack | |
| - Crack Reg Creds - https://github.com/Neohapsis/creddump7 | |
| - Weak AD Creds - http://flemmingriis.com/get-badpasswords/ | |
| - https://github.com/ZilentJack/Get-bADpasswords | |
| - Windows Password Audit - https://blog.joelj.org/windows-password-audit-with-kali-linux/ | |
| - pysecdump - https://blog.didierstevens.com/2016/07/30/video-ntds-dit-extract-hashes-with-secretsdump-py/ | |
| - Hashcat - https://samsclass.info/123/proj10/px16-hashcat-win.htm | |
| - Network Authentication Cracking Tool - https://nmap.org/ncrack/ | |
| - Common Commands | |
| - http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html | |
| - Attack Mac | |
| - Empyre | |
| - http://www.harmj0y.net/blog/empyre/building-an-empyre-with-python/ | |
| - Attack Specific Software/Tools | |
| - Privilege Escalation | |
| - Splunk | |
| - http://threat.tevora.com/penetration-testing-with-splunk-leveraging-splunk-admin-credentials-to-own-the-enterprise/ | |
| - Extract Passwords | |
| - From Chrome - http://sekirkity.com/browsergather-part-1-fileless-chrome-credential-extraction-with-powershell/ | |
| - Various Software http://www.darknet.org.uk/2017/03/sessiongopher-session-extraction-tool/ | |
| - From Localhost - https://gist.github.com/SadProcessor/3c82c6d568f54d04199752d32db27ca3 | |
| - From Memory - https://github.com/giMini/PowerMemory | |
| - Password/Hash Cracking | |
| - Wordlists | |
| - https://github.com/praetorian-inc/Hob0Rules | |
| - https://github.com/praetorian-inc/Hob0Rules | |
| - https://weakpass.com/ | |
| - https://github.com/NotSoSecure/password_cracking_rules | |
| - https://github.com/berzerk0/Probable-Wordlists | |
| - https://weakpass.com/ | |
| - https://github.com/Mebus/cupp | |
| - http://wiki.securityweekly.com/wiki/index.php/Episode129 | |
| - https://adaywithtape.blogspot.com.au/2011/05/creating-wordlists-with-crunch-v30.html | |
| - https://wiki.skullsecurity.org/Passwords | |
| - https://box.init6.me/data/public/2042a9 | |
| - Password/Hash Cracking | |
| - Guides | |
| - Build Cracking Rig | |
| - http://www.netmux.com/blog/portable-cracking-rig | |
| - http://www.netmux.com/blog/how-to-build-a-password-cracking-rig | |
| - https://securimancy.com/password-cracking-rig/ | |
| - Cisco ASA | |
| - https://www.attackdebris.com/?p=451 | |
| - Cracking 12 Character Passwords | |
| - http://www.netmux.com/blog/cracking-12-character-above-passwords | |
| - Efficient Cracking | |
| - https://www.youtube.com/watch?v=76yTAPaFwM4 | |
| - Tools | |
| - PACK (crack/obtain stats/) - https://thesprawl.org/projects/pack/ | |
| - Hashcat - https://hashcat.net/hashcat/ | |
| - https://samsclass.info/123/proj10/px16-hashcat-win.htm | |
| - Windows Password Audit - https://blog.joelj.org/windows-password-audit-with-kali-linux/ | |
| - pysecdump - https://blog.didierstevens.com/2016/07/30/video-ntds-dit-extract-hashes-with-secretsdump-py/ | |
| - GPU Cracking | |
| - https://www.trustedsec.com/june-2016/introduction-gpu-password-cracking-owning-linkedin-password-dump/ | |
| - ZIP Cracking - https://blog.didierstevens.com/2017/05/11/crack-a-zip-password-and-fly-to-dubai/ | |
| - LUKS Cracking - https://blog.pnb.io/2018/02/bruteforcing-linux-full-disk-encryption.html | |
| - Keyboard Walk Cracking - https://github.com/Rich5/Keyboard-Walk-Generators | |
| - KeychainCracker - https://github.com/macmade/KeychainCracker | |
| - Web Services | |
| - CrackStation - https://crackstation.net/ | |
| - HashKiller - https://forum.hashkiller.co.uk/default.aspx | |
| - Attack Frameworks/Tools | |
| - PowerSploit - https://github.com/PowerShellMafia/PowerSploit | |
| - Empire - http://www.powershellempire.com/ | |
| - Armitage - http://www.fastandeasyhacking.com/manual | |
| - http://blog.cobaltstrike.com/2016/05/25/raffis-abridged-guide-to-cobalt-strike/ | |
| - Pwnd(dot)sh - https://github.com/SafeBreach-Labs/pwndsh | |
| - CrackMapExec | |
| - https://github.com/byt3bl33d3r/CrackMapExec/wiki | |
| - Intro - https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html | |
| - Use case - https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html | |
| - MITMf - https://github.com/byt3bl33d3r/MITMf | |
