Index
A
access control vestibule, 156
active reconnaissance, 59, 93. See also enumeration
eavesdropping, 125
host enumeration, 102
network share enumeration, 105–107
packet inspection, 125
service enumeration, 119
tools
Zenmap, 436
web page/web application enumeration, 116–118
AFL (American Fuzzy Lop), 503
amplification DDoS attacks, 210–211
anonymous FTP login verification, 198–199
anti-malware, 151
APIs, 295. See also REST (representational state transfer) APIs
documentation, 296
securing, 297
testing, 297
vulnerabilities, 296
application-based penetration testing, 10
arithmetic operators, 404
arrays, 404
Art of Hacking Github repository, 452
authentication. See also Kerberos
multifactor, 386
authentication-based exploits, 320
default credentials, 278
Kerberos vulnerabilities and, 278
authorization-based vulnerabilities
Insecure Direct Object Reference, 280
AWS (Amazon Web Services), 208
Customer Support Policy for Penetration Testing, 10–11
Shared Responsibility Model, 10–11
B
backdoors, persistence and, 355
background checks, 48
badge cloning, 157
in-band SQL injection, 262
Bash shell, 406
BeEF (Browser Exploitation Framework), 167–169, 493–494
BGP (Border Gateway Protocol), route manipulation attacks, 207
bilateral NDA (non-disclosure agreement), 38
connecting to, 349
BLE (Bluetooth Low Energy), 232, 329
blind SQL injection, 262
BloodHound, 364
blue team, 26
bluesnarfing, 232
Boolean operators, 404
breaches, company reputation and, 72–73
brute-force attacks, 474
bug bounty, 92
bug bounty programs, 12
Burp Suite, 296, 299, 300, 327
Bursztein, Elie, 155
C
C2 (command and control systems), 352–354
Cain, 469
CAPEC (Common Attack Pattern Enumeration and Classification), 139
CAs (certificate authorities), 71
CCPA (California Consumer Privacy Act), 36
Censys, 432
CERT, 137
certificate pinning, 326
certificate revocation, 70
certificate transparency, 71
CFTC (Commodity Futures Trading Commission), 29
CIS Benchmarks, 335
classes, 406
clickjacking, 289
cloud computing
attacks against misconfigured assets, 320–321
credential harvesting, 311–313
deployment models, 310
malware injection attacks, 323
metadata service attacks, 319
models, 310
penetration testing and, 10–11
service providers, 68–69, 368–371
side-channel attacks, 323
tools, 505
command(s). See also nmap; tools
PowerShell, 359
Common Weakness Enumeration (CWE) ID 840, 256–257
triggers, 391
compliance-based assessments, 26–27. See also regulations
compromised systems. See also maintaining persistence
communicating with, 357
maintaining persistence, 345
conditionals, 404
images, scanning for vulnerabilities, 335–336
cookie(s), 253–254. See also persistence
session hijacking and, 275–277
XSS (cross-site scripting), mitigations, 286–287
corporate policies, 36
credential harvesting, 231. See also Social-Engineer Toolkit (SET)
tools
Cain, 469
John the Ripper, 464–465, 466–467, 468
Johnny, 469
Medusa, 474
Ncrack, 474
credit cards, 32–33. See also PCI DSS (Payment Card Industry Data Security Standard):
crt.sh, 71
CSPs (cloud service providers), 10–11
CSRC (Computer Security Resource Center), 7
CSRF (cross-site request forgery) attacks, 288–289
CSV (comma-separated value) files, 404
custom daemons and processes, persistence and, 355
CVE (Common Vulnerabilities and Exposures), 139
CVSS (Common Vulnerability Scoring System), 139–140
CWE (Common Weakness Enumeration), 139
cybersecurity governance program, 49
D
D20 attacks, 322
data exfiltration, 355
data structures, 404
DDoS attacks, 209–210, 321–322
deauthentication attacks, 220–221
decompilation, disassembly, and debugging tools
GDB (GNU Project Debugger), 494–496
Immunity Debugger, 498
Windows Debugger, 496
default credentials, 278
defense-in-depth, 8
DHCP starvation attacks, 215–216
dictionaries, 404
DirBuster, 463
directory traversal exploits, 290–291
disclaimers, 39
DNS
Dig tool, 63
DNSSEC (Domain Name System Security Extensions), 189
Docker images, scanning tools, 335–336
