SUMMARY.md

Table of contents

• Introduction

Active Directory

• Reconnaissance
  • DHCP
  • DNS
  • NBT-NS
  • Responder ⚙️
  • Port scanning
  • LDAP
  • BloodHound ⚙️
  • MS-RPC
  • enum4linux ⚙️
  • Password policy
• Movement
  • Credentials
    • Dumping
      • SAM & LSA secrets
      • DPAPI secrets
      • NTDS secrets
      • LSASS secrets
      • DCSync
      • Group Policy Preferences
      • Network shares
      • Network protocols
      • Web browsers
      • In-memory secrets
      • Kerberos key list
      • 🛠️ Cached Kerberos tickets
      • 🛠️ Windows Credential Manager
      • 🛠️ Local files
      • 🛠️ Password managers
    • Cracking
    • Bruteforcing
      • Guessing
      • Spraying
      • Stuffing
    • Shuffling
    • Impersonation
  • MITM and coerced auths
    • ARP poisoning
    • DNS spoofing
    • DHCP poisoning
    • DHCPv6 spoofing
    • WSUS spoofing
    • LLMNR, NBT-NS, mDNS spoofing
    • ADIDNS poisoning
    • WPAD spoofing
    • MS-EFSR abuse (PetitPotam)
    • MS-RPRN abuse (PrinterBug)
    • MS-FSRVP abuse (ShadowCoerce)
    • MS-DFSNM abuse (DFSCoerce)
    • PushSubscription abuse
    • WebClient abuse (WebDAV)
    • 🛠️ NBT Name Overwrite
    • 🛠️ ICMP Redirect
    • 🛠️ Living off the land
  • NTLM
    • Capture
    • Relay
    • Pass the hash
  • Kerberos
    • Pre-auth bruteforce
    • Pass the key
    • Overpass the hash
    • Pass the ticket
    • Pass the cache
    • Forged tickets
      • Silver tickets
      • Golden tickets
      • Diamond tickets
      • Sapphire tickets
      • RODC Golden tickets
      • MS14-068
    • ASREQroast
    • ASREProast
    • Kerberoast
    • Delegations
      • (KUD) Unconstrained
      • (KCD) Constrained
      • (RBCD) Resource-based constrained
      • S4U2self abuse
      • Bronze Bit
    • Shadow Credentials
    • UnPAC the hash
    • Pass the Certificate
    • sAMAccountName spoofing
    • SPN-jacking
  • DACL abuse
    • AddMember
    • ForceChangePassword
    • Targeted Kerberoasting
    • ReadLAPSPassword
    • ReadGMSAPassword
    • Grant ownership
    • Grant rights
    • Logon script
    • Rights on RODC object
  • Group policies
  • 🛠️ Trusts
  • Netlogon
    • ZeroLogon
  • Certificate Services (AD-CS)
    • Certificate templates
    • CA configuration
    • Access controls
    • Web endpoints
    • Certifried
  • SCCM / MECM
  • Exchange services
    • 🛠️ PrivExchange
    • 🛠️ ProxyLogon
    • 🛠️ ProxyShell
  • Print Spooler Service
    • PrinterBug
    • PrintNightmare
  • Built-ins & settings
    • Security groups
    • MachineAccountQuota
    • Pre-Windows 2000 computers
    • RODC
• Persistence
  • Silver & Golden tickets
  • 🛠️ Golden certificate
  • GoldenGMSA
  • Skeleton key
  • AdminSDHolder
  • Delegation to KRBTGT
  • SID History
  • 🛠️ DC Shadow
  • 🛠️ CA Shadow
  • 🛠️ Access controls

