SUMMARY.md

Table of contents

• 🏠 Home

🌐 RECON

• 📡 Passive (OSINT)
  • ⏩ Metadata
  • ⏩ Social Platforms
    • Email
    • Tumbler
    • Redit
    • Github
    • Tinder
    • TikTok
    • Snapchat
    • Instagram
    • Facebook
    • Twitter
    • Google
    • LinkedIn
• 📡 Active
  • ⏩ Host Discovery / Network Mapping
  • ⏩ nmap cheat sheet
  • ⏩ masscan cheat sheet
• 📡 Web Recon
  • ⏩ Web Server Discovery
  • ⏩ Hidden Hosts
  • ⏩ Directories & Subdomains
  • ⏩ SSL Certs
  • ⏩ CMS
  • ⏩ WAF Detection
• 📡 Firewall Evasion

📗 Web Attacks

• 🟢 Server Side
  • 🟩 Authentication Mechanisms
  • 🟩 Access Control (Authorization)
  • 🟩 Directory Traversal
  • 🟩 OS Command Injection
  • 🟩 Server-Side Request Forgery (SSRF)
  • 🟩 XML External Entity (XXE) Injection
  • 🟩 File Upload
  • 🔧 SQL Injection
  • 🟩 Information Disclosure
  • 🟩 Business Logic
• 🟢 Client Side
  • 🟩 Cross-site request forgery (CSRF)
  • 🔧 Cross-site scripting (XSS)

📒 Network attacks

• 🟡 Network Services
  • 🟨 Brute Force
  • 🟨 DNS
  • 🟨 IPv6
  • 🟨 FTP
  • 🟨 SSH
  • 🟨 SMB
  • 🟨 SNMP
  • 🟨 SMTP
  • 🟨 POP3
  • 🟨 IMAP
  • 🟨 MSSQL
  • 🟨 MySQL
  • 🟨 MSRPC / RPCbind
  • 🟨 LDAP
  • 🟨 NTP
  • 🟨 NFS
  • 🟨 Telnet
  • 🟨 WebDAV
  • 🟨 RDP
  • 🟨 RSIP
  • 🟨 Rlogin
  • 🟨 VPNs
  • 🟨 Echo
  • 🔧 RTP
  • 🔧 VOIP
    • SIP
• 🟡 Network Devices
  • 🟨 IPv6 Attacks
    • Neighbor Impersonation
    • Router Advertisement Flooding
  • 🟨 Switch Attacks
    • Cisco Exploitation
    • STP Spoofing
    • VLAN Hopping
    • MAC Flood
  • 🟨 Router Attacks
    • Router Exploitation
    • HSRP Hijacking
    • 🔧 RIP Spoofing
    • 🔧 OSPF Attacks
    • 🔧 VRRP MitM
  • 🟨 NAC Bypass
    • Captive Portal
    • 802.1X / EAP Bypass
  • 🟨 Printer Exploitation
• 🟡 MITM & Poisoning
  • 🟨 Bettercap
  • 🟨 HTTPS Downgrade / HSTS Bypass
  • 🟨 Session Hijackings
  • 🟨 Malicious Update
  • 🟨 RDP Downgrade
  • 🟨 DNS Spoofing
  • 🟨 NTP Spoofing
  • 🟨 ARP Spoofing
  • 🟨 DHCP Poisoning
  • 🟨 DHCPv6 Spoofing
  • 🟨 SSDP Spoofing
  • 🟨 WSUS Spoofing
  • 🟨 ADIDNS Poisoning
  • 🟨 WPAD Abuse
• 🟡 Wireless Attacks
  • 🟨 Protocol Concepts
  • 🟨 Basics
  • 🟨 Attacks
• 🟡 Sniffing
  • 🟨 Wireshark
  • 🟨 tcpdump
• 🟡 Denial of Service

