Learn to hack: Difference between revisions
Jump to navigation
Jump to search
Amongomous (talk | contribs) |
Amongomous (talk | contribs) No edit summary |
||
| Line 107: | Line 107: | ||
== RocketChat == | == RocketChat == | ||
* Account hijacking and RCE as admin: https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy | * Account hijacking and RCE as admin: https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy | ||
== Microsoft Exchange == | |||
ProxyLogon is dead. It's mitigated by Defender. ProxyShell is not. AMSI catches unmodified public exploits. | |||
* ProxyShell: https://github.com/dmaasland/proxyshell-poc | |||
* ProxyShell (webshell via New-MailboxExportRequest): https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md | |||
* ProxyShell (webshell via New-ExchangeCertificate): https://gist.github.com/dmaasland/0720891aaf6dec8d3b42a5b92c8d6f94 | |||
* Polymorphic webshells: https://github.com/grCod/poly | |||
* ProxyShell (no webshell, dump mailboxes via PowerShell): https://github.com/Jumbo-WJB/Exchange_SSRF | |||
* Export all mailboxes: <code>foreach ($mbx in (Get-Mailbox)){New-MailboxExportRequest -mailbox $mbx.alias -FilePath "\\127.0.0.1\C$\Folder\$($mbx.Alias).pst"}</code> | |||
== Initial Access == | == Initial Access == | ||
Revision as of 15:13, 7 March 2022
This page aims to compile high quality resources for hackers. All books listed on this page can be found on Library Genesis and Z-Library
General Resources
Resources that assume little to no background knowledge:
Resources that assume minimal tech background:
- (book) Penetration Testing: A Hands-On Introduction to Hacking
- Bassterlord Networking Manual (translated): https://papers.vx-underground.org/papers/VXUG/Mirrors/BassterlordNetworkingManual.pdf
Resources that assume a tech or hacking background:
- (book) The Hacker Playbook 3
- books by Sparc Flow
- Hack Back! A DIY Guide
- https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak
Practice labs:
- https://www.hackthebox.com/
- https://www.pentesteracademy.com/
- https://lab.pentestit.ru/
- https://overthewire.org/wargames/
General references:
- https://www.ired.team/
- http://pwnwiki.io/
- https://dmcxblue.gitbook.io/red-team-notes-2-0/
- https://github.com/swisskyrepo/PayloadsAllTheThings
- https://github.com/S3cur3Th1sSh1t/Pentest-Tools
Active Directory
- An excellent practical reference
- A practical reference focused on powershell
- https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
- https://m0chan.github.io/2019/07/30/Windows-Notes-and-Cheatsheet.html
- https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/
- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
- https://wadcoms.github.io/
- https://www.blackhillsinfosec.com/webcast-attack-tactics-5-zero-to-hero-attack/
- https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
- https://s3cur3th1ssh1t.github.io/The-most-common-on-premise-vulnerabilities-and-misconfigurations/
- A very thorough technical background: https://zer1t0.gitlab.io/posts/attacking_ad/
- kerberos background: https://www.tarlogic.com/blog/how-kerberos-works/
- A good overview of different lateral movement techniques: https://hackmag.com/security/lateral-guide/
Tools
- https://mpgn.gitbook.io/crackmapexec/
- https://www.secureauth.com/labs/open-source-tools/impacket/
- https://github.com/dirkjanm/mitm6
- https://github.com/lgandx/Responder
- https://github.com/FuzzySecurity/StandIn
- https://www.joeware.net/freetools/tools/adfind/
- https://github.com/CravateRouge/bloodyAD
- https://github.com/blacklanternsecurity/MANSPIDER
- https://github.com/login-securite/DonPAPI
- Powerview/Sharpview
- Bloodhound/Sharphound
Office 365 & Azure
- Extremely in-depth technical info on everything https://o365blog.com/
- https://www.synacktiv.com/en/publications/azure-ad-introduction-for-red-teamers.html
- https://blog.xpnsec.com/azuread-connect-for-redteam/
- AAD Connect Cloud Sync: as local admin impersonate or retrieve managed password of the provagentgMSA account to dcsync.
- https://www.blackhillsinfosec.com/webcast-getting-started-in-pentesting-the-cloud-azure/
- https://github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md
- https://www.inversecos.com/
Tools
- https://github.com/nyxgeek/o365recon
- https://github.com/dirkjanm/ROADtools
- https://github.com/fox-it/adconnectdump
- https://github.com/LMGsec/o365creeper
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/rvrsh3ll/TokenTactics
- https://github.com/nyxgeek/onedrive_user_enum
- https://github.com/dafthack/MSOLSpray
- https://github.com/dafthack/MFASweep
GSuite
https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite
C2 Frameworks
Antivirus & EDR Evasion
- https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
- https://s3cur3th1ssh1t.github.io/Customizing_C2_Frameworks/
- https://s3cur3th1ssh1t.github.io/Powershell-and-the-.NET-AMSI-Interface/
- https://www.blackhillsinfosec.com/tag/sacred-cash-cow-tipping/
- https://blog.securityevaluators.com/creating-av-resistant-malware-part-1-7604b83ea0c0
- https://www.ired.team/offensive-security/defense-evasion
- https://www.youtube.com/watch?v=UO3PjJIiBIE
- https://github.com/matterpreter/DefenderCheck
- https://github.com/RythmStick/AMSITrigger
- https://amsi.fail
VMware
- Exploiting vCenter to add vSphere user: https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md
RocketChat
- Account hijacking and RCE as admin: https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy
Microsoft Exchange
ProxyLogon is dead. It's mitigated by Defender. ProxyShell is not. AMSI catches unmodified public exploits.
- ProxyShell: https://github.com/dmaasland/proxyshell-poc
- ProxyShell (webshell via New-MailboxExportRequest): https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md
- ProxyShell (webshell via New-ExchangeCertificate): https://gist.github.com/dmaasland/0720891aaf6dec8d3b42a5b92c8d6f94
- Polymorphic webshells: https://github.com/grCod/poly
- ProxyShell (no webshell, dump mailboxes via PowerShell): https://github.com/Jumbo-WJB/Exchange_SSRF
- Export all mailboxes:
foreach ($mbx in (Get-Mailbox)){New-MailboxExportRequest -mailbox $mbx.alias -FilePath "\\127.0.0.1\C$\Folder\$($mbx.Alias).pst"}
Initial Access
Phishing
- https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
- https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
- https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
- https://www.xanthus.io/mastering-the-simulated-phishing-attack
- https://github.com/Arno0x/EmbedInHTML
- https://github.com/L4bF0x/PhishingPretexts
- http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
- https://book.hacktricks.xyz/phishing-methodology
- https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
Password spraying
- https://github.com/dafthack/MSOLSpray
- https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying/
- https://github.com/blacklanternsecurity/TREVORspray
Scanning and Recon
- https://github.com/robertdavidgraham/masscan
- https://github.com/projectdiscovery/naabu
- https://github.com/OWASP/Amass
- https://www.shodan.io/
- https://www.zoomeye.org/
Opsec
- https://www.qubes-os.org/
- https://www.whonix.org/
- https://tails.boum.org/
- The whonix wiki has lots of great info on anonymity even if you're not using whonix: https://www.whonix.org/wiki/Documentation
- https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy
- https://veracrypt.fr/