What is Penetration Testing (Pentesting)?
A security exercise where a cyber-security expert manually or automatically attempts to find and exploit vulnerabilities in a computer system.
What is the primary purpose of a Penetration Test?
To identify weak spots in a system's defences which attackers could take advantage of.
How does Penetration Testing differ from Vulnerability Assessment?
Pentesting provides assurance in your vulnerability assessment and management processes, similar to an external financial audit.
What is a Bug Bounty?
A reward offered by an organization to external parties to authorize and incentivize them to perform security testing on their assets.
What is Blackbox testing?
Zero Knowledge testing, performing the test as an external attacker.
What is Whitebox testing?
Full Knowledge testing, performing the test as a developer.
What is Greybox testing?
Some Knowledge testing, performing the test as a user with access to some data.
What is a White-Hat Hacker?
An individual who finds vulnerabilities in networks legally, often working for organizations or governments.
What is a Black-Hat Hacker?
A highly skilled criminal who violates computer security illegally for personal gain.
What is a Gray-Hat Hacker?
A hacker who finds issues without the owner's permission and reports them, sometimes requesting a small fee to fix the issue.
How does Pentesting differ from Bug Bounties in terms of time?
Pentesting is time-bounded, whereas Bug Bounties are continuous.
How does Pentesting differ from Bug Bounties in terms of personnel?
Pentesting uses a dedicated team of experts, whereas Bug Bounties are crowd-sourced.
How does Pentesting differ from Bug Bounties in terms of cost?
Pentesting has a set cost regardless of results, whereas Bug Bounties only pay for unique, valid vulnerabilities.
What is the role of a Red Team?
Offensive security focused on evading protection, compromising credentials, escalating privileges, and moving laterally.
What is the role of a Blue Team?
Defensive security focused on protecting systems, threat hunting, digital forensics, and incident response.
What is the role of a Purple Team?
Collaborative security where Red and Blue Teams function together to test and improve detection and defense.
What is the first limitation of penetration testing?
It is not a comprehensive evaluation of security, meaning many issues may not be identified.
What is the second limitation of penetration testing?
Time limitations restrict the amount of information that can be gathered.
What is the third limitation of penetration testing?
Failing to understand its limited nature can give organizations a false sense of security.
What is Stage 1 of Penetration Testing?
Planning.
What is Stage 2 of Penetration Testing?
Discovery.
What is Stage 3 of Penetration Testing?
Attack.
What is Stage 4 of Penetration Testing?
Reporting.
What are the main tasks in the Planning stage of a pentest?
Identify rules, finalize management approval, and set test goals.
What are the main tasks in the Discovery stage of a pentest?
Reconnaissance, Scanning, and Enumeration.
What are the main tasks in the Attack stage of a pentest?
Gain access, escalate privileges, system browsing, and install additional tools.
What are the main tasks in the Reporting stage of a pentest?
List uncovered security issues, risk levels, resolution methods, and advice to improve internal assessments.
What is Scoping in the Planning stage?
Risk owners outline areas of concern, technical staff outline boundaries, and constraints are established.
What are the Rules of Engagement (ROE) in a pentest?
Detailed guidelines established before testing begins that give the test team authority to conduct activities.
What is the Gaining Access step in the Attack phase?
The initial attempt to break in based on data gathered in the discovery phase.
What is the Escalating Privileges step in the Attack phase?
Seeking to gain complete control (administrator-level access) if only user-level access is gained.
What is Intelligence Gathering?
The phase where an attacker gathers information, maps networks, and probes for exploitable vulnerabilities.
What is Passive Reconnaissance?
Gathering information on a target without their knowledge of your actions.
What is Active Reconnaissance?
Gathering information where the potential exists that your actions will be seen by the target (e.g., port scanning).
What is Open Source Intelligence (OSINT)?
Intelligence produced from publicly available information collected and exploited in a timely manner.
What is Network Sniffing?
The act of capturing network traffic for analysis or replay using software or hardware.
What is Promiscuous Mode?
A network card mode where the host listens to all traffic on the network, not just traffic addressed to itself.
What is Stage 1 of the Cyber Kill Chain?
Reconnaissance.
What is Stage 2 of the Cyber Kill Chain?
Weaponization.
What is Stage 3 of the Cyber Kill Chain?
Delivery.
What is Stage 4 of the Cyber Kill Chain?
Exploitation.
What is Stage 5 of the Cyber Kill Chain?
Installation.
What is Stage 6 of the Cyber Kill Chain?
Command & Control (C2).
What is Stage 7 of the Cyber Kill Chain?
Actions on Objectives.
What is Shared Ethernet?
A network where all systems connect to the same bus, packets are broadcast, and it is highly vulnerable to passive sniffing.
What is Switched Ethernet?
A network where machines connect to a switch that tracks MAC addresses, sending packets specifically to intended machines.
What does an Open TCP Port state mean?
The port is ready to establish a session.
What does a Closed TCP Port state mean?
The port is rejecting connections.
What does a Filtered TCP Port state mean?
Packets are being dropped or blocked, typically by a firewall.
How do you trace the origin of an email?
Explore email headers to find the IP address of the sender, date and time, and the Mail server routing path.
