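├── requirements.txt
├── setup.sh
├── .gitignore
├── extractpdfs.py
└── README.md
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
# NOTE(review): both requirements are unpinned, so every install pulls whatever
# is newest on PyPI. Pin exact versions (pkg==x.y.z) or use pip's hash-checking
# mode so the install is reproducible and reviewable.
# NOTE(review): PyPDF2 has been superseded upstream by the 'pypdf' package,
# which is where parser fixes land now — consider migrating.
PyPDF2
pycryptodome
--------------------------------------------------------------------------------
/setup.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Create the project virtual environment and install requirements.txt into it.
# Run from the repository root (where requirements.txt lives).
set -euo pipefail

python3 -m venv .venv
# Call the venv's own interpreter instead of `source .venv/bin/activate`:
# the original script had no shebang, and `source` is not POSIX sh, so the
# activation could fail when the script is run under /bin/sh. Installing via
# the venv's python does not need activation at all.
.venv/bin/python -m pip install -r requirements.txt

echo "Setup complete."
echo "Run 'source .venv/bin/activate' to activate the virtual environment with the required packages: "
cat requirements.txt
echo "Then run 'python3 extractpdfs.py -P ...' to generate the index."
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
share/python-wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST

# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.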
32 | *.manifest 33 | *.spec 34 | 35 | # Installer logs 36 | pip-log.txt 37 | pip-delete-this-directory.txt 38 | 39 | # Unit test / coverage reports 40 | htmlcov/ 41 | .tox/ 42 | .nox/ 43 | .coverage 44 | .coverage.* 45 | .cache 46 | nosetests.xml 47 | coverage.xml 48 | *.cover 49 | *.py,cover 50 | .hypothesis/ 51 | .pytest_cache/ 52 | cover/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | .pybuilder/ 76 | target/ 77 | 78 | # Jupyter Notebook 79 | .ipynb_checkpoints 80 | 81 | # IPython 82 | profile_default/ 83 | ipython_config.py 84 | 85 | # pyenv 86 | # For a library or package, you might want to ignore these files since the code is 87 | # intended to run in multiple environments; otherwise, check them in: 88 | # .python-version 89 | 90 | # pipenv 91 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 92 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 93 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 94 | # install all needed dependencies. 95 | #Pipfile.lock 96 | 97 | # poetry 98 | # Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 99 | # This is especially recommended for binary packages to ensure reproducibility, and is more 100 | # commonly ignored for libraries. 101 | # https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control 102 | #poetry.lock 103 | 104 | # pdm 105 | # Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. 
106 | #pdm.lock 107 | # pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it 108 | # in version control. 109 | # https://pdm.fming.dev/#use-with-ide 110 | .pdm.toml 111 | 112 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm 113 | __pypackages__/ 114 | 115 | # Celery stuff 116 | celerybeat-schedule 117 | celerybeat.pid 118 | 119 | # SageMath parsed files 120 | *.sage.py 121 | 122 | # Environments 123 | .env 124 | .venv 125 | env/ 126 | venv/ 127 | ENV/ 128 | env.bak/ 129 | venv.bak/ 130 | 131 | # Spyder project settings 132 | .spyderproject 133 | .spyproject 134 | 135 | # Rope project settings 136 | .ropeproject 137 | 138 | # mkdocs documentation 139 | /site 140 | 141 | # mypy 142 | .mypy_cache/ 143 | .dmypy.json 144 | dmypy.json 145 | 146 | # Pyre type checker 147 | .pyre/ 148 | 149 | # pytype static type analyzer 150 | .pytype/ 151 | 152 | # Cython debug symbols 153 | cython_debug/ 154 | 155 | # PyCharm 156 | # JetBrains specific template is maintained in a separate JetBrains.gitignore that can 157 | # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore 158 | # and can be added to the global gitignore or merged into this file. For a more nuclear 159 | # option (not recommended) you can uncomment the following to ignore the entire idea folder. 
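#.idea/

--------------------------------------------------------------------------------
/extractpdfs.py:
--------------------------------------------------------------------------------
import argparse
import json
import re
from collections import defaultdict
from concurrent.futures import ProcessPoolExecutor
from contextlib import nullcontext
from pathlib import Path
from sys import stderr, stdout
from textwrap import TextWrapper

from PyPDF2 import PdfReader


def fix_text(text):
    """Normalise text extracted by PyPDF2 before it is matched or printed.

    Re-joins a standalone 'T' or 'Y' to the token that follows it
    (e.g. 'T he' -> 'The', a recurring extraction artefact), collapses runs
    of tabs/spaces to a single space, repairs the specific split
    'Secu rity' and strips surrounding whitespace.

    Args:
        text: raw page text from ``PageObject.extract_text()``.

    Returns:
        The cleaned string.
    """
    # \s also matches a newline, so a line ending in a lone T/Y is joined to
    # the next line. Kept as in the original; the header heuristics below
    # were tuned against this behaviour.
    text = re.sub(r"\b([TY])\s", r"\1", text)
    text = re.sub(r'[\t ]+', ' ', text)
    text = text.replace('Secu rity', 'Security')
    return text.strip()


def extract_pdf_text(filename, password=None):
    """Extract a (header, body, references) tuple for every content page of one SANS PDF.

    The first two pages are taken to be the cover (course code and title) and
    the terms page (its first sentence is used as the author line that ends
    each page's text). Content pages are numbered from 1 starting at the
    third physical page.

    Args:
        filename: path to the PDF.
        password: password used to decrypt the PDF, or None.

    Returns:
        ``(filename, pages)`` where ``pages`` maps page number to
        ``(header, text, references)``; ``references`` is the matched
        'References:' block or None.

    Raises:
        IndexError / ValueError: when the cover or terms page does not have
            the expected layout (no 'sans.org' line, no line starting with
            'GIAC', fewer than two pages) — see the README note on structure.

    NOTE(review): the PDF is untrusted parser input; a malformed file can make
    extraction fail or misbehave. PyPDF2 has been superseded upstream by
    ``pypdf``, which is where parser hardening lands now.
    """
    pages = {}
    pdf = PdfReader(Path(filename), password=password)
    # NOTE(review): _flatten() and flattened_pages are private PyPDF2 API and
    # may change between releases.
    pdf._flatten()

    cover, terms_page = list(pdf.pages)[0:2]
    cover_lines = cover.extract_text().split('\n')
    # Title is everything after 'sans.org' on the first line up to the line
    # that starts with 'GIAC'.
    course_title = cover_lines.pop(0).split('sans.org')[1].replace(' & ', ' and ')
    while not (next_line := cover_lines.pop(0)).startswith('GIAC'):
        course_title += ' ' + next_line
    course_title = fix_text(course_title)

    course_code, course_name = course_title.split(' | ', 1)
    authors = terms_page.extract_text().split('.')[0]

    header = ''
    last_header = ''
    for n, page in enumerate(pdf.flattened_pages[2:]):
        page_num = n+1

        text = page.extract_text()
        # Everything after the author line is the page footer/notes.
        text = text.split(authors)[0]
        text = fix_text(text)
        references = re.search(
            r'References:\n?(?:\[\d+\].+\n?)+', text, flags=re.MULTILINE)
        if references:
            references = references.group(0)
            text = text.replace(references, '')

        lines = text.split('\n')
        end_of_slide_pattern = rf"{course_code} \| +{course_name}\s?"

        if re.search(r"TABLE\sOF\sCONTENTS", lines[0], flags=re.IGNORECASE):
            header = "TABLE OF CONTENTS"

        elif re.search(r"Course Roadmap", text, flags=re.IGNORECASE):
            header = "Course Roadmap"

        elif re.search(end_of_slide_pattern, text, flags=re.IGNORECASE):
            # The slide header is the first capitalised line after the
            # "CODE | Course Name" marker, with bullet lines removed.
            text = re.split(end_of_slide_pattern, text,
                            flags=re.IGNORECASE | re.MULTILINE)[1]
            # NOTE(review): str.replace removes *every* occurrence of the page
            # number digits from the slide text, not just the footer number
            # (e.g. page 2 also strips the '2' from 'NTLMv2'). Left unchanged
            # because the header heuristics were tuned against it.
            text = re.sub(r"[••–].+", '',
                          text).replace(str(page_num), '').strip()
            text = re.sub(r"^[^A-Z].+", '',
                          text).replace(str(page_num), '').strip()
            header = text.splitlines()[0] if text else ''

        # Same header as the previous page -> mark it as a continuation once.
        if last_header == header:
            header = last_header + \
                (' (CONT)' if not last_header.endswith('(CONT)') else '')

        if not header:
            header = f'UNKNOWN HEADER - {lines[0]}'

        header = fix_text(header)
        pages[page_num] = (header, text, references)
        # NOTE(review): "(unknown)" looks like a placeholder in this copy;
        # the filename presumably belongs here — confirm against upstream.
        print(f"Read (unknown) Page {page_num}: {header}", file=stderr)
        last_header = header
        header = ''

    return filename, pages


def make_index(file_pages, keep_roadmap=False, keep_toc=False, keep_continuation=False, keep_summary=False, keep_labs=False):
    """Build ``{filename: {page_num: header}}`` from extract_pdf_text output, dropping filler pages.

    Args:
        file_pages: mapping filename -> {page_num: (header, text, references)}.
        keep_roadmap: keep 'Course Roadmap' / 'Course Outline' pages.
        keep_toc: keep the 'TABLE OF CONTENTS' page.
        keep_continuation: keep pages whose header ends in '(CONT)'.
        keep_summary: keep 'Summary' / 'Module Summary' pages.
        keep_labs: keep 'Lab' / 'Please work on' pages.

    Returns:
        A ``defaultdict(dict)`` of the surviving headers, in page order.
    """
    index = defaultdict(dict)
    for filename, pages in file_pages.items():
        for page_num, (header, _text, _references) in pages.items():
            if not keep_roadmap and header.startswith(("Course Roadmap", "Course Outline")):
                continue
            if not keep_toc and header == "TABLE OF CONTENTS":
                continue
            if not keep_continuation and header.endswith('(CONT)'):
                continue
            # The original `not keep_x and a or b` bound as `(not keep_x and a)
            # or b`, so 'Module Summary' and 'Please work on' pages were
            # dropped even when --keep-summary / --keep-labs was given.
            if not keep_summary and header.startswith(('Summary', 'Module Summary')):
                continue
            if not keep_labs and header.startswith(('Lab', 'Please work on')):
                continue

            index[filename][page_num] = header

    return index


def print_index_by_page_order(index, stream=None, maxwidth=80):
    """Print each file's index in page order, one wrapped entry per header.

    Args:
        index: mapping filename -> {page_num: header}. Page numbers are ints
            straight from make_index, or strings after a JSON round trip.
        stream: file object to print to (None = sys.stdout).
        maxwidth: maximum output line width, including the page-number prefix.
    """
    for filename, pages in index.items():
        # NOTE(review): "(unknown)" looks like a placeholder in this copy; the
        # README's example output shows the filename in this position.
        print(f"(unknown):\n", file=stream)
        # Widest page-number label. Measured per key (not `max(keys)`) so that
        # string keys from a loaded JSON index are not compared
        # lexicographically ("99" > "100"); default=0 tolerates an empty map.
        num_width = max((len(str(p)) for p in pages), default=0)
        for page_num, header in pages.items():
            prefix = str(page_num).ljust(num_width) + ": "
            wrapper = TextWrapper(width=maxwidth, initial_indent=prefix,
                                  subsequent_indent=' ' * len(prefix))
            print('\n'.join(wrapper.wrap(header)), file=stream)
        print("\n", file=stream)


def print_index_by_alpha_order(index, stream=None, maxwidth=80):
    """Print every header alphabetically with its ``<file#>:<page>`` locations.

    Files are numbered 1..N in the order they appear in ``index``; a header
    that occurs on several pages lists every location, comma-separated.
    A leading 'The ' / 'A ' (first occurrence anywhere in the header, as in
    the original) is ignored for sort order.

    Args:
        index: mapping filename -> {page_num: header}.
        stream: file object to print to (None = sys.stdout).
        maxwidth: maximum output line width.
    """
    filenums = {filename: n + 1 for n, filename in enumerate(index)}
    locations = defaultdict(list)
    for filename, pages in index.items():
        for page_num, header in pages.items():
            locations[header].append(f"{filenums[filename]}:{page_num}")

    def sort_key(item):
        return item[0].replace('The ', '', 1).replace('A ', '', 1).lower()

    ordered = sorted(locations.items(), key=sort_key)
    # default=0: an empty index used to raise ValueError from max().
    pagestr_width = max((len(": " + ','.join(nums)) for _, nums in ordered), default=0)

    for header, nums in ordered:
        pagestr = ": " + ','.join(nums).ljust(pagestr_width)
        # Always leave at least 20 columns for the header text.
        header_width = max(maxwidth - len(pagestr), 20)
        wrapped = TextWrapper(width=header_width).wrap(header)
        for i, line in enumerate(wrapped):
            if i == 0:
                print(f"{line.ljust(header_width)}{pagestr}", file=stream)
            else:
                print(line.ljust(maxwidth), file=stream)


def main():
    """Command-line entry point: parse options, build (or load) the index, print it."""
    parser = argparse.ArgumentParser(
        description='Extracts indexes from SANS PDF files.')
    parser.add_argument('FILENAMES', metavar='FILENAMES', type=str, nargs='*', default=[],
                        help='the PDF files to unlock and extract indexes from')
    # NOTE(review): a password given with -P lands in shell history and is
    # generally readable by other local users through the process list
    # (argv). Prompting for it with getpass when it is omitted would avoid
    # that; left unchanged here to keep the documented usage intact.
    parser.add_argument("-P", '--password', dest='PASSWORD', required=False, type=str, default=None,
                        help='the password to unlock the PDF files')

    parser.add_argument('-O', '--out', type=str,
                        default=None, help='Output file')
    parser.add_argument('--maxwidth', type=int, default=120,
                        help='Maximum width of output')
    parser.add_argument('--only-page-order',
                        action='store_true', help='Print index only in page order')
    parser.add_argument('--only-alpha', action='store_true',
                        help='Print index only in alphabetical order')

    # BooleanOptionalAction flags default to None, which make_index treats as False.
    for flag, help_text in (('--keep-roadmap', 'Keep roadmap'),
                            ('--keep-toc', 'Keep table of contents'),
                            ('--keep-continuation', 'Keep continuation'),
                            ('--keep-summary', 'Keep summary'),
                            ('--keep-labs', 'Keep labs')):
        parser.add_argument(flag, action=argparse.BooleanOptionalAction, help=help_text)

    parser.add_argument('--load-index', type=str,
                        default=None, help='Load index from file')
    parser.add_argument('--save-index', type=str,
                        default=None, help='Save index to file')

    args = parser.parse_args()

    if not args.FILENAMES and not args.load_index:
        parser.error("No PDF files specified")
    if args.only_page_order and args.only_alpha:
        parser.error("Cannot use both --only-page-order and --only-alpha")
    # TextWrapper raises ValueError for a width < 1; reject it up front.
    if args.maxwidth < 1:
        parser.error("--maxwidth must be a positive integer")

    if args.load_index:
        # A saved index is our own JSON; page keys come back as strings.
        with open(args.load_index, 'r', encoding='utf-8') as f:
            index = json.load(f)
    else:
        num_files = len(args.FILENAMES)
        # One worker process per PDF; the password is passed as a pickled
        # argument, not on the workers' command line.
        with ProcessPoolExecutor() as executor:
            print(f"Extracting text from {num_files} files...", file=stderr)
            file_pages = dict(executor.map(extract_pdf_text,
                                           args.FILENAMES, [args.PASSWORD] * num_files))
            print(f"\nDone extracting text {num_files} files.\n", file=stderr)

        index = make_index(file_pages,
                           args.keep_roadmap,
                           args.keep_toc,
                           args.keep_continuation,
                           args.keep_summary,
                           args.keep_labs)

        if args.save_index:
            with open(args.save_index, 'w', encoding='utf-8') as f:
                json.dump(index, f, indent=4)

    # Close the output only if we opened it ourselves: the original called
    # stream.close() unconditionally, which closed sys.stdout when -O was
    # not given. Explicit UTF-8 so non-ASCII headers do not depend on the
    # platform's default encoding.
    sink = open(args.out, 'w', encoding='utf-8') if args.out else nullcontext(stdout)
    with sink as stream:
        if not args.only_alpha:
            print_index_by_page_order(index, stream, args.maxwidth)
        if not args.only_page_order:
            print_index_by_alpha_order(index, stream, args.maxwidth)


if __name__ == "__main__":
    main()

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# sans-index-generator
**Generate Indexes from SANS PDFs**

> NOTE: May not work with all SANS PDFs due to different structures. Modify the `fix_text` and `extract_pdf_text` methods in `extractpdfs.py` to match the structure of the PDFs you are working with if errors occur.

> NOTE: The password given with `-P` is passed on the command line, so it ends up in your shell history and is generally visible to other users on the same machine through the process list. Run the tool on a machine you control and clear the command from your history afterwards.

## Setup
Run the following command to clone the repository and run the setup script.
```bash
git clone https://github.com/LucasFaudman/sans-index-generator && cd sans-index-generator && chmod +x setup.sh && ./setup.sh
```

## Usage
```bash
usage: extractpdfs.py [-h] [-P PASSWORD] [-O OUT] [--maxwidth MAXWIDTH]
                      [--only-page-order] [--only-alpha]
                      [--keep-roadmap | --no-keep-roadmap]
                      [--keep-toc | --no-keep-toc]
                      [--keep-continuation | --no-keep-continuation]
                      [--keep-summary | --no-keep-summary]
                      [--keep-labs | --no-keep-labs] [--load-index LOAD_INDEX]
                      [--save-index SAVE_INDEX]
                      [FILENAMES ...]

Extracts indexes from SANS PDF files.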
25 | 26 | positional arguments: 27 | FILENAMES the PDF files to unlock and extract indexes from 28 | 29 | optional arguments: 30 | -h, --help show this help message and exit 31 | -P PASSWORD, --password PASSWORD 32 | the password to unlock the PDF files 33 | -O OUT, --out OUT Output file 34 | --maxwidth MAXWIDTH Maximum width of output 35 | --only-page-order Print index only in page order 36 | --only-alpha Print index only in alphabetical order 37 | --keep-roadmap, --no-keep-roadmap 38 | Keep roadmap 39 | --keep-toc, --no-keep-toc 40 | Keep table of contents 41 | --keep-continuation, --no-keep-continuation 42 | Keep continuation 43 | --keep-summary, --no-keep-summary 44 | Keep summary 45 | --keep-labs, --no-keep-labs 46 | Keep labs 47 | --load-index LOAD_INDEX 48 | Load index from file 49 | --save-index SAVE_INDEX 50 | Save index to file 51 | ``` 52 | 53 | ## Example Output 54 | ``` 55 | 560/SEC560-Book1.pdf: 56 | 57 | 11: Terms Vulnerability, Exploit 58 | 12: Terms Threat Risk 59 | 13: Terms Pen Test, Red Team, Purple Team, Audit 60 | 14: Terms Vulnerability Assessment, Security Audit 61 | 15: Terms Penetration Testing Goals 62 | 16: Terms Types of Penetration Tests 63 | 17: Terms Attack Phases 64 | 19: Pre-Engagement Penetration Testing Process Phases 65 | 20: Pre-Engagement Documented Permission 66 | 21: Pre-Engagement Steps 67 | 22: Pre-Engagement Goals 68 | 23: Pre-Engagement Scope 69 | 24: Pre-Engagement Rules of Engagement 70 | 25: Pre-Engagement Announced vs. Unannounced Tests 71 | 26: Pre-Engagement Zero-Knowledge vs. 
Full-Knowledge Testing 72 | 27: Pre-Engagement Viewing Data on Compromised Systems 73 | 28: Pre-Engagement Kickoff Call 74 | 33: Building Infrastructure 75 | 34: Building Infrastructure Building a Lab 76 | 35: Building Infrastructure Systems Used for Internal Testing 77 | 36: Building Infrastructure Dedicated Test Systems 78 | 37: Building Infrastructure Sources for Free Tools and Exploits 79 | 38: Building Infrastructure MITRE ATT&CK 80 | 39: Building Infrastructure Tools for Penetration Testing Teams 81 | 42: Linux vs.Windows 82 | 43: Linux Fun Ease-of-Use Shell Tips 83 | 44: Linux Users: Root and Non-root 84 | 45: Linux Who Am I? 85 | 46: Linux File System Structure 86 | 47: Linux Where Am I? 87 | 48: Linux Navigating the Filesystem 88 | 49: Linux Listing Files 89 | 50: Linux Permissions 90 | 51: Linux Escalating with SETUID 91 | 52: Linux Escalation 92 | 53: Linux Commands for Pen Testers 93 | 54: Linux Software for Testing: Prepackaged Testing Suites 94 | 55: Command Prompts 95 | 61: Recon Motivation 96 | 62: Recon Traffic 97 | 63: Recon Targets 98 | 64: Recon Social Engineering and Ethics 99 | 67: Recon Org Information on the Organization 100 | 68: Recon Org Press Releases and Annual Reports 101 | 69: Recon Org Gather Competitive Intelligence 102 | 71: Recon Infrastructure 103 | 72: Recon Infra Hostname Information 104 | 73: Recon Infra DNSRecon 105 | 74: Recon Infra DNSRecon Usage 106 | 75: Recon Infra DNSDumpster 107 | 76: Recon Infra DNSDumpster Usage (1) 108 | 77: Recon Infra DNSDumpster Usage (2) 109 | 78: Recon Infra WHOIS + Regional Internet Registries 110 | 79: Recon Infra Certificate Transparency Logs 111 | 80: Recon Infra Shodan 112 | 83: Recon User Hunter.io 113 | 84: Recon User phonebook.cz lists emails, URLs for a domain 114 | 85: Recon User Public Breach Data of Credentials 115 | 86: Recon User Look for Open Job Requisitions 116 | 87: Recon User LinkedIn can provide a lot of information on employees 117 | 88: Recon User GatherContacts 118 | 89: 
Recon User GatherContacts Results 119 | 93: Scanning Goals of Scanning Phase 120 | 94: Scanning Scan Types 121 | 95: Scanning Tip: Dealing with Very Large Scans 122 | 96: Scanning Handling Large Scans by Limiting Scope 123 | 98: Scanning Port Protocol Layers and TCP vs. UDP 124 | 99: Scanning Port TCP Header 125 | 100: Scanning Port TCP Flags 126 | 101: Scanning Port TCP Three-Way Handshake 127 | 102: Scanning Port Handshake Happens Regardless of Higher-Level Protocol 128 | 103: Scanning Port TCP Behavior (1) 129 | 104: Scanning Port TCP Behavior (2): 130 | 105: Scanning Port UDP Header 131 | 106: Scanning Port UDP Behavior (1) 132 | 107: Scanning Port UDP Behavior (2) 133 | 109: Nmap Port Scanner 134 | 110: Nmap's Timing Options 135 | 111: Nmap Input and Output Options 136 | 112: Nmap and Address Probing 137 | 113: Nmap Network Probe/Sweeping Options 138 | 114: Nmap Optimizing Host Detection 139 | 115: Nmap Port Scanning (After Host Detection) 140 | 116: Nmap TCP Port Scan Types: Connect Scan 141 | 117: Nmap UDP Scans 142 | 121: Nmap Limitations and Host Groups 143 | 122: Masscan vs Nmap Faster Scanning 144 | 123: Masscan 145 | 124: Masscan Output 146 | 125: Masscan Extracting Live Hosts and Open Ports 147 | 129: Nmap Active OS Fingerprinting 148 | 130: Nmap Version Scanning 149 | 131: Nmap Version Scanning Functionality 150 | 133: Netcat for the Pen Tester 151 | 134: Netcat Command Flags 152 | 135: Netcat Client Grabbing Service Info 153 | 136: Netcat Automating Service String Information 154 | 137: Netcat uses a Lowercase L 155 | 138: Netcat Moving Files 156 | 140: EyeWitness 157 | 141: EyeWitness Specifying Targets 158 | 142: EyeWitness Report Content 159 | 143: EyeWitness What to Look For 160 | 145: Scanning Vulns Methods for Discovering Vulnerabilities (1) 161 | 146: Scanning Vulns Methods for Discovering Vulnerabilities (2) 162 | 147: Scanning Vulns Scanner Goals 163 | 148: Scanning Vulns Scan Types 164 | 149: Scanning Vulns Safe Checks and Dangerous Plugins 
165 | 150: Scanning Vulns Scan Results 166 | 151: Nmap Version Scan as Vulnerability Scanner? 167 | 153: Nmap Scripting Engine 168 | 154: Nmap Scripting Engine Scripts 169 | 155: Nmap NSE Script Categories 170 | 156: Nmap Some Example NSE Scripts 171 | 172 | 173 | 560/SEC560-Book2.pdf: 174 | 175 | 5 : Initial Access Background 176 | 6 : Initial Access Where Does Access Come From 177 | 8 : Password Guessing The Importance of Passwords 178 | 9 : Password Guessing Credential Stuffing 179 | 10: Password Guessing Credential Databases 180 | 11: Password Guessing Types of Online Password Attacks 181 | 12: Password Guessing with a Custom Dictionary 182 | 13: Password Guessing Trimming Word Lists with Hydra's pw-inspector 183 | 14: Password Guessing Guessing Usernames 184 | 15: Password Guessing Account Lockout 185 | 16: Password Guessing Account Lockout on Windows 186 | 17: Password Guessing Active Directory Lockout Scenario 187 | 18: Password Guessing Suggested Spray Technique 188 | 19: Password Guessing Tools 189 | 20: Password Guessing Hydra 190 | 21: Password Guessing Hydra Examples 191 | 22: Password Guessing Hydra with the Domain 192 | 26: Exploitation What Is Exploitation? 193 | 27: Exploitation Why use Exploitation? 
194 | 28: Exploitation Risks of Exploitation 195 | 30: Exploitation Categories of Exploits 196 | 31: Exploitation Server-Side Exploits 197 | 32: Exploitation Client-Side Exploits 198 | 33: Exploitation Client-Side Commonly Vulnerable Software 199 | 34: Exploitation Mounting a Client-Side Exploitation Campaign 200 | 35: Exploitation Client-Side Exploits and Guardrails 201 | 36: Exploitation Using Payloads on Target Systems 202 | 37: Exploitation Use Appropriate, Representative Client Machines 203 | 38: Exploitation Local PrivEsc Exploits 204 | 39: Exploitation Local PrivEsc Attack Categories and Suites 205 | 41: Metasploit Exploitation Framework 206 | 42: Metasploit Design 207 | 43: Metasploit User Interfaces 208 | 44: Metasploit Modules (exploits, payloads, auxiliary, post) 209 | 45: Metasploit Exploit Arsenal 210 | 46: Metasploit Windows Exploits 211 | 47: Metasploit Exploit Rankings 212 | 48: Metasploit Modules: Payloads 213 | 49: Metasploit Payloads: Windows Singles 214 | 50: Metasploit Payloads: Windows Stagers 215 | 51: Metasploit Payloads: Windows Stages 216 | 52: Meterpreter Overview 217 | 53: Meterpreter Functionality: Some Base Commands 218 | 54: Meterpreter Functionality: Process Commands 219 | 55: Meterpreter Functionality: File System Commands 220 | 56: Meterpreter Stdapi Capabilities: Networking Commands 221 | 57: Meterpreter Functionality:Target Machine Console 222 | 58: Meterpreter Functionality: Keystroke Logger 223 | 59: Meterpreter Functionality: Pivoting Using Route 224 | 60: Meterpreter Functionality: Additional Modules 225 | 65: Assumed Breach 226 | 66: Assumed Breach What About Initial Access? 
227 | 67: Assumed Breach Access via 0-Day 228 | 68: Assumed Breach Test Assumptions 229 | 69: Assumed Breach Analyzing Modern Attacks 230 | 70: Assumed Breach Post-Exploitation 231 | 72: C2 What is a C2 Framework 232 | 73: C2 The C2 Matrix 233 | 74: C2 Matrix Google Sheet 234 | 76: C2 Sliver C2 Framewor Overview 235 | 77: C2 Sliver Features 236 | 78: C2 Sliver Features Supporting Offensive Operations 237 | 79: C2 Sliver Payload File Format Options 238 | 80: C2 Sliver Payload Options 239 | 81: C2 Sliver Implant Commands 240 | 82: C2 Sliver Multiplayer 241 | 83: C2 Sliver Generating Payloads 242 | 87: C2 Empire Overview 243 | 88: C2 Empire Features 244 | 89: C2 Empire Features Supporting Offensive Operations 245 | 90: C2 Empire Modules 246 | 91: C2 Empire Module Categories (1) 247 | 92: C2 Empire Module Categories (2) 248 | 96: Payloads Overview 249 | 97: Payloads Common Payload Types 250 | 98: Payloads Using Macros 251 | 99: Payloads VBA 252 | 100: Payloads DDE 253 | 101: Payloads ISO 254 | 102: Payloads Zip File 255 | 103: Payloads LNK Files 256 | 107: Post-Exploitation Activities 257 | 108: Post Exploitation Tactics 258 | 109: Post-Exploitation File Transfer (HTTP, SCP, FTP, TFTP) 259 | 110: Post-Exploitation File Transfer (SMB, NFS mounts, Netcat) 260 | 111: Post-Exploitation File Transfer (Meterpreter) 261 | 112: Post-Exploitation File Transfer (Copy/Paste to Move Files) 262 | 114: Situational Awareness Overview 263 | 115: Situational Awareness File Pilfering 264 | 116: Situational Awareness Network Pilfering 265 | 118: Situational Awareness Linux Accounts 266 | 119: Situational Awareness Linux Groups 267 | 120: Situational Awareness Linux Interesting Files (1) 268 | 121: Situational Awareness Linux Interesting Files (2) 269 | 122: Situational Awareness Linux Local File Pilfering 270 | 124: Situational Awareness Windows Environment Variables 271 | 125: Situational Awareness Windows Searching the File System 272 | 126: Situational Awareness Windows Managing 
Accounts and Groups 273 | 127: Situational Awareness Windows Domain User 274 | 128: Situational Awareness Windows Local Groups 275 | 129: Situational Awareness Windows Domain Groups 276 | 130: Situational Awareness Windows Deleting Users and Accounts 277 | 131: Situational Awareness Windows Determining Firewall Settings 278 | 132: Situational Awareness Windows Displaying and Searching Files 279 | 133: Situational Awareness Windows Interacting with the Registry 280 | 134: Situational Awareness Windows PowerView 281 | 135: Situational Awareness Windows AD Explorer 282 | 137: Situational Awareness Windows Seatbelt GhostPack Overview 283 | 138: Situational Awareness Windows Seatbelt Executing Checks 284 | 139: Situational Awareness Windows Seatbelt Command Groups 285 | 286 | 287 | 560/SEC560-Book3.pdf: 288 | 289 | 5 : PrivEsc Why PrivEsc? 290 | 7 : PrivEsc Linux Why Linux? 291 | 8 : PrivEsc Linux Kernel Exploits 292 | 9 : PrivEsc Linux Services Running as Root 293 | 10: PrivEsc Linux PrivEsc Linux World Writeable Files 294 | 11: PrivEsc Linux SETUID 295 | 12: PrivEsc Linux GTFOBins 296 | 14: PrivEsc Windows Common Flaws 297 | 15: PrivEsc Windows Unattended Install Files 298 | 16: PrivEsc Windows Unattended Install Files Contents 299 | 17: PrivEsc Windows Group Policy Preference (GPP) Files 300 | 18: PrivEsc Windows Group Policy Preference (GPP) 301 | 19: PrivEsc Windows Unquoted Paths with Spaces (1) 302 | 20: PrivEsc Windows Unquoted Paths with Spaces (2) 303 | 21: PrivEsc Windows User Account Control (UAC) 304 | 22: PrivEsc Windows UAC Levels 305 | 23: PrivEsc Windows UAC Bypass Techniques 306 | 24: PrivEsc Windows Tools (BeRoot, Watson, PowerUp) 307 | 25: PrivEsc Windows PowerUp 308 | 26: PrivEsc Windows LOLBAS 309 | 30: BloodHound Overview 310 | 31: BloodHound How Do We Know Where to Steal Credentials? 
311 | 32: BloodHound Ingestion via SharpHound 312 | 33: BloodHound Queries 313 | 34: BloodHound Graph Interface 314 | 35: BloodHound Marking Targets (Owned, High Value) 315 | 39: Persistence Why Persistence 316 | 40: Persistence Windows Registry 317 | 41: Persistence Windows Startup Folder 318 | 42: Persistence Windows Scheduled Task 319 | 43: Persistence Windows Services 320 | 44: Persistence Windows WMI Event Consumer 321 | 48: Password Cracking vs. Password Guessing 322 | 49: Password Cracking Synced Passwords 323 | 50: Password Cracking Dictionaries 324 | 51: Password Cracking Custom Dictionaries 325 | 52: Password Cracking Update Your Dictionary 326 | 53: Password Cracking Improving Speed 327 | 54: Password Cracking Alts (Sniffing, Keyloggers, Pass-the-Hash) 328 | 55: Password Cracking Considerations 329 | 56: Password Cracking Reporting 330 | 58: Password Reprs Windows SAM Database 331 | 59: Password Reprs Windows AD (ntds.dit) 332 | 60: Password Reprs Windows LANMAN Hash Algorithm 333 | 61: Password Reprs Windows NT Hash Algorithm 334 | 62: Password Reprs Windows Challenge/Response on the Network 335 | 63: Password Reprs Windows LANMAN Challenge/Response 336 | 64: Password Reprs Windows LANMAN and NTLMv1 Challenge/Response 337 | 65: Password Reprs Windows NTLMv2 Challenge/Response 338 | 66: Password Reprs Windows NTLMv2 Graphically 339 | 67: Password Reprs Windows CAC and Smartcards 340 | 68: Password Reprs Linux and UNIX Password Representations 341 | 69: Password Reprs Linux MD5-Based Password Scheme 342 | 71: Password Dumping Linux/UNIX Password Representations 343 | 72: Password Dumping Windows Password Representations 344 | 73: Password Dumping Hashes with Meterpreter 345 | 74: Password Dumping Windows VSS Volume Shadow Copy Service (ntds.dit+ 346 | 75: Password Dumping Windows VSS Extract of ntds.dit 347 | 76: Password Dumping Windows NTDSUtil 348 | 77: Password Dumping Windows from mimikatz Kiwi 349 | 81: Password Cracking John the Ripper 350 | 82: 
Password Cracking John Config File and Cracking Modes 351 | 83: Password Cracking John john.pot File 352 | 84: Password Cracking John Interpreting Output 353 | 85: Password Cracking John Speed 354 | 86: Password Cracking John vs. Hashcat 355 | 88: Password Cracking Hashcat Multithreaded and GPU 356 | 89: Password Cracking Hashcat Specifying Hash Types 357 | 90: Password Cracking Hashcat Potfile, Show, and Restore 358 | 91: Password Cracking Hashcat Dictionaries, and Word Mangling Rules 359 | 92: Password Cracking Hashcat Masks 360 | 93: Password Cracking Hashcat Mask Examples 361 | 94: Password Cracking Hashcat Status and Temp Sensor 362 | 95: Password Cracking Pipal Password Pattern Analysis 363 | 99: Sniff/Relay Kerberos and NTLMv2 364 | 100: Sniff/Relay NTLMv2 Attack Strategies 365 | 101: Sniff/Relay Windows Challenge/Response 366 | 102: Sniff/Relay PCredz Cracking Process 367 | 103: Sniff/Relay PCredz Extracting Hashes 368 | 104: Sniff/Relay PCredz Getting the Hashes from Log File 369 | 106: Sniff/Relay Resonder Overview 370 | 107: Sniff/Relay Resonder Obtain NetNTLMv2 Challenge/Response 371 | 108: Sniff/Relay Resonder Web Proxy Autodiscovery Protocol 372 | 109: Sniff/Relay Resonder Obtain NetNTLMv2 Other Tricks 373 | 110: Sniff/Relay Resonder NTLM Offline Brute Force Hashcat 374 | 111: Sniff/Relay Resonder NTLM SMB Relaying 375 | 112: Sniff/Relay Resonder NTLM SMB Relaying with Responder 376 | 113: Sniff/Relay Resonder Defenses 377 | 378 | 379 | 560/SEC560-Book4.pdf: 380 | 381 | 5 : LatMov Why Lateral Movement? 
382 | 6 : LatMov Linux (Cred Reuse, SSO, SSH key theft) 383 | 8 : LatMov Windows (LOL, RDP, WMI, WinRM, PsExec, ticket/hash reuse) 384 | 9 : LatMov Windows Command Line for Penetration Testers 385 | 10: LatMov Windows Remote Management (WinRM) 386 | 11: LatMov Windows WinRM and PowerShell 387 | 12: LatMov Windows Ticket Reuse 388 | 13: LatMov Windows SMB Session Setup 389 | 14: LatMov Windows SC Controlling Services with SC 390 | 15: LatMov Windows SC Starting and Stopping Services 391 | 16: LatMov Windows SC Determining Service Names 392 | 17: LatMov Windows Run Cmds on Remote Systems Methods 393 | 18: LatMov Windows Run Cmds Sysinternals PsExec.exe (1) 394 | 19: LatMov Windows Run Cmds Sysinternals PsExec.exe (2) 395 | 20: LatMov Windows Run Cmds Metasploit PsExec Module 396 | 21: LatMov Windows Run Cmds schtasks Scheduling a Job 397 | 22: LatMov Windows Run Cmds schtasks Run an Executable 398 | 23: LatMov Windows Run Cmds SC Invoke an Executable 399 | 24: LatMov Windows Run Cmds SC Make Executable a Service 400 | 25: LatMov Windows Run Cmds WMIC Invoke a Program 401 | 26: LatMov Windows Run Cmds WMIC Interacting with Processes 402 | 32: Impacket Overview 403 | 33: Impacket Kerberos (GetUserSPNs, ticketer).py 404 | 34: Impacket Extracting Hashes (secretsdump.py) 405 | 35: Impacket Remote Execution (ps, smb, at, wmi, dcom)exec.py 406 | 36: Impacket Syntax 407 | 37: Impacket smbexec.py vs wmiexec.py 408 | 41: Pass-the-Hash Technique Overview 409 | 42: Pass-the-Hash Advantages 410 | 43: Pass-the-Hash NTLMv2 Graphically 411 | 44: Pass-the-Hash Microsoft's Mitigations 412 | 45: Pass-the-Hash C2 Frameworks 413 | 46: Pass-the-Hash Metasploit PsExec Module 414 | 47: Password Attacks: When to Use Each Technique (with/out hashes) 415 | 52: Evasion AV/EDR Evasion Tactics 416 | 53: Evasion AV/EDR Approaches 417 | 54: Evasion virustotal.com? 
418 | 55: Evasion AV/EDR (Static vs Dynamic Evasion) 419 | 56: Evasion AMSI (Antimalware Scan Interface) 420 | 57: Evasion AMSI Initialization in PowerShell 421 | 58: Evasion AMSI - AMSI Initialization 422 | 59: Evasion AMSI - Downgrade Attacks 423 | 60: Evasion AMSI - String Modification 424 | 61: Evasion AV/EDR Static Analysis Evasion 425 | 62: Evasion AV/EDR Stripping PowerShell Comments 426 | 63: Evasion AV/EDR Call API's to Bypass Hooks (SharpBlock) 427 | 64: Evasion AV/EDR Signature-Based Detections 428 | 65: Evasion AV/EDR Windows Defender (1) 429 | 66: Evasion AV/EDR Windows Defender (2) 430 | 67: Evasion AV/EDR Windows Defender (3) 431 | 68: Evasion AV/EDR Windows Defender (4) 432 | 69: Evasion AV/EDR Tools for Automating Evasion 433 | 71: Application Control Overview 434 | 72: Application Control Bypass 435 | 73: Application Control Bypass MSBuild (1) 436 | 74: Application Control Bypass MSBuild (2) 437 | 75: Application Control Bypass MSBuild (3) 438 | 76: Application Control Bypass MSBuild (4) 439 | 77: Application Control Bypass MSBuild (5) 440 | 78: Application Control Bypass MSBuild (6) 441 | 79: Application Control Bypass MSBuild (7) 442 | 80: Application Control Bypass MSBuild (8) 443 | 84: LatMov Pivoting Metasploit route Command 444 | 85: LatMov Pivoting Metasploit Meterpreter Port Forwarding 445 | 86: LatMov Pivoting Metasploit Meterpreter Autoroute 446 | 87: LatMov Pivoting SSH Local Port Forwarding 447 | 88: LatMov Pivoting SSH Dynamic Port Forwarding 448 | 94: Reporting Always Create a Report 449 | 95: Reporting Don't Just Regurgitate Vuln Scan Results 450 | 96: Reporting Recommended Report Format 451 | 97: Reporting 1. Executive Summary (1) 452 | 98: Reporting 1. Executive Summary (2) 453 | 99: Reporting 2. Introduction 454 | 100: Reporting 3. Findings 455 | 101: Reporting 3. Findings Screenshot to Illustrate Findings 456 | 102: Reporting 3. Findings Screenshot Elements 457 | 103: Reporting 3. 
Findings Screenshot Tools 458 | 104: Reporting Redaction and Transparency 459 | 105: Reporting Recommendations 460 | 107: Reporting Validation and Verification 461 | 108: Reporting 4. Methodology 462 | 109: Reporting Appendices 463 | 110: Reporting Recommended Reading 464 | 111: Reporting Sample Reports 465 | 112: Reporting 3. Findings Order 466 | 113: Reporting Be Consistent! 467 | 114: Reporting Styles and Themes 468 | 115: Reporting Readability 469 | 116: Reporting Clean and Succinct Reporting 470 | 117: Reporting Use of Colors 471 | 118: Reporting Effective Illustrations 472 | 473 | 474 | 560/SEC560-Book5.pdf: 475 | 476 | 5 : Kerberos Introduction 477 | 6 : Kerberos How It Works 478 | 7 : Kerberos Overall Flow 479 | 8 : Kerberos Three Long-Term Keys (KDC, Client, Target Service) 480 | 9 : Kerberos AS-REQ with pre-authentication 481 | 10: Kerberos TGT (Ticket Granting Ticket) and PAC 482 | 11: Kerberos ST Requesting a Service Ticket 483 | 12: Kerberos Service Principal Name 484 | 13: Kerberos ST Using a Service Ticket 485 | 14: Kerberos ST Service Ticket 486 | 16: Kerberoasting Requesting a Service Ticket (ST) Revisited 487 | 17: Kerberoasting Requesting a Ticket 488 | 18: Kerberoasting Attack Overview 489 | 19: Kerberoasting Setspn.exe 490 | 20: Kerberoasting Obtaining Tickets (Tools) 491 | 21: Kerberoasting Attack Steps 492 | 22: Kerberoasting AES vs. RC4 493 | 23: Kerberoasting What Service Accounts are Good Targets? 
494 | 27: Kerberos Pass-the-Ticket 495 | 28: Kerberos Pass-the-Ticket Mimikatz Example 496 | 29: Kerberos Overpass-the-Hash 497 | 30: Kerberos Golden Ticket Overview 498 | 32: DomDom and AD Persistence 499 | 33: DomDom Obtaining Access to Back-Up NTDS.dit File 500 | 35: DomDom Creating a Domain Admin Account 501 | 36: DomDom Mimikatz Skeleton Key 502 | 37: DomDom Mimikatz Skeleton Key in Action 503 | 38: DomDom DCSync Replicating the Domain Controller 504 | 39: DomDom DCSync Replicating the Domain Controller Example 505 | 40: DomDom DCShadow Becoming a Domain Controller 506 | 41: DomDom DCShadow Becoming a Domain Controller Example 507 | 42: AD CS Abusing Active Directory Certificate Services 508 | 46: AD CS Overview (1) 509 | 47: AD CS Overview (2) 510 | 48: AD CS Terms (CA, Enterprise CA, Cert Templates, CSR, EKU, Digital Sig) 511 | 49: AD CS Internal CA how it Work? 512 | 50: AD CS ESC1 (Misconfigured Certificate Templates) 513 | 51: AD CS ESC1 CA Configuration 514 | 52: AD CS ESC1 Template Misconfiguration (1) 515 | 53: AD CS ESC1 Template Misconfiguration (2) 516 | 54: AD CS ESC1 Template Misconfiguration (3) 517 | 55: AD CS ESC1 Template Misconfiguration (4) 518 | 56: AD CS ESC1 Exploitation Tools (Certify, Certipy, Certi, Rubeus) 519 | 57: AD CS ESC1 Exploitation Certify List CAs and Templates 520 | 58: AD CS ESC1 Exploitation Certify Finding vulnerable templates (1) 521 | 59: AD CS ESC1 Exploitation Certify Finding vulnerable templates (2) 522 | 60: AD CS ESC1 Exploitation Certify Requesting a certificate 523 | 61: AD CS ESC1 Exploitation Certify Convert to .pfx 524 | 62: AD CS ESC1 Exploitation Rubeus Requesting a TGT 525 | 63: AD CS ESC1 Exploitation Rubeus PrivEsc using TGT (1) 526 | 64: AD CS ESC1 Exploitation Rubeus PrivEsc using TGT (2) 527 | 65: AD CS ESC1 Exploitation Certipy Find vulnerable CAs + templates (1) 528 | 66: AD CS ESC1 Exploitation Certipy Find vulnerable CAs + templates (2) 529 | 67: AD CS ESC1 Exploitation Certipy Find vulnerable CAs 
+ templates (3) 530 | 68: AD CS ESC1 Exploitation Certipy Requesting a certificate 531 | 69: AD CS ESC1 Exploitation Certipy Recovering NT hash 532 | 70: AD CS ESC4 (Vulnerable Certificate Template Access Control) 533 | 72: AD CS ESC4 Permission Descriptions 534 | 73: AD CS ESC4 Identification Certify (1) 535 | 74: AD CS ESC4 Identification Certify (2) 536 | 75: AD CS ESC4 Identification Certipy (3) 537 | 76: AD CS ESC4 Identification Certipy (4) 538 | 77: AD CS ESC4 Exploitation Certipy (5) 539 | 78: AD CS ESC4 Exploitation Certipy (6) 540 | 79: AD CS ESC4 Exploitation Certipy (7) 541 | 80: AD CS ESC4 Exploitation Certipy (8) 542 | 81: AD CS ESC4 Exploitation Certipy (9) 543 | 82: AD CS ESC8 (NTLM Relay to AD CS HTTP Endpoints) 544 | 83: AD CS ESC8 Tools (Ntlmrelayx.py, ADCSPwn) 545 | 87: Kerberos Silver Ticket Overview 546 | 88: Kerberos Silver Ticket Service Ticket and PAC 547 | 89: Kerberos Silver Ticket Generation Impacket ticketer.py 548 | 90: Kerberos Silver Ticket Use on Linux and Windows 549 | 94: Kerberos Golden Ticket Overview 550 | 95: Kerberos Golden Ticket Flow 551 | 96: Kerberos Golden Ticket Properties 552 | 97: Kerberos Golden Ticket Generation Tools (ticketer.py, mimikatz) 553 | 101: DomPrivEsc PowerViewFind-InterestingDomainShareFile 554 | 102: DomPrivEsc PowerViewFind-LocalAdminAccess 555 | 103: DomPrivEsc Process Memory Dumps 556 | 104: DomPrivEsc (AS-REP Roasting) 557 | 106: Azure Services Overview (1) 558 | 107: Azure Services Overview (2) 559 | 108: Azure Management Portals 560 | 109: Azure AD vs Azure 561 | 111: Azure AD Overview 562 | 112: Azure AD Authentication Flow (1) 563 | 113: Azure AD Authentication Flow (2) 564 | 114: Azure AD Authentication Flow (3) 565 | 115: Azure AD Authentication Flow (4) 566 | 116: Azure AD (Microsoft Authentication Systems compared) 567 | 117: Azure AD Identity Architecture Types 568 | 118: Azure AD Syncronization and Federation 569 | 120: Azure Recon AADInternals Overview 570 | 121: Azure Recon AADInternals 
Recon 571 | 122: Azure Recon Username Enumeration Endpoints 572 | 123: Azure Recon Username Enumeration GetCredentialType Endpoint 573 | 125: Azure Recon Username Enumeration GetCredentialType Throttling 574 | 126: Azure Recon Username Enumeration OAuth Token Endpoint (1) 575 | 127: Azure Recon Username Enumeration OAuth Token Endpoint (2) 576 | 128: Azure Recon Legacy Authentication and Protocols 577 | 129: Azure Recon Modern Authentication 578 | 131: Azure Password Attacks Password Spraying in Azure 579 | 132: Azure Password Attacks TrevorSpray 580 | 134: Azure Password Attacks Spray365 581 | 135: Azure Password Attacks Spray365 Usage 582 | 136: Azure Password Attacks Azure Smart Lockout 583 | 137: Azure Password Attacks Azure Smart Lockout Customization 584 | 138: Azure Password Attacks Lockout Bypass Overview 585 | 139: Azure Password Attacks Lockout Bypass IP Rotation (1) 586 | 140: Azure Password Attacks Lockout Bypass IP Rotation (2) 587 | 144: Azure OpenID Connect Flows Overview 588 | 145: Azure OpenID Connect Authentication Flows (1) 589 | 146: Azure OpenID Connect Authentication Flows (2) 590 | 147: Azure OpenID Connect Authentication Flows (3) 591 | 148: Azure OpenID Connect Authentication Flows (4) 592 | 149: Azure OpenID Connect Authentication Flows (5) 593 | 150: Azure OpenID Connect Authentication Flows (6) 594 | 151: Azure OpenID Connect Authentication Flows (7) 595 | 152: Azure OpenID Connect Authentication Flows (8) 596 | 153: Azure OpenID Connect Authentication Flows (9) 597 | 154: Azure OpenID Connect Authentication Flows (10) 598 | 155: Azure OpenID OAuth Flow Types 599 | 157: Azure Infrastructure Components 600 | 158: Azure Infrastructure Organization 601 | 159: Azure Infrastructure Control Plane and Data Plane 602 | 161: Azure CLI Tools 603 | 162: Azure CLI Basics 604 | 163: Azure VM Operations 605 | 164: Azure VM Running Commands 606 | 166: Azure Permissions Global Administrator 607 | 167: Azure Permissions (Builtin and Custom Roles) 608 | 
168: Azure Permissions IAM Document 609 | 169: Azure Permissions Where are Permissions Applied? 610 | 170: Azure Permissions IMDS 611 | 171: Azure Permissions Managed Identities 612 | 175: Ngrok Overview 613 | 176: Ngrok How it Works 614 | 177: Ngrok Example Flow 615 | 178: Ngrok Visualization of ngrok 616 | 617 | 618 | AD CS Abusing Active Directory Certificate Services : 5:42 619 | AD CS ESC1 (Misconfigured Certificate Templates) : 5:50 620 | AD CS ESC1 CA Configuration : 5:51 621 | AD CS ESC1 Exploitation Certify Convert to .pfx : 5:61 622 | AD CS ESC1 Exploitation Certify Finding vulnerable templates (1) : 5:58 623 | AD CS ESC1 Exploitation Certify Finding vulnerable templates (2) : 5:59 624 | AD CS ESC1 Exploitation Certify List CAs and Templates : 5:57 625 | AD CS ESC1 Exploitation Certify Requesting a certificate : 5:60 626 | AD CS ESC1 Exploitation Certipy Find vulnerable CAs + templates (1) : 5:65 627 | AD CS ESC1 Exploitation Certipy Find vulnerable CAs + templates (2) : 5:66 628 | AD CS ESC1 Exploitation Certipy Find vulnerable CAs + templates (3) : 5:67 629 | AD CS ESC1 Exploitation Certipy Recovering NT hash : 5:69 630 | AD CS ESC1 Exploitation Certipy Requesting a certificate : 5:68 631 | AD CS ESC1 Exploitation Rubeus PrivEsc using TGT (1) : 5:63 632 | AD CS ESC1 Exploitation Rubeus PrivEsc using TGT (2) : 5:64 633 | AD CS ESC1 Exploitation Rubeus Requesting a TGT : 5:62 634 | AD CS ESC1 Exploitation Tools (Certify, Certipy, Certi, Rubeus) : 5:56 635 | AD CS ESC1 Template Misconfiguration (1) : 5:52 636 | AD CS ESC1 Template Misconfiguration (2) : 5:53 637 | AD CS ESC1 Template Misconfiguration (3) : 5:54 638 | AD CS ESC1 Template Misconfiguration (4) : 5:55 639 | AD CS ESC4 (Vulnerable Certificate Template Access Control) : 5:70 640 | AD CS ESC4 Exploitation Certipy (5) : 5:77 641 | AD CS ESC4 Exploitation Certipy (6) : 5:78 642 | AD CS ESC4 Exploitation Certipy (7) : 5:79 643 | AD CS ESC4 Exploitation Certipy (8) : 5:80 644 | AD CS ESC4 
Exploitation Certipy (9) : 5:81 645 | AD CS ESC4 Identification Certify (1) : 5:73 646 | AD CS ESC4 Identification Certify (2) : 5:74 647 | AD CS ESC4 Identification Certipy (3) : 5:75 648 | AD CS ESC4 Identification Certipy (4) : 5:76 649 | AD CS ESC4 Permission Descriptions : 5:72 650 | AD CS ESC8 (NTLM Relay to AD CS HTTP Endpoints) : 5:82 651 | AD CS ESC8 Tools (Ntlmrelayx.py, ADCSPwn) : 5:83 652 | AD CS Internal CA how it Work? : 5:49 653 | AD CS Overview (1) : 5:46 654 | AD CS Overview (2) : 5:47 655 | AD CS Terms (CA, Enterprise CA, Cert Templates, CSR, EKU, Digital Sig) : 5:48 656 | Application Control Bypass : 4:72 657 | Application Control Bypass MSBuild (1) : 4:73 658 | Application Control Bypass MSBuild (2) : 4:74 659 | Application Control Bypass MSBuild (3) : 4:75 660 | Application Control Bypass MSBuild (4) : 4:76 661 | Application Control Bypass MSBuild (5) : 4:77 662 | Application Control Bypass MSBuild (6) : 4:78 663 | Application Control Bypass MSBuild (7) : 4:79 664 | Application Control Bypass MSBuild (8) : 4:80 665 | Application Control Overview : 4:71 666 | Assumed Breach : 2:65 667 | Assumed Breach Access via 0-Day : 2:67 668 | Assumed Breach Analyzing Modern Attacks : 2:69 669 | Assumed Breach Post-Exploitation : 2:70 670 | Assumed Breach Test Assumptions : 2:68 671 | Assumed Breach What About Initial Access? 
: 2:66 672 | Azure AD (Microsoft Authentication Systems compared) : 5:116 673 | Azure AD Authentication Flow (1) : 5:112 674 | Azure AD Authentication Flow (2) : 5:113 675 | Azure AD Authentication Flow (3) : 5:114 676 | Azure AD Authentication Flow (4) : 5:115 677 | Azure AD Identity Architecture Types : 5:117 678 | Azure AD Overview : 5:111 679 | Azure AD Syncronization and Federation : 5:118 680 | Azure AD vs Azure : 5:109 681 | Azure CLI Basics : 5:162 682 | Azure CLI Tools : 5:161 683 | Azure Infrastructure Components : 5:157 684 | Azure Infrastructure Control Plane and Data Plane : 5:159 685 | Azure Infrastructure Organization : 5:158 686 | Azure Management Portals : 5:108 687 | Azure OpenID Connect Authentication Flows (1) : 5:145 688 | Azure OpenID Connect Authentication Flows (10) : 5:154 689 | Azure OpenID Connect Authentication Flows (2) : 5:146 690 | Azure OpenID Connect Authentication Flows (3) : 5:147 691 | Azure OpenID Connect Authentication Flows (4) : 5:148 692 | Azure OpenID Connect Authentication Flows (5) : 5:149 693 | Azure OpenID Connect Authentication Flows (6) : 5:150 694 | Azure OpenID Connect Authentication Flows (7) : 5:151 695 | Azure OpenID Connect Authentication Flows (8) : 5:152 696 | Azure OpenID Connect Authentication Flows (9) : 5:153 697 | Azure OpenID Connect Flows Overview : 5:144 698 | Azure OpenID OAuth Flow Types : 5:155 699 | Azure Password Attacks Azure Smart Lockout : 5:136 700 | Azure Password Attacks Azure Smart Lockout Customization : 5:137 701 | Azure Password Attacks Lockout Bypass IP Rotation (1) : 5:139 702 | Azure Password Attacks Lockout Bypass IP Rotation (2) : 5:140 703 | Azure Password Attacks Lockout Bypass Overview : 5:138 704 | Azure Password Attacks Password Spraying in Azure : 5:131 705 | Azure Password Attacks Spray365 : 5:134 706 | Azure Password Attacks Spray365 Usage : 5:135 707 | Azure Password Attacks TrevorSpray : 5:132 708 | Azure Permissions (Builtin and Custom Roles) : 5:167 709 | Azure 
Permissions Global Administrator : 5:166 710 | Azure Permissions IAM Document : 5:168 711 | Azure Permissions IMDS : 5:170 712 | Azure Permissions Managed Identities : 5:171 713 | Azure Permissions Where are Permissions Applied? : 5:169 714 | Azure Recon AADInternals Overview : 5:120 715 | Azure Recon AADInternals Recon : 5:121 716 | Azure Recon Legacy Authentication and Protocols : 5:128 717 | Azure Recon Modern Authentication : 5:129 718 | Azure Recon Username Enumeration Endpoints : 5:122 719 | Azure Recon Username Enumeration GetCredentialType Endpoint : 5:123 720 | Azure Recon Username Enumeration GetCredentialType Throttling : 5:125 721 | Azure Recon Username Enumeration OAuth Token Endpoint (1) : 5:126 722 | Azure Recon Username Enumeration OAuth Token Endpoint (2) : 5:127 723 | Azure Services Overview (1) : 5:106 724 | Azure Services Overview (2) : 5:107 725 | Azure VM Operations : 5:163 726 | Azure VM Running Commands : 5:164 727 | BloodHound Graph Interface : 3:34 728 | BloodHound How Do We Know Where to Steal Credentials? 
: 3:31 729 | BloodHound Ingestion via SharpHound : 3:32 730 | BloodHound Marking Targets (Owned, High Value) : 3:35 731 | BloodHound Overview : 3:30 732 | BloodHound Queries : 3:33 733 | Building Infrastructure : 1:33 734 | Building Infrastructure Building a Lab : 1:34 735 | Building Infrastructure Dedicated Test Systems : 1:36 736 | Building Infrastructure MITRE ATT&CK : 1:38 737 | Building Infrastructure Sources for Free Tools and Exploits : 1:37 738 | Building Infrastructure Systems Used for Internal Testing : 1:35 739 | Building Infrastructure Tools for Penetration Testing Teams : 1:39 740 | C2 The C2 Matrix : 2:73 741 | C2 Empire Features : 2:88 742 | C2 Empire Features Supporting Offensive Operations : 2:89 743 | C2 Empire Module Categories (1) : 2:91 744 | C2 Empire Module Categories (2) : 2:92 745 | C2 Empire Modules : 2:90 746 | C2 Empire Overview : 2:87 747 | C2 Matrix Google Sheet : 2:74 748 | C2 Sliver C2 Framewor Overview : 2:76 749 | C2 Sliver Features : 2:77 750 | C2 Sliver Features Supporting Offensive Operations : 2:78 751 | C2 Sliver Generating Payloads : 2:83 752 | C2 Sliver Implant Commands : 2:81 753 | C2 Sliver Multiplayer : 2:82 754 | C2 Sliver Payload File Format Options : 2:79 755 | C2 Sliver Payload Options : 2:80 756 | C2 What is a C2 Framework : 2:72 757 | Command Prompts : 1:55 758 | DomDom and AD Persistence : 5:32 759 | DomDom Creating a Domain Admin Account : 5:35 760 | DomDom DCShadow Becoming a Domain Controller : 5:40 761 | DomDom DCShadow Becoming a Domain Controller Example : 5:41 762 | DomDom DCSync Replicating the Domain Controller : 5:38 763 | DomDom DCSync Replicating the Domain Controller Example : 5:39 764 | DomDom Mimikatz Skeleton Key : 5:36 765 | DomDom Mimikatz Skeleton Key in Action : 5:37 766 | DomDom Obtaining Access to Back-Up NTDS.dit File : 5:33 767 | DomPrivEsc (AS-REP Roasting) : 5:104 768 | DomPrivEsc PowerViewFind-InterestingDomainShareFile : 5:101 769 | DomPrivEsc PowerViewFind-LocalAdminAccess : 5:102 770 | 
DomPrivEsc Process Memory Dumps : 5:103 771 | Evasion AMSI (Antimalware Scan Interface) : 4:56 772 | Evasion AMSI - AMSI Initialization : 4:58 773 | Evasion AMSI - Downgrade Attacks : 4:59 774 | Evasion AMSI - String Modification : 4:60 775 | Evasion AMSI Initialization in PowerShell : 4:57 776 | Evasion AV/EDR (Static vs Dynamic Evasion) : 4:55 777 | Evasion AV/EDR Approaches : 4:53 778 | Evasion AV/EDR Call API's to Bypass Hooks (SharpBlock) : 4:63 779 | Evasion AV/EDR Evasion Tactics : 4:52 780 | Evasion AV/EDR Signature-Based Detections : 4:64 781 | Evasion AV/EDR Static Analysis Evasion : 4:61 782 | Evasion AV/EDR Stripping PowerShell Comments : 4:62 783 | Evasion AV/EDR Tools for Automating Evasion : 4:69 784 | Evasion AV/EDR Windows Defender (1) : 4:65 785 | Evasion AV/EDR Windows Defender (2) : 4:66 786 | Evasion AV/EDR Windows Defender (3) : 4:67 787 | Evasion AV/EDR Windows Defender (4) : 4:68 788 | Evasion virustotal.com? : 4:54 789 | Exploitation Categories of Exploits : 2:30 790 | Exploitation Client-Side Commonly Vulnerable Software : 2:33 791 | Exploitation Client-Side Exploits : 2:32 792 | Exploitation Client-Side Exploits and Guardrails : 2:35 793 | Exploitation Local PrivEsc Attack Categories and Suites : 2:39 794 | Exploitation Local PrivEsc Exploits : 2:38 795 | Exploitation Mounting a Client-Side Exploitation Campaign : 2:34 796 | Exploitation Risks of Exploitation : 2:28 797 | Exploitation Server-Side Exploits : 2:31 798 | Exploitation Use Appropriate, Representative Client Machines : 2:37 799 | Exploitation Using Payloads on Target Systems : 2:36 800 | Exploitation What Is Exploitation? : 2:26 801 | Exploitation Why use Exploitation? 
: 2:27 802 | EyeWitness : 1:140 803 | EyeWitness Report Content : 1:142 804 | EyeWitness Specifying Targets : 1:141 805 | EyeWitness What to Look For : 1:143 806 | Impacket Extracting Hashes (secretsdump.py) : 4:34 807 | Impacket Kerberos (GetUserSPNs, ticketer).py : 4:33 808 | Impacket Overview : 4:32 809 | Impacket Remote Execution (ps, smb, at, wmi, dcom)exec.py : 4:35 810 | Impacket smbexec.py vs wmiexec.py : 4:37 811 | Impacket Syntax : 4:36 812 | Initial Access Background : 2:5 813 | Initial Access Where Does Access Come From : 2:6 814 | Kerberoasting AES vs. RC4 : 5:22 815 | Kerberoasting Attack Overview : 5:18 816 | Kerberoasting Attack Steps : 5:21 817 | Kerberoasting Obtaining Tickets (Tools) : 5:20 818 | Kerberoasting Requesting a Service Ticket (ST) Revisited : 5:16 819 | Kerberoasting Requesting a Ticket : 5:17 820 | Kerberoasting Setspn.exe : 5:19 821 | Kerberoasting What Service Accounts are Good Targets? : 5:23 822 | Kerberos AS-REQ with pre-authentication : 5:9 823 | Kerberos Golden Ticket Flow : 5:95 824 | Kerberos Golden Ticket Generation Tools (ticketer.py, mimikatz) : 5:97 825 | Kerberos Golden Ticket Overview : 5:30,5:94 826 | Kerberos Golden Ticket Properties : 5:96 827 | Kerberos How It Works : 5:6 828 | Kerberos Introduction : 5:5 829 | Kerberos Overall Flow : 5:7 830 | Kerberos Overpass-the-Hash : 5:29 831 | Kerberos Pass-the-Ticket : 5:27 832 | Kerberos Pass-the-Ticket Mimikatz Example : 5:28 833 | Kerberos Service Principal Name : 5:12 834 | Kerberos Silver Ticket Generation Impacket ticketer.py : 5:89 835 | Kerberos Silver Ticket Overview : 5:87 836 | Kerberos Silver Ticket Service Ticket and PAC : 5:88 837 | Kerberos Silver Ticket Use on Linux and Windows : 5:90 838 | Kerberos ST Requesting a Service Ticket : 5:11 839 | Kerberos ST Service Ticket : 5:14 840 | Kerberos ST Using a Service Ticket : 5:13 841 | Kerberos TGT (Ticket Granting Ticket) and PAC : 5:10 842 | Kerberos Three Long-Term Keys (KDC, Client, Target Service) : 5:8 843 | 
LatMov Linux (Cred Reuse, SSO, SSH key theft) : 4:6 844 | LatMov Pivoting Metasploit Meterpreter Autoroute : 4:86 845 | LatMov Pivoting Metasploit Meterpreter Port Forwarding : 4:85 846 | LatMov Pivoting Metasploit route Command : 4:84 847 | LatMov Pivoting SSH Dynamic Port Forwarding : 4:88 848 | LatMov Pivoting SSH Local Port Forwarding : 4:87 849 | LatMov Why Lateral Movement? : 4:5 850 | LatMov Windows (LOL, RDP, WMI, WinRM, PsExec, ticket/hash reuse) : 4:8 851 | LatMov Windows Command Line for Penetration Testers : 4:9 852 | LatMov Windows Remote Management (WinRM) : 4:10 853 | LatMov Windows Run Cmds Metasploit PsExec Module : 4:20 854 | LatMov Windows Run Cmds on Remote Systems Methods : 4:17 855 | LatMov Windows Run Cmds SC Invoke an Executable : 4:23 856 | LatMov Windows Run Cmds SC Make Executable a Service : 4:24 857 | LatMov Windows Run Cmds schtasks Run an Executable : 4:22 858 | LatMov Windows Run Cmds schtasks Scheduling a Job : 4:21 859 | LatMov Windows Run Cmds Sysinternals PsExec.exe (1) : 4:18 860 | LatMov Windows Run Cmds Sysinternals PsExec.exe (2) : 4:19 861 | LatMov Windows Run Cmds WMIC Interacting with Processes : 4:26 862 | LatMov Windows Run Cmds WMIC Invoke a Program : 4:25 863 | LatMov Windows SC Controlling Services with SC : 4:14 864 | LatMov Windows SC Determining Service Names : 4:16 865 | LatMov Windows SC Starting and Stopping Services : 4:15 866 | LatMov Windows SMB Session Setup : 4:13 867 | LatMov Windows Ticket Reuse : 4:12 868 | LatMov Windows WinRM and PowerShell : 4:11 869 | Linux Commands for Pen Testers : 1:53 870 | Linux Escalating with SETUID : 1:51 871 | Linux Escalation : 1:52 872 | Linux File System Structure : 1:46 873 | Linux Fun Ease-of-Use Shell Tips : 1:43 874 | Linux Listing Files : 1:49 875 | Linux Navigating the Filesystem : 1:48 876 | Linux Permissions : 1:50 877 | Linux Software for Testing: Prepackaged Testing Suites : 1:54 878 | Linux Users: Root and Non-root : 1:44 879 | Linux vs.Windows : 1:42 880 | 
Linux Where Am I? : 1:47 881 | Linux Who Am I? : 1:45 882 | Masscan : 1:123 883 | Masscan Extracting Live Hosts and Open Ports : 1:125 884 | Masscan Output : 1:124 885 | Masscan vs Nmap Faster Scanning : 1:122 886 | Metasploit Design : 2:42 887 | Metasploit Exploit Arsenal : 2:45 888 | Metasploit Exploit Rankings : 2:47 889 | Metasploit Exploitation Framework : 2:41 890 | Metasploit Modules (exploits, payloads, auxiliary, post) : 2:44 891 | Metasploit Modules: Payloads : 2:48 892 | Metasploit Payloads: Windows Singles : 2:49 893 | Metasploit Payloads: Windows Stagers : 2:50 894 | Metasploit Payloads: Windows Stages : 2:51 895 | Metasploit User Interfaces : 2:43 896 | Metasploit Windows Exploits : 2:46 897 | Meterpreter Functionality: Additional Modules : 2:60 898 | Meterpreter Functionality: File System Commands : 2:55 899 | Meterpreter Functionality: Keystroke Logger : 2:58 900 | Meterpreter Functionality: Pivoting Using Route : 2:59 901 | Meterpreter Functionality: Process Commands : 2:54 902 | Meterpreter Functionality: Some Base Commands : 2:53 903 | Meterpreter Functionality:Target Machine Console : 2:57 904 | Meterpreter Overview : 2:52 905 | Meterpreter Stdapi Capabilities: Networking Commands : 2:56 906 | Netcat Automating Service String Information : 1:136 907 | Netcat Client Grabbing Service Info : 1:135 908 | Netcat Command Flags : 1:134 909 | Netcat for the Pen Tester : 1:133 910 | Netcat Moving Files : 1:138 911 | Netcat uses a Lowercase L : 1:137 912 | Ngrok Example Flow : 5:177 913 | Ngrok How it Works : 5:176 914 | Ngrok Overview : 5:175 915 | Ngrok Visualization of ngrok : 5:178 916 | Nmap Active OS Fingerprinting : 1:129 917 | Nmap and Address Probing : 1:112 918 | Nmap Input and Output Options : 1:111 919 | Nmap Limitations and Host Groups : 1:121 920 | Nmap Network Probe/Sweeping Options : 1:113 921 | Nmap NSE Script Categories : 1:155 922 | Nmap Optimizing Host Detection : 1:114 923 | Nmap Port Scanner : 1:109 924 | Nmap Port Scanning (After 
Host Detection) : 1:115 925 | Nmap Scripting Engine : 1:153 926 | Nmap Scripting Engine Scripts : 1:154 927 | Nmap Some Example NSE Scripts : 1:156 928 | Nmap TCP Port Scan Types: Connect Scan : 1:116 929 | Nmap UDP Scans : 1:117 930 | Nmap Version Scan as Vulnerability Scanner? : 1:151 931 | Nmap Version Scanning : 1:130 932 | Nmap Version Scanning Functionality : 1:131 933 | Nmap's Timing Options : 1:110 934 | Pass-the-Hash Advantages : 4:42 935 | Pass-the-Hash C2 Frameworks : 4:45 936 | Pass-the-Hash Metasploit PsExec Module : 4:46 937 | Pass-the-Hash Microsoft's Mitigations : 4:44 938 | Pass-the-Hash NTLMv2 Graphically : 4:43 939 | Pass-the-Hash Technique Overview : 4:41 940 | Password Attacks: When to Use Each Technique (with/out hashes) : 4:47 941 | Password Cracking Alts (Sniffing, Keyloggers, Pass-the-Hash) : 3:54 942 | Password Cracking Considerations : 3:55 943 | Password Cracking Custom Dictionaries : 3:51 944 | Password Cracking Dictionaries : 3:50 945 | Password Cracking Hashcat Dictionaries, and Word Mangling Rules : 3:91 946 | Password Cracking Hashcat Mask Examples : 3:93 947 | Password Cracking Hashcat Masks : 3:92 948 | Password Cracking Hashcat Multithreaded and GPU : 3:88 949 | Password Cracking Hashcat Potfile, Show, and Restore : 3:90 950 | Password Cracking Hashcat Specifying Hash Types : 3:89 951 | Password Cracking Hashcat Status and Temp Sensor : 3:94 952 | Password Cracking Improving Speed : 3:53 953 | Password Cracking John Config File and Cracking Modes : 3:82 954 | Password Cracking John Interpreting Output : 3:84 955 | Password Cracking John john.pot File : 3:83 956 | Password Cracking John Speed : 3:85 957 | Password Cracking John the Ripper : 3:81 958 | Password Cracking John vs. Hashcat : 3:86 959 | Password Cracking Pipal Password Pattern Analysis : 3:95 960 | Password Cracking Reporting : 3:56 961 | Password Cracking Synced Passwords : 3:49 962 | Password Cracking Update Your Dictionary : 3:52 963 | Password Cracking vs. 
Password Guessing : 3:48 964 | Password Dumping Hashes with Meterpreter : 3:73 965 | Password Dumping Linux/UNIX Password Representations : 3:71 966 | Password Dumping Windows from mimikatz Kiwi : 3:77 967 | Password Dumping Windows NTDSUtil : 3:76 968 | Password Dumping Windows Password Representations : 3:72 969 | Password Dumping Windows VSS Extract of ntds.dit : 3:75 970 | Password Dumping Windows VSS Volume Shadow Copy Service (ntds.dit+ : 3:74 971 | Password Guessing Account Lockout : 2:15 972 | Password Guessing Account Lockout on Windows : 2:16 973 | Password Guessing Active Directory Lockout Scenario : 2:17 974 | Password Guessing Credential Databases : 2:10 975 | Password Guessing Credential Stuffing : 2:9 976 | Password Guessing Guessing Usernames : 2:14 977 | Password Guessing Hydra : 2:20 978 | Password Guessing Hydra Examples : 2:21 979 | Password Guessing Hydra with the Domain : 2:22 980 | Password Guessing The Importance of Passwords : 2:8 981 | Password Guessing Suggested Spray Technique : 2:18 982 | Password Guessing Tools : 2:19 983 | Password Guessing Trimming Word Lists with Hydra's pw-inspector : 2:13 984 | Password Guessing Types of Online Password Attacks : 2:11 985 | Password Guessing with a Custom Dictionary : 2:12 986 | Password Reprs Linux and UNIX Password Representations : 3:68 987 | Password Reprs Linux MD5-Based Password Scheme : 3:69 988 | Password Reprs Windows AD (ntds.dit) : 3:59 989 | Password Reprs Windows CAC and Smartcards : 3:67 990 | Password Reprs Windows Challenge/Response on the Network : 3:62 991 | Password Reprs Windows LANMAN and NTLMv1 Challenge/Response : 3:64 992 | Password Reprs Windows LANMAN Challenge/Response : 3:63 993 | Password Reprs Windows LANMAN Hash Algorithm : 3:60 994 | Password Reprs Windows NT Hash Algorithm : 3:61 995 | Password Reprs Windows NTLMv2 Challenge/Response : 3:65 996 | Password Reprs Windows NTLMv2 Graphically : 3:66 997 | Password Reprs Windows SAM Database : 3:58 998 | Payloads Common 
Payload Types : 2:97 999 | Payloads DDE : 2:100 1000 | Payloads ISO : 2:101 1001 | Payloads LNK Files : 2:103 1002 | Payloads Overview : 2:96 1003 | Payloads Using Macros : 2:98 1004 | Payloads VBA : 2:99 1005 | Payloads Zip File : 2:102 1006 | Persistence Why Persistence : 3:39 1007 | Persistence Windows Registry : 3:40 1008 | Persistence Windows Scheduled Task : 3:42 1009 | Persistence Windows Services : 3:43 1010 | Persistence Windows Startup Folder : 3:41 1011 | Persistence Windows WMI Event Consumer : 3:44 1012 | Post Exploitation Tactics : 2:108 1013 | Post-Exploitation Activities : 2:107 1014 | Post-Exploitation File Transfer (Copy/Paste to Move Files) : 2:112 1015 | Post-Exploitation File Transfer (HTTP, SCP, FTP, TFTP) : 2:109 1016 | Post-Exploitation File Transfer (Meterpreter) : 2:111 1017 | Post-Exploitation File Transfer (SMB, NFS mounts, Netcat) : 2:110 1018 | Pre-Engagement Announced vs. Unannounced Tests : 1:25 1019 | Pre-Engagement Documented Permission : 1:20 1020 | Pre-Engagement Goals : 1:22 1021 | Pre-Engagement Kickoff Call : 1:28 1022 | Pre-Engagement Penetration Testing Process Phases : 1:19 1023 | Pre-Engagement Rules of Engagement : 1:24 1024 | Pre-Engagement Scope : 1:23 1025 | Pre-Engagement Steps : 1:21 1026 | Pre-Engagement Viewing Data on Compromised Systems : 1:27 1027 | Pre-Engagement Zero-Knowledge vs. Full-Knowledge Testing : 1:26 1028 | PrivEsc Linux GTFOBins : 3:12 1029 | PrivEsc Linux Kernel Exploits : 3:8 1030 | PrivEsc Linux PrivEsc Linux World Writeable Files : 3:10 1031 | PrivEsc Linux Services Running as Root : 3:9 1032 | PrivEsc Linux SETUID : 3:11 1033 | PrivEsc Linux Why Linux? : 3:7 1034 | PrivEsc Why PrivEsc? 
: 3:5 1035 | PrivEsc Windows Common Flaws : 3:14 1036 | PrivEsc Windows Group Policy Preference (GPP) : 3:18 1037 | PrivEsc Windows Group Policy Preference (GPP) Files : 3:17 1038 | PrivEsc Windows LOLBAS : 3:26 1039 | PrivEsc Windows PowerUp : 3:25 1040 | PrivEsc Windows Tools (BeRoot, Watson, PowerUp) : 3:24 1041 | PrivEsc Windows UAC Bypass Techniques : 3:23 1042 | PrivEsc Windows UAC Levels : 3:22 1043 | PrivEsc Windows Unattended Install Files : 3:15 1044 | PrivEsc Windows Unattended Install Files Contents : 3:16 1045 | PrivEsc Windows Unquoted Paths with Spaces (1) : 3:19 1046 | PrivEsc Windows Unquoted Paths with Spaces (2) : 3:20 1047 | PrivEsc Windows User Account Control (UAC) : 3:21 1048 | Recon Infra Certificate Transparency Logs : 1:79 1049 | Recon Infra DNSDumpster : 1:75 1050 | Recon Infra DNSDumpster Usage (1) : 1:76 1051 | Recon Infra DNSDumpster Usage (2) : 1:77 1052 | Recon Infra DNSRecon : 1:73 1053 | Recon Infra DNSRecon Usage : 1:74 1054 | Recon Infra Hostname Information : 1:72 1055 | Recon Infra Shodan : 1:80 1056 | Recon Infra WHOIS + Regional Internet Registries : 1:78 1057 | Recon Infrastructure : 1:71 1058 | Recon Motivation : 1:61 1059 | Recon Org Gather Competitive Intelligence : 1:69 1060 | Recon Org Information on the Organization : 1:67 1061 | Recon Org Press Releases and Annual Reports : 1:68 1062 | Recon Social Engineering and Ethics : 1:64 1063 | Recon Targets : 1:63 1064 | Recon Traffic : 1:62 1065 | Recon User GatherContacts : 1:88 1066 | Recon User GatherContacts Results : 1:89 1067 | Recon User Hunter.io : 1:83 1068 | Recon User LinkedIn can provide a lot of information on employees : 1:87 1069 | Recon User Look for Open Job Requisitions : 1:86 1070 | Recon User phonebook.cz lists emails, URLs for a domain : 1:84 1071 | Recon User Public Breach Data of Credentials : 1:85 1072 | Reporting 1. Executive Summary (1) : 4:97 1073 | Reporting 1. Executive Summary (2) : 4:98 1074 | Reporting 2. Introduction : 4:99 1075 | Reporting 3. 
Findings : 4:100 1076 | Reporting 3. Findings Order : 4:112 1077 | Reporting 3. Findings Screenshot Elements : 4:102 1078 | Reporting 3. Findings Screenshot to Illustrate Findings : 4:101 1079 | Reporting 3. Findings Screenshot Tools : 4:103 1080 | Reporting 4. Methodology : 4:108 1081 | Reporting Always Create a Report : 4:94 1082 | Reporting Appendices : 4:109 1083 | Reporting Be Consistent! : 4:113 1084 | Reporting Clean and Succinct Reporting : 4:116 1085 | Reporting Don't Just Regurgitate Vuln Scan Results : 4:95 1086 | Reporting Effective Illustrations : 4:118 1087 | Reporting Readability : 4:115 1088 | Reporting Recommendations : 4:105 1089 | Reporting Recommended Reading : 4:110 1090 | Reporting Recommended Report Format : 4:96 1091 | Reporting Redaction and Transparency : 4:104 1092 | Reporting Sample Reports : 4:111 1093 | Reporting Styles and Themes : 4:114 1094 | Reporting Use of Colors : 4:117 1095 | Reporting Validation and Verification : 4:107 1096 | Scanning Goals of Scanning Phase : 1:93 1097 | Scanning Handling Large Scans by Limiting Scope : 1:96 1098 | Scanning Port Handshake Happens Regardless of Higher-Level Protocol : 1:102 1099 | Scanning Port Protocol Layers and TCP vs. 
UDP : 1:98 1100 | Scanning Port TCP Behavior (1) : 1:103 1101 | Scanning Port TCP Behavior (2): : 1:104 1102 | Scanning Port TCP Flags : 1:100 1103 | Scanning Port TCP Header : 1:99 1104 | Scanning Port TCP Three-Way Handshake : 1:101 1105 | Scanning Port UDP Behavior (1) : 1:106 1106 | Scanning Port UDP Behavior (2) : 1:107 1107 | Scanning Port UDP Header : 1:105 1108 | Scanning Scan Types : 1:94 1109 | Scanning Tip: Dealing with Very Large Scans : 1:95 1110 | Scanning Vulns Methods for Discovering Vulnerabilities (1) : 1:145 1111 | Scanning Vulns Methods for Discovering Vulnerabilities (2) : 1:146 1112 | Scanning Vulns Safe Checks and Dangerous Plugins : 1:149 1113 | Scanning Vulns Scan Results : 1:150 1114 | Scanning Vulns Scan Types : 1:148 1115 | Scanning Vulns Scanner Goals : 1:147 1116 | Situational Awareness File Pilfering : 2:115 1117 | Situational Awareness Linux Accounts : 2:118 1118 | Situational Awareness Linux Groups : 2:119 1119 | Situational Awareness Linux Interesting Files (1) : 2:120 1120 | Situational Awareness Linux Interesting Files (2) : 2:121 1121 | Situational Awareness Linux Local File Pilfering : 2:122 1122 | Situational Awareness Network Pilfering : 2:116 1123 | Situational Awareness Overview : 2:114 1124 | Situational Awareness Windows AD Explorer : 2:135 1125 | Situational Awareness Windows Deleting Users and Accounts : 2:130 1126 | Situational Awareness Windows Determining Firewall Settings : 2:131 1127 | Situational Awareness Windows Displaying and Searching Files : 2:132 1128 | Situational Awareness Windows Domain Groups : 2:129 1129 | Situational Awareness Windows Domain User : 2:127 1130 | Situational Awareness Windows Environment Variables : 2:124 1131 | Situational Awareness Windows Interacting with the Registry : 2:133 1132 | Situational Awareness Windows Local Groups : 2:128 1133 | Situational Awareness Windows Managing Accounts and Groups : 2:126 1134 | Situational Awareness Windows PowerView : 2:134 1135 | Situational 
Awareness Windows Searching the File System : 2:125 1136 | Situational Awareness Windows Seatbelt Command Groups : 2:139 1137 | Situational Awareness Windows Seatbelt Executing Checks : 2:138 1138 | Situational Awareness Windows Seatbelt GhostPack Overview : 2:137 1139 | Sniff/Relay Kerberos and NTLMv2 : 3:99 1140 | Sniff/Relay NTLMv2 Attack Strategies : 3:100 1141 | Sniff/Relay PCredz Cracking Process : 3:102 1142 | Sniff/Relay PCredz Extracting Hashes : 3:103 1143 | Sniff/Relay PCredz Getting the Hashes from Log File : 3:104 1144 | Sniff/Relay Responder Defenses : 3:113 1145 | Sniff/Relay Responder NTLM Offline Brute Force Hashcat : 3:110 1146 | Sniff/Relay Responder NTLM SMB Relaying : 3:111 1147 | Sniff/Relay Responder NTLM SMB Relaying with Responder : 3:112 1148 | Sniff/Relay Responder Obtain NetNTLMv2 Challenge/Response : 3:107 1149 | Sniff/Relay Responder Obtain NetNTLMv2 Other Tricks : 3:109 1150 | Sniff/Relay Responder Overview : 3:106 1151 | Sniff/Relay Responder Web Proxy Autodiscovery Protocol : 3:108 1152 | Sniff/Relay Windows Challenge/Response : 3:101 1153 | Terms Attack Phases : 1:17 1154 | Terms Pen Test, Red Team, Purple Team, Audit : 1:13 1155 | Terms Penetration Testing Goals : 1:15 1156 | Terms Threat Risk : 1:12 1157 | Terms Types of Penetration Tests : 1:16 1158 | Terms Vulnerability Assessment, Security Audit : 1:14 1159 | Terms Vulnerability, Exploit : 1:11 1160 | ``` --------------------------------------------------------------------------------
