2. 👾 Welcome!
  3. HackTricks
  4. HackTricks Values & FAQ
  5. About the author
  7. 🤩 Generic Methodologies & Resources
  8. Pentesting Methodology
  9. External Recon Methodology
    1. Wide Source Code Search
    2. Github Dorks & Leaks
  11. Pentesting Network
    1. DHCPv6
    2. EIGRP Attacks
    3. GLBP & HSRP Attacks
    4. IDS and IPS Evasion
    5. Lateral VLAN Segmentation Bypass
    6. Network Protocols Explained (ESP)
    7. Nmap Summary (ESP)
    8. Pentesting IPv6
    9. WebRTC DoS
    10. Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
    11. Spoofing SSDP and UPnP Devices with EvilSSDP
  13. Pentesting Wifi
    1. Evil Twin EAP-TLS
  15. Phishing Methodology
    1. Clone a Website
    2. Detecting Phishing
    3. Phishing Files & Documents
  17. Basic Forensic Methodology
    1. Baseline Monitoring
    2. Anti-Forensic Techniques
    3. Docker Forensics
    4. Image Acquisition & Mount
    5. Linux Forensics
    6. Malware Analysis
    7. Memory dump analysis
      1. Volatility - CheatSheet
    9. Partitions/File Systems/Carving
      1. File/Data Carving & Recovery Tools
    11. Pcap Inspection
      1. DNSCat pcap analysis
      2. Suricata & Iptables cheatsheet
      3. USB Keystrokes
      4. Wifi Pcap Analysis
      5. Wireshark tricks
    13. Specific Software/File-Type Tricks
      1. Decompile compiled python binaries (exe, elf) - Retreive from .pyc
      2. Browser Artifacts
      3. Deofuscation vbs (cscript.exe)
      4. Local Cloud Storage
      5. Office file analysis
      6. PDF File analysis
      7. PNG tricks
      8. Video and Audio file analysis
      9. ZIPs tricks
    15. Windows Artifacts
      1. Interesting Windows Registry Keys
  19. Python Sandbox Escape & Pyscript
    1. Bypass Python sandboxes
      1. LOAD_NAME / LOAD_CONST opcode OOB Read
    3. Class Pollution (Python's Prototype Pollution)
    4. Python Internal Read Gadgets
    5. Pyscript
    6. venv
    7. Web Requests
    8. Bruteforce hash (few chars)
    9. Basic Python
  21. Threat Modeling
  23. 🧙‍♂️ Generic Hacking
  24. Brute Force - CheatSheet
  25. Exfiltration
  26. Reverse Shells (Linux, Windows, MSFVenom)
    1. MSFVenom - CheatSheet
    2. Reverse Shells - Windows
    3. Reverse Shells - Linux
    4. Expose local to the internet
    5. Full TTYs
  28. Search Exploits
  29. Tunneling and Port Forwarding
  31. 🐧 Linux Hardening
  32. Checklist - Linux Privilege Escalation
  33. Linux Privilege Escalation
    1. Arbitrary File Write to Root
    2. Cisco - vmanage
    3. Containerd (ctr) Privilege Escalation
    4. D-Bus Enumeration & Command Injection Privilege Escalation
    5. Docker Security
      1. Abusing Docker Socket for Privilege Escalation
      2. AppArmor
      3. AuthZ& AuthN - Docker Access Authorization Plugin
      4. CGroups
      5. Docker --privileged
      6. Docker Breakout / Privilege Escalation
        1. release_agent exploit - Relative Paths to PIDs
        2. Docker release_agent cgroups escape
        3. Sensitive Mounts
      8. Namespaces
        1. CGroup Namespace
        2. IPC Namespace
        3. PID Namespace
        4. Mount Namespace
        5. Network Namespace
        6. Time Namespace
        7. User Namespace
