  1. 👾 Welcome!
  2. HackTricks
  3. HackTricks Values & FAQ
  4. About the author
  5. 🤩 Generic Methodologies & Resources
  6. Pentesting Methodology
  7. Fuzzing Methodology
  8. External Recon Methodology
    1. Database Leaks
    2. Wide Source Code Search
    3. Github Dorks & Leaks
  9. Pentesting Network
    1. DHCPv6
    2. EIGRP Attacks
    3. GLBP & HSRP Attacks
    4. IDS and IPS Evasion
    5. Lateral VLAN Segmentation Bypass
    6. Network Protocols Explained (ESP)
    7. Nmap Summary (ESP)
    8. Pentesting IPv6
    9. Telecom Network Exploitation
    10. WebRTC DoS
    11. Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
    12. Spoofing SSDP and UPnP Devices with EvilSSDP
  10. Pentesting Wifi
    1. Enable Nexmon Monitor And Injection On Android
    2. Evil Twin EAP-TLS
  11. Phishing Methodology
    1. Ai Agent Abuse Local Ai Cli Tools And Mcp
    2. Ai Agent Mode Phishing Abusing Hosted Agent Browsers
    3. Clipboard Hijacking
    4. Clone a Website
    5. Detecting Phishing
    6. Discord Invite Hijacking
    7. Homograph Attacks
    8. Mobile Phishing Malicious Apps
    9. Phishing Files & Documents
  12. Basic Forensic Methodology
    1. Adaptixc2 Config Extraction And Ttps
    2. Baseline Monitoring
    3. Anti-Forensic Techniques
    4. Docker Forensics
    5. Image Acquisition & Mount
    6. Ios Backup Forensics
    7. Linux Forensics
    8. Malware Analysis
    9. Memory dump analysis
      1. Volatility - CheatSheet
    10. Partitions/File Systems/Carving
      1. File/Data Carving & Recovery Tools
    11. Pcap Inspection
      1. DNSCat pcap analysis
      2. Suricata & Iptables cheatsheet
      3. USB Keystrokes
      4. Wifi Pcap Analysis
      5. Wireshark tricks
    12. Specific Software/File-Type Tricks
      1. Decompile compiled python binaries (exe, elf) - Retrieve from .pyc
      2. Browser Artifacts
      3. Deobfuscation vbs (cscript.exe)
      4. Discord Cache Forensics
      5. Local Cloud Storage
      6. Mach O Entitlements And Ipsw Indexing
      7. Office file analysis
      8. PDF File analysis
      9. PNG tricks
      10. Structural File Format Exploit Detection
      11. Svg Font Glyph Analysis And Web Drm Deobfuscation
      12. Video and Audio file analysis
      13. ZIPs tricks
    13. Windows Artifacts
      1. Interesting Windows Registry Keys
  13. Python Sandbox Escape & Pyscript
    1. Bypass Python sandboxes
      1. Js2py Sandbox Escape Cve 2024 28397
      2. LOAD_NAME / LOAD_CONST opcode OOB Read
      3. Reportlab Xhtml2pdf Triple Brackets Expression Evaluation Rce Cve 2023 33733
    2. Class Pollution (Python's Prototype Pollution)
    3. Keras Model Deserialization Rce And Gadget Hunting
    4. Python Internal Read Gadgets
    5. Pyscript
    6. venv
    7. Web Requests
    8. Bruteforce hash (few chars)
    9. Basic Python
  14. Side Channel Attacks On Messaging Protocols
  15. Threat Modeling
  16. Blockchain & Crypto
    1. Defi/AMM Hook Precision
    2. Defi Amm Virtual Balance Cache Exploitation
    3. Mutation Testing With Slither
    4. Erc 4337 Smart Account Security Pitfalls
    5. Value Centric Web3 Red Teaming
    6. Web3 Signing Workflow Compromise Safe Delegatecall Proxy Takeover
  17. Lua Sandbox Escape
  18. 🧙‍♂️ Generic Hacking
  19. Archive Extraction Path Traversal
  20. Brute Force - CheatSheet
  21. Esim Javacard Exploitation
  22. Exfiltration
  23. Reverse Shells (Linux, Windows, MSFVenom)
    1. MSFVenom - CheatSheet
    2. Reverse Shells - Windows
    3. Reverse Shells - Linux
    4. Expose local to the internet
    5. Full TTYs
  24. Search Exploits
  25. Tunneling and Port Forwarding
  26. 🐧 Linux Hardening
  27. Linux Basics
  28. Checklist - Linux Privilege Escalation
  29. Linux Privilege Escalation
    1. Android Rooting Frameworks Manager Auth Bypass Syscall Hook
    2. Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244
    3. Arbitrary File Write to Root
    4. Cisco - vmanage
    5. Containerd (ctr) Privilege Escalation
    6. D-Bus Enumeration & Command Injection Privilege Escalation
    7. Container Security
      1. Runtimes And Engines
      2. Runtime API And Daemon Exposure
      3. Authorization Plugins
