HackTricks

970 pages
HackTricks
  Hacktricks logos & motion design by @ppieranacho. Run HackTricks Locally # Download latest version of ha…
HackTricks Values & FAQ
  HackTricks Values 💡 Tip These are the **value…
About the author
  Hello!! Credits for techniques from other researchers be…
Pentesting Methodology
  Pentesting Methodology Hacktricks logos designed b…
Fuzzing Methodology
  Mutational Grammar Fuzzing: Coverage vs. Semantics In…
External Recon Methodology
  Assets discoveries So you were told that ev…
Database leaks
  Data Breach Search Engines greynoise - Search for IPs, …
Wide Source Code Search
  The goal of this page is to enumerate platform…
Github Dorks & Leaks
  Tools to find secrets in git repos and file s…
Pentesting Network
  Discovering hosts from the outside This is going to…
DHCPv6
  DHCPv6 vs. DHCPv4 Message Types Comparison A comparative view o…
EIGRP Attacks
  This is a summary of the attacks exposed in https://medi…
GLBP & HSRP Attacks
  FHRP Hijacking Overview Insights into FHRP FHR…
IDS/IPS Evasion Techniques
  TTL Manipulation Send some packets with a T…
Lateral VLAN Segmentation Bypass
  If direct access to a switch is avail…
Network Protocols
  Multicast DNS (mDNS) The mDNS protocol is designed f…
Nmap Summary (ESP)
  nmap -sV -sC -O -n -oA nmapscan 192.168.0.1/24 Para…
Pentesting IPv6
  IPv6 Basic theory Networks IPv6 addresses are structur…
Telecom Network Exploitation (GTP / Roaming Environments)
  📝 Note Mobil…
WebRTC DoS
  This issue was found in this blog post: https://www.rtcsec.…
Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
  Network Pr…
Spoofing SSDP and UPnP Devices with EvilSSDP
  Check https://www.hacking…
Pentesting Wifi
  Wifi basic commands ip link show #List available inter…
Enable NexMon Monitor Mode & Packet Injection on Android (Broadcom chips)
  …
Evil Twin EAP-TLS
  EAP-TLS is the common "secure" choice for WPA2/3-Ent…
Phishing Methodology
  Methodology Recon the victim Select the victim do…
AI Agent Abuse: Local AI CLI Tools & MCP (Claude/Gemini/Codex/Warp)
  …
AI Agent Mode Phishing: Abusing Hosted Agent Browsers (AI‑in‑the‑Middle)
  …
Clipboard Hijacking (Pastejacking) Attacks
  "Never paste anything you d…
Cloning a Website
  For a phishing assessment sometimes it might be usef…
Detecting Phishing
  Introduction To detect a phishing attempt it's impo…
Discord Invite Hijacking
  Discord’s invite system vulnerability allows …
Homograph / Homoglyph Attacks in Phishing
  Overview A homograph (aka ho…
Mobile Phishing & Malicious App Distribution (Android & iOS)
  ℹ…
Phishing Files & Documents
  Office Documents Microsoft Word perform…
Basic Forensic Methodology
  Creating and Mounting an Image …
AdaptixC2 Configuration Extraction and TTPs
  AdaptixC2 is a modular, op…
File Integrity Monitoring
  Baseline A baseline consists of taking a sna…
Anti-Forensic Techniques
  Timestamps An attacker may be interested in c…
Docker Forensics
  Container modification There are suspicions that some…
Image Acquisition & Mount
  Acquisition Always acquire read-only and…
iOS Backup Forensics (Messaging‑centric triage)
  This page describes pr…
Linux Forensics
  Initial Information Gathering Basic Information First …
Malware Analysis
  Forensics CheatSheets https://www.jaiminton.com/cheat…
Memory dump analysis
  Start Start searching for malware inside the p…
Volatility - CheatSheet
  If you need a tool that automates memory …
Partitions/File Systems/Carving
  Partitions A hard drive or an SSD d…
File/Data Carving & Recovery Tools
  Carving & Recovery tools…
Pcap Inspection
  💡 Tip A note about **PCAP** vs **PCAPNG**: there ar…
DNSCat pcap analysis
  If you have pcap with data being exfiltrated b…
Suricata & Iptables cheatsheet
  Iptables Chains In iptables, lis…
USB Keystrokes
  If you have a pcap containing the communication via …
Wifi Pcap Analysis
  Check BSSIDs When you receive a capture whose pr…
Wireshark tricks
  Improve your Wireshark skills Tutorials The follow…
Specific Software/File Type Tricks
  Here you can find interesting tr…
Decompile compiled python binaries (exe, elf) - Retrieve from .pyc
  …
Browser Artifacts
  Browsers Artifacts Browser artifacts include vari…
Deobfuscation Techniques for VBS Files
  Some things that could be u…
Discord Cache Forensics (Chromium Simple Cache)
  This page summarize…
Local Cloud Storage
  OneDrive In Windows, you can find the OneDrive …
Mach-O Entitlements Extraction & IPSW Indexing
  Overview This pa…
Office file analysis
  For further information check https://trailofb…
PDF File analysis
  For further details check: https://trailofbits.gi…
PNG Tricks
  PNG files are highly regarded in CTF challenges for thei…
Structural File‑Format Exploit Detection (0‑Click Chains)
  This page…
SVG/Font Glyph Analysis & Web DRM Deobfuscation (Raster Hashing + SSIM)
  …
Video and Audio File Analysis
  Audio and video file manipulation is …
ZIPs tricks
  Command-line tools for managing zip files are essential…
Windows Artifacts
  Generic Windows Artifacts Windows 10 Notification…
Interesting Windows Registry Keys
  Windows Version and Owner Info Lo…
Python Sandbox Escape & Pyscript
  Interesting pages to check: Pyscr…
Bypass Python sandboxes
  These are some tricks to bypass python sand…
Js2Py sandbox escape (CVE-2024-28397)
  Js2Py translates JavaScript i…
LOAD_NAME / LOAD_CONST opcode OOB Read
  This info was taken from thi…
ReportLab/xhtml2pdf [[[...]]] expression-evaluation RCE (CVE-2023-33733)
  …
Class Pollution (Python's Prototype Pollution)
  Basic Example Check how…
Keras Model Deserialization RCE and Gadget Hunting
  This page summarize…
Python Internal Read Gadgets
  Basic Information Different vulnerabiliti…
Pyscript
  PyScript Pentesting Guide PyScript is a new framework develop…
venv
  sudo apt-get install python3-venv #Now, go to the folder you want…
Web Requests
  Python Requests import requests url = "http://exampl…
Bruteforce Hash Few Chars
  import hashlib target = '2f2e2e' #/.…
Basic Python
  Python Basics Useful information list(xrange()) == range(…
Delivery Receipt Side-Channel Attacks in E2EE Messengers
  Delivery receipt…
Threat Modeling
  Threat Modeling Welcome to HackTricks' comprehensive guid…
Blockchain and Crypto-Currencies
  Basic Concepts Smart Contracts are de…
DeFi/AMM Exploitation: Uniswap v4 Hook Precision/Rounding Abuse
  This p…
DeFi AMM Accounting Bugs & Virtual Balance Cache Exploitation
  Over…
Mutation Testing for Smart Contracts (slither-mutate, mewt, MuTON)
  Mut…
ERC-4337 Smart Account Security Pitfalls
  ERC-4337 account abstraction …
Value-Centric Web3 Red Teaming (MITRE AADAPT)
  The MITRE Adversarial Ac…
Web3 Signing Workflow Compromise & Safe Delegatecall Proxy Takeover
  …
Bypass Lua sandboxes (embedded VMs, game clients)
  This page collect…
Archive Extraction Path Traversal ("Zip-Slip" / WinRAR CVE-2025-8088)
  Ove…
Brute Force - CheatSheet
  Default Credentials Search in google for default…
eSIM / Java Card VM Exploitation
  Overview Embedded SIMs (eSIMs) are imple…
Exfiltration
  💡 Tip For an end-to-end example of staging loot in `C:\Users…
Reverse Shells
  Shells - Linux Shells - Windows MSFVenom - CheatSheet F…
MSFVenom - CheatSheet
  Basic msfvenom msfvenom -p <PAYLOAD> -e <…
Shells - Windows
  Lolbas The page lolbas-project.github.io is for Windo…
Shells - Linux
  If you have questions about any of these shells you cou…
Expose local to the internet
  The goal of this page is to propose alter…
Full TTYs
  Full TTY Note that the shell you set in the SHELL variable m…
Search Exploits
  Browser Always search in "google" or others: \ [version] …
Tunneling and Port Forwarding
  Nmap tip ⚠️ Warning **ICMP** and **SYN** sc…
Linux Basics
  …
Checklist - Linux Privilege Escalation
  Best tool to look for Linux local …
Linux Privilege Escalation
  System Information OS info Let's start gain…
Android Rooting Frameworks (KernelSU/Magisk) Manager Auth Bypass & Syscall Hook Abuse
  …
VMware Tools service discovery LPE (CWE-426) via regex-based binary discovery (CVE-2025-41244)
  …
Arbitrary File Write to Root
  /etc/ld.so.preload This file behaves like…
Cisco - vmanage
  Path 1 (Example from https://www.synacktiv.com/en/publ…
Containerd (ctr) Privilege Escalation
  Basic information Go to the foll…
D-Bus Enumeration & Command Injection Privilege Escalation
  GUI enu…
Container Security
  What A Container Actually Is A practical way to …
Container Runtimes, Engines, Builders, And Sandboxes
  One of the big…
Runtime API And Daemon Exposure
  Overview Many real container compro…
Runtime Authorization Plugins
  Overview Runtime authorization plugin…
Image Security, Signing, And Secrets
  Overview Container security st…
Assessment And Hardening
  Overview A good container assessment shoul…
Sensitive Host Mounts
  Overview Host mounts are one of the most impo…
Escaping From `--privileged` Containers
  Overview A container started …
Distroless Containers
  Overview A distroless container image is an i…
Container Protections Overview
  The most important idea in contai…
AppArmor
  Overview AppArmor is a Mandatory Access Control system …
Linux Capabilities In Containers
  Overview Linux capabilities are…
cgroups
  Overview Linux control groups are the kernel mechanism u…
Masked Paths
  Masked paths are runtime protections that hide espe…
`no_new_privs`
  no_new_privs is a kernel hardening feature that pre…
Read-Only System Paths
  Read-only system paths are a separate pro…
seccomp
  Overview seccomp is the mechanism that lets the kernel a…
SELinux
  Overview SELinux is a label-based Mandatory Access Contr…
Namespaces
  Namespaces are the kernel feature that makes a con…
cgroup Namespace
  Overview The cgroup namespace does not repla…
IPC Namespace
  Overview The IPC namespace isolates System V IP…
PID Namespace
  Overview The PID namespace controls how process…
Mount Namespace
  Overview The mount namespace controls the mou…
Network Namespace
  Overview The network namespace isolates net…
Time Namespace
  Overview The time namespace virtualizes select…
User Namespace
  Overview The user namespace changes the meanin…
UTS Namespace
  Overview The UTS namespace isolates the hostnam…
Escaping from Jails
  GTFOBins Search in https://gtfobins.github.io/ if …
POSIX CPU Timers TOCTOU race (CVE-2025-38352)
  This page documents a…
euid, ruid, suid
  User Identification Variables ruid : The real user ID…
Interesting Groups - Linux Privesc
  Sudo/Admin Groups PE - Method 1 …
lxd/lxc Group - Privilege escalation
  If you belong to lxd or lxc gr…
Logstash Privilege Escalation
  Logstash Logstash is used to gather, tra…
ld.so privesc exploit example
  Prepare the environment In the following…
Linux Active Directory
  A linux machine can also be present inside an A…
Linux Capabilities
  Linux Capabilities Linux capabilities divide root p…
NFS No Root Squash Misconfiguration Privilege Escalation
  Squashing Bas…
Node inspector/CEF debug abuse
  Basic Information From the docs : When …
Payloads to execute
  Bash cp /bin/bash /tmp/b && chmod +s /tmp/…
RunC Privilege Escalation
  Basic information If you want to learn more …
SELinux
  SELinux is a label-based Mandatory Access Control (MAC) system…
Socket Command Injection
  Socket binding example with Python In the fol…
Splunk LPE and Persistence
  If enumerating a machine internally or exte…
SSH Agent Forwarding Exploitation
  Summary What can you do if you disco…
Wildcards Spare Tricks
  Wildcard (aka glob ) argument injection happens…
Useful Linux Commands
  Common Bash #Exfiltration using Base64 base64 -w 0 …
Bypass Linux Restrictions
  Common Limitations Bypasses Reverse Shell # …
Bypass FS protections: read-only / no-exec / Distroless
  Videos In t…
DDexec / EverythingExec
  Context In Linux in order to run a program …
Linux Environment Variables
  Global variables The global variables will be…
Linux Post-Exploitation
  Sniffing Logon Passwords with PAM Let's config…
PAM - Pluggable Authentication Modules
  Basic Information PAM (Pluggabl…
FreeIPA Pentesting
  Basic Information FreeIPA is an open-source alternativ…
macOS Security & Privilege Escalation
macOS Security & Privilege Escalation {{#include ../../banners/hacktricks-training.md}} Basic MacOS If you are not f…
macOS Apps - Inspecting, debugging and Fuzzing
macOS Apps - Inspecting, debugging and Fuzzing {{#include ../../../banners/hacktricks-training.md}} Static Analysis otoo…
Objects in memory
Objects in memory {{#include ../../../banners/hacktricks-training.md}} CFRuntimeClass CF* objects come from CoreFoundati…
Introduction to x64
Introduction to x64 {{#include ../../../banners/hacktricks-training.md}} Introduction to x64 x64, also known as x86-64, …
Introduction to ARM64v8
Introduction to ARM64v8 {{#include ../../../banners/hacktricks-training.md}} Exception Levels - EL (ARM64v8) In ARMv8 ar…
macOS AppleFS
macOS AppleFS {{#include ../../banners/hacktricks-training.md}} Apple Propietary File System (APFS) Apple File System (A…
macOS Bypassing Firewalls
macOS Bypassing Firewalls {{#include ../../banners/hacktricks-training.md}} Found techniques The following techniques we…
macOS Defensive Apps
macOS Defensive Apps {{#include ../../banners/hacktricks-training.md}} Firewalls Little Snitch : It will monitor every c…
macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES {{#include ../../banners/hacktricks-training.md}} DYLD_INSERT_LIBRARIES…
macOS GCD - Grand Central Dispatch
macOS GCD - Grand Central Dispatch {{#include ../../banners/hacktricks-training.md}} Basic Information Grand Central Dis…
macOS Kernel & System Extensions
macOS Kernel & System Extensions {{#include ../../../banners/hacktricks-training.md}} XNU Kernel The core of macOS i…
macOS IOKit
macOS IOKit {{#include ../../../banners/hacktricks-training.md}} Basic Information The I/O Kit is an open-source, object…
macOS Kernel Extensions & Kernelcaches
macOS Kernel Extensions & Kernelcaches {{#include ../../../banners/hacktricks-training.md}} Basic Information Kernel…
macOS Kernel Vulnerabilities
macOS Kernel Vulnerabilities {{#include ../../../banners/hacktricks-training.md}} Pwning OTA In this report are explaine…
macOS System Extensions
macOS System Extensions {{#include ../../../banners/hacktricks-training.md}} System Extensions / Endpoint Security Frame…
macOS NVRAM
macOS NVRAM {{#include ../../../banners/hacktricks-training.md}} Basic Information NVRAM (Non-Volatile Random-Access Mem…
macOS Network Services & Protocols
macOS Network Services & Protocols {{#include ../../banners/hacktricks-training.md}} Remote Access Services These ar…
macOS File Extension & URL scheme app handlers
macOS File Extension & URL scheme app handlers {{#include ../../banners/hacktricks-training.md}} LaunchServices Data…
macOS Files, Folders, Binaries & Memory
macOS Files, Folders, Binaries & Memory {{#include ../../../banners/hacktricks-training.md}} File hierarchy layout /…
macOS Bundles
macOS Bundles {{#include ../../../banners/hacktricks-training.md}} Basic Information Bundles in macOS serve as container…
macOS Installers Abuse
macOS Installers Abuse {{#include ../../../banners/hacktricks-training.md}} Pkg Basic Information A macOS installer pack…
macOS Memory Dumping
macOS Memory Dumping {{#include ../../../banners/hacktricks-training.md}} Memory Artifacts Swap Files Swap files, such a…
macOS Sensitive Locations & Interesting Daemons
macOS Sensitive Locations & Interesting Daemons {{#include ../../../banners/hacktricks-training.md}} Passwords Shado…
macOS Universal binaries & Mach-O Format
macOS Universal binaries & Mach-O Format {{#include ../../../banners/hacktricks-training.md}} Basic Information Mac …
macOS Objective-C
macOS Objective-C {{#include ../../banners/hacktricks-training.md}} Objective-C ⚠️ Caution Note that programs written in…
macOS Privilege Escalation
macOS Privilege Escalation {{#include ../../banners/hacktricks-training.md}} TCC Privilege Escalation If you came here l…
macOS Process Abuse
macOS Process Abuse {{#include ../../../banners/hacktricks-training.md}} Processes Basic Information A process is an ins…
macOS Dirty NIB
macOS Dirty NIB {{#include ../../../banners/hacktricks-training.md}} Dirty NIB refers to abusing Interface Builder files…
macOS Chromium Injection
macOS Chromium Injection {{#include ../../../banners/hacktricks-training.md}} Basic Information Chromium-based browsers …
macOS Electron Applications Injection
