- Nmap
- The de facto network scanner — discovers live hosts, open ports, services, and OS fingerprints. Core tool for the recon and enumeration phase.
- Metasploit Framework
- An exploitation framework that bundles exploits, payloads (e.g., Meterpreter), and post-exploitation modules to deliver and manage attacks against vulnerable targets.
- Burp Suite
- An intercepting web proxy used to capture, modify, and replay HTTP/S traffic; its scanner, Repeater, and Intruder tools test web apps for vulnerabilities.
- Rules of Engagement (RoE)
- The agreed document that defines what testers may do — scope, timing, targets, allowed techniques, and escalation/communication paths — keeping the test legal and controlled.
- Scope (penetration test)
- The explicit boundary of an engagement: which IP ranges, domains, applications, and facilities are in or out of bounds. Testing outside scope can be illegal.
- Statement of Work (SOW)
- The contract section defining the deliverables, timeline, and tasks of the engagement — the formal description of work to be performed.
- Master Service Agreement (MSA)
- An overarching contract setting the general terms and conditions for an ongoing relationship; individual engagements are governed by SOWs under it.
- Non-Disclosure Agreement (NDA)
- A legal agreement that binds the tester to keep client data, findings, and vulnerabilities confidential.
- Authorization / 'get-out-of-jail' letter
- Written, signed permission from someone with authority over the target, proving the testing is authorized. Without it, the activity is unauthorized access (a crime).
- Black-box testing
- An unknown-environment test: the tester is given no prior internal information and must discover everything, simulating an external attacker.
- White-box testing
- A known-environment test: the tester is given full information (source, architecture, credentials) for the most thorough, efficient assessment.
- Gray-box testing
- A partially-known test: the tester is given limited information (e.g., a standard user account), balancing realism and coverage.
- Goal of a penetration test report
- To clearly communicate findings, risk, and prioritized remediation to the client — including an executive summary, methodology, evidence, and actionable recommendations.
- Executive summary (report)
- A non-technical, business-focused overview of the engagement's key risks and recommendations, written for leadership who won't read the technical detail.
- Communication plan / escalation path
- The agreed channels and triggers for contacting the client during a test — e.g., who to call immediately if a critical vulnerability or a system outage is found.
- Stop point / safe word
- A pre-agreed condition or signal that halts testing immediately — e.g., on detecting illegal content, evidence of a real breach, or production impact.
- Risk appetite / acceptance (scoping)
- How much disruption and risk the client will tolerate during testing; it shapes allowed techniques (e.g., whether DoS or social engineering is permitted).
- Remediation recommendation
- The actionable fix a report gives for each finding (patch, configuration change, control), prioritized by the risk the vulnerability presents.
- CVSS (Common Vulnerability Scoring System)
- A 0.0–10.0 open standard for rating vulnerability severity (None/Low/Medium/High/Critical), used to prioritize findings in a report. Maintained by FIRST.
- Compliance-based assessment
- A test driven by a standard or regulation (e.g., PCI DSS, HIPAA) where the scope and required checks are dictated by the framework, not just the client.
- Why third-party permission matters
- Cloud and hosted assets may be owned by a provider (AWS, Azure); the client cannot authorize testing of infrastructure it does not own, so provider rules/permission are required.
- PTES
- Penetration Testing Execution Standard — a methodology defining 7 phases: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting.
- OSSTMM
- Open Source Security Testing Methodology Manual — a peer-reviewed methodology for repeatable, metric-based security testing.
- NIST SP 800-115
- NIST's Technical Guide to Information Security Testing and Assessment — defines planning, discovery, attack, and reporting phases for security assessments.
- MITRE ATT&CK
- A globally available knowledge base of real-world adversary tactics and techniques, used to model attacks and map findings to attacker behavior.
- OWASP
- Open Worldwide Application Security Project — a nonprofit producing the OWASP Top 10, the Web Security Testing Guide, and tools like ZAP for web app security.
- Bug bounty program
- An ongoing program (often public) that pays external researchers for responsibly disclosed vulnerabilities, within defined scope and rules.
- Responsible / coordinated disclosure
- Reporting a discovered vulnerability privately to the vendor and giving them time to fix it before any public disclosure.
- Threat modeling (pre-engagement)
- Identifying likely threat actors, their motivations and capabilities, and the assets they would target — to focus the test on realistic, high-value attack paths.
- Adversary emulation vs. vulnerability scan
- Adversary emulation mimics a specific real-world threat actor's TTPs end-to-end; a vulnerability scan just enumerates weaknesses without exploiting or chaining them.
- Time-of-day / window restriction
- A scoping constraint limiting when testing may occur (e.g., after business hours) to reduce operational impact on production systems.
- Why scope creep is a problem
- Testing assets outside the authorized scope can be illegal, damage trust, and fall outside the signed authorization and insurance — always confirm before expanding.
- Passive reconnaissance
- Gathering information without directly touching the target — OSINT, WHOIS, DNS records, search engines, social media. The target sees no probe traffic.
- Active reconnaissance
- Directly interacting with the target — port scanning, banner grabbing, service enumeration. More data, but detectable by the target's defenses.
- OSINT
- Open-Source Intelligence — collecting publicly available data (websites, social media, leaked credentials, job postings, public records) to profile a target.
- WHOIS
- A query that returns domain registration data — registrar, registration/expiry dates, and (when not redacted) registrant contacts and name servers.