| - EvilNGINX - https://github.com/kgretzky/evilginx | |
| - https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/ | |
| - Generate Backdoors | |
| - FatRat - https://github.com/Screetsec/TheFatRatt | |
| - Privilege Escalation - Excellent Wiki - http://pwnwiki.io/#!index.md | |
| - Kernel Exploitation | |
| - KernelPOP - https://github.com/spencerdodd/kernelpop | |
| - Windows | |
| - Wiki - http://pwnwiki.io/#!privesc/windows/index.md | |
| - Guide - https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/ | |
| - Windows Exploit Suggester - https://github.com/GDSSecurity/Windows-Exploit-Suggester | |
| - More Exploit Suggester - https://github.com/411Hall/JAWS | |
| - WinPWNage - https://github.com/rootm0s/WinPwnage | |
| - SMB | |
| - Relay Attacks/Spoofing | |
| - Hot Potato - https://foxglovesecurity.com/2016/01/16/hot-potato/ | |
| - Chuckle | |
| - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/november/introducing-chuckle-and-the-importance-of-smb-signing/ | |
| - More - https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python | |
| - RDP | |
| - https://onedrive.live.com/view.aspx?resid=F32A9F4F1477E49!109&ithint=file%2cdocx&app=Word&authkey=!ANzQTrmsTXSK9FM | |
| - Sherlock - https://github.com/rasta-mouse/Sherlock | |
| - Standalone Executable | |
| - https://github.com/pentestmonkey/windows-privesc-check | |
| - Windows Missing Patches - https://pentestlab.blog/2017/04/24/windows-kernel-exploits/ | |
| - Various techniques/commands | |
| - Guide - https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/ | |
| - Privesc - https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc | |
| - Powershell & C# - https://decoder.cloud/2018/02/02/getting-system/ | |
| - https://helix.stormhub.org/data/Advanced%20Topics%20in%20Security/Lecture%20slides/Lecture%2010%20-%20Privilege%20Escalation.pdf | |
| - http://resources.infosecinstitute.com/wp-content/uploads/Post-Exploitation-without-Automated-Tools1.pdf | |
| - http://www.slideshare.net/riyazwalikar/windows-privilege-escalation | |
| - Linux/Unix | |
| - Various exploits - https://github.com/FuzzySecurity/Unix-PrivEsc | |
| - Linux Kernel Exploitation Techniques - https://github.com/xairy/linux-kernel-exploitation | |
| - Wiki - http://pwnwiki.io/#!privesc/linux/index.md | |
| - LinEnum- https://github.com/rebootuser/LinEnum | |
| - Unix-privesc-check - http://pentestmonkey.net/tools/audit/unix-privesc-check | |
| - Priv Esc/Enumeration - https://www.rebootuser.com/?p=1623 | |
| - Basic Linux Privilege Escalation | |
| - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ | |
| - Linux_Exploit_Suggester | |
| - https://github.com/PenturaLabs/Linux_Exploit_Suggester | |
| - Various techniques/commands | |
| - https://helix.stormhub.org/data/Advanced%20Topics%20in%20Security/Lecture%20slides/Lecture%2010%20-%20Privilege%20Escalation.pdf | |
| - https://room362.com/post/2011/2011-09-06-post-exploitation-command-lists/ | |
| - Exfiltration | |
| - Detection Capabilities | |
| - Egress-Assess | |
| - https://github.com/ChrisTruncer/Egress-Assess | |
| - Outbound Port Detection (find unfiltered outbound connections) | |
| - http://www.floyd.ch/?p=352 | |
| - Network Exfiltration | |
| - DNS | |
| - Best - https://github.com/TryCatchHCF/PacketWhisper | |
| - dnsteal - https://github.com/m57/dnsteal | |
| - DNS exfil with SQLi | |
| - https://pentest.blog/data-ex-filtration-with-dns-in-sqli-attacks/ | |
| - RDP | |
| - https://github.com/pentestpartners/PTP-RAT | |
| - ICMP | |
| - https://www.blackhillsinfosec.com/how-to-c2-over-icmp/ | |
| - Steg | |
| - https://github.com/maxfierke/fincher | |
| - Command Line | |
| - https://twitter.com/0rbz_/status/1079511612678119424 | |
| - Wireless Exfiltration | |
| - BSSID - https://www.peerlyst.com/posts/transferring-backdoor-payloads-with-bssid-by-wireless-traffic-damon-mohammadbagher | |
| - Mobile | |
| - Static | |
| - Source Code Review | |
| - https://pentesterlab.com/exercises/codereview/course | |
| - https://github.com/wireghoul/graudit | |
| - Dynamic | |
| - https://github.com/sensepost/objection | |
| - Forensic | |
| - Learning Resources | |
| - Blogs | |
| - Mubix - https://room362.com/ | |
