This repository contains resources for ethical hackers and penetration testers. It may contain files, tools, books and links that are to be used for good purposes only. Do not do any illegal work using these sources.
This is only for keeping some resources and topics in one place so they are easy to access.
Find my list of 350+ TryHackMe rooms here
- Book List
- Everything You Need to Know to Become a HACKER
- PART I: THE ESSENTIALS
- PART II: GLOSSARY
- Why is HTML important in pen-testing?
- Why Kali Linux and why in a Virtual Machine (VM)?
- Why learn Debian commands?
- Why use Tor, ProxyChains, Whonix or a VPN?
- Why use nmap, Burp-Suite and SQLMAP?
- Why learn to use the Metasploit Framework?
- Why understand WEP/WPA?
- Why master the air-ng suite (use for wireless hacking)?
- Why learn how to perform MITM (man in the middle) attacks, sniff networks and tamper data?
- What is Brute-forcing?
- Why learn XSS, LFI, RFI?
- What is a backdoor in Pen-testing?
- Links of Different Topics
Topics
- Attacking HTTPS with Cache Injection
- Bruteforce of PHPSESSID
- Blended Threats and JavaScript
- Broken Authentication and Session Management
- CAPTCHA Re-Riding Attack
- Chronofeit Phishing
- Click Jacking Attacks
- Cookie Eviction
- Cookie Poisoning
- Cross-Site Port Attacks
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Cross Site Scripting Attacks
- Bypassing CSRF protections with Click Jacking and
- Denial of Service Attack
- Direct OS Code Injection
- DNS Cache Poisoning
- EverCookie
- Fooling B64_Encode(Payload) on WAFs And Filters
- Generic Cross-Browser Cross-Domain theft
- Hibernate Query Language Injection
- HTTP Parameter Pollution
- Improving HTTPS Side Channel Attacks
- Insecure Direct Object References
- Local file inclusion
- Lost in Translation
- MitM DNS Rebinding SSL/TLS Wildcards and XSS
- Missing Function Level Access Control
- MySQL Stacked Queries with SQL Injection
- NAT Pinning
- Next Generation Click Jacking
- Persistent Cross Interface Attacks
- PHPwn
- Posting Raw XML cross-domain
- Quick Proxy Detection
- Remote Code Execution Attacks
- Remote File inclusion
- Security Misconfiguration
- Sensitive Data Exposure
- Side Channel Attacks in SSL
- SQL Injection Attack
- SQLi Filter Evasion Cheat Sheet (MySQL)
- SSRF
- Stroke Jacking
- Stroke triggered XSS and Stroke Jacking
- Symlinking: An Insider Attack
- Tap Jacking
- Tabnabbing
- Turning XSS into Clickjacking
- UI Redressing
- Unvalidated Redirects and Forwards
- URL Hijacking
- Using Components with Known Vulnerabilities
- XML Entity Injection
- XSHM
- XSS - Track
- XSSing Client-Side Dynamic HTML
From Beginner to Expert TryHackMe Walkthrough
# Level 1 - Intro
- OpenVPN https://tryhackme.com/room/openvpn
- Welcome https://tryhackme.com/jr/welcome
- Intro to Researching https://tryhackme.com/room/introtoresearch
- Learn Linux https://tryhackme.com/room/zthlinux
- Crash Course Pentesting https://tryhackme.com/room/ccpentesting
- Introductory CTFs to get your feet wet
- Google Dorking https://tryhackme.com/room/googledorking
- OHsint https://tryhackme.com/room/ohsint
- Shodan.io https://tryhackme.com/room/shodan
# Level 2 - Tooling
- Tmux https://tryhackme.com/room/rptmux
- Nmap https://tryhackme.com/room/rpnmap
- Web Scanning https://tryhackme.com/room/rpwebscanning
- Sublist3r https://tryhackme.com/room/rpsublist3r
- Metasploit https://tryhackme.com/room/rpmetasploit
- Hydra https://tryhackme.com/room/hydra
- Linux Privesc https://tryhackme.com/room/linuxprivesc
More introductory CTFs
- Vulnversity https://tryhackme.com/room/vulnversity
- Blue https://tryhackme.com/room/blue
- Simple CTF https://tryhackme.com/room/easyctf
- Bounty Hacker https://tryhackme.com/room/cowboyhacker
# Level 3 - Crypto & Hashes with CTF practice
- Crack the hash https://tryhackme.com/room/crackthehash
- Agent Sudo https://tryhackme.com/room/agentsudoctf
- The Cod Caper https://tryhackme.com/room/thecodcaper
- Ice https://tryhackme.com/room/ice
- Lazy Admin https://tryhackme.com/room/lazyadmin
- Basic Pentesting https://tryhackme.com/room/basicpentestingjt
# Level 4 - Web
- OWASP top 10 https://tryhackme.com/room/owasptop10
- Inclusion https://tryhackme.com/room/inclusion
- Injection https://tryhackme.com/room/injection
- Vulnversity https://tryhackme.com/room/vulnversity
- Basic Pentesting https://tryhackme.com/room/basicpentestingjt
- Juiceshop https://tryhackme.com/room/owaspjuiceshop
- Ignite https://tryhackme.com/room/ignite
- Overpass https://tryhackme.com/room/overpass
- Year of the Rabbit https://tryhackme.com/room/yearoftherabbit
- DevelPy https://tryhackme.com/room/bsidesgtdevelpy
- Jack of all trades https://tryhackme.com/room/jackofalltrades
- Bolt https://tryhackme.com/room/bolt
# Level 5 - Reverse Engineering
- Intro to x86 64 https://tryhackme.com/room/introtox8664
- CC Ghidra https://tryhackme.com/room/ccghidra
- CC Radare2 https://tryhackme.com/room/ccradare2
- CC Steganography https://tryhackme.com/room/ccstego
- Reverse Engineering https://tryhackme.com/room/reverseengineering
- Reversing ELF https://tryhackme.com/room/reverselfiles
- Dumping Router Firmware https://tryhackme.com/room/rfirmware
# Level 6 - PrivEsc
- Sudo Security Bypass https://tryhackme.com/room/sudovulnsbypass
- Sudo Buffer Overflow https://tryhackme.com/room/sudovulnsbof
- Windows Privesc Arena https://tryhackme.com/room/windowsprivescarena
- Linux Privesc Arena https://tryhackme.com/room/linuxprivescarena
- Windows Privesc https://tryhackme.com/room/windows10privesc
- Blaster https://tryhackme.com/room/blaster
- Ignite https://tryhackme.com/room/ignite
- Kenobi https://tryhackme.com/room/kenobi
- Capture the flag https://tryhackme.com/room/c4ptur3th3fl4g
- Pickle Rick https://tryhackme.com/room/picklerick
# Level 7 - CTF practice
- Post Exploitation Basics https://tryhackme.com/room/postexploit
- Smag Grotto https://tryhackme.com/room/smaggrotto
- Inclusion https://tryhackme.com/room/inclusion
- Dogcat https://tryhackme.com/room/dogcat
- LFI basics https://tryhackme.com/room/lfibasics
- Buffer Overflow Prep https://tryhackme.com/room/bufferoverflowprep
- Overpass https://tryhackme.com/room/overpass
- Break out the cage https://tryhackme.com/room/breakoutthecage1
- Lian Yu https://tryhackme.com/room/lianyu
Many people are asking me this.
In this section I am regrouping what ethical, black hat and grey hat hackers consider the essential skills and knowledge any pen tester should have. At the top you will find the essential tools and knowledge one must learn to become efficient and skilled at penetration testing; the second part, at the bottom, explains what each of these things is.
Some of these tutorials are simple or proof-of-concept, but I strongly suggest you find books on each of these subjects before you say you understand how this works.
- Start by learning how TCP/UDP works (networking): TCP and UDP
- You must know the fundamentals of HTTP and how Structured Query Language (SQL) databases work: HTTP fundamentals and SQL
- Learn HTML, and install a Linux OS, preferably Kali Linux, on a virtualization program like VirtualBox (free) or VMware (paid). Learn HTML || Download Kali on VirtualBox/VMware Workstation Pro
- Learn basic Debian commands to feel comfortable using Kali, and download the Kali handbook
- Learn how to be anonymous using Tor, ProxyChains, Whonix and VPNs that don't keep logs (Mullvad VPN), MAC spoofing and DNS spoofing. Tor || ProxyChains || Whonix || MAC Spoofing || DNS Spoofing
- Learn to use Burp Suite and Nmap, and once you really understand SQL, try SQLMap. Nmap || Burp Suite || SQLMap
- Learn your way around Metasploit (and its Armitage front end), but before that understand the different OS vulnerabilities by searching their CVEs. Metasploit Framework || CVE Website
- Understand WEP/WPA/WPS; watch out for KRACK, which will be released soon, and we might learn how to crack WPA2. WPA-WEP info || KRACK
- Once you have understood these, find out about the air-ng suite: aircrack-ng, aireplay-ng and others. Air-ng suite - How to crack Wireless Networks
- Learn how to use Tamper Data, sniff networks and carry out MITM attacks. Tamper Data || Sniff with Wireshark || MITM
- Learn about wireless adapters and their different modes. Different modes
- Learn how to "automate" vulnerability scanning with Nessus. Nessus Guide
- Learn about XSS, RFI and LFI. Don't learn how to DDoS (joking). XSS-LFI-RFI Tutorial
- Understand the ins and outs of the OSI model. Layers of OSI Model
- Learn how to create a backdoor, what shells are and the definition of a 0-day. Create a backdoor
- Brute-forcing and dictionary attacks: Crack passwords with Hydra. Hash cracking: Crack with John
- Learn how to use Google dorks (Google hacking). Google Hacking Database
- Learn what DNS is and how to do whois lookups. What is a DNS?
- Learn the most important port numbers. Port number list
- How to spoof a phone number. Caller ID Spoofing
- Research different scripting languages, and check out the Rubber Ducky and the kind of hardware tools everybody talks about. Rubber Ducky
- Learn how to create Java drive-by and browser-based infection methods. Java Drive By [outdated]
- Understand how AVs work, how malware is created and how it is crypted. Basic AV detection methods || Create a Crypter
- Social engineering, or how to lie. I won't discuss this here, but here is a book on persuasion: Robert Cialdini, Influence and Manipulation
Once you have learned all that, maybe you can start learning the advanced stuff. Of course, I hope you will become a white hat and help people with their security instead of breaching it.
TCP/IP (Networking): Computers speak to each other across a network through the use of packets. In essence, the base unit of communication in the world of computer networks is the packet. Packets are most commonly built using the TCP/IP stack, which is part of the computer's operating system. Each operating system has some unique values coded into its implementation of the TCP/IP stack. This is how OS fingerprinting works: by studying these unique values, such as MSS and MTU, among others. It has been said before that to recognize the abnormal you must first understand what is normal. This is why we need to understand what a normal TCP/IP packet looks like and how TCP/IP itself sets up communications between computers.
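As an added example (not from this repository), the following parser pulls from a raw TCP segment the values a passive fingerprinter compares: window size, MSS, window scale, and the kind and order of options. The two SYN option layouts are constructed for the example and are not claimed to match any particular OS.

```python
import struct

# TCP option kinds (RFC 793, RFC 2018, RFC 7323) and the flag bits this example inspects.
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_OK, OPT_TIMESTAMPS = 0, 1, 2, 3, 4, 8
OPTION_NAMES = {OPT_MSS: "mss", OPT_WSCALE: "wscale", OPT_SACK_OK: "sack_ok", OPT_TIMESTAMPS: "timestamps"}
FLAG_SYN, FLAG_ACK = 0x002, 0x010

def parse_tcp_header(segment: bytes) -> dict:
    """Parse a raw TCP segment (no IP header) into the fields a passive fingerprinter compares."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    sport, dport, _seq, _ack, offset_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (offset_flags >> 12) * 4  # header length in bytes, options included
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset inconsistent with segment length")
    info = {"sport": sport, "dport": dport, "window": window,
            "syn": bool(offset_flags & FLAG_SYN), "ack": bool(offset_flags & FLAG_ACK),
            "mss": None, "wscale": None, "sack_ok": False, "timestamps": False, "option_order": []}
    opts, i = segment[20:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:  # end of option list; anything after it is padding
            break
        if kind == OPT_NOP:  # single-byte option with no length field
            info["option_order"].append("nop")
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        body = opts[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            info["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            info["wscale"] = body[0]
        elif kind == OPT_SACK_OK and length == 2:
            info["sack_ok"] = True
        elif kind == OPT_TIMESTAMPS and length == 10:
            info["timestamps"] = True
        info["option_order"].append(OPTION_NAMES.get(kind, "kind%d" % kind))
        i += length
    return info

def fingerprint(info: dict) -> str:
    """Summarise a parsed SYN as the tuple a signature database would key on."""
    ratio = info["window"] // info["mss"] if info["mss"] else None
    return "win=%d:mss=%s:wscale=%s:win/mss=%s:opts=%s" % (
        info["window"], info["mss"], info["wscale"], ratio, ",".join(info["option_order"]))

def is_malformed(segment: bytes) -> bool:
    """True when the segment breaks TCP header framing, which is itself worth alerting on."""
    try:
        parse_tcp_header(segment)
        return False
    except ValueError:
        return True

def build_syn(sport: int, dport: int, window: int, options: bytes) -> bytes:
    """Constructed SYN segment for this example (checksum left zero, no payload)."""
    options += b"\x00" * (-len(options) % 4)  # pad the option list to a 32-bit boundary
    offset_flags = (((20 + len(options)) // 4) << 12) | FLAG_SYN
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, offset_flags, window, 0, 0) + options

# Constructed option layouts; no claim is made about which OS emits them (a signature database such as p0f's maps such tuples to OS families).
SAMPLE_A_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02"  # MSS 1460, SACK permitted
                 + b"\x08\x0a" + b"\x00" * 8  # timestamps (TSval/TSecr zeroed here)
                 + b"\x01" + b"\x03\x03\x07")  # NOP, window scale 7
SAMPLE_B_OPTS = (b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08"  # MSS 1460, NOP, window scale 8
                 + b"\x01\x01" + b"\x04\x02")  # NOP, NOP, SACK permitted
# 24-byte header whose single option claims 9 bytes when only 4 are present.
MALFORMED_SAMPLE = struct.pack("!HHIIHHHH", 1, 2, 0, 0, (6 << 12) | FLAG_SYN, 0, 0, 0) + b"\x02\x09\x00\x00"
```

`fingerprint(parse_tcp_header(build_syn(40000, 443, 64240, SAMPLE_A_OPTS)))` yields `win=64240:mss=1460:wscale=7:win/mss=44:opts=mss,sack_ok,timestamps,nop,wscale`; the window-to-MSS ratio and option order are exactly the kind of per-stack constants the paragraph describes.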
Here are answers to some common questions related to ethical hacking:
First, because every page you see on the web is displayed, to some extent, using HTML. It is the bare minimum to know the most basic language that carries the most content on the internet. Also, HTML injection is an attack similar to Cross-site Scripting (XSS). Whereas an XSS vulnerability lets the attacker inject and execute JavaScript code, HTML injection only allows the injection of certain HTML tags. When an application does not properly handle user-supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as it exploits both a code-based vulnerability and a user's trust.
No spoilers needed for that one; in my opinion it is important to know your way around the system you use and to learn the basic terminal commands that come with it.
During penetration testing, vulnerability assessment or hacking, staying anonymous is one of the important factors. If you are a black hat, you also don't want to get caught. Without it, your internet connection will reveal your identity. ProxyChains is a proxifier for Linux systems. It allows TCP and DNS tunneling through proxies. It supports HTTP, SOCKS4 and SOCKS5 proxy servers. It uses multiple proxies at a time, hence the name proxy chaining. In the tutorial you will be taught to use ProxyChains through the Tor network. Whonix is also a very good way to stay anonymous; it makes use of the Tor network with its own gateway. MAC spoofing allows you to change your MAC address, which is the hardware identifier of your network interface. Your MAC address points to your PC's brand and can lead back to you when someone digs deep.
Burp Suite is a Java-based web penetration testing framework. It has become an industry-standard suite of tools used by information security professionals to identify vulnerabilities and verify attack vectors for web-based applications.
In its simplest form, Burp Suite can be classified as an interception proxy. A penetration tester configures their browser to route traffic through the proxy, which then acts as a sort of man in the middle by capturing and analyzing each request and response to and from the target web application. Individual HTTP requests can be paused, manipulated and replayed back to the web server for targeted analysis of parameter-specific injection points. Injection points can be specified for manual as well as automated fuzzing attacks to discover potentially unintended application behaviors, crashes and error messages.
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Metasploit Framework is an open source penetration testing tool used for developing and executing exploit code against a remote target machine. The Metasploit Framework has the world's largest database of public, tested exploits. In simple words, Metasploit can be used to test the vulnerability of computer systems in order to protect them, and on the other hand it can also be used to break into remote systems. It is the most renowned framework used to exploit systems.
If you want to become a professional pen-tester you will have to learn about WEP/WPA encryption, because the whole wireless ecosystem revolves around these schemes; understanding them will give you greater power when cracking wireless networks.
Most if not all Wi-Fi cracking methods involve aircrack-ng. Learning how to use these tools will allow you to crack most wireless networks.
In a sense, a man-in-the-middle attack (MITM) is like eavesdropping. Data is sent from point A (computer) to point B (server/website), and an attacker can get in between these transmissions. They then set up tools programmed to "listen in" on transmissions, intercept data that is specifically targeted as valuable, and capture the data. Sometimes this data can be modified in the process of transmission to try to trick the end user into divulging sensitive information, such as login credentials. Once the user has fallen for the bait, the data is collected from the target, and the original data is then forwarded to the intended destination unaltered.
Sniffing and snooping refer to listening in on a conversation. For example, if you log in to a website that uses no encryption, your username and password can be sniffed off the network by anyone who can capture the traffic between you and the website.
Spoofing refers to actively introducing network traffic while pretending to be someone else. For example, spoofing is sending a command to computer A while pretending to be computer B. It is typically used in a scenario where you generate network packets that claim to originate from computer B while they really originate from computer C. Spoofing in an email context means sending an email pretending to be someone else.
Tamper Data is an add-on for Firefox that lets you view and modify HTTP requests before they are sent. It shows what information the web browser is sending on your behalf, such as cookies and hidden form fields. Use of this plugin can reveal web applications that trust the client not to misbehave.
A brute-force attack consists of an attacker trying many passwords or passphrases in the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key, which is typically derived from the password using a key derivation function. This is known as an exhaustive key search.
Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) in a legitimate website or web application. XSS is amongst the most rampant of web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
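An added example (not from this repository) that serves both the HTML-injection answer above and this XSS paragraph: the same greeting rendered by raw string splicing and by output encoding, then fed through a browser-like parser so you can see which elements and attributes the user's input actually created. The template strings and the sample inputs are constructed for the example.

```python
import html
from html.parser import HTMLParser

def render_greeting_unsafe(display_name: str) -> str:
    """Vulnerable rendering: user data is spliced straight into the markup."""
    return f"<p>Welcome back, {display_name}!</p>"

def render_greeting_safe(display_name: str) -> str:
    """Hardened rendering: encode for the HTML text context before splicing."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"

def render_title_attr_weak(display_name: str) -> str:
    """Attribute context with quote=False: < and > are encoded, but a stray quote still closes the attribute."""
    return f'<a href="/profile" title="{html.escape(display_name, quote=False)}">profile</a>'

def render_title_attr_safe(display_name: str) -> str:
    """Attribute context done right: quote=True also encodes the quotes that would end the attribute."""
    return f'<a href="/profile" title="{html.escape(display_name, quote=True)}">profile</a>'

class TagCollector(HTMLParser):
    """Records every start tag and attribute name, i.e. what the markup creates when parsed."""
    def __init__(self):
        super().__init__()
        self.tags, self.attr_names = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)

def parse_markup(markup: str) -> tuple:
    """Return (start tags in order, attribute names in order) as a browser-like parser sees them."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.attr_names

def injected_elements(render, payload: str) -> list:
    """Elements created beyond the template's own leading <p>; empty means the payload stayed inert text."""
    return parse_markup(render(payload))[0][1:]

# Constructed inputs: a benign name, a tag-only HTML injection, a script payload (XSS) and an attribute breakout.
SAMPLES = {
    "benign": "Alice",
    "html_injection": '<h1>Account suspended</h1><a href="https://login.example">Sign in again</a>',
    "xss": "<script>alert(document.domain)</script>",
    "attr_breakout": 'Alice" onmouseover="alert(1)',
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, "unsafe:", injected_elements(render_greeting_unsafe, payload),
              "safe:", injected_elements(render_greeting_safe, payload))
    print("weak attr:", parse_markup(render_title_attr_weak(SAMPLES["attr_breakout"]))[1])
    print("safe attr:", parse_markup(render_title_attr_safe(SAMPLES["attr_breakout"]))[1])
```

Note that the attribute-breakout sample creates no element in the text context but does add an event handler in the weak attribute rendering, which is why output encoding must match the context the data lands in.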
Remote File Inclusion (RFI) refers to an inclusion attack wherein an attacker can cause the web application to include a remote file by exploiting a web application that dynamically includes external files or scripts. The consequences of a successful RFI attack range from information disclosure and Cross-site Scripting (XSS) to remote code execution.
Remote File Inclusion (RFI) usually occurs when an application receives the path to the file that has to be included as input without properly sanitizing it. This allows an external URL to be supplied to the include statement.
Local File Inclusion (LFI), or simply File Inclusion, refers to an inclusion attack through which an attacker can trick the web application into including files on the web server by exploiting functionality that dynamically includes local files or scripts. The consequences of a successful LFI attack include directory traversal and information disclosure as well as remote code execution.
Typically, Local File Inclusion (LFI) occurs when an application takes the path to the file that has to be included as input without treating it as untrusted. This allows a local file to be supplied to the include statement.
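An added example (not from this repository) of the check both inclusion paragraphs call for: the requested include name is treated as untrusted, anything with a URL scheme or host is refused (RFI), the resolved path must stay inside the include directory (LFI/traversal), and only expected extensions are allowed. `BASE_DIR`, the extension allowlist and the sample requests are constructed for the example.

```python
import os
from urllib.parse import urlsplit

BASE_DIR = "/srv/app/pages"             # constructed include root for the example
ALLOWED_EXTENSIONS = {".php", ".html"}  # constructed allowlist of includable file types

class IncludeRejected(ValueError):
    """Raised when a requested include must not be resolved."""

def resolve_include(base_dir: str, requested: str) -> str:
    """Map an untrusted include name to an absolute path under base_dir, or raise IncludeRejected."""
    if "\x00" in requested:
        # NUL bytes were historically used to truncate a suffix the application appends.
        raise IncludeRejected("NUL byte in path")
    parts = urlsplit(requested)
    if parts.scheme or parts.netloc or requested.startswith(("//", "\\\\")):
        # RFI: anything carrying a scheme or host would make include() fetch remote code.
        raise IncludeRejected("remote include not permitted")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when `requested` is absolute, so the containment
    # check below is what actually enforces the boundary, not the join.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        # LFI / traversal: "../" sequences or absolute paths resolve outside the root.
        raise IncludeRejected("path escapes include directory")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        raise IncludeRejected("extension not allowed")
    return candidate

# Constructed requests covering the benign case plus each rejection branch.
SAMPLE_REQUESTS = [
    "about.php",
    "../../etc/passwd",
    "/etc/passwd",
    "http://remote.example/page.php",
    "about.php\x00.jpg",
    "notes.txt",
]

def classify(base_dir: str, requests: list) -> dict:
    """Return {request: 'allowed:<path>' or 'rejected:<reason>'} for a batch of requests."""
    outcome = {}
    for req in requests:
        try:
            outcome[req] = "allowed:" + resolve_include(base_dir, req)
        except IncludeRejected as exc:
            outcome[req] = "rejected:" + str(exc)
    return outcome

if __name__ == "__main__":
    for req, result in classify(BASE_DIR, SAMPLE_REQUESTS).items():
        print(repr(req), "->", result)
```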
Attackers can install their own backdoor on a targeted system. Doing so allows them to come and go as they please and gives them remote access to the system. Malware installed on systems for this purpose is often called a remote access Trojan, or a RAT, and can be used to install other malware on the system or exfiltrate data.
Would love to write more. Good luck on your journey, and remember: white hats shine more than black.
- MySQL:
- MSSQL:
- ORACLE:
- POSTGRESQL:
- Others
Read my [CTF Resources](./CTF Resources/README.md) notes, which are a simply managed and updated copy of information from the ctf/resources repository.
- Practice:
- Read to Learn:
- HTTP basics
- Cookie Security
- HTML Parsing
- MIME Sniffing
- Encoding Sniffing
- Same-origin
- Cross-site request forgery (CSRF)
- Cross-site scripting
- Reflected
- Stored
- DOM
- Detection, exploitation and Mitigation
- Authorization bypasses and forced browsing
- Directory Traversal
- Command Injection
- SQL Injection
- Detection, exploitation and mitigation
- Exploiting blind SQLi
- Session Fixation
- Clickjacking
- File inclusion and upload vulnerabilities
- Null termination vulnerabilities
- Unchecked redirects
- Secure password storage
- Crypto crash
- XOR
- Symmetric ciphers
- Stream
- Block
- Symmetric ciphers
- Asymmetric ciphers
- Hashes
- MACs
- XOR
- Crypto attacks
- Stream cipher reuse
- ECB block reordering
- ECB partial decryption
- Padding oracles
- Hash length extension
- Crypto tricks
- Detecting ECB
- Determining block sizes
- Determining controllable data offsets
- Lightweight Threat Modeling
- Secure Architecture Review
- SSRF
- Source Review Techniques
- Cookie Tampering Techniques & XML External Entity Attack
- Burp Suite
- Setting up Burp proxy
- Introduction to Burp Suite
- Intermediate Burp Suite Techniques
- Advanced Burp Hacks for Bounty Hunters
- From Social Media
- Web server
- whois
- Subdomain
- Reserved IP Location
- Which platform used for developing
- Ping to identify server details
- Collecting Information from Email Header
- Email Tracking Tools
- Tracking of a target person
- Website Cookies history
- Recover any deleted files. [ PC or Mobile]
- Learn Web Attacking Method
- SQL Injection
- Session Hijacking
- Server Exploit
- Bypass
- Shell upload
- private
- legal
- Compromising Session
- using Sniffing
- predicting Session Token
- Password cracking method
- All possible
- Default
- Guessing
- Keylogger
- Ardamax
- Hardware
- Binding with real setup file
- Spyware
- Trojan
- Batch-programming
- Server shell
- File extension viruses
- Backdoors virus
- Phishing
- CSRF and XSS
- Blind SQL
- POST-based
- WAF Bypass
- Error-based
- Remote and Local file inclusion (RFI and LFI)
- Malicious File Upload
  - This is an important and common attack vector in this type of testing.
  - File upload functions need a lot of protections to be adequately secure.
  - Attacks:
    1. Upload an unexpected file format to achieve code execution (swf, html, php, php3, aspx, ++), web shells or...
    2. Execute XSS via the same types of files. Images as well!
    3. Attack the parser to DoS the site, or XSS via storing payloads in metadata or file headers
    4. Bypass security zones and store malware on the target site via file polyglots
  - File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques:
    5. Content type spoofing
    6. Extension trickery
  - As referenced, file polyglots can be used to store malware on servers! See @dan_crowley's talk and @angealbertini's research:
- X-path
- Cryptography
- Nmap
- VEGA
- Acunetix
- Login Page Injection
- Cross site scripting
- Bypass it
- Authentication Bypass
- Cookie Injection
- Man-in-the-Middle
- HTML and CSS Injection
- Remote code execution and Directory Traversing
- Android Keylogger
- Steganography
- HackTheKeyboard
- Burp Suite
- Cryptography
- Networking
- Computer Networking Problems and Solutions by Russ White and Ethan Banks
- Computer Networks by Tanenbaum & Wetherall
- Guide to Network Programming by Beej
- [Network Scanning Cookbook by Sairam Jetty](./Networking/Network%20Scanning%20Cookbook .pdf)
- Networking All in One for Dummies by Doug Lowe
- Networking Fundamentals by Gordon Davies
- Seven Deadliest Network Attacks by Prowell, Borkin & Kraus
- SSH The Secure Shell - The Definitive Guide by Silverman & Barrett
- The Only IP Book You Will Ever Need: Unraveling the Mysteries of IPv4 and IPv6 by Diaz
- Nmap
- Mastering Nmap Scripting Engine by Paulino Calderon Pale
- Nmap - Network Exploration and Security Auditing Cookbook by Paulino Calderon
- Nmap Essentials by David Shaw
- Nmap in the Enterprise: Your Guide to Network Scanning by Angela Orebaugh, Becky Pinkard
- Nmap7 - From Beginner to Pro by Nicholas Brown
- Quick Start Guide to Penetration Testing With NMAP, OpenVAS and Metasploit
- Termux