macOS Electron Applications Injection {{#include ../../../banners/hacktricks-training.md}} Basic Information If you don'…
macOS Function Hooking
macOS Function Hooking {{#include ../../../banners/hacktricks-training.md}} Function Interposing Create a dylib with an …
macOS IPC - Inter Process Communication
macOS IPC - Inter Process Communication {{#include ../../../../banners/hacktricks-training.md}} Mach messaging via Ports…
macOS MIG - Mach Interface Generator
macOS MIG - Mach Interface Generator {{#include ../../../../banners/hacktricks-training.md}} Basic Information MIG was c…
macOS XPC
macOS XPC {{#include ../../../../../banners/hacktricks-training.md}} Basic Information XPC, which stands for XNU (the ke…
macOS XPC Authorization
macOS XPC Authorization {{#include ../../../../../banners/hacktricks-training.md}} XPC Authorization Apple also proposes…
macOS XPC Connecting Process Check
macOS XPC Connecting Process Check {{#include ../../../../../../banners/hacktricks-training.md}} XPC Connecting Process …
macOS PID Reuse
macOS PID Reuse {{#include ../../../../../../banners/hacktricks-training.md}} PID Reuse When a macOS XPC service is chec…
macOS xpc_connection_get_audit_token Attack
macOS xpc_connection_get_audit_token Attack {{#include ../../../../../../banners/hacktricks-training.md}} For further in…
macOS Thread Injection via Task port
macOS Thread Injection via Task port {{#include ../../../../banners/hacktricks-training.md}} Code https://github.com/baz…
macOS Java Applications Injection
macOS Java Applications Injection {{#include ../../../banners/hacktricks-training.md}} Enumeration Find Java application…
macOS Library Injection
macOS Library Injection {{#include ../../../../banners/hacktricks-training.md}} ⚠️ Caution The code of **dyld is open so…
macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES {{#include ../../../../banners/hacktricks-training.md}} DYLD_INSERT_LIB…
macOS Dyld Process
macOS Dyld Process {{#include ../../../../banners/hacktricks-training.md}} Basic Information The real entrypoint of a Ma…
macOS Perl Applications Injection
macOS Perl Applications Injection {{#include ../../../banners/hacktricks-training.md}} Via PERL5OPT & PERL5LIB env v…
macOS Python Applications Injection
macOS Python Applications Injection {{#include ../../../banners/hacktricks-training.md}} Via PYTHONWARNINGS and BROWSER …
macOS Ruby Applications Injection
macOS Ruby Applications Injection {{#include ../../../banners/hacktricks-training.md}} RUBYOPT Using this env variable i…
macOS .Net Applications Injection
macOS .Net Applications Injection {{#include ../../../banners/hacktricks-training.md}} This is a summary of the post htt…
macOS Quick Look Generators
macOS Quick Look Generators {{#include ../../../banners/hacktricks-training.md}} Basic Information Quick Look is macOS's…
macOS Automator, Preference Panes & NSServices Abuse
macOS Automator, Preference Panes & NSServices Abuse {{#include ../../../banners/hacktricks-training.md}} Automator …
macOS XPC Mach Services Abuse
macOS XPC Mach Services Abuse {{#include ../../../banners/hacktricks-training.md}} Basic Information XPC (Cross-Process …
macOS Security Protections
macOS Security Protections {{#include ../../../banners/hacktricks-training.md}} Gatekeeper Gatekeeper is usually used to…
macOS Gatekeeper / Quarantine / XProtect
macOS Gatekeeper / Quarantine / XProtect {{#include ../../../banners/hacktricks-training.md}} Gatekeeper Gatekeeper is a…
macOS Launch/Environment Constraints & Trust Cache
macOS Launch/Environment Constraints & Trust Cache {{#include ../../../banners/hacktricks-training.md}} Basic Inform…
macOS Sandbox
macOS Sandbox {{#include ../../../../banners/hacktricks-training.md}} Basic Information MacOS Sandbox (initially called …
macOS Default Sandbox Debug
macOS Default Sandbox Debug {{#include ../../../../banners/hacktricks-training.md}} In this page you can find how to cre…
macOS Sandbox Debug & Bypass
macOS Sandbox Debug & Bypass {{#include ../../../../../banners/hacktricks-training.md}} Sandbox loading process In t…
macOS Office Sandbox Bypasses
macOS Office Sandbox Bypasses {{#include ../../../../../banners/hacktricks-training.md}} Word Sandbox bypass via Launch …
macOS Authorizations DB & Authd
macOS Authorizations DB & Authd {{#include ../../../banners/hacktricks-training.md}} Authorizations DB The database l…
macOS SIP
macOS SIP {{#include ../../../banners/hacktricks-training.md}} Basic Information System Integrity Protection (SIP) in ma…
macOS TCC
macOS TCC {{#include ../../../../banners/hacktricks-training.md}} Basic Information TCC (Transparency, Consent, and Cont…
macOS Apple Events
macOS Apple Events {{#include ../../../../banners/hacktricks-training.md}} Basic Information Apple Events are a feature …
macOS TCC Bypasses
macOS TCC Bypasses {{#include ../../../../../banners/hacktricks-training.md}} By functionality Write Bypass This is not …
macOS Apple Scripts
macOS Apple Scripts {{#include ../../../../../banners/hacktricks-training.md}} Apple Scripts It's a scripting language u…
macOS TCC Payloads
macOS TCC Payloads {{#include ../../../../banners/hacktricks-training.md}} Desktop Entitlement : None TCC : kTCCServiceS…
macOS Credential & Data Theft via TCC Permissions
macOS Credential & Data Theft via TCC Permissions {{#include ../../../../banners/hacktricks-training.md}} Overview m…
macOS Dangerous Entitlements & TCC perms
macOS Dangerous Entitlements & TCC perms {{#include ../../../banners/hacktricks-training.md}} ⚠️ Warning Note that e…
macOS - AMFI - AppleMobileFileIntegrity
macOS - AMFI - AppleMobileFileIntegrity {{#include ../../../banners/hacktricks-training.md}} AppleMobileFileIntegrity.ke…
macOS MACF
macOS MACF {{#include ../../../banners/hacktricks-training.md}} Basic Information MACF stands for Mandatory Access Contr…
macOS Code Signing
macOS Code Signing {{#include ../../../banners/hacktricks-training.md}} Basic Information {{#ref}} ../../../generic-meth…
macOS Code Signing Weaknesses & Sandbox Escapes
macOS Code Signing Weaknesses & Sandbox Escapes {{#include ../../../banners/hacktricks-training.md}} Ad-Hoc Signed B…
macOS Sealed System Volume & DataVault
macOS Sealed System Volume & DataVault {{#include ../../../banners/hacktricks-training.md}} Sealed System Volume (SS…
macOS Input Monitoring, Screen Capture & Accessibility Abuse
macOS Input Monitoring, Screen Capture & Accessibility Abuse {{#include ../../../banners/hacktricks-training.md}} Ov…
macOS FS Tricks
macOS FS Tricks {{#include ../../../../banners/hacktricks-training.md}} POSIX permissions combinations Permissions in a …
macOS xattr-acls extra stuff
macOS xattr-acls extra stuff {{#include ../../../../banners/hacktricks-training.md}} rm -rf /tmp/test* echo test >/tm…
macOS Users & External Accounts
macOS Users & External Accounts {{#include ../../banners/hacktricks-training.md}} Common Users Daemon : User reserve…
macOS Red Teaming
macOS Red Teaming {{#include ../../banners/hacktricks-training.md}} Abusing MDMs JAMF Pro: jamf checkJSSConnection Kandj…
macOS MDM
macOS MDM {{#include ../../../banners/hacktricks-training.md}} To learn about macOS MDMs check: https://www.youtube.com/…
Enrolling Devices in Other Organisations
Enrolling Devices in Other Organisations {{#include ../../../banners/hacktricks-training.md}} Intro As previously commen…
macOS Serial Number
macOS Serial Number {{#include ../../../banners/hacktricks-training.md}} Basic Information Apple devices post-2010 have …
macOS Keychain
macOS Keychain {{#include ../../banners/hacktricks-training.md}} Main Keychains The User Keychain ( ~/Library/Keychains/…
macOS Useful Commands
macOS Useful Commands {{#include ../banners/hacktricks-training.md}} MacOS Automatic Enumeration Tools MacPEAS : https:/…
macOS Auto Start
macOS Auto Start {{#include ../banners/hacktricks-training.md}} This section is heavily based on the blog series Beyond …
Windows Security Controls
Windows Security Controls {{#include ../banners/hacktricks-training.md}} AppLocker Policy An application whitelist is a …
Checklist - Local Windows Privilege Escalation
Checklist - Local Windows Privilege Escalation {{#include ../banners/hacktricks-training.md}} Best tool to look for Wind…
Windows Local Privilege Escalation
Windows Local Privilege Escalation {{#include ../../banners/hacktricks-training.md}} Best tool to look for Windows local…
Abusing Enterprise Auto-Updaters and Privileged IPC (e.g., Netskope, ASUS & MSI)
Abusing Enterprise Auto-Updaters and Privileged IPC (e.g., Netskope, ASUS & MSI) {{#include ../../banners/hacktricks…
Windows kernel EoP: Token stealing with arbitrary kernel R/W
Windows kernel EoP: Token stealing with arbitrary kernel R/W {{#include ../../banners/hacktricks-training.md}} Overview …
Kernel Race Condition Exploitation via Object Manager Slow Paths
Kernel Race Condition Exploitation via Object Manager Slow Paths {{#include ../../banners/hacktricks-training.md}} Why s…
Notepad++ Plugin Autoload Persistence & Execution
Notepad++ Plugin Autoload Persistence & Execution {{#include ../../banners/hacktricks-training.md}} Notepad++ will a…
Abusing Tokens
Abusing Tokens {{#include ../../banners/hacktricks-training.md}} Tokens If you don't know what Windows Access Tokens are…
Access Tokens
Access Tokens {{#include ../../banners/hacktricks-training.md}} Access Tokens Each user logged onto the system holds an …
ACLs - DACLs/SACLs/ACEs
ACLs - DACLs/SACLs/ACEs {{#include ../../banners/hacktricks-training.md}} Access Control List (ACL) An Access Control Li…
AppendData/AddSubdirectory Permission over Service Registry
AppendData/AddSubdirectory Permission over Service Registry {{#include ../../banners/hacktricks-training.md}} The origin…
Creating Malicious MSI and Getting Root
Creating Malicious MSI and Getting Root {{#include ../../banners/hacktricks-training.md}} The creation of the MSI instal…
COM Hijacking
COM Hijacking {{#include ../../banners/hacktricks-training.md}} Searching non-existent COM components As the values of H…
Dll Hijacking
Dll Hijacking {{#include ../../../banners/hacktricks-training.md}} Basic Information DLL Hijacking involves manipulating…
Advanced DLL Side-Loading With HTML-Embedded Payload Staging
Advanced DLL Side-Loading With HTML-Embedded Payload Staging {{#include ../../../banners/hacktricks-training.md}} Tradec…
Writable Sys Path +Dll Hijacking Privesc
Writable Sys Path +Dll Hijacking Privesc {{#include ../../../banners/hacktricks-training.md}} Introduction If you found …
DPAPI - Extracting Passwords
DPAPI - Extracting Passwords {{#include ../../banners/hacktricks-training.md}} What is DPAPI The Data Protection API (DP…
From High Integrity to SYSTEM with Named Pipes
From High Integrity to SYSTEM with Named Pipes {{#include ../../banners/hacktricks-training.md}} Code flow: Create a new …
Integrity Levels
Integrity Levels {{#include ../../banners/hacktricks-training.md}} Integrity Levels In Windows Vista and later versions,…
JuicyPotato
JuicyPotato {{#include ../../banners/hacktricks-training.md}} [!WARNING] > JuicyPotato is legacy. It generally works …
Leaked Handle Exploitation
Leaked Handle Exploitation {{#include ../../banners/hacktricks-training.md}} Introduction Handles in a process allow to …
MSI Wrapper
MSI Wrapper {{#include ../../banners/hacktricks-training.md}} Download the free version app from https://www.exemsi.com/…
Named Pipe Client Impersonation
Named Pipe Client Impersonation {{#include ../../banners/hacktricks-training.md}} Named Pipe client impersonation is a l…
Privilege Escalation with Autoruns
Privilege Escalation with Autoruns {{#include ../../banners/hacktricks-training.md}} WMIC Wmic can be used to run progra…
RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato {{#include ../../banners/hacktricks-training.md}} ⚠️ Warning **Juic…
SeDebug + SeImpersonate - Copy Token
SeDebug + SeImpersonate - Copy Token {{#include ../../banners/hacktricks-training.md}} The following code exploits the p…
SeImpersonate from High To System
SeImpersonate from High To System {{#include ../../banners/hacktricks-training.md}} Code The following code from here . …
SeManageVolumePrivilege: Raw volume access for arbitrary file read
SeManageVolumePrivilege: Raw volume access for arbitrary file read {{#include ../../banners/hacktricks-training.md}} Ove…
Windows Service Triggers: Enumeration and Abuse
Windows Service Triggers: Enumeration and Abuse {{#include ../../banners/hacktricks-training.md}} Windows Service Trigge…
Telephony tapsrv Arbitrary DWORD Write to RCE (TAPI Server Mode)
Telephony tapsrv Arbitrary DWORD Write to RCE (TAPI Server Mode) {{#include ../../banners/hacktricks-training.md}} When …
Secure Desktop Accessibility Registry Propagation LPE (RegPwn)
Secure Desktop Accessibility Registry Propagation LPE (RegPwn) {{#include ../../banners/hacktricks-training.md}} Overvie…
Admin Protection Bypasses via UIAccess
Admin Protection Bypasses via UIAccess {{#include ../../banners/hacktricks-training.md}} Overview Windows AppInfo expose…
Windows C Payloads
Windows C Payloads {{#include ../../banners/hacktricks-training.md}} This page collects small, self-contained C snippets…
Active Directory Methodology
Active Directory Methodology {{#include ../../banners/hacktricks-training.md}} Basic overview Active Directory serves as…
Abusing Active Directory ACLs/ACEs
Abusing Active Directory ACLs/ACEs {{#include ../../../banners/hacktricks-training.md}} This page is mostly a summary of…
Abusing Active Directory ACLs/ACEs
Abusing Active Directory ACLs/ACEs {{#include ../../../banners/hacktricks-training.md}} Overview Delegated Managed Servi…
Shadow Credentials
Shadow Credentials {{#include ../../../banners/hacktricks-training.md}} Intro Check the original post for all the inform…
AD Certificates
AD Certificates {{#include ../../../banners/hacktricks-training.md}} Introduction Components of a Certificate The Subjec…
AD CS Account Persistence
AD CS Account Persistence {{#include ../../../banners/hacktricks-training.md}} This is a small summary of the account pe…
AD CS Domain Escalation
AD CS Domain Escalation {{#include ../../../banners/hacktricks-training.md}} This is a summary of escalation technique s…
AD CS Domain Persistence
AD CS Domain Persistence {{#include ../../../banners/hacktricks-training.md}} This is a summary of the domain persistenc…
AD CS Certificate Theft
AD CS Certificate Theft {{#include ../../../banners/hacktricks-training.md}} This is a small summary of the Theft chapte…
AD Dynamic Objects (dynamicObject) Anti-Forensics
AD Dynamic Objects (dynamicObject) Anti-Forensics {{#include ../../banners/hacktricks-training.md}} Mechanics & Dete…
Information in Printers
Information in Printers {{#include ../../banners/hacktricks-training.md}} There are several blogs in the Internet which …
AD DNS Records
AD DNS Records {{#include ../../banners/hacktricks-training.md}} By default any user in Active Directory can enumerate a…
Active Directory Web Services (ADWS) Enumeration & Stealth Collection
Active Directory Web Services (ADWS) Enumeration & Stealth Collection {{#include ../../banners/hacktricks-training.m…
ASREPRoast
ASREPRoast {{#include ../../banners/hacktricks-training.md}} ASREPRoast ASREPRoast is a security attack that exploits us…
BadSuccessor: Privilege Escalation via Delegated MSA Migration Abuse
BadSuccessor: Privilege Escalation via Delegated MSA Migration Abuse {{#include ../../banners/hacktricks-training.md}} O…
BloodHound & Other Active Directory Enumeration Tools
BloodHound & Other Active Directory Enumeration Tools {{#include ../../banners/hacktricks-training.md}} {{#ref}} adw…
Constrained Delegation
Constrained Delegation {{#include ../../banners/hacktricks-training.md}} Constrained Delegation Using this a Domain admi…
Custom SSP
Custom SSP {{#include ../../banners/hacktricks-training.md}} Custom SSP Learn what is a SSP (Security Support Provider) …
DCShadow
DCShadow {{#include ../../banners/hacktricks-training.md}} Basic Information It registers a new Domain Controller in the…
DCSync
DCSync {{#include ../../banners/hacktricks-training.md}} DCSync The DCSync permission implies having these permissions o…
Diamond Ticket
Diamond Ticket {{#include ../../banners/hacktricks-training.md}} Diamond Ticket Like a golden ticket , a diamond ticket …
DSRM Credentials
DSRM Credentials {{#include ../../banners/hacktricks-training.md}} Basic Information There is a local administrator acco…
External Forest Domain - OneWay (Inbound) or bidirectional
