CompTIA Pentest+
Common Themes
Analyze vulnerability scans for __, items that recur across the results ▪ Do the same vulnerabilities show up on many hosts? ▪ Do you see the same types of operating systems and applications being used across the network? ▪ Lack of best practices ● Common mis-configurations ● Weak passwords ● Poor security practices ● Logging disabled
Domain name squatting
Cybersquatting (also known as __ ), according to the United States federal law known as the Anticybersquatting Consumer Protection Act, is registering, trafficking in, or using an Internet domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else
White Box Support Resources
Generally provided only for a white box penetration test ● Architectural diagrams ● Sample application requests ● SDK documentation ● SOAP project files ● Swagger document ● WSDL/WADL ● XSD
Empire
PowerShell __ is a post-exploitation hacking tool built on cryptographically secure communications and a flexible architecture. ▪ PowerShell and Python post-exploitation agent
Mobile Devices
Weakness in Specialized Systems - __: ▪ Lack of updates (especially Android) ▪ Root/Jailbreak (especially iPhone) ▪ 3rd party applications ▪ Bluetooth, NFC, and WiFi ▪ Lack of Mobile Device Management in smaller organizations
ctime
__ (change time) is the timestamp of a file that indicates the time that it was last changed. The change can be to its content or to its attributes (metadata).
What kind of information are we looking to find?
__ (Reconnaissance): ▪ Phone numbers ▪ Contact names ▪ Email addresses ▪ Security-related information ▪ Information systems used ▪ Job postings ▪ Resumes
Hopper
__ Disassembler, the reverse engineering tool that lets you disassemble, decompile and debug your applications. ▪ Hopper v3 for Linux requires Ubuntu 14.04, Arch Linux, Fedora 20 or higher, and a 64-bit processor.
Clear Text Credentials in LDAP
__ If SSL is not enabled for LDAP, credentials are sent over the network in clear text ▪ Use the Insecure LDAP Bind script to check for this in PowerShell o .\Query-InsecureLDAPBinds.ps1 -ComputerName dc1.contoso.com -Hours 24 ▪ You receive a CSV file as output showing which accounts are vulnerable o "IPAddress","Port","User","BindType" o "10.0.0.3","60901","CONTOSO\Administrator","Simple" o "[::1]","65445","CONTOSO\Administrator","Simple" ● Privilege Escalation (Windows)
Telnet (2)
__ Permits sending commands to remote devices ▪ Information is sent in plain text ▪ Should never be used over an untrusted network; using it is a serious security risk ▪ SSH should always be used instead
Metasploit
__ Project is a computer security project that provides information about vulnerabilities and aids in penetration testing. ▪ Can be used to create security testing tools and exploit modules, and also as a penetration testing system.
Industrial Control Systems (ICS)
__ is a collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes.
Privilege Escalation in Linux
__ allows a user to run a program or process as a different user with additional permissions in a Linux OS. ▪ Set-User Identification (SUID) ▪ Set-Group Identification (SGID) ▪ Sticky Bit ▪ Unsecure SUDO ▪ Ret2libc
Privilege Escalation in Windows
__ allows a user to run a program or process as a different user with additional permissions in a Windows OS. ▪ Cpassword ▪ Clear Text Credentials in LDAP ▪ Kerberoasting ▪ Credentials in LSASS ▪ Unattended Installation ▪ SAM Database ▪ DLL Hijacking ▪ Exploitable Services ▪ Unsecure File and Folder Permissions ▪ Keylogger ▪ Scheduled Tasks
Windows Remote Management (WinRM)
__ allows administrators to remotely run management scripts using the WS-Management Protocol (based on SOAP) ▪ Windows Remote Management runs on the server ▪ Windows Remote Shell (WinRS) runs on the client
Remote Desktop Protocol (RDP)
__ allows remote access to a machine over the network as if you were sitting right in front of it ▪ Provides GUI access through an RDP client
Apple Remote Desktop
__ allows remote access to a machine over the network through a GUI ▪ Recent versions allow for an encrypted AES 128-bit tunnel to be created from the machine being controlled
Kerberos Silver Tickets
__ allows services (low-level Operating System programs) to log in without double-checking that their token is actually valid, which hackers have exploited to create Silver Tickets. ▪ In the simplest terms, a Silver Ticket is a forged authentication ticket that allows you to log into some accounts ▪ Kerberos Ticket Granting Service (TGS) tickets ▪ Can only be used for a specific Kerberos service
NETBIOS Name Service
__ are 16 characters long, with the first 15 consisting of a unique name (for a single user or computer) or a group name (for a set of users or computers).
Daemons
__ are background processes that exist for the purpose of handling periodic service requests that a computer system expects to receive ▪ For example, sshd is the SSH daemon ▪ In Windows, these are called "services" ● Could be used to Persist on victim machine
passive infrared sensors
__ are alarm systems that use infrared light to detect movement, changes in ambient temperature, and body heat.
Rules of Engagement (RoE)
__ are detailed guidelines and constraints regarding the execution of information security testing. The __ is established before the start of a security test, and gives the test team authority to conduct defined activities without the need for additional permissions.
Legal Concepts (1)
__: laws and regulations regarding cyber-crime vary from country to country; check the local laws before conducting an assessment.
Container
__ are like micro virtual machines ▪ Each container is built from the base Operating System image with unique applications run on top of it ▪ Require fewer resources than a typical VM ▪ Docker, Puppet, and Vagrant are examples
Programming Comments
__ are lines in code that are not part of execution but used to describe or remove code ▪ Bash, Python, Ruby, and PowerShell all use a # to signify the code is commented
Credentialed Scans
__ are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check, looking for problems that cannot be seen from the network. ▪ Scanner uses an authorized user or admin account ▪ Closer to the system administrator's perspective ▪ Finds more vulnerabilities ▪ More detailed, accurate information
Vulnerability Scans
__ are scans of a host, system, or network to determine what vulnerabilities exist ▪ Numerous tools used by both defenders and attackers to identify vulnerabilities ▪ Tools are only as good as their configuration
Programming Constants
__ are used to define a set value across the entire program and cannot be changed
Programming Variable
__ are used to represent any value and can be changed during the execution of the program
XSS DOM
__ arises when an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data to a potentially dangerous sink within the DOM. ▪ Document Object Model (DOM) is vulnerable ▪ Victim's browser is exploited (client-side XSS)
Pass the Hash
__ attack is an exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.
Spear Phishing
__ is an attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. __ attempts are not typically initiated by random hackers, but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information. ▪ Occurs when an attacker creates a message to appeal to a specific individual
Stealth Scan
__ attempts to avoid tripping defensive control thresholds. ▪ Conducts scans by sending a SYN packet and then analyzing the response ▪ If SYN/ACK is received, the destination is trying to establish the connection (port is open) and the scanner replies with an RST packet (nmap -sS <target>)
Decompiler
__ attempts to convert executable instructions back into source code. ▪ Output is generally awkward to read at best
De-escalation
__ can decrease the severity, intensity, or magnitude of a security alert that is being reported ● Communication Reasons
Physical Security Attacks
__ describes security measures that are designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks).
Flow Control
__ determines how program execution should proceed.
Network Address Translation (NAT)
__ enables translation of a private (non-routable) network address to a public (routable) address.
Application Containers
__ encapsulate the files, dependencies and libraries of an application to run on an OS. __ enable the user to create and run a separate container for multiple independent applications or for multiple services that constitute a single application. ▪ Breaking out of a container can allow attackers to break into other systems
Non-credentialed Scans
__ enumerate ports, protocols, and services that are exposed on a host and identify vulnerabilities and mis-configurations that could allow an attacker to compromise your network. ▪ Scanner doesn't have a user or admin account ▪ Closer to the hacker's perspective ▪ Fewer details, often used in early phases of attacks/tests
Target Selection - External
__ focuses on publicly facing targets ● Webservers in the DMZ ● Outside the protected LAN
Target Selection - Internal
__ focuses on targets inside the firewall ● Can be on-site or off-site ● Logically internal
Registers (memory registers)
__ frequently hold pointers that reference memory.
Network Basic Input/Output System (NetBIOS)
__ helps facilitate the communications of Microsoft applications over a network and provides services such as protocol management, messaging and data transfer, and hostname resolution.
Application Scanning - Dynamic Analysis
__ identifies vulnerabilities in a runtime environment. ▪ Automated tools provide flexibility on what to scan for. ▪ It allows for analysis of applications for which you do not have access to the actual code. ▪ It can be conducted against any application. ▪ Occurs while a program is running ▪ Program is run in a sandbox and changes are noted
ad-hoc Mode
__: in this mode, wireless clients are connected peer-to-peer. __ is commonly referred to as an Independent Basic Service Set (IBSS)
Active Information Gathering
__ involves direct interaction with organizational assets to gather information, rather than indirect interaction via observation or details available from external parties.
Social Engineering
__ involves manipulating people to get information or to gain access. ▪ Often utilizes deception and lies
Packet Inspection
__ is manual enumeration performed by analyzing captured packets to determine information ▪ Capturing and analyzing network packets ▪ Tool - Wireshark
Keylogger
__ is surveillance technology used to monitor and record the keystrokes of a victim user ▪ Can be software or hardware-based ● Privilege Escalation (Windows)
Kerberos Golden Tickets
__ is a Kerberos authentication token for the KRBTGT account that can use a pass-the-hash technique to log into any account, allowing attackers to move around unnoticed inside the network. ▪ Kerberos Ticket-Granting Tickets (TGT) ▪ Can be used to access any Kerberos service
Red Team
__ is a penetration test conducted by an organization's internal pentesters during a security exercise to ensure that the defenders (blue team) can perform their jobs adequately
SSLyze
__ is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL servers. ▪ Server certificate validation and revocation checking through OCSP stapling. ▪ Certificate Inspection Tool
Evil Twin Attack
__ is a rogue access point that appears to be legitimate but is set up to eavesdrop on wireless communication.
Hping
__ is a TCP/IP packet assembler/analyzer, running on most *nix versions. It supports various protocols, including TCP, UDP and ICMP. ▪ Good guys commonly use it to scan ports for holes that bad guys try to exploit. ▪ It's also useful for testing network machines by firing precompiled exploits at them. ▪ is a Packet Crafting Tool
Rlogin
__ is a Unix program that allows users to log in on another host using a network. ▪ Rsh created as part of rlogin package in BSD Unix ▪ Allowed a user to login and issue commands on another Unix computer over a TCP/IP network
HTTP Parameter Pollution (HPP)
__ is a web attack evasion technique that allows an attacker to craft an HTTP request in order to manipulate or retrieve hidden information. ▪ In particular, some environments process such requests by concatenating the values taken from all instances of a parameter name within the request.
Scheduled Tasks (at)
__ is a Windows command-line program to schedule tasks ▪ Task Scheduler is the GUI version of the program ● Could be used to Persist on victim machine
Property Lists (plist)
__ are XML-formatted files, stored in binary or text format, that provide configuration settings and property data for many kinds of Apple applications.
Searchsploit
__ is a command-line search tool for Exploit-DB that also allows you to take a copy of the Exploit Database with you, everywhere you go. ▪ Note: the name of this utility is SearchSploit and, as its name indicates, it will search for all exploits and shellcode. ▪ Command-line search tool for the Exploit-DB ▪ Allows for offline searches through local repo
telnet
__ is a network protocol that allows a user on one computer to log into another computer that is part of the same network. ▪ Port 23 ▪ Can be used for Banner Grabbing
Dynamic Application Security Testing (DAST)
__ is a black-box security testing methodology in which an application is tested from the outside. ▪ A tester using SAST examines the application from the inside, searching its source code for conditions that indicate that a security vulnerability might be present.
Dictionary Attack
__ is a brute force attack that uses a dictionary of commonly used usernames and passwords. ▪ Weak passwords and passwords from previous data breaches make a great list
Lock Bumping
__ is a brute-force method of opening a pin tumbler lock with a bump key.
Bump Key
__ is a burglary tool, a generic key used along with another mechanism to apply force to open a lock
SQL Injection (Structured Query Language)
__ is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
Impacket
__ is a collection of Python classes for working with network protocols. ▪ Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. ▪ Collection of Python classes for working with network protocols ▪ Focused on low-level program access for SMB and MSRPC protocol implementation
Group Policy Object (GPO)
__ is a collection of settings that govern user and computer configurations within an Active Directory (AD) network.
Remote Shell (RSH)
__ is a command line program used to execute shell commands as another user on another computer over the network ▪ Is unsecure because it doesn't use encryption, therefore SSH should be used instead
Nslookup
__ is a command-line program in Windows used to determine exactly what information the DNS server is providing about a specific host name. ▪ is a Reconnaissance Tool
Aircrack-ng
__ is a complete suite of tools to assess WiFi network security. ▪ It focuses on different areas of WiFi security: Monitoring: Packet capture and export of data to text files for further processing by third party tools. ▪ Wireless hacking suite that consists of scanner, packet sniffer, and password cracker
FTK or Forensic Toolkit
__ is a computer forensics software made by AccessData. ▪ It scans a hard drive looking for various information. It can, for example, locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.
Packet Capture
__ is a computer networking term for intercepting a data packet that is crossing or moving over a specific computer network. Once a packet is captured, it is stored temporarily so that it can be analyzed.
Netcat (nc)
__ is a computer networking utility for reading from and writing to network connections using TCP or UDP. ▪ The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. ▪ Is a Packet Crafting Tool & Banner Grabbing Tool
Access Limitation
__ is a condition in which the penetration tester has restrictions on access when they begin testing.
Master Service Agreement (MSA)
__ is a contract where parties agree to most of the terms that will govern future actions. ▪ High level contract between a service provider and a client that specifies details of the business arrangement
APK Studio
__ is a cross-platform, free and open-source tool that lets you decompile APK files, edit code and resources, and recompile them. ▪ You can call it an IDE (Integrated Development Environment); it comes with a complete, user-friendly GUI much like other common IDEs. ▪ Cross-platform IDE for reverse engineering and recompiling Android application binaries
(Security Account Manager) SAM Database
__ is a database file that stores the user passwords in Windows as a LM hash or NTLM hash ▪ File is used to authenticate local users and remote users ▪ Passwords can be cracked offline if the SAM file is stolen ● Privilege Escalation (Windows)
GDB
__ is a debugger, a program that runs other programs, allowing the user to exercise control over these programs and to examine variables when problems arise. ▪ GNU Debugger, which is also called gdb, is the most popular debugger for UNIX systems to debug C and C++ programs. ▪ Runs on Unix and Linux systems
Discover.sh
__ is a discovery framework developed to quickly and efficiently identify passive information about a company or network. ▪ The framework is provided through a tool called Discover-scripts ▪ is a Reconnaissance Tool
Pretexting (Pretext)
__ is a false context developed to justify other actions or make them believable to a victim
root bridge
__ is a feature of the Spanning Tree Protocol (STP) that serves as a reference point for all switches in a spanning tree topology.
Network File System (NFS)
__ is a file system and protocol that enables network file sharing for *NIX operating systems.
foremost
__ is a forensic data recovery program for Linux used to recover files using their headers, footers, and data structures through a process known as file carving. ▪ Although written for law enforcement use, it is freely available and can be used as a general data recovery tool.
DNS Cache Poisoning
__ is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address.
Vishing (Voice Phishing)
__ is a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward. ▪ Phishing that occurs over a telephone ▪ Involves calling someone and pretending you are someone else
Statement of Work (SOW)
__ is a formal document stating the scope of what will be performed during a penetration test. ▪ Clearly states what tasks are to be accomplished during an engagement
OpenVAS
__ is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. ▪ The actual security scanner is accompanied with a regularly updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total.
iOS Simulator
__ is a function of the iOS developer tool kit (Xcode) that can mimic the basic behavior of an iDevice and how it interacts with an iOS application.
AFL
__ is a fuzzer, a tool for testing software by providing randomly-generated inputs, searching for those inputs which cause the program to crash. ▪ The native-code compiler "ocamlopt" can generate such instrumentation, allowing afl-fuzz to be used against programs written in OCaml.
Ncat (ncat)
__ is a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a network. __ is suitable for interactive use or as a network-connected back end for other tools. ▪ is a Packet Crafting Tool
NCAT
__ is a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a network. ▪ It aims to be your network Swiss Army knife, handling a wide variety of security testing and administration tasks. ▪ Is suitable for interactive use or as a network-connected back end for other tools. ▪ From makers of Nmap as update to Netcat
Contracting Officer
__ is a government employee with the authority to enter into, administer, and/or terminate contracts and make related determinations and findings
Array
__ is a group of elements of the same data type.
netgroup
__ is a group of users or hosts used for permission checking when permitting remote operation such as mounting file shares, remote logins, remote execution, in Linux and Unix network domain environments.
Microwave Sensor
__ is a high-frequency radio wave, offering the ability to traverse building materials.
Redirect Attack
__ is a kind of vulnerability that redirects you to another page freely out of the original website when accessed, usually integrated with a phishing attack ▪ Sends user to login page to capture credentials
Pivoting
__ is a lateral movement technique that can allow an attacker to move from host to host using remote access tools such as SSH, Telnet, FTP, RDP, VNC.
Mimikatz
__ is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs and Kerberos tickets. ▪ Other useful attacks it enables are pass-the-hash, pass-the-ticket or building Golden Kerberos tickets. ▪ Targets Windows machines to extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from the machine's memory ▪ Can be used for pass-the-hash, pass-the-ticket, and creating Golden Tickets
Non-Disclosure Agreement (NDA)
__ is a legal contract outlining confidential material or information that will be shared during the assessment and what restrictions are placed on it. ▪ Agreement that defines confidential material and restrictions on use and sharing sensitive information with other parties
Dynamic Link Library (DLL)
__ is a library that contains code and data that can be used by more than one program at the same time. ● Can be used for Privilege Escalation (Windows)
PsExec
__ is a lightweight telnet replacement that lets you execute processes on other systems, with full interactivity for console applications, without having to manually install client software
Security Account Manager (SAM)
__ is a local database file that contains local account settings and password hashes for the host.
Cipher lock
__ is a lock opened via a programmable keypad designed to limit access to a controlled area.
Social Networking
__ is a means by which people use the Internet to communicate and share information among their immediate friends, and meet and connect with others through common interests, experiences, and friends. ▪ is a Reconnaissance Tool
X11 Forwarding
__ is a mechanism that allows a user to start up remote applications but forward the application display to your local Windows machine. ▪ X-windows/X-server is the GUI for Linux ● Known collectively as X11 ▪ X-windows/X-server over an SSH connection
Backdoors
__ is a method to bypass normal authentication or encryption in a computer system ▪ May take the form of a hidden part of a program (such as a trojan or rootkit) ▪ Default passwords are considered a backdoor when they are not changed by the user ● Could be used to Persist on victim machine
Persistence
__ is a method to maintain access to a victim machine.
Kerberoasting
__ is a method used to steal service account credentials. ▪ Any domain user account that has a service principal name (SPN) set can have a service ticket (TGS) ▪ Ticket can be requested by any user in the domain and allows for offline cracking of the service account plaintext password ● Privilege Escalation (Windows)
Rooting
__ is a mobile device exploitation technique: the process of exploiting a software vulnerability in the operating system that enables low-level execution with elevated privileges and enables the user to make modifications to the operating system that were not necessarily intended by the manufacturer.
Dirbuster
__ is a multi-threaded Java application designed to brute force directory and file names on web/application servers. ▪ Often what looks like a web server in a default installation state actually is not, and has pages and applications hidden within. ▪ Brute-force tool for directories and file names on web/application servers
Patator
__ is a multi-purpose brute-forcer, with a modular design and a flexible usage. ▪ Multi-purpose brute-force attack tool ▪ Supports modules for different target services
WinDBG
__ is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. ▪ Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development.
Kerberos
__ is a network authentication protocol that leverages a ticketing system to allow hosts and users operating over the network to prove their identity to one another in a secure fashion.
kismet
__ is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. ▪ will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic. ▪ The program runs under Linux, FreeBSD, NetBSD, OpenBSD, and Mac OS X. ▪ Wireless hacking suite that consists of scanner, packet sniffer, and IDS
Address Resolution Protocol (ARP)
__ is a network layer protocol used to convert an IP address into a physical address (called a DLC address), such as an Ethernet address. ▪ A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network.
Censys
__ is a new Search Engine for devices exposed on the Internet, it could be used by experts to assess the security they implement. ▪ Search engine for hosts and networks across the internet with data about their configuration ▪ Contains search interface, report builder, and SQL engine
Bully Tool
__ is a new implementation of the WPS brute force attack, written in C. ▪ It is conceptually identical to other programs, in that it exploits the (now well known) design flaw in the WPS specification.
Java Archive (JAR)
__ is a package file format that includes all of the necessary resources (i.e., class files, images, text, etc.) into one resource for a Java application to execute successfully.
Android Debug Bridge (ADB)
__ is a packaged file format that includes the necessary files to run an application on the Android operating system.
Hydra
__ is a password detection (cracking) tool that can be used in a wide range of situations, including authentication-based forms commonly used in web applications. ▪ Used when you need to brute-force remote authentication. ▪ Brute-force network log-on cracking tool ▪ Repeatedly attempts to log in to a system
Cain and Abel (Cain)
__ is a password recovery tool for Microsoft Windows. ▪ It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks.
Perimeter Barrier
__ is a physical security protection to help delay an attack or reduce damage to the facility, such as a gate, concrete barrier or fence.
QualysGuard Vulnerability Scanner
__ is a popular SaaS (software as a service) vulnerability management offering. Its web-based UI offers network discovery and mapping, asset prioritization, vulnerability assessment reporting and remediation tracking according to business risk.
John the Ripper
__ is a popular open source password cracking tool that combines several different cracking programs and runs in both brute force and dictionary attack modes.
Tableau
__ is a powerful and fastest growing data visualization tool used in the Business Intelligence Industry. ▪ It helps in simplifying raw data into the very easily understandable format. ▪ Data analysis is very fast with Tableau and the visualizations created are in the form of dashboards and worksheets.
Responder
__ is a powerful tool for quickly gaining credentials and possibly even remote system access. ▪ Has the ability to prompt users for credentials when certain network services are requested, resulting in clear text passwords. It can also perform pass-the-hash style attacks and provide remote shells ▪ LLMNR, NBT-NS, and mDNS poisoner ▪ Used to answer specific queries based on name suffix on the network
Rainbow Tables
__ are pre-computed hash values of known usernames and passwords used for offline password file cracking
Local Security Authority Subsystem Service (LSASS)
__ is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. ● Privilege Escalation (Windows)
Compliance Auditing
__ is a process of evaluating organizational controls to determine their adherence to standards and regulations.
Communication
__ is a process through which you send messages to and receive messages from others. ▪ Lots of communication is needed before, during, and after a penetration test ▪ Therefore, it is important to understand: ● Communication paths ● What triggers communication to occur ● And the reason for communicating in the first place
Binary Search
__ is a process used to determine the middle element of the array and compare it to the target value. If the middle element matches, it is returned. However, if the value is greater than the middle element position, the lower-half of the array is discarded. This method can be used to help speed up SQL injection attacks.
remediation
__ is a process used to fix or resolve an unwanted deficiency.
Maltego
__ is a program that can be used to determine the relationships and real world links between people, groups of people (social networks), and companies ▪ Intelligence gathering and analysis platform ▪ is a Reconnaissance Tool
Distributed Component Object Model (DCOM)
__ is a proprietary Microsoft technology for communication between software components on networked computers
Link-Local Multicast Name Resolution (LLMNR)
__ is a protocol based on the Domain Name System packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.
Simple Mail Transfer Protocol (SMTP)
__ is a protocol for sending e-mail messages between servers. ▪ Standard protocol for transmitting email ▪ Open relay, local relay, phishing, spam, etc.
Microsoft Remote Procedure Call (MSRPC)
__ is a protocol that allows a remote user to call procedures on a remote system as though they were calling it from the local system.
Remote Procedure Call (RPC)
__ is a protocol used in Windows to allow the remote execution of code on a remote computer or server
Domain Name System (DNS)
__ is a protocol within a set of standards that is used to associate a computer name to an IP address.
Whois
__ is a public Internet database that contains information about Internet domain names and the people or organizations that registered the domains. ▪ It is a source of information that can be used to exploit system vulnerabilities. ▪ is a Reconnaissance Tool
WHOIS
__ is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information. ▪ Query and response protocol for internet resources
Interrogation
__ is a question or an intense questioning session. ▪ Interviews used by law enforcement, military, or intelligence agencies ▪ Pentesters won't generally use this technique...
Tenable's Nessus Vulnerability Scanner
__ is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network.
Double Tagging
__ is a VLAN hopping attack made possible by a trunk port that carries its native VLAN untagged. The attacker crafts a frame with two 802.1Q tags: an outer tag matching the trunk's native VLAN and an inner tag for the target VLAN. The first switch strips the outer (native) tag and forwards the frame over the trunk; the next switch reads the remaining inner tag and delivers the frame into the target VLAN, bypassing the Layer-2 segmentation and any Layer-3 access control between the VLANs. ▪ One-way only: replies are not routed back to the attacker ▪ Mitigation: move the native VLAN to an unused ID and tag it explicitly, or remove it from trunks
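The frame layout and the two switch hops described above, as an added example (not from the CompTIA material and not a packet-injection tool): the frame is built as raw bytes with two 802.1Q tags, first_switch_forward models the native-VLAN strip, and second_switch_vlan shows which VLAN the next switch delivers into. The MAC addresses, VLAN IDs and the switch models are assumptions for the demo.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier (TPID)
ETH_P_IP = 0x0800


def vlan_tag(vid, pcp=0):
    """One 802.1Q tag: TPID 0x8100 followed by the TCI (PCP: 3 bits, DEI: 1, VID: 12)."""
    return struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vid & 0x0FFF))


def double_tagged_frame(dst, src, native_vid, target_vid, payload):
    """Attacker's frame: outer tag = the trunk's native VLAN, inner tag = the victim VLAN."""
    return (dst + src + vlan_tag(native_vid) + vlan_tag(target_vid)
            + struct.pack("!H", ETH_P_IP) + payload)


def parse_tags(frame):
    """Return the VLAN IDs in tag order and the offset of the EtherType that follows them."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, off


def first_switch_forward(frame, trunk_native_vid):
    """Model of the ingress switch: a frame whose first tag is the trunk's native VLAN
    leaves the trunk untagged, i.e. with that 4-byte tag stripped. Anything else is unchanged."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] == trunk_native_vid:
        return frame[:12] + frame[16:]
    return frame


def second_switch_vlan(frame):
    """The next switch reads whatever tag is now first and delivers into that VLAN."""
    vids, _ = parse_tags(frame)
    return vids[0] if vids else None
```

If the trunk's native VLAN does not match the attacker's outer tag (the mitigation above), the outer tag survives and the frame stays in the attacker's own VLAN.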
CeWL
__ is a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper. ▪ Tool to create a custom wordlist or dictionary ▪ Searches a target website for words meeting criteria set as inputs
Credentialed Vulnerability Scanning
__ is a scan conducted by a vulnerability scanner that has been given access to the system with the same rights as an authorized user.
__ is a search engine that can be used to find information about a target. ▪ is a Reconnaissance Tool
Shodan
__ is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. ▪ Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client. ▪ Search engine that lets you find webcams, routers, servers, and more on the internet
Data Execution Prevention (DEP)
__ is a security feature, implemented in hardware (the NX/XD bit) and software, that marks memory regions such as the stack and heap as non-executable. It does not stop a buffer from overflowing, but it prevents shellcode written into those regions from running, which is why exploits against DEP-enabled targets turn to return-oriented techniques such as ret2libc.
Fuzzing
__ is a security testing technique that sends unexpected, random, or malformed data to an input of an application or network service to generate errors, in the hope of discovering or exposing security weaknesses that could be exploited. ▪ Mutation-based fuzzers alter known-good inputs; generation-based fuzzers build inputs from a model of the format ▪ Crashes and unhandled exceptions are the signal; expected input-validation errors are noise
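A minimal mutation fuzzer, added as an example (not from the CompTIA material or any fuzzing product): parse_record is a constructed toy parser with a deliberate length-trust bug, mutate applies one random change to a seed input, and fuzz separates the parser's expected rejections (ValueError) from real crashes. The record format, the bug and the seed are assumptions made for the demo.

```python
import random

# Constructed valid record: <length><payload><checksum>
SEED_INPUT = bytes([3]) + b"abc" + bytes([(97 + 98 + 99) & 0xFF])


def parse_record(data: bytes) -> bytes:
    """Toy parser with a deliberate bug (constructed for the demo): it trusts the
    length byte, so a length larger than the remaining buffer makes the checksum
    read fall off the end of the data."""
    if not data:
        raise ValueError("empty record")              # expected rejection
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]                            # BUG: IndexError when n > len(data) - 2
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")              # expected rejection
    return payload


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation of the seed: overwrite a byte, insert a byte, or truncate."""
    buf = bytearray(seed)
    op = rng.choice(("flip", "insert", "truncate"))
    if op == "flip" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "truncate" and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)


def crashes(target, case: bytes) -> bool:
    """Re-run one case: True if it raises anything other than the parser's own ValueError."""
    try:
        target(case)
    except ValueError:
        return False
    except Exception:
        return True
    return False


def fuzz(target, seed: bytes, iterations: int = 5000, rng_seed: int = 1):
    """Feed mutated inputs to `target` until an unexpected exception appears.
    Returns (crashing_input, exception) or None if nothing was found."""
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                                  # rejected as designed, not a bug
        except Exception as exc:
            return case, exc                          # crash: save the input for triage
    return None
```

Real fuzzers (Peach, AFL, libFuzzer) add coverage feedback and format grammars on top of this loop, but the triage rule is the same: keep the exact bytes that produced the crash so it can be reproduced and minimised.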
Magnetic Switches
__ is a sensor installed between a door and its frame, or a window and its frame, that relies on a continuous magnetic connection to monitor the open/closed state. Breaking the connection can be used to trigger alarms.
Advanced Persistent Threat (APT)
__ is a sequence of actions perpetrated by an individual or group with the resources to establish persistent, stealthy, long-term footholds, pursuing specific goals against specific victims rather than relying on opportunistic attacks.
Linear Search
__ is a sequential process of evaluation where every value is checked until the correct value has been identified.
PowerSploit
__ is a series of Microsoft PowerShell scripts that can be used in post-exploitation scenarios during authorized penetration tests. ▪ Collection of Microsoft PowerShell modules for use in penetration testing ▪ Considered a post-exploitation framework
Adjudication
__ is a series of steps that determine which vulnerabilities are valid. ▪ Determine which results are valid __● False positives __● Filter out false positives
Protocol
__ is a set of formal rules that describe the functionality of how to send and receive data.
Group Policy Preferences (GPP)
__ is a set of optional extensions provided to expand the functionality of Group Policy Objects (GPOs). Allows Active Directory (AD) domain admins to create domain policies. ▪ Passwords once set through GPP (local users, scheduled tasks, drive maps) are stored in SYSVOL XML files as a cpassword attribute, encrypted with an AES key that Microsoft published; any domain user can read SYSVOL, so check for cpassword values (MS14-025 removed the feature but did not clean up existing files)
Docker
__ is a set of platform-as-a-service products that use OS-level virtualization to deliver software in packages called containers. ▪ Containers are isolated from one another and bundle their own software, libraries and configuration files. ▪ They can communicate with each other through well-defined channels.
Windows Management Instrumentation (WMI)
__ is a set of specifications from Microsoft for consolidating the management of devices and applications in a network from Windows computing systems
Static Application Security Testing (SAST)
__ is a set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. ▪ SAST solutions analyze an application from the "inside out" in a nonrunning state
Dynamic-Link Library (DLL)
__ is a shared library concept implemented in Microsoft operating systems.
script
__ is a short program that is used to automate tasks
OpenVAS (Open-source Scanner)
__ is a software framework of several services and tools offering vulnerability scanning and vulnerability management. ▪ All OpenVAS products are free software, and most components are licensed under the GNU General Public License.
Application Scanning
__ is a software program which performs automatic black box testing on a web application and identifies security vulnerabilities. Scanners do not access the source code, they only perform functional testing and try to find security vulnerabilities
Dossier
__ is a specific collection of documents. ▪ is a Reconnaissance Tool
Medusa
__ is a speedy, parallel, and modular login brute-forcer. ▪ The goal is to support as many services which allow remote authentication as possible. ▪ Key features: thread-based parallel testing and support for numerous remote authentication protocols (rlogin, SSH, Telnet, HTTP, etc.)
touch
__ is a standard command used in UNIX/Linux operating system which is used to create, change and modify timestamps of a file. ▪ touch (Linux, Unix, OSX) __● Updates time to the current time
Structured Query Language (SQL)
__ is a standard computer language for relational database management and data manipulation. ▪ Used to query, insert, update and delete data ▪ Prevent SQL injection through input validation, parameterized queries, and least privilege for the database account the application uses
File Transfer Protocol (FTP)
__ is a standard network protocol used for the transfer of computer files between a client and server on a computer network.
Peach
__ is a commercial fuzzing platform that combines a fuzzing engine with a graphical user interface. ▪ The Peach Fuzzer Platform uses automated generative and mutational modeling and intelligent test case generation to reveal bugs that other testing methods miss.
Identify assets
__ is a step in the threat modeling process that defines the critical elements an organization needs to protect, such as employees, facilities, servers, workstations, sensitive data, etc.
Architecture Overview
__ is a step in the threat modeling process that documents what an application or system does, describes how it is physically and logically implemented, and identifies the technologies that are in use.
Document the Threats
__ is a step in the threat modeling process where the organization will match each threat, threat actor, and respective vulnerability relevant to the organization.
Decompose the Application
__ is a step in the threat modeling process that breaks down the technologies and organizational assets and investigates the entry points and trust boundaries between interconnected systems.
Immunity debugger
__ is a Windows debugger aimed at writing exploits, analyzing malware, and reverse engineering Win32 binaries. ▪ Combines a graphical interface with a Python API, so analysis and exploit-development tasks can be scripted (the mona.py plugin is the common example) ▪ Used to write exploits, analyze malware, and reverse engineer binary files ▪ Supports Python APIs and execution
Advanced Encryption Standard (AES)
__ is a symmetric block cipher used in both hardware and software to encrypt sensitive information. ▪ 128-bit block size with 128-, 192-, or 256-bit keys
Internet of Things (IoT)
__ is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
Methodology
__ is a system of methods used in a particular area of study or activity.
Supervisory Control and Data Acquisition (SCADA)
__ is a system of software and hardware elements that allows industrial organizations to: ▪ Control industrial processes locally or at remote locations ▪ Monitor, gather, and process real-time data
Lock Bypass
__ is a technique in lockpicking, of defeating a lock through unlatching the underlying locking mechanism without operating the lock at all. ▪ Pentester could jam a lock or bypass it by manipulating the locking function ▪ Stop a door from being shut fully by inserting a spacer or wedge
Timestomp
__ is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files in the same folder. ▪ touch (Linux, Unix, OSX) __● Without arguments, updates the access and modification times to the current time __● touch -t or touch -d sets them to a given date/time __● ctime cannot be set this way: the kernel updates it to the current time on any metadata change, which is one way to spot a stomped file ▪ Meterpreter has a built-in timestomp command that can set all four timestamps on Windows (NTFS)
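An added example (not from the CompTIA material or Metasploit) of both sides of the technique: timestomp backdates a file the way touch -t does, timestamps shows that ctime still moves to "now", and looks_timestomped applies the resulting detection heuristic. The temporary file, the 2015 backdate and the 60-second slack are assumptions for the demo.

```python
import os
import tempfile
import time

# Constructed backdate: 2015-01-01 12:00 local time
BACKDATE = time.mktime((2015, 1, 1, 12, 0, 0, 0, 0, -1))


def timestomp(path: str, when: float) -> None:
    """Set atime and mtime to `when` (what `touch -t` does). ctime is not settable
    through this interface; the kernel bumps it to the current time instead."""
    os.utime(path, (when, when))


def timestamps(path: str) -> dict:
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def looks_timestomped(path: str, slack: float = 60.0) -> bool:
    """Heuristic used in triage: a modification time far older than the change time
    means the metadata was touched long after the claimed last write."""
    ts = timestamps(path)
    return ts["ctime"] - ts["mtime"] > slack


def demo() -> dict:
    """Create a file, backdate it, and report what an examiner would see."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"dropped payload")          # constructed content
        path = f.name
    try:
        before = looks_timestomped(path)      # fresh file: mtime and ctime agree
        timestomp(path, BACKDATE)
        ts = timestamps(path)
        return {
            "before": before,
            "after": looks_timestomped(path), # mtime says 2015, ctime says now
            "mtime": ts["mtime"],
            "ctime_recent": time.time() - ts["ctime"] < 60,
        }
    finally:
        os.remove(path)
```

The heuristic is not proof: a legitimate chmod or chown also moves ctime. It is a reason to look closer, and on NTFS the stronger check is comparing the $STANDARD_INFORMATION times against the $FILE_NAME times that user-mode tools cannot rewrite.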
Phishing
__ is a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail ▪ Lures people into providing sensitive data __● Personal identifiable information __● Banking information __● Passwords
Application Scanning - Static Analysis (SAST)
__ is a testing methodology that analyzes source code to find security vulnerabilities that make your organization's applications susceptible to attack. __ scans an application before the code is compiled. ▪ It's also known as white box testing. ▪ Performed in a non-runtime environment ▪ Inspects programming code for flaws/vulnerabilities ▪ Line by line inspection can be performed
theHarvester
__ is a tool for gathering e-mail accounts, subdomain names, virtual hosts, open ports/ banners, and employee names from different public sources ▪ Gathers emails, subdomains, hosts, employee names, open ports, and banners
APKX
__ is a Python wrapper around dex-to-jar converters and Java decompilers that extracts Java source code directly from Android APK files. ▪ Often used alongside Apktool, the tool for reverse engineering 3rd-party, closed, binary Android apps that decodes resources to nearly original form, rebuilds them after modification, and allows smali code to be debugged step by step
Proxychains
__ is a tool that forces any TCP connection made by a given application to go through a proxy such as Tor or any other SOCKS4, SOCKS5, or HTTP(S) proxy. ▪ Tool that forces TCP connections from all applications to run through a proxy ▪ Can be Tor or another HTTP/SOCKS proxy ▪ Used in Evasion & Remote Access
Foca (Fingerprinting Organizations with Collected Archives)
__ is a tool used mainly to find metadata and hidden information in the documents it scans. ▪ Used to find metadata and hidden info in docs ▪ These documents may be on web pages, and can be downloaded and analyzed with FOCA.
Domain Dossier
__ is a tool used to investigate domains and IP addresses. ▪ It gathers registrant information, DNS records and other things, compiling it all into one report. ▪ is a Reconnaissance Tool
Email Dossier
__ is a tool used to investigate emails. ▪ is a Reconnaissance Tool
Cross-compiling Code
__ is building executable code with a cross-compiler, a compiler that produces binaries for a platform other than the one it runs on. ▪ Many pentesters use Kali Linux but many victim systems are Windows-based ▪ Exploits for Windows can be compiled on Linux using tools like Mingw-w64
ARP spoofing
__ is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. ▪ This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network.
Authentication Attack
__ is a type of attack that can occur when we fail to use strong authentication mechanisms for our applications
Deauthentication (DeAuth) Attack
__ is a type of denial of service that targets communication between a user and a wireless access point ▪ An attacker can send a deauthentication frame at any time to a wireless access point, with a spoofed address for the victim.
Combination Lock
__ is a type of mechanical lock that requires a proper sequence of letters, numbers, symbols, or even directional movements using a joystick before the lock can open.
Shoulder Surfing
__ is a type of social engineering technique used to obtain information such as personal identification numbers, passwords and other confidential data by looking over the victim's shoulder. ▪ Reading the screen of another user ▪ Looking at a user entering a PIN or password
Joint Test Action Group (JTAG)
__ is a type of standard used for debugging and connecting to embedded devices on a circuit board.
Traceroute
__ is a utility application that monitors the network path of packet data sent to a remote computer. ▪ is a Reconnaissance Tool
SMS phishing (smishing)
__ is a variant of phishing email scams that instead utilizes Short Message Service (SMS) systems to send bogus text messages. ▪ Phishing that occurs over text message
Programmable Logic Controller (PLC)
__ is a very small dedicated computer in an industrial system that is capable of converting analog data to digital data. The __ works in real time, can control machinery, and is a critical component of the ICS (industrial control system).
False positives
__ is a vulnerability that is identified by the scan but does not really exist on the system ▪ Should be verified and filtered out of your results
Rapid7's Nexpose
__ is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. ▪ It integrates with Rapid7's Metasploit for vulnerability exploitation.
Nikto
__ is a web server scanner that will test a web site for thousands of possible security issues. ▪ Including dangerous files, mis-configured services, vulnerable scripts and other issues. ▪ It is open source and structured with plugins that extend the capabilities.
Hashcat
__ is a well-known password cracker. ▪ It is designed to break even the most complex passwords. ▪ To do this, it enables the cracking of a specific password in multiple ways, combined with versatility and speed.
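How a cracker like Hashcat actually works, as an added example (not from the CompTIA material or Hashcat's code): hash each candidate the way the target was hashed and compare. candidates() expands a small wordlist with the kind of mangling rules hashcat applies with -r, and crack() runs the attack against a salted SHA-256 target. The salt, the wordlist and the target password are constructed for the demo.

```python
import hashlib

# Constructed target, in the "salt:hash" shape a cracker is normally handed.
TARGET_SALT = "n4cl"
TARGET_HASH = hashlib.sha256((TARGET_SALT + "Summer2023!").encode()).hexdigest()

# Constructed wordlist, the kind of thing CeWL would produce from a company site.
WORDLIST = ["password", "summer", "winter", "letmein", "acme"]


def sha256_salted(salt: str, password: str) -> str:
    """The hashing scheme the target used; must match exactly or nothing will ever crack."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def candidates(words):
    """Rule-based expansion: identity, capitalize, append a year, append a suffix.
    This is the idea behind hashcat rule files, kept deliberately small here."""
    years = ["", "2022", "2023"]
    suffixes = ["", "!", "1"]
    for word in words:
        for base in sorted({word, word.capitalize()}):
            for year in years:
                for suffix in suffixes:
                    yield base + year + suffix


def crack(salt: str, target_hash: str, words):
    """Dictionary attack with rules. Returns (plaintext, candidates_tried) or (None, tried)."""
    tried = 0
    for cand in candidates(words):
        tried += 1
        if sha256_salted(salt, cand) == target_hash:
            return cand, tried
    return None, tried
```

The cost model is the same as in real cracking: work scales with the number of candidates times the cost of the hash function, which is why slow, salted, memory-hard hashes (bcrypt, scrypt, Argon2) matter and why a unique salt per user stops one hash computation from testing every user at once.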
RFID (radio frequency identification)
__ is a wireless communication standard that uses radio waves to read data stored on a tag from a distance.
Jamming
__ is a wireless denial of service attack that prevents devices from communicating with each other by occupying or overpowering the frequency they use
iOS App Store package (IPA)
__ is a zip-compressed archive containing the necessary files to run an application on the Apple iOS mobile architecture.
Scanning
__ is actively connecting to a system and analyzing the responses to identify open ports and services
Enumeration
__ is actively connecting to the systems to determine open shares, user accounts, software versions, and other detailed info
Packet Crafting
__ is also known as packet manipulation ▪ Sending modified packet headers to gather information from a system or host ▪ Creating specific network packets to gather information or carry out attacks ▪ Tools - netcat, nc, ncat, hping
Relay Attack
__ is an attack that occurs when the attacker becomes the man-in-the-middle of a communication session and forwards (relays) one party's messages to the other, for example passing a captured authentication exchange on to a different server
Replay Attack
__ is an attack that occurs when valid data is captured by an attacker and is repeated or delayed ▪ For example, they could capture a wireless authentication handshake and replay it to gain access to the wireless network as an authenticated client
Downgrade Attack
__ is an attack that attempts to make a client or server abandon a higher security mode for a lower one ▪ TLS 1.2 is more secure than SSL 2.0 __● A downgrade attack causes the session to attempt to establish an SSL 2.0 connection instead
SSL stripping attack
__ is an attack where a man-in-the-middle rewrites a site's HTTPS links and redirects to plain HTTP, so the user's browser talks to the attacker unencrypted while the attacker keeps an HTTPS connection to the real site ▪ HTTP Strict Transport Security (HSTS) is the countermeasure
Session hijacking
__ is an attack on the web session control mechanism that takes over a session by guessing, stealing, or fixing the session token
Simple Network Management Protocol (SNMP)
__ is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. ▪ Used to query and manage IP devices ▪ v1 and v2c authenticate with plain-text community strings (defaults such as public/private are common); v3 adds authentication and encryption
Nikto (Web Application Scanner)
__ is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers.
Deception
__ is the act of misleading someone into believing something false. Used in SE attacks.
Meterpreter
__ is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at run-time. ▪ It communicates over the stager socket and provides a comprehensive client-side Ruby API. ▪ It features command history, tab completion, channels, and more.
Reaver Tool
__ is a tool that brute-forces a wireless router's WPS PIN in order to recover the WPA/WPA2 passphrase. ▪ Runs on Linux (included in Kali); an Android port with a simple interface also exists ▪ Only works against access points that leave WPS enabled and do not lock out after failed PIN attempts
RESTful API
__ is an application program interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data.
Representational State Transfer (REST)
__ is an architectural style for developing web services. __ is popular due to its simplicity and the fact that it builds upon existing systems and features of the internet's Hypertext Transfer Protocol (HTTP) in order to achieve its objectives, as opposed to creating new standards, frameworks and technologies.
Ret2libc
__ is an attack technique that overwrites the saved return address on the stack so that execution "returns" into the C library's system() function, with the stack arranged to supply an argument such as /bin/sh ▪ Stands for "return to libc" ▪ Executes only code that is already in memory, so it bypasses DEP/NX; ASLR is the usual obstacle ● Privilege Escalation (Linux)
Directory traversal
__ is an attack that uses ../ sequences (often URL-encoded) in a file path parameter to read files and directories outside the web server's root directory, such as configuration files or /etc/passwd
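The flaw and its fix side by side, as an added example (not from the CompTIA material): vulnerable_path is the naive join that lets ../ escape the document root, safe_path decodes the input, normalises it and proves the result is still under the root. The document root and the sample requests are assumptions for the demo.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root for the demo


def vulnerable_path(user_input: str) -> str:
    """Flawed: joins untrusted input onto the web root; '..' walks straight out of it."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_input))


def safe_path(user_input: str) -> str:
    """Hardened: decode twice (to defeat double URL encoding), strip any leading slash so
    join cannot be hijacked by an absolute path, normalise, then prove the candidate is
    still inside the root by component-wise comparison. Raises PermissionError otherwise."""
    decoded = unquote(unquote(user_input))
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        raise PermissionError(f"traversal blocked: {user_input!r}")
    return candidate


def is_allowed(user_input: str) -> bool:
    """Convenience wrapper for checks: does safe_path accept this request?"""
    try:
        safe_path(user_input)
        return True
    except PermissionError:
        return False
```

Two caveats for real code: on a live filesystem resolve with os.path.realpath before the commonpath check so a symlink inside the root cannot point outside it, and reject NUL bytes, which some runtimes treat as string terminators.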
Denial of Service (DoS)
__ is an attack that attempts to prevent a system from performing its normal functions. ▪ Called a stress test in penetration testing ▪ Attack that denies resources or a service to an authorized user by exhausting resources
Karma Attack
__ is an attack that exploits a behaviour of some Wi-Fi devices, combined with the lack of access point authentication in numerous WiFi protocols. ▪ Karma Attacks Radio Machines Automatically ▪ Devices listen for SSID probe requests and respond as if they were the legitimate access point
Credential Harvesting
__ is an attack that focuses on collecting usernames and passwords from its victims ▪ In wireless, this is usually performed by creating a fake Captive Portal ▪ ESPortalV2 can be used to setup a fake portal and redirect all WiFi devices connected to the portal for authentication
cross-site request forgery (XSRF)
__ is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. ▪ CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. ▪ Mitigate with anti-CSRF tokens and SameSite cookie attributes
File Inclusion
__ is an attack that includes a file into a targeted application by exploiting a dynamic file inclusion mechanism ▪ Usually occurs due to improper input validation by application ▪ File can be included __● Local ----o ../../uploads/malware.exe __● Remote ----o https://www.xyz.com/malware.exe
Cross-Site Scripting (XSS)
__ is an attack that injects malicious script into content served by a web application so that it executes in other users' browsers, allowing session theft, defacement, or actions on the victim's behalf. ▪ Reflected, stored, and DOM-based variants
DNS Poisoning
__ is an attack that inserts forged records into a resolver's or host's DNS cache so that a name resolves to the attacker's address and the computer is automatically redirected to an attacker's device.
Cookie Manipulation
__ is an attack that uses DOM-based cookie manipulation that allows a script to write data into the value of a client-stored cookie
Clickjacking
__ is an attack that uses multiple transparent layers to trick a user into clicking on a button or link on a page when they were intending to click on the actual page. ▪ Conceals hyperlinks under legitimate clickable content ▪ Mitigate with the X-Frame-Options header or a Content-Security-Policy frame-ancestors directive
Network Access Control (NAC) Bypass
__ is an attack where a malicious attacker bypasses the NAC to gain access to the network without authorization. ▪ NAC can prevent you from gaining access to the network ▪ NAC can often be bypassed by spoofing the MAC address of a VOIP device __● Many VOIP devices don't support 802.1x __● Their MAC addresses are often whitelisted for NAC
distributed denial-of-service (DDoS) attack
__ is an attack where many computers collaborate to shut down a target, usually by keeping it busy or overwhelming it with incoming requests.
Whaling Phishing
__ is a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO, in order to steal sensitive information from a company, since those in senior positions typically have broad access ▪ Form of spear phishing that directly targets the CEO, CFO, CIO, CSO, or other high-value targets
Scheduled Tasks
__ is a persistence technique in which an attacker uses the Windows Task Scheduler to create callbacks and retain access ▪ Arbitrary code can be executed at a certain time or in response to an event ▪ Enumerate with schtasks /query /fo LIST /v ● Privilege Escalation (Windows)
Local Security Authority (LSA)
__ is the authentication subsystem in the Windows operating system that provides additional features and options, such as support for multi-factor authentication (smart cards), custom security packages, and credential management, in order to support interaction with non-Microsoft products such as networks or databases.
WiFite(2)
__ is an automated wireless attack tool. ▪ Attacks multiple WEP- and WPA-encrypted networks, and WPS-enabled access points, in a row ▪ The tool is customizable and can be fully automated with only a few arguments ▪ Automated wireless attack tool
Nmap Scripting Engine (NSE)
__ is an embedded Lua programming language interpreter that provides features that help automate various tasks such as information discovery and exploitation techniques.
Certificate Authority (CA)
__ is an entity trusted by one or more users as an authority in a network that issues, revokes, and manages digital certificates.
Broadcast Storms
__ is an excessive amount of broadcast traffic within a short period of time, enough to disrupt normal operation. A common cause is a switching loop: with redundant paths between switches and no working Spanning Tree Protocol, a broadcast frame is bounced back and forth between switches indefinitely.
Burp Suite
__ is an integrated platform for performing security testing of web applications. ▪ Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. ▪ Graphical tool for web application security ▪ Allows for the interception, inspection, and modification of raw traffic passing through it
Access Control Point
__ is an intentionally selected point of ingress or egress that is restricted by design, monitoring, or physical limitation that allows a facility owner to control entrance or exit for a physical location.
Embedded Devices
__ is an object that contains a special-purpose computing system. ▪ The system, which is completely enclosed by the object, may or may not be able to connect to the Internet.
Legal Representation
__ is an official appointed by an organization to ensure that legal obligations and commitments are upheld by all parties, including the vendor providing the penetration testing services.
TCPDump
__ is an open source command-line tool for monitoring (sniffing) network traffic. __ works by capturing and displaying packet headers and matching them against a set of criteria.
SQLmap
__ is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. ▪ Support to dump database tables entirely, a range of entries or specific columns as per user's choice.
Puppet
__ is an open source software configuration management and deployment tool. ▪ It's most commonly used on Linux and Windows to pull the strings on multiple application servers at once.
Wireshark
__ is an open source tool for profiling network traffic and analyzing packets. ▪ This information can be useful for evaluating security events and troubleshooting network security device issues. __ will typically display information in three panels.
SET (Social Engineer Toolkit)
__ is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. ▪ Is aimed at leveraging advanced technological attacks in a social-engineering type environment.
SonarQube
__ is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages
YASCA (Yet Another Source Code Analyzer)
__ is an open-source static analysis tool, written by its author around 2008-2010, to detect security vulnerabilities in application source code. ▪ It's written in PHP, but run as a command-line tool.
W3AF
__ is an open-source web application security scanner. ▪ The project provides a vulnerability scanner and exploitation tool for Web applications. ▪ It provides information about security vulnerabilities for use in penetration testing engagements.
Real-Time Operating System (RTOS)
__ is an operating system intended to serve real-time applications that process data as it comes in, typically without buffer delays. ▪ Usually found in embedded systems ▪ Security is not a primary concern during their development ▪ Often a specialized or stripped-down kernel (e.g., VxWorks, FreeRTOS, QNX, or a real-time Linux variant) ▪ Uses limited resources on the machine and can be subjected easily to attacks
Nessus Attack Scripting Language (NASL)
__ is a scripting language developed by Tenable and used to develop Nessus plugins, which contain vulnerability information, remediation details, and the logic to determine the presence of a security weakness.
Ollydbg
__ is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. ▪ It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries. ▪ Assembler level debugger for Windows ▪ Useful for binary code analysis without source code being available
Trojans
__ is any malicious computer program that misleads users as to its true intent ▪ A piece of software that pretends to be a game but allows the attacker access to the system ▪ Used as a technical form of social engineering ● Could be used to persist on a victim machine
Network Access Control (NAC)
__ is built on the principles of IEEE 802.1X and controls which devices are allowed to connect to a network by implementing a set of protocols and policies that enforce requirements for authentication during connection, such as posture checking or whitelisting.
Segmentation Fault (segfault)
__ is caused by a software program attempting to read or overwrite a restricted area of memory.
Evasion
__ is challenging a security control successfully, such as deploying malware in a location on a hard drive that does not get scanned by antivirus software.
Clearing the Log Files
__ is cleaning up traces of our activities in various log files to cover your tracks. ▪ Windows __● System, Application, and Security event logs ▪ Linux __● Logs are usually stored in /var/log ▪ IMPORTANT __● Penetration testers DO NOT usually modify or delete any of the logs...check your scope of work!
Elicitation
__ is collecting intelligence information from people as part of human intelligence (intelligence collection) ▪ Usually uses a series of questions to get employees to tell you valuable or sensitive information ▪ If you can compromise one email account then you can elicit more information from other employees by acting like that person
Dumpster Diving
__ is combing through trash to identify valuable assets. ▪ Pentester looks through the trash of an organization ▪ Looking for paperwork, disks, USB drives, badges, files, manuals
Programming
__ is creating a sequence of instructions to tell a computer how to perform a specific task
Open-Source Intelligence (OSINT)
__ is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term "open" refers to overt, publicly available sources. It is not related to open-source software or collective intelligence.
OSINT (Open Source Intelligence)
__ is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term "open" refers to overt, publicly available sources. ▪ It is not related to open-source software or collective intelligence.
Kerberos Authentication
__ is designed to provide strong authentication for client/server applications by using secret-key cryptography. ▪ The Key Distribution Center (KDC) comprises the Authentication Service (AS) and the Ticket Granting Service (TGS) ▪ A client first obtains a ticket-granting ticket (TGT), then presents it to the TGS for a service ticket
Banner Grabbing
__ is gathering information from messages that a service transmits when another program connects to it. ▪ Manual enumeration and fingerprinting ▪ Use telnet or Netcat to connect to target host ▪ Commonly used for FTP, SSH, Telnet, & HTTP
Fingerprinting
__ is identification of the operating system, service, software versions being used by a host ▪ Determining OS type and version a target is running
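The banner-grabbing and fingerprinting steps from the two entries above, as an added example (not from the CompTIA material): serve_banner starts a throwaway local listener so the demo runs offline, grab_banner does what connecting with Netcat does, and fingerprint matches the banner against a few constructed patterns to pull out product and version. The sample banners are written in the style of real services but were not captured from any live host.

```python
import re
import socket
import threading

# Constructed banners in the style of real services (not captured from live hosts).
SAMPLE_BANNERS = {
    "ftp": b"220 (vsFTPd 3.0.3)\r\n",
    "ssh": b"SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n",
    "smtp": b"220 mail.example.test ESMTP Postfix\r\n",
}

# Small fingerprint table: (pattern, service). Real tools carry thousands of these.
FINGERPRINTS = [
    (re.compile(rb"^SSH-(?P<proto>[\d.]+)-(?P<product>OpenSSH)_(?P<version>[\w.]+)"), "ssh"),
    (re.compile(rb"^220 \((?P<product>vsFTPd) (?P<version>[\d.]+)\)"), "ftp"),
    (re.compile(rb"^220 \S+ ESMTP (?P<product>\w+)"), "smtp"),
]


def fingerprint(banner: bytes) -> dict:
    """Map a banner to service/product/version; unknown banners are still reported."""
    for pattern, service in FINGERPRINTS:
        m = pattern.match(banner)
        if m:
            info = {k: v.decode() for k, v in m.groupdict().items() if v}
            info["service"] = service
            return info
    return {"service": "unknown"}


def serve_banner(banner: bytes) -> int:
    """Start a one-shot local listener that sends `banner` on connect; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Equivalent of `nc host port`: connect and read whatever the service volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(1024)
```

FTP, SSH and SMTP speak first, so reading is enough; HTTP stays silent until the client sends a request, so for it you send something like HEAD / HTTP/1.0 followed by a blank line and fingerprint the Server header in the reply. Banners can be changed by administrators, so treat the version as a lead to verify, not a finding.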
Injection Attacks
__ is insertion of additional information or code via a data input from a client to the application ▪ Most commonly done as SQL injection, but can also be HTML, command, or code injection ▪ Prevent this through input validation, parameterized queries, and least privilege for the database account the application uses
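The SQL injection case and its prevention, as an added example (not from the CompTIA material) that also serves the SQL entry earlier on this page: login_vulnerable builds the query by string concatenation, so the payloads become part of the SQL grammar; login_safe binds the same input as parameters, so it can only ever be compared as data. The table and credentials are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo table; not real credentials."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse battery')")
    return db


def login_vulnerable(db, user: str, pw: str) -> bool:
    """String-built query: the attacker's input is parsed as SQL, not as a value."""
    sql = f"SELECT 1 FROM users WHERE name = '{user}' AND pw = '{pw}'"
    return db.execute(sql).fetchone() is not None


def login_safe(db, user: str, pw: str) -> bool:
    """Parameterised query: the driver sends input as bound data, so quotes and
    comment markers inside it never reach the SQL parser."""
    sql = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return db.execute(sql, (user, pw)).fetchone() is not None


# Classic payloads (constructed): the first comments out the password check,
# the second makes the WHERE clause always true.
PAYLOAD_USER = "admin'--"
PAYLOAD_PW = "' OR '1'='1"
```

Least privilege is the second layer: even a parameterised application should connect with an account that cannot read other schemas, write files, or execute OS commands, so that a missed injection point cannot become a full database takeover of the kind SQLmap automates.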
NETCAT
__ is known as the TCP/IP Swiss army knife. ▪ From the tool's man page: __ is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. ▪ It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts.
Fragmentation Attack
__ is an attack that exploits vulnerabilities in the fragment reassembly functionality of the TCP/IP protocol stack, or, in the wireless context, a technique against WEP that recovers keystream from fragmented frames. ▪ IP version: attacker exploits a network by using datagram fragmentation mechanisms against it (overlapping or incomplete fragments that confuse reassembly or evade inspection) ▪ WEP version: a small amount of keying material is obtained from a captured packet, then ARP and/or LLC packets with known content are sent to the access point (AP) ▪ If the packet is successfully echoed back by the AP, a larger amount of keystream can be obtained from the returned packet
Web Proxies
__ is one method for hiding your IP address from the websites you visit. EX: o When you request a site through an online proxy, you are telling the proxy server to fetch the site for you; when it receives the page you want, it sends it back to you, so the site only sees the proxy's address.
OWASP Zed Attack Proxy (ZAP)
__ is one of the world's most popular web application security testing tools. ▪ The tool can be used during web application development by web developers or by experienced security experts during penetration tests to assess web applications for vulnerabilities.
IDA Pro or IDA (Interactive Disassembler)
__ is primarily a multi-platform, multi-processor dis-assembler that translates machine executable code into assembly language source code for purpose of debugging and reverse engineering ▪ It can be used as a local or as a remote debugger on various platforms. ▪ Generates assembly language code from executable code ▪ Graphical user interface and supports executables from multiple operating systems
IDA or IDA Pro
__ is primarily a multi-platform, multi-processor disassembler that translates machine executable code into assembly language source code for the purpose of debugging and reverse engineering. ▪ It can be used as a local or as a remote debugger on various platforms.
Sticky Bit
__ is primarily used on shared directories. ▪ Used for shared folders like /tmp ▪ Allows users to create files, and to read and execute files owned by other users ▪ Attacker cannot remove files owned by others EX: o # ls -ld /var/tmp o drwxrwxrwt 2 sys sys 512 Jan 26 11:02 /var/tmp o - T refers to when the execute permissions are off. o - t refers to when the execute permissions are on. ● Privilege Escalation (Linux)
Compliance-based Assessment
__ is really a gap assessment. You are looking to identify gaps between your existing control environment and what is required. ▪ Mandated by standard, regulation, or legislation __● Ex: PCI-DSS
Erase, Modify, or Disable the Evidence
__ is removing any unneeded files or tools that were added to the victim's machine to cover your tracks. ▪ Hiding other files and resources in hidden or uncommon locations ▪ Linux, Unix, OS X __● Create a folder beginning with . ▪ Windows __● Hide files in the System32 or User folders __● Apply the hidden attribute __● Use Alternate Data Streams ▪ Hide files in the slack space
Bluejacking
__ is sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs, or laptops
BeEF
__ is short for The Browser Exploitation Framework. ▪ It is a penetration testing tool that focuses on the web browser. ▪ Unlike other security frameworks, it looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser.
Set-Group Identification (SGID)
__ is similar to the SUID permission; the only difference is that when a script or command with SGID set is run, it runs as if it were a member of the same group that owns the file. EX: o # ls -l /usr/bin/write o -r-xr-sr-x 1 root tty 11484 Jan 15 17:55 /usr/bin/write ▪ The setgid permission displays as an "s" in the group's execute field. The first s (owner field) stands for SUID and the second one (group field) stands for SGID. ● Privilege Escalation (Linux)
Impersonation
__ is someone who imitates or copies the behavior or actions of another. __ is an act of pretending to be someone else in order to gain access or gather information
Server Message Block (SMB)
__ is the Internet standard protocol Windows uses to share files, printers, and serial ports. ▪ It can also communicate with any server program that is set up to receive an SMB client request. ▪ Uses TCP ports 139 and 445
Bluesnarfing
__ is the theft of information from a wireless device through a Bluetooth connection
Badge Cloning
__ is the act of cloning an official badge to bypass security. ▪ Identification badges are required by many organizations ▪ Snap a photo using a digital camera and reproduce the security badge __● Works visually but won't make it past a reader ▪ Badge cloners can reproduce magnetic swipe or RFID badges
Lock Picking
__ is the art of opening a lock without a key. ▪ Many areas that the pentester needs access to are locked ▪ Learning lock picking is a valuable skill for a pentester who focuses on physical security
Drozer
__ is the combination of two key components: ▪ The Agent: a lightweight Android app that runs on the device or emulator being used for testing. ▪ The Console: a command-line interface running on your PC that allows you to interact with the Dalvik VM through the Agent. ▪ Provides tools to use and share public exploits for the Android operating system ▪ Complete security audit and attack framework
False Positive
__ is the condition identified during automated or manual testing that results in the incorrect identification of an issue.
rate the threats
__ is the final stage in the threat modeling process, and probably the most subjective, used to quantify the risk based on probability and damage potential.
Biometrics
__ is the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting ▪ Fingerprint readers and other __ aren't foolproof security measures
Risk appetite
__ is the level of risk the organization is willing to accept in order to achieve its goals.
Virtual Local Area Network (VLAN) Hopping
__ is the malicious act of attacking hosts on a different VLAN. ▪ VLANs are often used as logical separation ▪ Attack a host on a different VLAN to gain access ▪ Double tagging the VLAN tag in 802.1Q ▪ Switch Spoofing __● Attempt to auto-negotiate with a targeted switch by setting your device to act as a switch __● Switches get copies of all VLAN traffic and separate them based on tags
Cpassword
__ is the name of the attribute that stores the passwords in a Group Policy preference item ▪ Stored in the SYSVOL folder on the Domain Controllers in an encrypted XML file ▪ Easily decrypted by any authenticated user in the domain ● Privilege Escalation (Windows)
Backdoor
__ is the persistence mechanism that allows an attacker to maintain control of a target if the remote connection drops temporarily.
passive information gathering
__ is the process of assessing a target to collect preliminary knowledge about the system, software, network, and people without actively engaging a target or its assets.
Normalization of Data
__ is the process of combining data from multiple sources and in different formats into a common and consistent event format. ▪ Teams collect a lot of data during a test ▪ Each tool collects and stores data differently ▪ All the data must be aggregated, normalized, and correlated in order for it to "make sense"
Deconfliction
__ is the process of distinguishing pentest artifacts from artifacts of an actual compromise or other activity to help resolve contradictory conclusions or responses.
Binary Analysis
__ is the process of examining the functions and purpose of a compiled program or application at the architecture instruction level.
bluebugging
__ is the process of exploiting a bug in older phone models with Bluetooth technology that enables complete command and control of the mobile device.
Jailbreaking
__ is the process of exploiting a software vulnerability in iOS that enables low-level execution with elevated privileges in order to remove restrictions imposed by Apple, to customize the device and install unapproved applications.
Debugging
__ is the process of finding and resolving defects or problems within a computer program that prevent correct operation of computer software or a system. ▪ Used to identify and remove errors from hardware, software, or systems ▪ Tools: WinDbg
Decompiling
__ is the process of reverse-engineering source code from the binary. ▪ Reverse engineering of software using a decompiler ▪ Reverses the process of a compiler, but not as cleanly ▪ Decompilers cannot always turn executables back into their source code, but can turn them back into byte code or assembly
Exfiltrate (exfil)
__ is the process of unauthorized data movement from inside a protected space to outside of it, whether by copying, transferring, or retrieval.
Authorization
__ is the process or action involved with determining the appropriate access levels that should be granted to a user or process.
Authentication
__ is the process or action of confirming an identity used to interact with or log in to an information system.
EnCase
__ is the shared technology within a suite of digital investigation products by Guidance Software (now acquired by OpenText). ▪ EnCase allows the investigator to conduct in-depth analysis of user files to collect evidence such as documents, pictures, internet history, and Windows Registry information.
Google hacking
__ is the technique of using advanced operators in the Google search engine to locate specific strings of text within search results, including strings that identify software vulnerabilities and mis-configurations. ▪ Reconnaissance tool
Cryptographic Inspection
__ is to determine what encryption is being used during your information gathering ▪ Do they have web servers with SSL or TLS? ▪ What about wireless networks using WEP, WPA, WPA2, or a WPS handshake? ▪ Are files encrypted on the network shares?
Covering Your Tracks
__ is to do things that hide your activities from other people, so that they cannot find out what you have been doing.
Attestation of Findings
__ is to provide evidence of your findings to the client ▪ Provide them detailed reports, explanations, and ensure they understand the risks involved
Post-Engagement Cleanup
__ is to remove shells, tools, and credentials created
Query throttling
__ is to slow down test iterations to avoid exceeding bandwidth ▪ nmap -T
Egress Sensor
__ is tricking a door's sensor into opening the door. ▪ Door will automatically unlock and open when a person approaches ▪ Sensors could be tricked to allow the door to be opened ▪ Some of these "fail open" when power is lost
Point-of-Sale (POS) Systems
__ typically includes a cash register (which in recent times comprises a computer, monitor, cash drawer, receipt printer, customer display and a barcode scanner), and the majority of retail POS systems also include a debit/credit card reader.
Findsecbugs
__ is used for static code analysis. It can be integrated as an IDE plugin, or its maven plugin can be added to the pom.xml file of a project source code. ▪ Then the container scans the source code and provides access to a generated report through an API. ▪ Used to conduct security audits of Java apps before deployment
De-confliction
__ is used to determine if detected activity is a hacker or an authorized penetration tester ● Communication Reasons
Repeating
__ is used to capture the existing wireless signal and rebroadcast it to extend the range ▪ If not properly configured by the network administrators, this can be an attack vector
Situational Awareness
__ is used to create a shared common understanding of the network and its current security state ● Communication Reasons
Set-User Identification (SUID)
__ is used to describe a file option that lets a program or script run with elevated privileges to perform certain tasks EX: o # ls -lrt /usr/bin/passwd o -r-sr-sr-x 1 root sys 31396 Jan 20 2014 /usr/bin/passwd ▪ If you check carefully, you would find the 2 S's in the permission field. The first s stands for the SUID and the second one stands for SGID. ● Privilege Escalation (Linux)
DNS Forward Lookup
__ is used to query the DNS server and request the IP address of a host that corresponds to a fully qualified domain name (FQDN)
DNS Reverse Lookup
__ is used to query the DNS server and request the fully qualified domain (FQDN) of a host that corresponds to a given IP address.
Eavesdropping
__ is used to refer to the interception of communication between two parties by a malicious third party. ▪ Radio Frequency monitoring can be performed to determine the type of devices used in the facility (Cellular, WiFi, Bluetooth, etc) ▪ Radio frequencies can be captured and analyzed using specialized tools
Scheduled Jobs (cron jobs)
__ is used to schedule commands at a specific time. ▪ Cron jobs are used in Unix, Linux, and OS X ▪ Allows a script or command to be run at periodic times, dates, or intervals ▪ EX: export_dump.sh is run every Saturday (6) at 23:45 ● Could be used to persist on a victim machine
Fake Cellphone Towers
__ is when a malicious attacker captures the International Mobile Subscriber Identity (IMSI) number. ▪ Can be used to create a man-in-the-middle
WPS Implementation Weakness
__ is when a malicious attacker is able to attack because Wi-Fi Protected Setup (WPS) uses a push-button configuration method to set up devices. ▪ Uses an 8-digit WPS PIN to configure them ▪ Can be easily brute-forced because the PIN is authenticated in two halves ▪ Reaver and Bully are common attack tools
Indicators of Prior Compromise
__ is when a pentester detects attack signatures indicating the network has been previously hacked, and must then notify the company about the issue. ● Communication Triggers
Fence Jumping
__ is when a person physically goes over a fence to bypass security measures. ▪ Fences provide a physical security boundary for the organization ▪ Pentester can go over (or under) a fence to avoid a checkpoint
Weak Credentials Attack
__ is when a password is a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name, or common variations on these themes. ▪ Easy to crack using dictionary or brute force attacks
Cold Boot Attack
__ is when a user or malicious attacker is able to retrieve the encryption keys from a running operating system after using a cold reboot to restart the machine ▪ A side channel attack where an attacker has physical access to the system ● Privilege Escalation
Critical Findings
__ is when a vulnerability is found that poses significant risk to the security of the network, and the pentester communicates that there is a major issue. ● Communication Triggers
Sandbox Escape - Virtual Machines
__ is when escaping the VM sandbox leads to exploitation of the underlying hardware and puts other hosted VMs at risk ● Privilege Escalation
RFID Cloning
__ is when an attacker captures the Radio Frequency (RF) signal from a badge or device and can copy it for reuse
cross-site request forgery (XSRF)
__ is when an attacker forces a user to execute actions on a web server to which they are authenticated ▪ Attacker cannot see the web server's response, but this attack can be used to have the victim transfer funds, change their password, and more
Exploitable Services
__ is when an attacker uses the way services normally operate to cause an unintended program to run Examples ▪ Unquoted service path call in file system o C:\Dion\My Files\server.exe Normal o C:\Dion\My\server.exe Malicious ▪ Writable services o Using PSExec, a service can be replaced with a custom service that runs a command shell (cmd.exe) ● Privilege Escalation (Windows)
Security Misconfiguration
__ is an attack that relies on the application or server using insecure settings.
Man-in-the-middle (MITM) attack
__ is when a hacker places themselves between a client and a host to intercept network traffic; also called session hijacking.
Sandbox Escape - Shell upgrade
__ is when restricted shells (like rbash) are exploited to gain an upgraded shell ● Privilege Escalation
USB Key Drop
__ is when someone leaves USB devices for people to find and plug into their computers. ▪ Malicious code: in the most basic of USB drop attacks, the user clicks on one of the files on the drive. ▪ Pentester loads up a USB with malware, backdoors, or a keylogger ▪ Drop the USB drive in the parking lot near the organization
comparison operator
__ is when something compares one value to another, e.g. Value1 == Value2
Credential brute forcing
__ is when the attacker tries to log in to the application using every username and password. ▪ There are a number of tools and techniques the attacker can use to speed up or automate the process.
Client Acceptance
__ is when the client agrees that you have fulfilled the scope of work. ▪ Is formal acceptance required by the contract?
Race Condition
__ is when two separate inputs compete on the basis of time for processing a single target such that the order of processing may produce unexpected or undesirable results.
Sniffing Network Traffic
__ is when you intercept and log network traffic that can be seen via the wired or wireless network interface. ▪ If you gain access to one host computer, you could use it to capture traffic on other parts of the network, too!
Stages
__ lead to Communication and occur as the assessment moves from one phase to another ● Communication Triggers
Port Scan - Open
__ means an application is accepting connections
Port Scan - Closed
__ means no application is listening for connections
Insecure Direct Object Reference
__ occurs when an application provides direct access to objects based on user-supplied input. ▪ Allows attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object.
Reflected Cross-site Scripting (XSS)
__ occurs when an attacker injects browser-executable code within a single HTTP response. The injected attack is not stored within the application itself ▪ It is non-persistent and only impacts users who open a maliciously crafted link or third-party web page ▪ Non-persistent, activated through a link on a site
Piggybacking/Tailgating
__ occurs when a pentester follows an authorized individual into a secure location ▪ Authorized person may or may not be complicit
Virtual Network Computing (VNC)
__ operates much like RDP, but is a cross-platform solution for Windows, Linux, and OS X ▪ Originally used in thin client architectures
Recon-NG
__ provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly. ▪ Open-source web reconnaissance framework written in Python
Sandbox Escape - Container
__ refers to the risk that if you can compromise the host system, you can compromise every container that relies upon it ● Privilege Escalation
Legal Concepts (2)
__ refers to consulting your attorney before performing any penetration testing work to ensure you are within the legal bounds of the laws of the countries where you are operating.
Information Gathering - Reconnaissance
__ refers to the systematic attempt to locate, gather, identify, and record information about a target ▪ Also known as footprinting the organization
Lateral Movement
__ refers to the techniques cyber attackers, or "threat actors", use to progressively move through a network as they search for the key data and assets that are ultimately the target of their attack campaigns.
Mitigation Strategies
__ section of a report should contain not just a list of findings, but recommendations on how to mitigate each vulnerability
Vagrant
__ is an open-source software product for building and maintaining portable virtual software development environments, e.g. for VirtualBox, KVM, Hyper-V, Docker containers, VMware, and AWS. ▪ It tries to simplify software configuration management of virtualizations in order to increase development productivity.
Compliance Scan
__ scans for specific known vulnerabilities that would make a system non-compliant. ▪ Used to identify vulnerabilities that may affect compliance with regulations or policies ▪ Commonly set up as a scanning template in your vulnerability scanner (e.g. PCI-DSS)
Full Scan
__ scans ports, services, and vulnerabilities. ▪ In-depth scan including ports, services, and vulnerabilities ▪ Easy to see in network traffic when performed ▪ nmap -A <target>
Ping
__ sends a message from one computer to another to check whether it is reachable and active. ▪ Reconnaissance tool
Programming Arrays (Basic or Indexed)
__ store multiple values that can be referenced from a single name (like a list of variables)
Data Mining
__ is the process of analyzing large data sets to reveal patterns or hidden anomalies.
Compiler
__ translates source code into executable instructions.
Nmap
__ uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. ▪ Packet crafting tool
Discovery Scan
__ is used to find potential targets. ▪ Identity/info gathering early on ▪ Least intrusive scan (like a ping sweep) ▪ Used to create a network map to show connected devices in the architecture ▪ Nmap ping sweep: nmap -sP target
XSS Stored/Persistent
__ vulnerability is a more devastating variant of a cross-site scripting flaw. ▪ It occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. ▪ Data provided by attacker is saved on server
Default Credentials Attack
__ vulnerability is a type of vulnerability that is most commonly found to affect devices like modems, routers, digital cameras, and other devices having some pre-set (default) administrative credentials to access all configuration settings.
(PowerShell) PS Remoting
__ will allow a computer to receive Windows PowerShell remote commands
SSH (Secure Shell)
__ works like telnet, but uses encryption to create a secure channel between the client and the server ▪ SSH should always be used instead of telnet
Planning a Penetration Test
__, Questions to ask: ▪ Why Is Planning Important? ▪ Who is the Target Audience? ▪ Budgeting ▪ Resources and Requirements ▪ Communication Paths ▪ What is the End State? ▪ Technical Constraints ▪ Disclaimers
DNS Poisoning Steps
__: 1. Inject a fake DNS record 2. Visitor requests DNS for the bank 3. Visitor gets the IP for the fake bank server instead
Tiers of Adversaries
__: 1 - Little money & rely on off-the-shelf tools/known exploits 2 - Little money & invested in own tools against known vulnerabilities 3 - Invests lots of money to find vulnerabilities to steal for profit 4 - Organized, technical, proficient, funded, working in teams 5 - Nation states investing tons of money in finding/creating vulnerabilities 6 - Nation states investing tons to carry out military ops
NIST SP 800-115 Methodology
__: 1. Planning 2. Discovery 3. Attack 4. Reporting
Pentest Methodology
__: 1. Planning & Scoping 2. Info Gathering & Vulnerability ID 3. Attacks & Exploits 4. Reporting & Communication
Serial Console
__: Many network devices still have serial console connections (routers and switches) ▪ If attacker can get physical access to the device then they can connect to the device over the serial port ▪ Lower security enabled (if any) on these ports ● Privilege Escalation
Packet Capture Techniques
__: Use Wireshark or TCPDump to conduct packet capturing of wired or wireless networks ▪ Connect to a mirrored port to capture wired network traffic ▪ Wireless networks can be captured and their encryption cracked to access the data using Aircrack-ng
Port Scan - Filtered
__: __● Probes aren't reaching the port __● Usually indicates a firewall
Nmap -oA
__: ▪ -oA Combined format (normal, grepable, and XML output at once) __● nmap -oA outputfile target
Nmap -oG
__: ▪ -oG Grepable output format __● nmap -oG outputfile.txt target
Nmap -oX
__: ▪ -oX XML output format __● nmap -oX outputfile.xml target
Threat Actors
__: ▪ Advanced Persistent Threat (APT) ▪ Hacktivist ▪ Insider Threat ▪ Script Kiddies
Finding: Plain Text Passwords
__: ▪ All passwords must be stored as hashes or another encrypted format
Unsecure Code Practices - Unauthorized use of function/unprotected API
__: ▪ Allows anyone with network access to send your application a request ▪ Designers should implement function-level access control
Threat Actors - Insider Threat
__: ▪ Already have authorized user access to the networks, making them extremely dangerous ▪ May be a skilled or unskilled attacker ▪ Might be a former or current employee
Unsecure Code Practices - Lack of error handling
__: ▪ Applications should fail cleanly on errors ▪ Prevents information leakage about the server
Target Selection - First-party or Third-party
__: ▪ Are the targets hosted by the organization or by a third-party service provider? ▪ DionTraining.com is hosted by Thinkific and might be outside the penetration test scope
RoE: Time Restrictions
__: ▪ Are there certain times that aren't authorized? ▪ What about days of the week? ▪ What about holidays?
Target Selection - Physical
__: ▪ Are we contracted to test physical security? ▪ Should we attempt to break into the facility?
Target Selection - Applications
__: ▪ Are we focused on a particular application? ▪ Is a particular application mission critical and cannot be targeted? __● Credit card processing system __● Health care system
Pass the Hash Breakdown
__: ▪ Attack against the NT LAN Manager (NTLM) authentication system ▪ Attacker steals a hashed user credential and reuses it in the Windows authentication system to create a new authenticated session
Creating New Users
__: ▪ Attacker creates new user accounts __● Can be created as regular or admin level users ● Could be used to Persist on victim machine
Credential Brute Forcing
__: ▪ Attempt to crack a password or authentication system to gain access ▪ Attempt to crack passwords from a hash file ▪ Conduct password guessing to log in
Premerger Assessment
__: ▪ Before two companies perform a merger, it is common to conduct penetration tests on them to identify weaknesses being inherited ▪ Can be a part of the due diligence efforts
Penetration Testing Strategies
__: ▪ Black Box ▪ Gray Box ▪ White Box
Analyzing Vuln Scans - Asset Categorization
__: ▪ Categorize by Operating System or function ▪ Ideally, we identify high-value assets __● Domain Controllers, Web Servers, Databases, etc. ▪ Identify and rank assets by relative value ▪ Categorize by most vulnerabilities ▪ Categorize by the most critical vulnerability ▪ Vulnerable assets with little value could be a waste of time
Unattended Installation
__: ▪ Clear text credentials of Preboot Execution Environment (PXE) could be captured using network sniffers ● Privilege Escalation (Windows)
Physical Service Security
__: ▪ Cold boot attack ▪ JTAG debug ▪ Serial console ● Privilege Escalation
Reconnaissance Tools Breakdown
__: ▪ Collecting information before attacking an IT system ▪ Usually conducted using open source research or passive collection ▪ Tools __● Whois, Nslookup, Theharvester, Shodan, Recon-NG, Censys, Aircrack-NG, Kismet, WiFite(2), Wireshark, Hping, SET, Nmap, Metasploit framework
Creating New Users - Shell (Linux)
__: ▪ Command Line (Linux) __● su - __● useradd hacked __● passwd hacked __● New password: hacked123 __● Retype new password: hacked123 ● Could be used to Persist on victim machine
Creating New Users - Windows
__: ▪ Command Line (Windows) __● net user /add [username] [password] ----o net localgroup administrators [username] /add ● Could be used to Persist on victim machine
Scoping Considerations - Scope Creep
__: ▪ Condition when a client requests additional services after the SOW and project scope have been agreed to and signed ▪ How will scope be contained? ▪ Document any changes to the scope of test ▪ Recommend signing a change order to SOW
Threat Actors - Hacktivist
__: ▪ Conduct activities against governments, corporations, or individuals ▪ Can be an individual or member of a group
Information Gathering and Vulnerability Identification
__: ▪ Conducting information gathering ▪ Performing vulnerability scanning ▪ Analyzing results of vulnerability scans ▪ Leveraging information for exploitation ▪ Weaknesses in specialized systems
Prioritize the Vulnerabilities
__: ▪ Consider the most critical vulnerabilities first ▪ What target should we focus on first?
Containers Require Security
__: ▪ Containers still contain applications which can contain vulnerabilities ▪ Still need to be scanned for vulnerabilities ▪ If an OS vulnerability is found, it will apply to multiple containers (all based on same OS) and can lead to a large level of exploitation
Planning a Penetration Test - Budgeting
__: ▪ Controls many factors in a test ▪ If you have a large budget, you can perform a more in-depth test __● Increased timeline for testing __● Increased scope __● Increased resources (people, tech, etc.)
§ 1030 Fraud and related activity with computers
__: ▪ Covers just about any computer or device connected to a network ▪ Mandates penalties for anyone who accesses a computer in an unauthorized manner or exceeds one's access rights ▪ Can be used to prosecute employees using capability and accesses provided by their company to conduct fraudulent activity
Privilege Escalation in Windows Breakdown
__: ▪ Cpassword ▪ Clear Text Credentials in LDAP ▪ Kerberoasting ▪ Credentials in LSASS ▪ Unattended Installation ▪ SAM Database ▪ DLL Hijacking ▪ Exploitable Services ▪ Unsecure File and Folder Permissions ▪ Keylogger ▪ Scheduled Tasks
Common Attack Techniques
__: ▪ Cross-compiling code ▪ Exploit modification ▪ Exploit chaining ▪ Proof-of-concept development ▪ Social engineering ▪ Credential brute forcing ▪ Dictionary attacks ▪ Rainbow tables ▪ Deception
Handling and Disposal
__: ▪ Data from the assessment should always be handled with due diligence and care ▪ Findings and recommendations are sensitive in nature and should be treated as confidential
Decompiling vs Debugging
__: ▪ Decompiling uses a static analysis of code ▪ Debugging often uses a dynamic approach that allows code to be run __● Code is run step by step through the program __● Code can be run until a break point ▪ Both techniques can be useful when conducting a penetration test or assessment of custom-built applications
Default Account Settings
__: ▪ Default administrator accounts can be exploited ▪ Guest accounts should be disabled, but are enabled by default on most systems ● Privilege Escalation
Types of Vulnerability Scans
__: ▪ Discovery scan ▪ Full scan ▪ Stealth scan ▪ Compliance scan
Lessons Learned
__: ▪ Documented information of both the positive and negative experiences that occurred ▪ What did you do great on? ▪ What could have gone better? ▪ How can it go better next time?
Mobile Tools
__: ▪ Drozer ▪ APKX ▪ APK Studio
DLL Hijacking
__: ▪ Dynamic Link Library (DLL) provides a method for sharing code and allows a program to upgrade its functionality without requiring re-linking or recompiling of the application ▪ Hijacking is a technique used to load a malicious DLL in the place of an accepted DLL ▪ Commonly used by malware to achieve persistence on the victim machine ● Privilege Escalation (Windows)
Scanning Considerations - What Protocols Will Be Used?
__: ▪ Each protocol scanned takes time/resources ▪ Will you scan every port and service? ▪ Consult the scope of the assessment and its objectives
Nmap -O
__: ▪ Enables OS detection by fingerprinting the TCP/UDP packets received
Configuration Compliance Tools Breakdown
__: ▪ Ensuring a system meets a given security baseline or policy ▪ Tools __● Nikto, OpenVAS, Nessus, SQLmap, Nmap
Covering Your Tracks Breakdown
__: ▪ Erase, Modify, or Disable the Evidence ▪ Clear Log Files ▪ Hiding files and folders
Unsecure Code Practices - Verbose error handling
__: ▪ Errors can display too much information ▪ Great for debugging...horrible for security
Enumeration Tools Breakdown
__: ▪ Establishes an active connection to the targets to discover potential attack vectors ▪ Usually conducted using active techniques and fingerprinting ▪ Tools __● Nslookup, Wireshark, Hping, Nmap
Wireless-based Vulnerabilities
__: ▪ Evil Twin ▪ Deauthentication attacks ▪ Fragmentation attacks ▪ Credential harvesting ▪ WPS implementation weakness ▪ Bluejacking ▪ Bluesnarfing ▪ RFID cloning ▪ Jamming ▪ Repeating
Written Report of Findings
__: ▪ Executive Summary ▪ Methodology ▪ Findings and Remediation __● Consider the risk appetite ▪ Metrics and Measures __● Including risk ratings ▪ Conclusion
Unsecure Code Practices - Race conditions
__: ▪ Flaw that produces unexpected results when the timing of actions can impact other actions ▪ Can occur when multi-threaded operations are occurring on the same piece of data
White Box (Full Knowledge Test)
__: ▪ Full knowledge of network, systems, and the infrastructure ▪ Spend more time probing vulnerabilities and less time gathering information ▪ Tester is given support resources from the organization
Software Assurance Tools Breakdown
__: ▪ Fuzzing __● Peach and AFL ▪ Security Testing __● Static Application Security Testing (SAST) __● Dynamic Application Security Testing (DAST) __● Findsecbugs, SonarQube, and YASCA (Yet Another Source Code Analyzer)
White Box Sample Application Requests
__: ▪ Generally used for testing web applications or other applications developed by organization
Types of Pentest Assessments
__: ▪ Goal-based Pentests ▪ Objective-based ▪ Premerger ▪ Supply Chain ▪ Red Team
Threat Actors - What is the Intent?
__: ▪ Greed or monetary gain ▪ Power, revenge, or blackmail ▪ Thrills, reputation, or recognition ▪ Espionage or political motivation
Threat Actors - Advanced Persistent Threat (APT)
__: ▪ Group with great capability and intent to hack a particular network or system ▪ Target organizations for business or political motives and usually funded by nation states ▪ Conduct highly covert hacks over long periods of time
Unsecure Code Practices - Hidden elements
__: ▪ HTML forms often use hidden elements __● Fields using <INPUT TYPE=HIDDEN> ▪ Sensitive data stored in the DOM (prices, record IDs, role flags) is visible to the user and can be changed before the form is submitted, so the server must never trust it
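An added example (not code from the page) of what a tester does with this card: pull every hidden input out of a form and flag the ones whose name suggests the server trusts client-side state. The checkout form is constructed for illustration, and the list of "sensitive" name fragments is an assumption that you would tune per application.

```python
from html.parser import HTMLParser

# Field names that often carry server-trusted state the client should never control.
SENSITIVE_NAME_HINTS = ("price", "amount", "total", "discount", "role", "admin", "user_id", "account")


class HiddenFieldFinder(HTMLParser):
    """Collect every <input type=hidden> as (name, value)."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":  # html.parser lower-cases tag and attribute names for us
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden":
            self.fields.append((a.get("name", ""), a.get("value", "")))


def find_hidden_fields(html):
    parser = HiddenFieldFinder()
    parser.feed(html)
    parser.close()
    return parser.fields


def flag_sensitive(fields):
    """Hidden fields whose name suggests business logic decided on the client."""
    return [(n, v) for n, v in fields if any(h in n.lower() for h in SENSITIVE_NAME_HINTS)]


# Constructed checkout form (not taken from any real application).
SAMPLE_FORM = """
<form method="POST" action="/checkout">
  <input type="hidden" name="csrf_token" value="d41d8cd98f00b204">
  <input type="hidden" name="item_id" value="1042">
  <input type="hidden" name="price" value="49.99">
  <input type="hidden" name="is_admin" value="0">
  <input type="text" name="quantity" value="1">
  <input TYPE=HIDDEN NAME=user_id VALUE=7>
  <button type="submit">Pay</button>
</form>
"""

if __name__ == "__main__":
    hidden = find_hidden_fields(SAMPLE_FORM)
    for name, value in hidden:
        print(f"hidden field: {name!r} = {value!r}")
    print("worth tampering with in the proxy:", [n for n, _ in flag_sensitive(hidden)])
```

The flagged fields are the ones to change in an intercepting proxy (OWASP ZAP or Burp Suite, listed under Web Proxies Tools) to see whether the server recomputes the price and re-checks the role, or simply believes the form.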
Crimes and Criminal Procedure
__: ▪ Hacking is covered under United States Code, Title 18, Chapter 47, Sections 1029 and 1030
Evasion Tools Breakdown
__: ▪ Hide from system administrators or defenders ▪ Tools __● Proxychains, SET, Metasploit Framework, Route
Types of Enumeration
__: ▪ Hosts ▪ Networks ▪ Domains ▪ Users/Groups ▪ Network shares ▪ Web pages ▪ Applications ▪ Services ▪ Tokens ▪ Social networks
Types of Scanning
__: ▪ Hosts ▪ Systems ▪ Networks ▪ Computers ▪ Mobile Devices ▪ Applications ▪ Printers
RoE: Timeline
__: ▪ How long will the test be conducted? __● A week, a month, a year ▪ What tasks will be performed and how long will each be planned for?
Scanning Considerations - Bandwidth Limitations
__: ▪ How much bandwidth is dedicated to the scan? ▪ Throttle the queries if needed __● Nmap -T option sets the timing
SocEngin Motivation Factors - Urgency
__: ▪ Humans want to please others by nature... ▪ We want to be helpful... ▪ I only have a few minutes before the big presentation, can you print this for me?
Third-Party Authorization
__: ▪ If servers and services are hosted in the cloud, you must request permission from the provider prior to conducting a penetration test __● Ex: from a Cloud service provider
Exploit Modification
__: ▪ If the organization has added security, you may need to modify exploits to get past it ▪ Encrypting or encoding an exploit to avoid detection by anti-virus
SocEngin Motivation Factors - Fear
__: ▪ If you don't do _____ then ______ will happen ▪ Use threats or demands ▪ Anti-virus scams & Ransomware are examples
Finding: No Multifactor Authentication
__: ▪ Implement multifactor authentication __● Something you know __● Something you have __● Something you are __● Something you do
Vulnerability Scanning Tools Breakdown
__: ▪ In-depth scanning of a target to determine its vulnerabilities ▪ Uses automated tools to determine missing patches and incorrect configurations ▪ Tools __● Nikto, OpenVAS, Nessus, SQLmap, W3AF, OWASP ZAP, Nmap, Metasploit Framework
Application-based Vulnerabilities
__: ▪ Injections ▪ Authentication ▪ Authorization ▪ Cross-site scripting (XSS) ▪ Cross-site request forgery (CSRF/XSRF) ▪ Clickjacking ▪ Security misconfiguration ▪ File inclusion ▪ Unsecure coding practices
Target Selection
__: ▪ Internal or External ▪ First-party or Third-party hosted ▪ Physical ▪ Users ▪ SSIDs ▪ Applications
Information Gathering - Reconnaissance Techniques
__: ▪ Internet or open-source research ▪ Social engineering ▪ Dumpster diving ▪ Email harvesting
Simple Mail Transfer Protocol (SMTP) Breakdown
__: ▪ Internet standard for electronic mail transmission ▪ Focus can be on: __● Direct exploits of the protocol or the mail server software __● Using open relays __● Using local relays __● Phishing
Scoping Considerations - Security Exceptions
__: ▪ Intrusion Prevention System (IPS) ▪ Web Application Firewall (WAF) ▪ Network Access Control ▪ Certificate Pinning __● An exception is required if the organization relies on pinned certificates, since the tester's interception proxy certificate would otherwise be rejected ▪ Company policies
Exploit Chaining
__: ▪ Involves layering exploits in a series ▪ Exploit chain example: -- 1. Bypass the firewall -- 2. Gain access to user system -- 3. Escalate privileges
Target Selection - Users
__: ▪ Is social engineering authorized? ▪ Are particular users being targeted or not considered part of the assessment?
Target Selection - Wireless and SSIDs
__: ▪ Is wireless pentesting being conducted? ▪ Are any SSID's out of scope? __● Guest or public network
JTAG Debug
__: ▪ JTAG is a standard for verifying designs and testing printed circuit boards __● Diagnostic connection ▪ Port used for debugging, probing, and programming ▪ With breakpoints set, JTAG can halt the CPU, read its registers, and read (or write) arbitrary memory locations, including firmware and any secrets it holds ● Privilege Escalation
Credentials in LSASS
__: ▪ Local Security Authority Subsystem Service ▪ Process in Windows that enforces the security policy of the system ▪ Verifies users when logging on to a computer or server ▪ Performs password changes ▪ Creates access tokens and handles the authentication protocols (e.g., Kerberos, NTLM) ▪ Credentials cached in its memory can be dumped with tools such as Mimikatz once an attacker holds administrative rights ● Privilege Escalation (Windows)
Modifying the Log Files
__: ▪ Log files are just text (they can be edited) ▪ Timestomp (a Meterpreter extension) can be used to modify a file's timestamps (modified, accessed, created) ▪ Change the file's ownership back to the original user ▪ IMPORTANT __● Penetration testers DO NOT usually modify or delete any of the logs...check your scope of work!
Threat Actors - Script Kiddies
__: ▪ Low-skilled attackers who use other's tools ▪ Use freely available vulnerability assessment and hacking tools to conduct attacks
Persistence Tools Breakdown
__: ▪ Maintaining a foothold into the network or victim system ▪ Tools __● SET, BeEF, SSH, NCAT, NETCAT, Drozer, Powersploit, Empire, Metasploit framework
Finding: Weak Password Complexity
__: ▪ Minimum password requirements/filters ▪ Passwords Must... __● Be at least 14 characters __● Contain letters, numbers, and special characters __● Not have repeating characters or digits
White Box Architectural Diagrams
__: ▪ Network diagrams, software flow charts, physical maps of organizational facilities ▪ Assists the tester in mapping out network topologies, location of switch closets, and where key information systems are located
Scanning Considerations - Where Do You Scan From?
__: ▪ Network topology is important, are you inside or outside the network? ▪ PCI-DSS requires both internal and external scanning to be performed
Proof-of-Concept Development
__: ▪ New or custom exploits require testing before using them in a pentest ▪ Build a virtual machine matching the specifications you learned during enumeration (OS version, patch level, installed software) and test against it first
Packet Crafting Tools
__: ▪ Nmap ▪ Netcat (nc) ▪ Ncat (ncat) ▪ Hping
Black Box (No Knowledge Test)
__: ▪ No prior knowledge of target or network ▪ Simulates an outsider attack ▪ Only focuses on what external attacks see and ignores the insider threat ▪ Takes more time and is much more expensive
Report Writing
__: ▪ Normalization of Data ▪ Written Report of Findings ▪ How Long Do I Keep the Report? ▪ Handling and Disposal?
Threat Actors - Tiers of Adversaries
__: ▪ Not all threat actors are created equal ▪ Some are structured, some are unstructured ▪ Some are more skilled than others
Reconnaissance Tools
__: ▪ Nslookup ▪ Traceroute ▪ Ping ▪ Whois ▪ Domain Dossier ▪ Email Dossier ▪ Google ▪ Social Networking ▪ Discover.sh ▪ Maltego
Web Proxies Tools
__: ▪ OWASP ZAP ▪ Burp Suite
Objective-based Assessment
__: ▪ Objective-based pentests seek to ensure the information remains secure ▪ Testing occurs using all methods and more accurately simulates a real attack ▪ Compliance-based __● Risk-based compliance assessment that is required to ensure policies or regulations are being followed properly __● Regulations and policies provide checklists, for example the PCI-DSS compliance assessment __● Objectives are clearly defined __● Focus is on password policies, data isolation, limited network/storage access, and key management
Credential Attacks Tools Breakdown
__: ▪ Offline password cracking __● John the Ripper, Mimikatz, Cain and Abel, Hashcat, AirCrack-NG ▪ Brute-forcing services __● SQLmap (for databases), Medusa, Hydra, W3AF, Mimikatz, Cain and Abel, Patator, Aircrack-NG
NETBIOS Name Service Breakdown
__: ▪ NetBIOS Name Service (NBNS) is part of the NetBIOS-over-TCP/IP protocol suite ▪ Microsoft's server implementation is WINS (Windows Internet Name Service), which is why it is often called WINS on Windows systems ▪ The NetBIOS name is the host name of a system ▪ Listens on UDP port 137
Unsecure File and Folder Permissions
__: ▪ Weak ACLs (common on older Windows versions and on poorly packaged applications) let a non-admin user write to folders or files that a privileged process loads from ▪ Can lead to DLL hijacking and malicious file installation that then runs with the privileges of the targeted service or user ● Privilege Escalation (Windows)
Port Scan Results
__: ▪ Open __● Application is accepting connections ▪ Closed __● Port is reachable but no application is listening ▪ Filtered __● Probes aren't reaching the port __● Usually indicates a firewall dropping the packets ▪ Nmap also reports unfiltered, open|filtered, and closed|filtered when it cannot decide between two states
White Box Swagger Document
__: ▪ Open-source framework (its specification is now the OpenAPI Specification) with a large system of tools to help design, build, document, test, and standardize REST web services ▪ Representational State Transfer (REST) has been replacing SOAP in most web applications in recent years ▪ REST is a web application architectural style based on HTTP ▪ The document enumerates every endpoint, parameter, and authentication scheme, so it doubles as an attack-surface map for the tester
Gray Box (Partial Knowledge Test)
__: ▪ Partial knowledge of target ▪ Can be used as an internal test to simulate an insider attack with minimal knowledge ▪ Can also be used to decrease the information gathering stage so more time can be spent on identifying vulnerabilities EX: IP Range provided or Company Emails for Phishing
Supply Chain Assessment
__: ▪ Pentest may be required of your suppliers to ensure they are meeting their cybersecurity requirements ▪ Can be required prior to allowing an interconnection between the supplier's systems and your organization's systems ▪ Minimize risk by purchasing only from trusted vendors
SocEngin Motivation Factors - Authority
__: ▪ People are more willing to comply with a request when they think it is coming from someone in authority __● CEO or manager __● Important client __● Government agencies __● Financial institutions
Planning a Penetration Test - Disclaimers
__: ▪ Point-in-Time Assessment __● Results were accurate when the pentest occurred ▪ Comprehensiveness __● How complete was the test? __● Did you test the entire organization or only specific objectives?
Post-Report Activities
__: ▪ Post-Engagement Cleanup ▪ Attestation of Findings ▪ Client Acceptance ▪ Follow-up Actions or Retests ▪ Lessons Learned
Debugging Tools Breakdown
__: ▪ Process of finding and resolving defects in a computer program ▪ Tools __● Ollydbg, Immunity debugger, GDB, WinDBG, IDA Pro, APK Studio, APKX
Unsecure Code Practices - Comments in source code
__: ▪ Programmers are taught to fully document code ▪ Great for developers for maintainability ▪ Horrible for security
§ 1029 Fraud & related activity w/ access devices
__: ▪ Prosecute those who knowingly and with intent to defraud produce, use, or traffic in one or more counterfeit access devices. ▪ Access devices can be an application or hardware that is created specifically to generate any type of access credentials
Link-Local Multicast Name Resolution (LLMNR) Breakdown
__: ▪ Protocol based on the DNS packet format allowing both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link ▪ Often used when there is no DNS server on the network, or as a fallback when a DNS lookup fails ▪ Included in Windows Vista and newer versions ▪ Linux implements LLMNR in systemd-resolved ▪ Useful when a temporary network is created, such as an ad-hoc WiFi network ▪ Because any host on the link may answer a query, the protocol is a common target for name-resolution poisoning
Vulnerability Scanner Tools
__: ▪ QualysGuard Vulnerability Scanner ▪ Tenable's Nessus Vulnerability Scanner ▪ Rapid7's Nexpose ▪ OpenVAS (Open-source Scanner) ▪ Nikto (Web Application Scanner)
Finding: Shared Local Admin Credentials
__: ▪ Randomize credentials __● Every system uses a different local administrator password ▪ Local Administrator Password Solution (LAPS) __● Microsoft tool that randomizes and rotates the local Administrator password on each domain-joined computer __● Stores each password in Active Directory, readable only by authorized accounts, so a local logon without domain credentials remains possible without sharing one password everywhere
Use Cases for Tools
__: ▪ Reconnaissance ▪ Enumeration ▪ Vulnerability Scanning ▪ Credential Attacks ▪ Persistence ▪ Configuration Compliance ▪ Evasion ▪ Decompilation ▪ Forensics ▪ Debugging ▪ Software Assurance
Reporting and Communication
__: ▪ Report writing and handling best practices ▪ Explain post-report delivery activities ▪ Recommend mitigation strategies for discovered vulnerabilities ▪ Communication during the penetration testing process
Decompilation Tools Breakdown
__: ▪ Reversing an executable into human readable code ▪ Tools __● IDA, Hopper, Immunity debugger, APK Studio, APKX
Remote Access Tools
__: ▪ SSH ▪ Netcat ▪ Ncat ▪ Proxychains
Unsecured SUDO
__: ▪ sudo is a program for Unix/Linux systems ▪ Allows users to run programs with the privileges of another user ▪ By default, the other user is 'root' ▪ Works like "Run as Administrator" on Windows ▪ Unsecure configurations (NOPASSWD rules, sudo rights on shells, editors, or interpreters) let a user escalate to root; list what the current user may run with sudo -l ● Privilege Escalation (Linux)
Nmap -sS
__: ▪ SYN Scan (default when running as root, and most popular) ▪ Can scan thousands of ports per second on a fast network ▪ Never completes the TCP three-way handshake (sends SYN, receives SYN/ACK, replies with RST) ▪ Less likely to appear in application logs because no connection is established, though firewalls and IDS sensors still see the half-open attempts
Finding: SQL Injection
__: ▪ Sanitize user input __● Check user data for the expected input type (allow-list validation) __● Escape data as a fallback to avoid SQL injection ▪ Parameterize queries __● Better than input sanitization __● Use prepared statements with bound variables to access the database __● The SQL text is static and receives its values as parameters from a separate channel, so user data can never change the query's structure
Nmap -iL
__: ▪ Scan targets from a text file
Scanning Considerations - When Do You Run the Scans?
__: ▪ Scanning the systems can take up valuable resources and slow down the network ▪ Are you trying to be sneaky? ▪ When is the best time to run the scans?
Unsecure Service and Protocol Configuration
__: ▪ Services and daemons run programs constantly in the background of the OS ▪ Unsecure services are vulnerable __● FTP, Telnet, TFTP, and many others ▪ Mis-configurations introduce vulnerabilities in secure protocols __● SSH downgraded to support SSHv1 __● SNMPv3 downgraded to support SNMPv1 __● Using WPA instead of WPA2 __● Allowing web servers to negotiate down to weak protocol versions and cipher suites
Privilege Escalation in Linux Breakdown
__: ▪ Set-User Identification (SUID) ▪ Set-Group Identification (SGID) ▪ Sticky Bit ▪ Unsecure SUDO ▪ Ret2libc
Nmap -T
__: ▪ Sets the timing for the scan ▪ T0 - Paranoid (one port every five minutes) ▪ T1 - Sneaky (one port every 15 seconds) ▪ T2 - Polite ▪ T3 - Normal ▪ T4 - Aggressive ▪ T5 - Insane
Scanning Considerations - Fragile or Non-Traditional Systems
__: ▪ Should we scan these? ▪ Should we exempt these? ▪ How to avoid impacting fragile mission critical systems?
White Box SOAP Project File
__: ▪ Simple Object Access Protocol (SOAP) is a messaging protocol specification for exchanging structured information in the implementation of web services ▪ SOAP project files are created from WSDL files or a single service call
Communication Reasons
__: ▪ Situational Awareness ▪ De-confliction ▪ De-escalation
Nmap -Pn
__: ▪ Skips the host discovery (ping) stage ▪ Treats all hosts in the range as online ▪ Slower, because every address is port-scanned even when nothing answers ▪ Run normal discovery first to find which hosts are up, then use -Pn for targets that block ICMP and the other discovery probes
SocEngin Motivation Factors - Social Proof
__: ▪ Social engineering through Facebook or Twitter can be useful __● Lots of Likes or Shares add to social proof __● People are more likely to click the link ▪ We crave social group interaction and have a need to be included ▪ Sometimes we don't fully understand what the inclusion means for us or why we are performing an action
SocEngin Motivation Factors - Likeability
__: ▪ Social engineers are friendly and likeable __● People will want to help them ▪ Find common ground and shared interests
White Box SDK Documentation
__: ▪ Software Developer's Kit (SDK) provides a set of tools, libraries, documentation, code samples, processes, or guides to allow faster development of a new app on a platform ▪ SDK provides code libraries for use
Unsecure Code Practices - Hard-coded credentials
__: ▪ Source code of a web application has the username and password written into the code instead of in a protected configuration/inclusion file kept outside the web root ▪ Common issue for applications using PHP, databases, or WordPress
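An added example (not code from the page) that covers both this card and the "Comments in source code" card: a small scanner that walks a source file line by line and flags hard-coded credentials and comments that leak security-relevant information. The PHP fragment is constructed in the style of a WordPress configuration file, and the regular expressions are assumptions that a real engagement would extend.

```python
import re

# Constructed PHP fragment in the style of a WordPress wp-config.php (not a real file).
SAMPLE_SOURCE = """<?php
// TODO: remove before prod - admin backdoor is admin/Passw0rd!
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_admin');
define('DB_PASSWORD', 'Sup3rS3cret!');
$api_key = "AKIAIOSFODNN7EXAMPLE";
$host = "localhost";
/* legacy: old password was 'changeme' */
"""

# Identifier fragments that usually name a secret (assumed list, extend per target).
CRED_NAME = r"(?:pass|passwd|password|pwd|secret|api_?key|token|private_key)"

PATTERNS = [
    # define('DB_PASSWORD', 'value')   -> groups: identifier, value
    ("hardcoded-credential",
     re.compile(r"define\(\s*['\"](\w*" + CRED_NAME + r"\w*)['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)),
    # $api_key = "value"               -> groups: identifier, value
    ("hardcoded-credential",
     re.compile(r"\$(\w*" + CRED_NAME + r"\w*)\s*=\s*['\"]([^'\"]+)['\"]", re.I)),
    # a comment that talks about credentials, backdoors or unfinished security work
    #                                  -> groups: comment marker, keyword
    ("sensitive-comment",
     re.compile(r"(//|#|/\*).*?\b(password|passwd|backdoor|todo|fixme|secret|hack)\b", re.I)),
]


def mask(value, keep=2):
    """Never paste the recovered secret into the report: keep a short prefix only."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_source(text):
    """Return findings as dicts: line number, kind, identifier/keyword, and a safe detail string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            if kind == "hardcoded-credential":
                findings.append({"line": lineno, "kind": kind,
                                 "name": m.group(1), "detail": mask(m.group(2))})
            else:
                findings.append({"line": lineno, "kind": kind,
                                 "name": m.group(2).lower(), "detail": line.strip()})
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']:>3}  {f['kind']:<21} {f['name']:<12} {f['detail']}")
```

The masking matters for the written report: the finding is that the credential is in the code, not the credential itself, and the report is often shared more widely than the tester's notes.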
Goal-based Pentests Assessment
__: ▪ Specific goals are defined before testing starts ▪ Pentester may attempt to find many unique methods to achieve the specific goals
Nmap -p
__: ▪ Specifies the ports to scan (overrides the default top 1,000) ▪ Can list individual ports, ranges, or both (e.g., -p 22,80,443 or -p 1-1024); -p- scans all 65,535 ports ▪ Use --exclude-ports to leave specific ports out
Communications Triggers
__: ▪ Stages ▪ Critical Findings ▪ Indicators of Prior Compromise
Pentest Contracts
__: ▪ Statement of Work (SOW) ▪ Master Service Agreement (MSA) ▪ Non-Disclosure Agreement (NDA)
Finding: Unnecessary Open Services
__: ▪ System hardening __● Securing a computer or server by reducing its attack surface __● Disable unneeded services __● Close unused ports __● Uninstall unused programs
Nmap -sT
__: ▪ TCP Connect Scan (default when not running as root) ▪ Uses the operating system's connect() call to send packets ▪ Completes the TCP three-way handshake (less stealthy) ▪ The connection shows up in the target application's logs
SocEngin Motivation Factors - Scarcity
__: ▪ Technique that works well to get people to act fast ▪ Signup now for a special offer... supplies are limited!
Mitigation Solutions
__: ▪ Technology __● Add a multifactor authentication system ▪ Processes __● Proper employee off-boarding to minimize an insider threat ▪ People __● Employee cybersecurity training __● Hire qualified and certified IT professionals
Simple Network Management Protocol (SNMP) Breakdown
__: ▪ Three versions of SNMP exist (v1, v2c, v3) ▪ SNMPv1 and v2c have poor security: authentication uses a shared "community string" sent in cleartext, often left at the default "public" (read) or "private" (write) ▪ The community string operates like a password and is usually valid for EVERY node on the network ▪ SNMPv3 adds per-user authentication and encryption
Rules of Engagement (RoE) Overview
__: ▪ Timeline ▪ Locations ▪ Time restrictions ▪ Transparency ▪ Test boundaries
Forensics Tools Breakdown
__: ▪ Tools used to collect and analyze digital evidence for investigations and incident analysis ▪ Tools __● foremost, FTK, EnCase, Tableau
Server Message Block (SMB) Breakdown
__: ▪ Application-layer protocol used by Windows machines for many purposes __● File sharing __● Printer sharing __● Access to remote Windows services ▪ Operates over TCP port 445 (and TCP 139 via the NetBIOS session service) ▪ EternalBlue exploited a flaw in SMBv1, which the WannaCry ransomware used to spread
Kernel Exploits
__: ▪ Unpatched Windows and Linux systems are vulnerable to many different kernel exploits ▪ Search CVEs for the exact kernel/OS version found during enumeration to determine what exploits exist ▪ Metasploit has a library of existing exploits ▪ Kernel exploits can crash the target, so check the rules of engagement before running one ● Privilege Escalation
How Do We Scan and Enumerate?
__: ▪ Use specialized scanning/enumeration tools and public information sources
Nmap -sV
__: ▪ Version Detection Mode ▪ Attempts to determine the version of the services and applications being run on ports
File Transfer Protocol (FTP) Breakdown
__: ▪ Was the Internet standard for file sharing ▪ Insecure protocol that sends data and authentication in cleartext over the network (control channel on TCP 21) ▪ No encryption for transfers or credentials ▪ Easy for attackers to use for data exfiltration if FTP is available
Export Restrictions
__: ▪ The Wassenaar Arrangement is a multilateral export-control regime covering technologies considered "dual-use" ▪ Strong encryption falls under these controls ▪ Penetration testing tools could be considered intrusion or surveillance software and fall under these rules, so check export restrictions before carrying tools across borders
White Box WADL
__: ▪ Web Application Description Language __● XML-based machine-readable description of HTTP-based web services __● Easier to write than WSDL but not as flexible __● Typically used for REST services
White Box WSDL
__: ▪ Web Services Description Language __● XML-based interface definition language used for describing the functionality offered by a web service such as a SOAP server __● Flexible and allows binding options __● WSDL 1.1 cannot describe REST services (WSDL 2.0 added support for HTTP bindings)
Certificate Inspection
__: ▪ Web servers advertise the protocol versions they support (SSL 2.0, SSL 3.0, TLS 1.0 through 1.3) and the cipher suites they will negotiate ▪ Deprecated versions (SSL 2.0/3.0, TLS 1.0/1.1), weak ciphers, expired or self-signed certificates, and hostname mismatches are all findings ▪ Tools exist to automate this process, e.g., the sslyze script included with Kali Linux
Corporate Policies
__: ▪ What do corporate policies allow you to do? ▪ Have employees waived their privacy? ▪ What policies should be tested? __● Password strength/reuse __● Bring Your Own Device (BYOD) __● Encryption __● Update frequency
Follow-up Actions or Retests
__: ▪ What follow-up actions are you required to perform? ▪ Will a retest be conducted after 30 or 90 days?
Scoping Considerations - Tolerance to Impact
__: ▪ What is the impact to operations going to be? ▪ Balance the assessment needs with the operational needs of the organization by placing things in or out of scope
Scoping Considerations - Risk
__: ▪ What is the risk tolerance of the organization? ▪ Avoidance __● Actions taken to eliminate the risk completely ▪ Transference __● Risk is moved to another entity (e.g., insurance or a contract) ▪ Mitigation __● Controls and countermeasures are put into place ▪ Acceptance __● Risk is identified, analyzed, and judged to be within acceptable limits
Planning a Penetration Test - What is the End State?
__: ▪ What kind of report will be provided after test? ▪ Will you provide an estimate of how long remediations would take?
Planning a Penetration Test - Resources and Requirements
__: ▪ What resources will the assessment require? ▪ What requirements will be met in the testing? __● Confidentiality of findings __● Known vs. unknown vulnerabilities __● Compliance-based assessment
Threat Actors - Threat Modeling
__: ▪ What threat are you trying to emulate? ▪ Will you use open-source and openly available tools like a script kiddie, or create custom hacks like an Advanced Persistent Threat? ▪ Will you be given insider knowledge or perform a white box penetration test?
Prioritize Efforts for Pentest
__: ▪ What will be attacked first? ▪ What exploits will we use? __● Do we need custom made exploits? ▪ Does Metasploit or Nmap already have known exploits for the vulnerabilities? __● Use the 'search' function in Metasploit
RoE: Boundaries
__: ▪ What will be tested? ▪ Is social engineering allowed to be used? ▪ What about physical security testing? ▪ How invasive can the pentest be?
RoE: Locations
__: ▪ Where will the testers be located? __● On-site or remote location ▪ Does the organization have numerous locations? ▪ Does it cross international borders?
Obtain Written Authorization
__: ▪ White hat hackers always get permission ▪ This is your get out of jail free card... ▪ Penetration tests can expose confidential information so permission must be granted ▪ Third-party authorization when necessary __● Ex: from a Cloud service provider
Planning a Penetration Test - Communication Paths
__: ▪ Who do we communicate with about the test? ▪ What info will be communicated and when? ▪ Who is a trusted agent if testing goes wrong?
RoE: Transparency
__: ▪ Who will know about the pentest? ▪ Will the organization provide resources to the testers (white box test)?
Scoping Considerations - Schedule
__: ▪ Will the timing of the penetration test be known by the organization's defenders? ▪ Will it be performed during peak or off-peak hours? ▪ What about holidays?
Scoping Considerations - Whitelist vs Blacklist
__: ▪ Will your pentest systems be put on a list? ▪ Whitelist will allow you access, but blacklist will prevent your system from connecting
Networking Tools
__: ▪ Wireshark ▪ Hping
Unsecure Code Practices - Lack of code signing
__: ▪ Without code signing it is easy for an attacker to modify the code and have it go unnoticed ▪ Code signing computes a hash digest of the code and signs it with the publisher's private key; the matching certificate lets the recipient verify the signature, so any change to the code invalidates it
White Box XML Schema Definition (XSD)
__: ▪ World Wide Web Consortium (W3C) recommendation that specifies how to formally describe elements in an Extensible Markup Language (XML) document
Nmap -oN
__: ▪ -oN Normal output format __● nmap -oN outputfile.txt target
Nmap Output
__: ▪ -oN Normal output format __● nmap -oN outputfile.txt target ▪ -oG Grepable output format __● nmap -oG outputfile.txt target ▪ -oX XML output format (the one to feed into scripts and other tools) __● nmap -oX outputfile.xml target ▪ -oA Combined format with all of the above (writes .nmap, .gnmap, and .xml files) __● nmap -oA outputfile target
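An added example (not code from the page) that ties the -oX output on this card to the "Port Scan Results" and "Unsecure Service and Protocol Configuration" cards: parse Nmap's XML, tally open/closed/filtered ports, and pick out open ports running cleartext services. The XML below is constructed to match Nmap's -oX structure for one host; the cleartext-service set is an assumption seeded from the services named on that card.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Cleartext services named on the "Unsecure Service and Protocol Configuration" card
# (assumed starting set; extend with pop3, imap, http, snmp, etc. as needed).
CLEARTEXT_SERVICES = {"ftp", "telnet", "tftp"}

# Constructed nmap -oX output for one host, trimmed to the elements parsed below.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 10.0.0.5" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ftp" product="vsftpd" version="3.0.3" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset" reason_ttl="64"/>
        <service name="telnet" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Flatten Nmap XML into one dict per port: host, proto, port, state, reason, service, product."""
    # This is output you generated yourself; for XML from an untrusted source use defusedxml.
    root = ET.fromstring(xml_text.encode("utf-8"))
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            rows.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),   # "no-response" on a filtered port points at a firewall
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
            })
    return rows


def count_states(rows):
    """open / closed / filtered tallies, as on the Port Scan Results card."""
    return dict(Counter(r["state"] for r in rows))


def open_cleartext_services(rows):
    """Open ports whose detected service is a known cleartext protocol."""
    return [r for r in rows if r["state"] == "open" and r["service"] in CLEARTEXT_SERVICES]


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_XML)
    print(count_states(rows))
    for r in open_cleartext_services(rows):
        print(f"finding: {r['host']}:{r['port']}/{r['proto']} {r['service']} {r['product']} is cleartext")
```

The `reason` attribute is the detail the normal output hides: "syn-ack" confirms a listener, "reset" means the host answered but nothing is bound to the port, and "no-response" on a filtered port is the signature of a firewall silently dropping the probe.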
Planning a Penetration Test - Technical Constraints
__: ▪ What constraints limited your ability to test? ▪ Provide the status in your report __● Tested __● Not Tested __● Can't Be Tested
egress sensor
__ is a type of passive infrared sensor (PIR) that organizations can use to release a magnetic locking mechanism to allow an individual to exit through a doorway.