Learn to hack: Difference between revisions
Minor edit, section "Initial Access" (diff at line 149):

Previous revision:
== Initial Access ==
There are many ways to get a foothold into a targets network, from phishing, buying credential access, buying infected machines in corporate networks, performing a targeted penetration test and spray and pray scanning for vulnerabilities and hacking in. Here we list some resources in these regards.
For more information on gaining a foothold, see [[Initial Access Tactics, techniques and procedures]]

Current revision:
== Initial Access ==
There are many ways to get a foothold into a targets network, from phishing, buying credential access, buying infected machines in corporate networks, password spraying, performing a targeted penetration test and spray and pray scanning for vulnerabilities and hacking in. Here we list some resources in these regards.
For more information on gaining a foothold, see [[Initial Access Tactics, techniques and procedures]]
Revision as of 13:58, 15 January 2023
This page aims to compile high-quality resources for hackers. All books listed on this page can be found on Library Genesis and Z-Library.
General Resources
Resources that assume little to no background knowledge:
Resources that assume minimal tech background:
- (book) Penetration Testing: A Hands-On Introduction to Hacking
- Bassterlord Networking Manual (translated): https://papers.vx-underground.org/papers/VXUG/Mirrors/BassterlordNetworkingManual.pdf
Resources that assume a tech or hacking background:
- (book) The Hacker Playbook 3
- books by Sparc Flow
- Hack Back! A DIY Guide
- https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak
Practice labs:
- https://www.hackthebox.com/
- https://www.pentesteracademy.com/
- https://lab.pentestit.ru/
- https://overthewire.org/wargames/
General references:
- https://www.ired.team
- http://pwnwiki.io
- https://dmcxblue.gitbook.io/red-team-notes-2-0
- https://github.com/swisskyrepo/PayloadsAllTheThings
- https://github.com/S3cur3Th1sSh1t/Pentest-Tools
- https://github.com/offensive-security/exploitdb
- https://github.com/payloadbox
- Collection of malware source code: https://github.com/vxunderground/MalwareSourceCode
- https://github.com/jhaddix/tbhm
- https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters
- https://www.metasploit.com
- https://github.com/emilyanncr/Windows-Post-Exploitation
- https://github.com/infosecn1nja/Red-Teaming-Toolkit
- https://github.com/edoardottt/awesome-hacker-search-engines
- https://github.com/Hack-with-Github/Awesome-Hacking
- https://github.com/LOLBAS-Project/LOLBAS
- https://docs.anarchy-farm.com
- https://book.hacktricks.xyz
- https://github.com/RistBS/Awesome-RedTeam-Cheatsheet
- https://github.com/0dayCTF/reverse-shell-generator
- https://0xsp.com/offensive/red-teaming-toolkit-collection/
- https://pwncat.org/
- https://gtfobins.github.io/
- https://codex-7.gitbook.io/
- https://github.com/qazbnm456/awesome-web-security
- https://githubmemory.com/repo/Qing-Q/awesome-hacking-lists
- https://github.com/A-poc/RedTeam-Tools
Active Directory
- An excellent practical reference
- A practical reference focused on PowerShell
- https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
- https://m0chan.github.io/2019/07/30/Windows-Notes-and-Cheatsheet.html
- https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/
- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
- https://wadcoms.github.io/
- https://www.blackhillsinfosec.com/webcast-attack-tactics-5-zero-to-hero-attack/
- https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
- https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
- https://en.hackndo.com/ntlm-relay/
- https://s3cur3th1ssh1t.github.io/The-most-common-on-premise-vulnerabilities-and-misconfigurations/
- A very thorough technical background: https://zer1t0.gitlab.io/posts/attacking_ad/
- Kerberos background: https://www.tarlogic.com/blog/how-kerberos-works/
- A good overview of different lateral movement techniques: https://hackmag.com/security/lateral-guide/
- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#active-directory-exploitation-cheat-sheet
Tools
- https://mpgn.gitbook.io/crackmapexec/
- https://www.secureauth.com/labs/open-source-tools/impacket/
- https://github.com/dirkjanm/mitm6
- https://github.com/lgandx/Responder
- https://github.com/FuzzySecurity/StandIn
- https://www.joeware.net/freetools/tools/adfind/
- https://github.com/CravateRouge/bloodyAD
- https://github.com/blacklanternsecurity/MANSPIDER
- https://github.com/login-securite/DonPAPI
- PowerView/SharpView
- BloodHound/SharpHound
Office 365 & Azure
- Extremely in-depth technical info on everything: https://o365blog.com/
- https://www.synacktiv.com/en/publications/azure-ad-introduction-for-red-teamers.html
- https://blog.xpnsec.com/azuread-connect-for-redteam/
- AAD Connect Cloud Sync: as local admin, impersonate the provagentgMSA account or retrieve its managed password in order to DCSync.
