Learn to hack
Make sure that you follow good OPSEC when carrying out your operations! See OPSEC
Resources that assume little to no background knowledge:
Resources that assume minimal tech background:
- (book) Penetration Testing: A Hands-On Introduction to Hacking
- Bassterlord Networking Manual (translated) (Focuses on exploiting and hacking into networks via Forti SSL VPN)
- Bassterlord Networking Manual v2.0 (translated) (Focuses on VPN brute forcing)
- Translated: Conti playbook
- LockBit 3.0 CobaltStrike: LockBit 3.0 Guide
Resources that assume a tech or hacking background:
- (book) The Hacker Playbook 3
- Hack Back! A DIY Guide
- Flexispy Hack Back
- Liberty Counsel Hack Back
- Catalan Police Union Hack Back
- Pronico Hack Back
The Bug Hunter's Methodology:
- Application Analysis: https://youtu.be/FqnSAa2KmBI
- The Bug Hunter's Methodology v4.0: https://youtu.be/p4JgIu1mceI?si=jXcYksd4UqodZDBF
Malware, a collection of malware source code and binaries:
General resources you may find useful for learning.
Recommended Reading - The Library
Operational security (OPSEC) is crucial for protecting oneself from surveillance and maintaining anonymity while conducting hacktivist operations.
Any illegal hacktivity should be done from an encrypted and separate computer or virtual machine, with all traffic routed over Tor.
For more information on recommended operational security measures, see Opsec Measures
Best practice for secure messaging includes proxying connections over Tor and using end-to-end encryption for messages.
For Jabber/XMPP, make sure to enable OTR or OMEMO encryption. For e-mail use PGP for encryption. For file sharing use onionshare.
For more information on recommended applications, see Secure Messaging Applications
There are many ways to gain initial access into a target's network: phishing, buying credential access, buying infected machines in corporate networks, password spraying, performing a targeted penetration test, or spray-and-pray scanning for vulnerabilities and hacking in. Here we list some resources in these regards.
Common Initial Access TTPs
For more information on gaining a foothold, see Initial Access Tactics, techniques and procedures
Attacking Common Services
Your targets will likely use many services, either externally or internally; this could be SSH, RDP, SMB, etc. It's important to know their common misconfigurations, attack vectors and attack surface, and how these protocols may serve as the initial access vector. Here we cover various tools, techniques, common misconfigurations, tips and tricks, for both internal and external (publicly accessible) networks.
Scanning and Recon
Search engines are a useful tool for gathering information and intelligence from publicly available sources. Some are paid and some are free. Make sure to practise good OPSEC whenever placing a purchase for any service that will be used in your recon on a target.
For more information on recommended search engines, see Search Engines Resources
Open-source intelligence (OSINT) refers to the collection and analysis of information from publicly available sources.
For more information on recommended tools and resources, see OSINT Tools and Resources
Once you've found a weakness in your target's infrastructure and have been able to gain initial access, you'll want to keep it and avoid detection, so that you maintain access to your target's network for as long as possible.
For Windows post exploitation, Active Directory and network hacking, lateral movement techniques, privilege escalation, and defensive and offensive techniques:
See Hacking Windows
For performing Linux post exploitation, gaining persistence, evading detection, privilege escalation and more:
See Hacking Linux
One of the main objectives for a hacktivist is exfiltrating data and company secrets; if your motivation is revealing corruption, then this step is of the utmost importance.
See Data Exfiltration for techniques and methods for exfiltrating data out of your target's network.
There may be times during a hacktivist operation when you come to the end of your hack: you've fully compromised your target, exfiltrated everything you can/want, and now, before finally leaving the network and leaking all the target's secrets online, you want to cause chaos and destruction. As was seen with Guacamaya, who used
sdelete64.exe -accepteula -r -s C:\* to wipe systems attached to Pronico's domain, you might also want to do the same for Linux and Windows systems in your operations; maybe you want to recursively print a text file with your manifesto across a system/network, encrypt files beyond recovery, or just delete everything.
See Chaos and Destruction for different ways to achieve this!
Web Application Hacking
Application Programming Interfaces (APIs) are the plumbing of today’s financial services and FinTech infrastructure, enabling FinTechs to embed banking into their apps and banks to offer a more unified experience to their customers demanding more from their bank (Knight). APIs can be exploited to aid in data exfiltration and taking advantage of an existing service.
See Hacking APIs!
Hacking The Cloud
More and more corporate networks are moving away from on-prem and into the cloud. Learning how to hack the cloud infrastructure of your target is a valuable skill, and as time progresses more and more networks will migrate towards the cloud.
See Cloud Hacking
As was seen with Phineas Fisher, highly motivated hacktivists who seek to hack their targets by any means necessary should consider 0-day research and exploit development, reverse engineering the applications and services that their target may be running to gain an initial foothold and perform post exploitation.
- Exploiting vCenter to add vSphere user: https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md
- VMware Workspace ONE Access and Identity Manager RCE via SSTI. CVE-2022-22954: Unauthenticated server-side template injection. Mass Exploit
- Account hijacking and RCE as admin: https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy
ProxyLogon is dead. It's mitigated by Defender. ProxyShell is not. AMSI catches unmodified public exploits.
- ProxyShell: https://github.com/dmaasland/proxyshell-poc
- Improved proxyshell-poc: https://github.com/horizon3ai/proxyshell
- ProxyShell (webshell via New-MailboxExportRequest): https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md
- ProxyShell (webshell via New-ExchangeCertificate): https://gist.github.com/dmaasland/0720891aaf6dec8d3b42a5b92c8d6f94
- Polymorphic webshells: https://github.com/grCod/poly
- ProxyShell (no webshell, dump mailboxes via PowerShell): https://github.com/Jumbo-WJB/Exchange_SSRF
- Proxylogon, proxyshell, proxyoracle and proxytoken full chain exploit tool: https://github.com/FDlucifer/Proxy-Attackchain
- Automatic ProxyShell Exploit: https://github.com/Udyz/proxyshell-auto