Systems

Windows

Network / IPv6

• MITM6 (https://github.com/fox-it/mitm6)
• NTLM Relaying and Kerberos Delegation (https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/)
• Compromising IPv4 networks via IPv6 (https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/)
• Domain Attacks Getting an Account (https://systemadminspro.com/domain-attacks-getting-an-account/)
• Peneration Testing Active Directory Part 1 (https://hausec.com/2019/03/05/penetration-testing-active-directory-part-i/)
• Taking Over IPv6 Networks (https://blog.vonahi.io/taking-over-ipv6-networks/)
• mitm6 pentesting (https://intrinium.com/mitm6-pen-testing/)
• A pivot cheatsheet for pentesters (https://nullsweep.com/pivot-cheatsheet-for-pentesters/)
• I’m bringing relaying back: A comprehensive guide on relaying anno 2022 (https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/)

Kerberos

• Kerberos Cheatsheet (https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a)
• Hunting for Skeleton Key implants (https://riccardoancarani.github.io/2020-08-08-hunting-for-skeleton-keys/)
• Hunting for Impacket (https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/)
• Kerberoasting without SPNs (https://swarm.ptsecurity.com/kerberoasting-without-spns/)

Privilege Escalation

• PrivExchange (https://github.com/dirkjanm/PrivExchange)

• Abusing Exchange (https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/)

• Exploiting PrivExchange (https://chryzsh.github.io/exploiting-privexchange/)

• LOLBAS (https://lolbas-project.github.io/#)

• Windows EoP Cheatsheet (https://guif.re/windowseop)

• Windows Privilege Escalation (https://hackingandsecurity.blogspot.com/2017/09/oscp-windows-priviledge-escalation.html)

• Abusing Active Directory Permissions with PowerView (http://www.harmj0y.net/blog/redteaming/abusing-active-directory-permissions-with-powerview/)

• DCSync: Dump Password Hashes from Domain Controller (https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync)

• Unconstrained Delegations (https://johnkol.com/unconstrained-delegation/)

• No Shells Required - a Walkthrough on Using Impacket and Kerberos to Delegate Your Way to DA (http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html)

• Invoke-Recon (https://github.com/phackt/Invoke-Recon)

• Dumping credentials (offline) (https://kaluche.github.io/posts/2020/09/dumping-credentials-offline/)

• #HiveNightmare aka #SeriousSAM — anybody can read the registry in Windows 10 (https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5)

• MS-EFSRPC to coerce machine authentification (https://github.com/topotam/PetitPotam)

• Spooler Service Abuse (https://book.hacktricks.xyz/windows/active-directory-methodology/printers-spooler-service-abuse)

Evasion

• AMSI Bypass Methods and tools (https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/amp/)
• AMSI.fail (https://amsi.fail/)
• Resurecting an old AMSI Bypass (https://sensepost.com/blog/2020/resurrecting-an-old-amsi-bypass/)
• AMSI Bypass (https://www.contextis.com/us/blog/amsi-bypass)
• Getting Rastamouse’s AmsiScanBufferBypass to Work Again (https://fatrodzianko.com/2020/08/25/getting-rastamouses-amsiscanbufferbypass-to-work-again/)

Azure Services / Azure AD

• Azure Active Directory Redteam (https://github.com/rootsecdev/Azure-Red-Team)
• Introduction to Azure Penetration Testing (https://azure.enterprisesecurity.io/)
• MicroBurst: A PowerShell Toolkit for Attacking Azure (https://github.com/NetSPI/MicroBurst)
• A Beginners Guide to Gathering Azure Passwords (https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/)
• Anonymously Enumerating Azure Services (https://www.netspi.com/blog/technical/cloud-penetration-testing/enumerating-azure-services/)
• Anonymously Enumerating Azure File Resources (https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/)
• Get-AzurePasswords: Exporting Azure RunAs Certificates for Persistence (https://www.netspi.com/blog/technical/cloud-penetration-testing/exporting-azure-runas-certificates/)
• Maintaining Azure Persistence via Automation Accounts (https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/)
• Attacking Azure with Custom Script Extensions (https://www.netspi.com/blog/technical/cloud-penetration-testing/attacking-azure-with-custom-script-extensions/)
• Lateral Movement in Azure App Services (https://www.netspi.com/blog/technical/cloud-penetration-testing/lateral-movement-azure-app-services/)
• Azure Privilege Escalation Using Managed Identities (https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-privilege-escalation-using-managed-identities/)
• Azure Persistence with Desired State Configurations (https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-persistence-with-desired-state-configurations/)
• Webcast: Getting Started in Pentesting The Cloud: Azure (https://www.blackhillsinfosec.com/webcast-getting-started-in-pentesting-the-cloud-azure/)

