### Trailmark Installation and Basic Usage Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-methodologies-and-resources/fuzzing.md Command-line example showing how to install Trailmark and run complexity analysis on a project. ```bash uv pip install trailmark trailmark analyze --complexity 10 path/to/project ``` -------------------------------- ### Install Volatility2 (Method 2) Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md These commands clone the Volatility2 repository and install it using Python's setup script. This method requires Git and Python. ```bash git clone https://github.com/volatilityfoundation/volatility.git cd volatility python setup.py install ``` -------------------------------- ### Fpicker: Installation and Setup (Bash) Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md Commands to clone the Fpicker repository, download the Frida core devkit, compile Fpicker, and install Radamsa. This prepares the environment for using the Fpicker fuzzing suite. ```bash # Get fpicker git clone https://github.com/ttdennis/fpicker cd fpicker # Get Frida core devkit and prepare fpicker wget https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-[yourOS]-[yourarchitecture].tar.xz # e.g. https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-macos-arm64.tar.xz tar -xf ./*tar.xz cp libfrida-core.a libfrida-core-[yourOS].a #libfrida-core-macos.a # Install fpicker make fpicker-[yourOS] # fpicker-macos # This generates ./fpicker # Install radamsa (fuzzer generator) brew install radamsa ``` -------------------------------- ### Mythic Installation Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/windows-hardening/mythic.md Common bootstrap commands to install and start Mythic. ```bash sudo make sudo ./mythic-cli start ``` -------------------------------- ### Auto-Frida Quick Start Installation Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md Provides the commands to clone, install dependencies, and run the Auto-Frida tool for automated Android security bypass. ```bash git clone https://github.com/ommirkute/Auto-Frida.git cd Auto-Frida pip install -r requirements.txt python auto_frida.py ``` -------------------------------- ### Install Compiled Folder Action Script for GUI Setup Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/macos-hardening/macos-auto-start-locations.md Create the standard directory for Folder Action scripts and move the compiled .scpt file into it, making it available for selection in the Folder Actions Setup application. ```bash mkdir -p "$HOME/Library/Scripts/Folder Action Scripts" mv /tmp/folder.scpt "$HOME/Library/Scripts/Folder Action Scripts" ``` -------------------------------- ### Initialize a new Cordova project Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/mobile-pentesting/cordova-apps.md Installs the Cordova CLI globally, creates a new project with a specified package name and display name, and changes the directory. Use this to start a new Cordova application. ```bash npm install -g cordova@latest cordova create bank-new com.android.bank Bank cd bank-new ``` -------------------------------- ### Setup frida-ipa-extract Environment (Bash) Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md Initialize a Python virtual environment and install the necessary dependencies for the 'frida-ipa-extract' tool. ```bash python3 -m venv .venv source .venv/bin/activate pip install -r requirements.txt ``` -------------------------------- ### GDB Installation and Basic Parameters Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/README.md Install GDB and configure startup options for attaching to processes and executing initialization scripts. ```bash apt-get install gdb ``` ```bash -q # No show banner -x # Auto-execute GDB instructions from here -p # Attach to process ``` -------------------------------- ### Fat GET request example Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/pentesting-web/cache-deception/cache-poisoning-to-dos.md Example of a GET request with a body that results in a 403 Forbidden, potentially poisoning the cache for the clean GET key. ```http GET /index.html HTTP/2 Host: redacted.com Content-Length: 3 xyz HTTP/2 403 Forbidden X-Cache: hit ``` -------------------------------- ### Linux Android SDK and AVD Quickstart Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md This comprehensive script sets up the Android command-line tools, installs core SDK components, creates an AVD, and runs it with a writable system image, concluding with a root verification check. ```bash # Directory layout mkdir -p ~/Android/cmdline-tools/latest # Download commandline tools (Linux) wget https://dl.google.com/android/repository/commandlinetools-linux-13114758_latest.zip -O /tmp/cmdline-tools.zip unzip /tmp/cmdline-tools.zip -d ~/Android/cmdline-tools/latest rm /tmp/cmdline-tools.zip # Env vars (add to ~/.bashrc or ~/.zshrc) export ANDROID_HOME=$HOME/Android export PATH=$ANDROID_HOME/cmdline-tools/latest/bin:$ANDROID_HOME/platform-tools:$ANDROID_HOME/emulator:$PATH # Install core SDK components sdkmanager --install "platform-tools" "emulator" # Install a debuggable x86_64 system image (Android 11 / API 30) sdkmanager --install "system-images;android-30;google_apis;x86_64" # Create an AVD and run it with a writable /system & snapshot name avdmanager create avd -n PixelRootX86 -k "system-images;android-30;google_apis;x86_64" -d "pixel" emulator -avd PixelRootX86 -writable-system -snapshot PixelRootX86_snap # Verify root (debuggable images allow `adb root`) adb root adb shell whoami # expect: root ``` -------------------------------- ### Install Agent from MythicAgents Organization Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/windows-hardening/mythic.md Commands to install an agent from the MythicAgents GitHub organization, including an example for Apollo. ```bash sudo ./mythic-cli install github https://github.com/MythicAgents/ sudo ./mythic-cli install github https://github.com/MythicAgents/Apollo.git sudo -E ./mythic-cli install github https://github.com/MythicAgents/Apollo.git ``` -------------------------------- ### ngrok Installation and Configuration Init Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-hacking/tunneling-and-port-forwarding.md Steps to download, extract, set permissions, and initialize ngrok with your authentication token. ```bash tar xvzf ~/Downloads/ngrok-v3-stable-linux-amd64.tgz -C /usr/local/bin chmod a+x ./ngrok # Init configuration, with your token ./ngrok config edit ``` -------------------------------- ### SELinux Context in Containers Example (Podman) Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/linux-hardening/privilege-escalation/selinux.md This example demonstrates how to run a container with Podman and then inspect its SELinux label, showing the typical `container_t` domain and `container_file_t` for content. ```shell $ podman run -d fedora sleep 100 d4194babf6b877c7100e79de92cd6717166f7302113018686cea650ea40bd7cb $ podman top -l label LABEL system_u:system_r:container_t:s0:c647,c780 ``` -------------------------------- ### Start Simple HTTP Servers in Bash Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/linux-hardening/useful-linux-commands.md Commands to quickly set up basic HTTP servers using Python, Ruby, and PHP for serving files from the current directory. ```bash python -m SimpleHTTPServer 80 ``` ```bash python3 -m http.server ``` ```bash ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start" ``` ```bash php -S $ip:80 ``` -------------------------------- ### Install C2 Profile from MythicC2Profiles Organization Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/windows-hardening/mythic.md Commands to download and install a C2 profile from the MythicC2Profiles GitHub organization, including an example for http. ```bash sudo ./mythic-cli install github https://github.com/MythicC2Profiles/ sudo ./mythic-cli install github https://github.com/MythicC2Profiles/http ``` -------------------------------- ### Install Volatility2 (Method 1) Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md This method instructs users to download the Volatility2 executable directly from the official website. No command-line installation is involved. ```text Download the executable from https://www.volatilityfoundation.org/26 ``` -------------------------------- ### Install and Run sshesame SSH Honeypot Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/windows-hardening/active-directory-methodology/lansweeper-security.md These commands install sshesame on a Debian-based system and then run it using a specified configuration file to start the SSH honeypot. ```bash # Install and run sudo apt install -y sshesame sshesame --config sshesame.conf # Expect client banner similar to RebexSSH and cleartext creds # authentication for user "svc_inventory_lnx" with password "" accepted # connection with client version "SSH-2.0-RebexSSH_5.0.x" established ``` -------------------------------- ### Install QEMU emulation tools for multiple architectures Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/hardware-physical-access/firmware-analysis/README.md Install QEMU user-mode and system emulators to support ARM, MIPS, x86, and other architectures for firmware analysis. ```bash sudo apt-get install qemu qemu-user qemu-user-static qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils ``` -------------------------------- ### Install and Run SPOSE with uv Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/network-services-pentesting/3128-pentesting-squid.md Shows how to install SPOSE dependencies using `uv` and then execute SPOSE to scan all TCP ports on localhost via a Squid proxy. ```bash uv add --script spose.py -r requirements.txt uv run spose.py --proxy http://SQUID_IP:3128 --target localhost --allports ``` -------------------------------- ### Unattended XML Configuration Example Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/windows-hardening/windows-local-privilege-escalation/README.md Example of an unattended installation XML file containing AutoLogon credentials and user account information ```xml U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo== true Administrateur *SENSITIVE*DATA*DELETED* administrators;users Administrateur ``` -------------------------------- ### Create and Prepare Writable cgroup v1 (Bash) Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/linux-hardening/privilege-escalation/container-security/protections/cgroups.md Initial steps to set up a writable cgroup v1 hierarchy, including mounting the cgroup filesystem and enabling `notify_on_release`. ```bash mkdir /tmp/cgrp mount -t cgroup -o rdma cgroup /tmp/cgrp # or memory if available in v1 mkdir /tmp/cgrp/x echo 1 > /tmp/cgrp/x/notify_on_release ``` -------------------------------- ### usbrip Examples Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md Examples of using `usbrip` to get USB event history, search by PID, VID, or user, and search the USB ID database. ```bash usbrip events history #Get USB history of your curent linux machine usbrip events history --pid 0002 --vid 0e0f --user kali #Search by pid OR vid OR user #Search for vid and/or pid usbrip ids download #Downlaod database usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid ``` -------------------------------- ### Configure VLAN Interface with DHCP using vconfig Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-methodologies-and-resources/pentesting-network/README.md This example demonstrates how to load the 8021q module, add a VLAN interface, and obtain an IP address via DHCP for a specific VLAN. It then shows how to verify the configuration and scan for hosts. ```bash root@kali:~# modprobe 8021q root@kali:~# vconfig add eth1 250 Added VLAN with VID == 250 to IF -:eth1:- root@kali:~# dhclient eth1.250 Reloading /etc/samba/smb.conf: smbd only. root@kali:~# ifconfig eth1.250 eth1.250 Link encap:Ethernet HWaddr 00:0e:c6:f0:29:65 inet addr:10.121.5.86 Bcast:10.121.5.255 Mask:255.255.255.0 inet6 addr: fe80::20e:c6ff:fef0:2965/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:19 errors:0 dropped:0 overruns:0 frame:0 TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:2206 (2.1 KiB) TX bytes:1654 (1.6 KiB) root@kali:~# arp-scan -I eth1.250 10.121.5.0/24 ``` -------------------------------- ### Sysinternals PsExec.exe Examples Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/windows-hardening/lateral-movement/psexec-and-winexec.md Examples of using PsExec64.exe to get an interactive SYSTEM shell, run a command as a specific domain user, or customize the service name for OPSEC. ```cmd :: Interactive SYSTEM shell on remote host PsExec64.exe -accepteula \\HOST -s -i cmd.exe :: Run a command as a specific domain user PsExec64.exe -accepteula \\HOST -u DOMAIN\user -p 'Passw0rd!' cmd.exe /c whoami /all :: Customize the service name for OPSEC (-r) PsExec64.exe -accepteula \\HOST -r WinSvc$ -s cmd.exe /c ipconfig ``` -------------------------------- ### Path normalization / static-rule confusion example Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/pentesting-web/cache-deception/cache-poisoning-to-dos.md Example of a GET request with a normalized path that results in a 404 Not Found, indicating a potential cache confusion. ```http GET /api/v1%2e1/user HTTP/1.1 Host: redacted.com HTTP/1.1 404 Not Found X-Cache: miss Not Found ``` -------------------------------- ### RegPwn Example Usage Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/windows-hardening/windows-local-privilege-escalation/README.md Examples of using 'regpwn' to overwrite service configuration values for privilege escalation, followed by starting the modified service. ```bash beacon> regpwn C:\payload.exe SYSTEM\CurrentControlSet\Services\msiserver ImagePath beacon> regpwn C:\evil.dll SYSTEM\CurrentControlSet\Services\SomeService\Parameters ServiceDll net start msiserver ``` -------------------------------- ### SELinux Context Format Examples Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/linux-hardening/privilege-escalation/selinux.md Illustrates the typical structure of SELinux contexts, showing user, role, type, and level components for different entities. ```text user:role:type:level system_u:system_r:httpd_t:s0 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ``` -------------------------------- ### Use punch-q command Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/network-services-pentesting/1414-pentesting-ibmmq.md Example of how to invoke the punch-q tool after installation. ```bash punch-q ``` -------------------------------- ### Example manifest.json with Embedded Public Key Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/pentesting-web/browser-extension-pentesting-methodology/forced-extension-load-preferences-mac-forgery-windows.md Example manifest.json snippet demonstrating how to include the generated public key to ensure a deterministic extension ID. This prevents the ID from being derived from the installation path. ```json { "manifest_version": 3, "name": "Synacktiv extension", "version": "1.0", "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2lMCg6..." } ``` -------------------------------- ### StartupParameters.plist Configuration Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/macos-hardening/macos-auto-start-locations.md XML plist file that defines startup service configuration including description, execution order, and service names. Must be named StartupParameters.plist and placed in a StartupItem directory under /Library/StartupItems/ or /System/Library/StartupItems/. ```xml Description