- dig / nslookup
- DNS query tools used to resolve names, enumerate records (A, MX, NS, TXT), and attempt zone transfers during passive/active recon.
- DNS zone transfer (AXFR)
- A misconfiguration where a DNS server hands over its full zone file, exposing every host record at once — a recon goldmine if allowed.
- theHarvester
- An OSINT tool that gathers emails, subdomains, hosts, and employee names from public sources (search engines, PGP servers, etc.).
- Recon-ng
- A modular OSINT reconnaissance framework (Metasploit-like interface) for automating data collection from many public sources.
- Maltego
- A graphical OSINT and link-analysis tool that maps relationships between people, domains, emails, infrastructure, and social media.
- Shodan
- A search engine for Internet-connected devices; finds exposed servers, webcams, ICS/SCADA, and services by banner — passive recon of the attack surface.
- Google dorking
- Using advanced search operators (site:, filetype:, intitle:, inurl:) to find exposed files, login pages, and sensitive data indexed by search engines.
- Subdomain enumeration
- Discovering a target's subdomains (e.g., with Sublist3r, Amass, or certificate transparency logs) to expand the attack surface.
- Banner grabbing
- Connecting to a service to read the response banner, revealing the software and version (e.g., 'Apache/2.4.41') to identify likely vulnerabilities.
- Fingerprinting (OS/service)
- Analyzing responses to determine the exact operating system or service and version running, so attacks can be matched to known vulnerabilities.
- Nmap SYN scan (-sS)
- A 'half-open' TCP scan that sends SYN and reads the SYN-ACK/RST without completing the handshake — fast and stealthier than a full connect scan.
- Nmap service/version scan (-sV)
- Probes open ports to identify the service and version running, refining the target list for vulnerability matching.
- Nmap Scripting Engine (NSE)
- Nmap's Lua scripting system that automates discovery, version detection, and even vulnerability checks (e.g., --script vuln).
- Masscan
- An extremely fast Internet-scale port scanner that can scan large IP ranges quickly, often used for initial host/port discovery before deeper Nmap scans.
- Wireshark
- A GUI packet capture and protocol analyzer used to inspect network traffic, extract credentials sent in clear text, and understand protocols.
- tcpdump
- A command-line packet capture tool for sniffing and recording network traffic, common on Linux hosts during recon and post-exploitation.
- ARP scanning (arp-scan)
- Discovering live hosts on a local subnet by sending ARP requests and reading replies — reliable on a LAN where ICMP may be blocked.
- ICMP / ping sweep
- Sending ICMP echo requests across a range to find which hosts respond — fast host discovery, but often blocked by firewalls.
- SMB enumeration (enum4linux)
- Enumerating Windows/Samba shares, users, groups, and password policy over SMB — a rich source of internal targets and footholds.
- SNMP enumeration
- Querying devices over SNMP (often with default community string 'public') to extract system info, interfaces, routes, and sometimes credentials.
- War driving / wireless recon
- Surveying an area for wireless networks (e.g., with Kismet or airodump-ng) to map SSIDs, encryption, and signal — the wireless attack surface.
- Certificate transparency logs
- Public logs of issued TLS certificates (e.g., crt.sh) that reveal subdomains and hostnames an organization has certificates for.
- Wappalyzer / WhatWeb
- Tools that fingerprint a website's technology stack — CMS, frameworks, server, and JavaScript libraries — guiding targeted attacks.
- Email harvesting
- Collecting employee email addresses from public sources to build phishing target lists and infer the organization's email naming convention.
- Active vs passive — detection trade-off
- Passive recon is undetectable but limited; active recon yields far more detail but generates traffic the target can log and alert on.
- Enumeration
- Actively extracting detailed information from discovered services — usernames, shares, software versions, hosts — to plan exploitation.
- Vulnerability scanning
- Automated checking of systems against a database of known weaknesses (missing patches, misconfigurations, weak settings) to produce a prioritized findings list.
- Nessus
- A widely used commercial vulnerability scanner (Tenable) that checks hosts and apps against thousands of known vulnerability and configuration checks.
- OpenVAS / Greenbone
- An open-source vulnerability scanner that performs networked vulnerability tests against hosts and services.
- Nikto
- An open-source web server scanner that checks for dangerous files, outdated software, and common server misconfigurations.
- Wapiti
- An open-source black-box web application vulnerability scanner that crawls a site and injects payloads to find injection, XSS, and file-inclusion flaws.
- OWASP ZAP
- The OWASP Zed Attack Proxy — a free intercepting proxy and web app scanner, an open-source alternative to Burp Suite.
- sqlmap
- An automated tool that detects and exploits SQL injection flaws, enumerating databases, tables, and data, and even gaining a shell.
- Fuzzing
- Sending large volumes of malformed or unexpected input to an application to trigger crashes, errors, or unexpected behavior that reveal vulnerabilities.
- False positive
- A scanner flagging a vulnerability that doesn't actually exist or isn't exploitable. Testers must validate findings before reporting.
- False negative
- A real vulnerability the scanner missed — the more dangerous error, which is why manual testing supplements automated scans.
- Validation (vulnerability)
- Manually confirming a scanner finding is real and exploitable (e.g., actually exploiting it in a controlled way) before including it in the report.
- Credentialed vs. non-credentialed scan
- A credentialed scan logs in to inspect patch levels and config from the inside (more accurate, fewer false positives); a non-credentialed scan tests from outside only.
