Learn to hack: Difference between revisions
mNo edit summary |
m (Trying to improve flow of contents) |
||
Line 3: | Line 3: | ||
Make sure that you follow good OPSEC when carrying out your operations! See [https://enlacehacktivista.org/index.php?title=Learn_to_hack#Operational_security OPSEC] | Make sure that you follow good OPSEC when carrying out your operations! See [https://enlacehacktivista.org/index.php?title=Learn_to_hack#Operational_security OPSEC] | ||
= General Resources = | |||
Resources that assume little to no background knowledge: | Resources that assume little to no background knowledge: | ||
Line 34: | Line 34: | ||
Appsec: | Appsec: | ||
* https://github.com/paragonie/awesome-appsec | * https://github.com/paragonie/awesome-appsec | ||
Malware, a collection of malware source code and binaries: | |||
* https://github.com/vxunderground/MalwareSourceCode | |||
* https://github.com/ytisf/theZoo/tree/master/malware | |||
== General references == | == General references == | ||
Line 41: | Line 45: | ||
[https://owasp.org/www-project-top-ten/ OWASP Top 10] is a broad consensus about the most critical security risks to web applications. See TryHackMe's [https://tryhackme.com/room/owasptop10 room] for practical OWASP Top 10 learning and their [https://tryhackme.com/room/owaspjuiceshop Juice Shop]. | [https://owasp.org/www-project-top-ten/ OWASP Top 10] is a broad consensus about the most critical security risks to web applications. See TryHackMe's [https://tryhackme.com/room/owasptop10 room] for practical OWASP Top 10 learning and their [https://tryhackme.com/room/owaspjuiceshop Juice Shop]. | ||
== Recommended | == Recommended Reading - The Library == | ||
See recommended reading [https://libgen.fun books] that will aid you in your learning. See [[recommended reading in the library]] | See recommended reading [https://libgen.fun books] that will aid you in your learning. See [[recommended reading in the library]] | ||
== | = Operational security = | ||
Operational security (OPSEC) is crucial for protecting oneself from surveillance and maintaining anonymity while conducting hacktivist operations. | |||
== Recommended Measures == | |||
Any illegal hacktivity should be done from an encrypted and separate computer or virtual machine, with all traffic router over Tor. | |||
For more information on recommended operational security measures, see [[Opsec Measures]] | |||
== Secure Messaging == | |||
Best practice for secure messaging includes proxying connections over Tor and using end-to-end encryption for messages. | |||
=== Recommended Applications === | |||
For Jabber/XMPP, make sure to enable OTR or OMEMO encryption. For email use PGP for encryption. For file sharing use onionshare. | |||
For more information on recommended applications, see [[Secure Messaging Applications]] | |||
= Initial Access = | |||
There are many ways to get a foothold into a targets network, from phishing, buying credential access, buying infected machines in corporate networks, password spraying, performing a targeted penetration test and spray and pray scanning for vulnerabilities and hacking in. Here we list some resources in these regards. | |||
For more information on gaining a foothold, see [[Initial Access Tactics, techniques and procedures]] | |||
== Scanning and Recon == | |||
For scanning and recon tools, see [[Scanning and Recon]]. Make sure to make use of your tool's documentation and read the help menu (-hh/-h/--help). | |||
== Search Engines == | |||
Search engines are a useful tool for gathering information and intelligence from publicly available sources. Some are paid and some are free. Make sure to operate good OPSEC whenever placing a purchase for any service that will be used in your recon on a target. | |||
For more information on recommended search engines, see [[Search Engines Resources]] | |||
== | == OSINT == | ||
Open-source intelligence (OSINT) refers to the collection and analysis of information from publicly available sources. | |||
For more information on recommended tools and resources, see [[OSINT Tools and Resources]] | |||
= Post exploitation = | |||
== C2 Frameworks == | == C2 Frameworks == | ||
[https://www.thec2matrix.com/matrix C2 Matrix] | [https://www.thec2matrix.com/matrix C2 Matrix] | ||
* https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc | * https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc | ||
== Windows == | |||
= | |||
Find common vulnerabilities and misconfigurations in a windows environment to escalate your privileges: [https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS winPEAS] | Find common vulnerabilities and misconfigurations in a windows environment to escalate your privileges: [https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS winPEAS] | ||
* https://lolbas-project.github.io | * https://lolbas-project.github.io | ||
