Learn to hack: Difference between revisions

From Enlace Hacktivista
Jump to navigation Jump to search
No edit summary
 
(221 intermediate revisions by 3 users not shown)
Line 1: Line 1:
This page aims to compile high quality resources for hackers. All books listed on this page can be found on [https://libgen.fun/ Library Genesis] and [https://z-lib.org/ Z-Library]
This page aims to compile high quality resources for hackers for both the experienced and inexperienced. All books listed on this page can be [https://libgen.lc found] on [https://libgen.fun/ Library Genesis].


== General Resources ==  
Make sure that you follow good OPSEC when carrying out your operations! See [https://enlacehacktivista.org/index.php?title=Learn_to_hack#Operational_security OPSEC]
 
== General Resources ==


Resources that assume little to no background knowledge:
Resources that assume little to no background knowledge:
Line 9: Line 11:
Resources that assume minimal tech background:
Resources that assume minimal tech background:
* (book) Penetration Testing: A Hands-On Introduction to Hacking
* (book) Penetration Testing: A Hands-On Introduction to Hacking
* Bassterlord Networking Manual (translated): https://papers.vx-underground.org/papers/VXUG/Mirrors/BassterlordNetworkingManual.pdf
* [https://web.archive.org/web/20230531145531/https://papers.vx-underground.org/papers/Malware%20Defense/Malware%20Analysis%202021/2021-08-31%20-%20Bassterlord%20%28FishEye%29%20Networking%20Manual%20%28X%29.pdf Bassterlord Networking Manual (translated)] (Focuses on [https://enlacehacktivista.org/index.php?title=Fortinet_SSL_VPN_Path_Traversal exploiting and hacking into networks via Forti SSL VPN])
* [https://web.archive.org/web/20230531144434if_/https://cdn-151.anonfiles.com/vcD868ubz5/08a9b897-1685544763/BasterLord+-+Network+manual+v2.0.pdf Bassterlord Networking Manual v2.0 (translated)] (Focuses on [[VPN brute forcing]])
* Translated: [https://web.archive.org/web/20230404175503if_/https://cdn-150.anonfiles.com/satbX2i8z2/75a3be58-1680631481/Conti_playbook_translated.pdf Conti playbook]
* LockBit 3.0 CobaltStrike: [https://web.archive.org/web/20230701141731if_/https://cdn-147.anonfiles.com/s1cbD0z3z3/4536e4f8-1688221595/LockBit-CobaltStrike.pdf LockBit 3.0 Guide]


Resources that assume a tech or hacking background:
Resources that assume a tech or hacking background:
* (book) The Hacker Playbook 3
* (book) The Hacker Playbook 3
* books by [https://b-ok.cc/g/Sparc%20Flow Sparc Flow]
* [[Hack Back! A DIY Guide]]
* [[Hack Back! A DIY Guide]]
* https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak
* https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak
** translated: https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/639/original/Conti_playbook_translated.pdf
* [https://enlacehacktivista.org/images/8/8f/Flexispy.txt Flexispy Hack Back]
* [https://enlacehacktivista.org/libertycounsel.txt Liberty Counsel Hack Back]
* [https://youtu.be/kCLDqvDnGzA Catalan Police Union Hack Back]
* https://book.hacktricks.xyz
* [https://kolektiva.media/w/twJjCTkvumnugRy61BjD3T Pronico Hack Back]
* https://github.com/Correia-jpv/fucking-the-book-of-secret-knowledge
* https://github.com/0xPugazh/One-Liners


The Bug Hunters Methodology:
* https://github.com/jhaddix/tbhm
* Application Analysis: https://youtu.be/FqnSAa2KmBI
* The Bug Hunter's Methodology v4.0: https://youtu.be/p4JgIu1mceI?si=jXcYksd4UqodZDBF
Practice labs:
Practice labs:
* https://www.hackthebox.com/
* https://www.hackthebox.com
* https://www.pentesteracademy.com/
* https://academy.hackthebox.com
* https://lab.pentestit.ru/
* https://www.pentesteracademy.com
* https://overthewire.org/wargames/
* https://lab.pentestit.ru
* https://overthewire.org/wargames
* https://www.vulnhub.com/
 
Appsec:
* https://github.com/paragonie/awesome-appsec
 
Malware, a collection of malware source code and binaries:
* https://github.com/vxunderground/MalwareSourceCode
* https://github.com/ytisf/theZoo/tree/master/malware
 
=== General references ===
 
General resources you may find useful for learning.
 
