Glossary of Key Terms

Active reconnaissance A method of information gathering whereby the tools used actually send out probes to the target network or systems in order to elicit a response that is then used to determine its posture.

Authenticated scan A vulnerability scan in which the user provides the scanner with a set of credentials that have root-level access to the system. Most of the time it is best to run this type of scan against a target to get a full picture of the attack surface.

Bind shell A situation in which an attacker opens a port or a listener on a compromised system and waits for a connection. This is done in order to connect to the victim from any system and execute commands and further manipulate the victim.

Blind (or inferential) SQL injection A type of attack in which the attacker does not make the application display or transfer any data but instead reconstructs the information by sending specific statements and discerning the behavior of the application and database.

Bluejacking An attack that can be performed by using Bluetooth with vulnerable devices in range and is mostly performed as a form of spam over Bluetooth connections. An attacker sends unsolicited messages to the victim over Bluetooth, including a contact card (vCard) that typically contains a message in the name field.

Bluesnarfing A type of attack in which the aim is to obtain unauthorized access to information from a Bluetooth-enabled device. An attacker may launch Bluesnarfing attacks to access calendars, contact lists, emails and text messages, pictures, or videos from victims.

Clickjacking Using multiple transparent or opaque layers to induce a user into clicking on a web button or link on a page that he or she did not intend to click or navigate to. Clickjacking attacks are often referred to as UI redress attacks. User keystrokes can also be hijacked by using clickjacking techniques. It is possible to launch a clickjacking attack by using a combination of CSS stylesheets, iframes, and text boxes to fool a user into entering information or clicking on links in an invisible frame that could be rendered from a site the attacker created.

Command and control (C2 or CnC) A type of system that attackers use to send commands and instructions to compromised systems. A C2 can be an attacker’s system (desktop, laptop, and so on) or a dedicated virtual or physical server. Attackers often use virtual machines in a cloud service or even other compromised systems. Even services such as Twitter, Dropbox, and Photobucket have been used for C2 tasks. C2 communication can be as simple as maintaining a timed beacon, or “heartbeat,” to launch additional attacks or for data exfiltration.

Command injection An attack in which the attacker tries to execute commands that he or she is not supposed to be able to execute on a system via a vulnerable application. Command injection attacks are possible when an application does not validate data supplied by the user (for example, data entered in web forms, cookies, HTTP headers, and other elements). The vulnerable system passes that data into a system shell. This type of attack involves trying to send operating system commands so that the application can execute them with the privileges of the vulnerable application.

Common Vulnerability Scoring System (CVSS) A standard created by security practitioners in the Forum of Incident Response and Security Teams (FIRST) that is used to identify the principal characteristics of a vulnerability and rate the vulnerability using a numeric score that reflects its severity.

Compliance scanning Scanning for compliance that is typically driven by the market or governance that the environment serves. An example of this would be the information security environment for a healthcare entity, which would be beholden to the requirements set forth by HIPAA.

CPassword A component of Active Directory’s Group Policy Preferences that was used to allow administrators to set passwords via Group Policy. If administrators used CPassword to perform common tasks (such as changing the local administrator account), any user with basic read rights to the SYSVOL directory could obtain the authentication key and crack it by using tools such as John the Ripper and Hashcat.

Credential harvesting An attack that involves obtaining or compromising user credentials. Credential harvesting attacks may occur as common social engineering attacks such as phishing attacks, and they can also be performed by impersonating a wireless AP or a captive portal to convince a user to enter his or her credentials.

Credentials brute-force attack An attack in which the attacker attempts to log in to an application or a system by trying different usernames and passwords.

Cross-site request forgery (CSRF or XSRF) A type of attack that involves unauthorized commands being transmitted from a user who is trusted by the application. CSRF is different from XSS in that it exploits the trust that an application has in a user’s browser. CSRF vulnerabilities are also referred to as “one-click attacks” or “session riding.” CSRF attacks typically affect applications (or websites) that rely on a user’s identity. An attacker may trick a user’s browser into sending HTTP requests to a target website. For example, a user who is authenticated by an application based on a cookie saved in the browser might unwittingly send an HTTP request to a site that trusts the user, subsequently triggering an unwanted action.

