CompTIA PenTest+ Certification

CompTIA PenTest+ Certification: Glossary of Important Concepts




access control list (ACL):  Access control lists are rules that grant or deny access to computing resources such as files, directories, and other objects. ACLs define what access is granted to the object and to whom that access is granted. This article discusses these concepts further within the context of Microsoft Windows: https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
access control point:  An intentionally selected point of ingress or egress that is restricted by design, monitoring, or physical limitation that allows a facility owner to control entrance or exit for a physical location.
access limitation:  Defines a condition in which the penetration tester has restrictions on access at the beginning of testing. For example, testing without the benefit of credentials, or testing weaknesses of internal systems from outside of a protected network.
active information gathering:  Involves direct interaction with organizational assets (network or otherwise) to gather information, rather than indirect interaction via observation or details available via external parties.
ad hoc mode:  In this mode, wireless clients (STA) are connected in a peer-to-peer mode; ad hoc is commonly referred to as an Independent Basic Service Set (IBSS).
Address Resolution Protocol (ARP):  ARP is a protocol for finding the physical machine address (MAC) of an IP address on a network subnet.
Advanced Encryption Standard (AES):  A symmetric block cipher used in both hardware and software to encrypt sensitive information.
advanced persistent threat (APT):  An individual or group (as opposed to fully automated malware) with the resources to establish persistent, stealthy, long-term footholds in a specific victim’s environment in pursuit of specific goals, rather than relying on opportunistic attacks against whoever happens to be vulnerable. An APT is typically a highly skilled and well-funded threat actor motivated to steal sensitive or valuable information.
Android Emulator:  A computer software program that simulates the functionality of an Android device.
Android Package Kit (APK):  A packaged file format that includes the necessary files to run an application on the Android operating system.
Applicability Statement 2 (AS2):  AS2 is an HTTP- and MIME-based protocol specified by the IETF (RFC 4130) for transmitting business-to-business (B2B) messages, especially electronic data interchange (EDI) messages, securely, using S/MIME signing and encryption of the payload.
application container:  An OS-level virtualization method used to package and run a single service together with its dependencies. Typical operating systems such as Linux and Windows run many processes and services side by side; an application container is scoped to one purpose, which limits the attack surface to the service it hosts. Containers share the host kernel, however, so a kernel vulnerability or an overly permissive container configuration can still expose the host.
application programming interface (API):  A set of standards and software instructions that provide a structured way of programmatically interfacing with an application.
architecture overview:  A step in the threat modeling process that documents what an application or system does, describes how it is physically and logically implemented, and identifies the technologies that are in use.
array:  An object containing a group of elements of the same data type (e.g., integer or string).
authentication, authorization, and accounting (AAA):  Authentication, authorization, and accounting, when referred to as AAA (triple-A), references a framework or family of protocols designed to mediate network access. Authentication identifies a user. Authorization establishes what that user is permitted to access or what activities the user is permitted to perform. Accounting is tracking what is done by that user when that access is used.
backdoor:  A covert means of access to a system, planted by an attacker, that bypasses normal authentication. It is used as a persistence mechanism so the attacker can regain control of a target if the original remote connection is dropped.
badge cloning:  The process of duplicating a valid identity (such as an RFID proximity card) that can be used as an authenticator to gain access to a restricted area.
Basic Service Set Identifier (BSSID):  The BSSID is a physical address for a wireless access device, including wireless APs and routers. BSSIDs allow differentiation of access points within a single WLAN and are included in all wireless packets.
binary analysis:  The process of examining the functions and purpose of a compiled program or application at the architecture instruction level. In a security context, binary analysis is often used in order to identify vulnerabilities that can be exploited.
binary search:  A search algorithm that compares the middle element of a sorted array to the target value. If the middle element matches, it is returned; if the target is greater than the middle element, the lower half of the array is discarded, and if it is smaller, the upper half is discarded, and the search repeats on the remaining half. Because each comparison halves the search space, the target is found in about log2(n) steps. Pentesters use the same approach to speed up blind SQL injection, extracting each character of a value with roughly seven true/false queries instead of one query per candidate character.
biometrics:  Measures human characteristics that can be used as a complementary authentication solution. They rely on a human attribute such as a retina, fingerprint, voice, etc., to permit access to an information system or a restricted area in an organization’s facility.
black box testing:  Testing where nothing about the design, structure, or operation of a system, software, or organization is disclosed as part of testing.
bluejacking:  A method of sending unsolicited messages to mobile users without actually pairing the device by taking advantage of a loophole in the technology’s messaging options.
bluesnarfing:  The process of exploiting vulnerabilities found in certain Bluetooth firmware in order to steal information from a wireless device.
Bluetooth Low Energy (BLE):  BLE is a Bluetooth implementation designed to require significantly reduced power consumption. It is ideal for usage in mobile and specialized devices.
broadcast storms:  An excessive amount of broadcast traffic within a short period of time that disrupts normal network operation. They are typically caused by a switching loop, where redundant paths between switches are not properly blocked (for example, by Spanning Tree Protocol), so each broadcast frame is forwarded back and forth between the switches indefinitely.
brute-force attack:  An attack that systematically tries every possible value until the correct one is found. Against a hash, for example, this means trying every combination within the keyspace without relying on a dictionary. A brute-force authentication attack attempts to bypass authentication controls by repeatedly submitting different credentials until a valid value is found and authentication succeeds.
buffer overflow:  An error condition created when a program writes more data to a buffer than it has space allocated to contain. Overrunning the established buffer boundary causes the program to overwrite adjacent memory locations.
bump key:  A device that enables someone to bypass a vulnerable lock by applying an impact force to the device while it is inserted in a lock.
certificate authority (CA):  A trusted entity that signs, issues, and manages digital certificates (i.e., identities) for hosts or users, which are used to establish secure communication.
cold boot attack:  An attack method demonstrated by Princeton University researchers in 2008 that recovers disk encryption keys from random access memory (RAM). Data in DRAM persists for seconds to minutes after power is removed, and much longer if the memory modules are chilled, so an attacker can power-cycle a running machine, boot a minimal OS or move the modules to another system, and dump the memory contents before the keys fade.
comma-separated value (CSV):  CSV is a structured data format that uses commas to separate fields of data.
command-line interface (CLI):  An interface for user interaction with a computer that uses text-based input and output.
Common Attack Pattern Enumeration and Classification (CAPEC):  CAPEC is a dictionary of known cyber attack patterns curated and maintained by MITRE. It is searchable by mechanisms and domains of attack and by other criteria such as OWASP or ATT&CK categorizations. Where applicable, CAPEC entries are cross-referenced to the relevant CWE entries.
Common Vulnerabilities and Exposures (CVE):  The CVE program is sponsored by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and is maintained and curated by MITRE. CVE records within the CVE list contain uniquely numbered entries describing security vulnerabilities or exposures and relevant references about how they were found, how they were fixed, or how they work.
Common Vulnerability Scoring System (CVSS):  An open security standard for evaluating security vulnerability severity and generating a numerical relative severity score based on criteria such as exploitability and impacts to confidentiality, integrity, and availability when successfully exploited.
Common Weakness Enumeration (CWE):  A list of known software and hardware weaknesses curated and maintained by MITRE. Weaknesses are defined as “flaws, faults, bugs, or other errors in software or hardware implementation, code, design, or architecture that if left unaddressed could result in systems, networks, or hardware being vulnerable to attack” (https://cwe.mitre.org/about/index.html).
comparison operator:  Compares one value to another.
compliance auditing:  A process of evaluating organizational controls to determine their adherence to standards and regulations.
compliance-based assessment:  Testing an organization’s ability to follow and implement a given set of security standards (e.g., PCI, HIPAA, FISMA) within an environment.
configuration auditing:  A comparison of system configurations to the configurations described by accepted best practices or adopted secure configuration baselines with the purpose of identifying security issues or discrepancies that may need to be addressed.
credentialed vulnerability scanning:  A scan conducted by a vulnerability scanner that has been given access to the system with the same rights as an authorized user.
cross-site request forgery (CSRF):  A vulnerability in which an attacker causes a victim’s browser to send a request to a targeted application, so that the application performs an action the victim did not intend, using the victim’s established session. It affects applications that rely solely on cookie-based (or other automatically attached) session management and whose state-changing requests contain no unpredictable parameter that the attacker cannot know, such as an anti-CSRF token.
cross-site scripting (XSS):  XSS is a type of injection attack against websites. An attacker injects malicious script content, either temporarily (reflected XSS) or persistently (stored XSS), by exploiting weaknesses in web application programming and failures to appropriately sanitize or encode user-controlled input; the script then executes in other users’ browsers in the context of the vulnerable site.
daemon:  A program that runs in the background, performing its function without being under the direct control of a user.
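The CSRF condition above, as an added example that is not part of the original glossary: a constructed request handler for a funds transfer, once relying only on the session cookie (vulnerable) and once also requiring a per-session anti-CSRF token (hardened). The session store, request object, and the forged request that an attacker-controlled page would trigger are all constructed for the example.

```python
import hmac
import secrets

# Added example (not from the CompTIA glossary): vulnerable vs. hardened
# handling of a state-changing request. Constructed server-side session
# store: session id -> {user, per-session anti-CSRF token}.
SESSIONS = {
    "sess-alice": {"user": "alice", "csrf": secrets.token_urlsafe(32)},
}


class Request:
    """Minimal stand-in for an HTTP POST: cookies the browser attached
    automatically, and form fields chosen by whoever built the form."""

    def __init__(self, cookies: dict, form: dict):
        self.cookies = cookies
        self.form = form


def transfer_vulnerable(req: Request) -> tuple:
    """Authorizes on the session cookie alone. A forged cross-site POST carries
    that cookie too, so the application cannot tell it from a real one."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    return 200, f"{sess['user']} sent {req.form['amount']} to {req.form['to']}"


def transfer_hardened(req: Request) -> tuple:
    """Additionally requires the per-session token, which is embedded in the
    legitimate form and cannot be read by another origin."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    token = req.form.get("csrf_token", "")
    # constant-time comparison so the token cannot be guessed byte by byte
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "csrf token missing or invalid"
    return 200, f"{sess['user']} sent {req.form['amount']} to {req.form['to']}"


def forged_request() -> Request:
    """What the victim's browser sends when an auto-submitting form on an
    attacker-controlled page fires: the cookie rides along, the fields do not
    include the token because the attacker never saw it."""
    return Request(cookies={"session": "sess-alice"},
                   form={"to": "mallory", "amount": "1000"})


def legitimate_request() -> Request:
    """The application's own form, rendered with the session's token."""
    return Request(cookies={"session": "sess-alice"},
                   form={"to": "bob", "amount": "10",
                         "csrf_token": SESSIONS["sess-alice"]["csrf"]})


if __name__ == "__main__":
    print("vulnerable, forged   :", transfer_vulnerable(forged_request()))
    print("hardened,   forged   :", transfer_hardened(forged_request()))
    print("hardened,   legitimate:", transfer_hardened(legitimate_request()))
```

The token check is the synchronizer-token pattern; setting the session cookie with `SameSite=Lax` or `Strict` is a complementary browser-side control, not a replacement, since older clients ignore it.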
data loss prevention (DLP):  A category of security tools and processes designed to secure data from disclosure or misuse by enforcing rules for ingress, egress, and access based on data classification criteria and marking.
data mining:  The process of analyzing large data sets to reveal patterns or hidden anomalies.
database (DB):  An organized collection of structured data or information stored in a computer system.
deception:  In social engineering attacks, deception is the misrepresentation of one’s identity or circumstances in order to persuade a target to perform activities or reveal information that they would not normally wish to; deception technology is a means to entice attackers to follow false trails that increase visibility into the attack, such as honeynets, honeypots, etc.
deconfliction:  The process of distinguishing pentest artifacts from artifacts of an actual compromise or other activity to help resolve contradictory conclusions or responses.
de-escalation:  A process for addressing potential issues as quickly as possible in order to minimize or mitigate impact.
dictionary attack:  A type of password guessing attack that uses a list of likely passwords (a wordlist, often built from leaked password dumps) as the source for its guesses, rather than exhausting the entire keyspace as a brute-force attack does.
distributed denial of service (DDoS):  An attack type designed to render the target unusable through the use of multiple distributed attack resources. This attack typically attempts to do so by flooding the target with network traffic or requests in an attempt to overwhelm the target’s capacity for operation.
DNS forward lookup:  Queries a DNS server using the fully qualified domain name (FQDN) in order to get the IP address of the host.
DNS reverse lookup:  Queries a DNS server using an IP address in order to get the fully qualified domain name (FQDN) that corresponds with the host.
Domain Name System (DNS):  A protocol within a set of standards that is used to associate a computer name with an IP address.
Domain Name System Security Extensions (DNSSEC):  DNSSEC uses public-key digital signatures to protect DNS data. Zone owners sign their records and publish the corresponding public keys in DNS, forming a chain of trust from the root zone down, which gives validating resolvers data origin authentication and integrity protection. DNSSEC does not encrypt DNS traffic, so it provides no confidentiality.
double tagging:  A VLAN hopping attack made possible when a trunk port’s native VLAN is also assigned to an access port. An attacker on the native VLAN crafts a frame carrying two 802.1Q tags: an outer tag for the native VLAN and an inner tag for the target VLAN. The first switch strips the outer tag and forwards the frame over the trunk, where the next switch honors the inner tag and delivers the frame into the target VLAN, bypassing layer 2 segmentation without passing through a router. The attack is one-way, since the victim has no return path to the attacker.
Dynamic Host Configuration Protocol (DHCP):  DHCP is a network management protocol designed to automatically supply hosts with IP information and other networking data, like gateways and subnet masks, and store assignment information on the DHCP server.
dynamic-link library (DLL):  A shared library concept implemented in Microsoft operating systems. A DLL file (.dll extension) can contain code, data, and resources much like an executable program (.exe extension); however, it cannot be run directly like an .exe. One library file can serve multiple programs simultaneously. When software is removed from the operating system, DLLs are sometimes removed with it, and programs that still try to load the missing library become candidates for DLL hijacking (search-order) attacks, where an attacker plants a malicious DLL with the expected name in a location the program searches.
elicitation:  A social engineering process used to extract meaningful information from a target.
evasion:  Challenging a security control successfully, such as deploying malware in a location on a hard drive that does not get scanned by antivirus software.
exfiltration (exfil):  The process of unauthorized data movement from inside a protected space to outside of it, whether by copying, transfer, or retrieval (e.g., a screenshot of SQLi results).
Extensible Authentication Protocol (EAP):  An authentication framework, carried over IEEE 802.1X, that supports many authentication methods (e.g., EAP-TLS, PEAP). It is used in WPA-Enterprise and WPA2-Enterprise networks, where clients authenticate to a RADIUS server rather than with a shared passphrase.
Extensible Markup Language-Remote Procedure Call (XML-RPC):  XML-RPC is a protocol used for remote communications with services using XML as the payload. This uses HTTP/S as the transport for communication, with XML as the encoding mechanism. XML-RPC is used frequently for web services and can be victim to XML serialization issues or authentication issues that might expose unintended data.
false positives:  Conditions identified during automated or manual testing that result in the incorrect identification of an issue.
File Transfer Protocol (FTP/FTPS):  File Transfer Protocol (FTP) and FTP over TLS/SSL (FTPS) are protocols for transmitting and receiving files over a network. Plain FTP sends credentials and file contents in cleartext, so it is a common finding in pentests.
flow control:  Determines how program execution should proceed (like loops).
footprinting:  The process of identifying the nature of systems or organizations through reconnaissance. It is how you shape your reconnaissance activities and interpret the results.
fuzzing:  A security testing technique that sends unexpected, random data to an input control within an application or network service to generate errors in the hopes of discovering or exposing security weaknesses that could be exploited.
General Data Protection Regulation (GDPR):  An EU law that defines rules for data processing and handling of personally identifiable data of persons in the EU. The law applies to all organizations and entities who store, process, or collect personally identifiable information of persons in the EU.
goals-based assessment:  Testing in which the attainment of agreed-upon goals determines the success or failure criteria of testing, as opposed to compliance-based testing, where the success/failure goals are determined by the degree of compliance to regulations and standards as determined by testing.
graphics processing unit (GPU):  Specialized computer hardware chips designed for acceleration of graphics rendering. In pentesting, used by password cracking tools to accelerate password hash cracking efforts.
Group Policy Object (GPO):  A collection of settings that govern user and computer configurations within an Active Directory (AD) network.
Group Policy Preferences (GPP):  A set of optional extensions that expand the functionality of Group Policy Objects (GPOs). GPP allows Active Directory (AD) domain administrators to automate tedious tasks, such as changing the local Administrator account password on domain-joined hosts. Passwords set this way were stored in SYSVOL (e.g., Groups.xml) encrypted with an AES key that Microsoft published, so any domain user could decrypt them; MS14-025 removed the ability to set passwords via GPP, but legacy files may remain and are a standard pentest check.
Hypertext Transfer Protocol (HTTP/HTTPS):  Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS) are protocols for communication between web servers and web clients. Communication generally occurs in pairs of requests and responses.
identity and access management (IAM):  Within the context of the cloud, IAM is a web service for controlling access to cloud resources, such as with AWS. In a more general computing context, IAM is a series of processes to manage access within an enterprise.
industrial control system (ICS):  Industrial control systems are systems that relate to industry automation of all types, for example, manufacturing, power generation (power plants), and water treatment and distribution systems.
Industrial Internet of Things (IIoT):  IoT devices that have been purposed for use in industrial sectors and applications.
Information Systems Security Assessment Framework (ISSAF):  The ISSAF is a full security assessment methodology that applies to security auditing as well as other types of security testing. It defines three phases of a pentest: planning and preparation, assessment and reporting, and cleanup. ISSAF provides best practices for engagement management, including pre- and post-assessment actions, risk assessment methodology, and information gathering for all kinds of security assessment, not only pentests.
Infrastructure as a Service (IaaS):  A cloud computing service that provides on-demand network, storage, and computing resources.
insider threat:  An individual with insider knowledge of an organization or privileged access to its information systems who misuses that position, for example out of revenge or retaliation after being fired, or to sell secrets for financial gain.
Intelligent Platform Management Interface (IPMI):  IPMI is a hardware technology whose protocol allows remote management of server hardware using a baseboard management controller (BMC) or management controller (MC). Examples include HP iLO, Dell DRAC, and Supermicro IPMI. With IPMI, administrators can monitor and manage peripherals and other hardware, perform reboots, and even reinstall the host from outside of the operating system. Using KVM access provided by some systems, attackers may even be able to use this to remotely access the OS interactively.
International Mobile Equipment Identity (IMEI):  IMEI numbers are 15-digit numbers that are unique to each mobile device and are used to identify the devices on a mobile network.
International Organization for Standardization (ISO):  ISO is a nongovernment organization composed of multinational standards bodies. ISO develops and publishes international standards. One example is ISO/IEC 27001, which is a standard for information security management.
Internet Control Message Protocol (ICMP):  A network protocol used to send error messages and operational information between network devices when communicating with another IP address. Most commonly found in usage by ping and traceroute.
Internet of Things (IoT):  Physical devices, objects, machines, or even animals with embedded sensors, software, and other technology that connect to networks and exchange data with other devices on the Internet without the need for human interaction in doing so. Most smart devices (thermostats, refrigerators, cameras, etc.) fall into this category, but pacemakers, biochips, and automobile sensors also qualify.
Internet Protocol (IP):  IP is the network layer communications protocol used by the Internet.
Internet service provider (ISP):  ISPs are companies that provide Internet connections and services to individuals and organizations.
intrusion prevention system (IPS):  IPSs are network security controls implemented in software or hardware that examine network traffic for patterns of attack and proactively prevent that traffic from reaching its intended target or issue an alert based on the detected behavior so that other action can be taken, as in the case of intrusion detection system (IDS) settings.
iOS App Store Package (IPA):  A Zip-compressed archive containing the necessary files to run an application on the Apple iOS mobile architecture.
iOS simulator:  A function of the iOS developer toolkit (Xcode) that mimics the basic behavior of an iOS device and how it interacts with an iOS application. Unlike an emulator, it runs the application compiled for the Mac host rather than the device binary, so it cannot exercise device-specific protections.
jailbreaking:  The process of exploiting a software vulnerability in iOS that enables low-level execution with elevated privileges (i.e., root) in order to remove restrictions imposed by Apple to customize the device and install unapproved applications.
Java Archive (JAR):  A package file format that includes all of the necessary resources (class files, images, text, etc.) into one resource for a Java application to execute successfully.
JavaScript Object Notation (JSON):  JSON is a lightweight, self-describing, human-readable, structured data format.
Joint Test Action Group (JTAG):  A type of standard used for debugging and connecting to embedded devices on a circuit board.
Kerberos:  A network authentication protocol that leverages a ticketing system to allow hosts and users operating over the network to prove their identity to one another in a secure fashion.
keylogger:  A program used to record the keystrokes of a victim while using a computer.
Lightweight Directory Access Protocol (LDAP):  LDAP is a vendor-neutral and industry standard protocol for applications to interact with directory services, such as Active Directory.
linear search:  A sequential process of evaluation where every value is checked until the correct value has been identified.
link-local multicast name resolution (LLMNR):  A name resolution protocol (RFC 4795), implemented by Microsoft Windows, that lets a host resolve names by sending queries to a link-local multicast address (224.0.0.252 or ff02::1:3, UDP port 5355) when DNS fails. Because any host on the link can answer, it is commonly abused with tools such as Responder to capture NetNTLM authentication hashes.
local area network (LAN):  A group of devices connected together by a network in a single physical location, such as an office building or residence.
Local Security Authority Subsystem Service (LSASS):  LSASS is a Microsoft Windows process that enforces security policy on the system, including the LSA model. The Local Security Authority (LSA) is an authentication model in Windows operating systems that provides additional beneficial features and options, such as support for multifactor authentication (e.g., smart cards), custom security packages, and credential management in order to support interaction with non-Microsoft products, such as other networks or databases. It is frequently attacked as part of credential theft attacks.
lock:  A device that can be installed in an entranceway (i.e., doors) or other storage containers (i.e., cabinets) to help keep unauthorized people out of restricted areas while allowing authorized personnel in. Locks carry different locking functions (e.g., entrance locks and deadlocks) to satisfy various types of protection requirements.
lock bypass:  The process of defeating a locking mechanism without manipulating the lock itself, such as shimming a latch, triggering a request-to-exit sensor, or sliding a tool under the door to operate the inside handle.
lock pick:  A tool to help defeat the locking mechanism within a lock when a key is not available.
lock picking:  Includes various techniques to defeat the locking mechanism such as single pin picking (SPP), jiggling and raking, and using bump keys.
loop:  An instruction that repeats while a given condition is true until the condition is false.
Mail Exchange (MX):  An MX record is a DNS resource record that defines the mail server that accepts e-mail for the domain. This is useful for reconnaissance. Targeting a backup mail server for phishing may face fewer or different security controls in weakly configured environments.
master service agreement (MSA):  A contractual document that governs the relationship between two organizations or business partners and is designed to simplify the process of establishing future contracts. The MSA covers things such as payment terms, dispute resolution, and terms of mutual responsibility.
media access control (MAC):  MAC is part of the data link layer of a network. MAC governs communication to and from the network interface card (NIC). MAC addresses are hardware addresses for devices used to uniquely identify them on a network.
memorandum of understanding (MOU):  An MOU is a preliminary document generated prior to penetration testing that has a legal purpose. This document defines the roles and responsibilities of each party, documents any laws or regulations being observed during the interaction, and defines the intent of the two parties to interact for a pentest, but it is not as detailed as an RoE. It is most often used when a client has regulatory requirements or has other government contract requirements.
Microsoft Remote Procedure Call (MSRPC):  A protocol that allows a remote user to call procedures on a remote system as though they were calling it from the local system.
mobile device management (MDM):  MDM is a series of tools and policies that allow organizations to monitor, manage, secure, and enforce policies on smart phones and other mobile devices, such as tablets.
name server (NS):  Name servers contain hostname to IP address mappings for hosts, typically in support of DNS. These servers have various record types that contain information about services, hosts, and other domain-related information.
National Institute of Standards and Technology (NIST):  NIST is a nonregulatory agency that is part of the U.S. Department of Commerce. In addition to being a physical science laboratory, the organization creates and promotes standards for various scientific fields, including standards for information security and cyber defense.
National Institute of Standards and Technology Special Publication (NIST SP):  NIST special publications contain detailed specifications about special research areas, including best practices and guidance on topics such as information security and cyber defense. Of interest to pentesters are the 800 series (e.g., SP 800-115 on security testing) and 1800 series papers.
near field communication (NFC):  NFC refers to short-range wireless communication technology commonly found in cell phones, mobile devices, and some forms of access badges.
Nessus Attack Scripting Language (NASL):  A proprietary language developed by Tenable used to develop Nessus plugins, which contain vulnerability information, remediation details, and the logic to determine the presence of a security weakness.
NetBIOS Name Service (NBT-NS):  NBT-NS is a legacy name lookup service on Microsoft Windows systems, used as a fallback when DNS and LLMNR fail, and often exploited with the Responder tool. Queries are sent to the local subnet broadcast address (UDP port 137) rather than to a multicast group as with LLMNR.
netgroup:  A group of users or hosts used for permission checking when permitting remote operations such as mounting file shares, remote logins, remote execution, etc., in Linux and UNIX network domain (e.g., NIS or LDAP) environments.
Network Access Control (NAC):  Built on the principles of IEEE 802.1X, NAC controls which devices are allowed to connect to a network by implementing a set of protocols and policies that enforce requirements at connection time, such as authentication, posture checking, or device whitelisting (allow-listing).
network address translation (NAT):  Enables translation of a private (nonroutable) network address to a public (routable) address.
Network Basic Input/Output System (NetBIOS):  Helps facilitate the communication of Microsoft applications over a network and provides services such as protocol management, messaging and data transfer, and hostname resolution.
Network File System (NFS):  NFS is a file system and a protocol that enables network file sharing for *NIX operating systems.
Network Time Protocol (NTP):  NTP is a protocol for syncing time across multiple systems.
New Technology LAN Manager (NTLM):  NTLM is Microsoft’s challenge-response authentication protocol suite and the password hashing scheme behind it. The NT hash is the MD4 digest of the UTF-16LE-encoded password; unlike the older LM hash it supports passwords longer than 14 characters and is case sensitive, but it is unsalted and fast to compute, so it is easy to crack with wordlists and can be replayed directly in pass-the-hash attacks. For network authentication, NetNTLMv1 and NetNTLMv2 combine the NT hash with a server challenge (and, in v2, a client challenge) so that the hash itself is never sent on the wire. NTLM session security uses RC4 for signing and sealing.
Nmap scripting engine (NSE):  An embedded Lua programming language interpreter that provides features that help automate various tasks such as information discovery and exploitation techniques.
noncredentialed vulnerability scan:  Shows what the attack surface looks like to an untrusted user. Organizations could analyze the results and prioritize where to focus their initial defense tactics.
nondisclosure agreement (NDA):  A confidentiality agreement that protects a business’s competitive advantage by protecting its proprietary information and intellectual property.
Open Web Application Security Project (OWASP):  The OWASP project (https://www.owasp.org) is a nonprofit organization and open-source community effort that produces tools, technologies, methodologies, and documentation related to the field of web application security. OWASP has many well-known publications and resources, such as the OWASP Top Ten, OWASP Testing Guide, the OWASP ZAP Project, DirBuster, and Webgoat.
open-source intelligence (OSINT):  OSINT refers to any information that can be obtained through legal means using publicly available sources.
Open-Source Security Testing Methodology Manual (OSSTMM):  OSSTMM is a guide released by ISECOM, which they describe as a complete pentest methodology designed to assure thorough, legal, consistent, and repeatable testing that can be measured.
operating system (OS):  An operating system is the kernel and supporting programs that handle disk, memory, process, and other key transactions with the hardware. The kernel does much of the heavy lifting, but drivers, user-mode programs, and other components are bundled with it to form a platform on which users and services execute.
passive information gathering:  The process of assessing a target to collect preliminary knowledge about the system, software, network, and people without actively engaging a target or its assets.
Password-Based Key Derivation Function 2 (PBKDF2):  PBKDF2 is a key derivation function that applies a pseudorandom function (in WPA, HMAC-SHA1) many times to stretch a password into a key, deliberately making each guess expensive. WPA-Personal and WPA2-Personal use it to derive the 256-bit Pairwise Master Key (PMK) from the passphrase and the SSID with 4096 iterations; the PMK then protects the four-way handshake.
Payment Card Industry Data Security Standard (PCI DSS):  PCI-DSS is an industry-enforced standard that defines a series of rules that businesses that process payments using payment cards should follow in order to better secure card data and transactions.
penetration testing execution standard (PTES):  PTES is a community-driven effort to establish standards for penetration testing that is contributed to by a number of professionals in the pentest consulting community. It was created in an effort to disambiguate what is meant by “pentest” for businesses seeking security testing services. The standard provides best practices for the steps that should typically be taken as part of a pentest, including reporting, intelligence gathering, threat modeling, and vulnerability analysis, and it explains concepts within the scope of exploitation and post-exploitation.
pentester:  A security professional responsible for identifying weaknesses within the security support structure of the organization and simulating attacks that are applicable to the organization’s threat profile.
perimeter barrier (preventative perimeter control):  A physical security protection to help delay an attack or reduce damage to the facility, such as a gate, concrete barrier, or fence.
persistence:  A technique used to maintain an attack presence within a target environment.
phishing:  A fraud technique delivered through e-mail, phone, or text message that is used to obtain sensitive information from the target or to deliver a payload to establish a foothold in a network.
piggybacking:  A type of social engineering where an authorized employee with legitimate access allows the unauthorized individual through a door because he or she appears to be trustworthy.
pivoting:  A lateral movement technique in which an attacker uses a compromised host as a relay to reach hosts or network segments that are not directly reachable from the attacker's position, for example by tunneling traffic through SSH port forwarding or a SOCKS proxy, or by using remote access protocols such as SSH, RDP, VNC, or Telnet from the foothold host.
PowerShell (PS):  PowerShell is a Microsoft-created command-line shell, scripting language, and configuration management framework designed to be an automation solution for Windows-based systems.
preshared key (PSK):  The authentication secret for WPA-Personal and WPA2-Personal networks. The passphrase is 8 to 63 printable ASCII characters (alternatively the 256-bit key can be entered directly as 64 hexadecimal digits) and is shared by every station on the network, so anyone who learns it can join and, with a captured four-way handshake, decrypt other stations' traffic. The passphrase is stretched into the 256-bit PMK with PBKDF2, using the SSID as the salt.
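The two entries above describe the same derivation from opposite ends: the passphrase rules and the PBKDF2 stretch that turns the passphrase into the PMK. The following is an added example (not from this glossary) that implements that derivation in Python with the standard library; the only external fact it relies on is the IEEE 802.11 test vector for passphrase "password" on SSID "IEEE", and the dictionary_attack helper and its candidate list are constructed for illustration.

```python
import hashlib
import re

# 802.11 constraint: a WPA passphrase is 8 to 63 printable ASCII characters.
_PASSPHRASE_RE = re.compile(r"^[\x20-\x7e]{8,63}$")


def validate_passphrase(passphrase: str) -> bool:
    """True if the string is a legal WPA/WPA2-Personal passphrase."""
    return _PASSPHRASE_RE.match(passphrase) is not None


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK (used as the PMK) from passphrase and SSID.

    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID as salt means a table precomputed for one network name is useless
    against another; the 4096 iterations set the per-guess cost for crackers."""
    if not validate_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, dklen=32)


def wpa_psk_hex(passphrase: str, ssid: str) -> str:
    """Same output format as the wpa_passphrase tool: 64 hex digits."""
    return wpa_psk(passphrase, ssid).hex()


def dictionary_attack(ssid: str, target_psk_hex: str, candidates):
    """Offline guessing against a known PSK (constructed helper). Against a real
    capture the check is made on the handshake MIC instead, but the cost per
    candidate is identical: one PBKDF2 run. That is why long random passphrases
    hold up and short dictionary words do not."""
    for cand in candidates:
        if validate_passphrase(cand) and wpa_psk_hex(cand, ssid) == target_psk_hex:
            return cand
    return None


if __name__ == "__main__":
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk_hex("password", "IEEE"))
```

Running the block prints the PSK for the test vector; the same value is what `wpa_passphrase IEEE password` emits on a Linux host, which is a quick way to confirm the derivation is the standard one.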
pretexting (pretext):  A false context developed to justify other actions or make them believable to a victim.
privileged-level access:  Used to describe any level of access above and beyond that of an average user (e.g., access that enables one to perform administrative actions).
programmable logic controller (PLC):  A specialized computer used in industrial automation solutions for the control of manufacturing processes.
property list (plist):  Configuration and property data files used throughout macOS and iOS and by Apple applications. A plist is stored in XML, binary, or the legacy OpenStep text format; the plutil tool converts between them, and binary plists must be converted or parsed with a library before their contents are readable.
protocol:  A set of formal rules that describe the functionality of how to send and receive data.
public key infrastructure (PKI):  The certificate authorities, registration authorities, certificate repositories, and revocation services (CRLs, OCSP) that issue, distribute, and revoke digital certificates binding public keys to identities. In public key cryptography each party holds a private key and publishes the matching public key: anyone may use the public key to encrypt a message that only the private key holder can decrypt, and a signature made with the private key can be verified by anyone holding the public key. The PKI's job is to make those public keys trustworthy; a certificate is only as good as the chain of signatures back to a trusted root, and the PKI also tracks certificates revoked before expiry. Certificates and their signatures typically use RSA or ECDSA (DSA in older deployments).
race condition:  A flaw in which the result of an operation depends on the relative timing of two or more concurrent actions on a shared resource, so that an unexpected ordering produces unintended or exploitable behavior. A common form is time-of-check to time-of-use (TOCTOU), where a resource is validated and then used without holding a lock, leaving a window in which an attacker can swap it.
radio frequency identification (RFID):  A wireless communication standard that uses radio waves to read data stored on a tag from a distance. This data can then be compared to an authentication database and used as part of an authorization enforcement system.
rainbow tables:  Precomputed tables that cover a password keyspace of a defined length and character set by storing only the start and end points of long hash-and-reduce chains, trading storage for cracking time. Because the precomputation is amortized over many lookups they are effective against unsalted hashes (LM, NTLM, plain MD5) and are defeated by per-password salts.
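To make the time/memory tradeoff concrete, here is an added example (not from this glossary) of a toy rainbow table in Python: unsalted MD5 over four lowercase letters, chains of 50 steps, and a position-dependent reduction function. The keyspace, chain length, start-point spacing and the victim password are all constructed parameters chosen so the demo runs in well under a second; a real table differs only in scale.

```python
import hashlib
import string

# Constructed toy parameters: 4 lowercase letters (26**4 = 456,976 candidates),
# unsalted MD5, chains of 50 hash/reduce steps.
ALPHABET = string.ascii_lowercase
PW_LEN = 4
CHAIN_LEN = 50
SPACE = len(ALPHABET) ** PW_LEN


def H(pw: str) -> bytes:
    """The target hash. It must be unsalted for one table to serve many victims."""
    return hashlib.md5(pw.encode("ascii")).digest()


def pw_from_int(n: int) -> str:
    """Map an integer in [0, SPACE) to a password in the keyspace."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def R(h: bytes, column: int) -> str:
    """Reduction function: map a hash back into the keyspace.

    Mixing in the column index gives every column its own reduction; that is
    what makes the table 'rainbow': chains that collide in different columns
    do not merge, unlike classic Hellman tables."""
    return pw_from_int((int.from_bytes(h[:8], "big") + column) % SPACE)


def build_chain(start: str) -> str:
    """Walk start -> H -> R_0 -> H -> R_1 ... and return the end point."""
    pw = start
    for column in range(CHAIN_LEN):
        pw = R(H(pw), column)
    return pw


def build_table(n_chains: int) -> dict:
    """Precompute. Only (end point -> start point) pairs are kept: n_chains
    entries covering up to n_chains * CHAIN_LEN passwords. Duplicate end points
    are stored once, which is one reason a lookup can miss."""
    table = {}
    for i in range(n_chains):
        start = pw_from_int((i * 7919) % SPACE)   # deterministic spread of start points
        table.setdefault(build_chain(start), start)
    return table


def lookup(table: dict, target: bytes):
    """Recover a password for the target hash, or None if the table misses."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target is the hash at this column. Finish the chain from
        # here and see whether the resulting end point is one we stored.
        h = target
        for c in range(column, CHAIN_LEN):
            pw = R(h, c)
            if c < CHAIN_LEN - 1:
                h = H(pw)
        start = table.get(pw)
        if start is None:
            continue
        # Regenerate the stored chain and test each column against the real
        # hash; an end-point match alone can be a false alarm.
        pw = start
        for c in range(CHAIN_LEN):
            if H(pw) == target:
                return pw
            pw = R(H(pw), c)
    return None


if __name__ == "__main__":
    table = build_table(2000)
    victim = "aaaa"                  # column 0 of chain 0
    for c in range(10):              # so this password is at column 10 of chain 0
        victim = R(H(victim), c)
    print(victim, lookup(table, H(victim)))
```

The point to notice is the storage: 2,000 table entries stand in for roughly 100,000 password/hash pairs, and each lookup costs at most about CHAIN_LEN squared over two hash operations instead of a full brute force. Add a per-password salt and every salt value needs its own table, which is what makes the technique impractical against properly hashed credentials.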
reconnaissance (recon):  A preliminary surveillance technique used to gather intelligence about a target organization or its assets (i.e., people, processes, and technology).
red team assessment:  Involves stealth and blended methodologies (i.e., network penetration testing and social engineering) to conduct scenarios of real-world attacks and determine how well an organization would fare given the use of the customer’s existing counter-defense and detection capabilities (i.e., what can an attacker do with a certain level of access).
registers (memory registers):  Small storage locations inside the CPU; several of them hold pointers into memory. For example, the instruction pointer (EIP on 32-bit x86, RIP on x86-64) holds the address of the next instruction to execute, which is why controlling it is the goal of most memory corruption exploits.
remediation:  A process used to fix or resolve an unwanted deficiency. A remediation (remedy) could be a recommended solution (i.e., people, process, technology) to fix a problem.
remote access trojan (RAT):  RATs are malware that are designed to allow remote access and administrative capabilities to the infected system, but are disguised as other programs.
Remote Desktop Protocol (RDP):  RDP is a remote administration protocol designed by Microsoft to allow graphical access to Windows systems.
request for comment (RFC):  An RFC is a numbered publication written by individuals or groups of engineers that typically describes research, protocols, methods, or other innovations with the purpose of soliciting peer review or conveying the information to a broader audience. RFCs from the Internet Engineering Task Force (IETF) are used to define how TCP/IP should work, for example.
RFID cloning (badge cloning):  The process of reading a series of bits from one RFID card (or key fob) and writing the same series of bits to another compatible card or replaying it as part of an authentication attempt.
risk appetite:  The level of risk the organization is willing to accept in order to achieve its goals—for instance, risk versus reward.
root bridge:  In the Spanning Tree Protocol (STP), the switch elected (lowest bridge priority, then lowest MAC address) to serve as the reference point of the tree; every other switch computes its path cost relative to it. An attacker who can inject superior BPDUs can become the root bridge and cause traffic to be rerouted through a host they control.
rooting:  Obtaining superuser (root) privileges on an Android device, either by exploiting a software vulnerability in the operating system or by unlocking the bootloader and flashing a modified system image, so that the user can make changes to the operating system that the manufacturer did not intend.
rules of engagement (RoE):  A document that puts into writing the guidelines and constraints regarding the execution of a pentest, most importantly what is and is not authorized for testing.
scope:  Pentesting limitations that can typically be found in the statement of work (SOW) and describe the work activities that are to be completed during the pentest.
scope creep:  Occurs during a pentest when additional tasks or testing activities are added to the project and exceed the original expectations of the statement of work, which can negatively affect the overall schedule or delivery of the final pentest report.
Secure/Multipurpose Internet Mail Extensions (S/MIME):  S/MIME is a secure extension for mail that supports encryption and signing of messages using public key encryption. S/MIME uses typical SMTP servers and communication, but the extensions and mail system capabilities allow users to send encrypted messages using public key encryption, and as long as the material is trusted, users can validate the sender’s and the message’s authenticity.
Secure Sockets Layer (SSL):  SSL is the original protocol for securing network communications by establishing an encrypted link between client and server. Every SSL version (2.0 and 3.0) is deprecated and broken; the name survives in tool and product names, but modern deployments use its successor, Transport Layer Security (TLS).
security accounts manager (SAM):  A local database file that contains local account settings and password hashes for the host.
security information and event management (SIEM):  SIEMs are systems that aggregate log and event data and security alerts in a centralized location for correlation and analysis.
security operations center (SOC):  An SOC is a centralized organizational function designed to handle monitoring, analysis, detection, and response to security events, alerts, and incidents.
segmentation fault (segfault):  A fault raised (SIGSEGV on UNIX-like systems) when a program accesses memory it is not permitted to access, such as an unmapped address, a null or corrupted pointer, or a write to a read-only page. In exploit development a segfault is usually the first sign that an input has corrupted a pointer or the stack.
Server Message Block (SMB):  SMB is a client-server protocol for file and resource sharing over a network.
service:  A software implementation that carries out the formal rules of a protocol for a specific computing platform.
service level agreement (SLA):  An SLA is a document or contract language that defines measurements for the expectations between the customer and the service provider, as well as terms of what happens if those expectations are not met.
service principal name (SPN):  A unique identifier for an instance of a service (e.g., MSSQLSvc/db01.corp.local:1433) that Kerberos clients use to request a service ticket. An SPN is registered on the account the service runs as; SPNs registered on user accounts rather than computer accounts are the targets of Kerberoasting.
Service Set Identifier (SSID):  The name of a WLAN, a case-sensitive string of up to 32 octets that an AP advertises in its beacon frames (or withholds for a "hidden" network, though the name still appears in probe and association frames). The SSID is also the salt in the WPA/WPA2-Personal key derivation, so tables precomputed for common SSIDs do not transfer to uncommon ones.
Session Initiation Protocol (SIP):  SIP is a protocol used for voice, video, and messaging for applications of Internet telephony.
Set Group ID (SGID):  SGID is a *NIX permission bit. On an executable it makes the process run with the effective group ID of the file's group rather than the invoking user's group; on a directory it makes files created inside inherit the directory's group.
Set User ID (SUID):  SUID is a *NIX permission bit that makes an executable run with the effective user ID of the file's owner rather than of the invoking user. SUID binaries owned by root are a primary target for local privilege escalation; the Linux kernel ignores the bit on interpreted scripts.
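Enumerating set-id files is one of the first things a pentester does after a foothold. The following added example (not from this glossary) shows the check in Python, equivalent to `find ROOT -type f \( -perm -4000 -o -perm -2000 \)`, and builds its own throwaway directory with one setuid, one setgid and one plain file so it runs without touching a real system; the file names and modes are constructed.

```python
import os
import stat
import tempfile


def special_bits(path: str) -> dict:
    """Describe the setuid/setgid/sticky bits and ownership of a path (symlinks not followed)."""
    st = os.lstat(path)
    return {
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "setgid": bool(st.st_mode & stat.S_ISGID),
        "sticky": bool(st.st_mode & stat.S_ISVTX),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mode": oct(stat.S_IMODE(st.st_mode)),
    }


def find_setid_files(root: str) -> list:
    r"""Return regular files under root with setuid or setgid set, the same set
    that find ROOT -type f \( -perm -4000 -o -perm -2000 \) lists."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)          # lstat: do not follow symlinks
            except OSError:
                continue                  # unreadable entries are skipped, not fatal
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(p)
    return sorted(hits)


def demo_in_tempdir() -> dict:
    """Constructed demo: create a setuid, a setgid and a plain executable in a
    temporary directory and enumerate the set-id ones."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    paths = {}
    for name, mode in (("suid_tool", 0o4755), ("sgid_tool", 0o2755), ("plain_tool", 0o755)):
        p = os.path.join(root, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\nid\n")   # a script: Linux would ignore setuid on it anyway
        os.chmod(p, mode)
        paths[name] = p
    return {"root": root, "paths": paths,
            "found": [os.path.basename(p) for p in find_setid_files(root)]}


if __name__ == "__main__":
    result = demo_in_tempdir()
    for name in result["found"]:
        print(name, special_bits(result["paths"][name]))
```

On a real host, run find_setid_files("/") and compare the list against the distribution's expected set-id binaries; anything unexpected, owned by root, and writable or known to spawn a shell is the lead to follow.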
shell escape:  An attack technique used to escape restricted shells in the Linux or UNIX operating system.
Short Message Service (SMS):  SMS is technology used for sending and receiving text messages for mobile phones.
Simple Mail Transfer Protocol (SMTP):  Used for the delivery of electronic mail.
Simple Network Management Protocol (SNMP):  An application-layer network monitoring protocol, originally defined under RFC 1157, that provides functionality to collect and organize information about devices over the network and make changes to a device’s behavior.
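Because SNMPv1 and v2c carry the community string in cleartext, a single captured GetRequest hands an attacker the credential. This added example (not from this glossary) encodes an SNMPv1 GetRequest for sysDescr.0 by hand in Python, using the BER rules from RFC 1157, and parses the message back the way a sniffer would; the community string "public" and the OIDs are the usual defaults, and the message is constructed locally rather than sent.

```python
def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v: int) -> bytes:
    """INTEGER, minimal two's-complement encoding."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def snmp_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }"""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))        # { name, value NULL }
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, content, offset after the element)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def decode_oid(body: bytes) -> str:
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def parse_snmp_get(msg: bytes) -> dict:
    """Extract what a sniffer sees in a v1/v2c message: version, community and OID."""
    tag, body, _ = read_tlv(msg)
    assert tag == 0x30, "not an SNMP message"
    _, ver, off = read_tlv(body)
    _, community, off = read_tlv(body, off)
    pdu_tag, pdu, _ = read_tlv(body, off)
    _, rid, off = read_tlv(pdu)
    _, _err, off = read_tlv(pdu, off)
    _, _idx, off = read_tlv(pdu, off)
    _, vbl, _ = read_tlv(pdu, off)
    _, vb, _ = read_tlv(vbl)
    _, oid_body, _ = read_tlv(vb)
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(),
            "pdu_type": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "oid": decode_oid(oid_body)}


if __name__ == "__main__":
    msg = snmp_get_request("public", "1.3.6.1.2.1.1.1.0")   # sysDescr.0
    print(msg.hex())
    print(parse_snmp_get(msg))
```

The 40-byte message the block prints is byte-for-byte what snmpget sends for sysDescr.0 with community "public"; the string is visible at offset 7 with no obfuscation at all. The same parser reads v2c (version 1) messages; v3 adds a security header and is the version to require when the community model is not acceptable.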
single sign-on (SSO):  Enables users to enter a username and password one time. The authentication and authorization server generates a session that can then be used as a trusted identity for accessing known applications, depending on the permissions and rights for which the user has been authorized.
SMS phishing (smishing):  A social engineering technique used to target victims through SMS messages and may use different motivational techniques like scarcity or fear to entice the victim to perform an action, like clicking on a malicious URL within the message.
software-defined radio (SDR):  A radio system in which components traditionally built in hardware (mixers, filters, modulators, and demodulators) are implemented in software or firmware on general-purpose hardware, so one device can be reconfigured to transmit or receive on different frequencies, bandwidths, and modulation schemes.
software development kit (SDK):  A set of software tools used by programmers for the development of applications.
software development lifecycle (SDLC):  A structured process for developing software that is designed to achieve high-quality and cost-effective results. Examples of process components include design, analysis, maintenance, and testing.
solid-state drive (SSD):  SSDs are storage devices that use flash-based memory for faster performance.
solid-state hybrid drive (SSHD):  SSHDs are storage devices that have both flash-based storage and the features of a traditional hard drive (a spinning disk and actuator arm). These attempt to enable larger storage capacity with better performance.
Spanning Tree Protocol (STP):  A layer 2 protocol that runs on network devices such as bridges and switches and helps prevent looping in networks that have redundant paths.
spear phishing:  A social engineering technique that targets a specific set of individuals within a group or an organization to get individuals to execute a specific action, such as clicking a URL in an e-mail.
SSL stripping:  A man-in-the-middle (MiTM) attack in which the attacker keeps an HTTPS connection to the server but rewrites the responses so that the victim's browser talks to the attacker over plaintext HTTP, exposing credentials and session data that would otherwise be encrypted. It depends on the victim's first request going out over HTTP; HTTP Strict Transport Security (HSTS), especially with browser preloading, is the mitigation.
stack pointer:  A CPU register (ESP on 32-bit x86, RSP on x86-64) that holds the address of the top of the current thread's stack; pushes and pops move it, and function calls use it to place return addresses and local variables.
statement of work (SOW):  Outlines the project-specific work to be executed by a service vendor for an organization.
static analysis:  Examining source code, bytecode, or binaries for defects and vulnerabilities without executing them, by manual review or with tools such as linters, SAST scanners, and disassemblers.
string operations:  Program operations that are used to manipulate string data.
Structured Query Language (SQL):  SQL is a language for accessing and manipulating databases.
stumbling:  Wireless reconnaissance technique that is used for wireless network discovery and enumeration.
substitution:  Variable (parameter) substitution occurs when a shell replaces a reference to a variable (e.g., $var) with its value, possibly transformed by an expansion operator; for example, ${#var} expands to the length of the value and ${var:-default} supplies a fallback when the variable is unset. Unquoted expansions are split into words and glob-expanded, a frequent source of injection bugs in scripts that handle untrusted input.
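The following added example (not from this glossary) puts the expansions described above into small POSIX sh functions, including the one that matters for security: the difference in argument count when the same input is expanded unquoted versus quoted. The function names and sample inputs are constructed.

```shell
#!/bin/sh
# Parameter-expansion examples. Each helper prints its result so the
# behaviour can be checked from a test.

var_length() {            # ${#var}: length of the value in characters
    v=$1
    printf '%s\n' "${#v}"
}

with_default() {          # ${var:-word}: use word when var is unset or empty
    printf '%s\n' "${1:-fallback}"
}

strip_extension() {       # ${var%pattern}: drop the shortest matching suffix
    printf '%s\n' "${1%.*}"
}

path_basename() {         # ${var##pattern}: drop the longest matching prefix
    printf '%s\n' "${1##*/}"
}

count_args() {            # $#: number of positional parameters received
    printf '%s\n' "$#"
}

# The security-relevant part: an unquoted expansion is split on $IFS and
# glob-expanded before the command sees it, so attacker-controlled input
# such as "a b" or "*" becomes several arguments. Quoting keeps it as one.
unquoted_arg_count() {
    count_args $1
}

quoted_arg_count() {
    count_args "$1"
}

require_set() {           # ${var:?message}: abort with an error when unset or empty
    : "${1:?value required}"
    printf '%s\n' "$1"
}
```

Typed into a script, `rm -rf $path` with path="/tmp/x /" deletes two things; `rm -rf "$path"` deletes one. The unquoted_arg_count/quoted_arg_count pair is exactly that difference made visible.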
supervisory control and data acquisition (SCADA):  SCADA systems are industrial control systems (ICSs) that allow monitoring, logging, and control of remote ICS components such as sensors, PLCs, and others by using human-machine interface (HMI) software.
switch spoofing:  A VLAN hopping attack in which an attacker's host impersonates a switch, typically by negotiating a trunk with the Dynamic Trunking Protocol (DTP) or by sending 802.1Q-tagged frames on a port left in auto-trunking mode, so that it receives and can send traffic for every VLAN carried on the trunk. Disabling DTP and hard-coding user-facing ports as access ports prevents it.
tactics, techniques, and procedures (TTPs):  TTPs are used to describe the behaviors of an attacker during an attack. An easy way to think of this is to ask three questions: Why did the attacker do this (tactic)? What did the attacker do (technique)? How did the attacker do it (procedure)?
tailgating:  Similar to piggybacking in the sense that an unauthorized person gains access to a restricted area by following an authorized employee with legitimate access; however, the employee did not provide consent and likely has no idea the unauthorized person came through the door.
target selection:  A process by which the assets are selected and is a phase of testing preparation. It involves some degree of discussion or thought (and maybe even research and consent) about what to scope in for testing and what to scope out for testing.
technical constraints:  Technology limitations imposed on a penetration test either by the requirements of the customer being tested or the nature of the test itself. Technical constraints may also exist for customers and create limitations for the implementation of certain technology or mitigation strategies.
Temporal Key Integrity Protocol (TKIP):  TKIP is the encryption protocol introduced with WPA as a firmware-upgradeable fix for WEP. It keeps the RC4 stream cipher so that it runs on WEP-era hardware, but adds a per-packet key-mixing function (no two packets are encrypted under the same RC4 key), a 48-bit sequence counter that serves as both IV and replay check, the Michael message integrity code in place of WEP's linear CRC-32, and periodic rekeying (every 10,000 packets). These measures address WEP's weak-key, replay, injection, and forgery attacks; TKIP is itself deprecated in favor of AES-CCMP because Michael is weak and RC4 is broken.
threading:  Used in computer programs to execute multiple tasks in parallel in order to optimize the speed and efficiency of program execution.
threat actor:  An individual or group that seeks to harm a business or organization and is motivated through financial, personal, or political gain.
threat modeling:  An iterative process that seeks to identify organizational assets, define security profiles, identify and prioritize threats, and determine the appropriate countermeasure to mitigate the risk.
time to live (TTL):  TTL is a measurement of how many network hops a packet is allowed to traverse before it expires and is discarded by a router. This can also refer to how long DNS cache servers cache query data before making a new query.
timestomping:  A technique used to modify the timestamps of a file or directory to disguise the possibility of compromise.
Transmission Control Protocol (TCP):  TCP is the connection-oriented, reliable transport layer protocol used by most Internet applications; it establishes a session with a three-way handshake, sequences and acknowledges segments, and retransmits lost data.
Transport Layer Security (TLS):  TLS is the successor to SSL and provides encryption, integrity, and server (optionally client) authentication for a connection, sitting between the application and the transport layer. It is the protocol behind HTTPS; current deployments should use TLS 1.2 or 1.3.
Unicode Transformation Format (UTF):  The UTF encodings (UTF-8, UTF-16, UTF-32) define how Unicode code points are represented as bytes. UTF-8, the most common on the web and in UNIX-like systems, uses one to four bytes per code point and is ASCII-compatible; Windows APIs use UTF-16, which uses one or two 16-bit units. All forms encode the same code points and convert losslessly between each other, but byte lengths differ, and decoders that accept malformed sequences (overlong UTF-8 encodings, unpaired surrogates) have been a recurring source of filter-bypass vulnerabilities.
uniform resource identifier (URI):  A string, defined by RFC 3986, that identifies a resource. URLs and uniform resource names (URNs) are both kinds of URI; a URI identifies a resource but does not necessarily say how to reach it. URI and URL are often used interchangeably when discussing web, FTP, and other <scheme>://<location> strings. The following example carries its resource inline and names no location to retrieve it from, so it is a URI rather than a URL: data:,Foo%20Bar
uniform resource locator (URL):  A URL is a URI that also specifies how to access the resource. It typically includes a scheme, a hostname, and a path (e.g., https://derp.pro/foo.htm) and may also carry user information, a port, a query string, and a fragment.
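URI parsing is where many redirect and SSRF filters go wrong, so here is an added example (not from this glossary) in Python that splits the two URIs quoted above into their components, decodes the data: payload, and contrasts a substring-based host check with one that compares the parsed host. The ALLOWED_HOSTS set and the evil.example URLs are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, unquote


def describe(uri: str) -> dict:
    """Split a URI into its RFC 3986 components. hostname is None when the URI
    has no authority component, as for data: and mailto:."""
    p = urlsplit(uri)
    return {
        "scheme": p.scheme,
        "host": p.hostname,
        "username": p.username,
        "path": p.path,
        "has_authority": p.hostname is not None,
    }


def data_payload(uri: str):
    """Decode the resource a data: URI carries inline: data:[mediatype][;base64],data"""
    p = urlsplit(uri)
    if p.scheme != "data":
        raise ValueError("not a data: URI")
    meta, _, data = p.path.partition(",")
    if meta.endswith(";base64"):
        return base64.b64decode(data)
    return unquote(data)


ALLOWED_HOSTS = {"derp.pro"}   # constructed allowlist for the checks below


def naive_allowed(url: str) -> bool:
    """The common bug: substring match on the raw string. Accepts
    https://derp.pro@evil.example/ because the allowed name appears as userinfo."""
    return any(h in url for h in ALLOWED_HOSTS)


def host_allowed(url: str) -> bool:
    """The correct check: parse first, then compare only the host component."""
    p = urlsplit(url)
    return p.scheme in ("http", "https") and p.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    for u in ("data:,Foo%20Bar", "https://derp.pro/foo.htm", "https://derp.pro@evil.example/foo.htm"):
        print(u, describe(u), naive_allowed(u), host_allowed(u))
```

Note that urlsplit lowercases the hostname and strips userinfo and port for you; reimplementing that with string operations is how the userinfo trick (and its cousins with backslashes and unusual ports) gets through.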
Universal Serial Bus (USB):  USB is a standard for cabling, connectors, and protocols for communicating with peripherals; successive versions add features and bandwidth. A USB device identifies itself with a vendor ID and product ID and declares its device class, and the host trusts that declaration, which is why a device that enumerates as a keyboard while looking like a flash drive can inject keystrokes.
User Datagram Protocol (UDP):  UDP is a transport layer protocol that layers on top of IP. It is not connection-oriented and does not guarantee delivery of a packet, which means it has lower overhead but also the potential for packet loss. It is frequently used for streaming data that needs faster delivery time but also is resilient against some data loss.
user-defined function (UDF):  A way to extend MySQL (and MariaDB) with a function, implemented in a shared library, that is called like a built-in function such as CONCAT(). Because the library runs inside the database process, an attacker with the FILE privilege who can write a library into the plugin directory can load a UDF that executes operating system commands, a common database-to-host escalation path.
user-level access:  This defines what a typical user within the organization would have access to, such as an account on the network, access to network shares, etc.
variable:  A placeholder in memory that contains a value.
virtual local area network (VLAN):  A VLAN provides logical segmentation of a network that may share switches, routers, and other infrastructure. The segmentation is implemented by tagging frames with a VLAN ID using 802.1Q (or Cisco's older ISL); VTP is a separate protocol that distributes VLAN definitions between switches rather than a tagging mechanism. Hosts may be unaware of the VLAN they sit in, or may send tagged frames for more than one VLAN on a single interface. Attacks on VLAN configuration and protocols (switch spoofing, double tagging) can let a host reach VLANs it was not meant to, which is known as VLAN hopping.
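This added example (not from this glossary) builds and parses 802.1Q tag stacks in Python with only the standard library, and walks through the double-tagging variant of VLAN hopping mentioned in the switch spoofing and VLAN entries: the attacker's frame carries an outer tag for the native VLAN and an inner tag for the target VLAN, the first switch strips the outer tag when it forwards the frame untagged on the trunk, and the next switch honours the inner tag. The MAC addresses, VLAN IDs and payload are constructed.

```python
import struct

ETH_P_8021Q = 0x8100    # customer tag (C-tag)
ETH_P_8021AD = 0x88A8   # service tag (S-tag) used by QinQ
ETH_P_IP = 0x0800


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes, vlans=(), ethertype: int = ETH_P_IP) -> bytes:
    """Ethernet II frame with zero or more 802.1Q tags. vlans is a sequence of
    (vid, pcp) pairs; the first entry becomes the outermost tag."""
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vid & 0x0FFF))
                    for vid, pcp in vlans)
    return _mac(dst) + _mac(src) + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the tag stack after the MAC addresses until a non-VLAN EtherType."""
    off = 12
    vlans = []
    while True:
        etype = struct.unpack_from("!H", frame, off)[0]
        off += 2
        if etype not in (ETH_P_8021Q, ETH_P_8021AD):
            break
        tci = struct.unpack_from("!H", frame, off)[0]
        off += 2
        vlans.append({"tpid": etype, "vid": tci & 0x0FFF,
                      "pcp": tci >> 13, "dei": (tci >> 12) & 1})
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlans": vlans, "ethertype": etype, "payload": frame[off:]}


def strip_outer_tag(frame: bytes) -> bytes:
    """What a switch does with a frame tagged for its native VLAN before
    sending it untagged onto a trunk: remove only the outermost tag."""
    if parse_frame(frame)["vlans"]:
        return frame[:12] + frame[16:]
    return frame


def double_tagging_demo() -> dict:
    """Constructed VLAN-hopping scenario: attacker on native VLAN 1 sends an
    outer tag for VLAN 1 and an inner tag for VLAN 20. Switch 1 strips the
    native tag; switch 2 reads the inner tag and delivers into VLAN 20.
    Traffic flows one way only, which is enough for many attacks."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                        b"\x45" + bytes(19), vlans=((1, 0), (20, 0)))
    on_trunk = strip_outer_tag(frame)
    return {"sent": [v["vid"] for v in parse_frame(frame)["vlans"]],
            "on_trunk": [v["vid"] for v in parse_frame(on_trunk)["vlans"]],
            "ethertype": parse_frame(on_trunk)["ethertype"]}


if __name__ == "__main__":
    print(double_tagging_demo())
```

The defence follows from the mechanics: the attack only works when the attacker's access VLAN is also the trunk's native VLAN, so assigning an unused VLAN as the native VLAN on trunks (and tagging it) removes the untagged hop the outer tag relies on.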
virtual machine (VM):  A virtual machine runs an operating system on virtualized hardware so that several machines can share one physical system. The system running the VMs is the host; it runs a hypervisor, in kernel space or as a user-space program, that manages the virtualization. A VM typically exposes only a subset of the processor's features, so not every operating system can run on every host, and the hypervisor itself is an attack surface: a guest that escapes it gains access to the host and to every other guest.
virtual private network (VPN):  VPNs establish private, encrypted connections between two networks or between a host and a network across a public network, using IPsec, TLS, WireGuard, or other protocols, so that a remote host behaves as if it were on the remote network. VPN endpoints may support several protocols, and legacy options such as weak cipher suites, old SSL/TLS versions, or PPTP leave them open to downgrade and offline attacks. Pentesters use VPNs to reach a client's internal network, to mask the source address of scans and attacks, and for privacy during research.
virtual private server (VPS):  Virtual private servers are leased VMs on shared infrastructure that are designed to provide a cheap computing facility to users.
Voice over Internet Protocol (VoIP):  VoIP carries telephone calls over IP networks. Signaling protocols such as SIP (or H.323) set up and tear down calls, and the audio itself is carried by RTP, usually over UDP. Deployments may be peer-to-peer or client-server; Asterisk is a popular open-source VoIP server.
voice phishing (vishing):  A social engineering technique using phone calls that is used to extract sensitive information from a target or to perform activities that they would not normally perform, such as resetting the password of an iTunes account that does not actually belong to the caller (pretext) or sending a wire transfer that should not be sent (fraud).
vulnerability assessment scanner (VAS):  A vulnerability assessment scanner performs active scans against a system or network to identify potential security weaknesses. Scans may be unauthenticated or authenticated. Authenticated scans log in to the host and read installed versions and configuration directly, which yields fewer false positives and more complete coverage; unauthenticated scans need no credentials and less setup, but infer vulnerabilities from banners and responses, so more of their findings have to be verified by hand.
vulnerability mapping:  The process of mapping vulnerabilities to potential exploits to help prioritize testing activities in preparation for a pentest.
wardriving:  A tactical process for surveying an area for wireless access points while in a moving vehicle. The goal is preliminary reconnaissance and to pinpoint wireless networks and potential targets in a certain area of interest.
waterholing:  A technique used to infect websites with malicious software (malware) in order to capitalize on a target’s or target group’s trust relationship with websites they commonly visit.
web application firewall (WAF):  A WAF is a detective and protective control that is designed to sit in front of a web server and identify malicious traffic and either alert on it or block it. WAFs are most effective if they are trained to a specific site; otherwise, generic rules may have opportunities for evasion that will still leave certain web applications vulnerable.
Wi-Fi Protected Access (WPA):  Introduced as the interim replacement for WEP for 802.11 networks and uses a preshared key (PSK) and Temporal Key Integrity Protocol (TKIP) for encryption. WPA2 was later introduced to enhance the 802.11 security standard with the use of the Advanced Encryption Standard (AES).
Wi-Fi Protected Setup (WPS):  A wireless network security standard designed to let users set up WPA or WPA2 networks and join additional hosts with less effort, for example by pushing a button on the router or entering an eight-digit PIN instead of the preshared key. The PIN method is weak: the PIN is verified in two halves, so it can be brute-forced online in a few thousand attempts, and many implementations leak enough in the exchange to recover it offline. Disabling WPS is the usual recommendation.
Windows Management Instrumentation (WMI):  WMI provides instrumentation to allow users or applications to gather information about the runtime state of local or remote Windows systems. WMI can query aspects such as hardware configurations, users, processes, and other information. WMI also has a subscription model, where certain events can trigger actions.
Windows Remote Management (WinRM):  Microsoft's implementation of WS-Management for remote management of Windows systems, used from the command line with winrs or through PowerShell remoting (Enter-PSSession, Invoke-Command). WinRM listens on TCP 5985 (HTTP) and 5986 (HTTPS) by default; older versions used 80 and 443.
Wired Equivalent Privacy (WEP):  The initial encryption protocol of the 802.11 standard, intended to give wireless users the same level of privacy as plugging a cable into a switch. WEP uses the RC4 stream cipher for confidentiality and a CRC-32 checksum (the ICV) for integrity, with a 24-bit IV prepended to the shared key for each frame. Both choices are fatal: the short IV space forces keystream reuse, and CRC-32 is linear, so an attacker can flip bits in an encrypted frame and correct the checksum without knowing the key. WEP keys are recoverable in minutes with freely available tools.
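The linear-checksum flaw is easy to see in code. This added example (not from this glossary) implements WEP's RC4 encryption and CRC-32 ICV in Python, then modifies an encrypted frame without the key by XORing a chosen difference into the ciphertext and fixing the encrypted ICV using the identity crc(a ^ b) = crc(a) ^ crc(b) ^ crc(0...0) for equal-length inputs. The key, IV and plaintext are constructed, and the key-ID byte of the real frame format is omitted.

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return iv || RC4(iv || key, plaintext || ICV)."""
    assert len(iv) == 3
    return iv + rc4(iv + wep_key, plaintext + icv(plaintext))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Return (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    pt = rc4(iv + wep_key, body)
    data, tag = pt[:-4], pt[-4:]
    return data, tag == icv(data)


def flip_bits(frame: bytes, offset: int, delta: bytes) -> bytes:
    """Modify an encrypted WEP frame without knowing the key.

    XORing delta into the ciphertext XORs it into the plaintext (stream cipher),
    and CRC-32 is affine over GF(2): crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros)
    for equal lengths, so the encrypted ICV can be corrected to match."""
    iv, body = frame[:3], bytearray(frame[3:])
    n = len(body) - 4                        # plaintext length
    full_delta = bytearray(n)
    full_delta[offset:offset + len(delta)] = delta
    icv_delta = zlib.crc32(bytes(full_delta)) ^ zlib.crc32(bytes(n))
    for k in range(n):
        body[k] ^= full_delta[k]
    for k, b in enumerate(struct.pack("<I", icv_delta & 0xFFFFFFFF)):
        body[n + k] ^= b
    return iv + bytes(body)


if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"          # constructed
    pt = b"GET /transfer?amount=0010 HTTP/1.0"
    frame = wep_encrypt(key, iv, pt)
    off = pt.index(b"0010")
    delta = bytes(a ^ b for a, b in zip(b"0010", b"9999"))
    print(wep_decrypt(key, flip_bits(frame, off, delta)))          # amount=9999, ICV valid
```

The attacker needs only to know (or guess) where the field sits in the plaintext, which is routine for fixed-format protocol headers. A keyed MAC such as Michael (TKIP) or the CCMP tag has no such linearity, which is the whole reason WPA replaced the CRC.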
wireless access point (AP or WAP):  A wireless AP is a device that creates a wireless network (WLAN). Typically it connects to a wired network and enables wireless devices to communicate with one another and with the wired network.
wireless infrastructure mode:  The most common configuration in both home and commercial applications. In infrastructure mode, the wireless clients communicate with a central device called a wireless access point (AP) instead of directly communicating with each other, like in ad hoc mode.