SUMMARY.md

👾 Welcome!

• HackTricks
• HackTricks Values & FAQ
• About the author

🤩 Generic Methodologies & Resources

• Pentesting Methodology
• External Recon Methodology
• Wide Source Code Search
• Github Dorks & Leaks
• Pentesting Network
• DHCPv6
• EIGRP Attacks
• GLBP & HSRP Attacks
• IDS and IPS Evasion
• Lateral VLAN Segmentation Bypass
• Network Protocols Explained (ESP)
• Nmap Summary (ESP)
• Pentesting IPv6
• WebRTC DoS
• Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
• Spoofing SSDP and UPnP Devices with EvilSSDP
• Pentesting Wifi
• Evil Twin EAP-TLS
• Phishing Methodology
• Clone a Website
• Detecting Phishing
• Phishing Files & Documents
• Basic Forensic Methodology
• Baseline Monitoring
• Anti-Forensic Techniques
• Docker Forensics
• Image Acquisition & Mount
• Linux Forensics
• Malware Analysis
• Memory dump analysis
  • Volatility - CheatSheet
• Partitions/File Systems/Carving
  • File/Data Carving & Recovery Tools
• Pcap Inspection
  • DNSCat pcap analysis
  • Suricata & Iptables cheatsheet
  • USB Keystrokes
  • Wifi Pcap Analysis
  • Wireshark tricks
• Specific Software/File-Type Tricks
  • Decompile compiled python binaries (exe, elf) - Retreive from .pyc
  • Browser Artifacts
  • Deofuscation vbs (cscript.exe)
  • Local Cloud Storage
  • Office file analysis
  • PDF File analysis
  • PNG tricks
  • Video and Audio file analysis
  • ZIPs tricks
• Windows Artifacts
  • Interesting Windows Registry Keys
• Python Sandbox Escape & Pyscript
• Bypass Python sandboxes
  • LOAD_NAME / LOAD_CONST opcode OOB Read
• Class Pollution (Python's Prototype Pollution)
• Python Internal Read Gadgets
• Pyscript
• venv
• Web Requests
• Bruteforce hash (few chars)
• Basic Python
• Threat Modeling

🧙‍♂️ Generic Hacking

• Brute Force - CheatSheet
• Exfiltration
• Reverse Shells (Linux, Windows, MSFVenom)
• MSFVenom - CheatSheet
• Reverse Shells - Windows
• Reverse Shells - Linux
• Expose local to the internet
• Full TTYs
• Search Exploits
• Tunneling and Port Forwarding

🐧 Linux Hardening

• Checklist - Linux Privilege Escalation
• Linux Privilege Escalation
• Arbitrary File Write to Root
• Cisco - vmanage
• Containerd (ctr) Privilege Escalation
• D-Bus Enumeration & Command Injection Privilege Escalation
• Docker Security
  • Abusing Docker Socket for Privilege Escalation
  • AppArmor
  • AuthZ& AuthN - Docker Access Authorization Plugin
  • CGroups
  • Docker --privileged
  • Docker Breakout / Privilege Escalation
  • release_agent exploit - Relative Paths to PIDs
  • Docker release_agent cgroups escape
  • Sensitive Mounts
  • Namespaces
  • CGroup Namespace
  • IPC Namespace
  • PID Namespace
  • Mount Namespace
  • Network Namespace
  • Time Namespace
  • User Namespace
  • UTS Namespace
  • Seccomp
  • Weaponizing Distroless
• Escaping from Jails
• euid, ruid, suid
• Interesting Groups - Linux Privesc
  • lxd/lxc Group - Privilege escalation
• Logstash
• ld.so privesc exploit example
• Linux Active Directory
• Linux Capabilities
• NFS no_root_squash/no_all_squash misconfiguration PE
• Node inspector/CEF debug abuse
• Payloads to execute
• RunC Privilege Escalation
• SELinux
• Socket Command Injection
• Splunk LPE and Persistence
• SSH Forward Agent exploitation
• Wildcards Spare tricks
• Useful Linux Commands
• Bypass Linux Restrictions
• Bypass FS protections: read-only / no-exec / Distroless
  • DDexec / EverythingExec
• Linux Environment Variables
• Linux Post-Exploitation
• PAM - Pluggable Authentication Modules
• FreeIPA Pentesting