| - OJ's Perspective - http://buffered.io/ | |
| - Carnal0wnage - http://carnal0wnage.attackresearch.com/ | |
| - Corelan - https://www.corelan.be/ | |
| - Daniel Miessler https://danielmiessler.com/information-security/ | |
| - NetSec Addict - http://netsec.ws/ | |
| - SecList - http://seclist.us/ | |
| - Notepad - https://bobloblaw.gitbooks.io/security/content/ | |
| - "Getting Started" | |
| - IT/General | |
| - Good - https://malicious.link/start/ | |
| - Security | |
| - http://www.pentester.tips/gettingstarted.html | |
| - https://bobloblaw.gitbooks.io/security/content/ | |
| - https://www.reddit.com/r/HowToHack/comments/2c8d1p/free_online_ethical_hacking_courses/ | |
| - Networking | |
| - http://networkingprogramming.com/1024x768/index.html | |
| - OSCP/OSCE | |
| - Reviews | |
| - https://justpentest.blogspot.com/2015/11/myOSCPreview.html | |
| - http://buffered.io/posts/oscp-and-me/ | |
| - https://pinkysplanet.net/reflection-on-passing-the-oscp/ | |
| - https://jivoi.github.io/2015/06/19/oscp-prepare/ | |
| - https://gnashsec.blogspot.com/2015/07/my-experience-with-pwk-and-oscp.html | |
| - https://www.jimwilbur.com/2017/07/oscp-review/ | |
| - Guides/Templates | |
| - Linux - https://github.com/xapax/oscp/blob/master/linux-template.md | |
| - Windows - https://github.com/xapax/oscp/blob/master/windows-template.md | |
| - https://github.com/BC93/msf_rc | |
| - OSCE | |
| - https://coffeegist.com/security/my-osce-review/ | |
| - Video Series/Channels | |
| - LiveOverflow - https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w | |
| - Pentestit - https://www.youtube.com/user/PentestITLab/videos | |
| - Hacking Labs/VMs | |
| - Microsoft Provided VMs | |
| - https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ | |
| - Web Apps | |
| - Web Security Labs - http://www.cis.syr.edu/~wedu/seed/web_security.html | |
| - 40 Vulnerable Sites | |
| - https://www.bonkersabouttech.com/security/40-plus-list-of-intentionally-vulnerable-websites-to-practice-your-hacking-skills/392 | |
| - DVWS - https://github.com/interference-security/DVWS | |
| - oxfat - https://0xf.at/ | |
| - Find more here | |
| - http://pastebin.com/0jC1BUiv | |
| - https://skydogcon.blogspot.com/p/learning-resources.html | |
| - https://blogs.sans.org/pen-testing/files/2013/06/PosterSide1.png | |
| - http://www.amanhardikar.com/mindmaps/practice-links.html | |
| - Specific Topic Learning | |
| - Web Application Security | |
| - Solid Methodology - http://blog.zsec.uk/ltr101-method-to-madness/ | |
| - Introduction (left hand side) - http://securityidiots.com/index.html | |
| - XSS | |
| - Start here - http://brutelogic.com.br/blog/xss101/ | |
| - Then here - https://excess-xss.com/ | |
| - Practice XSS - https://xss-game.appspot.com/level1 | |
| - VM - https://www.vulnhub.com/entry/pentester-lab-web-for-pentester,71/ | |
| - SQLi (SQL Injection) | |
| - http://attack.samsclass.info/sqlol-raw/search-raw.htm | |
| - https://spaceraccoon.dev/same-same-but-different-discovering-sql-injections-incrementally-with | |
| - Various Web Exploits - https://google-gruyere.appspot.com/part1 | |
| - Wiki - https://appsecwiki.com/#/ | |
| - Deserialization | |
| - Using Python - https://dan.lousqui.fr/explaining-and-exploiting-deserialization-vulnerability-with-python-en.html | |
| - Java - https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/ | |
| - Incident Response | |
| - Tools and Resources | |
| - https://github.com/meirwah/awesome-incident-response | |
| - Scripting/Coding | |
| - All Languages - http://programming-motherfucker.com/become.html#Python | |
| - Shellcoding | |
| - https://securitycafe.ro/2015/10/30/introduction-to-windows-shellcode-development-part1/ | |
| - http://www.vividmachines.com/shellcode/shellcode.html | |
| - | |
| - Python | |
| - GO | |
| - https://github.com/parsiya/Hacking-with-Go | |
| - https://www.devdungeon.com/content/packet-capture-injection-and-analysis-gopacket | |
| - https://www.owasp.org/images/f/f3/OWASP_FFM_40_Offensive_Go_Kevin_Ott.pdf | |
| - Scapy - http://thesprawl.org/research/scapy/ | |
| - https://bt3gl.github.io/black-hat-python-infinite-possibilities-with-the-scapy-module.html | |
| - Full Python Course - https://www.codecademy.com/learn/python | |