Cross-site scripting (XSS) A very common web application vulnerability that can lead to installation or execution of malicious code, account compromise, session cookie hijacking, revelation or modification of local files, or site redirection. There are three major types of XSS: reflected XSS, stored (persistent), and DOM-based XSS.

CVSS See Common Vulnerability Scoring System (CVSS).

Discovery scan A type of vulnerability scan that is primarily meant to identify the attack surface of a target. A port scan is a major part of a discovery scan.

Domain enumeration The process of determining all the subdomains that are being used by a target. Domain enumeration helps a penetration tester determine what kinds of systems the target is running and where testing should go next. It often uncovers subdomains that may have been forgotten, which could open up paths to exploitation.

Dradis Framework A handy tool that can ingest the results from many penetration testing tools and allows a penetration tester to compile and output reports in formats such as CSV, HTML, and PDF. It is very flexible because it allows a tester to use existing add-ons or create new ones.

Dumpster diving A process in which an unauthorized individual searches for and attempts to collect sensitive information from the trash.

Ethical hacker A person who hacks into a computer network in order to test or evaluate its security rather than with malicious or criminal intent.

Evil twin An attack in which an attacker creates a rogue access point and configures it exactly the same as the existing corporate network.

Executive summary The section of a penetration testing report that provides enough information for anyone reading the report to get a clear idea of the results.

EXIF Exchangeable image file format information from graphic files, as well as the information discovered through the URL of a scanned website.

False negative An instance in which a security tool intended to detect a particular threat fails to do so.

False positive An alert that incorrectly indicates that a vulnerability is present.

Fence jumping A situation in which an unauthorized individual jumps a fence or a gate to enter a restricted building or facility.

Full scan A scan in which every scanning option in the scan policy is enabled. Although the options vary based on the scanner, most vulnerability scanners have similar categories of options defined.

Group enumeration The process of gathering a valid list of groups in order to understand the authorization roles being used on a target system. Group enumeration is performed after gaining access to the internal network.

Group Policy Object (GPO) An item inside Active Directory that contains settings for user accounts, client computer settings, or settings for configuring policies on servers. Typically, the goal is to configure GPOs in such a way that they cannot be overridden by users.

Host enumeration The process of discovering all the hosts, applications, and systems that could be targeted. It is a task that is performed internally and externally, using a tool such as Nmap or Masscan. External host enumeration typically limits the IP addresses being scanned to just the ones that are within the scope of the test. This reduces the chance of inadvertently scanning an IP address that the tester is not authorized to test. When performing an internal host enumeration, a tester typically scans the full subnet or subnets of IP addresses being used by the target.

HTML injection A vulnerability that occurs when an unauthorized user is able to control an input point and inject arbitrary HTML code into a web application. Successful exploitation could lead to disclosure of a user’s session cookies, which could be used to impersonate a victim or to allow the attacker to modify the web page or the application content seen by victims.

HTTP parameter pollution (HPP) Vulnerabilities that are introduced when multiple HTTP parameters have the same name. HPP may cause an application to interpret values incorrectly. It is possible to take advantage of HPP vulnerabilities to bypass input validation, trigger application errors, or modify internal variable values.

HTTP proxies Proxies that make requests to web servers on behalf of other clients. They enable HTTP transfers across firewalls and can also provide support for caching of HTTP messages. Proxies can also perform other roles in complex environments, including network address translation (NAT) and filtering of HTTP requests.

In-band SQL injection A type of attack in which the attacker obtains data by using the same channel that is used to inject SQL code. This is the most basic form of an SQL injection attack, in which the data is dumped directly in a web application (web page).

Insecure Direct Object Reference Vulnerabilities that are exploited when web applications allow direct access to objects based on user input. Successful exploitation could allow attackers to bypass authorization and access resources that should be protected by the system (for example, database records, system files). This type of vulnerability occurs when an application does not sanitize user input and does not perform appropriate authorization checks.

Insider threat A threat that occurs when an entity has authorized access (that is, within the security domain) and could potentially harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service.

Internet of Things (IoT) A network of devices such as vehicles, appliances, cameras, and many other embedded devices.

JTAG A hardware access interface that allows a penetration tester to perform debugging of hardware implementations. Debuggers can use JTAG to access registers, memory contents, and interrupts, and they can even pause or redirect software instruction flows.