DOM (Document Object Model), 284
D20 attacks, 322
resource exhaustion and, 322
double-tagging VLAN hopping attack, 214–215
DRM (digital rights management), 317
dumpster diving, 156
E
eavesdropping, 125
elicitation, 149
email phishing, 152. See also SMS phishing
whaling, 153
emergency contact card, 45
post-exploitation activities, 362–363
law enforcement and, 483
security products and, 483–484
web proxies and, 484
enum4linux tool, 109–116, 437–442
enumeration, 80–82. See also Scapy
host, 102
service, 119
using enum4linux tool, 109–116
using smbclient, 116
web page/web application, 116–118
error handling, exploiting, 294
evasion, tools, 478
Proxychains, 483
Exif (Exchangeable Image File Format), 76–77
exploitation frameworks
BeEF (Browser Exploitation Framework), 493–494
initializing the database, 487–488
training, 489
exploit-db.com, 406
exploits, 7. See also post-exploitation activities
chaining, 233
anonymous login verification, 198–199
mitigating, 199
scanning an FTP server, 198
SMB, 182
searchsploit command and, 182–185
SMTP
F
false positives, 392
FedRAMP (Federal Risk and Authorization Management Program), 27
feroxbuster, 301
ffuf, 246
customizing your exams, 515–516
suggested plan for final review, 517
financial regulations, 28
GLBA (Gramm-Leach-Bliley Act), 28–29
NY DFS Cybersecurity Regulation, 29–30
Findsecbugs, 502
FOCA (Fingerprinting Organization with Collected Archives), 416
FTC (Federal Trade Commission), 29
anonymous login verification, 198–199
mitigating, 199
scanning an FTP server, 198
fuzzers
AFL (American Fuzzy Lop), 503
Mutiny Fuzzing Framework, 503
Peach, 503
G
GDB (GNU Project Debugger), 494–496
GDPR (General Data Protection Regulation), 27, 36, 415
GHDB (Google Hacking Database), 80–82
Github repository, 19, 406, 453
Art of Hacking, 452
GLBA (Gramm-Leach-Bliley Act), 28–29
gobuster, 300
golden ticket attack, 202–203, 278
GraphQL, 42
H
h4cker.org
digital certificate, 71
information gathering on, 419–421
hacking, 7
unethical, 3
hackingisnotacrime.org, 7
hacktivists, 9
HIPAA (Health Insurance Portability and Accountability Act of 1996):, 27
host enumeration, 102
HTTP (Hypertext Transfer Protocol), 244, 245, 251–252, 296
session hijacking and, 275–277
proxies, 245
session hijacking and, 273–277
hyperjacking, 333
I
Iaas (infrastructure as a service), 310
IAM (identity and access management), 320
ICANN (Internet Corporation for Assigned Names and Numbers), 415
ICMP rate limiting, 97
Immunity Debugger, 498
information gathering
OSINT (open-source intelligence) gathering, 84
from public source code repositories, 83
Recon-ng, 84
installing, 88
setting the source domain and running a query, 89–90
Insecure Direct Object Reference vulnerabilities, 280
insider threats, 9
installing, Recon-ng, 88
interference attacks, 221
interrogation, 149
IoT (Internet of Things), 328
special considerations, 329–330
vulnerabilities, 330
management interface, 332
IPMI (Intelligent Platform Management Interface), 332
ISSAF (Information Systems Security Assessment Framework), 15
IV (initialization vector) attacks, 222
J
jailbreaking, 317
John the Ripper, 464
creating users in Linux, 465
supported cyphertext formats, 464–465
users’ password hashes, 466
wordlists, 468
Johnny, 469
JPCERT (Japan Computer Emergency Response Team), 138
JSON (JavaScript Object Notation), 250–251, 404
K
Kennedy, D., 11
Kerberoasting, 204
Kerberos
golden ticket attack, 202–203, 278
silver ticket attacks, 203
vulnerabilities, 278
known-environment testing, 12–13, 47–48
L
lab environment
recovery method and, 19
requirements and guidelines, 17–18
virtualized, 19
VMs (virtual machines), 17
law enforcement, encryption and, 483
LDAP injection attacks, 272–273
least privilege concept, 326
legitimate utilities
BloodHound, 364
Empire, 363
WinRM (Windows Remote Management), 366
WMI (Windows Management Instrumentation), 364
LFI (local file inclusion) vulnerability, 292
Linux