      4. Image Security And Secrets
      5. Assessment And Hardening
      6. Sensitive Host Mounts
      7. Privileged Containers
      8. Distroless
      9. Protections
        1. AppArmor
        2. Capabilities
        3. CGroups
        4. Masked Paths
        5. No New Privileges
        6. Read Only Paths
        7. Seccomp
        8. SELinux
        9. Namespaces
          1. CGroup Namespace
          2. IPC Namespace
          3. PID Namespace
          4. Mount Namespace
          5. Network Namespace
          6. Time Namespace
          7. User Namespace
          8. UTS Namespace
    8. Escaping from Jails
    9. Posix Cpu Timers Toctou Cve 2025 38352
    10. euid, ruid, suid
    11. Interesting Groups - Linux Privesc
      1. lxd/lxc Group - Privilege escalation
    12. Logstash
    13. ld.so privesc exploit example
    14. Linux Active Directory
    15. Linux Capabilities
    16. NFS no_root_squash/no_all_squash misconfiguration PE
    17. Node inspector/CEF debug abuse
    18. Payloads to execute
    19. RunC Privilege Escalation
    20. SELinux
    21. Socket Command Injection
    22. Splunk LPE and Persistence
    23. SSH Forward Agent exploitation
    24. Wildcards Spare tricks
  30. Useful Linux Commands
  31. Bypass Linux Restrictions
    1. Bypass FS protections: read-only / no-exec / Distroless
      1. DDexec / EverythingExec
  32. Linux Environment Variables
  33. Linux Post-Exploitation
    1. PAM - Pluggable Authentication Modules
  34. FreeIPA Pentesting
  35. 🍏 MacOS Hardening
  36. macOS Security & Privilege Escalation
    1. macOS Apps - Inspecting, debugging and Fuzzing
      1. Objects in memory
      2. Introduction to x64
      3. Introduction to ARM64v8
    2. macOS AppleFS
    3. macOS Bypassing Firewalls
    4. macOS Defensive Apps
    5. Macos Dyld Hijacking And Dyld Insert Libraries
    6. macOS GCD - Grand Central Dispatch
    7. macOS Kernel & System Extensions
      1. macOS IOKit
      2. macOS Kernel Extensions & Kernelcache
      3. macOS Kernel Vulnerabilities
      4. macOS System Extensions
      5. macOS NVRAM
    8. macOS Network Services & Protocols
    9. macOS File Extension & URL scheme app handlers
    10. macOS Files, Folders, Binaries & Memory
      1. macOS Bundles
      2. macOS Installers Abuse
      3. macOS Memory Dumping
      4. macOS Sensitive Locations & Interesting Daemons
      5. macOS Universal binaries & Mach-O Format
    11. macOS Objective-C
    12. macOS Privilege Escalation
    13. macOS Process Abuse
      1. macOS Dirty NIB
      2. macOS Chromium Injection
      3. macOS Electron Applications Injection
      4. macOS Function Hooking
      5. macOS IPC - Inter Process Communication
        1. macOS MIG - Mach Interface Generator
        2. macOS XPC
          1. macOS XPC Authorization
          2. macOS XPC Connecting Process Check
            1. macOS PID Reuse
            2. macOS xpc_connection_get_audit_token Attack
        3. macOS Thread Injection via Task port
      6. macOS Java Applications Injection
      7. macOS Library Injection
        1. macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
        2. macOS Dyld Process
      8. macOS Perl Applications Injection
      9. macOS Python Applications Injection
      10. macOS Ruby Applications Injection
      11. macOS .Net Applications Injection
      12. macOS Quick Look Generators
      13. macOS Automator, Preference Panes & NSServices
      14. macOS XPC Mach Services Abuse
    14. macOS Security Protections
      1. macOS Gatekeeper / Quarantine / XProtect
      2. macOS Launch/Environment Constraints & Trust Cache
      3. macOS Sandbox
        1. macOS Default Sandbox Debug
        2. macOS Sandbox Debug & Bypass
          1. macOS Office Sandbox Bypasses
      4. macOS Authorizations DB & Authd
      5. macOS SIP
      6. macOS TCC
        1. macOS Apple Events
        2. macOS TCC Bypasses
          1. macOS Apple Scripts
        3. macOS TCC Payloads
        4. macOS TCC Credential & Data Theft
      7. macOS Dangerous Entitlements & TCC perms
      8. macOS - AMFI - AppleMobileFileIntegrity
      9. macOS MACF - Mandatory Access Control Framework