🍏 MacOS Hardening

• macOS Security & Privilege Escalation
• macOS Apps - Inspecting, debugging and Fuzzing
  • Objects in memory
  • Introduction to x64
  • Introduction to ARM64v8
• macOS AppleFS
• macOS Bypassing Firewalls
• macOS Defensive Apps
• macOS GCD - Grand Central Dispatch
• macOS Kernel & System Extensions
  • macOS IOKit
  • macOS Kernel Extensions & Debugging
  • macOS Kernel Vulnerabilities
  • macOS System Extensions
• macOS Network Services & Protocols
• macOS File Extension & URL scheme app handlers
• macOS Files, Folders, Binaries & Memory
  • macOS Bundles
  • macOS Installers Abuse
  • macOS Memory Dumping
  • macOS Sensitive Locations & Interesting Daemons
  • macOS Universal binaries & Mach-O Format
• macOS Objective-C
• macOS Privilege Escalation
• macOS Process Abuse
  • macOS Dirty NIB
  • macOS Chromium Injection
  • macOS Electron Applications Injection
  • macOS Function Hooking
  • macOS IPC - Inter Process Communication
  • macOS MIG - Mach Interface Generator
  • macOS XPC
    • macOS XPC Authorization
    • macOS XPC Connecting Process Check
    • macOS PID Reuse
    • macOS xpc_connection_get_audit_token Attack
  • macOS Thread Injection via Task port
  • macOS Java Applications Injection
  • macOS Library Injection
  • macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
  • macOS Dyld Process
  • macOS Perl Applications Injection
  • macOS Python Applications Injection
  • macOS Ruby Applications Injection
  • macOS .Net Applications Injection
• macOS Security Protections
  • macOS Gatekeeper / Quarantine / XProtect
  • macOS Launch/Environment Constraints & Trust Cache
  • macOS Sandbox
  • macOS Default Sandbox Debug
  • macOS Sandbox Debug & Bypass
    • macOS Office Sandbox Bypasses
  • macOS Authorizations DB & Authd
  • macOS SIP
  • macOS TCC
  • macOS Apple Events
  • macOS TCC Bypasses
    • macOS Apple Scripts
  • macOS TCC Payloads
  • macOS Dangerous Entitlements & TCC perms
  • macOS - AMFI - AppleMobileFileIntegrity
  • macOS MACF - Mandatory Access Control Framework
  • macOS Code Signing
  • macOS FS Tricks
  • macOS xattr-acls extra stuff
• macOS Users & External Accounts
• macOS Red Teaming
• macOS MDM
  • Enrolling Devices in Other Organisations
  • macOS Serial Number
• macOS Keychain
• macOS Useful Commands
• macOS Auto Start