distributions, 3, 16, 255–256, 409
Parrot OS, 411
lists, 404
living-off-the-land, 358
LLMNR (Link-Local Multicast Name Resolution), 182. See also network attacks
logic constructs
arithmetic operators, 404
Boolean operators, 404
conditionals, 404
loops, 403
string operators, 404
loops, 403
Luhn algorithm, 33
M
MAC spoofing, 205
maintaining persistence
bind shells, 349
connecting to, 349
C2 (command and control systems), 352–354
custom daemons, processes, and additional backdoors, 355
new user accounts and, 355
connecting to, 350
executing commands via, 350
scheduled jobs and tasks, 354–355
malicious attackers, 8
hacktivists, 9
insider threats, 9
state-sponsored attackers, 9
malvertising, 151
metadata service attacks, 319
EternalBlue exploit and, 186–187
initializing the database, 487–488
RDP post-exploitation module, 358
Ruby and, 407
scripts, 493
training, 489
methodology(ies)
Information Systems Security Assessment Framework (ISSAF), 15
MITRE ATT&CK, 13
NIST Special Publication (SP) 800–115, 14
Open Source Security Testing Methodology Manual (OSSTMM), 14
Penetration Testing Execution Standard (PTES), 15
Web Security Testing Guide, 13–14
methods of influence, 170
MFA (multifactor authentication), 386
MIB (Management Information Base), 189
MITRE ATT&CK, 13
mobile devices
certificate pinning, 326
insecure storage and, 325
passcode vulnerabilities and biometrics integration, 325–326
sandbox analysis, 325
security-testing tools, 327
spamming, 325
vulnerable components, 326
modules, Recon-ng, 88–89, 91, 429–430
MSA (master service agreement), 37
multilateral NDA (non-disclosure agreement), 38
Mutiny Fuzzing Framework, 503
N
NAC (Network Access Control) bypass, 211–213
Ncrack, 474
NDA (non-disclosure agreement), 37–38
Nessus, 446
NetBIOS, 180–181. See also network attacks
commands, 351
creating a bind shell, 348–349
creating a reverse shell, 349–350
network attacks, 180. See also wireless network attacks
anonymous login verification, 198–199
mitigating, 199
scanning an FTP server, 198
Kerberoasting, 204
Kerberos delegation and, 203
LLMNR poisoning, 182
NAC (Network Access Control) bypass and, 211–213
on-path, 204
MAC spoofing, 205
route manipulation, 207
silver ticket, 203
SMB exploits, 182
searchsploit command and, 182–185
SMTP exploits, 191
smtp-user enum command, 193–195
network infrastructure tests, 10
network share enumeration, 105–107
new users, persistence and, 355
Nexpose, 446
scanning a full subnet, 456
scanning a web application, 454–455
NIST (National Institute of Standards and Technology), 138
Special Publication (SP) 800–115, 14
Special Publication (SP) 800–145, 309
scanning an FTP server, 198
timing options, 101
note taking, 383
NSE (Nmap Scripting Engine) scripts, 107–109
SNMP exploits and, 190
nslookup command, 188, 413–414
NTLM (New Technology LAN Manager), pass-the-hash attacks and, 199–200
NY DFS Cybersecurity Regulation, 29–30
O
OAS (OpenAPI Specification), 324
OSINT (open-source intelligence) gathering, 84
OSSTMM (Open Source Security Testing Methodology Manual), 14
out-of-band SQL injection, 262, 267–268
OWASP (Open Web Application Security Project), 10, 256, 297
Authentication Cheat Sheet, 253, 274
SQLi mitigations, 271
Web Security Testing Guide, 13–14
ZAP (Zed Attack Proxy), 280, 300, 456–457
P
PaaS (platform as a service), 310
packet crafting, 119–124. See also Scapy
packet inspection, 125
Parrot OS, 411
partially known environment test, 13
passive reconnaissance, 59, 63–64. See also information gathering
cryptographic flaws and, 70–72
identification of technical and administrative contacts, 64–68
public source code repositories and, 83
strategic search engine analysis, 80–82
tools
Censys, 432
Dig, 414
FOCA (Fingerprinting Organization with Collected Archives), 416
pass-the-hash attacks, 199–200, 356
password
attacks, pass-the-hash, 199–200
cracking, John the Ripper and, 466–467
spraying, 233
MAC spoofing, 205
PCI DSS (Payment Card Industry Data Security Standard):, 27