        8. UTS Namespace
      10. Seccomp
      11. Weaponizing Distroless
    7. Escaping from Jails
    8. euid, ruid, suid
    9. Interesting Groups - Linux Privesc
      1. lxd/lxc Group - Privilege escalation
    11. Logstash
    12. ld.so privesc exploit example
    13. Linux Active Directory
    14. Linux Capabilities
    15. NFS no_root_squash/no_all_squash misconfiguration PE
    16. Node inspector/CEF debug abuse
    17. Payloads to execute
    18. RunC Privilege Escalation
    19. SELinux
    20. Socket Command Injection
    21. Splunk LPE and Persistence
    22. SSH Forward Agent exploitation
    23. Wildcards Spare tricks
  35. Useful Linux Commands
  36. Bypass Linux Restrictions
    1. Bypass FS protections: read-only / no-exec / Distroless
      1. DDexec / EverythingExec
  38. Linux Environment Variables
  39. Linux Post-Exploitation
    1. PAM - Pluggable Authentication Modules
  41. FreeIPA Pentesting
  43. 🍏 MacOS Hardening
  44. macOS Security & Privilege Escalation
    1. macOS Apps - Inspecting, debugging and Fuzzing
      1. Objects in memory
      2. Introduction to x64
      3. Introduction to ARM64v8
    3. macOS AppleFS
    4. macOS Bypassing Firewalls
    5. macOS Defensive Apps
    6. macOS GCD - Grand Central Dispatch
    7. macOS Kernel & System Extensions
      1. macOS IOKit
      2. macOS Kernel Extensions & Debugging
      3. macOS Kernel Vulnerabilities
      4. macOS System Extensions
    9. macOS Network Services & Protocols
    10. macOS File Extension & URL scheme app handlers
    11. macOS Files, Folders, Binaries & Memory
      1. macOS Bundles
      2. macOS Installers Abuse
      3. macOS Memory Dumping
      4. macOS Sensitive Locations & Interesting Daemons
      5. macOS Universal binaries & Mach-O Format
    13. macOS Objective-C
    14. macOS Privilege Escalation
    15. macOS Process Abuse
      1. macOS Dirty NIB
      2. macOS Chromium Injection
      3. macOS Electron Applications Injection
      4. macOS Function Hooking
      5. macOS IPC - Inter Process Communication
        1. macOS MIG - Mach Interface Generator
        2. macOS XPC
          1. macOS XPC Authorization
          2. macOS XPC Connecting Process Check
            1. macOS PID Reuse
            2. macOS xpc_connection_get_audit_token Attack
        4. macOS Thread Injection via Task port
      7. macOS Java Applications Injection
      8. macOS Library Injection
        1. macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
        2. macOS Dyld Process
      10. macOS Perl Applications Injection
      11. macOS Python Applications Injection
      12. macOS Ruby Applications Injection
      13. macOS .Net Applications Injection
    17. macOS Security Protections
      1. macOS Gatekeeper / Quarantine / XProtect
      2. macOS Launch/Environment Constraints & Trust Cache
      3. macOS Sandbox
        1. macOS Default Sandbox Debug
        2. macOS Sandbox Debug & Bypass
          1. macOS Office Sandbox Bypasses
      5. macOS Authorizations DB & Authd
      6. macOS SIP
      7. macOS TCC
        1. macOS Apple Events
        2. macOS TCC Bypasses
          1. macOS Apple Scripts
        4. macOS TCC Payloads
      9. macOS Dangerous Entitlements & TCC perms
