PENTEST – Definition Term

1. Administrative controls are security measures implemented to monitor the adherence to

organizational policies and procedures. These include activities such as hiring and termination
policies, employee training.
2. Physical controls restrict, detect and monitor access to specific physical areas or assets.
Methods include barriers, tokens, biometrics, or other controls such as ensuring the server room
doors are properly locked.
3. Technical controls automate protection to prevent unauthorized access or misuse and include
Access Control Lists (ACL), and Intrusion Detection System (IDS)/Intrusion Prevention System
(IPS) signatures.
4. A vulnerability is a weakness or flaw, such as a software bug, system flaw, or human error. A
vulnerability can be exploited by a threat.
5. Risk is equivalent to threat x vulnerability. Risk represents the consequence of a threat
exploiting a vulnerability. When dealing with cybersecurity, a risk can result in financial loss,
business disruption, or physical harm.
6. A threat represents something such as malware or a natural disaster, that can accidentally or
intentionally exploit a vulnerability and cause undesirable results.
7. which have hyperlinks to the record in the National Vulnerability Database (NVD). Once there,
you can read more details.
8. As vulnerabilities are identified, they are first rated as to the severity using the Common
Vulnerability Scoring System (CVSS). The score is derived using a set of metrics, which helps in
prioritizing vulnerabilities.
9. The information from the CVSS is fed into the Common Vulnerabilities and Exposures (CVE).
The CVE is a listing of all publicly disclosed vulnerabilities.
10. The ISSAF contains a list of 14 documents that relate to PenTesting, such as guidelines on
business continuity and disaster recovery along with legal and regulatory compliance.
11. Computerized electronic patient records are referred to as electronic protected health
information (e-PHI). With HIPAA, the e-PHI of any patient must be protected from exposure, or
the organization can face a hefty fine.
12. The Health Insurance Portability and Accountability Act (HIPAA) is a law that mandates
rigorous requirements for anyone that deals with patient information.
13. The California Consumer Privacy Act (CCPA) was enacted in 2020 and outlines specific
guidelines on how to appropriately handle consumer data.
14. In 2018 the EU enacted the General Data Protection Regulation (GDPR), which outlines specific
requirements on how consumer data is protected.
15. Reconnaissance is next and focuses on gathering as much information about the target as
possible. This process includes searching information on the Internet, using Open-Source
Information Gathering Tools (OSINT), and websites.
16. The Penetration Testing Execution Standard (PTES) was developed by business professionals as
a best practice guide to PenTesting.
17. The Open Web Application Security Project (OWASP) is an organization aimed at increasing
awareness of web security and provides a framework for testing during each phase of the
software development process.
18. Third-party hosted includes assets that are hosted by a vendor or partner of the client
organization, such as cloud-based hosting.
19. First-party hosted includes assets that are hosted by the client organization. In some cases, first-
party hosted assets might be easier to attack than third-party hosted services.
20. Goal-based / objective-based assessments have a particular purpose or reason. A point of sale
(PoS) system would be an example of a goal-based assessment.
21. Red Team represents the "hostile" or attacking team. With this type of assessment, the goal is
to see if your (red) team is able to circumvent security controls.
22. Blue Team represents the defensive team. It is a good way to determine how the security (blue)
team will respond to the attack.
23. Compliance-based assessments are used as part of fulfilling the requirements of a specific law
or standard, such as GDPR, HIPAA, or PCI DSS.
24. The Driver's Privacy Protection Act (DPPA) governs the privacy and disclosure of personal
information gathered by state Departments of Motor Vehicles.
25. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to ensure the security and
confidentiality of client information and take steps to keep customer information secure.
26. A service-level agreement (SLA) is a contract that outlines the detailed terms under which a
service is provided, including reasons the contract may be terminated.
27. The Statement of Work (SOW) is a document that defines the expectations for a specific
business arrangement. It typically includes a list of deliverables, responsibilities of both parties,
and others
28. The Master Service Agreement (MSA) is a contract that establishes guidelines for any business
documents executed between two parties. It can be used to cover recurring costs and any
unforeseen additional charges.
