SUMMARY.md

Summary

• InfoSec Notes

General

• External recon
• Ports scan
• Bind / reverse shells
• File transfer / exfiltration
• Pivoting
• Passwords cracking

Active Directory

• Recon - Domain Recon
• Recon - AD scanners
• Exploitation - NTLM capture and relay
• Exploitation - Password spraying
• Exploitation - Domain Controllers CVE
• Exploitation - Kerberos AS_REP roasting
• Exploitation - Credentials theft shuffling
• Exploitation - GPP and shares searching
• Exploitation - Kerberos Kerberoasting
• Exploitation - ACL exploiting
• Exploitation - GPO users rights
• Exploitation - Active Directory Certificate Services
• Exploitation - Kerberos tickets usage
• Exploitation - Kerberos silver tickets
• Exploitation - Kerberos delegations
• Exploitation - gMS accounts (gMSAs)
• Exploitation - Azure AD Connect
• Exploitation - Operators to Domain Admins
• Post Exploitation - ntds.dit dumping
• Post Exploitation - Kerberos golden tickets
• Post Exploitation - Trusts hopping
• Post Exploitation - Persistence

L7

• Methodology
• 21 - FTP
• 22 - SSH
• 25 - SMTP
• 53 - DNS
• 111 / 2049 - NFS
• 113 - Ident
• 135 - MSRPC
• 137-139 - NetBIOS
• 161 - SNMP
• 389 / 3268 - LDAP
• 445 - SMB
• 512 / 513 - REXEC / RLOGIN
• 554 - RTSP
• 1099 - JavaRMI
• 1433 - MSSQL
• 1521 - ORACLE_DB
• 3128 - Proxy
• 3306 - MySQL
• 3389 - RDP
• 5985 / 5986 - WSMan
• 8000 - JDWP
• 9100 - Printers
• 11211 - memcached
• 27017 / 27018 - MongoDB

Windows

• Shellcode and PE loader
• Bypass PowerShell ConstrainedLanguageMode
• Bypass AppLocker
• Local privilege escalation
• Post exploitation
  • Credentials dumping
  • Defense evasion
  • Local persistence
• Lateral movements
  • Local credentials re-use
  • Over SMB
  • Over WinRM
  • Over WMI
  • Over DCOM
  • CrackMapExec

Linux

• Local privilege escalation
• Post exploitation

DFIR

• Common
  • Image acquisition and mounting
  • Memory forensics
  • Web logs analysis
  • Browsers forensics
  • Email forensics
  • Docker forensics
• Windows
  • Artefacts overview
    • Amcache
    • EVTX
    • Jumplist
    • LNKFile
    • MFT
    • Outlook_files
    • Prefetch
    • RecentFilecache
    • RecycleBin
    • Shellbags
    • Shimcache
    • SRUM
    • Timestamps
    • User Access Logging (UAL)
    • UsnJrnl
    • Miscellaneous
  • TTPs analysis
    • Accounts usage
    • Local persistence
    • Lateral movement
    • PowerShell activity
    • Program execution
    • Timestomping
    • EVTX integrity
    • System uptime
    • ActiveDirectory replication metadata
    • ActiveDirectory persistence
• Linux
  • Artefacts overview
  • TTPs analysis
    • Timestomping
• Cloud
  • Azure
  • AWS
• Tools
  • Velociraptor
  • KAPE
  • Dissect
  • plaso
  • Splunk usage

Red Team specifics

• Phishing - Office Documents
• OpSec Operating Systems environment
• EDR bypass with EDRSandBlast
• Cobalt Strike

Web applications

• Recon - Server exposure
• Recon - Hostnames discovery
• Recon - Application mapping
• Recon - Attack surface overview
• CMS & softwares
  • ColdFusion
  • DotNetNuke
  • Jenkins
  • Jira
  • Ovidentia
  • WordPress
  • WebDAV
• Exploitation - Overview
• Exploitation - Authentication
• Exploitation - LDAP injections
• Exploitation - Local and remote file inclusions
• Exploitation - File upload
• Exploitation - SQL injections
  • SQLMAP.md
  • MSSQL.md
  • MySQL.md
  • SQLite.md
• Exploitation - NoSQL injections
  • NoSQLMap.md
  • mongoDB.md
• Exploitation - GraphQL

Binary exploitation

• Linux - ELF64 ROP leaks
• (Very) Basic reverse

Android

• Basic static analysis

Miscellaneous

• Regex 101
• WinDbg Kernel
• Basic coverage guided fuzzing