      10. macOS - AMFI - AppleMobileFileIntegrity
      11. macOS MACF - Mandatory Access Control Framework
      12. macOS Code Signing
      13. macOS FS Tricks
        1. macOS xattr-acls extra stuff
    19. macOS Users & External Accounts
  46. macOS Red Teaming
    1. macOS MDM
      1. Enrolling Devices in Other Organisations
      2. macOS Serial Number
    3. macOS Keychain
  48. macOS Useful Commands
  49. macOS Auto Start
  51. 🪟 Windows Hardening
  52. Checklist - Local Windows Privilege Escalation
  53. Windows Local Privilege Escalation
    1. Abusing Tokens
    2. Access Tokens
    3. ACLs - DACLs/SACLs/ACEs
    4. AppendData/AddSubdirectory permission over service registry
    5. Create MSI with WIX
    6. COM Hijacking
    7. Dll Hijacking
      1. Writable Sys Path +Dll Hijacking Privesc
    9. DPAPI - Extracting Passwords
    10. From High Integrity to SYSTEM with Name Pipes
    11. Integrity Levels
    12. JuicyPotato
    13. Leaked Handle Exploitation
    14. MSI Wrapper
    15. Named Pipe Client Impersonation
    16. Privilege Escalation with Autoruns
    17. RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
    18. SeDebug + SeImpersonate copy token
    19. SeImpersonate from High To System
    20. Windows C Payloads
  55. Active Directory Methodology
    1. Abusing Active Directory ACLs/ACEs
      1. Shadow Credentials
    3. AD Certificates
      1. AD CS Account Persistence
      2. AD CS Domain Escalation
      3. AD CS Domain Persistence
      4. AD CS Certificate Theft
    5. AD information in printers
    6. AD DNS Records
    7. ASREPRoast
    8. BloodHound & Other AD Enum Tools
    9. Constrained Delegation
    10. Custom SSP
    11. DCShadow
    12. DCSync
    13. Diamond Ticket
    14. DSRM Credentials
    15. External Forest Domain - OneWay (Inbound) or bidirectional
    16. External Forest Domain - One-Way (Outbound)
    17. Golden Ticket
    18. Kerberoast
    19. Kerberos Authentication
    20. Kerberos Double Hop Problem
    21. LAPS
    22. MSSQL AD Abuse
    23. Over Pass the Hash/Pass the Key
    24. Pass the Ticket
    25. Password Spraying / Brute Force
    26. PrintNightmare
    27. Force NTLM Privileged Authentication
    28. Privileged Groups
    29. RDP Sessions Abuse
    30. Resource-based Constrained Delegation
    31. Security Descriptors
    32. SID-History Injection
    33. Silver Ticket
    34. Skeleton Key
    35. Unconstrained Delegation
  57. Windows Security Controls
    1. UAC - User Account Control
  59. NTLM
    1. Places to steal NTLM creds
  61. Lateral Movement
    1. AtExec / SchtasksExec
    2. DCOM Exec
    3. PsExec/Winexec/ScExec
    4. RDPexec
    5. SCMexec
    6. WinRM
    7. WmiExec
  63. Pivoting to the Cloud$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/index.html$$
  64. Stealing Windows Credentials
    1. Windows Credentials Protections
    2. Mimikatz
    3. WTS Impersonator
  66. Basic Win CMD for Pentesters
  67. Basic PowerShell for Pentesters
    1. PowerView/SharpView
  69. Antivirus (AV) Bypass
  70. Cobalt Strike
  71. Mythic
  73. 📱 Mobile Pentesting
  74. Android APK Checklist
  75. Android Applications Pentesting
    1. Android Applications Basics
    2. Android Task Hijacking