KARMA A man-in-the-middle attack that creates a rogue AP and allows an attacker to intercept wireless traffic. KARMA stands for Karma Attacks Radio Machines Automatically. A radio machine could be a mobile device, a laptop, or any Wi-Fi–enabled device. In a KARMA attack scenario, the attacker listens for the probe requests from wireless devices and intercepts them to generate the same SSID for which the device is sending probes.

Kerberoast A set of tools for attacking Microsoft Kerberos implementations.

Keylogger A tool that an attacker uses to capture keystrokes of users in a system in order to steal sensitive data (including credentials). There are two main types of keyloggers: keylogging hardware devices and keylogging software. A hardware (physical) keylogger is usually a small device that can be placed between a user’s keyboard and the main system. Software keyloggers are dedicated programs designed to track and log user keystrokes.

Lock bypass A technique used in lockpicking to get past a lock. Locks may be bypassed in many ways, including by using simple loiding attempts (using a “credit card” or similar items against self-closing “latch” locks) and bypassing padlocks by shimming.

Lockpicking The act of manipulating or tampering with a lock to enter a building or obtain access to something else that is protected by a lock.

Malvertising The act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware.

Malware A computer program that is covertly placed onto a computer with the intent of compromising the privacy, accuracy, or reliability of the computer’s data, applications, or operating system. Common types of malware threats include viruses, worms, malicious mobile code, Trojan horses, rootkits, and spyware.

Master service agreement (MSA) A contract that can be used to quickly negotiate the work to be performed. It is built on a good foundation of the “master agreement,” so that the same terms do not have to be negotiated over and over every time someone performs work for a customer. MSAs are beneficial when someone is hired to perform a penetration test and knows that he or she will be rehired on a recurring basis to perform additional tests in other areas of the company or to verify that the security posture of the organization is improved as a result of prior testing and remediation.

Metasploit One of the most popular exploitation frameworks.

Meterpreter A post-exploitation module that is part of the Metasploit framework.

Methodology A section of a penetration testing report that provides details about the process followed. This section provides the details of the methodology that the tester followed and any modification made throughout the process.

Need-to-know A determination that a prospective recipient requires access to specific classified information in order to perform or assist in a lawful and authorized function. This determination helps manage the dissemination of information.

Network share enumeration The process of identifying systems on a network that are sharing files, folders, and printers, which is helpful in building out an attack surface of the internal network.

Nikto An open source, freely available web server scanner that can test for various issues, such as outdated server software, dangerous methods, and many other vulnerabilities typically found in web servers.

Non-disclosure agreement (NDA) A legal document and contract between a penetration tester and the organization hiring that person that specifies and defines confidential material, knowledge, and information that should not be disclosed and should be kept confidential from both parties.

Nonethical hacker A person who hacks into a computer network with malicious intent or to gain unauthorized access.

Open source intelligence gathering (OSINT) A method of gathering publicly available intelligence sources in order to collect and analyze information about a target. With OSINT, the act of collecting the information does not require any type of covert methods.

Out-of-band SQL injection A type of attack in which the attacker retrieves data using a different channel. For example, an email, a text, or an instant message could be sent to the attacker with the results of the query, or the attacker might be able to send the compromised data to another system.

Passive reconnaissance A method of information gathering in which the tool does not interact directly with the target device or network. There are multiple methods of passive reconnaissance. Some involve using third-party databases to gather information. Others also use tools in such a way that they will not be detected by the target.

PCI DSS Penetration Testing Guide A great reference for all aspects of the penetration testing process. This document covers topics such as penetration testing components, qualifications of a penetration tester, penetration testing methodologies, and penetration testing reporting guidelines.

Penetration testing Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, a system, or a network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.

Penetration testing report A report that follows a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.

Pharming A threat in which a threat actor redirects a victim from a valid website or resource to a malicious one that could be made to appear as the valid site to the user. From there, an attempt is made to extract confidential information from the user or to install malware in the victim’s system. Pharming can be done by altering the hosts file on a victim’s system, through DNS poisoning, or by exploiting a vulnerability in a DNS server.

Phishing A threat in which an attacker presents a link or an attachment that looks like a valid, trusted resource to a user. When the user clicks it, he or she is prompted to disclose confidential information such as a username and password.

Piggybacking A situation in which an unauthorized individual follows an authorized individual to enter a restricted building or facility.

PowerSploit A collection of PowerShell modules that can be used for postexploitation and other phases of an assessment.

