# BookJMP

## Docs

- [ADCS Overview](https://docs.bytejmp.com/active-directory/adcs/adcs-overview.md): Active Directory Certificate Services: overview of ESC1-ESC8 vulnerabilities, Certify, and Certipy.
- [ESC1 — ESC8](https://docs.bytejmp.com/active-directory/adcs/esc1-esc8.md): ADCS escalation paths ESC1 through ESC8: exploitation steps with Certify and Certipy.
- [ASREPRoast](https://docs.bytejmp.com/active-directory/attacks/asrep-roast.md): Exploit accounts with Kerberos pre-authentication disabled to capture and crack AS-REP hashes using Rubeus and Impacket.
- [DCSync](https://docs.bytejmp.com/active-directory/attacks/dcsync.md): DCSync: replicate AD credentials using directory replication privileges to dump all domain hashes.
- [Delegation Attacks](https://docs.bytejmp.com/active-directory/attacks/delegation.md): Kerberos delegation attacks: unconstrained, constrained, and resource-based constrained delegation (RBCD).
- [Golden Ticket](https://docs.bytejmp.com/active-directory/attacks/golden-ticket.md): Golden Ticket: forge TGT with krbtgt hash for complete domain persistence and access.
- [GPP Passwords](https://docs.bytejmp.com/active-directory/attacks/gpp-passwords.md): Group Policy Preferences passwords: find and decrypt cpassword from SYSVOL for credential harvesting.
- [Kerberoasting](https://docs.bytejmp.com/active-directory/attacks/kerberoasting.md): Kerberoasting: request TGS tickets for service accounts and crack offline to recover passwords.
- [NTLM Relay](https://docs.bytejmp.com/active-directory/attacks/ntlm-relay.md): NTLM relay attacks: ntlmrelayx, relay to SMB/LDAP/MSSQL, and delegation abuse.
- [Pass-the-Hash](https://docs.bytejmp.com/active-directory/attacks/pass-the-hash.md): Pass-the-Hash: authenticate with NTLM hash without knowing the plaintext password.
- [Pass-the-Ticket](https://docs.bytejmp.com/active-directory/attacks/pass-the-ticket.md): Pass-the-Ticket: reuse Kerberos tickets (.kirbi/.ccache) for lateral movement and privilege escalation.
- [Password Spraying](https://docs.bytejmp.com/active-directory/attacks/password-spraying.md): Password spraying against Active Directory: Kerbrute, CrackMapExec, and lockout-safe techniques.
- [PetitPotam](https://docs.bytejmp.com/active-directory/attacks/petitpotam.md): PetitPotam: coerce DC authentication via MS-EFSRPC and relay to ADCS or LDAP for domain compromise.
- [PrintNightmare](https://docs.bytejmp.com/active-directory/attacks/printnightmare.md): PrintNightmare (CVE-2021-34527): remote code execution via Windows Print Spooler vulnerability.
- [Responder](https://docs.bytejmp.com/active-directory/attacks/responder.md): Responder: LLMNR/NBT-NS/mDNS poisoning to capture NTLMv2 hashes on the network.
- [Silver Ticket](https://docs.bytejmp.com/active-directory/attacks/silver-ticket.md): Silver Ticket: forge TGS with service account hash for targeted access without touching the DC.
- [Zerologon (CVE-2020-1472)](https://docs.bytejmp.com/active-directory/attacks/zerologon.md): Zerologon: reset Domain Controller machine account password to empty via Netlogon vulnerability.
- [Attack Paths](https://docs.bytejmp.com/active-directory/bloodhound/attack-paths.md): Exploitation commands for BloodHound attack path edges in Active Directory.
- [Collectors](https://docs.bytejmp.com/active-directory/bloodhound/collectors.md): Data collection commands for SharpHound (Windows) and BloodHound.py (Linux).
- [Custom Queries](https://docs.bytejmp.com/active-directory/bloodhound/custom-queries.md): How to import and manage custom BloodHound Cypher query lists.
- [Cypher Queries](https://docs.bytejmp.com/active-directory/bloodhound/cypher-queries.md): Common BloodHound Cypher queries for attack path analysis in Active Directory.
- [Edges Reference](https://docs.bytejmp.com/active-directory/bloodhound/edges.md): Quick reference for BloodHound edges: what each means and how to abuse it.
- [Installation](https://docs.bytejmp.com/active-directory/bloodhound/installation.md): Installation commands for BloodHound Community Edition, SharpHound, and BloodHound.py.
- [OPSEC](https://docs.bytejmp.com/active-directory/bloodhound/opsec.md): Operational security considerations and stealth techniques for BloodHound collection.
- [Usage](https://docs.bytejmp.com/active-directory/bloodhound/usage.md): BloodHound Community Edition web interface access, container management, and credential reset.
