hacktricks
  • 👾Welcome!
    • HackTricks
  • 🤩Generic Methodologies & Resources
    • Pentesting Methodology
    • External Recon Methodology
      • Wide Source Code Search
      • Github Dorks & Leaks
    • Pentesting Network
      • DHCPv6
      • EIGRP Attacks
      • GLBP & HSRP Attacks
      • IDS and IPS Evasion
      • Lateral VLAN Segmentation Bypass
      • Network Protocols Explained (ESP)
      • Nmap Summary (ESP)
      • Pentesting IPv6
      • Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
      • Spoofing SSDP and UPnP Devices with EvilSSDP
    • Pentesting Wifi
      • Evil Twin EAP-TLS
    • Phishing Methodology
      • Clone a Website
      • Detecting Phishing
      • Phishing Files & Documents
    • Basic Forensic Methodology
      • Baseline Monitoring
      • Anti-Forensic Techniques
      • Docker Forensics
      • Image Acquisition & Mount
      • Linux Forensics
      • Malware Analysis
      • Memory dump analysis
        • Volatility - CheatSheet
      • Partitions/File Systems/Carving
        • File/Data Carving & Recovery Tools
      • Pcap Inspection
        • DNSCat pcap analysis
        • Suricata & Iptables cheatsheet
        • USB Keystrokes
        • Wifi Pcap Analysis
        • Wireshark tricks
      • Specific Software/File-Type Tricks
        • Decompile compiled python binaries (exe, elf) - Retreive from .pyc
        • Browser Artifacts
        • Deofuscation vbs (cscript.exe)
        • Local Cloud Storage
        • Office file analysis
        • PDF File analysis
        • PNG tricks
        • Video and Audio file analysis
        • ZIPs tricks
      • Windows Artifacts
        • Interesting Windows Registry Keys
    • Brute Force - CheatSheet
    • Python Sandbox Escape & Pyscript
      • Bypass Python sandboxes
        • LOAD_NAME / LOAD_CONST opcode OOB Read
      • Class Pollution (Python's Prototype Pollution)
      • Python Internal Read Gadgets
      • Pyscript
      • venv
      • Web Requests
      • Bruteforce hash (few chars)
      • Basic Python
    • Exfiltration
    • Tunneling and Port Forwarding
    • Threat Modeling
    • Search Exploits
    • Shells (Linux, Windows, MSFVenom)
      • MSFVenom - CheatSheet
      • Shells - Windows
      • Shells - Linux
      • Full TTYs
  • 🐧Linux Hardening
    • Checklist - Linux Privilege Escalation
    • Linux Privilege Escalation
      • Arbitrary File Write to Root
      • Cisco - vmanage
      • Containerd (ctr) Privilege Escalation
      • D-Bus Enumeration & Command Injection Privilege Escalation
      • Docker Security
        • Abusing Docker Socket for Privilege Escalation
        • AppArmor
        • AuthZ& AuthN - Docker Access Authorization Plugin
        • CGroups
        • Docker --privileged
        • Docker Breakout / Privilege Escalation
          • release_agent exploit - Relative Paths to PIDs
          • Docker release_agent cgroups escape
          • Sensitive Mounts
        • Namespaces
          • CGroup Namespace
          • IPC Namespace
          • PID Namespace
          • Mount Namespace
          • Network Namespace
          • Time Namespace
          • User Namespace
          • UTS Namespace
        • Seccomp
        • Weaponizing Distroless
      • Escaping from Jails
      • euid, ruid, suid
      • Interesting Groups - Linux Privesc
        • lxd/lxc Group - Privilege escalation
      • Logstash
      • ld.so privesc exploit example
      • Linux Active Directory
      • Linux Capabilities
      • NFS no_root_squash/no_all_squash misconfiguration PE
      • Node inspector/CEF debug abuse
      • Payloads to execute
      • RunC Privilege Escalation
      • SELinux
      • Socket Command Injection
      • Splunk LPE and Persistence
      • SSH Forward Agent exploitation
      • Wildcards Spare tricks
    • Useful Linux Commands
    • Bypass Linux Restrictions
      • Bypass FS protections: read-only / no-exec / Distroless
        • DDexec / EverythingExec
    • Linux Environment Variables
    • Linux Post-Exploitation
      • PAM - Pluggable Authentication Modules
    • FreeIPA Pentesting
  • 🍏MacOS Hardening
    • macOS Security & Privilege Escalation
      • macOS Apps - Inspecting, debugging and Fuzzing
        • Introduction to x64
        • Introduction to ARM64v8
      • macOS AppleFS
      • macOS Bypassing Firewalls
      • macOS Defensive Apps
      • macOS GCD - Grand Central Dispatch
      • macOS Kernel & System Extensions
        • macOS IOKit
        • macOS Kernel Extensions
        • macOS Kernel Vulnerabilities
        • macOS System Extensions
      • macOS Network Services & Protocols
      • macOS File Extension & URL scheme app handlers
      • macOS Files, Folders, Binaries & Memory
        • macOS Bundles
        • macOS Installers Abuse
        • macOS Memory Dumping
        • macOS Sensitive Locations & Interesting Daemons
        • macOS Universal binaries & Mach-O Format
      • macOS Objective-C
      • macOS Privilege Escalation
      • macOS Process Abuse
        • macOS Dirty NIB
        • macOS Chromium Injection
        • macOS Electron Applications Injection
        • macOS Function Hooking
        • macOS IPC - Inter Process Communication
          • macOS MIG - Mach Interface Generator
          • macOS XPC
