# PEH References

* [Practical Ethical Hacking - The Complete Course](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)
* [TCM Course Resources - GitHub](https://github.com/TCM-Course-Resources)
  * [Practical-Ethical-Hacking-Resources](https://github.com/TCM-Course-Resources/Practical-Ethical-Hacking-Resources)
* [PNPT Certification](https://certifications.tcm-sec.com/pnpt/)
* [Course and FAQs - Discord](https://discord.gg/tcm)

## Introduction

* [Why You Shouldn't Be an Ethical Hacker](https://www.youtube.com/watch?v=rpm_V_88wds)

### Note Keeping

* [Notetaking Apps Ranked (Alex Olsen)](https://www.youtube.com/watch?v=KpX7v5Ym3wg)
* [Notion](https://www.notion.so/)
* [Joplin](https://joplinapp.org/)
* [GitBook](https://www.gitbook.com/)
* [Obsidian](https://obsidian.md/)
* [FlameShot - Screenshot tool](https://flameshot.org/)
* [ShareX - Screenshot tool](https://getsharex.com/)
* [GreenShot - Screenshot tool](https://getgreenshot.org/downloads/)

### Networking

* [Professor Messer - Seven Second Subnetting - YouTube](https://www.youtube.com/watch?v=ZxAwQB8TZsM)
* [Subnet Guide - TCM](https://drive.google.com/file/d/1ETKH31-E7G-7ntEOlWGZcDZWuukmeHFe/view)
* [Networking Fundamentals - Practical Networking YouTube](https://www.youtube.com/playlist?list=PLIFyRwBY_4bRLmKfP1KnZA6rZbRHtxmXi)
* [Subnetting Mastery - Practical Networking YouTube](https://www.youtube.com/playlist?list=PLIFyRwBY_4bQUE4IB5c4VPRyDoLgOdExE)
* [Network Fundamentals - Network Direction YouTube](https://www.youtube.com/playlist?list=PLDQaRcbiSnqF5U8ffMgZzS7fq1rHUI3Q8)
* [SMB University - Cisco Networking Fundamentals](https://www.cisco.com/c/dam/global/fi_fi/assets/docs/SMB_University_120307_Networking_Fundamentals.pdf)
* [guru99 - TCP 3-Way Handshake](https://www.guru99.com/tcp-3-way-handshake.html)
* [guru99 - OSI Model Layers](https://www.guru99.com/layers-of-osi-model.html)
* [OSI Cyber Attacks - byos.io](https://www.byos.io/blog/types-of-cyber-attacks-osi)
* [Subnet Calculator - mxtoolbox.com](https://mxtoolbox.com/subnetcalculator.aspx)
* [CIDR to IPv4 Conversion](https://www.ipaddressguide.com/cidr)

## Lab Set Up

* [VMware Workstation Player](https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html)
* [VMware Workstation Pro (Free)](https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware%20Workstation%20Pro)
* [VirtualBox + VirtualBox Extension Pack](https://www.virtualbox.org/wiki/Downloads)
* [Kali Linux](https://www.kali.org/)
  * [Kali VM Installation - VMware - syselement](https://blog.syselement.com/home/operating-systems/linux/distros/kali-vm)
  * [pimpmykali](https://github.com/Dewalt-arch/pimpmykali)
* [ParrotOS](https://www.parrotsec.org/)
* [TCM Linux-101 - syselement](https://blog.syselement.com/tcm/courses/linux-101)
  * [chmod Calculator](https://nettools.club/chmod_calc)
  * [explainshell.com](https://explainshell.com/)
* [What is a ping sweep (ICMP sweep)?](https://www.techtarget.com/searchnetworking/definition/ping-sweep-ICMP-sweep)

### Python

* [Python Documentation](https://docs.python.org/3/)
* [LearnPython.org](https://www.learnpython.org/)
* [Python Tutorial - W3Schools](https://www.w3schools.com/python/default.asp)
* [Python Cheatsheet](https://www.pythoncheatsheet.org/)
  * [Automate the Boring Stuff with Python - Book](https://automatetheboringstuff.com/)
* [Socket Programming in Python (Guide) - RealPython](https://realpython.com/python-sockets/)