- [adidnsdump](https://docs.bytejmp.com/active-directory/enumeration/adidnsdump.md): adidnsdump: enumerate DNS records from Active Directory via LDAP to discover internal hosts.
- [AD Enumeration](https://docs.bytejmp.com/active-directory/enumeration/enum-ad.md): Active Directory enumeration: net commands, dsquery, ldapsearch, domain info gathering.
- [enum4linux](https://docs.bytejmp.com/active-directory/enumeration/enum4linux.md): enum4linux: SMB and RPC enumeration for Active Directory — users, shares, groups, password policy.
- [Enumeration with PowerView](https://docs.bytejmp.com/active-directory/enumeration/powerview.md): Active Directory enumeration techniques using PowerView: domain, users, groups, GPOs, ACLs, trusts, and privilege escalation paths.
- [rpcclient](https://docs.bytejmp.com/active-directory/enumeration/rpcclient.md): rpcclient: RPC enumeration of Active Directory — RID cycling, user/group enum, password policy.
- [windapsearch](https://docs.bytejmp.com/active-directory/enumeration/windapsearch.md): windapsearch: lightweight LDAP enumeration of Active Directory users, groups, computers, and privileges.
- [DCOM](https://docs.bytejmp.com/active-directory/lateral/dcom.md): DCOM lateral movement: abuse Distributed COM objects for remote code execution.
- [Evil-WinRM](https://docs.bytejmp.com/active-directory/lateral/evil-winrm.md): Evil-WinRM lateral movement: interactive PowerShell shell, file transfer, and script loading via WinRM.
- [PsExec](https://docs.bytejmp.com/active-directory/lateral/psexec.md): PsExec lateral movement: Impacket, Sysinternals, and CrackMapExec for remote code execution.
- [RDP Hijacking](https://docs.bytejmp.com/active-directory/lateral/rdp-hijacking.md): RDP session hijacking: take over active RDP sessions without password using tscon as SYSTEM.
- [SMBExec](https://docs.bytejmp.com/active-directory/lateral/smbexec.md): SMBExec lateral movement: command execution via SMB service creation without binary upload.
- [WMIExec](https://docs.bytejmp.com/active-directory/lateral/wmiexec.md): WMIExec lateral movement: Impacket WMI execution for semi-interactive shells and command execution.
- [Introduction](https://docs.bytejmp.com/active-directory/overview.md): Enumeration and attack techniques against Active Directory environments.
- [ACL Abuse](https://docs.bytejmp.com/active-directory/persistence/acl-abuse.md): Active Directory ACL abuse: GenericAll, WriteDacl, ForceChangePassword, and DACL persistence.
- [AdminSDHolder](https://docs.bytejmp.com/active-directory/persistence/admin-sd-holder.md): AdminSDHolder persistence: abuse SDProp to maintain ACL-based backdoor on protected groups.
- [DSRM](https://docs.bytejmp.com/active-directory/persistence/dsrm.md): DSRM: abuse Directory Services Restore Mode password for Domain Controller backdoor access.
- [SID History](https://docs.bytejmp.com/active-directory/persistence/sid-history.md): SID History injection: add privileged SID to user for persistent elevated access across domains.
- [Skeleton Key](https://docs.bytejmp.com/active-directory/persistence/skeleton-key.md): Skeleton Key: inject master password into Domain Controller LSASS for persistent access.
- [Domain Trusts](https://docs.bytejmp.com/active-directory/trusts/domain-trusts.md): Domain trust attacks: parent-child escalation, SID filtering bypass, and cross-domain lateral movement.
- [Forest Trust Attacks](https://docs.bytejmp.com/active-directory/trusts/forest-trust.md): Cross-forest attacks: SID filtering bypass, foreign group membership, and trust abuse between forests.
- [PHPMyAdmin](https://docs.bytejmp.com/apps/xamp.md): PHPMyAdmin attack techniques: default credentials, file read via LOAD_FILE, web shell upload, UDF RCE, and credential extraction.
- [Hashcat Cheat Sheet](https://docs.bytejmp.com/brute-force/hashcat.md): Hashcat reference: attack modes, common hash types, rules, masks, and cracking workflows for penetration testing.
- [Hydra Cheat Sheet](https://docs.bytejmp.com/brute-force/hydra.md): Brute-force templates for common protocols ordered by port: FTP, SSH, HTTP, SMB, RDP, MySQL, and more.
- [John the Ripper](https://docs.bytejmp.com/brute-force/john.md): John the Ripper cheat sheet: cracking passwords from SSH keys, ZIP, Office, KeePass, shadow, and more.
- [Wordlists & Generation](https://docs.bytejmp.com/brute-force/wordlists.md): Wordlist reference: default lists, custom generation with CeWL, CUPP, crunch, and mutation techniques.