External Forest Domain - OneWay (Inbound) or bidirectional {{#include ../../banners/hacktricks-training.md}} In this sce…
External Forest Domain - One-Way (Outbound)
External Forest Domain - One-Way (Outbound) {{#include ../../banners/hacktricks-training.md}} In this scenario your doma…
Golden gMSA/dMSA Attack (Offline Derivation of Managed Service Account Passwords)
Golden gMSA/dMSA Attack (Offline Derivation of Managed Service Account Passwords) {{#include ../../banners/hacktricks-tr…
Golden Ticket
Golden Ticket {{#include ../../banners/hacktricks-training.md}} Golden ticket A Golden Ticket attack consists of the crea…
Kerberoast
Kerberoast {{#include ../../banners/hacktricks-training.md}} Kerberoast Kerberoasting focuses on the acquisition of TGS …
Kerberos Authentication
Kerberos Authentication {{#include ../../banners/hacktricks-training.md}} Check the amazing post from: https://www.tarlo…
Kerberos Double Hop Problem
Kerberos Double Hop Problem {{#include ../../banners/hacktricks-training.md}} Introduction The Kerberos "Double Hop" pro…
Lansweeper Abuse: Credential Harvesting, Secrets Decryption, and Deployment RCE
Lansweeper Abuse: Credential Harvesting, Secrets Decryption, and Deployment RCE {{#include ../../banners/hacktricks-trai…
LAPS
LAPS {{#include ../../banners/hacktricks-training.md}} Basic Information There are currently 2 LAPS flavours you can enc…
MSSQL AD Abuse
MSSQL AD Abuse {{#include ../../banners/hacktricks-training.md}} MSSQL Enumeration / Discovery Python The MSSQLPwner too…
LDAP Signing & Channel Binding Hardening
LDAP Signing & Channel Binding Hardening {{#include ../../banners/hacktricks-training.md}} Why it matters LDAP relay…
Over Pass the Hash/Pass the Key
Over Pass the Hash/Pass the Key {{#include ../../banners/hacktricks-training.md}} Overpass The Hash/Pass The Key (PTK) T…
Pass the Ticket
Pass the Ticket {{#include ../../banners/hacktricks-training.md}} Pass The Ticket (PTT) In the Pass The Ticket (PTT) att…
Password Spraying / Brute Force
Password Spraying / Brute Force {{#include ../../banners/hacktricks-training.md}} Password Spraying Once you have found …
PrintNightmare (Windows Print Spooler RCE/LPE)
PrintNightmare (Windows Print Spooler RCE/LPE) {{#include ../../banners/hacktricks-training.md}} PrintNightmare is the c…
Force NTLM Privileged Authentication
Force NTLM Privileged Authentication {{#include ../../banners/hacktricks-training.md}} SharpSystemTriggers SharpSystemTr…
Privileged Groups
Privileged Groups {{#include ../../banners/hacktricks-training.md}} Well Known groups with administration privileges Adm…
RDP Sessions Abuse
RDP Sessions Abuse {{#include ../../banners/hacktricks-training.md}} RDP Process Injection If the external group has RDP…
Resource-based Constrained Delegation
Resource-based Constrained Delegation {{#include ../../banners/hacktricks-training.md}} Basics of Resource-based Constra…
SCCM Management Point NTLM Relay to SQL – OSD Policy Secret Extraction
SCCM Management Point NTLM Relay to SQL – OSD Policy Secret Extraction {{#include ../../banners/hacktricks-training.md}}…
Security Descriptors
Security Descriptors {{#include ../../banners/hacktricks-training.md}} Security Descriptors From the docs : Security Des…
SID-History Injection
SID-History Injection {{#include ../../banners/hacktricks-training.md}} SID History Injection Attack The focus of the SI…
Silver Ticket
Silver Ticket {{#include ../../banners/hacktricks-training.md}} Silver ticket The Silver Ticket attack involves the expl…
Skeleton Key
Skeleton Key {{#include ../../banners/hacktricks-training.md}} Skeleton Key Attack The Skeleton Key attack is a techniqu…
TimeRoasting
TimeRoasting {{#include ../../banners/hacktricks-training.md}} TimeRoasting abuses the legacy MS-SNTP authentication ext…
Unconstrained Delegation
Unconstrained Delegation {{#include ../../banners/hacktricks-training.md}} Unconstrained delegation This is a feature that …
UAC - User Account Control
UAC - User Account Control {{#include ../../banners/hacktricks-training.md}} UAC User Account Control (UAC) is a feature…
NTLM
NTLM {{#include ../../banners/hacktricks-training.md}} Basic Information In environments where Windows XP and Server 200…
Places to steal NTLM creds
Places to steal NTLM creds {{#include ../../banners/hacktricks-training.md}} Check all the great ideas from https://osan…
Lateral Movement
Lateral Movement {{#include ../../banners/hacktricks-training.md}} There are different ways to execute command…
AtExec / SchtasksExec
AtExec / SchtasksExec {{#include ../../banners/hacktricks-training.md}} How does it work At allows to schedule tasks in…
DCOM Exec
DCOM Exec {{#include ../../banners/hacktricks-training.md}} DCOM lateral movement is attractive because it reuses existi…
PsExec/Winexec/ScExec/SMBExec
PsExec/Winexec/ScExec/SMBExec {{#include ../../banners/hacktricks-training.md}} How do they work These techniques abuse …
RDPexec
RDPexec {{#include ../../banners/hacktricks-training.md}} How it Works RDPexec is basically to execute commands login in…
DCOM Exec
DCOM Exec {{#include ../../banners/hacktricks-training.md}} SCM SCMExec is a technique to execute commands on remote sys…
WinRM
WinRM {{#include ../../banners/hacktricks-training.md}} WinRM is one of the most convenient lateral movement transports …
WmiExec
WmiExec {{#include ../../banners/hacktricks-training.md}} How It Works Explained Processes can be opened on hosts where …
Stealing Windows Credentials
Stealing Windows Credentials {{#include ../../banners/hacktricks-training.md}} Credentials Mimikatz #Elevate Privileges …
Windows Credentials Protections
Windows Credentials Protections {{#include ../../banners/hacktricks-training.md}} WDigest The WDigest protocol, introduc…
Mimikatz
Mimikatz {{#include ../../banners/hacktricks-training.md}} This page is based on one from adsecurity.org . Check the ori…
WTS Impersonator
WTS Impersonator {{#include ../../banners/hacktricks-training.md}} The WTS Impersonator tool exploits the "\pipe\LSM_API…
Windows Registry Hive Exploitation Primitives
Windows Registry Hive Exploitation Primitives {{#include ../../banners/hacktricks-training.md}} Why hive corruption is s…
Basic Win CMD for Pentesters
Basic Win CMD for Pentesters {{#include ../banners/hacktricks-training.md}} System info Version and Patches info wmic os…
Basic PowerShell for Pentesters
Basic PowerShell for Pentesters {{#include ../../banners/hacktricks-training.md}} Default PowerShell locations C: \w ind…
PowerView/SharpView
PowerView/SharpView {{#include ../../banners/hacktricks-training.md}} The most up-to-date version of PowerView will alwa…
Antivirus (AV) Bypass
Antivirus (AV) Bypass {{#include ../banners/hacktricks-training.md}} This page was initially written by @m2rc_p ! Stop D…
Cobalt Strike
Cobalt Strike {{#include ../banners/hacktricks-training.md}} Listeners C2 Listeners Cobalt Strike -> Listeners -> …
Mythic
Mythic {{#include ../banners/hacktricks-training.md}} What is Mythic? Mythic is an open-source, modular command and cont…
Windows Protocol Handler / ShellExecute Abuse (Markdown Renderers)
Windows Protocol Handler / ShellExecute Abuse (Markdown Renderers) {{#include ../banners/hacktricks-training.md}} Modern…
Android APK Checklist
Android APK Checklist {{#include ../banners/hacktricks-training.md}} Learn Android fundamentals [ ] Basics [ ] Dalvik &a…
Android Applications Pentesting
Android Applications Pentesting {{#include ../../banners/hacktricks-training.md}} Android Applications Basics It's highl…
Abusing Android Media Pipelines & Image Parsers
Abusing Android Media Pipelines & Image Parsers {{#include ../../banners/hacktricks-training.md}} Delivery: Messagin…
Android Accessibility Service Abuse
Android Accessibility Service Abuse {{#include ../../banners/hacktricks-training.md}} Overview AccessibilityService was …
Android Anti-Instrumentation & SSL Pinning Bypass (Frida/Objection)
Android Anti-Instrumentation & SSL Pinning Bypass (Frida/Objection) {{#include ../../banners/hacktricks-training.md}…
Android Application-Level Virtualization (App Cloning)
Android Application-Level Virtualization (App Cloning) {{#include ../../banners/hacktricks-training.md}} Application-lev…
Android Applications Basics
Android Applications Basics {{#include ../../banners/hacktricks-training.md}} Android Security Model There are two layer…
Android Enterprise Work Profile Required-App Replacement
Android Enterprise Work Profile Required-App Replacement {{#include ../../banners/hacktricks-training.md}} Attack surfac…
Android HCE NFC/EMV Relay Attacks
Android HCE NFC/EMV Relay Attacks {{#include ../../banners/hacktricks-training.md}} Overview Abuse of Android Host Card …
Android Task Hijacking
Android Task Hijacking {{#include ../../banners/hacktricks-training.md}} Task, Back Stack and Foreground Activities In A…
ADB Commands
ADB Commands {{#include ../../banners/hacktricks-training.md}} Adb is usually located in: #Windows C: \U sers \< user…
APK decompilers
APK decompilers {{#include ../../banners/hacktricks-training.md}} For further details on each tool check the original po…
AVD - Android Virtual Device
AVD - Android Virtual Device {{#include ../../banners/hacktricks-training.md}} Thank you very much to @offsecjay for his…
Bypass Biometric Authentication (Android)
Bypass Biometric Authentication (Android) {{#include ../../banners/hacktricks-training.md}} Method 1 – Bypassing with No…
Content Protocol in Android
Content Protocol in Android {{#include ../../banners/hacktricks-training.md}} This is a summary of the post https://cens…
Drozer Tutorial
Drozer Tutorial {{#include ../../../banners/hacktricks-training.md}} APKs to test Sieve (from mrwlabs) DIVA Parts of thi…
Exploiting Content Providers
Exploiting Content Providers {{#include ../../../banners/hacktricks-training.md}} Intro Data is supplied from one applic…
Exploiting a debuggable application
Exploiting a debuggable application {{#include ../../banners/hacktricks-training.md}} Bypassing root and debuggable ch…
Firmware-level Android Backdoor via libandroid_runtime Zygote Injection
Firmware-level Android Backdoor via libandroid_runtime Zygote Injection {{#include ../../banners/hacktricks-training.md}…
Flutter
Flutter {{#include ../../banners/hacktricks-training.md}} Flutter is Google’s cross-platform UI toolkit that lets develo…
Frida Tutorial
Frida Tutorial {{#include ../../../banners/hacktricks-training.md}} Installation Install frida tools : pip install frida…
Frida Tutorial 1
Frida Tutorial 1 {{#include ../../../banners/hacktricks-training.md}} This is a summary of the post : https://medium.com…
Frida Tutorial 2
Frida Tutorial 2 {{#include ../../../banners/hacktricks-training.md}} This is a summary of the post : https://11x256.git…
Frida Tutorial 3
Frida Tutorial 3 {{#include ../../../banners/hacktricks-training.md}} This is a summary of the post : https://joshspicer…
Objection Tutorial
Objection Tutorial {{#include ../../../banners/hacktricks-training.md}} Introduction objection - Runtime Mobile Explorat…
Google CTF 2018 - Shall We Play a Game?
Google CTF 2018 - Shall We Play a Game? {{#include ../../banners/hacktricks-training.md}} Download the APK here: I am go…
Android In-Memory Native Code Execution via JNI (shellcode)
Android In-Memory Native Code Execution via JNI (shellcode) {{#include ../../banners/hacktricks-training.md}} This page …
Android IME / InputMethodService Abuse (Malicious Keyboards)
Android IME / InputMethodService Abuse (Malicious Keyboards) {{#include ../../banners/hacktricks-training.md}} Overview …
Insecure In-App Update Mechanisms – Remote Code Execution via Malicious Plugins
Insecure In-App Update Mechanisms – Remote Code Execution via Malicious Plugins {{#include ../../banners/hacktricks-trai…
Install Burp Certificate
Install Burp Certificate {{#include ../../banners/hacktricks-training.md}} System-wide proxy via ADB Configure a global …
Intent Injection
Intent Injection {{#include ../../banners/hacktricks-training.md}} Intent injection abuses components that accept attack…
Make APK accept CA certificate
Make APK accept CA certificate {{#include ../../banners/hacktricks-training.md}} Some applications don't like user downl…
Manual De-obfuscation Techniques
Manual De-obfuscation Techniques {{#include ../../banners/hacktricks-training.md}} Manual De-obfuscation Techniques In t…
Play Integrity Attestation Bypass (SafetyNet Replacement)
Play Integrity Attestation Bypass (SafetyNet Replacement) {{#include ../../banners/hacktricks-training.md}} What Play In…
React Native Application Analysis
React Native Application Analysis {{#include ../../banners/hacktricks-training.md}} To confirm if the application was bu…
Reversing Native Libraries
Reversing Native Libraries {{#include ../../banners/hacktricks-training.md}} For further information check: https://madd…
Shizuku Privileged API
Shizuku Privileged API {{#include ../../banners/hacktricks-training.md}} Shizuku is an open-source service that starts a…
Smali - Decompiling/[Modifying]/Compiling
Smali - Decompiling/[Modifying]/Compiling {{#include ../../banners/hacktricks-training.md}} Sometimes it is interesting …
Spoofing Your Location in Google Play Store
Spoofing Your Location in Google Play Store {{#include ../../banners/hacktricks-training.md}} In situations where an app…
Tapjacking
Tapjacking {{#include ../../banners/hacktricks-training.md}} Basic Information Tapjacking is an attack where a malicious…
Webview Attacks
Webview Attacks {{#include ../../banners/hacktricks-training.md}} Guide on WebView Configurations and Security Overview …
iOS Pentesting Checklist
iOS Pentesting Checklist {{#include ../banners/hacktricks-training.md}} Preparation [ ] Read iOS Basics [ ] Prepare your…
iOS Pentesting
iOS Pentesting {{#include ../../banners/hacktricks-training.md}} iOS Basics {{#ref}} ios-basics.md {{#endref}} Testing E…
Air Keyboard Remote Input Injection (Unauthenticated TCP / WebSocket Listener)
Air Keyboard Remote Input Injection (Unauthenticated TCP / WebSocket Listener) {{#include ../../banners/hacktricks-train…
iOS App Extensions
iOS App Extensions {{#include ../../banners/hacktricks-training.md}} App extensions enhance the functionality of apps by…
iOS Basics
iOS Basics {{#include ../../banners/hacktricks-training.md}} Filesystem Folders /Applications : Contains all the install…
iOS Basic Testing Operations
iOS Basic Testing Operations {{#include ../../banners/hacktricks-training.md}} Summary of iOS Device Identification and …
iOS Burp Suite Configuration
iOS Burp Suite Configuration {{#include ../../banners/hacktricks-training.md}} Installing the Burp Certificate on iOS De…
iOS Custom URI Handlers / Deeplinks / Custom Schemes
iOS Custom URI Handlers / Deeplinks / Custom Schemes {{#include ../../banners/hacktricks-training.md}} Basic Information…
Extracting Entitlements from Compiled Application
Extracting Entitlements from Compiled Application {{#include ../../banners/hacktricks-training.md}} Summary of the page …
iOS Frida Configuration
iOS Frida Configuration {{#include ../../banners/hacktricks-training.md}} Installing Frida Steps to install Frida on a J…
iOS Hooking with Objection
iOS Hooking with Objection {{#include ../../banners/hacktricks-training.md}} For this section the tool Objection is goin…
iOS Pentesting without Jailbreak
iOS Pentesting without Jailbreak {{#include ../../banners/hacktricks-training.md}} Main idea Applications signed with th…
WebView Protocol Handlers
WebView Protocol Handlers {{#include ../../banners/hacktricks-training.md}}…
iOS Serialisation and Encoding
iOS Serialisation and Encoding {{#include ../../banners/hacktricks-training.md}} Code and more information in https://ma…
iOS Testing Environment
iOS Testing Environment {{#include ../../banners/hacktricks-training.md}} Apple Developer Program A provisioning identit…
iOS UIActivity Sharing
iOS UIActivity Sharing {{#include ../../banners/hacktricks-training.md}} UIActivity Sharing Simplified From iOS 6 onward…
iOS Universal Links
iOS Universal Links {{#include ../../banners/hacktricks-training.md}} Introduction Universal links offer a seamless redi…
iOS Pasteboard
iOS Pasteboard {{#include ../../banners/hacktricks-training.md}} Data sharing within and across applications on iOS devi…
iOS WebViews
iOS WebViews {{#include ../../banners/hacktricks-training.md}} The code of this page was extracted from here . Check the…
itunesstored & bookassetd Sandbox Escape
