README

1. notes

• Footprinting/Attacking Common Services
  • Footprinting Principles
  • Nmap
  • Metasploit
  • Host-based Enumeration
    • FTP
    • SMB
    • NFS
    • DNS
    • Emails
      • Attacking Email Services
      • Connecting to IMAP and SMTP using Evolution
      • SMTP
      • IMAP and POP3
    • SNMP
    • Databases
      • MySQL
      • MSSQL
    • Oracle TNS
  • Linux
    • Infiltrating Linux
    • Linux Remote Management Protocol
      • SSH
      • rsync
      • R-Services
  • Windows
    • Infiltrating Windows
      os detection; banner grabbing; payloads
    • Windows Remote Management Protocol
      • RDP
      • WinRM
      • WMI
• Pivoting, Tunneling, and Port Forwarding
  • Pivoting Tunneling
• Web Enumeration
  • Web Enumeration
    passive subdomain enum; subdomain bruteforcing using gobuster dns; Shodan passive discovery of ports, devices & IoT; whatweb
  • Cloud Resources
    Amazon s3 buckets, Azure Blobs, etc through Google Dorking and passive subdomain discovery
  • DNS
    Dig different types of DNS records; Zone transfer vulnerability; subdomain bruteforcing using DNSenum
  • Virtual Hosts
    types of virtual hosts; subdomain bruteforcing using gobuster vhost
  • WHOIS
  • Web Server Scanner - Nikto
  • WAF wafw00f
  • Well Known URIs
  • Creepy Crawlies
  • Dorking
  • Internet Archive's Wayback Machine
  • Automated Reconnaissance
• Web Attacks
  • HTTP Verb Tampering
    altering HTTP methods (GET, POST, PUT, HEAD, etc) to get pass security filters
  • IDOR
    automate fuzzing IDOR; encrypted/hashed IDOR; IDOR in APIs; chaining IDORs
  • XXE Injection
    file disclosure & RCE
  • SQLMap
• Password Attack
  • John The Ripper
  • CrackMapExec
  • Cracking Network Services
    WinRM; SSH; FTP; RDP; SMB
  • Password Mutations
    brute force using specific patterns w/ hashcat
  • Default Credentials Cheatsheet
  • Cracking Files
    • Protected Files
      cracking encrypted SSH private keys, PDFs, Documents
    • Protected Archives
      cracking zip rar files
  • Linux Local Password Attacks
    • Linux Authentication
      /etc/passwd & /etc/passwd & Opasswd; cracking passwd.bak & shadow.bak
    • Linux Credential Hunting
      hunting for credentials everywhere in the system
  • Windows Local Password Attacks
    • Windows Authentication
    • Windows Credential Hunting
      find cleartext credentials somewhere on the system
    • Checking Domain
      checking the domain the system belongs to in AD
    • Windows Lateral Movement
      • Attacking SAM
        dump SAM/LSA hashes; crack offline
      • Attacking LSASS
        dump LSASS; crack offline
      • Attacking Active Directory and NTDS
        username/password spraying; extract NTDS.dit to compromise accounts on the domain controller
      • PtH
        Pass the Hash; login by hash instead of password
      • PtT from Windows
        Pass the Ticket; Exploit Kerberos tickets .kirbi for lateral movement; we can also dump the keys for PtH attack
      • PtT from Linux
        if Linux machine connected to Active Directory, which often uses Kerberos; and we have admin rights, we can use keytab and ccache files to move laterally
        • Linux Attack Tools with Kerberos
          to use linux attack tools such as evil-winrm in an AD environment, we need to configure a few things
• Shell
  • Shell
    reverse shell; bind shell; web shell
• File Transfer
  • Windows File Transfer
    Base64; PowerShell WebClient; IEX fileless downloads; SMB downloads; FTP downloads; file uploads
  • Linux File Transfer
    Base64; Wget, cURL; fileless transfer; scp; bash
  • File Transfer with Code
    transfer files with installed programming languages in the system
  • Miscellaneous File Transfer Methods
    use Netcat and Ncat to transfer files; use WinRM on PowerShell to transfer files in case HTTP/HTTPS/SMB are all unavailable; Use RDP on PowerShell to transfer files
  • Protected File Transfer
    when files are sensitive, transfer files in a secure manner
  • Detection and Evasion
    file transfer user agents may alert IDS; alter user agent to prevent IDS; use LOLBins and GTFObins to explore file transfer options using existing commands
• Privilege Escalation
  • Linux
    • Linux Privilege Escalation
    • GTFOBins
  • Windows
    • Windows Privilege Escalation
• Networking
  • Network Types
  • Network Traffic Analysis
  • Wireshark
• Vulnerability Assessment
  • Nessus
  • OpenVAS
• Miscellaneous

2. labs

pwned labs

• starting point
  • archetype
  • oopsie
  • vaccine
  • unified
• Academy
  • gettingstarted
  • Footprinting Lab Easy
  • Footprinting Lab Medium
  • Footprinting Lab Hard
  • acs easy lab
  • acs medium lab
  • acs hard lab
  • web attacks skills assesment
• Easy
  • Shocker

3. Tags.md

keywords for labs

notes: enrolled in HTB Academy CPTS path on Oct 30, 2024

2024-12-20: 28.00%

2025-01-04: 38.29%

2025-01-18: 47.25%

-- 100 commits in pentesting repo on Dec 1, 2024 --

-- 200 commits in pentesting repo on Jan 15, 2025 --