Pentest+
Common Themes
Analyze vulnerability scans for __ that are recurring items ▪ Do the same vulnerabilities show up on many hosts? ▪ Do you see the same types of operating systems and applications being used across the network? ▪ Lack of best practices __● Common mis-configurations __● Weak passwords __● Poor security practices __● Logging disabled
Enumerate NFS Share Information
Showmount command can be used to __ from a Unix or Linux NFS file server. Nfs-showmount.nse can be used with the Nmap Scripting Engine to __ over the network.
Mobile Devices
Weakness in Specialized Systems - __: ▪ Lack of updates (especially Android) ▪ Root/Jailbreak (especially iPhone) ▪ 3rd party applications ▪ Bluetooth, NFC, and WiFi ▪ Lack of Mobile Device Management in smaller organizations
CAPEC
__ (Common Attack Pattern Enumeration and Classification) helps by providing a comprehensive dictionary of known patterns of attack employed by adversaries to exploit known weaknesses in cyber-enabled capabilities. ▪ It can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.
ctime
__ (change time) is the timestamp of a file that indicates the time that it was changed. Now, the modification can be in terms of its content or in terms of its attributes.
What kind of information are we looking to find?
__ - Reconnaissance : ▪ Phone numbers ▪ Contact names ▪ Email addresses ▪ Security-related information ▪ Information systems used ▪ Job postings ▪ Resumes
Hopper
__ Disassembler, the reverse engineering tool that lets you disassemble, decompile and debug your applications. ▪ __ v3 for Linux requires Ubuntu 14.04, Arch Linux, Fedora 20 or higher, and a 64 bits processor.
Industrial Control Systems (ICS)
__ a collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes.
Dictionary Attack
__ a is a automates password guessing by comparing encrypted passwords against a predetermined list of possible password values. __ is a password attack that creates encrypted versions of common dictionary words and compares them against those in a stolen password file.
Privilege Escalation in Windows
__ allows a user to run a program or process as a different user with additional permissions in a Windows OS. ▪ Cpassword ▪ Clear Text Credentials in LDAP ▪ Kerberoasting ▪ Credentials in LSASS ▪ Unattended Installation ▪ SAM Database ▪ DLL Hijacking ▪ Exploitable Services ▪ Unsecure File and Folder Permissions ▪ Keylogger ▪ Scheduled Tasks
Privilege Escalation in Linux
__ allows a user to run a program or process as a different user with additional permissions in a linux os. ▪ Set-User Identification (SUID) ▪ Set-Group Identification (SGID) ▪ Sticky Bit ▪ Unsecure SUDO ▪ Ret2libc
Windows Remote Management (WinRM)
__ allows administrators to remotely run management scripts using the WS-Management Protocol (based on SOAP) ▪ Windows Remote Management is run on server ▪ Windows Remote Shell (WinRS) is run on client
Insecure Direct Object Reference (IDOR)
__ allows attackers to manipulate references to gain access to unauthorized data. ▪ It refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control.
Remote file inclusion (RFI)
__ allows files or even whole pages to be displayed inside the vulnerable web page from another location, such as a web server.
Remote Desktop Protocol (RDP)
__ allows remote access to a machine over the network as if you were sitting right in front of it ▪ Provides GUI access through an RDP client
Kerberos Silver Tickets
__ allows services (low-level Operating System programs) to log in without double-checking that their token is actually valid, which hackers have exploited to create __. ▪ In the simplest terms, a __ is a forged authentication ticket that allows you to log into some accounts
Apple Remote Desktop (ARD)
__ allows users to remotely control or monitor other computers over a network. ▪ Recent versions allow for an encrypted AES 128-bit tunnel to be created from the machine being controlled
Cross-Site Request Forgery (XSRF)
__ also sometimes called sea surf or session riding, refers to an attack against authenticated web applications using cookies. ▪ The attacker is able to trick the victim into making a request that the victim did not intend to make.
Vulnerability Scanner
__ analyzes the response received from a service during a scan/probe, it can determine if the vulnerability exists on the given service on a server.
NETBIOS Name Service
__ are 16 characters long, with the first 15 consisting of a unique name (for a single user or computer) or a group name (for a set of users or computers).
Unquoted service paths
__ are a direct result of the CreateProcess function in Windows operating systems, where the name of a directory or program in the search path is truncated when the function identifies a blank space in the path. ▪ Windows will attempt to load each truncated executable until it finds the correct one.
Passive Infrared Sensors
__ are alarm system that use infrared light to detect movement, changes in ambient temperature, and body heat.
Container
__ are like micro virtual machines. ▪ Each container is built from the base Operating System image with unique applications run on top of them ▪ Requires less resources than a typical VM ▪ Docker, Puppet, and Vagrant are examples
Programming Comments
__ are lines in code that are not part of execution but used to describe or remove code ▪ Bash, Python, Ruby, and PowerShell all use a # to signify the code is commented
Credentialed Scans
__ are scans in which the scanning computer has an authorized account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that can not be seen from the network. ▪ Scanner uses an authorized user or admin account ▪ Closer to the system administrator's perspective ▪ Finds more vulnerabilities ▪ More detailed, accurate information
Vulnerability Scans
__ are scans of a host, system, or network to determine what vulnerabilities exist ▪ Numerous tools used by both defenders and attackers to identify vulnerabilities ▪ Tools are only as good as their configuration
Point-of-Sale (POS) Systems
__ are typically a cash register (which in recent times comprises a computer, monitor, cash drawer, receipt printer, customer display and a barcode scanner) and the majority of retail POS systems also include a debit/credit card reader.
NTLMv2 hashes
__ are used for network authentication and are based on a user's NTLM hash and derived from a challenge/response algorithm, cannot be replayed over the network.
Programming Constants
__ are used to define a set value across the entire program and cannot be changed
Programming Variable
__ are used to represent any value and can be changed during the execution of the program
XSS DOM
__ arises when an application contains some client-side JavaScript that processes data from an un-trusted source in an unsafe way, usually by writing the data to a potentially dangerous sink within the DOM. ▪ Document Object Model (DOM) is vulnerable ▪ Victim's browser is exploited (client-side XSS)
Health Insurance Portability and Accountability Act (HIPAA)
__ assessment is for organizations that manage personal health information (PHI). __ does not require a pentest per se, but does require information systems that contain PHI data to be evaluated for security risks.
Payment Card Industry Data Security Standard (PCI DSS)
__ assessment is required for organizations who accept, process, or store payment card information for consumers and merchants.
Red Team
__ assessment is used to simulate advanced persistent threats (APTs) on an organization's network.
Federal Information Security Management Act (FISMA)
__ assessments are for organizations that use government networks and are mandated under U.S. federal regulations.
Pass the Hash (PtH)
__ attack is an exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.
Spear Phishing
__ attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. __ attempts are not typically initiated by random hackers, but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information. ▪ Occurs when an attacker creates a message to appeal to a specific individual
Local file inclusion (LFI)
__ attacks include files outside of the web root and render the contents of local operating system files to the browser window. EX: POST /request.php?id=php://input&cmd=cat%20/etc/passwd HTTP/1.1
Stealth Scan
__ attempt to avoid tripping defensive control thresholds meaning the scan must minimal. ▪ Conducts scans by sending a SYN packet and then analyzing the response ▪ If SYN/ACK is received, the destination is trying to establish the connection (port is open) and the scanner sends a packet with RST - nmap -sS <target>
Decompiler
__ attempts to convert executable instructions back into source code. ▪ Output is generally awkward to read at best
Directory Traversal
__ browses outside of the web root, and would not be used to execute a command such as the one found in the example `cmd=` parameter. EX: POST /request.php?id=php://input&cmd=cat%20/etc/passwd HTTP/1.1
De-escalation
__ can decrease the severity, intensity, or magnitude of a security alert that is being reported ● Communication Reasons
Chained Exploit
__ combines several programs into one, including writing to a temporary file, netcat usage, and ftp usage. __ integrate more than one form of attack to accomplish their goal.
echo
__ command in Linux is not useful, as it will only repeat the single line of text when the binary filename is passed as an argument to the command. ▪ For example, `echo binary` will print the word "binary" to the terminal and nothing more.
`cat` (or "concat")
__ command in Linux will concatenate files and print on the standard output. This would not be a very useful tool/command to use when reading a binary file as there are a number of nonprintable characters in a binary that would fill the terminal window up with yucky, unreadable characters and make it difficult to read the printable strings.
binwalk
__ command is a fast and easy-to-use tool for analyzing and reverse-engineering executables and firmware images, such as those loaded on embedded devices (Wi-Fi routers, IoT, and so on).
strings
__ command is a useful utility in Linux to print the strings of printable characters in files (that is, ASCII characters) that are at least four characters in length.
Persistence
__ consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. ▪ The adversary is trying to maintain their foothold.
Issues section
__ describes any technical or administrative issue that negatively impacted the execution of the testing activities. Alternatively, you might mention "no issues or incidents to report" to the customer, to help send a positive message that reassures senior leadership that everyone was able to work together to accomplish the objective(s).
Physical Security Attacks
__ describes security measures that are designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks
Flow Control
__ determines how program execution should proceed.
Rules of Engagement (ROE)
__ document puts into writing the guidelines and constraints regarding the execution of a pentest and typically elaborates on subjects defined in the SOW, such as the testing methodology, target selection, etc.
Network Address Translation (NAT)
__ enables translation of a private (non-routable) network address to a public (routable) address.
Application Containers
__ encapsulate the files, dependencies and libraries of an application to run on an OS. __ enable the user to create and run a separate container for multiple independent applications or multiple services constitute a single application. ▪ Breaking out of a container can allow attackers to break into other systems
Non-credentialed Scans
__ enumerate ports, protocols, and services that are exposed on a host and identifies vulnerabilities and mis-configurations that could allow an attacker to compromise your network. ▪ Scanner doesn't have a user or admin account ▪ Closer to the hacker's perspective ▪ Fewer details, often used in early phases of attacks/tests
Connection string parameter pollution (CSPP)
__ exploits specifically the semicolon delimited database connection strings that are constructed dynamically based on the user inputs from web applications. ▪ If carried out successfully, can be used to steal user identities and hijack web credentials. ▪ Is a high risk attack because of the relative ease with which it can be carried out (low access complexity) and the potential results it can have (high impact).
nmap -SP
__ flag is used for TCP SYN discovery to declare ports
Compliance Scan
__ for specific known vulnerabilities that would make a system non-compliant. ▪ Used to identify vulnerabilities that may affect compliance with regulations or policies ▪ Commonly setup as a scanning template in your vulnerability scanner (PCI-DSS)
Registers (memory registers)
__ frequently hold pointers that reference memory.
Network Basic Input/Output System (NetBIOS)
__ helps facilitate the communications of Microsoft applications over a network and provides services such as protocol management, messaging and data transfer, and hostname resolution.
Application Scanning - Dynamic Analysis (DAST)
__ identifies vulnerabilities in a runtime environment. ▪ Automated tools provide flexibility on what to scan for. ▪ It allows for analysis of applications in which you do not have access to the actual code. ▪ It can be conducted against any application. ▪ Occurs while a program is running ▪ Program is run in a sandbox and changed noted
Reaver Tool
__ implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases __ has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
Reaver
__ implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in this paper. __ has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
ad-hoc Mode
__ in this mode wireless clients are connected in a peer-to-peer mode. __ is commonly referred as an Independent Basic Service Set (IBSS)
Active Information Gathering
__ involves direct interaction with organizational assets to gather information rather than in-directed interaction via observation or details available via external parties.
Social Engineering
__ involves manipulating people to get information or to gain access. ▪ Often utilizes deception and lies
searchsploit
__ is a Kali Linux command that can search through local `exploit-db` contents to look for public exploit code.
sudo -l
__ is a Linux command to run programs as another user or as the root user and when the sub command of -l is added will only report the permissions available to the given user.
sudo -v
__ is a Linux command to run programs as another user or as the root user and when the sub command of -v is added displays the version of sudo on the host.
SSLyze
__ is a Python tool that can analyze the SSL configuration of a server by connecting to it. ▪ Is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL servers. ▪ Server certificate validation and revocation checking through OCSP stapling. ▪ Certificate Inspection Tool
QualysGuard Vulnerability Scanner
__ is a SaaS (software as a service) vulnerability management offering. ▪ It's web-based UI offers network discovery and mapping, asset prioritization, vulnerability assessment reporting and remediation tracking according to business risk.
Censys
__ is a Search Engine for devices exposed on the Internet, it could be used by experts to assess the security they implement. ▪ Search engine for hosts and networks across the internet with data about their configuration ▪ Contains search interface, report builder, and SQL engine
Hping
__ is a TCP/IP packet assembler/analyzer, running on most *nix versions. It supports various protocols, including TCP, UDP and ICMP. ▪ Good guys commonly use it to scan ports for holes that bad guys try to exploit. ▪ It's also useful for testing network machines by firing precompiled exploits at them. ▪ is a Packet Crafting Tool
Rlogin
__ is a Unix program that allows users to log in on another host using a network. ▪ Rsh was created as part of __ package in BSD Unix ▪ Allowed a user to login and issue commands on another Unix computer over a TCP/IP network
HTTP Parameter Pollution (HPP)
__ is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate or retrieve hidden information.
HTTP Parameter Pollution (HPP)
__ is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate or retrieve hidden information. ▪ In particular, some environments process such requests by concatenating the values taken from all instances of a parameter name within the request.
Scheduled Tasks (at)
__ is a Windows command-line program to schedule tasks ▪ Task Scheduler is the GUI version of the program ● Could be used to Persist on victim machine
Property Lists (plist)
__ is a XML-formatted files stored in binary or text format that provide configuration settings and property data for many kinds of Apple applications.
telnet
__ is a a network protocol that allows a user on one computer to log into another computer that is part of the same network. ▪ Port 23 ▪ Can be used for Banner Grabbing
Kerberos Golden Tickets
__ is a authentication token for the KRBTGT account, that can use a pass-the-hash technique to log into any account, allowing attackers to move around unnoticed inside the network.
Dynamic Application Security Testing (DAST)
__ is a black-box security testing methodology in which an application is tested from the outside. ▪ A tester using SAST examines the application from the inside, searching its source code for conditions that indicate that a security vulnerability might be present.
Dictionary Attack
__ is a brute force attack that uses a dictionary of commonly used usernames and passwords. ▪ Weak passwords and passwords from previous data breaches make a great list
Lock Bumping
__ is a brute-force method of opening a pin tumbler lock with a bump key.
Bump Key
__ is a burglary tool, a generic key used along with another mechanism to apply force to open a lock
Subscriber Identity Module (SIM)
__ is a card that identifies a phone with a user and a number. __ is a integrated circuit card that, when inserted into a mobile device, programs it for a customer's use on a cellular network.