🪟 Windows Hardening

• Checklist - Local Windows Privilege Escalation
• Windows Local Privilege Escalation
• Abusing Tokens
• Access Tokens
• ACLs - DACLs/SACLs/ACEs
• AppendData/AddSubdirectory permission over service registry
• Create MSI with WIX
• COM Hijacking
• Dll Hijacking
  • Writable Sys Path +Dll Hijacking Privesc
• DPAPI - Extracting Passwords
• From High Integrity to SYSTEM with Name Pipes
• Integrity Levels
• JuicyPotato
• Leaked Handle Exploitation
• MSI Wrapper
• Named Pipe Client Impersonation
• Privilege Escalation with Autoruns
• RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
• SeDebug + SeImpersonate copy token
• SeImpersonate from High To System
• Windows C Payloads
• Active Directory Methodology
• Abusing Active Directory ACLs/ACEs
  • Shadow Credentials
• AD Certificates
  • AD CS Account Persistence
  • AD CS Domain Escalation
  • AD CS Domain Persistence
  • AD CS Certificate Theft
• AD information in printers
• AD DNS Records
• ASREPRoast
• BloodHound & Other AD Enum Tools
• Constrained Delegation
• Custom SSP
• DCShadow
• DCSync
• Diamond Ticket
• DSRM Credentials
• External Forest Domain - OneWay (Inbound) or bidirectional
• External Forest Domain - One-Way (Outbound)
• Golden Ticket
• Kerberoast
• Kerberos Authentication
• Kerberos Double Hop Problem
• LAPS
• MSSQL AD Abuse
• Over Pass the Hash/Pass the Key
• Pass the Ticket
• Password Spraying / Brute Force
• PrintNightmare
• Force NTLM Privileged Authentication
• Privileged Groups
• RDP Sessions Abuse
• Resource-based Constrained Delegation
• Security Descriptors
• SID-History Injection
• Silver Ticket
• Skeleton Key
• Unconstrained Delegation
• Windows Security Controls
• UAC - User Account Control
• NTLM
• Places to steal NTLM creds
• Lateral Movement
• AtExec / SchtasksExec
• DCOM Exec
• PsExec/Winexec/ScExec
• SmbExec/ScExec
• WinRM
• WmiExec
• Pivoting to the Cloud$$external:https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements$$
• Stealing Windows Credentials
• Windows Credentials Protections
• Mimikatz
• WTS Impersonator
• Basic Win CMD for Pentesters
• Basic PowerShell for Pentesters
• PowerView/SharpView
• Antivirus (AV) Bypass
• Cobalt Strike

📱 Mobile Pentesting

• Android APK Checklist
• Android Applications Pentesting
• Android Applications Basics
• Android Task Hijacking
• ADB Commands
• APK decompilers
• AVD - Android Virtual Device
• Bypass Biometric Authentication (Android)
• content:// protocol
• Drozer Tutorial
  • Exploiting Content Providers
• Exploiting a debuggeable application
• Frida Tutorial
  • Frida Tutorial 1
  • Frida Tutorial 2
  • Frida Tutorial 3
  • Objection Tutorial
• Google CTF 2018 - Shall We Play a Game?
• Install Burp Certificate
• Intent Injection
• Make APK Accept CA Certificate
• Manual DeObfuscation
• React Native Application
• Reversing Native Libraries
• Smali - Decompiling/[Modifying]/Compiling
• Spoofing your location in Play Store
• Tapjacking
• Webview Attacks
• iOS Pentesting Checklist
• iOS Pentesting
• iOS App Extensions
• iOS Basics
• iOS Basic Testing Operations
• iOS Burp Suite Configuration
• iOS Custom URI Handlers / Deeplinks / Custom Schemes
• iOS Extracting Entitlements From Compiled Application
• iOS Frida Configuration
• iOS Hooking With Objection
• iOS Protocol Handlers
• iOS Serialisation and Encoding
• iOS Testing Environment
• iOS UIActivity Sharing
• iOS Universal Links
• iOS UIPasteboard
• iOS WebViews
• Cordova Apps
• Xamarin Apps