    3. ADB Commands
    4. APK decompilers
    5. AVD - Android Virtual Device
    6. Bypass Biometric Authentication (Android)
    7. content:// protocol
    8. Drozer Tutorial
      1. Exploiting Content Providers
    10. Exploiting a debuggeable application
    11. Frida Tutorial
      1. Frida Tutorial 1
      2. Frida Tutorial 2
      3. Frida Tutorial 3
      4. Objection Tutorial
    13. Google CTF 2018 - Shall We Play a Game?
    14. Install Burp Certificate
    15. Intent Injection
    16. Make APK Accept CA Certificate
    17. Manual DeObfuscation
    18. React Native Application
    19. Reversing Native Libraries
    20. Smali - Decompiling/[Modifying]/Compiling
    21. Spoofing your location in Play Store
    22. Tapjacking
    23. Webview Attacks
  77. iOS Pentesting Checklist
  78. iOS Pentesting
    1. iOS App Extensions
    2. iOS Basics
    3. iOS Basic Testing Operations
    4. iOS Burp Suite Configuration
    5. iOS Custom URI Handlers / Deeplinks / Custom Schemes
    6. iOS Extracting Entitlements From Compiled Application
    7. iOS Frida Configuration
    8. iOS Hooking With Objection
    9. iOS Protocol Handlers
    10. iOS Serialisation and Encoding
    11. iOS Testing Environment
    12. iOS UIActivity Sharing
    13. iOS Universal Links
    14. iOS UIPasteboard
    15. iOS WebViews
  80. Cordova Apps
  81. Xamarin Apps
  83. 👽 Network Services Pentesting
  84. Pentesting JDWP - Java Debug Wire Protocol
  85. Pentesting Printers$$external:http://hacking-printers.net/wiki/index.php/Main_Page$$
  86. Pentesting SAP
  87. Pentesting VoIP
    1. Basic VoIP Protocols
      1. SIP (Session Initiation Protocol)
  89. Pentesting Remote GdbServer
  90. 7/tcp/udp - Pentesting Echo
  91. 21 - Pentesting FTP
    1. FTP Bounce attack - Scan
    2. FTP Bounce - Download 2ºFTP file
  93. 22 - Pentesting SSH/SFTP
  94. 23 - Pentesting Telnet
  95. 25,465,587 - Pentesting SMTP/s
    1. SMTP Smuggling
    2. SMTP - Commands
  97. 43 - Pentesting WHOIS
  98. 49 - Pentesting TACACS+
  99. 53 - Pentesting DNS
  100. 69/UDP TFTP/Bittorrent-tracker
  101. 79 - Pentesting Finger
  102. 80,443 - Pentesting Web Methodology
    1. 403 & 401 Bypasses
    2. AEM - Adobe Experience Cloud
    3. Angular
    4. Apache
    5. Artifactory Hacking guide
    6. Bolt CMS
    7. Buckets
      1. Firebase Database
    9. CGI
    10. DotNetNuke (DNN)
    11. Drupal
      1. Drupal RCE
    13. Electron Desktop Apps
      1. Electron contextIsolation RCE via preload code
      2. Electron contextIsolation RCE via Electron internal code
      3. Electron contextIsolation RCE via IPC
    15. Flask
    16. NextJS
    17. NodeJS Express
    18. Git
    19. Golang
    20. GWT - Google Web Toolkit
    21. Grafana
    22. GraphQL
    23. H2 - Java SQL database
    24. IIS - Internet Information Services
    25. ImageMagick Security
    26. JBOSS
    27. Jira & Confluence
    28. Joomla
    29. JSP
    30. Laravel
    31. Moodle
    32. Nginx
    33. NextJS
    34. PHP Tricks
      1. PHP - Useful Functions & disable_functions/open_basedir bypass
        1. disable_functions bypass - php-fpm/FastCGI
        2. disable_functions bypass - dl function
        3. disable_functions bypass - PHP 7.0-7.4 (-nix only)
