
The Hacker Recipes

Access controls
Access controls Theory In their research papers , Will Schroeder and Lee Christensen found multiple vectors of domain es…
Certificate authority
Certificate authority Theory Certificate Authority misconfiguration In their research papers , Will Schroeder and Lee Ch…
Certificate templates
Certificate templates Theory Template theory AD CS Enterprise CAs issue certificates with settings defined by AD objects…
Certifried
Certifried Theory Certifried (CVE-2022-26923) is a vulnerability discovered by Oliver Lyak on AD CS that lets a domain-j…
Unsigned endpoints
Unsigned endpoints Theory In their research papers , Will Schroeder and Lee Christensen found a domain escalation vector…
MachineAccountQuota
MachineAccountQuota Theory MachineAccountQuota (MAQ) is a domain level attribute that by default permits unprivileged us…
Pre-Windows 2000 computers
Pre-Windows 2000 computers Theory When a new computer account is configured as "pre-Windows 2000 computer", its password…
RODC
RODC Theory The read-only Domain Controller (RODC) is a solution that Microsoft introduced for physical locations that d…
Security groups
Security groups Theory In the Windows Server operating system, there are several built-in accounts and security groups t…
Password guessing
Password guessing Theory There are scenarios where testers need to operate credential guessing for lateral movement, pri…
Spraying
Spraying Credential spraying is a technique that attackers use to try a few passwords (or keys) against a set of usernam…
Stuffing
Stuffing When credentials are found (through dumping or cracking for instance), attackers can try to use them to obtain …
Cracking
Cracking Theory Attacking Active Directory domains often leads to obtaining interesting passwords, but either hashed or e…
Cached Kerberos tickets
Cached Kerberos tickets Theory Kerberos tickets can be cached on systems to allow for faster authentication without requ…
DCSync
DCSync Theory DCSync is a technique that uses Windows Domain Controller's API to simulate the replication process from a…
DPAPI secrets
DPAPI secrets Theory The DPAPI (Data Protection API) is an internal component in the Windows system. It allows various a…
Group Policy Preferences
Group Policy Preferences Theory Windows systems come with a built-in Administrator (with an RID of 500) that most organi…
In-memory secrets
In-memory secrets Theory Just like the LSASS process on Windows systems allowing for LSASS dumping , some programs somet…
Kerberos key list
Kerberos key list Theory It is possible to retrieve the long term secret of a user (e.g. NT hash) by sending a TGS-REQ (…
Local files
🛠️ Local files…
LSASS secrets
LSASS secrets Theory The Local Security Authority Subsystem Service (LSASS) is a Windows service responsible for enforci…
Network protocols
Network protocols Theory Plaintext protocols (like HTTP, FTP, SNMP, SMTP) are widely used within organizations. Being ab…
Network shares
Network shares Theory In organization networks, it is common to find passwords in random files (logs, config files, pers…
NTDS secrets
NTDS secrets NTDS (Windows NT Directory Services) is the directory service used by Microsoft Windows NT to locate, mana…
Password managers
🛠️ Password managers…
SAM & LSA secrets
SAM & LSA secrets Theory In Windows environments, passwords are stored in a hashed format in registry hives like SAM…
Web browsers
Web browsers Theory Just like other common programs and applications, most web browsers offer "credential saving" featur…
Windows Credential Manager
🛠️ Windows Credential Manager Theory Windows Credential Manager is a built-in feature that securely stores sensitive log…
Impersonation
Impersonation When credentials are found (through dumping or cracking for instance), attackers try to use them to obtain…
Shuffling
Shuffling When credentials are found (through dumping or cracking for instance), attackers try to use them to obtain acc…
AddMember
AddMember This abuse can be carried out when controlling an object that has a GenericAll , GenericWrite , Self , AllExte…
ForceChangePassword
ForceChangePassword This abuse can be carried out when controlling an object that has a GenericAll , AllExtendedRights o…
Grant ownership
Grant ownership This abuse can be carried out when controlling an object that…
Grant rights
Grant rights This abuse can be carried out when controlling an object that has WriteDacl over another object. The attack…
Logon script
Logon script 📝 Note It is worth noting that during lab testing, I couldn't find a way to practice this scenario. Since I…
ReadGMSAPassword
ReadGMSAPassword This abuse stands out a bit from other abuse cases. It can be carried out when controlling an object th…
ReadLAPSPassword
ReadLAPSPassword This abuse can be carried out when controlling an object that has GenericAll or AllExtendedRights (or c…
Rights on RODC object
Rights on RODC object With administrative control over the RODC computer object in the Active Directory, there is a path…
Targeted Kerberoasting
Targeted Kerberoasting This abuse can be carried out when controlling an object that has a GenericAll , GenericWrite , W…
PrivExchange
🛠️ PrivExchange PushSubscription + ACE abuse…
ProxyLogon
🛠️ ProxyLogon…
ProxyShell
🛠️ ProxyShell…
Group policies
Group policies Theory "Group Policy" is a management feature of Active Directory. It allows admins to manage computers a…
ASREProast
ASREProast Theory The Kerberos authentication protocol works with tickets in order to grant access. An ST (Service Ticket…
ASREQroast
ASREQroast Theory The Kerberos authentication protocol works with tickets in order to grant access. An ST (Service Ticket…
Bronze Bit
Bronze Bit Theory When abusing Kerberos delegations, S4U extensions usually come into play. One of those extensions is S…
(KCD) Constrained
(KCD) Constrained Theory If a service account, configured with constrained delegation to another service, is compromised…
(RBCD) Resource-based constrained
(RBCD) Resource-based constrained Theory If an account, having the capability to edit the msDS-AllowedToActOnBehalfOfOth…
S4U2self abuse
S4U2self abuse Theory The following recipe shows how to abuse S4U2self for Local Privilege Escalation, or for stealthier…
(KUD) Unconstrained
(KUD) Unconstrained Theory If an account (user or computer), with unconstrained delegations privileges, is compromised, …
Diamond tickets
Diamond tickets Theory Golden and Silver tickets can usually be detected by probes that monitor the service ticket reque…
Golden tickets
Golden tickets Theory The long-term key of the krbtgt account can be used to forge a special TGT (Ticket Granting Ticket…
MS14-068
MS14-068 Theory This vulnerability allows attackers to forge a TGT with high privileges (i.e. with a modified PAC statin…
RODC Golden tickets
RODC Golden tickets Theory With administrative access to an RODC , it is possible to dump all the cached credentials, in…
Sapphire tickets
Sapphire tickets Theory Sapphire tickets are similar to Diamond tickets in the way the ticket is not forged, but instead…
Silver tickets
Silver tickets Theory The long-term key of a service account can be used to forge a Service ticket that can later be use…
Kerberoast
Kerberoast Theory When asking the KDC (Key Distribution Center) for a Service Ticket (ST), the requesting user needs to …
Overpass the hash
Overpass the hash This technique is a form of pass the key . Kerberos offers 4 different key types: DES, RC4, AES-128 an…
Pass the Certificate
Pass the Certificate Theory The Kerberos authentication protocol works with tickets in order to grant access. An ST (Ser…
Pre-auth bruteforce
Pre-auth bruteforce Theory The Kerberos authentication protocol works with tickets in order to grant access. An ST (Servi…
Pass the cache
Pass the cache This technique is equivalent to pass the ticket. Instead of using Kerberos tickets from, or found on, Win…
Pass the key
Pass the key Theory The Kerberos authentication protocol works with tickets in order to grant access. A Service Ticket (…
Pass the ticket
Pass the ticket Theory There are ways to come across ( cached Kerberos tickets ) or forge ( overpass the hash , silver t…
Kerberos relay
Kerberos relay Theory Under certain conditions, an attacker can relay Kerberos authentication to targets of his choosing…
sAMAccountName spoofing
sAMAccountName spoofing Theory In November 2021, two vulnerabilities caught the attention of many security researchers a…
Shadow Credentials
Shadow Credentials Theory The Kerberos authentication protocol works with tickets in order to grant access. An ST (Servi…
SPN-jacking
SPN-jacking Theory This attack combines Kerberos Constrained delegation abuse and DACL abuse . A service configured for …
Timeroasting
Timeroasting Theory Timeroasting is an attack technique that abuses Microsoft's proprietary NTP extension to extract pas…
UnPAC the hash
UnPAC the hash Theory When using PKINIT to obtain a TGT (Ticket Granting Ticket), the KDC (Key Distribution Center) incl…
ADIDNS poisoning
ADIDNS poisoning Theory In order to function properly, Active Directory services need DNS. In that matter, Active Direct…
ARP poisoning
ARP poisoning Theory The ARP (Address Resolution Protocol) is used to link IPv4 addresses with MAC addresses, allowing m…
DHCP poisoning
DHCP poisoning Theory When a workstation reboots or plugs into a network, a broadcast DHCP request is emitted. Its goal…
DHCPv6 spoofing
DHCPv6 spoofing Theory DHCPv6 spoofing and poisoning By default on Windows environments, IPv6 is enabled and has priorit…
DNS spoofing
DNS spoofing Theory DNS is not multicast or broadcast like LLMNR, NBT-NS or mDNS . In order to answer DNS requests, atta…
ICMP Redirect
🛠️ ICMP Redirect python3 tools/Icmp-Redirect.py --interface eth0 --ip $my_ip --gateway $gateway --target $target --route…
Living off the land
🛠️ Living off the land ⚠️ Warning This is a work-in-progress. It's indicated with the 🛠️ emoji in the page name or in th…
LLMNR, NBT-NS, mDNS spoofing
LLMNR, NBT-NS, mDNS spoofing In some environments (like Windows ones), multicast name resolution protocols are enabled b…
MS-DFSNM abuse (DFSCoerce)
MS-DFSNM abuse (DFSCoerce) Theory MS-DFSNM is Microsoft's Distributed File System Namespace Management protocol. It prov…
MS-EFSR abuse (PetitPotam)
MS-EFSR abuse (PetitPotam) Theory MS-EFSR is Microsoft's Encrypting File System Remote protocol. It performs maintenance…
MS-FSRVP abuse (ShadowCoerce)
MS-FSRVP abuse (ShadowCoerce) Theory MS-FSRVP is Microsoft's File Server Remote VSS Protocol. It's used for creating sha…
MS-RPRN abuse (PrinterBug)
MS-RPRN abuse (PrinterBug) Theory Microsoft’s Print Spooler is a service handling the print jobs and other various tasks…
NBT Name Overwrite
🛠️ NBT Name Overwrite https://twitter.com/PythonResponder/status/1379251124985851904…
PushSubscription abuse
PushSubscription abuse Theory "PushSubscription" is an API on Exchange Web Services that allows subscribing to push not…
WebClient abuse (WebDAV)
WebClient abuse (WebDAV) Theory Web Distributed Authoring and Versioning (WebDAV) is an extension to Hypertext Transfer …
WPAD spoofing
WPAD spoofing Theory A proxy can be used to handle client requests (for example to access the Internet). In a network i…
WSUS spoofing
WSUS spoofing Theory WSUS (Windows Server Update Services) allows administrators to centralize the management and deploym…
ZeroLogon
ZeroLogon Theory Netlogon is a service verifying logon requests, registering, authenticating, and locating domain contro…
Capture
Capture Theory After successfully forcing a victim to authenticate with LM or NTLM to an attacker's server, the attacker…
Pass the hash
Pass the hash Theory An attacker knowing a user's NT hash can use it to authenticate over NTLM (pass-the-hash) (or indir…
NTLM relay
NTLM relay Theory After successfully forcing a victim to authenticate with LM or NTLM to an attacker's server, the attac…
PrinterBug
PrinterBug This vulnerability allows low-privileged users to coerce authentications from machines that run the Print Spo…
PrintNightmare
PrintNightmare Theory The print spooler The Print Spooler is a Microsoft built-in service that manages printing jobs. It…
AdminService API
AdminService API Theory It appears that, with SCCM administrative rights, it is possible to directly interact with the A…
Applications and scripts deployment
Applications and scripts deployment Theory With administrative rights on the primary site server, applications and scrip…
Admin & Special Account Enumeration
Admin & Special Account Enumeration Theory Administrative privileges over the SCCM Management Point (MP) are require…
SCCM Hierarchy takeover
SCCM Hierarchy takeover Theory As indicated by Chris Thompson in his article SCCM Hierarchy Takeover , by default, when …
Client Push account authentication coercion
Client Push account authentication coercion Theory If SCCM is deployed via Client Push Accounts, it is possible, from a …
Credential harvesting
Credential harvesting Theory For more details on this subject, see this Synacktiv article . This blogpost also contains …
SCCM site takeover
SCCM site takeover Theory Some SCCM configurations make it possible to abuse the permissions of the site server / passiv…
Pass the Certificate
Pass the Certificate 📝 Note This technique extends the notion of [Pass the Certificate](/page/hacker-recipes/ad/movement…
Access controls
Access controls Theory In their research papers , Will Schroeder and Lee Christensen identified a set of vectors of doma…
Certificate authority
Certificate authority Theory In their research papers , Will Schroeder and Lee Christensen identified 2 domain persisten…
Golden certificate
Golden certificate Theory Golden certificates usually refer to one of two types of attacks. Forge certificate and sign t…
AdminSDHolder
AdminSDHolder Theory AdminSDHolder protects domain objects against permission changes. "AdminSDHolder" either refers to …
Access controls
🛠️ Access controls https://www.slideshare.net/harmj0y/an-ace-in-the-hole-stealthy-host-persistence-via-security-descript…
DSRM Persistence
DSRM Persistence Theory The Directory Services Restore Mode (DSRM) is a special mode available on every Domain Controlle…
GoldenGMSA
GoldenGMSA Theory What is a gMSA account? Within an Active Directory environment, service accounts are often created and…
Delegation to KRBTGT
Delegation to KRBTGT Theory The idea behind this technique is to configure resource-based constrained delegation on the …
Forged tickets
Forged tickets Silver, Golden, Diamond and Sapphire tickets are similar variants of forged Kerberos tickets, for differe…
Shadow Principals (PAM)
Shadow Principals (PAM) Theory When a Bastion Forest is compromised, there are multiple ways to obtain persistence on th…
SID History
SID History Theory The SID (Security Identifier) is a unique identifier that is assigned to each security principal (e.g…
DHCP
DHCP When connecting a computer to most enterprise networks, if the Dynamic Host Configuration Protocol (DHCP) is enable…
DNS
DNS Finding Domain Controllers AD-DS (Active Directory Domain Services) rely on DNS SRV RR (service location resource re…
enum4linux ⚙️
enum4linux ⚙️ The Perl script enum4linux.pl is a powerful tool able to operate recon techniques for LDAP , NBT-NS and MS…
LDAP
LDAP A lot of information on an AD domain can be obtained through LDAP. Most of the information can only be obtained wit…
MS-RPC
MS-RPC Theory MS-RPC (Microsoft Remote Procedure Call) is a protocol that allows requesting service from a program on an…
NBT-NS
NBT-NS Just like DNS, the NBT-NS (NetBIOS name service) protocol is used to translate names to IP addresses. By default,…
Password policy
Password policy When attacking Active Directory domains, directly targeting accounts is usually a great start. It could …
Port scanning
Port scanning In an Active Directory domain, domain controllers can be easily spotted depending on what services they ho…
Responder ⚙️
Responder ⚙️ Responder (Python) is a great tool for LLMNR, NBTNS, MDNS poisoning and WPAD spoofing but it can also be us…
Dropper
🛠️ Dropper ⚠️ Warning This is a work-in-progress. It's indicated with the 🛠️ emoji in the page name or in the category n…
Loader
🛠️ Loader ⚠️ Warning This is a work-in-progress. It's indicated with the 🛠️ emoji in the page name or in the category na…
Obfuscation
🛠️ Obfuscation ⚠️ Warning This is a work-in-progress. It's indicated with the 🛠️ emoji in the page name or in the catego…
Process injection
🛠️ Process injection ⚠️ Warning This is a work-in-progress. It's indicated with the 🛠️ emoji in the page name or in the …
Stealth with C2
🛠️ Stealth with C2 ⚠️ Warning This is a work-in-progress. It's indicated with the 🛠️ emoji in the page name or in the ca…
(EDR) Endpoint Detection and Response
🛠️ (EDR) Endpoint Detection and Response indirect syscall, ETW…
Initial access (phishing)
Initial access (phishing)…
Port forwarding
🛠️ Port forwarding ⚠️ Warning This is a work-in-progress. It's indicated with the 🛠️ emoji in the page name or in the ca…
SOCKS proxy
🛠️ SOCKS proxy Theory SOCKS (SOCKet Secure) is a network protocol that allows users to route network traffic to a server…
Capabilities
🛠️ Capabilities Theory Linux capabilities are a way to improve permission granularity in unix-like systems. It allows to…
Living off the land
🛠️ Living off the land Theory Living off the Land is a well known privilege escalation technique, where an attacker will …
Network secrets
🛠️ Network secrets cf. AD > Movement > Cred > Dump > Network secrets…
SUDO
SUDO Theory sudo (Super User DO) is a program for UNIX-like computer operating systems that allows users to run programs…
SUID/SGID binaries
SUID/SGID binaries Theory On UNIX-like systems, binaries have permissions, just like any other file. Some of them often …
Account privileges
🛠️ Account privileges https://twitter.com/fr0gger_/status/1379465943965909000/photo/1…
Credential dumping
🛠️ Credential dumping link to some AD cred dump techniques…
Kernel exploitation
🛠️ Kernel exploitation…
Living off the land
🛠️ Living off the land Theory Living off the Land is a well known privilege escalation technique, where an attacker will …
Network secrets
🛠️ Network secrets cf. AD > Movement > Cred > Dump > Network secrets…
Runas saved creds
🛠️ Runas saved creds…
Scheduled tasks
🛠️ Scheduled tasks…
Unattend files
Unattend files…
Unquoted path
🛠️ Unquoted path Services and scheduled tasks can be vulnerable…
Vulnerable drivers
🛠️ Vulnerable drivers…
Weak service permissions
🛠️ Weak service permissions Theory File permissions in Windows define who is allowed to access, modify, or execute files…
Windows Subsystem for Linux
🛠️ Windows Subsystem for Linux…
DNS
🛠️ DNS Theory The Domain Name System (DNS) is a fundamental protocol of the Internet that translates human-readable doma…
FTP
🛠️ FTP Theory The File Transfer Protocol (FTP) is a standard network protocol used for the transfer of files between a c…
HTTP
🛠️ HTTP…
Kerberos
🛠️ Kerberos…
LDAP
🛠️ LDAP…
MSSQL
🛠️ MSSQL…
MySQL
🛠️ MySQL…
NFS
🛠️ NFS Theory NFS (Network File System) allows a client to access files over a network in the same way they would acces…
RDP
🛠️ RDP…
RTSP
🛠️ RTSP…
SMB
🛠️ SMB Theory SMB (Server Message Block) is a protocol running on port 445/tcp. It is used to share access to files, pri…
SSH
🛠️ SSH Theory The SSH protocol (Secure Shell) is used to login from one machine to another securely. It offers several o…
Telnet
🛠️ Telnet Theory Telnet (teletype network) is a network protocol used to gain access to a virtual terminal in local or i…
WinRM
🛠️ WinRM…
Hosts discovery
🛠️ Hosts discovery Theory When targeting machines connected to a network, identifying which hosts are up and running (an…
Port scanning
Port scanning Theory When targeting machines connected to a network, identifying which services are running and accessib…
Emails
Emails Theory Searching for emails is a common part of an external pentest and could also be useful for internal pentest…
Web infrastructure
Web infrastructure Theory Practice shodan : net:"SUBNET/MASK" - org:"company name" zoomeye : IP/MASK fofa.so Get the DNS…
GEOINT
GEOINT Theory Geospatial intelligence (GEOINT) is intelligence by analyzing geospatial maps and images about the human a…
OSINT
OSINT Theory When it comes to social engineering, gathering information about the target is crucial, especially if you t…
Android Debug Bridge ⚙️
Android Debug Bridge ⚙️ Theory Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate wit…
APK transform
APK transform Theory An .APK file (i.e. Android Package) is a compressed collection of files (i.e. a package) for Androi…
Magisk
Magisk Theory Magisk is a suite of open source software for customizing Android, supporting devices higher than Android …
Android
Android Auditing Android apps usually requires being able to capture and handle requests generated by the phone (e.g. t…
Certificate pinning
Certificate pinning bypass (needs a jailbroken device) https://github.com/nabla-c0d3/ssl-kill-switch2 https://portswigger.net/burp…
Untitled
Untitled…
Locks
Locks generate STL files for keys https://keygen.co/ decode key https://github.com/MaximeBeasse/KeyDecoder…
Network Access Control
Network Access Control Theory NAC (Network Access Control) acts as a kind of a gatekeeper to the local network infrastru…
Airstrike attack
Airstrike attack https://shenaniganslabs.io/2021/04/13/Airstrike.html…
BIOS security
BIOS security…
Encryption
Encryption Bitpixie To bypass BitLocker, a proof-of-concept called 'bitpixie' can be used: https://github.com/andigandhi…
HID injection
HID injection…
Keylogging
Keylogging…
Banana & chocolate cake
🍌 Banana & chocolate cake Theory The banana, chocolate, oatmeal and peanut butter cake is the ultimate reward after …
Burger du seigneur
🍔 Burger du seigneur Theory El famoso "Burger de seigneur" is the ultimate meal after successfully completing an engagem…
Omelette du fromage
🍳 Omelette du fromage Theory The French dish "Omelette du fromage" is famously known for its ability to convey strength …
The Pancakes of Heaven
🥞 The Pancakes of Heaven Theory Those who made it here are one of the luckiest. The legend says that hackers who ate the…
About us
About us Last updated: December 11, 2024 Field Details Business name Monkey 513 SIRET 932 547 367 00015 Legal form SASU …
Privacy Policy
Privacy Policy Last updated: December 11, 2024 This Privacy Policy describes Our policies and procedures on the collecti…
Terms and conditions
Terms and conditions Last updated: December 11, 2024 Interpretation and definitions Interpretation These terms and condi…
Bluetooth
Bluetooth…
Darkside
Darkside…
Default keys
Default keys…
Nested
Nested nested, hardnested, static nested…
Wireless keyboard/mouse
Wireless keyboard/mouse //TODO : attacks on non-bluetooth wireless keyboard/mouse : mousejacking vulnerabilities class …
Account deletion
🛠️ Account deletion Theory Removing an account is a sensitive action that should be taken into consideration. Practice S…
Logging in
🛠️ Logging in Theory link default passwords Authentication issues are important to take into consideration. A login page…
Password change
Password change Websites that manage user accounts usually offer a "password change" feature. This offers attackers an i…
Password reset
🛠️ Password reset Theory Websites that manage user accounts usually have a "forgot password" or "reset password" feature…
Security policies
Security policies Theory Passwords are strings used to authenticate a user or services. They are very important and mus…
Account creation
Account creation Theory When creating an account the presence of a captcha is important. It helps to differentiate a rea…
Default credentials
Default credentials Theory Default credentials are a really simple and extremely common way to get initial access to a s…
Denial of Service (DoS)
🛠️ Denial of Service (DoS) Theory There are two distinct types of denial of service: Denial of Service (DoS): using a si…
CSP (Content Security Policy)
🛠️ CSP (Content Security Policy) Theory Content-Security-Policy (CSP) is the name of an HTTP response header that modern …
MIME type sniffing
MIME type sniffing MIME type sniffing is an operation conducted by many browsers. Each browser behaves differently on th…
HTTP methods
HTTP methods Theory Verb tampering Some websites filter access to resources but fail at filtering out all HTTP methods. …
HTTP response splitting
HTTP response splitting Theory The HTTP protocol uses CRLF sequences to end headers, lines and so on. When input vectors…
OAuth 2.0
🛠️ OAuth 2.0 Theory OAuth 2.0 is a widely used framework across websites on the internet. It provides authorization. Ex…
Insecure Cookies
Insecure Cookies Theory Most web applications use cookies for stateful authentication and access control. Some implement…
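As an added example (not code from The Hacker Recipes), the following Python audit parses constructed Set-Cookie headers with the standard library and reports the flags a session cookie should carry (Secure, HttpOnly, SameSite); the cookie names and values are made up for the demonstration.

```python
"""
Added example: audit Set-Cookie headers for missing Secure / HttpOnly / SameSite.
The headers below are constructed for the demonstration, not captured from a
real application.
"""
from http.cookies import SimpleCookie
from typing import Dict, List

# Constructed response headers, one Set-Cookie line each.
SAMPLE_SET_COOKIE = [
    "session=3f2a9c; Path=/; HttpOnly; Secure; SameSite=Lax",
    "PHPSESSID=9c1d4e; Path=/",
    "csrftoken=abcd; Path=/; Secure",
]


def audit_cookie(header: str) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing attributes]} for one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)            # parses attributes, including the valueless flags
    findings: Dict[str, List[str]] = {}
    for name, morsel in jar.items():
        issues = []
        if not morsel["secure"]:
            issues.append("missing Secure")      # cookie will be sent over plain HTTP
        if not morsel["httponly"]:
            issues.append("missing HttpOnly")    # readable via document.cookie (XSS)
        if not morsel["samesite"]:
            issues.append("missing SameSite")    # sent on cross-site requests (CSRF)
        findings[name] = issues
    return findings


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Merge the findings of several Set-Cookie headers."""
    result: Dict[str, List[str]] = {}
    for header in headers:
        result.update(audit_cookie(header))
    return result


if __name__ == "__main__":
    for cookie, issues in audit_all(SAMPLE_SET_COOKIE).items():
        print(cookie, "->", ", ".join(issues) or "ok")
```

In practice the headers come from the response of an authenticated request; the check is the same, and a session cookie that lacks any of the three flags is the finding to report.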
API
API Theory The API pentesting methodology begins with reconnaissance, where information is gathered about the API, inclu…
Arbitrary file download
🛠️ Arbitrary file download talk about functions like download.php?id=123.php talk about null byte, directory traversal I…
CRLF injection
🛠️ CRLF injection Theory CRLF represents termination of line: CR = Carriage Return ( \r ) LF = Line Feed ( \n ) Windows …
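The two pages above (HTTP response splitting and CRLF injection) describe the same mechanism: an unvalidated value pasted into an HTTP header carries a CR/LF and so terminates the header line early. The following Python is an added example (not code from The Hacker Recipes) that builds a redirect response both ways and parses the result, so the injected header can be observed; the payload and the response builder are constructed for the demonstration.

```python
"""
Added example: CRLF injection into a Location header, vulnerable vs. hardened.
The payload and the minimal response builder are constructed for this demo.
"""
from typing import Dict, List, Tuple


class HeaderInjection(ValueError):
    """Raised by the hardened builder when a header value carries CR, LF or NUL."""


def build_redirect_vulnerable(location: str) -> bytes:
    # The attacker-controlled value is pasted straight into the header block,
    # so a "\r\n" inside it ends the Location line and starts a new header.
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_hardened(location: str) -> bytes:
    # Refuse any character that can act as a line terminator; this is what
    # modern HTTP libraries do before emitting a header.
    if any(ch in location for ch in ("\r", "\n", "\0")):
        raise HeaderInjection("CR/LF/NUL not allowed in header value")
    return build_redirect_vulnerable(location)


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Parse the header block of a raw response into (name, value) pairs."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:                   # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


# Constructed attacker input: a legitimate-looking path followed by an
# injected Set-Cookie header.
PAYLOAD = "/home\r\nSet-Cookie: session=attacker-chosen; Path=/"


def demo() -> Dict[str, object]:
    injected = parse_headers(build_redirect_vulnerable(PAYLOAD))
    try:
        build_redirect_hardened(PAYLOAD)
        blocked = False
    except HeaderInjection:
        blocked = True
    return {
        "vulnerable_headers": [name for name, _ in injected],
        "hardened_blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

A payload carrying a second "\r\n\r\n" goes one step further and supplies a whole response body, which is the "response splitting" variant; the hardened builder rejects it for the same reason.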
CSRF (Cross-Site Request Forgery)
CSRF (Cross-Site Request Forgery) Theory A Cross-Site Request Forgery (a.k.a. CSRF, pronounced "C surf", a.k.a. XSRF) a…
Directory traversal
🛠️ Directory traversal Theory Directory traversal (or Path traversal) is a vulnerability that allows an individual to re…
file upload
file upload Image Upload 💡 Tip The prerequisite for this method is to be able to [upload a file](/page/hacker-recipes/we…
logs poisoning
logs poisoning ⚠️ Warning Log files may be stored in different locations depending on the operating system/distribution.…
PHP session
PHP session When a web server wants to handle sessions, it can use PHP session cookies ( PHPSESSID ). Finding where the …
PHP wrappers and streams
PHP wrappers and streams ::: details data:// The attribute allow_url_include must be set. This configuration can be chec…
phpinfo
phpinfo 💡 Tip The prerequisites for this method are : * having `file_uploads=on` set in the PHP configuration file * hav…
/proc
/proc ::: details /proc/self/environ Testers can abuse a process created due to a request. The payload is injected in th…
RFI to RCE
RFI to RCE via HTTP The tester can host arbitrary PHP code and access it through the HTTP protocol # Create phpinfo.p…
HTTP parameter pollution
HTTP parameter pollution Theory A query parameter allows a client to refine researches on a website. It is composed of a…
IDOR (Insecure Direct Object Reference)
IDOR (Insecure Direct Object Reference) Theory When web applications badly implement direct access to objects (files, dat…
Insecure deserialization
🛠️ Insecure deserialization Theory Many web applications manage data and rely on (de)serialization for formatting when s…
Insecure JSON Web Tokens
Insecure JSON Web Tokens Theory Some web applications rely on JSON Web Tokens (JWTs) for stateless authentication and ac…
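The classic JWT weakness is a verifier that takes the algorithm from the token's own header. As an added example (not code from The Hacker Recipes), the Python below signs an HS256 token, forges an alg=none copy with elevated claims, and runs both through a lax verifier and a strict one that pins the algorithm; the secret and claims are constructed for the demonstration.

```python
"""
Added example: HS256 JWT verification, lax (trusts the token's "alg") vs.
strict (algorithm pinned by the verifier). Secret and claims are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

SECRET = b"constructed-demo-secret"   # assumption: the server-side HMAC key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_json(obj: Dict[str, Any]) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: Dict[str, Any], key: bytes) -> str:
    """Server side: issue a properly signed HS256 token."""
    header = _encode_json({"alg": "HS256", "typ": "JWT"})
    payload = _encode_json(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def forge_alg_none(new_claims: Dict[str, Any]) -> str:
    """Attacker side: alg=none header, chosen claims, empty signature."""
    header = _encode_json({"alg": "none", "typ": "JWT"})
    return f"{header}.{_encode_json(new_claims)}."


def verify_lax(token: str, key: bytes) -> Optional[Dict[str, Any]]:
    """Insecure: the algorithm is read from the untrusted header."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(payload_b64))   # no signature check
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return json.loads(_b64url_decode(payload_b64))
    return None


def verify_strict(token: str, key: bytes) -> Optional[Dict[str, Any]]:
    """Hardened: the verifier decides the algorithm; the token cannot change it."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:                     # malformed token or JSON
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def demo() -> Dict[str, Any]:
    legit = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    return {
        "lax_accepts_forged": verify_lax(forged, SECRET),
        "strict_accepts_forged": verify_strict(forged, SECRET),
        "strict_accepts_legit": verify_strict(legit, SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

The same pinning rule defends against the RS256-to-HS256 confusion, where the public key is fed to an HMAC verifier: a verifier that only ever accepts the algorithm it was configured for cannot be steered by the header.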
Null-byte injection
🛠️ Null-byte injection Theory Null byte is a bypass technique for sending data that would be filtered otherwise. It reli…
Open redirect
Open redirect Theory Many web applications make redirections based on parameters that users can easily control, like GET…
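Redirect targets are usually validated with a prefix check, which is exactly what the common bypasses defeat. As an added example (not code from The Hacker Recipes), the Python below contrasts such a naive check with a strict one built on urlsplit, evaluated over a constructed set of redirect targets; the trusted hostname is an assumption.

```python
"""
Added example: open redirect validation, naive prefix check vs. strict parsing.
TRUSTED_HOST and the redirect targets in CASES are constructed for this demo.
"""
from typing import Dict, Tuple
from urllib.parse import urlsplit

TRUSTED_HOST = "good.example.com"   # assumption: the application's own host


def is_safe_naive(target: str) -> bool:
    """Common but broken: "starts with /" or prefix match on the trusted origin."""
    return target.startswith("/") or target.startswith(f"https://{TRUSTED_HOST}")


def is_safe_strict(target: str) -> bool:
    """Accept only same-site relative paths or exact https URLs to TRUSTED_HOST."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        try:
            port = parts.port
        except ValueError:               # malformed port string
            return False
        return (
            parts.scheme == "https"
            and parts.hostname == TRUSTED_HOST
            and "@" not in parts.netloc   # no userinfo: "good.example.com@evil"
            and "\\" not in parts.netloc  # browsers treat "\" as "/" in http(s) URLs
            and port is None
        )
    path = parts.path
    # "//host" and "/\host" have no scheme but browsers follow them off-site.
    return path.startswith("/") and not path.startswith("//") and not path.startswith("/\\")


# Constructed targets: (expected naive verdict, expected strict verdict)
CASES: Dict[str, Tuple[bool, bool]] = {
    "/account": (True, True),
    "https://good.example.com/dash": (True, True),
    "//evil.example/": (True, False),
    "/\\evil.example": (True, False),
    "https://good.example.com@evil.example/": (True, False),
    "https://good.example.com.evil.example/": (True, False),
    "https://evil.example/": (False, False),
}


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """Run both validators over every constructed target."""
    return {t: (is_safe_naive(t), is_safe_strict(t)) for t in CASES}


if __name__ == "__main__":
    for target, (naive, strict) in evaluate().items():
        print(f"{target!r:45} naive={naive!s:5} strict={strict}")
```

Each row where the naive verdict is True and the strict one is False is a bypass a tester would try against a redirect parameter; the safest design avoids the question altogether by redirecting to a server-side allow-listed identifier rather than a URL.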
SQL injection
SQL injection Theory Many web applications use one or multiple databases to manage data. In order to dynamically edit th…
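The page describes queries built dynamically from user input. As an added example (not code from The Hacker Recipes), the Python below runs the same login query against a constructed in-memory SQLite table twice, once with string formatting and once with a bound parameter, so the authentication bypass and its fix can be observed offline; the table contents and payload are constructed.

```python
"""
Added example: SQL injection in a login query, string formatting vs. parameters.
The users table and the payload are constructed for this demonstration.
"""
import sqlite3
from typing import Dict, Optional


def make_db() -> sqlite3.Connection:
    """Constructed users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "constructed-admin-pass"), ("bob", "constructed-bob-pass")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    # User input is pasted into the SQL text, so a quote in either field
    # rewrites the WHERE clause.
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    # Placeholders keep the input as data; the driver never re-parses it as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Constructed payload: closes the string, then comments out the password check.
PAYLOAD_USER = "admin' -- "


def demo() -> Dict[str, Optional[str]]:
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, PAYLOAD_USER, "wrong"),
        "parameterized_bypass": login_parameterized(conn, PAYLOAD_USER, "wrong"),
        "parameterized_legit": login_parameterized(conn, "bob", "constructed-bob-pass"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable query becomes SELECT username FROM users WHERE username = 'admin' -- ' AND password = 'wrong', which logs the attacker in as admin; the parameterized version looks for a user literally named "admin' -- " and finds none.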
SSTI (Server-Side Template Injection)
🛠️ SSTI (Server-Side Template Injection) Theory Some web applications rely on template engines to offer dynamic content.…
Unrestricted file upload
Unrestricted file upload Theory Many web applications manage files and allow users to upload and download pictures, docu…
XSS (Cross-Site Scripting)
XSS (Cross-Site Scripting) Theory Many web applications have input vectors that users can interact with. When those inpu…
Content Management System (CMS)
Content Management System (CMS) Theory A Content Management System (CMS) is a type of software widely used for websites …
Comments and metadata
Comments and metadata Theory When requesting a web application, the server usually sends code (in HTML, CSS, Javascript.…
Directory fuzzing
Directory fuzzing Theory While Crawling allows testers to build the indexed architecture of a website, this technique can'…
Subdomains enumeration
Subdomains enumeration Theory When conducting penetration tests on a website, or on a *.domain.com scope, finding subdom…
Error messages
Error messages Theory It is common to browse websites that leak information regarding the technologies they use in vario…
HTTP response headers
HTTP response headers Theory HTTP messages (requests and responses) always contain a line, header fields, an empty line …
Known vulnerabilities
Known vulnerabilities Theory This step ends the reconnaissance phase. The previous steps were aimed at gaining knowledge…
Site crawling
Site crawling Theory When requesting a web application, the server usually sends code (in HTML, CSS, Javascript, ...) in…
Subdomain & vhost fuzzing
Subdomain & vhost fuzzing Theory A web server can host multiple websites for multiple domain names (websites). In or…
Web Application Firewall (WAF)
Web Application Firewall (WAF) Theory Many web applications stand behind a WAF (Web Application Firewall) that aim the p…
Other technologies
Other technologies Theory A web application usually relies on multiple components which compose the attack surface among…