Learn to hack: Difference between revisions

This page aims to compile high quality resources for hackers. All books listed on this page can be found on Library Genesis and Z-Library.

Make sure that you follow good OPSEC when carrying out your operations! See OPSEC

General Resources

Resources that assume little to no background knowledge:

• https://www.hoppersroppers.org/training.html
• https://tryhackme.com/

Resources that assume minimal tech background:

• (book) Penetration Testing: A Hands-On Introduction to Hacking
• Bassterlord Networking Manual (translated): https://papers.vx-underground.org/papers/VXUG/Mirrors/BassterlordNetworkingManual.pdf

Resources that assume a tech or hacking background:

• (book) The Hacker Playbook 3
• books by Sparc Flow
• Hack Back! A DIY Guide
• https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak
  • translated: https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/639/original/Conti_playbook_translated.pdf

Practice labs:

• https://www.hackthebox.com/
• https://www.pentesteracademy.com/
• https://lab.pentestit.ru/
• https://overthewire.org/wargames/

Appsec:

• https://github.com/paragonie/awesome-appsec

General references

General resources you may find useful for learning. see General

OWASP Top 10 is a broad consensus about the most critical security risks to web applications.

Red Team Tools for post exploitation (Windows)

Find common vulnerabilities and misconfigurations in a windows environment to escalate your privileges: winPEAS

Red Team Tools for post exploitation (Linux)

Rooting: Rooting linux

Recommended reading - Library

See below recommended reading Books that will aid you in your learning. Some books may seem "outdated" however they are still great books to learn from for new and aspiring hackers.

• (Book) The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition
• (Book) Hacking: The Art of Exploitation, 2nd Edition 2nd Edition
• (Book) Attacking Network Protocols: A Hacker's Guide to Capture, Analysis, and Exploitation 1st Edition
• (Book) Intrusion Detection Honeypots: Detection through Deception
• (Book) Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities
• (Book) Hacking APIs: Breaking Web Application Programming Interfaces
• (Book) Real-World Bug Hunting: A Field Guide to Web Hacking
• (Book) Hands on Hacking: Become an Expert at Next Gen Penetration Testing and Purple Teaming 1st Edition
• (Book) The Hacker Playbook 3: Practical Guide To Penetration Testing
• (Book) Black Hat Python, 2nd Edition: Python Programming for Hackers and Pentesters

Active Directory

Active Directory General Tools & resources you may find useful for learning. see Active Directory

Tools

• https://mpgn.gitbook.io/crackmapexec/
• https://www.secureauth.com/labs/open-source-tools/impacket/
• https://github.com/dirkjanm/mitm6
• https://github.com/lgandx/Responder
• https://github.com/FuzzySecurity/StandIn
• https://www.joeware.net/freetools/tools/adfind/
• https://github.com/CravateRouge/bloodyAD
• https://github.com/blacklanternsecurity/MANSPIDER
• https://github.com/login-securite/DonPAPI
• Powerview/Sharpview
• Bloodhound/Sharphound

Office 365 & Azure

• Extremely in-depth technical info on everything https://o365blog.com/
• https://www.synacktiv.com/en/publications/azure-ad-introduction-for-red-teamers.html
• https://blog.xpnsec.com/azuread-connect-for-redteam/
• AAD Connect Cloud Sync: as local admin impersonate or retrieve managed password of the provagentgMSA account to dcsync.
  • see: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#reading-gmsa-password
• https://www.blackhillsinfosec.com/webcast-getting-started-in-pentesting-the-cloud-azure/
• https://github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md
• https://www.inversecos.com/

Tools

• https://github.com/nyxgeek/o365recon
• https://github.com/dirkjanm/ROADtools
• https://github.com/fox-it/adconnectdump
• https://github.com/LMGsec/o365creeper
• https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
• https://github.com/rvrsh3ll/TokenTactics
• https://github.com/nyxgeek/onedrive_user_enum
• https://github.com/dafthack/MSOLSpray
• https://github.com/dafthack/MFASweep