- [Introduction](https://docs.bytejmp.com/introduction.md): A structured knowledge base for penetration testers, CTF players, and security researchers.
- [Capabilities](https://docs.bytejmp.com/linux-privesc/capabilities.md): Privilege escalation via Linux capabilities: cap_setuid, cap_dac_read_search, cap_net_raw, and more.
- [Enumeration Checklist](https://docs.bytejmp.com/linux-privesc/checklist.md): Linux privilege escalation enumeration: identity, system info, users, network, processes, cron, SUID, and writable directories.
- [Credential Hunting](https://docs.bytejmp.com/linux-privesc/credential-hunting.md): Finding credentials on Linux: shadow file, history, config files, SSH keys, environment variables, and memory.
- [Cron Jobs](https://docs.bytejmp.com/linux-privesc/cron-jobs.md): Privilege escalation via cron jobs: writable scripts, PATH hijacking, wildcard injection, and systemd timers.
- [Docker / LXD Escape](https://docs.bytejmp.com/linux-privesc/docker-lxd.md): Privilege escalation via Docker and LXD group membership: mount host filesystem and escape to root.
- [Groups-based Privesc](https://docs.bytejmp.com/linux-privesc/groups.md): Privilege escalation via Linux group memberships: disk, adm, video, staff, shadow, and more.
- [Kernel Exploits](https://docs.bytejmp.com/linux-privesc/kernel-exploits.md): Linux kernel exploitation: DirtyPipe, DirtyCow, PwnKit, and Linux Exploit Suggester.
- [LinPEAS / LinEnum](https://docs.bytejmp.com/linux-privesc/linpeas.md): Automated Linux privilege escalation enumeration with LinPEAS, LinEnum, and linux-smart-enumeration.
- [NFS no_root_squash](https://docs.bytejmp.com/linux-privesc/nfs.md): Privilege escalation via NFS misconfiguration: no_root_squash to create SUID binaries as root.
- [Editing /etc/passwd](https://docs.bytejmp.com/linux-privesc/passwd-editing.md): Privilege escalation by modifying /etc/passwd: adding root users, changing UIDs, and removing password requirements.
- [Python Library Hijacking](https://docs.bytejmp.com/linux-privesc/python-library-hijacking.md): Privilege escalation via Python library hijacking: module search order abuse, writable paths, and PYTHONPATH injection.
- [Restricted Shell Escape](https://docs.bytejmp.com/linux-privesc/restricted-shell.md): Escaping restricted shells: rbash, rksh, rzsh, lshell, and limited PATH environments.
- [Screen / tmux Hijacking](https://docs.bytejmp.com/linux-privesc/session-hijacking.md): Privilege escalation by hijacking abandoned screen and tmux sessions running as root or other users.
- [Shared Library Hijacking](https://docs.bytejmp.com/linux-privesc/shared-libraries.md): Privilege escalation via shared libraries: writable ld.so.conf, RPATH/RUNPATH injection, and missing library abuse.
- [Unix Socket Abuse](https://docs.bytejmp.com/linux-privesc/socket-abuse.md): Privilege escalation via Unix sockets: writable socket files, socket activation, and exposed service sockets.
- [SSH Exploitation](https://docs.bytejmp.com/linux-privesc/ssh-exploitation.md): Privilege escalation via SSH: agent forwarding hijack, writable SSH configs, weak keys, and authorized_keys abuse.
- [Sudo Abuse](https://docs.bytejmp.com/linux-privesc/sudo-abuse.md): Privilege escalation via sudo misconfigurations: GTFOBins, LD_PRELOAD, env_keep, and sudo CVEs.
- [Sudo Token Reuse](https://docs.bytejmp.com/linux-privesc/sudo-token-reuse.md): Privilege escalation by reusing existing sudo tokens: sudo_inject and /var/run/sudo/ts/ abuse.
- [SUID / SGID](https://docs.bytejmp.com/linux-privesc/suid-sgid.md): Privilege escalation via SUID and SGID binaries: discovery, GTFOBins, and custom SUID abuse.
- [Writable Systemd Services](https://docs.bytejmp.com/linux-privesc/systemd-services.md): Privilege escalation via writable systemd service files, service binaries, and systemd PATH hijacking.
- [MSFVENOM – Reverse Shell Cheat Sheet](https://docs.bytejmp.com/metasploit/msf-venom.md): Payload generation with msfvenom for Windows, Linux, and web targets across multiple formats and architectures.
- [Introduction](https://docs.bytejmp.com/mobile.md): Penetration testing techniques for mobile applications and devices.
- [ADB: Android Debug Bridge](https://docs.bytejmp.com/mobile/android/adb.md): ADB command reference for Android pentesting: device management, file transfer, shell access, app analysis, and traffic interception setup.
- [AndroidManifest.xml](https://docs.bytejmp.com/mobile/android/androidmanifest.md): Security vulnerabilities introduced through AndroidManifest.xml misconfigurations: mapped to OWASP MASWE weaknesses.