            • macOS XPC Authorization
            • macOS XPC Connecting Process Check
              • macOS PID Reuse
              • macOS xpc_connection_get_audit_token Attack
          • macOS Thread Injection via Task port
        • macOS Java Applications Injection
        • macOS Library Injection
          • macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
          • macOS Dyld Process
        • macOS Perl Applications Injection
        • macOS Python Applications Injection
        • macOS Ruby Applications Injection
        • macOS .Net Applications Injection
      • macOS Security Protections
        • macOS Gatekeeper / Quarantine / XProtect
        • macOS Launch/Environment Constraints & Trust Cache
        • macOS Sandbox
          • macOS Default Sandbox Debug
          • macOS Sandbox Debug & Bypass
            • macOS Office Sandbox Bypasses
        • macOS SIP
        • macOS TCC
          • macOS Apple Events
          • macOS TCC Bypasses
            • macOS Apple Scripts
          • macOS TCC Payloads
        • macOS Dangerous Entitlements & TCC perms
        • macOS FS Tricks
          • macOS xattr-acls extra stuff
      • macOS Users
    • macOS Red Teaming
      • macOS MDM
        • Enrolling Devices in Other Organisations
        • macOS Serial Number
      • macOS Keychain
    • macOS Useful Commands
    • macOS Auto Start
  • 🪟Windows Hardening
    • Checklist - Local Windows Privilege Escalation
    • Windows Local Privilege Escalation
      • Abusing Tokens
      • Access Tokens
      • ACLs - DACLs/SACLs/ACEs
      • AppendData/AddSubdirectory permission over service registry
      • Create MSI with WIX
      • COM Hijacking
      • Dll Hijacking
        • Writable Sys Path +Dll Hijacking Privesc
      • DPAPI - Extracting Passwords
      • From High Integrity to SYSTEM with Name Pipes
      • Integrity Levels
      • JuicyPotato
      • Leaked Handle Exploitation
      • MSI Wrapper
      • Named Pipe Client Impersonation
      • Privilege Escalation with Autoruns
      • RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
      • SeDebug + SeImpersonate copy token
      • SeImpersonate from High To System
      • Windows C Payloads
    • Active Directory Methodology
      • Abusing Active Directory ACLs/ACEs
        • Shadow Credentials
      • AD Certificates
        • AD CS Account Persistence
        • AD CS Domain Escalation
        • AD CS Domain Persistence
        • AD CS Certificate Theft
      • AD information in printers
      • AD DNS Records
      • ASREPRoast
      • BloodHound & Other AD Enum Tools
      • Constrained Delegation
      • Custom SSP
      • DCShadow
      • DCSync
      • Diamond Ticket
      • DSRM Credentials
      • External Forest Domain - OneWay (Inbound) or bidirectional
      • External Forest Domain - One-Way (Outbound)
      • Golden Ticket
      • Kerberoast
      • Kerberos Authentication
      • Kerberos Double Hop Problem
      • LAPS
      • MSSQL AD Abuse
      • Over Pass the Hash/Pass the Key
      • Pass the Ticket
      • Password Spraying / Brute Force
      • PrintNightmare
      • Force NTLM Privileged Authentication
      • Privileged Groups
      • RDP Sessions Abuse
      • Resource-based Constrained Delegation
      • Security Descriptors
      • SID-History Injection
      • Silver Ticket
      • Skeleton Key
      • Unconstrained Delegation
    • Windows Security Controls
      • UAC - User Account Control
    • NTLM
      • Places to steal NTLM creds
    • Lateral Movement
      • AtExec / SchtasksExec
      • DCOM Exec
      • PsExec/Winexec/ScExec
      • SmbExec/ScExec
      • WinRM
      • WmicExec
    • Pivoting to the Cloud
    • Stealing Windows Credentials
      • Windows Credentials Protections
      • Mimikatz
      • WTS Impersonator
    • Basic Win CMD for Pentesters
    • Basic PowerShell for Pentesters
      • PowerView/SharpView
    • Antivirus (AV) Bypass
  • 📱Mobile Pentesting
    • Android APK Checklist
    • Android Applications Pentesting
      • Android Applications Basics
      • Android Task Hijacking
      • ADB Commands
      • APK decompilers
      • AVD - Android Virtual Device
      • Bypass Biometric Authentication (Android)
      • content:// protocol
      • Drozer Tutorial
        • Exploiting Content Providers
      • Exploiting a debuggeable application
      • Frida Tutorial
        • Frida Tutorial 1
        • Frida Tutorial 2
        • Frida Tutorial 3
        • Objection Tutorial
      • Google CTF 2018 - Shall We Play a Game?
      • Install Burp Certificate
      • Intent Injection
      • Make APK Accept CA Certificate
      • Manual DeObfuscation
      • React Native Application
      • Reversing Native Libraries
      • Smali - Decompiling/[Modifying]/Compiling
      • Spoofing your location in Play Store
      • Tapjacking
      • Webview Attacks
    • iOS Pentesting Checklist
    • iOS Pentesting
      • iOS App Extensions
      • iOS Basics
      • iOS Basic Testing Operations
      • iOS Burp Suite Configuration
      • iOS Custom URI Handlers / Deeplinks / Custom Schemes
      • iOS Extracting Entitlements From Compiled Application
      • iOS Frida Configuration
      • iOS Hooking With Objection
      • iOS Protocol Handlers