29. Wireshark is a powerful open-source protocol analysis tool that can decrypt many of the
protocols used to conceal data, such as IPsec, Kerberos, and SSL/TLS. It falls under the U.S.
encryption export regulations, and it may be illegal to use in certain countries.
30. Service (SRV) record provides host and port information on services such as voice over IP (VoIP)
and instant messaging (IM).
31. Text (TXT) record provides information about a resource such as a server or network in human
readable form.
32. Nameserver (NS) record lists the authoritative DNS server for a particular domain. A standard
DNS query will use DNS servers to identify the Internet Protocol (IP) address behind a particular
domain or resource name.
33. Mail Exchange (MX) record provides the mail server that accepts email messages for a particular
domain.
34. theHarvester is an intuitive tool that can search a company's visible threat landscape. The tool
gathers information on subdomain names, employee names, email addresses, PGP key entries,
and open ports and service banners.
35. Shodan is a search engine designed to locate and index IoT devices that are connected to the
Internet.
36. Dirbuster is specifically geared towards website enumeration. There are numerous tools and
techniques available to evaluate a website.
37. Metagoofil uses various python libraries such as PdfMiner, GoogleSearch, and Hachoir to scrape
the metadata, and then displays the information using Hypertext Markup Language (HTML).
38. The Certification Revocation List (CRL) is a list of certificates that in some way have been
deemed invalid. Although effective, most online services have moved to the newer OCSP to
check the validity of the certificate.
39. In the standard approach to determine the validity of a certificate, the burden rests on the
client, who must check with the Online Certificate Status Protocol (OCSP) server which confirms
validity of the certificate.
40. A more useful field in a digital certificate from a reconnaissance perspective is the subject
alternative name (SAN). SANs can identify specific subdomains that can be covered by the
certificate.
41. The Social Engineering Toolkit (SET) is a Python-based collection of tools that can be used when
conducting a social engineering PenTest.
42. ntitle:"DPH" "web login setting" would be used to find information of D -Link Phones. If they
don't have the password, they can search online for the default password to try on the targeted
system.
43. inurl:"ccmuser/logon.asp" would be used to find Cisco CallManager instances. They can also try
some other Google Hacking to find more information on VoIP phones that you can use to launch
the attack.
44. intitle:"Grandstream Device Configuration" password would be used to find information about
Grandstream phones.
45. inurl:"CallManager" would not be a valid instance of attempting to find CallManager instances,
they would have to search for ccmuser.
46. Pharming is when an attacker entices the victim into navigating to a malicious web page that
has been set up to look official.
47. Baiting is where an attacker will leave bait, such as an infected physical media, in an area where
a victim can find the device.
48. Spam can include malvertising, which is an email that looks like a normal ad, but instead
includes malicious code.
49. Nikto is an open-source web server scanner that can complete comprehensive testing on web
servers for a variety of vulnerabilities, such as anticlickjacking X-Frame-options header, and
dangerous files and CGIs.
50. A team can run a vulnerability scan using the Open Vulnerability Assessment Scanner. OpenVAS
will list the vulnerabilities along with a risk rating that summarizes the overall state of the site
that was tested.
51. SQLmap is an open-source database scanner that searches for and exploits SQL injection flaws.
52. When testing for vulnerabilities, one tool the team can use is Censys, an attack surface analyzer,
similar to Shodan, to identify exposed systems.
53. Scapy is a tool to craft and send a malformed packet to your target. The type of packet crafted
will be dependent on security products and rules.
54. Hping3 is also a tool to craft and send a malformed packet to your target. For example, the
Christmas (XMAS) scan might be able to bypass security mechanisms that follow strict
interpretation of RFC 793.
55. Obfuscating a known signature uses a tool such as ObfuscatedEmpire in a solution. It is a fork of
Empire that has Invoke-Obfuscation baked directly into its functionality.
56. Wget is not designed to obfuscate malware, but it can be used to grab a banner using the
following syntax: wget -S. When using this command, -S will print the HTTP headers that are
sent by the server.