Line 88: | Line 104: | ||
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md Windows - Using credentials] | * [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md Windows - Using credentials] | ||
=== Active Directory === | |||
Active Directory General Tools & resources you may find useful for learning. | Active Directory General Tools & resources you may find useful for learning. | ||
Line 95: | Line 110: | ||
See [[Active Directory]] for learning resources and tools. | See [[Active Directory]] for learning resources and tools. | ||
== | == Linux == | ||
* Rooting: [[Rooting linux]] | * Rooting: [[Rooting linux]] | ||
* [[Stabilizing reverse shells]] | * [[Stabilizing reverse shells]] | ||
Line 123: | Line 138: | ||
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - AMSI Bypass.md] | * [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - AMSI Bypass.md] | ||
= | = Office 365 & Azure = | ||
* Extremely in-depth technical info on everything https://o365blog.com | |||
* https://www.synacktiv.com/en/publications/azure-ad-introduction-for-red-teamers.html | |||
* https://blog.xpnsec.com/azuread-connect-for-redteam | |||
* AAD Connect Cloud Sync: as local admin impersonate or retrieve managed password of the provagentgMSA account to dcsync. | |||
** see: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#reading-gmsa-password | |||
* https://www.blackhillsinfosec.com/webcast-getting-started-in-pentesting-the-cloud-azure | |||
* https://github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md | |||
* https://www.inversecos.com | |||
== Tools == | |||
* https://github.com/nyxgeek/o365recon | |||
* https://github.com/dirkjanm/ROADtools | |||
* https://github.com/fox-it/adconnectdump | |||
* https://github.com/LMGsec/o365creeper | |||
* https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html | |||
* https://github.com/rvrsh3ll/TokenTactics | |||
* https://github.com/nyxgeek/onedrive_user_enum | |||
* https://github.com/dafthack/MSOLSpray | |||
* https://github.com/dafthack/MFASweep | |||
= Hacking Misc = | |||
== API Hacking == | |||
Application Programming Interfaces (APIs) are the plumbing of today’s financial services and FinTech infrastructure, enabling FinTechs to embed banking into their apps and banks to offer a more unified experience to their customers demanding more from their bank ([https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf Knight]). [https://owasp.org/www-project-api-security APIs can be exploited] and aid in data exfiltration and taking advantage of an existing service. | |||
See [[Hacking APIs]] | |||
== IoT Hacking == | |||
= | |||
= | |||
* https://github.com/V33RU/IoTSecurity101 | * https://github.com/V33RU/IoTSecurity101 | ||
= | == GSuite == | ||
https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite | |||
= VMware = | == VMware == | ||
* Exploiting vCenter to add vSphere user: https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md | * Exploiting vCenter to add vSphere user: https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md | ||
* VMware Workspace ONE Access and Identity Manager RCE via SSTI. [https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis CVE-2022-22954:] Unauthenticated server-side template injection. [https://github.com/tunelko/CVE-2022-22954-PoC Mass Exploit] | * VMware Workspace ONE Access and Identity Manager RCE via SSTI. [https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis CVE-2022-22954:] Unauthenticated server-side template injection. [https://github.com/tunelko/CVE-2022-22954-PoC Mass Exploit] | ||
= RocketChat = | == RocketChat == | ||
* Account hijacking and RCE as admin: [https://web.archive.org/web/20210805092939/https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy] | * Account hijacking and RCE as admin: [https://web.archive.org/web/20210805092939/https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy] | ||
= Microsoft Exchange = | == Microsoft Exchange == | ||
ProxyLogon is dead. It's mitigated by Defender. ProxyShell is not. AMSI catches unmodified public exploits. | ProxyLogon is dead. It's mitigated by Defender. ProxyShell is not. AMSI catches unmodified public exploits. | ||
Line 199: | Line 192: | ||
* Proxylogon, proxyshell, proxyoracle and proxytoken full chain exploit tool: https://github.com/FDlucifer/Proxy-Attackchain | * Proxylogon, proxyshell, proxyoracle and proxytoken full chain exploit tool: https://github.com/FDlucifer/Proxy-Attackchain | ||
* Automatic ProxyShell Exploit: https://github.com/Udyz/proxyshell-auto | * Automatic ProxyShell Exploit: https://github.com/Udyz/proxyshell-auto | ||
Revision as of 18:21, 26 July 2023
This page aims to compile high quality resources for hackers for both the experienced and inexperienced. All books listed on this page can be found on Library Genesis.