      • iOS Serialisation and Encoding
      • iOS Testing Environment
      • iOS UIActivity Sharing
      • iOS Universal Links
      • iOS UIPasteboard
      • iOS WebViews
    • Cordova Apps
    • Xamarin Apps
  • 👽Network Services Pentesting
    • Pentesting JDWP - Java Debug Wire Protocol
    • Pentesting Printers
    • Pentesting SAP
    • Pentesting VoIP
      • Basic VoIP Protocols
        • SIP (Session Initiation Protocol)
    • Pentesting Remote GdbServer
    • 7/tcp/udp - Pentesting Echo
    • 21 - Pentesting FTP
      • FTP Bounce attack - Scan
      • FTP Bounce - Download 2ºFTP file
    • 22 - Pentesting SSH/SFTP
    • 23 - Pentesting Telnet
    • 25,465,587 - Pentesting SMTP/s
      • SMTP Smuggling
      • SMTP - Commands
    • 43 - Pentesting WHOIS
    • 49 - Pentesting TACACS+
    • 53 - Pentesting DNS
    • 69/UDP TFTP/Bittorrent-tracker
    • 79 - Pentesting Finger
    • 80,443 - Pentesting Web Methodology
      • 403 & 401 Bypasses
      • AEM - Adobe Experience Cloud
      • Angular
      • Apache
      • Artifactory Hacking guide
      • Bolt CMS
      • Buckets
        • Firebase Database
      • CGI
      • DotNetNuke (DNN)
      • Drupal
      • Electron Desktop Apps
        • Electron contextIsolation RCE via preload code
        • Electron contextIsolation RCE via Electron internal code
        • Electron contextIsolation RCE via IPC
      • Flask
      • NodeJS Express
      • Git
      • Golang
      • GWT - Google Web Toolkit
      • Grafana
      • GraphQL
      • H2 - Java SQL database
      • IIS - Internet Information Services
      • ImageMagick Security
      • JBOSS
      • JIRA
      • Joomla
      • JSP
      • Laravel
      • Moodle
      • Nginx
      • PHP Tricks
        • PHP - Useful Functions & disable_functions/open_basedir bypass
          • disable_functions bypass - php-fpm/FastCGI
          • disable_functions bypass - dl function
          • disable_functions bypass - PHP 7.0-7.4 (*nix only)
          • disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
          • disable_functions - PHP 5.x Shellshock Exploit
          • disable_functions - PHP 5.2.4 ionCube extension Exploit
          • disable_functions bypass - PHP <= 5.2.9 on windows
          • disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
          • disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
          • disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
          • disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
          • disable_functions bypass - PHP 5.2 - FOpen Exploit
          • disable_functions bypass - via mem
          • disable_functions bypass - mod_cgi
          • disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
        • PHP - RCE abusing object creation: new $_GET["a"]($_GET["b"])
        • PHP SSRF
      • Python
      • Rocket Chat
      • Special HTTP headers
      • Source code Review / SAST Tools
      • Spring Actuators
      • Symfony
      • Tomcat
        • Basic Tomcat Info
      • Uncovering CloudFlare
      • VMWare (ESX, VCenter...)
      • WAF Bypass
      • Web API Pentesting
      • WebDav
      • Werkzeug / Flask Debug
      • Wordpress
    • 88tcp/udp - Pentesting Kerberos
      • Harvesting tickets from Windows
      • Harvesting tickets from Linux
    • 110,995 - Pentesting POP
    • 111/TCP/UDP - Pentesting Portmapper
    • 113 - Pentesting Ident
    • 123/udp - Pentesting NTP
    • 135, 593 - Pentesting MSRPC
    • 137,138,139 - Pentesting NetBios
    • 139,445 - Pentesting SMB
      • rpcclient enumeration
    • 143,993 - Pentesting IMAP
    • 161,162,10161,10162/udp - Pentesting SNMP
      • Cisco SNMP
      • SNMP RCE
    • 194,6667,6660-7000 - Pentesting IRC
    • 264 - Pentesting Check Point FireWall-1
    • 389, 636, 3268, 3269 - Pentesting LDAP
    • 500/udp - Pentesting IPsec/IKE VPN
    • 502 - Pentesting Modbus
    • 512 - Pentesting Rexec
    • 513 - Pentesting Rlogin
    • 514 - Pentesting Rsh
    • 515 - Pentesting Line Printer Daemon (LPD)
    • 548 - Pentesting Apple Filing Protocol (AFP)
    • 554,8554 - Pentesting RTSP
    • 623/UDP/TCP - IPMI
    • 631 - Internet Printing Protocol(IPP)
    • 700 - Pentesting EPP
    • 873 - Pentesting Rsync
    • 1026 - Pentesting Rusersd
    • 1080 - Pentesting Socks
    • 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
    • 1414 - Pentesting IBM MQ
    • 1433 - Pentesting MSSQL - Microsoft SQL Server
      • Types of MSSQL Users
    • 1521,1522-1529 - Pentesting Oracle TNS Listener
    • 1723 - Pentesting PPTP
    • 1883 - Pentesting MQTT (Mosquitto)
    • 2049 - Pentesting NFS Service
    • 2301,2381 - Pentesting Compaq/HP Insight Manager
    • 2375, 2376 Pentesting Docker
    • 3128 - Pentesting Squid
    • 3260 - Pentesting ISCSI
    • 3299 - Pentesting SAPRouter
    • 3306 - Pentesting Mysql
    • 3389 - Pentesting RDP
    • 3632 - Pentesting distcc
    • 3690 - Pentesting Subversion (svn server)
    • 3702/UDP - Pentesting WS-Discovery
    • 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
    • 4786 - Cisco Smart Install
    • 4840 - OPC Unified Architecture
    • 5000 - Pentesting Docker Registry
    • 5353/UDP Multicast DNS (mDNS) and DNS-SD
    • 5432,5433 - Pentesting Postgresql
    • 5439 - Pentesting Redshift