      10. macOS Code Signing
      11. macOS Code Signing Weaknesses & Sandbox Escapes
      12. macOS Sealed System Volume & DataVault
      13. macOS Input Monitoring, Screen Capture & Accessibility
      14. macOS FS Tricks
        1. macOS xattr-acls extra stuff
    15. macOS Users & External Accounts
  37. macOS Red Teaming
    1. macOS MDM
      1. Enrolling Devices in Other Organisations
      2. macOS Serial Number
    2. macOS Keychain
  38. macOS Useful Commands
  39. macOS Auto Start
  40. 🪟 Windows Hardening
  41. Authentication Credentials Uac And Efs
  42. Checklist - Local Windows Privilege Escalation
  43. Windows Local Privilege Escalation
    1. Abusing Auto Updaters And Ipc
    2. Arbitrary Kernel Rw Token Theft
    3. Kernel Race Condition Object Manager Slowdown
    4. Notepad Plus Plus Plugin Autoload Persistence
    5. Abusing Tokens
    6. Access Tokens
    7. ACLs - DACLs/SACLs/ACEs
    8. AppendData/AddSubdirectory permission over service registry
    9. Create MSI with WIX
    10. COM Hijacking
    11. Dll Hijacking
      1. Advanced Html Staged Dll Sideloading
      2. Writable Sys Path +Dll Hijacking Privesc
    12. DPAPI - Extracting Passwords
    13. From High Integrity to SYSTEM with Name Pipes
    14. Integrity Levels
    15. JuicyPotato
    16. Leaked Handle Exploitation
    17. MSI Wrapper
    18. Named Pipe Client Impersonation
    19. Privilege Escalation with Autoruns
    20. RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
    21. SeDebug + SeImpersonate copy token
    22. SeImpersonate from High To System
    23. Semanagevolume Perform Volume Maintenance Tasks
    24. Service Triggers
    25. Telephony Tapsrv Arbitrary Dword Write To Rce
    26. Secure Desktop Accessibility Registry Propagation LPE (RegPwn)
    27. Uiaccess Admin Protection Bypass
    28. Windows C Payloads
  44. Active Directory Methodology
    1. Abusing Active Directory ACLs/ACEs
      1. BadSuccessor
      2. Shadow Credentials
    2. AD Certificates
      1. AD CS Account Persistence
      2. AD CS Domain Escalation
      3. AD CS Domain Persistence
      4. AD CS Certificate Theft
    3. Ad Certificates
    4. Ad Dynamic Objects Anti Forensics
    5. AD information in printers
    6. AD DNS Records
    7. Adws Enumeration
    8. ASREPRoast
    9. Badsuccessor Dmsa Migration Abuse
    10. BloodHound & Other AD Enum Tools
    11. Constrained Delegation
    12. Custom SSP
    13. DCShadow
    14. DCSync
    15. Diamond Ticket
    16. DSRM Credentials
    17. External Forest Domain - OneWay (Inbound) or bidirectional
    18. External Forest Domain - One-Way (Outbound)
    19. Golden Dmsa Gmsa
    20. Golden Ticket
    21. Kerberoast
    22. Kerberos Authentication
    23. Kerberos Double Hop Problem
    24. Lansweeper Security
    25. LAPS
    26. MSSQL AD Abuse
    27. Ldap Signing And Channel Binding
    28. Over Pass the Hash/Pass the Key
    29. Pass the Ticket
    30. Password Spraying / Brute Force
    31. PrintNightmare
    32. Force NTLM Privileged Authentication
    33. Privileged Groups
    34. RDP Sessions Abuse
    35. Resource-based Constrained Delegation
    36. Sccm Management Point Relay Sql Policy Secrets
    37. Security Descriptors
    38. SID-History Injection
    39. Silver Ticket
    40. Skeleton Key
    41. Timeroasting
    42. Unconstrained Delegation
  45. Windows Security Controls
    1. UAC - User Account Control
  46. NTLM
    1. Places to steal NTLM creds
  47. Lateral Movement
    1. AtExec / SchtasksExec
    2. DCOM Exec
    3. PsExec/Winexec/ScExec
    4. RDPexec
    5. SCMexec
    6. WinRM
    7. WmiExec
  48. Pivoting to the Cloud (https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/index.html)
  49. Stealing Windows Credentials
    1. Windows Credentials Protections
    2. Mimikatz
    3. WTS Impersonator
    4. Windows Registry Hive Exploitation
  50. Basic Win CMD for Pentesters
  51. Basic PowerShell for Pentesters
    1. PowerView/SharpView
  52. Antivirus (AV) Bypass
  53. Cobalt Strike
  54. Mythic
  55. Protocol Handler Shell Execute Abuse
  56. 📱 Mobile Pentesting
  57. Android APK Checklist
  58. Android Applications Pentesting