👽 Network Services Pentesting

• Pentesting JDWP - Java Debug Wire Protocol
• Pentesting Printers$$external:http://hacking-printers.net/wiki/index.php/Main_Page$$
• Pentesting SAP
• Pentesting VoIP
• Basic VoIP Protocols
  • SIP (Session Initiation Protocol)
• Pentesting Remote GdbServer
• 7/tcp/udp - Pentesting Echo
• 21 - Pentesting FTP
• FTP Bounce attack - Scan
• FTP Bounce - Download 2ºFTP file
• 22 - Pentesting SSH/SFTP
• 23 - Pentesting Telnet
• 25,465,587 - Pentesting SMTP/s
• SMTP Smuggling
• SMTP - Commands
• 43 - Pentesting WHOIS
• 49 - Pentesting TACACS+
• 53 - Pentesting DNS
• 69/UDP TFTP/Bittorrent-tracker
• 79 - Pentesting Finger
• 80,443 - Pentesting Web Methodology
• 403 & 401 Bypasses
• AEM - Adobe Experience Cloud
• Angular
• Apache
• Artifactory Hacking guide
• Bolt CMS
• Buckets
  • Firebase Database
• CGI
• DotNetNuke (DNN)
• Drupal
  • Drupal RCE
• Electron Desktop Apps
  • Electron contextIsolation RCE via preload code
  • Electron contextIsolation RCE via Electron internal code
  • Electron contextIsolation RCE via IPC
• Flask
• NextJS
• NodeJS Express
• Git
• Golang
• GWT - Google Web Toolkit
• Grafana
• GraphQL
• H2 - Java SQL database
• IIS - Internet Information Services
• ImageMagick Security
• JBOSS
• Jira & Confluence
• Joomla
• JSP
• Laravel
• Moodle
• Nginx
• NextJS
• PHP Tricks
  • PHP - Useful Functions & disable_functions/open_basedir bypass
  • disable_functions bypass - php-fpm/FastCGI
  • disable_functions bypass - dl function
  • disable_functions bypass - PHP 7.0-7.4 (-nix only)
  • disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
  • disable_functions - PHP 5.x Shellshock Exploit
  • disable_functions - PHP 5.2.4 ionCube extension Exploit
  • disable_functions bypass - PHP <= 5.2.9 on windows
  • disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
  • disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
  • disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
  • disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
  • disable_functions bypass - PHP 5.2 - FOpen Exploit
  • disable_functions bypass - via mem
  • disable_functions bypass - mod_cgi
  • disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
  • PHP - RCE abusing object creation: new $_GET["a"]($_GET["b"])
  • PHP SSRF
• PrestaShop
• Python
• Rocket Chat
• Special HTTP headers$$external:network-services-pentesting/pentesting-web/special-http-headers.md$$
• Source code Review / SAST Tools
• Spring Actuators
• Symfony
• Tomcat
• Uncovering CloudFlare
• VMWare (ESX, VCenter...)
• Web API Pentesting
• WebDav
• Werkzeug / Flask Debug
• Wordpress
• 88tcp/udp - Pentesting Kerberos
• Harvesting tickets from Windows
• Harvesting tickets from Linux
• 110,995 - Pentesting POP
