Hacktricks 179 Best [hot]

Since "179" is not a standard chapter number in the official HackTricks book (which is organized by technology like Linux, Windows, Cloud, etc.), I will provide a comprehensive write-up on what HackTricks is, why it is considered the "best" resource for security professionals, and highlight some of the specific techniques that are often cited as "best" or "top-tier" (which might correspond to high-ranking entries on bookmark lists).

Here is a write-up on the topic.

---

Quick reference: Tools mentioned

• Recon: amass, subfinder, crt.sh, shodan, censys
• Scanning: nmap, massdns, ffuf, gobuster, dirsearch
• Exploitation: sqlmap, msfvenom, Metasploit, ysoserial, Mimikatz, impacket
• Post-exploitation: LinPEAS/WinPEAS, Rubeus, responder, PowerShell Empire techniques
• Cloud & CI: awscli, truffleHog, kube-hunter, kubectl, scout2
• Network: Wireshark/tshark, Bettercap, mitmproxy, aircrack-ng, tcpdump

---

1–20: Reconnaissance — discovery and information gathering

1. Passive DNS enumeration

   • Use securitytrails, VirusTotal, or PassiveTotal APIs to collect historical DNS records.
   • Goal: find old subdomains and infrastructure.

2. Subdomain enumeration (wordlist + brute)

   • Tools: subfinder, assetfinder, amass, crt.sh, certspotter.
   • Command example: amass enum -d target.com -o amass.txt

3. Subdomain takeover check

   • Check CNAMEs pointing to absent services (e.g., GitHub pages, AWS S3).
   • Use tko-subs or subjack: subjack -w subdomains.txt -t 100 -timeout 30 -o takeover.txt

4. DNS zone transfer attempt

   • dig axfr @ns1.target.com target.com

5. DNS brute-force

   • Tools: dnsenum, fierce, massdns with a wordlist for speed.

6. Reverse IP lookup / virtual host discovery

   • Use crt.sh, censys, Shodan, or crtsearch.

7. Port scanning (fast then full)

   • Nmap fast: nmap -sS -T4 -p- --min-rate 1000 target -oA nmap-fast
   • Then version: nmap -sC -sV -p <open_ports> -oA nmap-service

8. Service fingerprinting

   • Tools: nmap scripts, httprobe, WhatWeb, Wappalyzer.

9. Web crawling & content discovery

   • Tools: gobuster, dirsearch, ffuf. Example: ffuf -u https://target/FUZZ -w common.txt -mc 200

10. Fuzzing parameters and endpoints

    • Use wfuzz/ffuf with wordlists; target common parameters (id, page, q).

11. Credential and secret harvesting from public repos

    • Search GitHub/GitLab for “password”, “aws_access_key_id”, .env files. Use truffleHog, gitrob.

12. WHOIS and contact harvesting

    • whois target.com; check registrant email for phishing or social engineering vectors.

13. OSINT on personnel (profiles, emails)

    • Use hunter.io, LinkedIn, Clearbit, PwnedEmails.

14. Staff email permutation generation

    • Generate patterns: first.last@domain, etc. Use account-existence checks.

15. Shodan / Censys infrastructure search

    • Query for product versions, exposed services, or API keys.

16. Cloud resource discovery (AWS/GCP/Azure)

    • Search for exposed buckets, metadata endpoints, IAM misconfigs. Tools: scout2, CloudSploit.

17. API enumeration & swagger discovery

    • Look for swagger.json, openapi.json; use Burp to map.

18. Sitemap and robots.txt analysis

    • Check /sitemap.xml and /robots.txt for hidden paths.

19. Certificate transparency monitoring

    • Use crt.sh to find subdomains and cert-related history.

20. Rate-limited endpoint fingerprinting

    • Use scheduled, low-noise scans; randomize requests and respect rate limits.

---

21–40: Web application testing — common vulnerabilities

21. SQL Injection (basic GET/POST)

    • Test with ' OR '1'='1' -- ; use sqlmap: sqlmap -u "http://t/?id=1" --batch

22. Blind SQLi (time-based)

    • Use sleep-based payloads or sqlmap --technique=T

23. NoSQL Injection (MongoDB)

    • Test payloads: "$ne": null, use Burp intruder or NoSQLMap.

24. Command injection (OS)

    • Test ; ls -la, && whoami; use burp and parameterized payloads.

25. SSTI (Server-Side Template Injection)

    • Try 77, $77, and payloads for Jinja, Twig, etc. Use Tplmap.

26. XSS (Stored, Reflected, DOM)

    • Test common payloads , DOM-based using DOM analyzer.

27. CSRF testing

    • Check for missing CSRF tokens on state-changing requests; attempt forged requests.

28. IDOR / Insecure Direct Object Reference

    • Iterate numeric IDs, attempt access to other users' data.

29. Authentication bypass (logic flaws)

    • Test password reset flows, enumable tokens, privileged endpoint access.