| - http://programming-motherfucker.com/become.html#Python | |
| - Bash - https://www.shellscript.sh/ | |
| - Powershell | |
| - Underthewire - http://www.underthewire.tech/ | |
| - Exploit Development/Exploitation | |
| - Resources - https://www.peerlyst.com/posts/the-best-resources-for-learning-exploit-development | |
| - Lots of Resources - http://www.pentest.guru/index.php/2016/01/28/best-books-tutorials-and-courses-to-learn-about-exploit-development/ | |
| - Exploit Development - https://samsclass.info/127/127_S18.shtml | |
| - Modern Binary Exploitation - https://github.com/RPISEC/MBE | |
| - https://microcorruption.com/ | |
| - https://guyinatuxedo.github.io/index.html | |
| - https://mjali.com/2020/01/21/binary-exploitation-series-part-1/ | |
| - https://blog.xenoscr.net/Finding-EIP/ | |
| - Linux (x86) Exploit Development - https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/ | |
| - https://www.youtube.com/watch?v=YGs-O0EBsbQ | |
| - https://www.fuzzysecurity.com/tutorials.html | |
| - http://opensecuritytraining.info/Training.html | |
| - http://phrack.org/issues/69/8.html | |
| - https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ | |
| - https://github.com/demi6od/Smashing_The_Browser | |
| - Crypto | |
| - CryptoPals Challenges | |
| - https://cryptopals.com/ | |
| - BreakCyphers | |
| - https://littlemaninmyhead.wordpress.com/2015/09/28/so-you-want-to-learn-to-break-ciphers/ | |
| - Rainbow Tables | |
| - http://kestas.kuliukas.com/RainbowTables/ | |
| - YARA | |
| - Intro - https://www.alienvault.com/blogs/security-essentials/explain-yara-rules-to-me | |
| - Documentation - https://yara.readthedocs.io/en/v3.6.0/ | |
| - Malware Analysis/Reversing | |
| - Start Here - https://github.com/tylerph3/awesome-reversing | |
| - Reversing on Windows - https://suszter.com/ReversingOnWindows | |
| - University Course - https://github.com/RPISEC/Malware | |
| - Ray's World - http://rayseyfarth.com/ | |
| - Amanda - http://amanda.secured.org/how-to-start-reverse-engineering-malware/ | |
| - Reversing Hero - https://www.reversinghero.com/ | |
| - Malware Traffic Analysis - https://github.com/MalwareReverseBrasil/maltran | |
| - Practice Phishing | |
| - Morning Catch - http://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/ | |
| - Free University Courses | |
| - https://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/lectures.html | |
| - Challenges | |
| - SANS Holiday Hack Challenge - https://holidayhackchallenge.com/2016/ | |
| - Before 2014 - https://pen-testing.sans.org/holiday-challenge/2014 | |
| - PCAP Challenges | |
| - https://github.com/aeibrahim/wireshark_challenge | |
| - https://www.honeynet.org/challenges | |
| - Fun Reading List | |
| - http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html | |
| - Honeypots | |
| - AWS - https://medium.com/@sudojune/deploying-a-honeypot-on-aws-5bb414753f32 | |
| - Repos/Collection of Tools | |
| - Large Toolset - https://awesomehacking.org/ | |
| - Large repo (many topics) | |
| - Similar to this - http://cyborg.ztrela.com/tools/ | |
| - https://github.com/wtsxDev/Penetration-Testing | |
| - https://github.com/nixawk/pentest-wiki | |
| - https://github.com/Hack-with-Github/Awesome-Hacking | |
| - https://github.com/vitalysim/Awesome-Hacking-Resources | |
| - Penetration Testing Tools | |
| - Tons - https://github.com/enaqx/awesome-pentest | |
| - Tons - https://gexos.github.io/Hacking-Tools-Repository/ | |
| - Tons - https://github.com/Aptive/penetration-testing-tools | |
| - Tons - https://github.com/wtsxDev/Penetration-Testing | |
| - More! - https://blackarch.org/tools.html | |
| - Python | |
| - Intro - https://github.com/PacktPublishing/Python-Journey-from-Novice-to-Expert | |
| - Penetration Testing Tools - https://github.com/dloss/python-pentest-tools | |
| - Python Forensics - https://github.com/PacktPublishing/Learning-Python-for-Forensics | |
| - Reverse Engineering - https://github.com/tylerph3/awesome-reversing | |
| - Rootkits | |
| - List - https://github.com/maldevel/RootKits-List-Download | |
| - Complete Courses/Videos/Guides/Books | |
| - Existing Full Guides (fantastic!) | |