itunesstored & bookassetd Sandbox Escape {{#include ../../banners/hacktricks-training.md}} Overview Recent research …
Zero-click Messaging → Image Parser Chains
Zero-click Messaging → Image Parser Chains {{#include ../../banners/hacktricks-training.md}} TL;DR Treat messaging app m…
Cordova Apps
Cordova Apps {{#include ../banners/hacktricks-training.md}} For further details check https://infosecwriteups.com/recrea…
Xamarin Apps
Xamarin Apps {{#include ../banners/hacktricks-training.md}} Basic Information Xamarin is an open-source platform designe…
4222 - Pentesting NATS / JetStream
4222 - Pentesting NATS / JetStream {{#include ../banners/hacktricks-training.md}} Basic Information NATS is a high-perfo…
Pentesting JDWP - Java Debug Wire Protocol
Pentesting JDWP - Java Debug Wire Protocol {{#include ../banners/hacktricks-training.md}} Exploiting JDWP exploitation h…
Pentesting SAP
Pentesting SAP {{#include ../banners/hacktricks-training.md}} Introduction about SAP SAP stands for Systems Applications…
Pentesting VoIP
Pentesting VoIP {{#include ../../banners/hacktricks-training.md}} VoIP Basic Information To start learning about how VoI…
Basic VoIP Protocols
Basic VoIP Protocols {{#include ../../../banners/hacktricks-training.md}} Signaling Protocols SIP (Session Initiation Pr…
SIP (Session Initiation Protocol)
SIP (Session Initiation Protocol) {{#include ../../../banners/hacktricks-training.md}} Basic Information SIP (Session In…
Pentesting Remote GdbServer
Pentesting Remote GdbServer {{#include ../banners/hacktricks-training.md}} Basic Information gdbserver is a tool that en…
7/tcp/udp - Pentesting Echo Service
7/tcp/udp - Pentesting Echo Service {{#include ../banners/hacktricks-training.md}} Basic Information An echo service is …
21 - Pentesting FTP
21 - Pentesting FTP {{#include ../../banners/hacktricks-training.md}} Basic Information The File Transfer Protocol (FTP)…
FTP Bounce attack - Scan
FTP Bounce attack - Scan {{#include ../../banners/hacktricks-training.md}} FTP Bounce - Scanning Manual Connect to vulne…
FTP Bounce Download 2 of FTP File
FTP Bounce Download 2 of FTP File {{#include ../../banners/hacktricks-training.md}} Resume If you have access to a bounc…
22 - Pentesting SSH/SFTP
22 - Pentesting SSH/SFTP {{#include ../banners/hacktricks-training.md}} Basic Information SSH (Secure Shell or Secure So…
23 - Pentesting Telnet
23 - Pentesting Telnet {{#include ../banners/hacktricks-training.md}} Basic Information Telnet is a network protocol tha…
25,465,587 - Pentesting SMTP/s
25,465,587 - Pentesting SMTP/s {{#include ../../banners/hacktricks-training.md}} Basic Information The Simple Mail Trans…
SMTP Smuggling
SMTP Smuggling {{#include ../../banners/hacktricks-training.md}} Basic Information This type of vulnerability was origin…
SMTP - Commands
SMTP - Commands {{#include ../../banners/hacktricks-training.md}} Commands from: https://serversmtp.com/smtp-commands/ H…
43 - Pentesting WHOIS
43 - Pentesting WHOIS {{#include ../banners/hacktricks-training.md}} Basic Information The WHOIS protocol serves as a st…
49 - Pentesting TACACS+
49 - Pentesting TACACS+ {{#include ../banners/hacktricks-training.md}} Basic Information The Terminal Access Controller …
53 - Pentesting DNS
53 - Pentesting DNS {{#include ../banners/hacktricks-training.md}} Basic Information The Domain Name System (DNS) serves…
69 - UDP TFTP
69 - UDP TFTP {{#include ../banners/hacktricks-training.md}} Basic Information Trivial File Transfer Protocol (TFTP) is …
79 - Pentesting Finger
79 - Pentesting Finger {{#include ../banners/hacktricks-training.md}} Basic Info The Finger program/service is utilized …
80,443 - Pentesting Web Methodology
80,443 - Pentesting Web Methodology {{#include ../../banners/hacktricks-training.md}} Basic Info The web service is the …
403 & 401 Bypasses
403 & 401 Bypasses {{#include ../../banners/hacktricks-training.md}} HTTP Verbs/Methods Fuzzing Try using different …
AEM (Adobe Experience Manager) Pentesting
AEM (Adobe Experience Manager) Pentesting {{#include ../../banners/hacktricks-training.md}} Adobe Experience Manager (AE…
Angular
Angular {{#include ../../banners/hacktricks-training.md}} The Checklist Checklist from here . [ ] Angular is considered …
Apache
Apache {{#include ../../banners/hacktricks-training.md}} Executable PHP extensions Check which extensions is executing t…
Artifactory Hacking Guide
Artifactory Hacking Guide {{#include ../../banners/hacktricks-training.md}} Check this post: https://www.errno.fr/artifa…
Bolt CMS
Bolt CMS {{#include ../../banners/hacktricks-training.md}} RCE After login as admin (go to /bot to access the login prom…
Buckets
Buckets {{#include ../../../banners/hacktricks-training.md}} Check this page if you want to learn more about enumerating…
Firebase Database
Firebase Database {{#include ../../../banners/hacktricks-training.md}} What is Firebase Firebase is a Backend-as-a-Servi…
CGI Pentesting
CGI Pentesting {{#include ../../banners/hacktricks-training.md}} Information The CGI scripts are perl scripts , so, if y…
Custom UDP RPC Enumeration & File-Transfer Abuse
Custom UDP RPC Enumeration & File-Transfer Abuse {{#include ../../banners/hacktricks-training.md}} Mapping proprieta…
Django
Django {{#include ../../banners/hacktricks-training.md}} Cache Manipulation to RCE Django's default cache storage method…
.NET SOAP/WSDL Client Proxy Abuse
.NET SOAP/WSDL Client Proxy Abuse {{#include ../../banners/hacktricks-training.md}} TL;DR SoapHttpClientProtocol , Disco…
DotNetNuke (DNN)
DotNetNuke (DNN) {{#include ../../banners/hacktricks-training.md}} DotNetNuke (DNN) If you enter as administrator in DNN…
Drupal
Drupal {{#include ../../../banners/hacktricks-training.md}} Discovery Check meta curl https://www.drupal.org/ | grep &#3…
Drupal RCE
Drupal RCE {{#include ../../../banners/hacktricks-training.md}} With PHP Filter Module ⚠️ Warning In older versions of D…
Electron Desktop Apps
Electron Desktop Apps {{#include ../../../banners/hacktricks-training.md}} Introduction Electron combines a local backen…
Electron contextIsolation RCE via preload code
Electron contextIsolation RCE via preload code {{#include ../../../banners/hacktricks-training.md}} Example 1 Example fr…
Electron contextIsolation RCE via Electron internal code
Electron contextIsolation RCE via Electron internal code {{#include ../../../banners/hacktricks-training.md}} Example 1 …
Electron contextIsolation RCE via IPC
Electron contextIsolation RCE via IPC {{#include ../../../banners/hacktricks-training.md}} If the preload script exposes…
Flask
Flask {{#include ../../banners/hacktricks-training.md}} Probably if you are playing a CTF a Flask application will be re…
Fortinet FortiWeb — Auth bypass via API-prefix traversal and CGIINFO impersonation
Fortinet FortiWeb — Auth bypass via API-prefix traversal and CGIINFO impersonation {{#include ../../banners/hacktricks-t…
Git
Git {{#include ../../banners/hacktricks-training.md}} To dump a .git folder from a URL use https://github.com/arthaud/gi…
GoLang HTTP CONNECT Method
GoLang HTTP CONNECT Method {{#include ../../banners/hacktricks-training.md}} CONNECT method In the Go programming langua…
Grafana
Grafana {{#include ../../banners/hacktricks-training.md}} Interesting stuff Main config is usually in /etc/grafana/grafa…
GraphQL
GraphQL {{#include ../../banners/hacktricks-training.md}} Introduction GraphQL is highlighted as an efficient alternativ…
H2 - Java SQL database
H2 - Java SQL database {{#include ../../banners/hacktricks-training.md}} Official page: https://www.h2database.com/html/…
IIS - Internet Information Services
IIS - Internet Information Services {{#include ../../banners/hacktricks-training.md}} Test executable file extensions: a…
ImageMagick Security
ImageMagick Security {{#include ../../banners/hacktricks-training.md}} Check further details in https://blog.doyensec.co…
ISPConfig
ISPConfig {{#include ../../banners/hacktricks-training.md}} Overview ISPConfig is an open-source hosting control panel. …
JBOSS
JBOSS {{#include ../../banners/hacktricks-training.md}} Enumeration and Exploitation Techniques When assessing the secur…
Jira & Confluence
Jira & Confluence {{#include ../../banners/hacktricks-training.md}} Check Privileges In Jira, privileges can be chec…
Joomla
Joomla {{#include ../../banners/hacktricks-training.md}} Joomla Statistics Joomla collects some anonymous usage statisti…
JSP
JSP {{#include ../../banners/hacktricks-training.md}} getContextPath abuse Info from here . http://127.0.0.1:8080/&s…
Laravel
Laravel {{#include ../../banners/hacktricks-training.md}} Laravel SQLInjection Read information about this here: https:/…
Microsoft SharePoint – Pentesting & Exploitation
Microsoft SharePoint – Pentesting & Exploitation {{#include ../../banners/hacktricks-training.md}} Microsoft SharePo…
Moodle
Moodle {{#include ../../banners/hacktricks-training.md}} Automatic Scans droopescan pip3 install droopescan droopescan s…
NextJS
NextJS {{#include ../../banners/hacktricks-training.md}} General Architecture of a Next.js Application Typical File Stru…
Nginx
Nginx {{#include ../../banners/hacktricks-training.md}} Missing root location When configuring the Nginx server, the roo…
NodeJS Express
NodeJS Express {{#include ../../banners/hacktricks-training.md}} Quick Fingerprinting Useful Express indicators during r…
Sitecore Experience Platform (XP) – Pre‑auth HTML Cache Poisoning to Post‑auth RCE
Sitecore Experience Platform (XP) – Pre‑auth HTML Cache Poisoning to Post‑auth RCE {{#include ../../../banners/hacktrick…
PHP Tricks
PHP Tricks {{#include ../../../banners/hacktricks-training.md}} Cookies common location: This is also valid for phpMyAdm…
PHP - Useful Functions & disable_functions/open_basedir bypass
PHP - Useful Functions & disable_functions/open_basedir bypass {{#include ../../../../banners/hacktricks-training.md…
disable_functions bypass - php-fpm/FastCGI
disable_functions bypass - php-fpm/FastCGI {{#include ../../../../banners/hacktricks-training.md}} PHP-FPM PHP-FPM is pr…
Disable Functions Bypass - dl Function
Disable Functions Bypass - dl Function {{#include ../../../../banners/hacktricks-training.md}} dl() lets PHP load a shar…
disable_functions bypass - PHP 7.0-7.4 (*nix only)
disable_functions bypass - PHP 7.0-7.4 (*nix only) {{#include ../../../../banners/hacktricks-training.md}} PHP 7.0-7.4 (…
Imagick <= 3.3.0 ‑ PHP >= 5.4 *disable_functions* Bypass
Imagick <= 3.3.0 ‑ PHP >= 5.4 disable_functions Bypass {{#include ../../../../banners/hacktricks-training.md}} The…
PHP 5.x Shellshock Exploit
PHP 5.x Shellshock Exploit {{#include ../../../../banners/hacktricks-training.md}} From http://blog.safebuff.com/2016/05…
PHP 5.2.4 ionCube extension Exploit
PHP 5.2.4 ionCube extension Exploit {{#include ../../../../banners/hacktricks-training.md}} <?php //PHP 5.2.4 ionCube…
PHP <= 5.2.9 on windows
PHP <= 5.2.9 on windows {{#include ../../../../banners/hacktricks-training.md}} From http://blog.safebuff.com/2016/05…
PHP 5.2.4 and 5.2.5 PHP cURL
PHP 5.2.4 and 5.2.5 PHP cURL {{#include ../../../../banners/hacktricks-training.md}} This page documents a legacy but st…
PHP safe_mode bypass via proc_open and custom environment Exploit
PHP safe_mode bypass via proc_open and custom environment Exploit {{#include ../../../../banners/hacktricks-training.md}…
PHP Perl Extension Safe_mode Bypass Exploit
PHP Perl Extension Safe_mode Bypass Exploit {{#include ../../../../banners/hacktricks-training.md}} Background The issue…
PHP 5.2.3 - Win32std ext Protections Bypass
PHP 5.2.3 - Win32std ext Protections Bypass {{#include ../../../../banners/hacktricks-training.md}} This is a legacy Win…
PHP 5.2 - FOpen Exploit
PHP 5.2 - FOpen Exploit {{#include ../../../../banners/hacktricks-training.md}} From http://blog.safebuff.com/2016/05/06…
via mem
via mem {{#include ../../../../banners/hacktricks-training.md}} From http://blog.safebuff.com/2016/05/06/disable-functio…
mod_cgi
mod_cgi {{#include ../../../../banners/hacktricks-training.md}} From http://blog.safebuff.com/2016/05/06/disable-functio…
PHP 4 >= 4.2.0, PHP 5 pcntl_exec
PHP 4 >= 4.2.0, PHP 5 pcntl_exec {{#include ../../../../banners/hacktricks-training.md}} From http://blog.safebuff.co…
PHP - RCE abusing object creation: new $_GET["a"]($_GET["b"])
PHP - RCE abusing object creation: new $_GET "a" {{#include ../../../banners/hacktricks-training.md}} This is basically …
PHP SSRF
PHP SSRF {{#include ../../../banners/hacktricks-training.md}} SSRF PHP functions Some function such as file_get_contents…
PrestaShop
PrestaShop {{#include ../../banners/hacktricks-training.md}} Perl backticks/qx// sinks in Apache mod_perl handlers (reac…
PrestaShop
PrestaShop {{#include ../../banners/hacktricks-training.md}} From XSS to RCE PrestaXSRF : PrestaShop Exploitation Script…
Python
Python {{#include ../../banners/hacktricks-training.md}} Server using python test a possible code execution , using the …
Rocket Chat
Rocket Chat {{#include ../../banners/hacktricks-training.md}} RCE If you are admin inside Rocket Chat you can get RCE. G…
Ruby Tricks
Ruby Tricks {{#include ../../banners/hacktricks-training.md}} File upload to RCE As explained in this article , uploadin…
Source code Review / SAST Tools
Source code Review / SAST Tools {{#include ../../banners/hacktricks-training.md}} Guidance and & Lists of tools http…
Special HTTP headers
Special HTTP headers {{#include ../../banners/hacktricks-training.md}} Wordlists & Tools https://github.com/danielmi…
Roundcube
Roundcube {{#include ../../banners/hacktricks-training.md}} Overview Roundcube is a PHP webmail client commonly exposed …
Spring Actuators
Spring Actuators {{#include ../../banners/hacktricks-training.md}} Spring Auth Bypass From https://raw.githubusercontent…
Symfony
Symfony {{#include ../../banners/hacktricks-training.md}} Symfony is one of the most widely-used PHP frameworks and regu…
Tomcat
Tomcat {{#include ../../../banners/hacktricks-training.md}} Discovery It usually runs on port 8080 Common Tomcat error: …
Telerik UI for ASP.NET AJAX – Unsafe Reflection via WebResource.axd (type=iec)
Telerik UI for ASP.NET AJAX – Unsafe Reflection via WebResource.axd (type=iec) {{#include ../../banners/hacktricks-train…
Uncovering CloudFlare
Uncovering CloudFlare {{#include ../../banners/hacktricks-training.md}} Common Techniques to Uncover Cloudflare You can …
Vue.js
Vue.js {{#include ../../banners/hacktricks-training.md}} XSS Sinks in Vue.js v-html Directive The v-html directive rende…
VMware ESX / vCenter Pentesting
VMware ESX / vCenter Pentesting {{#include ../../banners/hacktricks-training.md}} Enumeration nmap -sV --script "ht…
Web API Pentesting
Web API Pentesting {{#include ../../banners/hacktricks-training.md}} API Pentesting Methodology Summary Pentesting APIs …
WebDav
WebDav {{#include ../../banners/hacktricks-training.md}} When dealing with a HTTP Server with WebDav enabled, it's possi…
Werkzeug / Flask Debug
Werkzeug / Flask Debug {{#include ../../banners/hacktricks-training.md}} Console RCE If debug is active you could try to…
Wordpress
Wordpress {{#include ../../banners/hacktricks-training.md}} Basic Information Uploaded files go to: http://10.10.10.10/w…
88tcp/udp - Pentesting Kerberos
88tcp/udp - Pentesting Kerberos {{#include ../../banners/hacktricks-training.md}} Basic Information Kerberos operates on…
Harvesting tickets from Windows
Harvesting tickets from Windows {{#include ../../banners/hacktricks-training.md}} Tickets in Windows are managed and sto…
Harvesting Tickets from Linux
Harvesting Tickets from Linux {{#include ../../banners/hacktricks-training.md}} Credential Storage in Linux Linux system…
WSGI Post-Exploitation Tricks
WSGI Post-Exploitation Tricks {{#include ../../banners/hacktricks-training.md}} WSGI Overview Web Server Gateway Interfa…
Zabbix Security
Zabbix Security {{#include ../../banners/hacktricks-training.md}} Overview Zabbix is a monitoring platform exposing a we…
110,995 - Pentesting POP
110,995 - Pentesting POP {{#include ../banners/hacktricks-training.md}} Basic Information Post Office Protocol (POP) is …
111/TCP/UDP - Pentesting Portmapper
111/TCP/UDP - Pentesting Portmapper {{#include ../banners/hacktricks-training.md}} Basic Information Portmapper is a ser…
113 - Pentesting Ident
113 - Pentesting Ident {{#include ../banners/hacktricks-training.md}} Basic Information The Ident Protocol is used over …
123/udp - Pentesting NTP
123/udp - Pentesting NTP {{#include ../banners/hacktricks-training.md}} Basic Information The Network Time Protocol (NTP…