See [[General References]]
 
[https://owasp.org/www-project-top-ten/ OWASP Top 10] is a broad consensus about the most critical security risks to web applications. See TryHackMe's [https://tryhackme.com/room/owasptop10 room] for practical OWASP Top 10 learning and their [https://tryhackme.com/room/owaspjuiceshop Juice Shop].
 
== Recommended Reading - The Library ==
See recommended reading [https://libgen.fun books] that will aid you in your learning. See [[recommended reading in the library]]
 
* [https://theanarchistlibrary.org/special/index The Anarchist Library] ([http://libraryqxxiqakubqv3dc2bend2koqsndbwox2johfywcatxie26bsad.onion/special/index Tor])
* Phrack: http://phrack.org
 
== Operational security ==
 
Operational security (OPSEC) is crucial for protecting oneself from surveillance and maintaining anonymity while conducting hacktivist operations.
 
=== Recommended Measures ===
 
Any illegal hacktivity should be done from an encrypted and separate computer or virtual machine, with all traffic router over Tor.
 
For more information on recommended operational security measures, see [[Opsec Measures]]
 
=== Secure Messaging ===
 
Best practice for secure messaging includes proxying connections over Tor and using end-to-end encryption for messages.
 
==== Recommended Applications ====
 
For Jabber/XMPP, make sure to enable OTR or OMEMO encryption. For e-mail use PGP for encryption. For file sharing use onionshare.
 
For more information on recommended applications, see [[Secure Messaging Applications]]
 
== Initial Access ==
 
There are many ways to gain [https://attack.mitre.org/tactics/TA0001/ initial access] into a targets network, from phishing, buying credential access, buying infected machines in corporate networks, password spraying, performing a targeted [https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets penetration test] and spray and pray scanning for vulnerabilities and hacking in. Here we list some resources in these regards.
 
=== Common Initial Access TTPs ===
 
For more information on gaining a foothold, see [[Initial Access Tactics, techniques and procedures]]
 
=== Attacking Common Services ===
Your targets will likely use many services either externally or internally, this could be SSH, RDP, SMB, etc. It's important to know their common misconfigurations, attack vectors, their attack surface and how to hack these various protocols which may serve as the initial access vector. Here we cover various tools, techniques, common misconfigurations, tips and tricks and we cover both internal and external (publicly accessible) networks.
 
See [[Common Service Attacks]]
 
=== Scanning and Recon ===
 
For [https://attack.mitre.org/tactics/TA0043 scanning and recon] tools, see [[Scanning and Recon]]. Make sure to make use of your tool's documentation and read the help menu (-hh/-h/--help).
 
=== Search Engines ===
 
Search engines are a useful tool for gathering information and intelligence from publicly available sources. Some are paid and some are free. Make sure to operate good OPSEC whenever placing a purchase for any service that will be used in your recon on a target.
 
For more information on recommended search engines, see [[Search Engines Resources]]
 
=== OSINT ===
 
Open-source intelligence (OSINT) refers to the collection and analysis of information from publicly available sources.


