Hacktricks 179 Best -

| # | Trick | Tool / Command |
|---|-------|----------------|
| 161 | Subdomain enumeration | assetfinder target.com |
| 162 | Cloud bucket finder | cloud_enum -k target.com |
| 163 | Waybackurls | echo target.com \| waybackurls > urls.txt |
| 164 | GitHub dorks | extension:pem "BEGIN RSA PRIVATE KEY" |
| 165 | Shodan CLI | shodan search "apache" |
| ... | ... | ... |
| 179 | Passive DNS recon | dnslytics or securitytrails API |


Credential and secret harvesting from public repos

BGP hijacking basics (overview)

BGP route announcements are not cryptographically verified by default, so an attacker who can inject announcements can claim ownership of IP ranges they do not control.

Cache poisoning / HTTP request smuggling

If an attacker successfully establishes a malicious BGP neighbor adjacency with an open router, they can inject falsified routing advertisements.

The Border Gateway Protocol (BGP) is the "glue" that holds the internet together by managing how data packets are routed across different autonomous systems. Because of its critical role, port 179 is a high-value target for attackers looking to disrupt network traffic or intercept data. Protocol: BGP operates over TCP port 179.

Use Access Control Lists to restrict access to port 179 only to known, trusted peers.

Anti-forensics basics (log tampering, timestomping) - Modifying timestamps and clearing logs can be detected; treat both as high-risk activities from a detection standpoint.

| # | Trick | Command |
|---|-------|---------|
| 126 | SSH dynamic port forward | ssh -D 1080 user@target |
| 127 | Chisel SOCKS5 | chisel client server:8000 socks |
| 128 | Ligolo-ng tunnel | ligolo-proxy -selfcert |
| 129 | Plink (Windows SSH) | plink.exe -ssh -R 1080 |
| 130 | ICMP tunneling | ptunnel -p target -lp 8000 |
| 131 | DNS tunneling (dnscat2) | dnscat2-server domain.com |
| ... | ... | ... |
| 140 | Proxychains + nmap | proxychains nmap -sT -Pn 10.0.0.1 |

File upload vulnerabilities (unrestricted)