Domain 6, Security Assessments and Testing Flashcards
Dynamic Testing
tests code, while it’s being executed
Fuzzing
‘black box’ testing that submits random malformed data as inputs to software to see if it crashes
pen test
authorized attempt to break in
Static testing
Tests code passively, code is not running
Synthetic transactions
AKA Synthetic monitoring, involves building scripts or tools that simulate activities normally performed by an application.
Scope of assessment
What are we testing? Why are we testing that?
War Dialing
Uses a modem to dial a series of phone numbers looking for other Modems.
Social Engineering
Trick people into letting you in.
zero knowledge test
blind test. Hacker has zero knowledge of what they’re testing.
Full knowledge test
AKA Crystal Box
Pen tester has all network info availalbe to help with testing
Partial knowledge test
Tests are in between zero and full knowledge.
Metasploit
open source framework for exploitations.
Pen testing Methodology
- Planning
- Reconnaissance
- Scanning (enumeration)
- Vulnerability assessment
- Exploitation
- Reporting
Vulnerability Testing/Scanning
Scans a network/system for a list of predefined vulnerabilities.
Nessus
Vuln scan tool