This is a description of this service OrderPreference None Provides superservicename ``` -------------------------------- ### Install and Start Vulnerable Kernel Driver Service Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/windows-hardening/av-bypass.md Register a signed vulnerable driver as a kernel service and start it to expose device object for IOCTL exploitation. The driver must be present at the specified path. ```powershell sc create ServiceMouse type= kernel binPath= "C:\Windows\System32\drivers\ServiceMouse.sys" sc start ServiceMouse ``` -------------------------------- ### Executing Commands with expect:// Wrapper Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/pentesting-web/file-inclusion/README.md Examples of using the expect:// wrapper to execute system commands directly via URL parameters. Requires expect extension to be activated. ```URL http://example.com/index.php?page=expect://id ``` ```URL http://example.com/index.php?page=expect://ls ``` -------------------------------- ### Starting Exported Activity via ADB Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/mobile-pentesting/android-app-pentesting/README.md Command to invoke an exported activity from an external app using adb shell. Example shows starting MainActivity from com.example.demo package. ```bash adb shell am start -n com.example.demo/com.example.test.MainActivity ``` -------------------------------- ### Install and analyze with pyrit Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-methodologies-and-resources/pentesting-wifi/README.md Commands to install pyrit and analyze a .cap file for handshakes. ```bash apt-get install pyrit #Not working for newer versions of kali pyrit -r psk-01.cap analyze ``` -------------------------------- ### Install and Configure Let's Encrypt TLS Certificate Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-methodologies-and-resources/phishing-methodology/README.md Download and install Certbot, then generate a TLS certificate for the domain that will be used by Gophish. The domain must already be registered and pointing to the VPS IP address. ```bash DOMAIN="" wget https://dl.eff.org/certbot-auto chmod +x certbot-auto sudo apt install snapd sudo snap install core sudo snap refresh core sudo apt-get remove certbot sudo snap install --classic certbot sudo ln -s /snap/bin/certbot /usr/bin/certbot certbot certonly --standalone -d "$DOMAIN" mkdir /opt/gophish/ssl_keys cp "/etc/letsencrypt/live/$DOMAIN/privkey.pem" /opt/gophish/ssl_keys/key.pem cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" /opt/gophish/ssl_keys/key.crt​ ``` -------------------------------- ### Start TFTP server in Python (ptftpd) Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-hacking/exfiltration.md Commands to install and run a Python-based TFTP server. ```bash pip install ptftpd ptftpd -p 69 tap0 . # ptftp -p ``` -------------------------------- ### PAM Configuration for Login Service Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md Example PAM configuration file showing typical module stack for the login service. Demonstrates the order of auth, account, password, and session modules with their respective control flags and parameters. ```conf auth required /lib/security/pam_securetty.so auth required /lib/security/pam_nologin.so auth sufficient /lib/security/pam_ldap.so auth required /lib/security/pam_unix_auth.so try_first_pass account sufficient /lib/security/pam_ldap.so account required /lib/security/pam_unix_acct.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_ldap.so password required /lib/security/pam_pwdb.so use_first_pass session required /lib/security/pam_unix_session.so ``` -------------------------------- ### Get GPO Applied to an Organizational Unit Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/windows-hardening/basic-powershell-for-pentesters/powerview.md Retrieves the GPO associated with a specific OU using its GUID. ```PowerShell Get-NetGPO -GPOName '{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}' ``` -------------------------------- ### Configure and Start Gophish Service Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-methodologies-and-resources/phishing-methodology/README.md Set up logging directory, make the service script executable, register it with the system, and verify that Gophish is running on ports 3333 (admin) and 443 (phishing). ```bash mkdir /var/log/gophish chmod +x /etc/init.d/gophish update-rc.d gophish defaults #Check the service service gophish start service gophish status ss -l | grep "3333\|443" service gophish stop ``` -------------------------------- ### Install APK and Launch Application Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/network-services-pentesting/5555-android-debug-bridge.md Installs an Android application package (APK) with automatic runtime permission grants and then launches the application using the 'monkey' command. ```bash adb install -r -g payload.apk # -g grants all runtime perms declared in manifest adb shell monkey -p -c android.intent.category.LAUNCHER 1 ``` -------------------------------- ### Rack::Static LFI encoded path traversal examples Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/network-services-pentesting/pentesting-web/ruby-tricks.md Example GET requests demonstrating encoded path traversal attacks against Rack::Static with misconfigured :root. Uses %2e%2e encoding to bypass basic traversal filters. ```text GET /assets/%2e%2e/%2e%2e/config/database.yml ``` ```text GET /favicon.ico/..