Preferred network list (PNL) A list of trusted or preferred wireless networks that operating systems and wireless supplicants (clients) maintain. This list includes the wireless network SSID and clear-text, WEP, or WPA passwords. Clients use a PNL to automatically associate to wireless networks when they are not connected to an AP or a wireless router.

Pretexting A form of impersonation in which a threat actor presents himself or herself as someone else in order to gain access to information.

PsExec A utility used for executing processes on a Windows system.

Race condition A vulnerability in which a system or an application attempts to perform two or more operations at the same time but, due to the nature of such a system or application, the operations must be done in the proper sequence in order to be done correctly. When an attacker exploits such a vulnerability, he or she has a small window of time between when a security control takes effect and when the attack is performed. Race condition attacks are very difficult to perform. Race conditions are also referred to as time of check to time of use (TOCTOU) attacks. An example of a race condition is a security management system pushing a configuration to a security device (such as a firewall or an intrusion prevention system) and then rebuilding access control lists and rules from the system.

Rainbow tables Tables used to derive a password by looking at the hashed value. These precomputed tables are used for reversing cryptographic hash functions. A tool called RainbowCrack can be used to automate the cracking of passwords using rainbow tables.

Ransomware A type of malicious software that either encrypts or steals the target’s data and holds it for ransom until the threat actor is paid.

Reconnaissance The first step a threat actor takes when planning an attack, which involves gathering information about the target.

Ret2libc A “return-to-libc” attack, which is an attack that typically starts with a buffer overflow. In this type of attack, a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the executable memory of the process. This is done to potentially bypass the no-execute (NX) bit Linux feature and allow the attacker to inject his or her own code.

Reverse shell A vulnerability in which an attacking system has a listener (port open), and the victim initiates a connection back to the attacking system.

Risk appetite The amount of risk an organization is willing to accept.

Risk management The process of determining an acceptable level of risk (risk appetite and tolerance), calculating the current level of risk (risk assessment), accepting the level of risk (risk acceptance), or taking steps to reduce risk to the acceptable level (risk mitigation).

Risk tolerance How much of an undesirable outcome a risk taker is willing to accept in exchange for the potential benefit.

Risk transfer A process an organization follows when it wants to shift risk liability and responsibility to other organizations. It is often accomplished by purchasing a cyber insurance policy.

Rules of engagement A document that specifies the conditions under which a security penetration testing engagement will be conducted. It is important for a tester to document and agree upon the rules-of-engagement conditions with the client or another appropriate stakeholder.

Sandbox In cybersecurity, a means of isolating running applications to minimize the risk of software vulnerabilities spreading from one application to another. Sandboxes are also used to run untested or untrusted software from unverified or untrusted third parties, suppliers, users, or websites. For example, sandboxes are used in order to test malware without allowing the software to compromise the host system. In web development, a sandbox is a mirrored production environment that developers use to create an application before migrating it to a production environment. Companies like Amazon, Google, and Microsoft, among others, provide sandboxing services.

Scanning The process of sending packets or requests to another system to gain information to be used in a subsequent attack.

Scarcity A technique used to create a feeling of urgency in a decision-making context, both to manipulate clients and in social engineering. It may involve telling a customer that the offer is valid for one day only or that there are limited supplies.

Service enumeration The process of identifying the services running on a remote system. This is the main focus of Nmap port scanning.

Shell A utility (software) that acts as an interface between a user and the operating system (the kernel and its services). For example, in Linux there are several shell environments, such as bash, ksh, and tcsh. In Windows, the shell is the command prompt (command-line interface), which is invoked by cmd.exe as well as PowerShell.

Shodan A search engine for devices connected to the Internet that continuously scans the Internet and exposes its results to users via the website https://www.shodan.io and also via an API. Attackers can use this tool to identify vulnerable and exposed systems on the Internet (such as misconfigured IoT devices, infrastructure devices, and so on). Penetration testers can use this tool to gather information about potentially vulnerable systems exposed to the Internet without actively scanning the victim.

Shoulder surfing A process in which an attacker obtains information such as personally identifiable information (PII), passwords, and other confidential data by looking over the victim’s shoulder.

Simple Object Access Protocol (SOAP) An API standard that relies on XML and related schemas. XML-based specifications are governed by XML Schema Definition (XSD) documents.