- [MobSF](https://docs.bytejmp.com/mobile/android/mobsf.md): Mobile Security Framework: automated static and dynamic analysis for Android, iOS, and Windows apps. Installation, usage, and REST API.
- [Reverse Engineering](https://docs.bytejmp.com/mobile/android/reverse-engineering.md): Android APK reverse engineering: decompiling, analyzing, and extracting secrets from Android applications using JADX.
- [Frida](https://docs.bytejmp.com/mobile/tools/frida.md): Dynamic instrumentation toolkit for Android and iOS: hook functions, intercept calls, and modify app behavior at runtime without recompiling.
- [Objection](https://docs.bytejmp.com/mobile/tools/objection.md): Runtime mobile exploration toolkit built on Frida: SSL pinning bypass, root detection bypass, memory exploration, and app analysis without recompiling.
- [VLAN Hopping](https://docs.bytejmp.com/network/attacks/vlan-hopping.md): VLAN hopping attacks: DTP abuse, switch spoofing, double tagging, and VLAN enumeration.
- [Introduction](https://docs.bytejmp.com/network/overview.md): Network reconnaissance, host discovery, and pivoting techniques.
- [Chisel](https://docs.bytejmp.com/network/pivoting/chisel.md): Chisel TCP tunneling: reverse SOCKS proxy, port forwarding, and pivoting through compromised hosts.
- [Ligolo-ng](https://docs.bytejmp.com/network/pivoting/ligolo.md): Pivoting with Ligolo-ng: tunnel setup, double pivot, port forwarding, and listener through pivot.
- [Plink](https://docs.bytejmp.com/network/pivoting/plink.md): Plink (PuTTY CLI) tunneling from Windows: local, remote, and dynamic port forwarding for pivoting.
- [ProxyChains](https://docs.bytejmp.com/network/pivoting/proxychains.md): ProxyChains configuration and usage: SOCKS proxy routing, chain types, and integration with pentest tools.
- [rpivot](https://docs.bytejmp.com/network/pivoting/rpivot.md): rpivot reverse SOCKS proxy: tunnel through compromised hosts when direct connections are blocked.
- [Socat](https://docs.bytejmp.com/network/pivoting/socat.md): Socat port forwarding and relays: TCP redirects, encrypted tunnels, and pivoting through compromised hosts.
- [SSH Tunneling](https://docs.bytejmp.com/network/pivoting/ssh-tunneling.md): SSH tunneling techniques: local, remote, and dynamic port forwarding for pivoting through compromised hosts.
- [sshuttle](https://docs.bytejmp.com/network/pivoting/sshuttle.md): sshuttle VPN-like pivoting over SSH: transparent proxy, subnet routing, and multi-hop tunneling.
- [DNS Enumeration](https://docs.bytejmp.com/network/recon/dns-enum.md): DNS enumeration techniques: zone transfers, subdomain brute-force, reverse lookups with dig, dnsenum, dnsrecon, and fierce.
- [Masscan](https://docs.bytejmp.com/network/recon/masscan.md): Masscan fast port scanning: rate tuning, output parsing, and integration with Nmap.
- [Nmap](https://docs.bytejmp.com/network/recon/nmap.md): Nmap scanning techniques: host discovery, port scanning, service detection, scripts, evasion, and output formats.
- [OS Fingerprinting](https://docs.bytejmp.com/network/recon/os-fingerprinting.md): OS fingerprinting techniques: TTL analysis, Nmap detection, p0f passive fingerprinting, and banner grabbing.
- [Ping Sweep](https://docs.bytejmp.com/network/recon/ping-sweep.md): Host discovery techniques: ICMP ping sweep, ARP scan, TCP/UDP discovery, and stealth alternatives.
- [SNMP Enumeration](https://docs.bytejmp.com/network/recon/snmpwalk.md): SNMP enumeration with snmpwalk, onesixtyone, and snmpbulkwalk: community strings, OIDs, and data extraction.
- [MITM Attacks](https://docs.bytejmp.com/network/traffic/mitm.md): Man-in-the-middle attacks: ARP spoofing, bettercap, ettercap, and traffic interception.
- [tcpdump](https://docs.bytejmp.com/network/traffic/tcpdump.md): tcpdump packet capture: filters, common flags, pcap save, and traffic analysis from the command line.
- [Wireshark](https://docs.bytejmp.com/network/traffic/wireshark.md): Wireshark packet analysis: display filters, protocol analysis, credential capture, and pcap forensics.
- [110 / 143 - POP3 / IMAP](https://docs.bytejmp.com/ports/110-143-email.md): POP3 and IMAP enumeration: login, email harvesting, brute-force, and credential extraction.
