Skip to content

Main Navigation Tools Exegol

Appearance

Sidebar Navigation

Active Directory

Reconnaissance

DHCP

DNS

NBT-NS

Responder ⚙️

Port scanning

LDAP

BloodHound ⚙️

MS-RPC

enum4linux ⚙️

Password policy

Movement

Credentials

Dumping

SAM & LSA secrets

DPAPI secrets

NTDS secrets

LSASS secrets

DCSync

Group Policy Preferences

Network shares

Network protocols

Web browsers

In-memory secrets

Kerberos key list

🛠️ Cached Kerberos tickets

Windows Credential Manager

🛠️ Local files

🛠️ Password managers

Cracking

Bruteforcing

Guessing

Spraying

Stuffing

Shuffling

Impersonation

MITM and coerced auths

ARP poisoning

DNS spoofing

DHCP poisoning

DHCPv6 spoofing

WSUS spoofing

LLMNR, NBT-NS, mDNS spoofing

ADIDNS poisoning

WPAD spoofing

MS-EFSR abuse (PetitPotam)

MS-RPRN abuse (PrinterBug)

MS-FSRVP abuse (ShadowCoerce)

MS-DFSNM abuse (DFSCoerce)

PushSubscription abuse

WebClient abuse (WebDAV)

🛠️ NBT Name Overwrite

🛠️ ICMP Redirect

🛠️ Living off the land

NTLM

Capture

Relay

Pass the hash

Kerberos

Pre-auth bruteforce

Pass the key

Overpass the hash

Pass the ticket

Pass the cache

Relay

Forged tickets

Silver tickets

Golden tickets

Diamond tickets

Sapphire tickets

RODC Golden tickets

MS14-068

ASREQroast

ASREProast

Kerberoast

Delegations

(KUD) Unconstrained

(KCD) Constrained

(RBCD) Resource-based constrained

S4U2self abuse

Bronze Bit

Shadow Credentials

UnPAC the hash

Pass the Certificate

sAMAccountName spoofing

SPN-jacking

DACL abuse

AddMember

ForceChangePassword

Targeted Kerberoasting

ReadLAPSPassword

ReadGMSAPassword

Grant ownership

Grant rights

Logon script

Rights on RODC object

Group policies

Trusts

Netlogon

ZeroLogon

Certificate Services (AD-CS)

Certificate templates

Certificate authority

Access controls

Unsigned endpoints

Certifried

SCCM / MECM

Privilege escalation

Lateral movement

Exchange services

🛠️ PrivExchange

🛠️ ProxyLogon

🛠️ ProxyShell

Print Spooler Service

PrinterBug

PrintNightmare

Schannel

Pass the Certificate

Built-ins & settings

Security groups

MachineAccountQuota

Pre-Windows 2000 computers

RODC

Persistence

DC Shadow

SID History

Skeleton key

GoldenGMSA

AdminSDHolder

Kerberos

Forged tickets

Delegation to KRBTGT

Certificate Services (AD-CS)

Certificate authority

Access controls

🛠️ Golden certificate

🛠️ DACL abuse

Shadow Principals (PAM)

Web services

Reconnaissance

HTTP response headers

Comments and metadata

Error messages

Site crawling

Directory fuzzing

Subdomains enumeration

Subdomain & vhost fuzzing

Web Application Firewall (WAF)

Content Management System (CMS)

Other technologies

Known vulnerabilities

Configuration

Default credentials

HTTP methods

HTTP security headers

Clickjacking

MIME type sniffing

🛠️ CORS (Cross-Origin Resource Sharing)

🛠️ CSP (Content Security Policy)

HTTP request smuggling

HTTP response splitting

Insecure Cookies

Denial of Service (DoS)

Identity and Access Management

🛠️ OAuth 2.0

Accounts and sessions

Security policies

Password change

🛠️ Password reset

Account creation

🛠️ Account deletion

🛠️ Logging in

User inputs

File inclusion

LFI to RCE

logs poisoning

phpinfo

file upload

PHP wrappers and streams

PHP session

/proc

RFI to RCE

Unrestricted file upload

SQL injection

XSS (Cross-Site Scripting)

CSRF (Cross-Site Request Forgery)

SSRF (Server-Side Request Forgery)

IDOR (Insecure Direct Object Reference)

ORED Open redirect

Content-Type juggling

XXE injection

Insecure JSON Web Tokens

HTTP parameter pollution

🛠️ SSTI (Server-Side Template Injection)

🛠️ Insecure deserialization

🛠️ CRLF injection

🛠️ Arbitrary file download

🛠️ Directory traversal

🛠️ Null-byte injection

🛠️ API Pentest

Systems & services

Reconnaissance

🛠️ Hosts discovery

Port scanning

Initial access (protocols)

🛠️ FTP

🛠️ SSH

🛠️ Telnet

🛠️ DNS

🛠️ HTTP

🛠️ Kerberos

🛠️ LDAP

🛠️ SMB

🛠️ RTSP

🛠️ MSSQL

🛠️ NFS

🛠️ MySQL

🛠️ WinRM

Initial access (phishing)

Privilege escalation

Windows

🛠️ Credential dumping

🛠️ Unquoted path

🛠️ Scheduled tasks

🛠️ Weak service permissions

🛠️ Vulnerable drivers

🛠️ Account privileges

🛠️ Kernel exploitation

🛠️ Windows Subsystem for Linux

🛠️ Runas saved creds

Unattend files

🛠️ Network secrets

🛠️ Living off the land

UNIX-like

SUDO

SUID/SGID binaries

🛠️ Capabilities

🛠️ Network secrets

🛠️ Living off the land

Pivoting

🛠️ Port forwarding

🛠️ SOCKS proxy

Evasion

(AV) Anti-Virus

🛠️ Loader

🛠️ Dropper

🛠️ Obfuscation

🛠️ Process injection

🛠️ Stealth with C2

🛠️ (EDR) Endpoint Detection and Response

Physical

Locks

Networking

Network Access Control

Machines

HID injection

Keylogging

BIOS security

Encryption

Airstrike attack

Super secret zones

🍌 Banana & chocolate cake

🍳 Omelette du fromage

🍔 Burger du seigneur

🥞 The Pancakes of Heaven

Intelligence gathering

CYBINT

Emails

Web infrastructure

OSINT

GEOINT

Radio

RFID

Mifare Classic

Default keys

Darkside

Nested

Bluetooth

Wi-Fi

WEP

🛠️ WPA2

🛠️ WPA3

WPS

Wireless keyboard/mouse

Mobile apps

Android

Android Debug Bridge ⚙️

APK transform

iOS

Certificate pinning

Contributing to THR

Write 📝

Donate ❤️

Buy ads 🌟

On this page

Keep us growing

Support THR

Consider donating

🛠️ PrivExchange

PushSubscription + ACE abuse

Contribute to this page

Last updated:

Pager

Previous pageLateral movement

Next page🛠️ ProxyLogon

Terms Privacy About

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Certificate Services (AD-CS)

SCCM / MECM

Certificate Services (AD-CS)

HTTP security headers

File inclusion

LFI to RCE

Windows

UNIX-like

Mifare Classic

🛠️ PrivExchange ​

🛠️ PrivExchange