SQL Injection (Structured Query Language)
__ is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
Impacket
__ is a collection of Python classes for working with network protocols. ▪ Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. ▪ Collection of Python classes for working with network protocols ▪ Focused on low-level program access for SMB and MSRPC protocol implementation
Group Policy Object (GPO)
__ is a collection of settings that govern user and computer configurations within an Active Directory (AD) network.
Remote Shell (RSH)
__ is a command line program used to execute shell commands as another user on another computer over the network ▪ Is unsecure because it doesn't use encryption, therefore SSH should be used instead
Searchsploit
__ is a command line search tool for Exploit-DB that also allows you to take a copy of Exploit Database with you, everywhere you go. ▪ Note, The name of this utility is __ and as its name indicates, it will search for all exploits and shellcode. ▪ Command-line search tool for the Exploit-DB ▪ Allows for offline searches through local repo
ldapsearch
__ is a command that can be used to look for querying the LDAP server.
systeminfo
__ is a command that returns details on the OS name, version, security hot-fixes, and BIOS information for a given Windows host which is used to exploit the system.
Address Resolution Protocol (ARP)
__ is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. ▪ This mapping is a critical function in the Internet protocol suite. ▪ A host wishing to obtain a physical address broadcasts an __ request onto the TCP/IP network.
CWE Categories
__ is a community-developed list of common software security weaknesses. ▪ It serves as a common language, a measuring stick for software security tools, and as a baseline for weakness identification, mitigation, and prevention efforts. ▪ Research Concepts ▪ Development Concepts ▪ Architectural Concepts
FTK or Forensic Toolkit
__ is a computer forensics software made by AccessData. ▪ Scans a hard drive looking for various information. ▪ for example, locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.
Packet Capture
__ is a computer networking term for intercepting a data packet that is crossing or moving over a specific computer network. ▪ Once a packet is captured, it is stored temporarily so that it can be analyzed.
NETCAT
__ is a computer networking utility for reading from and writing to network connections using TCP or UDP. __ is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. ▪ It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts.
Netcat (nc)
__ is a computer networking utility for reading from and writing to network connections using TCP or UDP. ▪ The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. ▪ Is a Packet Crafting Tool & Banner Grabbing Tool
Metasploit Project
__ is a computer security project that shows the vulnerabilities and aids in Penetration Testing. ▪ Can be used to create security testing tools and exploit modules and also as a penetration testing system.
Access Limiation
__ is a condition in which the penetration tester has restrictions on access when they begin testing.
Nondisclosure Agreement (NDA)
__ is a confidentiality agreement that protects a business's competitive advantage by protecting its intellectual property and proprietary information.
Serial Console
__ is a connection over the RS-232 or serial port connection that allows a person access to a computer or network device console. ▪ If attacker can get physical access to the device then they can connect to the device over the serial port ▪ Lower security enabled (if any) on these ports ● Privilege Escalation
APK Studio
__ is a cross-platform free and open-source tool that lets you decompile APK files and edit codes and resources and recompile it. ▪ You can call it IDE (Integrated Development Environment) which comes with complete user friendly GUI much like other common IDEs. ▪ Cross-platform IDE for reverse engineering and recompiling Android application binaries
(Security Account Manager) SAM Database
__ is a database file that stores the user passwords in Windows as a LM hash or NTLM hash ▪ File is used to authenticate local users and remote users ▪ Passwords can be cracked offline if the SAM file is stolen ● Privilege Escalation (Windows)
GDB
__ is a debugger is a program that runs other programs, allowing the user to exercise control over these programs, and to examine variables when problems arise. ▪ GNU Debugger, which is also called gdb, is the most popular debugger for UNIX systems to debug C and C++ programs. ▪ Runs on Unix and Linux systems
Pretexting (Pretext)
__ is a false context develop to justify other actions or make them believable to a victim
Root Bridge
__ is a feature of the Spanning Tree Protocol (STP) that serves as a reference point for all switches in a spanning tree topology.
Network File System (NFS)
__ is a file system and protocol that enables network file sharing for *NIX operating systems.
foremost
__ is a forensic data recovery program for Linux used to recover files using their headers, footers, and data structures through a process known as file carving. ▪ Although written for law enforcement use, it is freely available and can be used as a general data recovery tool.
SMS Phishing (smishing)
__ is a form of criminal phone fraud, using Social Engineering and Short Message Service (SMS) systems to send bogus text messages. ▪ Involves texting someone and pretending you are someone else
Vishing (Voice Phishing)
__ is a form of criminal phone fraud, using Social Engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward. ▪ Involves calling someone and pretending you are someone else for malicious gain.
OpenVAS
__ is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. ▪ The actual security scanner is accompanied with a regularly updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total.
iOS Simulator
__ is a function of the iOS developer tool kit (Xcode) that can mimic the basic behavior of an iDevice and how it interacts with an iOS application.
AFL
__ is a fuzzer, a tool for testing software by providing randomly-generated inputs, searching for those inputs which cause the program to crash. ▪ The native-code compiler "ocamlopt" can generate such instrumentation, allowing afl-fuzz to be used against programs written in OCaml.
NCAT
__ is a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a network. __ is suitable for interactive use or as a network-connected back end for other tools. ▪ is a Packet Crafting Tool
NCAT
__ is a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a network. ▪ It aims to be your network Swiss Army knife, handling a wide variety of security testing and administration tasks. ▪ Is suitable for interactive use or as a network-connected back end for other tools. ▪ From makers of Nmap as update to Netcat
Contracting Officer
__ is a government employee with the authority to enter into, administer, and/or terminate contracts and make related determinations and findings
Array
__ is a group of elements of the same data type.
netgroup
__ is a group of users or hosts used for permission checking when permitting remote operation such as mounting file shares, remote logins, remote execution, in Linux and Unix network domain environments.
Hping
__ is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. ▪ Was inspired by the ping command, but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. __ is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities.
Microwave Sensor
__ is a high-frequencry radio wave, offering the ability to tranverse through building materials.
Redirect Attack
__ is a kind of vulnerability that redirects you to another page freely out of the original website when accessed, usually integrated with a phishing attack ▪ Sends user to login page to capture credentials
Pivoting
__ is a lateral movement technique that can allow an attacker to move from host to host using remote access tools such as SSH, Telnet, FTP, RDP, VNC.
nmap -sP
__ is a legacy (and depreciated) command for a ping scan.
Dynamic Link Library (DLL)
__ is a library that contains code and data that can be used by more than one program at the same time. __ provides a method for sharing code and allows a program to upgrade its functionality without requiring re-linking or recompiling of the application ● Can be used for Privilege Escalation (Windows)
PsExec
__ is a light-weight telnet-replacement that lets you execute processes on other systems with full interactivity for console applications without having to manually install client software
Security Account Manager (SAM)
__ is a local database file that contains local account settings and password hashes for the host.
accesschk.exe
__ is a local operating system console program used to identify users or groups that have access to specific resources, such as files, directories, Windows services, etc.
Cipher lock
__ is a lock opened via a programmable keypad designed to limit access to a controlled area.
Watering Hole (Waterholing) Attack
__ is a malware attack in which the attacker observes the websites often visited by a victim or a particular group, and infects those sites with malware. __ has the potential to infect the members of the targeted victim group.
X11 Forwarding
__ is a mechanism that allows a user to start up remote applications but forward the application display to your local Windows machine. ▪ X-windows/X-server is the GUI for Linux __● Known collectively as X11 ▪ X-windows/X-server over an SSH connection
Backdoors
__ is a method to bypass normal authentication or encryption in a computer system ▪ May take the form of a hidden part of a program (such as a trojan or rootkit) ▪ Default passwords are considered a backdoor when they are not changed by the user ● Could be used to Persist on victim machine
Kerberoasting
__ is a method used to steal service account credentials. ▪ Any domain user account that has a service principal name (SPN) set can have a service ticket (TGS) ▪ Ticket can be requested by any user in the domain and allows for offline cracking of the service account plaintext password ● Privilege Escalation (Windows)
Rooting
__ is a mobile device exploitation that is the process of exploiting a software vulnerability in the operating system that enables low-level execution with elevated privileges and enables the user to make modifications to the operating system that were not necessarily intended by the manufacture.
Dirbuster
__ is a multi threaded java application designed to brute force directories and files names on web/application servers. ▪ Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. ▪ Brute-force tool for directories and file names on web/application servers
IDA Pro or IDA (Interactive Disassembler)
__ is a multi-platform, multi-processor dis-assembler that translates machine executable code into assembly language source code for purpose of debugging and reverse engineering. ▪ It can be used as a local or as a remote debugger on various platforms ▪ Generates assembly language code from executable code ▪ GUI and supports executables from multiple operating systems
Patator
__ is a multi-purpose brute-forcer, with a modular design and a flexible usage. ▪ Multi-purpose brute-force attack tool ▪ Supports modules for different target services
WinDBG
__ is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. ▪ Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development.
Kerberos
__ is a network authentication protocol that leverages a ticketing system to allow hosts and user operating over the network to prove their identity to one another in a secure fashion.
Airbase-ng
__ is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. ▪ It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic.
Bully Tool
__ is a new implementation of the WPS brute force attack, written in C. ▪ It is conceptually identical to other programs, in that it exploits the (now well known) design flaw in the WPS specification.
John the Ripper
__ is a open source password cracking tool that combines several different cracking programs and runs in both brute force and dictionary attack modes.
Java Archive (JAR)
__ is a package file format that includes all of the necessary resources (i.e., class files, images, text, etc.) into one resource for a Java application to execute successfully.
Scapy
__ is a packet manipulation tool for computer networks, written in Python. ▪ It can forge or decode packets, send them on the wire, capture them, and match requests and replies. ▪ It can also handle tasks like scanning, tracerouting, probing, unit tests, attacks, and network discovery.
Hashcat
__ is a password cracker. ▪ It is designed to break even the most complex passwords. ▪ To do this, it enables the cracking of a specific password in multiple ways, combined with versatility and speed.
Hydra
__ is a password detection tool (cracking) that can be used in a wide range of situations, including authentication-based forms commonly used in web applications. ▪ When you need brute force cracking remote authentication. ▪ Brute-force network log-on cracking tool ▪ Repeatedly attempts to login to a system
Cain and Abel (Cain)
__ is a password recovery tool for Microsoft Windows. ▪ It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalys is attacks.
BeEF (Browser Exploitation Framework)
__ is a pentesting utility focused upon exploitation of and by the web browser. ▪ Unlike other security frameworks, it looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser.
Sticky Bit
__ is a permission bit that is set on a file or a directory that lets only the owner of the file/directory or the root user to delete or rename the file. ▪ No other user is given privileges to delete the file created by some other user. ▪ Used for shared folders like /tmp ▪ Attack cannot remove files owned by others EX: __● # ls -ld /var/tmp __● drwxrwxrwt 2 sys sys 512 Jan 26 11:02 /var/tmp __● "- T" refers to when the execute permissions are off. __● "- t" refers to when the execute permissions are on. ● Privilege Escalation (Linux)
Perimeter Barrier
__ is a physical security protection to help delay an attack or reduce damage to the facility, such as a gate, concrete barrier or fence.
Mimikatz
__ is a post-exploitation tool that dumps passwords from memory, as well as hashes, PINs and Kerberos tickets. ▪ Other useful attacks it enables are pass-the-hash, pass-the-ticket or building Golden Kerberos tickets. ▪ Targets Windows machines to extract plain-text passwords, hashes, PIN codes, and Kerberos tickets from the machine's memory ▪ Can be used for pass-the-hash, pass-the-ticket, and creating Golden Tickets
Tableau
__ is a powerful and fastest growing data visualization tool used in the Business Intelligence Industry. ▪ It helps in simplifying raw data into the very easily understandable format. ▪ Data analysis is very fast with __ and the visualizations created are in the form of dashboards and worksheets.
EnCase
__ is a powerful investigation platform that collects digital data, performs analysis, reports on findings and preserves them in a court validated, forensically sound format __ allows the investigator to conduct in depth analysis of user files to collect evidence such as documents, pictures, internet history and Windows Registry information.
Responder
__ is a powerful tool for quickly gaining credentials and possibly even remote system access. ▪ Has the ability to prompt users for credentials when certain network services are requested, resulting in clear text passwords. It can also perform pass-the-hash style attacks and provide remote shells ▪ LLMNR, NBT-NS, and MDNA poisoner ▪ Used to answer specific queries based on name suffix on the network
Rainbow Tables
__ is a pre-computed hash values of known usernames and passwords used for offline password file cracking
Local Security Authority Subsystem Service (LSASS)
__ is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. ▪ It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. ● Privilege Escalation (Windows)Unattended installations
Compliance Auditing
__ is a process of evaluating organizational controls to determine their adherence to standards and regulations.
Communication
__ is a process through which you send messages to and receive messages from others. ▪ Lots of __ is needed before, during, and after a penetration test ▪ Therefore, it is important to understand: __● __ paths __● What triggers __ to occur __● And the reason for communicating in the first place
Binary Search
__ is a process used to determine the middle element of the array and compare it to the target value. ▪ If the middle element matches, it is returned. However, if the value is greater than the middle element position, the lower-half of the array is discarded. ▪ This method can be used to help speed up SQL injection attacks.
Remediation
__ is a process used to fix or resolve an unwanted deficiency.
Distributed Component Object Model (DCOM)
__ is a proprietary Microsoft technology for communication between software components on networked computers
Link-Local Multicast Name Resolution (LLMNR)
__ is a protocol based on the Domain Name System packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link. ▪ Port: UDP 137, UDP 138, TCP 139, TCP 5355, and UDP 5355
Simple Mail Transfer Protocol (SMTP)
__ is a protocol for sending e-mail messages between servers. ▪ Standard protocol for transmitting email ▪ Open relay, local relay, phishing, spam, etc. ▪ Port: 25 or 2525 or 587
Microsoft Remote Procedure Call (MSRPC)
__ is a protocol that allows a remote user to call procedures on a remote system as though they were calling it from the local system.
Remote Procedure Call (RPC)
__ is a protocol used in Windows to allow the remote execution of code on a remote computer or server
Domain Name System (DNS)
__ is a protocol within a set of standards that is used to associate a computer name to an IP address.
WHOIS
__ is a public Internet database that contains information about Internet domain names and the people or organizations that registered the domains. ▪ It is a source of information that can be used to exploit system vulnerabilities. ▪ Is a Reconnaissance Tool
Full Disclosure
__ is a public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community.
PowerShell Empire
__ is a pure post-exploitation agent built on cryptologically-secure communications and a flexible architecture. __ implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.
