Learn to hack
This page aims to compile high-quality resources for hackers. All books listed on this page can be found on Library Genesis and Z-Library.
General Resources
Resources that assume little to no background knowledge:
Resources that assume minimal tech background:
- (book) Penetration Testing: A Hands-On Introduction to Hacking
- Bassterlord Networking Manual (translated): https://papers.vx-underground.org/papers/VXUG/Mirrors/BassterlordNetworkingManual.pdf
Resources that assume a tech or hacking background:
- (book) The Hacker Playbook 3
- books by Sparc Flow
- Hack Back! A DIY Guide
- https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak
Practice labs:
- https://www.hackthebox.com/
- https://www.pentesteracademy.com/
- https://lab.pentestit.ru/
- https://overthewire.org/wargames/
General references:
- https://www.ired.team/
- http://pwnwiki.io/
- https://dmcxblue.gitbook.io/red-team-notes-2-0/
- https://github.com/swisskyrepo/PayloadsAllTheThings
- https://github.com/S3cur3Th1sSh1t/Pentest-Tools
Active Directory
- An excellent practical reference
- A practical reference focused on PowerShell
- https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
- https://m0chan.github.io/2019/07/30/Windows-Notes-and-Cheatsheet.html
- https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/
- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
- https://wadcoms.github.io/
- https://www.blackhillsinfosec.com/webcast-attack-tactics-5-zero-to-hero-attack/
- https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
- https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
- https://en.hackndo.com/ntlm-relay/
- https://s3cur3th1ssh1t.github.io/The-most-common-on-premise-vulnerabilities-and-misconfigurations/
- A very thorough technical background: https://zer1t0.gitlab.io/posts/attacking_ad/
- Kerberos background: https://www.tarlogic.com/blog/how-kerberos-works/
- A good overview of different lateral movement techniques: https://hackmag.com/security/lateral-guide/
Tools
- https://mpgn.gitbook.io/crackmapexec/
- https://www.secureauth.com/labs/open-source-tools/impacket/
- https://github.com/dirkjanm/mitm6
- https://github.com/lgandx/Responder
- https://github.com/FuzzySecurity/StandIn
- https://www.joeware.net/freetools/tools/adfind/
- https://github.com/CravateRouge/bloodyAD
- https://github.com/blacklanternsecurity/MANSPIDER
- https://github.com/login-securite/DonPAPI
- Powerview/Sharpview
- Bloodhound/Sharphound
Office 365 & Azure
- Extremely in-depth technical info on everything https://o365blog.com/
- https://www.synacktiv.com/en/publications/azure-ad-introduction-for-red-teamers.html
- https://blog.xpnsec.com/azuread-connect-for-redteam/
- AAD Connect Cloud Sync: as local admin, impersonate or retrieve the managed password of the provagentgMSA account to DCSync.
- https://www.blackhillsinfosec.com/webcast-getting-started-in-pentesting-the-cloud-azure/
- https://github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md
- https://www.inversecos.com/
Tools
- https://github.com/nyxgeek/o365recon
- https://github.com/dirkjanm/ROADtools
- https://github.com/fox-it/adconnectdump
- https://github.com/LMGsec/o365creeper
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/rvrsh3ll/TokenTactics
- https://github.com/nyxgeek/onedrive_user_enum
- https://github.com/dafthack/MSOLSpray
- https://github.com/dafthack/MFASweep
GSuite
- https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite
C2 Frameworks
Antivirus & EDR Evasion
- https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
- https://s3cur3th1ssh1t.github.io/Customizing_C2_Frameworks/
- https://s3cur3th1ssh1t.github.io/Powershell-and-the-.NET-AMSI-Interface/
- https://www.blackhillsinfosec.com/tag/sacred-cash-cow-tipping/
- https://blog.securityevaluators.com/creating-av-resistant-malware-part-1-7604b83ea0c0
- https://www.ired.team/offensive-security/defense-evasion
- https://www.youtube.com/watch?v=UO3PjJIiBIE
- https://github.com/matterpreter/DefenderCheck
- https://github.com/RythmStick/AMSITrigger
- https://amsi.fail
VMware
- Exploiting vCenter to add vSphere user: https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md
RocketChat
- Account hijacking and RCE as admin: https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy
Microsoft Exchange
ProxyLogon is dead. It's mitigated by Defender. ProxyShell is not. AMSI catches unmodified public exploits.
- ProxyShell: https://github.com/dmaasland/proxyshell-poc
- ProxyShell (webshell via New-MailboxExportRequest): https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md
- ProxyShell (webshell via New-ExchangeCertificate): https://gist.github.com/dmaasland/0720891aaf6dec8d3b42a5b92c8d6f94
- Polymorphic webshells: https://github.com/grCod/poly
- ProxyShell (no webshell, dump mailboxes via PowerShell): https://github.com/Jumbo-WJB/Exchange_SSRF
- Export all mailboxes:
foreach ($mbx in (Get-Mailbox)){New-MailboxExportRequest -mailbox $mbx.alias -FilePath "\\127.0.0.1\C$\Folder\$($mbx.Alias).pst"}
Initial Access
Phishing
- https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
- https://medium.com/maltrak/com-objects-p-2-your-stealthy-fileless-attack-bf78318d9165
- https://infosecwriteups.com/recipe-for-a-successful-phishing-campaign-part-1-2-dc23d927ec55
- https://www.xanthus.io/mastering-the-simulated-phishing-attack
- https://github.com/Arno0x/EmbedInHTML
- https://github.com/L4bF0x/PhishingPretexts
- http://lockboxx.blogspot.com/2018/12/gophish-evilginx2-for-phishing.html
- https://book.hacktricks.xyz/phishing-methodology
- https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective
- https://delta.navisec.io/a-pentesters-guide-part-4-grabbing-hashes-and-forging-external-footholds/
- https://www.rootshellsecurity.net/ntlm_theft-a-tool-for-file-based-forced-ntlm-hash-disclosure/
Password spraying
- https://github.com/dafthack/MSOLSpray
- https://pentestlab.blog/2019/09/05/microsoft-exchange-password-spraying/
- https://github.com/blacklanternsecurity/TREVORspray
Scanning and Recon
- https://github.com/robertdavidgraham/masscan
- https://github.com/projectdiscovery/naabu
- https://github.com/OWASP/Amass
- https://www.shodan.io/
- https://www.zoomeye.org/
- https://github.com/six2dez/reconftw
- https://search.censys.io/
- https://github.com/lanmaster53/recon-ng
Opsec
- https://www.qubes-os.org/
- https://www.whonix.org/
- https://tails.boum.org/
- The whonix wiki has lots of great info on anonymity even if you're not using whonix: https://www.whonix.org/wiki/Documentation
- https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy
- https://veracrypt.fr/