📕 Red Team

• 🔴 Windows
  • ⭕ Security Concepts
    • Windows Security Components
    • Active Directory Components
    • Kerberos
    • Loggon Sessions and Access Tokens
    • Permissions and Access Control
    • Windows Registry
    • Object Management
  • ⭕ Physical Attack
  • ⭕ Enumeration
  • ⭕ Privilege Escalation
    • DLL Hijacking
      • Phantom DLL Hijacking / Replacement
      • Search Order Hijacking ( Preloading )
      • DLL Side-Loading
    • Service Misconfigurations
      • Weak Registry Permissions
      • Insecure Service Executables
      • Insecure Permission
      • Unquoted Service Path
    • Creating a New Service (admin to system)
    • Registry
      • AlwaysInstallElevated
      • AutoRuns
    • Scheduled Tasks
    • Mass Roll-outs
    • Startup Apps
    • Installed Applications
    • Loopback Services
    • Insecure GUI APPs
    • Potatos
    • Printspoofer / SEImpersonate
    • PSEXEC (admin to system)
  • ⭕ Credential Dumping
  • ⭕ Persistence
    • Invisible Account Forger
    • Add User
    • Scheduled Tasks
    • Run Registry Keys
    • Logon Scripts
    • Screensavers Hijack
    • Powershell Profiles & Modules
    • Service Creation/Modification
    • Shortcut Modification
    • Startup Folder
    • RDP backdoors
    • COM Hijacking
• 🔴 Active Directory
  • ⭕ Domain Enumeration
  • ⭕ Tools & Frameworks
    • Evil-WinRM
    • CME cheat sheet
    • SharpSploit
    • impacket cheat sheet
    • DeathStar
  • ⭕ Exploitation
    • LLMNR Poisoning
    • SMB/NTLM Relay
    • DNS Takeover + LDAP Relay
    • Cracking Hashes
    • Password spraying
    • ADCS + PetitPotam NTLM Relay
    • EternalBlue
    • ZeroLogon
    • MS Exchange ProxyShell
    • MS Exchange ProxyLogon
    • Java JBOSS
  • ⭕ Privilege Escalation
    • Token Impersonation
    • DNS Admins
    • AD CS Abuse
    • ACL Abuse
      • GenericAll
      • Write Property
      • Self-membership
      • ForceChangePassword
      • Managed Security Groups
      • Exchange Windows Permissions
    • Group Policy Objects (GPOs)
    • Custom SSPs
    • PrintNightmare
  • ⭕ Lateral Movement
    • RDP Password Decryption
    • RDP Session Hijacking
    • headless RDP with SharpRDP
    • Domain Shares
    • SCF File Attacks
    • Pass the Hash / Password
    • Overpass the Hash / Pass the Key
    • Pass The Ticket
    • Kerberosting / AS-REP Rosting
    • Kerberos Delegation
  • ⭕ Credential Dumping
    • CredSSP / TSPKG
    • Wdigest Clear Text
    • DPAPI secrets
    • SAM & Registry
    • NTDS.dit & vshadow
    • comsvcs.dll
    • Meterpreter
    • Procdump & LSASS
    • AD User Comments
    • SYSVOL & Group Policy Preferences
    • LAPS Passwords
    • GSMA Passwords
    • HiveNightmare
    • Mimikatz Cheat sheet
    • Other Tools / Techniques
  • ⭕ Persistence
    • Certificates
    • DCSync
    • DCShadow
    • Silver Ticket
    • Golden Ticket
    • Skeleton Key
    • WMI
    • PowerShell Remoting
    • Remote Registry
    • Rights Abuse
    • AdminSDHolder
    • DSRM
    • Kerberos Checksum Validation ( MS14-068 )
• 🔴 Linux
  • ⭕ Physical Attacks
  • ⭕ Enumeration
  • ⭕ Privilege Escalation
    • SUID / SGID abuse
    • /etc/shadow & /etc/passwd
    • cron/crontab abuse
    • Sudo Abuse
    • Capabilities Abuse
    • Environment Variables
      • LD_LIBRARY_PATH
      • LD_PRELOAD
    • Shared Object Injection
    • NFS
    • man CE Pager Argument
    • MySQL UDF
    • UDEVD
    • STDIN/STDOUT
    • Unix Socket Exploitation
    • Dirty Pipe
    • Docker
      • SUID Docker
  • ⭕ Lateral Movement
    • Infecting Running Processes
    • VIM Config File Keylogger
    • SSH Hijacking
    • Samba Secrets to Domain Admin
    • Hiding Processes
    • Simple User-mode Rootkits
    • Vino VNC Server
  • ⭕ Credential Dumping
    • Swap Dump
    • mimipinguin
    • unshadow
    • 3snake
  • ⭕ Persistence
    • Startup User File Backdoor
    • PHP Backdoor
    • Apache mod_rootme
    • Startup Service Backdoor
    • xdg Backdoor
    • rootbash SUID
    • apt Backdoor
    • Driver Backdoor
    • Core Pattern
    • dash Backdoor
    • Creating an SUID Binary
    • Systemd netcat bind shell
    • Xinetd UDP portnock
    • openSSL reverse shell
    • motd Backdoor
    • Auth Log Backdoor
    • RSYSLOG Backdoor
    • sshd Backdoor
    • VIM Config Backdoor
    • .bashrc Backdoor
    • Adding a Root user
    • Crontab Reverse Shell
    • SSH persistence password-less
  • ⭕ Covering Tracks
• 🔴 Command & Control (C2)
  • ⭕ Cobalt Strike
  • ⭕ Metasploit
  • ⭕ Empire & Starkiller
  • ⭕ Covenant
• 🔴 Shells and Payloads
  • ⭕ Shell Escape / Interactive Shell
  • ⭕ LOL Binaries
  • ⭕ msfvenom
  • ⭕ SharpShooter & Ivy
  • ⭕ Other Payloads
• 🔴 Payload Delivery
  • ⭕ Powershell Reflective DLL Load
  • ⭕ HTML Smuggling
  • ⭕ Office Macros
  • ⭕ DDE Auto - Word/Excel
  • ⭕ .SLK Excel
  • ⭕ XLM Macro 4.0
  • ⭕ LNK
  • ⭕ embedded OLE + LNK objects
  • ⭕ JScript
  • ⭕ HTA
  • ⭕ VBS
  • ⭕ VBA
  • ⭕ RTF
  • ⭕ REG
  • ⭕ MSI / MSIEXEC
  • ⭕ IQY
  • ⭕ CHM / HHC
  • ⭕ SCR
• 🔴 Pivoting
  • ⭕ SSH Forwarding
  • ⭕ Socat Stealth Port Forward
  • ⭕ Socat Reverse Shell Relay
  • ⭕ HTTP Tunneling
  • ⭕ ICMP Tunneling
  • ⭕ DNS Tunneling
  • ⭕ Metasploit Pivoting
  • ⭕ Cobalt Strike Pivoteing
  • ⭕ VPN Tunneling
  • ⭕ Other Tools
• 🔴 Exfiltration / File Transfer
  • ⭕ Encode / Decode Files
  • ⭕ TCP / UDP
  • ⭕ DNS
  • ⭕ SSH
  • ⭕ ICMP
  • ⭕ SMB
  • ⭕ FTP
  • ⭕ HTTP
  • ⭕ Other Methods
• 🔴 Password Attacks
  • ⭕ Online Attacks
  • ⭕ Offline Attack
  • ⭕ Word List
  • ⭕ Cheat Sheet
• 🔴 Defense Evasion
  • ⭕ Basic Tricks
  • 🔧 Powershell Tricks
  • ⭕ Disabling Defenses
  • ⭕ UAC Bypass
  • ⭕ Process Migration
  • ⭕ Dechaining Macros
  • ⭕ VBA Sandbox Evasion
  • ⭕ Binary Properties & Code Signing
  • ⭕ AMSI Bypass
  • ⭕ SRP & AppLocker Bypass
  • ⭕ GPO Bypass