135, 593 - Pentesting MSRPC
135, 593 - Pentesting MSRPC {{#include ../banners/hacktricks-training.md}} Basic Information The Microsoft Remote Proced…
137,138,139 - Pentesting NetBios
137,138,139 - Pentesting NetBios {{#include ../banners/hacktricks-training.md}} NetBios Name Service NetBIOS Name Servic…
139,445 - Pentesting SMB
139,445 - Pentesting SMB {{#include ../../banners/hacktricks-training.md}} Port 139 The Network Basic Input Output Syste…
ksmbd Attack Surface & SMB2/SMB3 Protocol Fuzzing (syzkaller)
ksmbd Attack Surface & SMB2/SMB3 Protocol Fuzzing (syzkaller) {{#include ../../banners/hacktricks-training.md}} Over…
rpcclient enumeration
rpcclient enumeration {{#include ../../banners/hacktricks-training.md}} Overview of Relative Identifiers (RID) and Secur…
143,993 - Pentesting IMAP
143,993 - Pentesting IMAP {{#include ../banners/hacktricks-training.md}} Internet Message Access Protocol The Internet M…
161,162,10161,10162/udp - Pentesting SNMP
161,162,10161,10162/udp - Pentesting SNMP {{#include ../../banners/hacktricks-training.md}} Basic Information SNMP - Sim…
Cisco SNMP
Cisco SNMP {{#include ../../banners/hacktricks-training.md}} Pentesting Cisco Networks SNMP functions over UDP with port…
SNMP RCE
SNMP RCE {{#include ../../banners/hacktricks-training.md}} SNMP can be exploited by an attacker if the administrator ove…
194,6667,6660-7000 - Pentesting IRC
194,6667,6660-7000 - Pentesting IRC {{#include ../banners/hacktricks-training.md}} Basic Information IRC, initially a pl…
264/tcp - Pentesting Check Point Firewall
264/tcp - Pentesting Check Point Firewall {{#include ../banners/hacktricks-training.md}} It's possible to interact wit…
389, 636, 3268, 3269 - Pentesting LDAP
389, 636, 3268, 3269 - Pentesting LDAP {{#include ../banners/hacktricks-training.md}} The use of LDAP (Lightweight Direc…
500/udp - Pentesting IPsec/IKE VPN
500/udp - Pentesting IPsec/IKE VPN {{#include ../banners/hacktricks-training.md}} Basic Information IPsec is widely reco…
502/tcp - Pentesting Modbus Protocol
502/tcp - Pentesting Modbus Protocol {{#include ../banners/hacktricks-training.md}} Basic Information In 1979, the Mod…
512 - Pentesting Rexec
512 - Pentesting Rexec {{#include ../banners/hacktricks-training.md}} Basic Information Rexec (remote exec ) is one of t…
513 - Pentesting Rlogin
513 - Pentesting Rlogin {{#include ../banners/hacktricks-training.md}} Basic Information In the past, rlogin was widely …
514 - Pentesting Rsh
514 - Pentesting Rsh {{#include ../banners/hacktricks-training.md}} Basic Information For authentication, .rhosts files …
515 Pentesting Line Printer Daemon (LPD)
515 Pentesting Line Printer Daemon (LPD) {{#include ../banners/hacktricks-training.md}} Introduction to LPD Protocol In …
548 - Pentesting Apple Filing Protocol (AFP)
548 - Pentesting Apple Filing Protocol (AFP) {{#include ../banners/hacktricks-training.md}} Basic Information The Apple …
554,8554 - Pentesting RTSP
554,8554 - Pentesting RTSP {{#include ../banners/hacktricks-training.md}} Basic Information From wikipedia : The Real Ti…
623/UDP/TCP - IPMI
623/UDP/TCP - IPMI {{#include ../banners/hacktricks-training.md}} Basic Information Overview of IPMI Intelligent Platfor…
Internet Printing Protocol
Internet Printing Protocol {{#include ../banners/hacktricks-training.md}} The Internet Printing Protocol (IPP) , as spec…
700 - Pentesting EPP
700 - Pentesting EPP {{#include ../banners/hacktricks-training.md}} Basic Information The Extensible Provisioning Protoc…
873 - Pentesting Rsync
873 - Pentesting Rsync {{#include ../banners/hacktricks-training.md}} Basic Information From wikipedia : rsync is a util…
1026 - Pentesting Rusersd
1026 - Pentesting Rusersd {{#include ../banners/hacktricks-training.md}} Basic Information This protocol will provide yo…
1080 - Pentesting Socks
1080 - Pentesting Socks {{#include ../banners/hacktricks-training.md}} Basic Information SOCKS is a protocol used for tr…
1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
1098/1099/1050 - Pentesting Java RMI - RMI-IIOP {{#include ../banners/hacktricks-training.md}} Basic Information Java Re…
1414 - Pentesting IBM MQ
1414 - Pentesting IBM MQ {{#include ../banners/hacktricks-training.md}} Basic information IBM MQ is an IBM technology to…
1433 - Pentesting MSSQL - Microsoft SQL Server
1433 - Pentesting MSSQL - Microsoft SQL Server {{#include ../../banners/hacktricks-training.md}} Basic Information From …
Types of MSSQL Users
Types of MSSQL Users {{#include ../../banners/hacktricks-training.md}} Table taken from the docs . Column name Data type…
1521,1522-1529 - Pentesting Oracle TNS Listener
1521,1522-1529 - Pentesting Oracle TNS Listener {{#include ../banners/hacktricks-training.md}} Basic Information Oracle …
1723 - Pentesting PPTP
1723 - Pentesting PPTP {{#include ../banners/hacktricks-training.md}} Basic Information Point-to-Point Tunneling Protoco…
1883 - Pentesting MQTT (Mosquitto)
1883 - Pentesting MQTT (Mosquitto) {{#include ../banners/hacktricks-training.md}} Basic Information MQ Telemetry Transpo…
2049 - Pentesting NFS Service
2049 - Pentesting NFS Service {{#include ../banners/hacktricks-training.md}} Basic Information NFS is a system designed …
2301/tcp - Pentesting Compaq/HP Insight Manager
2301/tcp - Pentesting Compaq/HP Insight Manager {{#include ../banners/hacktricks-training.md}} Default Port: 2301,2381…
2375, 2376 Pentesting Docker
2375, 2376 Pentesting Docker {{#include ../banners/hacktricks-training.md}} Docker Basics What is Docker is the forefron…
3128/tcp - Pentesting Squid
3128/tcp - Pentesting Squid {{#include ../banners/hacktricks-training.md}} Basic Information From Wikipedia : Squid is a…
3260 - Pentesting ISCSI
3260 - Pentesting ISCSI {{#include ../banners/hacktricks-training.md}} Basic Information From Wikipedia : In computing, …
3299/tcp - Pentesting SAProuter
3299/tcp - Pentesting SAProuter {{#include ../banners/hacktricks-training.md}} PORT STATE SERVICE VERSION 3299/tcp ope…
3306 - Pentesting Mysql
3306 - Pentesting Mysql {{#include ../banners/hacktricks-training.md}} Basic Information MySQL can be described as an op…
3389 - Pentesting RDP
3389 - Pentesting RDP {{#include ../banners/hacktricks-training.md}} Basic Information Developed by Microsoft, the Remot…
3632 - Pentesting Distcc
3632 - Pentesting Distcc {{#include ../banners/hacktricks-training.md}} Basic Information Distcc is a tool that enhances…
3690/tcp - Pentesting Subversion (SVN) Server
3690/tcp - Pentesting Subversion (SVN) Server {{#include ../banners/hacktricks-training.md}} Basic Information Subversio…
3702/UDP - Pentesting WS-Discovery
3702/UDP - Pentesting WS-Discovery {{#include ../banners/hacktricks-training.md}} Basic Information The Web Services Dyn…
4369 Pentesting Erlang Port Mapper Daemon (epmd)
4369 Pentesting Erlang Port Mapper Daemon (epmd) {{#include ../banners/hacktricks-training.md}} Basic Info The Erlang Po…
4786 - Cisco Smart Install
4786 - Cisco Smart Install {{#include ../banners/hacktricks-training.md}} Basic Information Cisco Smart Install is a Cis…
4840 - Pentesting OPC UA
4840 - Pentesting OPC UA {{#include ../banners/hacktricks-training.md}} Basic Information OPC UA , standing for Open Pla…
5000 - Pentesting Docker Registry
5000 - Pentesting Docker Registry {{#include ../banners/hacktricks-training.md}} Basic Information A storage and distrib…
5353/UDP Multicast DNS (mDNS) and DNS-SD
5353/UDP Multicast DNS (mDNS) and DNS-SD {{#include ../banners/hacktricks-training.md}} Basic Information Multicast DNS …
5432,5433 - Pentesting Postgresql
5432,5433 - Pentesting Postgresql {{#include ../banners/hacktricks-training.md}} Basic Information PostgreSQL is describ…
5439 - Pentesting Redshift
5439 - Pentesting Redshift {{#include ../banners/hacktricks-training.md}} Basic Information This port is used by Amazon …
5555 - Android Debug Bridge
5555 - Android Debug Bridge {{#include ../banners/hacktricks-training.md}} Basic Information From the docs : Android Deb…
5601/tcp - Pentesting Kibana
5601/tcp - Pentesting Kibana {{#include ../banners/hacktricks-training.md}} Basic Information Kibana is known for its ab…
5671,5672 - Pentesting AMQP
5671,5672 - Pentesting AMQP {{#include ../banners/hacktricks-training.md}} Basic Information From cloudamqp : RabbitMQ i…
5800,5801,5900,5901 - Pentesting VNC
5800,5801,5900,5901 - Pentesting VNC {{#include ../banners/hacktricks-training.md}} Basic Information Virtual Network Co…
5984,6984 - Pentesting CouchDB
5984,6984 - Pentesting CouchDB {{#include ../banners/hacktricks-training.md}} Basic Information CouchDB is a versatile a…
5985,5986 - Pentesting WinRM
5985,5986 - Pentesting WinRM {{#include ../banners/hacktricks-training.md}} WinRM Windows Remote Management (WinRM) is h…
5985,5986 - Pentesting OMI
5985,5986 - Pentesting OMI {{#include ../banners/hacktricks-training.md}} Basic Information OMI is presented as an open-…
6000 - Pentesting X11
6000 - Pentesting X11 {{#include ../banners/hacktricks-training.md}} Basic Information X Window System (X) is a versatil…
6379 - Pentesting Redis
6379 - Pentesting Redis {{#include ../banners/hacktricks-training.md}} Basic Information From the docs : Redis is an ope…
8009 - Pentesting Apache JServ Protocol (AJP)
8009 - Pentesting Apache JServ Protocol (AJP) {{#include ../banners/hacktricks-training.md}} Basic Information From http…
8086 - Pentesting InfluxDB
8086 - Pentesting InfluxDB {{#include ../banners/hacktricks-training.md}} Basic Information InfluxDB is an open-source t…
8089 - Pentesting Splunkd
8089 - Pentesting Splunkd {{#include ../banners/hacktricks-training.md}} Basic Information Log analytics tool used for d…
8333,18333,38333,18444 - Pentesting Bitcoin
8333,18333,38333,18444 - Pentesting Bitcoin {{#include ../banners/hacktricks-training.md}} Basic Information The port 83…
9000 Pentesting FastCGI
9000 Pentesting FastCGI {{#include ../banners/hacktricks-training.md}} Basic Information If you want to learn what is Fa…
9001 - Pentesting HSQLDB
9001 - Pentesting HSQLDB {{#include ../banners/hacktricks-training.md}} Basic Information HSQLDB ( HyperSQL DataBase ) i…
9042/9160 - Pentesting Cassandra
9042/9160 - Pentesting Cassandra {{#include ../banners/hacktricks-training.md}} Basic Information Apache Cassandra is a …
9100/tcp - PJL (Printer Job Language)
9100/tcp - PJL (Printer Job Language) {{#include ../banners/hacktricks-training.md}} Basic Information From here : Raw p…
9200 - Pentesting Elasticsearch
9200 - Pentesting Elasticsearch {{#include ../banners/hacktricks-training.md}} Basic information Elasticsearch is a dist…
10000/tcp - Network Data Management Protocol (NDMP)
10000/tcp - Network Data Management Protocol (NDMP) {{#include ../banners/hacktricks-training.md}} Protocol Information …
11211 - Pentesting Memcache
11211 - Pentesting Memcache {{#include ../../banners/hacktricks-training.md}} Protocol Information From wikipedia : Memc…
Memcache Commands
Memcache Commands {{#include ../../banners/hacktricks-training.md}} Commands Cheat-Sheet From https://lzone.de/cheat-she…
15672 - Pentesting RabbitMQ Management
15672 - Pentesting RabbitMQ Management {{#include ../banners/hacktricks-training.md}} Basic Information You can learn mo…
24007-24008-24009-49152 - Pentesting GlusterFS
24007-24008-24009-49152 - Pentesting GlusterFS {{#include ../banners/hacktricks-training.md}} Basic Information GlusterF…
27017,27018 - Pentesting MongoDB
27017,27018 - Pentesting MongoDB {{#include ../banners/hacktricks-training.md}} Basic Information MongoDB is an open sou…
32100/UDP - Pentesting PPPP (CS2) P2P Cameras
32100/UDP - Pentesting PPPP (CS2) P2P Cameras {{#include ../banners/hacktricks-training.md}} Overview PPPP (a.k.a. “P2P”…
44134 Tiller / Helm
44134 Tiller / Helm {{#include ../banners/hacktricks-training.md}} Basic Information Helm is the package manager for Kub…
44818 Pentesting EtherNet/IP
44818 Pentesting EtherNet/IP {{#include ../banners/hacktricks-training.md}} Protocol Information EtherNet/IP is an indus…
47808/udp - BACnet
47808/udp - BACnet {{#include ../banners/hacktricks-training.md}} Protocol Information BACnet is a communications protoc…
50030-50060-50070-50075-50090 - Pentesting Hadoop
50030-50060-50070-50075-50090 - Pentesting Hadoop {{#include ../banners/hacktricks-training.md}} Basic Information Apach…
Web Vulnerabilities Methodology
Web Vulnerabilities Methodology {{#include ../banners/hacktricks-training.md}} In every Web Pentest, there are several h…
Reflecting Techniques - PoCs and Polygloths CheatSheet
Reflecting Techniques - PoCs and Polygloths CheatSheet {{#include ../../banners/hacktricks-training.md}} The goal of the…
Web Vulns List
Web Vulns List {{#include ../../banners/hacktricks-training.md}} {{ 7 * 7 }}[ 7 * 7 ] 1 ; sleep $ { IFS } 9 ; #${IFS}&#3…
2FA/MFA/OTP Bypass
2FA/MFA/OTP Bypass {{#include ../banners/hacktricks-training.md}} Enhanced Two-Factor Authentication Bypass Techniques D…
Account Takeover
Account Takeover {{#include ../banners/hacktricks-training.md}} Authorization Issue The email of an account should be at…
Browser Extension Pentesting Methodology
Browser Extension Pentesting Methodology {{#include ../../banners/hacktricks-training.md}} Basic Information Browser ext…
BrowExt - ClickJacking
BrowExt - ClickJacking {{#include ../../banners/hacktricks-training.md}} Basic Information This page is going to abuse a…
BrowExt - permissions & host_permissions
BrowExt - permissions & host_permissions {{#include ../../banners/hacktricks-training.md}} Basic Information permiss…
BrowExt - XSS Example
BrowExt - XSS Example {{#include ../../banners/hacktricks-training.md}} Cross-Site Scripting (XSS) through Iframe In thi…
Forced Extension Load & Preferences MAC Forgery (Windows)
Forced Extension Load & Preferences MAC Forgery (Windows) {{#include ../../banners/hacktricks-training.md}} Overview…
Bypass Payment Process
Bypass Payment Process {{#include ../banners/hacktricks-training.md}} Payment Bypass Techniques Request Interception Dur…
Captcha Bypass
Captcha Bypass {{#include ../banners/hacktricks-training.md}} Captcha Bypass To bypass the captcha during server testing…
Cache Poisoning and Cache Deception
Cache Poisoning and Cache Deception {{#include ../../banners/hacktricks-training.md}} The difference What is the differe…
Cache Poisoning via URL discrepancies
Cache Poisoning via URL discrepancies {{#include ../../banners/hacktricks-training.md}} This is a summary of the techniq…
Cache Poisoning to DoS
Cache Poisoning to DoS {{#include ../../banners/hacktricks-training.md}} ⚠️ Caution In this page you can find different …
Clickjacking
Clickjacking {{#include ../banners/hacktricks-training.md}} What is Clickjacking In a clickjacking attack, a user is tri…
Client Side Template Injection (CSTI)
Client Side Template Injection (CSTI) {{#include ../banners/hacktricks-training.md}} Summary It is like a Server Side Te…
Client Side Path Traversal
Client Side Path Traversal {{#include ../banners/hacktricks-training.md}} Basic Information A client side path traversal…
Command Injection
Command Injection {{#include ../banners/hacktricks-training.md}} What is command Injection? A command injection permits …
Content Security Policy (CSP) Bypass
Content Security Policy (CSP) Bypass {{#include ../../banners/hacktricks-training.md}} What is CSP Content Security Poli…
CSP Bypass via Self + Unsafe Inline with Iframes
CSP Bypass via Self + Unsafe Inline with Iframes {{#include ../../banners/hacktricks-training.md}} A configuration such …
Cookies Hacking
Cookies Hacking {{#include ../../banners/hacktricks-training.md}} Cookie Attributes Cookies come with several attributes…
Cookie Tossing
Cookie Tossing {{#include ../../banners/hacktricks-training.md}} Description If an attacker can control a subdomain or t…
Cookie Jar Overflow
Cookie Jar Overflow {{#include ../../banners/hacktricks-training.md}} The browsers have a limit on the number of cookies…
Cookie Bomb
Cookie Bomb {{#include ../../banners/hacktricks-training.md}} Cookie bomb involves adding a significant number of large …
CORS - Misconfigurations & Bypass
CORS - Misconfigurations & Bypass {{#include ../banners/hacktricks-training.md}} What is CORS? Cross-Origin Resource…
CRLF (%0D%0A) Injection
CRLF (%0D%0A) Injection {{#include ../banners/hacktricks-training.md}} CRLF Carriage Return (CR) and Line Feed (LF), col…
CSRF (Cross Site Request Forgery)