57. theHarvester gathers information on subdomain names, employee names, email addresses, PGP
key entries, and open ports and service banners.
58. Netcat (nc) is a popular tool for Unix and Linux. The following shows using an HTTP GET request
to elicit the webserver type and version: echo -en "GET / HTTP/1.0\n\n\n"|nc www.comptia.org
80|grep Server.
59. A web application firewall (WAF) is specifically designed to monitor web applications and guard
against common attacks such as cross-site scripting (XSS) and SQL Injection (SQLi) attacks.
60. The Christmas (XMAS) scan turns on the FIN, URG, and PSH flags all in the same TCP segment.
This scan will be able to bypass firewalls that follow a strict interpretation of RFC 793.
61. In a DNS cache poisoning attack, the malicious actor will corrupt the DNS cache of a recursion
server to point a victim to a bogus IP address. This is not done at layer 2 though.
62. This attack deliberately maps an incorrect MAC address to a correct IP address, which poisons
the ARP cache. ARP poisoning is used to redirect traffic for malicious purposes.
63. A null scan is a packet sent without any flags set. This is not an actual stealth scan as security
systems are set to look for these.
64. TCP SYN (or half-open) scan is the original stealth scan. The scan sends a packet to the target
with the SYN flag set. This is called a "half-open" scan because the attacker does not complete
the TCP three-way handshake.
65. When assessing traffic on a Windows machine in an Active Directory (AD) environment, we can
find user account names found in Kerberos traffic. The Canonical Name (CName) string is the
username that is to be authenticated.
66. WiGLE is a site dedicated to mapping and indexing access points. With improved devices and
user education, there are significantly less open access points today.
67. Dynamic Application Security Testing (DAST) is done after the code is placed in production.
Unlike SAST, dynamic testing will unearth vulnerabilities that are evident after the code is in
production.
68. War driving is a technique that involves driving around to search for open access points using a
laptop or smartphone.
69. Nessus is a powerful scanning tool that can scan either enterprise or home networks. Nessus for
home or personal use is free. If running on an enterprise network, you will need to purchase the
product.
70. The Security Content Automation Protocol (SCAP) is a US standard used to ensure applications
are in line with mandated security requirements.
71. Acting as a local proxy, Burp Suite can intercept and capture the HTTP requests and responses
so the team can analyze the traffic. When discovered, Burp Suite will list the vulnerabilities.
72. Nmap Scripting Engine (NSE) scripts are a core component of Nmap that allows users to
customize activity and automate the scanning process. While these can enumerate services,
there are several varying categories.
73. Zenmap can create a visual of the network topology. Using Zenmap is intuitive, and you can run
scans within the application just as you would when using Nmap.
74. Coagula is a tool used to synthesize an image into a .wav file. To achieve this, you'll need to
download Coagula and Audacity, which are both free programs.
75. OpenStego is similar to most other tools in that you embed a message in a carrier file. To get
started, you‘ ll need to make sure that you have the Java Runtime Environment (JRE) installed.
76. Snow is a CLI steganography tool that conceals a data payload within the whitespace of a text
file that uses the ASCII format.
77. Ostinato uses packet crafting techniques as part of the attack. A more popular packet crafting
tool is Scapy pr hping3 which allows users to craft their own packets.
78. Changing time values is possible by using Metasploit's meterpreter tool called TimeStomp which
allows you to delete or modify timestamp-related information on files.
79. TimeStomp is a tool inside of meterpreter which allows you to delete or modify timestamp-
related information on files.
80. Shred is a command built into Linux to make sure that files are securely deleted and completely
removed. Windows doesn't have a built-in command-line equivalent to file-based shredding.
81. When using the command-line interface (CLI) in Windows, you can also clear individual log
categories. For example, wevtutil cl Application will clear the application log.
82. Steghide is an open-source tool used to conceal a payload in either an image or audio file. The
software can compress, conceal, and encrypt data.
83. Proxy servers are used on a network to mediate the communications between a client and
another server. One method is to use Socket Secure (SOCKS).
84. PsExec is a lightweight program that is part of the Sysinternals Suite that provides interactivity
for CLI programs.