Make sure that you follow good OPSEC when carrying out your operations! See OPSEC
General Resources
Resources that assume little to no background knowledge:
Resources that assume minimal tech background:
- (book) Penetration Testing: A Hands-On Introduction to Hacking
- Bassterlord Networking Manual (translated)
- Bassterlord Networking Manual v2.0 (translated)
- Translated: Conti playbook
- LockBit 3.0 CobaltStrike: LockBit 3.0 Guide
Resources that assume a tech or hacking background:
- (book) The Hacker Playbook 3
- Hack Back! A DIY Guide
- https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak
- Tips, Tricks & Hacks Cheat Sheet: https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet
- Flexispy HackBack
- Liberty Counsel HackBack
- https://book.hacktricks.xyz
Practice labs:
- https://www.hackthebox.com
- https://academy.hackthebox.com
- https://www.pentesteracademy.com
- https://lab.pentestit.ru
- https://overthewire.org/wargames
Appsec:
Malware, a collection of malware source code and binaries:
- https://github.com/vxunderground/MalwareSourceCode
- https://github.com/ytisf/theZoo/tree/master/malware
General references
General resources you may find useful for learning. see General
OWASP Top 10 is a broad consensus about the most critical security risks to web applications. See TryHackMe's room for practical OWASP Top 10 learning and their Juice Shop.
Recommended Reading - The Library
See recommended reading books that will aid you in your learning. See recommended reading in the library
Operational security
Operational security (OPSEC) is crucial for protecting oneself from surveillance and maintaining anonymity while conducting hacktivist operations.
Recommended Measures
Any illegal hacktivity should be done from an encrypted and separate computer or virtual machine, with all traffic router over Tor.
For more information on recommended operational security measures, see Opsec Measures
Secure Messaging
Best practice for secure messaging includes proxying connections over Tor and using end-to-end encryption for messages.
Recommended Applications
For Jabber/XMPP, make sure to enable OTR or OMEMO encryption. For email use PGP for encryption. For file sharing use onionshare.
For more information on recommended applications, see Secure Messaging Applications
Initial Access
There are many ways to get a foothold into a targets network, from phishing, buying credential access, buying infected machines in corporate networks, password spraying, performing a targeted penetration test and spray and pray scanning for vulnerabilities and hacking in. Here we list some resources in these regards.
For more information on gaining a foothold, see Initial Access Tactics, techniques and procedures
Scanning and Recon
For scanning and recon tools, see Scanning and Recon. Make sure to make use of your tool's documentation and read the help menu (-hh/-h/--help).
Search Engines
Search engines are a useful tool for gathering information and intelligence from publicly available sources. Some are paid and some are free. Make sure to operate good OPSEC whenever placing a purchase for any service that will be used in your recon on a target.
For more information on recommended search engines, see Search Engines Resources
OSINT
Open-source intelligence (OSINT) refers to the collection and analysis of information from publicly available sources.
For more information on recommended tools and resources, see OSINT Tools and Resources
Post exploitation
C2 Frameworks
Windows
Find common vulnerabilities and misconfigurations in a windows environment to escalate your privileges: winPEAS
Living off the land. Evading detection with Sysinternals
- https://live.sysinternals.com (\\live.sysinternals.com\tools)
- mimikatz: https://github.com/gentilkiwi/mimikatz/releases
- https://github.com/fortra/impacket
- Disable Defender
- Windows - Using credentials
Active Directory
Active Directory General Tools & resources you may find useful for learning.