        4. disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
        5. disable_functions - PHP 5.x Shellshock Exploit
        6. disable_functions - PHP 5.2.4 ionCube extension Exploit
        7. disable_functions bypass - PHP <= 5.2.9 on windows
        8. disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
        9. disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
        10. disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
        11. disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
        12. disable_functions bypass - PHP 5.2 - FOpen Exploit
        13. disable_functions bypass - via mem
        14. disable_functions bypass - mod_cgi
        15. disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
      3. PHP - RCE abusing object creation: new $_GET["a"]($_GET["b"])
      4. PHP SSRF
    36. PrestaShop
    37. Python
    38. Rocket Chat
    39. Special HTTP headers$$external:network-services-pentesting/pentesting-web/special-http-headers.md$$
    40. Source code Review / SAST Tools
    41. Spring Actuators
    42. Symfony
    43. Tomcat
    44. Uncovering CloudFlare
    45. VMWare (ESX, VCenter...)
    46. Web API Pentesting
    47. WebDav
    48. Werkzeug / Flask Debug
    49. Wordpress
  104. 88tcp/udp - Pentesting Kerberos
    1. Harvesting tickets from Windows
    2. Harvesting tickets from Linux
  106. 110,995 - Pentesting POP
  107. 111/TCP/UDP - Pentesting Portmapper
  108. 113 - Pentesting Ident
  109. 123/udp - Pentesting NTP
  110. 135, 593 - Pentesting MSRPC
  111. 137,138,139 - Pentesting NetBios
  112. 139,445 - Pentesting SMB
    1. rpcclient enumeration
  114. 143,993 - Pentesting IMAP
  115. 161,162,10161,10162/udp - Pentesting SNMP
    1. Cisco SNMP
    2. SNMP RCE
  117. 194,6667,6660-7000 - Pentesting IRC
  118. 264 - Pentesting Check Point FireWall-1
  119. 389, 636, 3268, 3269 - Pentesting LDAP
  120. 500/udp - Pentesting IPsec/IKE VPN
  121. 502 - Pentesting Modbus
  122. 512 - Pentesting Rexec
  123. 513 - Pentesting Rlogin
  124. 514 - Pentesting Rsh
  125. 515 - Pentesting Line Printer Daemon (LPD)
  126. 548 - Pentesting Apple Filing Protocol (AFP)
  127. 554,8554 - Pentesting RTSP
  128. 623/UDP/TCP - IPMI
  129. 631 - Internet Printing Protocol(IPP)
  130. 700 - Pentesting EPP
  131. 873 - Pentesting Rsync
  132. 1026 - Pentesting Rusersd
  133. 1080 - Pentesting Socks
  134. 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
  135. 1414 - Pentesting IBM MQ
  136. 1433 - Pentesting MSSQL - Microsoft SQL Server
    1. Types of MSSQL Users
  138. 1521,1522-1529 - Pentesting Oracle TNS Listener
  139. 1723 - Pentesting PPTP
  140. 1883 - Pentesting MQTT (Mosquitto)
  141. 2049 - Pentesting NFS Service
  142. 2301,2381 - Pentesting Compaq/HP Insight Manager
  143. 2375, 2376 Pentesting Docker
  144. 3128 - Pentesting Squid
  145. 3260 - Pentesting ISCSI
  146. 3299 - Pentesting SAPRouter
  147. 3306 - Pentesting Mysql
  148. 3389 - Pentesting RDP
  149. 3632 - Pentesting distcc
  150. 3690 - Pentesting Subversion (svn server)
  151. 3702/UDP - Pentesting WS-Discovery
  152. 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
  153. 4786 - Cisco Smart Install
  154. 4840 - OPC Unified Architecture
  155. 5000 - Pentesting Docker Registry
  156. 5353/UDP Multicast DNS (mDNS) and DNS-SD
  157. 5432,5433 - Pentesting Postgresql
  158. 5439 - Pentesting Redshift
  159. 5555 - Android Debug Bridge
  160. 5601 - Pentesting Kibana
  161. 5671,5672 - Pentesting AMQP
  162. 5800,5801,5900,5901 - Pentesting VNC
  163. 5984,6984 - Pentesting CouchDB
  164. 5985,5986 - Pentesting WinRM
  165. 5985,5986 - Pentesting OMI
  166. 6000 - Pentesting X11
  167. 6379 - Pentesting Redis
