Vocabulary flashcards covering key terms and concepts from Lesson 3 on performing security assessments, focusing on network reconnaissance, vulnerability scanning, and penetration testing concepts.
Network reconnaissance
The process of mapping the attack surface by identifying network hosts, connections, and routes to identify potential vulnerabilities.
Topology discovery
Scanning for hosts, IP ranges, and routes to map the target network and its structure.
Footprinting
Another term for topology discovery; building an asset database and identifying non-authorized hosts.
IPconfig
Windows command that shows the IP configuration of each interface, including MAC address, IPv4/IPv6 addresses, DHCP status, and default gateway.
Ifconfig
Linux command that displays the network interface configuration.
Ping
ICMP echo request used to verify reachability of a host; can be used to sweep a subnet.
ARP
Command to display the local ARP cache, showing IP-to-MAC mappings for hosts recently communicated with.
Route
Command to view and configure the host’s local routing table and default gateway.
Traceroute
Tool (Windows: tracert) that traces the path to a remote host and reports RTT for each hop.
Tracert
Windows implementation of traceroute for route discovery.
Pathping
Tool that provides statistics on latency and packet loss along a route over time.
Nmap
Open-source network scanner used for host discovery, port scanning, OS fingerprinting, and service identification.
Nmap host discovery sweep
Using Nmap to identify which hosts are up on a network, often with -sn to skip port scans.
TCP SYN scan (-sS)
Fast half-open scan that requests connections without completing them to determine port state.
UDP scan (-sU)
Port scan that probes UDP ports, waiting for responses or timeouts to determine state.
Version detection (-sV)
Nmap feature that determines service version and protocol information.
Aggressive scan (-A)
Nmap option enabling OS detection, version detection, script scanning, and more.
OS fingerprinting
Identifying the target’s operating system type and version from probe responses.
Banner grabbing
Collecting service banners from responses to identify software name and version.
Service discovery
Determining what services and applications are running on discovered hosts.
Netstat
Tool that shows active TCP/UDP ports and listening services; helps detect malware or misconfiguration.
ss
Linux utility that replaces netstat for checking sockets and connections.
nslookup
DNS lookup tool (Windows) used to query DNS servers for domain information.
dig
DNS lookup tool (Linux) used to query DNS servers and gather records.
dnsenum
Tool that runs a series of tests to enumerate DNS information, including hosts, address ranges, and records.
theHarvester
OSINT tool that gathers publicly available data (emails, subdomains, IPs, URLs) for a domain.
scanless
Tool that disguises probes by using third-party sites to perform port/service scans.
Nessus
Commercial vulnerability scanner that identifies patches, misconfigurations, and exposure.
OpenVAS
Open-source vulnerability scanner that uses NVTs and feeds to detect vulnerabilities.
SCAP
Security Content Automation Protocol; standard for automated vulnerability management and configuration assessment.
OVAL
Open Vulnerability and Assessment Language; XML schema for describing system state.
XCCDF
Extensible Configuration Checklist Description Format; XML standard for security checklists and baselines.
CVE
Common Vulnerabilities and Exposures; a dictionary of publicly known vulnerabilities with IDs.
CVSS
Common Vulnerability Scoring System; standard for rating vulnerability severity (0–10).
Vulnerability feed
Up-to-date database of known vulnerabilities and exploits used by scanners.
Credentialed scanning
Vulnerability scanning that uses valid login credentials to access systems for deeper results.
Non-credentialed scanning
Scanning that does not log in to systems, simulating the view of an external attacker.
Intrusive scanning
Active tests that may exploit or probe deeply, with higher risk of disruption.
Passive scanning
Non-intrusive method that analyzes indirect evidence (e.g., traffic) with minimal impact.
Threat hunting
Proactive security assessment using threat intelligence to uncover evidence of threats.
Kill chain
Sequential stages of an attacker’s actions: reconnaissance, exploitation, persistence, privilege escalation, lateral movement, pivoting, actions on objectives, and cleanup.
Red team
Offensive security team that simulates attackers to test defenses.
Blue team
Defensive security team that monitors and defends against attacks.
Purple team
Collaborative exercise combining red and blue teams to improve detection and response.
Rules of engagement
Explicit scope and permissions for a security assessment or pen test.
Penetration testing
Authorized hacking activity designed to actively exploit vulnerabilities to prove risk.
Metasploit
Open-source exploitation framework used to develop and run exploits.
Sn1per
Framework for penetration testing reporting and evidence gathering; integrates with other tools.
Netcat
Network utility for reading/writing data across connections; can be used for backdoors or banner grabbing.
hping
Packet crafting tool for testing firewalls, performing traces, and DoS-style probes.
tcpreplay
Tool to replay previously captured traffic from a pcap file for testing IDS/IPS.
Wireshark
Open-source protocol analyzer for deep inspection of network traffic with a graphical interface.
tcpdump
Command-line packet capture tool for Linux/Unix; supports complex filters and pcap output.
PCAP / PCAPNG
Packet capture file formats used to store network traffic data.
OSINT
Open-source intelligence gathering from public sources for a domain or organization.
War driving
Mapping and cataloging wireless networks by moving through an area, often with dedicated equipment.
Drones / Wi-Fi Pineapple
Aerial or portable reconnaissance tools used to locate and probe wireless networks.