See Active Directory for learning resources and tools.
Linux
Backdoors
- Gsocket: https://github.com/hackerschoice/gsocket
- PHP: https://github.com/epinna/weevely3
- Reverse Shell Generator: https://www.revshells.com
- Meterpreter: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#meterpreter-shell
- Blog: https://dhilipsanjay.gitbook.io/ctfs/tryhackme/tryhackme/linuxbackdoors
- Database: https://www.adminer.org
Antivirus & EDR Evasion
- https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
- https://s3cur3th1ssh1t.github.io/Customizing_C2_Frameworks/
- https://s3cur3th1ssh1t.github.io/Powershell-and-the-.NET-AMSI-Interface/
- https://www.blackhillsinfosec.com/tag/sacred-cash-cow-tipping/
- https://blog.securityevaluators.com/creating-av-resistant-malware-part-1-7604b83ea0c0
- https://www.ired.team/offensive-security/defense-evasion
- https://www.youtube.com/watch?v=UO3PjJIiBIE
- https://github.com/matterpreter/DefenderCheck
- https://github.com/RythmStick/AMSITrigger
- https://amsi.fail
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - AMSI Bypass.md
Office 365 & Azure
- Extremely in-depth technical info on everything https://o365blog.com
- https://www.synacktiv.com/en/publications/azure-ad-introduction-for-red-teamers.html
- https://blog.xpnsec.com/azuread-connect-for-redteam
- AAD Connect Cloud Sync: as local admin impersonate or retrieve managed password of the provagentgMSA account to dcsync.
- https://www.blackhillsinfosec.com/webcast-getting-started-in-pentesting-the-cloud-azure
- https://github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md
- https://www.inversecos.com
Tools
- https://github.com/nyxgeek/o365recon
- https://github.com/dirkjanm/ROADtools
- https://github.com/fox-it/adconnectdump
- https://github.com/LMGsec/o365creeper
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/rvrsh3ll/TokenTactics
- https://github.com/nyxgeek/onedrive_user_enum
- https://github.com/dafthack/MSOLSpray
- https://github.com/dafthack/MFASweep
Hacking Misc
API Hacking
Application Programming Interfaces (APIs) are the plumbing of today’s financial services and FinTech infrastructure, enabling FinTechs to embed banking into their apps and banks to offer a more unified experience to their customers demanding more from their bank (Knight). APIs can be exploited and aid in data exfiltration and taking advantage of an existing service.
See Hacking APIs
IoT Hacking
GSuite
https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite
VMware
- Exploiting vCenter to add vSphere user: https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md
- VMware Workspace ONE Access and Identity Manager RCE via SSTI. CVE-2022-22954: Unauthenticated server-side template injection. Mass Exploit
RocketChat
- Account hijacking and RCE as admin: https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy
Microsoft Exchange
ProxyLogon is dead. It's mitigated by Defender. ProxyShell is not. AMSI catches unmodified public exploits.
- ProxyShell: https://github.com/dmaasland/proxyshell-poc
- Improved proxyshell-poc: https://github.com/horizon3ai/proxyshell
- ProxyShell (webshell via New-MailboxExportRequest): https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md
- ProxyShell (webshell via New-ExchangeCertificate): https://gist.github.com/dmaasland/0720891aaf6dec8d3b42a5b92c8d6f94
- Polymorphic webshells: https://github.com/grCod/poly
- ProxyShell (no webshell, dump mailboxes via PowerShell): https://github.com/Jumbo-WJB/Exchange_SSRF
- Export all mailboxes:
foreach ($mbx in (Get-Mailbox)){New-MailboxExportRequest -mailbox $mbx.alias -FilePath "\\127.0.0.1\C$\Folder\$($mbx.Alias).pst"}
- Proxylogon, proxyshell, proxyoracle and proxytoken full chain exploit tool: https://github.com/FDlucifer/Proxy-Attackchain
- Automatic ProxyShell Exploit: https://github.com/Udyz/proxyshell-auto