Ethical Hacker
UTF code for ../..
%C1%9C
The database file on a domain controller that stores passwords
%SystemRoot%\NTDS\Ntds.dit OR %SystemRoot%\System32\Ntds.dit
Directory that contains a listing of port numbers for well known ports as defined by IANA
%windir%\system32\drivers\etc\services
Adding this after a process name indicates it should run in the background on Linux
&
Specifies a raw IP packet in hping2
-0 (or --rawip)
Specifies an ICMP packet in hping2
-1 (or --icmp)
Specifies a UDP packet in hping2
-2 (or --udp)
Configures Snort to log only the timestamp, alert message, source IP address and port, and destination IP address and port
-A fast option
Command for a full zone transfer.
-AXFR
Instructs G++ to stop after preprocessing and to output preprocessed C source code
-E option
Configures Netcat to accept inbound connections on a Unix host
-I flag
Command for an incremental zone transfer.
-IXFR
Configures Netcat to listen for inbound connections and to restart after an existing inbound session terminates (only available on MS Windows platforms)
-L flag
Configures grep to accept a regular expression pattern as a search term
-Le
Configures nmap to scan hosts that do not respond to ICMP pings
-P0
Older nmap parameters that were used to disable ICMP pings; both have been replaced by the -Pn parameter
-P0 and -PN
Instructs G++ to stop after compilation and to create an assembler file
-S option
Configures Snort to log packets in binary format, which is also called Tcpdump format
-b option
Instructs G++ to compile or assemble the source files and to output an object file but not to perform linking
-c option
Configures Snort to run in NIDS mode and uses the rules in a configuration file named snort.conf. Snort will evaluate each packet based on the rules located in the configuration file
-c snort.conf option
Command in netcat used to specify the program that should be executed when a session is established
-e flag
The switch that allows you to change the default packet size of an echo request leaving your machine. The default packet size leaving a Windows machine is 32 bytes.
-l
Enables packet logger mode in Snort
-l option
Instructs G++ to send output to a specific file (if not specified, G++ will place an executable file in a.out, place an object file in source.o, place an assembler file in source.s, place a precompiled header in source.suffix.gch, or place preprocessed C source code on standard output)
-o option
Command used to specify the TCP port on which Netcat should listen for inbound connections
-p flag
Enables Telnet negotiation in netcat
-t flag
Command that can be used to specify the UDP port on which Netcat should listen for inbound connections
-u flag
Directory with basic Linux commands
/bin
Directory with all administration files and passwords in Linux
/etc
Linux directory that holds the user home directories
/home
Linux directory that holds the access locations you have mounted
/mnt
Linux system binaries folder which holds more administrative commands
/sbin
Linux directory that holds almost all of the information, commands, and files unique to the users
/usr
Code in NetBIOS enumeration that indicates the domain name (group)
00
Code in NetBIOS enumeration that indicates the hostname (unique)
00
This software can be used for many purposes, such as bypassing firewalls and other similar security systems.
007 Shell
Code in NetBIOS enumeration that indicates the service running on the system
03
Netscape Administrator Interface port
10000
Diffie-Hellman Group Modulus 2
1024-bit
The IPv4 loopback address
127.0.0.1
Diffie-Hellman Group Modulus 5
1536-bit
A layer 3 directed broadcast address which is sent to all devices on a subnet
192.168.0.255
Code in NetBIOS enumeration that means domain master browser
1B
Code in NetBIOS enumeration that means domain controller
1C
Code in NetBIOS enumeration that means the master browser for a subnet
1D
Code in NetBIOS enumeration that indicates the server service running
20
Diffie-Hellman Group Modulus 14
2048-bit
Compaq Insight Manager port
2381
The layer 3 limited broadcast address which is sent to all devices on a broadcast domain
255.255.255.255
Logical Safeguards; Administrative Safeguards; Physical Safeguards
3 Components of Risk Assessment
Client/Presentation Layer; Business Logic Layer; Database Layer
3 Layers of Web Application Architecture
Device Attacks; Network Attacks; Datacenter (Cloud) Attacks
3 Main avenues of attack for mobile platforms
Preparation; Assessment; Post-Assessment
3 Phases of a Penetration Test
Diffie-Hellman Group Modulus 15
3072-bit
Symmetric Encryption Algorithm; 168 bit key; more effective than DES but much slower
3DES
Diffie-Hellman Group Modulus 16
4096-bit
Risk Identification; Risk Assessment; Risk Treatment; Risk Tracking; Risk Review
5 Phases of Risk Management
Cloud Carrier; Cloud Provider; Cloud Broker; Cloud Consumer; Cloud Auditor
5 Roles in Cloud Architecture as defined by NIST SP 500-292
Identify Security Objectives; Application Overview; Decompose Application; Identify Threats; Identify Vulnerabilities
5 Sections of Threat Modeling
Diffie-Hellman Group Modulus 17
6144-bit
BEA Weblogic port
7001
BEA Weblogic over SSL port
7002
Sun Java Web Server over SSL port
7070
Diffie-Hellman Group Modulus 1
768-bit
Apache Tomcat port
8005
54 Mbps; 5 GHz; OFDM Modulation Type wireless standard
802.11a
1000 Mbps; 5 GHz; QAM modulation type wireless standard
802.11ac
11 Mbps; 2.4 GHz; DSSS Modulation Type wireless standard
802.11b
Global use frequency wireless standard
802.11d
Wireless standard that was a QoS initiative for data and voice
802.11e
54 Mbps; 2.4 GHz wireless standard
802.11g
WPA/WPA2 Encryption standard
802.11i
100+ Mbps; 2.4-5 GHz wireless standard
802.11n
Defines the standards for Bluetooth
802.15.1
Defines the standards for Zigbee
802.15.4
Defines the standards for WiMAX
802.16
IEEE standard defined as a method to establish port-based Network Access Control (NAC) using EAP. It is designed to require authentication before allowing a client to access a network.
802.1X
Diffie-Hellman Group Modulus 18
8192-bit
Kerberos port
88
IBM Websphere admin client port
900
Sun Java Web Server Administration module port
9090
Maps a hostname to an IP address (forward record) in DNS
A (Address)
Ensures reliable access to your key network services by detecting and blocking external threats such as DDoS and other cyber-attacks before they escalate into costly service outages
A10 Thunder TPS
Used to map a host name to a 128-bit IPv6 address (like A record for IPv4)
AAAA record
Creates scripts not recognizable by signature files
ADMutate
Symmetric Encryption Algorithm; block cipher; 128, 192 or 256 bit key; replaces DES; much faster than DES or 3DES
AES
IANA group responsible for Asia Pacific region
APNIC
IANA group responsible for North America
ARIN
Resolves IP addresses to MAC addresses
ARP
Displays the ARP entries for the network interface specified by if_addr
ARP -N
Displays current ARP entries by interrogating the current protocol data.
ARP -a OR -g
Deletes the host specified by inet_addr in ARP, inet_addr may be wildcarded with * to delete all hosts.
ARP -d
Adds the host and associates the internet address inet_addr with the physical address eth_addr in ARP. The physical address is given as 6 hexadecimal bytes separated by hyphens. The entry is permanent.
ARP -s
Displays current ARP entries in verbose mode. All invalid entries and entries on the loop-back interface will be shown.
ARP -v
Attack involving sending malicious ARP packets to a default gateway in order to change the IP-to-MAC pairings in its table.
ARP Poisoning
A computer software tool for monitoring Address Resolution Protocol traffic on a computer network. It generates a log of observed pairings of IP addresses with MAC addresses along with a timestamp of when the pairing appeared on the network.
ARPWatch
A Linux-based management center that acts as a centralized platform for THOR and SPARK scans. It can collect, forward, and analyze thousands of host-based system scans. If a response is required based on scan results, it can coordinate the response tasks. The hard appliance version can handle up to 20,000 end systems; the soft appliance version can handle up to 3,000 end systems.
ASGARD
First data handling, message identification and routing layer in IoT architecture
Access Gateway Layer
Checks web applications for SQL injections, XSS, and so on. Includes advanced penetration testing tools to ease manual security audit processes and creates professional security audit and regulatory compliance reports
Acunetix Web Vulnerability Scanner
A fast and free software for network scanning. It will allow you to quickly detect all network computers and obtain access to them. With a single click, you can turn a remote PC on and off, connect to it via Radmin, and more.
Advanced IP Scanner
IANA group responsible for Africa
AfriNIC
A utility for decrypting WEP encryption on an 802.11b network, that must gather roughly five to ten million encrypted packets from a wireless access point before it can attempt to recover the wireless key.
AirSnort
A resource for statistics about websites
Alexa.com
Provides a feature-rich open-source SIEM complete with event collection, normalization and correlation. Provides one unified platform with many essential security capabilities including asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, and SIEM event correlation
AlienVault OSSIM
Cross-platform, open source, and robust website censorship circumvention tool that also maps censorship patterns around the world
Alkasir
Allows attackers to simulate a DoS/DDoS attack on web servers from mobile phones
AnDOSid
A very fast IP address and port scanner. It can scan IP addresses in any range as well as their ports. It is cross-platform and lightweight, not requiring any installations, it can be freely copied and used anywhere.
Angry IP Scanner
Large number of hosts can receive
Anycast
Consume the resources necessary for an application to run
Application Attacks
Layer responsible for delivery of services and data to the user in IoT architecture
Application Layer
Firewall that works like a proxy, allowing specific services in and out; it inspects the packets as well but is commonly specific to a particular protocol.
Application-Level Gateway
Provides cached websites from various dates which possibly have sensitive information that has now been removed.
Archive.org
Provides a toolset for zigbee devices.
Attify Zigbee
Verifies an IP packet's integrity and determines the validity of its source.
Authentication Header (AH) protocol
Core Impact; CANVAS
Automated PEN Test Application Suites
A Blackberry-centric tool that's useful in an attack called Blackjacking
BB Proxy
TCP 179
BGP
The simplest type of PSK used in biometric passports and smart credit cards
BPSK
A well-known tool for finding and enumerating nearby bluetooth devices
BT Browser
Application that can perform inquiries and brute force scans on bluetooth devices.
BTScanner
Like device to cloud but adds abilities for parties to collect and use the data
Back-End Data Sharing
A browser that makes multiple simultaneous server requests in order to quickly download entire websites or part of a site, including HTML, graphics, Java Applets, sound and other user-definable files, and saves all the files on your hard drive, either in their native format or as a compressed ZIP file you can view offline.
BackStreet Browser
Nessus drop-down options from the General Settings tab include these
Basic; Port Scanning; Performance; Advanced
Hosts on the screened subnet designed to protect internal resources
Bastion Hosts
A secure state machine. The intent is to protect confidentiality. Does not allow write down, but can read up.
Bell-LaPadula
An interface to the data link layer of a system.
Berkeley Packet Filter (BPF)
Goal is data integrity. Three objectives in ensuring integrity: unauthorized parties cannot modify data; authorized parties cannot modify data without specific authorization; and data stored should be true and accurate. Data and people have classification levels (integrity levels). Does not allow write up, but can read down
Biba Model
An example of an integrity attack where the outcome is not to gain information but to obscure the data from the actual user.
Bit Flipping
An internet tool that will allow you to carry out various functions, among them "sniffing" a website for downloadable content, scanning for email addresses, creating site maps and detecting errors.
Black Widow
A design in which a database or knowledgebase is established to solve a particular problem. A variety of expert or specialist sources can then contribute information to the database in an effort to solve the problem. Modern systems built on this type of architecture are typically a form of artificial intelligence, such as Bayesian antispam techniques in which users contribute samples of spam in order to teach the application how to recognize it.
Blackboard Architecture
Hacker can inject malicious data or commands into intercepted communications in a TCP session, even if the victim disables source routing. Attacker guesses the next ISN of a computer attempting to establish a connection. Attacker sends malicious data or commands, such as a password setting to allow access from another location on the network, but the attacker can never see the response
Blind Hijacking
An application designed and created for bluebugging.
Bloover
Symmetric Encryption Algorithm; fast block cipher; replaced by AES; 65 bit block size; 32 to 448 bit key; considered public domain
Blowfish
Tool from Sourceforge that does a great job of finding bluetooth devices around you, and can also try to extract and display as much information as possible
BlueScanner
Attack where the attacker sends data to a bluetooth device without having gone through the pairing process or without the user knowing about the pairing.
Bluejacking
Attacker denies access to a Bluetooth device. Similar to a ping of death except this attack relies on oversized Logical Link Control and Adaptation Layer Protocol (L2CAP) ping messages.
Bluesmack
The unauthorized access of information from a wireless device through a Bluetooth connection.
Bluesnarfing
Uses two types of phase-shift keying (PSK) digital modulation: pi/4-DQPSK and 8DPSK. The former when transmitting at 2 Mbps and the latter at 3bps
Bluetooth 2.0 with Enhanced Data Rate (EDR)
In blind-based SQL injection, an attacker uses a Boolean operation to generate database information. For example, a query can be run once with AND 1=2 (an always-false statement) and once with AND 1=1 (an always-true statement). An attacker can compare the results to determine whether the injection was successful.
Boolean-based
These attackers typically use IRC or HTTP as a CNC channel, often forcing the infected computers to propagate malware or to launch a DoS attack against one or more victims
Botherders
The last address of a subnet
Broadcast address
GET /AAAAAAAAAAAA\x90\x90\x90\x83\xec\x27\xeb\x0c\xe7\xe1\xe6\xc1\sc0\xff 500
Buffer Overflow Attack
Integrated platform for performing security testing of web applications. Its various tools support the entire testing process, from initial mapping and analysis of an application's attack surface to finding and exploiting security vulnerabilities. Contains an intercepting proxy, application-aware spider, advanced web application scanner, intruder tool, repeater tool, sequencer tool, and CSRF PoC generator function
Burp Suite
Reviews business applications and services for signs of incidents. Checks audit logs of critical servers that are vulnerable to attacks. Gathers information related to security incidents according to the request of the ISO.
Business Applications and Online Sales Officer
This role is responsible for maintaining all management processes in organizations and making trade-off decisions in risk management process. Empowered with the authority to manage almost all processes in organization.
Business and Functional Managers
Location in Windows where the SAM file is stored (Registry location).
C:\Windows\System32\Config
Automated testing tool with hundreds of exploits, automated exploitation system, and extensive exploit development framework
CANVAS
The number after the forward slash is the number of bits used in the subnet mask
CIDR notation
This role is responsible for executing policies and plans required for supporting the IT and computer systems of organizations. Their main responsibility is to train employees and other executive management regarding possible risks in IT and their effect on the business. Also responsible for IT planning, budgeting, and performance based on the risk management program, and plays a vital role in the formation of basic plans and policies for risk management.
CIO
Maps a name to an A record in DNS. Also provides for aliases within the zone.
CNAME (Canonical Name)
A security standard that categorizes control objectives into domains, such as planning and organization or delivery and support. It is an IT management framework that was created by ISACA and the ITGI. It defines the following four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring and Evaluation.
COBIT
An IT governance framework and toolset created by ISACA and ITGI.
COBIT (Control Objectives for Information and related Technology)
HTTP request method reserved for use with proxy
CONNECT
A standard defined by the Object Management Group designed to facilitate the communication of systems that are deployed on diverse platforms not using XML.
CORBA
Finds vulnerabilities on an organization's web server. Allows user to evaluate security posture of a web server using the same techniques employed by today's cyber-criminals
CORE Impact
Client-side attack which exploits vulnerabilities present in data compression feature of protocols such as SSL/TLS, SPDY and HTTPS. Attacker tries to access the authentication cookie to hijack the victim's session
CRIME
An attack where the characters for a carriage return and line feed are inserted into a stream being read by an application. The attack can be a diversion or its main focus.
CRLF Injection
Configuring the web server to send random challenge tokens is the best mitigation for this attack
CSRF
An attack where the user is tricked into visiting a malicious website. While the user has an active authenticated session with the trusted website, the malicious website can then instruct the user's web browser to send a request to the target website.
CSRF (Cross Site Request Forgery)
A password recovery tool for Microsoft Windows. It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks. It can also extract voice from VoIP data.
Cain and Abel
Viruses that overwrite unused portions of a file but do not change its size.
Cavity
A document that specifies how an organization plans to use a PKI and how it will operate and function
Certificate Practice Statement (CPS)
A TOR-based botnet Trojan that uses a keylogger and memory scanner to target payment and POS systems.
ChewBacca
The integrity method used by WPA2. Created to correct vulnerabilities in TKIP, and fully implements the IEEE 802.11i standard. It creates a message integrity code that can be used to validate whether the message source or the payload data was altered in transit.
Cipher Block Chaining Message Authentication Code Protocol (CCMP)
Firewall that works on layer 5
Circuit-Level Gateway
DDoS mitigation appliance that employs the most advanced anomaly recognition, source verification, and anti-spoofing technology to identify and block individual attack flows while allowing legitimate transactions to pass
Cisco Guard XT5650
Does not rely on state machine or use subjects and objects. Instead it defines data items and only allows access through a small number of known programs
Clark-Wilson Integrity Model
A tool that profits from the Core Impact and Core Insight technologies to offer penetration testing as a service from Amazon Web Services for EC2 users. Designed for AWS cloud subscribers; runs an automated, all-in-one testing suite specifically for your cloud subscription
CloudInspect
A tool that provides instant visibility and continuous protection for servers in any combination of data centers, private clouds, and public clouds
CloudPassage Halo
Tool that utilizes fuzz testing that learns the tested system automatically; allows for pen testers to enter new domains such as VoIP assessment, etc.
Codenomicon
Allows attacker to create custom network packets and helps security professionals assess network. Attacker can select TCP packet from provided templates and change parameters with editor. Also supports saving packets to packet files and sending packets to network. Audits networks and checks network protections against attacks and intruders.
Colasoft Packet Builder
Used to create custom network packets and to fragment packets. Can create custom network packets such as Ethernet, ARP, IP, TCP, and UDP packets
Colasoft Packet Builder
Wireless network monitor and analyzer for 802.11a/b/g/n networks. Captures packets to display important information such as a list of APs and stations, per-node and per-channel statistics, signal strength, a list of packets and network connections, protocol distribution charts, and more. By providing this information, one can view and examine packets, pinpoint network problems, and troubleshoot software and hardware
CommView for WiFi
Web application attack in which the attacker gains shell access using Java or similar
Command Injection
Publicly available and free to use list or dictionary of standardized identifiers for common software vulnerabilities and exposures
Common Vulnerabilities and Exposures (CVE)
Published standard that provides open framework for communicating characteristics and impacts of IT vulnerabilities. Two common uses are prioritization of vulnerability remediation activities and in calculating severity of vulnerabilities disclosed on one's systems.
Common Vulnerability Scoring System (CVSS)
Controls used to supplement directive controls.
Compensating
In G++ involves the following stages: preprocessing, compilation, assembly, and linking
Compiling
Executive Summary of the organization's security posture; Names of all participants and dates of tests; List of all findings, presented in order of risk; Analysis of each finding and recommended mitigation steps; Log files and other evidence (screenshots, etc.)
Comprehensive Report Parts for a Pen Test
An attack that takes advantage of web applications that communicate with databases by using semicolons to separate parameters. An attacker can end a parameter prematurely with a semicolon and then add his own code.
Connection String Parameter Pollution (CSPP) attack
Helps identify weak cookie generation and insecure implementations of session management by web applications. Works by collecting and analyzing cookies issued by web application for multiple users
Cookie Digger
Best known, all-inclusive automated testing framework; tests everything from web applications and individual systems to network devices and wireless
Core Impact Pro
Controls used to repair damage caused by malicious events.
Corrective
Dynamic ARP inspection using DHCP snooping; XArp; Default gateway MAC added permanently to each machine's cache
Countermeasures against ARP Poisoning
5th Hacking phase: Steps taken to conceal success and intrusion by an attacker on a system.
Covering Tracks
Steps taken to conceal success and intrusion of a system.
Covering Tracks (Phase 5 of Hacking)
A virus that infected systems on the ARPAnet but caused no actual damage
Creeper Virus
A method of federated identity management that enables participants to trust another participant's PKI.
Cross-Certification Trust Model
The encrypted version of netcat
Cryptcat
Can encrypt binary code in executables to hide malware like viruses, keyloggers, and RATs
Crypters
Application used to look at malware and what it may be up to.
Cutter
A remote control Trojan used to manage multiple servers in a target network.
CyberGate
Linux environment of GNU and Open Source tools that can run on Microsoft Windows platforms.
Cygwin
A proprietary Microsoft technology for communication among software components distributed across networked computers.
DCOM
Blocks DDoS attacks with multi-layered protection
DDoS Protector
HTTP request method that requests origin server delete resource
DELETE
Symmetric Encryption Algorithm; block cipher; 56 bit key
DES
UDP port 67
DHCP
Replacing a DLL in the application directory with your own version which gives you the access you need
DLL Hijacking
A layer 7 protocol that is used to map host names and domain names to IP addresses
DNS
TCP/UDP port 53
DNS
A web server attack that uses recursive DNS to DoS a target; amplifies DNS answers to target until it cannot do anything
DNS Amplification
Changes cache on a machine to redirect requests to a malicious server
DNS Poisoning
Also known as cache poisoning
DNS Spoofing
Helps prevent DNS poisoning by encrypting records
DNSSEC
Affects SSL and TLS services and allows attackers to break the encryption and steal sensitive data using flaws in SSL v2
DROWN
The process of detecting and recovering data that has been intentionally hidden on a computer. Detecting and recovering hidden data can reveal the intent, ownership, and knowledge of an attacker.
Data-Hiding Analysis
A program to extract (reverse engineer) data points from a graph
DataThief
Nessus drop-down options from the Preferences tab when creating a new policy in Nessus 5.2 include these
Database Compliance Checks; Cisco IOS Compliance Checks; Global Variable Settings
Firewall that looks beyond the headers and into the payload of the packet, therefore providing the ability to inspect higher-layer protocols
Deep Packet Inspection
Controls used to monitor and alert on malicious or unauthorized activity.
Detective
Controls that are used to dissuade potential attackers.
Deterrent
IoT device communicates directly to a cloud service
Device to Cloud
Communicates directly with other IoT devices
Device to Device
IoT device communicates with a gateway before sending to the cloud
Device to Gateway
Asymmetric Encryption Algorithm; developed as a key exchange protocol; used in SSL and IPSec; if digital signatures are waived, vulnerable to MitM attacks
Diffie-Hellman
Controls also known as procedural because they deal with company procedures such as security policies, operations plans, and guidelines.
Directive
A web server attack that requests a file that should not be accessible from the web server (e.g. ../)
Directory Traversal
GET /scripts/..%255c../windows/system32/cmd.exe?/c+dir HTTP/1.1 200
Directory Traversal Attack
Converts operations codes to mnemonics
Disassembly
A technique used for recovering password-protected files that utilizes unused processing power of machines across the network to decrypt passwords
Distributed Network Attack (DNA)
Searching for and publishing information about an individual usually with malicious intent.
Doxing
Android application for security analysis in wireless networks and capturing Facebook, Twitter, LinkedIn, and other accounts
DroidSniff
Used for session hijacking on Android devices connected to a common wireless network. Gets the session ID of an active user and uses it to access the website as an authorized user
Droidsheep
many-to-many address mapping in NAT
Dynamic NAT
An attack in which a valid 802.1x EAP exchange is observed. The attacker then sends the client a forged EAP-failure message
EAP-Failure attack
SEC database that stores all public filings associated with a company. Includes the 10-K annual report, 10-Q quarterly reports, 11-K including details about employee stock option plans, and Schedule 14-A proxy statement
EDGAR
Provides confidentiality for IPSec by encrypting each packet
ESP
Provides actual delivery address of mailing list and aliases in SMTP
EXPN
Enterprise configuration audit and analytics solution that analyzes a system's current configuration state.
Ecora
Consists of sensors, RFID tags, readers and the IoT devices
Edge Technology Layer
Asymmetric Encryption Algorithm; not based on prime number factoring; uses solving of discrete logarithmic problems
El Gamal
Tool that allows attackers to break complex passwords, recover strong encryption keys, and unlock documents in a production environment
Elcomsoft distributed Password Recovery
An example of a wrapper program that can be used to bind a Trojan to a legitimate software application.
EliteWrap
First virus on the PC - it just copied itself
Elk Cloner
Asymmetric Encryption Algorithm; uses points on an elliptical curve along with logarithmic problems; uses less processing power; good for mobile devices
Elliptic Curve Cryptosystem (ECC)
In transport mode, encrypts only the IP payload. In tunnel mode, encrypts the entire packet
Encapsulating Security Payload (ESP)
This should be configured if you want to mitigate IP spoofing attacks
Encrypted VPN
Process that determines how systems work within an organization
Enterprise Information Security Architecture (EISA)
Floods a switched network with Ethernet frames with random hardware addresses. The effect on some switches is that they start sending all traffic out on all ports so you can sniff all traffic on the network.
EtherFlood
An application that can perform ARP spoofing in a console or GUI mode as well as act as a sniffer that can also run man-in-the-middle attacks and DNS spoofing.
Ettercap
Website where researchers and developers post exploit code and proof of concept code that works against identified vulnerabilities
Exploit-db.org
The layer 2 Ethernet broadcast address sent to all nodes on a switch but not forwarded to routers
FF:FF:FF:FF:FF:FF
A 2013 bill that was intended to change the framework that determines how the US government purchases technology.
FITARA
Contained sections that were made US law as part of the National Defense Authorization Act (NDAA) for Fiscal Year 2015.
FITARA
Capable of scanning a wide variety of documents
FOCA
MitM attack that forces a downgrade of RSA key to a weaker length
FREAK
TCP Port 20, 21
FTP
Android application that allows you to sniff and intercept web session profiles over the Wi-Fi network the mobile session is connected to. The Wi-Fi network cannot be using EAP
Faceniff
A law updated in 2004 to codify the authority of the DHS with regard to implementation of information security policies.
Federal Information Security Management Act of 2002 (FISMA)
The process of providing access to a company's data resources to organizations or parties that are not owned by the company. There are two federated identity management models: the trusted third-party certification model and the cross-certification model.
Federated Identity Management
Version; Serial number; Signature Algorithm; Algorithm ID; Issuer; Subject; Public Key Information; Public Key algorithm; Key Usage
Fields of an X.509 certificate
Web application attack in which attacker injects a pointer in a web form to an exploit hosted elsewhere
File Injection
Mobile application for Android and iOS that scans and provides complete network information such as IP address, MAC address, device vendor, and ISP location
Fing
These are all multihomed devices
Firewalls
Performs security assessments in IoT networks.
Firmalyzer
1. Acquisition 2. Identification 3. Analyzing 4. Evaluation 5. Generating Reports
Five phases/steps of a vulnerability assessment
The organized research and investigation of Internet addresses owned or controlled by a target organization. Searching for high-level information on a target.
Footprinting
A type of Man-in-the-Middle attack possible when the crypto nonce is reused while establishing an HTTPS session with the server
Forbidden Attack
An application that leverages passive sniffer devices to reconstruct a visual and textual representation of network information to support real-world IoT applications where other means of debug (cable or network-based monitoring) are too costly or impractical.
Foren6
Surgically removes network and application layer DDoS attacks while letting legitimate traffic flow without being impacted
FortiDDoS-1200B
Know the Security Posture, Reduce the Focus Area, Identify Vulnerabilities, Draw a Network Map
Four Main Focuses of Reconnaissance
An attack that sends a large number of UDP packets to the broadcast address of the subnet with source IP spoofed as the target; entire subnet responds exhausting the target
Fraggle Attack
Attacks that take advantage of the system's ability to reconstruct fragmented packets
Fragmentation Attacks
An application used to intercept, modify, and rewrite egress traffic destined for a specified host. It features a simple rule-set language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behavior. Basically used to mangle captured packets before they are sent to a target you specify.
Fragroute
HTTP request method that retrieves whatever information is in the URL; sending data is done in URL
GET
A complete vulnerability management solution, which allows you to scan, detect, assess and rectify security vulnerabilities on your network.
GFI Languard
3rd Hacking phase: Attacks are leveled against the system in order to gain access.
Gaining Access
Attacks are leveled in order to gain access to a system
Gaining Access (Phase 3 of Hacking)
A special packet to update an ARP cache even without a request. Can be used to poison the cache on other machines.
Gratuitous ARP
Configures grep to search for files that do not contain the specified search term
Grep -L
HTTP request method identical to get except for no body return
HEAD
The HTTP request to perform banner grabbing
HEAD / HTTP/1.0
The resource type on a DNS server that configures the OS type of a particular DNS record
HINFO
Registry hive with information on file associations and OLE classes
HKEY_CLASSES_ROOT (HKCR)
A pointer to the current configuration in the registry system.
HKEY_CURRENT_CONFIG (HKCC)
Registry with profile information on the current user including preferences
HKEY_CURRENT_USER (HKCU)
Registry with information on hardware and software
HKEY_LOCAL_MACHINE (HKLM)
Layer 7 attack where the attacker uses time-delayed HTTP headers to hold on to an HTTP connection and exhaust web server resources
HTTP GET Attack
Layer 7 attack where the attacker sends HTTP requests with complete headers but an incomplete message body to the target web server or application
HTTP POST Attack
An attack that adds header response data into the input field so that the server splits the response into two responses.
HTTPS Response Splitting Attack
A free and open-source Web crawler and offline browser, developed by Xavier Roche and licensed under the GNU General Public License Version 3. Allows users to download World Wide Web sites from the Internet to a local computer.
HTTrack
Offline browser utility that downloads Website from Internet to local directory, building all directories recursively, getting HTML, images, and other files from the server
HTTrack
An attack where the attacker hacks IoT devices in order to shut down air conditioning services
HVAC Attack
Perceived value or worth of a target as seen by the attacker.
Hack value
Tool used in rolling code attacks
HackRF One
Multi-OS, multi-platform compatible cracker that can perform multi-hash and multi-device password cracking
Hashcat
Injects code into the heap, which is where dynamically allocated memory is taken from
Heap Spraying Attack
An SSL vulnerability that exploits the heartbeat issue in data transfer.
Heartbleed
In blind-based SQL injection, retrieves a large amount of data, requiring time for the database to execute, which can simulate a time-based blind-based SQL injection.
Heavy Query
A CLI tool that could be used to determine the security state of computers on a network. It was integrated into previous versions of MBSA but is not supported in the latest version of MBSA. Uses a file downloaded from the Microsoft Download Center Website, not WUA, to scan the security state of network computers.
Hfnetchk
A web server attack that modifies hidden form fields producing unintended results
Hidden Field Tampering
Network stress and DoS/DDoS attack application written in BASIC. Designed to attack 256 target URLs simultaneously. Sends HTTP POST and GET requests at a computer; uses lulz-inspired GUIs
High Orbit Ion Cannon (HOIC)
Lightweight, low-interaction, portable, and generic honeypot for mobile devices that aims at the detection of malicious, wireless network environments
HosTaGe
An area of a hard drive that is protected from the OS so that it does not show up in the directory structure.
Host-Protected Area (HPA)
1. Create a hash of the message 2. Encrypt the hash with your private key 3. Encrypt the message with the recipient's public key
How to create a digital signature on a message
Manages and secures Windows OSs. Features active task matching options, group member matrix, and active editor improvements
Hyena
The first AD management product to support customizable Active Directory queries at every object level. Define your own queries, or use any of the predefined queries to display custom 'views' of exactly what directory attributes you want to see for organizational units, users, groups, or computers.
Hyena
Sends a large number of ICMP echo request packets to a target host in an attempt to saturate the target's network or resource capacity. Typically, an attacker will send the messages with spoofed source IP addresses or will send the messages from zombies in order to free the attacking device of the burden of processing the ICMP Echo Request messages.
ICMP Flood Attack
A telnet-like protocol that allows users to connect to a remote host and to open a shell using only ICMP to send and receive data. Written in C for the UNIX environment.
ICMP Shell (ISH)
Echo Reply
ICMP Type 0
Time exceeded (Code 0 is TTL expired)
ICMP Type 11
Destination network unreachable.
ICMP Type 3 Code 0
Destination host unreachable
ICMP Type 3 Code 1
Host administratively prohibited
ICMP Type 3 Code 10
Destination network unreachable for type of service
ICMP Type 3 Code 11
Destination host unreachable for type of service
ICMP Type 3 Code 12
Code that shows traffic is being blocked by a firewall
ICMP Type 3 Code 13
Communications administratively prohibited. Indicates a poorly configured firewall.
ICMP Type 3 Code 13
Host Precedence Violation
ICMP Type 3 Code 14
Precedence cutoff in effect
ICMP Type 3 Code 15
Code that tells you the client itself has the port closed
ICMP Type 3 Code 3
Fragmentation needed and "don't fragment" was set
ICMP Type 3 Code 4
Source Route Failed
ICMP Type 3 Code 5
Network unknown
ICMP Type 3 Code 6
Host unknown
ICMP Type 3 Code 7
Source Host Isolated
ICMP Type 3 Code 8
Network administratively prohibited.
ICMP Type 3 Code 9
Source Quench Congestion control message
ICMP Type 4
Redirect datagram for the network
ICMP Type 5 Code 0
Redirect datagram for the host
ICMP Type 5 Code 1
Echo Request
ICMP Type 8
Symmetric Encryption Algorithm; block cipher; 128 bit key; originally used in PGP 2.0
IDEA
Simple Internet server identification utility
IDServe
An IPSec VPN scanning, fingerprinting, and testing tool.
IKE Scan
TCP port 143
IMAP
Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, TTL, Protocol, Source and Destination Address
IP Header Fields
IP scanner for iOS that scans the local network to determine identity of all its active machines and Internet devices
IP Scanner
Useful in gaining unauthorized access to a computer with the help of a trusted host's IP address. Allows attackers to create their own acceptable packets to insert into the TCP session
IP Spoofing: Source Routed Packets
Share used for interprocess communications between hosts
IPC$
These are dynamic link library (DLL) files that enhance the functionality of a webserver. Data passes through these filters until the filter finds something relevant to process. However, they are notoriously insecure and can expose the webserver to threats.
ISAPI filters
A security standard based on the British BS 17799 standard that focuses on security governance.
ISO 27001
Standards based on BS 17799 but focused on security objectives, providing security controls based on industry best practices.
ISO 27002 and 17799
Describes how to best manage security risks using an organized and systematic approach.
ISO 27005
Describes audits and certifications for security management systems
ISO 27006
This role protects personnel and physical and information systems in organization. Responsible for implementing security controls.
IT Security Practitioners
This role is responsible for the organization's Information Security programs and provides the required support to IS owners with the selection of security controls for protecting systems. They play an important role in the selection and amendment of security controls in the organization.
IT Security Program Managers and Computer Security Officers (ISSO)
A method that provides network resources such as storage and allows the client to deploy software and add network components such as firewalls. (Amazon EC2 is one example)
IaaS (Infrastructure as a Service)
In this attack user identities are captured from clear-text 802.1x Identity Response packets
Identity Theft attack
Technical experts in their particular area who apply appropriate technology and try to eradicate and recover from incident
Incident Analyst
Acts as link between various groups affected by incidents. Plays vital role between security teams and networking groups. Helps in communication process and keeps everyone updated.
Incident Coordinator
CIRT role that focuses on incident and analyzes manner in which to handle it from a management and technical point of view. Responsible for actions performed by incident analysts and reports information to incident coordinator. Must be a technical expert with understanding of security and incident management.
Incident Manager
What solutions does Foundstone provide
Incident response, Security training, Security assessment
CIRT role that identifies the nature and scope of computer security incident. Communicates with information security specialists as well as with other team members. Provides incident handling training to members. Examines details of investigation. Makes sure evidence is gathered and the chain of custody is followed and evidence is stored correctly. Prepares report of incident and takes corrective action.
Information Security Officer
CIRT role that acts as communication point for various computer security incidents. Notifies information security officer to provide IRT to carry out necessary operations. Ensures incident management team and other activated teams are supported via available technology.
Information Technology Officer
CIRT role that coordinates activities with ISO. Prepares documentation for different types of data that may have been breached. Helps individuals in discussing investigation issues related to customer privacy and employee PII. Provides guidance for creating communication among affected agencies. Monitors need for altering practices, privacy policies, and procedures as a result of security incident.
Information Privacy Officer
Spouse, friend or client of an employee who uses the employee's credentials to gain access
Insider Affiliate
Someone with limited authorized access such as a contractor, guard or cleaning service person
Insider Associate
Person search site with detailed information; searchable by name but not username
Intelius
Checks whether information systems are in compliance with security policies and controls. Performs audit test to make sure that patches and service packs are current with mission critical systems. Identifies and reports any security loopholes to management for necessary actions.
Internal Auditor
Crucial layer which serves as main component to allow communication in IoT architecture
Internet Layer
TCP port 631
Internet Printing Protocol (IPP) and Common UNIX Printing Gateway Protocol (CUPS)
Translates scripting-language source code into machine code every time the script is executed
Interpreter
A signal that indicates that an event has occurred; it can cause an application to stop, but it does not necessarily
Interrupt
Flooding tool
Inundator
I1 Insecure Web Interface, I2 Insufficient Authentication/Authorization, I3 Insecure Network Services, I4 Lack of Transport Encryption/Integrity Verification, I5 Privacy Concerns, I6 Insecure Cloud Interface, I7 Insecure Mobile Interface, I8 Insufficient Security Configurability, I9 Insecure Software/Firmware, I10 Poor Physical Security
IoT Vulnerabilities and Attacks
HIDS that acts as a honeypot to attract and detect hackers and worms by simulating vulnerable systems, services and Trojans
KFSensor
A built-in sniffer and password cracker looking for port 88 Kerberos traffic
KerbCrack
A replay attack (a type of exploitable flaw) on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven.
Key Reinstallation Attack (KRACK)
A keylogger
KeyLlama
A wireless packet analyzer/sniffer that can be used for discovery. Works without sending any packets and can detect access points that have not been configured. Works by channel hopping.
Kismet
Designed to audit passwords and recover applications. Recovers lost MS Windows passwords with the help of dictionary, hybrid, rainbow table, and brute-force attacks; also checks password strength
L0phtCrack
IANA group responsible for Latin America
LACNIC
An authentication method used on early versions of Windows (i.e. 98 and 95) that expands all passwords to 14 characters, converts them to uppercase, splits them into two separate seven-character strings, and then creates a 16-character hexadecimal hash for each string independently. Fills out anything that is not 14 characters long with empty spaces. Therefore, a DES hash of seven blank characters will always be AAD3B435B51404EE.
LAN Manager (LM)
Sends a SYN packet to the target with a spoofed source IP that matches the target; if vulnerable, the target loops endlessly and crashes
LAND attack
TCP/UDP port 389
LDAP
Web application attack that exploits applications that construct LDAP statements. Format includes )(&)
LDAP Injection
In this attack user credentials are recovered from captured 802.1x LEAP packets using a dictionary attack tool
LEAP Cracking attack
A .NET program that can run on Windows as well as Linux systems that have the Mono package installed. The application runs DoS attacks - blasts requests to both URL and IP addresses (TCP, UDP, or HTTP requests).
LOIC (Low Orbit Ion Cannon)
An open-source scanner that checks for the presence of indicators of compromise (IOC). IOCs are derived from incident reports, YARA rules, hashes, or file names. It consists of only three modules, so it is not as fully featured as SPARK or THOR. Installation files are available for Windows, Linux, and Mac OS.
LOKI
Sniffers operate at what two layers of the OSI model? One layer provides for physical addressing and framing (MAC addresses, Ethernet frames, and so on) and the other layer handles the packets and payloads (IP addressing and such)
Layer 2 and Layer 3
Packet filtering firewalls work at what layer.
Layer 3
Stateful firewalls work at what layer.
Layer 4
Circuit level firewalls work at what layer.
Layer 5
Application-Level Firewalls work at what layer.
Layer 7
The packet capture library/driver used by virtually every sniffing and scanning tool on Linux machines
Libpcap
48 bits long and displayed as 12 hex characters separated by colons. Includes an organizationally unique identifier and the physical address of a NIC
MAC Address
Designed to scan and locate a variety of security issues on Windows products including missing patches, weak passwords, and security misconfigurations.
MBSA
Hash Algorithm; produces 128 bit hash expressed as 32 digit hex number; has serious flaws; still used for file download verification
MD5
Takes a message of arbitrary length as input and produces a 128-bit hash value output.
MD5
The resource type that is used to display email mailbox information
MINFO
A type of switching that enables any one of several Layer 2 protocols to carry multiple types of Layer 3 protocols. One of its benefits is the ability to use packet-switched technologies over traditionally circuit-switched networks. Can also create end-to-end paths that act like circuit-switched connections.
MPLS (Multiprotocol Label Switching)
Label, Traffic Class (TC), Bottom-of-Stack (S), and TTL.
MPLS fields
Lists email servers in DNS
MX (Mail Exchange)
4th Hacking phase: Items are put in place to ensure the attacker has future access to the system.
Maintaining Access
Items are put in place to ensure future access to a system.
Maintaining Access (Phase 4 of Hacking)
Displays relational information by using graphs and links. It is a data mining tool that can analyze relationships from information found on the Internet. Information that can be harvested and correlated includes names, email addresses, companies, websites, domains, IP addresses, documents, and files. It captures this information from a variety of sources, including search engines, social networks, DNS records, and WHOIS records. The information is then presented by graphically linking the associated relationships.
Maltego
Software used for open-source intelligence and forensics, developed by Paterva. It focuses on providing a library of transforms for discovery of data from open sources, and visualizing that information in a graph format, suitable for link analysis and data mining. A unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Its unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.
Maltego
Virtual database containing a formal description of all network objects that SNMP manages. Collection of hierarchically organized information. Provides information as Object IDs (OIDs), which include the object's type, access level, service restrictions, and range information, converted to human-intelligible information by the SNMP manager
Management Information Base (MIB)
A port scanner that will scan as fast as your system and network connection will allow it to go; uses --rate=[#] to indicate packets/second; can also grab banners with the --banners parameter.
Masscan
A GUI-based tool that runs under Windows. The tool incorporates several functions into a single interface including a ping scan, port scanning, and other enumeration utilities. Port scans can be run with preselected port selections.
MegaPing
Process deployed by Apple that leads to tricking the process to access out of bounds memory by exploiting CPU optimization mechanisms such as speculative execution
Meltdown Vulnerability
A fixed-length value that is generated by running the entire message through a cryptographic algorithm and outputs a hash
Message Authentication Code
A feature of WPA that provides integrity checking and helps protect against man-in-the-middle attacks. It adds a new field that includes a sequence number to wireless packets, and if the WAP receives packets out of order, it will drop them.
Message Integrity Check (MIC)
Viruses that rewrite themselves each time they infect a new file.
Metamorphic
A penetration-testing tool that combines known scanning techniques and exploits to explore potentially new types of exploits. Developed as an exploit framework and now has over 1000 auxiliary modules, many of which are scanners for reconnaissance and enumeration. The program can import scans from OpenVAS, Nessus, and Nexpose.
Metasploit
An OS agnostic shell language payload within the Metasploit Framework that provides control to run a number of commands on a target system. Once loaded, the application resides completely in the memory of the exploited host and leaves no traces on the hard drive, making it very difficult to detect with conventional forensic techniques.
Meterpreter
Creates a listener port on port 31337 that can be connected to in order to get a meterpreter shell
Metsvc
Layer that sits between the application and hardware in IoT architecture; handles device management, data analysis and aggregation
Middleware Layer
A utility metasploit module that could be used to extract passwords from a compromised system
Mimikatz
Monitors application permissions, sorting them into three categories by privacy-risk level
Mobile Privacy Shield
Helps in taking control of mobile applications; easily allow/block application connectivity and block background application activity. Generates alerts when new applications access the Internet
Mobiwol
One way that attackers attempt to hide data on a computer.
Modifying File Extensions
A tool used to automate SQL injection attacks
Mole
Used to automate SQL injection attacks
Mole tool
Uses a combination of volumetric, protocol, and application-layer attacks to take down target system or service
Multi-Vector Attack
Firewall that has two or more interfaces
Multi-homed
Addressed to multiple host interfaces
Multicast
Viruses that attempt to infect both files and the boot sector at the same time.
Multipartite
Web application security scanner that searches for vulnerabilities such as clickjacking, XSS, and SQL injection
N-STalker Web Application Security Scanner
Distributes process across multiple servers; normally as three-tiers: Presentation (web), Logic (application), and data (database)
N-Tier Architecture
This architecture allows each tier to be modified independently of the other tiers
N-tier
Often implemented on a network by connecting it to the switched port analyzer (SPAN) port on a switch.
NIDS device
Older tool for fragmenting bits
NIDSbench
Standard that catalogs the security and privacy controls for federal information systems; created to assist the implementation of FISMA.
NIST SP 800-53
An open source firewall for the NetBSD operating system
NPF
Lists the nameservers for a namespace in DNS
NS (Nameserver)
Provides authentication, encryption, and message encryption. It is a management protocol used to synchronize the clock on network devices. You can configure it to ensure that only specified devices are used for time synchronization. It supports DES encryption for message integrity and authentication. It uses UDP port 123.
NTP
UDP Port 123
NTP
US Government repository of standards based vulnerability management data represented using the SCAP. Enables automation of vulnerability management, security measurements, and compliance
National Vulnerability Database (NVD)
A CLI tool that is available for both Linux and windows hosts that can generate many types of packets and inject packets at Layer 2 or 3. It can generate ARP, Ethernet, TCP and UDP packets as well.
Nemesis
The most commonly-deployed vulnerability assessment solution which helps you perform high-speed asset discovery, target profiling, configuration auditing, malware detection, sensitive data discovery and so much more.
Nessus
TCP/UDP port 137, UDP port 138, TCP port 139
NetBIOS
Full-featured advanced Android no-root firewall used to fully control mobile device network. Can create network rules based on application, IP address, domain name, and more
NetPatch Firewall
Investigation tool that allows one to troubleshoot, monitor, discover, and detect devices on a network. Gathers information about the local LAN, Internet users, IP addresses, ports, and more. Finds vulnerabilities and exposed ports in a system. Combines many network tools and utilities categorized by their function.
NetScan Tools Pro
SMTP email generation tool tests process of sending email message through an SMTP server
NetScan Tools Pro
A Windows tool that facilitates detection of Wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards. It can also collect and decrypt the wireless packets.
NetStumbler
A tool for Windows that has similar features to NetStumbler and Kismet and does not require special drivers
NetSurveyor
A simple Unix/Linux utility which reads and writes data across network connections using TCP or UDP protocols. There is also a binary available for Windows platforms. Commonly embedded in Trojan payloads.
Netcat
Networking utility that reads and writes data across network connections using the TCP/IP protocol
Netcat
A search engine that provides information about websites and possibly OS information.
Netcraft
Determines the OS of a queried host by looking in detail at network characteristics of the HTTP response received from a website. Identifies vulnerabilities in web servers via indirect methods
Netcraft
Tools that can assist in protecting against phishing. These two tools can help in identifying risky sites and phishing behavior.
Netcraft Toolbar, PhishTank Toolbar
Finds and reports web application vulnerabilities such as SQL injection and XSS on all types of web apps regardless of platform and technology they are built with
Netsparker
Used for Network statistics
Netstat
Examines computer network traffic for signs of incidents/attacks. Uses tracer tools to identify incidents. Contacts ISP and seeks their assistance in handling incidents. Performs necessary actions required to block network traffic from suspected intruder
Network Administrator
Android application with automated network analysis and network honeypot for guarding your network
Network Guard
Special port on a switch that allows the connected device to see all traffic
Network Tap
A command-line vulnerability scanner that scans webservers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received.
Nikto
Can save or log information to Metasploit, CSV, NBE, HTML, text, and XML format.
Nikto
Vulnerability scanner used extensively to identify potential vulnerabilities in web applications and servers
Nikto2
Creates a portable XML output of a scan in nmap
Nmap --webxml
An exploit that pushes a CPU's instruction execution to a desired location when the exact target branch instruction is unpredictable.
No Operation (NOP) slide/sled
Network security auditing tool suite, includes more than 45 network tools and utilities for network security auditing, network scanning, network monitoring and more.
Nsauditor
Work similarly to an XMAS scan, but Windows boxes will respond as well
Null and FIN scans
A proprietary technology developed by Microsoft that allows embedding and linking to documents and other objects.
OLE
Nmap has a database of fingerprints containing details about how each OS behaves including how IP identification field is generated, the initial sequence number, the initial windows size, and several other details. Must find at least 1 open and 1 closed port.
OS Scanning
Uses open source intelligence to get information about a target
OSRFramework
Methodology manual maintained by ISECOM and defines three types of compliance (Legislative, Contractual, Standards Based).
OSSTMM
Interactive Controls including authentication, indemnification, subjugation, continuity, and resilience.
OSSTMM Class A
Process Controls including non-repudiation, confidentiality, privacy, integrity, and alarm.
OSSTMM Class B
M1 Improper Platform Usage, M2 Insecure Data Storage, M3 Insecure Communication, M4 Insecure Authentication, M5 Insufficient Cryptography, M6 Insecure Authorization, M7 Client Code Quality, M8 Code Tampering, M9 Reverse Engineering, M10 Extraneous Functionality
OWASP Top 10 Mobile Risks
A1. Injection Flaws, A2. Broken Authentication and Session Management, A3. Sensitive Data Exposure, A4. XML External Entities (XXE), A5. Broken Access Control, A6. Security Misconfiguration, A7. Cross-Site Scripting, A8. Insecure Deserialization, A9. Using Components with Known Vulnerabilities, A10. Insufficient Logging and Monitoring
OWASP Web Top 10
When using this application, you should address code injection, buffer overflow, string formatting, and thread racing vulnerabilities.
Objective-C
Provides a graphical interface to analyze and troubleshoot enterprise networks. Offers real-time visibility and analysis into every part of the network from a single interface
OmniPeek enterprise
A switch port and IP address management software that can manage IP addresses, map switch ports, detect rogue devices, monitor bandwidth usage, monitor DHCP server, backup Cisco configuration files, view SNMP traps, get MAC IP list, and more.
OpUtils
Allows for browsing websites smoothly and anonymously
OpenDoor
A software framework of several services and tools offering vulnerability scanning and vulnerability management. All products are free software, and most components are licensed under the GNU General Public License.
OpenVAS
Proxy app that allows other apps to use Internet more securely. Uses Tor to encrypt Internet traffic, then hides it by bouncing through series of computers around the world. Creates truly private Internet connection.
Orbot
Someone outside the organization who uses an open access channel to gain access to an organization's resources
Outside Affiliate
Many-to-one address mapping in NAT
PAT (Port Address Translation)
Install and maintain a firewall configuration to protect cardholder data
PCI DSS Requirement 1
Track and monitor all access to network resources and cardholder data
PCI DSS Requirement 10
Regularly test security systems and processes
PCI DSS Requirement 11
Maintain a policy that addresses information security for all personnel
PCI DSS Requirement 12
Do not use vendor-supplied defaults for system passwords and other security parameters
PCI DSS Requirement 2
Protect stored cardholder data
PCI DSS Requirement 3
Encrypt transmission of cardholder data across open, public networks
PCI DSS Requirement 4
Use and regularly update antivirus software or programs
PCI DSS Requirement 5
Develop and maintain secure systems and applications
PCI DSS Requirement 6
Restrict access to cardholder data by business need to know
PCI DSS Requirement 7
Assign a unique ID to each person with computer access
PCI DSS Requirement 8
Restrict physical access to cardholder data
PCI DSS Requirement 9
A free data encryption program that requires no management of server services and provides privacy and authentication for data communication. Can encrypt disks as well as emails and other data.
PGP (Pretty Good Privacy)
Man-in-the-middle exploit which takes advantage of the Internet and security software clients' fallback to SSL 3.0.
POODLE
TCP port 110
POP3
HTTP request method that sends data via body - data not shown in URL or in history
POST
A tunneling protocol that operates at the Data Link layer (Layer 2).
PPTP (Point to Point Tunneling Protocol)
A system used by the NSA to wiretap external data coming into the US
PRISM
Monitors all systems, devices, traffic, and applications of IT infrastructure using various technologies such as SNMP, WMI, SSH, and others
PRTG Network Monitor
Helps to control and manage remote systems from CLI using multiple commands
PSTools Suite
Maps an IP to a hostname (Reverse record) in DNS
PTR (Pointer)
HTTP request method that requests data to be stored at the URL
PUT
Geared toward software development because it provides a development platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software
PaaS
An application that uses a GUI approach to packet crafting.
PackETH
Programs that can deliver malware; obscure the actual program code because the only executable function is one designed to extract and decompress the real malware
Packers
The area at the bottom of Wireshark display that contains hexadecimal characters.
Packet Bytes Pane
Firewall that only looks at the headers; makes determination about disposition of packets based on protocol, ports, and addresses.
Packet-filtering
Used to create encrypted packets that can subsequently be used for injection
Packetforge-ng
A web server attack that manipulates parameters with URL to achieve escalation or other changes
Parameter Tampering (URL Tampering)
A network policy that locks everything down.
Paranoid
By default, Snort IDS rules are evaluated in this order
Pass, Drop, Alert, Log
Windows password recovery tool
Passware Kit Forensic
Kismet, L0phtCrack, Nmap, Ngrep, Snort, Tcpdump, and Wireshark all use what as their packet capture library
Pcap
The packet capture library/driver (WinPcap, now Npcap) used by virtually every sniffing and scanning tool on Windows
Pcap
A search application that allows one to search for people by name or username.
PeekYou
Network policy that blocks only known dangerous sites/objects.
Permissive
Redirects victims by modifying the host configuration or DNS
Pharming
A DoS attack that causes permanent damage to a system; also called bricking a system
Phlashing
Good for spyware on a Blackberry
PhoneSnoop
An attack that uses fragmented ICMP messages to disable a target host when the messages are reassembled
Ping of Death
A suite of network troubleshooting utilities packaged in an intuitive, easy to use user interface. It can continuously ping multiple hosts at the same time, perform forward & reverse DNS lookups as well as traceroute automatically. Results can be logged to disk or copied to the clipboard.
Pinkie
Type of IDS evasion technique which hides commonly used strings with a simple technique like XOR, so that the payload bypasses signature-based IDSes looking for them. The payload also includes a stub that decodes and executes the hidden shellcode differently each time. Is often used to hide NOP sleds/slides used by buffer overflow attacks.
Polymorphic Shellcode
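An added illustration of the XOR-encoding step described above (this is example code written for this page, not from any cited tool; the payload bytes and the "/bin/sh" signature are constructed stand-ins, not real shellcode). It shows why a plain string-matching rule stops firing once the body is encoded with a fresh random key per copy, and that a decoder stub recovers the original bytes:

```python
import os

# Constructed stand-in for an attacker payload: a NOP-like run followed by a
# string that a signature-based IDS would typically match on. Not real shellcode.
SAMPLE_PAYLOAD = b"\x90\x90\x90\x90/bin/sh\x00"
SIGNATURE = b"/bin/sh"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode(payload: bytes, key_len: int = 4) -> tuple:
    """Pick a fresh random key and XOR-encode the payload with it.

    A new key on every call is what makes each transmitted copy differ.
    Keys containing a zero byte are rejected (a zero byte leaves part of the
    payload unchanged), and so are keys under which the known signature
    would still appear verbatim in the encoded output.
    """
    while True:
        key = os.urandom(key_len)
        if 0 in key:
            continue
        encoded = xor_bytes(payload, key)
        if SIGNATURE not in encoded:
            return key, encoded


def decoder_stub(key: bytes, encoded: bytes) -> bytes:
    """Models the small stub shipped ahead of the encoded body.

    At run time the stub walks the buffer, XORs each byte with the key and
    then transfers control to the recovered code; here it just returns the
    recovered bytes so the round trip can be checked.
    """
    return xor_bytes(encoded, key)


def naive_signature_match(blob: bytes) -> bool:
    """What a plain string-matching IDS rule does with the bytes on the wire."""
    return SIGNATURE in blob


def demo() -> dict:
    """Encode the sample twice and report what a signature rule sees."""
    key1, enc1 = encode(SAMPLE_PAYLOAD)
    key2, enc2 = encode(SAMPLE_PAYLOAD)
    return {
        "plain_flagged": naive_signature_match(SAMPLE_PAYLOAD),   # True
        "encoded_flagged": naive_signature_match(enc1),           # False
        "round_trip_ok": decoder_stub(key1, enc1) == SAMPLE_PAYLOAD,
        "copies_differ": enc1 != enc2,   # practically always True: independent keys
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The part that stays constant across copies is the decoder stub itself, which is why IDS signatures for polymorphic payloads target the stub's instruction pattern (or use emulation) rather than the encoded body.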
Translates multiple private IP addresses to a single public IP address; this is also referred to as Network Address Translation (NAT) overload
Port Address Translation (PAT)
Allows traffic from a specific MAC address to enter to a port
Port Security
Controls used to stop potential attacks by preventing users from performing specific actions.
Preventive
TCP Port 515
Printer Listening Service
Hosts internal hosts that only respond to requests from within that zone
Private Zone
An attacker who exploits a flaw in an application to bypass the security of the application has performed what?
Privilege Escalation Attack
A wide open network policy.
Promiscuous
A set of security requirements and objects for the type of product to be tested
Protection Profile (PP)
It is primarily used to hide the source of a network connection. It terminates the connection with the source device and initiates a new connection with the destination device, thereby hiding the true source of the traffic. When the reply comes from the destination source, it forwards the reply to the original source device.
Proxy Firewall
Proxy server that displays data passing through it in real time and allows drilling into particular TCP/IP connections, view their history, save data to file, and view socket connection diagram.
Proxy Workbench
Application to help set proxy on Android devices
ProxyDroid
Allows one to surf the Internet anonymously without disclosing IP address. Helps access various blocked sites in organization.
ProxySwitcher
A network policy that blocks most sites and only allows things for business purposes.
Prudent
Lightweight telnet replacement that can execute processes on other systems, complete with full interactivity for console apps, without having to manually install client software (PsFile, by contrast, lists files opened remotely)
PsExec
CLI tool that gathers key information about local/remote legacy WinNT/2000 systems including type of installation, kernel build, registered organization and owner, number of processors and type, amount of physical memory, installation date of system, and expiration date
PsInfo
Kill utility that can kill processes on remote systems and terminate processes on local computer
PsKill
CLI tool that displays process, CPU, memory and thread statistics for a local or remote system
PsList
Clone of elogdump except that it can log into remote systems in situations where user's security credentials would not permit access to event log and retrieves message strings from computer on which event log resides
PsLogList
Applet that displays both locally logged on users and users logged on via resources for either local/remote computer
PsLoggedOn
Can change account password on local/remote systems, enabling administrators to create batch files that run against computers they manage in order to perform mass change of administrator password
PsPasswd
Can shutdown/reboot local/remote computers
PsShutdown
An anonymizer like Proxify and Tor
Psiphon
Circumvention tool that utilizes VPN, SSH, and HTTP proxy technology to provide open and uncensored access to Internet content; does not increase online privacy and is not an online security tool
Psiphon
Employee with all rights and access associated with being an employee
Pure Insider
Doubles the data rate of BPSK but requires slightly more complex transmitters and receivers. It is used for code division multiple access (CDMA) cellular networks and for 802.11b wireless networks; DBPSK is used for basic-rate (1 Mbps) 802.11b.
QPSK
Allows organizations to proactively scan their websites for malware, providing automated alerts and in-depth reporting to enable prompt identification and resolution
Qualys Guard Malware Detection Service
A cloud service that gives you instantaneous, global visibility to where your IT systems might be vulnerable to the latest Internet threats and how to protect against them.
Qualys Vulnerability Management
Starves a web server by keeping sessions open as long as possible. It sends an HTTP POST request with a large Content-Length header, telling the server that a long body is coming, then sends that body one byte at a time at roughly 10-second intervals. The connection stays open while the server waits for the rest of the data. Many such slow POST requests consume all of the server's available connections, leaving none for legitimate users.
R-U-Dead-Yet (RUDY)
Syskey utilizes this form of encryption
RC4
Symmetric Encryption Algorithm; block cipher derived from RC5; variable key length up to 2040 bits; the AES-candidate version uses 128-bit blocks and four 32-bit working registers
RC6
Defines recipients in SMTP
RCPT TO
A binary value in the registry system
REG_BINARY
A 32-bit unsigned integer in the registry system
REG_DWORD
Expandable string value in registry system
REG_EXPAND_SZ
A symbolic link to another key in the registry system
REG_LINK
Character string in a registry
REG_SZ
Regional Internet Registry (RIR) responsible for Europe, the Middle East and parts of Central Asia
RIPE (RIPE NCC)
Hash Algorithm; works through 80 stages (5 rounds of 16 steps) in two parallel lines; uses addition modulo 2^32; produces a 160-bit digest
RIPEMD-160
TCP Port 514
RLogin Access
TCP port 135
RPC
TCP/UDP port 135. A protocol that works on the Application layer and is used to share files, serial ports, printers, and communications devices, including mail slots and named pipes, between computers.
RPC
Asymmetric Encryption Algorithm; its security rests on the difficulty of factoring the product of two large prime numbers; common key sizes run from 1024 up to 4096 bits; the modern de facto standard for public-key encryption and signatures
RSA
Vulnerable to chosen-ciphertext attacks when used without padding (textbook RSA): because the public key is public, anyone can encrypt chosen plaintexts for analysis, and the cipher's multiplicative property lets an attacker combine ciphertexts to recover data. Proper padding (OAEP) is the countermeasure
RSA
Involves injecting an authentic-looking RST packet with a spoofed source address and a predicted sequence number. If the guessed sequence number falls inside the victim's receive window, the victim tears down the connection.
RST Hijacking
Uses API's to collect information about target system
Recon-Dog
Built as a web reconnaissance framework with independent modules, database interaction, built-in convenience functions, interactive help, and command completing that provides environment in which open source web-based reconnaissance can be conducted.
Recon-ng
1st Hacking phase: Attacker gathers information about targets.
Reconnaissance
Gathering evidence about targets
Reconnaissance (Phase 1 of Hacking)
Cain can crack a variety of passwords, as well as perform these tasks
Record and extract VoIP conversations; capture and decrypt RDP traffic; collect server certificates and prepare them for a MitM attack; poison ARP tables; start, stop, pause, continue, and remove Windows services; calculate RSA SecurID tokens; remotely manipulate Windows registry parameters; detect 802.11 wireless LANs (WLANs); reveal passwords in text boxes; and enumerate network devices and extract Security Identifiers (SIDs).
Entity responsible for receiving the subject's request and verifying the subject's identity in PKI.
Registration Authority (RA)
Remotely installs applications, executes programs/scripts and updates files/folders on Windows systems throughout network. Allows attacker to modify registry, change local admin passwords, disable local accounts, and copy/update/delete files
RemoteExec
The best way to increase security on a webserver
Remove unused Internet Server Application Programming Interface (ISAPI) filters
Provides a secure and automated solution for performing authenticated scans with continuously rotating privileged credentials.
Retina CS
Attempts to hide traces of unauthorized access by modifying drivers or kernel modules and hiding active processes. Replaces certain OS calls and utilities with modified versions that undermine the security of the target system by executing malicious functions. On Windows, hooks on functions such as GetFileAttributesEx( ) and GetFileInformationByHandle( ) are used to hide files
Rootkits
Hash Algorithm; developed by NSA; 160 bit value output
SHA-1
Takes a message of arbitrary length and produces a 160-bit hash value output
SHA-1
Hash Algorithm family; four main variants (SHA-224, SHA-256, SHA-384, SHA-512) producing outputs of 224, 256, 384 and 512 bits; SHA-256 is the most widely deployed hash today (TLS certificates, code signing)
SHA-2
Hash Algorithm; uses sponge construction
SHA-3
The Windows file and printer sharing protocol, which also carries MSRPC over named pipes. TCP port 445 directly, or TCP 139 over NetBIOS.
SMB
When an organization implements this, it protects against an attacker using a sniffer to capture SMB password hashes and then using those hashes for offline cracking
SMB Signing
TCP port 25
SMTP
Enumerates OS level user accounts on Solaris via SMTP service
SMTP-user-enum
UDP port 161, 162
SNMP
Gets information about the system in SNMP
SNMP GET
Sets information about the system in SNMP
SNMP SET
Identifies SNMP-enabled devices on a network.
SNScan
Indicates the authoritative NS for a namespace in DNS
SOA (Start of Authority)
Web application attack in which the attacker injects query strings in order to bypass authentication
SOAP Injection
Considered to be the little brother of THOR. Like THOR, this is an APT scanner that checks for the presence of hacking tools and attacker activity. It also requires no installation. However, it consists of only nine modules, whereas THOR consists of 26. In addition, it can run on Windows, Linux, and Mac OS. It is written in Go.
SPARK
SQL Injector, SQL Ninja, Havij, Pangolin, Absinthe
SQL Injection Tools
Points to a specific service in DNS records
SRV (Service)
TCP port 22
SSH
Operates above the transport layer. In SSL 3.0 the CBC padding is not covered by the MAC, which is what padding-oracle attacks such as POODLE exploit. Encrypts the entire communication channel, not each message independently.
SSL
Application developed to grab messages and strip the encryption from them.
SSLStrip
Takes advantage of a 3-way handshake. A SYN message alone will consume a connection buffer at the OS
SYN Flood Attack
UDP port 514
SYSLOG
Used to find security vulnerabilities in a website or a web server. Can generate comprehensive test reports and also can assist in fixing security problems that might exist in company's website or web server
ScanMyServer
Obtaining more in-depth information about targets
Scanning & Enumeration (Phase 2 of Hacking)
Check for live systems; check for open ports; scan beyond IDS; perform banner grabbing; scan for vulnerabilities; draw network diagrams; prepare proxies
Scanning Methodology
1. Perform host discovery 2. Perform port scanning 3. Scan beyond IDS and firewall 4. Perform banner grabbing and OS fingerprinting 5. Draw network diagrams 6. Document all the findings
Scanning and Enumeration steps
Specifically looks for Windows authentication traffic on the wire and has a password cracker
ScoopLM
Typically requires an interpreter
Scripting Language
Perl, Python, Ruby
Scripting Languages
This role is responsible for developing and providing appropriate training programs on the risk management process and IT security awareness in the organization. They are SMEs and validate that proper content is included in the program.
Security Awareness Trainers
The documentation for a system or product that is to be tested
Security Target (ST)
Designed for checking lists of HTTPS and SOCKS proxies for "honeypots"
Send-Safe Honeypot Hunter
This role's involvement is required for effective risk management. Responsible for supervising the risk management plans carried out in the organization and for developing the policies and techniques required to handle commonly occurring risks. Through their expertise they can design the steps required for handling future risk.
Senior Management
An IDS technique that helps to mitigate session splicing attacks by reassembling the smaller packets before performing expression matching.
Session Reconstruction
The process of delivering pieces of payload by using multiple packets
Session Splicing
High-performance cross-platform secure SOCKS5 proxy
Shadowsocks
The process of analyzing suspect files for viruses and other malware
Sheep Dipping
A Linux vulnerability that allows an attacker to cause vulnerable versions of Bash to execute arbitrary commands.
Shellshock (Bashdoor) Attack
Website used to look for IoT devices; query language is similar to Google with additional keywords that can be used to identify network traffic and may include part numbers.
Shodan
These IDSs have a low false positive rate because they search network traffic for specific strings of text to determine whether the traffic is malicious in nature
Signature-matching
A platform independent XML-based communication protocol used to provide a way to communicate between applications running on different OS's with different technologies and programming languages. Generally over HTTP (or the Internet).
Simple Object Access Protocol (SOAP)
Used to determine the location of known Wi-Fi access points based on a worldwide database, not to discover nearby Wi-Fi networks and devices. Uses the Wi-Fi Positioning System (WPS) and GPS to locate positioning of devices within 10 to 20 meters.
Skyhook
Client requests a large response but advertises a tiny TCP receive window and reads it a few bytes at a time, so the server's send buffer and connection slot stay occupied and it cannot serve legitimate requests
Slow Read Attack
Sends incomplete requests to a server
Slowloris Attack
Attack that sends a large number of pings to the broadcast address of the subnet with source IP spoofed as the target; entire subnet responds exhausting the target
Smurf Attack
Disabling the directed broadcast feature on a router will limit the damage and prevent this attack completely.
Smurf Attack
Includes sniffer, packet logger, and network IDS modes. An open-source NIDS that can analyze network traffic in real-time.
Snort
A searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering.
Social Engineering Framework (SEF)
An open-source Python penetration testing framework designed for social engineering by Dave Kennedy
Social-Engineer Toolkit (SET)
Works with Active Directory, Novell Directory Services, Netscape/iPlanet and provides a wide variety of features essential for LDAP development, deployment, and administration of directories
Softerra LDAP Administrator
A collection of 60-plus tools that let you discover, configure, monitor, and troubleshoot your network.
SolarWinds Engineer's Toolset
Switch configuration that makes the switch send a copy of all frames from other ports to a specific port. Not all switches support it, and on many switches the mirror port can only receive traffic, not transmit, so a sniffer attached to it cannot inject packets.
Span Port OR Port Mirroring
Layer 2 protocol that prevents switching loops by killing connecting ports along the way
Spanning Tree Protocol
Viruses that only fire when a specific condition is met.
Sparse Infector
Simulates a complete system and provides an appealing target to lure hackers away from production systems. Offers typical Internet services such as SMTP, FTP, POP3, HTTP, and Telnet which appear perfectly normal to attacker
Specter
Exploits speculative execution: the processor is tricked into speculatively running instructions whose results it later discards, and the side effects left in the cache let an attacker read memory they would normally not have access to
Spectre Vulnerability
Performs multiple attacks on a server, including UDP floods, ICMP floods, TCP SYN floods, and Smurf attacks. It combines the features of Trinoo with the features of Tribe Flood Network (TFN) and adds encryption.
Stacheldraht
Source host (primary name server), contact e-mail, serial number, refresh time, retry time, expire time, TTL (minimum)
Start of Authority (SOA) fields
Based on a finite state machine; at any point, machine is either at a single state or in a transition between two states
State Machine
Firewall that tracks the entire status of a connection; keeps track of the state of messages, so decisions are based on ports, addresses, and state of connection
Stateful Inspection
one-to-one address mapping in NAT
Static NAT
Analyzer for wired and wireless networks that captures terabytes of packet data. Traversing them is the first step for complete real-time and back-in-time analysis
SteelCentral Packet Analyzer
1. Perform a Risk Assessment 2. Collect standard guidelines to use as guides 3. Include senior management in the policy development 4. Set clear penalties and enforce them 5. Make the final version of the policies available to the staff 6. Ensure every staff member reads, signs, and understands the policies. 7. Deploy tools to enforce the policies 8. Train and educate users about the policies 9. Review and update the policies on a regular basis
Steps for creating security policies
1. Prepare for incident handling and response 2. Detect and analyze 3. Classify and prioritize 4. Notify 5. Contain 6. Investigate 7. Eradicate and recover 8. Perform post-incident activities
Steps in the Incident Management Process
http://www.verigon.com/script.ext?template=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 (decodes to template=../../../etc/passwd: %2e = '.', %2f = '/', %65%74%63 = etc, %70%61%73%73%77%64 = passwd; the percent-encoding hides a directory traversal from naive string matching)
Strange Unicode Request
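An added example (written for this page, not taken from any tool it lists) of the decoding step a filter or IDS has to perform before a request like the one above can be matched. It decodes repeatedly to catch double encoding, strips injected control characters, normalizes the path the way a file system would, and flags traversal and well-known target files. The URL and parameters it runs on are the page's own example plus constructed variants:

```python
import posixpath
import urllib.parse

# File names whose appearance in a decoded path parameter is worth an alert
SENSITIVE_TARGETS = ("/etc/passwd", "/etc/shadow", "boot.ini", "win.ini")


def decode_repeatedly(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing.

    A single pass misses double encoding (%252e -> %2e -> '.'); the bound
    keeps a hostile input from looping forever.
    """
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_path_param(raw: str) -> dict:
    """Decode one URL parameter value and report traversal indicators."""
    decoded = decode_repeatedly(raw)
    # CR, LF and NUL are sometimes injected to confuse loggers or the C
    # string functions behind a web server; record them, then drop them.
    control_chars = any(ord(c) < 0x20 for c in decoded)
    cleaned = "".join(c for c in decoded if ord(c) >= 0x20)
    unified = cleaned.replace("\\", "/")          # treat Windows separators alike
    traversal = ".." in unified.split("/")
    # Resolve the path as the file system would, rooted at '/'
    normalized = posixpath.normpath("/" + unified)
    sensitive = next((t for t in SENSITIVE_TARGETS if t in normalized), None)
    return {
        "decoded": decoded,
        "normalized": normalized,
        "traversal": traversal,
        "control_chars": control_chars,
        "sensitive_target": sensitive,
        "suspicious": traversal or control_chars or sensitive is not None,
    }


def analyze_url(url: str) -> dict:
    """Run the check over every query parameter of a request URL."""
    query = urllib.parse.urlsplit(url).query
    # parse_qsl decodes once; analyze_path_param handles any further layers
    return {name: analyze_path_param(value)
            for name, value in urllib.parse.parse_qsl(query, keep_blank_values=True)}


# The page's own example request, with the traversal percent-encoded
PAGE_EXAMPLE = ("http://www.verigon.com/script.ext?template="
                "%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64")

if __name__ == "__main__":
    for name, result in analyze_url(PAGE_EXAMPLE).items():
        print(name, result)
```

On the page's request the decoder yields `../../../etc/passwd`, which normalizes to `/etc/passwd` and is flagged on both the traversal and the target-file check; a benign `report.html` triggers neither.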
Small executable that unpacks or decrypts the real program
Stub
The first address of a subnet
Subnet or Network address
Application designed for rooting an Android device
SuperOneClick
A free connect-based port scanning software designed to detect open TCP and UDP ports on a target computer, determine which services are running on those ports, and run queries such as whois, ping, ICMP traceroute, and Hostname lookups.
Superscan
Used to obfuscate binary code in an executable so that it is undetectable by anti-virus software. A full undetectable crypter that can also bind other files and spoof extensions.
SwayzCryptor
Attacker floods the switch with forged frames whose source MAC is the victim's, racing the victim so that the CAM table maps the victim's MAC to the attacker's port; frames for the victim are then delivered to the attacker until the victim transmits again
Switch Port Stealing
Uses multiple forged identities to create the illusion of traffic in IoT
Sybil Attack
Automates web application security testing and guards organization's web infrastructure against web application security threats.
Syhunt Hybrid Web Application Security Scanner
Examines and updates service packages and patches available on critical systems. Examines backups for critical systems and inspects systems for logs for unusual activity.
System Administrator
Can be used to diagnose problems with the startup process on a computer.
System Configuration Utility (MSCONFIG)
This role mainly monitors plans and policies developed for IS. Responsible for appropriate security controls used to maintain confidentiality, integrity, and availability for IS
System and Information Owners
hping2 uses this to send packets by default
TCP
Packet capture program native to Linux/Unix, built on libpcap; its default one-line output primarily shows layer 3 and layer 4 header information.
tcpdump
Source Port, Destination Port, Sequence Number, Acknowledgement Number, Data Offset, Reserved, Control Bits (flags), Window, Checksum, Urgent Pointer, Options
TCP Header Fields
Denial of Service attacks that go after load balancers, firewalls, and application servers by attempting to consume their connection state tables.
TCP State-Exhaustion Attacks
Besides the IP TTL, the header fields most often analyzed during passive OS fingerprinting
TCP window size, DF flag, ToS field
Attacker intercepts an established connection between two communicating parties using spoofed packets and then pretends to be one of them
TCP/IP Hijacking
A host-based tool that displays TCP and UDP connections between the host and destination devices on Windows (Netstat can be used for Windows, Linux, and Unix). Information displayed by TCPView includes the process ID, protocol, local and remote address, local and remote port, connection state, number of sent and received packets, and number of sent and received bytes for each connection. Devices can be displayed by host name or by IP address. It updates every second by default, but can be set to 1s, 2s, 5s, or Paused.
TCPView
A well-known sniffer and packet analyzer for Linux
tcpdump
UDP port 69
TFTP
A password cracking tool which utilizes a dictionary attack method.
THC Hydra
A full-featured APT scanner. Rather than focus on detecting malware, it detects hacking tools and attacker activity. Results are displayed by color-coded CLI output and can be output to ASCII, HTML, or Syslog. It can be run only on Windows; however, it does not require installation and does not require the .NET framework. It is written in Python
THOR
HTTP request method that requests application layer loopback of message
TRACE
The command line interface of Wireshark.
TShark
A live operating system that a user can start on any computer from a DVD, USB, or SD card
Tails
Allows you to change the MAC address of your NIC instantly. Has very simple user interface and provides ample information regarding each NIC in the machine
Technitium MAC Address Changer
An Internet tool for Windows that will allow you to perform different browsing functions, compile data, and view the structure of the website of your choosing.
Teleport Pro
TCP port 23
Telnet
The command in telnet for banner grabbing
Telnet <IPAddress> 80
In Wireshark display, the area between the packet list pane and the packet bytes pane
The Packet Details Pane
The main area in the Wireshark display.
The Packet List Pane
This character is used to denote a character string in SQL commands
The single quote (')
getElementById( ), getElementsByTagName( )
The two primary object methods used in JavaScript for XSS defacement attacks.
A risk equation component that is best described as the frequency, or rate, of a potential negative event
Threat
In blind-based SQL injection, an attacker will insert a delay that occurs in response to a true or false query. If the delay occurs, an attacker can determine the result of the query. For example, an attacker can query whether a table named CARDNUMBERS exists and, if so, perform a 10-second delay. If the delay occurs, the table exists.
Time-Based
In-line threat protection that defends critical data and applications without affecting performance and productivity. Contains over 8700 security filters written to address 0-day and known vulnerabilities. Consists of both inbound/outbound traffic inspection, as well as applied security capabilities
TippingPoint
Injects frames into a WPA TKIP network with QoS (aircrack-ng suite). The suite's tool that creates a virtual tunnel interface to monitor encrypted traffic and inject arbitrary traffic into a network is airtun-ng.
Tkiptun-ng
This tool counts up the TTL as each hop out is made
Traceroute
Enables security professionals to audit and validate behavior of security devices by generating standard application traffic or attack traffic between two virtual machines. Can be used to assess, audit, and test behavioral characteristics of any non-proxy packet filtering device
Traffic IQ Professional
Uses a single organization to manage the authentication and verification process for each company that is participating in the model.
Trusted Third-Party Model
AH provides authentication and integrity but not encryption in this mode for the encapsulated packet
Tunnel Mode
Symmetric Encryption Algorithm; block cipher; up to 256 bit key
Twofish
Protocol Unreachable
Type 3 Code 2
Port Unreachable
Type 3 Code 3
Source Port, Destination Port, Length, Checksum
UDP Header Fields
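An added example (written for this page, not from any listed tool) that unpacks the TCP and UDP header fields named in the two entries above from raw bytes, in wire order, and then names the flag combinations a scanner or IDS cares about. The sample segments are constructed with struct, not captured traffic:

```python
import struct

# The six RFC 793 control bits, in bit order within the flags byte
TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def parse_tcp_header(segment: bytes) -> dict:
    """Unpack the fixed 20-byte TCP header plus any options.

    Wire order: source port, destination port, sequence number,
    acknowledgement number, data offset/reserved, control bits, window,
    checksum, urgent pointer, then options up to the data offset.
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flags,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4          # header length in bytes (20..60)
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": data_offset,
        "flags": [name for name, bit in TCP_FLAG_BITS if flags & bit],
        "window": window,
        "checksum": checksum,
        "urgent": urgent,
        "options": segment[20:data_offset],
        "payload": segment[data_offset:],
    }


def parse_udp_header(datagram: bytes) -> dict:
    """Unpack the 8-byte UDP header: source port, destination port, length, checksum."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("bad UDP length %d" % length)
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": checksum, "payload": datagram[8:length]}


def classify_flags(flags: list) -> str:
    """Name the flag combinations that matter to a scanner or an IDS."""
    s = set(flags)
    if not s:
        return "null"                        # NULL scan probe
    if s == {"FIN", "PSH", "URG"}:
        return "xmas"                        # XMAS scan probe
    if s == {"SYN"}:
        return "syn"                         # connection request / SYN scan
    if s == {"SYN", "ACK"}:
        return "syn-ack"
    if "RST" in s:
        return "rst"
    return "other"


# Constructed samples (not captured traffic):
# a SYN from port 40000 to 80, window 65535, with a 4-byte MSS=1460 option
SAMPLE_TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0x11223344, 0,
                             6 << 4, 0x02, 65535, 0, 0) + b"\x02\x04\x05\xb4"
# an XMAS probe to port 22: FIN|PSH|URG (0x29), no options
SAMPLE_TCP_XMAS = struct.pack("!HHIIBBHHH", 40001, 22, 0, 0,
                              5 << 4, 0x29, 1024, 0, 0)
# a UDP datagram from 53000 to 53 carrying 12 bytes of constructed payload
SAMPLE_UDP = struct.pack("!HHHH", 53000, 53, 20, 0) + b"\xab\xcd\x01\x00" * 3

if __name__ == "__main__":
    for name, seg in (("SYN", SAMPLE_TCP_SYN), ("XMAS", SAMPLE_TCP_XMAS)):
        h = parse_tcp_header(seg)
        print(name, h["src_port"], "->", h["dst_port"], h["flags"], classify_flags(h["flags"]))
    print("UDP", parse_udp_header(SAMPLE_UDP))
```

The data-offset and length checks matter in practice: a crafted header that claims more option bytes than are present is a classic way to crash a careless parser, so both are validated before slicing.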
Hijacker forges server reply to client UDP request before server can respond
UDP Hijacking
Sends out a message; closed ports should generate an ICMP port unreachable message and open ports may respond with something or just not at all
UDP Scanning
The resource type that is used to display user information
UINFO
Silently copies the files and folders from a USB when it is connected to the system
USB Dumper
A sniffer for Windows
USB Snoopy
A network sniffer, designed for capture and analysis of the packets going through the network. Using the packet driver, it requests all the packets from the network card driver (even the packets not addressed to this computer).
Ufasoft
Addressed and intended for one host interface
Unicast
In a blind-based SQL injection attack, an attacker uses the UNION command to join multiple SELECT queries, thereby revealing database information to the attacker.
Union-Based
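An added example (written for this page, not from any listed tool) covering the single-quote, union-based and blind entries above: a deliberately vulnerable search that concatenates user input into SQL beside its parameterized form, run against a constructed in-memory SQLite database. It shows the UNION payload pulling rows out of a second table, a boolean-blind probe inferring whether that table exists, and why a lone quote breaks the concatenated query. SQLite has no SLEEP(), so the time-based variant is noted in a comment rather than run:

```python
import sqlite3

# Constructed schema and rows for the demonstration (in-memory, no real data)
SCHEMA = """
CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO products(name, price) VALUES ('widget', 9.99), ('gadget', 19.99);
CREATE TABLE cardnumbers(id INTEGER PRIMARY KEY, holder TEXT, pan TEXT);
INSERT INTO cardnumbers(holder, pan) VALUES ('alice', '4111111111111111');
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term: str) -> list:
    """Deliberately vulnerable: the user's text is concatenated into the query,
    so a single quote in `term` closes the string literal and whatever follows
    is parsed as SQL."""
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term: str) -> list:
    """Hardened form: a bound parameter is always treated as data, never as SQL."""
    return conn.execute(
        "SELECT name, price FROM products WHERE name = ?", (term,)).fetchall()


# Union-based: append a SELECT with the same column count so the other table's
# rows come back in the product listing; '--' comments out the trailing quote.
UNION_PAYLOAD = "x' UNION SELECT holder, pan FROM cardnumbers --"


def blind_table_exists(conn, table: str) -> bool:
    """Boolean-blind probe: the injected condition is true only if the table
    exists, so the known row 'widget' is returned or not. In MySQL the same
    probe becomes time-based by wrapping the condition in IF(..., SLEEP(10), 0)
    and timing the response."""
    probe = ("widget' AND (SELECT COUNT(*) FROM sqlite_master "
             "WHERE type='table' AND name='%s') > 0 --" % table)
    return len(search_vulnerable(conn, probe)) == 1


def quote_breaks_query(conn) -> bool:
    """A lone quote in ordinary input (O'Brien) is enough to make the
    concatenated query invalid, which is the first hint a tester looks for."""
    try:
        search_vulnerable(conn, "O'Brien")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", search_vulnerable(db, UNION_PAYLOAD))
    print("safe:      ", search_safe(db, UNION_PAYLOAD))
    print("cardnumbers exists:", blind_table_exists(db, "cardnumbers"))
    print("nosuch exists:     ", blind_table_exists(db, "nosuch"))
    print("quote breaks query:", quote_breaks_query(db))
```

The parameterized version returns nothing for the payload because the whole string, quote and all, is compared against product names as data; the vulnerable version hands back the card row.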
In a host-protected area (HPA) would indicate that hidden data probably exists on a computer.
User-created data
Validates user in SMTP
VRFY
A third-party component that verifies or validates the certificates of entities when presented to the third party
Validation Authority (VA)
Connects to the port and issues correct protocol commands to get the application banner back
Version Scanning
Used to discover a nearby Wi-Fi network, but also supports GPS and live Google Earth tracking to help in GPS mapping
Vistumbler
Bandwidth attacks; consume all bandwidth for the system or service
Volumetric Attacks
A risk equation component that is best described as the likelihood that a threat against a company will be successful
Vulnerability
PTW, FMS, and Korek are valid options in aircrack-ng against what wireless encryption only.
WEP
Wireless Encryption that uses RC4
WEP
IIS server resource kit tool that allows attacker to fully customize an HTTP request and send it to a web server to see the raw HTTP request and response data. Allows attacker to test performance of websites that contain new elements such as active server pages (ASP) or wireless protocols
WFETCH
Lets you perform a domain search, IP lookup and search the database for relevant information on domain registry and availability
WHOis
Allows you to find all the devices connected to a network giving data such as IP, manufacturer, device name, and MAC address. Also allows saving a list of known devices with custom name and finds intruders in a short period
WiFi Inspector
Consolidates location and information of wireless networks worldwide to a central database and provides user-friendly Java, Windows, and web applications that can map, query, and update the database via the web. Creates a map for wireless networks
WIGLE
The resource type that is used to display information about a well-known service defined for the host on the DNS server
WKS
Wireless encryption using TKIP with a 128-bit key that it transfers back and forth during an EAP; changes the key every 10,000 packets
WPA
Wireless encryption that uses AES for encryption and can tie to an EAP or RADIUS server in Enterprise mode or uses a pre-shared key in Personal mode
WPA2
The purpose of this web services specification is to advertise security, Quality of Service (QoS), and other policies for web services. Web services and web service consumers can indicate the security tokens they require, the encryption methods they support, and the privacy rules that must be enforced during a communication session.
WS-Policy
The purpose of this web services specification is to create security contexts for faster message exchanges. It establishes a session key that is used for the duration of the web connection. Using it is faster than using WS-Security; in fact, messages are processed twice as fast.
WS-SecureConversation
The purpose of this web services specification is to provide integrity, encryption, and authentication for SOAP messages, which uses XML format. After a sender is identified, a security token is attached to the sender's messages. It can be used with many security token models, including X.509, Kerberos, and Security Assertion Markup Language (SAML)
WS-Security
The purpose of this web services specification is to create security tokens and to broker trust relationships between messaging participants. Windows Communication Foundation (WCF), Windows Identity Framework (WIF), and Web Services Interoperability Technology (WSIT) implement this.
WS-Trust
A browser extension (Chrome and others) that identifies the technologies used by a web site, fingerprinting from HTTP headers, cookies, script names and page markup; it reports the technology, not the raw header that revealed it.
Wappalyzer
Plugin for Fiddler HTTP proxy that passively audits web application to find security bugs and compliance issues automatically
Watcher Web Security Tool
A web server attack that replaces the cache on a box with a malicious version of it
Web Cache Poisoning
A tool that obtains information from the website such as pages, etc.
Web Spiders
A deliberately insecure application that allows developers to test vulnerabilities commonly found in Java-based applications that use common and popular open-source components. Maintained by OWASP.
WebGoat
Framework for analyzing applications that communicate using HTTP and HTTPS protocols. Allows attackers to review and modify requests created by browser before they are sent to the server and to review and modify responses to the network from the server before they are received by the browser
WebScarab
An application that allows you to automatically download any file from a website. The program acts as an engine spider that crawls throughout the entire website with the objective of showing you all the multimedia files that you are interested in
Webripper
Incorporates a number of techniques to seamlessly obtain a WEP key in minutes
Wesside-ng
A computer program that retrieves content from web servers. It is part of the GNU Project. It supports downloading via HTTP, HTTPS, and FTP. Its features include recursive download, conversion of links for offline viewing of local HTML, and support for proxies.
Wget
A web based tool used to inquire about domains, IP addresses, block the IP address belongs to, the owner of the block, and technical contact.
Whois
Desktop OS designed for advanced security and privacy. Mitigates threat of common attack vectors while maintaining useability. Online anonymity realized via fail-safe, automatic, and desktop-wide use of Tor network
Whonix
802.11 network discovery tool designed for mobile platforms, Android in particular. Collects information about nearby wireless access points and displays data in useful ways
WiFi Explorer
Helps find security leaks in WiFi network internet connection. Allows detection of intruder accessing network, WiFi, Internet connection without consent
WiFi Intruder Detector
A program that can scan, attack, detect, and protect computers on the local area network. Includes the ability to do an ARP flood attack among other tools.
WinArpAttacker
Nessus drop-down options from the Credentials tab include these
Windows Credentials, SSH Settings, Kerberos Configuration, Cleartext Protocol Settings
These do not respond to ICMP Echo Request messages that are directed to a network address or a broadcast address
Windows OS's
A compatibility layer for running Windows applications on Linux, Mac OSX, and BSD platforms. Converts Windows API calls into similar methods provided by the native system API.
Wine
A common tool used to discover a nearby Wi-Fi network or device by detecting wireless signals, channels, and access points similar to NetStumbler.
WirelessMon
A GUI based application that captures and analyzes network packets.
Wireshark
This attack involves altering SOAP messages and replaying them as legitimate.
Wrapping Attack
Apple's integrated development environment (IDE) for developing iOS mobile apps in Objective-C (and Swift). Includes an iOS simulator for Apple platforms.
XCode
Open ports do not reply, so the result is reported as open|filtered; closed ports respond with RST. Relies on RFC 793 behaviour, so it does not work against Windows and some other stacks, which send RST regardless of port state
XMAS scan
Best described as injected client-side script code that, among other things, can be used to harvest cookies stored on a user's computer
XSS
What type of attack is best mitigated by setting the HttpOnly flag in cookies
XSS
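The HttpOnly point above is easy to check from the server side. The following is an added example (not part of the original page): it builds the weak and the hardened Set-Cookie header for a session cookie with Python's standard http.cookies module, and an audit function that reports which protections a Set-Cookie line lacks. The cookie name SESSIONID and the header strings are constructed here, not captured from any real site.

```python
"""Cookie flag audit (added example). HttpOnly keeps document.cookie, and
therefore an XSS payload, from reading the session cookie; Secure and
SameSite close the transport and cross-site angles."""
from http.cookies import SimpleCookie
from typing import Dict, List


def weak_session_cookie(sid: str) -> str:
    """Set-Cookie value with no flags: readable by any injected script."""
    c = SimpleCookie()
    c["SESSIONID"] = sid            # hypothetical cookie name
    return c["SESSIONID"].OutputString()


def hardened_session_cookie(sid: str) -> str:
    """Same cookie with HttpOnly, Secure, SameSite and an explicit Path."""
    c = SimpleCookie()
    c["SESSIONID"] = sid
    m = c["SESSIONID"]
    m["httponly"] = True            # not exposed to document.cookie
    m["secure"] = True              # only sent over HTTPS
    m["samesite"] = "Lax"           # not sent on cross-site POSTs
    m["path"] = "/"
    return m.OutputString()


def audit_set_cookie(headers: List[str]) -> Dict[str, List[str]]:
    """Parse each Set-Cookie header and list the missing protections per cookie.
    An empty list means the cookie carries all three flags."""
    findings: Dict[str, List[str]] = {}
    for h in headers:
        c = SimpleCookie()
        c.load(h)                   # tolerant parser for one header line
        for name, m in c.items():
            missing = []
            if not m["httponly"]:
                missing.append("HttpOnly")
            if not m["secure"]:
                missing.append("Secure")
            if not m["samesite"]:
                missing.append("SameSite")
            findings[name] = missing
    return findings


if __name__ == "__main__":
    # Constructed headers, as a proxy such as WebScarab would show them
    for hdr in (weak_session_cookie("a1b2c3"), hardened_session_cookie("a1b2c3")):
        print(hdr, "->", audit_set_cookie([hdr]))
```

Run it against the Set-Cookie lines an intercepting proxy shows you; anything that comes back listing HttpOnly is a cookie that an XSS payload could exfiltrate.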
A network security/hacking tool for Unix-like operating systems, designed to take advantage of some weakness in different network protocols.
Yersinia
GUI overlay for nmap.
Zenmap
Mobile malware (the companion to the Zeus banking trojan) that compromises the phone itself, giving the attacker the credentials and second authentication factors sent via text message.
ZitMo (Zeus-in-the-Mobile)
In DNS, the act of copying a primary name server's zone file to the secondary name server to ensure that both contain the same information.
Zone Transfer
A personal firewall
ZoneAlarm
This metacharacter in the regular expression configures grep to match only the beginning of a line
^
Linux command to add a user to the system
adduser
The object methods in JavaScript used to perform large-scale modifications at the node level of the document. Creates new document sections or rearranges existing content based on content retrieved from another web page.
adoptNode( ) importNode( ) renameNode( )
Captures WPA/WPA2 handshake and can act as an ad-hoc access point
airbase-ng
Decrypts WEP/WPA/WPA2 and can be used to strip wireless headers from WiFi packets
airdecap-ng
Provides status information about, and manages, the wireless drivers on your system
airdriver-ng
Program used for targeted, rule-based deauthentication of users
airdrop-ng
Tool in the aircrack-ng suite that injects frames; used for a deauthentication attack in the form aireplay-ng -0 [count] -a [BSSID MAC address] -c [station MAC address] [interface]
aireplay-ng
An application that works on Linux distributions and can be used for several types of wireless attacks.
airgeddon
Creates client to access point relationship and common probe graph from airodump file
airgraph-ng
Command in aircrack-ng to create a monitor interface from a wireless interface, allowing it to sniff Wi-Fi traffic.
airmon-ng
Command in aircrack-ng to sniff BSSIDs and other information on wireless networks.
airodump-ng
Stores and manages ESSID and password lists used in WPA/WPA2 cracking
airolib-ng
Allows multiple programs to independently use a WiFi card via a client server TCP connection
airserv-ng
Creates a virtual tunnel (tap) interface from a wireless interface so that encrypted traffic can be monitored (for a wireless IDS) and arbitrary traffic injected into the network. Injecting frames into a WPA TKIP network with QoS to recover the MIC key and keystream is the job of the related tkiptun-ng
airtun-ng
Part of the dsniff suite, written by Dug Song. Forges ARP replies so that the attacker's host is inserted between two systems on the network (man-in-the-middle).
arpspoof
Specifies which hardware address to use when restoring the ARP configuration at exit (own, host, or both) in arpspoof
arpspoof -c
Poisons both hosts (host and target) so that traffic is captured in both directions in arpspoof; only valid together with -t
arpspoof -r
Designates the target address in arpspoof
arpspoof -t
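To see what arpspoof actually puts on the wire, and what a detector such as the ARP-watching tools described on this page looks for, here is an added example (not code from the original page or from the dsniff project). It builds Ethernet/ARP frames with struct only; nothing is sent. The addresses are constructed for the demonstration, and the detector is a simplified model of the two classic checks: a reply nobody asked for, and an IP whose MAC changes.

```python
"""Spoofed ARP replies and a host-side detector (added example)."""
import struct
from typing import Dict, List, Set

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"          # 28-byte ARP body for Ethernet/IPv4


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def arp_frame(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header + ARP. Requests go to the broadcast address."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac(target_mac)
    eth = struct.pack("!6s6sH", dst, mac(sender_mac), ETH_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac(sender_mac), ip(sender_ip),
                      mac(target_mac), ip(target_ip))
    return eth + arp


def spoof_pair(attacker_mac: str, host: str, target: str,
               host_mac: str, target_mac: str) -> List[bytes]:
    """What `arpspoof -r -t target host` sends: unsolicited replies that pair
    each victim's IP with the attacker's MAC, in both directions."""
    return [arp_frame(ARP_REPLY, attacker_mac, host, target_mac, target),
            arp_frame(ARP_REPLY, attacker_mac, target, host_mac, host)]


def parse_arp(frame: bytes) -> dict:
    if struct.unpack_from("!H", frame, 12)[0] != ETH_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack_from(ARP_FMT, frame, 14)
    return {"op": op,
            "sender_mac": smac.hex(":"), "sender_ip": ".".join(map(str, sip)),
            "target_mac": tmac.hex(":"), "target_ip": ".".join(map(str, tip))}


class ArpWatch:
    """Learn IP->MAC from replies; alert on replies without a matching request
    and on an IP whose MAC changes from what was learned earlier."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.pending: Set[str] = set()      # IPs with an outstanding request
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        a = parse_arp(frame)
        if a["op"] == ARP_REQUEST:
            self.pending.add(a["target_ip"])
            return
        ipaddr, m = a["sender_ip"], a["sender_mac"]
        if ipaddr not in self.pending:
            self.alerts.append(f"unsolicited reply for {ipaddr} from {m}")
        self.pending.discard(ipaddr)
        old = self.table.get(ipaddr)
        if old and old != m:
            self.alerts.append(f"{ipaddr} changed {old} -> {m}")
        self.table[ipaddr] = m


if __name__ == "__main__":
    # Constructed LAN: gateway .1, victim .10, attacker runs arpspoof
    gw, gw_mac = "192.168.1.1", "00:11:22:33:44:55"
    victim, victim_mac = "192.168.1.10", "66:77:88:99:aa:bb"
    attacker_mac = "de:ad:be:ef:00:01"
    w = ArpWatch()
    w.observe(arp_frame(ARP_REQUEST, victim_mac, victim, "00:00:00:00:00:00", gw))
    w.observe(arp_frame(ARP_REPLY, gw_mac, gw, victim_mac, victim))
    for f in spoof_pair(attacker_mac, gw, victim, gw_mac, victim_mac):
        w.observe(f)
    print("\n".join(w.alerts))
```

The same two checks are what a switch's dynamic ARP inspection or a host-based tool applies; the attacker's only way around the "changed MAC" check is to poison the cache before the legitimate mapping is learned.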
This file contains system authorization information as well as a list of user logins and the authentication mechanism that was used by each login. Read with any standard text editor
auth.log
Uses bluetooth to gain access to a phone in order to place a phone call - once the phone call is placed, the attacker has a remote listening device through the phone.
bluebugging
This file contains a list of failed login attempts on a Linux computer. You can read the file by issuing the lastb or last -f commands
btmp
A Windows command-line tool that can be used to assign, display or modify access control lists to files or folders. It cannot be used to take ownership of a file.
cacls.exe
Linux command to display the contents of a file
cat
Linux command to change the permissions of a folder or file
chmod
Look-up database for default passwords, credentials and ports
cirt.net
The meterpreter shell command to clear log files
clearev
Which file do you bind to an executable file using a wrapper tool to create a trojan.
compilation file (.exe)
C++, Java, and Visual Basic are this type of language
compiled
Linux command to make copies
cp
A set of password sniffing and network traffic analysis tools written by security researcher and startup founder Dug Song to parse different application protocols and extract relevant information.
dSniff
A layer 4 - 7 UDP message
datagram
This aircrack-ng option works when working to break the encryption of keys in WPA and WPA2
dictionary list
A tool for interrogating DNS name servers; performs DNS lookup and displays the answers returned from the name server on Linux.
dig
Software based WAF that protects website from malicious attacks
dotDefender
A tool that makes use of other, underlying tools to scan systems that have implemented SMB; can be used to enumerate shares or users
enum4linux
Specifies a physical address with ARP.
eth_addr
Utility for dumping passwords on NT/2000/XP/2003/Vista
fgdump
A C library function that reads at most a caller-supplied number of bytes, so the input cannot overrun the buffer (unlike gets()). Bounds checking is the practice of verifying that input from a data stream does not exceed the size of the available buffer; C and C++ do not do this automatically and so are particularly vulnerable to buffer overflow attacks.
fgets() function
A Linux enumeration command that gives information on user and host machine
finger
An application designed to send ICMP requests to multiple systems; the parameters are a, e, and g for alive, elapsed time, and generate a list of targets from an address block respectively.
fping
A layer 2 (data link) message
frame
An open-source C++ compiler used to take source code files and generate runnable executables
g++
Method in JavaScript that retrieves an element based on its identifier.
getElementById( )
JavaScript method to retrieve an array of element nodes based on the tag name.
getElementsByTagName( )
A tool that is primarily a packet crafting program allowing an attacker to initiate connections using different protocols with the header settings they want.
hping3
hping3 command to insert a file into packet's data
hping3 --file
Command in hping3 that sends packets as fast as possible without showing incoming replies.
hping3 --flood
Sets UDP mode in hping3.
hping3 -2
Sets the system to listen mode in hping3. Expects a signature (e.g. HTTP) and interface (-I eth0).
hping3 -9
Sets the ACK flag in hping3 command.
hping3 -A
Command to set the FIN flag in hping3
hping3 -F
Specifies the interface in hping3 (e.g. -I eth0). ICMP mode is -1 (--icmp), not -I.
hping3 -I
Command to set the PUSH flag in hping3.
hping3 -P
Command to collect sequence numbers generated by the host in hping3.
hping3 -Q
Sets the RST flag in hping3.
hping3 -R
Command to set the SYN flag in hping3
hping3 -S
Sets the URG flag in an hping3 scan.
hping3 -U
Spoofs the source address in hping3 (--spoof); replies go to the spoofed host, so pair it with a listener (-9) there
hping3 -a
Command to set the data-size packet body size in hping3
hping3 -d
Sets the interval between packets in hping3 (--interval, e.g. -i u1000 for 1000 microseconds). Port scan mode, which takes a port range without the -p flag, is -8 (--scan).
hping3 -i
Sets the port number in hping3.
hping3 -p
Tool for advanced web server fingerprinting. Performs banner-grabbing attacks, status code enumeration, and header ordering analysis on target web server
httprecon
If present, this specifies the internet address of the interface whose address translation table should be modified in ARP. If not present, the first applicable interface will be used.
if_addr
Linux command to display network configuration information
ifconfig
A replacement for NetStumbler that supports macOS in addition to Microsoft Windows; often used in wardriving, verifying network connections and detecting coverage issues.
inSSIDer
WiFi optimization and troubleshooting tool. Scans for wireless networks with your WiFi adapter, so you can visualize their signal strength and what channels they are using. Lists a lot of useful information about each network
inSSIDer Office
Specifies an internet address in ARP
inet_addr
Linux firewall for Linux kernel v 2.2.x. Added the ability to filter for packet fragments.
ipchains
This command configures IP masquerading
ipchains -A forward -s 192.168.51.0/24 -d 0/0 -j MASQ
The first version of the Linux kernel firewall used to control packet filtering or firewall capabilities in versions 1.2.x and 2.0.x
ipfwadm
Linux commands that are all capable of configuring IP masquerading on a Linux-based firewall. All of these commands are also capable of denying traffic from unknown hosts and the configuration of static NAT.
ipfwadm, ipchains, iptables
The Linux kernel firewall that replaced ipchains starting with kernel 2.4, administered with the iptables command (itself since succeeded by nftables).
iptables
Linux command to kill a running process
kill
A Perl module that supports IDS evasion techniques, such as session splicing
libwhisker
Linux command to display the contents of a folder
ls
nslookup command that lists aliases of computers in the DNS domain
ls -a OR ls -t CNAME
nslookup command that lists all records for the specified DNS domain by initiating a zone transfer
ls -d OR ls -t ANY
nslookup command that lists CPU and OS information for the DNS domain
ls -h OR ls -t HINFO
nslookup command that lists well-known services of computers in the DNS domain
ls -s OR ls -t WKS
A member of the Dsniff suite toolset and mainly used to flood the switch on a local network with random MAC addresses.
macof
Linux command to display the manual page for a command
man
A Metasploit Framework utility (now folded into msfvenom) that encodes a payload, changing the way it appears to a signature-based AV system.
msfencode
Metasploit payload generator. For example, with the windows/meterpreter/reverse_tcp payload it builds an executable that connects back to the listener at the specified IP address and port to deliver a Meterpreter shell
msfvenom
A Windows utility that is used to view and manage NetBIOS cache information.
nbtstat
Gives your own information from NetBIOS
nbtstat
Gives remote information on a specific IP address in NetBIOS
nbtstat -A IPADDRESS
Gives cache information in NetBIOS
nbtstat -c
Gives the local table in NetBIOS
nbtstat -n
The correct syntax on Windows for using Netcat to leave a command shell open on port 8080 (-L keeps listening after a client disconnects)
nc -L -p 8080 -t -e cmd.exe
Initiates an outbound connection to an IP on the destination TCP port
nc [IP] [port #]
With this command you can manage user accounts by issuing the user command. You can start a service by issuing the start command, stop a service by issuing the stop command, pause a service by issuing the pause command, and continue a service by issuing the continue command. Printer queues can be managed by issuing the print command. You can manage shared resources by issuing the share command. You can connect to a remote resource by issuing the use command.
net command
Displays port connections in numerical form.
netstat -an
Displays executables tied to the open port (admin only)
netstat -b
De facto port scanner that can perform UDP and TCP scans. It detects OS types, running applications and their versions, and supports scripts written in Lua.
nmap
Scans hosts in a random order instead of in numerical (IP) order.
nmap --randomize-hosts
Command to run an NSE script (or script category) with nmap.
nmap --script [script name]
Command to perform OS detection, version detection, script scanning and traceroute in nmap.
nmap -A
Command to enable OS detection (TCP/IP stack fingerprinting) in nmap; not part of the default scan
nmap -O
Command to perform an ICMP echo ping in nmap (older spelling; now -PE).
nmap -PI
Command to perform SYN ping in nmap
nmap -PS
Command to perform a TCP ping with nmap (older spelling; now -PS for a SYN ping or -PA for an ACK ping).
nmap -PT
Command to skip host discovery (no ping) in nmap; -P0 (zero) is the older spelling, replaced by -Pn.
nmap -P0
Command for normal output in nmap.
nmap -oN
Command for XML output in nmap.
nmap -oX
Command in nmap to conduct an ACK flag probe. A RST reply means the port is unfiltered (reachable, open or closed); no response or an ICMP unreachable means a stateful firewall is filtering it. The older TTL-based variant of this probe treats a RST whose TTL is below 64 as an open port.
nmap -sA
Nmap command that runs the default set of Nmap Scripting Engine (NSE) scripts (equivalent to --script=default). NSE lets users write and share Lua scripts that automate network discovery, vulnerability detection and exploitation.
nmap -sC
Command to perform a FIN scan in nmap. No response means an open port; RST/ACK response means a closed port.
nmap -sF
Performs an idle (zombie) scan in nmap. The zombie's IPID is sampled before and after a SYN is sent to the target with the zombie's spoofed address: an increase of 1 means the port is closed (or filtered), an increase of 2 means it is open, and anything else means the zombie host is not idle.
nmap -sI
Command to perform a list scan in nmap: lists the targets and does reverse-DNS lookups on them without sending any probes.
nmap -sL
Performs a null scan in nmap. If the port is open there is no response. If the port is closed a RST/ACK response is received.
nmap -sN
Command to perform an IP protocol scan in nmap, which determines which IP protocols (TCP, UDP, ICMP, IGMP, ...) the target accepts. Slow timing templates (-T0, -T1) reduce the chance of IDS detection.
nmap -sO
Command to perform a ping (host discovery only) scan in nmap; older spelling, now -sn.
nmap -sP
Command to perform an RPC scan in nmap (deprecated; RPC grinding is now part of version detection, -sV).
nmap -sR
SYN (half-open) stealth scan in nmap
nmap -sS
Command to perform a TCP (full) connect scan in nmap.
nmap -sT
Command to perform a UDP scan in nmap.
nmap -sU
Command to perform a version scan in nmap
nmap -sV
Command to perform a TCP Window scan in nmap, a variant of the ACK scan. If the RST that comes back has a non-zero window the port is open, a zero window means closed; no response means a stateful firewall is in place. Only works against stacks that leak port state in the RST window.
nmap -sW
Command to perform a XMAS scan with nmap. Does not work against Windows machines. No response means an open port; RST/ACK response means a closed port.
nmap -sX
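The stealth scan cards above (-sS, -sF, -sN, -sX, -sA, -sW, -sI) all reduce to a few rules about what a target stack sends back. The following added example (not code from the page or from the nmap project) models a target that behaves per RFC 793 and one that behaves like Windows, builds the raw TCP header each would return, and applies nmap's classification rules to it. It sends nothing; the port numbers, window values and the simplified stateful-firewall switch are constructed for the demonstration. It also shows the failure mode the Xmas card warns about: against a Windows-style stack, FIN/NULL/Xmas report every port as closed.

```python
"""Stealth-scan response rules for nmap, offline (added example)."""
import struct
from typing import Optional

TCP_HDR = struct.Struct("!HHIIBBHHH")      # 20-byte TCP header, no options
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

PROBES = {                                 # flags each scan type sends
    "-sS": SYN, "-sF": FIN, "-sN": 0, "-sX": FIN | PSH | URG,
    "-sA": ACK, "-sW": ACK,
}
STEALTH = ("-sF", "-sN", "-sX")


def build_tcp(sport: int, dport: int, flags: int, window: int = 0) -> bytes:
    """Minimal TCP header (seq/ack/checksum zeroed) for the simulation."""
    return TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)


def parse_tcp(raw: bytes) -> dict:
    sport, dport, _, _, _, flags, window, _, _ = TCP_HDR.unpack_from(raw)
    return {"sport": sport, "dport": dport, "flags": flags, "window": window}


def target_stack(os_kind: str, port_open: bool, probe: int, port: int,
                 stateful_fw: bool = False) -> Optional[bytes]:
    """Reply the target sends for a probe to `port`, or None for silence.

    'rfc793': open ports ignore FIN/NULL/Xmas probes, closed ports send RST.
    'windows': RST to any non-SYN probe regardless of state, so those scans
    cannot tell open from closed. A stateful firewall (constructed switch)
    drops everything that does not start a connection."""
    if stateful_fw and not probe & SYN:
        return None
    if probe & SYN:
        if port_open:
            return build_tcp(port, 40000, SYN | ACK, window=29200)
        return build_tcp(port, 40000, RST | ACK)
    if probe & ACK:
        # Unfiltered ports answer an ACK with RST; some stacks leak state in
        # the window field (non-zero for open), which is what -sW reads.
        return build_tcp(port, 40000, RST, window=(1 if port_open else 0))
    if os_kind == "windows" or not port_open:       # FIN / NULL / Xmas
        return build_tcp(port, 40000, RST | ACK)
    return None


def classify(scan: str, raw: Optional[bytes]) -> str:
    """Port state nmap reports for one probe/response pair."""
    if raw is None:
        # Silence is ambiguous for the RFC 793 scans: open, or dropped.
        return "open|filtered" if scan in STEALTH else "filtered"
    r = parse_tcp(raw)
    if scan == "-sS":
        return "open" if r["flags"] & SYN and r["flags"] & ACK else "closed"
    if scan in STEALTH:
        return "closed" if r["flags"] & RST else "unexpected"
    if scan == "-sA":
        return "unfiltered" if r["flags"] & RST else "unexpected"
    if scan == "-sW":
        return "open" if r["window"] != 0 else "closed"
    raise ValueError(f"unknown scan type {scan!r}")


def scan_port(scan: str, os_kind: str, port_open: bool, port: int = 80,
              stateful_fw: bool = False) -> str:
    return classify(scan, target_stack(os_kind, port_open, PROBES[scan], port,
                                       stateful_fw))


def idle_scan(ipid_before: int, ipid_after: int) -> str:
    """-sI: IPID delta on the zombie. +1 closed/filtered, +2 open."""
    delta = (ipid_after - ipid_before) % 65536
    return {1: "closed|filtered", 2: "open"}.get(delta, "zombie not idle")


if __name__ == "__main__":
    for os_kind in ("rfc793", "windows"):
        for scan in PROBES:
            print(f"{os_kind:8} {scan}: open port -> {scan_port(scan, os_kind, True):14}"
                  f" closed port -> {scan_port(scan, os_kind, False)}")
    print("-sI IPID 100 -> 102:", idle_scan(100, 102))
```

The table the script prints is the one to keep in mind when reading scan output: an "open|filtered" column full of results from a FIN/NULL/Xmas scan against a Windows host is not evidence of a firewall, and a -sW verdict is only as good as the stack's window behaviour.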
Used to query WINS to lookup names where the systems are just broadcasting their information
nmblookup
Linux command to keep a process running even after exiting the shell
nohup
Best option for DNS cache snooping: ask the target resolver without recursion, so it can only answer from what it already holds in cache
nslookup -norecurse
Object methods in JavaScript used to completely replace the current web page's content.
open( ) and write( )
Launches an OpenSSL SSL/TLS client
openssl s_client
Creates a SSL/TLS server
openssl s_server
Verifies the version of OpenSSL
openssl version
Uses rainbow tables on different OS's
ophcrack
A passive TCP/IP stack fingerprinting tool. It can attempt to identify the system running on machines that send network traffic to the box it is running on or to a machine that shares a medium with the machine it is running on.
p0f
A layer 3 message
packet
Linux command to change the password
passwd
Linux command capable of evading IDSs or other security measures by obfuscating the true source IP address of network traffic. It can be configured to tunnel TCP or UDP traffic to a destination by way of one or more proxy servers
proxychains
Linux command for process status. -ef option will show all processes
ps
Linux command to display the current directory
pwd
Dumps password hashes from NT's SAM database
pwdump7
Abel (the service component of Cain & Abel) has these features
remote console; remote Local Security Authority (LSA) secrets dumper; remote NT hashes dumper; remote route table manager; remote TCP/UDP table viewer
Linux command to remove files. -r option recursively removes all directories and subdirectories
rm
The basic syntax of the route add command
route add [network address] mask [subnet-mask] [gateway-address]
Linux enumeration commands that provide information on RPC in the environment
rpcinfo and rpcclient
Used to identify programs and associated ports on a remote system.
rpcinfo -p [IP]
Lists the running services on a Windows Machine
sc query
Command that displays active and inactive services on a computer running Windows Server 2012
sc query state= all
2nd Hacking Phase: Obtains more in-depth information about targets.
scanning and enumeration
Python is this type of language
scripting
A layer 4 - 7 TCP message
segment
Code you place into overall exploit code that will provide you with shell access on the target system
shellcodes
A Linux enumeration command that displays all shared directories on the machine
showmount
Can be used to "walk" the MIB tree to gather data from SNMP agents
snmpwalk
Linux command to allow you to perform functions as another user
su
A FreeBSD implementation of TCP Wrapper: a daemon that monitors incoming service requests for services like Telnet, SMTP, FTP, HTTP, and HTTPS, logs them and provides simple host-based access control (hosts.allow and hosts.deny). This can prevent a malicious Telnet attempt from abusing the standard open ports of other services, like SMTP and HTTP
tcpd daemon
Designates tcpdump to dump the payload in hexadecimal
tcpdump -X
Specifies the interface in tcpdump
tcpdump -i
Command to remove the DNS information in tcpdump
tcpdump -n
Designates tcpdump to read from a specified file.
tcpdump -r
Adds more details in tcpdump
tcpdump -v OR -vv OR -vvv
Command in tcpdump to write to a file
tcpdump -w
A CLI version of TCPView. Syntax: tcpvcon [-a] [-c] [-n] [process]. -a displays all endpoints (without it only established TCP connections are shown); -c prints the output as CSV; -n does not resolve addresses; process can be given as a process name or a process ID.
tcpvcon
An information-gathering application used to scrape up emails, subdomains, hosts, employee names, open ports and banners from different public services like popular search engines, PGP key servers, and the Shodan database.
theHarvester
This file contains a list of currently logged-in users. You can read the file by issuing the who or last -f commands
utmp
A rogue access point framework used to impersonate a wireless network while jamming a legitimate access point and then redirecting traffic to a site managed by the attacker.
wifiphisher
Tool used to enumerate themes, users, and plugins
wpscan
This file contains a list of all login and logout activity. You can read the file by issuing the last command
wtmp
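The utmp, wtmp and btmp cards above describe what who, last and lastb print, but in an incident you often have only a copied file (or a disk image) and no trusted binaries. The following added example (not code from the page) parses the Linux x86-64 struct utmp record layout (384 bytes) directly with struct, reproduces who's "currently logged in" view from utmp records, and summarises btmp failures per source address to spot a brute force. All records are constructed in memory; the usernames, ttys and addresses are made up for the demonstration.

```python
"""Read utmp-format records (utmp, wtmp, btmp) without who/last (added example)."""
import struct
from datetime import datetime, timezone
from typing import Dict, Iterator, List

# struct utmp on Linux x86-64: short ut_type; (2 pad) pid_t ut_pid;
# char ut_line[32]; char ut_id[4]; char ut_user[32]; char ut_host[256];
# struct exit_status {short,short}; int32 ut_session; int32 tv_sec;
# int32 tv_usec; int32 ut_addr_v6[4]; char __unused[20]  -> 384 bytes
UTMP = struct.Struct("<hxxi32s4s32s256shhiii16s20s")
assert UTMP.size == 384

LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 6, 7, 8


def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_records(blob: bytes) -> Iterator[dict]:
    """Yield one dict per record; refuse files that are not a whole number
    of records, which usually means a truncated or wrong-arch file."""
    if len(blob) % UTMP.size:
        raise ValueError("utmp data is not a multiple of the record size")
    for off in range(0, len(blob), UTMP.size):
        (ut_type, pid, line, _id, user, host, _, _, _,
         sec, _usec, addr, _) = UTMP.unpack_from(blob, off)
        ipv4 = ".".join(str(x) for x in addr[:4]) if any(addr[:4]) else ""
        yield {"type": ut_type, "pid": pid, "line": _cstr(line),
               "user": _cstr(user), "host": _cstr(host), "ip": ipv4,
               "time": datetime.fromtimestamp(sec, timezone.utc)}


def make_record(ut_type: int, pid: int, line: str, user: str, host: str,
                ts: int, ip: str = "0.0.0.0") -> bytes:
    """Build a record the way login/sshd would (used here to construct input)."""
    addr = bytes(int(x) for x in ip.split(".")) + b"\0" * 12
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, addr, b"")


def logged_in(blob: bytes) -> List[str]:
    """What `who` shows: USER_PROCESS entries not yet superseded by a
    DEAD_PROCESS entry on the same line."""
    live: Dict[str, dict] = {}
    for r in parse_records(blob):
        if r["type"] == USER_PROCESS:
            live[r["line"]] = r
        elif r["type"] == DEAD_PROCESS:
            live.pop(r["line"], None)
    return [f'{r["user"]} {r["line"]} {r["host"]}' for r in live.values()]


def failed_logins_by_ip(blob: bytes) -> Dict[str, List[str]]:
    """What `lastb` shows, grouped by source: many usernames tried from one
    address is the signature of a password-guessing attack."""
    tried: Dict[str, set] = {}
    for r in parse_records(blob):
        tried.setdefault(r["ip"] or r["host"], set()).add(r["user"])
    return {src: sorted(users) for src, users in tried.items()}


if __name__ == "__main__":
    # Constructed sample: alice via ssh, bob on tty1 who has since logged out
    utmp = (make_record(USER_PROCESS, 1234, "pts/0", "alice", "10.0.0.5", 1700000000, "10.0.0.5")
            + make_record(USER_PROCESS, 1300, "tty1", "bob", "", 1700000100)
            + make_record(DEAD_PROCESS, 1300, "tty1", "", "", 1700000200))
    print(logged_in(utmp))
    btmp = b"".join(make_record(LOGIN_PROCESS, 0, "ssh:notty", u, "203.0.113.9",
                                1700000300 + i, "203.0.113.9")
                    for i, u in enumerate(["root", "admin", "test"]))
    print(failed_logins_by_ip(btmp))
```

On a real system point parse_records at the bytes of /var/run/utmp, /var/log/wtmp or /var/log/btmp; the record layout differs on 32-bit or non-Linux systems, so check that the file length divides by 384 before trusting the output.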
The NOPS module for the Metasploit framework. Used to create a NOP slide.
x86/opty2
The XOR generator module for the Metasploit Framework. Used to create polymorphic shellcode that hides NOP sleds and bypasses signature-based IDSes.
x86/xor
A Windows command-line utility (extended CACLS) that, unlike cacls.exe, can change the owner of a file; on current Windows versions takeown.exe and icacls.exe /setowner do the same.
xcacls.exe
Mobile IPS application that provides comprehensive protection for iOS and Android devices against mobile network, device, and application cyber attacks
zIPS