85. Remote Desktop Protocol (RDP) is a service on Windows machines, not on Linux machines. The
X11 protocol can be used over SSH to enable graphical interfaces to Linux machines.
86. Telnet is a cleartext protocol, not an encrypted protocol. This should be disabled regardless and
not used in the enterprise unless absolutely necessary.
87. The -sF option sends a TCP FIN to bypass a non-stateful firewall.
88. When using Nmap, the TCP SYN scan (-sS) is the default and most popular option. It can be
performed quickly and is able to scan thousands of ports per second on a fast network not
hampered by restrictive firewalls.
89. XML output (-oX) is a format that can easily be analyzed by security automation tools,
converted to HTML, imported into a database, or studied using Zenmap.
90. Yersinia uses packet crafting techniques as part of the attack. A more popular packet crafting
tool is Scapy pr hping3 which allows users to craft their own packets.
91. The MSTG (Mobile Security Testing Guide) provides an intuitive framework that steps you
through the assessment process and includes a dashboard, security recommendations, and
specifications for testing resiliency.
92. A slowloris attack keeps multiple fake web connections open for as long as possible until the
maximum number of allowed connections is reached.
93. A DNS amplification attack uses multiple public DNS servers to receive spoofed queries and
respond to a target.
94. Prowler is an audit tool for use with Amazon Web Services only. It can be used to evaluate cloud
infrastructure against the Center for Internet Security (CIS) benchmarks.
95. In a side-channel attack, this exploit is possible because of the shared nature of the cloud
infrastructure, especially in a PaaS model.
96. In a malware injection attack, a malicious actor injects malicious code into an application.
Common attacks can include SQL injection (SQLi) and Cross-Site Scripting (XSS).
97. In direct-to-origin attacks (D2O), malicious actors circumvent proxy protections by identifying
the origin network or IP address and then launching a direct attack.
98. The finger command views a user's home directory along with login and idle time. You can also
use nmap -O or -sV scans to fingerprint the operating system and interrogate its services.
99. EAPHammer is another Python-based toolkit with a wide range of features. It provides options
that the team can use to launch an attack on a WPA2-Enterprise 802.11a or 802.11n network in
an easy-to-use platform.
100. Fern runs on a Linux OS and can recover WEP/ WPS/WPA/ keys using a variety of methods.
Fern is a commercial product; there is a free version as well that offers limited functionality.
101. One tool that can either spoof or clone a Bluetooth device is Spooftooph. Before making any
changes to a Bluetooth adapter, you must run Spooftooph with root privileges.
102. Getting users to join an evil twin is often accomplished by using a deauthentication attack.
Once the client is kicked off the network, they may be able to trick them into reconnecting to
the rogue AP.
103. Jamming is an attack that disrupts a Wi-Fi signal by broadcasting on the same frequency as
the target WAP, and any signals that a wireless transceiver is attempting to send or receive will
be blocked.
104. Wifite2 is a wireless auditing tool you can use to assess the WLAN. Wifite2 can launch a
variety of attacks including Pixie attacks, PMKID cracking, and more.
105. Airmon-ng will enable and disable monitor mode on a wireless interface. Airmon-ng can also
switch an interface from managed mode to monitor mode.
106. ScoutSuite is an open-source tool written in Python that can be used to audit instances and
policies created on multi-cloud platforms, such as AWS, Microsoft Azure, and Google Cloud.
107. The Extensible Authentication Protocol (EAP) creates an encrypted tunnel between the
supplicant and authentication server. This is not one of the main components but is a part of the
process.
108. Patching fragmentation occurs when device owners do not implement updates in a timely
manner. This fragmented approach can lead to individuals using unsupported versions that
leave the system vulnerable
109. Deperimeterization occurs when employees take sensitive data outside of the corporate
perimeter and do not properly secure their devices. This risks data exfiltration.
110. Strained infrastructure occurs when the addition of multiple devices places a strain on the
network and causes it to stop functioning at optimum capacity and may lead to an unintentional
Denial of Service.