CSRF (Cross Site Request Forgery) {{#include ../banners/hacktricks-training.md}} Cross-Site Request Forgery (CSRF) Expla…
Dangling Markup - HTML scriptless injection
Dangling Markup - HTML scriptless injection {{#include ../../banners/hacktricks-training.md}} Resume This technique can …
SS-Leaks
SS-Leaks {{#include ../../banners/hacktricks-training.md}} Check the post https://infosec.zeyu2001.com/2023/from-xs-leak…
DApps - Decentralized Applications
DApps - Decentralized Applications {{#include ../banners/hacktricks-training.md}} What is a DApp? A DApp is a decentrali…
Dependency Confusion
Dependency Confusion {{#include ../banners/hacktricks-training.md}} Basic Information Dependency Confusion (a.k.a. subst…
Deserialization
Deserialization {{#include ../../banners/hacktricks-training.md}} Basic Information Serialization is understood as the m…
NodeJS - __proto__ & prototype Pollution
NodeJS - __proto__ & prototype Pollution {{#include ../../../banners/hacktricks-training.md}} Objects in JavaScript …
Client Side Prototype Pollution
Client Side Prototype Pollution {{#include ../../../banners/hacktricks-training.md}} Discovering using Automatic tools T…
Express Prototype Pollution Gadgets
Express Prototype Pollution Gadgets {{#include ../../../banners/hacktricks-training.md}} Serve XSS responses For further…
Prototype Pollution to RCE
Prototype Pollution to RCE {{#include ../../../banners/hacktricks-training.md}} Vulnerable Code Imagine a real JS using …
Java JSF ViewState Deserialization
Java JSF ViewState Deserialization {{#include ../../banners/hacktricks-training.md}} Check the posts: https://www.alphab…
Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner {{#include ../../banners/hacktricks-training.md}}…
Basic Java Deserialization with ObjectInputStream readObject
Basic Java Deserialization with ObjectInputStream readObject {{#include ../../banners/hacktricks-training.md}} In this P…
Java SignedObject-gated Deserialization and Pre-auth Reachability via Error Paths
Java SignedObject-gated Deserialization and Pre-auth Reachability via Error Paths {{#include ../../banners/hacktricks-tr…
Laravel Livewire Hydration & Synthesizer Abuse
Laravel Livewire Hydration & Synthesizer Abuse {{#include ../../banners/hacktricks-training.md}} Recap of the Livewi…
PHP - Deserialization + Autoload Classes
PHP - Deserialization + Autoload Classes {{#include ../../banners/hacktricks-training.md}} First, you should check what …
CommonsCollection1 Payload - Java Transformers to Runtime exec() and Thread Sleep
CommonsCollection1 Payload - Java Transformers to Runtime exec() and Thread Sleep {{#include ../../banners/hacktricks-tra…
Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net) {{#include ../../banners/hacktrick…
Exploiting __VIEWSTATE Knowing the Secret
Exploiting __VIEWSTATE Knowing the Secret {{#include ../../banners/hacktricks-training.md}} Check the amazing post from …
Exploiting __VIEWSTATE without knowing the secrets
Exploiting __VIEWSTATE without knowing the secrets {{#include ../../banners/hacktricks-training.md}} What is ViewState V…
Python Yaml Deserialization
Python Yaml Deserialization {{#include ../../banners/hacktricks-training.md}} Yaml Deserialization Yaml python libraries…
JNDI - Java Naming and Directory Interface & Log4Shell
JNDI - Java Naming and Directory Interface & Log4Shell {{#include ../../banners/hacktricks-training.md}} Basic Infor…
Ruby _json pollution
Ruby _json pollution {{#include ../../banners/hacktricks-training.md}} This is a summary from the post https://nastyster…
Ruby Class Pollution
Ruby Class Pollution {{#include ../../banners/hacktricks-training.md}} This is a summary from the post https://blog.doye…
Domain/Subdomain takeover
Domain/Subdomain takeover {{#include ../banners/hacktricks-training.md}} Domain takeover If you discover some domain (do…
Email Injections
Email Injections {{#include ../banners/hacktricks-training.md}} Inject in sent e-mail Inject Cc and Bcc after sender arg…
File Inclusion/Path traversal
File Inclusion/Path traversal {{#include ../../banners/hacktricks-training.md}} File Inclusion Remote File Inclusion (RF…
phar:// deserialization
phar:// deserialization {{#include ../../banners/hacktricks-training.md}} Phar files (PHP Archive) files contain meta da…
LFI2RCE via PHP Filters
LFI2RCE via PHP Filters {{#include ../../banners/hacktricks-training.md}} Intro This writeup explains that you can use p…
LFI2RCE via Nginx temp files
LFI2RCE via Nginx temp files {{#include ../../banners/hacktricks-training.md}} Vulnerable configuration Example from bie…
LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS {{#include ../../banners/hacktricks-training.md}} Basic Info If you found a Loca…
LFI2RCE via Segmentation Fault
LFI2RCE via Segmentation Fault {{#include ../../banners/hacktricks-training.md}} According to the writeups https://spycl…
LFI to RCE via PHPInfo
LFI to RCE via PHPInfo {{#include ../../banners/hacktricks-training.md}} To exploit this technique you need all of the f…
LFI to RCE via Temporary File Uploads
LFI to RCE via Temporary File Uploads {{#include ../../banners/hacktricks-training.md}} Check the full details of this t…
LFI2RCE via Eternal waiting
LFI2RCE via Eternal waiting {{#include ../../banners/hacktricks-training.md}} Basic Information By default when a file i…
LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure
LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure {{#include ../../banners/hacktricks-training.md}}…
File Upload
File Upload {{#include ../../banners/hacktricks-training.md}} File Upload General Methodology Other useful extensions: P…
PDF Upload - XXE and CORS bypass
PDF Upload - XXE and CORS bypass {{#include ../../banners/hacktricks-training.md}} Check https://insert-script.blogspot.…
Formula/CSV/Doc/LaTeX/GhostScript Injection
Formula/CSV/Doc/LaTeX/GhostScript Injection {{#include ../banners/hacktricks-training.md}} Formula Injection Info If you…
Pentesting gRPC-Web
Pentesting gRPC-Web {{#include ../banners/hacktricks-training.md}} Quick protocol recap and attack surface Transport: gR…
HTTP Connection Contamination
HTTP Connection Contamination {{#include ../banners/hacktricks-training.md}} This is a summary of the post: https://port…
HTTP Connection Request Smuggling
HTTP Connection Request Smuggling {{#include ../banners/hacktricks-training.md}} This page summarizes, extends and updat…
HTTP Request Smuggling / HTTP Desync Attack
HTTP Request Smuggling / HTTP Desync Attack {{#include ../../banners/hacktricks-training.md}} What is This vulnerability…
Browser HTTP Request Smuggling
Browser HTTP Request Smuggling {{#include ../../banners/hacktricks-training.md}} Browser-powered desync (aka client-side…
Request Smuggling in HTTP/2 Downgrades
Request Smuggling in HTTP/2 Downgrades {{#include ../../banners/hacktricks-training.md}} HTTP/2 is generally considered …
HTTP Response Smuggling / Desync
HTTP Response Smuggling / Desync {{#include ../banners/hacktricks-training.md}} The technique of this post was taken fro…
Upgrade Header Smuggling
Upgrade Header Smuggling {{#include ../banners/hacktricks-training.md}} H2C Smuggling HTTP2 Over Cleartext (H2C) H2C, or…
hop-by-hop headers
hop-by-hop headers {{#include ../banners/hacktricks-training.md}} This is a summary of the post https://nathandavison.co…
IDOR (Insecure Direct Object Reference)
IDOR (Insecure Direct Object Reference) {{#include ../banners/hacktricks-training.md}} IDOR (Insecure Direct Object Refe…
JWT Vulnerabilities (Json Web Tokens)
JWT Vulnerabilities (Json Web Tokens) {{#include ../banners/hacktricks-training.md}} Part of this post is based in the a…
JSON, XML & Yaml Hacking & Issues
JSON, XML & Yaml Hacking & Issues {{#include ../banners/hacktricks-training.md}} Go JSON Decoder The following i…
LDAP Injection
LDAP Injection {{#include ../banners/hacktricks-training.md}} LDAP Injection LDAP If you want to know what is LDAP acces…
Login Bypass
Login Bypass {{#include ../../banners/hacktricks-training.md}} Bypass regular login If you find a login page, here you c…
SQL Login Bypass Payloads
SQL Login Bypass Payloads {{#include ../../banners/hacktricks-training.md}} This list contains payloads to bypass the lo…
Mass Assignment (CWE-915) – Privilege Escalation via Unsafe Model Binding
Mass Assignment (CWE-915) – Privilege Escalation via Unsafe Model Binding {{#include ../banners/hacktricks-training.md}}…
NoSQL injection
NoSQL injection {{#include ../banners/hacktricks-training.md}} Exploit In PHP you can send an Array changing the sent pa…
OAuth to Account takeover
OAuth to Account takeover {{#include ../banners/hacktricks-training.md}} Basic Information OAuth offers various versions…
Open Redirect
Open Redirect {{#include ../banners/hacktricks-training.md}} Open redirect Redirect to localhost or arbitrary domains If…
ORM Injection
ORM Injection {{#include ../banners/hacktricks-training.md}} Django ORM (Python) In this post is explained how it's poss…
Parameter Pollution | JSON Injection
Parameter Pollution | JSON Injection {{#include ../banners/hacktricks-training.md}} HTTP Parameter Pollution (HPP) Overv…
Phone Number Injections
Phone Number Injections {{#include ../banners/hacktricks-training.md}} It's possible to add strings at the end the phone…
PostMessage Vulnerabilities
PostMessage Vulnerabilities {{#include ../../banners/hacktricks-training.md}} Send PostMessage PostMessage uses the foll…
Blocking main page to steal postmessage
Blocking main page to steal postmessage {{#include ../../banners/hacktricks-training.md}} Winning RCs with Iframes Accor…
Bypassing SOP with Iframes - 1
Bypassing SOP with Iframes - 1 {{#include ../../banners/hacktricks-training.md}} Iframes in SOP-1 In this challenge crea…
Bypassing SOP with Iframes - 2
Bypassing SOP with Iframes - 2 {{#include ../../banners/hacktricks-training.md}} Iframes in SOP-2 In the solution for th…
Steal postmessage modifying iframe location
Steal postmessage modifying iframe location {{#include ../../banners/hacktricks-training.md}} Changing child iframes loc…
Proxy / WAF Protections Bypass
Proxy / WAF Protections Bypass {{#include ../banners/hacktricks-training.md}} Bypass Nginx ACL Rules with Pathname Manip…
Race Condition
Race Condition {{#include ../banners/hacktricks-training.md}} ⚠️ Warning For obtaining a deep understanding of this tech…
Rate Limit Bypass
Rate Limit Bypass {{#include ../banners/hacktricks-training.md}} Rate limit bypass techniques Exploring Similar Endpoint…
Registration & Takeover Vulnerabilities
Registration & Takeover Vulnerabilities {{#include ../banners/hacktricks-training.md}} Registration Takeover Duplica…
Regular expression Denial of Service - ReDoS
Regular expression Denial of Service - ReDoS {{#include ../banners/hacktricks-training.md}} Regular Expression Denial of…
Reset/Forgotten Password Bypass
Reset/Forgotten Password Bypass {{#include ../banners/hacktricks-training.md}} Password Reset Token Leak Via Referrer Th…
Reverse Tab Nabbing
Reverse Tab Nabbing {{#include ../banners/hacktricks-training.md}} Description In a situation where an attacker can cont…
RSQL Injection
RSQL Injection {{#include ../banners/hacktricks-training.md}} What is RSQL? RSQL is a query language designed for parame…
SAML Attacks
SAML Attacks {{#include ../../banners/hacktricks-training.md}} Basic Information {{#ref}} saml-basics.md {{#endref}} Too…
SAML Basics
SAML Basics {{#include ../../banners/hacktricks-training.md}} SAML Overview Security Assertion Markup Language (SAML) en…
Server Side Inclusion/Edge Side Inclusion Injection
Server Side Inclusion/Edge Side Inclusion Injection {{#include ../banners/hacktricks-training.md}} Server Side Inclusion…
SOAP/JAX-WS ThreadLocal Authentication Bypass
SOAP/JAX-WS ThreadLocal Authentication Bypass {{#include ../banners/hacktricks-training.md}} TL;DR Some middleware chain…
SQL Injection
SQL Injection {{#include ../../banners/hacktricks-training.md}} What is SQL injection? An SQL injection is a security fl…
MS Access SQL Injection
MS Access SQL Injection {{#include ../../banners/hacktricks-training.md}} Online Playground https://www.w3schools.com/sq…
MSSQL Injection
MSSQL Injection {{#include ../../banners/hacktricks-training.md}} Active Directory enumeration It may be possible to enu…
MySQL injection
MySQL injection {{#include ../../../banners/hacktricks-training.md}} Comments -- MYSQL Comment # MYSQL Comment /* MYSQL …
MySQL File priv to SSRF/RCE
MySQL File priv to SSRF/RCE {{#include ../../../banners/hacktricks-training.md}} This is a summary of the MySQL/MariaDB/…
Oracle injection
Oracle injection {{#include ../../banners/hacktricks-training.md}} Serve this post a wayback machine copy of the deleted…
Cypher Injection (neo4j)
Cypher Injection (neo4j) {{#include ../../banners/hacktricks-training.md}} Check the following blogs: https://www.varoni…
SQLMap
SQLMap {{#include ../../banners/hacktricks-training.md}} Basic arguments for SQLmap Generic -u "<URL>" -…
PostgreSQL injection
PostgreSQL injection {{#include ../../../banners/hacktricks-training.md}} This page aims to explain different tricks tha…
dblink/lo_import data exfiltration
dblink/lo_import data exfiltration {{#include ../../../banners/hacktricks-training.md}} This is an example of how to exf…
PL/pgSQL Password Bruteforce
PL/pgSQL Password Bruteforce {{#include ../../../banners/hacktricks-training.md}} Find more information about these atta…
Network - Privesc, Port Scanner and NTLM challenge response disclosure
Network - Privesc, Port Scanner and NTLM challenge response disclosure {{#include ../../../banners/hacktricks-training.…
Big Binary Files Upload in PostgreSQL
Big Binary Files Upload in PostgreSQL {{#include ../../../banners/hacktricks-training.md}} PostgreSQL Large Objects Post…
RCE with PostgreSQL Languages
RCE with PostgreSQL Languages {{#include ../../../banners/hacktricks-training.md}} PostgreSQL Languages The PostgreSQL d…
RCE with PostgreSQL Extensions
RCE with PostgreSQL Extensions {{#include ../../../banners/hacktricks-training.md}} PostgreSQL Extensions PostgreSQL has…
Second Order Injection with SQLMap
Second Order Injection with SQLMap {{#include ../../../banners/hacktricks-training.md}} SQLMap can exploit Second Order …
SSRF (Server Side Request Forgery)
SSRF (Server Side Request Forgery) {{#include ../../banners/hacktricks-training.md}} Basic Information A Server-side Req…
URL Format Bypass
URL Format Bypass {{#include ../../banners/hacktricks-training.md}} Localhost Localhost payloads # Localhost 0 # Yes, ju…
SSRF Vulnerable Platforms
SSRF Vulnerable Platforms {{#include ../../banners/hacktricks-training.md}} Check https://blog.assetnote.io/2021/01/13/b…
Cloud SSRF
Cloud SSRF {{#include ../../banners/hacktricks-training.md}} AWS Abusing SSRF in AWS EC2 environment The metadata endpoi…
SSTI (Server Side Template Injection)
SSTI (Server Side Template Injection) {{#include ../../banners/hacktricks-training.md}} What is SSTI (Server-Side Templa…
EL - Expression Language
EL - Expression Language {{#include ../../banners/hacktricks-training.md}} Basic Info Expression Language (EL) is integra…
Jinja2 SSTI
Jinja2 SSTI {{#include ../../banners/hacktricks-training.md}} Lab from flask import Flask , request , render_template_st…
Timing Attacks
Timing Attacks {{#include ../banners/hacktricks-training.md}} ⚠️ Warning For obtaining a deep understanding of this tech…
Unicode Injection
Unicode Injection {{#include ../../banners/hacktricks-training.md}} Introduction Depending on how the back-end/front-end…
Unicode Normalization
Unicode Normalization {{#include ../../banners/hacktricks-training.md}} This is a summary of: https://appcheck-ng.com/un…
UUID Insecurities
UUID Insecurities {{#include ../banners/hacktricks-training.md}} Basic Information Universally Unique Identifiers (UUIDs…
WebSocket Attacks
WebSocket Attacks {{#include ../banners/hacktricks-training.md}} What are WebSockets WebSocket connections are establish…
Web Tool - WFuzz
Web Tool - WFuzz {{#include ../banners/hacktricks-training.md}} A tool to FUZZ web applications anywhere. Wfuzz has been…
XPATH injection
XPATH injection {{#include ../banners/hacktricks-training.md}} Basic Syntax An attack technique known as XPath Injection…
XS-Search/XS-Leaks
XS-Search/XS-Leaks {{#include ../banners/hacktricks-training.md}} Basic Information XS-Search is a method used for extra…
XSLT Server Side Injection (Extensible Stylesheet Language Transformations)
XSLT Server Side Injection (Extensible Stylesheet Language Transformations) {{#include ../banners/hacktricks-training.md…