## The Ethical Hacker Methodology

* [Phases of Ethical Hacking - InfosecTrain](https://www.infosectrain.com/blog/phases-of-ethical-hacking/)
* [Bugcrowd](https://bugcrowd.com/engagements)

### Information Gathering

* [Hunter.io](https://hunter.io/domain-search)
* [Phonebook.cz](https://phonebook.cz/)
* [Clearbit Connect](https://clearbit.com/resources/tools/connect)
* [EmailHippo - Email address verification](https://tools.emailhippo.com/)
* [Email-checker](https://email-checker.net/)
* [HaveIBeenPwned](https://haveibeenpwned.com/)
* [breach-parse](https://github.com/hmaverickadams/breach-parse)
* [DeHashed.com](https://dehashed.com/)
* [Hashes.com](https://hashes.com/en/decrypt/hash)
* [Sublist3r](https://github.com/aboul3la/Sublist3r)
* [crt.sh](https://crt.sh/)
* [amass](https://github.com/owasp-amass/amass)
* [httprobe](https://github.com/tomnomnom/httprobe)
* [assetfinder](https://github.com/tomnomnom/assetfinder)
* [gowitness](https://github.com/sensepost/gowitness)
* [subjack](https://github.com/haccer/subjack)
* [waybackurls](https://github.com/tomnomnom/waybackurls)
* [BuiltWith.com](https://builtwith.com/)
* [Wappalyzer.com](https://www.wappalyzer.com/)
* [WhatWeb](https://github.com/urbanadventurer/WhatWeb/)
* [Burp Suite](https://portswigger.net/burp/communitydownload)
* [Google Search Syntax](https://www.google.com/search?client=firefox-b-e\&q=google+search+syntax)
* [Google Search Operators: The Complete List (44 Advanced Operators)](https://ahrefs.com/blog/google-advanced-search-operators/)
* [Open-Source Intelligence Fundamentals - TCM Security](https://academy.tcm-sec.com/p/osint-fundamentals)
* [sumrecon script - Gr1mmie](https://github.com/Gr1mmie/sumrecon)
* [The Bug Hunter's Methodology Full 2-hour Training by Jason Haddix](https://www.youtube.com/watch?v=uKWu6yhnhbQ)
* [Nahamsec Recon Playlist](https://www.youtube.com/watch?v=MIujSpuDtFY\&list=PLKAaMVNxvLmAkqBkzFaOxqs3L66z2n8LA)

### Scanning & Enumeration

* [PEH Course VMs - TCM Security](https://drive.google.com/drive/folders/1z923e0icfJADbhgS0Qfaxuez-GJTWvjt)
  * [PEH Course Capstone VMs (updated) - TCM Security](https://drive.google.com/drive/folders/1xJy4ozXaahXvjbgTeJVWyY-eUGIKgCj1)
* [VulnHub](https://www.vulnhub.com/)
* [nmap](https://nmap.org/)
  * [nikto](https://github.com/sullo/nikto)
  * [dirbuster](https://www.kali.org/tools/dirbuster/)
  * [dirb](https://www.kali.org/tools/dirb/)
  * [ffuf](https://github.com/ffuf/ffuf)
* [HTTP response codes](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status)
* [Metasploit](https://docs.metasploit.com/)
  * [Vulnerability & Exploit Database - Rapid7](https://www.rapid7.com/db/modules/)
* [How to Enumerate SMB with Enum4linux & Smbclient - Null Byte](https://null-byte.wonderhowto.com/how-to/enumerate-smb-with-enum4linux-smbclient-0198049/)
* [smbclient](https://www.samba.org/samba/docs/current/man-html/smbclient.1.html)
* [exploit-db](https://www.exploit-db.com)
  * [searchsploit](https://www.exploit-db.com/searchsploit)

### Vulnerability Scanning with Nessus

* [Nessus](https://www.tenable.com/products/nessus/nessus-essentials)
* [Nessus Essentials - syselement](https://blog.syselement.com/home/operating-systems/linux/tools/nessus)