111. This is an over-reach of permissions. Instead of using the principle of least privilege, a
consumer may feel it is necessary to allow an app to access services and data stores that are
generally restricted.
112. The forensics expert is using Frida which is an open-source tool that can work with a wide
range of operating systems and allows the forensics expert to dump process memory, in-process
fuzzing, and change a program's behavior.
113. APK Studio is an integrated development environment (IDE) designed so you can decompile
and or edit an APK file.
114. Drozer is open-source software used for testing for vulnerabilities on Android devices. Drozer
is an attack framework that allows you to find security flaws in the app and devices.
115. Postman is a tool that provides an interactive and automatic environment that allows teams
to build, interact, analyze and report on, and test HTTP APIs.
116. Corporate-owned, business only (COBO) means that the company will issue the employee a
mobile device that the employee can only use for company business.
117. The company will allow the employee to bring their own device in the bring your own device
(BYOD) deployment model.
118. The company will issue the employee a device that the employee can use for both company
and personal business in the corporate-owned, personally enabled (COPE) deployment model.
119. The Mobile Security Framework (MobSF) can provide an automated evaluation of code and
malware analysis using both static analysis and dynamic analysis.
120. The mobile user was the victim of a bluejacking attack which attackers use to send out
unwanted text messages, images, or videos to a mobile phone, tablet, or laptop using a
Bluetooth connection.
121. Bluesnarfing is an aggressive attack that allows a malicious actor to read information from a
victim's Bluetooth device. The end goal is to glean sensitive data from the victim.
122. This is a Type I hypervisor which is a bare-metal virtual platform installed directly onto the
hardware and manages access to the host hardware without going through a host operating
system.
123. A Type II hypervisor is software installed onto a host operating system and any virtual
machines installed on it are a guest and ride on top of the native operating system.
124. This represents hyperjacking which is when a malicious actor takes control of the hypervisor
that manages a virtual environment and then has all the required privileges to take full control
of the environment.
125. The devices are using the Message Queuing Telemetry Transport (MQTT) protocol which
carries messages between devices, but the protocol does not encrypt the data which makes it
vulnerable to attacks.
126. The Constrained Application Protocol (CoAP) works within a constrained network to transfer
data in a number of different devices and is susceptible to spoofing, packet amplification, and
coercive parsing attacks.
127. The penetration team is testing the vulnerabilities of the Network Attached Storage (NAS)
which is a group of file servers attached to the network dedicated to provisioning data access.
128. Storage Area Network (SAN) is a separate subnetwork typically consisting of storage devices
and servers that house a large amount of data.
129. This represents a session fixation attack which requires the user to authenticate with a known
session identifier that the threat actor will then use for impersonation.
130. Session replay requires having access to the user authentication process itself so that the
threat actor can intercept it and repeat it.
131. The threat actor executed a command injection attack in which the threat actor supplied
malicious input to the web server, which then passed this input to a system shell for execution.
132. Code injection is an attack that introduces malicious code into a vulnerable application to
compromise the security of that application.
133. The penetration tester is using truffleHog which can automatically crawl through a repository
looking for accidental commits of secrets that will allow an attacker to modify code in a Git
repository.
134. Brakeman is a static code analysis security tool for Ruby on Rails applications which checks for
vulnerabilities and provides confidence level of finding (high, medium, weak).
135. SearchSploit is an exploit finder that allows users to search through the information found in
Exploit-DB. It also supports Nmap outputs in XML format to search for exploits automatically.
136. BeEF (Browser Exploit Framework) focuses on web browser attacks by assessing the actual
security posture of a target by using client-side attack vectors
137. This represents a business logic flaw which is a vulnerability that arises from implementation
and design issues that lead to unintended behavior.
138. Horizontal privilege escalation is obtaining access to a regular user account with different
access or permissions than the one currently in use.
139. Vertical privilege escalation is to obtain access to an account of higher privilege than the one
we currently have, to enable resources that the regular user does not have permission for.
140. Session hijacking is the process of stealing the session credential from a user's browser and
then using it to impersonate the user on a website.