    • 5555 - Android Debug Bridge
    • 5601 - Pentesting Kibana
    • 5671,5672 - Pentesting AMQP
    • 5800,5801,5900,5901 - Pentesting VNC
    • 5984,6984 - Pentesting CouchDB
    • 5985,5986 - Pentesting WinRM
    • 5985,5986 - Pentesting OMI
    • 6000 - Pentesting X11
    • 6379 - Pentesting Redis
    • 8009 - Pentesting Apache JServ Protocol (AJP)
    • 8086 - Pentesting InfluxDB
    • 8089 - Pentesting Splunkd
    • 8333,18333,38333,18444 - Pentesting Bitcoin
    • 9000 - Pentesting FastCGI
    • 9001 - Pentesting HSQLDB
    • 9042/9160 - Pentesting Cassandra
    • 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
    • 9200 - Pentesting Elasticsearch
    • 10000 - Pentesting Network Data Management Protocol (ndmp)
    • 11211 - Pentesting Memcache
      • Memcache Commands
    • 15672 - Pentesting RabbitMQ Management
    • 24007,24008,24009,49152 - Pentesting GlusterFS
    • 27017,27018 - Pentesting MongoDB
    • 44134 - Pentesting Tiller (Helm)
    • 44818/UDP/TCP - Pentesting EthernetIP
    • 47808/udp - Pentesting BACNet
    • 50030,50060,50070,50075,50090 - Pentesting Hadoop
  • 🕸️Pentesting Web
    • Web Vulnerabilities Methodology
    • Reflecting Techniques - PoCs and Polygloths CheatSheet
      • Web Vulns List
    • 2FA/OTP Bypass
    • Account Takeover
    • Browser Extension Pentesting Methodology
      • BrowExt - ClickJacking
      • BrowExt - permissions & host_permissions
      • BrowExt - XSS Example
    • Bypass Payment Process
    • Captcha Bypass
    • Cache Poisoning and Cache Deception
      • Cache Poisoning to DoS
    • Clickjacking
    • Client Side Template Injection (CSTI)
    • Client Side Path Traversal
    • Command Injection
    • Content Security Policy (CSP) Bypass
      • CSP bypass: self + 'unsafe-inline' with Iframes
    • Cookies Hacking
      • Cookie Tossing
      • Cookie Jar Overflow
      • Cookie Bomb
    • CORS - Misconfigurations & Bypass
    • CRLF (%0D%0A) Injection
    • CSRF (Cross Site Request Forgery)
    • Dangling Markup - HTML scriptless injection
      • SS-Leaks
    • Dependency Confusion
    • Deserialization
      • NodeJS - __proto__ & prototype Pollution
        • Client Side Prototype Pollution
        • Express Prototype Pollution Gadgets
        • Prototype Pollution to RCE
      • Java JSF ViewState (.faces) Deserialization
      • Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
      • Basic Java Deserialization (ObjectInputStream, readObject)
      • PHP - Deserialization + Autoload Classes
      • CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
      • Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
      • Exploiting __VIEWSTATE knowing the secrets
      • Exploiting __VIEWSTATE without knowing the secrets
      • Python Yaml Deserialization
      • JNDI - Java Naming and Directory Interface & Log4Shell
    • Domain/Subdomain takeover
    • Email Injections
    • File Inclusion/Path traversal
      • phar:// deserialization
      • LFI2RCE via PHP Filters
      • LFI2RCE via Nginx temp files
      • LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
      • LFI2RCE via Segmentation Fault
      • LFI2RCE via phpinfo()
      • LFI2RCE Via temp file uploads
      • LFI2RCE via Eternal waiting
      • LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure
    • File Upload
      • PDF Upload - XXE and CORS bypass
    • Formula/CSV/Doc/LaTeX/GhostScript Injection
    • gRPC-Web Pentest
    • HTTP Connection Contamination
    • HTTP Connection Request Smuggling
    • HTTP Request Smuggling / HTTP Desync Attack
      • Browser HTTP Request Smuggling
      • Request Smuggling in HTTP/2 Downgrades
    • HTTP Response Smuggling / Desync
    • Upgrade Header Smuggling
    • hop-by-hop headers
    • IDOR
    • Integer Overflow
    • JWT Vulnerabilities (Json Web Tokens)
    • LDAP Injection
    • Login Bypass
      • Login bypass List
    • NoSQL injection
    • OAuth to Account takeover
    • Open Redirect
    • Parameter Pollution
    • Phone Number Injections
    • PostMessage Vulnerabilities
      • Blocking main page to steal postmessage
      • Bypassing SOP with Iframes - 1
      • Bypassing SOP with Iframes - 2
      • Steal postmessage modifying iframe location
    • Proxy / WAF Protections Bypass
    • Race Condition
    • Rate Limit Bypass
    • Registration & Takeover Vulnerabilities
    • Regular expression Denial of Service - ReDoS
    • Reset/Forgotten Password Bypass
    • SAML Attacks
      • SAML Basics
    • Server Side Inclusion/Edge Side Inclusion Injection
    • SQL Injection
      • MS Access SQL Injection
      • MSSQL Injection
      • MySQL injection
        • MySQL File priv to SSRF/RCE
      • Oracle injection
      • Cypher Injection (neo4j)
      • PostgreSQL injection
        • dblink/lo_import data exfiltration
        • PL/pgSQL Password Bruteforce
        • Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
        • Big Binary Files Upload (PostgreSQL)
        • RCE with PostgreSQL Languages
        • RCE with PostgreSQL Extensions
      • SQLMap - Cheetsheat
        • Second Order Injection - SQLMap
    • SSRF (Server Side Request Forgery)
      • URL Format Bypass
      • SSRF Vulnerable Platforms
      • Cloud SSRF
    • SSTI (Server Side Template Injection)