General references:
For more information on recommended tools and resources, see [[OSINT Tools and Resources]]
* https://www.ired.team
* http://pwnwiki.io
* https://dmcxblue.gitbook.io/red-team-notes-2-0
* https://github.com/swisskyrepo/PayloadsAllTheThings / https://swisskyrepo.github.io/PayloadsAllTheThingsWeb/
* https://github.com/S3cur3Th1sSh1t/Pentest-Tools
* https://github.com/offensive-security/exploitdb
* https://github.com/payloadbox
* Collection of malware source code: https://github.com/vxunderground/MalwareSourceCode
* https://github.com/jhaddix/tbhm
* https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters
* https://www.metasploit.com
* https://github.com/emilyanncr/Windows-Post-Exploitation
* https://github.com/infosecn1nja/Red-Teaming-Toolkit
* https://github.com/edoardottt/awesome-hacker-search-engines
* https://github.com/Hack-with-Github/Awesome-Hacking
* https://github.com/LOLBAS-Project/LOLBAS
* https://docs.anarchy-farm.com
* https://book.hacktricks.xyz
* https://github.com/RistBS/Awesome-RedTeam-Cheatsheet
* https://github.com/0dayCTF/reverse-shell-generator
* https://0xsp.com/offensive/red-teaming-toolkit-collection/
* https://pwncat.org/
* https://gtfobins.github.io/


== Active Directory ==
== Persistence ==
Once you've found a weakness in your targets infrastructure and have been able to gain [https://enlacehacktivista.org/index.php?title=Initial_Access_Tactics,_techniques_and_procedures initial access] you'll want to keep it and avoid detection to maintain your access to your targets network for as long as possible.


* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md An excellent practical reference]
See [[Persistence]].
* [https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet A practical reference focused on powershell]
* https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
* https://m0chan.github.io/2019/07/30/Windows-Notes-and-Cheatsheet.html
* https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/
* https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
* https://wadcoms.github.io/
* https://www.blackhillsinfosec.com/webcast-attack-tactics-5-zero-to-hero-attack/
* https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
* https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
* https://en.hackndo.com/ntlm-relay/
* https://s3cur3th1ssh1t.github.io/The-most-common-on-premise-vulnerabilities-and-misconfigurations/
* A very thorough technical background: https://zer1t0.gitlab.io/posts/attacking_ad/
* kerberos background: https://www.tarlogic.com/blog/how-kerberos-works/
* A good overview of different lateral movement techniques: https://hackmag.com/security/lateral-guide/
* https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#active-directory-exploitation-cheat-sheet


=== Tools ===
== Post exploitation ==
* https://mpgn.gitbook.io/crackmapexec/
* https://www.secureauth.com/labs/open-source-tools/impacket/
* https://github.com/dirkjanm/mitm6
* https://github.com/lgandx/Responder
* https://github.com/FuzzySecurity/StandIn
* https://www.joeware.net/freetools/tools/adfind/
* https://github.com/CravateRouge/bloodyAD
* https://github.com/blacklanternsecurity/MANSPIDER
* https://github.com/login-securite/DonPAPI
* Powerview/Sharpview
* Bloodhound/Sharphound


== Office 365 & Azure ==
=== Windows ===
* Extremely in-depth technical info on everything https://o365blog.com/
For Windows post exploitation, Active Directory and networking hacking, Lateral movement techniques, privilege escalation, defensive and offensive techniques:
* https://www.synacktiv.com/en/publications/azure-ad-introduction-for-red-teamers.html
* https://blog.xpnsec.com/azuread-connect-for-redteam/
* AAD Connect Cloud Sync: as local admin impersonate or retrieve managed password of the provagentgMSA account to dcsync.
** see: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#reading-gmsa-password
* https://www.blackhillsinfosec.com/webcast-getting-started-in-pentesting-the-cloud-azure/
* https://github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md
* https://www.inversecos.com/


=== Tools ===
See [[Hacking Windows]]
* https://github.com/nyxgeek/o365recon
* https://github.com/dirkjanm/ROADtools
* https://github.com/fox-it/adconnectdump
* https://github.com/LMGsec/o365creeper
* https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
* https://github.com/rvrsh3ll/TokenTactics
* https://github.com/nyxgeek/onedrive_user_enum
* https://github.com/dafthack/MSOLSpray
* https://github.com/dafthack/MFASweep


== GSuite ==
=== Linux ===
https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite
For performing Linux post exploitation, gaining persistence, evading detection, privilege escalation and more:


== C2 Frameworks ==
See [[Hacking Linux]]


* https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc
== Exfiltration ==
One of the main objectives for a hacktivist is that of exfiltrating data, company secrets and if your motivations is that of revealing corruption then this step is of the most importance.


