SSH Authorized_keys The ssh backdoor essentially consists of leaving our ssh keys in some user’s home directory. Usually the user would be root as it’s the user with the highest privileges. Explo...

Scheduled Tasks We can achieve persistence by adding our reverse shell payload to scheduled task. We could even just configure a task where every minute a reverse shell is sent to you. Which is ex...

Token Impersonation — PrintSpoofer For this exploit to work, we need local service or network service access and with SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege enabled. Enumeration ...

Cronjob Once you got root access on any host, you can add any scheduled task. You could even just configure a task where every minute a reverse shell is sent to you. Which is exactly what we’re go...

.bashrc If a user has bash as their login shell, the “.bashrc” file in their home directory is executed when an interactive session is launched Exploitation We are going to leverage .bashrc file...

Password Spraying Is an attack that uses a single or small list of passwords against many different accounts to attempt to acquire valid account credentials. Exploitation We have got a valid cre...

NTLMRelay SMB signing is a security mechanism that allows digitally signing SMB packets to enforce their authenticity and integrity - the client/server knows that the incoming SMB packets they are...

LLMNR/NBT-NS Poisoning By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. ...

Privileged Group Machine accounts could be added to privileged groups for establishing domain persistence. Note: This is a domain persistence technigue, therefore, assume we have compromised doma...

UserAccountControl User-Account-Control Attribute Flags that control the behavior of the Microsoft Active Directory user account. It contains a range of flags which define some important basic pro...