### Exploitation Basics

* [Hacking with Netcat part 2: Bind and reverse shells](https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/)
* [netcat](https://netcat.sourceforge.net/)
* [Metasploit Unleashed - OffSec](https://www.offsec.com/metasploit-unleashed/)
  * [Apache mod\_ssl < 2.8.7 OpenSSL - Remote Buffer Overflow](https://nvd.nist.gov/vuln/detail/CVE-2002-0082)
* [Top 13 Vulnerable Web Applications and Websites for Ethical Hacking Practice | by ByteBusterX | Medium](https://bytebusterx.medium.com/top-13-vulnerable-web-applications-and-websites-for-ethical-hacking-practice-1850c6163e89)
* [Damn Vulnerable Web Application (DVWA)](https://github.com/digininja/DVWA)
* [Credential stuffing](https://owasp.org/www-community/attacks/Credential_stuffing)
* [Password spraying](https://owasp.org/www-community/attacks/Password_Spraying_Attack)
* [CVE-2017-0144 - MS17-010](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144)
* [CrackStation - Online Password Hash Cracking](https://crackstation.net/)
  * [hashcat](https://crackstation.net/)
* [GitHub - pentestmonkey/php-reverse-shell](https://github.com/pentestmonkey/php-reverse-shell)
* [LinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS)
* [WinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS)
* [pspy](https://github.com/DominicBreuker/pspy)
* [Reverse Shell Cheat Sheet | pentestmonkey](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
* [fcrackzip](https://www.kali.org/tools/fcrackzip/)
* [GTFO Bins](https://gtfobins.github.io/)
* [Pure Groovy/Java Reverse Shell](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
* [Unquoted Service Paths | Red Team Notes](https://www.ired.team/offensive-security/privilege-escalation/unquoted-service-paths)
* [dnsrecon](https://github.com/darkoperator/dnsrecon)
* [Spawning a TTY Shell | SecWiki](https://wiki.zacheller.dev/pentest/privilege-escalation/spawning-a-tty-shell)
* [Linux Privilege Escalation - SUDO and SUID | HackTricks](https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid)
* [Linux Privilege Escalation | TCM Security](https://academy.tcm-sec.com/p/linux-privilege-escalation)
* [Windows Privilege Escalation for Beginners | TCM Security](https://academy.tcm-sec.com/p/windows-privilege-escalation-for-beginners)