Luhn algorithm and, 33
application-based, 10
bug bounty programs and, 12
communication
triggers, 391
corporate policies and, 36
environmental considerations, 10–11, 12–13
known-environment testing, 12–13, 47–48
methodologies, 9
Information Systems Security Assessment Framework (ISSAF), 15
MITRE ATT&CK, 13
NIST Special Publication (SP) 800–115, 14
Open Source Security Testing Methodology Manual (OSSTMM), 14
Penetration Testing Execution Standard (PTES), 15
Web Security Testing Guide, 13–14
need for, 8
network infrastructure tests, 10
partially known environment, 13
physical security and, 11
planning and preparation phase, 26
post-engagement cleanup, 393–394
post-report activities, 394
scope creep, 9
SOW (statement of work), 35
unknown-environment testing, 12, 47
Perl, 408
persistence, 345, 351–352. See also maintaining persistence
connecting to, 349
custom daemons, processes, and additional backdoors, 355
new user accounts and, 355
connecting to, 350
credential harvesting, 349–350
executing commands via, 350
scheduled jobs and tasks, 354–355
phishing attacks, 152
SMS, 154
whaling, 153
physical attacks
badge cloning, 157
dumpster diving, 156
shoulder surfing, 156
tailgating, 156
physical security, penetration testing and, 11
Piessens, F., 228
piggybacking, 156
pivot attacks, 155
point-in-time assessment, 46
policies, corporate, 36
POODLE (Padding Oracle on Downgraded Legacy Encryption) vulnerability, 206–207
post-engagement cleanup, 393–394
post-exploitation activities. See also maintaining persistence; persistence
legitimate utilities and, 358
BloodHound, 364
WinRM (Windows Remote Management), 366
WMI (Windows Management Instrumentation), 364
privilege escalation, 317–318, 366–367
PowerShell, 408
for post-exploitation tasks, 359–360
pre-engagement
answering client questions, 45–46
background checks, 48
disclaimers, 39
permission to attack, 41
reporting of breaches/criminal activity, 48
rules of engagement document, 40–41
time management and, 44
understanding your target audience, 44–45
validating the scope of engagement, 43–46
preferred network list attacks, 221
privacy. See also confidentiality, GDPR (General Data Protection Regulation), 27, 36, 415
privilege escalation, 317–318, 366–367
procedures, 405
programming, 403. See also programming languages
classes, 406
data structures, 404
libraries, 405
logic constructs, 403
arithmetic operators, 404
Boolean operators, 404
conditionals, 404
loops, 403
string operators, 404
PowerShell and, 408
procedures, 405
programming languages
Bash, 406
Perl, 408
Python, 407
Ruby, 407
Proxychains, 483
PTES (Penetration Testing Execution Standard), 15
public source code repositories, 83
Pupy, 182
Python, 407
Q
Qualys, 447
query throttling, 135
R
reconnaissance, 55, 59, 60. See also active reconnaissance; passive reconnaissance
active, 59
cryptographic flaws and, 70–72
identification of technical and administrative contacts, 64–68
public source code repositories and, 83
strategic search engine analysis, 80–82
passive reconnaissance, Shodan and, 91–92
installing, 88
querying Shodan, 431
setting the source domain and running a query, 89–90
red team, 26
reflected DoS attacks, 209–210
reflected XSS attacks, 282–283
data isolation and, 34
FedRAMP (Federal Risk and Authorization Management Program), 27
financial, 28
GLBA (Gramm-Leach-Bliley Act), 28–29
NY DFS Cybersecurity Regulation, 29–30
GDPR (General Data Protection Regulation), 27
HIPAA (Health Insurance Portability and Accountability Act of 1996):, 27
password management and, 34
PCI DSS (Payment Card Industry Data Security Standard):, 27
Luhn algorithm and, 33
Wassenaar Arrangement, 28
report(s)
audience, 379
common themes/root causes, 384–385
CVSS (Common Vulnerability Scoring System), 380–381
examples of, 380
explaining post-report delivery activities, 393
goal reprioritization and presentation of findings, 392–393
note taking and, 383
recommendations