  168. 8009 - Pentesting Apache JServ Protocol (AJP)
  169. 8086 - Pentesting InfluxDB
  170. 8089 - Pentesting Splunkd
  171. 8333,18333,38333,18444 - Pentesting Bitcoin
  172. 9000 - Pentesting FastCGI
  173. 9001 - Pentesting HSQLDB
  174. 9042/9160 - Pentesting Cassandra
  175. 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
  176. 9200 - Pentesting Elasticsearch
  177. 10000 - Pentesting Network Data Management Protocol (ndmp)
  178. 11211 - Pentesting Memcache
    1. Memcache Commands
  180. 15672 - Pentesting RabbitMQ Management
  181. 24007,24008,24009,49152 - Pentesting GlusterFS
  182. 27017,27018 - Pentesting MongoDB
  183. 44134 - Pentesting Tiller (Helm)
  184. 44818/UDP/TCP - Pentesting EthernetIP
  185. 47808/udp - Pentesting BACNet
  186. 50030,50060,50070,50075,50090 - Pentesting Hadoop
  188. 🕸️ Pentesting Web
  189. Web Vulnerabilities Methodology
  190. Reflecting Techniques - PoCs and Polygloths CheatSheet
    1. Web Vulns List
  192. 2FA/MFA/OTP Bypass
  193. Account Takeover
  194. Browser Extension Pentesting Methodology
    1. BrowExt - ClickJacking
    2. BrowExt - permissions & host_permissions
    3. BrowExt - XSS Example
  196. Bypass Payment Process
  197. Captcha Bypass
  198. Cache Poisoning and Cache Deception
    1. Cache Poisoning via URL discrepancies
    2. Cache Poisoning to DoS
  200. Clickjacking
  201. Client Side Template Injection (CSTI)
  202. Client Side Path Traversal
  203. Command Injection
  204. Content Security Policy (CSP) Bypass
    1. CSP bypass: self + 'unsafe-inline' with Iframes
  206. Cookies Hacking
    1. Cookie Tossing
    2. Cookie Jar Overflow
    3. Cookie Bomb
  208. CORS - Misconfigurations & Bypass
  209. CRLF (%0D%0A) Injection
  210. CSRF (Cross Site Request Forgery)
  211. Dangling Markup - HTML scriptless injection
    1. SS-Leaks
  213. DApps - Decentralized Applications
  214. Dependency Confusion
  215. Deserialization
    1. NodeJS - __proto__ & prototype Pollution
      1. Client Side Prototype Pollution
      2. Express Prototype Pollution Gadgets
      3. Prototype Pollution to RCE
    3. Java JSF ViewState (.faces) Deserialization
    4. Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
    5. Basic Java Deserialization (ObjectInputStream, readObject)
    6. PHP - Deserialization + Autoload Classes
    7. CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
    8. Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
    9. Exploiting __VIEWSTATE knowing the secrets
    10. Exploiting __VIEWSTATE without knowing the secrets
    11. Python Yaml Deserialization
    12. JNDI - Java Naming and Directory Interface & Log4Shell
    13. Ruby Class Pollution
  217. Domain/Subdomain takeover
  218. Email Injections
  219. File Inclusion/Path traversal
    1. phar:// deserialization
    2. LFI2RCE via PHP Filters
    3. LFI2RCE via Nginx temp files
    4. LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
    5. LFI2RCE via Segmentation Fault
    6. LFI2RCE via phpinfo()
    7. LFI2RCE Via temp file uploads
    8. LFI2RCE via Eternal waiting
    9. LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure
  221. File Upload
    1. PDF Upload - XXE and CORS bypass
  223. Formula/CSV/Doc/LaTeX/GhostScript Injection
  224. gRPC-Web Pentest
  225. HTTP Connection Contamination
  226. HTTP Connection Request Smuggling
  227. HTTP Request Smuggling / HTTP Desync Attack
    1. Browser HTTP Request Smuggling
    2. Request Smuggling in HTTP/2 Downgrades
  229. HTTP Response Smuggling / Desync
  230. Upgrade Header Smuggling
  231. hop-by-hop headers
  232. IDOR
  233. JWT Vulnerabilities (Json Web Tokens)
  234. LDAP Injection
  235. Login Bypass
    1. Login bypass List
  237. NoSQL injection