- CVE
- Common Vulnerabilities and Exposures — a public catalog assigning a unique ID (e.g., CVE-2021-44228) to each known, disclosed vulnerability.
- CWE
- Common Weakness Enumeration — a categorized list of software/hardware weakness types (e.g., CWE-89 SQL injection) that underlie specific CVEs.
- CVSS base score components
- The base metric set rates exploitability (attack vector, complexity, privileges, user interaction) and impact (confidentiality, integrity, availability).
- NVD (National Vulnerability Database)
- NIST's database that enriches CVE entries with CVSS scores, affected products (CPE), and references — the standard lookup for vulnerability detail.
- Exploit database (Exploit-DB)
- A public archive of proof-of-concept exploits and shellcode, searchable locally with searchsploit, used to find working exploits for a CVE.
- Prioritizing findings
- Ranking vulnerabilities by risk = severity (CVSS) combined with business context and exploitability, so the client fixes the most dangerous issues first.
- SSL/TLS scanning (testssl.sh, sslscan)
- Tools that test a TLS endpoint for weak ciphers, protocol versions, expired certs, and known flaws (e.g., Heartbleed, POODLE).
- Web crawler / spider
- A tool that automatically follows links to map all pages, parameters, and endpoints of a web app — the input list for vulnerability testing.
- Scan tuning / throttling
- Adjusting a scan's intensity and timing to avoid overwhelming fragile systems (e.g., ICS/SCADA, legacy hosts) and triggering outages.
- Attack surface
- The total set of points where an attacker could try to enter or extract data — every exposed service, port, app, and interface. Reducing it lowers risk.
- Exploit
- Code or a technique that takes advantage of a specific vulnerability to make a system behave unexpectedly — e.g., run attacker code or grant access.
- Payload
- The code delivered and executed after a successful exploit — e.g., a reverse shell, Meterpreter session, or command execution.
- SQL injection (SQLi)
- Inserting malicious SQL into an input so the database runs unintended commands — read/modify data or bypass authentication. Fix: parameterized queries.
- Cross-site scripting (XSS)
- Injecting script into a trusted site that runs in another user's browser (stored, reflected, or DOM-based). Steals cookies/sessions. Fix: output encoding + CSP.
- Cross-site request forgery (CSRF)
- Tricking an authenticated user's browser into sending an unwanted state-changing request to a site they're logged into. Fix: anti-CSRF tokens, SameSite cookies.
- Command injection
- Injecting OS commands into input passed to a system shell so the server executes the attacker's commands. Fix: avoid shell calls, validate/escape input.
- Directory / path traversal
- Using sequences like '../' in input to access files outside the web root (e.g., /etc/passwd). Fix: canonicalize and validate file paths.
- Local / remote file inclusion (LFI/RFI)
- Abusing dynamic file-include functionality to load local files (LFI) or attacker-hosted remote files (RFI), often leading to code execution.
- Server-side request forgery (SSRF)
- Tricking a server into making requests to internal resources the attacker can't reach directly — e.g., cloud metadata endpoints. Fix: allow-list outbound URLs.
- XML external entity (XXE)
- Abusing an XML parser that processes external entities to read local files or perform SSRF. Fix: disable external entity resolution.
- Insecure direct object reference (IDOR)
- Accessing another user's data by changing an identifier in a request (e.g., id=124 → id=125) because the app fails to check authorization.
- Buffer overflow
- Writing more data than a buffer holds, overwriting adjacent memory (including the return address) to redirect execution to attacker code.
- Race condition (TOCTOU)
- Exploiting the timing gap between a security check and the use of a resource (time-of-check to time-of-use) to slip in a malicious change.
- On-path (man-in-the-middle) attack
- Secretly relaying or altering traffic between two parties to eavesdrop or modify data — e.g., via ARP spoofing or a rogue access point.
- ARP poisoning / spoofing
- Sending forged ARP replies on a LAN so traffic for another host flows through the attacker — the basis of many on-path attacks.
- DNS poisoning / spoofing
- Corrupting DNS responses so a victim resolves a domain to an attacker-controlled IP, redirecting them to a malicious server.
- Denial of service (DoS) / DDoS
- Overwhelming a system or network with traffic/requests so legitimate users can't access it. Often out of scope unless explicitly authorized.
- Password spraying
- Trying one or a few common passwords against many accounts to avoid lockout — quieter than brute-forcing a single account.
- Credential stuffing
- Using username/password pairs leaked from one breach to log in elsewhere, exploiting password reuse.
- Brute-force attack
- Systematically trying every possible password/key until one works; mitigated by lockouts, rate limiting, and strong/complex secrets.
- Hydra / Medusa
- Network login brute-force tools that attempt credentials against services like SSH, RDP, FTP, and HTTP forms.
- John the Ripper
- An offline password-cracking tool that recovers plaintext from password hashes using dictionary, rule-based, and brute-force attacks.
- Hashcat
- A fast, GPU-accelerated password-cracking tool that recovers plaintext from many hash types using wordlists, rules, and masks.
- Zero-day exploit
- An exploit for a vulnerability unknown to the vendor (no patch exists yet) — highly valuable and hard to defend against.
- Social engineering
- Manipulating people into revealing information or taking actions that compromise security — the human attack vector.
