PenTest+ Study Notes 12 Flashcards

1
Q

A bind shell is established when the target system "binds" its shell to a local network port.

A reverse shell is established when the target machine connects back to an attack machine that is listening on a specific port.

Reverse shells are typically more effective as backdoors because they bypass the aforementioned problems with bind shells. The attacker has more control over their own environment and is less likely to be obstructed by port filtering or NAT. In addition, a reverse shell can be created from the target system using a wide array of tools other than Netcat, including Bash, PowerShell, Python, Ruby, PHP, Perl, Telnet, and many more.

A

2
Q

Cron job : A scheduled task that is managed by the Linux cron daemon.

C-Suite refers to top-level management personnel, usually with "chief" in their title, such as CEO, CTO, CIO, CSO, CISO, etc. These are senior executives who are likely to be responsible for making decisions based on the results and recommendations.

Third-party stakeholders are the people not directly involved with the client but who may still be involved in a process related to the penetration test report. These include providers, investors, regulators, and similar entities.

A

3
Q

An executive summary is a high-level and concise overview of the penetration test, its findings, and their impact. It aims to provide a summary of the process and results: a brief and simple explanation of the procedure, notable findings expressed in a non-technical manner, and some of their implications.

An attack narrative is a detailed explanation of the steps taken while performing the activities. This section guides the reader through the process performed by the penetration testing team, and it should show how the activities performed correlate with the methodology that was described.

A

4
Q

Listing the Findings : This section shows the issues that were identified during pentesting. These are often presented in a table that identifies the vulnerability, the threat level, the risk rating, and whether the vulnerability could be exploited.

Risk prioritization is the process of adjusting the final rating of vulnerabilities to the client's needs.

Metrics : quantifiable measurements of the status of results or processes.

Measures : the specific data points that contribute to a metric.

A

5
Q

Escaping, also referred to as encoding (the process of converting text into bytes), substitutes special characters in HTML markup with representations called entities.

In addition to using sanitization libraries, you can also list the types of rich-text inputs that you have deemed safe for the web app to accept. Any input not matching the whitelist will be rejected. You can also replace raw HTML markup for rich-text components with another markup language, such as Markdown, so that attempts to inject malicious HTML code prove ineffective.

A

6
Q

Null Byte Sanitization : The most effective way of preventing the poison null byte is to remove it from the input entirely. Modern web app languages tend to handle this automatically, but you can also perform the sanitization manually if you are using an older version.

Process-level remediation is the concept of resolving a finding by changing how a process is used or implemented. There might be technical challenges to simply patching or modifying the underlying systems of a process, so the remediation is done at the process level itself.

A

7
Q

Certificate pinning is the process of assigning a specific certificate to a particular element to avoid man-in-the-middle attacks. It usually refers to, for example, assigning a particular certificate public key that must be presented in order to connect to a website securely; if a different one is provided, the connection is rejected without any further checks.

A secret management solution is a platform that controls passwords, key pairs, and other sensitive information that should be stored securely.

Cross-Site Request Forgery =

Cross-Site Scripting (XSS) =

A

8
Q

??? can disconnect the cameras from the network and cause loss of the video feed or, worse, provide an attacker with the video feed and vital information about inside operations. Similarly, cameras can be used as pivots to navigate the network or perform other attacks. For this reason, some of the best practices for video surveillance involve preferring wired connections over Wi-Fi, network segregation, and frequent patching of the camera firmware.

A

Wi-Fi Attacks :

9
Q

If you created an AD account from a domain controller (DC) and then used that account to sign in to a workstation, simply removing the account from the workstation will not remove it from the domain. You will need access to the DC to delete the AD account; otherwise, a real attacker might be able to leverage this account by using it to sign in to a DC.

Yellow Team : Developers of new systems

Purple Team : A combination of the Red and Blue Teams

Green Team : The goal is to improve cybersecurity and code quality, audit third-party libraries and open-source dependencies, and design defensive capability for detection, incident response, and data forensics.

Orange Team : Someone who can speak both code and attack methods and understands both fundamentally and from an implementation perspective.

A

10
Q

Attestation is the process of providing evidence that the findings detailed in the PenTest report are true. In other words, by signing off on the report given to the client, you are attesting that you believe the information and conclusions in the report are authentic.

The primary goal of drafting a lessons learned report (LLR) or after-action report (AAR) is to improve your PenTest processes and tools.

A