      • EL - Expression Language
      • Jinja2 SSTI
    • Reverse Tab Nabbing
    • Unicode Injection
      • Unicode Normalization
    • WebSocket Attacks
    • Web Tool - WFuzz
    • XPATH injection
    • XSLT Server Side Injection (Extensible Stylesheet Language Transformations)
    • XXE - XEE - XML External Entity
    • XSS (Cross Site Scripting)
      • Abusing Service Workers
      • Chrome Cache to XSS
      • Debugging Client Side JS
      • Dom Clobbering
      • DOM Invader
      • DOM XSS
      • Iframes in XSS, CSP and SOP
      • JS Hoisting
      • Misc JS Tricks & Relevant Info
      • PDF Injection
      • Server Side XSS (Dynamic PDF)
      • Shadow DOM
      • SOME - Same Origin Method Execution
      • Sniff Leak
      • Steal Info JS
      • XSS in Markdown
    • XSSI (Cross-Site Script Inclusion)
    • XS-Search/XS-Leaks
      • Connection Pool Examples
      • Connection Pool by Destination Example
      • Cookie Bomb + Onerror XS Leak
      • URL Max Length - Client Side
      • performance.now example
      • performance.now + Force heavy task
      • Event Loop Blocking + Lazy images
      • JavaScript Execution XS Leak
      • CSS Injection
        • CSS Injection Code
  • ⛈️Cloud Security
    • Pentesting Kubernetes
    • Pentesting Cloud (AWS, GCP, Az...)
    • Pentesting CI/CD (Github, Jenkins, Terraform...)
  • 😎Hardware/Physical Access
    • Physical Attacks
    • Escaping from KIOSKs
    • Firmware Analysis
      • Bootloader testing
      • Firmware Integrity
  • 🎯Binary Exploitation
    • Basic Binary Exploitation Methodology
      • ELF Basic Information
      • Exploiting Tools
        • PwnTools
    • Stack Overflow
      • Pointer Redirecting
      • Ret2win
        • Ret2win - arm64
      • Stack Shellcode
        • Stack Shellcode - arm64
      • Stack Pivoting - EBP2Ret - EBP chaining
      • Uninitialized Variables
    • ROP - Return Oriented Programing
      • BROP - Blind Return Oriented Programming
      • Ret2csu
      • Ret2dlresolve
      • Ret2esp / Ret2reg
      • Ret2lib
        • Leaking libc address with ROP
          • Leaking libc - template
        • One Gadget
        • Ret2lib + Printf leak - arm64
      • Ret2syscall
        • Ret2syscall - ARM64
      • Ret2vDSO
      • SROP - Sigreturn-Oriented Programming
        • SROP - ARM64
    • Array Indexing
    • Integer Overflow
    • Format Strings
      • Format Strings - Arbitrary Read Example
      • Format Strings Template
    • Heap
      • Use After Free
      • Heap Overflow
    • Common Binary Exploitation Protections & Bypasses
      • ASLR
        • Ret2plt
        • Ret2ret & Reo2pop
      • CET & Shadow Stack
      • Libc Protections
      • Memory Tagging Extension (MTE)
      • No-exec / NX
      • PIE
        • BF Addresses in the Stack
      • Relro
      • Stack Canaries
        • BF Forked & Threaded Stack Canaries
        • Print Stack Canary
    • Write What Where 2 Exec
      • WWW2Exec - atexit()
      • WWW2Exec - .dtors & .fini_array
      • WWW2Exec - GOT/PLT
      • WWW2Exec - __malloc_hook
    • Common Exploiting Problems
    • Windows Exploiting (Basic Guide - OSCP lvl)
    • Linux Exploiting (Basic) (SPA)
  • 🔩Reversing
    • Reversing Tools & Basic Methods
      • Angr
        • Angr - Examples
      • Z3 - Satisfiability Modulo Theories (SMT)
      • Cheat Engine
      • Blobrunner
    • Common API used in Malware
    • Word Macros
  • 🔮Crypto & Stego
    • Cryptographic/Compression Algorithms
      • Unpacking binaries
    • Certificates
    • Cipher Block Chaining CBC-MAC
    • Crypto CTFs Tricks
    • Electronic Code Book (ECB)
    • Hash Length Extension Attack
    • Padding Oracle
    • RC4 - Encrypt&Decrypt
    • Stego Tricks
    • Esoteric languages
    • Blockchain & Crypto Currencies
  • 🦂C2
    • Salseo
    • ICMPsh
    • Cobalt Strike
  • ✍️TODO
    • Other Big References
    • Rust Basics
    • More Tools
    • MISC
    • Pentesting DNS
    • Hardware Hacking
      • I2C
      • UART
      • Radio
      • JTAG
      • SPI
    • Radio Hacking
      • Pentesting RFID
      • Infrared
      • Sub-GHz RF
      • iButton
      • Flipper Zero
        • FZ - NFC
        • FZ - Sub-GHz
        • FZ - Infrared
        • FZ - iButton
        • FZ - 125kHz RFID
      • Proxmark 3
      • FISSURE - The RF Framework
      • Low-Power Wide Area Network
      • Pentesting BLE - Bluetooth Low Energy
    • Industrial Control Systems Hacking
    • Burp Suite
    • Other Web Tricks
    • Interesting HTTP
    • Emails Vulnerabilities
    • Android Forensics
    • TR-069
    • 6881/udp - Pentesting BitTorrent
    • Online Platforms with API
    • Stealing Sensitive Information Disclosure from a Web
    • Post Exploitation
    • Cookies Policy
由 GitBook 提供支持
在本页
  • 方法论
  • 生成类似的域名或购买可信任的域名
  • 域名变体技术
  • 位翻转
  • 购买可信任的域名
  • 发现电子邮件
  • 配置GoPhish
  • 安装
  • 配置
  • 配置邮件服务器和域名
  • 等待并保持合法性
  • 配置反向DNS(rDNS)记录
  • 发件人策略框架(SPF)记录
  • 基于域的消息认证、报告和合规性(DMARC)记录
  • DomainKeys Identified Mail (DKIM)
  • 测试您的电子邮件配置分数
  • 从 Spamhouse 黑名单中移除
  • 从 Microsoft 黑名单中移除
  • 创建并启动 GoPhish 攻击活动
  • 发送配置
  • 邮件模板
  • 着陆页面
  • 用户和组
  • 活动
  • 网站克隆
  • 带后门的文档和文件
  • 钓鱼MFA
  • 通过代理MitM
  • 通过VNC
  • 检测检测
  • 评估钓鱼
  • 参考资料
  1. Generic Methodologies & Resources