XXE - XEE - XML External Entity
XXE - XEE - XML External Entity {{#include ../banners/hacktricks-training.md}} XML Basics XML is a markup language desig…
XSS (Cross Site Scripting)
XSS (Cross Site Scripting) {{#include ../../banners/hacktricks-training.md}} Methodology Check if any value you control …
Abusing Service Workers
Abusing Service Workers {{#include ../../banners/hacktricks-training.md}} Basic Information A service worker is a script…
Chrome Cache to XSS
Chrome Cache to XSS {{#include ../../banners/hacktricks-training.md}} More in depth details in this writeup . The techni…
Debugging Client Side JS
Debugging Client Side JS {{#include ../../banners/hacktricks-training.md}} Debugging client side JS can be a pain becaus…
Dom Clobbering
Dom Clobbering {{#include ../../banners/hacktricks-training.md}} Basics It's possible to generate global variables insid…
DOM Invader
DOM Invader {{#include ../../banners/hacktricks-training.md}} DOM Invader DOM Invader is a browser tool installed in Bur…
DOM XSS
DOM XSS {{#include ../../banners/hacktricks-training.md}} DOM Vulnerabilities DOM vulnerabilities occur when data from a…
Iframes in XSS, CSP and SOP
Iframes in XSS, CSP and SOP {{#include ../../banners/hacktricks-training.md}} Iframes in XSS There are 3 ways to indicat…
Integer Overflow (Web Applications)
Integer Overflow (Web Applications) {{#include ../../banners/hacktricks-training.md}} This page focuses on how integer o…
JS Hoisting
JS Hoisting {{#include ../../banners/hacktricks-training.md}} Basic Information In the JavaScript language, a mechanism …
Misc JS Tricks & Relevant Info
Misc JS Tricks & Relevant Info {{#include ../../banners/hacktricks-training.md}} Javascript Fuzzing Valid JS Comment…
PDF Injection
PDF Injection {{#include ../../banners/hacktricks-training.md}} If your input is being reflected inside a PDF file, you …
Server Side XSS (Dynamic PDF)
Server Side XSS (Dynamic PDF) {{#include ../../banners/hacktricks-training.md}} Server Side XSS (Dynamic PDF) If a web p…
Shadow DOM
Shadow DOM {{#include ../../banners/hacktricks-training.md}} Check out this blog: https://blog.ankursundara.com/shadow-d…
SOME - Same Origin Method Execution
SOME - Same Origin Method Execution {{#include ../../banners/hacktricks-training.md}} Same Origin Method Execution There…
Sniff Leak
Sniff Leak {{#include ../../banners/hacktricks-training.md}} Leak script content by converting it to UTF16 This writeup …
Steal Info JS
Steal Info JS {{#include ../../banners/hacktricks-training.md}} // SELECT HERE THE EXFILTRATION MODE (more than 1 can be…
WebAssembly linear memory corruption to DOM XSS (template overwrite)
WebAssembly linear memory corruption to DOM XSS (template overwrite) {{#include ../../banners/hacktricks-training.md}} T…
XSS in Markdown
XSS in Markdown {{#include ../../banners/hacktricks-training.md}} If you have the chance to inject code in markdown, the…
XSSI (Cross-Site Script Inclusion)
XSSI (Cross-Site Script Inclusion) {{#include ../banners/hacktricks-training.md}} Basic Information Cross-Site Script In…
Connection Pool Examples
Connection Pool Examples {{#include ../../banners/hacktricks-training.md}} Sekaictf2022 - safelist In the Sekaictf2022 -…
Connection Pool by Destination Example
Connection Pool by Destination Example {{#include ../../banners/hacktricks-training.md}} In this exploit , @terjanq prop…
Cookie Bomb + Onerror XS Leak
Cookie Bomb + Onerror XS Leak {{#include ../../banners/hacktricks-training.md}} This technique combines: - Cookie bombin…
URL Max Length - Client Side
URL Max Length - Client Side {{#include ../../banners/hacktricks-training.md}} Code from https://ctf.zeyu2001.com/2023/h…
performance.now example
performance.now example {{#include ../../banners/hacktricks-training.md}} Example taken from https://ctf.zeyu2001.com/20…
performance.now + Force heavy task
performance.now + Force heavy task {{#include ../../banners/hacktricks-training.md}} Exploit taken from https://blog.hul…
Event Loop Blocking + Lazy images
Event Loop Blocking + Lazy images {{#include ../../banners/hacktricks-training.md}} In this exploit , @aszx87410 mixes t…
JavaScript Execution XS Leak
JavaScript Execution XS Leak {{#include ../../banners/hacktricks-training.md}} This XS-Search primitive turns whether a …
CSS Injection
CSS Injection {{#include ../../../banners/hacktricks-training.md}} CSS Injection LESS Code Injection LESS is a popular C…
CSS Injection Code
CSS Injection Code {{#include ../../../banners/hacktricks-training.md}} ```html:victim.html @import url("//localhost:500…
LESS Code Injection leading to SSRF & Local File Read
LESS Code Injection leading to SSRF & Local File Read {{#include ../../../banners/hacktricks-training.md}} LESS is a…
Iframe Traps
Iframe Traps {{#include ../banners/hacktricks-training.md}} Basic Information This form of abusing XSS via iframes to st…
Physical Attacks
Physical Attacks {{#include ../banners/hacktricks-training.md}} BIOS Password Recovery and System Security Resetting the…
Escaping from KIOSKs
Escaping from KIOSKs {{#include ../banners/hacktricks-training.md}} Check physical device Component Action Power button …
Firmware Analysis
Firmware Analysis {{#include ../../banners/hacktricks-training.md}} Introduction Related resources {{#ref}} synology-enc…
MediaTek bl2_ext Secure-Boot Bypass (EL3 Code Execution)
MediaTek bl2_ext Secure-Boot Bypass (EL3 Code Execution) {{#include ../../banners/hacktricks-training.md}} This page doc…
Bootloader Testing
Bootloader Testing {{#include ../../banners/hacktricks-training.md}} The following steps are recommended for modifying d…
Firmware Integrity
Firmware Integrity {{#include ../../banners/hacktricks-training.md}} The custom firmware and/or compiled binaries can be…
Basic Binary Exploitation Methodology
Basic Binary Exploitation Methodology {{#include ../../banners/hacktricks-training.md}} ELF Basic Info Before start expl…
ELF Basic Information
ELF Basic Information {{#include ../../banners/hacktricks-training.md}} Program Headers The describe to the loader how t…
Exploiting Tools
Exploiting Tools {{#include ../../../banners/hacktricks-training.md}} Metasploit pattern_create.rb -l 3000 #Length patte…
PwnTools
PwnTools {{#include ../../../banners/hacktricks-training.md}} pip3 install pwntools Pwn asm Get opcodes from line or fil…
Stack Overflow
Stack Overflow {{#include ../../banners/hacktricks-training.md}} What is a Stack Overflow A stack overflow is a vulnerab…
Pointer Redirecting
Pointer Redirecting {{#include ../../banners/hacktricks-training.md}} String pointers If a function call is going to use…
Ret2win
Ret2win {{#include ../../../banners/hacktricks-training.md}} Basic Information Ret2win challenges are a popular category…
Ret2win - arm64
Ret2win - arm64 {{#include ../../../banners/hacktricks-training.md}} Find an introduction to arm64 in: {{#ref}} ../../..…
Stack Shellcode
Stack Shellcode {{#include ../../../banners/hacktricks-training.md}} Basic Information Stack shellcode is a technique us…
Stack Shellcode - arm64
Stack Shellcode - arm64 {{#include ../../../banners/hacktricks-training.md}} Find an introduction to arm64 in: {{#ref}}……
Stack Pivoting
Stack Pivoting {{#include ../../banners/hacktricks-training.md}} Basic Information This technique exploits the ability t…
Uninitialized Variables
Uninitialized Variables {{#include ../../banners/hacktricks-training.md}} Basic Information The core idea here is to und…
ROP & JOP
ROP & JOP {{#include ../../banners/hacktricks-training.md}} Basic Information Return-Oriented Programming (ROP) is a…
BROP - Blind Return Oriented Programming
BROP - Blind Return Oriented Programming {{#include ../../banners/hacktricks-training.md}} Basic Information The goal of…
Ret2csu
Ret2csu {{#include ../../banners/hacktricks-training.md}} https://www.scs.stanford.edu/brop/bittau-brop.pdf Basic Inform…
Ret2dlresolve
Ret2dlresolve {{#include ../../banners/hacktricks-training.md}} Basic Information As explained in the page about GOT/PLT…
Ret2esp / Ret2reg
Ret2esp / Ret2reg {{#include ../../banners/hacktricks-training.md}} Ret2esp Because the ESP (Stack Pointer) always point…
Ret2lib
Ret2lib {{#include ../../../banners/hacktricks-training.md}} Basic Information The essence of Ret2Libc is to redirect th…
Leaking libc address with ROP
Leaking libc address with ROP {{#include ../../../../banners/hacktricks-training.md}} Quick Resume Find overflow offset …
Leaking libc - template
Leaking libc - template {{#include ../../../../banners/hacktricks-training.md}} ```python:template.py from pwn import EL…
One Gadget
One Gadget {{#include ../../../banners/hacktricks-training.md}} Basic Information One Gadget allows to obtain a shell in…
Ret2lib + Printf leak - ARM64
Ret2lib + Printf leak - ARM64 {{#include ../../../banners/hacktricks-training.md}} Ret2lib - NX bypass with ROP (no ASLR…
Ret2syscall
Ret2syscall {{#include ../../../banners/hacktricks-training.md}} Basic Information This is similar to Ret2lib, however, …
Ret2syscall - ARM64
Ret2syscall - ARM64 {{#include ../../../banners/hacktricks-training.md}} Find an introduction to arm64 in: {{#ref}} ../.…
Ret2vDSO
Ret2vDSO {{#include ../../banners/hacktricks-training.md}} Basic Information There might be gadgets in the vDSO region ,…
SROP - Sigreturn-Oriented Programming
SROP - Sigreturn-Oriented Programming {{#include ../../../banners/hacktricks-training.md}} Basic Information Sigreturn i…
{{#include ../../../banners/hacktricks-training.md}}
{{#include ../../../banners/hacktricks-training.md}} {{#include ../../../banners/hacktricks-training.md}} Pwntools examp…
MediaTek XFlash Carbonara DA2 Hash Bypass
MediaTek XFlash Carbonara DA2 Hash Bypass {{#include ../../banners/hacktricks-training.md}} Summary "Carbonara" abuses M…
Synology PAT/SPK Encrypted Archive Decryption
Synology PAT/SPK Encrypted Archive Decryption {{#include ../../banners/hacktricks-training.md}} Overview Several Synolog…
Windows SEH-based Stack Overflow Exploitation (nSEH/SEH)
Windows SEH-based Stack Overflow Exploitation (nSEH/SEH) {{#include ../../banners/hacktricks-training.md}} SEH-based exp…
Array Indexing
Array Indexing {{#include ../banners/hacktricks-training.md}} Basic Information This category includes all vulnerabiliti…
Chrome Exploiting
Chrome Exploiting {{#include ../banners/hacktricks-training.md}} This page provides a high-level yet practical overview …
Unsafe Relocation Fixups in Asset Loaders
Unsafe Relocation Fixups in Asset Loaders {{#include ../banners/hacktricks-training.md}} Why asset relocations matter Ma…
Integer Overflow
Integer Overflow {{#include ../banners/hacktricks-training.md}} Basic Information At the heart of an integer overflow is…
Format Strings
Format Strings {{#include ../../banners/hacktricks-training.md}} Basic Information In C printf is a function that can be…
Format Strings - Arbitrary Read Example
Format Strings - Arbitrary Read Example {{#include ../../banners/hacktricks-training.md}} Read Binary Start Code #includ…
Format Strings Template
Format Strings Template {{#include ../../banners/hacktricks-training.md}} from pwn import * from time import sleep #####…
Libc Heap
Libc Heap {{#include ../../banners/hacktricks-training.md}} Heap Basics The heap is basically the place where a program …
Bins & Memory Allocations
Bins & Memory Allocations {{#include ../../banners/hacktricks-training.md}} Basic Information In order to improve th…
Heap Memory Functions
Heap Memory Functions {{#include ../../../banners/hacktricks-training.md}} {{#include ../../../banners/hacktricks-traini…
free
free {{#include ../../../banners/hacktricks-training.md}} Free Order Summary (No checks are explained in this summary an…
malloc & sysmalloc
malloc & sysmalloc {{#include ../../../banners/hacktricks-training.md}} Allocation Order Summary (No checks are expl…
unlink
unlink {{#include ../../../banners/hacktricks-training.md}} Code // From https://github.com/bminor/glibc/blob/master/mal…
Heap Functions Security Checks
Heap Functions Security Checks {{#include ../../../banners/hacktricks-training.md}} unlink For more info check: {{#ref}}…
Use After Free
Use After Free {{#include ../../../banners/hacktricks-training.md}} Basic Information As the name implies, this vulnerab…
First Fit
First Fit {{#include ../../../banners/hacktricks-training.md}} First Fit When you free memory in a program using glibc, …
Double Free
Double Free {{#include ../../banners/hacktricks-training.md}} Basic Information If you free a block of memory more than …
GNU obstack function-pointer hijack
GNU obstack function-pointer hijack {{#include ../../banners/hacktricks-training.md}} Overview GNU obstacks embed alloca…
Overwriting a freed chunk
Overwriting a freed chunk {{#include ../../banners/hacktricks-training.md}} Several of the proposed heap exploitation te…
Heap Overflow
Heap Overflow {{#include ../../banners/hacktricks-training.md}} Basic Information A heap overflow is like a stack overfl…
Unlink Attack
Unlink Attack {{#include ../../banners/hacktricks-training.md}} Basic Information When this attack was discovered it mos…
Fast Bin Attack
Fast Bin Attack {{#include ../../banners/hacktricks-training.md}} Basic Information For more information about what is a…
Unsorted Bin Attack
Unsorted Bin Attack {{#include ../../banners/hacktricks-training.md}} Basic Information For more information about what …
Large Bin Attack
Large Bin Attack {{#include ../../banners/hacktricks-training.md}} Basic Information For more information about what is …
Tcache Bin Attack
Tcache Bin Attack {{#include ../../banners/hacktricks-training.md}} Basic Information For more information about what a …
Off by one overflow
Off by one overflow {{#include ../../banners/hacktricks-training.md}} Basic Information Having just access to a 1B overf…
House of Spirit
House of Spirit {{#include ../../banners/hacktricks-training.md}} Basic Information Code House of Spirit #include <un…
House of Lore | Small bin Attack
House of Lore | Small bin Attack {{#include ../../banners/hacktricks-training.md}} Basic Information Code Check the one …
House of Einherjar
House of Einherjar {{#include ../../banners/hacktricks-training.md}} Basic Information Code Check the example from https…
House of Force
House of Force {{#include ../../banners/hacktricks-training.md}} Basic Information Code This technique was patched ( her…
House of Orange
House of Orange {{#include ../../banners/hacktricks-training.md}} Basic Information Code Find an example in https://gith…
House of Rabbit
House of Rabbit {{#include ../../banners/hacktricks-training.md}} Requirements Ability to modify fast bin fd pointer or …
House of Roman
House of Roman {{#include ../../banners/hacktricks-training.md}} Basic Information This was a very interesting technique…
Common Binary Exploitation Protections & Bypasses
Common Binary Exploitation Protections & Bypasses {{#include ../../banners/hacktricks-training.md}} Enable Core file…
ASLR
ASLR {{#include ../../../banners/hacktricks-training.md}} Basic Information Address Space Layout Randomization (ASLR) is…
Ret2plt
Ret2plt {{#include ../../../banners/hacktricks-training.md}} Basic Information The goal of this technique would be to le…
Ret2ret & Ret2pop
Ret2ret & Ret2pop {{#include ../../../banners/hacktricks-training.md}} Ret2ret The main goal of this technique is to…
CET & Shadow Stack
CET & Shadow Stack {{#include ../../banners/hacktricks-training.md}} Control Flow Enforcement Technology (CET) CET i…
Libc Protections
Libc Protections {{#include ../../banners/hacktricks-training.md}} Chunk Alignment Enforcement Malloc allocates memory i…
Memory Tagging Extension (MTE)
Memory Tagging Extension (MTE) {{#include ../../banners/hacktricks-training.md}} Basic Information Memory Tagging Extens…
No-exec / NX
No-exec / NX {{#include ../../banners/hacktricks-training.md}} Basic Information The No-Execute (NX) bit, also known as …
PIE
PIE {{#include ../../../banners/hacktricks-training.md}} Basic Information A binary compiled as PIE, or Position Indepen…
BF Addresses in the Stack
BF Addresses in the Stack {{#include ../../../banners/hacktricks-training.md}} If you are facing a binary protected by a…
Relro
Relro {{#include ../../banners/hacktricks-training.md}} Relro RELRO stands for Relocation Read-Only and it is a mitigati…
Stack Canaries
Stack Canaries {{#include ../../../banners/hacktricks-training.md}} StackGuard and StackShield StackGuard inserts a spec…