== Antivirus & EDR Evasion ==
See [[Data Exfiltration]] for techniques and methods for exfiltrating data out of your targets network.


* https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
== Destruction ==
* https://s3cur3th1ssh1t.github.io/Customizing_C2_Frameworks/
There may be times during a hacktivist operation when you come to the end of your hack, you've fully compromised your target, exfiltrated everything you can/want and now before finally leaving the network and leaking all the targets secrets online you want to cause chaos and destruction. [https://kolektiva.media/w/twJjCTkvumnugRy61BjD3T As was seen by Guacamaya] where they used <code>sdelete64.exe -accepteula -r -s C:\*</code> to wipe systems attached to Pronicos domain you might also want to do the same for Linux and Windows systems in your operations, maybe you want to recursively print a text file with your manifesto across a system/network, encrypt files beyond recovery or just delete everything.
* https://s3cur3th1ssh1t.github.io/Powershell-and-the-.NET-AMSI-Interface/
* https://www.blackhillsinfosec.com/tag/sacred-cash-cow-tipping/
* https://blog.securityevaluators.com/creating-av-resistant-malware-part-1-7604b83ea0c0
* https://www.ired.team/offensive-security/defense-evasion
* https://www.youtube.com/watch?v=UO3PjJIiBIE
* https://github.com/matterpreter/DefenderCheck
* https://github.com/RythmStick/AMSITrigger
* https://amsi.fail


== VMware ==
See [[Chaos and Destruction]] for different ways to achieve this!
* Exploiting vCenter to add vSphere user: https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md
* VMware Workspace ONE Access and Identity Manager RCE via SSTI. [https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis CVE-2022-22954:] Unauthenticated server-side template injection. [https://github.com/tunelko/CVE-2022-22954-PoC Mass Exploit]


== RocketChat ==
== Hacking Misc ==
* Account hijacking and RCE as admin: [https://web.archive.org/web/20210805092939/https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy]


== Microsoft Exchange ==
=== Web Application Hacking ===


ProxyLogon is dead. It's mitigated by Defender. ProxyShell is not. AMSI catches unmodified public exploits.
See [[Hacking Web Applications]]


* ProxyShell:  https://github.com/dmaasland/proxyshell-poc
=== API Hacking ===
* Improved proxyshell-poc: https://github.com/horizon3ai/proxyshell
Application Programming Interfaces (APIs) are the plumbing of today’s financial services and FinTech infrastructure, enabling FinTechs to embed banking into their apps and banks to offer a more unified experience to their customers demanding more from their bank ([https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf Knight]). [https://owasp.org/www-project-api-security APIs can be exploited] to aid in data exfiltration and taking advantage of an existing service.
* ProxyShell (webshell via New-MailboxExportRequest): https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md
* ProxyShell (webshell via New-ExchangeCertificate): https://gist.github.com/dmaasland/0720891aaf6dec8d3b42a5b92c8d6f94
* Polymorphic webshells: https://github.com/grCod/poly
* ProxyShell (no webshell, dump mailboxes via PowerShell): https://github.com/Jumbo-WJB/Exchange_SSRF
* Export all mailboxes: <code>foreach ($mbx in (Get-Mailbox)){New-MailboxExportRequest -mailbox $mbx.alias -FilePath "\\127.0.0.1\C$\Folder\$($mbx.Alias).pst"}</code>
* Proxylogon, proxyshell, proxyoracle and proxytoken full chain exploit tool: https://github.com/FDlucifer/Proxy-Attackchain
* Automatic ProxyShell Exploit: https://github.com/Udyz/proxyshell-auto


== Initial Access ==
See [[Hacking APIs]]!