GSuite

https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite

C2 Frameworks

• https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc

Antivirus & EDR Evasion

• https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
• https://s3cur3th1ssh1t.github.io/Customizing_C2_Frameworks/
• https://s3cur3th1ssh1t.github.io/Powershell-and-the-.NET-AMSI-Interface/
• https://www.blackhillsinfosec.com/tag/sacred-cash-cow-tipping/
• https://blog.securityevaluators.com/creating-av-resistant-malware-part-1-7604b83ea0c0
• https://www.ired.team/offensive-security/defense-evasion
• https://www.youtube.com/watch?v=UO3PjJIiBIE
• https://github.com/matterpreter/DefenderCheck
• https://github.com/RythmStick/AMSITrigger
• https://amsi.fail

VMware

• Exploiting vCenter to add vSphere user: https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md
• VMware Workspace ONE Access and Identity Manager RCE via SSTI. CVE-2022-22954: Unauthenticated server-side template injection. Mass Exploit

RocketChat

• Account hijacking and RCE as admin: https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy

Microsoft Exchange

ProxyLogon is dead. It's mitigated by Defender. ProxyShell is not. AMSI catches unmodified public exploits.

• ProxyShell: https://github.com/dmaasland/proxyshell-poc
• Improved proxyshell-poc: https://github.com/horizon3ai/proxyshell
• ProxyShell (webshell via New-MailboxExportRequest): https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md
• ProxyShell (webshell via New-ExchangeCertificate): https://gist.github.com/dmaasland/0720891aaf6dec8d3b42a5b92c8d6f94
• Polymorphic webshells: https://github.com/grCod/poly
• ProxyShell (no webshell, dump mailboxes via PowerShell): https://github.com/Jumbo-WJB/Exchange_SSRF
• Export all mailboxes: foreach ($mbx in (Get-Mailbox)){New-MailboxExportRequest -mailbox $mbx.alias -FilePath "\\127.0.0.1\C$\Folder\$($mbx.Alias).pst"}
• Proxylogon, proxyshell, proxyoracle and proxytoken full chain exploit tool: https://github.com/FDlucifer/Proxy-Attackchain
• Automatic ProxyShell Exploit: https://github.com/Udyz/proxyshell-auto

Initial Access

There are many ways to get a foothold into a targets network, from phishing, buying credential access, buying infected machines in corporate networks, password spraying, performing a targeted penetration test and spray and pray scanning for vulnerabilities and hacking in. Here we list some resources in these regards.

For more information on gaining a foothold, see Initial Access Tactics, techniques and procedures

Scanning and Recon

For scanning and Recon tools. see Scanning and Recon

Search Engines

Search engines are a useful tool for gathering information and intelligence from publicly available sources. Some are paid and some are not. Make sure to operate good OPSEC whenever placing a purchase for any service that will be used in your recon on a target.

For more information on recommended search engines, see Search Engines Resources

Web Crawlers

• https://github.com/jaeles-project/gospider
• https://github.com/hakluke/hakrawler

Wordlists

To aid in your content discovery and password attacks

• https://wordlists.assetnote.io/
• https://github.com/danielmiessler/SecLists
• https://github.com/ameenmaali/wordlistgen

OSINT

Open-source intelligence (OSINT) refers to the collection and analysis of information from publicly available sources.

For more information on recommended tools and resources, see OSINT Tools and Resources

API Hacking

• https://github.com/arainho/awesome-api-security
• OWASP API Security

practice

• https://github.com/Checkmarx/capital

IoT Hacking

• https://github.com/V33RU/IoTSecurity101

Intercepting Proxies

These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications.

• https://portswigger.net/burp
• https://www.zaproxy.org/
• https://mitmproxy.org/

Operational security

Operational security (Opsec) is crucial for protecting oneself from surveillance and maintaining anonymity while conducting hacktivist activities.

Recommended Measures

Any illegal hacktivity should be done from an encrypted and separate computer or virtual machine, with all traffic over Tor.

For more information on recommended measures, see Opsec Measures

Secure Messaging

Best practice for secure messaging includes using connections over Tor and end-to-end encryption for messages.

Recommended Applications

For Jabber/XMPP, make sure to enable OTR or OMEMO encryption. For email use PGP for encryption. For file sharing use onionshare.

For more information on recommended applications, see Secure Messaging Applications