Learn to hack
This page aims to compile high quality resources for hackers for both the experienced and inexperienced.
All books listed on this page can be found on Library Genesis (https://libgen.fun/, mirror: https://libgen.lc).
Make sure that you follow good OPSEC when carrying out your operations! See OPSEC (https://enlacehacktivista.org/index.php?title=Learn_to_hack#Operational_security).
Contents
General Resources
General references
Recommended Reading - The Library
Operational security
Recommended Measures
Secure Messaging
Recommended Applications
Initial Access
Common Initial Access TTPs
Attacking Common Services
Scanning and Recon
Search Engines
OSINT
Persistence
Post exploitation
Windows
Linux
Exfiltration
Destruction
Hacking Misc
Web Application Hacking
API Hacking
IoT Hacking
Hacking The Cloud
Reverse Engineering
Product-specific Hacking
Google Workspace
VMware
Rocket.Chat
Microsoft Exchange
1 of 7 3/16/24, 07:43
Learn to hack - Enlace Hacktivista https://www.enlacehacktivista.org/index.php/Learn_to_hack
General Resources
Resources that assume little to no background knowledge:
▪ https://www.hoppersroppers.org/training.html
▪ https://tryhackme.com/
▪ https://github.com/jhaddix/tbhm
▪ Application Analysis: https://youtu.be/FqnSAa2KmBI
▪ The Bug Hunter's Methodology v4.0: https://youtu.be/p4JgIu1mceI?si=jXcYksd4UqodZDBF
Practice labs:
▪ https://www.hackthebox.com
▪ https://academy.hackthebox.com
▪ https://www.pentesteracademy.com
▪ https://lab.pentestit.ru
▪ https://overthewire.org/wargames
▪ https://www.vulnhub.com/
Appsec:
▪ https://github.com/paragonie/awesome-appsec
▪ https://github.com/vxunderground/MalwareSourceCode
▪ https://github.com/ytisf/theZoo/tree/master/malware
General references
Operational security
Operational security (OPSEC) is crucial for protecting oneself from surveillance and maintaining
anonymity while conducting hacktivist operations.
Recommended Measures
Any illegal hacktivity should be done from an encrypted and separate computer or virtual machine, with all traffic routed over Tor. Enforce the Tor routing at the machine's network boundary rather than per application, so that a misconfigured tool cannot leak your real address.
For more information on recommended operational security measures, see Opsec Measures
Secure Messaging
Best practice for secure messaging includes proxying connections over Tor and using end-to-end
encryption for messages.
Recommended Applications
For Jabber/XMPP, make sure to enable OTR or OMEMO encryption; prefer OMEMO, since OTR only works while both parties are online and does not cover multiple devices. For e-mail use PGP for encryption. For file sharing use OnionShare.
Initial Access
There are many ways to gain initial access (https://attack.mitre.org/tactics/TA0001/) into a target's network: phishing, buying credential access, buying infected machines in corporate networks, password spraying, performing a targeted penetration test (https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets), and spray-and-pray scanning for vulnerabilities. Here we list some resources in these regards.
For more information on gaining a foothold, see Initial Access Tactics, techniques and procedures
Your targets will likely expose many services, externally or internally: SSH, RDP, SMB, etc. It is important to know their common misconfigurations, their attack vectors and attack surface, and how to attack each protocol, since any of them may serve as the initial access vector. Here we cover tools, techniques, common misconfigurations, tips and tricks, for both internal and external (publicly accessible) networks.
For scanning and recon (https://attack.mitre.org/tactics/TA0043) tools, see Scanning and Recon. Make
sure to make use of your tool's documentation and read the help menu (-hh/-h/--help).
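As an added illustration for the paragraphs above (example code written for this edit, not a tool from the wiki or from any project linked here), the script below parses nmap's grepable output (-oG), which is the cheapest way to get the per-host service list the text refers to, and attaches to every open port the first misconfiguration check a tester would run against that service. The scan output is constructed for the example, and the service-to-check table is a hypothetical starting playbook, not an nmap feature.

```python
"""Triage nmap grepable output (-oG): list every open port and attach the
first misconfiguration check to run against that service.

Added example for this page, not part of the wiki. FIRST_CHECKS is a
hypothetical starting playbook keyed by nmap's service names.
"""
import re

# Constructed sample of `nmap -sV -oG scan.gnmap 10.0.0.0/29` output (no real hosts).
SAMPLE_GNMAP = """# Nmap 7.93 scan initiated Sat Mar 16 07:43:00 2024 as: nmap -sV -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.5 (dc01.corp.example)\tStatus: Up
Host: 10.0.0.5 (dc01.corp.example)\tPorts: 88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (997)
Host: 10.0.0.6 (web01.corp.example)\tStatus: Up
Host: 10.0.0.6 (web01.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//nginx 1.18.0/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
# Nmap done at Sat Mar 16 07:44:10 2024 -- 8 IP addresses (2 hosts up) scanned in 70.12 seconds
"""

# Hypothetical "first thing to check" per nmap service name (assumption, not from the page).
FIRST_CHECKS = {
    "ssh": "is password authentication enabled (spraying surface)? is the banner an outdated version?",
    "microsoft-ds": "is SMB signing required (if not: NTLM relay)? do null/guest sessions list shares?",
    "ms-wbt-server": "is Network Level Authentication required? does the RDP certificate leak the internal hostname?",
    "kerberos-sec": "domain controller: enumerate users, look for accounts without pre-auth (AS-REP roasting)",
    "http": "fingerprint the application and version, then enumerate directories and virtual hosts",
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """Yield (ip, hostname, port, state, proto, service, version) for each port entry."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # "Status: Up" lines carry no port data
        for entry in ports_field[len("Ports:"):].split(", "):
            entry = entry.strip()
            if not entry:
                continue
            # Grepable port entry: port/state/protocol/owner/service/rpc info/version/
            parts = entry.split("/")
            port, state, proto, _owner, service, _rpc, version = (parts + [""] * 7)[:7]
            yield ip, hostname, int(port), state, proto, service, version


def triage(text):
    """Return the open ports, in scan order, each with the first check to run."""
    hits = []
    for ip, hostname, port, state, proto, service, version in parse_gnmap(text):
        if state != "open":
            continue  # closed/filtered ports are not attack surface yet
        hits.append({
            "host": ip, "name": hostname, "port": port, "proto": proto,
            "service": service, "version": version,
            "check": FIRST_CHECKS.get(
                service, "identify the service manually and look up its default-configuration weaknesses"),
        })
    return hits


def by_host(hits):
    """Group open ports per host for a quick attack-surface summary."""
    summary = {}
    for h in hits:
        summary.setdefault(h["host"], []).append(h["port"])
    return summary


if __name__ == "__main__":
    for h in triage(SAMPLE_GNMAP):
        print(f'{h["host"]:<10} {h["port"]:>5}/{h["proto"]} {h["service"]:<15} {h["version"] or "-"}')
        print(f'           -> {h["check"]}')
```

Run it against a real file with `triage(open("scan.gnmap").read())`; nmap escapes any "/" inside version strings as "|", so the seven-field split is safe, and the filtered MySQL port in the sample is deliberately dropped because it is not reachable attack surface.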
Search Engines
Search engines are a useful tool for gathering information and intelligence from publicly available
sources. Some are paid and some are free. Make sure to operate good OPSEC whenever placing a
purchase for any service that will be used in your recon on a target.
For more information on recommended search engines, see Search Engines Resources
OSINT
Open-source intelligence (OSINT) refers to the collection and analysis of information from publicly
available sources.
For more information on recommended tools and resources, see OSINT Tools and Resources
Persistence
Once you've found a weakness in your target's infrastructure and have been able to gain initial access (https://enlacehacktivista.org/index.php?title=Initial_Access_Tactics,_techniques_and_procedures), you'll want to keep it and avoid detection, so as to maintain access to your target's network for as long as possible.
See Persistence.
Post exploitation
Windows
For Windows post exploitation, Active Directory and network hacking, lateral movement techniques, privilege escalation, and defensive and offensive techniques:
Linux
For performing Linux post exploitation, gaining persistence, evading detection, privilege escalation and
more:
Exfiltration
One of the main objectives of a hacktivist is exfiltrating data and company secrets; if your motivation is revealing corruption, this step is the most important one.
See Data Exfiltration for techniques and methods for exfiltrating data out of your targets network.
Destruction
There may be times during a hacktivist operation when you reach the end of your hack: you have fully compromised your target, exfiltrated everything you can or want, and now, before finally leaving the network and leaking all the target's secrets online, you want to cause chaos and destruction. Guacamaya (https://kolektiva.media/w/twJjCTkvumnugRy61BjD3T) did this by running sdelete64.exe -accepteula -r -s C:\* (Sysinternals SDelete; -r removes the read-only attribute, -s recurses into subdirectories) to wipe systems attached to Pronico's domain. You might want to do the same to Linux and Windows systems in your operations, recursively write a text file with your manifesto across a system or network, encrypt files beyond recovery, or just delete everything.
Hacking Misc
API Hacking
Application Programming Interfaces (APIs) are the plumbing of today's financial services and FinTech infrastructure, enabling FinTechs to embed banking into their apps and banks to offer a more unified experience to customers who demand more from their bank (Knight, https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf). APIs can be exploited (https://owasp.org/www-project-api-security) to aid data exfiltration and to take advantage of an existing service.
IoT Hacking
▪ https://github.com/V33RU/IoTSecurity101
Hacking The Cloud
More and more corporate networks are moving from on-prem to the cloud. Learning how to hack your target's cloud infrastructure (https://hackingthe.cloud) is a valuable skill, and as time progresses more and more networks will migrate to the cloud.
Reverse Engineering
Product-specific Hacking
Google Workspace
https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite
VMware
▪ Exploiting vCenter to add a vSphere user: https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md
▪ VMware Workspace ONE Access and Identity Manager RCE via SSTI, CVE-2022-22954 (https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis): unauthenticated server-side template injection. Mass exploit PoC: https://github.com/tunelko/CVE-2022-22954-PoC
Rocket.Chat
▪ Account hijacking and RCE as admin: https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy (archived: https://web.archive.org/web/20210805092939/https://edbrsk.dev/content/real-cases/how-I-compromised-300-stores-and-a-spanish-consultancy)
Microsoft Exchange
ProxyLogon is dead: Microsoft Defender mitigates it automatically. ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) is not mitigated that way, but it was fixed in the April and May 2021 Exchange security updates, so it only works against servers that never received them. AMSI catches unmodified public exploits.
▪ ProxyShell: https://github.com/dmaasland/proxyshell-poc
▪ Improved proxyshell-poc: https://github.com/horizon3ai/proxyshell
▪ ProxyShell (webshell via New-MailboxExportRequest): https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md
▪ ProxyShell (webshell via New-ExchangeCertificate): https://gist.github.com/dmaasland/0720891aaf6dec8d3b42a5b92c8d6f94
▪ Polymorphic webshells: https://github.com/grCod/poly
▪ ProxyShell (no webshell, dump mailboxes via PowerShell): https://github.com/Jumbo-WJB/Exchange_SSRF
▪ ProxyLogon, ProxyShell, ProxyOracle and ProxyToken full chain exploit tool: https://github.com/FDlucifer/Proxy-Attackchain
▪ Automatic ProxyShell exploit: https://github.com/Udyz/proxyshell-auto
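On the detection side of the note above, here is an added example (written for this edit, not code from the wiki or from any of the PoCs listed) that hunts IIS W3C logs for the Autodiscover path-confusion URL shape the public ProxyShell exploits send: a request to /autodiscover/autodiscover.json whose query string starts with "@" and carries Email=autodiscover/autodiscover.json, reaching /mapi/nspi or the /powershell backend with an X-Rps-CAT token. The log lines are constructed for the example and the client addresses are documentation ranges.

```python
"""Hunt IIS W3C logs for ProxyShell-style Autodiscover path-confusion requests.

Added defensive example for this page; not from the wiki or any linked PoC.
The sample log below is constructed (documentation addresses, fake token).
"""
from urllib.parse import unquote

SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-12 10:01:03 10.0.0.5 GET /owa/ - 443 - 10.0.0.23 Mozilla/5.0 - 200 0 0 15
2021-08-12 10:01:07 10.0.0.5 GET /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 120
2021-08-12 10:01:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBAEEA&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 340
2021-08-12 10:02:00 10.0.0.5 POST /autodiscover/autodiscover.json Email=jsmith@corp.example&Protocol=ActiveSync 443 - 10.0.0.40 Outlook/16.0 - 200 0 0 40
"""


def parse_iis(text):
    """Yield one dict per request line, using the file's own #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        tokens = line.split()  # IIS replaces spaces inside values with '+'
        if fields is None or len(tokens) != len(fields):
            continue  # header missing or malformed line
        yield dict(zip(fields, tokens))


def proxyshell_indicators(stem, query):
    """Return the ProxyShell indicators seen in one request ([] if none)."""
    if "/autodiscover/autodiscover.json" not in stem.lower():
        return []
    q = unquote(query).lower()  # the PoCs send %3F for the inner '?'
    reasons = []
    if q.startswith("@"):
        reasons.append("query begins with '@' (path-confusion prefix)")
    if "email=autodiscover/autodiscover.json" in q:
        reasons.append("Email parameter points back at autodiscover.json")
    if "/mapi/nspi" in q:
        reasons.append("MAPI NSPI endpoint reached via Autodiscover (SID lookup stage)")
    if "/powershell" in q and "x-rps-cat=" in q:
        reasons.append("Exchange PowerShell backend reached with an X-Rps-CAT token")
    return reasons


def hunt(text):
    """Return every suspicious request with its time, client IP, method and reasons."""
    hits = []
    for rec in parse_iis(text):
        reasons = proxyshell_indicators(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", ""))
        if reasons:
            hits.append({
                "when": f'{rec["date"]} {rec["time"]}',
                "c-ip": rec["c-ip"],
                "method": rec["cs-method"],
                "status": rec["sc-status"],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_IIS_LOG):
        print(h["when"], h["c-ip"], h["method"], h["status"])
        for r in h["reasons"]:
            print("   -", r)
```

Point it at the real files with `hunt(open(path, encoding="utf-8", errors="replace").read())` for each file under the Exchange front-end IIS log directory. A legitimate Autodiscover JSON request (last sample line) hits the same stem but never starts its query with "@", which is why the stem alone is not treated as an indicator.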