=== Phishing ===
=== IoT Hacking ===
* https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
* https://github.com/V33RU/IoTSecurity101
* https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
* https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
* https://www.xanthus.io/mastering-the-simulated-phishing-attack
* https://github.com/Arno0x/EmbedInHTML
* https://github.com/L4bF0x/PhishingPretexts
* http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
* https://book.hacktricks.xyz/phishing-methodology
* https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
* https://delta.navisec.io/a-pentesters-guide-part-4-grabbing-hashes-and-forging-external-footholds/
* https://www.rootshellsecurity.net/ntlm_theft-a-tool-for-file-based-forced-ntlm-hash-disclosure/
* https://getgophish.com/ Be sure to [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* https://github.com/curtbraz/PhishAPI
* https://github.com/edoverflow/can-i-take-over-xyz
* https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/


=== Password spraying ===
=== Hacking The Cloud ===
* https://github.com/dafthack/MSOLSpray
More and more of corporate networks are moving away from on-prem to in the cloud. Learning how to [https://hackingthe.cloud hack the cloud infrastructure] of your target is a valuable skill and as time progresses more and more networks will migrate towards the cloud.
* https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying/
* https://github.com/blacklanternsecurity/TREVORspray
* https://github.com/x90skysn3k/brutespray


=== Buying Access ===
See [[Cloud Hacking]]
* https://genesis.market/


=== CVE POCs ===
=== Reverse Engineering ===
* https://github.com/nomi-sec/PoC-in-GitHub
As was seen by [https://enlacehacktivista.org/index.php?title=Hack_Back!_A_DIY_Guide Phineas Fisher], highly motivated hacktivists who seek to hack their targets by any means necessary should consider 0-day research and exploit development, reverse engineering applications and services that their target may be running to gain an initial foothold and perform post exploitation.


== Scanning and Recon ==
See [[Reverse Engineering]]
* https://github.com/robertdavidgraham/masscan
* https://github.com/projectdiscovery/naabu
* https://github.com/OWASP/Amass
* https://www.shodan.io/
* https://www.zoomeye.org/
* https://search.censys.io/
* https://hunter.io/
* https://fullhunt.io/
* https://www.onyphe.io/
* https://binaryedge.io/
* https://ivre.rocks/
* https://vulners.com/
* https://pulsedive.com/
* https://www.exploit-db.com
* https://github.com/six2dez/reconftw
* https://github.com/lanmaster53/recon-ng
* https://github.com/jaeles-project/jaeles
* https://github.com/1N3/Sn1per
* https://github.com/projectdiscovery/nuclei
* https://github.com/wpscanteam/wpscan
* https://github.com/OWASP/joomscan
* https://github.com/immunIT/drupwn
* https://github.com/Tuhinshubhra/RED_HAWK
* https://github.com/root-tanishq/userefuzz


=== Web Crawlers ===
== Product-specific Hacking ==
* https://github.com/jaeles-project/gospider
* https://github.com/hakluke/hakrawler


== Wordlists ==
=== Google Workspace ===
* https://wordlists.assetnote.io/
https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite
* https://github.com/danielmiessler/SecLists
* https://github.com/ameenmaali/wordlistgen


== OSINT ==
=== VMware ===
Open-source intelligence Tools/Resources
* Exploiting vCenter to add vSphere user: https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md
* https://osintframework.com/
* VMware Workspace ONE Access and Identity Manager RCE via SSTI. [https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis CVE-2022-22954:] Unauthenticated server-side template injection. [https://github.com/tunelko/CVE-2022-22954-PoC Mass Exploit]
* https://www.tracelabs.org/initiatives/osint-vm
* https://github.com/jivoi/awesome-osint
* [https://start.me/p/ZME8nR/osint osintframework.de]
* https://www.maltego.com/
* https://github.com/vysecurity/LinkedInt
* https://www.osintdojo.com/
* https://inteltechniques.com/
* https://github.com/uosint-project/uosint


