Overwhelm systems with massive traffic floods: SYN flood, UDP flood, DNS amplification, HTTP slowloris. Botnet-powered DDoS takes down entire services.
Position between communicating parties: ARP spoofing, SSL stripping, HTTPS downgrade, evil twin WiFi. Intercept and modify all traffic in real time.
Passively capture network traffic with Wireshark, tcpdump, tshark. Extract credentials from HTTP, FTP, Telnet. Analyse protocols for vulnerabilities.
Forge source IP addresses to bypass firewalls and ACLs, enable smurf attacks, bypass geo-restrictions, and hide attacker identity during reconnaissance.
Corrupt ARP tables to redirect LAN traffic. Classic gateway impersonation with Ettercap/Arpspoof. Enables full MITM on local networks and credential theft.
DNS cache poisoning, DNS hijacking, DNS tunnelling for C2, DNS amplification DDoS, NXDOMAIN attacks. Redirect victims to attacker-controlled infrastructure.
BGP hijacking to reroute internet traffic globally, RIP route injection, OSPF poisoning. Nation-state level attacks that can redirect an entire country's traffic.
Capture and re-transmit authentication tokens, Kerberos tickets (Pass-the-Ticket), NTLM hashes (Pass-the-Hash), OAuth tokens for unauthorized access.
SSL stripping, POODLE, BEAST, Heartbleed, certificate pinning bypass. Force protocol downgrade from HTTPS to HTTP and intercept encrypted communications.
Steal session cookies via XSS, network sniffing, MITM. Sidejacking over unencrypted WiFi, cross-site request forgery (CSRF), session fixation attacks.
UNION-based, blind, time-based, error-based SQLi. Extract entire databases, bypass login, dump hashes. SQLMap automates full exploitation. OWASP #1.
Reflected, stored, DOM-based XSS. Steal cookies, bypass CSP, keylogging, redirect victims, BeEF browser exploitation framework, account takeover.
OS command injection, RCE via unsanitized exec(), eval() abuse, SSTI (Server-Side Template Injection), XXE, SSRF. Get a shell on the web server directly.
Bypass file type restrictions to upload PHP/ASP web shells. Magic byte manipulation, double extension bypass (.php.jpg), content-type spoofing for RCE.
Cross-site request forgery, Insecure Direct Object Reference, broken authentication, JWT manipulation, OAuth flaws, password reset poisoning.
Path traversal (../../../etc/passwd), Local/Remote File Inclusion: read system files, include malicious scripts, access /etc/shadow, SSH keys, config files.
Mass assignment, broken object-level auth, GraphQL introspection abuse, JWT none algorithm, API key leakage, rate limit bypass, BOLA/BFLA attacks.
Java, PHP, Python pickle deserialization RCE. Log4Shell, Apache Struts exploits, gadget chains via ysoserial, arbitrary code execution via serialized objects.
XML External Entity injection to read files, SSRF to reach internal services, metadata endpoint abuse on AWS/GCP, bypass cloud firewall, pivot to internal network.
Invisible iframe overlays trick users into clicking attacker-controlled buttons. Bypasses CSRF protection, steals clicks, enables account takeover, cursorjacking.
Inject malicious instructions into LLM prompts to override system instructions, exfiltrate data, bypass safety filters, perform actions on behalf of the user. Critical threat for AI apps.
DAN (Do Anything Now), roleplay exploits, token smuggling, many-shot jailbreaking, Base64 encoding bypass, rival LLM persona tricks. Force AI to ignore all safety rules.
Imperceptible perturbations fool neural networks: FGSM, PGD, Carlini-Wagner attacks. Fool facial recognition, malware detectors, autonomous vehicles, spam filters.
Inject malicious training data to corrupt model behaviour. BadNets backdoors, neural trojans, federated learning poisoning. Model activates maliciously on specific trigger inputs.
Reconstruct training data from model predictions (model inversion), clone model through API queries (model extraction), steal intellectual property and private user data from ML APIs.
Generate convincing fake video/audio of real people: CEO fraud calls, fake KYC bypass, political disinformation, evidence fabrication. ElevenLabs, FaceSwap, Wav2Lip attacks.
LLM-generated hyper-personalised spear-phishing at scale: zero grammatical errors, context-aware pretexting from OSINT, AI voicemail & SMS generation, autonomous vishing agents.
Determine whether specific data was in the training set; violates GDPR, leaks sensitive medical/financial records. Shadow model attacks against commercial ML APIs.
Poison retrieval-augmented generation (RAG) knowledge bases, hijack autonomous AI agents via indirect prompt injection, corrupt vector databases, supply chain attacks on LLM pipelines.
Capture 4-way handshake with airodump-ng, deauth clients with aireplay-ng, crack with hashcat/aircrack-ng. PMKID attack requires no deauth. WPS pixie-dust attack.
Create a fake access point mimicking legitimate WiFi. Deauth users from the real AP, capture all traffic on the fake one. hostapd-wpe for enterprise WPA, Evilginx for credential harvesting.
BlueSnarfing (steal contacts/files), BlueBorne (RCE without pairing), KNOB attack (encryption downgrade), BLE tracking, bluebugging to control devices remotely.