WHOIS
__ is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information. ▪ Query and response protocol for internet resources
Interrogation
__ is a question or an intense questioning session. ▪ Interviews used by law enforcement, military, or intelligence agencies ▪ Pentesters won't generally use this technique...
Tenable's Nessus Vulnerability Scanner
__ is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network.
Double Tagging
__ is a result of a switch port being configured to use native VLANs, where an attacker can craft a packet and pre-pend a false VLAN tag along with its native VLAN to bypass layer-3 access control. ▪ Attack is unidirectional ▪ A type of VLAN hopping attack aimed at gaining unauthorized access to a VLAN.
Evil Twin Attack
__ is a rogue access point that appears to be legitimate but is setup to eavesdrop on wireless communication.
CeWL
__ is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper. ▪ Tool to create a custom wordlist or dictionary ▪ Searches a target website for words meeting criteria set as inputs
Credentialed Vulnerability Scanning
__ is a scan conducted by a vulnerability scanner that has been given access to the system with the same rights as an authorized user.
Shodan
__ is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. ▪ Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client. ▪ Search engine that lets you find webcams, routers, servers, and more on the internet
Data Execution Prevention (DEP)
__ is a security feature implemented in hardware and software that controls execution behavior on the stack and helps prevent against stack-based buffer overflows.
Fuzzing
__ is a security testing technique that sends unexpected , random data to a input control within a application or network service to generate errors in hopes of discovering or exposing security weaknesses that could be exploited.
Magnetic Switches
__ is a sensor that can be installed between doors and door frames, and windows and window frames that rely on continuous magnetic connection to monitor the state. ▪ Can be used to trigger alarms.
Advanced Persistent Threat (APT)
__ is a sequence of actions perpetuated by an individual or group of individuals with the resources to establish persistent, stealthy, long-term footholds that target specific goals and specific victims utilizing opportunistic attacks.
Linear Search
__ is a sequential process of evaluation where every value is checked until the correct value has been identified.
Powersploit
__ is a series of Microsoft PowerShell scripts that can be used in post-exploitation scenarios during authorized penetration tests. ▪ Collection of Microsoft PowerShell modules for use in penetration testing ▪ Considered a post-exploitation framework
Adjudication
__ is a series of steps that determine which vulnerabilities are valid. ▪ Determine which results are valid __● Filter out False Positives
Protocol
__ is a set of formal rules that describe the functionality of how to send and receive data.
Group Policy Preferences (GPP)
__ is a set of optional extensions provided to expand the functionality of Group Policy Objects (GPOs). ▪ Allows Active DIrectory (AD) domain admins to create domain policies.
Docker
__ is a set of platform-as-a-service products that use OS-level virtualization to deliver software in packages called containers. ▪ Containers are isolated from one another and bundle their own software, libraries and configuration files. ▪ They can communicate with each other through well-defined channels.
Windows Management Instrumentation (WMI)
__ is a set of specifications from Microsoft for consolidating the management of devices and applications in a network from Windows computing systems
Static Application Security Testing (SAST)
__ is a set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. __ solutions analyze an application from the "inside out" in a nonrunning state
SYSVOL
__ is a shared directory used to store logon scripts, Group Policy data, and other domain-wide data that is viewable by any user who is a member of the domain.
Dynamic-Linked Library (DLL)
__ is a shared library concept implemented in Microsoft operating systems.
script
__ is a short program that is used to automate tasks
System on a Chip (SoC)
__ is a single chip containing all the computer circuits an embedded device such as a microwave needs to control it. __ modern microprocessor that contain the CPU, memory, and peripheral interfaces; a miniature computer; an example is the Raspberry Pi or Smartphone or Tablet.
SQLmap
__ is a single-purpose vulnerability scanner, serving to detect and exploit database vulnerabilities, thereby automating the process of exploiting SQL injection flaws and the taking over of database servers.
OpenVAS (Open-source Scanner)
__ is a software framework of several services and tools offering vulnerability scanning and vulnerability management. ▪ All __ products are free software, and most components are licensed under the GNU General Public License.
Application Scanning
__ is a software program which performs automatic black box testing on a web application and identifies security vulnerabilities. ▪ Scanners do not access the source code, they only perform functional testing and try to find security vulnerabilities
Whaling Phishing
__ is a specific and targeted Social Engineering attack that targets high-profile employees, such as the CEO or CFO, in order to steal sensitive information from a company, as those that hold higher positions within the company typically have complete access
Reflected XSS
__ is a specific type of XSS whose malicious script bounces off of another website to the victim's browser. It is passed in the query, typically, in the URL. ▪ It makes exploitation as easy as tricking a user to click on a link.
Medusa
__ is a speedy, parallel, and modular, login brute-forcer. ▪ The goal is to support as many services which allow remote authentication as possible. ▪ The author considers the following items as some of the key features of this application: Thread-based parallel testing. ▪ Supports numerous remote authentication protocols (rlogin, ssh, telnet, http, etc)
touch
__ is a standard command used in UNIX/Linux operating system which is used to create, change and modify timestamps of a file. __ (Linux, Unix, OSX) __● Updates time to the current time
Structured Query Language (SQL)
__ is a standard computer language for relational database management and data manipulation. ▪ Prevent this through input validation and using least privilege for SQL is used to query, insert, update and modify data.
JTAG Debug
__ is a standard for verifying designs and testing printed circuit boards __● Diagnostic connection ▪ Port use for debugging, probing, and programming ▪ With breakpoints setup, the __ can be used to read registers from motherboard and read arbitrary memory locations ● Privilege Escalation
File Transfer Protocol (FTP)
__ is a standard network protocol used for the transfer of computer files between a client and server on a computer network. ▪ Port: 21
Peach
__ is a state-of-the-art fuzzing engine and a convenient graphical user interface come together to create the world's most advanced fuzzing tool. ▪ The __ Fuzzer Platform uses automated generative and mutational modeling and intelligent test case generation to reveal the hidden bugs that other testing methods miss.
Identify assets
__ is a step in the threat modeling process that define critical elements that an organization needs to protect such as employees, facilities, servers, workstations, sensitive date, etc.
Architecture Overview
__ is a step in the threat modeling process that documents what an application or system does, describes how it is physically and logically implemented, and identifies the technologies that are in use.
Document the Threats
__ is a step in the threat modeling process where the organization will match each threat, threat actor, and respective vulnerability relevant to the organization.
Decomposed the Application
__ is a step in the threat modeling processes that breaks down the technologies and organizational assets and investigates the entry points and trust boundaries between interconnected systems.
Immunity debugger
__ is a straightforward application worth having when you need to write exploits, analyze malware and reverse engineer Win32 binaries. ▪ Because of its advanced options, Immunity Debugger will display a new window that enables you to choose your selected function. ▪ Used to write exploits, analyze malware, and reverse engineer binary files ▪ Supports Python APIs and execution
Stack Smashing
__ is a subcategory of buffer overflow that occurs when a program writes data to memory that is not allocated for the data structure in question.
Aircrack-ng
__ is a suite of tools to assess WiFi network security. ▪ Wireless hacking suite that consists of scanner, packet sniffer, and password cracker ▪ It focuses on different areas of WiFi security: Monitoring: Packet capture and export of data to text files for further processing by third party tools.
Keylogger
__ is a surveillance technology used to monitor and record the keystrokes of a victim user which can be software or hardware-based ● Privilege Escalation (Windows)
Advance Encryption Standard (AES)
__ is a symmetric block cipher used in both hardware and software to encrypt sensitive information.
Internet of Things (IoT)
__ is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
Supervisory Control and Data Acquisition (SCADA)
__ is a system of software and hardware elements that allows industrial organizations to: Control industrial processes locally or at remote locations. Monitor, gather, and process real-time data.
MAC flooding
__ is a technique employed to compromise the security of switched network devices. ▪ The attack forcing legitimate MAC addresses out of the table of contents in the switch and forcing a unicast flooding behavior potentially sending sensitive information to portions of the network where it is not normally intended to go.
Lock Bypass
__ is a technique in lockpicking, of defeating a lock through unlatching the underlying locking mechanism without operating the lock at all. ▪ Pentester could jam a lock or bypass it by manipulating the locking function ▪ Stop a door from being shut fully by inserting a spacer or wedge
Heap Spray
__ is a technique that consists of sending large blocks of byte-code to the memory of a target process (its heap), attempting to get a particular byte sequence into a specific location.
Timestomp
__ is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. ▪ touch (Linux, Unix, OSX) __● Updates time to the current time ▪ ctime (Linux, Unix, OSX) __● Change the time to a given date/time ▪ Meterpreter has built-in tool
Phishing
__ is a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail. ▪ Lures people into providing sensitive data __● Personal identifiable information __● Banking information __● Passwords
NOP Slide
__ is a technique used in buffer overflow attacks. The NOP instruction indicates that no action should be taken by the processor, effectively sliding the instruction pointer down the stack until it reaches an instruction pair that can be acted upon.
Application Scanning - Static Analysis (SAST)
__ is a testing methodology that analyzes source code to find security vulnerabilities that make your organization's applications susceptible to attack. __ scans an application before the code is compiled. ▪ It's also known as white box testing. ▪ Performed in a non-runtime environment ▪ Inspects programming code for flaws/vulnerabilities ▪ Line by line inspection can be performed
Robots.txt
__ is a text file webmasters create to instruct web robots (typically search engine robots) how to crawl pages on their website. ▪ Very valuable to an attacker and PenTester.
theHarvester
__ is a tool for gathering e-mail accounts, subdomain names, virtual hosts, open ports/ banners, and employee names from different public sources ▪ Gathers emails, subdomains, hosts, employee names, open ports, and banners
APKX
__ is a tool for reverse engineering 3rd party, closed, binary Android apps. ▪ Can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. ▪ Python wrapper to extract Java source code directly from Android APK files
Proxychains
__ is a tool that forces any TCP connection made by any given application to follow through proxy like TOR or any other SOCKS4, SOCKS5 or HTTP(S) proxy. ▪ Tool that forces TCP connections from all applications to run through a proxy ▪ Can be TOR or other HTTP/SOCKS proxy ▪ Used in Evasion & Remote Access
FOCA (Fingerprinting Organizations with Collected Archives)
__ is a tool used mainly to find metadata and hidden information in the documents its scans. ▪ Used to find metadata and hidden info in docs ▪ These documents may be on web pages, and can be downloaded and analyzed with __.
Hydra
__ is a tool used to help automate the login process, which can allow the pentester to make the most efficient use of his time.
CeWL
__ is a tool used to scrape web pages to derive a wordlist with which to target specific organizations.
Blind SQL injection
__ is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the application's response. ▪ This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
Switch Spoofing
__ is a type of VLAN hopping attack, A switch interface which is connected to an end device (a computer or a printer) are normally in access mode and that end device will have access to its own VLAN. ▪ Attempt to auto negotiate with a targeted switch by setting your device to act as a switch ▪ Switches get copies of all VLAN traffic and separate them based on tags
Cross-Compiling Code
__ is a type of a compiler that can create an executable code for a platform other than the one on which the compiler is running. ▪ Many pentesters use Kali Linux but many victim systems are Windows-based ▪ Exploits for Windows can be compiled on Linux using tools like Mingw-w64
ARP spoofing
__ is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. ▪ This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network.
Authentication Attack
__ is a type of attack that can occur when we fail to use strong authentication mechanisms for our applications
Credential Stuffing
__ is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.
Deauthentication (DeAuth) Attack
__ is a type of denial of service that targets communication between a user and a wireless access point ▪ An attacker can send a deauthentication frame at any time to a wireless access point, with a spoofed address for the victim.
HTML Injection
__ is a type of injection issue that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.
Combination Lock
__ is a type of mechanical lock that requires a proper sequence of letters, numbers, symbols, or even directional movements using a joystick before the lock can open.
Master Service Agreement (MSA)
__ is a type of overarching contract between two or more parties where each party agrees to most terms that will govern all other future transactions and agreements, such as payment terms, dispute resolution, social responsibility, business ethics, network and facility access, etc.
egress sensor
__ is a type of passive infrared sensor (PIR) that organizations can use to release a magnetic locking mechanism to allow an individual to exit through a doorway.
Shoulder Surfing
__ is a type of social engineering technique used to obtain information such as personal identification numbers, passwords and other confidential data by looking over the victim's shoulder. ▪ Reading the screen of another user ▪ Looking at a user entering a PIN or password
Joint Test Action Group (JTAG)
__ is a type of standard used for debugging and connecting to embedded devices on a circuit board.
traceroute
__ is a utility application that monitors the network path of packet data sent to a remote computer. ▪ Is a Reconnaissance Tool
Android Debug Bridge (ADB)
__ is a versatile command-line tool that lets you communicate with a device. __ command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.
Programmable Logic Controller (PLC)
__ is a very small dedicated computer in an industrial system that is capable of converting analog data to digital data. The __ works in real time, can control machinery, and is a critical component of the ICS (industrial control system).
False Positives
__ is a vulnerability identified by the scan but does not really exist on the system. ▪ Should be filtered out of your scans
Rapid7's Nexpose
__ is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. ▪ It integrates with Rapid7's Metasploit for vulnerability exploitation.
DLL Hijacking
__ is a way for attackers to execute unexpected code on your machine. ▪ This means that if an attacker can get a file on your machine (by social engineering, remote control, etc.) that file could be executed when the user runs an application that is vulnerable to __. ▪ Commonly used by malware to achieve persistence on the victim machine ● Privilege Escalation (Windows)
Nikto
__ is a web server scanner and is a security tool that will test a web site for thousands of possible security issues. ▪ Including dangerous files, mis-configured services, vulnerable scripts and other issues. ▪ It is open source and structured with plugins that extend the capabilities.
RFID (radio frequency identification)
__ is a wireless communication standard that uses radio waves to read data stored on a tag from a distance.
Jamming
__ is a wireless denial of service attack that prevents devices from communicating with each other by occupying taking over frequency.
Kismet
__ is a wireless network detector (scanner), packet sniffer, and Intrusion Detection System (IDS) for 802.11 wireless LAN's. ▪ Will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic. ▪ The program runs under Linux, FreeBSD, NetBSD, OpenBSD, and Mac OS X.
iOS app sotre package (IPA)
__ is a zip-compressed archive containing the necessary files to run an application on the Apple iOS mobile architecture.
When to Dispose a PenTest Report
__ is after the customer confirms receipt of the pentest report, based on agreed-upon terms in the RoE is correct. ▪ Once the customer has provided confirmation of successfully receiving and extracting the report, all remaining digital or written copies of the report should be marked for proper disposal and deletion, based on agreed-upon methods outlined in the rules of engagement (RoE).