Phishing Methodology

上一页Evil Twin EAP-TLS下一页Clone a Website

最后更新于1年前

从零开始学习AWS黑客技术,成为专家 !

支持HackTricks的其他方式:

  • 如果您想看到您的公司在HackTricks中做广告或下载PDF格式的HackTricks,请查看!

  • 获取

  • 探索,我们的独家

  • 加入 💬 或 或 关注我们的Twitter 🐦 。

  • 通过向和 github仓库提交PR来分享您的黑客技巧。

方法论

  1. 侦察受害者

  2. 选择受害者域名。

  3. 进行一些基本的网络枚举,搜索受害者使用的登录门户,并决定你将冒充哪一个。

  4. 使用一些OSINT来查找电子邮件。

  5. 准备环境

  6. 购买用于钓鱼评估的域名

  7. 配置与邮件服务相关的记录(SPF、DMARC、DKIM、rDNS)

  8. 使用gophish配置VPS

  9. 准备活动

  10. 准备电子邮件模板

  11. 准备用于窃取凭据的网页

  12. 启动活动!

生成类似的域名或购买可信任的域名

域名变体技术

  • 关键词:域名包含原始域名的重要关键词(例如,zelster.com-management.com)。

  • 连字符子域:将子域的点换成连字符(例如,www-zelster.com)。

  • 新TLD:使用新TLD的相同域名(例如,zelster.org)

  • 同形字符:用看起来相似的字母替换域名中的一个字母(例如,zelfser.com)。

  • 转位:在域名中交换两个字母(例如,zelsetr.com)。

  • 单数/复数形式:在域名末尾添加或删除“s”(例如,zeltsers.com)。

  • 省略:从域名中删除一个字母(例如,zelser.com)。

  • 重复:在域名中重复一个字母(例如,zeltsser.com)。

  • 替换:类似于同形字符,但不那么隐蔽。用另一个字母替换域名中的一个字母,可能是键盘上原始字母附近的字母(例如,zektser.com)。

  • 子域:在域名中引入一个点(例如,ze.lster.com)。

  • 插入:在域名中插入一个字母(例如,zerltser.com)。

  • 缺失点:将TLD附加到域名中。 (例如,zelstercom.com)

自动工具

网站

位翻转

由于各种因素(如太阳耀斑、宇宙射线或硬件错误),存储或通信中的一些位可能会自动翻转。

当这个概念应用于DNS请求时,DNS服务器收到的域名可能与最初请求的域名不同。

例如,在域名“windows.com”中进行单个位修改可能会将其更改为“windnws.com”。

攻击者可能会利用这一点注册多个位翻转域,这些域与受害者的域名相似。他们的目的是将合法用户重定向到自己的基础设施。

购买可信任的域名

发现电子邮件

配置GoPhish

安装

下载并解压缩到/opt/gophish内,并执行/opt/gophish/gophish 您将在输出中获得端口3333上管理员用户的密码。因此,请访问该端口并使用这些凭据更改管理员密码。您可能需要将该端口隧道转发到本地:

ssh -L 3333:127.0.0.1:3333 <user>@<ip>

配置

TLS 证书配置

在这一步之前,您应该已经购买了要使用的域名,并且它必须指向您正在配置gophish的VPS的IP。

DOMAIN="<domain>"
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
sudo apt install snapd
sudo snap install core
sudo snap refresh core
sudo apt-get remove certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
certbot certonly --standalone -d "$DOMAIN"
mkdir /opt/gophish/ssl_keys
cp "/etc/letsencrypt/live/$DOMAIN/privkey.pem" /opt/gophish/ssl_keys/key.pem
cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" /opt/gophish/ssl_keys/key.crt​

邮件配置

开始安装:apt-get install postfix

然后将域添加到以下文件:

  • /etc/postfix/virtual_domains

  • /etc/postfix/transport

  • /etc/postfix/virtual_regexp

还要更改 /etc/postfix/main.cf 中以下变量的值

myhostname = <domain> mydestination = $myhostname, <domain>, localhost.com, localhost

最后修改文件 /etc/hostname 和 /etc/mailname 为您的域名,然后 重新启动您的 VPS。

现在,创建一个指向 VPS 的 DNS A 记录 mail.<domain>,以及一个指向 mail.<domain> 的 DNS MX 记录

现在让我们测试发送电子邮件:

apt install mailutils
echo "This is the body of the email" | mail -s "This is the subject line" test@email.com

Gophish配置

停止gophish的执行,然后进行配置。 将/opt/gophish/config.json修改为以下内容(注意使用https):

{
"admin_server": {
"listen_url": "127.0.0.1:3333",
"use_tls": true,
"cert_path": "gophish_admin.crt",
"key_path": "gophish_admin.key"
},
"phish_server": {
"listen_url": "0.0.0.0:443",
"use_tls": true,
"cert_path": "/opt/gophish/ssl_keys/key.crt",
"key_path": "/opt/gophish/ssl_keys/key.pem"
},
"db_name": "sqlite3",
"db_path": "gophish.db",
"migrations_prefix": "db/db_",
"contact_address": "",
"logging": {
"filename": "",
"level": ""
}
}

配置gophish服务

为了创建gophish服务,使其可以自动启动并作为一个服务进行管理,您可以创建文件/etc/init.d/gophish,内容如下:

#!/bin/bash
# /etc/init.d/gophish
# initialization file for stop/start of gophish application server
#
# chkconfig: - 64 36
# description: stops/starts gophish application server
# processname:gophish
# config:/opt/gophish/config.json
# From https://github.com/gophish/gophish/issues/586