Clone proximity access cards with Proxmark3, skim NFC cards via Flipper Zero, crack HID/EM4100 cards, replay contactless payment cards, bypass physical access control.
IMSI catchers (Stingray) intercept cellular traffic, 5G NR protocol vulnerabilities, SS7 exploitation for SMS interception and call rerouting, SIM swapping attacks.
GoPhish campaigns, Evilginx2 reverse proxy MFA bypass, spear phishing with OSINT context, pretexting emails, credential harvesting pages, O365/Google account compromise.
Voice phishing: impersonate IT helpdesk, bank support, government agencies to extract credentials or MFA codes. SMS phishing with fake package or bank alerts.
Create fabricated scenarios: pose as vendor, auditor, employee, contractor. Tailgating, piggybacking, identity theft, dumpster diving for sensitive info extraction.
Rubber Ducky / BadUSB hidden as a legitimate drive: auto-executes payloads. Lure victims with infected drives/CDs. USB HID injection attacks, malicious chargers (juice jacking).
Malicious QR codes bypass email filters, replace legitimate QR codes on posters/menus, redirect to phishing pages, deliver malware, steal MFA tokens; evades email security.
Hydra, Medusa, Burp Intruder for online attacks. Hashcat for offline GPU-accelerated hash cracking (MD5/NTLM/bcrypt). RockYou wordlists, custom rules, rainbow tables.
Use leaked credential databases (HIBP, dark web) to automate login attacks across multiple services. Password reuse exploitation: one breach compromises all accounts.
Try common passwords against many accounts to avoid lockout. O365, Exchange, VPN spray with MSOLSpray/Spray. Particularly effective against corporate environments with weak policies.
Authenticate with NTLM hash instead of plaintext (Mimikatz, Impacket). Kerberoasting: request service tickets and crack them offline to get service account passwords.
MFA push notification fatigue (bombing), SIM swapping, OTP phishing in real-time via Evilginx2, TOTP seed theft, SS7 SMS interception, OAuth token theft. Bypass 2FA entirely.
Encrypt victim files with AES-256/RSA-2048, demand Bitcoin ransom. LockBit, BlackCat, Conti TTPs. Double extortion (encrypt + exfil). Disable VSS, spread via SMB, exfil before encryption.
Kernel-level rootkits hide processes/files from OS, UEFI/bootkit persistence survives reinstall, registry run keys, scheduled tasks, WMI subscriptions, DLL hijacking for persistence.
Metasploit Meterpreter, Cobalt Strike, Sliver, Havoc C2 frameworks. DNS-over-HTTPS C2, encrypted C2 channels, domain fronting, peer-to-peer botnets, fileless malware.
Compromise software build pipelines (SolarWinds, 3CX, XZ Utils backdoor). NPM/PyPI package typosquatting, dependency confusion, malicious CI/CD injection, code signing abuse.
Process injection (process hollowing, DLL injection), PowerShell-based attacks, Living-off-the-Land binaries (certutil, regsvr32, mshta), memory-only malware evades AV/EDR.
BloodHound/SharpHound AD mapping, DCSync, Golden/Silver tickets, AS-REP Roasting, ACL abuse, AdminSDHolder persistence. Pwn domain in hours from foothold.
Windows: unquoted service paths, weak permissions, AlwaysInstallElevated, token impersonation. Linux: SUID/SGID binaries, sudo misconfig, kernel exploits, cron jobs, PATH hijacking.
ZeroLogon (CVE-2020-1472), PrintNightmare, EternalBlue/MS17-010, noPac, PetitPotam, NTLM relay, MS-RPRN, Exchange ProxyLogon โ critical Windows domain exploits.
Responder captures NTLM hashes, ntlmrelayx relays auth to other machines, ADCS relay for domain takeover, SMB signing bypass. Compromise entire domain without cracking hashes.
Mimikatz sekurlsa::logonpasswords dumps cleartext creds from LSASS. DCSync replicates domain password hashes without touching DC disk. Dump entire AD with one command.
IMDSv1 SSRF metadata credential theft, overly permissive IAM, public S3 buckets with sensitive data, exposed security groups, assume-role escalation, CloudTrail evasion.
Docker privileged container escape, cgroup v1 notify_on_release escape, Kubernetes RBAC abuse, etcd unauthenticated access, malicious admission webhooks, pod service account token theft.
Lambda environment variable secrets theft, cold-start timing attacks, shared execution environment data leakage, dependency injection in function packages, event injection attacks.
Azure AD token theft, Service Principal abuse, Managed Identity escalation, PRT theft via pass-the-cookie, OAuth consent phishing, AADInternals lateral movement across tenants.
Tailgating, lock picking, bump keys, under-door tools, REX sensors. Bypass electronic access with relay attack on key fobs, badge cloning, emergency door exploitation.
JTAG/UART debug port exploitation, firmware extraction via SPI flash, hardware keyloggers, network tap implants, evil maid attacks on unattended devices, cold boot RAM attacks.
Timing attacks break constant-time assumptions, power analysis on smart cards, Spectre/Meltdown CPU vulnerabilities, cache-timing attacks, acoustic cryptanalysis, EM emanation.