- [139 / 445 - SMB](https://docs.bytejmp.com/ports/139-445-smb.md): SMB enumeration and exploitation: null sessions, share listing, credential spraying, and relay attacks.
- [1433 - MSSQL](https://docs.bytejmp.com/ports/1433-mssql.md): MSSQL enumeration and exploitation: xp_cmdshell, linked servers, credential extraction, and file access.
- [21 - FTP](https://docs.bytejmp.com/ports/21-ftp.md): FTP enumeration and exploitation: anonymous login, credential brute-force, file upload, and bounce attacks.
- [22 - SSH](https://docs.bytejmp.com/ports/22-ssh.md): SSH enumeration and exploitation: brute-force, key-based auth abuse, tunneling, and known vulnerabilities.
- [25 / 587 - SMTP](https://docs.bytejmp.com/ports/25-smtp.md): SMTP enumeration: user verification with VRFY/EXPN/RCPT, open relay detection, and credential brute-force.
- [3128 - Squid Proxy](https://docs.bytejmp.com/ports/3128-squid.md): Squid proxy detection and exploitation: service fingerprinting and internal port scanning through the proxy.
- [3306 - MySQL](https://docs.bytejmp.com/ports/3306-mysql.md): MySQL enumeration and exploitation: UDF command execution, file read/write, and credential extraction.
- [3389 - RDP](https://docs.bytejmp.com/ports/3389-rdp.md): Remote Desktop Protocol: connection commands and common attack techniques.
- [389 / 636 - LDAP](https://docs.bytejmp.com/ports/389-ldap.md): LDAP enumeration: anonymous bind, user/group listing, password policy, and credential extraction.
- [53 - DNS](https://docs.bytejmp.com/ports/53-dns.md): DNS enumeration: zone transfers, subdomain brute-force, reverse lookups, and DNS tunneling.
- [5432 - PostgreSQL](https://docs.bytejmp.com/ports/5432-postgresql.md): PostgreSQL enumeration and exploitation: COPY command RCE, file read/write, and credential extraction.
- [5985 - WinRM](https://docs.bytejmp.com/ports/5985-winrm.md): WinRM enumeration and exploitation: Evil-WinRM, PowerShell remoting, and pass-the-hash.
- [6379 - Redis](https://docs.bytejmp.com/ports/6379-redis.md): Redis enumeration and exploitation: unauthenticated access, web shell, SSH key injection, and module RCE.
- [80 / 443 - HTTP(S)](https://docs.bytejmp.com/ports/80-http.md): HTTP enumeration: directory busting, technology fingerprinting, vhost discovery, and common attack vectors.
- [Introduction](https://docs.bytejmp.com/privesc/overview.md): Privilege escalation techniques for Windows and Linux targets.
- [Introduction](https://docs.bytejmp.com/pwn.md): Binary exploitation techniques and vulnerability research.
- [Introduction](https://docs.bytejmp.com/web.md): Web application penetration testing techniques and attack references.
- [CORS Misconfiguration](https://docs.bytejmp.com/web/cors.md): CORS misconfiguration exploitation: origin reflection, null origin, wildcard abuse, and credential theft.
- [Clickjacking](https://docs.bytejmp.com/web/headers/clickjacking.md): Clickjacking attacks: iframe overlay exploitation, X-Frame-Options, frame-ancestors, and PoC generation.
- [Cookie Security](https://docs.bytejmp.com/web/headers/cookies.md): Cookie flags and security issues: HttpOnly, Secure, SameSite, Path, Domain, and common misconfigurations.
- [Content Security Policy (CSP)](https://docs.bytejmp.com/web/headers/csp.md): CSP analysis and bypass: directive enumeration, unsafe configurations, and exploitation techniques.
- [HSTS](https://docs.bytejmp.com/web/headers/hsts.md): HTTP Strict Transport Security: analysis, misconfigurations, and SSL stripping attacks when missing.
- [JavaScript Source Maps (.js.map)](https://docs.bytejmp.com/web/js-map-files.md): Exploiting exposed JavaScript source map files to recover original source code, API keys, and internal logic.
- [Open Redirect](https://docs.bytejmp.com/web/open-redirect.md): Open redirect vulnerabilities: detection, bypass techniques, and exploitation for phishing and token theft.
- [ReDoS](https://docs.bytejmp.com/web/redos.md): Regular Expression Denial of Service — exploiting catastrophic backtracking in regex engines.
- [Boolean-Based Blind](https://docs.bytejmp.com/web/sqli/blind-boolean.md): Boolean-based blind SQL injection: extract data one bit at a time through true/false responses.
- [Time-Based Blind](https://docs.bytejmp.com/web/sqli/blind-time.md): Time-based blind SQL injection: extract data through conditional time delays.