| - Pentest Wiki - https://github.com/nixawk/pentest-wiki | |
| - Awesome Pentest - https://github.com/enaqx/awesome-pentest | |
| - https://www.it-sec-catalog.info/ | |
| - CTF | |
| - Field Guide - https://trailofbits.github.io/ctf/ | |
| - Author's Guide - http://pastebin.com/DrsetKc8 | |
| - CTF Practice/Archives | |
| - Github - https://github.com/ctfs | |
| - Shell-Storm - http://shell-storm.org/repo/CTF/ | |
| - W3Challs - https://w3challs.com/ | |
| - Old Defcon - http://nopsr.us/ | |
| - Web Focused - https://chall.stypr.com/ | |
| - CTF Resources | |
| - http://resources.infosecinstitute.com/tools-of-trade-and-resources-to-prepare-in-a-hacker-ctf-competition-or-challenge/ | |
| - Attack | |
| - IPv6 | |
| - http://haxpo.nl/materials/haxpo2015ams/D3%20-%20R.%20Schaefer%20and%20J.%20Salazar%20-%20Pentesting%20in%20the%20Age%20of%20IPv6.pdf | |
| - Windows | |
| - Zero to Domain | |
| - http://www.computerworld.com/article/2843632/security0/scenario-based-pen-testing-from-zero-to-domain-admin-with-no-missing-patches-required.html | |
| - Network Fingerprinting and Exploitation | |
| - http://resources.infosecinstitute.com/wp-content/uploads/Network-Fingerprinting-and-Exploitation1.pdf | |
| - Linux | |
| - Network Fingerprinting and Exploitation - | |
| - http://resources.infosecinstitute.com/wp-content/uploads/Network-Fingerprinting-and-Exploitation1.pdf | |
| - Blackbox | |
| - http://www.carnal0wnage.com/papers/Big-Bang-Theory-Pentest-HighSec-Enviro-Gates-McCray.pdf | |
| - https://gbhackers.com/external-black-box-penetration-testing/ | |
| - Defend | |
| - IDS Guide - https://www.hurricanelabs.com/images/idsguide.pdf | |
| - Courses | |
| - Metasploit Unleashed - https://www.offensive-security.com/metasploit-unleashed/ | |
| - Pen Testing - https://www.cybrary.it/course/advanced-penetration-testing/ | |
| - Linux (x86) Exploit Development - https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/ | |
| - Exploit Development - https://samsclass.info/127/127_S18.shtml | |
| - Reversing Hero - https://www.reversinghero.com/ | |
| - Reverse Engineering - http://martin.uy/blog/projects/reverse-engineering/ | |
| - https://securitycafe.ro/2015/10/30/introduction-to-windows-shellcode-development-part1/ | |
| - Shellcoding - http://www.vividmachines.com/shellcode/shellcode.html | |
| - https://slaeryan.github.io/posts/slae-assignment1-blogpost.html | |
| - Videos | |
| - Advanced Threat Tactics | |
| - http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/ | |
| - Crypto | |
| - Animated Crypto Series -https://vimeo.com/album/4229550 | |
| - Books | |
| - Advanced Penetration Testing for Highly Secured Environments | |
| - LARGE (!) PDF - https://news.asis.io/sites/default/files/%E2%80%8Cbook.pdf | |
| - Multiple pentesting books - http://www.arthur-training.com/Downloads/ITT/ | |
| - How-To | |
| - Python IP Sniffer - https://askldjd.com/2014/01/15/a-reasonably-fast-python-ip-sniffer/ | |
| - Evil Access Point - https://www.sensepost.com/blog/2013/rogue-access-points-a-how-to/ | |
| - DNS Phishing in Public Hotspots - https://www.exploit-db.com/docs/20875.pdf | |
| - Various topics - https://bobloblaw.gitbooks.io/security/content/ | |
| - Misc. Resources | |
| - Lectures/VMs/Videos (tons) - http://www.arthur-training.com/Downloads | |
| - Cheatsheets | |
| - Cheatsheet God - https://github.com/OlivierLaflamme/Cheatsheet-God | |
| - Various Pentesting Tools | |
| - https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/ | |
| - Lots | |
| - Survival Guide - https://nofile.io/f/ZjOqK6KD7us/Pentesters-Survival-Guide.pdf | |
| - Windows | |
| - https://techincidents.com/penetration-testing-cheat-sheet/ | |
| - Powershell | |
| - Mics Scripts - https://github.com/rvrsh3ll/Misc-Powershell-Scripts | |
| - Tricks - https://decoder.cloud/2017/01/26/dirty-tricks-with-powershell/ | |
| - https://ramblingcookiemonster.github.io/images/Cheat-Sheets/powershell-cheat-sheet.pdf | |
| - SQL | |
| - SQLite3 - http://atta.cked.me/home/sqlite3injectioncheatsheet | |
| - Python | |
| - https://www.cheatography.com/davechild/cheat-sheets/python/ | |
| - 2 - https://realpython.com/files/python_cheat_sheet_v1.pdf | |
