CompTIA Pentest+

Common Themes

Analyze vulnerability scans for __ that are recurring items ▪ Do the same vulnerabilities show up on many hosts? ▪ Do you see the same types of operating systems and applications being used across the network? ▪ Lack of best practices __● Common mis-configurations __● Weak passwords __● Poor security practices __● Logging disabled

Domain name squatting

Cybersquatting (also known as __ ), according to the United States federal law known as the Anticybersquatting Consumer Protection Act, is registering, trafficking in, or using an Internet domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else

White Box Support Resources

Generally provided only for a white box penetration test __● Architectural diagrams __● Sample application requests __● SDK documentation __● SOAP project files __● Swagger document __● WSDL/WADL __● XSD

Empire

PowerShell __ is a post-exploitation hacking tool built on cryptographically secure communications and a flexible architecture. ▪ PowerShell and Python post-exploitation agent

Mobile Devices

Weakness in Specialized Systems - __: ▪ Lack of updates (especially Android) ▪ Root/Jailbreak (especially iPhone) ▪ 3rd party applications ▪ Bluetooth, NFC, and WiFi ▪ Lack of Mobile Device Management in smaller organizations

ctime

__ (change time) is the timestamp that records when a file's inode was last changed. Any change to the inode updates it: a content write (which also updates mtime and the size) as well as a change to attributes such as permissions, ownership, or link count. Unlike atime and mtime, ctime cannot be set through utime()/touch; the kernel updates it whenever the inode is modified, so an mtime that is older than ctime is a common sign of timestomping.
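The point above in working code, as an added example that is not part of the original flashcard set: the script backdates a scratch file's atime/mtime the way a timestomping tool (or touch -d) would, then shows that ctime moved to the present instead. It assumes Linux/macOS stat semantics (on Windows st_ctime is the creation time) and uses a temporary file it creates itself; the detection heuristic and threshold are this example's own choice.

```python
import os
import tempfile
import time


def looks_timestomped(st: os.stat_result, slack: float = 2.0) -> bool:
    """Heuristic: a normal write updates mtime and ctime together, so an
    mtime that is more than `slack` seconds older than ctime means the
    content timestamp was pushed backwards after the last inode change."""
    return st.st_mtime + slack < st.st_ctime


def timestomp_demo(old_epoch: float = 946684800.0) -> dict:
    """Create a scratch file, backdate its atime/mtime to `old_epoch`
    (2000-01-01 UTC) the way a timestomping tool would, and report what
    the three timestamps look like afterwards.

    utime() lets a caller choose atime and mtime, but ctime is maintained
    by the kernel: the utime() call itself modifies the inode, so ctime
    moves to "now" instead of to old_epoch (Linux/macOS semantics; on
    Windows st_ctime is the creation time instead).
    """
    fd, path = tempfile.mkstemp(prefix="ctime-demo-")
    try:
        os.write(fd, b"constructed sample content\n")
        os.close(fd)
        before = time.time()
        os.utime(path, (old_epoch, old_epoch))  # same effect as: touch -d 2000-01-01 file
        st = os.stat(path)
        return {
            "atime": st.st_atime,
            "mtime": st.st_mtime,
            "ctime": st.st_ctime,
            "mtime_backdated": st.st_mtime < before - 86400,
            "ctime_backdated": st.st_ctime < before - 86400,
            "suspicious": looks_timestomped(st),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in timestomp_demo().items():
        print(f"{key:16} {value}")
```

In a forensic triage the same comparison is run over a whole directory tree with os.walk and os.stat; the heuristic flags files whose mtime precedes ctime by more than a write's worth of clock skew.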

What kind of information are we looking to find?

__ - Reconnaissance : ▪ Phone numbers ▪ Contact names ▪ Email addresses ▪ Security-related information ▪ Information systems used ▪ Job postings ▪ Resumes

Hopper

__ Disassembler is a reverse engineering tool that lets you disassemble, decompile and debug your applications. ▪ Hopper v3 for Linux requires Ubuntu 14.04, Arch Linux, Fedora 20 or higher, and a 64-bit processor.

Clear Text Credentials in LDAP

__ If LDAP traffic is not protected by TLS (LDAPS on 636 or StartTLS on 389) and the client performs a simple bind, the username and password cross the network in clear text (an unsigned SASL bind is likewise exposed to tampering) ▪ Use the Query-InsecureLDAPBinds.ps1 script to find such binds in PowerShell; it reads the domain controller's Directory Service event log (event ID 2889), which is only written once the "16 LDAP Interface Events" diagnostic level is set to 2 on the DC o .\Query-InsecureLDAPBinds.ps1 -ComputerName dc1.contoso.com -Hours 24 ▪ You receive a CSV file as output listing the clients and accounts that bound insecurely o "IPAddress","Port","User","BindType" o "10.0.0.3","60901","CONTOSO\Administrator","Simple" o "[::1]","65445","CONTOSO\Administrator","Simple" ● Privilege Escalation (Windows)

Telnet (2)

__ permits sending commands to remote devices ▪ Everything, including credentials, is sent in plain text ▪ Should never be used across an untrusted network; anyone able to sniff the path can read the whole session ▪ SSH should be used instead

Metasploit

__ Project is a computer security project that provides information about vulnerabilities and aids penetration testing. ▪ Can be used to develop security testing tools and exploit modules, and as a penetration testing framework in its own right (the Metasploit Framework, driven from msfconsole).

Industrial Control Systems (ICS)

__ a collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes.

Privilege Escalation in Linux

__ allows a user to run a program or process as a different user with additional permissions in a Linux OS. Common vectors: ▪ Set-User Identification (SUID): the binary runs as its owner, so a root-owned SUID program that can be made to spawn a shell or write files yields root ▪ Set-Group Identification (SGID): the same idea for the owning group ▪ Sticky Bit ▪ Unsecure SUDO (overly broad or NOPASSWD entries in sudoers; enumerate with sudo -l) ▪ Ret2libc (a memory-corruption technique, typically aimed at SUID binaries, that returns into libc functions such as system() instead of injecting shellcode)
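The SUID/SGID enumeration step in working code, as an added example that is not part of the original flashcard set and not a specific tool's implementation: it walks a directory tree and reports every regular file carrying the set-ID bits, which is what `find / -perm -4000` does, then builds a small constructed tree to scan. The directory layout, file names and modes in demo() are this example's own; the SGID result is not asserted because a filesystem may silently drop that bit for a group the caller is not in.

```python
import os
import stat
import tempfile


def find_setid_binaries(root: str, root_owned_only: bool = False) -> list:
    """Walk `root` and return (path, bits, owner_uid) for every regular file
    carrying the set-user-ID and/or set-group-ID bit, the same population
    that `find / -type f \\( -perm -4000 -o -perm -2000 \\)` lists.
    Symlinks are not followed and unreadable directories are skipped, so it
    is safe to point at "/" as an unprivileged user."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = []
            if st.st_mode & stat.S_ISUID:
                bits.append("suid")
            if st.st_mode & stat.S_ISGID:
                bits.append("sgid")
            if not bits:
                continue
            if root_owned_only and st.st_uid != 0:
                continue            # only root-owned set-ID files give root
            hits.append((path, "+".join(bits), st.st_uid))
    return sorted(hits)


def demo() -> dict:
    """Constructed tree: one SUID file, one SGID file, one ordinary
    executable.  Returns {relative_path: bits} for what the scan found."""
    base = tempfile.mkdtemp(prefix="setid-demo-")
    layout = {"bin/helper": 0o4755, "sbin/reporter": 0o2755, "bin/plain": 0o755}
    for rel, mode in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(full, mode)
    return {os.path.relpath(p, base): bits for p, bits, _uid in find_setid_binaries(base)}


if __name__ == "__main__":
    for path, bits in demo().items():
        print(f"{bits:10} {path}")
```

On a real host, run find_setid_binaries("/", root_owned_only=True) and compare the list against the distribution's default set; anything unexpected (custom helpers, backup copies of shells, interpreters) is where a privilege-escalation review starts.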

Privilege Escalation in Windows

__ allows a user to run a program or process as a different user with additional permissions in a Windows OS. ▪ Cpassword (passwords stored in Group Policy Preferences XML files in SYSVOL, decryptable with a published AES key) ▪ Clear Text Credentials in LDAP ▪ Kerberoasting ▪ Credentials in LSASS ▪ Unattended Installation ▪ SAM Database ▪ DLL Hijacking ▪ Exploitable Services ▪ Unsecure File and Folder Permissions ▪ Keylogger ▪ Scheduled Tasks

Windows Remote Management (WinRM)

__ allows administrators to remotely run management scripts using the WS-Management Protocol (based on SOAP) ▪ Windows Remote Management runs on the server, listening on TCP 5985 (HTTP) and 5986 (HTTPS) ▪ Windows Remote Shell (WinRS) runs on the client; PowerShell Remoting rides on the same service

Remote Desktop Protocol (RDP)

__ allows remote access to a machine over the network as if you were sitting right in front of it ▪ Provides GUI access through an RDP client

Apple Remote Desktop

__ allows remote access to a machine over the network through a GUI ▪ Recent versions allow for an encrypted AES 128-bit tunnel to be created from the machine being controlled

Kerberos Silver Tickets

__ A Silver Ticket is a forged Kerberos service ticket (TGS) built with the password hash of the service account (for services hosted by a computer, the computer account's hash). A service accepts any ticket it can decrypt with its own key and normally does not ask the domain controller to validate the PAC, so the forged ticket is accepted without ever touching a DC. ▪ In the simplest terms, a Silver Ticket lets you authenticate to one service as any user you choose ▪ Kerberos Ticket Granting Service (TGS) tickets ▪ Can only be used for the specific service whose key was used to forge it

NETBIOS Name Service

__ names are 16 bytes long: the first 15 bytes hold a unique name (a single user or computer) or a group name (a set of users or computers), space-padded, and the 16th byte is a suffix identifying the service (for example 0x00 Workstation, 0x20 File Server, 0x1C Domain Controllers). On the wire the name is expanded to 32 characters by splitting each byte into two nibbles and adding 'A' to each.

Daemons

__ are background processes that exist to handle the periodic service requests a computer system expects to receive ▪ For example, sshd is the SSH daemon ▪ In Windows, these are called "services" ● Could be used to Persist on victim machine

passive infrared sensors

__ are alarm sensors that detect movement by measuring changes in the infrared radiation (body heat) crossing their field of view against the ambient background; they emit nothing themselves, which is why slow movement or a thermal barrier can defeat them.

Rules of Engagement (RoE)

__ are detailed guidelines and constraints regarding the execution of information security testing. The __ is established before the start of a security test, and gives the test team authority to conduct defined activities without the need for additional permissions.

Legal Concepts (1)

__ : laws and regulations regarding cyber-crime vary from country to country; check the local laws (where the tester, the client, and the target systems are located) before conducting an assessment.

Container

__ are like lightweight virtual machines, except that they share the host's kernel ▪ Each container is built from a base image with its own applications and dependencies layered on top ▪ Requires fewer resources than a typical VM ▪ Docker is the usual example (Puppet is a configuration-management tool and Vagrant provisions VMs; neither is a container runtime)

Programming Comments

__ are lines in code that are not part of execution but used to describe or remove code ▪ Bash, Python, Ruby, and PowerShell all use a # to signify the code is commented

Credentialed Scans

__ are scans in which the scanning computer has an account on the computer being scanned, which allows the scanner to do a more thorough check for problems that cannot be seen from the network. ▪ Scanner uses an authorized user or admin account ▪ Closer to the system administrator's perspective ▪ Finds more vulnerabilities (missing patches, local configuration, installed software) ▪ More detailed, accurate information

Vulnerability Scans

__ are scans of a host, system, or network to determine what vulnerabilities exist ▪ Numerous tools used by both defenders and attackers to identify vulnerabilities ▪ Tools are only as good as their configuration

Programming Constants

__ are used to define a set value across the entire program and cannot be changed

Programming Variable

__ are used to represent any value and can be changed during the execution of the program

XSS DOM

__ arises when an application contains client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data to a potentially dangerous sink within the DOM (typical sources: location.hash, location.search, document.referrer; typical sinks: innerHTML, document.write, eval). ▪ Document Object Model (DOM) is where the flaw lives; the payload need never reach the server, so server-side filters and logs miss it ▪ Victim's browser is exploited (client-side XSS)

Pass the Hash

__ attack is an exploit in which an attacker steals a hashed user credential (typically the NTLM hash) and, without cracking it, reuses it in the NTLM challenge-response to authenticate to other systems on the same network.

Spear Phishing

__ attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. __ attempts are not typically initiated by random hackers, but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information. ▪ Occurs when an attacker creates a message to appeal to a specific individual

Stealth Scan

__ attempts to avoid tripping defensive control thresholds by never completing the TCP handshake. ▪ Sends a SYN packet and analyses the response ▪ If a SYN/ACK is received, the port is open; the scanner then sends a RST instead of the final ACK, so no full connection is established and application logs usually record nothing ▪ A RST in reply means the port is closed; no reply (or an ICMP unreachable) means filtered ▪ nmap -sS <target> (needs raw-socket privileges, i.e. root)
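The exchange above in working code, as an added example that is not part of the original flashcard set and not nmap's own logic: it packs and parses raw TCP headers, classifies a reply to a lone SYN the way a half-open scan does, and builds the RST the scanner answers with. Packets are constructed in demo() rather than sent (sending needs raw sockets and root); the port numbers and sequence numbers are made up for the demonstration, and checksums are left zero.

```python
import struct

# TCP flag bits (low byte of the flags field)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, offset/reserved, flags, window, checksum, urgent


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Pack a 20-byte TCP header with no options (data offset = 5 words).
    Checksum is left zero; a real sender fills it in over the pseudo-header."""
    return struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def parse_tcp_header(raw):
    if len(raw) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off, flags, window, _csum, _urg = struct.unpack(TCP_HDR, raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off >> 4, "flags": flags, "window": window}


def classify_syn_response(response):
    """Interpret what came back after a lone SYN, as nmap -sS does:
    SYN/ACK -> open, RST -> closed, nothing or an ICMP unreachable
    (passed here as None) -> filtered."""
    if response is None:
        return "filtered"
    flags = parse_tcp_header(response)["flags"]
    if flags & SYN and flags & ACK:
        return "open"
    if flags & RST:
        return "closed"
    return "unexpected"


def teardown_for(probe_raw, response_raw):
    """The packet the scanner sends when a port is open: a bare RST that
    aborts the half-open connection so the target never sees an
    established session.  Its seq is the ack number the target expects."""
    probe, resp = parse_tcp_header(probe_raw), parse_tcp_header(response_raw)
    return build_tcp_header(probe["sport"], probe["dport"], resp["ack"], 0, RST, window=0)


def demo():
    """Constructed exchange: one probe, an open-port reply on 22, a
    closed-port reply on 23, silence on 24."""
    probe = build_tcp_header(40001, 22, seq=1000, ack=0, flags=SYN)
    synack = build_tcp_header(22, 40001, seq=5000, ack=1001, flags=SYN | ACK)
    rst = build_tcp_header(23, 40001, seq=0, ack=1001, flags=RST | ACK, window=0)
    results = {
        22: classify_syn_response(synack),
        23: classify_syn_response(rst),
        24: classify_syn_response(None),
    }
    teardown = parse_tcp_header(teardown_for(probe, synack))
    return results, teardown


if __name__ == "__main__":
    results, teardown = demo()
    print(results)
    print("scanner answers the SYN/ACK with RST, seq", teardown["seq"], "flags", hex(teardown["flags"]))
```

Note that "filtered" only means nothing usable came back; a slow host, a rate limiter, or a dropped probe all look the same, which is why nmap retransmits before committing to that verdict.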

Decompiler

__ attempts to convert executable instructions back into source code. ▪ Output is generally awkward to read at best

De-escalation

__ can decrease the severity, intensity, or magnitude of a security alert that is being reported ● Communication Reasons

Physical Security Attacks

__ : physical security describes measures designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks); physical security attacks are attempts to defeat those measures, such as the lock bumping covered in this set.

Flow Control

__ determines how program execution should proceed.

Network Address Translation (NAT)

__ enables translation of a private (non-routable) network address to a public (routable) address.

Application Containers

__ encapsulate the files, dependencies and libraries of an application to run on an OS. __ enable the user to create and run a separate container for multiple independent applications, or for the multiple services that constitute a single application. ▪ Breaking out of a container can allow attackers to break into the host and from there into other containers and systems

Non-credentialed Scans

__ enumerate ports, protocols, and services that are exposed on a host and identifies vulnerabilities and mis-configurations that could allow an attacker to compromise your network. ▪ Scanner doesn't have a user or admin account ▪ Closer to the hacker's perspective ▪ Fewer details, often used in early phases of attacks/tests

Target Selection - External

__ focuses on publicly facing targets ● Webservers in the DMZ ● Outside the protected LAN

Target Selection - Internal

__ focuses on targets inside the firewall ● Can be on-site or off-site ● Logically internal

Registers (memory registers)

__ frequently hold pointers that reference memory.

Network Basic Input/Output System (NetBIOS)

__ helps facilitate the communications of Microsoft applications over a network and provides services such as protocol management, messaging and data transfer, and hostname resolution.

Application Scanning - Dynamic Analysis

__ identifies vulnerabilities in a runtime environment. ▪ Automated tools provide flexibility on what to scan for ▪ Allows analysis of applications for which you do not have the source code ▪ Can be conducted against any application ▪ Occurs while the program is running ▪ Program is run in a sandbox and the changes it makes are noted

ad-hoc Mode

__ in this mode wireless clients are connected in a peer-to-peer mode. __ is commonly referred as an Independent Basic Service Set (IBSS)

Active Information Gathering

__ involves direct interaction with organizational assets (scanning, probing, connecting) to gather information, rather than indirect observation or details available from external parties; unlike passive gathering it is visible to the target's monitoring.

Social Engineering

__ involves manipulating people to get information or to gain access. ▪ Often utilizes deception and lies

Packet Inspection

__ is manual enumeration performed by analyzing captured packets to determine information ▪ Capturing and analyzing network packets ▪ Tool - Wireshark

Keylogger

__ is Surveillance technology used to monitor and record the keystrokes of a victim user ▪ Can be software or hardware-based ● Privilege Escalation (Windows)

Kerberos Golden Tickets

__ is a forged Kerberos Ticket-Granting Ticket (TGT) created with the password hash (or AES key) of the domain's KRBTGT account, the key that signs and encrypts every TGT. With it an attacker can request service tickets as any user, including accounts that do not exist, and move around the domain unnoticed until the KRBTGT password has been changed twice. ▪ Kerberos Ticket-Granting Tickets (TGT) ▪ Can be used to access any Kerberos service in the domain

Red Team

__ is a penetration test or adversary-emulation exercise conducted by pentesters (in-house or contracted) during a security exercise to ensure the defenders (blue team) can detect and respond adequately

SSLyze

__ is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL servers. ▪ Server certificate validation and revocation checking through OCSP stapling. ▪ Certificate Inspection Tool

Evil Twin Attack

__ is a Rogue access point that appears to be legitimate but is setup to eavesdrop on wireless communication.

Hping

__ is a TCP/IP packet assembler/analyzer, running on most *nix versions. It supports various protocols, including TCP, UDP, ICMP and raw IP. ▪ Commonly used to probe ports and test firewall rules by sending hand-crafted packets and watching what comes back ▪ Also used for advanced traceroute, OS fingerprinting and flood testing; it crafts packets, it does not carry exploits ▪ is a Packet Crafting Tool

Rlogin

__ is a Unix program that allows users to log in on another host using a network. ▪ Rsh created as part of rlogin package in BSD Unix ▪ Allowed a user to login and issue commands on another Unix computer over a TCP/IP network

HTTP Parameter Pollution (HPP)

__ is a web attack evasion technique in which an attacker supplies the same HTTP parameter more than once (for example ?id=1&id=2) so that a front-end filter or WAF and the back-end application interpret the request differently, letting the attacker manipulate or retrieve hidden information. ▪ Environments disagree on how to resolve duplicates: some take the first occurrence, some the last, and some process such requests by concatenating the values taken from all instances of a parameter name within the request.
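The disagreement above made concrete, as an added example that is not part of the original flashcard set: the same query string is resolved under first-wins, last-wins and concatenate policies, and a defensive check reports which names are duplicated. The policy-to-platform comments are the commonly cited behaviours and must be verified against the actual target; the request in demo() is constructed for the demonstration.

```python
from urllib.parse import parse_qs, urlencode

# How a back-end resolves a parameter that appears more than once.  The
# platform notes are the commonly cited behaviours; confirm them per target.
POLICIES = {
    "first": lambda values: values[0],                 # e.g. Java servlet getParameter()
    "last": lambda values: values[-1],                 # e.g. PHP $_GET
    "concatenate": lambda values: ",".join(values),    # e.g. ASP.NET Request.QueryString
    "array": lambda values: list(values),              # e.g. PHP with name[]
}


def resolve(query: str, name: str, policy: str):
    """Return the value the application would see for `name` under `policy`."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    if not values:
        return None
    return POLICIES[policy](values)


def duplicated_parameters(query: str) -> dict:
    """Defensive check: names that occur more than once, with all their values.
    A front-end filter and a back-end that disagree on which copy to use is
    exactly the condition HPP exploits, so rejecting duplicates removes it."""
    return {k: v for k, v in parse_qs(query, keep_blank_values=True).items() if len(v) > 1}


def demo() -> dict:
    """Constructed request: a filter that reads the first `role` sees 'user'
    while a last-wins back-end sees 'admin'; a concatenating back-end stitches
    a payload split across two `q` copies back together, the inserted comma
    being swallowed by the SQL comment."""
    query = urlencode([
        ("role", "user"), ("role", "admin"),
        ("q", "SELECT name/*"), ("q", "*/FROM users"),
    ])
    return {
        "filter_sees": resolve(query, "role", "first"),
        "backend_sees": resolve(query, "role", "last"),
        "concatenated_q": resolve(query, "q", "concatenate"),
        "duplicates": sorted(duplicated_parameters(query)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value!r}")
```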

Scheduled Tasks (at)

__ is a legacy Windows command-line program to schedule tasks; schtasks is its current replacement ▪ Task Scheduler is the GUI version of the program ● Could be used to Persist on victim machine

Property Lists (plist)

__ are XML-formatted files, stored in binary or text form, that provide configuration settings and property data for many kinds of Apple applications.

Searchsploit

__ is a command-line search tool for Exploit-DB that also lets you carry a copy of the Exploit Database with you, so searches run offline against the local repository. ▪ As its name indicates, it searches both exploits and shellcode ▪ Results point at files in the local copy, which can be copied into the working directory with searchsploit -m

telnet

__ is a a network protocol that allows a user on one computer to log into another computer that is part of the same network. ▪ Port 23 ▪ Can be used for Banner Grabbing

Dynamic Application Security Testing (DAST)

__ is a black-box security testing methodology in which a running application is tested from the outside. ▪ By contrast, a tester using SAST examines the application from the inside, searching its source code for conditions that indicate that a security vulnerability might be present.

Dictionary Attack

__ is a brute force attack that uses a dictionary of commonly used usernames and passwords. ▪ Weak passwords and passwords from previous data breaches make a great list

Lock Bumping

__ is a brute-force method of opening a pin tumbler lock with a bump key.

Bump Key

__ is a burglary tool, a generic key used along with another mechanism to apply force to open a lock

SQL Injection (Structured Query Language)

__ is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.

Impacket

__ is a collection of Python classes for working with network protocols. ▪ Packets can be constructed from scratch or parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols ▪ Focused on low-level access to SMB and MSRPC protocol implementations ▪ Ships example scripts such as psexec.py, secretsdump.py and GetUserSPNs.py that are used directly on engagements

Group Policy Object (GPO)

__ is a collection of settings that govern user and computer configurations within an Active Directory (AD) network.

Remote Shell (RSH)

__ is a command line program used to execute shell commands as another user on another computer over the network ▪ Is unsecure because it doesn't use encryption, therefore SSH should be used instead

Nslookup

__ is a command-line program (available on Windows and Unix-like systems) used to determine exactly what information a DNS server is providing about a specific host name. ▪ is a Reconnaissance Tool

Aircrack-ng

__ is a complete suite of tools to assess WiFi network security. ▪ It focuses on different areas of WiFi security: Monitoring: Packet capture and export of data to text files for further processing by third party tools. ▪ Wireless hacking suite that consists of scanner, packet sniffer, and password cracker

FTK or Forensic Toolkit

__ is a computer forensics software made by AccessData. ▪ It scans a hard drive looking for various information. It can, for example, locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.

Packet Capture

__ is a computer networking term for intercepting a data packet that is crossing or moving over a specific computer network. Once a packet is captured, it is stored temporarily so that it can be analyzed.

Netcat (nc)

__ is a computer networking utility for reading from and writing to network connections using TCP or UDP. ▪ The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. ▪ Is a Packet Crafting Tool & Banner Grabbing Tool

Access Limiation

__ is a condition in which the penetration tester has restrictions on access when they begin testing.

Master Service Agreement (MSA)

__ is a contract where parties agree to most of the terms that will govern future actions. ▪ High level contract between a service provider and a client that specifies details of the business arrangement

APK Studio

__ is a cross-platform free and open-source tool that lets you decompile APK files and edit codes and resources and recompile it. ▪ You can call it IDE (Integrated Development Environment) which comes with complete user friendly GUI much like other common IDEs. ▪ Cross-platform IDE for reverse engineering and recompiling Android application binaries

(Security Account Manager) SAM Database

__ is a database file (%SystemRoot%\System32\config\SAM) that stores the passwords of local Windows accounts as LM or NTLM hashes ▪ File is used to authenticate local accounts, whether the logon is interactive or from a remote user supplying local credentials (domain accounts live in NTDS.dit on the domain controller) ▪ Passwords can be cracked offline if the SAM file is obtained together with the SYSTEM hive, which holds the key needed to decrypt it ▪ The file is locked while Windows runs, so copies come from a registry export or a volume shadow copy ● Privilege Escalation (Windows)

GDB

__ (the GNU Debugger) is a debugger: a program that runs other programs under its control, letting the user set breakpoints, step through execution, and examine variables and memory when problems arise. ▪ The most popular debugger on UNIX systems for C and C++ programs ▪ Runs on Unix and Linux systems

Discover.sh

__ is a discovery framework developed to quickly and efficiently identify passive information about a company or network. ▪ Delivered as a collection of scripts (discover-scripts) that wrap other reconnaissance tools ▪ is a Reconnaissance Tool

Pretexting (Pretext)

__ is a false context developed to justify other actions or make them believable to a victim

root bridge

__ is a feature of the Spanning Tree Protocol (STP) that serves as a reference point for all switches in a spanning tree topology.

Network File System (NFS)

__ is a file system and protocol that enables network file sharing for *NIX operating systems.

foremost

__ is a forensic data recovery program for Linux used to recover files using their headers, footers, and data structures through a process known as file carving. ▪ Although written for law enforcement use, it is freely available and can be used as a general data recovery tool.

DNS Cache Poisoning

__ is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address.

Vishing (Voice Phishing)

__ is a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward. ▪ Phishing that occurs over a telephone ▪ Involves calling someone and pretending you are someone else

Statement of Work (SOW)

__ is a formal document stating scope of what will be performed during a penetration test. ▪ Clearly states what tasks are to be accomplished during an engagement

OpenVAS

__ is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. ▪ The actual security scanner is accompanied with a regularly updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total.

iOS Simulator

__ is a function of the iOS developer tool kit (Xcode) that can mimic the basic behavior of an iDevice and how it interacts with an iOS application.

AFL

__ (American Fuzzy Lop) is a fuzzer, a tool for testing software by feeding it mutated inputs and watching for crashes. Rather than generating inputs purely at random, it instruments the target at compile time and keeps the mutations that reach new code paths (coverage-guided fuzzing). ▪ The native-code compiler "ocamlopt" can generate such instrumentation, allowing afl-fuzz to be used against programs written in OCaml.

Ncat (ncat)

__ is a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a network. __ is suitable for interactive use or as a network-connected back end for other tools. ▪ is a Packet Crafting Tool

NCAT

__ is a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a network. ▪ It aims to be your network Swiss Army knife, handling a wide variety of security testing and administration tasks. ▪ Is suitable for interactive use or as a network-connected back end for other tools. ▪ From makers of Nmap as update to Netcat

Contracting Officer

__ is a government employee with the authority to enter into, administer, and/or terminate contracts and make related determinations and findings

Array

__ is a group of elements of the same data type.

netgroup

__ is a group of users or hosts used for permission checking when permitting remote operation such as mounting file shares, remote logins, remote execution, in Linux and Unix network domain environments.

Microwave Sensor

__ is a motion sensor that emits high-frequency radio waves and detects changes in the reflected signal; the waves pass through many building materials, so placement matters to avoid false alarms from movement outside the protected area.

Redirect Attack

__ (open redirect) is a vulnerability in which a site takes a destination from user-controlled input (for example a next= or url= parameter) and redirects to it without validation, so a link on the legitimate domain can send the victim anywhere; usually combined with a phishing attack ▪ Sends the user to an attacker-controlled login page to capture credentials
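The vulnerable handling and a hardened version side by side, as an added example that is not part of the original flashcard set: the unsafe function trusts the parameter, the safe one accepts only a local path or an https URL on an allow-listed host and covers the usual bypasses (scheme-relative //host, backslashes, leading whitespace, javascript:). The parameter name, the default destination and the allow-list are assumptions made for the example.

```python
from urllib.parse import urlsplit


def redirect_target_unsafe(next_param: str, default: str = "/") -> str:
    """Vulnerable form: wherever ?next= points is where the user is sent."""
    return next_param or default


def redirect_target_safe(next_param: str, default: str = "/", allowed_hosts=()) -> str:
    """Hardened form: only a local path, or an https URL on an allow-listed
    host, survives; everything else falls back to `default`.  Handles the
    usual bypasses: absolute URLs, scheme-relative //host, backslash
    variants browsers read as slashes, leading whitespace, CR/LF, and
    javascript:/data: pseudo-schemes."""
    if not next_param or next_param[0] <= " " or any(ord(c) < 0x20 for c in next_param):
        return default
    candidate = next_param.replace("\\", "/")        # browsers treat \ like /
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return default
    if parts.scheme or parts.netloc or candidate.startswith("//"):
        # Absolute target: https to an allow-listed host only, and no
        # user@host trick where the allow-listed name is just the userinfo.
        if parts.scheme == "https" and parts.username is None \
                and parts.hostname in allowed_hosts:
            return next_param
        return default
    if not parts.path.startswith("/"):
        return default                               # "account" or "\\evil" are ambiguous
    return next_param


if __name__ == "__main__":
    for given in ["/account", "//evil.example/x", "https://evil.example",
                  "/\\evil.example", "javascript:alert(1)", "https://trusted.example/x"]:
        print(f"{given!r:32} unsafe -> {redirect_target_unsafe(given)!r:28} "
              f"safe -> {redirect_target_safe(given, allowed_hosts=('trusted.example',))!r}")
```

If the framework URL-decodes the parameter before the handler sees it, an encoded %2F%2Fevil.example arrives as //evil.example and is caught; if it does not decode, the value stays a same-origin path and is harmless. Either way the check runs on the decoded form the redirect will actually use.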

Pivoting

__ is a lateral movement technique in which a compromised host is used as a jump point to reach hosts the attacker cannot contact directly, for example by tunnelling through SSH or routing tools via the foothold, and then connecting onward with remote access tools such as SSH, Telnet, FTP, RDP, or VNC.

Mimikatz

__ is a leading post-exploitation tool that targets Windows machines to extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory (chiefly the LSASS process). ▪ Also enables pass-the-hash, pass-the-ticket, and building Golden and Silver Kerberos tickets ▪ Needs administrative rights (SeDebugPrivilege) to read LSASS, and is heavily signatured by endpoint security products

Non-Disclosure Agreement (NDA)

__ is a legal contract outlining confidential material or information that will be shared during the assessment and what restrictions are placed on it. ▪ Agreement that defines confidential material and restrictions on use and sharing sensitive information with other parties

Dynamic Link Library (DLL)

__ is a library that contains code and data that can be used by more than one program at the same time. ● Can be used for Privilege Escalation (Windows)

PsExec

__ is a light-weight telnet-replacement that lets you execute processes on other systems with full interactivity for console applications without having to manually install client software ▪ Works by copying a service binary to the target's ADMIN$ share and starting it over SMB, so it needs admin credentials and SMB access; the service installation it leaves behind is a well-known detection artefact

Security Account Manager (SAM)

__ is a local database file that contains local account settings and password hashes for the host.

Cipher lock

__ is a lock opened via a programmable keypad designed to limit access to a controlled area.

Social Networking

__ is a means by which people use the Internet to communicate and share information among their immediate friends, and meet and connect with others through common interests, experiences, and friends. ▪ is a Reconnaissance Tool

X11 Forwarding

__ is a mechanism that allows a user to start up remote applications but forward the application's display to the local machine. ▪ The X Window System (an X server displaying for X client programs) is the GUI layer for Linux/Unix __● Known collectively as X11 ▪ X11 over an SSH connection (ssh -X); an X server exposed on TCP 6000 with open access control lets anyone read the display and keystrokes

Backdoors

__ is a method to bypass normal authentication or encryption in a computer system ▪ May take the form of a hidden part of a program (such as a trojan or rootkit) ▪ Default passwords are considered a backdoor when they are not changed by the user ● Could be used to Persist on victim machine

Persistence

__ is a method to maintain access to a victim machine.

Kerberoasting

__ is a method used to steal service account credentials. ▪ Any domain user account that has a service principal name (SPN) set can have a service ticket (TGS) issued for it ▪ The ticket can be requested by any authenticated domain user; because it is encrypted with the service account's key, it allows offline cracking of the service account's plaintext password ▪ Target user accounts with SPNs; computer accounts have long random passwords that will not crack ▪ RC4 (etype 23) tickets crack far faster than AES ones ▪ Request with Impacket's GetUserSPNs.py, crack with John the Ripper or similar ● Privilege Escalation (Windows)

Rooting

__ is a mobile device exploitation that is the process of exploiting a software vulnerability in the operating system that enables low-level execution with elevated privileges and enables the user to make modifications to the operating system that were not necessarily intended by the manufacture.

Dirbuster

__ is a multi-threaded Java application designed to brute force directory and file names on web/application servers. ▪ Often what looks like a web server in a default installation is not, and has pages and applications hidden within ▪ Brute-force tool for directories and file names on web/application servers

Patator

__ is a multi-purpose brute-forcer, with a modular design and a flexible usage. ▪ Multi-purpose brute-force attack tool ▪ Supports modules for different target services

WinDBG

__ is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. ▪ Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development.

Kerberos

__ is a network authentication protocol that leverages a ticketing system to allow hosts and user operating over the network to prove their identity to one another in a secure fashion.

kismet

__ is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. ▪ will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic. ▪ The program runs under Linux, FreeBSD, NetBSD, OpenBSD, and Mac OS X. ▪ Wireless hacking suite that consists of scanner, packet sniffer, and IDS

Address Resolution Protocol (ARP)

__ is a protocol that resolves an IP address to a physical (MAC) address, such as an Ethernet address; it sits between the link and network layers. ▪ A host wishing to obtain a physical address broadcasts an ARP request onto the local network ▪ ARP has no authentication, so any host can answer for any address (ARP spoofing/poisoning, the basis of on-path attacks on a LAN)

Censys

__ is a new Search Engine for devices exposed on the Internet, it could be used by experts to assess the security they implement. ▪ Search engine for hosts and networks across the internet with data about their configuration ▪ Contains search interface, report builder, and SQL engine

Bully Tool

__ is a new implementation of the WPS brute force attack, written in C. ▪ It is conceptually identical to other programs, in that it exploits the (now well known) design flaw in the WPS specification.

Java Archive (JAR)

__ is a package file format that includes all of the necessary resources (i.e., class files, images, text, etc.) into one resource for a Java application to execute successfully.

Android Debug Bridge (ADB)

__ is the command-line tool from the Android SDK used to talk to a connected device or emulator: open a shell, install or remove packages, push and pull files, and read logs. ▪ Requires USB debugging (or TCP/IP debugging) to be enabled on the device ▪ Commonly used to pull an APK off a device for analysis

Hydra

__ is a password detection tool (cracking) that can be used in a wide range of situations, including authentication-based forms commonly used in web applications. ▪ When you need brute force cracking remote authentication. ▪ Brute-force network log-on cracking tool ▪ Repeatedly attempts to login to a system

Cain and Abel (Cain)

__ is a password recovery tool for Microsoft Windows. ▪ It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks.

Perimeter Barrier

__ is a physical security protection to help delay an attack or reduce damage to the facility, such as a gate, concrete barrier or fence.

QualysGuard Vulnerability Scanner

__ is a popular SaaS (software as a service) vulnerability management offering. Its web-based UI offers network discovery and mapping, asset prioritization, vulnerability assessment reporting and remediation tracking according to business risk.

John the Ripper

__ is a popular open source password cracking tool that combines several different cracking programs and runs in both brute force and dictionary attack modes.

Tableau

__ is a powerful and fastest growing data visualization tool used in the Business Intelligence Industry. ▪ It helps in simplifying raw data into the very easily understandable format. ▪ Data analysis is very fast with Tableau and the visualizations created are in the form of dashboards and worksheets.

Responder

__ is a powerful tool for quickly gaining credentials and possibly even remote system access. ▪ Has the ability to prompt users for credentials when certain network services are requested, resulting in clear text passwords. It can also perform pass-the-hash style attacks and provide remote shells ▪ LLMNR, NBT-NS, and mDNS poisoner ▪ Answers name-resolution broadcasts for names the real DNS could not resolve (typos, stale shares), so the victim connects to the attacker and hands over an NTLM challenge-response that can be cracked or relayed

Rainbow Tables

__ are pre-computed tables of hash chains covering candidate passwords, used for offline cracking of captured password hashes by looking the hash up instead of recomputing it ▪ Defeated by per-user salts, since each salt would need its own table

Local Security Authority Subsystem Service (LSASS)

__ is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. ● Privilege Escalation (Windows)

Compliance Auditing

__ is a process of evaluating organizational controls to determine their adherence to standards and regulations.

Communication

__ is a process through which you send messages to and receive messages from others. ▪ Lots of communication is needed before, during, and after a penetration test ▪ Therefore, it is important to understand: __● Communication paths __● What triggers communication to occur __● And the reason for communicating in the first place

Binary Search

__ is a process that takes the middle element of a sorted range and compares it to the target value. If the middle element matches, it is returned; if the target is greater than the middle element, the lower half of the range is discarded, otherwise the upper half is. Each comparison halves the search space. This is used to speed up blind SQL injection: instead of testing a character against every possible value, the injected condition asks whether it is greater than the midpoint, so each character costs about seven requests rather than up to 127.
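The blind-SQL-injection use of binary search in working code, as an added example that is not part of the original flashcard set: the target is simulated by an oracle that answers the "is this character's code greater than N?" question the injected condition would ask, so the extraction runs offline. The SECRET value, the column name in the payload and the MySQL-style syntax are constructed for the demonstration; against a real target the oracle would send build_payload() and compare the two page variants.

```python
SECRET = "s3cr3t"   # constructed stand-in for the value the injected query reads


def build_payload(position: int, threshold: int) -> str:
    """Boolean condition appended to the vulnerable query (MySQL-style)."""
    return f"' AND ASCII(SUBSTRING(password,{position},1))>{threshold}-- "


def simulated_oracle(position: int, threshold: int) -> bool:
    """Stand-in for sending build_payload() and checking whether the page
    rendered its 'true' variant.  Past the end of the string SUBSTRING()
    returns '' and ASCII('') is 0, so the comparison is always false."""
    if position > len(SECRET):
        return False
    return ord(SECRET[position - 1]) > threshold


def extract_char(position: int, oracle, lo: int = 0, hi: int = 127):
    """Binary search the ASCII code at `position`: every query halves the
    candidate range, so 7 requests cover 0..127 instead of up to 127.
    Returns (code, queries_used)."""
    queries = 0
    while lo < hi:
        mid = (lo + hi) // 2
        queries += 1
        if oracle(position, mid):   # code is above mid: drop the lower half
            lo = mid + 1
        else:                       # code is at or below mid: drop the upper half
            hi = mid
    return lo, queries


def extract_string(oracle, max_len: int = 64):
    """Pull characters until the oracle reports code 0 (end of value).
    Returns (recovered_string, total_queries)."""
    out, total = "", 0
    for pos in range(1, max_len + 1):
        code, used = extract_char(pos, oracle)
        total += used
        if code == 0:
            break
        out += chr(code)
    return out, total


def linear_cost(secret: str) -> int:
    """Requests an equality-probe approach would spend on the same value
    (testing codes 1..c in turn for each character), for comparison."""
    return sum(ord(c) for c in secret)


if __name__ == "__main__":
    value, queries = extract_string(simulated_oracle)
    print(f"recovered {value!r} in {queries} requests (linear probing: {linear_cost(SECRET)})")
    print("first request would be:", build_payload(1, 63))
```

The same loop works for any boolean oracle, including time-based ones where "true" is a delayed response; only the oracle function changes.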

remediation

__ is a process used to fix or resolve an unwanted deficiency.

Maltego

__ is a program that can be used to determine the relationships and real world links between: People. Groups of people (social networks) Companies ▪ Intelligence gathering and analysis platform ▪ is a Reconnaissance Tool

Distributed Component Object Model (DCOM)

__ is a proprietary Microsoft technology for communication between software components on networked computers

Link-Local Multicast Name Resolution (LLMNR)

__ is a protocol based on the Domain Name System packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.

Simple Mail Transfer Protocol (SMTP)

__ is a protocol for sending e-mail messages between servers. ▪ Standard protocol for transmitting email ▪ Open relay, local relay, phishing, spam, etc.

Microsoft Remote Procedure Call (MSRPC)

__ is a protocol that allows a remote user to call procedures on a remote system as though they were calling it from the local system.

Remote Procedure Call (RPC)

__ is a protocol that lets a program execute a procedure on a remote computer or server as though it were a local call; Windows relies on its own implementation (MSRPC, reached over SMB named pipes or the endpoint mapper on TCP port 135)

Domain Name System (DNS)

__ is a protocol within a set of standards that is used to associate a computer name to an IP address.

Whois

__ is a public Internet database that contains information about Internet domain names and the people or organizations that registered the domains. ▪ Used in reconnaissance to find registrant contacts, name servers, and registration dates that feed later attacks such as social engineering ▪ is a Reconnaissance Tool

WHOIS

__ is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information. ▪ Query and response protocol for internet resources

Interrogation

__ is a question or an intense questioning session. ▪ Interviews used by law enforcement, military, or intelligence agencies ▪ Pentesters won't generally use this technique...

Tenable's Nessus Vulnerability Scanner

__ is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network.

Double Tagging

__ is a VLAN hopping attack that relies on a trunk port carrying its native VLAN untagged. The attacker, sitting on the native VLAN, sends a frame with two 802.1Q tags: an outer tag for the native VLAN and an inner tag for the victim VLAN. The first switch strips the outer (native) tag and forwards the frame across the trunk; the next switch sees only the inner tag and delivers the frame into the victim VLAN, bypassing layer-2 segmentation and any layer-3 access control between the VLANs. ▪ One-way only: replies are not double-tagged, so it suits blind attacks such as DoS ▪ Mitigated by moving the native VLAN to an unused VLAN ID or by tagging the native VLAN on trunks
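
Added example (not from the original card set): building a double-tagged Ethernet frame byte by byte and running it through a deliberately simplified model of two switches, to show why the native-VLAN strip is what makes the hop work and why the two mitigations stop it. The switch behaviour here is a model written for this example, not code from any vendor; MAC addresses and payload are constructed.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_IPV4 = 0x0800


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """One 802.1Q tag: TPID 0x8100 followed by TCI = PCP(3) | DEI(1) | VID(12)."""
    return struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | (vid & 0x0FFF))


def build_double_tagged(dst: bytes, src: bytes, outer_vid: int, inner_vid: int, payload: bytes) -> bytes:
    """Attacker frame: outer tag = what the attacker believes is the trunk's native VLAN,
    inner tag = the victim VLAN, then the real ethertype and payload."""
    return (dst + src + vlan_tag(outer_vid) + vlan_tag(inner_vid)
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


def parse_tags(frame: bytes):
    """Return (list of VIDs outermost-first, ethertype after the tags, payload)."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == ETHERTYPE_VLAN:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0], frame[off + 2:]


def first_switch_trunk_egress(frame: bytes, native_vid: int, tag_native: bool = False) -> bytes:
    """Simplified model of the attacker-facing switch sending out its trunk:
    native-VLAN traffic leaves untagged (unless the native VLAN is configured
    to be tagged), so the outer tag is popped and the inner tag is exposed."""
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] == native_vid and not tag_native:
        return frame[:12] + frame[16:]        # pop the 4-byte outer tag
    return frame


def second_switch_vlan(frame: bytes, native_vid: int) -> int:
    """The next switch classifies by the first tag it sees (untagged = native)."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vid


def hop(attacker_outer_vid: int, victim_vid: int, native_vid: int, tag_native: bool = False) -> int:
    """Which VLAN the attacker's payload finally lands in."""
    frame = build_double_tagged(b"\xff" * 6, bytes.fromhex("02aabbccddee"),
                                attacker_outer_vid, victim_vid, b"constructed payload")
    return second_switch_vlan(first_switch_trunk_egress(frame, native_vid, tag_native), native_vid)
```

With the native VLAN left at 1, `hop(1, 20, native_vid=1)` lands the frame in VLAN 20. Moving the native VLAN to an unused ID (`native_vid=999`) or tagging it (`tag_native=True`) leaves the outer tag in place, so the second switch keeps the frame in the attacker's own VLAN.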

CeWL

__ is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper. ▪ Tool to create a custom wordlist or dictionary ▪ Searches a target website for words meeting criteria set as inputs

Credentialed Vulnerability Scanning

__ is a scan conducted by a vulnerability scanner that has been given access to the system with the same rights as an authorized user.

Google

__ is a search engine that can be used to find information about a target. ▪ is a Reconnaissance Tool

Shodan

__ is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. ▪ Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client. ▪ Search engine that lets you find webcams, routers, servers, and more on the internet

Data Execution Prevention (DEP)

__ is a security feature, implemented in hardware (the NX/XD bit) and in software, that marks memory regions such as the stack and heap as non-executable. It does not stop a buffer overflow from overwriting memory, but it prevents injected shellcode on the stack from running; attackers answer it with code-reuse techniques such as ret2libc and ROP.

Fuzzing

__ is a security testing technique that sends unexpected, malformed, or random data to an input of an application or network service to generate errors, in hopes of discovering security weaknesses (crashes, hangs, memory corruption) that could be exploited.
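
Added example (not from the original cards): a minimal mutation-based fuzzer run against a constructed Type-Length-Value parser with a planted trust-the-input bug. The parser, the mutation strategies and the seed input are all written for this example; they stand in for the kind of target and loop a real fuzzer (Peach, AFL) automates at scale.

```python
import random


def parse_tlv(data: bytes) -> list:
    """Target under test: a tiny Type-Length-Value parser with a planted bug.
    It trusts the declared length and, for 'ratio' records (type 0x02), the
    value bytes, so malformed input escapes as IndexError or ZeroDivisionError."""
    records, i = [], 0
    while i + 2 <= len(data):
        rtype, length = data[i], data[i + 1]
        value = data[i + 2 : i + 2 + length]      # no check that `length` bytes exist
        if rtype == 0x02:
            records.append(("ratio", value[0] // value[1]))  # BUG: trusts value
        else:
            records.append(("raw", value))
        i += 2 + length
    return records


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: bit flip, interesting-byte overwrite, insert, truncate."""
    buf = bytearray(data)
    op = rng.choice(("flip", "set", "insert", "truncate"))
    if op == "flip" and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == "set" and buf:
        buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x01, 0x7F, 0x80, 0xFF))
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "truncate" and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)


def fuzz(target, seeds, iterations: int = 2000, seed: int = 1) -> dict:
    """Mutation-based fuzz loop. Any exception escaping `target` counts as a
    crash; the first input per exception type is kept so it can be replayed."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng, rng.choice(seeds))
        try:
            target(case)
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes


# Constructed valid seed: a raw record 'abc' followed by a ratio record 8/2.
SEEDS = [b"\x01\x03abc" + b"\x02\x02\x08\x02"]
```

Running `fuzz(parse_tlv, SEEDS)` returns a crashing input per exception type; each one replays deterministically against `parse_tlv`, which is the triage step that turns a fuzzer finding into a bug report.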

Magnetic Switches

__ is a sensor installed between a door and its frame, or a window and its frame, that relies on a continuous magnetic connection to monitor whether the opening is closed; can be used to trigger alarms.

Advanced Persistent Threat (APT)

__ is a sequence of actions carried out by an individual or group with the resources to establish persistent, stealthy, long-term footholds, targeting specific goals and specific victims rather than relying on opportunistic attacks.

Linear Search

__ is a sequential process of evaluation where every value is checked until the correct value has been identified.

Powersploit

__ is a series of Microsoft PowerShell scripts that can be used in post-exploitation scenarios during authorized penetration tests. ▪ Collection of Microsoft PowerShell modules for use in penetration testing ▪ Considered a post-exploitation framework

Adjudication

__ is a series of steps that determine which vulnerabilities are valid. ▪ Determine which results are valid __● False positives __● Filter out false positives

Protocol

__ is a set of formal rules that describe the functionality of how to send and receive data.

Group Policy Preferences (GPP)

__ is a set of optional extensions that expand the functionality of Group Policy Objects (GPOs). Allows Active Directory (AD) domain admins to create domain policies, including pushing local accounts and their passwords. ▪ Passwords stored by GPP in SYSVOL XML files (the cpassword attribute) were encrypted with an AES key Microsoft published, so any domain user who could read SYSVOL could recover them (patched in MS14-025, but old files may remain)

Docker

__ is a set of platform-as-a-service products that use OS-level virtualization to deliver software in packages called containers. ▪ Containers are isolated from one another and bundle their own software, libraries and configuration files. ▪ They can communicate with each other through well-defined channels.

Windows Management Instrumentation (WMI)

__ is a set of specifications from Microsoft for consolidating the management of devices and applications in a network from Windows computing systems

Static Application Security Testing (SAST)

__ is a set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. ▪ SAST solutions analyze an application from the "inside out" in a nonrunning state

Dynamic-Linked Library (DLL)

__ is a shared library concept implemented in Microsoft operating systems.

script

__ is a short program that is used to automate tasks

OpenVAS (Open-source Scanner)

__ is a software framework of several services and tools offering vulnerability scanning and vulnerability management. ▪ All OpenVAS products are free software, and most components are licensed under the GNU General Public License.

Application Scanning

__ is a software program which performs automatic black box testing on a web application and identifies security vulnerabilities. Scanners do not access the source code, they only perform functional testing and try to find security vulnerabilities

Dossier

__ is a specific collection of documents. ▪ is a Reconnaissance Tool

Medusa

__ is a speedy, parallel, and modular, login brute-forcer. ▪ The goal is to support as many services which allow remote authentication as possible. ▪ The author considers the following items as some of the key features of this application: Thread-based parallel testing. ▪ Supports numerous remote authentication protocols (rlogin, ssh, telnet, http, etc)

touch

__ is a standard command in UNIX/Linux operating systems used to create files and to change their timestamps. ▪ touch (Linux, Unix, OSX) __● With no options, updates atime and mtime to the current time __● -t or -d sets them to a given date/time; -r copies them from another file __● ctime cannot be set this way: it is updated to the current time by the change itself

Structured Query Language (SQL)

__ is a standard computer language for relational database management and data manipulation; it is used to query, insert, update, and delete data. ▪ Prevent SQL injection through input validation, parameterized queries, and least privilege for the database accounts an application uses

File Transfer Protocol (FTP)

__ is a standard network protocol used for the transfer of computer files between a client and server on a computer network.

Peach

__ is a state-of-the-art fuzzing engine and a convenient graphical user interface come together to create the world's most advanced fuzzing tool. ▪ The Peach Fuzzer Platform uses automated generative and mutational modeling and intelligent test case generation to reveal the hidden bugs that other testing methods miss.

Identify assets

__ is a step in the threat modeling process that defines the critical elements an organization needs to protect, such as employees, facilities, servers, workstations, sensitive data, etc.

Architecture Overview

__ is a step in the threat modeling process that documents what an application or system does, describes how it is physically and logically implemented, and identifies the technologies that are in use.

Document the Threats

__ is a step in the threat modeling process where the organization will match each threat, threat actor, and respective vulnerability relevant to the organization.

Decompose the Application

__ is a step in the threat modeling process that breaks down the technologies and organizational assets and investigates the entry points and trust boundaries between interconnected systems.

Immunity debugger

__ is a straightforward application worth having when you need to write exploits, analyze malware and reverse engineer Win32 binaries. ▪ Because of its advanced options, Immunity Debugger will display a new window that enables you to choose your selected function. ▪ Used to write exploits, analyze malware, and reverse engineer binary files ▪ Supports Python APIs and execution

Advanced Encryption Standard (AES)

__ is a symmetric block cipher used in both hardware and software to encrypt sensitive information.

Internet of Things (IoT)

__ is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

Methodology

__ is a system of methods used in a particular area of study or activity.

Supervisory Control and Data Acquisition (SCADA)

__ is a system of software and hardware elements that allows industrial organizations to: Control industrial processes locally or at remote locations. Monitor, gather, and process real-time data.

Lock Bypass

__ is a technique in lockpicking, of defeating a lock through unlatching the underlying locking mechanism without operating the lock at all. ▪ Pentester could jam a lock or bypass it by manipulating the locking function ▪ Stop a door from being shut fully by inserting a spacer or wedge

Timestomp

__ is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to match other files in the same folder. ▪ touch (Linux, Unix, OSX) __● With -t or -d, sets atime and mtime to a given date/time; -r copies another file's times __● ctime cannot be set by touch; it is bumped to the current time by the change, so a ctime far newer than mtime is a common indicator of stomping ▪ Meterpreter has a built-in timestomp command that can set all four NTFS timestamps
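
Added example (not from the original cards) showing both sides of this card on Linux/macOS: backdating a constructed file the way `touch -t` does, and the ctime-versus-mtime check a forensic analyst uses to spot it. The file and the 2015 date are constructed for the demo.

```python
import os
import tempfile
import time


def timestomp(path: str, when: float) -> None:
    """What `touch -t`/`-d` does: set atime and mtime to `when`.
    ctime is not an argument: the kernel bumps it to *now* because
    rewriting the timestamps is itself a change to the inode."""
    os.utime(path, (when, when))


def looks_stomped(path: str, slack: float = 2.0) -> bool:
    """Detection heuristic (Linux/macOS): a ctime well ahead of mtime means
    the metadata was touched after the file's claimed modification time.
    On Windows os.stat().st_ctime is the creation time, so this check
    does not apply there."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack


def demo(when: float) -> dict:
    """Create a constructed sample file, backdate it, and report the result."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dropped.bin")
        with open(path, "wb") as f:
            f.write(b"constructed sample file")
        before = looks_stomped(path)      # fresh file: ctime == mtime
        timestomp(path, when)
        st = os.stat(path)
        return {
            "before": before,
            "after": looks_stomped(path),
            "mtime": int(st.st_mtime),
            "ctime_newer_than_mtime": st.st_ctime > st.st_mtime,
        }


# Local time, the same way `touch -t 201501261102` is interpreted.
JAN_26_2015 = time.mktime((2015, 1, 26, 11, 2, 0, 0, 0, -1))
```

`demo(JAN_26_2015)` shows mtime rewound to 2015 while ctime stays at the present, which is exactly the inconsistency timeline tools flag; the only ways around it are changing the system clock before the modification or writing the inode directly.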

Phishing

__ is a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail ▪ Lures people into providing sensitive data __● Personal identifiable information __● Banking information __● Passwords

Application Scanning - Static Analysis (SAST)

__ is a testing methodology that analyzes source code to find security vulnerabilities that make your organization's applications susceptible to attack. __ scans an application before the code is compiled. ▪ It's also known as white box testing. ▪ Performed in a non-runtime environment ▪ Inspects programming code for flaws/vulnerabilities ▪ Line by line inspection can be performed

Theharvester

__ is a tool for gathering e-mail accounts, subdomain names, virtual hosts, open ports/ banners, and employee names from different public sources ▪ Gathers emails, subdomains, hosts, employee names, open ports, and banners

APKX

__ is a Python wrapper (around dex2jar and Java decompilers) that extracts Java source code directly from Android APK files. ▪ Related: Apktool reverses third-party, closed, binary Android apps; it can decode resources to nearly original form, rebuild them after modifications, and debug smali code step by step.

Proxychains

__ is a tool that forces any TCP connection made by a given application to go through a proxy such as TOR or any other SOCKS4, SOCKS5 or HTTP(S) proxy. ▪ Tool that forces TCP connections from all applications to run through a proxy ▪ Can be TOR or another HTTP/SOCKS proxy ▪ Used in Evasion & Remote Access

Foca (Fingerprinting Organizations with Collected Archives)

__ is a tool used mainly to find metadata and hidden information in the documents its scans. ▪ Used to find metadata and hidden info in docs ▪ These documents may be on web pages, and can be downloaded and analyzed with FOCA.

Domain Dossier

__ is a tool used to investigate domains and IP address. ▪ It gathers registrant information, DNS records and other things, compiling it all into one report. ▪ is a Reconnaissance Tool

Email Dossier

__ is a tool used to investigate emails. ▪ is a Reconnaissance Tool

Cross-compiling Code

__ is a type of a compiler that can create an executable code for a platform other than the one on which the compiler is running. ▪ Many pentesters use Kali Linux but many victim systems are Windows-based ▪ Exploits for Windows can be compiled on Linux using tools like Mingw-w64

ARP spoofing

__ is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. ▪ This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network.

Authentication Attack

__ is a type of attack that can occur when we fail to use strong authentication mechanisms for our applications

Deauthentication (DeAuth) Attack

__ is a type of denial of service that targets communication between a user and a wireless access point ▪ An attacker can send a deauthentication frame at any time to a wireless access point, with a spoofed address for the victim, because management frames are unauthenticated in WPA/WPA2 by default ▪ 802.11w Protected Management Frames (required by WPA3) authenticate these frames and defeat the spoofed ones

Combination Lock

__ is a type of mechanical lock that requires a proper sequence of letters, numbers, symbols, or even directional movements using a joystick before the lock can open.

Shoulder Surfing

__ is a type of social engineering technique used to obtain information such as personal identification numbers, passwords and other confidential data by looking over the victim's shoulder. ▪ Reading the screen of another user ▪ Looking at a user entering a PIN or password

Joint Test Action Group (JTAG)

__ is a type of standard used for debugging and connecting to embedded devices on a circuit board.

Traceroute

__ is a utility application that monitors the network path of packet data sent to a remote computer. ▪ is a Reconnaissance Tool

SMS phishing (smishing)

__ is a variant of phishing email scams that instead utilizes Short Message Service (SMS) systems to send bogus text messages. ▪ Phishing that occurs over text message

Programmable Logic Controller (PLC)

__ is a very small dedicated computer in an industrial system that is capable of converting analog data to digital data. The __ works in real time, can control machinery, and is a critical component of the ICS (industrial control system).

False positives

__ is a vulnerability that is reported by the scan but does not really exist on the system ▪ Should be validated and filtered out of your results

Rapid7's Nexpose

__ is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. ▪ It integrates with Rapid7's Metasploit for vulnerability exploitation.

Nikto

__ is a web server scanner that tests a web site for thousands of possible security issues. ▪ Including dangerous files, mis-configured services, vulnerable scripts and other issues. ▪ It is open source and structured with plugins that extend its capabilities.

Hashcat

__ is a well-known password cracker. ▪ It is designed to break even the most complex passwords. ▪ To do this, it enables the cracking of a specific password in multiple ways, combined with versatility and speed.

RFID (radio frequency identification)

__ is a wireless communication standard that uses radio waves to read data stored on a tag from a distance.

Jamming

__ is a wireless denial of service attack that prevents devices from communicating with each other by flooding the frequency they use with noise or bogus transmissions

iOS App Store package (IPA)

__ is a zip-compressed archive containing the necessary files to run an application on the Apple iOS mobile architecture.

Scanning

__ is actively connecting to systems and examining their responses to identify live hosts, open ports, and running services

Enumeration

__ is actively connecting to systems to determine open shares, user accounts, software versions, and other detailed information

Packet Crafting

__ is also known as packet manipulation ▪ Sending modified packet headers to gather information from a system or host ▪ Creating specific network packets to gather information or carry out attacks ▪ Tools - netcat, nc, ncat, hping

Relay Attack

__ is an attack in which the attacker becomes the man-in-the-middle of a communication session and forwards (relays) one party's messages, typically an authentication exchange, to another system so that it authenticates the attacker ▪ NTLM relay is the classic example

Replay Attack

__ is an attack in which valid data is captured by an attacker and then repeated or delayed ▪ For example, capturing a wireless authentication handshake and replaying it to gain access to the wireless network as an authenticated client

Downgrade Attack

__ is an attack that attempts to have a client or server abandon a higher security mode for a lower one ▪ TLS 1.2 is more secure than SSL 2.0 __● A downgrade attack causes the session to negotiate an SSL 2.0 (or other weak) connection that the attacker can then break

SSL stripping attack

__ is an attack in which a man-in-the-middle rewrites a site's HTTPS links and redirects into plain HTTP, so the victim's browser talks HTTP to the attacker while the attacker talks HTTPS to the real site ▪ HTTP Strict Transport Security (HSTS), ideally preloaded, defeats it by refusing plain-HTTP connections

Session hijacking

__ is an attack on the web session control mechanism that takes over an established session by guessing, sniffing, or stealing the session token ▪ Predictable tokens, tokens sent over plain HTTP, and XSS are typical ways to obtain one

Simple Network Management Protocol (SNMP)

__ is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. ▪ Used to query and manage IP devices

Nikto (Web Application Scanner)

__ is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers.

Deception

__ is an act of being deceived. Used in SE attacks.

Meterpreter

__ is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at run-time. ▪ It communicates over the stager socket and provides a comprehensive client-side Ruby API. ▪ It features command history, tab completion, channels, and more.

Reaver Tool

__ is a tool that brute-forces the WPS (Wi-Fi Protected Setup) PIN of an access point to recover its WPA/WPA2 passphrase ▪ Command-line tool included in Kali Linux ▪ Feasible because WPS validates each half of the 8-digit PIN separately, cutting the search space to roughly 11,000 attempts

RESTful API

__ is an application program interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data.

Representational State Transfer (REST)

__ is an architectural style for developing web services. __ is popular due to its simplicity and the fact that it builds upon existing systems and features of the internet's Hypertext Transfer Protocol (HTTP) in order to achieve its objectives, as opposed to creating new standards, frameworks and technologies.

Ret2libc

__ is an attack technique that overwrites the program stack so that the saved return address points to a function already loaded from the C library (typically system()), with its argument placed on the stack ▪ Stands for "return to libc" ▪ Reuses existing executable code, so it works even when DEP/NX makes the stack non-executable ● Privilege Escalation (Linux)

Directory traversal

__ is an attack that uses ../ sequences (or encoded variants) in a path parameter to read, and sometimes write, files outside the web server's document root, such as configuration files or /etc/passwd

Denial of Service (DoS)

__ is an attack that attempts to prevent a system from performing its normal functions. ▪ Called a stress test in penetration testing ▪ Attack that denies resources or a service to an authorized user by exhausting resources

Karma Attack

__ is an attack that exploits a behaviour of some Wi-Fi devices, combined with the lack of access-point authentication in many Wi-Fi protocols. ▪ Karma Attacks Radio Machines Automatically ▪ The rogue device listens for clients' probe requests for remembered SSIDs and responds as if it were that legitimate access point, so clients connect to the attacker

Credential Harvesting

__ is an attack that focuses on collecting usernames and passwords from its victims ▪ In wireless, this is usually performed by creating a fake Captive Portal ▪ ESPortalV2 can be used to setup a fake portal and redirect all WiFi devices connected to the portal for authentication

cross-site request forgery (XSRF)

__ is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. ▪ CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. ▪ Mitigated with anti-CSRF tokens tied to the session and SameSite cookie attributes

File Inclusion

__ is an attack that gets a targeted application to load a file of the attacker's choosing by abusing a dynamic file inclusion mechanism ▪ Usually occurs due to improper input validation by the application ▪ The file can be included __● Local (LFI) ----o ../../uploads/malware.exe __● Remote (RFI) ----o https://www.xyz.com/malware.exe ▪ Mitigate by canonicalizing the path and confining it to an allowed directory (or an allow-list of names), and by never accepting URLs
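
Added example (not from the original cards) covering both the Directory traversal and File Inclusion cards: a vulnerable include routine beside a hardened one, exercised against a constructed directory layout with a secret file outside the web root. The functions and the layout are written for this example.

```python
import os
import tempfile


def include_vulnerable(base: str, name: str) -> bytes:
    """Vulnerable: the user-controlled name is joined straight into the path,
    so '../' sequences (or an absolute path) escape `base`."""
    with open(os.path.join(base, name), "rb") as f:
        return f.read()


def include_hardened(base: str, name: str) -> bytes:
    """Hardened: refuse remote schemes, canonicalize (symlinks and '..'
    resolved), then require the result to still sit under `base`."""
    if "://" in name:
        raise ValueError("remote inclusion refused")
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes {root}: {name!r}")
    with open(target, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed layout: <tmp>/secret.txt outside the web root, <tmp>/www/index.html inside."""
    with tempfile.TemporaryDirectory() as tmp:
        www = os.path.join(tmp, "www")
        os.mkdir(www)
        with open(os.path.join(www, "index.html"), "wb") as f:
            f.write(b"<h1>hello</h1>")
        with open(os.path.join(tmp, "secret.txt"), "wb") as f:
            f.write(b"db_password=hunter2")
        bad_cases = ["../secret.txt",                      # classic traversal
                     os.path.join(tmp, "secret.txt"),      # absolute path: os.path.join drops base
                     "https://www.xyz.com/malware.exe"]    # remote inclusion
        results = {"vuln_leaks": include_vulnerable(www, bad_cases[0]),
                   "hardened_ok": include_hardened(www, "index.html"),
                   "hardened_blocks": []}
        for bad in bad_cases:
            try:
                include_hardened(www, bad)
                results["hardened_blocks"].append("allowed")
            except (PermissionError, ValueError) as exc:
                results["hardened_blocks"].append(type(exc).__name__)
        return results
```

Note that `os.path.join(base, "/etc/passwd")` silently discards `base`, which is why the hardened version checks the canonical result rather than the input string; a fixed allow-list of includable names is stronger still when the set of files is known.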

Cross-Site Scripting (XSS)

__ is an attack that injects attacker-controlled script into pages a web application serves, so the script runs in other users' browsers with that site's origin (stealing cookies or session tokens, or performing actions as the user).

DNS Poisoning

__ is an attack that substitutes DNS addresses so that the computer is automatically redirected to an attacker's device.

Cookie Manipulation

__ is an attack in which attacker-controlled data reaches client-side script that writes it into a cookie (DOM-based cookie manipulation), letting the attacker set values the application later trusts, such as a session identifier or a role flag

Clickjacking

__ is an attack that uses multiple transparent layers to trick a user into clicking on a button or link on a page when they were intending to click on the actual page. ▪ Conceals hyperlinks under legitimate clickable content

Network Access Control (NAC) Bypass

__ is an attack where a malicious attacker bypasses the NAC to gain access to the network without authorization. ▪ NAC can prevent you from gaining access to the network ▪ NAC can often be bypassed by spoofing the MAC address of a VOIP device __● Many VOIP devices don't support 802.1x __● Their MAC addresses are often whitelisted for NAC

distributed denial-of-service (DDoS) attack

__ is an attack where many computers collaborate to shut down a target, usually by keeping it busy or overwhelming it with incoming requests.

Whaling Phishing

__ is a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO, in order to steal sensitive information from a company, since those in higher positions typically have broad access ▪ Form of spear phishing that directly targets the CEO, CFO, CIO, CSO, or other high-value targets

Scheduled Tasks

__ is a persistence technique in which an attacker uses the Windows Task Scheduler to create callbacks and retain access ▪ Arbitrary code can be executed at a set time or in response to an event ▪ A task that runs as SYSTEM from a location the attacker can write to can also be abused to escalate privileges ● Privilege Escalation (Windows)

Local Security Authority (LSA)

__ is the authentication subsystem in Windows operating systems that provides additional features and options, such as support for multi-factor authentication (smart cards), custom security packages, and credential management to support interaction with non-Microsoft products such as networks or databases.

WiFite(2)

__ is an automated wireless attack tool. ▪ Attacks multiple WEP, WPA, and WPS-enabled networks in a row ▪ Customizable and can be fully automated with only a few arguments

Nmap Scripting Engine (NSE)

__ is an embedded Lua programming language interpreter that provides features that help automate various tasks such as information discovery and exploitation techniques.

Certificate Authority (CA)

__ is an entity trusted by one or more users as an authority in a network that issues, revokes, and manages digital certificates.

Broadcast Storms

__ is an excessive amount of broadcast traffic within a short period of time, such that it may disrupt normal operation and cause loops in the network, where a broadcast frame is bounced back and forth between switches due to redundant paths.

Burp Suite

__ is an integrated platform for performing security testing of web applications. ▪ Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. ▪ Graphical tool for web application security ▪ Allows for the interception, inspection, and modification of raw traffic passing through it

Access Control Point

__ is an intentionally selected point of ingress or egress that is restricted by design, monitoring, or physical limitation that allows a facility owner to control entrance or exit for a physical location.

Embedded Devices

__ is an object that contains a special-purpose computing system. ▪ The system, which is completely enclosed by the object, may or may not be able to connect to the Internet.

Legal Representation

__ is an official appointed by an organization to ensure that legal obligations and commitments are upheld by all parties, including the vendor providing the penetration testing services.

TCPDump

__ is an open source command-line tool for monitoring (sniffing) network traffic. __ works by capturing and displaying packet headers and matching them against a set of criteria.

SQLmap

__ is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. ▪ Support to dump database tables entirely, a range of entries or specific columns as per user's choice.

Puppet

__ is an open source software configuration management and deployment tool. ▪ It's most commonly used on Linux and Windows to pull the strings on multiple application servers at once.

Wireshark

__ is an open source tool for profiling network traffic and analyzing packets. ▪ This information can be useful for evaluating security events and troubleshooting network security device issues. __ will typically display information in three panels.

SET (Social Engineer Toolkit)

__ is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. ▪ Is aimed at leveraging advanced technological attacks in a social-engineering type environment.

SonarQube

__ is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages

YASCA (Yet Another Source Code Analyzer)

__ is an open-source static analysis tool, written around 2008-2010, that detects security vulnerabilities in application source code. ▪ It is written in PHP but runs as a command-line tool.

W3AF

__ is an open-source web application security scanner. ▪ The project provides a vulnerability scanner and exploitation tool for Web applications. ▪ It provides information about security vulnerabilities for use in penetration testing engagements.

Real-Time Operating System (RTOS)

__ is an operating system intended to serve real-time applications that process data as it comes in, typically without buffering delays. ▪ Usually found in embedded systems ▪ Security is not a primary concern during their development ▪ Often a small purpose-built kernel (such as VxWorks or FreeRTOS) or a stripped-down Linux build ▪ Uses limited resources on the machine and can be subjected easily to attacks

Nessus Attack Scripting Language (NASL)

__ is a proprietary language developed by Tenable used to write Nessus plugins, which contain vulnerability information, remediation details, and the logic to determine the presence of a security weakness.

Ollydbg

__ is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. ▪ It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries. ▪ Assembler level debugger for Windows ▪ Useful for binary code analysis without source code being available

Trojans

__ is any malicious computer program that misleads users as to its true intent ▪ A piece of software that pretends to be a game but gives the attacker access to the system ▪ Used as a technical form of social engineering ● Could be used to persist on a victim machine

Network Access Control (NAC)

__ is built on the principles of IEEE 802.1X and controls which devices are allowed to connect to a network by implementing protocols and policies that enforce authentication requirements at connection time, such as posture checking or whitelisting.

Segmentation Fault (segfault)

__ is caused by a software program attempting to read or overwrite a restricted area of memory.

Evasion

__ is challenging a security control successfully, such as deploying malware in a location on a hard drive that does not get scanned by antivirus software.

Clearing the Log Files

__ is cleaning up traces of our activities in various log files to cover your tracks. ▪ Windows __● System logs, Application logs, Security logs, Event logs ▪ Linux __● Logs are usually stored in /var/log ▪ IMPORTANT __● Penetration testers DO NOT usually modify or delete any of the logs...check your scope of work!

Elicitation

__ is collecting intelligence information from people as part of human intelligence (intelligence collection) ▪ Usually uses a series of questions to get employees to tell you valuable or sensitive information ▪ If you can compromise one email account then you can elicit more information from other employees by acting like that person

Dumpster Diving

__ is combing through trash to identify valuable assets. ▪ Pentester looks through the trash of an organization ▪ Looking for paperwork, disks, USB drives, badges, files, manuals

Programming

__ is creating a sequence of instructions to tell a computer how to perform a specific task

Open-Source Intelligence (OSINT)

__ is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term "open" refers to overt, publicly available sources. It is not related to open-source software or collective intelligence.

Kerberos Authentication

__ is designed to provide strong authentication for client/server applications by using secret-key cryptography. ▪ It uses secret key cryptography ▪ Ticket granting server (TGS)

Banner Grabbing

__ is gathering information from messages that a service transmits when another program connects to it. ▪ Manual enumeration and fingerprinting ▪ Use telnet or Netcat to connect to target host ▪ Commonly used for FTP, SSH, Telnet, & HTTP

Fingerprinting

__ is identification of the operating system, service, software versions being used by a host ▪ Determining OS type and version a target is running
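
Added example (not from the original cards) for the Banner Grabbing and Fingerprinting cards: the Python equivalent of `nc host port` plus a small parser that pulls service and software out of the banner formats named on the card. The sample banners and the throwaway local listener are constructed for the demo; no real host is contacted.

```python
import re
import socket
import threading

# Constructed banners in the formats the card names (FTP, SSH, SMTP, HTTP).
SAMPLE_BANNERS = [
    b"220 (vsFTPd 3.0.3)\r\n",
    b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n",
    b"220 mail.example.test ESMTP Postfix\r\n",
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
]


def grab_banner(host: str, port: int, timeout: float = 2.0, probe: bytes = b"") -> str:
    """Connect, optionally send a probe (an HTTP request line, say), and read
    whatever the service says first; this is what `nc host port` shows."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
    return data.decode("utf-8", errors="replace")


def fingerprint(banner: str) -> dict:
    """Pull the service and software string out of common banner shapes."""
    if banner.startswith("SSH-"):
        return {"service": "ssh", "software": banner.split("-", 2)[2].strip()}
    server = re.search(r"^Server:\s*(.+)$", banner, re.M)
    if banner.startswith("HTTP/") and server:
        return {"service": "http", "software": server.group(1).strip()}
    smtp = re.match(r"220[ -](?:\S+\s+)?ESMTP\s*(.*)", banner)
    if smtp:
        return {"service": "smtp", "software": smtp.group(1).strip()}
    ftp = re.match(r"220[ -]\(?(.*?)\)?\s*$", banner.strip())
    if ftp:
        return {"service": "ftp", "software": ftp.group(1).strip()}
    return {"service": "unknown", "software": banner.strip()}


def serve_banner_once(banner: bytes) -> int:
    """Throwaway listener on 127.0.0.1 that sends `banner` to the first client."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> list:
    """Grab each constructed banner over a real loopback socket and fingerprint it."""
    return [fingerprint(grab_banner("127.0.0.1", serve_banner_once(b))) for b in SAMPLE_BANNERS]
```

Version strings recovered this way feed straight into vulnerability lookup, which is why hardening guides recommend suppressing or genericizing banners (ServerTokens, smtpd_banner) even though that only slows an attacker down.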

Injection Attacks

__ is the insertion of additional data or code via a data input from a client to the application ▪ Most commonly SQL injection, but can also be HTML, command, LDAP, or code injection ▪ Prevent through input validation, parameterized queries, and least privilege for the database accounts the application uses
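
Added example (not from the original cards) for the Injection Attacks and SQL cards: the vulnerable string-built login query beside its parameterized form, with an allow-list check layered on top, against a constructed in-memory SQLite table. The functions, table and credentials are written for this example.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the application's DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Input is concatenated into the query, so a quote in either field
    rewrites the WHERE clause instead of being compared as data."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders keep code and data separate: the driver binds the values,
    so the same payload is compared literally and the login fails."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def login_validated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Defense in depth: allow-list validation of the field with a known
    shape, on top of parameterization (never instead of it)."""
    if not USERNAME_RE.match(username):
        return False
    return login_parameterized(conn, username, password)


PAYLOAD = "' OR '1'='1"   # classic authentication-bypass injection
```

The vulnerable query becomes `... AND password = '' OR '1'='1'`, which is true for every row; the parameterized version sends the same string as a bound value and finds no match. Running the application's database account with read-only, single-schema privileges is the third layer, limiting what a successful injection elsewhere can reach.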

NETCAT

__ is known as the TCP/IP swiss army knife. ▪ From the tool's man page: __ is a simple unix utility which reads and writes data across network connections, using TCP or UDP protocol. ▪ It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts.

Fragmentation Attack

__ is an attack that exploits weaknesses in fragment reassembly: either in the TCP/IP stack (overlapping or oversized IP fragments used for evasion or denial of service) or, in wireless testing, the WEP fragmentation attack ▪ Attacker exploits a network by using datagram fragmentation mechanisms against it ▪ WEP variant: a small amount of keystream is recovered from a captured packet, then used to send fragmented ARP and/or LLC packets with known content to the access point (AP) ▪ If the AP successfully echoes the packet back, a larger amount of keystream is obtained from the returned packet, repeated until enough keystream exists to inject arbitrary frames

Web Proxies

__ is one method for hiding your IP address from the websites you visit. EX: o When you request a site through an online proxy, you are telling the proxy server to fetch the page for you; the site sees the proxy's address, and the proxy sends the page back to you.

OWASP Zed Attack Proxy (ZAP)

__ is one of the world's most popular web application security testing tools. ▪ The tool can be used during web application development by web developers or by experienced security experts during penetration tests to assess web applications for vulnerabilities.

IDA Pro or IDA (Interactive Disassembler)

__ is primarily a multi-platform, multi-processor disassembler that translates machine executable code into assembly language source code for the purpose of debugging and reverse engineering ▪ It can be used as a local or as a remote debugger on various platforms. ▪ Generates assembly language code from executable code ▪ Graphical user interface and supports executables from multiple operating systems

IDA or IDA Pro

__ is primarily a multi-platform, multi-processor disassembler that translates machine executable code into assembly language source code for the purpose of debugging and reverse engineering. ▪ It can be used as a local or as a remote debugger on various platforms.

Sticky Bit

__ is primarily used on shared directories. ▪ Used for shared folders like /tmp ▪ Allows users to create files, and to read and execute files owned by other users ▪ Attacker cannot remove files owned by others EX: o # ls -ld /var/tmp o drwxrwxrwt 2 sys sys 512 Jan 26 11:02 /var/tmp o - T refers to when the execute permissions are off. o - t refers to when the execute permissions are on. ● Privilege Escalation (Linux)

Compliance-based Assessment

__ is really a gap assessment. You are looking to identify gaps between your existing control environment and what is required. ▪ Mandated by standard, regulation, or legislation __● Ex: PCI-DSS

Erase, Modify, or Disable the Evidence

__ is removing any unneeded files or tools that were added to the victim's machine to cover your tracks. ▪ Hiding other files and resources in hidden or uncommon locations ▪ Linux, Unix, OS X __● Create a folder beginning with . ▪ Windows __● Hide stuff in the System32 or User folders __● Apply the hidden attribute __● Use Alternate Data Streams ▪ Hide files in the slack space

Bluejacking

__ is sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs, or laptops

BeEF

__ is short for The Browser Exploitation Framework. ▪ It is a penetration testing tool that focuses on the web browser. ▪ Unlike other security frameworks, it looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser.

Set-Group Identification (SGID)

__ is similar to the SUID permission; the only difference is that when the script or command with SGID on is run, it runs as if it were a member of the same group in which the file is a member. EX: o # ls -l /usr/bin/write o -r-xr-sr-x 1 root tty 11484 Jan 15 17:55 /usr/bin/write ▪ The setgid permission displays as an "s" in the group's execute field. The first s stands for the SUID and the second one stands for SGID. ● Privilege Escalation (Linux)

Impersonation

__ is someone who imitates or copies the behavior or actions of another. __ is an act of pretending to be someone else in order to gain access or gather information

Server Message Block (SMB)

__ is the Internet standard protocol Windows uses to share files, printers, and serial ports. ▪ It can also communicate with any server program that is set up to receive an SMB client request. ▪ Uses TCP ports 139 and 445

Bluesnarfing

__ is the theft of information from a wireless device through a Bluetooth connection

Badge Cloning

__ is the act of cloning an official badge to bypass security. ▪ Identification badges are required by many organizations ▪ Snap a photo using a digital camera and reproduce the security badge __● Works visually but won't make it past a reader ▪ Badge cloners can reproduce magnetic swipe or RFID badges

Lock Picking

__ is the art of opening a lock without a key. ▪ Many areas that the pentester needs access to are locked ▪ Learning lock picking is a valuable skill for a pentester who focuses on physical security

Drozer

__ is the combination of two key components: ▪ The Agent: a lightweight Android app that runs on the device or emulator being used for testing. ▪ The Console: a command-line interface running on your PC that allows you to interact with the Dalvik VM through the Agent. ▪ Provides tools to use and share public exploits for the Android operating system ▪ Complete security audit and attack framework

False Positive

__ is the condition identified during automated or manual testing that results in the incorrect identification of an issue.

rate the threats

__ is the final stage in the threat modeling process, and probably the most subjective, used to quantify the risk based on probability and damage potential.

Biometrics

__ is the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting ▪ Fingerprint readers and other __ aren't foolproof security measures

Risk appetite

__ is the level of risk the organization is willing to accept in order to achieve its goals.

Virtual Local Area Network (VLAN) Hopping

__ is the malicious act of attacking different hosts on a VLAN. ▪ VLANs are often used as logical separation ▪ Attack host on a different VLAN to gain access ▪ Double tagging the VLAN tag in 802.1Q ▪ Switch Spoofing __● Attempt to auto negotiate with a targeted switch by setting your device to act as a switch __● Switches get copies of all VLAN traffic and separate them based on tags

Cpassword

__ is the name of the attribute that stores the passwords in a Group Policy preference item ▪ Stored in the SYSVOL folder on the Domain Controllers in an encrypted XML file ▪ Easily decrypted by any authenticated user in the domain ● Privilege Escalation (Windows)

Backdoor

__ is the persistence mechanism that allows an attacker to maintain control of a target if the remote connection drops temporarily.

passive information gathering

__ is the process of assessing a target to collect preliminary knowledge about the system, software, network, and people without actively engaging a target or its assets.

Normalization of Data

__ is the process of combining data from multiple sources and in different formats into a common and consistent event format. ▪ Teams collect a lot of data during a test ▪ Each tool collects and stores data differently ▪ All the data must be aggregated, normalized, and correlated in order for it to "make sense"

Deconfliction

__ is the process of distinguishing pentest artifacts from artifacts of an actual compromise or other activity to help resolve contradictory conclusions or responses.

Binary Analysis

__ is the process of examining the functions and purpose of a compiled program or application at the architecture instruction level.

bluebugging

__ is the process of exploiting a bug in older phone models with Bluetooth technology that enables complete command and control of the mobile device.

Jailbreaking

__ is the process of exploiting a software vulnerability in iOS that enables low-level execution with elevated privileges in order to remove restrictions imposed by Apple, to customize the device and install unapproved applications.

Debugging

__ is the process of finding and resolving defects or problems within a computer program that prevent correct operation of computer software or a system. ▪ Used to identify and remove errors from hardware, software, or systems ▪ Tools: WinDbg

Decompiling

__ is the process of reverse-engineering source code from the binary. ▪ Reverse engineering of software using a decompiler ▪ Reverses the process of a compiler, but not as cleanly ▪ Decompilers cannot always turn executables back into their source code, but can turn them back into byte code or assembly

Exfiltrate (exfil)

__ is the process of unauthorized data movement from inside a protected space to outside of it, whether by copying, transferring, or retrieval.

Authorization

__ is the process or action involved with determining the appropriate access levels that should be granted to a user or process.

Authentication

__ is the process or action of confirming an identity used to interact with or log in to an information system.

EnCase

__ is the shared technology within a suite of digital investigation products by Guidance Software (now acquired by OpenText). ▪ EnCase allows the investigator to conduct in-depth analysis of user files to collect evidence such as documents, pictures, internet history, and Windows Registry information.

Google hacking

__ is the technique of using advanced operators in the Google search engine to locate specific strings of text within search results, including strings that identify software vulnerabilities and misconfigurations. ▪ is a Reconnaissance Tool

Cryptographic Inspection

__ is to determine what encryption is being used during your information gathering ▪ Do they have web servers with SSL or TLS? ▪ What about wireless networks using WEP, WPA, WPA2, or a WPS handshake? ▪ Are files encrypted on the network shares?

Covering Your Tracks

__ is to do things that hide your activities from other people, so that they cannot find out what you have been doing.

Attestation of Findings

__ is to provide evidence of your findings to the client ▪ Provide them detailed reports, explanations, and ensure they understand the risks involved

Post-Engagement Cleanup

__ is to remove shells, tools, and credentials created

Query throttling

__ is to slow down test iterations to avoid exceeding bandwidth ▪ nmap -T

Egress Sensor

__ is tricking a door's sensor into opening the door. ▪ Door will automatically unlock and open when a person approaches ▪ Sensors could be tricked to allow the door to be opened ▪ Some of these "fail open" when power is lost

Point-of-Sale (POS) Systems

__ typically includes a cash register (which in recent times comprises a computer, monitor, cash drawer, receipt printer, customer display, and a barcode scanner), and the majority of retail POS systems also include a debit/credit card reader.

Findsecbugs

__ is used for static code analysis. It can be integrated as an IDE plugin, or its Maven plugin can be added to the pom.xml file of a project's source code. ▪ Then the container scans the source code and provides access to a generated report through an API. ▪ Used to conduct security audits of Java apps before deployment

De-confliction

__ is used to determine if detected activity is a hacker or an authorized penetration tester ● Communication Reasons

Repeating

__ is used to capture the existing wireless signal and rebroadcast it to extend the range ▪ If not properly configured by the network administrators, this can be an attack vector

Situational Awareness

__ is used to create a shared common understanding of the network and its current security state ● Communication Reasons

Set-User Identification (SUID)

__ is used to describe a file option that lets a program or script run with elevated privileges to perform certain tasks EX: o # ls -lrt /usr/bin/passwd o -r-sr-sr-x 1 root sys 31396 Jan 20 2014 /usr/bin/passwd ▪ If you check carefully, you will find the two s's in the permission field. The first s stands for the SUID and the second one stands for SGID. ● Privilege Escalation (Linux)

DNS Forward Lookup

__ is used to query the DNS server and request the IP address of a host that corresponds to a fully qualified domain name (FQDN)

DNS Reverse Lookup

__ is used to query the DNS server and request the fully qualified domain (FQDN) of a host that corresponds to a given IP address.

Eavesdropping

__ is used to refer to the interception of communication between two parties by a malicious third party. ▪ Radio Frequency monitoring can be performed to determine the type of devices used in the facility (Cellular, WiFi, Bluetooth, etc) ▪ Radio frequencies can be captured and analyzed using specialized tools

Scheduled Jobs (cron jobs)

__ is used to schedule commands at a specific time. ▪ Cron jobs are used in Unix, Linux, and OS X ▪ Allows a script or command to be run at periodic times, dates, or intervals ▪ Example: Export_dump.sh is run every Saturday (6) @ 23:45 ● Could be used to persist on a victim machine

Fake Cellphone Towers

__ is when a malicious attacker captures the International Mobile Subscriber Identity (IMSI) number. ▪ Can be used to create a man-in-the-middle

WPS Implementation Weakness

__ is when a malicious attacker is able to attack because Wi-Fi Protected Setup (WPS) uses a push-button configuration method to set up devices. ▪ Uses an 8-digit WPS PIN to configure them ▪ Can be easily brute-forced because the PIN is authenticated in two halves ▪ Reaver and Bully are common attack tools

Indicators of Prior Compromise

__ is when a pentester detects attack signatures indicating that the network has previously been hacked, and must then notify the company about the issue. ● Communication Triggers

Fence Jumping

__ is when a person physically goes over the fence to bypass security measures. ▪ Fences provide a physical security boundary for the organization ▪ Pentester can go over (or under) a fence to avoid a checkpoint

Weak Credentials Attack

__ is when a password is a system default, or something that could be rapidly guessed by executing a brute-force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name, or common variations on these themes. ▪ Easy to crack using dictionary or brute-force attacks

Cold Boot Attack

__ is when a user or malicious attacker is able to retrieve the encryption keys from a running operating system after using a cold reboot to restart the machine ▪ A side channel attack where an attacker has physical access to the system ● Privilege Escalation

Critical Findings

__ is when a vulnerability is found that poses significant risk to the security of the network, and the pentester then communicates that there is a major issue. ● Communication Triggers

Sandbox Escape - Virtual Machines

__ is when escaping the VM sandbox leads to exploitation of the underlying hardware and puts other hosted VMs at risk ● Privilege Escalation

RFID Cloning

__ is when an attacker captures the Radio Frequency (RF) signal from a badge or device and can copy it for reuse

cross-site request forgery (XSRF)

__ is when an attacker forces a user to execute actions on a web server to which they are authenticated ▪ Attacker cannot see the web server's response, but this attack can be used to have the victim transfer funds, change their password, and more

Exploitable Services

__ is when an attacker uses the way services normally operate to cause an unintended program to run Examples ▪ Unquoted service path call in file system o C:\Dion\My Files\server.exe Normal o C:\Dion\My\server.exe Malicious ▪ Writable services o Using PSExec, a service can be replaced with a custom service that runs a command shell (cmd.exe) ● Privilege Escalation (Windows)

Security Misconfiguration

__ is an attack that relies on the application or server using insecure settings.

Man-in-the-middle (MITM) attack

__ is when a hacker places himself between a client and a host to intercept network traffic; also called session hijacking.

Sandbox Escape - Shell upgrade

__ is when restricted shells (like rbash) are exploited to gain an upgraded shell ● Privilege Escalation

USB Key Drop

__ is when someone leaves USB devices for people to find and plug into their computers. Malicious code: in the most basic of USB drop attacks, the user clicks on one of the files on the drive. ▪ Pentester loads up a USB with malware, backdoors, or a keylogger ▪ Drop the USB drive in the parking lot near the organization

comparison operator

__ is when something compares one value to another, e.g. Value1 == Value2

Credential brute forcing

__ is when the attacker tries to log in to the application using every username and password. ▪ There are a number of tools and techniques the attacker can use to speed up or automate the process.

Client Acceptance

__ is when the client agrees you have fulfilled the scope of work. ▪ Is formal acceptance required by the contract?

Race Condition

__ is when two separate inputs compete on the basis of time for processing a single target such that the order of processing may produce unexpected or undesirable results.

Sniffing Network Traffic

__ is when you intercept and log network traffic that can be seen via the wired or wireless network interface. ▪ If you gain access to one host computer, you could use it to capture traffic on other parts of the network, too!

Stages

__ trigger communication and occur as the assessment moves from one phase to another ● Communication Triggers

Port Scan - Open

__ means the application is accepting connections

Port Scan - Closed

__ means no application is listening for connections

Insecure Direct Object Reference

__ occur when an application provides direct access to objects based on user-supplied input. ▪ Allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object.

Reflected Cross-site Scripting (XSS)

__ occur when an attacker injects browser executable code within a single HTTP response. The injected attack is not stored within the application itself ▪ It is non-persistent and only impacts users who open a maliciously crafted link or third-party web page ▪ Non-persistent, activated through link on site

Piggybacking/Tailgating

__ occurs when a pentester follows an authorized individual into a secure location ▪ Authorized person may or may not be complicit

Virtual Network Computing (VNC)

__ operates much like RDP, but is a cross-platform solution for Windows, Linux, and OS X ▪ Originally used in thin client architectures

Recon-NG

__ provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly. ▪ Open-source web reconnaissance framework written in Python

Sandbox Escape - Container

__ refers to the risk that if you can compromise the underlying system, you can compromise every container that relies upon it ● Privilege Escalation

Legal Concepts (2)

__ refers to consulting your attorney before performing any penetration testing work to ensure you are within the legal bounds of the laws of the countries where you are operating.

Information Gathering - Reconnaissance

__ refers to the systematic attempt to locate, gather, identify, and record information about a target ▪ Also known as footprinting the organization

Lateral Movement

__ refers to the techniques cyber attackers, or "threat actors", use to progressively move through a network as they search for the key data and assets that are ultimately the target of their attack campaigns.

Mitigation Strategies

__: the report should contain a list of not just findings, but recommendations on how to mitigate each vulnerability

Vagrant

__ is an open-source software product for building and maintaining portable virtual software development environments, e.g. for VirtualBox, KVM, Hyper-V, Docker containers, VMware, and AWS. ▪ It tries to simplify software configuration management of virtualizations in order to increase development productivity.

Compliance Scan

__ scans for specific known vulnerabilities that would make a system non-compliant. ▪ Used to identify vulnerabilities that may affect compliance with regulations or policies ▪ Commonly set up as a scanning template in your vulnerability scanner (PCI-DSS)

Full Scan

__ scans ports, services, and vulnerabilities. ▪ In-depth scan including ports, services, and vulnerabilities ▪ Easy to see in network traffic when performed ▪ nmap -A <target>

Ping

__ sends a message from one computer to another to check whether it is reachable and active. ▪ is a Reconnaissance Tool

Programming Arrays (Basic or Indexed)

__ store multiple values that can be referenced from a single name (like a list of variables)

Data Mining

__ is the process of analyzing large data sets to reveal patterns or hidden anomalies.

Compiler

__ translates source code into executable instructions.

Nmap

__ uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. ▪ is a Packet Crafting Tool

Discovery Scan

__ is used to find potential targets. ▪ Identity/info gathering early on ▪ Least intrusive scan (like a ping sweep) ▪ Used to create a network map to show connected devices in the architecture ▪ nmap ping sweep: nmap -sP target

XSS Stored/Persistent

__ vulnerability is a more devastating variant of a cross-site scripting flaw. ▪ It occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. ▪ Data provided by attacker is saved on server

Default Credentials Attack

__ vulnerability is a type of vulnerability that is most commonly found to affect devices like modems, routers, digital cameras, and other devices having some pre-set (default) administrative credentials to access all configuration settings.

(PowerShell) PS Remoting

__ will allow a computer to receive Windows PowerShell remote commands

SSH (Secure Shell)

__ works like telnet, but uses encryption to create a secure channel between the client and the server ▪ SSH should always be used instead of telnet

Planning a Penetration Test

__, Questions to ask: ▪ Why Is Planning Important? ▪ Who is the Target Audience? ▪ Budgeting ▪ Resources and Requirements ▪ Communication Paths ▪ What is the End State? ▪ Technical Constraints ▪ Disclaimers

DNS Poisoning Steps

__: --1. Inject a fake DNS record --2. Visitor requests DNS for the bank --3. Visitor gets the IP for the fake bank server instead

Tiers of Adversaries

__: 1 - Little money & rely on off-the-shelf tools/known exploits 2 - Little money & invested in own tools against known vulnerabilities 3 - Invests lots of money to find vulnerabilities to steal for profit 4 - Organized, technically proficient, funded, working in teams 5 - Nation states investing tons of money in finding/creating vulnerabilities 6 - Nation states investing tons to carry out military ops

NIST SP 800-115 Methodology

__: 1. Planning 2. Discovery 3. Attack 4. Reporting

Pentest Methodology

__: 1. Planning & Scoping 2. Info Gathering & Vulnerability ID 3. Attacks & Exploits 4. Reporting & Communication

Serial Console

__: Many network devices still have serial console connections (routers and switches) ▪ If attacker can get physical access to the device then they can connect to the device over the serial port ▪ Lower security enabled (if any) on these ports ● Privilege Escalation

Packet Capture Techniques

__: Use Wireshark or TCPDump to conduct packet capturing of wired or wireless networks ▪ Connect to a mirrored port to capture wired network traffic ▪ Wireless networks can be captured and their encryption cracked to access the data using Aircrack-ng

Port Scan - Filtered

__: __● Probes aren't reaching the port __● Usually indicates a firewall

Nmap -oA

__: ▪ -oA Combined format with all of the above __● nmap -oA outputfile target

Nmap -oG

__: ▪ -oG Grepable output format __● nmap -oG outputfile.txt target

Nmap -oX

__: ▪ -oX XML output format __● nmap -oX outputfile.xml target

Threat Actors

__: ▪ Advanced Persistent Threat (APT) ▪ Hacktivist ▪ Insider Threat ▪ Script Kiddies

Finding: Plain Text Passwords

__: ▪ All passwords must be stored as hashes or another encrypted format

Unsecure Code Practices - Unauthorized use of function/unprotected API

__: ▪ Allows anyone with network access to send your application a request ▪ Designers should implement function-level access control

Threat Actors - Insider Threat

__: ▪ Already have authorized user access to the networks, making them extremely dangerous ▪ May be a skilled or unskilled attacker ▪ Might be a former or current employee

Unsecure Code Practices - Lack of error handling

__: ▪ Applications should fail cleanly on errors ▪ Prevents information leakage about the server

Target Selection - First-party or Third-party

__: ▪ Are the targets hosted by the organization or by a third-party service provider? ▪ DionTraining.com is hosted by Thinkific and might be outside the penetration test scope

RoE: Time Restrictions

__: ▪ Are there certain times that aren't authorized? ▪ What about days of the week? ▪ What about holidays?

Target Selection - Physical

__: ▪ Are we contracted to test physical security? ▪ Should we attempt to break into the facility?

Target Selection - Applications

__: ▪ Are we focused on a particular application? ▪ Is a particular application mission critical and cannot be targeted? __● Credit card processing system __● Health care system

Pass the Hash Breakdown

__: ▪ Attack against the NT LAN Manager (NTLM) authentication system ▪ Attacker steals a hashed user credential and reuses it in the Windows authentication system to create a new authenticated session

Creating New Users

__: ▪ Attacker creates new user accounts __● Can be created as regular or admin level users ● Could be used to Persist on victim machine

Credential Brute Forcing

__: ▪ Attempt to crack a password or authentication system to gain access ▪ Attempt to crack passwords from a hash file ▪ Conduct password guessing to login

Premerger Assessment

__: ▪ Before two companies perform a merger, it is common to conduct penetration tests on them to identify weaknesses being inherited ▪ Can be a part of the due diligence efforts

Penetration Testing Strategies

__: ▪ Black Box ▪ Gray Box ▪ White Box

Analyzing Vuln Scans - Asset Categorization

__: ▪ Categorize by Operating System or function ▪ Ideally, we identify high-value assets __● Domain Controllers, Web Servers, Databases, etc. ▪ Identify and rank assets by relative value ▪ Categorize by most vulnerabilities ▪ Categorize by the most critical vulnerability ▪ Vulnerable assets with little value could be a waste of time

Unattended Installation

__: ▪ Clear text credentials of Preboot Execution Environment (PXE) could be captured using network sniffers ● Privilege Escalation (Windows)

Physical Service Security

__: ▪ Cold boot attack ▪ JTAG debug ▪ Serial console ● Privilege Escalation

Reconnaissance Tools Breakdown

__: ▪ Collecting information before attacking an IT system ▪ Usually conducted using open source research or passive collection ▪ Tools __● Whois, Nslookup, Theharvester, Shodan, Recon-NG, Censys, Aircrack-NG, Kismet, WiFite(2), Wireshark, Hping, SET, Nmap, Metasploit framework

Creating New Users - Shell (Linux)

__: ▪ Command Line (Linux) __● su - __● useradd hacked __● passwd hacked __● New password: hacked123 __● Retype new password: hacked123 ● Could be used to Persist on victim machine

Creating New Users - Windows

__: ▪ Command Line (Windows) __● net user /add [username] [password] ----o Net localgroup administrators [username] /add ● Could be used to Persist on victim machine

Scoping Considerations - Scope Creep

__: ▪ Condition when a client requests additional services after the SOW and project scope have been agreed to and signed ▪ How will scope be contained? ▪ Document any changes to the scope of test ▪ Recommend signing a change order to SOW

Threat Actors - Hacktivist

__: ▪ Conduct activities against governments, corporations, or individuals ▪ Can be an individual or member of a group

Information Gathering and Vulnerability Identification

__: ▪ Conducting information gathering ▪ Performing vulnerability scanning ▪ Analyzing results of vulnerability scans ▪ Leveraging information for exploitation ▪ Weaknesses in specialized systems

Prioritize the Vulnerabilities

__: ▪ Consider the most critical vulnerabilities first ▪ What target should we focus on first?

Containers Require Security

__: ▪ Containers still contain applications which can contain vulnerabilities ▪ Still need to be scanned for vulnerabilities ▪ If an OS vulnerability is found, it will apply to multiple containers (all based on same OS) and can lead to a large level of exploitation

Planning a Penetration Test - Budgeting

__: ▪ Controls many factors in a test ▪ If you have a large budget, you can perform a more in-depth test __● Increased timeline for testing __● Increased scope __● Increased resources (people, tech, etc.)

§ 1030 Fraud and related activity with computers

__: ▪ Covers just about any computer or device connected to a network ▪ Mandates penalties for anyone who accesses a computer in an unauthorized manner or exceeds one's access rights ▪ Can be used to prosecute employees using capability and accesses provided by their company to conduct fraudulent activity

Privilege Escalation in Windows Breakdown

__: ▪ Cpassword ▪ Clear Text Credentials in LDAP ▪ Kerberoasting ▪ Credentials in LSASS ▪ Unattended Installation ▪ SAM Database ▪ DLL Hijacking ▪ Exploitable Services ▪ Unsecure File and Folder Permissions ▪ Keylogger ▪ Scheduled Tasks

Common Attack Techniques

__: ▪ Cross-compiling code ▪ Exploit modification ▪ Exploit chaining ▪ Proof-of-concept development ▪ Social engineering ▪ Credential brute forcing ▪ Dictionary attacks ▪ Rainbow tables ▪ Deception

Handling and Disposal

__: ▪ Data from the assessment should always be handled with due diligence and care ▪ Findings and recommendations are sensitive in nature and should be treated as confidential

Decompiling vs Debugging

__: ▪ Decompiling uses a static analysis of code ▪ Debugging often uses a dynamic approach that allows code to be run __● Code is run step by step through the program __● Code can be run until a break point ▪ Both techniques can be useful when conducting a penetration test or assessment of custom-built applications

Default Account Settings

__: ▪ Default administrator accounts can be exploited ▪ Guest accounts should be disabled, but are enabled by default on most systems ● Privilege Escalation

Types of Vulnerability Scans

__: ▪ Discovery scan ▪ Full scan ▪ Stealth scan ▪ Compliance scan

Lessons Learned

__: ▪ Documented information of both the positive and negative experiences that occurred ▪ What did you do great on? ▪ What could have gone better? ▪ How can it go better next time?

Mobile Tools

__: ▪ Drozer ▪ APKX ▪ APK Studio

DLL Hijacking

__: ▪ Dynamic Link Library (DLL) provides a method for sharing code and allows a program to upgrade its functionality without requiring re-linking or recompiling of the application ▪ Hijacking is a technique used to load a malicious DLL in the place of an accepted DLL ▪ Commonly used by malware to achieve persistence on the victim machine ● Privilege Escalation (Windows)

Scanning Considerations - What Protocols Will Be Used?

__: ▪ Each protocol scanned takes time/resources ▪ Will you scan every port and service? ▪ Consult the scope of the assessment and its objectives

Nmap -O

__: ▪ Enables OS detection by using fingerprinting of the TCP/UDP packet received

Configuration Compliance Tools Breakdown

__: ▪ Ensuring a system meets a given security baseline or policy ▪ Tools __● Nikto, OpenVAS, Nessus, SQLmap, Nmap

Covering Your Tracks Breakdown

__: ▪ Erase, Modify, or Disable the Evidence ▪ Clear Log Files ▪ Hiding files and folders

Unsecure Code Practices - Verbose error handling

__: ▪ Errors can display too much information ▪ Great for debugging...horrible for security

Enumeration Tools Breakdown

__: ▪ Establishes an active connection to the targets to discover potential attack vectors ▪ Usually conducted using active techniques and fingerprinting ▪ Tools __● Nslookup, Wireshark, Hping, Nmap

Wireless-based Vulnerabilities

__: ▪ Evil Twin ▪ Deauthentication attacks ▪ Fragmentation attacks ▪ Credential harvesting ▪ WPS implementation weakness ▪ Bluejacking ▪ Bluesnarfing ▪ RFID cloning ▪ Jamming ▪ Repeating

Written Report of Findings

__: ▪ Executive Summary ▪ Methodology ▪ Findings and Remediation __● Consider the risk appetite ▪ Metrics and Measures __● Including risk ratings ▪ Conclusion

Unsecure Code Practices - Race conditions

__: ▪ Flaw that produces unexpected results when the timing of actions can impact other actions ▪ Can occur when multi-threaded operations are occurring on the same piece of data

White Box (Full Knowledge Test)

__: ▪ Full knowledge of network, systems, and the infrastructure ▪ Spend more time probing vulnerabilities and less time gathering information ▪ Tester is given support resources from the organization

Software Assurance Tools Breakdown

__: ▪ Fuzzing __● Peach and AFL ▪ Security Testing __● Static Application Security Testing (SAST) __● Dynamic Application Security Testing (DAST) __● Findsecbugs, SonarQube, and YASCA (Yet Another Source Code Analyzer)

White Box Sample Application Requests

__: ▪ Generally used for testing web applications or other applications developed by organization

Types of Pentest Assessments

__: ▪ Goal-based Pentests ▪ Objective-based ▪ Premerger ▪ Supply Chain ▪ Red Team

Threat Actors - What is the Intent?

__: ▪ Greed or monetary gain ▪ Power, revenge, or blackmail ▪ Thrills, reputation, or recognition ▪ Espionage or political motivation

Threat Actors - Advanced Persistent Threat (APT)

__: ▪ Group with great capability and intent to hack a particular network or system ▪ Target organizations for business or political motives and usually funded by nation states ▪ Conduct highly covert hacks over long periods of time

Unsecure Code Practices - Hidden elements

__: ▪ HTML forms often use hidden elements __● Fields using <INPUT TYPE=HIDDEN> ▪ Values in hidden fields are still present in the page source/DOM, so any sensitive data stored there can be read and modified by the client

Crimes and Criminal Procedure

__: ▪ Hacking is covered under United States Code, Title 18, Chapter 47, Sections 1029 and 1030

Evasion Tools Breakdown

__: ▪ Hide from system administrators or defenders ▪ Tools __● Proxychains, SET, Metasploit Framework, Route

Types of Enumeration

__: ▪ Hosts ▪ Networks ▪ Domains ▪ Users/Groups ▪ Network shares ▪ Web pages ▪ Applications ▪ Services ▪ Tokens ▪ Social networks

Types of Scanning

__: ▪ Hosts ▪ Systems ▪ Networks ▪ Computers ▪ Mobile Devices ▪ Applications ▪ Printers

RoE: Timeline

__: ▪ How long will the test be conducted? _● A week, a month, a year ▪ What tasks will be performed and how long will each be planned for?

Scanning Considerations - Bandwidth Limitations

__: ▪ How much bandwidth is dedicated to the scan? ▪ Throttle the queries if needed __● Nmap -T option sets the timing

SocEngin Motivation Factors - Urgency

__: ▪ Humans want to please others by nature... ▪ We want to be helpful... ▪ I only have a few minutes before the big presentation, can you print this for me?

Third-Party Authorization

__: ▪ If servers and services are hosted in the cloud, you must request permission from the provider prior to conducting a penetration test __● Ex: from a Cloud service provider

Exploit Modification

__: ▪ If the organization has added security, you may need to modify exploits to get past it ▪ Encrypting or encoding an exploit to avoid detection by anti-virus

SocEngin Motivation Factors - Fear

__: ▪ If you don't do _____ then ______ will happen ▪ Use threats or demands ▪ Anti-virus scams & Ransomware are examples

Finding: No Multifactor Authentication

__: ▪ Implement multifactor authentication __● Something you know __● Something you have __● Something you are __● Something you do

Vulnerability Scanning Tools Breakdown

__: ▪ In-depth scanning of a target to determine its vulnerabilities ▪ Uses automated tools to determine missing patches and incorrect configurations ▪ Tools __● Nikto, OpenVAS, Nessus, SQLmap, W3AF, OWASP ZAP, Nmap, Metasploit Framework

Application-based Vulnerabilities

__: ▪ Injections ▪ Authentication ▪ Authorization ▪ Cross-site scripting (XSS) ▪ Cross-site request forgery (CSRF/XSRF) ▪ Clickjacking ▪ Security misconfiguration ▪ File inclusion ▪ Unsecure coding practices

Target Selection

__: ▪ Internal or External ▪ First-party or Third-party hosted ▪ Physical ▪ Users ▪ SSIDs ▪ Applications

Information Gathering - Reconnaissance Techniques

__: ▪ Internet or open-source research ▪ Social engineering ▪ Dumpster diving ▪ Email harvesting

Simple Mail Transfer Protocol (SMTP) Breakdown

__: ▪ Internet standard for electronic mail transmissions ▪ Focus can be on: __● Direct exploits of the protocol __● Using open relays __● Using local relays __● Phishing

Scoping Considerations - Security Exceptions

__: ▪ Intrusion Prevention System (IPS) ▪ Web Application Firewall (WAF) ▪ Network Access Control ▪ Certificate Pinning __● May need to be exempted (or a test build supplied) so the tester can intercept the application's TLS traffic with a proxy ▪ Company policies

Exploit Chaining

__: ▪ Involves layering exploits in a series ▪ Exploit chain example: -- 1. Bypass the firewall -- 2. Gain access to user system -- 3. Escalate privileges

Target Selection - Users

__: ▪ Is social engineering authorized? ▪ Are particular users being targeted or not considered part of the assessment?

Target Selection - Wireless and SSIDs

__: ▪ Is wireless pentesting being conducted? ▪ Are any SSID's out of scope? __● Guest or public network

JTAG Debug

__: ▪ JTAG is a standard for verifying designs and testing printed circuit boards __● Diagnostic connection ▪ Port use for debugging, probing, and programming ▪ With breakpoints setup, the JTAG can be used to read registers from motherboard and read arbitrary memory locations ● Privilege Escalation

Credentials in LSASS

__: ▪ Local Security Authority Subsystem Service ▪ Process in Windows that enforces the security policy of the system ▪ Verifies users when logging on to a computer or server ▪ Performs password changes ▪ Creates access tokens (e.g., for Kerberos or NTLM logons) ▪ Credential material cached in its memory can be dumped by tools such as Mimikatz, which is why it is a privilege escalation target ● Privilege Escalation (Windows)

Modifying the Log Files

__: ▪ Log files are just text (they can be edited) ▪ Timestamps can be modified, e.g., the access or modification time of a file, but the inode change time (ctime) is set by the kernel and cannot be rewound the same way, which is how defenders spot tampering ▪ Change the file's ownership back to the original user ▪ IMPORTANT __● Penetration testers DO NOT usually modify or delete any of the logs...check your scope of work!
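The defender-side check implied by this card, as an added example that is not part of the original study set: a file whose modification time (mtime) was rewound by hand (touch -t style) still gets a fresh change time (ctime) from the kernel, so a large ctime-minus-mtime gap is a tampering indicator. The threshold, the constructed log line and the temporary file are assumptions for this demonstration; POSIX ctime semantics are assumed (on Windows st_ctime is the creation time and this check does not apply).

```python
import os
import tempfile
import time

# Assumption for this example: a log that is being written normally updates
# mtime and ctime together, so a gap above this many seconds is suspicious.
SUSPICIOUS_GAP_SECONDS = 60


def timestamp_gap(path: str) -> float:
    """Return ctime minus mtime (POSIX: ctime is the inode change time,
    which utime()/touch update as a side effect but cannot set directly)."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime


def looks_backdated(path: str, gap: float = SUSPICIOUS_GAP_SECONDS) -> bool:
    """True when mtime is much older than ctime, i.e. mtime was rewound."""
    return timestamp_gap(path) > gap


def demo() -> dict:
    """Create a constructed log file, check it, rewind its mtime, check again."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "auth.log")
        with open(log, "w") as f:
            # Constructed sample log line, not real data.
            f.write("Jan 1 12:00:00 host sshd[123]: Accepted password for alice\n")
        fresh = looks_backdated(log)
        # Rewind atime/mtime by one day, the way touch -t would; the kernel
        # still bumps ctime to "now", leaving the gap this check looks for.
        one_day_ago = time.time() - 86400
        os.utime(log, (one_day_ago, one_day_ago))
        backdated = looks_backdated(log)
        return {"fresh": fresh, "backdated": backdated}


if __name__ == "__main__":
    print(demo())
```

Run it over a real log directory by calling looks_backdated on each file; files the check flags deserve a look at the surrounding entries and at who had write access.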

Threat Actors - Script Kiddies

__: ▪ Low-skilled attackers who use other's tools ▪ Use freely available vulnerability assessment and hacking tools to conduct attacks

Persistence Tools Breakdown

__: ▪ Maintaining a foothold into the network or victim system ▪ Tools __● SET, BeEF, SSH, NCAT, NETCAT, Drozer, Powersploit, Empire, Metasploit framework

Finding: Weak Password Complexity

__: ▪ Minimum password requirements/filters ▪ Passwords Must... __● Be at least 14 characters __● Contain letters, numbers, and special characters __● Not have repeating characters or digits

White Box Architectural Diagrams

__: ▪ Network diagrams, software flow charts, physical maps of organizational facilities ▪ Assists the tester in mapping out network topologies, location of switch closets, and where key information systems are located

Scanning Considerations - Where Do You Scan From?

__: ▪ Network topology is important, are you inside or outside the network? ▪ PCI-DSS requires both internal and external scanning to be performed

Proof-of-Concept Development

__: ▪ New or custom exploits require testing before use in a pentest ▪ Build a virtual machine based on the specifications you learned during enumeration

Packet Crafting Tools

__: ▪ Nmap ▪ Netcat (nc) ▪ Ncat (ncat) ▪ Hping

Black Box (No Knowledge Test)

__: ▪ No prior knowledge of target or network ▪ Simulates an outsider attack ▪ Only focuses on what external attacks see and ignores the insider threat ▪ Takes more time and is much more expensive

Report Writing

__: ▪ Normalization of Data ▪ Written Report of Findings ▪ How Long Do I Keep the Report? ▪ Handling and Disposal?

Threat Actors - Tiers of Adversaries

__: ▪ Not all threat actors are created equal ▪ Some are structured, some are unstructured ▪ Some are more skilled than others

Reconnaissance Tools

__: ▪ Nslookup ▪ Traceroute ▪ Ping ▪ Whois ▪ Domain Dossier ▪ Email Dossier ▪ Google ▪ Social Networking ▪ Discover.sh ▪ Maltego

Web Proxies Tools

__: ▪ OWASP ZAP ▪ Burp Suite

Objective-based Assessment (1)

__: ▪ Objective-based pentests seek to ensure the information remains secure ▪ Testing occurs using all methods and more accurately simulates a real attack ▪ Compliance-based __● Risk-based compliance assessment that is required to ensure policies or regulations are being followed properly

Objective-based Assessment (2)

__: ▪ Objective-based pentests seek to ensure the information remains secure ▪ Compliance-based (continued) __● Regulations and policies provide checklists, for example the PCI DSS compliance assessment __● Objectives are clearly defined __● Focus is on password policies, data isolation, limited network/storage access, and key management

Credential Attacks Tools Breakdown

__: ▪ Offline password cracking __● John the Ripper, Mimikatz, Cain and Abel, Hashcat, AirCrack-NG ▪ Brute-forcing services __● SQLmap (for databases), Medusa, Hydra, W3AF, Mimikatz, Cain and Abel, Patator, Aircrack-NG

NETBIOS Name Service Breakdown

__: ▪ Its Windows server implementation is WINS ▪ NetBIOS Name Service (NBNS) is part of the NetBIOS-over-TCP/IP protocol suite (UDP port 137) ▪ NetBIOS name is the host name of a system ▪ Like LLMNR, a broadcast NBNS query can be answered by any host on the subnet

Unsecure File and Folder Permissions

__: ▪ Older versions of Windows allowed any user to access other non-admin users' files and folders ▪ Weak (e.g., world-writable) permissions on folders used by privileged programs can lead to DLL hijacking and malicious file installation against a non-admin targeted user ● Privilege Escalation (Windows)

Port Scan Results

__: ▪ Open __● Application is accepting connections ▪ Closed __● No application is listening ▪ Filtered __● Probes aren't reaching the port __● Usually indicates a firewall

White Box Swagger Document

__: ▪ Open-source framework with a large system of tools to help design, build, document, test, and standardize REST Web Services ▪ Representational State Transfer (REST) has been replacing SOAP in most web applications in recent years ▪ REST is a web application architectural style based on HTTP

Gray Box (Partial Knowledge Test)

__: ▪ Partial knowledge of target ▪ Can be used as an internal test to simulate an insider attack with minimal knowledge ▪ Can also be used to decrease the information gathering stage so more time can be spent on identifying vulnerabilities EX: IP Range provided or Company Emails for Phishing

Supply Chain Assessment

__: ▪ Pentest may be required of your suppliers to ensure they are meeting their cybersecurity requirements ▪ Can be required prior to allowing an interconnection between the supplier's systems and your organization's systems ▪ Minimize risk by purchasing only from trusted vendors

SocEngin Motivation Factors - Authority

__: ▪ People are more willing to comply with a request when they think it is coming from someone in authority __● CEO or manager __● Important client __● Government agencies __● Financial institutions

Planning a Penetration Test - Disclaimers

__: ▪ Point-in-Time Assessment __● Results were accurate when the pentest occurred ▪ Comprehensiveness __● How complete was the test? __● Did you test the entire organization or only specific objectives?

Post-Report Activities

__: ▪ Post-Engagement Cleanup ▪ Attestation of Findings ▪ Client Acceptance ▪ Follow-up Actions or Retests ▪ Lessons Learned

Debugging Tools Breakdown

__: ▪ Process of finding and resolving defects in a computer program ▪ Tools __● Ollydbg, Immunity debugger, GDB, WinDBG, IDA Pro, APK Studio, APKX

Unsecure Code Practices - Comments in source code

__: ▪ Programmers are taught to fully document code ▪ Great for developers for maintainability ▪ Horrible for security when comments ship to the client (e.g., in HTML or JavaScript) and reveal internal paths, credentials, or logic

§ 1029 Fraud & related activity w/ access devices

__: ▪ Prosecute those who knowingly and with intent to defraud produce, use, or traffic in one or more counterfeit access devices. ▪ Access devices can be an application or hardware that is created specifically to generate any type of access credentials

Link-Local Multicast Name Resolution (LLMNR) Breakdown

__: ▪ Protocol based on the DNS packet format allowing both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link (UDP port 5355) ▪ Often used when there is no DNS server on the network, or as a fallback when a DNS lookup fails ▪ Included in Windows Vista and newer versions ▪ Linux implements LLMNR in systemd-resolved ▪ Useful when a temporary network is created, such as ad-hoc WiFi networks ▪ Any host on the link can answer a query, which is why LLMNR is a common spoofing/poisoning target
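Because LLMNR reuses the DNS message layout, a small builder/parser shows what actually travels on UDP 5355 and gives a defender a way to log which names hosts are asking for. This is an added example, not code from the original study set; the transaction ID, the queried name "fileserver" and the packet are constructed here.

```python
import struct

LLMNR_PORT = 5355          # UDP; multicast 224.0.0.252 / FF02::1:3 (RFC 4795)
QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length byte, label bytes, ..., 0x00 terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    """12-byte header (ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) plus one
    question. Flags are 0 for a plain query: QR=0, opcode 0, C=0, TC=0, T=0."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(packet: bytes, offset: int):
    """Decode labels starting at offset; returns (name, offset after terminator)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in LLMNR questions")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_packet(packet: bytes) -> dict:
    """Parse the header and question section of an LLMNR query or response.
    Flag bits (RFC 4795): QR=0x8000, C (conflict)=0x0400, TC=0x0200, T=0x0100."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    info = {"id": txid, "is_response": bool(flags & 0x8000),
            "conflict": bool(flags & 0x0400), "answers": an, "questions": []}
    offset = 12
    for _ in range(qd):
        name, offset = decode_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        info["questions"].append({"name": name, "type": qtype, "class": qclass})
    return info


if __name__ == "__main__":
    pkt = build_query("fileserver", 0x1234)   # constructed query
    print(pkt.hex())
    print(parse_packet(pkt))
```

Feeding captured UDP/5355 payloads to parse_packet and recording name, source address and whether a response came from an unexpected host is a cheap way to spot poisoning on a segment where LLMNR cannot yet be disabled.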

Vulnerability Scanner Tools

__: ▪ QualysGuard Vulnerability Scanner ▪ Tenable's Nessus Vulnerability Scanner ▪ Rapid7's Nexpose ▪ OpenVAS (Open-source Scanner) ▪ Nikto (Web Application Scanner)

Finding: Shared Local Admin Credentials

__: ▪ Randomize credentials __● Every system uses a different local administrator password ▪ Local Administrator Password Solution (LAPS) __● Microsoft tool that stores each computer's local administrator password in Active Directory, readable only by authorized accounts __● Automatically randomizes and rotates the password on each domain-joined workstation, so a local account is still available when logon without domain credentials is necessary

Use Cases for Tools

__: ▪ Reconnaissance ▪ Enumeration ▪ Vulnerability Scanning ▪ Credential Attacks ▪ Persistence ▪ Configuration Compliance ▪ Evasion ▪ Decompilation ▪ Forensics ▪ Debugging ▪ Software Assurance

Reporting and Communication

__: ▪ Report writing and handling best practices ▪ Explain post-report delivery activities ▪ Recommend mitigation strategies for discovered vulnerabilities ▪ Communication during the penetration testing process

Decompilation Tools Breakdown

__: ▪ Reversing an executable into human readable code ▪ Tools __● IDA, Hopper, Immunity debugger, APK Studio, APKX

Remote Access Tools

__: ▪ SSH ▪ Netcat ▪ Ncat ▪ Proxychains

Unsecured SUDO

__: ▪ SUDO is a program for Unix/Linux systems ▪ Allows users to run programs with the privileges of another user ▪ By default, the other user is 'root' ▪ Works like "Run as Administrator" on Windows ● Privilege Escalation (Linux)

Nmap -sS

__: ▪ SYN Scan (default and most popular) ▪ Can scan thousands of ports per second on a fast network ▪ Never completes the TCP connection (sends SYN, receives SYN/ACK or RST, then sends RST) ▪ Less likely to appear in application logs because the connection is never completed, but firewalls and IDS can still log the SYN probes ▪ Requires raw socket privileges (root/administrator)

Finding: SQL Injection

__: ▪ Sanitize user input __● User data checked for expected input type __● Escape data to avoid SQL injections ▪ Parameterize queries __● Better than user input sanitization __● Allow prepared statements to be used with bounded variables to access database __● Each piece of SQL code is static but receives parameters from a separate section of code
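Vulnerable and parameterized versions of the same login query side by side, as an added example that is not part of the original study set. It uses an in-memory SQLite database with one constructed user; the password is stored in plaintext only to keep the example short (a real application stores a salted hash).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo database: one user, plaintext password for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!Passw0rd')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the SQL by concatenation, so user input becomes SQL code."""
    query = ("SELECT id FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement with bound parameters: the SQL text is static and the
    driver passes the values separately, so quotes and comment markers in the
    input are treated as data, never as code."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both login functions with valid credentials and with a classic
    authentication-bypass payload, returning the outcomes for comparison."""
    conn = make_db()
    bypass = "admin' --"   # closes the string literal, comments out the password check
    return {
        "vuln_valid_creds": login_vulnerable(conn, "admin", "S3cret!Passw0rd"),
        "vuln_injected": login_vulnerable(conn, bypass, "anything"),
        "param_valid_creds": login_parameterized(conn, "admin", "S3cret!Passw0rd"),
        "param_injected": login_parameterized(conn, bypass, "anything"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The injected username turns the vulnerable query into `SELECT id FROM users WHERE username = 'admin' --' AND password = 'anything'`, so the password clause is never evaluated; the parameterized version looks for a user literally named `admin' --` and finds none.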

Nmap -iL

__: ▪ Scan targets from a text file

Scanning Considerations - When Do You Run the Scans?

__: ▪ Scanning the systems can take up valuable resources and slow down the network ▪ Are you trying to be sneaky? ▪ When is the best time to run the scans?

Unsecure Service and Protocol Configuration

__: ▪ Services and daemons run programs constantly in the background of the OS ▪ Unsecure services are vulnerable __● FTP, Telnet, TFTP, and many others ▪ Mis-configurations introduce vulnerabilities in secure protocols __● SSH downgraded to support SSHv1 __● SNMPv3 downgraded to support SNMPv1 __● Using WPA instead of WPA2 __● Allowing web servers to autonegotiate down to obsolete SSL/TLS versions or weak cipher suites

Privilege Escalation in Linux Breakdown

__: ▪ Set-User Identification (SUID) ▪ Set-Group Identification (SGID) ▪ Sticky Bit ▪ Unsecure SUDO ▪ Ret2libc

Nmap -T

__: ▪ Sets the timing for the scan ▪ T0 - Paranoid (one port every five minutes) ▪ T1 - Sneaky (one port every 15 seconds) ▪ T2 - Polite ▪ T3 - Normal ▪ T4 - Aggressive ▪ T5 - Insane

Scanning Considerations - Fragile or Non-Traditional Systems

__: ▪ Should we scan these? ▪ Should we exempt these? ▪ How to avoid impacting fragile mission critical systems?

White Box SOAP Project File

__: ▪ Simple Object Access Protocol (SOAP) is a messaging protocol specification for exchanging structured information in the implementation of web services ▪ SOAP project files are created from WSDL files or a single service call

Communication Reasons

__: ▪ Situational Awareness ▪ De-confliction ▪ De-escalation

Nmap -Pn

__: ▪ Skips the host discovery (ping) phase ▪ Treats all hosts in the range as online ▪ Useful when hosts block ICMP, but slow: every address is port-scanned even if it is down, so find the live hosts first and use -Pn selectively

SocEngin Motivation Factors - Social Proof

__: ▪ Social engineering through Facebook or Twitter can be useful __● Lots of Likes or Shares add to social proof __● People are more likely to click the link ▪ We crave social group interaction and have a need to be included ▪ Sometimes we don't fully understand what the inclusion means for us or why we are performing an action

SocEngin Motivation Factors - Likeability

__: ▪ Social engineers are friendly and likeable __● People will want to help them ▪ Find common ground and shared interests

White Box SDK Documentation

__: ▪ Software Developer's Kit (SDK) provides a set of tools, libraries, documentation, code samples, processes, or guides to allow faster development of a new app on a platform ▪ SDK provides code libraries for use

Unsecure Code Practices - Hard-coded credentials

__: ▪ Source code of a web application has the username and password written into the code instead of using an inclusion file ▪ Common issue for applications using PHP, databases, or WordPress

Goal-based Pentests Assessment

__: ▪ Specific goals are defined before testing starts ▪ Pentester may attempt to find many unique methods to achieve the specific goals

Nmap -p

__: ▪ Specifies the port to scan (override defaults) ▪ Can specify specific ports or exclude

Communications Triggers

__: ▪ Stages ▪ Critical Findings ▪ Indicators of Prior Compromise

Pentest Contracts

__: ▪ Statement of Work (SOW) ▪ Master Service Agreement (MSA) ▪ Non-Disclosure Agreement (NDA)

Finding: Unnecessary Open Services

__: ▪ System hardening __● Securing a computer or server by reducing its attack surface __● Disable unneeded services __● Close unused ports __● Uninstall unused programs

Nmap -sT

__: ▪ TCP Connect Scan ▪ Uses the Operating System to send packets ▪ Completes the TCP connection (less stealthy) ▪ Shows in logs the connection

SocEngin Motivation Factors - Scarcity

__: ▪ Technique that works well to get people to act fast ▪ Signup now for a special offer... supplies are limited!

Mitigation Solutions

__: ▪ Technology __● Add a multifactor authentication system ▪ Processes __● Proper employee off-boarding to minimize an insider threat ▪ People __● Employee cybersecurity training __● Hire qualified and certified IT professionals

Simple Network Management Protocol (SNMP) Breakdown

__: ▪ Three versions of SNMP exist ▪ SNMPv1 and SNMPv2c have poor security: the only authentication is a shared "community string" sent in cleartext, commonly left at the default "public" (read) or "private" (read/write) ▪ Community string operates like a password and is typically the same for EVERY node on the network ▪ SNMPv3 adds per-user authentication and encryption

Rules of Engagement (RoE) Overview

__: ▪ Timeline ▪ Locations ▪ Time restrictions ▪ Transparency ▪ Test boundaries

Forensics Tools Breakdown

__: ▪ Tools used to collect and analyze digital evidence for crimes and analysis ▪ Tools __● foremost, FTK, EnCase, Tableau

Server Message Block (SMB) Breakdown

__: ▪ File and resource sharing protocol used by Windows machines for many purposes __● File sharing __● Printer sharing __● Access to remote Windows services ▪ Operates over TCP port 445 (and port 139 when carried over NetBIOS) ▪ The EternalBlue exploit and WannaCry ransomware used a flaw in SMBv1 (patched by MS17-010)

Kernel Exploits

__: ▪ Unpatched Windows and Linux systems are vulnerable to many different exploits ▪ Search CVE's for various versions of Windows or Linux to determine what exploits exist ▪ Metasploit has a library of existing exploits ● Privilege Escalation

How Do We Scan and Enumerate?

__: ▪ Use specialized scanning/enumeration tools and public information sources

Nmap -sV

__: ▪ Version Detection Mode ▪ Attempts to determine the version of the services and applications being run on ports

File Transfer Protocol (FTP) Breakdown

__: ▪ Was the internet standard for file transfer ▪ Insecure protocol that sends data and authentication in cleartext over the network ▪ No encryption for transfers or credentials (i.e., in the clear) ▪ Easy for attackers to use for data exfiltration if FTP is available ▪ Replace with SFTP or FTPS where file transfer is still required

Export Restrictions

__: ▪ The Wassenaar Arrangement restricts the transfer of technologies considered "dual-use" ▪ Strong encryption falls under this restriction ▪ Penetration testing tools could be considered intrusion or surveillance software and fall under these rules

White Box WADL

__: ▪ Web Application Description Language __● XML-based machine-readable description of HTTP-based web services __● Easier to write than WSDL but not as flexible __● Typically used for REST services

White Box WSDL

__: ▪ Web Services Description Language __● XML-based interface definition language used for describing the functionality offered by a web service such as a SOAP server __● Flexible and allows binding options __● Not useful for REST services with WSDL 1.1

Certificate Inspection

__: ▪ Web servers identify the protocol versions and cipher suites they support (SSL 2.0, SSL 3.0, TLS 1.0 through 1.3) ▪ Tools exist to automate this process, e.g., the SSLyze script that comes with Kali Linux

Corporate Policies

__: ▪ What do corporate policies allow you to do? ▪ Have employees waived their privacy? ▪ What policies should be tested? __● Password strength/reuse __● Bring Your Own Device (BYOD) __● Encryption __● Update frequency

Follow-up Actions or Retests

__: ▪ What follow-up actions are you required to perform? ▪ Will a retest be conducted after 30 or 90 days?

Scoping Considerations - Tolerance to Impact

__: ▪ What is the impact to operations going to be? ▪ Balance the assessment needs with the operational needs of the organization by placing things in or out of scope

Scoping Considerations - Risk

__: ▪ What is the risk tolerance of the organization? ▪ Avoidance __● Actions taken to eliminate risk completely ▪ Transference __● Risk is moved to another entity ▪ Mitigation __● Controls and countermeasures are put into place ▪ Acceptance __● Risk is identified, analyzed, and within limits

Planning a Penetration Test - What is the End State?

__: ▪ What kind of report will be provided after test? ▪ Will you provide an estimate of how long remediations would take?

Planning a Penetration Test - Resources and Requirements

__: ▪ What resources will the assessment require? ▪ What requirements will be met in the testing? __● Confidentiality of findings __● Known vs. unknown vulnerabilities __● Compliance-based assessment

Threat Actors - Threat Modeling

__: ▪ What threat are you trying to emulate? ▪ Will you use open-source and openly available tools like a script kiddie, or create custom hacks like an Advanced Persistent Threat? ▪ Will you be given insider knowledge or perform a white box penetration test?

Prioritize Efforts for Pentest

__: ▪ What will be attacked first? ▪ What exploits will we use? __● Do we need custom made exploits? ▪ Does Metasploit or Nmap already have known exploits for the vulnerabilities? __● Use the 'search' function in Metasploit

RoE: Boundaries

__: ▪ What will be tested? ▪ Is social engineering allowed to be used? ▪ What about physical security testing? ▪ How invasive can the pentest be?

RoE: Locations

__: ▪ Where will the testers be located? _● On-site or remote location ▪ Does organization have numerous locations? ▪ Does it cross international borders?

Obtain Written Authorization

__: ▪ White hat hackers always get permission ▪ This is your get out of jail free card... ▪ Penetration tests can expose confidential information so permission must be granted ▪ Third-party authorization when necessary __● Ex: from a Cloud service provider

Planning a Penetration Test - Communication Paths

__: ▪ Who do we communicate with about the test? ▪ What info will be communicated and when? ▪ Who is a trusted agent if testing goes wrong?

RoE: Transparency

__: ▪ Who will know about the pentest? ▪ Will the organization provide resources to the testers (white box test)?

Scoping Considerations - Schedule

__: ▪ Will the timing of the penetration test be known by the organization's defenders? ▪ Will it be performed during peak or off-peak hours? ▪ What about holidays?

Scoping Considerations - Whitelist vs Blacklist

__: ▪ Will your pentest systems be put on a list? ▪ Whitelist will allow you access, but blacklist will prevent your system from connecting

Networking Tools

__: ▪ Wireshark ▪ Hping

Unsecure Code Practices - Lack of code signing

__: ▪ Without code signing it is easy for an attacker to modify the code without it being noticed ▪ Code signing computes a hash digest of the code and signs it with the publisher's private key; the verifier recomputes the hash and checks the signature with the public key from the publisher's certificate to ensure changes have not occurred

White Box XML Schema Definition (XSD)

__: ▪ World Wide Web Consortium (W3C) recommendation that specifies how to formally describe elements in an Extensible Markup Language (XML) document

Nmap -oN

__: ▪ -oN Normal output format __● nmap -oN outputfile.txt target

Nmap Output

__: ▪ -oN Normal output format __● nmap -oN outputfile.txt target ▪ -oG Grepable output format __● nmap -oG outputfile.txt target ▪ -oX XML output format __● nmap -oX outputfile.xml target ▪ -oA Combined format with all of the above __● nmap -oA outputfile target
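A parser for the grepable (-oG) format, which also exercises the open/closed/filtered states from the Port Scan Results card. This is an added example, not code from the original study set or from the Nmap project; the scan output below is constructed, not a real scan. Each port entry in -oG is `port/state/protocol/owner/service/rpc info/version/`, host fields are tab-separated, and comment lines start with `#`.

```python
from collections import defaultdict

# Constructed sample of nmap -oG output (hosts, names and versions are made up).
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sS -sV -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.5 (web01)\tStatus: Up
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""


def parse_grepable(text: str) -> dict:
    """Map each host address to a list of port records parsed from -oG lines.
    Assumption: version strings do not contain ', ' (nmap recommends -oX for
    anything that needs a fully reliable parse; -oG is for quick greps)."""
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                                  # comments and blanks
        fields = line.split("\t")
        host = fields[0].split()[1]                   # "Host: 10.0.0.5 (web01)"
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue                              # Status / Ignored State fields
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue                          # malformed entry: skip, don't crash
                results[host].append({
                    "port": int(parts[0]),
                    "state": parts[1],                # open, closed, filtered, ...
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                })
    return dict(results)


def open_ports(results: dict, host: str) -> list:
    """Sorted list of ports whose state is 'open' (application accepting connections)."""
    return sorted(e["port"] for e in results.get(host, []) if e["state"] == "open")


def hosts_running(results: dict, service: str) -> list:
    """Hosts that expose the named service on an open port."""
    return sorted(h for h, entries in results.items()
                  if any(e["state"] == "open" and e["service"] == service for e in entries))


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    for host in scan:
        print(host, open_ports(scan, host))
    print("SMB hosts:", hosts_running(scan, "microsoft-ds"))
```

Filtered ports (probes not reaching the target, usually a firewall) are kept in the records so they can be reported separately from closed ones, which is the distinction the Port Scan Results card draws.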

Planning a Penetration Test - Technical Constraints

__: ▪ What constraints limited your ability to test? ▪ Provide the status in your report __● Tested __● Not Tested __● Can't Be Tested

egress sensor

__ is a type of passive infrared sensor (PIR) that organizations can use to release a magnetic locking mechanism to allow an individual to exit through a doorway.