  238. OAuth to Account takeover
  239. Open Redirect
  240. ORM Injection
  241. Parameter Pollution | JSON Injection
  242. Phone Number Injections
  243. PostMessage Vulnerabilities
    1. Blocking main page to steal postmessage
    2. Bypassing SOP with Iframes - 1
    3. Bypassing SOP with Iframes - 2
    4. Steal postmessage modifying iframe location
  245. Proxy / WAF Protections Bypass
  246. Race Condition
  247. Rate Limit Bypass
  248. Registration & Takeover Vulnerabilities
  249. Regular expression Denial of Service - ReDoS
  250. Reset/Forgotten Password Bypass
  251. Reverse Tab Nabbing
  252. RSQL Injection
  253. SAML Attacks
    1. SAML Basics
  255. Server Side Inclusion/Edge Side Inclusion Injection
  256. SQL Injection
    1. MS Access SQL Injection
    2. MSSQL Injection
    3. MySQL injection
      1. MySQL File priv to SSRF/RCE
    5. Oracle injection
    6. Cypher Injection (neo4j)
    7. PostgreSQL injection
      1. dblink/lo_import data exfiltration
      2. PL/pgSQL Password Bruteforce
      3. Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
      4. Big Binary Files Upload (PostgreSQL)
      5. RCE with PostgreSQL Languages
      6. RCE with PostgreSQL Extensions
    9. SQLMap - CheatSheet
      1. Second Order Injection - SQLMap
  258. SSRF (Server Side Request Forgery)
    1. URL Format Bypass
    2. SSRF Vulnerable Platforms
    3. Cloud SSRF
  260. SSTI (Server Side Template Injection)
    1. EL - Expression Language
    2. Jinja2 SSTI
  262. Timing Attacks
  263. Unicode Injection
    1. Unicode Normalization
  265. UUID Insecurities
  266. WebSocket Attacks
  267. Web Tool - WFuzz
  268. XPATH injection
  269. XSLT Server Side Injection (Extensible Stylesheet Language Transformations)
  270. XXE - XEE - XML External Entity
  271. XSS (Cross Site Scripting)
    1. Abusing Service Workers
    2. Chrome Cache to XSS
    3. Debugging Client Side JS
    4. Dom Clobbering
    5. DOM Invader
    6. DOM XSS
    7. Iframes in XSS, CSP and SOP
    8. Integer Overflow
    9. JS Hoisting
    10. Misc JS Tricks & Relevant Info
    11. PDF Injection
    12. Server Side XSS (Dynamic PDF)
    13. Shadow DOM
    14. SOME - Same Origin Method Execution
    15. Sniff Leak
    16. Steal Info JS
    17. XSS in Markdown
  273. XSSI (Cross-Site Script Inclusion)
  274. XS-Search/XS-Leaks
    1. Connection Pool Examples
    2. Connection Pool by Destination Example
    3. Cookie Bomb + Onerror XS Leak
    4. URL Max Length - Client Side
    5. performance.now example
    6. performance.now + Force heavy task
    7. Event Loop Blocking + Lazy images
    8. JavaScript Execution XS Leak
    9. CSS Injection
      1. CSS Injection Code
  276. Iframe Traps
  278. ⛈️ Cloud Security
  279. Pentesting Kubernetes$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/index.html$$
  280. Pentesting Cloud (AWS, GCP, Az...)$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/pentesting-cloud-methodology.html$$
  281. Pentesting CI/CD (Github, Jenkins, Terraform...)$$external:https://cloud.hacktricks.wiki/en/pentesting-ci-cd/pentesting-ci-cd-methodology.html$$
  283. 😎 Hardware/Physical Access
  284. Physical Attacks
  285. Escaping from KIOSKs
  286. Firmware Analysis
    1. Bootloader testing
    2. Firmware Integrity
  289. 🎯 Binary Exploitation
  290. Basic Stack Binary Exploitation Methodology
    1. ELF Basic Information
    2. Exploiting Tools
      1. PwnTools
  292. Stack Overflow
    1. Pointer Redirecting
    2. Ret2win
      1. Ret2win - arm64
    4. Stack Shellcode
      1. Stack Shellcode - arm64
    6. Stack Pivoting - EBP2Ret - EBP chaining
    7. Uninitialized Variables
  294. ROP - Return Oriented Programing
    1. BROP - Blind Return Oriented Programming