Social engineering A process in which attackers try to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious.

Social proof A psychological phenomenon in which an individual is not able to determine the appropriate mode of behavior. For example, when an individual enters into unfamiliar situations or doesn’t know how to deal with a situation, he or she may observe others acting or doing something in a certain way to determine whether it is appropriate. It is possible to manipulate multiple people at once by using this technique.

Software development kit (SDK) A collection of software development tools that can be used to interact and deploy a software framework, an operating system, or a hardware platform. An SDK can also help penetration testers understand certain specialized applications and hardware platforms in an organization being tested.

Spear phishing Phishing attempts that are constructed in a very specific way and directly targeted to specific individuals or companies. The attacker studies the victim and the victim’s organization to make emails look legitimate, perhaps even as though they are from trusted users within the corporation.

SQL injection (SQLi) Vulnerabilities that can be catastrophic because they can allow an attacker to view, insert, delete, or modify records in a database. In an SQL injection attack, the attacker inserts, or “injects,” partial or complete SQL queries via a web application. SQL commands are injected into data-plane input in order to execute predefined SQL commands.

Statement of work (SOW) A document that specifies the activities to be performed during a penetration testing engagement. It can be used to define project (penetration testing) timelines, including the report delivery schedule, the scope of the work to be performed, the location of the work, special technical and nontechnical requirements, and a payment schedule. An SOW can also spell out miscellaneous items that may not be part of the main negotiation but that need to be listed and tracked because they could pose problems during the engagement.

Stealth scan The process of running a scan without alerting the defensive position of the environment. It involves implementing a vulnerability scanner in such a manner that the target is unlikely to detect the activity.

Swagger (OpenAPI) A modern framework of API documentation and development that is the basis of the OpenAPI Specification (OAS). Swagger documents can be extremely beneficial when testing APIs.

Sysinternals A suite of tools that allows administrators to control Windows-based computers from a remote terminal. It is possible to use Sysinternals to upload, execute, and interact with executables on compromised hosts. The entire suite works from a command-line interface and can be scripted to run commands that can reveal information about running processes and to kill or stop services.

Tailgating See piggybacking.

Threat Any circumstance or event that has the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat source to successfully exploit a particular information system vulnerability.

Threat actor A person or group who is responsible for a security incident. The main categories of threat actors are organized crime, insider threat, state sponsored, and hacktivist.

Unauthenticated scan A method of vulnerability scanning that is used to perform a “black box” type of penetration test. It scans only the network services that are exposed to the network as there are no credentials used for access to the target.

User enumeration The process of gathering a valid list of users, which is the first step in cracking a set of credentials. Armed with the username, it is possible to begin attempts to brute-force the password of the account. User enumeration is performed again after gaining access to the internal network.

Vulnerability A weakness in an information system or in system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Vulnerability scanning A technique used to identify hosts or hosts’ attributes and associated vulnerabilities.

War driving A methodology attackers use to find wireless access points wherever they may be. The attacker just drives around (or walks) and can obtain a significant amount of information over a very short period of time.

Web Application Description Language (WADL) An XML-based language for describing web applications.

Web page enumeration/web application enumeration A process that involves looking at a web application and mapping out the attack surface.

Web Services Description Language (WSDL) An XML-based language that is used to document the functionality of a web service.

Web session A sequence of HTTP request and response transactions between a web client and a server, including pre-authentication tasks, the authentication process, session management, access control, and session finalization. Numerous web applications keep track of information about each user for the duration of the web transactions. Several web applications have the ability to establish variables such as access rights and localization settings; these variables apply to each and every interaction a user has with the web application for the duration of the session.

Whaling An attack that is similar to phishing and spear phishing except that it is targeted at high-profile business executives and key individuals in a company. Whaling emails are designed to look like critical business emails or as though they come from someone with legitimate authority, externally or even internally from the company itself. Whaling web pages are designed to specifically address high-profile victims.

Windows Management Instrumentation (WMI) The infrastructure used to manage data and operations on Windows operating systems. It is possible to write WMI scripts or applications to automate administrative tasks on remote computers. WMI also provides functionality for data management to other parts of the operating system, including the System Center Operations Manager and the Windows Remote Management (WinRM). Threat actors use WMI to perform different activities in a compromised system.

Zero day An attack that exploits a previously unknown hardware, firmware, or software vulnerability.