141. In a Document Object Model (DOM)-based attack, the threat actor does not send malicious
scripts to the server, instead, they take advantage of a web app's client-side implementation of
JavaScript to execute the attack solely on the client.
142. In a persistent attack, also called a stored attack, you inject malicious code or links into a
website's forums, databases, or other data.
143. In a reflected attack, a threat actor crafts a form or other request that the system will send to
a legitimate web server. This request includes the malicious script.
144. Directory traversal is the practice of accessing a file from a location that the user is not
authorized to access.
145. In a server-side request forgery (SSRF) attack, an attacker takes advantage of the trust
established between the server and the resources it can access, including itself.
146. Gobuster can discover subdomains, directories, and files by brute-forcing from a list of
common names. This can provide information that was otherwise not available.
147. DirBuster is a web application brute-force finder for directories and files that comes with nine
different lists, including default directories and common names given by developers.
148. The PenTester can execute the collapsed script, which is also known as a “one-liner,” as a
macro in a Word document that will execute when a user opens the document.
149. This is disassembly which is the reverse engineering process of translating low-level machine
code into higher level assembly language code that is human readable and can include familiar
programming elements.
150. Decompilation is the reverse engineering process of translating an executable into high-level
source code to help determine whether the application's logic will produce unintended results.
151. Debugging is the process of manipulating a program's running state in order to analyze it for
general bugs, vulnerabilities, and other issues.
152. Mythic is a cross-platform C2 framework tool that works with macOS, Linux, and Windows,
but it contains payloads that provide consistently good results when PenTesting macOS.
153. The PenTester is using mimikatz which gathers credentials by extracting key elements from
memory such as cleartext passwords, hashes, and PIN codes.
154. Hashcat is a password and hash cracking tool that uses different attack methods (dictionary,
mask, hybrid) to add complexity and variability.
155. Brutespray interprets results from an Nmap scan to automatically start medusa against the
identified open ports and can also use results from nmap with option “-sV” to identify and
target services on non-standard ports.
156. The PenTester can use port forwarding which uses a host as a pivot and allows access to one
of its open TCP/IP ports and then forwards traffic from this port to a port of a host on a different
subnet.
157. The PenTester is using Netcat which allows the PenTester to pivot from one host to another
exfiltrating files from each target to the PenTester's own host.
158. RAT is a remote access tool that a PenTester can use to create a backdoor or a remote access
trojan and victims primarily download them through Trojan horse malware.
159. A cron job is a scheduled task that the Linux cron daemon manages and the PenTester could
use it to execute a Netcat reverse shell command on a Linux target every so often.
160. The PenTester is using a rule attack which can make use of word lists to create variants and
combinations and can then try trimming or expanding words or substituting numbers or special
characters for letters.
161. OSI Layer vulnerabilities are a type of technical vulnerability that a PenTester may identify
when creating a report based on the Penetration Testing Execution Standard (PTES).
162. Manually identified vulnerabilities are a type of technical vulnerability that a PenTester may
include in a report based on the Penetration Testing Execution Standard (PTES).
163. The PenTesting team is using Dradis which reduces repetition and increases reach by allowing
team members to share data and findings about their client organization.
164. Nessus is a well-established vulnerability scanner with a module dedicated to reporting, so it
can help with the presentation of findings.
165. PTES (Penetration Testing Execution Standard) is a standard way for PenTesting teams to
report their findings to client organizations.
166. The business impact analysis involves estimating the implications to the client's organization
if a malicious actor were to target the issues identified during the activity.
167. Risk appetite refers to the amount and type of potential vulnerabilities and threats the
organization is willing to tolerate and endure.
168. Risk rating is the process of assigning quantitative values to the identified risks that
organization's complete by following a reference framework, which is a method to consistently
rate findings.
169. Risk prioritization is the process of adjusting the final rating of vulnerabilities to the client's
needs. The PenTesters and client need to work together to prioritize the results of testing.
170. Metasploit Pro is a full-featured graphical version that includes Quick Start wizards, easy
vulnerability scanning and validation, phishing campaigns, and reporting.