| - 3 - https://perso.limsi.fr/pointal/_media/python:cours:mementopython3-english.pdf | |
| - Shells - http://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html | |
| - Netcat | |
| - https://neverendingsecurity.wordpress.com/2015/04/13/netcat-commands-cheatsheet/ | |
| - https://www.securitaus.org/netcat/pentest/2016/05/23/netcat-cheat-sheet.html | |
| - Tcpdump | |
| - https://danielmiessler.com/study/tcpdump/ | |
| - http://bencane.com/2014/10/13/quick-and-practical-reference-for-tcpdump/ | |
| - http://packetlife.net/media/library/12/tcpdump.pdf | |
| - Wordpress | |
| - https://github.com/ethicalhack3r/wordpress_plugin_security_testing_cheat_sheet | |
| - Protocols | |
| - DNS | |
| - Over HTTPS - https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ | |
| - Collections of Cheatsheets | |
| - https://www.peerlyst.com/posts/the-complete-list-of-infosec-related-cheat-sheets-claus-cramon | |
| - https://github.com/jshaw87/Cheatsheets | |
| - http://packetlife.net/library/cheat-sheets/ | |
| - http://www.danielowen.com/2017/01/01/sans-cheat-sheets/ | |
| - SANS - https://pen-testing.sans.org/resources/downloads | |
| - Detection/Remediation/Defending | |
| - Detecting Meterpreter | |
| - https://www.sans.org/reading-room/whitepapers/forensics/analysis-meterpreter-post-exploitation-35537 | |
| - Detecting Backdoors | |
| - https://www.rawhex.com/2016/03/a-guide-to-recognising-backdoors-using-metasploitable-2/ | |
| - Detecting Malicious VBA Macros | |
| - https://github.com/decalage2/oletools/wiki/mraptor | |
| - Zero to Hero (Internal) | |
| - Target: Windows | |
| - Attack Active Directory | |
| - Wiki - https://adsecurity.org/ | |
| - DCShadow - https://blog.alsid.eu/dcshadow-explained-4510f52fc19d | |
| - Blood Hound - https://github.com/adaptivethreat/BloodHound | |
| - Automating - https://byt3bl33d3r.github.io/automating-the-empire-with-the-death-star-getting-domain-admin-with-a-push-of-a-button.html | |
| - NTLM Relaying - https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html | |
| - Automate Blood Hound - https://github.com/mdsecactivebreach/ANGRYPUPPY | |
| - Extending - https://speakerdeck.com/porterhau5/extending-bloodhound-for-red-teamers | |
| - Guide - https://www.ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf | |
| - CrackMapExec - https://github.com/byt3bl33d3r/CrackMapExec | |
| - Intro - https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html | |
| - Use case - https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html | |
| - EmPyre - http://www.rvrsh3ll.net/blog/empyre/empyre-engaging-active-directory/ | |
| - Audit AD - https://github.com/l0ss/Grouper2 | |
| - Red Teaming AD (PDF) | |
| - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf | |
| - https://adsecurity.org/wp-content/uploads/2018/05/2018-NolaCon-Metcalf-ActiveDirectorySecurityTheJourney.pdf | |
| - Attack Methods -> Domain Admin | |
| - https://adsecurity.org/?p=2362 | |
| - Attacking Domain Trusts | |
| - https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944 | |
| - Misc Tools/Scripts | |
| - LOLBAS - Living Off The Land Binaries And Scripts | |
| - Full - https://github.com/api0cradle/LOLBAS | |
| - https://github.com/0xdea/tactical-exploitation | |
| - Attack Kerberos | |
| - Protocol Info - https://adsecurity.org/?p=227 | |
| - Attacking Kerberos | |
| - http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html?m=1 | |
| - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html | |
| - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html | |
| - https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf | |
| - Attack Kerberos w/o Mimikatz | |
| - http://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/ | |
| - Roasting AS-REPS | |
| - http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ | |
| - Kerberos Party Tricks | |
| - http://www.exumbraops.com/blog/2016/6/1/kerberos-party-tricks-weaponizing-kerberos-protocol-flaws | |
| - Persistence | |
| - AD Persistence | |
| - Sneaky Tricks - https://adsecurity.org/?p=1929 | |
| - Domain Computer Accounts | |
| - Enumerate Domain/Domain Controllers | |
| - `wmic computersystem get domain` | |
| - `echo %LOGONSERVER%` | |