- Phishing
- Fraudulent messages (usually email) that trick victims into revealing credentials, clicking links, or running malware. Spear phishing targets a specific person.
- Vishing / smishing
- Voice phishing (vishing) over phone calls and SMS phishing (smishing) over text — social-engineering variants of phishing.
- Pretexting
- Inventing a believable scenario or false identity (e.g., posing as IT support) to manipulate a target into cooperating.
- Tailgating / piggybacking
- Following an authorized person through a secure door to gain unauthorized physical entry without their challenge.
- SET (Social-Engineer Toolkit)
- A framework for crafting social-engineering attacks — phishing pages, malicious attachments, and credential-harvesting clones.
- Evil twin / rogue access point
- A fake Wi-Fi access point impersonating a legitimate SSID to capture credentials or perform on-path attacks on connecting clients.
- WPA/WPA2 handshake capture + crack
- Capturing the 4-way handshake (e.g., with airodump-ng) and cracking the pre-shared key offline with a wordlist (aircrack-ng/hashcat).
- Aircrack-ng suite
- A set of wireless tools to monitor, capture, inject, and crack Wi-Fi (airmon-ng, airodump-ng, aireplay-ng, aircrack-ng).
- Deauthentication attack
- Sending forged deauth frames to knock clients off a Wi-Fi network — used to capture handshakes or to set up an evil twin.
- Cloud attacks (metadata service)
- Abusing a cloud instance's metadata endpoint (e.g., 169.254.169.254) — often via SSRF — to steal temporary credentials and pivot in the cloud.
- Misconfigured S3 bucket
- A publicly readable/writable cloud storage bucket that exposes data — a common cloud finding due to the shared-responsibility model.
- Reverse shell vs. bind shell
- A reverse shell connects from the victim back to the attacker (beats inbound firewalls); a bind shell listens on the victim for the attacker to connect in.
- Meterpreter
- Metasploit's advanced, in-memory payload providing a feature-rich session — file access, privilege escalation, pivoting, and credential dumping.
- msfvenom
- Metasploit's payload generator/encoder — builds standalone payloads (e.g., a Windows reverse-shell executable) for delivery outside the framework.
- Netcat
- The 'Swiss army knife' of networking — reads/writes raw TCP/UDP; used for banner grabbing, file transfer, port listening, and simple shells.
- Default / weak credentials
- Unchanged factory passwords (admin/admin) or weak secrets on devices and apps — a fast, high-impact initial-access finding.
- Deserialization attack
- Supplying crafted serialized objects that, when deserialized by the app, execute attacker code or alter logic. Fix: avoid native deserialization of untrusted data.
- VLAN hopping
- Escaping an assigned VLAN to reach others — via switch-spoofing or double-tagging — bypassing network segmentation.
- LLMNR/NBT-NS poisoning (Responder)
- Answering Windows name-resolution broadcasts (LLMNR/NBT-NS) to capture NTLM hashes from victims, then relay or crack them.
- BeEF
- Browser Exploitation Framework — 'hooks' a victim browser via XSS to run commands, gather data, and pivot through the browser.
- Web shell
- A malicious script (e.g., PHP/ASP) uploaded to a web server that gives the attacker remote command execution through the browser.
- API attacks (broken object-level auth)
- Abusing API endpoints that fail to authorize per-object access (BOLA/IDOR) to read or modify other users' data — top of the OWASP API Top 10.
- JWT attacks
- Abusing JSON Web Tokens — e.g., 'alg:none', weak signing keys, or unverified signatures — to forge tokens and escalate access.
- Post-exploitation
- Everything after gaining initial access: escalating privileges, maintaining persistence, harvesting credentials, moving laterally, and collecting evidence/data.
- Privilege escalation
- Gaining higher rights than granted — vertical (user → admin/root) or horizontal (to another user's access) — to deepen control of a host.
- Persistence
- Establishing a way to keep access across reboots/credential changes — e.g., scheduled tasks, services, cron jobs, or new accounts.
- Lateral movement
- Using a compromised host to reach and compromise other systems on the internal network, expanding the foothold toward high-value targets.
- Pivoting
- Routing traffic through a compromised host to reach networks the attacker can't access directly — e.g., a SOCKS proxy or SSH tunnel.
- Pass-the-hash (PtH)
- Authenticating to a Windows system using a captured NTLM hash directly, without ever cracking the plaintext password.
- Pass-the-ticket / Kerberos abuse
- Stealing or forging Kerberos tickets (e.g., Golden/Silver tickets) to impersonate users and access services across an AD domain.
- Kerberoasting
- Requesting Kerberos service tickets for accounts with SPNs, then cracking the ticket offline to recover the service account's password.
- Mimikatz
- A Windows post-exploitation tool that dumps plaintext passwords, hashes, Kerberos tickets, and performs pass-the-hash/pass-the-ticket.
- LSASS dumping
- Extracting credentials from the Windows LSASS process memory (e.g., with Mimikatz or comsvcs.dll) to harvest hashes and tickets.
- PsExec
- A Sysinternals tool (and Metasploit module) that executes commands on a remote Windows host over SMB — common for lateral movement.
- WMI for remote execution
- Using Windows Management Instrumentation (e.g., wmiexec) to run commands on a remote host without dropping a service binary — stealthier lateral movement.
- Windows scheduled task (persistence)
- Creating a scheduled task (schtasks) that re-runs the attacker's payload on a trigger or interval to survive reboots.