## Active Directory

* [Active Directory Domain Services](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview)
* [Introduction to Active Directory - HTB Academy](https://academy.hackthebox.com/module/details/74)
* [Compromising Active Directory module - TryHackMe](https://tryhackme.com/module/hacking-active-directory)
* [PimpmyADLab](https://github.com/Dewalt-arch/pimpmyadlab)
* [Building a Windows AD lab](https://ad-lab.gitbook.io/building-a-windows-ad-lab/)
* [GrouppVM](https://github.com/vulfilip/grouppvm)
* [How To Setup Red Team And Blue Team Lab 2024 - Part 2 - InfoSec Pat](https://www.youtube.com/watch?v=uGvb8zE219Y)
* [LLMNR Poisoning and How to Prevent It - TCM Security](https://tcm-sec.com/llmnr-poisoning-and-how-to-prevent-it/)
  * [LLMNR | Pentest Everything - viperone.gitbook.io](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/adversary-in-the-middle/llmnr)
  * [Responder](https://github.com/lgandx/Responder)
* [SMB Relay Attacks and How to Prevent Them - TCM Security](https://tcm-sec.com/smb-relay-attacks-and-how-to-prevent-them/)
  * [ntlmrelayx.py](https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py)
* [mitm6 - compromising IPv4 networks via IPv6 - Fox-IT](https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/)
  * [mitm6](https://github.com/dirkjanm/mitm6)
* [How to Hack Through a Pass-Back Attack: MFP Hacking Guide](https://www.mindpointgroup.com/blog/how-to-hack-through-a-pass-back-attack)
  * [PRET](https://github.com/RUB-NDS/PRET)
  * [Printer Security Testing Cheat Sheet - Hacking Printers](https://www.hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet)
  * [Praeda](https://github.com/percx/Praeda)
* [ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
* [BloodHound](https://github.com/SpecterOps/BloodHound)
  * [PlumHound](https://github.com/PlumHound/PlumHound)
* [PingCastle](https://www.pingcastle.com/)
* [Forest Druid](https://www.semperis.com/forest-druid/resources/)
* [Purple Knight](https://www.semperis.com/purple-knight/resources/)
* [crackmapexec](https://github.com/byt3bl33d3r/CrackMapExec)
  * [CrackMapExec Cheat Sheet 2024 (Commands & Examples) - Stationx](https://www.stationx.net/crackmapexec-cheat-sheet/)
* [netexec](https://github.com/Pennyw0rth/NetExec)
* [secretsdump.py](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py)
* [HTB: Cicada | 0xdf hacks stuff](https://0xdf.gitlab.io/2025/02/15/htb-cicada.html#nmap)
* [Kerberoasting - CrowdStrike](https://www.crowdstrike.com/cybersecurity-101/kerberoasting/)
  * [Kerberoast | HackTricks](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast)
  * [Kerberoasting | Red Team Notes](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting)
  * [GetUserSPNs.py](https://github.com/fortra/impacket/blob/master/examples/GetUserSPNs.py)
* [Token Impersonation | Pentest Everything](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/access-token-manipultion/token-impersonation)
  * [Fun with Incognito - Metasploit Unleashed](https://www.offsec.com/metasploit-unleashed/fun-incognito/)
* [Forced Authentication | Red Team Notes](https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication)
* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences – Active Directory Security](https://adsecurity.org/?p=2288)
  * [MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege: May 13, 2014 - Microsoft Support](https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30)
  * [Exploiting-GPP-AKA-MS14\_025-vulnerability](https://github.com/incredibleindishell/Windows-AD-environment-related/blob/master/Exploiting-GPP-AKA-MS14_025-vulnerability/README.md)
  * [GPP attacks | Internal Pentest](https://xedex.gitbook.io/internalpentest/internal-pentest/active-directory/post-compromise-attacks/gpp-attacks)
* [mimikatz](https://github.com/gentilkiwi/mimikatz)
* [Kerberos Golden Ticket Attack Explained - StationX](https://www.stationx.net/golden-ticket-attack/)
  * [Golden Ticket Attack Explained | Semperis Identity Attack Catalog](https://www.semperis.com/blog/golden-ticket-attack-explained/)
  * [Golden Ticket Attack Explained - MITRE ATT\&CK T1558.001](https://www.picussecurity.com/resource/blog/golden-ticket-attack-mitre-t1558.001)
  * [rycon.hu - mimikatz's Golden Ticket](https://rycon.hu/papers/goldenticket.html)
* [Zerologon](https://www.secura.com/blog/zero-logon)
  * [ZeroLogon testing script](https://github.com/SecuraBV/CVE-2020-1472)
  * [dirkjanm/CVE-2020-1472: PoC for Zerologon](https://github.com/dirkjanm/CVE-2020-1472)
  * [What Is Zerologon? | Trend Micro (US)](https://www.trendmicro.com/en_us/what-is/zerologon.html)
* [PrintNightmare Exposes Windows Servers to RCE | Huntress](https://www.huntress.com/blog/critical-vulnerability-printnightmare-exposes-windows-servers-to-remote-code-execution)
  * [Playing with PrintNightmare | 0xdf hacks stuff](https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html)
  * [cube0x0/CVE-2021-1675: C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527](https://github.com/cube0x0/CVE-2021-1675)
  * [calebstewart/CVE-2021-1675: Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare)](https://github.com/calebstewart/CVE-2021-1675)
* [AD Case Study #1 - You Spent How Much on Security? - TCM Security](https://tcm-sec.com/pentest-tales-001-you-spent-how-much-on-security/)
* [AD Case Study #2 - #Pentest Tales #002: Digging Deep - TCM Security](https://tcm-sec.com/pentest-tales-002-digging-deep)

## Post Exploitation

* [proxychains](https://github.com/haad/proxychains)
* [sshuttle](https://github.com/sshuttle/sshuttle)
* [chisel](https://github.com/jpillora/chisel)