- https://www.blackhillsinfosec.com/webcast-getting-started-in-pentesting-the-cloud-azure/
- https://github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md
- https://www.inversecos.com/
Tools
- https://github.com/nyxgeek/o365recon
- https://github.com/dirkjanm/ROADtools
- https://github.com/fox-it/adconnectdump
- https://github.com/LMGsec/o365creeper
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/rvrsh3ll/TokenTactics
- https://github.com/nyxgeek/onedrive_user_enum
- https://github.com/dafthack/MSOLSpray
- https://github.com/dafthack/MFASweep
GSuite
- https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite
C2 Frameworks
Antivirus & EDR Evasion
- https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
- https://s3cur3th1ssh1t.github.io/Customizing_C2_Frameworks/
- https://s3cur3th1ssh1t.github.io/Powershell-and-the-.NET-AMSI-Interface/
- https://www.blackhillsinfosec.com/tag/sacred-cash-cow-tipping/
- https://blog.securityevaluators.com/creating-av-resistant-malware-part-1-7604b83ea0c0
- https://www.ired.team/offensive-security/defense-evasion
- https://www.youtube.com/watch?v=UO3PjJIiBIE
- https://github.com/matterpreter/DefenderCheck
- https://github.com/RythmStick/AMSITrigger
- https://amsi.fail
VMware
- Exploiting vCenter to add vSphere user: https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md
- VMware Workspace ONE Access and Identity Manager RCE via SSTI (CVE-2022-22954, unauthenticated server-side template injection): Mass Exploit
RocketChat
- Account hijacking and RCE as admin: https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy
Microsoft Exchange
ProxyLogon is dead: it is mitigated by Defender. ProxyShell is not, although AMSI catches unmodified public exploits.
- ProxyShell: https://github.com/dmaasland/proxyshell-poc
- Improved proxyshell-poc: https://github.com/horizon3ai/proxyshell
- ProxyShell (webshell via New-MailboxExportRequest): https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md
- ProxyShell (webshell via New-ExchangeCertificate): https://gist.github.com/dmaasland/0720891aaf6dec8d3b42a5b92c8d6f94
- Polymorphic webshells: https://github.com/grCod/poly
- ProxyShell (no webshell, dump mailboxes via PowerShell): https://github.com/Jumbo-WJB/Exchange_SSRF
- Export all mailboxes:
foreach ($mbx in (Get-Mailbox)){New-MailboxExportRequest -mailbox $mbx.alias -FilePath "\\127.0.0.1\C$\Folder\$($mbx.Alias).pst"}
- Proxylogon, proxyshell, proxyoracle and proxytoken full chain exploit tool: https://github.com/FDlucifer/Proxy-Attackchain
- Automatic ProxyShell Exploit: https://github.com/Udyz/proxyshell-auto
Initial Access
There are many ways to get a foothold into a target's network, from phishing, buying credential access, buying infected machines in corporate networks, password spraying, performing a targeted penetration test, and spray-and-pray scanning for vulnerabilities and hacking in. Here we list some resources on these topics.
For more information on gaining a foothold, see Initial Access Tactics, techniques and procedures.
Scanning and Recon
- https://github.com/robertdavidgraham/masscan
- https://github.com/projectdiscovery/naabu
- https://github.com/OWASP/Amass
- https://github.com/six2dez/reconftw
- https://github.com/lanmaster53/recon-ng
- https://github.com/jaeles-project/jaeles
- https://github.com/1N3/Sn1per
- https://github.com/projectdiscovery/nuclei
- https://github.com/wpscanteam/wpscan
- https://github.com/OWASP/joomscan
- https://github.com/immunIT/drupwn
- https://github.com/Tuhinshubhra/RED_HAWK
- https://github.com/root-tanishq/userefuzz
Search Engines
Search engines are a useful tool for gathering information and intelligence from publicly available sources. Some are paid and some are free. Make sure to maintain good OPSEC whenever purchasing any service that will be used for recon on a target.
For more information on recommended search engines, see Search Engines Resources.
Web Crawlers
Wordlists
- https://wordlists.assetnote.io/
- https://github.com/danielmiessler/SecLists
- https://github.com/ameenmaali/wordlistgen
OSINT
Open-source intelligence (OSINT) refers to the collection and analysis of information from publicly available sources to be used in an intelligence context.
For more information on recommended tools and resources, see OSINT Tools and Resources.
API Hacking
Intercepting Proxies
These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications.
Opsec
Operational security (Opsec) is crucial for protecting oneself from surveillance and maintaining anonymity while conducting illegal activities.
Recommended Measures
Any illegal activity should be done from an encrypted and separate computer or virtual machine, with all traffic over Tor.
For more information on recommended measures, see Opsec Measures.
Secure Messaging
Best practice for secure messaging includes using connections over Tor and end-to-end encryption for messages.
Recommended Applications
For Jabber/XMPP, make sure to enable OTR or OMEMO encryption. For email, use PGP. For file sharing, use OnionShare.
For more information on recommended applications, see Secure Messaging Applications.