    1. Abusing Android Media Pipelines Image Parsers
    2. Accessibility Services Abuse
    3. Android Anti Instrumentation And Ssl Pinning Bypass
    4. Android Application Level Virtualization
    5. Android Applications Basics
    6. Android Enterprise Work Profile Bypass
    7. Android Hce Nfc Emv Relay Attacks
    8. Android Task Hijacking
    9. ADB Commands
    10. APK decompilers
    11. AVD - Android Virtual Device
    12. Bypass Biometric Authentication (Android)
    13. content:// protocol
    14. Drozer Tutorial
      1. Exploiting Content Providers
    15. Exploiting a debuggable application
    16. Firmware Level Zygote Backdoor Libandroid Runtime
    17. Flutter
    18. Frida Tutorial
      1. Frida Tutorial 1
      2. Frida Tutorial 2
      3. Frida Tutorial 3
      4. Objection Tutorial
    19. Google CTF 2018 - Shall We Play a Game?
    20. In Memory Jni Shellcode Execution
    21. Inputmethodservice Ime Abuse
    22. Insecure In App Update Rce
    23. Install Burp Certificate
    24. Intent Injection
    25. Make APK Accept CA Certificate
    26. Manual DeObfuscation
    27. Play Integrity Attestation Bypass
    28. React Native Application
    29. Reversing Native Libraries
    30. Shizuku Privileged Api
    31. Smali - Decompiling, Modifying, Compiling
    32. Spoofing your location in Play Store
    33. Tapjacking
    34. Webview Attacks
  59. iOS Pentesting Checklist
  60. iOS Pentesting
    1. Air Keyboard Remote Input Injection
    2. iOS App Extensions
    3. iOS Basics
    4. iOS Basic Testing Operations
    5. iOS Burp Suite Configuration
    6. iOS Custom URI Handlers / Deeplinks / Custom Schemes
    7. iOS Extracting Entitlements From Compiled Application
    8. iOS Frida Configuration
    9. iOS Hooking With Objection
    10. iOS Pentesting without Jailbreak
    11. iOS Protocol Handlers
    12. iOS Serialisation and Encoding
    13. iOS Testing Environment
    14. iOS UIActivity Sharing
    15. iOS Universal Links
    16. iOS UIPasteboard
    17. iOS WebViews
    18. Itunesstored Bookassetd Sandbox Escape
    19. Zero Click Messaging Image Parser Chains
  61. Cordova Apps
  62. Xamarin Apps
  63. 👽 Network Services Pentesting
  64. 4222 Pentesting Nats
  65. Pentesting JDWP - Java Debug Wire Protocol
  66. Pentesting Printers (http://hacking-printers.net/wiki/index.php/Main_Page)
  67. Pentesting SAP
  68. Pentesting VoIP
    1. Basic VoIP Protocols
      1. SIP (Session Initiation Protocol)
  69. Pentesting Remote GdbServer
  70. 7/tcp/udp - Pentesting Echo
  71. 21 - Pentesting FTP
    1. FTP Bounce attack - Scan
    2. FTP Bounce - Download 2nd FTP file
  72. 22 - Pentesting SSH/SFTP
  73. 23 - Pentesting Telnet
  74. 25,465,587 - Pentesting SMTP/s
    1. SMTP Smuggling
    2. SMTP - Commands
  75. 43 - Pentesting WHOIS
  76. 49 - Pentesting TACACS+
  77. 53 - Pentesting DNS
  78. 69/UDP TFTP/Bittorrent-tracker
  79. 79 - Pentesting Finger
  80. 80,443 - Pentesting Web Methodology
    1. 403 & 401 Bypasses
    2. AEM - Adobe Experience Cloud
    3. Angular
    4. Apache
    5. Artifactory Hacking guide
    6. Bolt CMS
    7. Buckets
      1. Firebase Database
    8. CGI
    9. Custom Protocols
    10. Django
    11. Dotnet Soap Wsdl Client Exploitation
    12. DotNetNuke (DNN)
    13. Drupal
      1. Drupal RCE
    14. Electron Desktop Apps
      1. Electron contextIsolation RCE via preload code
      2. Electron contextIsolation RCE via Electron internal code
      3. Electron contextIsolation RCE via IPC
    15. Flask
    16. Fortinet Fortiweb
    17. Git
    18. Golang
    19. Grafana
    20. GraphQL
    21. H2 - Java SQL database
    22. IIS - Internet Information Services
    23. ImageMagick Security
    24. Ispconfig
    25. JBOSS
    26. Jira & Confluence
    27. Joomla
    28. JSP
    29. Laravel
    30. Microsoft Sharepoint
    31. Moodle
    32. NextJS
    33. Nginx
    34. NodeJS Express
    35. Sitecore
    36. PHP Tricks
      1. PHP - Useful Functions & disable_functions/open_basedir bypass
        1. disable_functions bypass - php-fpm/FastCGI
        2. disable_functions bypass - dl function
        3. disable_functions bypass - PHP 7.0-7.4 (-nix only)