Packet Crafting
__ is also known as packet manipulation ▪ Sending modified packet headers to gather information from a system or host ▪ Creating specific network packets to gather information or carry out attacks ▪ Tools - netcat, nc, ncat, hping
Simple Network Management Protocol (SNMP)
__ is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. ▪ Used to query and manage IP devices ▪ Port: 161, 162
Nikto (Web Application Scanner)
__ is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers.
Open Relay
__ is an Simple Mail Transfer Protocol (SMTP) email server that allows anyone on the Internet to send messages through it while hiding or obscuring the source of the messages being sent.
Deception
__ is an act of being deceived. Used in SE attacks.
Host Discovery
__ is an active scanning technique used to aid in the process of information gathering, with the goal of identifying host that are alive and listen on the network.
Meterpreter
__ is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at run-time. ▪ It communicates over the stager socket and provides a comprehensive client-side Ruby API. ▪ It features command history, tab completion, channels, and more.
RESTful API
__ is an application program interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data.
Service Oriented Architecture (SOA)
__ is an architectural paradigm and its aim is to achieve a loose coupling amongst interacting distributed systems. __ is used by enterprises to efficiently and cost-effectively integrate heterogeneous systems. __ is affected by several security vulnerabilities, thus affecting the speed of its deployment in organizations. __ is most commonly vulnerable to a XML denial of service.
Representational State Transfer (REST)
__ is an architectural style for developing web services. __ is popular due to its simplicity and the fact that it builds upon existing systems and features of the internet's Hypertext Transfer Protocol (HTTP) in order to achieve its objectives, as opposed to creating new standards, frameworks and technologies.
Cookie Manipulation
__ is an attack methodology that targets session management and authentication on a web server. __ arises when a script writes controllable data into the value of a cookie.
Exploit
__ is an attack on a computer system, especially one that takes advantage of a particular vulnerability the system offers to intruders. ▪ Does not show up in a Vulnerability Scan.
Rainbow Tables
__ is an attack on a password that uses a large pregenerated data set of hashes from nearly every possible password ▪ In password cracking, a set of precalculated encrypted passwords located in a lookup table.
Session hijacking
__ is an attack on the web session control mechanism by taking over a session by guessing session token
Ret2libc
__ is an attack technique that relies on overwriting the program stack to create a new stack frame that calls the system function ▪ Stands for "return to library call" ● Privilege Escalation (Linux)
Directory Traversal
__ is an attack that allows access to restricted directories and for command execution outside of the webserver's root directory
Downgrade Attack
__ is an attack that attempts to have a client or server abandon a higher security mode to use a lower security mode. ▪ TLS 1.2 is more secure than SSL 2.0 __● Downgrade attack will cause session to attempt to establish an SSL 2.0 connection
Denial of Service (DoS)
__ is an attack that attempts to prevent a system from performing its normal functions. ▪ Called a stress test in penetration testing ▪ Attack that denies resources or a service to an authorized user by exhausting resources
Karma Attack
__ is an attack that exploits a behavior of some Wi-Fi devices, combined with the lack of access point authentication in numerous WiFi protocols. ▪ It is a variant of the evil twin attack.
Credential Harvesting
__ is an attack that focuses on collecting usernames and passwords from its victims ▪ In wireless, this is usually performed by creating a fake Captive Portal ▪ ESPortalV2 can be used to setup a fake portal and redirect all WiFi devices connected to the portal for authentication
Cross-Site Request Forgery (XSRF)
__ is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. __ attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
File Inclusion
__ is an attack that includes a file into a targeted application by exploiting a dynamic file inclusion mechanism ▪ Usually occurs due to improper input validation by application ▪ File can be included __● Local ----o ../../uploads/malware.exe __● Remote ----o https://www.xyz.com/malware.exe
Cross-Site Scripting (XSS)
__ is an attack that injects scripts into a Web application server to direct attacks at clients.
Replay Attack
__ is an attack that occurs when valid data is captured by an attacker and is repeated or delayed. ▪ Example: An attacker could capture a wireless authentication handshake and replay it to gain access to the wireless network as an authenticated client
Clickjacking
__ is an attack that uses multiple transparent layers to trick a user into clicking on a button or link on a page when they were intending to click on the actual page. ▪ Conceals hyperlinks under legitimate clickable content
Network Access Control (NAC) Bypass
__ is an attack where a malicious attacker bypasses the NAC to gain access to the network without authorization. ▪ NAC can prevent you from gaining access to the network ▪ NAC can often be bypassed by spoofing the MAC address of a VOIP device __● Many VOIP devices don't support 802.1x __● Their MAC addresses are often whitelisted for NAC
SSL Stripping
__ is an attack where a website's encryption is tricked into presenting the user with a HTTP connection instead of a HTTPS connection.
Distributed Denial-Of-Service (DDoS) attack
__ is an attack where many computers collaborate to shut down a target, usually by keeping it busy or overwhelming it with incoming requests. ▪ Normally a collection of systems (Bot Network) carries out the attack
DOM-Based XSS
__ is an attack wherein the attack payload is executed as a result of modifying the DOM "environment" in the victim's browser used by the original client side script, so that the client side code runs in an "unexpected" manner.
Local Security Authority (LSA)
__ is an authentication model in Windows operating system that provides additional beneficial features and options. ▪ Such as supporting for multi-factor authentication (smart cards), custom security packages and credential management in order to support interaction with non-Microsoft products such as network or databases. ▪ Used for authenticates and creates logon Session to the Local Computer.
WiFite
__ is an automated Wireless Attack tool. ▪ To attack multiple WEP, WPA, and WPS encrypted networks in a row. ▪ Is tool is customizable to be automated with only a few arguments. ▪ Automated wireless attack tool
Nmap Scripting Engine (NSE)
__ is an embedded Lua programming language interpreter that provides features that help automate various tasks such as information discovery and exploitation techniques.
Certificate Authority (CA)
__ is an entity trusted by one or more users as an authority in a network that issues, revokes, and manages digital certificates.
Broadcast Storms
__ is an excessive amount of broadcast traffic that occurs within a short period of time, such that it may disrupt normal operation and cause loops in the networks, where a broadcast frame is bounced back and forth between switches, due to redundant paths.
Timeline
__ is an important part for senior leadership to understand because it puts findings into perspective, such as how long it took to find the vulnerability, the time it took to exploit it, and so on.
Burp Suite
__ is an integrated platform for performing security testing of web applications. ▪ Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. ▪ Graphical tool for web application security ▪ Allows for the interception, inspection, and modification of raw traffic passing through it
Access Control Point
__ is an intentionally selected point of ingress or egress that is restricted by design, monitoring, or physical limitation that allows a facility owner to control entrance or exit for a physical location.
Embedded Devices
__ is an object that contains a special-purpose computing system. ▪ The system, which is completely enclosed by the object, may or may not be able to connect to the Internet.
Legal Representation
__ is an official appointed by an organization to ensure that legal obligations and commitments are upheld by all parties, including the vendor providing the penetration testing services.
TCPDump
__ is an open source command-line tool for monitoring (Sniffing) network traffic. ▪ Works by capturing and displaying packet headers and matching them against a set of criteria.
SQLmap
__ is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. ▪ Support to dump database tables entirely, a range of entries or specific columns as per user's choice.
YASCA (Yet Another Source Code Analyzer)
__ is an open source program which looks for security vulnerabilities, code-quality, performance, and conformance to best practices in program source code
Puppet
__ is an open source software configuration management and deployment tool. __ provides the ability to define which software and configuration a system requires and then maintain a specified state after an initial setup. ▪ It's most commonly used on Linux and Windows to pull the strings on multiple application servers at once.
Wireshark
__ is an open source tool for profiling network traffic and analyzing packets. ▪ The capture traffic can be useful for evaluating security events and troubleshooting network security device issues. ▪ Will typically display information in three panels.
SET (Social Engineer Toolkit)
__ is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. ▪ Is aimed at leveraging advanced technological attacks in a social-engineering type environment.
SonarQube
__ is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages
Vagrant
__ is an open-source software product for building and maintaining portable virtual software development environments, e.g. for VirtualBox, KVM, Hyper-V, Docker containers, VMware, and AWS. ▪ It tries to simplify software configuration management of virtualizations in order to increase development productivity.
OWASP Zed Attack Proxy (ZAP)
__ is an open-source web application security scanner. ▪ It is intended to be used by both those new to application security as well as professional penetration testers. ▪ The tool can be used during web application development by web developers or by experienced security experts during penetration tests to assess web applications for vulnerabilities.
W3AF
__ is an open-source web application security scanner. ▪ The project provides a vulnerability scanner and exploitation tool for Web applications. ▪ It provides information about security vulnerabilities for use in penetration testing engagements.
Real-Time Operating System (RTOS)
__ is an operating system intended to serve real-time applications that process data as it comes in, typically without buffer delays. ▪ Usually found in embedded systems ▪ Security is not a primary concern during their development ▪ Usually a stripped-down version of Linux ▪ Uses limited resources on the machine and can be subjected easily to attacks
Nessus Attack Scripting Language (NASL)
__ is an proprietary language developed by Tenable used to develop Nessus plugins, which contain vulnerability information, remediation details, and the logic to determine the presence of a security weakness.
Ollydbg
__ is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. ▪ It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries. ▪ Assembler level debugger for Windows ▪ Useful for binary code analysis without source code being available
Trojans
__ is any malicious computer program that misleads users to their true intent. ▪ A piece of software that pretends to be a game but allows the attacker access to the system. ▪ Used as a technical form of social engineering ● Could be used to Persist on victim machine
Network Access Control (NAC)
__ is built from the principles of IEEE 802.1x and control what devices allowed to connect to a network by implementing a set of protocols and policies that enforce requirements for authentication during connection to the network, such as posture checking or whitelisting.
Segmentation Fault (segfault)
__ is caused by a software program attempting to read or overwrite a restricted area of memory.
Evasion
__ is challenging a security control successfully, such as deploying malware in a location on a hard drive that does not get scanned by antivirus software.
Elicitation
__ is collecting intelligence information from people as part of human intelligence (intelligence collection) ▪ Usually uses a series of questions to get employees to tell you valuable or sensitive information ▪ If you can compromise one email account then you can elicit more information from other employees by acting like that person
Dumpster Diving
__ is combing through trash to identify valuable assets. ▪ Pentester looks through the trash of an organization ▪ Looking for paperwork, disks, USB drives, badges, files, manuals
Programming
__ is creating a sequence of instructions to tell a computer how to perform a specific task
OSINT (Open Source Intelligence)
__ is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term "open" refers to overt, publicly available sources. ▪ It is not related to open-source software or collective intelligence.
Open-Source Intelligence (OSINT)
__ is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term "open" refers to overt, publicly available sources. ▪ It is not related to open-source software or collective intelligence.
Kerberos Authentication
__ is designed to provide strong authentication for client/server applications by using secret-key cryptography. ▪ It uses secret key cryptography ▪ Ticket granting server (TGS)
Injection Attacks
__ is insertion of additional information or code via a data input from a client to the application ▪ Most commonly done as SQL inject, but can also be HTML, Command, or Code ▪ Prevent this through input validation and using least privilege for the databases
Packet Inspection
__ is manual enumeration performed by analyzing the captured packets to determine information ▪ Capturing and analyzing network packets ▪ Tool - Wireshark
Web Proxies
__ is one method for hiding your IP address from the websites you visit. EX: o When you request the Lifewire site through an online proxy, all you're really doing is telling the proxy server to access Lifewire for you, and then when they receive the page you want, they send it back to you.
IDA Pro or IDA (Interactive Disassembler)
__ is primarily a multi-platform, multi-processor dis-assembler that translates machine executable code into assembly language source code for purpose of debugging and reverse engineering. ▪ It can be used as a local or as a remote debugger on various platforms.
Compliance-based Assessment
__ is really a gap assessment. You are looking to identify gaps between your existing control environment and what is required. ▪ Mandated by standard, regulation, or legislation __● Ex: PCI-DSS
Erase, Modify, or Disable the Evidence
__ is removing any unneeded files or tools that were added to the victim's machine to cover your tracks. ▪ Hiding other files and resources in hidden or uncommon locations (Hide files in the slack space). ▪ Linux, Unix, OS X __● Create a folder beginning with . ▪ Windows __● Hide stuff in the System32 or User folders __● Apply hidden attribute __● Use alternate Data Streams
Bluejacking
__ is sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs, or laptops ▪ Essentially harmless as it only transmits data to the target device
Set-Group Identification (SGID)
__ is similar to the SUID permission, only difference is - when the script or command with SGID on is run, it runs as if it were a member of the same group in which the file is a member. EX: __● # ls -l /usr/bin/write __● -r-xr-sr-x 1 root tty 11484 Jan 15 17:55 /usr/bin/write ▪ The setgid permission displays as an "s" in the group's execute field. The first s stands for the SUID and the second one stands for SGID. ● Privilege Escalation (Linux)
Impersonation
__ is someone who imitates or copies the behavior or actions of another. __ is an act of pretending to be someone else in order to gain access or gather information
NTLM hash
__ is stored in the Security Account Manager (SAM) database on the local computer, or the NTDS.dit database on the Domain Controller. __ can be used for remote authentication, which is permitted with relay or pass the hash (PtH) methods of attack.
Server Message Block (SMB)
__ is the Internet standard protocol Windows uses to share files, printers, and serial ports. ▪ It can also communicate with any server program that is set up to receive an SMB client request. ▪ Port: 139, 445
Clearing the Log Files
__ is the act of cleaning up traces of your activities in various log files to cover your tracks. ▪ Windows __● System logs, Application logs, Security logs, Event logs ▪ Linux __● Logs are usually stored in /var/logs ▪ IMPORTANT __● Penetration testers DO NOT usually modify or delete any of the logs... Check Your Scope Of Work!
Badge Cloning
__ is the act of cloning an official badge to bypass security. ▪ Identification badges are required by many organizations ▪ Snap a photo using a digital camera and reproduce the security badge __● Works visually but won't make it past a reader ▪ Badge cloners can reproduce magnetic swipe or RFID badges
Lock Picking
__ is the art of opening a lock without a key. ▪ Many areas that the pentester needs access to are locked ▪ Learning lock picking is a valuable skill for a pentester who focuses on physical security
Drozer
__ is the combination of two key components. ▪ 1. Agent: a lightweight Android app that runs on the device or emulator being used for testing. ▪ 2. Console: a command-line interface running on your PC that allows you to interact with the Dalvik VM through the Agent. ▪ Provides tools to use and share public exploits for the Android operating system. ▪ Complete security audit and attack framework.
