.07 RG Vocab offensive security Flashcards
Penetration test and ethical hacking
A simulated series of tests performed by a team or individual behaving in the same manner and using the same tactics, techniques, and procedures (TTPs) as an advanced adversary while taking care not to do any harm to assets or data.
Vulnerability assessment
A review of possible system weaknesses against a list of known vulnerabilities, often with recommendations for update or correction. This type of assessment is nowhere near as comprehensive as a penetration test, but it can provide a quick look into an organization’s points of weakness.
Service Organization Control 2 (SOC 2) compliance
Used by businesses that deal in finance and accounting, SOC 2 compliance requires ongoing security evaluations, including periodic penetration testing.
Payment Card Industry Data Security Standard (PCI DSS)
Businesses that maintain customer payment card data must adhere to these standards to combat payment card fraud. The PCI standards on penetration testing are among the most detailed of all regulatory requirements, specifying differences between penetration tests and vulnerability scans.
ISO 27001
This is largely a voluntary standard. Organizations that wish to establish the depth of their internal process controls will seek this certification, which requires penetration tests as part of the risk management portion.
General Data Protection Regulation (GDPR)
The GDPR encompasses all businesses in the European Union, particularly those that deal with the personally identifiable information of European citizens. The GDPR guidelines require regular penetration tests to strengthen data protection and privacy.
Gray Hat Hacking
Often tied to bug bounties, this refers to the gray area between legal and illegal, where practitioners may conduct pentest activities without explicit permission to discover (and possibly profit from) vulnerabilities.
ATT&CK
An acronym that stands for “adversarial tactics, techniques, and common knowledge.” The framework focuses on the offensive side of an attack rather than the defensive.
Initial Access
“Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network.” —MITRE (2019)
● Phishing
● Supply chain compromise
Lateral Movement
“Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.” —MITRE (2019)
● Access token manipulation
● Domain policy modification
Discovery
“Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network.” —MITRE (2019)
● Account discovery
● Network sniffing
Reconnaissance phase
The process of gathering information about a target
Weaponization phase
Creating or sourcing the correct tools to exploit the target system
Delivery phase
Getting the malicious payload to the target’s machine or system
Exploitation phase
Implemented after successful delivery; a vulnerability is exploited to gain access to the system.
Installation phase
Installation of a backdoor or other system of persistence on the target system; often includes modifying or “time-stomping” logs to avoid detection.
Command and Control (C2) phase
Opening and maintaining communication channels between the target system and the attacker’s
Action on Objects phase
The hacker achieves their goal or continues escalating and pivoting through the system to establish more persistence or access more resources. Exfiltration of data and destruction of systems can be aspects of this phase.
Phishing
The most common social engineering technique, whereby an attacker sends a fraudulent email from a seemingly reputable and trusted source.
Vishing and smishing
Forms of phishing performed via phone calls or text messages.
Pretexting
Occurs when the attacker impersonates someone powerful or meaningful to the target to get them to comply with demands.
Baiting
The attacker provides the victim with something enticing to lure them into a social engineering trap.
Tailgating and piggybacking
Occur when the attacker follows an individual into an organization unnoticed.
Spear phishing
Researched, targeted attacks against specific individuals within an organization.
Whaling
Highly targeted attacks against specific individuals within an organization—often C-Suite executives, HR directors, or other managers with significant access to company resources.
Nmap
An open-source tool that lets you perform scans on remote networks. It can discover protocols, open ports, and operating system information on remote machines.
Nessus
Typically used as a vulnerability assessment tool but contains the same features as Nmap; slower than Nmap but provides the ability to output clean reports and also suggests mitigation measures.
Hydra
Commonly used to crack passwords to online services such as SSH, FTP, or IMAP. Tools such as this are the primary reason that enterprises rate-limit password attempts.
Hashcat
The self-proclaimed “fastest and most advanced password recovery utility,” Hashcat is the “go-to pentesting tool to crack hashes,” supporting various kinds of password attacks.
Metasploit
Allows the pentester to pick an exploit, select a payload, and fire it at a remote target; touted as the “world’s most used penetration testing framework.”
Burp Suite
An effective web vulnerability scanner that offers many of the same features as Nessus.
Kali Linux
Developed by the group Offensive Security (known as OffSec), Kali Linux is prepackaged with most of the tools commonly used by penetration testers. It is free to download and optimized for offense (not defense), meaning that it is easily exploited. Kali Linux is used extensively in the extended program.
Denial of Service (DoS) / Distributed Denial of Service (DDoS)
“A malicious, targeted attack that floods a network with false requests in order to disrupt business operations” —CrowdStrike (2021)
The main difference between DoS and DDoS is the origin of the attack. A DoS attack originates from a single system, whereas DDoS attacks originate from multiple systems.
On-Path attack
An adversary places their system between a user and an external connection endpoint (typically a web application) to collect personal data, passwords, and banking details, then impersonates the individual to gain access or additional information.