        4. disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
        5. disable_functions - PHP 5.x Shellshock Exploit
        6. disable_functions - PHP 5.2.4 ionCube extension Exploit
        7. disable_functions bypass - PHP <= 5.2.9 on windows
        8. disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
        9. disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
        10. disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
        11. disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
        12. disable_functions bypass - PHP 5.2 - FOpen Exploit
        13. disable_functions bypass - via mem
        14. disable_functions bypass - mod_cgi
        15. disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
      2. Php Rce Abusing Object Creation New Usd Get A Usd Get B
      3. PHP SSRF
    37. Perl Tricks
    38. PrestaShop
    39. Python
    40. Rocket Chat
    41. Ruby Tricks
    42. Special HTTP headers (network-services-pentesting/pentesting-web/special-http-headers.md)
    43. Source code Review / SAST Tools
    44. Special Http Headers
    45. Roundcube
    46. Spring Actuators
    47. Symfony
    48. Tomcat
    49. Telerik Ui Aspnet Ajax Unsafe Reflection Webresource Axd
    50. Uncovering CloudFlare
    51. Vuejs
    52. VMWare (ESX, VCenter...)
    53. Web API Pentesting
    54. WebDav
    55. Werkzeug / Flask Debug
    56. Wordpress
  81. 88tcp/udp - Pentesting Kerberos
    1. Harvesting tickets from Windows
    2. Harvesting tickets from Linux
    3. Wsgi
    4. Zabbix
  82. 110,995 - Pentesting POP
  83. 111/TCP/UDP - Pentesting Portmapper
  84. 113 - Pentesting Ident
  85. 123/udp - Pentesting NTP
  86. 135, 593 - Pentesting MSRPC
  87. 137,138,139 - Pentesting NetBios
  88. 139,445 - Pentesting SMB
    1. Ksmbd Attack Surface And Fuzzing Syzkaller
    2. rpcclient enumeration
  89. 143,993 - Pentesting IMAP
  90. 161,162,10161,10162/udp - Pentesting SNMP
    1. Cisco SNMP
    2. SNMP RCE
  91. 194,6667,6660-7000 - Pentesting IRC
  92. 264 - Pentesting Check Point FireWall-1
  93. 389, 636, 3268, 3269 - Pentesting LDAP
  94. 500/udp - Pentesting IPsec/IKE VPN
  95. 502 - Pentesting Modbus
  96. 512 - Pentesting Rexec
  97. 513 - Pentesting Rlogin
  98. 514 - Pentesting Rsh
  99. 515 - Pentesting Line Printer Daemon (LPD)
  100. 548 - Pentesting Apple Filing Protocol (AFP)
  101. 554,8554 - Pentesting RTSP
  102. 623/UDP/TCP - IPMI
  103. 631 - Internet Printing Protocol(IPP)
  104. 700 - Pentesting EPP
  105. 873 - Pentesting Rsync
  106. 1026 - Pentesting Rusersd
  107. 1080 - Pentesting Socks
  108. 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
  109. 1414 - Pentesting IBM MQ
  110. 1433 - Pentesting MSSQL - Microsoft SQL Server
    1. Types of MSSQL Users
  111. 1521,1522-1529 - Pentesting Oracle TNS Listener
  112. 1723 - Pentesting PPTP
  113. 1883 - Pentesting MQTT (Mosquitto)
  114. 2049 - Pentesting NFS Service
  115. 2301,2381 - Pentesting Compaq/HP Insight Manager
  116. 2375, 2376 Pentesting Docker
  117. 3128 - Pentesting Squid
  118. 3260 - Pentesting ISCSI
  119. 3299 - Pentesting SAPRouter
  120. 3306 - Pentesting Mysql
  121. 3389 - Pentesting RDP
  122. 3632 - Pentesting distcc
  123. 3690 - Pentesting Subversion (svn server)
  124. 3702/UDP - Pentesting WS-Discovery
  125. 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
  126. 4786 - Cisco Smart Install
  127. 4840 - OPC Unified Architecture
  128. 5000 - Pentesting Docker Registry
  129. 5353/UDP Multicast DNS (mDNS) and DNS-SD
  130. 5432,5433 - Pentesting Postgresql
  131. 5439 - Pentesting Redshift
  132. 5555 - Android Debug Bridge
  133. 5601 - Pentesting Kibana
  134. 5671,5672 - Pentesting AMQP
  135. 5800,5801,5900,5901 - Pentesting VNC
  136. 5984,6984 - Pentesting CouchDB
  137. 5985,5986 - Pentesting WinRM
  138. 5985,5986 - Pentesting OMI
  139. 6000 - Pentesting X11
  140. 6379 - Pentesting Redis
  141. 8009 - Pentesting Apache JServ Protocol (AJP)
  142. 8086 - Pentesting InfluxDB
  143. 8089 - Pentesting Splunkd
  144. 8333,18333,38333,18444 - Pentesting Bitcoin
  145. 9000 - Pentesting FastCGI
  146. 9001 - Pentesting HSQLDB
  147. 9042/9160 - Pentesting Cassandra
  148. 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