• 111/TCP/UDP - Pentesting Portmapper
• 113 - Pentesting Ident
• 123/udp - Pentesting NTP
• 135, 593 - Pentesting MSRPC
• 137,138,139 - Pentesting NetBios
• 139,445 - Pentesting SMB
• rpcclient enumeration
• 143,993 - Pentesting IMAP
• 161,162,10161,10162/udp - Pentesting SNMP
• Cisco SNMP
• SNMP RCE
• 194,6667,6660-7000 - Pentesting IRC
• 264 - Pentesting Check Point FireWall-1
• 389, 636, 3268, 3269 - Pentesting LDAP
• 500/udp - Pentesting IPsec/IKE VPN
• 502 - Pentesting Modbus
• 512 - Pentesting Rexec
• 513 - Pentesting Rlogin
• 514 - Pentesting Rsh
• 515 - Pentesting Line Printer Daemon (LPD)
• 548 - Pentesting Apple Filing Protocol (AFP)
• 554,8554 - Pentesting RTSP
• 623/UDP/TCP - IPMI
• 631 - Internet Printing Protocol(IPP)
• 700 - Pentesting EPP
• 873 - Pentesting Rsync
• 1026 - Pentesting Rusersd
• 1080 - Pentesting Socks
• 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
• 1414 - Pentesting IBM MQ
• 1433 - Pentesting MSSQL - Microsoft SQL Server
• Types of MSSQL Users
• 1521,1522-1529 - Pentesting Oracle TNS Listener
• 1723 - Pentesting PPTP
• 1883 - Pentesting MQTT (Mosquitto)
• 2049 - Pentesting NFS Service
• 2301,2381 - Pentesting Compaq/HP Insight Manager
• 2375, 2376 Pentesting Docker
• 3128 - Pentesting Squid
• 3260 - Pentesting ISCSI
• 3299 - Pentesting SAPRouter
• 3306 - Pentesting Mysql
• 3389 - Pentesting RDP
• 3632 - Pentesting distcc
• 3690 - Pentesting Subversion (svn server)
• 3702/UDP - Pentesting WS-Discovery
• 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
• 4786 - Cisco Smart Install
• 4840 - OPC Unified Architecture
• 5000 - Pentesting Docker Registry
• 5353/UDP Multicast DNS (mDNS) and DNS-SD
• 5432,5433 - Pentesting Postgresql
• 5439 - Pentesting Redshift
• 5555 - Android Debug Bridge
• 5601 - Pentesting Kibana
• 5671,5672 - Pentesting AMQP
• 5800,5801,5900,5901 - Pentesting VNC
• 5984,6984 - Pentesting CouchDB
• 5985,5986 - Pentesting WinRM
• 5985,5986 - Pentesting OMI
• 6000 - Pentesting X11
• 6379 - Pentesting Redis
• 8009 - Pentesting Apache JServ Protocol (AJP)
• 8086 - Pentesting InfluxDB
• 8089 - Pentesting Splunkd
• 8333,18333,38333,18444 - Pentesting Bitcoin
• 9000 - Pentesting FastCGI
• 9001 - Pentesting HSQLDB
• 9042/9160 - Pentesting Cassandra
• 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
• 9200 - Pentesting Elasticsearch
• 10000 - Pentesting Network Data Management Protocol (ndmp)
• 11211 - Pentesting Memcache
• Memcache Commands
• 15672 - Pentesting RabbitMQ Management
• 24007,24008,24009,49152 - Pentesting GlusterFS
• 27017,27018 - Pentesting MongoDB
• 44134 - Pentesting Tiller (Helm)
• 44818/UDP/TCP - Pentesting EthernetIP
• 47808/udp - Pentesting BACNet
• 50030,50060,50070,50075,50090 - Pentesting Hadoop