Others

• Virtual/Remote Environments Breakout (https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
• WriteUp LeHack19 Akerva (https://github.com/aas-n/leHACK19)
• A view of persistence (https://rastamouse.me/2018/03/a-view-of-persistence/)
• AD Security Attack Defense (https://github.com/infosecn1nja/AD-Attack-Defense)
• Active Directory Enumeration with AD Module without RSAT or Admin Privileges (https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges)
• AMSI - Resurecting the Dead (https://crawl3r.github.io/2020-05-22/AMSI_Resurrecting_the_dead)
• Over-Pass-The-Hash (http://inf0sec.fr/article-17.php)
• SigThief (https://github.com/secretsquirrel/SigThief)
• AD Pentesting mindmap (https://raw.githubusercontent.com/Orange-Cyberdefense/arsenal/master/mindmap/pentest_ad.png)
• Pentesting Active Directory Mindmap (https://www.xmind.net/m/5dypm8/#)
• MS Exchange Server pentesting mindmap (https://raw.githubusercontent.com/Orange-Cyberdefense/arsenal/master/mindmap/Pentesting_MS_Exchange_Server_on_the_Perimeter.png)
• WADComs interactive Cheatsheet (https://wadcoms.github.io/)
• Windows & AD Exploitation Cheat Sheet and Command Reference (https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/)
• Attacking Active Directory (https://zer1t0.gitlab.io/posts/attacking_ad/)
• Atomic Red Team repository (https://github.com/redcanaryco/atomic-red-team)
• PowerShell commands for enumerating Active Directory (https://www.notion.so/53512dc072c241589fc45c577ccea2ee?v=7b908e7e76a9416f98f40d9d3843d3cb)
• Detecting Resilient Adversaries - Active Directory (https://raw.githubusercontent.com/RiccardoAncarani/talks/master/r00tMI/20200709-r00tMi-ADDtalk_v1.0.pdf)

Linux

Privilege Escalation

• Basic Linux Privilege Escalation (https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)

• Restricted Linux Shell Escaping Techniques (https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/)

• GTFO Bins (https://gtfobins.github.io/)

• Privilege Escalation Cheatsheet for OSCP (Vulnhub) (https://github.com/Ignitetechnologies/Privilege-Escalation#kernel)

Others

• TMUX Cheatsheet (https://gist.github.com/MohamedAlaa/2961058)
• Blocky, un proxy DNS pour votre nunux (https://lord.re/posts/204-profiter-de-dns-over-httpstls-sur-linux/)
• List of everyday enhanced tools (https://twitter.com/amilajack/status/1479328649820000256?t=MXq9Cw3whFODqwFtqJOgsA&s=19)
  • bat (Enhanced cat) https://github.com/sharkdp/bat
  • diff-so-fancy (diff) https://github.com/so-fancy/diff-so-fancy
  • fx (JSON viewer) https://github.com/antonmedv/fx
  • fzf (fast fuzzy search) https://github.com/junegunn/fzf
  • exa (ls colored) https://twitter.com/fig/status/1479189142743384064
  • duf (enhanced du) https://github.com/muesli/duf

FreeIPA

• Attacking FreeIPA Part 1 (https://posts.specterops.io/attacking-freeipa-part-i-authentication-77e73d837d6a)
• Attacking FreeIPA Part 2 (https://posts.specterops.io/attacking-freeipa-part-ii-enumeration-ad27224371e1)

AWS

• My arsenal of AWS Security Tools (https://github.com/toniblyx/my-arsenal-of-aws-security-tools)
• AWS Cheatsheet (https://www.magnussen.funcmylife.fr/article_35)