  149. 9200 - Pentesting Elasticsearch
  150. 10000 - Pentesting Network Data Management Protocol (ndmp)
  151. 11211 - Pentesting Memcache
    1. Memcache Commands
  152. 15672 - Pentesting RabbitMQ Management
  153. 24007,24008,24009,49152 - Pentesting GlusterFS
  154. 27017,27018 - Pentesting MongoDB
  155. 32100 Udp - Pentesting Pppp Cs2 P2p Cameras
  156. 44134 - Pentesting Tiller (Helm)
  157. 44818/UDP/TCP - Pentesting EthernetIP
  158. 47808/udp - Pentesting BACNet
  159. 50030,50060,50070,50075,50090 - Pentesting Hadoop
  160. 🕸️ Pentesting Web
  161. Web Vulnerabilities Methodology
  162. Reflecting Techniques - PoCs and Polyglots CheatSheet
    1. Web Vulns List
  163. 2FA/MFA/OTP Bypass
  164. Account Takeover
  165. Browser Extension Pentesting Methodology
    1. BrowExt - ClickJacking
    2. BrowExt - permissions & host_permissions
    3. BrowExt - XSS Example
    4. Forced Extension Load Preferences Mac Forgery Windows
  166. Bypass Payment Process
  167. Captcha Bypass
  168. Cache Poisoning and Cache Deception
    1. Cache Poisoning via URL discrepancies
    2. Cache Poisoning to DoS
  169. Clickjacking
  170. Client Side Template Injection (CSTI)
  171. Client Side Path Traversal
  172. Command Injection
  173. Content Security Policy (CSP) Bypass
    1. CSP bypass: self + 'unsafe-inline' with Iframes
  174. Cookies Hacking
    1. Cookie Tossing
    2. Cookie Jar Overflow
    3. Cookie Bomb
  175. CORS - Misconfigurations & Bypass
  176. CRLF (%0D%0A) Injection
  177. CSRF (Cross Site Request Forgery)
  178. Dangling Markup - HTML scriptless injection
    1. SS-Leaks
  179. DApps - Decentralized Applications
  180. Dependency Confusion
  181. Deserialization
    1. NodeJS - __proto__ & prototype Pollution
      1. Client Side Prototype Pollution
      2. Express Prototype Pollution Gadgets
      3. Prototype Pollution to RCE
    2. Java JSF ViewState (.faces) Deserialization
    3. Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
    4. Basic Java Deserialization (ObjectInputStream, readObject)
    5. Java Signedobject Gated Deserialization
    6. Livewire Hydration Synthesizer Abuse
    7. PHP - Deserialization + Autoload Classes
    8. CommonsCollection1 Payload - Java Transformers to Runtime exec() and Thread Sleep
    9. Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
    10. Exploiting __VIEWSTATE knowing the secrets
    11. Exploiting __VIEWSTATE without knowing the secrets
    12. Python Yaml Deserialization
    13. JNDI - Java Naming and Directory Interface & Log4Shell
    14. Ruby Json Pollution
    15. Ruby Class Pollution
  182. Domain/Subdomain takeover
  183. Email Injections
  184. File Inclusion/Path traversal
    1. phar:// deserialization
    2. LFI2RCE via PHP Filters
    3. LFI2RCE via Nginx temp files
    4. LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
    5. LFI2RCE via Segmentation Fault
    6. LFI2RCE via phpinfo()
    7. LFI2RCE Via temp file uploads
    8. LFI2RCE via Eternal waiting
    9. LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STDIO + Path Disclosure
  185. File Upload
    1. PDF Upload - XXE and CORS bypass
  186. Formula/CSV/Doc/LaTeX/GhostScript Injection
  187. gRPC-Web Pentest
  188. HTTP Connection Contamination
  189. HTTP Connection Request Smuggling
  190. HTTP Request Smuggling / HTTP Desync Attack
    1. Browser HTTP Request Smuggling
    2. Request Smuggling in HTTP/2 Downgrades
  191. HTTP Response Smuggling / Desync
  192. Upgrade Header Smuggling
  193. hop-by-hop headers
  194. IDOR
  195. JWT Vulnerabilities (Json Web Tokens)
  196. JSON, XML and YAML Hacking
  197. LDAP Injection
  198. Login Bypass
    1. Login bypass List
  199. Mass Assignment Cwe 915
  200. NoSQL injection
  201. OAuth to Account takeover
  202. Open Redirect
  203. ORM Injection
  204. Parameter Pollution | JSON Injection
  205. Phone Number Injections
  206. PostMessage Vulnerabilities
    1. Blocking main page to steal postmessage
    2. Bypassing SOP with Iframes - 1
    3. Bypassing SOP with Iframes - 2
    4. Steal postmessage modifying iframe location
  207. Proxy / WAF Protections Bypass
  208. Race Condition
  209. Rate Limit Bypass
  210. Registration & Takeover Vulnerabilities
  211. Regular expression Denial of Service - ReDoS