🕸️ Pentesting Web

• Web Vulnerabilities Methodology
• Reflecting Techniques - PoCs and Polygloths CheatSheet
• Web Vulns List
• 2FA/MFA/OTP Bypass
• Account Takeover
• Browser Extension Pentesting Methodology
• BrowExt - ClickJacking
• BrowExt - permissions & host_permissions
• BrowExt - XSS Example
• Bypass Payment Process
• Captcha Bypass
• Cache Poisoning and Cache Deception
• Cache Poisoning via URL discrepancies
• Cache Poisoning to DoS
• Clickjacking
• Client Side Template Injection (CSTI)
• Client Side Path Traversal
• Command Injection
• Content Security Policy (CSP) Bypass
• CSP bypass: self + 'unsafe-inline' with Iframes
• Cookies Hacking
• Cookie Tossing
• Cookie Jar Overflow
• Cookie Bomb
• CORS - Misconfigurations & Bypass
• CRLF (%0D%0A) Injection
• CSRF (Cross Site Request Forgery)
• Dangling Markup - HTML scriptless injection
• SS-Leaks
• Dependency Confusion
• Deserialization
• NodeJS - __proto__ & prototype Pollution
  • Client Side Prototype Pollution
  • Express Prototype Pollution Gadgets
  • Prototype Pollution to RCE
• Java JSF ViewState (.faces) Deserialization
• Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
• Basic Java Deserialization (ObjectInputStream, readObject)
• PHP - Deserialization + Autoload Classes
• CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
• Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
• Exploiting __VIEWSTATE knowing the secrets
• Exploiting __VIEWSTATE without knowing the secrets
• Python Yaml Deserialization
• JNDI - Java Naming and Directory Interface & Log4Shell
• Ruby Class Pollution
• Domain/Subdomain takeover
• Email Injections
• File Inclusion/Path traversal
• phar:// deserialization
• LFI2RCE via PHP Filters
• LFI2RCE via Nginx temp files
• LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
• LFI2RCE via Segmentation Fault
• LFI2RCE via phpinfo()
• LFI2RCE Via temp file uploads
• LFI2RCE via Eternal waiting
• LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure
• File Upload
• PDF Upload - XXE and CORS bypass
• Formula/CSV/Doc/LaTeX/GhostScript Injection
• gRPC-Web Pentest
• HTTP Connection Contamination
• HTTP Connection Request Smuggling
• HTTP Request Smuggling / HTTP Desync Attack
• Browser HTTP Request Smuggling
• Request Smuggling in HTTP/2 Downgrades
• HTTP Response Smuggling / Desync
• Upgrade Header Smuggling
• hop-by-hop headers
• IDOR
• JWT Vulnerabilities (Json Web Tokens)
• LDAP Injection
• Login Bypass
• Login bypass List
• NoSQL injection
• OAuth to Account takeover
• Open Redirect
• ORM Injection
• Parameter Pollution | JSON Injection
• Phone Number Injections
• PostMessage Vulnerabilities
• Blocking main page to steal postmessage
• Bypassing SOP with Iframes - 1
• Bypassing SOP with Iframes - 2
• Steal postmessage modifying iframe location
• Proxy / WAF Protections Bypass
• Race Condition
• Rate Limit Bypass
• Registration & Takeover Vulnerabilities
• Regular expression Denial of Service - ReDoS
• Reset/Forgotten Password Bypass
• Reverse Tab Nabbing
• SAML Attacks
• SAML Basics
• Server Side Inclusion/Edge Side Inclusion Injection
• SQL Injection
• MS Access SQL Injection
• MSSQL Injection
• MySQL injection
  • MySQL File priv to SSRF/RCE
• Oracle injection
• Cypher Injection (neo4j)
• PostgreSQL injection
  • dblink/lo_import data exfiltration
  • PL/pgSQL Password Bruteforce
  • Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
  • Big Binary Files Upload (PostgreSQL)
  • RCE with PostgreSQL Languages
  • RCE with PostgreSQL Extensions
• SQLMap - CheatSheet
  • Second Order Injection - SQLMap
• SSRF (Server Side Request Forgery)
• URL Format Bypass
• SSRF Vulnerable Platforms
• Cloud SSRF
• SSTI (Server Side Template Injection)
• EL - Expression Language
• Jinja2 SSTI
• Timing Attacks
• Unicode Injection
• Unicode Normalization
• UUID Insecurities
• WebSocket Attacks
• Web Tool - WFuzz
• XPATH injection
• XSLT Server Side Injection (Extensible Stylesheet Language Transformations)
• XXE - XEE - XML External Entity
• XSS (Cross Site Scripting)
• Abusing Service Workers
• Chrome Cache to XSS
• Debugging Client Side JS
• Dom Clobbering
• DOM Invader
• DOM XSS
• Iframes in XSS, CSP and SOP
• Integer Overflow
• JS Hoisting
• Misc JS Tricks & Relevant Info
• PDF Injection
• Server Side XSS (Dynamic PDF)
• Shadow DOM
• SOME - Same Origin Method Execution
• Sniff Leak
• Steal Info JS
• XSS in Markdown
• XSSI (Cross-Site Script Inclusion)
• XS-Search/XS-Leaks
• Connection Pool Examples
• Connection Pool by Destination Example
• Cookie Bomb + Onerror XS Leak
• URL Max Length - Client Side
• performance.now example
• performance.now + Force heavy task
• Event Loop Blocking + Lazy images
• JavaScript Execution XS Leak
• CSS Injection
  • CSS Injection Code
• Iframe Traps

⛈️ Cloud Security

• Pentesting Kubernetes$$external:https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security$$
• Pentesting Cloud (AWS, GCP, Az...)$$external:https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology$$
• Pentesting CI/CD (Github, Jenkins, Terraform...)$$external:https://cloud.hacktricks.xyz/pentesting-ci-cd/pentesting-ci-cd-methodology$$

😎 Hardware/Physical Access

• Physical Attacks
• Escaping from KIOSKs
• Firmware Analysis
• Bootloader testing
• Firmware Integrity