- [Cheat Sheet — MSSQL](https://docs.bytejmp.com/web/sqli/cheatsheet-mssql.md): MSSQL SQL injection cheat sheet: syntax, xp_cmdshell, linked servers, file access, and enumeration.
- [Cheat Sheet — MySQL](https://docs.bytejmp.com/web/sqli/cheatsheet-mysql.md): MySQL SQL injection cheat sheet: syntax, functions, enumeration, file access, and RCE payloads.
- [Cheat Sheet — Oracle](https://docs.bytejmp.com/web/sqli/cheatsheet-oracle.md): Oracle SQL injection cheat sheet: syntax, enumeration, file access, and OOB exfiltration payloads.
- [Cheat Sheet — PostgreSQL](https://docs.bytejmp.com/web/sqli/cheatsheet-postgresql.md): PostgreSQL SQL injection cheat sheet: syntax, COPY RCE, file access, and enumeration payloads.
- [Cheat Sheet — SQLite](https://docs.bytejmp.com/web/sqli/cheatsheet-sqlite.md): SQLite SQL injection cheat sheet: syntax, enumeration, file access, and RCE via ATTACH DATABASE.
- [Error-Based](https://docs.bytejmp.com/web/sqli/error-based.md): Error-based SQL injection: extract data through database error messages in MySQL, MSSQL, and PostgreSQL.
- [Out-of-Band (OOB)](https://docs.bytejmp.com/web/sqli/out-of-band.md): Out-of-band SQL injection: exfiltrate data via DNS and HTTP requests when no in-band output is available.
- [Second-Order](https://docs.bytejmp.com/web/sqli/second-order.md): Second-order SQL injection: stored payloads that trigger when used in a different query context.
- [SQLmap](https://docs.bytejmp.com/web/sqli/sqlmap.md): SQLmap automated SQL injection: detection, extraction, OS shell, and tamper scripts.
- [Stacked Queries](https://docs.bytejmp.com/web/sqli/stacked-queries.md): Stacked queries SQL injection: execute multiple statements to modify data, create users, and gain RCE.
- [UNION-Based](https://docs.bytejmp.com/web/sqli/union-based.md): UNION-based SQL injection: column enumeration, data extraction, and database-specific payloads.
- [WAF Bypass](https://docs.bytejmp.com/web/sqli/waf-bypass.md): SQL injection WAF bypass techniques: encoding, comments, alternative syntax, and filter evasion.
- [Captive Portal](https://docs.bytejmp.com/wifi/attacks/captive-portal.md): Rogue captive portal attacks: credential phishing, MAC bypass, and portal evasion techniques.
- [WPA Enterprise](https://docs.bytejmp.com/wifi/attacks/enterprise-attacks.md): Complete WPA Enterprise attack chain: rogue AP credential capture (manual and automated), online brute force, MSCHAPv2 relay, and post-capture cracking.
- [WPA Enterprise: Recon](https://docs.bytejmp.com/wifi/attacks/enterprise-recon.md): Passive reconnaissance against WPA Enterprise networks: harvest EAP identities, extract server certificates, and enumerate supported EAP methods before attacking.
- [Evil Twin / Rogue AP](https://docs.bytejmp.com/wifi/attacks/evil-twin.md): Rogue access point attacks: capturing WPA2 handshakes from offline networks, credential phishing via captive portals, and hostile portal attacks.
- [WEP](https://docs.bytejmp.com/wifi/attacks/wep.md): Crack WEP-protected networks using ARP replay attacks and aircrack-ng: exploiting the fundamental weakness in WEP's IV reuse.
- [WPA2](https://docs.bytejmp.com/wifi/attacks/wpa2.md): Capture WPA2 4-way handshakes via deauthentication and crack the PSK offline with aircrack-ng.
- [WPA3 SAE](https://docs.bytejmp.com/wifi/attacks/wpa3.md): Attacking WPA3 SAE networks: online brute force with wacker and downgrade attacks against mixed WPA2/WPA3 configurations.
- [WPS](https://docs.bytejmp.com/wifi/attacks/wps.md): WPS PIN brute force and Pixie Dust attacks using wash, reaver, and bully.
- [Open Network](https://docs.bytejmp.com/wifi/connect/open.md): Connect to open (OPN) networks with no authentication using wpa_supplicant.
- [WEP](https://docs.bytejmp.com/wifi/connect/wep.md): Connect to WEP-protected networks using wpa_supplicant with a hex or ASCII key.
- [WPA Enterprise: PEAP](https://docs.bytejmp.com/wifi/connect/wpa-enterprise-peap.md): Connect to WPA Enterprise networks using PEAP/MSCHAPv2 authentication with domain credentials.
- [WPA Enterprise: TLS](https://docs.bytejmp.com/wifi/connect/wpa-enterprise-tls.md): Connect to WPA Enterprise networks using EAP-TLS with a client certificate instead of a password.
