- Sublist3r
- Censys
- DNSDumpster
- Search stuff in github
- Muraena
- AWS metadata
- Serialization
- Public exploits
- Classics like SQLi, XSS, LFI, RFI, Command Injection, Directory Traversal
- Inject this as parameter: dddd",'|&$;:`({{@<%=ddd
- SSRF (if we can make it link something)
- SSTI (Server-side template injection)
- Serialization
- XXE
- Cache Poisoning
- Request Smuggling
- Host Header Poisoning
- Parameter pollution
- Responder
- SMBRelaying / ntlmrelayx (--remove-mic?) (https://en.hackndo.com/ntlm-relay/)
- Link pointing to attacker in shared folder
- Kerberoasting, AS-REP roasting
- Password Spraying
- WinPEAS / adPEAS / WinPwn
- Bloodhound
- Delegation Stuff (Unconstrained/Constrained/RBCD)
- Mimikatz / Safetykatz / Custom MiniDump
- Seatbelt (or Ghostpack)
- Read Keepass data from memory
- Inject keylogger in some processes like RDP
- Steal open RDP sessions (query user - tscon /dest:)
- ADCS (Certify/ForgeCert/adcsPOSH) - https://http418infosec.com/ad-cs-the-certified-pre-owned-attacks // https://github.com/GhostPack/PSPKIAudit
- PKINIT Authentication / Shadow Credentials (Whisker)
- PrintNightmare, Potatoes, ImpersonationPrivs (print stuff), SpoolSploit!
- Find SQLServers (setspn -T Domain.com -Q MSSQLSvc/*) and pwn'em
- Always execute in memory
- Compile C# custom tools
- In memory PsExec
- Use msinstaller
- Don't use mimikatz (use MiniDump)
- Silentrinity
- ShellcodeFluctuation
- ssh (Local/Remote/Dynamic)
- chisel
- 3proxy
- netsh
- DNS Tunneling, ICMP Tunneling, Google Services/Twitter/YouTube/Pastebin exfiltration
- Check if we are in privileged mode; if we are, we can mount the root fs and create an SSH authorized key
- Check if we have some shared directory; if we do, create a /bin/bash copy with SUID set, so we can run it as root on the parent host
- Check the container's capabilities (cat /proc/self/status | grep Cap) to see what the container has permission to access
- (All we had before +)
- CORS
- ClickJacking
- Insecure Redirections
- XSS
- IDOR
- Auth/Token bypasses