== API Hacking ==
=== Rocket.Chat ===
* https://github.com/arainho/awesome-api-security
* Account hijacking and RCE as admin: [https://web.archive.org/web/20210805092939/https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy]


== Intercepting Proxies ==
=== Microsoft Exchange ===
These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications.
* https://portswigger.net/burp
* https://www.zaproxy.org/
* https://mitmproxy.org/


== Opsec ==
ProxyLogon is dead. It's mitigated by Defender. ProxyShell is not. AMSI catches unmodified public exploits.
Any illegal activity should be done from an encrypted and separate computer or virtual machine, with all traffic over Tor.
* https://www.qubes-os.org/
* https://www.whonix.org/
* https://tails.boum.org/
* The whonix wiki has lots of great info on anonymity even if you're not using whonix: https://www.whonix.org/wiki/Documentation
* https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy
* https://veracrypt.fr/
* https://www.torproject.org/
* Disable javascript (set Security Level to "Safest" in Tor Browser)


== Secure Messaging ==
* ProxyShell:  https://github.com/dmaasland/proxyshell-poc
Best practise is for your connections to go over Tor and for your messages to be end-to-end encrypted. For Jabber/XMPP make sure to enable OTR or OMEMO encryption. For email use PGP for encryption. For file sharing use onionshare.
* Improved proxyshell-poc: https://github.com/horizon3ai/proxyshell
* [https://tails.boum.org/ Tails] comes with onionshare for file sharing, pidgin with OTR for encrypted chat, and thunderbird with GPG for encrypted email
* ProxyShell (webshell via New-MailboxExportRequest): https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md
* Probably the most mature jabber client with a focus on security and privacy is [https://coy.im/ CoyIM]
* ProxyShell (webshell via New-ExchangeCertificate): https://gist.github.com/dmaasland/0720891aaf6dec8d3b42a5b92c8d6f94
* https://cwtch.im/
* Polymorphic webshells: https://github.com/grCod/poly
* https://www.thunderbird.net/ A email client with built-in support for [https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq PGP encryption]
* ProxyShell (no webshell, dump mailboxes via PowerShell): https://github.com/Jumbo-WJB/Exchange_SSRF
* https://onionshare.org/
* Proxylogon, proxyshell, proxyoracle and proxytoken full chain exploit tool: https://github.com/FDlucifer/Proxy-Attackchain
* See [https://www.whonix.org/wiki/Chat the whonix wiki] for a more detailed comparison of secure messaging software
* Automatic ProxyShell Exploit: https://github.com/Udyz/proxyshell-auto

Latest revision as of 22:37, 21 November 2023

This page aims to compile high quality resources for hackers for both the experienced and inexperienced. All books listed on this page can be found on Library Genesis.

Make sure that you follow good OPSEC when carrying out your operations! See OPSEC

General Resources

Resources that assume little to no background knowledge:

Resources that assume minimal tech background:

Resources that assume a tech or hacking background:

The Bug Hunters Methodology:

Practice labs:

Appsec:

Malware, a collection of malware source code and binaries:

General references

General resources you may find useful for learning.

See General References

OWASP Top 10 is a broad consensus about the most critical security risks to web applications. See TryHackMe's room for practical OWASP Top 10 learning and their Juice Shop.

Recommended Reading - The Library

See recommended reading books that will aid you in your learning. See recommended reading in the library

Operational security

Operational security (OPSEC) is crucial for protecting oneself from surveillance and maintaining anonymity while conducting hacktivist operations.

Recommended Measures

Any illegal hacktivity should be done from an encrypted and separate computer or virtual machine, with all traffic router over Tor.

For more information on recommended operational security measures, see Opsec Measures

Secure Messaging

Best practice for secure messaging includes proxying connections over Tor and using end-to-end encryption for messages.