## Web Application

* [Alex Olsen - AppSecExplained](https://linktr.ee/appsecexplained)
  * [AppSecExplained](https://appsecexplained.gitbook.io/appsecexplained)
* [Burp Suite documentation - PortSwigger](https://portswigger.net/burp/documentation)
* [Web Security Academy - PortSwigger](https://portswigger.net/web-security)
* [OWASP Top Ten](https://owasp.org/www-project-top-ten/)
* [Webhook.site - Test, transform and automate Web requests and emails](https://webhook.site)
* [SQL injection cheat sheet | Web Security Academy](https://portswigger.net/web-security/sql-injection/cheat-sheet)
  * [SQL Injection | OWASP Foundation](https://owasp.org/www-community/attacks/SQL_Injection)
* [Cross-Site Scripting (XSS) Cheat Sheet - 2024 Edition | Web Security Academy](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
  * [What is cross-site scripting (XSS) and how to prevent it? | Web Security Academy](https://portswigger.net/web-security/cross-site-scripting)
  * [Cross Site Scripting (XSS) | OWASP Foundation](https://owasp.org/www-community/attacks/xss/)
  * [alert() is dead, long live print() | PortSwigger Research](https://portswigger.net/research/alert-is-dead-long-live-print)
  * [The Modern JavaScript Tutorial](https://javascript.info/)
* [PayloadsAllTheThings - Command Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
  * [What is OS command injection, and how to prevent it? | Web Security Academy](https://portswigger.net/web-security/os-command-injection)
  * [Command Injection | OWASP Foundation](https://owasp.org/www-community/attacks/Command_Injection)
  * [Command injection | AppSecExplained](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/command-injection)
  * [Reverse Shell Cheat Sheet - Internal All The Things](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/)
* [PayloadsAllTheThings - Upload Insecure Files](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files)
  * [File uploads | Web Security Academy](https://portswigger.net/web-security/file-upload)
  * [Insecure file upload | AppSecExplained](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/insecure-file-upload)
  * [List of file signatures (Magic bytes) - Wikipedia](https://en.wikipedia.org/wiki/List_of_file_signatures)
* [Authentication | AppSecExplained](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/authentication)
  * [Authentication vulnerabilities | Web Security Academy](https://portswigger.net/web-security/authentication)
* [PayloadsAllTheThings - XXE Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md)
  * [What is XXE (XML external entity) injection? | Web Security Academy](https://portswigger.net/web-security/xxe)
  * [XXE (XML external entity) injection | AppSecExplained](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/xxe-xml-external-entity-injection)
* [PayloadsAllTheThings - Insecure Direct Object References](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Direct%20Object%20References)
  * [Insecure direct object references (IDOR) | Web Security Academy](https://portswigger.net/web-security/access-control/idor)

## Wireless Penetration Testing

* [Pentesting Wifi - HackTricks](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/pentesting-wifi/index.html)
* [ricardojoserf/wifi-pentesting-guide](https://github.com/ricardojoserf/wifi-pentesting-guide)
* [Offensive Security Tool: WEF (WiFi Exploitation Framework) | Black Hat Ethical Hacking](https://www.blackhatethicalhacking.com/tools/wef-wifi-exploitation-framework/)
* [D3Ext/WEF: Wi-Fi Exploitation Framework](https://github.com/D3Ext/WEF)
  * [Free Wifi Hacking Course | D3Ext](https://d3ext.github.io/posts/Curso/)
* [Best Kali Linux Compatible USB Adapters 2024 – WirelesSHack](https://www.wirelesshack.org/best-kali-linux-compatible-usb-adapter-dongles.html)
* [OpenWrt & WiFi Exploitation | syselement's Blog](https://blog.syselement.com/home/home-lab/misc/openwrt-wifi-hack#hacking-time)
* [aircrack-ng Usage](https://www.kali.org/tools/aircrack-ng/)
* [airmon-ng](https://www.aircrack-ng.org/doku.php?id=airmon-ng)
* [airodump-ng](https://www.aircrack-ng.org/doku.php?id=airodump-ng)

## Legal Documents and Report Writing

* [Sample pentest report provided by TCM Security](https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report)
  * [Writing a Pentest Report - TCM video](https://www.youtube.com/watch?v=EOoBAq6z4Zk)