🎯 Binary Exploitation

• Basic Stack Binary Exploitation Methodology
• ELF Basic Information
• Exploiting Tools
  • PwnTools
• Stack Overflow
• Pointer Redirecting
• Ret2win
  • Ret2win - arm64
• Stack Shellcode
  • Stack Shellcode - arm64
• Stack Pivoting - EBP2Ret - EBP chaining
• Uninitialized Variables
• ROP - Return Oriented Programing
• BROP - Blind Return Oriented Programming
• Ret2csu
• Ret2dlresolve
• Ret2esp / Ret2reg
• Ret2lib
  • Leaking libc address with ROP
  • Leaking libc - template
  • One Gadget
  • Ret2lib + Printf leak - arm64
• Ret2syscall
  • Ret2syscall - ARM64
• Ret2vDSO
• SROP - Sigreturn-Oriented Programming
  • SROP - ARM64
• Array Indexing
• Integer Overflow
• Format Strings
• Format Strings - Arbitrary Read Example
• Format Strings Template
• Libc Heap
• Bins & Memory Allocations
• Heap Memory Functions
  • free
  • malloc & sysmalloc
  • unlink
  • Heap Functions Security Checks
• Use After Free
  • First Fit
• Double Free
• Overwriting a freed chunk
• Heap Overflow
• Unlink Attack
• Fast Bin Attack
• Unsorted Bin Attack
• Large Bin Attack
• Tcache Bin Attack
• Off by one overflow
• House of Spirit
• House of Lore | Small bin Attack
• House of Einherjar
• House of Force
• House of Orange
• House of Rabbit
• House of Roman
• Common Binary Exploitation Protections & Bypasses
• ASLR
  • Ret2plt
  • Ret2ret & Reo2pop
• CET & Shadow Stack
• Libc Protections
• Memory Tagging Extension (MTE)
• No-exec / NX
• PIE
  • BF Addresses in the Stack
• Relro
• Stack Canaries
  • BF Forked & Threaded Stack Canaries
  • Print Stack Canary
• Write What Where 2 Exec
• WWW2Exec - atexit()
• WWW2Exec - .dtors & .fini_array
• WWW2Exec - GOT/PLT
• WWW2Exec - __malloc_hook & __free_hook
• Common Exploiting Problems
• Windows Exploiting (Basic Guide - OSCP lvl)
• iOS Exploiting

🔩 Reversing

• Reversing Tools & Basic Methods
• Angr
  • Angr - Examples
• Z3 - Satisfiability Modulo Theories (SMT)
• Cheat Engine
• Blobrunner
• Common API used in Malware
• Word Macros

🔮 Crypto & Stego

• Cryptographic/Compression Algorithms
• Unpacking binaries
• Certificates
• Cipher Block Chaining CBC-MAC
• Crypto CTFs Tricks
• Electronic Code Book (ECB)
• Hash Length Extension Attack
• Padding Oracle
• RC4 - Encrypt\&Decrypt
• Stego Tricks
• Esoteric languages
• Blockchain & Crypto Currencies

✍️ TODO

• Other Big References
• Rust Basics
• More Tools
• MISC
• Pentesting DNS
• Hardware Hacking
• I2C
• UART
• Radio
• JTAG
• SPI
• Industrial Control Systems Hacking
• Modbus Protocol
• Radio Hacking
• Pentesting RFID
• Infrared
• Sub-GHz RF
• iButton
• Flipper Zero
  • FZ - NFC
  • FZ - Sub-GHz
  • FZ - Infrared
  • FZ - iButton
  • FZ - 125kHz RFID
• Proxmark 3
• FISSURE - The RF Framework
• Low-Power Wide Area Network
• Pentesting BLE - Bluetooth Low Energy
• Industrial Control Systems Hacking
• Test LLMs
• LLM Training
• 0. Basic LLM Concepts
• 1. Tokenizing
• 2. Data Sampling
• 3. Token Embeddings
• 4. Attention Mechanisms
• 5. LLM Architecture
• 6. Pre-training & Loading models
• 7.0. LoRA Improvements in fine-tuning
• 7.1. Fine-Tuning for Classification
• 7.2. Fine-Tuning to follow instructions
• Burp Suite
• Other Web Tricks
• Interesting HTTP$$external:todo/interesting-http.md$$
• Android Forensics
• TR-069
• 6881/udp - Pentesting BitTorrent
• Online Platforms with API
• Stealing Sensitive Information Disclosure from a Web
• Post Exploitation
• Investment Terms
• Cookies Policy