💀 Malware Development

• ☠ Evasion Concepts Primer
• ☠ Shellcode Placement
• ☠ Shellcode Encoding & Encryption
• ☠ Code Obfuscation
  • ⚪ Function Call Obfuscation

📘 Blue Team

• 🔵 Threat Modeling / Hunting / Intelligence
• 🔵 Linux Hardening
  • 🔹 OS Security
    • Update Strategy
    • Service Management
    • Physical Security
    • Grub Hardening
    • Kernel Parameters
    • Process Isolation
  • 🔹 Accounts & Passwords
    • Users & Groups
    • Password Security & Sudoers
  • 🔹 Access Control & Ownership
  • 🔹 File System Security
  • 🔹 Integrity Check
  • 🔹 Sandboxing
  • 🔹 Network
  • 🔹 iptables
    • Rule Sets
  • 🔹 Service Hardening
    • BIND9
    • vsftpd
    • Nginx
    • Apache
    • SSH
  • 🔹 System Audit
  • 🔹 Logging
    • auditd
  • 🔹 Encryption
• 🔵 Security Architecture
  • 🔹 Layered Security

🟪 Purple Teaming

• 🟣 Adversary Emulation

🟧 programming

• 🟠 C Programming
  • 🔸 Basic Structure
  • 🔸 GCC Compiler
  • 🔸 Preprocessors
  • 🔸 Data Types
  • 🔸 Type Qualifiers
  • 🔸 Pointers
  • 🔸 Dynamic Memory Allocation
  • 🔸 Loops
  • 🔸 Conditional Statements
  • 🔸 Functions
  • 🔸 Input / Output
  • 🔸 Macros
  • 🔸 Files
  • 🔸 Strings Manipulation
  • 🔸 Bit Manipulation
  • 🔸 Data Structures
    • Arrays
    • Structures
    • Unions
  • 🔸 Abstract Data Types
    • Stack
    • Queue
    • Linked List
      • Singly Linked List
      • Doubly Linked List
  • 🔸 Libraries & Linking
  • 🔸 Error Recovery
• 🔧 Assembly ( NASM )
  • Intel IA-32 Environment
  • Basic Structure
  • Variables and Data Types
  • Most-used Instructions
  • input / output

🟫 Miscellaneous

• 🟤 GNU Screen / tmux
• 🟤 SSH Tricks
• 🟤 Cats
  • netcat
  • ncat
  • pwncat
  • socat
  • 🔧 powercat
• 🟤 Curl
• 🟤 Cross-compiling Binaries