administrative controls, 388–389
physical controls, 390
REST (representational state transfer) APIs, 42, 250–251, 295
connecting to, 350
executing commands via, 350
RFI (remote file inclusion) vulnerabilities, 292–293
RFID (radio-frequency identification) attacks, 232–233
risk management, 50
route manipulation attacks, 207
Ruby, 407
rules of engagement document, 40–41
S
SaaS (software as a service), 310
SAM (Security Accounts Manager), pass-the-hash attacks and, 199–200
sandbox analysis, 325
Is() function, 121
listing available DNS packet fields, 122
listing the TCP Layer 4 fields, 121–122
sending a TCP SYN packet, 124
scheduled jobs and tasks, persistence and, 354–355
allow/deny list, 48
cybersecurity governance program, 49
scripts, Metasploit, 493. See also NSE (Nmap Scripting Engine) scripts
SDKs (software development kits), 42, 324
searchsploit command, 182–185, 322
finding known SMTP exploits, 195–197
SEC (Securities and Exchange Commission), 29
secrets management, 387
sensitive data, 355
service enumeration, 119
session ID, 274
SET (Social-Engineer Toolkit), 11, 157–166
querying, 431
shoulder surfing, 156
side-channel attacks, 323
signal jamming, 221
silver ticket attacks, 203
SLA (service-level agreement), 36
SMB exploits, 182
searchsploit command and, 182–185
smbclient, 116
SMS phishing, 154
SMTP, 191
finding known exploits, 195–197
smtp-user enum command, 193–195
VRFY command, 193
SNMP (Simple Network Management Protocol) exploits, 189–191
SOAP (Simple Object Access Protocol), 41, 295
social engineering, 11, 151. See also physical attacks
credential harvesting, 231
elicitation, 149
email phishing, 152
whaling, 153
interrogation, 149
methods of influence, 170
SMS phishing, 154
watering hole attacks, 155
Social-Engineer Toolkit (SET), credential harvesting, 315–316
entering the credential harvester’s IP address, 315
harvesting the user credentials, 317
selecting a predefined web template, 314
selecting the attack method, 313–314
selecting website attack vectors, 313
software assurance, tools
Findsecbugs, 502
SonarQube, 503
SpotBugs, 502
SonarQube, 503
SOW (statement of work), 35, 37
spamming, 325
SpotBugs, 502
SQL (Structured Query Language)
database fingerprinting, 264–265
SQLi (SQL injection), 258, 261–262
in-band, 262
blind, 262
exploiting a vulnerability, 262–263
mitigations, 270
surveying a stored procedure, 269–270
time-delay technique, 269
UNION exploitation technique, 265–266
using numeric-based user input, 261
using string-based user input, 260–261
exploiting and SQL injection vulnerability, 448–450
retrieving sensitive information from a database, 450–452
state-sponsored attackers, 9
stealth scans, 132
STP (Spanning-Tree Protocol), on-path attacks and, 193
strategic search engine analysis, 80–82
stress testing, 211
string operators, 404
SYN flood attacks, 208
T
tailgating, 156
tesla.com, whois information, 65–68
threat actors, 8
hacktivists, 9
insider threats, 9
state-sponsored attackers, 9
time management, 44
tools. See also passive reconnaissance, tools
BeEF (Browser Exploitation Framework), 167–169, 493–494
Censys, 432
cloud, 505
credential harvesting
Cain, 469
John the Ripper, 464–465, 466–467, 468
Johnny, 469
Medusa, 474
Ncrack, 474
crt.sh, 71
for evasion, 478
Proxychains, 483
FOCA (Fingerprinting Organization with Collected Archives), 416
fuzzers
AFL (American Fuzzy Lop), 503
Mutiny Fuzzing Framework, 503
Peach, 503
legitimate utilities, 358
BloodHound, 364
Empire, 363
WinRM (Windows Remote Management), 366
WMI (Windows Management Instrumentation), 364
EternalBlue exploit and, 186–187
initializing the database, 487–488
scripts, 493
training, 489
commands, 351
creating a reverse shell, 349–350
scanning an FTP server, 198
timing options, 101
nslookup command, 188, 413–414
Pupy, 182
installing, 88
querying Shodan, 431
setting the source domain and running a query, 89–90
SDKs (software development kits), 324
finding known SMTP exploits, 195–197