- [WPA Enterprise: TTLS](https://docs.bytejmp.com/wifi/connect/wpa-enterprise-ttls.md): Connect to WPA Enterprise networks using TTLS with PAP, CHAP, or MSCHAPv2 as the inner authentication method.
- [WPA / WPA2 PSK](https://docs.bytejmp.com/wifi/connect/wpa2.md): Connect to WPA and WPA2 personal networks using wpa_supplicant with a pre-shared key.
- [WPA3 SAE](https://docs.bytejmp.com/wifi/connect/wpa3.md): Connect to WPA3 SAE networks using wpa_supplicant with Simultaneous Authentication of Equals.
- [WPS](https://docs.bytejmp.com/wifi/connect/wps.md): Connect to WPS-enabled networks using Push Button (PBC) or PIN method via wpa_supplicant and wpa_cli.
- [Introduction](https://docs.bytejmp.com/wifi/overview.md): Attack and analysis techniques for wireless networks.
- [Recon](https://docs.bytejmp.com/wifi/recon.md): Wireless network reconnaissance: scanning for APs, identifying clients, discovering hidden SSIDs, and enumerating probe requests.
- [Interface Setup](https://docs.bytejmp.com/wifi/setup.md): Prepare a wireless interface for monitor mode using airmon-ng: required before running any active wireless attack.
- [air-hammer](https://docs.bytejmp.com/wifi/tools/air-hammer.md): WPA Enterprise online brute force tool: tests credentials directly against a live 802.1X access point.
- [Aircrack-ng Suite](https://docs.bytejmp.com/wifi/tools/aircrack-ng.md): Complete 802.11 security toolkit: monitor mode, packet capture, injection, WEP/WPA cracking, and traffic decryption.
- [asleap](https://docs.bytejmp.com/wifi/tools/asleap.md): MSCHAPv2 / LEAP offline password cracker: recovers plaintext credentials from captured challenge-response pairs.
- [berate_ap](https://docs.bytejmp.com/wifi/tools/berate-ap.md): Rogue AP framework with WPA Enterprise support: integrates with wpa_sycophant for MSCHAPv2 relay attacks and supports custom certificate loading.
- [Bully](https://docs.bytejmp.com/wifi/tools/bully.md): WPS PIN brute force and Pixie Dust attack tool, alternative to Reaver with better handling of some APs.
- [eaphammer](https://docs.bytejmp.com/wifi/tools/eaphammer.md): WPA Enterprise evil twin framework: captures MSCHAPv2 credentials, runs captive portals, and performs hostile portal attacks.
- [hashcat](https://docs.bytejmp.com/wifi/tools/hashcat.md): GPU-accelerated offline password cracker: supports WPA2 handshakes, MSCHAPv2, NTLMv2, and hundreds of other hash modes.
- [hcxtools](https://docs.bytejmp.com/wifi/tools/hcxtools.md): PCAP and hash conversion tools for WPA captures: convert handshakes to hashcat-compatible formats.
- [hostapd-mana](https://docs.bytejmp.com/wifi/tools/hostapd-mana.md): Rogue access point tool: captures WPA2 handshakes from probing clients and harvests MSCHAPv2 credentials from WPA Enterprise targets.
- [macchanger](https://docs.bytejmp.com/wifi/tools/macchanger.md): MAC address spoofing tool: change, randomize, or restore the hardware address of a network interface.
- [mdk4](https://docs.bytejmp.com/wifi/tools/mdk4.md): 802.11 frame injection tool: SSID brute force, deauthentication floods, beacon spam, and probe request fuzzing.
- [Reaver](https://docs.bytejmp.com/wifi/tools/reaver.md): WPS PIN brute force and Pixie Dust attack tool against WPS-enabled access points.
- [wacker](https://docs.bytejmp.com/wifi/tools/wacker.md): WPA3 SAE online brute force tool: tests passwords directly against a live WPA3 access point.
- [Wash](https://docs.bytejmp.com/wifi/tools/wash.md): Enumerate WPS-enabled access points and identify locked/unlocked targets for WPS attacks.
- [wpa_sycophant](https://docs.bytejmp.com/wifi/tools/wpa-sycophant.md): MSCHAPv2 relay tool: reuses a victim's authentication challenge/response to authenticate to the real WPA Enterprise AP without knowing their password.
- [AppLocker Bypass](https://docs.bytejmp.com/windows-privesc/applocker-bypass.md): Bypassing AppLocker application whitelisting: writable paths, alternate executables, and LOLBAS techniques.
- [Enumeration Checklist](https://docs.bytejmp.com/windows-privesc/checklist.md): Windows privilege escalation enumeration: identity, system info, users, network, services, and credential hunting via CMD and PowerShell.
- [Clipboard & Browser Credentials](https://docs.bytejmp.com/windows-privesc/clipboard-browser.md): Harvesting credentials from clipboard content, browser saved passwords, and browser history.