Web services

• Reconnaissance
  • HTTP response headers
  • Comments and metadata
  • Error messages
  • Site crawling
  • Directory fuzzing
  • Subdomains enumeration
  • Virtual host fuzzing
  • Web Application Firewall (WAF)
  • Content Management System (CMS)
  • Other technologies
  • Known vulnerabilities
• Configuration
  • Default credentials
  • HTTP methods
  • HTTP request smuggling
  • HTTP security headers
    • Clickjacking
    • MIME type sniffing
    • 🛠️ CORS (Cross-Origin Resource Sharing)
    • 🛠️ CSP (Content Security Policy)
  • Denial of Service (DoS)
  • 🛠️ OAuth 2.0
• Accounts and sessions
  • Security policies
  • Password change
  • 🛠️ Password reset
  • Account creation
  • 🛠️ Account deletion
  • 🛠️ Logging in
• User inputs
  • File inclusion
    • LFI to RCE
      • logs poisoning
      • phpinfo
      • file upload
      • PHP wrappers and streams
      • PHP session
      • /proc
    • RFI to RCE
  • Unrestricted file upload
  • SQL injection
  • XSS (Cross-Site Scripting)
  • CSRF (Cross-Site Request Forgery)
  • SSRF (Server-Side Request Forgery)
  • IDOR (Insecure Direct Object Reference)
  • ORED Open redirect
  • Content-Type juggling
  • XXE injection
  • Insecure JSON Web Tokens
  • Insecure Cookies
  • HTTP response splitting
  • 🛠️ HTTP parameter pollution
  • 🛠️ SSTI (Server-Side Template Injection)
  • 🛠️ Insecure deserialization
  • 🛠️ CRLF injection
  • 🛠️ Arbitrary file download
  • 🛠️ Directory traversal
  • 🛠️ Null-byte injection

Systems & services

• Reconnaissance
  • 🛠️ Hosts discovery
  • Port scanning
• Initial access (protocols)
  • 🛠️ FTP
  • 🛠️ SSH
  • 🛠️ Telnet
  • 🛠️ DNS
  • 🛠️ HTTP
  • 🛠️ Kerberos
  • 🛠️ LDAP
  • 🛠️ SMB
  • 🛠️ RTSP
  • 🛠️ MSSQL
  • 🛠️ NFS
  • 🛠️ MySQL
  • 🛠️ RDP
  • 🛠️ WinRM
• Initial access (phishing)
• Privilege escalation
  • Windows
    • 🛠️ Credential dumping
    • 🛠️ Unquoted path
    • 🛠️ Scheduled tasks
    • 🛠️ Weak service permissions
    • 🛠️ Vulnerable drivers
    • 🛠️ Account privileges
    • 🛠️ Kernel exploitation
    • 🛠️ Windows Subsystem for Linux
    • 🛠️ Runas saved creds
    • Unattend files
    • 🛠️ Network secrets
    • 🛠️ Living off the land
  • UNIX-like
    • SUDO
    • SUID/SGID binaries
    • 🛠️ Capabilities
    • 🛠️ Network secrets
    • 🛠️ Living off the land
• Pivoting
  • 🛠️ Port forwarding
  • 🛠️ SOCKS proxy

Evasion

• (AV) Anti-Virus
  • 🛠️ Loader
  • 🛠️ Dropper
  • 🛠️ Obfuscation
  • 🛠️ Process injection
  • 🛠️ Stealth with C2
• 🛠️ (EDR) Endpoint Detection and Response

🛠️ Physical

• Locks
• Networking
  • Network Access Control
• Machines
  • HID injection
  • Keylogging
  • BIOS security
  • Encryption
  • Airstrike attack
• Super secret zones
  • 🍌 Banana & chocolate cake
  • 🍳 Omelette du fromage
  • 🍔 Burger du seigneur
  • 🥞 The Pancakes of Heaven

🛠️ Intelligence gathering

• CYBINT
  • Emails
  • Web infrastructure
• OSINT
• GEOINT

🛠️ RADIO

• RFID
  • Mifare Classic
    • Default keys
    • Darkside
    • Nested
• Bluetooth
• Wi-Fi
  • 🛠️ WEP
  • 🛠️ WPA2
  • 🛠️ WPS
• Wireless keyboard/mouse

🛠️ mobile apps

• Android
  • Android Debug Bridge ⚙️
  • APK transform
• iOS
  • Certificate pinning