30. Session fixation and session hijacking

    • Test cookie attributes (HttpOnly, Secure, SameSite) and session token predictability.

31. File upload vulnerabilities (unrestricted)

    • Upload webshells, bypass extension checks with polyglot GIF-PHP, double extensions.

32. Insecure deserialization

    • Test for serialized PHP/Java objects; use ysoserial for Java gadgets.

33. SSRF (Server-Side Request Forgery)

    • Attempt internal endpoint access (http://127.0.0.1:80), metadata IPs, gopher payloads.

34. Rate limiting abuse / brute-force

    • Test authentication endpoints for lockout and implement exponential backoff.

35. Business logic flaws

    • Try price manipulation, coupon stacking, workflow bypass.

36. Clickjacking vulnerability check

    • Check X-Frame-Options header; attempt framing attack.

37. Remote file inclusion (RFI/LFI)

    • LFI string traversal (../../etc/passwd), RFI via file:// or http:// URL in include.

38. XML External Entity (XXE)

    • Send XML with external entities to read files or SSRF out.

39. Cache poisoning / HTTP request smuggling

    • Test ambiguous Content-Length and Transfer-Encoding headers.

40. OAuth & SSO misconfigurations

    • Check redirect_uri whitelist, token leakage, open redirects.

---

1. Linux Privilege Escalation (Top 30)

| # | Trick | Command / Technique | |---|-------|----------------------| | 1 | Find SUID binaries | find / -perm -4000 2>/dev/null | | 2 | Exploit writable /etc/passwd | openssl passwd -1 -salt hacker password → add entry | | 3 | Sudo abuse (CVE-2021-3156) | sudoedit -s / | | 4 | LD_PRELOAD injection | Compile malicious .so → LD_PRELOAD=./mal.so ./suid_bin | | 5 | Docker group escape | docker run -v /:/mnt -it alpine | | 6 | Cron job wildcard injection | Write to /etc/cron.hourly/ with wildcard commands | | 7 | PATH hijacking | PATH=.:$PATH then create malicious ls | | 8 | NFS no_root_squash | mount -o rw,vers=2 and write SUID | | 9 | Capabilities – CAP_SETUID | ./binary -p to spawn root shell | | 10 | LXD group abuse | lxc init alpine -c security.privileged=true | | ... | ... | ... | | 30 | Kernel exploits (check distro) | uname -a → searchsploit |

61–80: Network attacks & defenses evasion

61. ARP poisoning / MITM (mitmproxy, Bettercap)

    • Enable IP forwarding and route traffic through attacker box for inspection.

62. DNS spoofing / poisoned responses

    • Use dnsspoof or Bettercap; craft fake responses for targeted hosts.

63. WPA/WPA2 Wi‑Fi attack basics (handshake capture) hacktricks 179 best

    • Use aircrack-ng suite: airodump-ng, aireplay-ng, aircrack-ng.

64. Evil Twin / captive portal attacks

    • Host open AP, intercept traffic, present fake login.

65. Deauth attacks to capture WPA handshakes

    • aireplay-ng --deauth 0 -a -c wlan0mon

66. Bluetooth Low Energy reconnaissance

    • Use bluetoothctl, gatttool, bettercap BLE modules.

67. IPv6 attack surface and SLAAC abuse

    • Check for exposed IPv6 services and transition mechanisms.

68. MAC flooding / switch CAM overflow

    • Simulate many MAC addresses to force fallback to hub behavior.

69. DNS tunneling for data exfiltration

    • Use iodine or dnscat2 to tunnel traffic over DNS.

70. Covert channels using ICMP, HTTP, or DNS

    • Exfiltrate small data with base64 over ICMP or DNS TXT records.

71. BGP hijacking basics (overview)

    • Monitor routing announcements for suspicious origin AS; advanced attacks require infra.

72. Wireless WPA3 downgrade vectors (if misconfigured)

    • Check implementations for downgrade to WPA2.

73. Evading IDS/IPS with fragmentation and obfuscation

    • Fragment packets, alter payloads, randomize timing.

74. Tunneling via HTTPS (stunnel, nginx reverse proxy)

    • Wrap traffic in TLS to blend with normal traffic.

75. Using ICMP for tunneling and command-and-control

    • Implement c2 channels over ICMP for stealth.

76. ARP cache poisoning detection evasion

    • Maintain proper timing and ARP responses to avoid detection noise.

77. IPv4 fragmentation-based evasion for signature detection

    • Break exploit payloads across fragments.

78. SMB relay to escalate access on Windows networks Since "179" is not a standard chapter number

    • Use ntlmrelayx.py with relay to SMB/HTTP endpoints.

79. Exploiting UPnP and SSDP devices on LAN

    • Use upnpc and search for exposed devices to pivot.

80. Passive network sniffing (tshark, tcpdump)

    • Capture and analyze traffic for credentials and tokens.

---