Recommended Applications

For Jabber/XMPP, make sure to enable OTR or OMEMO encryption. For e-mail use PGP for encryption. For file sharing use onionshare.

For more information on recommended applications, see Secure Messaging Applications

Initial Access

There are many ways to gain initial access into a targets network, from phishing, buying credential access, buying infected machines in corporate networks, password spraying, performing a targeted penetration test and spray and pray scanning for vulnerabilities and hacking in. Here we list some resources in these regards.

Common Initial Access TTPs

For more information on gaining a foothold, see Initial Access Tactics, techniques and procedures

Attacking Common Services

Your targets will likely use many services either externally or internally, this could be SSH, RDP, SMB, etc. It's important to know their common misconfigurations, attack vectors, their attack surface and how to hack these various protocols which may serve as the initial access vector. Here we cover various tools, techniques, common misconfigurations, tips and tricks and we cover both internal and external (publicly accessible) networks.

See Common Service Attacks

Scanning and Recon

For scanning and recon tools, see Scanning and Recon. Make sure to make use of your tool's documentation and read the help menu (-hh/-h/--help).

Search Engines

Search engines are a useful tool for gathering information and intelligence from publicly available sources. Some are paid and some are free. Make sure to operate good OPSEC whenever placing a purchase for any service that will be used in your recon on a target.

For more information on recommended search engines, see Search Engines Resources

OSINT

Open-source intelligence (OSINT) refers to the collection and analysis of information from publicly available sources.

For more information on recommended tools and resources, see OSINT Tools and Resources

Persistence

Once you've found a weakness in your targets infrastructure and have been able to gain initial access you'll want to keep it and avoid detection to maintain your access to your targets network for as long as possible.

See Persistence.

Post exploitation

Windows

For Windows post exploitation, Active Directory and networking hacking, Lateral movement techniques, privilege escalation, defensive and offensive techniques:

See Hacking Windows

Linux

For performing Linux post exploitation, gaining persistence, evading detection, privilege escalation and more:

See Hacking Linux

Exfiltration

One of the main objectives for a hacktivist is that of exfiltrating data, company secrets and if your motivations is that of revealing corruption then this step is of the most importance.

See Data Exfiltration for techniques and methods for exfiltrating data out of your targets network.

Destruction

There may be times during a hacktivist operation when you come to the end of your hack, you've fully compromised your target, exfiltrated everything you can/want and now before finally leaving the network and leaking all the targets secrets online you want to cause chaos and destruction. As was seen by Guacamaya where they used sdelete64.exe -accepteula -r -s C:\* to wipe systems attached to Pronicos domain you might also want to do the same for Linux and Windows systems in your operations, maybe you want to recursively print a text file with your manifesto across a system/network, encrypt files beyond recovery or just delete everything.

See Chaos and Destruction for different ways to achieve this!

Hacking Misc

Web Application Hacking

See Hacking Web Applications

API Hacking

Application Programming Interfaces (APIs) are the plumbing of today’s financial services and FinTech infrastructure, enabling FinTechs to embed banking into their apps and banks to offer a more unified experience to their customers demanding more from their bank (Knight). APIs can be exploited to aid in data exfiltration and taking advantage of an existing service.

See Hacking APIs!

IoT Hacking

Hacking The Cloud

More and more of corporate networks are moving away from on-prem to in the cloud. Learning how to hack the cloud infrastructure of your target is a valuable skill and as time progresses more and more networks will migrate towards the cloud.

See Cloud Hacking

Reverse Engineering

As was seen by Phineas Fisher, highly motivated hacktivists who seek to hack their targets by any means necessary should consider 0-day research and exploit development, reverse engineering applications and services that their target may be running to gain an initial foothold and perform post exploitation.

See Reverse Engineering

Product-specific Hacking

Google Workspace

https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite

VMware

Rocket.Chat

Microsoft Exchange

ProxyLogon is dead. It's mitigated by Defender. ProxyShell is not. AMSI catches unmodified public exploits.