What are Attack Chains?
Attack chains (also known as kill chains) document the complete exploitation path from initial reconnaissance to achieving the attack objective. Understanding these chains helps both offensive and defensive security professionals: a chain shows where an attack must succeed, and therefore where a single control can break it.

🌐 Web Application Attack Chains

Chain 1: SQLi to RCE

Severity: Critical

Full compromise via SQL injection to remote code execution

  1. Reconnaissance

    Discover SQL injection entry point via parameter fuzzing

  2. Enumeration

    Determine database type, version, and column count via UNION SELECT

  3. Discovery

    Find web root path from database error messages or file read

  4. Webshell Upload

    Write PHP/ASP webshell via INTO OUTFILE with path traversal

  5. Command Execution

    Execute OS commands via HTTP requests to uploaded webshell

  6. Persistence

    Add cron job or SSH key for persistent access

Tools: sqlmap, Burp Suite, Netcat, Metasploit

Chain 2: XSS to Account Takeover

Severity: High

Stored XSS exploited to steal session cookies

  1. Discovery

    Identify stored XSS in comment/review field

  2. Payload Crafting

    Create cookie stealing JavaScript payload

  3. Injection

    Submit payload in vulnerable form field

  4. Wait

    Admin/user visits page containing payload

  5. Cookie Capture

    JavaScript executes, sending session to attacker

  6. Session Hijack

    Use stolen cookie to authenticate as victim

Tools: Burp Suite, XSStrike, BeEF, ngrok

Chain 3: SSRF to Cloud Takeover

Severity: Critical

Exploit SSRF to extract cloud credentials and compromise infrastructure

  1. Discovery

    Identify SSRF in URL parameter or image upload

  2. Metadata Access

    Request cloud metadata service (169.254.169.254)

  3. Credential Extraction

    Retrieve IAM credentials from metadata endpoint

  4. AWS CLI Setup

    Configure AWS credentials for target account

  5. Lateral Movement

    Access S3 buckets, Lambda functions, or other services

  6. Data Exfiltration

    Download sensitive data from cloud storage

Tools: Burp Suite, AWS CLI, cloud_enum, Pacu

Chain 4: File Upload to RCE

Severity: High

Bypass file upload restrictions to gain shell access

  1. Discovery

    Identify file upload functionality

  2. Fingerprinting

    Determine allowed extensions and content validation

  3. Bypass Attempt

    Try double extensions, null bytes, or polyglot files

  4. Webshell Upload

    Upload web shell disguised as image or document

  5. Shell Activation

    Access uploaded shell via direct URL

  6. Post-Exploitation

    Enumerate and pivot to internal network

Tools: Burp Suite, FFUF, Metasploit, weevely

Chain 5: IDOR to Privilege Escalation

Severity: Medium

Exploit insecure direct object references to access unauthorized data

  1. Discovery

    Identify endpoints with object IDs (user profile, documents)

  2. Parameter Tampering

    Modify IDs in requests to access other users' resources

  3. Horizontal Enum

    Enumerate IDs to map accessible objects

  4. Vertical Escalation

    Find admin endpoints or privileged operations

  5. Data Access

    Access sensitive documents, financial records

  6. Account Manipulation

    Modify settings, passwords, or permissions

Tools: Burp Suite, Auth Analyzer, Jinja2

Chain 6: Open Redirect to Phishing

Severity: Medium

Leverage open redirect for credential harvesting

  1. Discovery

    Identify open redirect in return URL parameter

  2. Phishing Page Creation

    Clone legitimate login page

  3. Payload URL

    Construct redirect URL to phishing page

  4. Social Engineering

    Send phishing URL via email or message

  5. Credential Harvest

    Victim enters credentials on fake page

  6. Session Hijack

    Use credentials to access real application

Tools: SET, Gophish, Burp Suite, SocialFish

🔌 API Attack Chains

Chain 7: API BOLA to Mass Data Breach

Severity: High

Exploit broken object level authorization in REST API

  1. API Discovery

    Enumerate API endpoints via documentation or crawling

  2. Auth Analysis

    Authenticate as regular user, capture tokens

  3. ID Enumeration

    Test endpoints with different object IDs

  4. BOLA Exploitation

    Access other users' resources by modifying IDs

  5. Scripting

    Automate ID enumeration to extract all data

  6. Exfiltration

    Download complete dataset

Tools: Burp Suite, Postman, FFUF, Python

Chain 8: JWT Authentication Bypass

Severity: High

Forge JWT tokens to escalate privileges

  1. Token Analysis

    Extract JWT from authentication responses

  2. Algorithm Assessment

    Determine if "none" algorithm or weak secret is used

  3. Signature Bypass

    Use none algorithm or crack weak secret

  4. Claim Manipulation

    Modify role/permissions to admin

  5. Token Forgery

    Generate new valid token with elevated privileges

  6. Admin Access

    Access admin endpoints with forged token

Tools: jwt_tool, Burp Suite, hashcat, John
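The controls that break steps 3 and 4 of this chain live in the server's token verification. The following is an added example, not code from the original page or from any of the tools listed: a minimal HS256 verifier that pins the accepted algorithm, refuses "none", compares signatures in constant time and enforces expiry, plus a demo() that runs a genuine token and two forgeries through it (the secret, claims and timestamps are constructed).

```python
import base64, hashlib, hmac, json

ALLOWED_ALGS = {"HS256": hashlib.sha256}  # what this service issues; "none" is never accepted

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token as the server would (helper so the demo runs offline)."""
    header = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, secret: bytes, now: float) -> dict:
    """Return the claims only for a well-formed, correctly signed, unexpired token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    # The header is attacker-controlled: pin the algorithm server-side so that
    # "alg": "none" and algorithm confusion (chain step 3) are refused outright.
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), ALLOWED_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired or missing exp")
    return claims

def demo(secret: bytes = b"constructed-demo-secret", now: float = 1000) -> dict:
    """Outcome for a genuine token and two forgeries matching chain steps 3 and 4."""
    genuine = sign_hs256({"sub": "alice", "role": "user", "exp": 2000}, secret)
    hdr, _, sig = genuine.split(".")
    admin = b64url_encode(json.dumps({"sub": "alice", "role": "admin", "exp": 2000}).encode())
    none_hdr = b64url_encode(json.dumps({"alg": "none"}).encode())
    cases = {"genuine": genuine, "alg_none": f"{none_hdr}.{admin}.", "tampered": f"{hdr}.{admin}.{sig}"}
    out = {}
    for name, tok in cases.items():
        try:
            out[name] = verify_jwt(tok, secret, now)["role"]
        except ValueError as e:
            out[name] = f"rejected: {e}"
    return out
```

A pinned algorithm does nothing against the other branch of step 3, a guessable secret: the HMAC key must be long, random and rotated, and any token bound to a leaked key is forgeable regardless of this check.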

🌍 Network Attack Chains

Chain 9: Phishing to Domain Admin

Severity: Critical

Full Active Directory compromise via credential phishing

  1. Reconnaissance

    Gather employee emails via OSINT

  2. Phishing Campaign

    Create convincing email with malicious link/attachment

  3. Initial Access

    Victim enters credentials on fake Office 365 login

  4. FOIA Attack

    Extract tokens, access OAuth applications

  5. Kerberoasting

    Request service account TGS tickets

  6. Password Cracking

    Crack weak service account passwords offline

  7. Domain Dominance

    Use service account to modify AD, add new admin

Tools: Gophish, Certify, Rubeus, hashcat, BloodHound
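Step 5 (Kerberoasting) leaves a distinctive trace in domain controller Security logs, which is where the Detection column of the mitigation table below applies to this chain. The following is an added example, not code from the original page or its listed tools: detection logic run over constructed, flattened Windows event 4769 records that flags any requester asking for RC4 (0x17) service tickets to several distinct user SPN accounts. Field names follow the real event, but the key=value layout, accounts and addresses are made up.

```python
from collections import defaultdict

# Constructed sample of Windows Security event 4769 ("A Kerberos service ticket
# was requested"), flattened to key=value pairs; real events arrive as EVTX/XML.
SAMPLE_EVENTS = """\
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.5
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.5
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.9
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_http TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.9
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.9
EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.7
EventID=4768 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.9
"""


def parse_event(line: str) -> dict:
    """Split one flattened record into a field dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_roastable_request(ev: dict) -> bool:
    """Successful TGS request, RC4-HMAC (0x17), for a user SPN account. Machine
    accounts (name ends in $) and krbtgt are excluded: their long random keys
    are not what step 5 goes after."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769" and ev.get("Status") == "0x0"
            and ev.get("TicketEncryptionType") == "0x17"
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def detect_kerberoasting(log_text: str, threshold: int = 3) -> dict:
    """Map requester -> sorted distinct SPN accounts for every requester with
    `threshold` or more roastable requests. One such request can be a legacy
    client; a burst across many SPNs from one account rarely is."""
    per_user = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_roastable_request(ev):
            per_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in per_user.items() if len(svcs) >= threshold}
```

Tooling can request AES tickets where RC4 is disabled, so the count of distinct SPNs per requester in a short window is the more durable signal; pair this with long random passwords (or gMSA) on every SPN account so that step 6 fails even when step 5 is missed.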

Chain 10: WiFi to Internal Network

Severity: High

Compromise WPA2/WPA3 network to pivot to internal systems

  1. Wardriving

    Identify target wireless networks

  2. Handshake Capture

    Deauth clients, capture WPA handshake

  3. Password Cracking

    Crack WPA password using dictionary/rules

  4. Network Access

    Connect to wireless network

  5. Reconnaissance

    Scan internal network, identify services

  6. Lateral Movement

    Exploit vulnerabilities in internal hosts

  7. Persistence

    Establish VPN or reverse shell

Tools: Wifite2, hashcat, Wireshark, Responder, Impacket

Chain 11: SMB Relay to Domain Admin

Severity: Critical

Relay SMB authentication to compromise servers

  1. Responder Setup

    Configure SMB relay with LLMNR/NBT-NS poisoning

  2. Network Poisoning

    Poison LLMNR/NBT-NS requests on network

  3. Credential Capture

    Intercept NTLMv2 hash from victim

  4. Relay Attack

    Relay hash to target server with SMB signing disabled

  5. Local Admin

    Gain local administrator access on target

  6. Privilege Escalation

    Escalate to Domain Admin via LAPS or Kerberoast

Tools: Responder, ntlmrelayx, smbexec, Mimikatz, BloodHound

☁️ Cloud Attack Chains

Chain 12: Lambda Backdoor Creation

Severity: High

Create persistent backdoor in AWS Lambda functions

  1. IAM Enum

    Enumerate current user's Lambda permissions

  2. Lambda Access

    Get permissions to create/update Lambda functions

  3. Backdoor Function

    Create malicious Lambda with reverse shell

  4. Trigger Setup

    Configure CloudWatch trigger for persistence

  5. Execution

    Trigger function via CloudWatch event

  6. C2 Channel

    Establish command and control via Lambda

Tools: AWS CLI, Pacu, CloudFormation, Python

Chain 13: S3 Bucket Misconfiguration

Severity: Medium

Exploit public S3 bucket to access sensitive data

  1. Bucket Discovery

    Find S3 buckets via DNS, Shodan, or guessing

  2. Access Testing

    Test if bucket is publicly accessible

  3. Enumeration

    List bucket contents with AWS CLI

  4. Data Analysis

    Identify sensitive files (backups, configs, keys)

  5. Download

    Download interesting files to local system

  6. Key Extraction

    Extract API keys, credentials from downloaded files

Tools: AWS CLI, awscli, S3Scanner, Sandman

📱 Mobile Attack Chains

Chain 14: Android APK to Data Theft

Severity: High

Reverse engineer Android app to steal sensitive data

  1. APK Acquisition

    Download APK from app store or device

  2. Static Analysis

    Decompile APK, analyze code for API keys/secrets

  3. Certificate Pinning

    Identify and bypass SSL pinning

  4. Runtime Analysis

    Hook app with Frida to extract runtime data

  5. Data Extraction

    Extract tokens, credentials from memory/storage

  6. Lateral Movement

    Use extracted credentials on other platforms

Tools: jadx-gui, Frida, Objection, MobSF

🛡️ Chain Mitigation Strategies

Defense in Depth
Each attack chain should be disrupted at multiple points. Focus on early-stage prevention to stop attacks before they reach critical stages.
| Chain Stage | Prevention | Detection | Response |
|---|---|---|---|
| Reconnaissance | Minimize information exposure, rotate credentials | Monitor DNS queries, port scans | Block source IPs, alert SOC |
| Initial Access | MFA, least privilege, input validation | Login anomaly detection, WAF alerts | Lock accounts, rotate credentials |
| Execution | Endpoint protection, application whitelisting | EDR telemetry, process monitoring | Isolate endpoint, collect forensics |
| Persistence | Harden systems, monitor startup items | Detect new scheduled tasks, registry changes | Remove persistence mechanisms |
| Privilege Escalation | Least privilege, patch management | Monitor admin group changes | Audit admin accounts, rotate passwords |
| Lateral Movement | Network segmentation, strong auth | Monitor lateral traffic, SMB usage | Isolate affected segments |