False Positive
__ is the condition identified during automated or manual testing that results in the incorrect identification of an issue.
Rate The Threats
__ is the final state in the threat modeling process, and probably the most subjective, used to quantify the risk based on probability and damage potential.
Code Injection
__ is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. ▪ This type of attack exploits poor handling of untrusted data.
Biometrics
__ is the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting ▪ Fingerprint readers and other __ aren't foolproof security measures
Unattended Installation
__ is the installation of a program without requiring the user to select options or click Next at the end of each step. __ often use a file of predefined answers so that after starting the installation, it runs to completion without further user intervention. ▪ Clear text credentials of Preboot Execution Environment (PXE) could be captured using network sniffers ● Privilege Escalation (Windows)
Risk appetite
__ is the level of risk the organization is willing to accept in order to achieve its goals.
VLAN Hopping
__ is the malicious act of attacking different hosts on a VLAN. ▪ VLANs are often used as logical separation ▪ Attack hosts on a different VLAN to gain access. ▪ Uses Double Tagging or Switch Spoofing
Network Information Gathering
__ is the methodology used to enumerate useful information from a target over the network, which includes scanning, fingerprinting, and vulnerability identification.
Exploit Modification
__ is the modification of an exploit to get pass an organizations security controls. ▪ Encrypting or encoding an exploit to avoid detection by anti-virus.
Cpassword
__ is the name of the attribute that stores the passwords in a Group Policy preference item ▪ Stored in the SYSVOL folder on the Domain Controllers in encrypted XML file ▪ Easily decrypted by any authenticated user in the domain ● Privilege Escalation (Windows)
Android application package (APK)
__ is the package file format used by the Android operating system for distribution and installation of mobile apps and middleware. __ file contains all of a program's code (such as .dex files), resources, assets, certificates, and manifest file.
Backdoor
__ is the persistence mechanism that allows an attacker to maintain control of a target if the remote connection is dropping temporarily.
Passive Information Gathering
__ is the process of assessing a target to collect preliminary knowledge about the system, software, network, and people without actively engaging a target or its assets.
Normalization of Data
__ is the process of combining data from multiple sources and in different formats into a common and consistent event format. ▪ Teams collect a lot of data during a test ▪ Each tool collects and store data differently ▪ All the data must be aggregated, normalized, and correlated in order for it to "make sense"
Deconfliction
__ is the process of distinguishing pentest artifacts form artifacts of an actual compromise or other activity to help resolve contradictory conclusion or response.
Binary Analysis
__ is the process of examining the functions and purpose of a compiled program or application at the architecture instruction level.
bluebugging
__ is the process of exploiting a bug in older phones models with Bluetooth technology that enables complete command and control of the mobile device.
Jailbreaking
__ is the process of exploiting a software vulnerability in iOS that enables low-level execution with elevated privileges in order to remove restrictions imposed by Apple, to customize the device and install unapproved applications.
Enumeration
__ is the process of finding all available information on a target system or service in support of developing a plan of attack. ▪ Where as Fingerprinting is the process of finding names and versions of services.
Debugging
__ is the process of finding and resolving defects or problems within a computer program that prevent correct operation of computer software or a system. ▪ Used to identify and remove errors from hardware, software, or systems Tools - windbg
Local File Inclusions (LFI)
__ is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application
Packet Injection
__ is the process of injecting arbitrary data into a wireless network in order to generate traffic to and from the wireless AP. __ is one way hackers try to disrupt or intercept packets from already established network connections.
Decompiling
__ is the process of reverse-engineering source code from the binary. ▪ Reverse engineering of software using a decompiler ▪ Reverses the processes of a compiler but not as cleanly ▪ Decompilers cannot always turn executables back into their source code but can it back to byte code or assembly
Exfiltrate (exfil)
__ is the process of unauthorized data movement from inside a protected space to outside of it, Whether by copying, transferring, or retrieval.
Authorization
__ is the process or action involved with determining the appropriate access levels that should be granted to a user or process.
Authentication
__ is the process or action of confirming an identity used to interact with or log in to an information system.
Covering Your Tracks
__ is the process to hide your activities from other people, so that they cannot find out what you have been doing.
Bluesnarfing
__ is the unauthorized access (Theft) of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs (personal digital assistant). ▪ Is the theft of information from the target device.
Cryptographic Inspection
__ is to determine the encryption is being used during your information gathering ▪ Do they have web servers with SSL or TLS? ▪ What about Wireless Networks using WEP, WPA, WPA2, or a WPS handshake? ▪ Are files encrypted on the network shares?
Attestation of Findings
__ is to provide evidence of your findings to the client ▪ Provide them detailed reports, explanations, and ensure they understand the risks involved
Post-Engagement Cleanup
__ is to remove shells, tools, and credentials created
Query throttling
__ is to slow down test iterations to avoid exceeding bandwidth ▪ nmap -T
Egress Sensor
__ is tricking a sensor to a door to open. ▪ Door will automatically unlock and open when a person approaches ▪ Sensors could be tricked to allow the door to be opened ▪ Some of these "fail open" when power is lost
Port 515
__ is used as a LPR/LPD port for most printers and older print servers.
Port 9100
__ is used as a RAW port for most printers and is also known as the direct-IP port for printing.
Single quote character (')
__ is used because this is the character limiter in SQL. ▪ With a __ you delimit strings and therefore you can test whether the strings are properly escaped in the targeted application or not. ▪ If they are not escaped directly you can end any string supplied to the application and add other SQL code after that, which is a common technique for SQL injections.
sc query
__ is used by Windows to display information about the running service. It is part of the Service Control command line tool, known as sc.
Port 631
__ is used for a IPP port for most modern printers and CUPS-based print servers.
Airbase-ng
__ is used for many purposes, but broadly it allows an attacker to target wireless clients rather than attacking an access point itself.
Findsecbugs
__ is used for static code analysis. It can be integrated as an IDE plugin, or its maven plugin can be added to the pom.xml file of a project source code. ▪ Then the container scans the source code and provides access to a generated report through an API. ▪ Used to conduct security audits of Java apps before deployment
Syntax Error Exception
__ is used in Python to catch parsing errors in the input, such as when using the following characters in the sample program: `$%^&*`.
net group
__ is used in Windows operating systems to list the local groups the host knows about.
Statement of Work (SOW)
__ is used to address contractual subjects such as the problem to be solved, the work activities, the project deliverables, and the timeline for when the work is to be completed.
Repeating
__ is used to capture the existing wireless signal and rebroadcast it to extend the range. ▪ If not properly configured by the network administrators, this can be an attack vector
nmap -O
__ is used to conduct fingerprinting of the operating system based on the responses received during scanning.
Situational Awareness
__ is used to create a shared common understanding of the network and its current security state ● Communication Reasons
Set-User Identification (SUID)
__ is used to describe a file option that lets a program or script run with elevated privileges to perform certain tasks EX: __● # ls -lrt /usr/bin/passwd __● -r-sr-sr-x 1 root sys 31396 Jan 20 2014 /usr/bin/passwd ▪ If you check carefully, you would find the 2 S's in the permission field. The first s stands for the SUID and the second one stands for SGID. ● Privilege Escalation (Linux)
De-confliction
__ is used to determine if detected activity is a hacker or an authorized penetration tester ● Communication Reasons
nmap -sO
__ is used to determine which IP protocols (TCP, UDP, ICMP, IGMP, etc) are supported and open on the targeted machine and is the correct answer.
IPC$ share
__ is used to provide information about the domain, but can be accessed through null sessions (i.e., anonymously). __ also known as the null session share, allows anonymous hosts on the network to perform certain activities such as enumerating domain accounts and network shares.
DNS Forward Lookup
__ is used to query the DNS server and request the IP address of a host that corresponds to a fully qualified domain name (FQDN)
DNS Reverse Lookup
__ is used to query the DNS server and request the fully qualified domain (FQDN) of a host that corresponds to a given IP address.
Eavesdropping
__ is used to refer to the interception of communication between two parties by a malicious third party. ▪ Radio Frequency monitoring can be performed to determine the type of devices used in the facility (Cellular, WiFi, Bluetooth, etc) ▪ Radio frequencies can be captured and analyzed using specialized tools
Scheduled Jobs (Cron Jobs)
__ is used to schedule commands at a specific time. __ are used in Unix, Linux, and OS X ▪ Allows a script or command to be run at periodic times, dates, or intervals ▪ Export_dump.sh is run Every Saturday (6) @ 23:45 ● Could be used to Persist on victim machine
Fake Cellphone Towers
__ is when a malicious attacker sets up devices designed to intercept the traffic of a mobile phone and track the movements of the user's phone pretending to be a "legitimate" cell tower. ▪ Can be used to create a man-in-the-middle
WPS Implementation Weakness
__ is when a malicous attacker is able to attack because Wi-Fi Protected Setup (WPS) uses a push button configuration method to setup devices. ▪ Uses an 8-digit WPS Pin to configure them ▪ Can be easily brute force attacked because the PIN is authenticated by breaking it in two ▪ Reaver and Bully are common attack tools
Indicators of Prior Compromise
__ is when a pentester detects attack signatures have been detected and the network has been previously hacked and then must message company about issue. ● Communication Triggers
Fence Jumping
__ is when a person physically goes over the fence to bypass security measures. ▪ Fences provide a physical security boundary for the organization ▪ Pentester can go over (or under) a fence to avoid a checkpoint
Weak Credentials Attack
__ is when a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name or common variations on these themes. ▪ Easy to crack using dictionary or brute force
Cold Boot Attack
__ is when a user or malicious attacker is able to retrieve the encryption keys from a running operating system after using a cold reboot to restart the machine ▪ A side channel attack where an attacker has physical access to the system ● Privilege Escalation
Critical Findings
__ is when a vulnerability is found that causes significant risk to occur to the security of the network and then the pentester communicates there is a major issue. ● Communication Triggers
LLMNR/NBT-NS Poisoning
__ is when adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system.
Sandbox Escape - Virtual Machines
__ is when an Escaping the VM sandbox can lead to exploit of the underlying hardware and puts other hosted VMs are risk ● Privilege Escalation
Security Misconfiguration
__ is when an attack relies on the application or server using insecure settings.
RFID Cloning
__ is when an attacker captures the Radio Frequency (RF) signal from a badge or device and can copy it for reuse.
Cross-Site Request Forgery (XSRF)
__ is when an attacker forces a user to execute actions on web server which they authenticated ▪ Attacker cannot see web server's response but this attack can be used to have victim transfer funds, change their password, and more
Exploitable Services
__ is when an attacker uses the way services normally operate to cause an unintended program to run Examples ▪ Unquoted service path call in file system __● C:\Dion\My Files\server.exe Normal __● C:\Dion\My\server.exe Malicious ▪ Writable services __● Using PSExec, a service can be replaced with a custom service that runs a command shell (cmd.exe) ● Privilege Escalation (Windows)
Man-in-the-middle (MITM) attack
__ is when an hacker placing himself between a client and a host to intercept network traffic. ▪ Also called session hijacking.
Sandbox Escape - Shell upgrade
__ is when restricted shells (like rbash) are exploited to gain an upgraded shell ● Privilege Escalation
Top-Down Management Approach
__ is when senior management dictates goals and objectives regarding a project or task. ▪ To dictate goals and objectives
USB Key Drop
__ is when someone leave USB devices for people to find and plug into their computers. ▪ Malicious code — In the most basic of USB drop attacks, the user clicks on one of the files on the drive. ▪ Pentester loads up a USB with malware, backdoors, or a keylogger ▪ Drop the USB drive in the parking lot near the organization
comparision operator
__ is when something compares one value to another ▪ Value1 == Value2
Credential brute forcing
__ is when the attacker tries to try to log in to the application using every username and password. ▪ There are a number of tools and techniques the attacker can use to speed up or automate the process.
Client Acceptance
__ is when the client agrees you have fulfilled the scope of work? ▪ Is formal acceptance required by the contract?
Race Condition
__ is when two separate inputs compete on the basis of time for processing a single target such that the order of processing may produce unexpected or undesirable results.
Sniffing Network Traffic
__ is when you Intercepts and logs network traffic that can be seen via the wired or wireless network interface. ▪ If you gain access to one host computer, you could use it to capture traffic on other parts of the network, too!
Stages
__ lead to Communication and occur as the assessment moves from one phase to another ● Communication Triggers
Port Scan - Open
__ means the application is accepting connections
Port Scan - Closed
__ means the no application is listening to connections
Rules of Engagement (ROE)
__ mirrors some of the contents of the SOW and includes technical constraints regarding the execution of the pentest, such as what is and is not authorized during the pentest.
Insecure Direct Object Reference (IDOR)
__ occur when an application provides direct access to objects based on user-supplied input. ▪ In such cases, the attacker can manipulate those references to get access to unauthorized data.
Reflected Cross-site Scripting (XSS)
__ occur when an attacker injects browser executable code within a single HTTP response. ▪ The injected attack is not stored within the application itself ▪ It is non-persistent and only impacts users who open a maliciously crafted link or third-party web page ▪ Non-persistent, activated through link on site
Relay Attack
__ occurs when a cybercriminal eavesdrops on a secure network communication, intercepts it, and then fraudulently delays or resends it to misdirect the receiver into doing what the hacker wants.
Remote File Inclusion (RFI)
__ occurs when a file from a remote web server is inserted into a web page. ▪ Instead of accessing a file on the local machine, the attacker is able to execute code hosted on their own machine.
Piggybacking/Tailgating
__ occurs when a pentester follows an authorized individual into a secure location. ▪ Authorized person may or may not be complicit
Code Injection
__ occurs when a user or attacker is able to break the execution sequence of an applications programming and insert their own lines of code into the program changing the output of the application or code in question.
Insecure Direct Object Reference
__ occurs when an application provides direct access to objects based on user-supplied input. ▪ Allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object.
HTML Injection
__ occurs when improper user input sensitization allows an attacker to add arbitrary HTML code to a web page.
Hping
__ often allows you to map out firewall rule sets. It is also great for learning more about TCP/IP and experimenting with IP protocols. __ doesn't support IPv6, though, so the creators of NMAP have created Nping to fill this gap and serve as an updated variant of Hping.
Virtual Network Computing (VNC)
__ operates much like RDP, but a cross-platform solution for Windows, Linux, and OS X ▪ Originally used in thin client architectures
DNS Poisoning (or DNS Cache Poisioning)
__ or is an attack that substitutes DNS addresses so that the computer is automatically redirected to an attacker's device. __ is a form of computer security hacking in which corrupt DNS data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address.