SET (Social-Engineer Toolkit), 157–166
smbclient, 116
smtp-user enum command, 193–195
SQLmap, 270
exploiting and SQL injection vulnerability, 448–450
retrieving sensitive information from a database, 450–452
for testing mobile device security, 327
vulnerability scanners, 125–126
analyzing scan results, 136–137
bandwidth limitations, 135
DirBuster, 463
Nessus, 446
network topology and, 134
nontraditional assets, 135–136
OWASP ZAP (Zed Attack Proxy), 456–457
protocols and, 134
Qualys, 447
query throttling, 135
stealth scans, 132
timing of scans, 134
unauthenticated scans, 127
wireless hacking, 504
Wireshark, 247
Zenmap, 436
training, Metasploit, 489
trees, 404
true negatives, 392
typosquatting, 321
U
unauthenticated scans, 127
unethical hacking, 3
unilateral NDA (non-disclosure agreement), 38
United States, Computer Fraud and Abuse Act, 35
unknown-environment testing, 12, 47
API parameters and, 296
US-CERT (U.S. Computer Emergency Readiness Team), 137
V
Vanhoef, M., 228
double-tagging hopping attack, 214–215
hopping, 214
VMs (virtual machines), 10–11, 16, 17, 332–333
escape vulnerabilities, 333
hyperjacking, 333
repository vulnerabilities, 334
vulnerabilities, 7. See also exploits; post-exploitation activities
of containerized workloads, 334–336
CVSS (Common Vulnerability Scoring System), 139–140
IoT (Internet of Things), 330
management interface, 332
in LLMNR, 182
POODLE (Padding Oracle on Downgraded Legacy Encryption), 206–207
vulnerability scanners, 125–126
analyzing scan results, 136–137
bandwidth limitations, 135
DirBuster, 463
Nessus, 446
network topology and, 134
Nexpose, 446
Nikto, 453
scanning a full subnet, 456
scanning a web application, 454–455
nontraditional assets, 135–136
OWASP ZAP (Zed Attack Proxy), 456–457
protocols and, 134
Qualys, 447
query throttling, 135
exploiting and SQL injection vulnerability, 448–450
retrieving sensitive information from a database, 450–452
stealth scans, 132
timing of scans, 134
unauthenticated scans, 127
w3af, 458
launching an SQL injection audit, 462–463
W
w3af, 458
launching an SQL injection audit, 462–463
WADL (Web Application Description Language), 42
war driving, 222
Wassenaar Arrangement, 28
watering hole attacks, 155
web applications. See also SQLi (SQL injection)
APIs, 295
documentation, 296
securing, 297
testing, 297
vulnerabilities, 296
clickjacking, 289
CSRF (cross-site request forgery) attacks, 288–289
exploiting directory traversal vulnerabilities, 290–291
exploiting insecure code practices
comments in source code, 293–294
error handling and, 294
hard-coded credentials, 294
hidden elements, 298
lack of code signing, 298
Insecure Direct Object Reference vulnerabilities, 280
LFI (local file inclusion) vulnerability, 292
RFI (remote file inclusion) vulnerabilities, 292–293
XSS (cross-site scripting)
vulnerabilities, 281
web development frameworks, 254
web page/web application enumeration, 116–118
Web Security Testing Guide, 13–14
websites
BlackArch Linux, 411
exploit-db.com, 406
FedRAMP, 27
GDPR, 27
Github repository, 19, 406, 453
hackingisnotacrime.org, 7
PCI DSS, 27
resources to learn JavaScript, 408–409
resources to learn Perl, 408
resources to learn PowerShell, 408
resources to learn Python, 407
resources to learn Ruby, 407
whaling, 153
whois tool, 64–68, 69, 415–416
Windows Debugger, 496
WinRM (Windows Remote Management), 366
wireless hacking tools, 504
wireless network attacks, 216
BLE (Bluetooth Low Energy), 232
bluesnarfing, 232
IV (initialization vector), 222
preferred network list, 221
RFID (radio-frequency identification), 232–233
signal jamming, 221
SSID and, 218
war driving, 222
WPA3 vulnerabilities and, 229
WPS (Wi-Fi Protected Setup) PIN, 229
Wireshark, 247
WMI (Windows Management Instrumentation), 364
WPS (Wi-Fi Protected Setup) PIN attacks, 229
WSDL (Web Services Description Language), 42
X
XSS (cross-site scripting)
vulnerabilities, 281
Y-Z
ZAP (Zed Attack Proxy), 456–457
Zenmap, 436