    2. Ret2csu
    3. Ret2dlresolve
    4. Ret2esp / Ret2reg
    5. Ret2lib
      1. Leaking libc address with ROP
        1. Leaking libc - template
      3. One Gadget
      4. Ret2lib + Printf leak - arm64
    7. Ret2syscall
      1. Ret2syscall - ARM64
    9. Ret2vDSO
    10. SROP - Sigreturn-Oriented Programming
      1. SROP - ARM64
  296. Array Indexing
  297. Integer Overflow
  298. Format Strings
    1. Format Strings - Arbitrary Read Example
    2. Format Strings Template
  300. Libc Heap
    1. Bins & Memory Allocations
    2. Heap Memory Functions
      1. free
      2. malloc & sysmalloc
      3. unlink
      4. Heap Functions Security Checks
    4. Use After Free
      1. First Fit
    6. Double Free
    7. Overwriting a freed chunk
    8. Heap Overflow
    9. Unlink Attack
    10. Fast Bin Attack
    11. Unsorted Bin Attack
    12. Large Bin Attack
    13. Tcache Bin Attack
    14. Off by one overflow
    15. House of Spirit
    16. House of Lore | Small bin Attack
    17. House of Einherjar
    18. House of Force
    19. House of Orange
    20. House of Rabbit
    21. House of Roman
  302. Common Binary Exploitation Protections & Bypasses
    1. ASLR
      1. Ret2plt
      2. Ret2ret & Reo2pop
    3. CET & Shadow Stack
    4. Libc Protections
    5. Memory Tagging Extension (MTE)
    6. No-exec / NX
    7. PIE
      1. BF Addresses in the Stack
    9. Relro
    10. Stack Canaries
      1. BF Forked & Threaded Stack Canaries
      2. Print Stack Canary
  304. Write What Where 2 Exec
    1. WWW2Exec - atexit()
    2. WWW2Exec - .dtors & .fini_array
    3. WWW2Exec - GOT/PLT
    4. WWW2Exec - __malloc_hook & __free_hook
  306. Common Exploiting Problems
  307. Windows Exploiting (Basic Guide - OSCP lvl)
  308. iOS Exploiting
  310. 🔩 Reversing
  311. Reversing Tools & Basic Methods
    1. Angr
      1. Angr - Examples
    3. Z3 - Satisfiability Modulo Theories (SMT)
    4. Cheat Engine
    5. Blobrunner
  313. Common API used in Malware
  314. Word Macros
  316. 🔮 Crypto & Stego
  317. Cryptographic/Compression Algorithms
    1. Unpacking binaries
  319. Certificates
  320. Cipher Block Chaining CBC-MAC
  321. Crypto CTFs Tricks
  322. Electronic Code Book (ECB)
  323. Hash Length Extension Attack
  324. Padding Oracle
  325. RC4 - Encrypt&Decrypt
  326. Stego Tricks
  327. Esoteric languages
  328. Blockchain & Crypto Currencies
  330. ✍️ TODO
  331. Other Big References
  332. Rust Basics
  333. More Tools
  334. MISC
  335. Pentesting DNS
  336. Hardware Hacking
    1. I2C
    2. UART
    3. Radio
    4. JTAG
    5. SPI
  338. Industrial Control Systems Hacking
    1. Modbus Protocol
  340. Radio Hacking
    1. Pentesting RFID
    2. Infrared
    3. Sub-GHz RF
    4. iButton
    5. Flipper Zero
      1. FZ - NFC
      2. FZ - Sub-GHz
      3. FZ - Infrared
      4. FZ - iButton
      5. FZ - 125kHz RFID
    7. Proxmark 3
    8. FISSURE - The RF Framework
    9. Low-Power Wide Area Network
    10. Pentesting BLE - Bluetooth Low Energy
  342. Test LLMs
  343. LLM Training
    1. 0. Basic LLM Concepts
    2. 1. Tokenizing
    3. 2. Data Sampling
    4. 3. Token Embeddings
    5. 4. Attention Mechanisms
    6. 5. LLM Architecture
    7. 6. Pre-training & Loading models
    8. 7.0. LoRA Improvements in fine-tuning
    9. 7.1. Fine-Tuning for Classification
    10. 7.2. Fine-Tuning to follow instructions
  345. Burp Suite
  346. Other Web Tricks
  347. Interesting HTTP$$external:todo/interesting-http.md$$
  348. Android Forensics
  349. TR-069
  350. 6881/udp - Pentesting BitTorrent
  351. Online Platforms with API
  352. Stealing Sensitive Information Disclosure from a Web
  353. Post Exploitation
  354. Investment Terms
  355. Cookies Policy