Telnet
__ permits sending commands to remote devices. ▪ Information is sent in plain text ▪ Should never be used over an insecure connection and is a huge security risk to use. ▪ SSH should always be used instead
Recon-NG
__ provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly. ▪ Open-source web reconnaissance framework written in Python
NIST SP 800-115
__ provides a technical guide to information security testing and how to conduct these types of tests.
Sandbox Escape - Container
__ refers to If you can compromise that system, you can compromise every container that relies upon it ● Privilege Escalation
DNS Hijacking
__ refers to any attack that tricks the end user into thinking he or she is communicating with a legitimate domain name when in reality it is communicating with a domain name or IP address that the attacker has set up. ▪ Sometimes, we use the term DNS Hijacking and DNS Spoofing interchangeably. ▪ This is also sometimes called DNS Redirection.
DNS Spoofing
__ refers to any attack that tries to change the DNS records returned to a querier to a response the attacker chooses. ▪ This can include some of the techniques described in DNS Hijacking, the use of cache poisoning, or some type of man-in-the-middle style attack. ▪ Sometimes, we use the term DNS Hijacking and DNS Spoofing interchangeably.
Legal Concepts (2)
__ refers to consulting your attorney before performing any penetration testing work to ensure you are within the legal bounds for the countries laws where you are operating.
Lateral Movement
__ refers to the techniques cyber attackers, or "threat actors", use to progressively move through a network as they search for the key data and assets that are ultimately the target of their attack campaigns.
Mitigation Strategies
__ report should contain a list of not just findings, but recommendations on how to mitigate a vulnerability
Full Scan
__ scans all ports, services, and vulnerabilities to provide as much information as possible. ▪ In-depth scan including port, services, and vulnerabilities. ▪ Easy to see in network traffic when performed nmap -A <target>
Compliance-based assessments
__ seek to validate a system against a given checklist. ▪ This could validate organizational policies, be risk-based, or to validate PCI-DSS compliance.
ping
__ sends a message from one computer to another to check whether it is reachable and active. ▪ Is a Reconnaissance Tool
Programming Arrays (Basic or Indexed)
__ stores multiple values and be referenced from a single name (like a list of variables)
Application Layer DOS Attack
__ target the application layer of the Internet in order to disrupt the normal flow of traffic to a website or service. __ are those meant to crash a specific service entirely, and the severity or intensity of such an attack is measured in request per second (Rps)
set type=ns
__ tells nslookup to only report information on name servers.
set type=mx
__ tells nslookup to receive information only about mail exchange servers.
Data Mining
__ the process of analyzing large data sets to reveal patterns or hidden anomalies.
Compiler
__ translates source code into executable instructions.
nmap
__ use raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. ▪ Is a Packet Crafting Tool
Discovery Scan
__ used to find potential targets. ▪ Identity/info gathering early on ▪ Least intrusive scan (like a ping sweep) ▪ Used to create a network map to show connected devices in the architecture ▪ nmap ping sweep nmap -sP target
Local File Inclusions (LFI)
__ vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine.
XSS Stored/Persistent
__ vulnerability is a more devastating variant of a cross-site scripting flaw. ▪ It occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. ▪ Data provided by attacker is saved on server
Default Credentials Attack
__ vulnerability is a type of vulnerability that is most commonly found to affect the devices like modems, routers, digital cameras, and other devices having some pre-set (default) administrative credentials to access all configuration settings.
(PowerShell) PS Remoting
__ will allow a computer to receive Windows PowerShell remote commands
nmap -sS
__ will only scan TCP ports using a SYN scan.
nmap -sU
__ will only scan UDP ports.
HTTPOnly attribute
__ will prevent a user (or attacker) from accessing the cookie value from a JavaScript request, such as through JavaScript's Document.cookie API
wmic qfe
__ will provide details on the hot-fixes present on a target Windows system which can be used to exploit the OS.
SSH (Secure Shell)
__ works like telnet, but uses encryption to create a secure channel between the client and the server ▪ SSH should always be used instead of telnet
IP Fragmentation Attack
__'s are a kind of computer security attack based on how the Internet Protocol (IP) requires data to be transmitted and processed. ▪ Attacker exploits a network by using datagram fragmentation mechanisms against it. ▪ If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet.
Daemon
__'s are background process that exists for the purpose of handling periodic service requests that a computer system expects to receive ▪ For example, sshd is the SSH __ ▪ In Windows, these are called "services" ● Could be used to Persist on victim machine
Steps in the NIST SP 800-115 Methodology
__, there are four steps are Planning, Discovery, Attack, and Reporting.
DNS Poisoning (or DNS Cache Poisioning) Steps
__: --1. Inject Fake DNS record --2. Visitor request DNS for Bank --3. Visitor gets IP for Fake Bank server instead
NIST SP 800-115 Methodology
__: 1. Planning 2. Discovery 3. Attack 4. Reporting
Port Scan - Filtered
__: __● Probes aren't reaching the port __● Usually indicates a firewall
Nmap -oA
__: ▪ -oA Combined format with all of the above __● nmap -oA = outputfile target
Nmap -oG
__: ▪ -oG Grepable output format __● nmap -oG = outputfile.txt target
Nmap -oX
__: ▪ -oX XML output format __● nmap -oX = outputfile.xml target
Finding: Plain Text Passwords
__: ▪ All passwords must be stored as hashes or another encrypted format
Unsecure Code Practices - Unauthorized use of function/unprotected API
__: ▪ Allows anyone with network access to send your application a request ▪ Designers should implement function-level access control
Unsecure Code Practices - Lack of error handling
__: ▪ Applications should fail cleanly on errors ▪ Prevents information leakage about the server
Pass the Hash (PtH) Breakdown
__: ▪ Attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems. ▪ Is an attack against the NT LAN Manager (NTLM) authentication system
Creating New Users
__: ▪ Attacker creates new user accounts __● Can be created as regular or admin level users ● Could be used to Persist on victim machine
Credential Brute Forcing
__: ▪ Attempt to crack a password or authentication system to gain access ▪ Attempt to crack passwords from a hash file ▪ Conduct password guessing to login
Premerger Assessment
__: ▪ Before two companies perform a merger, it is common to conduct penetration tests on them to identify weaknesses being inherited ▪ Can be a part of the due diligence efforts
Penetration Testing Strategies
__: ▪ Black Box ▪ Gray Box ▪ White Box
Analyzing Vuln Scans - Asset Categorization
__: ▪ Categorize by Operating System or function ▪ Ideally, we identify high-value assets __● Domain Controllers, Web Servers, Databases, etc. ▪ Identify and rank assets by relative value ▪ Categorize by most vulnerabilities ▪ Categorize by the most critical vulnerability ▪ Vulnerable assets with little value could be a waste of time
Physical Service Security
__: ▪ Cold boot attack ▪ JTAG debug ▪ Serial console ● Privilege Escalation
Reconnaissance Tools Breakdown
__: ▪ Collecting information before attacking an IT system ▪ Usually conducted using open source research or passive collection ▪ Tools __● WHOIS, Nslookup, Theharvester, Shodan, Recon-NG, Censys, Aircrack-NG, Kismet, WiFite, Wireshark, Hping, SET, Nmap, Metasploit Framework
Creating New Users - Shell (Linux)
__: ▪ Command Line (Linux) __● su - __● useradd hacked __● passwd hacked __● New password: hacked123 __● Retype new password: hacked123 ● Could be used to Persist on victim machine
Creating New Users - Windows
__: ▪ Command Line (Windows) __● net user /add [username] [password] ----o Net localgroup administrators [username] /add ● Could be used to Persist on victim machine
Threat Actors - Hacktivist
__: ▪ Conduct activities against governments, corporations, or individuals ▪ Can be an individual or member of a group
Information Gathering and Vulnerability Identification
__: ▪ Conducting information gathering ▪ Performing vulnerability scanning ▪ Analyzing results of vulnerability scans ▪ Leveraging information for exploitation ▪ Weaknesses in specialized systems
Prioritize the Vulnerabilities
__: ▪ Consider the most critical vulnerabilities first ▪ What target should we focus on first? ▪ What will cause the biggest Impact ▪ How long will it take to fix? ▪ What is the Cost to fix it and can we afford that right now?
Containers Require Security
__: ▪ Containers still contain applications which can contain vulnerabilities ▪ Still need to be scanned for vulnerabilities ▪ If an OS vulnerability is found, it will apply to multiple containers (all based on same OS) and can lead to a large level of exploitation
Privilege Escalation in Windows Breakdown
__: ▪ Cpassword ▪ Clear Text Credentials in LDAP ▪ Kerberoasting ▪ Credentials in LSASS ▪ Unattended Installation ▪ SAM Database ▪ DLL Hijacking ▪ Exploitable Services ▪ Unsecure File and Folder Permissions ▪ Keylogger ▪ Scheduled Tasks
Common Attack Techniques
__: ▪ Cross-compiling code ▪ Exploit modification ▪ Exploit chaining ▪ Proof-of-concept development ▪ Social engineering ▪ Credential brute forcing ▪ Dictionary attacks ▪ Rainbow tables ▪ Deception
Handling and Disposal
__: ▪ Data from the assessment should always be handled with due diligence and care ▪ Findings and recommendations are sensitive in nature and should be treated as confidential
Decompiling vs Debugging
__: ▪ Decompiling uses a static analysis of code ▪ Debugging often uses a dynamic approach that allows code to be run __● Code is run step by step through the program __● Code can be run until a break point ▪ Both techniques can be useful when conducting a penetration test or assessment of custom-built applications
Default Account Settings
__: ▪ Default administrator accounts can be exploited ▪ Guest accounts should be disabled, but are enabled by default on most systems ● Privilege Escalation
Types of Vulnerability Scans
__: ▪ Discovery scan ▪ Full scan ▪ Stealth scan ▪ Compliance scan
Lessons Learned
__: ▪ Documented information of both the positive and negative experiences that occurred ▪ What did you do great on? ▪ What could have gone better? ▪ How can it go better next time
Mobile Tools
__: ▪ Drozer ▪ APKX ▪ APK Studio
Scanning Considerations - What Protocols Will Be Used?
__: ▪ Each protocol scanned takes time/resources ▪ Will you scan every port and services? ▪ Consult scope of assessment and objectives
Nmap -O
__: ▪ Enables OS detection by using fingerprinting of the TCP/UDP packet received
Configuration Compliance Tools Breakdown
__: ▪ Ensuring a system meets a given security baseline or policy ▪ Tools __● Nikto, OpenVAS, Nessus, SQLmap, Nmap
Covering Your Tracks Breakdown
__: ▪ Erase, Modify, or Disable the Evidence ▪ Clear Log Files ▪ Hiding files and folders
Unsecure Code Practices - Verbose error handling
__: ▪ Errors can display too much information ▪ Great for debugging...horrible for security
Enumeration Tools Breakdown
__: ▪ Establishes an active connection to the targets to discover potential attack vectors ▪ Usually conducted active techniques and fingerprinting ▪ Tools __● Nslookup, Wireshark, Hping, Nmap
Wireless-based Vulnerabilities
__: ▪ Evil Twin ▪ Deauthentication attacks ▪ Fragmentation attacks ▪ Credential harvesting ▪ WPS implementation weakness ▪ Bluejacking ▪ Bluesnarfing ▪ RFID cloning ▪ Jamming ▪ Repeating
Written Report of Findings
__: ▪ Executive Summary ▪ Methodology ▪ Findings and Remediation __● Consider the risk appetite ▪ Metrics and Measures __● Including risk ratings ▪ Conclusion
Unsecure Code Practices - Race conditions
__: ▪ Flaw that produces unexpected results when the timing of actions can impact other actions ▪ Can occur when multi-threaded operations are occurring on the same piece of data
White Box (Full Knowledge Test)
__: ▪ Full knowledge of network, systems, and the infrastructure ▪ Spend more time probing vulnerabilities and less time gathering information ▪ Tester is given support resources from the organization
Software Assurance Tools Breakdown
__: ▪ Fuzzing Tools __● Peach and AFL ▪ Security Testing __● Static Application Security Testing (SAST) __● Dynamic Application Security Testing (DAST) ▪ Security Testing Tools __● Findsecbugs, SonarQube, and YASCA
White Box Sample Application Requests
__: ▪ Generally used for testing web applications or other applications developed by organization
Types of Pentest Assessments
__: ▪ Goal-based Pentests ▪ Objective-based ▪ Premerger ▪ Supply Chain ▪ Red Team
Unsecure Code Practices - Hidden elements
__: ▪ HTML forms often use hidden elements __● Fields using <INPUT TYPE=HIDDEN> ▪ Could allow sensitive data to be stored in the DOM
Evasion Tools Breakdown
__: ▪ Hide from system administrators or defenders ▪ Tools __● Proxychains, SET, Metasploit Framework, Route
Scanning Considerations - Bandwidth Limitations
__: ▪ How much bandwidth is dedicated to the scan? ▪ Can the network handle the scan? ▪ Can we schedule the scan during offline hours? ▪ Throttle the queries if needed __● Nmap -T option sets the timing
SocEngin Motivation Factors - Urgency
__: ▪ Humans want to please others by nature... ▪ We want to be helpful... ▪ I only have a few minutes before the big presentation, can you print this for me?
SocEngin Motivation Factors - Fear
__: ▪ If you don't do _____ then ______ will happen ▪ Use threats or demands ▪ Anti-virus scams & Ransomware are examples
Finding: No Multifactor Authentication
__: ▪ Implement multifactor authentication __● Something you know __● Something you have __● Something you are __● Something you do
Vulnerability Scanning Tools Breakdown
__: ▪ In-depth scanning of a target to determine its vulnerabilities ▪ Uses automated tools to determine missing patches and incorrect configurations ▪ Tools __● Nikto, OpenVAS, Nessus, SQLmap, W3AF, OWASP ZAP, Nmap, Metasploit Framework
Application-based Vulnerabilities
__: ▪ Injections ▪ Authentication ▪ Authorization ▪ Cross-site scripting (XSS) ▪ Cross-site request forgery (CSRF/XSRF) ▪ Clickjacking ▪ Security misconfiguration ▪ File inclusion ▪ Unsecure coding practices
Simple Mail Transfer Protocol (SMTP) Breakdown
__: ▪ Internet standard for electronic mail transmissions ▪ Focus can be on: __● Direct exploits of the protocol __● Using open relays __● Using local relays __● Phishing ▪ Port: 25 or 2525 or 587
Exploit Chaining
__: ▪ Involves layering exploits in a series ▪ Exploit chain example: -- 1. Bypass the firewall -- 2. Gain access to user system -- 3. Escalate privileges
Modifying the Log Files
__: ▪ Log files are just text (they can be edited) ▪ Timestamp can be used to modify the access time of a file ▪ Change the files ownership to original user ▪ IMPORTANT __● Penetration testers DO NOT usually modify or delete any of the logs... Check Your Scope Of Work!