| - `echo %COMPUTERNAME%.%USERDNSDOMAIN%` | |
| - nslookup, ping domain_name, etc | |
| - Enumerate Users/Services | |
| - Enumerate usernames | |
| - https://github.com/skorov/ridrelay | |
| - enum4linux | |
| - https://highon.coffee/blog/enum4linux-cheat-sheet/ | |
| - Extract machine usernames (user$) from above | |
| - Masscan all "user$.domain_name" for open ports | |
| - masscan --rate 100000 -e eth0 --ports<port range> --open-only <SCAN RANGE> | |
| - Common ports: 21, 22, 23, 25, 53, 80, 443, 445, 3389, etc | |
| - Reference: https://github.com/robertdavidgraham/masscan | |
| - Nmap all "user$.domain_name" for open ports | |
| - Nmap all "user$.domain_name" for open ports/services | |
| - Tuned Nmap | |
| - nmap -Pn -n -A -T4 --top-ports=1000 --max-rtt-timeouts=500ms --initial-rtt-timeout=200ms --min-rtt-timeout=2--ms --open --stats-every 5s <IP/Range> | |
| - LLMNR/NetBios-NS spoofing | |
| - Responder | |
| - If SMB signing is disabled | |
| - https://g-laurent.blogspot.com/2016/10/introducing-responder-multirelay-10.html | |
| - Metasploit | |
| - Spoof | |
| - auxiliary/spoof/llmnr/llmnr_response | |
| - auxiliary/spoof/nbns/nbns_response | |
| - Capture | |
| - auxiliary/server/capture/smb | |
| - auxiliary/server/capture/http_ntlm | |
| - set JOHNPWFILE /tmp/smbhashes.john | |
| - Reference | |
| - https://www.gracefulsecurity.com/stealing-accounts-llmnr-and-nbt-ns-poisoning/ | |
| - https://www.pentestpartners.com/blog/how-to-get-windows-to-give-you-credentials-through-llmnr/ | |
| - GPO | |
| - CPasswords | |
| - GP3Finder - https://bitbucket.org/grimhacker/gpppfinder | |
| - `gp3finder -A -t DOMAIN_CONTROLLER -u DOMAINUSER` | |
| - Locate SYSVOL | |
| - \\domain_controller\SYSVOL\DOMAIN_NAME\Policies | |
| - Metasploit GPP Module | |
| - Decrypt GPP Password | |
| - PowerSploit - Get-GPPPassword | |
| - Detailed Group Policy Information | |
| - `gpresult [/x], [/h] <FILENAME> | |
| - Reference: https://technet.microsoft.com/en-us/library/cc733160(v=ws.11).aspx | |
| - Privilege Escalation | |
| - Windows | |
| - Helpful - https://www.gracefulsecurity.com/privilege-escalation-in-windows-domains/ | |
| - Powershell & C# - https://decoder.cloud/2018/02/02/getting-system/ | |
| - Mimikatz - https://www.gracefulsecurity.com/privesc-dumping-passwords-in-plaintext-mimikatz/ | |
| - Incognito - https://www.gracefulsecurity.com/privesc-stealing-windows-access-tokens-incognito/ | |
| - Zero to Hero (External) | |
| - Get Subdomains | |
| - Tool List - https://docs.google.com/document/d/1eVPh6jNn3jZbnHZitevbSSe9GDoi7PmrolfGv7FQdow/ | |
| - CTSearch - https://github.com/llamasoft/CTSearch | |
| - Fuzz Web Apps | |
| - FuzzDB - https://github.com/fuzzdb-project/fuzzdb/ | |
| - Burp | |
| - https://www.gracefulsecurity.com/introduction-to-burp-suite-pro/ | |
| - ZAP | |
| - Guide | |
| - http://www.carnal0wnage.com/papers/Big-Bang-Theory-Pentest-HighSec-Enviro-Gates-McCray.pdf | |
| - Red Team | |
| - Tools | |
| - Toolkit | |
| - Red Teaming Toolkit - https://github.com/infosecn1nja/Red-Teaming-Toolkit | |
| - User Emulation - https://github.com/SpiderLabs/sheepl | |
| - Wiki | |
| - Wiki - https://github.com/yeyintminthuhtut/Awesome-Red-Teaming | |
| - Infrastructure wiki - https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki | |
| - Phases | |
| - http://redteams.net/blog/2017/phases-of-a-red-team-assessment-revisited | |
| - Attacking (Tips and Tricks) | |
| - Tips Wiki | |
| - https://threatintel.eu/2017/06/03/red-teaming-tips-by-vincent-yiu/ | |
| - Attack Perimeter | |
| - Mail/Phishing | |
| - Bypass spam filters - https://silentbreaksecurity.com/bypassing-mail-filters/ | |
| - USB Phishing | |
| - http://blog.sevagas.com/?Advanced-USB-key-phishing | |
| - Pivoting | |
| - https://artkond.com/2017/03/23/pivoting-guide/ | |
| - https://nullsweep.com/pivot-cheatsheet-for-pentesters/ | |
| - Attacking AD | |
| - Solid Overview | |
| - RedTeaming AD (PDF) - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf | |
| - Kerberos | |
| - http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html?m=1 | |
| - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html | |
| - Evasion/Persistence | |