- Linux cron job (persistence)
- Adding a cron entry that periodically executes the attacker's payload — the Linux analog of a Windows scheduled task.
- SUID binary abuse (Linux)
- Exploiting a root-owned binary with the SUID bit set so its actions run as root, enabling privilege escalation (see GTFOBins).
- GTFOBins / LOLBAS
- Catalogs of legitimate binaries (Linux: GTFOBins; Windows: LOLBAS) that can be abused for privilege escalation, persistence, or bypassing controls.
- BloodHound
- A tool that maps Active Directory relationships to find the shortest attack paths to Domain Admin, visualizing privilege escalation routes.
- SSH tunneling / port forwarding
- Using SSH (e.g., 'ssh -D' for a SOCKS proxy, or -L/-R) to tunnel and forward traffic through a compromised host for pivoting.
- ProxyChains
- A tool that forces other programs' TCP connections through a proxy (e.g., a SOCKS tunnel), letting attacker tools reach internal hosts via a pivot.
- Credential harvesting
- Collecting passwords, hashes, tokens, and keys from a compromised host (memory, files, browser stores) to enable lateral movement.
- Data exfiltration (testing)
- Demonstrating that sensitive data could leave the network — done carefully and within scope, often with sanitized or proof-only data.
- Anti-forensics / log clearing (caution)
- Techniques to hide activity (clearing logs, timestomping). On an authorized test, testers usually document rather than destroy, preserving evidence.
- Cleanup / restoring state
- Removing tools, payloads, accounts, and persistence after the engagement so the environment is returned to its original, secure state.
- Living off the land (LOTL)
- Using built-in, trusted tools (PowerShell, WMI, certutil) instead of malware to evade detection during post-exploitation.
- Token impersonation
- Stealing or duplicating a Windows access token from a process to act with another (often higher-privileged) user's rights.
- DCSync
- Abusing replication rights in Active Directory to request password hashes for any account directly from a domain controller (often via Mimikatz).
- Foothold
- The initial access point an attacker establishes on a target network — the base from which escalation and lateral movement proceed.
- Dual-homed host (pivot)
- A host connected to two networks; compromising it lets an attacker bridge from one segment to an otherwise unreachable one.
- Pre-engagement phase
- The first PTES phase: agreeing scope, RoE, authorization, timing, and goals with the client before any testing begins.
- Findings prioritization in a report
- Ordering vulnerabilities by risk (severity x likelihood x business impact) so the client remediates the most dangerous issues first.
- Attestation of findings
- A formal report or letter confirming the testing performed and its results, often required for compliance or third-party assurance.
- Retest / validation engagement
- A follow-up test confirming the client's remediations actually closed the reported vulnerabilities.
- Nmap output formats (-oA)
- Nmap can save results in normal, XML, and grepable formats at once (-oA) so findings can be parsed by other tools and the report.
- Amass
- An OWASP tool for in-depth attack-surface mapping and subdomain enumeration using OSINT and active techniques.
- FOCA / metadata analysis
- Extracting metadata from public documents (authors, software, paths, usernames) to learn about a target's internal environment.
- Authenticated web scan
- Configuring a scanner with valid session credentials so it can test pages behind login — finding vulnerabilities a guest scan misses.
- Scan scheduling / change control
- Coordinating scan windows with the client to avoid business disruption and to respect maintenance and change-control processes.
- OWASP Top 10
- The list of the most critical web application security risks (e.g., Broken Access Control, Injection, Security Misconfiguration), updated periodically.
- Clickjacking
- Overlaying invisible UI so a victim clicks something different from what they see; mitigated with X-Frame-Options / frame-ancestors CSP.
- Session hijacking
- Stealing or predicting a valid session token (cookie) to impersonate a logged-in user. Mitigated with HTTPS, HttpOnly/Secure cookies, and rotation.
- Rainbow table
- A precomputed table of hash-to-plaintext mappings used to reverse unsalted password hashes quickly. Defeated by per-password salting.
- Wordlist (e.g., rockyou.txt)
- A list of likely passwords/inputs fed to cracking and fuzzing tools; rockyou.txt is a famous leaked-password wordlist.
- Burp Intruder
- Burp Suite's automated request-fuzzing tool used for brute-forcing parameters, enumerating values, and testing injection at scale.
- SMB relay attack
- Capturing NTLM authentication and relaying it to another host to authenticate as the victim — mitigated by SMB signing.
- Empire / Covenant (C2)
- Command-and-control frameworks that manage compromised hosts (agents) for post-exploitation tasking, often over HTTP/S.
- Beacon (C2)
- An implant on a compromised host that periodically calls back to the C2 server for instructions, blending in with normal traffic.
- UAC bypass (Windows)
- Techniques to elevate from a medium-integrity process to high integrity without a UAC prompt, abusing auto-elevating binaries or registry keys.
- Hash dumping (SAM/NTDS.dit)
- Extracting local password hashes from the Windows SAM, or domain hashes from NTDS.dit on a domain controller, for offline cracking or PtH.
- Manual testing vs. automated scanning
- Automated scans are fast and broad but miss logic flaws and chained attacks; manual testing finds business-logic and complex vulnerabilities scanners can't.
- Business logic vulnerability
- A flaw in how an application's intended workflow can be abused (e.g., skipping a payment step) — invisible to signature-based scanners; found by manual testing.