Persistence Tools Breakdown
__: ▪ Maintaining a foothold into the network or victim system ▪ Tools __● SET, BeEF, SSH, NCAT, NETCAT, Drozer, Powersploit, Empire, Metasploit Framework
Finding: Weak Password Complexity
__: ▪ Minimum password requirements/filters ▪ Passwords Must... __● Be at least 14 characters __● Contain letters, numbers, and special characters __● Not have repeating characters or digits
Scanning Considerations - Where Do You Scan From?
__: ▪ Network topology is important, are you inside or outside the network? ▪ PCI-DSS requires both internal and external scanning to be performed
Proof of Concept (POC)
__: ▪ New or custom exploits require testing before using in a pentest ▪ Build a virtual machine based on the specifications you earned during enumeration ▪ Is a small exercise to test the design idea or assumption. The main purpose of developing a __ is to demonstrate the functionality and to verify a certain concept or theory that can be achieved in development
Packet Crafting Tools
__: ▪ Nmap ▪ Netcat (nc) ▪ NCAT ▪ Hping
Report Writing
__: ▪ Normalization of Data ▪ Written Report of Findings ▪ How Long Do I Keep the Report? ▪ Handling and Disposal?
Web Proxies Tools
__: ▪ OWASP ZAP ▪ Burp Suite
Credential Attacks Tools Breakdown
__: ▪ Offline password cracking __● John the Ripper, Mimikatz, Cain and Abel, Hashcat, AirCrack-NG ▪ Brute-forcing services __● SQLmap (for databases), Medusa, Hydra, W3AF, Mimikatz, Cain and Abel, Patator, Aircrack-NG
NETBIOS Name Service Breakdown
__: ▪ Often called WINS on Windows systems ▪ NetBIOS Name Service (NBNS) is part of the NetBIOS-over-TCP protocol suite ▪ NETBIOS name is the host name of a system ▪ Port: 137, 138, 139
Unsecure File and Folder Permissions
__: ▪ Older versions of Windows allow administrators to access any non-admin user's files and folders ▪ Can lead to DLL hijacking and malicious file installations on a non-admin targeted user ● Privilege Escalation (Windows)
Port Scan Results
__: ▪ Open __● Application is accepting connections ▪ Closed __● No application is listening ▪ Filtered __● Probes aren't reaching the port __● Usually indicates a firewall
Supply Chain Assessment
__: ▪ Pentest may be required of your suppliers to ensure they are meeting their cybersecurity requirements ▪ Can be required prior to allowing an interconnection between the supplier's systems and your organization's systems ▪ Minimize risk by purchasing only from trusted vendors
SocEngin Motivation Factors - Authority
__: ▪ People are more willing to comply with a request when they think it is coming from someone in authority __● CEO or manager __● Important client __● Government agencies __● Financial institutions
Planning a Penetration Test - Disclaimers
__: ▪ Point-in-Time Assessment __● Results were accurate when the pentest occurred ▪ Comprehensiveness __● How complete was the test? __● Did you test the entire organization or only specific objectives?
Post-Report Activities
__: ▪ Post-Engagement Cleanup ▪ Attestation of Findings ▪ Client Acceptance ▪ Follow-up Actions or Retests ▪ Lessons Learned
Credentials in LSASS (Local Security Authority Subsystem Service)
__: ▪ Process in Windows that enforces the security policy of the system ▪ Verifies users when logging on to a computer or server ▪ Performs password changes ▪ Creates access token (ie, Kerberos) ● Privilege Escalation (Windows)
Debugging Tools Breakdown
__: ▪ Process of finding and resolving defects in a computer program ▪ Tools __● Ollydbg, Immunity debugger, GDB, WinDBG, IDA Pro, APK Studio, APKX▪ Tools __●
Unsecure Code Practices - Comments in source code
__: ▪ Programmers are taught to fully document code ▪ Great for developers for maintainability ▪ Horrible for security
Link-Local Multicast Name Resolution (LLMNR) Breakdown
__: ▪ Protocol based on the DNS packet format allowing both IPv4 and IPv6 hosts to perform name resolution for hosts on same local link. ▪ Often used when there is not DNS server on the network. ▪ Linux implements LLMNR using system ▪ Useful when a temporary network is created, such as Ad-Hoc WiFi networks.
Vulnerability Scanner Tools
__: ▪ QualysGuard Vulnerability Scanner ▪ Tenable's Nessus Vulnerability Scanner ▪ Rapid7's Nexpose ▪ OpenVAS (Open-source Scanner) ▪ Nikto (Web Application Scanner)
Finding: Shared Local Admin Credentials
__: ▪ Randomize credentials __● Every system uses a different password ▪ Local Administrator Password Solution (LAPS) __● Microsoft tool that provides centralized storage of passwords in Active Directory __● Manages the passwords for each workstation when logon without domain credentials is necessary
Use Cases for Tools
__: ▪ Reconnaissance ▪ Enumeration ▪ Vulnerability Scanning ▪ Credential Attacks ▪ Persistence ▪ Configuration Compliance ▪ Evasion ▪ Decompilation ▪ Forensics ▪ Debugging ▪ Software Assurance
Reporting and Communication
__: ▪ Report writing and handling best practices ▪ Explain post-report delivery activities ▪ Recommend mitigation strategies for discovered vulnerabilities ▪ Communication during the penetration testing process
Decompilation Tools Breakdown
__: ▪ Reversing an executable into human readable code ▪ Tools __● IDA, Hopper, Immunity Debugger, APK Studio, APKX
Remote Access Tools
__: ▪ SSH ▪ Netcat ▪ Ncat ▪ Proxychains
Unsecured SUDO
__: ▪ SUDO is a program for Unix/Linux systems ▪ Allows users to run programs with the privileges of another user ▪ By default, the other user is 'root' ▪ Works like "Run as Administrator" on Windows ● Privilege Escalation (Linux)
Nmap -sS
__: ▪ SYN Scan (default and most popular) ▪ Can scan 1000 ports per second ▪ Never completes the TCP connection ▪ Nothing in the logs cause never completes connection
Finding: SQL Injection
__: ▪ Sanitize user input __● User data checked for expected input type __● Escape data to avoid SQL injections ▪ Parameterize queries __● Better than user input sanitization __● Allow prepared statements to be used with bounded variables to access database __● Each piece of SQL code is static but receives parameters from a separate section of code
Nmap -iL
__: ▪ Scan targets from a text file
Scanning Considerations - When Do You Run the Scans?
__: ▪ Scanning the systems can take up valuable resources and slow down the network ▪ Are you trying to be sneaky? ▪ When is the best time to run the scans?
Unsecure Service and Protocol Configuration
__: ▪ Services and daemons run programs constantly in the background of the OS ▪ Unsecure services are vulnerable __● FTP, Telnet, TFTP, and many others ▪ Mis-configurations introduce vulnerabilities in secure protocols __● SSH downgraded to support SSHv1 __● SNMPv3 downgraded to support SMPv1 __● Using WPA instead of WPA2 __● Allow webservers to autonegotiate
Privilege Escalation in Linux Breakdown
__: ▪ Set-User Identification (SUID) ▪ Set-Group Identification (SGID) ▪ Sticky Bit ▪ Unsecure SUDO ▪ Ret2libc
Nmap -T
__: ▪ Sets the timing for the scan ▪ T0 - Paranoid (one port every five minutes) ▪ T1 - Sneaky (one port every 15 seconds) ▪ T2 - Polite ▪ T3 - Normal ▪ T4 - Aggressive ▪ T5 - Insane
Scanning Considerations - Fragile or Non-Traditional Systems
__: ▪ Should we scan these? ▪ Should we exempt these? ▪ How to avoid impacting fragile mission critical systems?
White Box SOAP Project File
__: ▪ Simple Objective Access Protocol (SOAP) is a messaging protocol specification for exchanging structured information in the implementation of web services ▪ SOAP project files are created from WSDL files or a single service call
Communication Reasons
__: ▪ Situational Awareness ▪ De-confliction ▪ De-escalation
Nmap -Pn
__: ▪ Skips the host discovery ▪ Treats all hosts in the range as online ▪ First Find all Open Ports then do this command because it takes a long time to run the command
SocEngin Motivation Factors - Social Proof
__: ▪ Social engineering through Facebook or Twitter can be useful __● Lots of Likes or Shares add to social proof __● People are more likely to click the link ▪ We crave social group interaction and have a need to be included ▪ Sometimes we don't fully understand what the inclusion means for us or why we are performing an action
SocEngin Motivation Factors - Likeability
__: ▪ Social engineers are friendly and likeable __● People will want to help them ▪ Find common ground and shared interests
White Box SDK Documentation
__: ▪ Software Developer's Kit (SDK) provides a set of tools, libraries, documentation, code samples, processes, or guides to allow faster development of a new app on a platform ▪ SDK provides code libraries for use
Unsecure Code Practices - Hard-coded credentials
__: ▪ Source code of a web application has the username and password written into the code instead of using an inclusion file ▪ Common issue for applications using PHP, databases, or WordPress
Goal-based Pentests Assessment
__: ▪ Specific goals are defined before testing starts ▪ Pentester may attempt to find many unique methods to achieve thespecific goals
Nmap -p
__: ▪ Specifies the port to scan (override defaults) ▪ Can specify specific ports or exclude
Communications Triggers
__: ▪ Stages ▪ Critical Findings ▪ Indicators of Prior Compromise
Pentest Contracts
__: ▪ Statement of Work (SOW) ▪ Master Service Agreement (MSA) ▪ Non-Disclosure Agreement (NDA)
Finding: Unnecessary Open Services
__: ▪ System hardening __● Securing a computer or server by reducing its attack surface __● Disable unneeded services __● Close unused ports __● Uninstall unused programs
Nmap -sT
__: ▪ TCP Connect Scan ▪ Uses the Operating System to send packets ▪ Completes the TCP connection (less stealthy) ▪ Shows in logs the connection
SocEngin Motivation Factors - Scarcity
__: ▪ Technique that works well to get people to act fast ▪ Signup now for a special offer... supplies are limited!
Mitigation Solutions
__: ▪ Technology __● Add a multifactor authentication system ▪ Processes __● Proper employee off-boarding to minimize an insider threat ▪ People __● Employee cybersecurity training __● Hire qualified and certified IT professionals
Simple Network Management Protocol (SNMP) Breakdown
__: ▪ Three versions of SNMP exist ▪ SNMPv1 has port security and includes authentication using a shared "community string" sent in cleartext when set to "public" ▪ Community string operates like a password and is valid for EVERY node on the network ▪ Port: 161, 162
HEAD / HTTP/1.1
__: ▪ To conduct a banner grab using telnet, you first must connect to the server using "telnet webserver 80". ▪ Once the connection is established, you will receive a blank prompt and you issue the command "__", which requests the document header from the server. ▪ This will provide information such as the server software version and the operating system of the server.
Forensics Tools Breakdown
__: ▪ Tools used to collect and analyze digital evidence for crimes and analysis ▪ Tools __● Foremost, FTK, EnCase, Tableau
Server Message Block (SMB) Breakdown
__: ▪ Transport protocol used by Windows machines for many purposes __● File sharing __● Printer sharing __● Access to remote Windows services ▪ Operates over TCP ports 139 and 445 ▪ EternalBlue exploits and WannaCry ransomware utilized flaws in the SMB protocol
Kernel Exploits
__: ▪ Unpatched Windows and Linux systems are vulnerable to many different exploits ▪ Search CVE's for various versions of Windows or Linux to determine what exploits exist ▪ Metasploit has a library of existing exploits ● Privilege Escalation
Packet Capture Techniques
__: ▪ Use Wireshark or TCPDump to conduct packet capturing of wired or wireless networks ▪ Connect to a mirrored port to capture wired network traffic ▪ Wireless networks can be captured and their encryption cracked to access the data using Aircrack-ng
How Do We Scan and Enumerate?
__: ▪ Use specialized scanning/enumeration tools and public information sources
Nmap -sV
__: ▪ Version Detection Mode ▪ Attempts to determine the version of the services and applications being run on ports
File Transfer Protocol (FTP) Breakdown
__: ▪ Was the internet standard for file sharing. ▪ Overall insecure protocol protocol that sends data and authentication in cleartext over the network ▪ No encryption for transfers and credentials (i.e. in the clear) ▪ Easy for attackers to use for data exfiltration if FTP is available ▪ Port: 21
Export Restrictions
__: ▪ Wassenaar Agreement precludes the transfer of technologies considered "dual-use" ▪ Strong encryption falls under this restriction ▪ Penetration testing tools could be considered surveillance tools and fall under these rules
White Box WADL
__: ▪ Web Application Description Language __● XML-based machine-readable description of HTTP-based web services __● Easier to write than WSDL but not as flexible __● Typically used for REST services
Certificate Inspection
__: ▪ Web-servers will identify the type of encryption they support (SSL 2.0, SSL 3.0, or TLS) ▪ Tools exists to automate this process SSLyze script comes with Kali Linux
Follow-up Actions or Retests
__: ▪ What follow-up actions are you required to perform? ▪ Will a retest be conducted after 30 or 90 days?
Prioritize Efforts for Pentest
__: ▪ What will be attacked first? ▪ What exploits will we use? __● Do we need custom made exploits? ▪ Does Metasploit or Nmap already have known exploits for the vulnerabilities? __● Use the 'search' function in Metasploit
Networking Tools
__: ▪ Wireshark ▪ Hping
Unsecure Code Practices - Lack of code signing
__: ▪ Without code signing it is easy for an attacker to modify the code and it go unnoticed ▪ Code signing ensures it is digitally signed, which uses a hash digest that is encrypted with a private key certificate to ensure changes have not occurred
Nmap -oN
__: ▪ oN Normal output format __● nmap -oN = outputfile.txt target
Nmap Output
__: ▪ oN Normal output format __● nmap -oN outputfile.txt target ▪ -oG Grepable output format __● nmap -oG outputfile.txt target ▪ -oX XML output format __● nmap -oX outputfile.xml target ▪ -oA Combined format with all of the above __● nmap -oA outputfile target
Clear Text Credentials in LDAP
__: ▪ If SSL is not enabled for LDAP, credentials are sent over the network in clear text ▪ Use the Insecure LDAP Bind script to check for this in PowerShell __● .\Query-InsecureLDAPBinds.ps1 -ComputerName dc1.contoso.com -Hours 24 ▪ You receive a CSV file as output showing which accounts are vulnerable __● "IPAddress","Port","User","BindType" __● "10.0.0.3","60901","CONTOSO\Administrator","Simple" __● "[::1]","65445","CONTOSO\Administrator","Simple" ● Privilege Escalation (Windows)
Planning a Penetration Test - Technical Constraints
__: ▪ What constraints limited your ability to test? ▪ Provide the status in your report __● Tested __● Not Tested __● Can't Be Tested
Rules of Engagement (RoE) Overview
__: ▪ Timeline ▪ Locations ▪ Time restrictions ▪ Transparency ▪ Test boundaries
RoE: Boundaries
__: ▪ What will be tested? ▪ Is social engineering allowed to be used? ▪ What about physical security testing? ▪ How invasive can the pentest be?