# define script variables

processName=Gophish
process=gophish
appDirectory=/opt/gophish
logfile=/var/log/gophish/gophish.log
errfile=/var/log/gophish/gophish.error

start() {
echo 'Starting '${processName}'...'
cd ${appDirectory}
nohup ./$process >>$logfile 2>>$errfile &
sleep 1
}

stop() {
echo 'Stopping '${processName}'...'
pid=$(/bin/pidof ${process})
kill ${pid}
sleep 1
}

status() {
pid=$(/bin/pidof ${process})
if [["$pid" != ""| "$pid" != "" ]]; then
echo ${processName}' is running...'
else
echo ${processName}' is not running...'
fi
}

case $1 in
start|stop|status) "$1" ;;
esac

完成配置服务并进行检查:

mkdir /var/log/gophish
chmod +x /etc/init.d/gophish
update-rc.d gophish defaults
#Check the service
service gophish start
service gophish status
ss -l | grep "3333\|443"
service gophish stop

配置邮件服务器和域名

等待并保持合法性

域名越老,被识别为垃圾邮件的可能性就越小。因此,在进行钓鱼评估之前,您应该尽可能等待(至少1周)。此外,如果您发布关于声誉良好领域的页面,获得的声誉会更好。

请注意,即使您需要等待一周,您现在也可以完成所有配置。

配置反向DNS(rDNS)记录

设置一个将VPS的IP地址解析为域名的rDNS(PTR)记录。

发件人策略框架(SPF)记录

这是必须设置在域名的TXT记录中的内容:

v=spf1 mx a ip4:ip.ip.ip.ip ?all

基于域的消息认证、报告和合规性(DMARC)记录

您必须创建一个新的DNS TXT记录,将主机名_dmarc.<domain>指向以下内容:

v=DMARC1; p=none

DomainKeys Identified Mail (DKIM)

您需要连接DKIM密钥生成的两个B64值:

v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0wPibdqPtzYk81njjQCrChIcHzxOp8a1wjbsoNtka2X9QXCZs+iXkvw++QsWDtdYu3q0Ofnr0Yd/TmG/Y2bBGoEgeE+YTUG2aEgw8Xx42NLJq2D1pB2lRQPW4IxefROnXu5HfKSm7dyzML1gZ1U0pR5X4IZCH0wOPhIq326QjxJZm79E1nTh3xj" "Y9N/Dt3+fVnIbMupzXE216TdFuifKM6Tl6O/axNsbswMS1TH812euno8xRpsdXJzFlB9q3VbMkVWig4P538mHolGzudEBg563vv66U8D7uuzGYxYT4WS8NVm3QBMg0QKPWZaKp+bADLkOSB9J2nUpk4Aj9KB5swIDAQAB

测试您的电子邮件配置分数

echo "This is the body of the email" | mail -s "This is the subject line" test-iimosa79z@srv1.mail-tester.com

您还可以通过向check-auth@verifier.port25.com发送电子邮件来检查您的电子邮件配置,并阅读响应(为此,您需要打开端口25,并在文件/var/mail/root中查看响应,如果您以root用户发送电子邮件)。 检查您是否通过了所有测试:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham

您还可以发送消息到您控制的 Gmail,并在您的 Gmail 收件箱中检查电子邮件的标头,dkim=pass 应出现在 Authentication-Results 标头字段中。

Authentication-Results: mx.google.com;
spf=pass (google.com: domain of contact@example.com designates --- as permitted sender) smtp.mail=contact@example.com;
dkim=pass header.i=@example.com;

从 Spamhouse 黑名单中移除

从 Microsoft 黑名单中移除

创建并启动 GoPhish 攻击活动

发送配置

  • 设置一个用于识别的名称作为发件人配置

  • 决定从哪个账户发送钓鱼邮件。建议使用:noreply, support, servicedesk, salesforce...

  • 您可以留空用户名和密码,但请确保勾选“忽略证书错误”

建议使用“发送测试邮件”功能测试一切是否正常。 我建议将测试邮件发送到 10min 邮箱地址,以避免在测试中被列入黑名单。

邮件模板

  • 设置一个用于识别的名称作为模板

  • 然后编写一个主题(不要太奇怪,只需是您期望在常规邮件中看到的内容)

  • 确保已勾选“添加跟踪图片”

  • 编写邮件模板(您可以使用变量,如以下示例中所示):

<html>
<head>
<title></title>
</head>
<body>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:&quot;Verdana&quot;,sans-serif;color:black">Dear {{.FirstName}} {{.LastName}},</span></p>
<br />
Note: We require all user to login an a very suspicios page before the end of the week, thanks!<br />
<br />
Regards,</span></p>

WRITE HERE SOME SIGNATURE OF SOMEONE FROM THE COMPANY

<p>{{.Tracker}}</p>
</body>
</html>

注意:为了增加电子邮件的可信度,建议使用客户的某个签名。建议:

  • 发送电子邮件到一个不存在的地址,并检查响应中是否有签名。

  • 搜索像info@ex.com或press@ex.com或public@ex.com这样的公共电子邮件,并发送电子邮件等待响应。

  • 尝试联系一些已发现的有效电子邮件,并等待响应。

着陆页面

  • 编写一个名称

  • 编写网页的HTML代码。请注意,您可以导入网页。

  • 标记捕获提交的数据和捕获密码

  • 设置重定向

通常,您需要修改页面的HTML代码并在本地进行一些测试(可能使用一些Apache服务器)直到您满意为止。然后,将HTML代码写入框中。 请注意,如果您需要为HTML使用一些静态资源(也许是一些CSS和JS页面),您可以将它们保存在_/opt/gophish/static/endpoint_,然后从_static/<filename>_访问它们

用户和组

  • 设置一个名称

  • 导入数据(请注意,为了使用示例模板,您需要每个用户的名字、姓氏和电子邮件地址)

活动

最后,创建一个活动,选择一个名称,电子邮件模板,着陆页面,URL,发送配置文件和组。请注意,URL将是发送给受害者的链接

请注意,发送配置文件允许发送测试电子邮件,以查看最终钓鱼电子邮件的外观:

我建议将测试电子邮件发送到10分钟邮件地址,以避免在测试中被列入黑名单。

一切准备就绪后,启动活动!