- [Credential Harvesting](https://docs.bytejmp.com/windows-privesc/credential-harvesting.md): Extracting credentials from SAM/SYSTEM, DPAPI, Credential Manager, Unattend.xml, and PowerShell history.
- [Cached GPP Passwords](https://docs.bytejmp.com/windows-privesc/gpp-passwords.md): Extracting credentials from Group Policy Preferences: cpassword decryption from SYSVOL.
- [From High to SYSTEM](https://docs.bytejmp.com/windows-privesc/high-to-system.md): Escalating from Administrator (high integrity) to NT AUTHORITY\SYSTEM: new service, PsExec, scheduled tasks, and token manipulation.
- [Insecure GUI Applications](https://docs.bytejmp.com/windows-privesc/insecure-gui.md): Privilege escalation via GUI applications running as admin: file dialog escape and browser-based command execution.
- [Kerberoasting (Local)](https://docs.bytejmp.com/windows-privesc/kerberoasting.md): Extract and crack TGS tickets from service accounts for local privilege escalation.
- [Kernel Exploits](https://docs.bytejmp.com/windows-privesc/kernel-exploits.md): Windows kernel exploitation: finding missing patches with Windows Exploit Suggester and common CVEs.
- [LAPS Enumeration](https://docs.bytejmp.com/windows-privesc/laps.md): Extracting local admin passwords from LAPS: enumeration, reading ms-Mcs-AdmPwd, and LAPS v2.
- [LSASS Dump (Without Mimikatz)](https://docs.bytejmp.com/windows-privesc/lsass-dump.md): Dumping LSASS process memory using built-in tools and LOLBINs: comsvcs.dll, ProcDump, Task Manager, and more.
- [Mimikatz](https://docs.bytejmp.com/windows-privesc/mimikatz.md): Mimikatz cheat sheet: credential dumping, pass-the-hash, pass-the-ticket, golden/silver tickets, and token manipulation.
- [Misconfigurations](https://docs.bytejmp.com/windows-privesc/misconfigurations.md): Privilege escalation via Windows misconfigurations: AlwaysInstallElevated, autorun, and scheduled tasks.
- [Potato Attacks](https://docs.bytejmp.com/windows-privesc/potatoes.md): Privilege escalation via token impersonation: JuicyPotato, PrintSpoofer, GodPotato, SweetPotato, and RoguePotato.
- [PowerShell Transcripts & Logging](https://docs.bytejmp.com/windows-privesc/powershell-logging.md): Credential harvesting from PowerShell transcript files, module logging, and script block logging.
- [PrintNightmare](https://docs.bytejmp.com/windows-privesc/printnightmare.md): CVE-2021-1675 / CVE-2021-34527: local and remote privilege escalation via Windows Print Spooler.
- [Privileged Groups](https://docs.bytejmp.com/windows-privesc/privileged-groups.md): Privilege escalation via Windows group memberships: Server Operators, Backup Operators, DnsAdmins, Account Operators, and more.
- [Registry Permissions](https://docs.bytejmp.com/windows-privesc/registry-permissions.md): Privilege escalation via writable service registry keys: modify ImagePath, add DLL, and hijack service configuration.
- [Service Exploits](https://docs.bytejmp.com/windows-privesc/service-exploits.md): Privilege escalation via Windows services: unquoted paths, weak permissions, and DLL hijacking.
- [Service Recovery Actions](https://docs.bytejmp.com/windows-privesc/service-recovery.md): Privilege escalation via Windows service failure recovery actions: execute commands as SYSTEM on service crash.
- [Sticky Notes](https://docs.bytejmp.com/windows-privesc/sticky-notes.md): Credential harvesting from the Windows Sticky Notes application: file locations, extraction methods, and post-exploitation use.
- [Token Abuse](https://docs.bytejmp.com/windows-privesc/token-abuse.md): Privilege escalation via dangerous Windows privileges: SeBackup, SeRestore, SeTakeOwnership, and named pipe impersonation.
- [File Transfer](https://docs.bytejmp.com/windows-privesc/transfer.md): File transfer techniques for Windows targets: HTTP, SMB, Netcat, and Base64 encoding for restricted environments.
- [UAC Bypass](https://docs.bytejmp.com/windows-privesc/uac-bypass.md): User Account Control bypass techniques: fodhelper, eventvwr, CMSTP, DiskCleanup, and UACME.
- [WinPEAS / Automated Enumeration](https://docs.bytejmp.com/windows-privesc/winpeas.md): Automated Windows privilege escalation enumeration with WinPEAS, PowerUp, Seatbelt, and SharpUp.
- [WSUS Exploitation](https://docs.bytejmp.com/windows-privesc/wsus.md): Privilege escalation via Windows Server Update Services: MITM updates to execute as SYSTEM.