Skip to content

The Hacker Recipes

Main Navigation Tools Exegol

Appearance

Sidebar Navigation

Active Directory

Reconnaissance

DHCP

DNS

NBT-NS

Responder ⚙️

Port scanning

LDAP

BloodHound ⚙️

MS-RPC

enum4linux ⚙️

Password policy

Movement

Credentials

Dumping

SAM & LSA secrets

DPAPI secrets

NTDS secrets

LSASS secrets

DCSync

Group Policy Preferences

Network shares

Network protocols

Web browsers

In-memory secrets

Kerberos key list

🛠️ Cached Kerberos tickets

Windows Credential Manager

🛠️ Local files

🛠️ Password managers

Cracking

Bruteforcing

Guessing

Spraying

Stuffing

Shuffling

Impersonation

MITM and coerced auths

ARP poisoning

DNS spoofing

DHCP poisoning

DHCPv6 spoofing

WSUS spoofing

LLMNR, NBT-NS, mDNS spoofing

ADIDNS poisoning

WPAD spoofing

MS-EFSR abuse (PetitPotam)

MS-RPRN abuse (PrinterBug)

MS-FSRVP abuse (ShadowCoerce)

MS-DFSNM abuse (DFSCoerce)

PushSubscription abuse

WebClient abuse (WebDAV)

🛠️ NBT Name Overwrite

🛠️ ICMP Redirect

🛠️ Living off the land

NTLM

Capture

Relay

Pass the hash

Kerberos

Pre-auth bruteforce

Pass the key

Overpass the hash

Pass the ticket

Pass the cache

Relay

Forged tickets

Silver tickets

Golden tickets

Diamond tickets

Sapphire tickets

RODC Golden tickets

MS14-068

ASREQroast

ASREProast

Kerberoast

Delegations

(KUD) Unconstrained

(KCD) Constrained

(RBCD) Resource-based constrained

S4U2self abuse

Bronze Bit

Shadow Credentials

UnPAC the hash

Pass the Certificate

sAMAccountName spoofing

SPN-jacking

DACL abuse

AddMember

ForceChangePassword

Targeted Kerberoasting

ReadLAPSPassword

ReadGMSAPassword

Grant ownership

Grant rights

Logon script

Rights on RODC object

Group policies

Trusts

Netlogon

ZeroLogon

Certificate Services (AD-CS)

Certificate templates

Certificate authority

Access controls

Unsigned endpoints

Certifried

SCCM / MECM

Privilege escalation

Lateral movement

Exchange services

🛠️ PrivExchange

🛠️ ProxyLogon

🛠️ ProxyShell

Print Spooler Service

PrinterBug

PrintNightmare

Schannel

Pass the Certificate

Built-ins & settings

Security groups

MachineAccountQuota

Pre-Windows 2000 computers

RODC

Persistence

DC Shadow

SID History

Skeleton key

GoldenGMSA

AdminSDHolder

Kerberos

Forged tickets

Delegation to KRBTGT

Certificate Services (AD-CS)

Certificate authority

Access controls

🛠️ Golden certificate

🛠️ DACL abuse

Shadow Principals (PAM)

Web services

Reconnaissance

HTTP response headers

Comments and metadata

Error messages

Site crawling

Directory fuzzing

Subdomains enumeration

Subdomain & vhost fuzzing

Web Application Firewall (WAF)

Content Management System (CMS)

Other technologies

Known vulnerabilities

Configuration

Default credentials

HTTP methods

HTTP security headers

Clickjacking

MIME type sniffing

🛠️ CORS (Cross-Origin Resource Sharing)

🛠️ CSP (Content Security Policy)

HTTP request smuggling

HTTP response splitting

Insecure Cookies

Denial of Service (DoS)

Identity and Access Management

🛠️ OAuth 2.0

Accounts and sessions

Security policies

Password change

🛠️ Password reset

Account creation

🛠️ Account deletion

🛠️ Logging in

User inputs

File inclusion

LFI to RCE

logs poisoning

phpinfo

file upload

PHP wrappers and streams

PHP session

/proc

RFI to RCE

Unrestricted file upload

SQL injection

XSS (Cross-Site Scripting)

CSRF (Cross-Site Request Forgery)

SSRF (Server-Side Request Forgery)

IDOR (Insecure Direct Object Reference)

ORED Open redirect

Content-Type juggling

XXE injection

Insecure JSON Web Tokens

HTTP parameter pollution

🛠️ SSTI (Server-Side Template Injection)

🛠️ Insecure deserialization

🛠️ CRLF injection

🛠️ Arbitrary file download

🛠️ Directory traversal

🛠️ Null-byte injection

🛠️ API Pentest

Systems & services

Reconnaissance

🛠️ Hosts discovery

Port scanning

Initial access (protocols)

🛠️ FTP

🛠️ SSH

🛠️ Telnet

🛠️ DNS

🛠️ HTTP

🛠️ Kerberos

🛠️ LDAP

🛠️ SMB

🛠️ RTSP

🛠️ MSSQL

🛠️ NFS

🛠️ MySQL

🛠️ WinRM

Initial access (phishing)

Privilege escalation

Windows

🛠️ Credential dumping

🛠️ Unquoted path

🛠️ Scheduled tasks

🛠️ Weak service permissions

🛠️ Vulnerable drivers

🛠️ Account privileges

🛠️ Kernel exploitation

🛠️ Windows Subsystem for Linux

🛠️ Runas saved creds

Unattend files

🛠️ Network secrets

🛠️ Living off the land

UNIX-like

SUDO

SUID/SGID binaries

🛠️ Capabilities

🛠️ Network secrets

🛠️ Living off the land

Pivoting

🛠️ Port forwarding

🛠️ SOCKS proxy

Evasion

(AV) Anti-Virus

🛠️ Loader

🛠️ Dropper

🛠️ Obfuscation

🛠️ Process injection

🛠️ Stealth with C2

🛠️ (EDR) Endpoint Detection and Response

Physical

Locks

Networking

Network Access Control

Machines

HID injection

Keylogging

BIOS security

Encryption

Airstrike attack

Super secret zones

🍌 Banana & chocolate cake

🍳 Omelette du fromage

🍔 Burger du seigneur

🥞 The Pancakes of Heaven

Intelligence gathering

CYBINT

Emails

Web infrastructure

OSINT

GEOINT

Radio

RFID

Mifare Classic

Default keys

Darkside

Nested

Bluetooth

Wi-Fi

WEP

🛠️ WPA2

🛠️ WPA3

WPS

Wireless keyboard/mouse

Mobile apps

Android

Android Debug Bridge ⚙️

APK transform

iOS

Certificate pinning

Contributing to THR

Write 📝

Donate ❤️

Buy ads 🌟

On this page

Keep us growing

Support THR

Consider donating

Pass the cache

This technique is equivalent to pass the ticket. Instead of using Kerberos tickets from, or found on, Windows systems, it's based of UNIX-like formatted tickets that serve the exact same purpose.

Read the Pass the ticket article for more insight

Contribute to this page

Last updated:

Pager

Previous pagePass the ticket

Terms Privacy About