BF Forked & Threaded Stack Canaries
BF Forked & Threaded Stack Canaries {{#include ../../../banners/hacktricks-training.md}} If you are facing a binary …
Print Stack Canary
Print Stack Canary {{#include ../../../banners/hacktricks-training.md}} Enlarge printed stack Imagine a situation where …
Arbitrary Write 2 Exec
Arbitrary Write 2 Exec {{#include ../../banners/hacktricks-training.md}}…
WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236)
WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236) {{#include ../../banners/hacktricks-training.md}} Overv…
WWW2Exec - atexit(), TLS Storage & Other mangled Pointers
WWW2Exec - atexit(), TLS Storage & Other mangled Pointers {{#include ../../banners/hacktricks-training.md}} __atexit…
WWW2Exec - .dtors & .fini_array
WWW2Exec - .dtors & .fini_array {{#include ../../banners/hacktricks-training.md}} .dtors ⚠️ Caution Nowadays is very…
WWW2Exec - GOT/PLT
WWW2Exec - GOT/PLT {{#include ../../banners/hacktricks-training.md}} Basic Information GOT: Global Offset Table The Glob…
WWW2Exec - __malloc_hook & __free_hook
WWW2Exec - __malloc_hook & __free_hook {{#include ../../banners/hacktricks-training.md}} Malloc Hook As you can Offi…
VirtualBox Slirp NAT Packet Heap Exploitation
VirtualBox Slirp NAT Packet Heap Exploitation {{#include ../../banners/hacktricks-training.md}} TL;DR VirtualBox ships a…
Common Exploiting Problems
Common Exploiting Problems {{#include ../banners/hacktricks-training.md}} FDs in Remote Exploitation When sending an exp…
Adreno A7xx SDS->RB privilege bypass (GPU SMMU takeover to Kernel R/W)
Adreno A7xx SDS->RB privilege bypass (GPU SMMU takeover to Kernel R/W) {{#include ../../banners/hacktricks-training.m…
AF_UNIX MSG_OOB UAF & SKB-based kernel primitives
AF_UNIX MSG_OOB UAF & SKB-based kernel primitives {{#include ../../banners/hacktricks-training.md}} TL;DR Linux >…
Linux arm64 Static Linear Map KASLR Bypass
Linux arm64 Static Linear Map KASLR Bypass {{#include ../../banners/hacktricks-training.md}} Overview Android kernels bu…
ksmbd streams_xattr OOB write → local LPE (CVE-2025-37947)
ksmbd streams_xattr OOB write → local LPE (CVE-2025-37947) {{#include ../../banners/hacktricks-training.md}} This page d…
Pixel BigWave BIGO timeout race UAF → 2KB kernel write from mediacodec
Pixel BigWave BIGO timeout race UAF → 2KB kernel write from mediacodec {{#include ../../banners/hacktricks-training.md}}…
POSIX CPU Timers TOCTOU race (CVE-2025-38352)
POSIX CPU Timers TOCTOU race (CVE-2025-38352) {{#include ../../banners/hacktricks-training.md}} This page documents a TO…
FreeBSD ptrace RFI and vm_map PROT_EXEC bypass (PS5 case study)
FreeBSD ptrace RFI and vm_map PROT_EXEC bypass (PS5 case study) {{#include ../banners/hacktricks-training.md}} Overview …
VMware Workstation PVSCSI LFH Escape (VMware-vmx on Windows 11)
VMware Workstation PVSCSI LFH Escape (VMware-vmx on Windows 11) {{#include ../banners/hacktricks-training.md}} Bug anato…
Windows Exploiting (Basic Guide - OSCP lvl)
Windows Exploiting (Basic Guide - OSCP lvl) {{#include ../banners/hacktricks-training.md}} 💡 Tip Looking for post-OSCP k…
Vectored Overloading PE Injection
Vectored Overloading PE Injection {{#include ../banners/hacktricks-training.md}} 💡 Tip Looking for Windows 11 LFH heap s…
iOS Exploiting
iOS Exploiting {{#include ../../banners/hacktricks-training.md}} iOS Exploit Mitigations 1. Code Signing / Runtime Signa…
CVE-2021-30807: IOMobileFrameBuffer OOB
CVE-2021-30807: IOMobileFrameBuffer OOB {{#include ../../banners/hacktricks-training.md}} The Bug You have a great expla…
iMessage Media Parser Zero-Click → CoreAudio RCE → PAC/RPAC → Kernel → CryptoTokenKit Abuse
iMessage Media Parser Zero-Click → CoreAudio RCE → PAC/RPAC → Kernel → CryptoTokenKit Abuse {{#include ../../banners/hac…
iOS How to Connect to Corellium
iOS How to Connect to Corellium {{#include ../../banners/hacktricks-training.md}} Prereqs A Corellium iOS VM (jailbroken…
iOS How to Connect to Corellium
iOS How to Connect to Corellium {{#include ../../banners/hacktricks-training.md}} Vuln Code #define _GNU_SOURCE #include…
iOS Physical Use After Free via IOSurface
iOS Physical Use After Free via IOSurface {{#include ../../banners/hacktricks-training.md}} iOS Exploit Mitigations Code…
WebKit DFG Store-Barrier UAF + ANGLE PBO OOB (iOS 26.1)
WebKit DFG Store-Barrier UAF + ANGLE PBO OOB (iOS 26.1) {{#include ../../banners/hacktricks-training.md}} Summary DFG St…
AI in Cybersecurity
AI in Cybersecurity {{#include ../banners/hacktricks-training.md}} Main Machine Learning Algorithms The best starting po…
AI-Assisted Fuzzing & Automated Vulnerability Discovery
AI-Assisted Fuzzing & Automated Vulnerability Discovery {{#include ../banners/hacktricks-training.md}} Overview Larg…
Deep Learning
Deep Learning {{#include ../banners/hacktricks-training.md}} Deep Learning Deep learning is a subset of machine learning…
Burp MCP: LLM-assisted traffic review
Burp MCP: LLM-assisted traffic review {{#include ../banners/hacktricks-training.md}} Overview Burp's MCP Server extensio…
MCP Servers
MCP Servers {{#include ../banners/hacktricks-training.md}} What is MCP - Model Context Protocol The Model Context Protoc…
Model Data Preparation & Evaluation
Model Data Preparation & Evaluation {{#include ../banners/hacktricks-training.md}} Model data preparation is a cruci…
Models RCE
Models RCE {{#include ../banners/hacktricks-training.md}} Loading models to RCE Machine Learning models are usually shar…
AI Prompts
AI Prompts {{#include ../banners/hacktricks-training.md}} Basic Information AI prompts are essential for guiding AI mode…
AI Risks
AI Risks {{#include ../banners/hacktricks-training.md}} OWASP Top 10 Machine Learning Vulnerabilities Owasp has identifi…
Supervised Learning Algorithms
Supervised Learning Algorithms {{#include ../banners/hacktricks-training.md}} Basic Information Supervised learning uses…
Unsupervised Learning Algorithms
Unsupervised Learning Algorithms {{#include ../banners/hacktricks-training.md}} Unsupervised Learning Unsupervised learn…
Reinforcement Learning Algorithms
Reinforcement Learning Algorithms {{#include ../banners/hacktricks-training.md}} Reinforcement Learning Reinforcement le…
LLM Training - Data Preparation
LLM Training - Data Preparation {{#include ../../banners/hacktricks-training.md}} These are my notes from the very recom…
0. Basic LLM Concepts
0. Basic LLM Concepts {{#include ../../banners/hacktricks-training.md}} Pretraining Pretraining is the foundational phas…
1. Tokenizing
1. Tokenizing {{#include ../../banners/hacktricks-training.md}} Tokenizing Tokenizing is the process of breaking down da…
2. Data Sampling
2. Data Sampling {{#include ../../banners/hacktricks-training.md}} Data Sampling Data Sampling is a crucial process in p…
3. Token Embeddings
3. Token Embeddings {{#include ../../banners/hacktricks-training.md}} Token Embeddings After tokenizing text data, the n…
4. Attention Mechanisms
4. Attention Mechanisms {{#include ../../banners/hacktricks-training.md}} Attention Mechanisms and Self-Attention in Neu…
5. LLM Architecture
5. LLM Architecture {{#include ../../banners/hacktricks-training.md}} LLM Architecture 💡 Tip The goal of this fifth phas…
6. Pre-training & Loading models
6. Pre-training & Loading models {{#include ../../banners/hacktricks-training.md}} Text Generation In order to train…
7.0. LoRA Improvements in fine-tuning
7.0. LoRA Improvements in fine-tuning {{#include ../../banners/hacktricks-training.md}} LoRA Improvements 💡 Tip The use …
7.1. Fine-Tuning for Classification
7.1. Fine-Tuning for Classification {{#include ../../banners/hacktricks-training.md}} What is Fine-tuning is the process…
7.2. Fine-Tuning to follow instructions
7.2. Fine-Tuning to follow instructions {{#include ../../banners/hacktricks-training.md}} 💡 Tip The goal of this section…
Reversing Tools & Basic Methods
Reversing Tools & Basic Methods {{#include ../../banners/hacktricks-training.md}} ImGui Based Reversing tools Softwa…
Angr
Angr {{#include ../../../banners/hacktricks-training.md}} Part of this cheatsheet is based on the angr documentation . I…
Angr - Examples
Angr - Examples {{#include ../../../banners/hacktricks-training.md}} 💡 Tip If the program is using `scanf` to get **seve…
Satisfiability Modulo Theories (SMT) - Z3
Satisfiability Modulo Theories (SMT) - Z3 {{#include ../../banners/hacktricks-training.md}} Very basically, this tool wi…
Cheat Engine
Cheat Engine {{#include ../../banners/hacktricks-training.md}} Cheat Engine is a useful program to find where important …
Blobrunner
Blobrunner {{#include ../../banners/hacktricks-training.md}} The only modified line from the original code is the line 1…
Common API used in Malware
Common API used in Malware {{#include ../banners/hacktricks-training.md}} Generic Networking Raw Sockets WinAPI Sockets …
Word Macros
Word Macros {{#include ../banners/hacktricks-training.md}} Junk Code It's very common to find junk code that is never us…
Crypto
Crypto {{#include ../banners/hacktricks-training.md}} This section focuses on practical cryptography for hacking/CTFs : …
Crypto CTF Workflow
Crypto CTF Workflow {{#include ../../banners/hacktricks-training.md}} Triage checklist Identify what you have: encoding …
Symmetric Crypto
Symmetric Crypto {{#include ../../banners/hacktricks-training.md}} What to look for in CTFs Mode misuse : ECB patterns, …
Hashes, MACs & KDFs
Hashes, MACs & KDFs {{#include ../../banners/hacktricks-training.md}} Common CTF patterns "Signature" is actually ha…
Public-Key Crypto
Public-Key Crypto {{#include ../../banners/hacktricks-training.md}} Most CTF hard crypto ends up here: RSA, ECC/ECDSA, l…
RSA Attacks
RSA Attacks {{#include ../../../banners/hacktricks-training.md}} Fast triage Collect: n , e , c (and any additional ciph…
TLS & Certificates
TLS & Certificates {{#include ../../banners/hacktricks-training.md}} This area is about X.509 parsing, formats, conv…
Crypto in Malware / Reverse Engineering
Crypto in Malware / Reverse Engineering {{#include ../../banners/hacktricks-training.md}} This subsection helps when you…
Crypto CTF Misc
Crypto CTF Misc {{#include ../../banners/hacktricks-training.md}} Grab-bag pages that show up a lot in crypto challenges…
Stego
Stego {{#include ../banners/hacktricks-training.md}} This section focuses on finding and extracting hidden data from fil…
Stego Workflow
Stego Workflow {{#include ../../banners/hacktricks-training.md}} Most stego problems are solved faster by systematic tri…
Image Steganography
Image Steganography {{#include ../../banners/hacktricks-training.md}} Most CTF image stego reduces to one of these bucke…
Audio Steganography
Audio Steganography {{#include ../../banners/hacktricks-training.md}} Common patterns: Spectrogram messages WAV LSB embe…
Text Steganography
Text Steganography {{#include ../../banners/hacktricks-training.md}} Look for: Unicode homoglyphs Zero-width characters …
Document Steganography
Document Steganography {{#include ../../banners/hacktricks-training.md}} Documents are often just containers: PDF (embed…
Malware & Network Stego
Malware & Network Stego {{#include ../../banners/hacktricks-training.md}} Not all steganography is pixel LSB; commod…
Interesting HTTP
Interesting HTTP {{#include ../banners/hacktricks-training.md}} Referrer headers and policy Referrer is the header used …
Rust Basics
Rust Basics {{#include ../banners/hacktricks-training.md}} Ownership of variables Memory is managed through a system of …
More tools
More tools {{#include ../banners/hacktricks-training.md}} BlueTeam https://github.com/yarox24/attack_monitor https://cap…
Hardware Hacking
Hardware Hacking {{#include ../../banners/hacktricks-training.md}} JTAG JTAG allows to perform a boundary scan. The boun…
Fault Injection Attacks
Fault Injection Attacks {{#include ../../banners/hacktricks-training.md}} Fault injections attacks includes introducing …
I2C
I2C {{#include ../../banners/hacktricks-training.md}} Bus Pirate To test a Bus Pirate is working, connect +5V with VPU a…
Side Channel Analysis Attacks
Side Channel Analysis Attacks {{#include ../../banners/hacktricks-training.md}} Side-channel attacks recover secrets by …
UART
UART {{#include ../../banners/hacktricks-training.md}} Basic Information UART is a serial protocol, which means it trans…
Radio
Radio {{#include ../../banners/hacktricks-training.md}} SigDigger SigDigger is a free digital signal analyzer for GNU/Li…
JTAG
JTAG {{#include ../../banners/hacktricks-training.md}} {{#ref}} README.md {{#endref}} JTAGenum JTAGenum is a tool you ca…
SPI
SPI {{#include ../../banners/hacktricks-training.md}} Basic Information SPI (Serial Peripheral Interface) is an Synchron…
Industrial Control Systems Hacking
Industrial Control Systems Hacking {{#include ../../banners/hacktricks-training.md}} About this Section This section con…
The Modbus Protocol
The Modbus Protocol {{#include ../../banners/hacktricks-training.md}} Introduction to Modbus Protocol The Modbus protoco…
Radio Hacking
Radio Hacking {{#include ../../banners/hacktricks-training.md}}…
Building a Portable HID MaxiProx 125 kHz Mobile Cloner
Building a Portable HID MaxiProx 125 kHz Mobile Cloner {{#include ../../banners/hacktricks-training.md}} Goal Turn a mai…
Pentesting RFID
Pentesting RFID {{#include ../../banners/hacktricks-training.md}} Introduction Radio Frequency Identification (RFID) is …
Infrared
Infrared {{#include ../../banners/hacktricks-training.md}} How the Infrared Works Infrared light is invisible to humans …
Sub-GHz RF
Sub-GHz RF {{#include ../../banners/hacktricks-training.md}} Garage Doors Garage door openers typically operate at frequ…
iButton
iButton {{#include ../../banners/hacktricks-training.md}} Intro iButton is a generic name for an electronic identificati…
Flipper Zero
Flipper Zero {{#include ../../../banners/hacktricks-training.md}} With Flipper Zero you can: Listen/Capture/Replay radio…
FZ - NFC
FZ - NFC {{#include ../../../banners/hacktricks-training.md}} Intro For info about RFID and NFC check the following page…
FZ - Sub-GHz
FZ - Sub-GHz {{#include ../../../banners/hacktricks-training.md}} Intro Flipper Zero can receive and transmit radio freq…
FZ - Infrared
FZ - Infrared {{#include ../../../banners/hacktricks-training.md}} Intro For more info about how Infrared works check: {…
FZ - iButton
FZ - iButton {{#include ../../../banners/hacktricks-training.md}} Intro For more info about what is an iButton check: {{…
FZ - 125kHz RFID
FZ - 125kHz RFID {{#include ../../../banners/hacktricks-training.md}} Intro For more info about how 125kHz tags work che…
Proxmark 3
Proxmark 3 {{#include ../../banners/hacktricks-training.md}} Attacking RFID Systems with Proxmark3 The first thing you n…
FISSURE - The RF Framework
FISSURE - The RF Framework {{#include ../../banners/hacktricks-training.md}} Frequency Independent SDR-based Signal Unde…
Low-Power Wide Area Network
Low-Power Wide Area Network {{#include ../../banners/hacktricks-training.md}} Introduction Low-Power Wide Area Network (…
Pentesting BLE - Bluetooth Low Energy
Pentesting BLE - Bluetooth Low Energy {{#include ../../banners/hacktricks-training.md}} Introduction Available since the…
Test LLMs
Test LLMs {{#include ../banners/hacktricks-training.md}} Run & train models locally Hugging Face Transformers Huggin…
Burp Suite
Burp Suite {{#include ../banners/hacktricks-training.md}} Basic Payloads Simple List: Just a list containing an entry in…
Other Web Tricks
Other Web Tricks {{#include ../banners/hacktricks-training.md}} Host header Several times the back-end trust the Host he…
Android Forensics
Android Forensics {{#include ../banners/hacktricks-training.md}} Locked Device To start extracting data from an Android …
Online Platforms with API
Online Platforms with API {{#include ../banners/hacktricks-training.md}} ProjectHoneypot You can ask if an IP is related…
Stealing Sensitive Information Disclosure from a Web
Stealing Sensitive Information Disclosure from a Web {{#include ../banners/hacktricks-training.md}} If at some point you…
Post Exploitation
Post Exploitation {{#include ../banners/hacktricks-training.md}} Local l00t PEASS-ng : These scripts, apart for looking …
Investment Terms
Investment Terms {{#include ../banners/hacktricks-training.md}} Spot This is the most basic way to do some trading. You …
Cookies Policy
Cookies Policy Last updated: 02/04/2023 Introduction This Cookies Policy applies to the following websites owned and ope…