网站克隆

如果出于任何原因您想克隆网站,请查看以下页面:

带后门的文档和文件

在一些钓鱼评估中(主要用于红队),您可能还想发送包含某种后门的文件(也许是一个C2,或者可能只是会触发身份验证的东西)。 查看以下页面以获取一些示例:

钓鱼MFA

通过代理MitM

前面的攻击相当聪明,因为您正在伪造一个真实网站并收集用户设置的信息。不幸的是,如果用户没有输入正确的密码,或者如果您伪造的应用程序配置了2FA,这些信息将无法让您冒充被欺骗的用户。

  1. 您冒充真实网页的登录表单。

  2. 用户将其凭据发送到您的伪造页面,工具将这些凭据发送到真实网页,检查凭据是否有效。

  3. 如果帐户配置了2FA,MitM页面将要求输入,一旦用户输入,工具将其发送到真实网页。

  4. 一旦用户经过身份验证,您(作为攻击者)将捕获到凭据、2FA、cookie和工具执行MitM期间的任何交互的任何信息。

通过VNC

检测检测

但是,还有其他方法可以知道受害者是否在野外主动寻找可疑的钓鱼活动,如下所述:

您可以购买一个与受害者域名非常相似的域名,或者为您控制的域名的子域生成一个包含受害者域名关键字的证书。如果受害者与它们进行任何形式的DNS或HTTP交互,您将知道他正在主动寻找可疑的域名,您需要非常隐秘。

评估钓鱼

参考资料

欲了解更多信息,请阅读

您可以在上搜索一个过期的域名来使用。 为了确保您即将购买的过期域名具有良好的SEO,您可以查看它在以下网站中的分类:

(100%免费)

(100%免费)

为了发现更多有效的电子邮件地址或验证已经发现的电子邮件地址,您可以尝试暴力破解受害者的smtp服务器。。 此外,不要忘记,如果用户使用任何网页门户访问他们的邮件,您可以检查该门户是否容易受到用户名暴力破解的攻击,并在可能的情况下利用该漏洞。

您可以从下载。

您必须为新域名配置SPF记录。如果您不知道什么是SPF记录,请。

您可以使用生成您的SPF策略(使用VPS机器的IP)。

您必须为新域配置DMARC记录。如果您不知道什么是DMARC记录。

您必须为新域配置DKIM。如果您不知道什么是DMARC记录。

本教程基于:

您可以使用进行测试 只需访问该页面并向他们提供的地址发送电子邮件:

页面 可以告诉您您的域名是否被 Spamhouse 阻止。您可以在以下网址请求将您的域名/IP 移除:

您可以在 请求将您的域名/IP 移除。

电子邮件模板还允许附加文件进行发送。如果您还想使用一些特别制作的文件/文档来窃取NTLM挑战,请阅读。

对于重定向,您可以将用户重定向到受害者的合法主网页,或将其重定向到_/static/migration.html_,例如,放置一些旋转的轮子()5秒钟,然后指示过程成功。

这就是像、和这样的工具派上用场的地方。这些工具将允许您生成类似MitM的攻击。基本上,攻击的工作方式如下:

如果不是将受害者发送到一个看起来与原始页面相同的恶意页面,而是将其发送到一个连接到真实网页的浏览器的VNC会话,会怎样?您将能够看到他的操作,窃取密码、使用的MFA、cookie... 您可以使用

显然,要知道自己是否被发现是最好的方法之一是在黑名单中搜索您的域名。如果它被列出,那么您的域名以某种方式被检测为可疑。 检查您的域名是否出现在任何黑名单中的一种简单方法是使用

使用来评估您的电子邮件是否会被放入垃圾邮件文件夹,或者是否会被阻止或成功发送。

从零开始学习AWS黑客技术,成为专家 !

支持HackTricks的其他方式:

如果您想在HackTricks中看到您的公司广告或下载PDF版本的HackTricks,请查看!

获取

发现,我们的独家收藏品

加入 💬 或 或在Twitter 🐦 上关注我们。

通过向和 github仓库提交PR来分享您的黑客技巧。

🤩
htARTE(HackTricks AWS Red Team Expert)
订阅计划
官方PEASS & HackTricks周边产品
PEASS家族
NFTs
Discord群
电报群
@hacktricks_live
HackTricks
HackTricks Cloud
dnstwist
urlcrazy
https://dnstwist.it/
https://dnstwister.report/
https://www.internetmarketingninjas.com/tools/free-tools/domain-typo-generator/
https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/
https://www.expireddomains.net/
http://www.fortiguard.com/webfilter
https://urlfiltering.paloaltonetworks.com/query/
https://github.com/laramies/theHarvester
https://phonebook.cz/
https://maildb.io/
https://hunter.io/
https://anymailfinder.com/
https://github.com/gophish/gophish/releases/tag/v0.11.0
https://www.spfwizard.net/
https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
https://www.mail-tester.com/
www.mail-tester.com
https://www.spamhaus.org/lookup/
https://sender.office.com/
此页面
https://loading.io/
Clone a Website
Phishing Files & Documents
evilginx2
CredSniper
muraena
EvilnVNC
https://malwareworld.com/
Detecting Phishing
Phishious
https://zeltser.com/domain-name-variations-in-phishing/
https://0xpatrik.com/phishing-domains/
https://darkbyte.net/robando-sesiones-y-bypasseando-2fa-con-evilnovnc/
https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
htARTE(HackTricks AWS红队专家)
订阅计划
官方PEASS & HackTricks周边产品
PEASS家族
NFTs
Discord群
电报群
@hacktricks_live
HackTricks
HackTricks Cloud
了解如何验证/发现电子邮件地址
阅读此页面
阅读此页面
阅读此页面