- Initial access vector
- How an attacker first gets in — phishing, exposed service, weak credentials, or exploiting an Internet-facing vulnerability.
- Gobuster / dirb / ffuf
- Content-discovery tools that brute-force directories, files, and virtual hosts on a web server to find hidden endpoints (ffuf is a fast fuzzer).
- Insurance / liability in scoping
- Confirming professional liability coverage and clear authorization protects both tester and client if testing causes unintended impact.
- Handling discovered sensitive data
- When testing turns up real sensitive data (PII, evidence of a breach, illegal content), follow the RoE escalation/stop-point procedure immediately.
- Bind vs. staged vs. stageless payload
- A staged payload sends a small stager that pulls the rest; a stageless payload is fully self-contained — chosen based on size limits and detection.
- Enumeration scripts (linPEAS/winPEAS)
- Post-exploitation scripts that automatically enumerate a host for privilege-escalation opportunities (misconfigs, SUID, services, credentials).
- Passive DNS
- Historical DNS resolution data from third parties that reveals prior IPs and hostnames for a domain without querying the target directly.
- Compliance scan
- A scan that checks systems against a configuration benchmark (e.g., CIS Benchmarks, DISA STIG) rather than just known CVEs.
- Pre-engagement vs. discovery
- Pre-engagement sets scope, RoE, and authorization; discovery (recon/scanning) is the technical information-gathering that follows. Never start discovery before authorization is signed.
- Target audience of a report
- Reports serve two audiences: leadership (executive summary, business risk) and technical staff (detailed findings, evidence, and step-by-step remediation).
- Evidence handling / artifacts
- Screenshots, logs, and command output captured during testing that prove each finding; stored securely and included in the report for reproducibility.
- Secure report delivery
- Reports contain sensitive vulnerability data, so they must be delivered over an encrypted channel and stored/destroyed per the contract — never sent in clear text.
- PCI DSS penetration testing
- PCI DSS requires regular internal and external penetration tests and segmentation testing of the cardholder data environment; the standard dictates scope and frequency.
- Engagement constraints
- Limits placed on a test — time windows, excluded systems, no-DoS rules, data-handling requirements — captured in the RoE to keep testing safe and authorized.
- Red team vs. penetration test
- A pen test broadly finds and reports vulnerabilities; a red team emulates a specific adversary to test detection and response (the blue team), often stealthy and goal-driven.
- Purple team
- Red and blue teams working collaboratively — attackers share techniques in real time so defenders can tune detection and response.
- Why document during the test
- Contemporaneous notes (commands, timestamps, findings) ensure the report is accurate, reproducible, and defensible, and support chain-of-custody if needed.
- Confidentiality of findings
- Vulnerabilities and client data discovered during testing are highly sensitive; the NDA and contract govern who may see them and for how long they are retained.
- OSINT framework categories
- OSINT spans people (names, emails, social media), infrastructure (domains, IPs, certs), and documents (metadata) — combined to build a full target profile.
- Spiderfoot
- An automated OSINT reconnaissance tool that queries many data sources to map a target's footprint — domains, IPs, emails, and leaked data.
- Censys
- An Internet-scanning search engine (like Shodan) for discovering hosts, certificates, and services exposed on the public Internet.
- Nmap timing templates (-T0 to -T5)
- Control scan speed/stealth: -T0/-T1 are slow and evasive (IDS-friendly), -T4 is fast for reliable networks, -T5 is fastest but noisiest and may miss results.
- UDP scanning (-sU)
- Scans UDP ports (DNS, SNMP, TFTP); slower and less reliable than TCP because closed UDP ports may not respond, but it finds services TCP scans miss.
- OS detection (-O)
- Nmap analyzes TCP/IP stack behavior to guess the target operating system and version, helping match OS-specific exploits.
- Idle / zombie scan
- A stealthy Nmap scan that bounces probes off a third 'zombie' host so the target never sees the attacker's real IP.
- LDAP enumeration
- Querying an LDAP/Active Directory service to enumerate users, groups, and organizational structure — valuable for targeting accounts.
- RPC / portmapper enumeration
- Querying RPC services (e.g., rpcinfo) to list exposed remote-procedure services that may be exploitable.
- SMTP user enumeration (VRFY/EXPN)
- Abusing SMTP VRFY/EXPN/RCPT commands to confirm valid email accounts on a mail server, building a target list.
- Crawling robots.txt / sitemap
- Reading a site's robots.txt and sitemap.xml reveals paths the owner tried to hide from crawlers — often interesting admin or staging endpoints.
- Email naming convention discovery
- Inferring the format of corporate emails (first.last@, flast@) from a few known addresses to generate likely usernames for spraying or phishing.
- Wayback Machine / archived pages
- Reviewing archived versions of a site to find removed pages, old endpoints, and exposed data that still hint at the current architecture.
- Scanner plugin / signature feed
- Vulnerability scanners rely on regularly updated plugin/signature databases; an out-of-date feed misses recent CVEs (false negatives).
- Active vs. passive vulnerability scanning
- Active scanning sends probes to test for flaws; passive scanning observes existing traffic to infer vulnerabilities without touching the target.
- Web app scan limitations
- Automated scanners struggle with authentication flows, multi-step logic, and CAPTCHAs — manual testing is required for full web coverage.
- CVSS temporal & environmental metrics
- Beyond base score, temporal metrics adjust for exploit maturity/remediation, and environmental metrics tailor severity to the specific organization's context.