| - https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/ | |
| - Scripts - https://github.com/TestingPens/MalwarePersistenceScripts | |
| - Backdooring AD | |
| - https://jumpespjump.blogspot.lu/2015/03/thousand-ways-to-backdoor-windows.html | |
| - LOL - Living Off The Land | |
| - Intro - https://liberty-shell.com/sec/2018/10/20/living-off-the-land/ | |
| - Web Page - https://lolbas-project.github.io/ | |
| - Full - https://github.com/api0cradle/LOLBAS | |
| - Expired Domains | |
| - https://www.expireddomains.net/ | |
| - Subdomain Takeover | |
| - Sub0ver - https://github.com/Ice3man543/SubOver | |
| - Guide - https://0xpatrik.com/subdomain-takeover-basics/ | |
| - SubFinder - https://github.com/subfinder/subfinder | |
| - Browser Exploitation | |
| - Wiki - https://www.it-sec-catalog.info/browser_exploitation.html | |
| - OPSEC | |
| - VPN | |
| - https://sec.alexflor.es/post/vm_gateway/ | |
| - Guides | |
| - Social Engineering (Interactive/Personal) | |
| - Payloads | |
| - https://github.com/t3ntman/Social-Engineering-Payloads | |
| - Gaining Foothold (File) | |
| - UNC - https://1337red.wordpress.com/2018/01/27/remote-se-101-workshop/ | |
| - HTA - http://blog.sevagas.com/?Hacking-around-HTA-files | |
| - Office Docs - https://stealingthe.network/executing-metasploit-empire-payloads-from-ms-office-document-properties-part-1-of-2/ | |
| - Phishing Pretext - https://github.com/L4bF0x/PhishingPretexts | |
| - Line-Interruption Method - http://textfiles.com/uploads/line-interruption.txt | |
| - Blackbox Testing | |
| - Ringzer0 Guide - https://ringzer0team.com/d/A-Journey-Into-a-RedTeam-2018.pdf | |
| - https://gbhackers.com/external-black-box-penetration-testing/ | |
| - Setting up Infrastructure | |
| - Empire Infrastructure - https://bneg.io/2017/11/06/automated-empire-infrastructure/ | |
| - AD Lab - https://twitter.com/curi0usJack/status/979760475520020483 | |
| - C2 (Digital Ocean) - https://www.blackhillsinfosec.com/build-c2-infrastructure-digital-ocean-part-1/ | |
| - Guide - https://silentbreaksecurity.com/modern-red-team-infrastructure/ | |
| - Automation | |
| - Twitter Link - https://twitter.com/ZeArioch/status/975998092335026176 | |
| - Talks | |
| - DEFCON - https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Gerald-Steere-and-Sean-Metcalf-Hacking-the-Cloud.pdf | |
| - RFID/Badge Cloning | |
| - Android App - https://walrus.app/docs/getting-started/ | |
| - Frameworks | |
| - Cobalt Strike | |
| - Field Manual - https://github.com/001SPARTaN/csfm | |
| - Atomic Red Team | |
| - Detection Tests - https://github.com/redcanaryco/atomic-red-team | |
| - Usage - https://www.youtube.com/watch?v=iNl_rltYmoo | |
| - Virtual Attack Lab | |
| - Build | |
| - Build Active Directory | |
| - Planning Guides | |
| - https://r0ttenbeef.github.io/Active-Directory-Local-Lab-Environment-Setup/ | |
| - https://adsecurity.org/?p=2653 | |
| - https://sethsec.blogspot.com/2017/05/pentest-home-lab-0x0-building-virtual.html | |
| - https://scriptdotsh.com/index.php/2018/08/26/active-directory-penetration-dojo-setup-of-ad-penetration-lab-part-2/ | |
| - https://7ms.us/7ms-224-diy-500-pentesting-lab-part-1/ | |
| - https://thebackroomtech.com/2018/04/17/installing-and-configuring-active-directory-domain-services-on-windows-server-2016/ | |
| - Using Powershell | |
| - https://github.com/OneLogicalMyth/Automated-AD-Setup | |
| - https://sethsec.blogspot.com/2017/05/pentest-home-lab-0x0-building-virtual.html | |
| - https://github.com/outflanknl/Invoke-ADLabDeployer | |
| - Users - https://github.com/curi0usJack/ADImporter | |
| - Users - https://stealingthe.network/rapidly-creating-fake-users-in-your-lab-ad-using-youzer/ | |
| - Home Lab | |
| - https://7ms.us/7ms-224-diy-500-pentesting-lab-part-1/ | |
| - Slides - https://docs.google.com/presentation/d/1V-mWiyaJ3I6HhXRxH1M5ityWYRqb5PoNHwvWSZaOr_E/edit#slide=id.g184aa9ce45_0_35 | |
| - Attack/Red | |
| - ATT&CK | |
| - Automate - https://github.com/redcanaryco/atomic-red-team/tree/master/Automation | |
| - Defend/Blue | |
| - Analysis | |
| - Cuckoo | |
| - Install - https://blog.nviso.be/2018/04/12/painless-cuckoo-sandbox-installation/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment