Introduction
1. Methodology Flowchart
2. CVE Database
3. Recon & Scanning
4. Port Enumeration
   4.1. FTP (21)
   4.2. SSH (22)
   4.3. DNS (53)
   4.4. SMTP (25/465/587)
   4.5. POP3 (110/995) / IMAP (143/993)
   4.6. SMB (139/445)
   4.7. SNMP (161 UDP)
   4.8. LDAP (389/636)
   4.9. NFS (2049)
   4.10. RPC (111/135)
   4.11. MySQL (3306)
   4.12. MSSQL (1433)
   4.13. RDP (3389)
   4.14. WinRM (5985/5986)
   4.15. Redis (6379)
5. Web Enumeration
6. Web Attacks
   6.1. LOCAL FILE INCLUSION (LFI)
   6.2. REMOTE FILE INCLUSION (RFI)
   6.3. SQL INJECTION
   6.4. COMMAND INJECTION
   6.5. FILE UPLOAD ATTACKS
   6.6. AUTHENTICATION ATTACKS
   6.7. SERVER-SIDE TEMPLATE INJECTION (SSTI)
   6.8. XML EXTERNAL ENTITY (XXE)
   6.9. DESERIALIZATION
   6.10. REVERSE SHELLS & PAYLOADS
7. Common Applications
   7.1. Web Servers & Frameworks
      7.1.1. Apache / Nginx
      7.1.2. IIS
      7.1.3. Node.js / Express
      7.1.4. Flask / Django
      7.1.5. PHP
   7.2. CMS Platforms
      7.2.1. WordPress
      7.2.2. Drupal
      7.2.3. Joomla
      7.2.4. CMS Made Simple
      7.2.5. Magento
      7.2.6. Moodle
   7.3. Application Servers & Admin Panels
      7.3.1. Apache Tomcat
      7.3.2. Jenkins
      7.3.3. GitLab
      7.3.4. Webmin
      7.3.5. Grafana
      7.3.6. phpMyAdmin
      7.3.7. PostgreSQL / pgAdmin
      7.3.8. Elasticsearch / Kibana
      7.3.9. Nagios
      7.3.10. Splunk
      7.3.11. Docker API
   7.4. Service-Specific Exploits
      7.4.1. ProFTPD
      7.4.2. vsftpd 2.3.4
      7.4.3. Samba
      7.4.4. Exim
      7.4.5. Dovecot
      7.4.6. OpenSSH
      7.4.7. CUPS (Printing)
8. Linux Privilege Escalation
   8.1. AUTOMATED ENUMERATION
   8.2. SYSTEM INFORMATION
   8.3. SUDO
   8.4. SUID / SGID BINARIES
   8.5. CRON JOBS
   8.6. FILE PERMISSIONS & CAPABILITIES
   8.7. PATH HIJACK & LIBRARY HIJACKING
   8.8. WILDCARD INJECTION
   8.9. KERNEL EXPLOITS
   8.10. DOCKER / LXD / CONTAINER ESCAPE
   8.11. NFS & INTERNAL SERVICES
9. Windows Privilege Escalation
   9.1. AUTOMATED ENUMERATION
   9.2. SYSTEM INFORMATION
   9.3. TOKEN PRIVILEGES (POTATO ATTACKS)
   9.4. SERVICE MISCONFIGURATIONS
   9.5. SERVICE CREATION & PERSISTENCE
   9.6. REGISTRY & AUTOLOGON
   9.7. CREDENTIAL HUNTING
   9.8. SCHEDULED TASKS
   9.9. KERNEL EXPLOITS
10. Active Directory
   10.1. AD ENUMERATION (FROM FOOTHOLD)
   10.2. BLOODHOUND
   10.3. KERBEROASTING
   10.4. AS-REP ROASTING
   10.5. PASSWORD SPRAYING
   10.6. NTLM RELAY & RESPONDER
   10.7. LATERAL MOVEMENT
   10.8. DELEGATION ATTACKS
   10.9. PRINTNIGHTMARE (CVE-2021-1675)
   10.10. DOMAIN ESCALATION TO DA
   10.11. TICKET ATTACKS (GOLDEN / SILVER)
   10.12. POST-EXPLOITATION (AFTER DA)
11. Pivoting & Tunneling
   11.1. IDENTIFY PIVOT TARGETS
   11.2. SSH TUNNELING
   11.3. CHISEL (NO SSH NEEDED)
   11.4. LIGOLO-NG (ADVANCED PIVOTING)
   11.5. WINDOWS PORT FORWARDING
   11.6. PROXYCHAINS CONFIGURATION
12. Buffer Overflow
13. Password Attacks
14. Payload Generation
15. Client-Side Attacks
16. File Transfers
17. Compiling Exploits
18. Restricted Shell Escapes
19. Port Knocking
20. Steganography
21. Persistence
22. Quick Reference
23. Speed Hacks
   23.1. PARALLEL SCANNING
   23.2. ONE-LINER CHAINS
   23.3. SMART WORDLIST SELECTION
   23.4. SHORTCUTS & TRICKS
24. Decision Trees
25. Rabbit Hole Warnings
26. Credential Tracking
27. Vulnerability Research
Offensive Security Resources
🏢 Active Directory
Domain enumeration from an initial foothold, Kerberos attacks (Kerberoasting and AS-REP roasting), password spraying, lateral movement, escalation to Domain Admin, and post-exploitation once DA is obtained.
AD ENUMERATION (FROM FOOTHOLD)
KERBEROASTING
AS-REP ROASTING
PASSWORD SPRAYING
LATERAL MOVEMENT
DOMAIN ESCALATION TO DA
POST-EXPLOITATION (AFTER DA)