- Proof of concept (PoC)
- Minimal code or steps demonstrating a vulnerability is real and exploitable, used to validate findings and convince stakeholders to remediate.
- WPScan
- A vulnerability scanner specialized for WordPress — enumerates plugins, themes, users, and known vulnerabilities in them.
- Mobile app testing tools
- Tools like MobSF (static/dynamic analysis), Frida, and objection assess Android/iOS apps for insecure storage, weak crypto, and API flaws.
- Container / image scanning
- Tools (Trivy, Clair, Grype) scan container images for vulnerable packages and misconfigurations before and after deployment.
- IaC / cloud config scanning
- Tools (Prowler, ScoutSuite, Checkov) audit cloud accounts and Infrastructure-as-Code for insecure configurations like open security groups.
- Validating before reporting
- Testers manually confirm scanner findings to remove false positives and rate true exploitability — reporting unverified findings erodes client trust.
- Risk = likelihood x impact
- Prioritization combines how likely a vulnerability is to be exploited with the business impact if it is — not CVSS severity alone.
- Server-side template injection (SSTI)
- Injecting template syntax into a server-side template engine so it evaluates attacker input, often leading to remote code execution.
- HTTP request smuggling
- Exploiting differences in how front-end and back-end servers parse request boundaries to sneak in or hijack requests.
- CRLF injection
- Injecting carriage-return/line-feed characters into headers to split responses, poison logs, or set rogue headers/cookies.
- Open redirect
- Abusing a redirect parameter that isn't validated to send victims to an attacker site — useful in phishing and OAuth token theft.
- Broken authentication
- Weaknesses in login/session handling — weak passwords, no MFA, predictable tokens, no lockout — that let attackers take over accounts.
- Security misconfiguration
- Insecure defaults, verbose errors, open cloud storage, unnecessary services — one of the most common and exploitable web findings.
- Privilege escalation via misconfig
- Exploiting weak file permissions, writable services, unquoted service paths, or sudo misconfigurations to gain higher privileges on a host.
- Spear phishing vs. whaling
- Spear phishing targets a specific individual with a tailored lure; whaling targets high-value executives (the 'big fish').
- USB drop attack
- Leaving malicious USB drives where targets will find and plug them in, executing a payload — a physical social-engineering vector.
- Watering hole attack
- Compromising a website a target group frequently visits so the targets are infected when they browse to the trusted site.
- Card cloning / RFID attacks
- Copying badge/RFID credentials (e.g., with a Proxmark) to clone access cards for physical entry during a physical pen test.
- Bluetooth attacks
- Bluejacking (unsolicited messages), bluesnarfing (data theft), and bluebugging (control) target Bluetooth-enabled devices.
- WPS PIN attack
- Brute-forcing the 8-digit Wi-Fi Protected Setup PIN (e.g., with Reaver) to recover the WPA passphrase on routers with WPS enabled.
- Karma / known-beacon attack
- A rogue AP that answers clients' probe requests for any remembered SSID, tricking devices into auto-connecting to the attacker.
- Cloud IAM privilege escalation
- Abusing over-permissive cloud IAM policies (e.g., iam:PassRole, policy attachment) to grant yourself higher privileges in the cloud account.
- Container escape
- Breaking out of a container to the host — via a privileged container, exposed Docker socket, or kernel exploit — to compromise the underlying node.
- Kubernetes attacks
- Abusing exposed kubelet/API server, over-permissive RBAC, or service-account tokens to take over pods and the cluster.
- Antivirus / EDR evasion
- Modifying payloads (obfuscation, encoding, packing, in-memory execution) so endpoint defenses don't detect them — tested to assess detection gaps.
- Obfuscation / encoding payloads
- Encoding (Base64), encrypting, or obfuscating a payload to bypass signature-based detection and content filters.
- Macro / malicious document attack
- Embedding a malicious macro or object in an Office/PDF document that runs a payload when the victim opens and enables it.
- DLL hijacking / search-order abuse
- Placing a malicious DLL where a program will load it before the legitimate one, executing attacker code with that program's privileges.
- Reflected vs. stored XSS
- Reflected XSS bounces injected script back in the response (needs a crafted link); stored XSS persists in the app and runs for every viewer.
- DOM-based XSS
- XSS where untrusted data is written into the page by client-side JavaScript (the DOM) without a server round trip.
- Blind SQL injection
- SQLi where the app gives no direct error/data, so the attacker infers results from boolean responses or time delays (time-based blind SQLi).
- Second-order injection
- Malicious input is stored and only triggers the attack later when it is used by a different part of the application.
- Default credentials in IoT/ICS
- Embedded and industrial devices often ship with documented default logins that are never changed — a high-impact, easy initial-access finding.
- BadUSB / HID attack (Rubber Ducky)
- A USB device that emulates a keyboard to type and run commands the instant it's plugged in, bypassing autorun protections.
- Replay attack
- Capturing valid data (e.g., an authentication token) and re-sending it to gain access; mitigated with nonces, timestamps, and TLS.
- DNS rebinding
- Tricking a browser into treating an attacker domain as a local one by rapidly changing DNS, letting it reach internal services.
- Race condition exploitation (web)
- Sending many simultaneous requests to exploit a timing gap — e.g., redeeming a single-use coupon multiple times before the balance updates.