  212. Reset/Forgotten Password Bypass
  213. Reverse Tab Nabbing
  214. RSQL Injection
  215. SAML Attacks
    1. SAML Basics
  216. Server Side Inclusion/Edge Side Inclusion Injection
  217. Soap Jax Ws Threadlocal Auth Bypass
  218. SQL Injection
    1. MS Access SQL Injection
    2. MSSQL Injection
    3. MySQL injection
      1. MySQL File priv to SSRF/RCE
    4. Oracle injection
    5. Cypher Injection (neo4j)
    6. Sqlmap
    7. PostgreSQL injection
      1. dblink/lo_import data exfiltration
      2. PL/pgSQL Password Bruteforce
      3. Network - Privesc, Port Scanner and NTLM challenge response disclosure
      4. Big Binary Files Upload (PostgreSQL)
      5. RCE with PostgreSQL Languages
      6. RCE with PostgreSQL Extensions
    8. SQLMap - CheatSheet
      1. Second Order Injection - SQLMap
  219. SSRF (Server Side Request Forgery)
    1. URL Format Bypass
    2. SSRF Vulnerable Platforms
    3. Cloud SSRF
  220. SSTI (Server Side Template Injection)
    1. EL - Expression Language
    2. Jinja2 SSTI
  221. Timing Attacks
  222. Unicode Injection
    1. Unicode Normalization
  223. UUID Insecurities
  224. WebSocket Attacks
  225. Web Tool - WFuzz
  226. XPATH injection
  227. XS Search
  228. XSLT Server Side Injection (Extensible Stylesheet Language Transformations)
  229. XXE - XEE - XML External Entity
  230. XSS (Cross Site Scripting)
    1. Abusing Service Workers
    2. Chrome Cache to XSS
    3. Debugging Client Side JS
    4. Dom Clobbering
    5. DOM Invader
    6. DOM XSS
    7. Iframes in XSS, CSP and SOP
    8. Integer Overflow
    9. JS Hoisting
    10. Misc JS Tricks & Relevant Info
    11. PDF Injection
    12. Server Side XSS (Dynamic PDF)
    13. Shadow DOM
    14. SOME - Same Origin Method Execution
    15. Sniff Leak
    16. Steal Info JS
    17. Wasm Linear Memory Template Overwrite Xss
    18. XSS in Markdown
  231. XSSI (Cross-Site Script Inclusion)
  232. XS-Search/XS-Leaks
    1. Connection Pool Examples
    2. Connection Pool by Destination Example
    3. Cookie Bomb + Onerror XS Leak
    4. URL Max Length - Client Side
    5. performance.now example
    6. performance.now + Force heavy task
    7. Event Loop Blocking + Lazy images
    8. JavaScript Execution XS Leak
    9. CSS Injection
      1. CSS Injection Code
      2. LESS Code Injection
  233. Iframe Traps
  234. ⛈️ Cloud Security
  235. Pentesting Kubernetes (https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/index.html)
  236. Pentesting Cloud (AWS, GCP, Az...) (https://cloud.hacktricks.wiki/en/pentesting-cloud/pentesting-cloud-methodology.html)
  237. Pentesting CI/CD (Github, Jenkins, Terraform...) (https://cloud.hacktricks.wiki/en/pentesting-ci-cd/pentesting-ci-cd-methodology.html)
  238. 😎 Hardware/Physical Access
  239. Physical Attacks
  240. Escaping from KIOSKs
  241. Firmware Analysis
    1. Android Mediatek Secure Boot Bl2 Ext Bypass El3
    2. Bootloader testing
    3. Firmware Integrity
  242. 🎯 Binary Exploitation
  243. Basic Stack Binary Exploitation Methodology
    1. ELF Basic Information
    2. Exploiting Tools
      1. PwnTools
  244. Stack Overflow
    1. Pointer Redirecting
    2. Ret2win
      1. Ret2win - arm64
    3. Stack Shellcode
      1. Stack Shellcode - arm64
    4. Stack Pivoting
    5. Uninitialized Variables
    6. ROP & JOP
    7. BROP - Blind Return Oriented Programming
    8. Ret2csu
    9. Ret2dlresolve
    10. Ret2esp / Ret2reg
    11. Ret2lib
      1. Leaking libc address with ROP
        1. Leaking libc - template
      2. One Gadget
      3. Ret2lib + Printf leak - arm64
    12. Ret2syscall
      1. Ret2syscall - arm64
    13. Ret2vDSO
    14. SROP - Sigreturn-Oriented Programming
      1. SROP - arm64
    15. Mediatek Xflash Carbonara Da2 Hash Bypass
    16. Synology Encrypted Archive Decryption
    17. Windows SEH Overflow
  245. Array Indexing
  246. Chrome Exploiting
  247. Common Exploiting Problems Unsafe Relocation Fixups
  248. Integer Overflow
  249. Format Strings
    1. Format Strings - Arbitrary Read Example
    2. Format Strings Template
  250. Libc Heap
    1. Bins & Memory Allocations
    2. Heap Memory Functions
      1. free
      2. malloc & sysmalloc
      3. unlink
      4. Heap Functions Security Checks