171. Covenant is a .NET command and control framework and, in a similar fashion to Empire, it
aims to show the attack surface of .NET and make attacks through this vector easier.
172. Wapiti is a web application vulnerability scanner that will automatically navigate a web app
looking for areas where it can inject data.
173. The medusa tool is a parallel brute-forcer for network logins. Its focus is to support numerous
network services that allow remote authentication.
174. The brutespray tool allows for the interpretation of results from an Nmap scan to
automatically start medusa against the identified open ports. It can also use results from nmap
with option "-sV" to identify and target services on non-standard ports.
175. The hydra tool is similar to medusa, in that it supports parallel testing of several network
authentications. It comes bundled with a tool called pw-inspect.
176. To capture all traffic on a switch, an option is to use switched port analysis (SPAN). With
SPAN, all ingress and egress traffic is copied between ports. This is also referred to as mirroring.
177. Using promiscuous mode is required when trying to monitor all traffic on a network. Without
this mode enabled, sniffing will not pick up all network traffic.
178. Windows Remote Management (WinRM) is a technology that provides an HTTP Simple
Object Access Protocol (SOAP) standard for specific remote management services on Windows
systems.
179. The Open-source Security Testing Methodology Manual (OSSTMM) provides a holistic
structured approach to PenTesting. Other cyber security resources include theHacker
Highschool which provides security awareness training to teens.
180. Reconnaissance is an overall approach to gaining information about an organization. This can
include using open-source intelligence and both passive and active scanning of on-premise
systems.
181. Footprinting is a technique that encompasses many different approaches to discovering the
layout of systems and a network.
182. Pseudocode is a made-up language used to show flow and logic but is not based on any
programming or scripting language. Pseudocode can be used to easily illustrate the logic of a
script.
183. Aireplay-ng Injects frames to perform an attack to obtain the authentication credentials for an
access point.
184. Airmon-ng will enable and disable monitor mode on a wireless interface. Airmon-ng can also
switch an interface from managed mode to monitor mode.
185. Airodump-ng is a tool that provides the ability to capture 802.11 frames and then use the
output to identify the Basic Service Set ID (MAC address) of an access point. This is a specific tool
that is part of the Aircrack-ng suite.
 186. The Aircrack-ng suite of utilities is made up of several command-line tools used for wireless
monitoring, attacking, testing and password cracking.
187. A testing threshold communication policy would outline how each party contacts and
communicates with each other in the event that a problem has occurred.
188. A testing scope would encompass the entirety of the testing project and what the testing
covers and does not cover. This would be established prior to the beginning of the PenTest and
not during.
189. Many mapping tools use Windows Management Instrumentation (WMI) to map and manage
a network. WMI can help provide a system inventory that includes system statics and other
information.
190. The Simple Network Management Protocol (SNMP) is useful for managing many devices
including those that are not computer workstations or laptops.
191. The ARP (Address Resolution Protocol) command is a useful Windows command-line tool
that can provide IP to MAC address mapping information for a host on a network.
192. With a Living Off The Land (LoTL) attack, the toolkit that is used is the system's own native
tools, which generally won't trigger any alarms and are harder to detect.
193. A randomly generated string, known as a salt, can be added to a password before hashing.
This salt can be stored along with the hashed password for verification purposes.
194. Randomization is a technique used in many areas, including password generation. Of note, a
salt is a randomly generated string of characters.
195. Input sanitization is the process of stripping user-supplied input of unwanted or untrusted
data so that the application can safely process that input. It is the most common approach to
mitigating the effects of code injection.
196. Key rotation is the process of periodically generating and implementing new access keys to a
server/service and is not related to sanitization.
197. Escaping is a type of input sanitization, also referred to as encoding. It substitutes special
characters in HTML markup with representations that are called entities.
198. Indicators of Prior Compromise are artifacts which can provide evidence of a prior
cybersecurity event and could be from malicious sources.
199. Debugging is the process of manipulating a program's running state in order to analyze it for
general bugs, vulnerabilities, and other issues.
200. Static code analysis is the process of reviewing uncompiled source code either manually or
using automated tools to correct errors.