Cybersecurity Threat Actors

The document outlines various cybersecurity threat actors, attack types, and penetration testing methodologies, including organized crime, hacktivists, and state-sponsored attacks. It details penetration testing environments, tools, and legal requirements, as well as compliance regulations like HIPAA and GDPR. Additionally, it covers social engineering tactics, cloud security, mobile security vulnerabilities, and best practices for vulnerability management and reporting.

Cybersecurity Threat Actors & Attack Types

1. Organized Crime: Well-funded criminal groups using advanced techniques for financial
gain (ransomware, fraud, data theft).
2. Hacktivist: Attackers motivated by political or social causes rather than profit.
3. State-Sponsored Attack: Government-backed attacks against other nations, their critical
infrastructure, or their industry.
4. Insider Threat: Attacks or leaks by employees, contractors, or partners, either malicious
or unintentional.

Penetration Testing Types

1. Application-Based Penetration Test: Identifies vulnerabilities in enterprise
applications.
2. Network Infrastructure Penetration Test: Evaluates AAA servers, IPSs, routers,
and firewalls.
3. Web Application Penetration Test: Assesses back-end database access and
application vulnerabilities.

Bug Bounty Programs: Incentivize security professionals to find vulnerabilities.

Penetration Testing Environments

• Partially Known Environment Test: Limited information provided (e.g., credentials
but not full infrastructure details).
• Known Environment Test: Full infrastructure details provided, including network
diagrams and credentials.
• Unknown Environment Test: Minimal information given, such as domain names and
IP addresses.

Penetration Testing Methodologies

• MITRE ATT&CK: Knowledge base of adversary tactics and techniques, used to plan tests
and map findings.
• OSSTMM: Open Source Security Testing Methodology Manual; repeatable, measurable
security testing.
• OWASP WSTG: Web Security Testing Guide for web application testing.
• PTES: Penetration Testing Execution Standard; defines the engagement phases from
pre-engagement through reporting.
• NIST SP 800-115: Technical guide to information security testing and assessment.
• OSSTMM Phases: Trust analysis and the security testing workflow defined by OSSTMM.
• Testing platforms (distributions, not methodologies): BlackArch (Arch-based toolkit)
and ParrotSec (security-focused Linux distribution).

Health Monitoring in Pen Test Lab: Identifies causes of system crashes.

Penetration Testing Tools

• Network Infrastructure Test Tools: Traffic sniffing, firewall bypassing, traffic
manipulation.
• Application Pen Test Tools: Interception proxies for vulnerability scanning.
• Wireless Pen Test Tools: De-authentication and wireless encryption cracking.
• Server/Client Pen Test Tools: Vulnerability scanners for misconfigurations.
System Backup for Pen Test: Take a full backup of lab systems before testing if
virtualization snapshots are unavailable, so a crashed target can be restored.

Cybersecurity Compliance & Regulations

1. HIPAA: U.S. law protecting health information (PHI); covered entities must perform
security risk assessments.
2. FedRAMP: Security authorization program for cloud services used by U.S. government
agencies.
3. GDPR: EU regulation protecting the personal data of EU residents; applies to any
organization processing that data, wherever the organization is based.
4. GLBA: U.S. law requiring financial institutions to safeguard customers' financial
information.

Healthcare Security Terms

• Healthcare Clearinghouse: Converts nonstandard health data to standard format.
• Health Plan: Pays for medical services (Medicare, Medicaid, insurance).

PCI DSS Compliance

• Primary Account Number (PAN): PCI DSS applies wherever PAN is stored, processed, or
transmitted; stored PAN must be rendered unreadable (truncated, hashed, or encrypted).
• Sensitive Authentication Data: CAV2/CVC2/CVV2/CID, PINs, and full magnetic
stripe/chip data; must not be stored after authorization, even if encrypted.

Penetration Testing & Legal Requirements

• Permission Documentation: Written authorization is required before any testing begins.
• Service-Level Agreement (SLA): Defines the service levels the provider commits to,
such as response times and availability.
• Statement of Work (SOW): Specifies project scope, deliverables, timeline, and cost.
• NDA (Non-Disclosure Agreement): Protects sensitive company data learned during the
engagement.
• Contract: Formal agreement outlining services and payment.
• Disclaimer Section: States the limitations of the test (point-in-time, scope-bound).

Rules of Engagement in Pen Testing

• Testing timeline, location, and communication preferences.

API Security & Documentation

• WSDL: XML-based web services documentation.
• GraphQL: API query language.

Security Documentation for Consultants

• System & Network Architectural Diagram: Defines test scope.
• Scope Creep Causes: Poor requirement identification and change management.

Penetration Testing Engagement Process

1. Validating Scope: Reviewing contracts and confirming expectations with the client.
2. Secure Email Protocols (for exchanging scope details, credentials, and reports):
o PGP (Pretty Good Privacy)
o S/MIME (Secure/Multipurpose Internet Mail Extensions)
Identification of Technical & Administrative Contacts

• Whois Tool: Identifies domain contacts.
• Automation Tools: Recon-ng, theHarvester, Maltego (for OSINT and
reconnaissance).

DNS Lookups & Network Reconnaissance

DNS Reconnaissance Tools

• nslookup: Retrieves domain and IP information.
• whois: Retrieves domain registration details.
• dig: Performs DNS queries.

Reverse DNS Lookup

• dig -x [IP Address]: Identifies domain associated with an IP.

Cloud vs. Self-Hosted Applications

• Companies own domains but may host services on AWS, Google Cloud, or Azure.
• whois [IP Address] | grep OrgName: Identifies the organization (often the cloud
provider) that holds the address block hosting a domain.

Social Media Scraping & OSINT

• Spear Phishing: Targeted phishing attacks.
• Whaling: High-profile targets (executives, managers).
• Job Listings Analysis: Reveals tech stack (e.g., "Cisco firewall admin" indicates
Cisco use).
• Fake Job Listings: Used to extract company information from applicants.

Network & User Enumeration

1. Host Enumeration:
o Tool: Nmap, Masscan.
o Command: nmap -sn 192.168.88.0/24 (ping sweep: host discovery only, no port scan).
2. User Enumeration:
o Tool: Nmap (smb-enum-users.nse script).
o Command: nmap --script smb-enum-users.nse -p 445 <host> (modern Windows
hosts usually require valid SMB credentials for this to return results).
3. Group Enumeration:
o Tool: Nmap (smb-enum-groups.nse script).
o Command: nmap --script smb-enum-groups.nse -p 445 <host>.
4. Network Share Enumeration:
o Tool: Nmap (smb-enum-shares.nse script).
o Command: nmap --script smb-enum-shares.nse -p 445 <host>.
5. General Enumeration (OS & Applications):
o Tool: Nmap (-sC option).
o Command: nmap -sC <host> (runs the default script set against open ports;
combine with -sV for service versions).

Tool Usage

Command                                           Purpose
nslookup                                          Query DNS records interactively.
whois                                             Get domain/IP registration details.
dig                                               Perform detailed DNS queries.
nmap -sn <target>                                 Host enumeration (ping sweep).
nmap --script smb-enum-users.nse <host>           User enumeration.
nmap --script smb-enum-groups.nse -p 445 <host>   Group enumeration.
nmap --script smb-enum-shares.nse -p 445 <host>   Network share enumeration.
nmap -sC <host>                                   General enumeration with default scripts.

This document organizes the cybersecurity concepts and penetration testing techniques in a
structured and readable format for reference.

Types of Vulnerability Scans

1. Discovery Scan
o Identifies the attack surface.
o Performs host discovery and port scanning.
2. Authenticated Scan
o Requires credentials for deeper system analysis.
3. Unauthenticated Scan
o Detects only externally exposed network services.
4. Compliance Scan
o Checks configuration against regulations and standards (e.g., PCI DSS, CIS benchmarks).
5. Stealth Scan
o Tuned (e.g., SYN scanning, slow timing) to reduce the chance of triggering security
defenses; it does not guarantee evasion.
6. Full Scan
o Uses all scanning options for a comprehensive assessment.

Passive Reconnaissance Tools

• Recon-ng, Dig – Used for passive DNS reconnaissance.
• Whois – Identifies domain technical and administrative contacts.

Image & Metadata Analysis


• Exchangeable Image File Format (Exif) – Standard for storing metadata in image
and sound files.

Active vs Passive Reconnaissance

• Passive Reconnaissance – Collects information without detection.
• Active Reconnaissance – Engages with the target, increasing detection risk.

Network Scanning

• Nmap -sU – UDP scan for enumerating DNS, SNMP, or DHCP servers; slow, and
"open|filtered" results are common because closed UDP ports may not reply.
• Nmap -sF – TCP FIN scan; can slip past stateless packet filters that only block SYN
packets, but does not work against Windows targets, which answer every FIN with RST.
• TCP Connect Scan (-sT) – Completes the full three-way handshake, so it is more likely
to be logged than a SYN (-sS) half-open scan.

Types of Scans

• Unauthenticated Scan – Sees only what is exposed on the network; cannot assess
missing patches, local configuration, or software that is not network-reachable.
• Authenticated Scan – Logs in with supplied credentials (ideally privileged, e.g. root
or local administrator) for deeper and more accurate results.

Vulnerability Verification

• Exploitability – A finding is verified when it can actually be exploited, not merely
reported by a scanner.
• CVE (Common Vulnerabilities and Exposures) – Public catalog of disclosed
vulnerabilities, each with a unique identifier.
• CVSS (Common Vulnerability Scoring System) – Standard measure of vulnerability
severity.

OSINT & Enumeration

• OSINT (Open-Source Intelligence) – Uses public sources for intelligence gathering.
• User Enumeration – Identifies valid users within a system.
• Network Share Enumeration – Detects shared files, folders, and printers.

Penetration Testing Considerations

• Planning a Vulnerability Scan – Consider timing (maintenance windows), bandwidth,
and network topology.
• Minimizing Impact – Place the scanner as close to the targets as possible so scan
traffic does not cross firewalls, WAN links, or IPS devices that may throttle or
block it.

Wi-Fi Reconnaissance

• Advantage – Wireless scans may not require physical access to the building.

NIST Cybersecurity Framework

• Purpose – Provides standards and best practices to enhance cybersecurity.

Social Engineering and Cybersecurity Attack Concepts

1. Spoofing a Bank Login Page
o Attack Type: Phishing.
o Explanation: A cloned login page harvests the credentials victims type into it.
2. Watering Hole Attack
o Definition: Compromises websites the target group is known to visit and injects
malicious code there.
3. Elicitation
o Definition: Drawing information out of a victim in conversation without asking
for it directly.
4. Pharming Attack
o Definition: Redirects a victim from a legitimate website to a malicious one by
poisoning DNS (or the local hosts file).
5. Social-Engineer Toolkit (SET)
o Purpose: Launches social engineering attacks such as spear phishing and
credential-harvesting site clones.
o Integration: Works with Metasploit for payload delivery.
6. Voice Spoofing (Caller ID Impersonation)
o Tool: Asterisk (open-source PBX).
o Explanation: Uses VoIP to present a spoofed caller ID.
7. Scarcity in Influence
o Method: Creates urgency, e.g., "Limited stock available."
8. Social Proof in Influence
o Method: Uses peer behavior, e.g., celebrity endorsements.
9. Likeability (Liking) in Influence
o Method: Influences people using relatable or well-liked individuals or brands.
10. Urgency in Influence (Phishing Example)
o Method: Forces quick action, e.g., "Suspicious activity detected! Act now!"
11. Physical Social Engineering Attacks
o Piggybacking – Following an authorized person through a controlled door with
their consent (e.g., they hold the door).
o Tailgating – Following an authorized person through without their knowledge or
consent.
12. Browser Exploitation Framework (BeEF)
o Purpose: Hooks victims' browsers with injected JavaScript (typically delivered
through an XSS flaw) and drives them from a control panel.
13. Vishing Attack
o Purpose: Voice-based phishing over a phone call.
14. SMS Phishing (Smishing)
o Explanation: Fraudulent text messages to steal sensitive data.
15. Badge Cloning
o Method: Photographs of badges posted on social media are used to forge
visually convincing access badges.
16. USB Drop Attack
o Recommendation: Hand found USB devices to security; plugging them in may
install malware (or the device may emulate a keyboard).
17. Access Control Vestibules (Mantraps)
o Purpose: Two interlocking doors that admit one person at a time, preventing
piggybacking and tailgating.

Web Security Attacks & Mitigation

• Directory Traversal Attack: Manipulates file path references with ../ sequences to
read files outside the intended directory (e.g.,
../../../../../etc/httpd/httpd.conf).
• Remote File Inclusion (RFI): Tricks the application into loading and executing a
file from an attacker-controlled URL.
• Mitigating Hard-Coded Credentials: Keep secrets out of source code; load them from
a secrets manager or the environment at runtime, and rotate them.
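The traversal bullet above describes the attack but not the fix. The block below is an added example (not code from the original notes): it puts the naive file read beside a hardened one that canonicalises the path and refuses anything outside the web root. The temporary directory, file names and contents are constructed sample data.

```python
"""Directory traversal: the naive file read beside a hardened one.
Added example for these notes, not code from the original page."""
import os
import tempfile

# Constructed sample layout: a web root with one public file and a config
# file one level above it that must never be served.
ROOT = tempfile.mkdtemp()
WEB_ROOT = os.path.join(ROOT, "htdocs")
os.makedirs(WEB_ROOT)
with open(os.path.join(WEB_ROOT, "index.html"), "w") as fh:
    fh.write("<h1>public</h1>")
with open(os.path.join(ROOT, "httpd.conf"), "w") as fh:
    fh.write("ServerAdmin root@example.com")   # constructed stand-in for a real config


def read_vulnerable(user_path: str) -> str:
    """Joins user input straight onto the web root. '../' segments walk out
    of WEB_ROOT, and an absolute path makes os.path.join discard the root."""
    with open(os.path.join(WEB_ROOT, user_path)) as fh:
        return fh.read()


def resolve_safe(user_path: str) -> str:
    """Canonicalise the requested path (resolving '..' and symlinks) and
    refuse anything whose final location is outside the web root."""
    base = os.path.realpath(WEB_ROOT)
    target = os.path.realpath(os.path.join(base, user_path))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:        # different drives on Windows: never inside
        inside = False
    if not inside:
        raise PermissionError(f"traversal attempt blocked: {user_path!r}")
    return target


def read_hardened(user_path: str) -> str:
    with open(resolve_safe(user_path)) as fh:
        return fh.read()


def is_blocked(user_path: str) -> bool:
    """True when the hardened resolver rejects the input."""
    try:
        resolve_safe(user_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(read_vulnerable("../httpd.conf"))          # leaks the config
    print(read_hardened("index.html"))               # served normally
    print(is_blocked("../../../../../etc/httpd/httpd.conf"))  # True
```

The check is done on the resolved path rather than by stripping "../" from the input: encoded, doubled or symlinked variants all collapse to a real location, and that location either lies under the root or it does not.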

Cloud Security
• Essential Characteristics of Cloud Computing (NIST SP 800-145):
o On-demand self-service
o Broad network access
o Resource pooling
o Rapid elasticity
o Measured service
• Cloud Technology Attack Methods:
o Credential Harvesting
o Privilege Escalation (horizontal and vertical)
o Account Takeover
o Metadata Service Attacks (e.g., SSRF to 169.254.169.254 to read instance
credentials)
o Resource Exhaustion and DoS Attacks
o Cloud Malware Injection Attack
• Tools for Vulnerability Detection:
o Nimbostratus
o Clair
o Falco
o Dagda
• Common Causes of Data Breaches: Misconfigured cloud storage and insecure
permissions (e.g., AWS S3 buckets).
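Metadata service attacks almost always arrive as server-side request forgery: the application fetches a URL a user supplied, and the user points it at the instance metadata endpoint. The block below is an added example (not code from the original notes) of the guard a practitioner would put in front of such a fetch. The metadata addresses are the endpoints the providers document; the sample URLs and the allow-list host are constructed.

```python
"""Blocking server-side requests to cloud metadata services (SSRF guard).
Added example, not from the original notes."""
import ipaddress
from urllib.parse import urlsplit

# Endpoints published by the providers: IMDS on AWS and Azure
# (169.254.169.254), the AWS IPv6 IMDS address, and the GCE metadata names.
METADATA_HOSTS = {
    "169.254.169.254",
    "fd00:ec2::254",
    "metadata.google.internal",
    "metadata",
}


def is_internal_target(host: str) -> bool:
    """True for a metadata hostname or any literal address in a loopback,
    link-local, private, multicast, unspecified or reserved range.
    A real hostname (not a literal) returns False here; the caller must
    resolve it and re-check the resulting address (DNS-rebinding caveat)."""
    name = host.lower().rstrip(".")
    if name in METADATA_HOSTS:
        return True
    try:
        # A bare decimal such as 2852039166 is 169.254.169.254 in disguise.
        addr = ipaddress.ip_address(int(name) if name.isdigit() else name)
    except ValueError:
        return False
    return (addr.is_loopback or addr.is_link_local or addr.is_private
            or addr.is_multicast or addr.is_unspecified or addr.is_reserved)


def validate_fetch_url(url: str, allowed_hosts=None) -> bool:
    """Decide whether a user-supplied URL may be fetched from the server.

    The deny-list alone still misses other encodings of the same address
    (hex '0xa9fea9fe', octal, dotless forms), so in production pass
    allowed_hosts and treat the deny-list as defence in depth."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                      # file://, gopher://, etc.
    host = parts.hostname or ""
    if not host or is_internal_target(host):
        return False
    if allowed_hosts is not None:
        return host.lower() in {h.lower() for h in allowed_hosts}
    return True


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://0xa9fea9fe/",
              "https://api.partner.example/webhook"):
        print(u, validate_fetch_url(u), validate_fetch_url(u, {"api.partner.example"}))
```

On AWS the second layer is IMDSv2, which requires a session token obtained with a PUT request before metadata can be read; a plain GET forged through an SSRF bug does not get one. Enforce it on instances and keep the allow-list on the application side.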

Mobile Security

• Vulnerabilities:
o Insecure Storage
o Certificate Pinning Bypass
• Tools:
o Needle (iOS security testing)
o Drozer (Android security testing)

IoT Security

• Common Vulnerabilities:
o Plaintext communication & data leakage
o Hard-coded configurations
o Outdated firmware/hardware
• IoT Security Tools:
o GATTacker
o Grype

VM Security

• Types of Hypervisors:
o Type 1 (Bare-metal) e.g., VMware ESXi
o Type 2 (Hosted) e.g., VirtualBox
• VM Vulnerabilities:
o VM Escape
o VM Repository Vulnerability
o Hyperjacking
• Tools:
o Anchore's Grype
o Clair

Covering Tracks After Penetration Testing

• Cleaning up log entries generated by the test (only where the Rules of Engagement
allow it; the client's logs are their records and are never wiped wholesale)
• Deleting created user accounts
• Securely removing files
• Restoring system configurations
• Eliminating backdoors, daemons, and rootkits
• Erasing customer data from testing systems
• Best Practices:
1. Discuss & document cleanup in the Rules of Engagement.
2. Use secure deletion methods (NIST SP 800-88).
3. Restore modified systems to original settings.
4. Ensure all traces of testing activity are removed, and hand the client a list of
every change made so anything missed can be found.

Steganography for Obfuscation & Evasion

• Using Steghide for Steganography (Linux):
o Install: sudo apt install steghide
o Embed data: steghide embed -ef secret.txt -cf image.jpg (prompts for a
passphrase; carriers can be JPEG, BMP, WAV or AU)
o Extract data: steghide extract -sf image.jpg -xf extracted.txt

Security Controls

• Technical Controls: System hardening, input sanitization, MFA, encryption, patch
management.
• Administrative Controls: RBAC, SSDLC, password policies, cybersecurity policies.
• Operational Controls: Job rotation, time-of-day restrictions, security training.
• Physical Controls: Mantraps, biometric access, video surveillance.

Bash Scripting & Automation

• Bash enables automation in penetration testing.
• Useful for scripting, data parsing, and task automation.

Vulnerability Catalogs & Scoring Systems

• CVSS (Common Vulnerability Scoring System): Severity score (0-10).
• CVE (Common Vulnerabilities and Exposures): Publicly known vulnerabilities.
• OWASP WSTG: Web application security testing guide.
• NIST SP 800-115: Information security testing guidelines.

CVSS Metric Groups


• Base Metrics: Attack vector, attack complexity, privileges required, user
interaction, scope, and confidentiality/integrity/availability impact; fixed
properties of the vulnerability itself.
• Temporal Metrics: Exploit code maturity, remediation level, report confidence;
change over time.
• Environmental Metrics: Confidentiality, integrity, and availability requirements
plus modified base metrics, set by the organization for its own deployment.

Penetration Testing Reporting Tools

• Dradis: Consolidates pentest results and generates reports (CSV, HTML, PDF).

Security Alerts & Detection

• False Positive: Security device triggers an alarm, but no real attack.
• False Negative: Malicious activity is not detected.
• True Positive: Security attack correctly identified.
• True Negative: Normal activity correctly identified as non-malicious.

Preventing Vulnerabilities

• User Input Sanitization: Prevents XSS, SQL injection, command injection.
• RBAC: Controls user permissions at broad and granular levels.
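"Input sanitization" covers several distinct techniques; the two that matter most for SQL injection and XSS are parameterized queries and context-appropriate output encoding. The block below is an added example (not code from the original notes) showing the vulnerable form of each beside the corrected one. The in-memory SQLite table and its rows are constructed sample data.

```python
"""SQL injection and XSS: string-built query and HTML beside the safe forms.
Added example, not from the original notes; the table and rows are
constructed sample data."""
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Query text built from user input: the quotes in a payload such as
    ' OR '1'='1 become part of the SQL and the password check disappears."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Placeholders keep the input as data; the same payload matches nothing."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def greet_vulnerable(name: str) -> str:
    """Reflects input into HTML unescaped: a reflected or stored XSS sink."""
    return f"<p>Welcome, {name}</p>"


def greet_escaped(name: str) -> str:
    """Output encoding for an HTML text node; attribute and JavaScript
    contexts need their own encoders, not this one."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print(login_vulnerable(db, "x", payload))       # ['alice', 'bob']
    print(login_parameterized(db, "x", payload))    # []
    print(greet_escaped("<script>alert(1)</script>"))
```

Command injection follows the same rule: pass arguments to subprocess as a list instead of building a shell string, so user input can never become shell syntax.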

Security Awareness & Training

• NIST SP 800-50: Defines security education and training importance.

System Hardening

• Involves: Patching, applying security best practices, strengthening configurations.

Passive Reconnaissance & Information Gathering

• DNS-Based Tools:
o nslookup example.com (DNS queries)
o dig example.com (Detailed DNS queries)
o host example.com (Simple DNS lookups)
• Domain Information Tools:
o whois example.com (Domain registration details)
• Metadata Analysis Tools:
o FOCA: Extracts metadata from files.
o ExifTool: Extracts EXIF data from images (exiftool image.jpg).
• Internet-Wide Scanning Tools:
o Shodan: Finds internet-connected devices.
o Censys: Queries exposed devices.
• OSINT Tools:
o theHarvester: Gathers emails, subdomains, and hosts from multiple sources
(theHarvester -d example.com -b all).
o Maltego: Visualizes entity relationships.
o Recon-ng: OSINT automation (recon-ng).
Common Tools for Vulnerability Scanning

Vulnerability scanning tools help identify security weaknesses in systems, networks, and
applications. Some of the most popular vulnerability scanners include:

• OpenVAS – Open-source vulnerability scanner by Greenbone Networks for detailed
host and network scanning.
• Nessus – Commercial vulnerability scanner for continuous monitoring and compliance
analysis.
• Nexpose – Vulnerability scanner by Rapid7 for penetration testers.
• Qualys – Cloud-based vulnerability management and compliance checking service.
• SQLmap – Automates SQL injection detection and exploitation.
• Nikto – Open-source web vulnerability scanner.
• OWASP ZAP – Free security tool for web vulnerability scanning, proxying, and
fuzzing.
• w3af – Open-source web application vulnerability scanner.
• DirBuster – Brute-force directory and filename discovery tool (integrated into
OWASP ZAP).
• Brakeman – Static analysis tool for Ruby on Rails applications.
• Open SCAP – Open Security Content Automation Protocol (SCAP) scanner.
• Wapiti – Web application security scanner.
• Scout Suite – Cloud security auditing tool.
• WPScan – WordPress security scanner.

Common Tools for Credential Attacks

These tools help in brute-forcing, cracking, and compromising user credentials:

• John the Ripper – Offline password cracking tool supporting multiple ciphertext
formats.
• Cain and Abel – Windows-based password recovery tool.
• Hashcat – GPU-accelerated password cracker.
• Hydra – Online password guessing tool for various protocols.
• RainbowCrack – Uses precomputed rainbow tables for password cracking.
• Medusa & Ncrack – Brute-force attack tools against multiple protocols.
• CeWL – Custom wordlist generator from website data.
• Mimikatz – Extracts credentials from memory (used for post-exploitation).
• Patator – Flexible brute-force attack tool for different credential types.

Programming Fundamentals

1. Logic Constructs:
o Loops – Execute repetitive code (e.g., for, while).
o Conditionals – Decision-making constructs (if statements).
o Boolean Operators – Logical expressions (AND, OR, NOT).
o String Operators – Manipulate text values.
o Arithmetic Operators – Perform mathematical operations.
2. Data Structures:
o JSON – Lightweight data format used in APIs.
o Arrays – Store multiple values.
o Dictionaries – Key/value data storage.
o CSV Files – Plaintext data format with delimiters.
o Lists – Ordered collections of elements.
o Trees – Hierarchical data structures.
3. Libraries & Code Components:
o Procedures & Functions – Reusable blocks of code.
o Classes – Object-oriented programming blueprints.
4. Programming Languages for Cybersecurity:
o Bash – Command-line scripting and automation.
o Python – General-purpose language for security scripting.
o Ruby – Used in web development and penetration testing.
o PowerShell – Exploitation and automation tool for Windows.
o Perl – Used for text processing and automation.
o JavaScript – Web application security and automation.

Penetration Testing Linux Distributions

• Kali Linux – Debian-based distro with preinstalled penetration testing tools.
• Parrot OS – Security, forensics, and penetration testing distribution.
• BlackArch Linux – Arch-based collection of 1900+ penetration testing tools.

Tools for Passive Reconnaissance

• Nslookup, Host, Dig – DNS-based reconnaissance tools.
• Whois – Queries domain registration details.
• FOCA – Metadata extraction from documents.
• ExifTool – Extracts image metadata.
• theHarvester – Finds emails, subdomains, and hosts.
• Shodan – Internet-connected device search engine.
• Maltego – OSINT tool for data visualization and analysis.
• Recon-ng – Automates OSINT information gathering.
• Censys – Provides internet-exposed device information.

Tools for Active Reconnaissance

• Nmap & Zenmap – Network scanning and enumeration (Zenmap is the Nmap GUI).
• Enum4linux – Enumerates users, groups, shares, and password policy from
Windows/Samba hosts over SMB and NetBIOS.

These tools are essential for security professionals to identify vulnerabilities and enhance
security measures within their systems.

Cybersecurity Tools and Concepts

Common Tools for Persistence

• PowerSploit: A collection of PowerShell modules for post-exploitation and
assessment.
• Empire: A PowerShell-based post-exploitation framework with Windows and Linux
agents.

Common Tools for Evasion

• Veil: Generates payloads built to evade antivirus; works with Metasploit.
• Tor: Enables anonymous web browsing via onion routing.
• Proxychains: Redirects network traffic through proxies like Tor.
• Encryption: Protects sensitive information but can also hide attacker traffic
from inspection.
• DNS Tunneling: Encodes data in DNS queries and responses to exfiltrate it past
filters that allow DNS; detectable through query length, entropy, and volume
monitoring.

Exploitation Frameworks

• Metasploit: A powerful framework for developing and executing exploits.
• BeEF: Focuses on browser vulnerabilities and web application security.

Common Decompilation, Disassembly, and Debugging Tools

• GDB: GNU debugger; popular multi-language debugger.
• WinDbg: Windows kernel and user-mode debugger.
• OllyDbg: Debugger for Windows 32-bit applications.
• edb Debugger: Cross-platform debugger in Kali Linux.
• Ghidra: NSA-developed reverse engineering tool.
• IDA: Commercial disassembler, debugger, and decompiler.
• Objdump: Linux tool for analyzing object files.

Common Tools for Forensics

• Autopsy: Open-source digital forensics platform.
• The Sleuth Kit: Command-line forensic toolset.
• Volatility: Memory forensics framework.
• EnCase: Commercial tool for disk imaging and file recovery.
• FTK (Forensic Toolkit): Commercial tool for data analysis.
• Wireshark: Network protocol analyzer.
• Cellebrite UFED: Mobile device forensic tool.
• X-Ways Forensics: Comprehensive forensic suite.

Common Tools for Software Assurance

• SpotBugs: Java static analysis tool.
• Findsecbugs: Security-focused bug detection for Java.
• SonarQube: Code vulnerability and quality analysis tool.
• Fuzzers:
o Peach: Open-source and commercial fuzzer.
o Mutiny: Packet capture replay fuzzer.
o AFL: Fuzzer using compile-time instrumentation.

Wireless Tools
• Wifite2: Automated Wi-Fi testing tool.
• EAPHammer: Evil twin attack tool.
• mdk4: Wireless fuzzing and attack tool.
• Spooftooph: Bluetooth spoofing tool.
• Reaver: WPS brute-force attack tool.
• WiGLE: Database and website of wardriving results (wireless network locations).
• Fern Wi-Fi Cracker: Cracks WEP, WPA, and WPS keys.

Steganography Tools

• OpenStego: Steganography tool.
• snow: Text-based steganography.
• Coagula: Converts images to sound.
• Sonic Visualiser: Audio analysis tool.
• TinEye: Reverse image search.
• metagoofil: Extracts metadata from documents and images.

Cloud Security Tools

• ScoutSuite: Cloud vulnerability scanner.
• CloudBrute: Cloud enumeration tool.
• Pacu: AWS exploitation framework.
• Cloud Custodian: Cloud governance and security tool.

Programming Constructs and Data Structures

• Boolean operators, conditionals.
• Data structures: Arrays, lists, dictionaries, trees, JSON, CSV files.
• Procedures: Defined sections of code performing specific tasks.

Active Reconnaissance Tools

• Zenmap: Network scanning tool.
• Enum4linux: SMB and NetBIOS enumeration tool.

Credential Attack Tools

• Mimikatz: Extracts Windows credentials.
• Patator: Flexible brute-force tool.

Linux Distributions and Tools

• BlackArch: Over 1900 penetration testing tools.
• CAINE: Forensic Linux distribution.

Other Key Tools

• FOCA: Metadata and hidden information extraction.
• Maltego: OSINT and link analysis tool.
• Empire: Post-exploitation and persistence framework.
• Qualys: Cloud-based vulnerability and compliance scanner.

API Documentation Formats

• SOAP: XML-based API communication standard.
• Swagger (OpenAPI): REST API documentation framework.
• WSDL: XML-based web service documentation.
• GraphQL: Query language for APIs.
• WADL: XML-based web application description.

Penetration Testing Methodologies

Unknown-Environment Testing (Black Box)

• Limited information about the target is provided.
• Mimics external attacker perspective.
• Network personnel may not be informed in advance.

Known-Environment Testing (White Box)

• Detailed knowledge of the target is provided (diagrams, configurations, credentials).
• Identifies as many vulnerabilities as possible.

Reconnaissance (Initial Phase of Cyber Attacks)

Types of Reconnaissance

1. Active Reconnaissance:
o Direct interaction with the target.
o Tools and methods: Host, network, user, and service enumeration; packet
crafting.
o Risk: Detectable and may disrupt systems.
2. Passive Reconnaissance:
o Indirect information gathering.
o Tools and methods: OSINT, domain enumeration, packet inspection, Recon-ng,
eavesdropping.
o Advantage: Non-invasive and difficult to detect.

Importance of Reconnaissance

• Identifies target vulnerabilities.
• Helps attackers and penetration testers plan strategies.
• Reduces detection risks.