What happens in a TCP Scan Positive Inference?
Client sends SYN, Server replies SYN/ACK, Client replies ACK (Port is OPEN).
What happens in a TCP Scan Negative Inference?
Client sends SYN, Server replies RST (Port is CLOSED).
What happens in a TCP Scan Filtered Inference?
Client sends SYN, Connection times out (Port is FILTERED).
What is a TCP SYN (Stealth) Scan?
Client sends SYN, Server replies SYN/ACK, Client immediately sends RST to terminate (Port is OPEN).
What is a TCP XMAS Scan?
Client sends FIN/PSH/URG. Server replies RST if closed, or times out if open/filtered.
How do UDP scans detect closed ports?
They rely on detecting ICMP Port Unreachable responses.
What is a Protocol-specific UDP Scan?
Using a known application protocol (like SNMP) to see if a specific port responds with a protocol reply.
What is a Password?
A shared secret used to gain access to a system, known only to a user of the system and the system itself.
What is Authentication?
The process of verifying an actor's identity.
What are the three Classes of Secrets for authentication?
Something you know, Something you have, Something you are.
What is Password Entropy?
A mathematical measure of uncertainty that represents a password's strength and resistance to guessing.
What is a Cryptographic Hash Function?
A deterministic function that transforms input data into scrambled output data and is collision-resistant.
Why is obtaining passwords important for an attacker?
It allows for initial access, privilege escalation, and lateral movement.
Name three good Cryptographic Hashing Algorithms.
sha256, sha512, sha3 (or shake).
Name three bad Cryptographic Hashing Algorithms.
md5, crc, sha1.
Why must passwords never be stored in plain text?
If a system is compromised, an attacker could read plain text passwords and log in as root/admin.
Why must passwords never be stored using encryption?
Encryption is a two-way function (reversible if keys are stolen), whereas hashing is a secure one-way function.
What is Salting in password storage?
Adding a unique random string to each password before hashing it to defeat pre-computed dictionary attacks.
How does Slow Hashing defeat hardware acceleration?
Algorithms like bcrypt and scrypt use a configurable work factor to increase calculation time, making GPU brute-forcing impractical.
What is Code Injection?
An attack where malicious code is injected into an application, which is then interpreted or executed.
What is Code Execution?
Attacks that typically allow arbitrary code to be executed, possibly remotely.
What is SQL Injection (SQLi)?
Injecting malicious SQL statements into an input field to manipulate the database.
What type of loss occurs when SQLi is used to extract unauthorized data?
Confidentiality Loss.
What type of loss occurs when SQLi is used to alter the database with UPDATE or INSERT statements?
Integrity Loss.
What is the outcome of the injected input "Bob' OR 1=1 --" in SQLi?
What is OS Command Injection (Shell Injection)?
Injecting commands into the shell, often when an app passes unsanitized user input to a system shell.
List four command separators used in OS Command Injection.
&, &&,
What is Taint Analysis?
A security feature in some languages that marks variables as tainted (untrusted) if they come from external input until sanitized.
What is Persistent XSS?
The adversary provides malicious input which the server stores and displays to all other users.
What is Reflected XSS?
The user clicks a malicious link containing a payload, and the visited website reflects it back into the browser.
What is DOM-based XSS?
The adversary injects an attack directly into the running application's Document Object Model using scripts like document.write.
What is the general mitigation rule for code injection?
Assume any input provided is potentially malicious.
What is the absolute best defense against SQL Injection?
Parameterized Queries, which separate SQL logic from data inputs.
What is a Buffer Overflow?
A vulnerability occurring when a program writes data past the end of a designated memory buffer, overwriting adjacent memory locations.
What is the Memory Stack?
A Last-In First-Out (LIFO) data structure used to store local variables, function arguments, and return addresses.
What direction does the Memory Stack grow?
Downwards, from High memory addresses to Low memory addresses.
What is the EIP (Instruction Pointer) register?
Holds the address of the next memory location to execute once the current function finishes (the Return Address).
What is the EBP (Base Pointer) register?
Used as a static reference point for the rest of the current stack frame.
What is the first item pushed onto the Memory Stack from high to low address?
Function Arguments.
What is the second item pushed onto the Memory Stack from high to low address?
Return Address.
What is the third item pushed onto the Memory Stack from high to low address?
Previous Frame Pointer (EBP).
What is the fourth item pushed onto the Memory Stack from high to low address?
Local Variables (the buffer).
How does an attacker exploit a Buffer Overflow?
By inputting a string larger than the buffer that spills upwards to overwrite the EIP (Return Address) to point to injected malicious code.
What does the Text segment of program memory store?
Executable code (read-only).
What does the Data segment of program memory store?
Initialized static and global variables.
What does the BSS segment of program memory store?
Uninitialized static and global variables.
What does the Heap segment of program memory store?
Dynamic memory allocation (managed by malloc/free).
Why is strncpy considered safer than strcpy?
strncpy explicitly checks the length of the input, helping to prevent buffer overflows.
What is Address Space Layout Randomization (ASLR)?
An OS countermeasure that randomizes the start location of the stack every time code is loaded.
What is a Stack Canary?
A compiler countermeasure that places a random secret value before the Return Address to detect stack smashing.