    3. Use After Free
      1. First Fit
    4. Double Free
    5. Gnu Obstack Function Pointer Hijack
    6. Overwriting a freed chunk
    7. Heap Overflow
    8. Unlink Attack
    9. Fast Bin Attack
    10. Unsorted Bin Attack
    11. Large Bin Attack
    12. Tcache Bin Attack
    13. Off by one overflow
    14. House of Spirit
    15. House of Lore | Small bin Attack
    16. House of Einherjar
    17. House of Force
    18. House of Orange
    19. House of Rabbit
    20. House of Roman
  251. Common Binary Exploitation Protections & Bypasses
    1. ASLR
      1. Ret2plt
      2. Ret2ret & Ret2pop
    2. CET & Shadow Stack
    3. Libc Protections
    4. Memory Tagging Extension (MTE)
    5. No-exec / NX
    6. PIE
      1. BF Addresses in the Stack
    7. Relro
    8. Stack Canaries
      1. BF Forked & Threaded Stack Canaries
      2. Print Stack Canary
  252. Write What Where 2 Exec
    1. Aw2exec Sips Icc Profile
    2. WWW2Exec - atexit()
    3. WWW2Exec - .dtors & .fini_array
    4. WWW2Exec - GOT/PLT
    5. WWW2Exec - __malloc_hook & __free_hook
    6. Virtualbox Slirp Nat Packet Heap Exploitation
  253. Common Exploiting Problems
  254. Adreno A7xx Sds Rb Priv Bypass Gpu Smmu Kernel Rw
  255. Af Unix Msg Oob Uaf Skb Primitives
  256. Arm64 Static Linear Map Kaslr Bypass
  257. Ksmbd Streams Xattr Oob Write Cve 2025 37947
  258. Pixel Bigwave Bigo Job Timeout Uaf Kernel Write
  259. Linux kernel exploitation - toctou
  260. PS5 Compromise
  261. Vmware Workstation Pvscsi Lfh Escape
  262. Windows Exploiting (Basic Guide - OSCP lvl)
  263. Windows Vectored Overloading
  264. iOS Exploiting
    1. ios CVE-2020-27950-mach_msg_trailer_t
    2. ios CVE-2021-30807-IOMobileFrameBuffer
    3. Imessage Media Parser Zero Click Coreaudio Pac Bypass
    4. ios Corellium
    5. ios Heap Exploitation
    6. ios Physical UAF - IOSurface
    7. Webkit Dfg Store Barrier Uaf Angle Oob
  265. 🤖 AI
  266. AI Security
    1. Ai Assisted Fuzzing And Vulnerability Discovery
    2. AI Security Methodology
    3. Burp MCP: LLM-assisted traffic review
    4. AI MCP Security
    5. AI Model Data Preparation
    6. AI Models RCE
    7. AI Prompts
    8. AI Risk Frameworks
    9. AI Supervised Learning Algorithms
    10. AI Unsupervised Learning Algorithms
    11. AI Reinforcement Learning Algorithms
    12. LLM Training
      1. 0. Basic LLM Concepts
      2. 1. Tokenizing
      3. 2. Data Sampling
      4. 3. Token Embeddings
      5. 4. Attention Mechanisms
      6. 5. LLM Architecture
      7. 6. Pre-training & Loading models
      8. 7.0. LoRA Improvements in fine-tuning
      9. 7.1. Fine-Tuning for Classification
      10. 7.2. Fine-Tuning to follow instructions
  267. 🔩 Reversing
  268. Reversing Tools & Basic Methods
    1. Angr
      1. Angr - Examples
    2. Z3 - Satisfiability Modulo Theories (SMT)
    3. Cheat Engine
    4. Blobrunner
  269. Common API used in Malware
  270. Word Macros
  271. 🕵️ Crypto
  272. Crypto
  273. Crypto CTF Workflow
  274. Symmetric Crypto
  275. Hashes, MACs & KDFs
  276. Public-Key Crypto
    1. RSA Attacks
  277. TLS & Certificates
  278. Crypto in Malware
  279. Crypto CTF Misc
  280. 🔮 Stego
  281. Stego
  282. Stego Workflow
  283. Images
  284. Audio
  285. Text Stego
  286. Documents
  287. Malware & Network Stego
  288. ✍️ TODO
  289. Interesting Http
  290. Rust Basics
  291. More Tools
  292. Hardware Hacking
    1. Fault Injection Attacks
    2. I2C
    3. Side Channel Analysis
    4. UART
    5. Radio
    6. JTAG
    7. SPI
  293. Industrial Control Systems Hacking
    1. Modbus Protocol
  294. Radio Hacking
    1. Maxiprox Mobile Cloner
    2. Pentesting RFID
    3. Infrared
    4. Sub-GHz RF
    5. iButton
    6. Flipper Zero
      1. FZ - NFC
      2. FZ - Sub-GHz
      3. FZ - Infrared
      4. FZ - iButton
      5. FZ - 125kHz RFID
    7. Proxmark 3
    8. FISSURE - The RF Framework
    9. Low-Power Wide Area Network
    10. Pentesting BLE - Bluetooth Low Energy
  295. Test LLMs
  296. Burp Suite
  297. Other Web Tricks
  298. Interesting HTTP (todo/interesting-http.md)
  299. Android Forensics
  300. Online Platforms with API
  301. Stealing Sensitive Information Disclosure from a Web
  302. Post Exploitation
  303. Investment Terms
  304. Cookies Policy