RoE: Locations
__: ▪ Where will the testers be located? _● On-site or remote location ▪ Does organization have numerous locations? ▪ Does it cross international borders?
RoE: Transparency
__: ▪ Who will know about the pentest? ▪ Will the organization provide resources to the testers (white box test)?
Domain name squatting
__ also known as Cybersquatting, is registering, trafficking in, or using an Internet domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else
Rules of Engagement (RoE)
__ are detailed guidelines and constraints regarding the execution of information security testing. __ is established before the start of a security test, and gives the test team authority to conduct defined activities without the need for additional permissions.
Legal Concepts (1)
__ are laws and regulations regarding cyber-crime vary from country to country, check the local laws before conducting an assessment.
Scheduled Tasks
__ can be used as an attack that uses the Windows Task Scheduler to create callbacks and retain persistence ▪ Arbitrary code could be executed at a certain time or in response to an event. ● Privilege Escalation (Windows)
Target Selection - External
__ focuses on publicly facing targets ● Webservers in the DMZ ● Outside the protected LAN
Target Selection - Internal
__ focuses on targets inside the firewall ● Can be on-site or off-site ● Logically internal
White Box Support Resources
__ generally provided only for a white box penetration test: __● Architectural diagrams __● Sample application requests __● SDK documentation __● SOAP project files __● Swagger document __● WSDL/WADL __● XSD
nslookup
__ is a command-line program in Windows used to determine exactly what information the DNS server is providing about a specific host name. ▪ Is a Reconnaissance Tool
Master Service Agreement (MSA)
__ is a contract where parties agree to most of the terms that will govern future actions. ▪ High level contract between a service provider and a client that specifies details of the business arrangement
Discover.sh
__ is a discovery framework that was built to quickly and efficiently identify passive information about a company or network. ▪ This framework is used through a tool called Discover-scripts ▪ Is a Reconnaissance Tool
Statement of Work (SOW)
__ is a formal document stating scope of what will be performed during a penetration test. ▪ Clearly states what tasks are to be accomplished during an engagement
Non-Disclosure Agreement (NDA)
__ is a legal contract outlining confidential material or information that will be shared during the assessment and what restrictions are placed on it. ▪ Agreement that defines confidential material and restrictions on use and sharing sensitive information with other parties
Social Networking
__ is a means by which people use the Internet to communicate and share information among their immediate friends, and meet and connect with others through common interests, experiences, and friends. ▪ Is a Reconnaissance Tool
Red Team
__ is a penetration test conducted by internal pentesters of an organization during security exercise to ensure defenders (blue team) can perform their jobs adequately
Maltego
__ is a program that can be used to determine the relationships and real world links between: People. Groups of people (social networks) Companies ▪ Intelligence gathering and analysis platform ▪ Is a Reconnaissance Tool
__ is a search engine that can be used to find information about a target. ▪ Is a Reconnaissance Tool
Dossier
__ is a specific collection of documents. ▪ Is a Reconnaissance Tool
Methodology
__ is a system of methods used in a particular area of study or activity.
Domain Dossier
__ is a tool used to investigate domains and IP address. ▪ It gathers registrant information, DNS records and other things, compiling it all into one report. ▪ Is a Reconnaissance Tool
Email Dossier
__ is a tool used to investigate emails. ▪ Is a Reconnaissance Tool
HTTP Parameter Pollution (HPP)
__ is a type of application fuzzing that relies on the lack of guidance concerning the appropriate way to handle multiple HTTP parameters with the same name.
Scanning
__ is actively connecting to the system and get a response to identify open ports and services
Enumeration
__ is actively connecting to the systems to determine open shares, user accounts, software versions, and other detailed info
Banner Grabbing
__ is gathering information from messages that a service transmits when another program connects to it. ▪ Manual enumeration and fingerprinting ▪ Use telnet or Netcat to connect to target host ▪ Commonly used for FTP, SSH, Telnet, & HTTP
Fingerprinting
__ is identification of the operating system, service, software versions being used by a host ▪ Determining OS type and version a target is running
Google hacking
__ is the technique of using advanced operators in the search engine to locate specific strings of text within search results, including strings that identify software vulnerabilities and mis-configurations. ▪ Is a Reconnaissance Tool
Information Gathering - Reconnaissance
__ refers to the systematic attempt to locate, gather, identify, and record information about a target ▪ Also known as footprinting the organization
Planning a Penetration Test
__, Questions to ask: ▪ Why Is Planning Important? ▪ Who is the Target Audience? ▪ Budgeting ▪ Resources and Requirements ▪ Communication Paths ▪ What is the End State? ▪ Technical Constraints ▪ Disclaimers
Tiers of Adversaries
__: 1 - Little Money & Rely on off-the-shell tools/known exploits 2 - Little Money & invested in own tools against known vulners 3 - Invests Lots of money to find vulners to steal for profit 4 - Organized, Technical, proficient, funded, working in teams 5 - Nation states investing tons of money to finding/creating vulners 6 - Nation stats investing tons to carry out military ops
Pentest Methodology
__: 1. Planning & Scoping 2. Info Gathering & Vulnerability ID 3. Attacks & Exploits 4. Reporting & Communication
Threat Actors
__: ▪ Advanced Persistent Threat (APT) ▪ Hacktivist ▪ Insider Threat ▪ Script Kiddies
Target Selection - First-party or Third-party
__: ▪ Are the targets hosted by the organization or by a third-party service provider? ▪ DionTraining.com is hosted by Thinkific and might be outside the penetration test scope
RoE: Time Restrictions
__: ▪ Are there certain times that aren't authorized? ▪ What about days of the week? ▪ What about holidays?
Target Selection - Physical
__: ▪ Are we contracted to test physical security? ▪ Should we attempt to break into the facility?
Target Selection - Applications
__: ▪ Are we focused on a particular application? ▪ Is a particular application mission critical and cannot be targeted? __● Credit card processing system __● Health care system
Scoping Considerations - Scope Creep
__: ▪ Condition when a client requests additional services after the SOW and project scope have been agreed to and signed ▪ How will scope be contained? ▪ Document any changes to the scope of test ▪ Recommend signing a change order to SOW
Planning a Penetration Test - Budgeting
__: ▪ Controls many factors in a test ▪ If you have a large budget, you can perform a more in-depth test __● Increased timeline for testing __● Increased scope __● Increased resources (people, tech, etc.)
§ 1030 Fraud and related activity with computers
__: ▪ Covers just about any computer or device connected to a network ▪ Mandates penalties for anyone who accesses a computer in an unauthorized manner or exceeds one's access rights ▪ Can be used to prosecute employees using capability and accesses provided by their company to conduct fraudulent activity
Threat Actors - What is the Intent?
__: ▪ Greed or monetary gain ▪ Power, revenge, or blackmail ▪ Thrills, reputation, or recognition ▪ Espionage or political motivation
Threat Actors - Advanced Persistent Threat (APT)
__: ▪ Group with great capability and intent to hack a particular network or system ▪ Target organizations for business or political motives and usually funded by nation states ▪ Conduct highly covert hacks over long periods of time
Crimes and Criminal Procedure
__: ▪ Hacking is covered under United States Code, Title 18, Chapter 47, Sections 1029 and 1030
Types of Enumeration
__: ▪ Hosts ▪ Networks ▪ Domains ▪ Users/Groups ▪ Network shares ▪ Web pages ▪ Applications ▪ Services ▪ Tokens ▪ Social networks
Types of Scans
__: ▪ Hosts ▪ Systems ▪ Networks ▪ Computers ▪ Mobile Devices ▪ Applications ▪ Printers
RoE: Timeline
__: ▪ How long will the test be conducted? _● A week, a month, a year ▪ What tasks will be performed and how long will each be planned for?
Third-Party Authorization
__: ▪ If servers and services are hosted in the cloud, you must request permission from the provider prior to conducting a penetration test __● Ex: from a Cloud service provider
Target Selection
__: ▪ Internal or External ▪ First-party or Third-party hosted ▪ Physical ▪ Users ▪ SSIDs ▪ Applications
Information Gathering - Reconnaissance Techniques
__: ▪ Internet or open-source research ▪ Social engineering ▪ Dumpster diving ▪ Email harvesting
Scoping Considerations - Security Exceptions
__: ▪ Intrusion Prevention System (IPS) ▪ Web Application Firewall (WAF) ▪ Network Access Control (NAC) ▪ Certificate Pinning __● Required if the organization relies on digital certificates as part of their security ▪ Company policies
Threat Actors - Insider Threat
__: ▪ Is an authorized user with access to the networks, making them extremely dangerous ▪ Might be a former or current employee ▪ May be a skilled or unskilled attacker
Target Selection - Users
__: ▪ Is social engineering authorized? ▪ Are particular users being targeted or not considered part of the assessment?
Target Selection - Wireless and SSIDs
__: ▪ Is wireless pentesting being conducted? ▪ Are any SSID's out of scope? __● Guest or public network
Threat Actors - Script Kiddies
__: ▪ Low-skilled attackers who use other's tools ▪ Use freely available vulnerability assessment and hacking tools to conduct attacks
White Box Architectural Diagrams
__: ▪ Network diagrams, software flow charts, physical maps of organizational facilities ▪ Assists the tester in mapping out network topologies, location of switch closets, and where key information systems are located
Black Box (No Knowledge Test)
__: ▪ No prior knowledge of target or network ▪ Simulates an outsider attack ▪ Only focuses on what external attacks see and ignores the insider threat ▪ Takes more time and is much more expensive
Threat Actors - Tiers of Adversaries
__: ▪ Not all threat actors are created equal ▪ Some are structured, some are unstructured ▪ Some are more skilled than others
White Box Swagger Document
__: ▪ Open-source framework with a large system of tools to help design, build, document, test, and standardize REST Web Services ▪ Representational State Transfer (REST) has been replacing SOAP in most web applications in recent years ▪ REST is a web application architectural style based on HTTP
Gray Box (Partial Knowledge Test)
__: ▪ Partial knowledge of target ▪ Can be used as an internal test to simulate an insider attack with minimal knowledge ▪ Can also be used to decrease the information gathering stage so more time can be spent on identifying vulnerabilities EX: IP Range provided or Company Emails for Phishing
§ 1029 Fraud & related activity w/ access devices
__: ▪ Prosecute those who knowingly and with intent to defraud produce, use, or traffic in one or more counterfeit access devices. ▪ Access devices can be an application or hardware that is created specifically to generate any type of access credentials
White Box WSDL
__: ▪ Web Services Description Language __● XML-based interface definition language used for describing the functionality offered by a web service such as a SOAP server __● Flexible and allows binding options __● Not useful for REST services with WSDL 1.1
Corporate Policies
__: ▪ What do __ allow you to do? ▪ Have employees waived their privacy? ▪ What policies should be tested? __●Password strength/reuse __● Bring Your Own Device (BYOD) __● Encryption __● Update frequency
Scoping Considerations - Tolerance to Impact
__: ▪ What is the impact to operations going to be? ▪ Balance the assessment needs with the operational needs of the organization by placing things in or out of scope
Scoping Considerations - Risk
__: ▪ What is the risk tolerance of the organization? ▪ Avoidance __● Actions taken to eliminate risk completely ▪ Transference __● Risk is moved to another entity ▪ Mitigation __● Controls and countermeasures are put into place ▪ Acceptance __● Risk is identified, analyzed, and within limits
Planning a Penetration Test - What is the End State?
__: ▪ What kind of report will be provided after test? ▪ Will you provide an estimate of how long remediations would take?
Planning a Penetration Test - Resources and Requirements
__: ▪ What resources will the assessment require? ▪ What requirements will be met in the testing? __● Confidentiality of findings __● Known vs. unknown vulnerabilities __● Compliance-based assessment
Threat Actors - Threat Modeling
__: ▪ What threat are you trying to emulate? ▪ Will you use open-source and openly available tools like a script kiddie, or create custom hacks like an Advanced Persistent Threat? ▪ Will you be given insider knowledge or perform a white box penetration test?
Obtain Written Authorization
__: ▪ White hat hackers always get permission ▪ This is your get out of jail free card... ▪ Penetration tests can expose confidential information so permission must be granted ▪ Third-party authorization when necessary __● Ex: from a Cloud service provider
Planning a Penetration Test - Communication Paths
__: ▪ Who do we communicate with about the test? ▪ What info will be communicated and when? ▪ Who is a trusted agent if testing goes wrong?
Scoping Considerations - Schedule
__: ▪ Will the timing of the penetration test be known by the organization's defenders? ▪ Will it be performed during peak or off-peak hours? ▪ What about holidays?
Scoping Considerations - Whitelist vs Blacklist
__: ▪ Will your pentest systems be put on a list? ▪ Whitelist will allow you access, but blacklist will prevent your system from connecting
White Box XML Schema Definition (XSD)
__: ▪ World Wide Web Consortium (W3C) recommendation that specifies how to formally describe elements in an Extensible Markup Language (XML) document ▪ It can be used by programmers to verify each piece of item content in a document. ▪ They can check if it adheres to the description of the element it is placed in.
Objective-based Assessment (1)
__: ▪ __ or pentests seek to ensure the information remains secure ▪ Testing occurs using all methods and more accurately simulates a real attack ▪ Compliance-based ▪ Risk-based compliance assessment that is required to ensure policies or
Objective-based Assessment (2)
__: ▪ __ or pentests seek to ensure the information remains secure regulations are being followed properly ▪ Regulations and policies provide checklists, for example the PCI-DSS compliance assessment ▪ Objectives are clearly defined ▪ Focus is on password policies, data isolation, limited network/storage access, and key management
Reconnaissance Tools
__: ▪ nslookup ▪ traceroute ▪ ping ▪ WHOIS ▪ Domain Dossier ▪ Email Dossier ▪ Google ▪ Social Networking ▪ Discover.sh ▪ Maltego