- Lateral movement techniques (overview)
- Pass-the-hash, pass-the-ticket, PsExec, WMI, RDP, and SSH reuse are common ways to move from one compromised host to others.
- Golden ticket
- A forged Kerberos TGT signed with the domain's KRBTGT hash, granting an attacker domain-wide access that persists until KRBTGT is reset twice.
- Silver ticket
- A forged Kerberos service ticket (TGS) for a specific service, signed with that service account's hash — stealthier and more scoped than a golden ticket.
- AS-REP roasting
- Requesting AS-REP responses for accounts that don't require Kerberos pre-authentication, then cracking the response offline for the password.
- Scheduled persistence via registry (Run keys)
- Adding the payload path to a Windows Run/RunOnce registry key so it launches at user logon — a classic persistence mechanism.
- Service creation (persistence)
- Installing a new Windows service that runs the payload at boot with SYSTEM privileges — durable persistence.
- SSH key persistence (Linux)
- Adding the attacker's public key to a user's authorized_keys so they can log back in over SSH without a password.
- Backdoor account
- Creating a new (often hidden or innocuously named) account so the attacker retains access even if the original foothold is closed.
- Port forwarding (chisel)
- Chisel is a fast TCP/UDP tunnel over HTTP/S used to forward ports and create pivots through firewalls during post-exploitation.
- Dynamic vs. local vs. remote forwarding
- SSH -D = dynamic (SOCKS proxy); -L = local forward (reach a remote service locally); -R = remote forward (expose a local service to the pivot).
- Network pivoting with Metasploit (autoroute)
- After a Meterpreter session, autoroute adds the victim's subnets to Metasploit's routing so other modules can reach internal hosts through it.
- Data collection / staging
- Gathering target files into a single location (staging) before exfiltration; testers limit this to proof and avoid moving real sensitive data.
- Covering tracks (test ethics)
- Real attackers clear logs; authorized testers instead document actions and timestamps so the blue team can correlate — destroying evidence is out of scope.
- Maintaining situational awareness
- After landing on a host, enumerate users, privileges, network, running processes, and defenses before acting — to avoid detection and pick the right path.
- Trust relationships / domain trusts
- Abusing trust between AD domains/forests to move from a compromised domain into a trusting one and expand access.
- Local privilege escalation enumeration
- Checking for unpatched kernels, weak service permissions, stored credentials, and misconfigured sudo/SUID to climb from user to admin/root.
- RDP for lateral movement
- Using harvested credentials to log in over Remote Desktop to other Windows hosts — effective but noisy and often logged.
- Token / session theft
- Stealing active session tokens or cookies from a compromised host to impersonate a user without their password.
- Cloud pivot via stolen keys
- Using credentials/keys harvested from a host (env vars, config files, metadata) to pivot into the organization's cloud environment.
- Cleanup checklist
- Remove payloads, accounts, persistence, scheduled tasks, and tools; restore changed settings; confirm with the client that the environment is clean.
- Searchsploit
- A command-line search tool for the local copy of Exploit-DB, used to quickly find public exploits matching a discovered service/version.
- Impacket
- A Python library and toolset (psexec.py, wmiexec.py, secretsdump.py) for crafting and using network protocols — heavily used for Windows lateral movement.
- CrackMapExec / NetExec
- A swiss-army tool for pentesting Windows/AD networks at scale — spray credentials, enumerate shares, and execute commands across many hosts.
- OSINT for physical / social engineering
- Researching employees, badges, office locations, and vendors to plan pretexting, tailgating, and on-site social-engineering attacks.
- Scoping cloud assets
- Confirm which cloud resources the client actually owns and that the provider permits testing; some providers require notification or forbid certain tests.
- Findings severity vs. priority
- Severity is the technical danger (CVSS); priority is what the client should fix first given exploitability and business context — they can differ.
- Wireless: WPA3 vs WPA2
- WPA3 adds SAE (Simultaneous Authentication of Equals), resisting the offline handshake-cracking that works against WPA2-PSK.
- Footprinting
- The overall process of building a profile of a target's Internet presence and infrastructure through passive and active information gathering.
- Heartbleed (CVE-2014-0160)
- A classic OpenSSL flaw that let attackers read server memory (keys, sessions); often used as an example of a high-impact, scanner-detectable CVE.
- Log4Shell (CVE-2021-44228)
- A critical remote code execution flaw in the Log4j library via JNDI lookups in logged input — a widely exploited, easy-to-trigger vulnerability.
- secretsdump.py
- An Impacket tool that remotely dumps password hashes from the SAM and from the domain's NTDS.dit (via DRSUAPI) for offline cracking or PtH.
- Relay vs. crack (captured hashes)
- A captured NTLM hash can be relayed to another host (SMB relay) or cracked offline; relaying needs no cracking but requires SMB signing to be off.
- Web Security Testing Guide (WSTG)
- OWASP's comprehensive methodology for testing web app security, organized by category (auth, session, input validation, etc.).
- Deconfliction
- Coordinating with the client (and any other testers/SOC) so that detected activity can be confirmed as the authorized test, not a real attacker.
- Phishing pretext quality
- Effective phishing uses authority, urgency, and familiarity; a believable pretext and a convincing cloned login page drive higher click/credential rates.
- Active scanning detection risk
- Aggressive scans (full port ranges, -T5, vuln scripts) generate IDS/IPS alerts; testers tune timing and scope to balance coverage against stealth and stability.