%2f..%2f.env ``` -------------------------------- ### Gophish Init.d Service Script Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-methodologies-and-resources/phishing-methodology/README.md Create a systemd init.d service script at /etc/init.d/gophish to manage Gophish startup, shutdown, and status checking. Requires executable permissions and registration with update-rc.d. ```bash #!/bin/bash # /etc/init.d/gophish # initialization file for stop/start of gophish application server # # chkconfig: - 64 36 # description: stops/starts gophish application server # processname:gophish # config:/opt/gophish/config.json # From https://github.com/gophish/gophish/issues/586 # define script variables processName=Gophish process=gophish appDirectory=/opt/gophish logfile=/var/log/gophish/gophish.log errfile=/var/log/gophish/gophish.error start() { echo 'Starting '${processName}'...' cd ${appDirectory} nohup ./$process >>$logfile 2>>$errfile & sleep 1 } stop() { echo 'Stopping '${processName}'...' pid=$(/bin/pidof ${process}) kill ${pid} sleep 1 } status() { pid=$(/bin/pidof ${process}) if [["$pid" != ""| "$pid" != "" ]]; then echo ${processName}' is running...' else echo ${processName}' is not running...' fi } case $1 in start|stop|status) "$1" ;; esac ``` -------------------------------- ### Install FISSURE from GitHub Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/todo/radio-hacking/fissure-the-rf-framework.md Clone the FISSURE repository, select a branch, update submodules, and run the installation script. This will install necessary PyQt dependencies and other components. ```bash git clone https://github.com/ainfosec/FISSURE.git cd FISSURE git checkout or or git submodule update --init ./install ``` -------------------------------- ### Run Xplico Framework Services Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md Commands to restart Apache2 and start the Xplico service after installation, making the web interface accessible. ```bash /etc/init.d/apache2 restart /etc/init.d/xplico start ``` -------------------------------- ### CouchDB Database List Response Example Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/network-services-pentesting/5984-pentesting-couchdb.md Example response showing a list of available databases when sufficient privileges are granted. ```bash ["_global_changes","_metadata","_replicator","_users","passwords","simpsons"] ``` -------------------------------- ### reGeorg SOCKS Proxy Setup Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-hacking/tunneling-and-port-forwarding.md Start a reGeorg SOCKS proxy server using a previously uploaded web file tunnel. ```bash python reGeorgSocksProxy.py -p 8080 -u http://upload.sensepost.net:8080/tunnel/tunnel.jsp ``` -------------------------------- ### Example Tomcat User Configuration (tomcat-users.xml) Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/network-services-pentesting/pentesting-web/tomcat/README.md Illustrates the structure of the 'tomcat-users.xml' file, showing how user roles like 'manager-gui' and associated credentials are defined for Tomcat manager access. ```xml [...] [...] ``` -------------------------------- ### Suricata Rule Definition Example Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.md Example HTTP rule that alerts on GET requests containing 'rule' in the URI. Demonstrates rule structure with action, header, and rule options including flow state, HTTP method, content matching, and metadata. ```bash alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP GET Request Containing Rule in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"rule"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;) ``` -------------------------------- ### Example Usage of NFShell (Bash) Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md Demonstrates how to use the NFShell script to list directory contents on an NFS mount, respecting file UIDs for stealthy access. ```bash # ll ./mount/ drwxr-x--- 6 1008 1009 1024 Apr 5 2017 9.3_old ``` -------------------------------- ### SharpMove Service Modification and Execution Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/windows-hardening/lateral-movement/psexec-and-winexec.md Example commands using SharpMove to modify/create a service and execute a command remotely, then start the service. ```cmd SharpMove.exe action=modsvc computername=remote.host.local command="C:\windows\temp\payload.exe" amsi=true servicename=TestService SharpMove.exe action=startservice computername=remote.host.local servicename=TestService ``` -------------------------------- ### Boot Emulator from Specific Snapshot Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md This command starts an Android emulator, specifying an AVD and a previously saved snapshot to boot from, while also enabling a writable system. ```bash emulator -avd PixelRootX86 -writable-system -snapshot my_clean_setup ``` -------------------------------- ### Snyk Quick Start Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/network-services-pentesting/pentesting-web/code-review-tools.md Commands to install, authenticate, and test with Snyk for various vulnerability types. ```bash # Install sudo npm install -g snyk # Authenticate (you can use a free account) snyk auth # Test for open source vulns & license issues snyk test [--all-projects] # Test for code vulnerabilities ## This will upload your code and you need to enable this option in: Settings > Snyk Code snyk test code # Test for vulns in images snyk container test [image] # Test for IaC vulns snyk iac test ``` -------------------------------- ### Create xbar Plugin Script Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/macos-hardening/macos-auto-start-locations.md If xbar is installed, placing an executable script in its plugins directory will cause xbar to execute it when the application starts. ```bash cat > "$HOME/Library/Application Support/xbar/plugins/a.sh" << EOF #!/bin/bash touch /tmp/xbar EOF chmod +x "$HOME/Library/Application Support/xbar/plugins/a.sh" ``` -------------------------------- ### Prepare and Start hostapd Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-methodologies-and-resources/pentesting-wifi/README.md Commands to kill conflicting processes, set monitor mode, and start the hostapd service. ```bash airmon-ng check kill iwconfig wlan0 mode monitor ifconfig wlan0 up hostapd ./hostapd.conf ``` -------------------------------- ### Create Electron Renderer Process Window Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md Demonstrates how to create a new Electron BrowserWindow instance and load a local HTML file, which acts as a renderer process. ```javascript const { BrowserWindow } = require("electron") let win = new BrowserWindow() //Open Renderer Process win.loadURL(`file://path/to/index.html`) ``` -------------------------------- ### Setting up DNS Spoofing with Dnsmasq Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-methodologies-and-resources/pentesting-network/README.md Steps to install and configure dnsmasq to act as a custom DNS server for spoofing, including testing the setup. ```bash apt-get install dnsmasq ``` ```bash echo "addn-hosts=dnsmasq.hosts" > dnsmasq.conf ``` ```bash echo "127.0.0.1 domain.example.com" > dnsmasq.hosts ``` ```bash sudo dnsmasq -C dnsmasq.conf --no-daemon ``` ```bash dig @localhost domain.example.com # Test the configured DNS ``` -------------------------------- ### Get latest XProtect update information Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md Retrieve system profiler data to display the most recent XProtect security definition updates installed on the Mac. ```bash system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistConfigData" | tail -n 5 ``` -------------------------------- ### Service file with backdoor execution Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/linux-hardening/privilege-escalation/README.md Example of modifying a writable .service file to execute a backdoor script on service start, restart, or stop events. ```bash ExecStart=/tmp/script.sh ``` -------------------------------- ### Suricata Service Startup and Execution Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.md Start Suricata service and run it with specific configuration and network interface. Add custom rules to /etc/suricata/rules/suricata.rules before starting. ```bash # Run ## Add rules in /etc/suricata/rules/suricata.rules systemctl suricata start suricata -c /etc/suricata/suricata.yaml -i eth0 ``` -------------------------------- ### SNMPv3 Secure Configuration Example Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/network-services-pentesting/pentesting-snmp/cisco-snmp.md Configuration snippet demonstrating secure SNMPv3 setup with authPriv using SHA-256 and AES-256 encryption ```cisco-ios snmp-server group SECURE v3 priv snmp-server user monitor SECURE v3 auth sha priv aes 256 ``` -------------------------------- ### Generate and Install krb5.conf using NetExec Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/network-services-pentesting/pentesting-kerberos-88/README.md This snippet demonstrates how to generate a valid krb5.conf file for the target realm/domain using netexec and then install it to /etc/krb5.conf. ```bash # Generate krb5.conf and install it netexec smb -u -p '' -k --generate-krb5-file krb5.conf sudo cp krb5.conf /etc/krb5.conf ``` -------------------------------- ### Install MCP SDK and CLI Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/AI/AI-MCP-Servers.md Install the official MCP Python SDK and command-line tools required to build and test MCP servers. ```bash pip3 install mcp "mcp[cli]" mcp version # verify installation ``` -------------------------------- ### Server-side Fragment Smuggling Request (HTTP) Source: https://github.com/hacktricks-wiki/hacktricks/blob/master/src/pentesting-web/open-redirect.md Example HTTP GET request demonstrating how a server-side URL parser ignoring fragments can be exploited for open redirects. ```http GET /user/auth-tokens/rotate?redirectTo=/%23/..//\//attacker.com HTTP/1.1 ```