Glossary

A comprehensive reference of terms, concepts, tools, and techniques used throughout this textbook. Each entry includes the chapter where it is first introduced or most thoroughly discussed.


A

Access Control List (ACL): A set of rules that defines which users or system processes are granted access to objects, as well as what operations are allowed on given objects. ACLs are fundamental to network security and operating system permissions. (Ch. 6)

Active Directory (AD): Microsoft's directory service for Windows domain networks. It stores information about members of the domain, verifies credentials, and defines access rights. AD is a primary target in internal penetration testing. (Ch. 18)

Active Reconnaissance: Information-gathering techniques that involve direct interaction with the target system, such as port scanning or banner grabbing. Unlike passive reconnaissance, active methods risk detection by the target. (Ch. 5)

Address Resolution Protocol (ARP): A protocol used to map IP addresses to MAC addresses on a local network. ARP lacks authentication, making it vulnerable to spoofing and poisoning attacks. (Ch. 8)

Advanced Encryption Standard (AES): A symmetric block cipher adopted as a U.S. government encryption standard. AES operates on 128-bit blocks with key sizes of 128, 192, or 256 bits. (Ch. 26)

Advanced Persistent Threat (APT): A prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period. APTs are typically state-sponsored or conducted by well-resourced threat actors. (Ch. 3)

Adversary Simulation: The practice of emulating real-world threat actor tactics, techniques, and procedures (TTPs) to test an organization's detection and response capabilities. Distinguished from penetration testing by its focus on stealth and realism. (Ch. 35)

Air Gap: A security measure in which a computer or network is physically isolated from unsecured networks, including the internet. Air-gapped systems are used for highly sensitive environments but are not immune to all attack vectors. (Ch. 31)

Amplification Attack: A type of DDoS attack that exploits protocols like DNS or NTP to generate a large volume of traffic directed at a victim from a small initial request. The amplification factor can exceed 50x in some protocols. (Ch. 9)

Antivirus (AV) Evasion: Techniques used to bypass antivirus detection mechanisms, including obfuscation, encryption, polymorphism, and fileless execution. Understanding evasion is critical for realistic penetration testing. (Ch. 22)

Application Programming Interface (API): A set of protocols and tools for building and interacting with software applications. APIs are increasingly targeted in modern attacks due to poor authentication and authorization implementations. (Ch. 14)

ARP Poisoning/Spoofing: An attack where a malicious actor sends falsified ARP messages over a local network, linking the attacker's MAC address with the IP address of a legitimate host. This enables man-in-the-middle attacks on the local network. (Ch. 8)

Asymmetric Encryption: A cryptographic system that uses a pair of keys (public and private) for encryption and decryption. RSA, ECC, and Diffie-Hellman are common asymmetric algorithms. (Ch. 26)

Attack Surface: The total number of points where an unauthorized user can try to enter data to or extract data from an environment. Reducing the attack surface is a fundamental security practice. (Ch. 4)

Attack Vector: The path or method by which an attacker gains access to a target system. Common vectors include phishing, unpatched vulnerabilities, and misconfigured services. (Ch. 3)

Authentication: The process of verifying the identity of a user, device, or system. Common methods include passwords, tokens, biometrics, and multi-factor authentication. (Ch. 14)

Authorization: The process of determining what permissions an authenticated user has. Broken authorization is a common web application vulnerability. (Ch. 14)

B

Backdoor: A hidden method for bypassing normal authentication or encryption in a computer system. Backdoors may be installed by attackers for persistent access or may exist as undocumented features in software. (Ch. 20)

Banner Grabbing: A technique used to gain information about a computer system on a network and the services running on its open ports. Banners often reveal software versions, enabling targeted exploitation. (Ch. 5)

Base64 Encoding: A binary-to-text encoding scheme that represents binary data in an ASCII string format. Frequently encountered in web applications, authentication headers, and payload encoding. Not encryption. (Ch. 13)

Bash Bunny: A USB attack platform by Hak5 that emulates trusted USB devices to execute payloads on target machines. Used in physical penetration testing engagements. (Ch. 31)

Beacon: In the context of command-and-control (C2), a periodic check-in from a compromised host to the attacker's server. Beacon intervals and jitter are configured to evade detection. (Ch. 22)

Bind Shell: A shell session where the target machine opens a port and waits for a connection from the attacker. Contrast with a reverse shell, where the target connects back to the attacker. (Ch. 10)

Black Box Testing: A penetration testing approach where the tester has no prior knowledge of the target environment. Simulates an external attacker scenario. (Ch. 2)

BloodHound: A tool that uses graph theory to reveal hidden and often unintended relationships within an Active Directory environment. It maps attack paths from compromised users to high-value targets. (Ch. 18)

Blue Team: The defensive security team responsible for maintaining and improving an organization's security posture. Blue teams monitor for threats, respond to incidents, and harden systems. (Ch. 1)

Bluetooth Hacking: Attacks targeting Bluetooth-enabled devices, including bluejacking, bluesnarfing, and bluebugging. Bluetooth vulnerabilities can expose mobile and IoT devices to unauthorized access. (Ch. 30)

Boot2Root: A type of vulnerable virtual machine designed for practice, where the objective is to gain root/administrator access starting from an initial foothold. Common in CTF and training environments. (Ch. 1)

Brute Force Attack: An attack method that systematically checks all possible passwords or keys until the correct one is found. Computationally expensive but effective against weak passwords. (Ch. 11)

Buffer Overflow: A vulnerability that occurs when a program writes data beyond the boundaries of a buffer in memory. Buffer overflows can lead to arbitrary code execution and are a foundational exploit technique. (Ch. 21)

Bug Bounty: A program offered by organizations that provides monetary rewards to researchers who discover and responsibly report security vulnerabilities. Platforms include HackerOne, Bugcrowd, and Intigriti. (Ch. 2)

Burp Suite: An integrated platform for web application security testing. It includes a proxy, scanner, intruder, repeater, and numerous other tools for identifying web vulnerabilities. (Ch. 13)

C

C2 (Command and Control): Infrastructure used by attackers to maintain communication with and send commands to compromised systems. Modern C2 frameworks include Cobalt Strike, Sliver, and Havoc. (Ch. 22)

CA (Certificate Authority): An entity that issues digital certificates, verifying the identity of the certificate holder. Compromised CAs can undermine the entire PKI trust model. (Ch. 26)

Capture the Flag (CTF): A cybersecurity competition where participants solve challenges across categories like web exploitation, reverse engineering, cryptography, and forensics. An essential training methodology. (Ch. 1)

CERT (Computer Emergency Response Team): An organization that studies computer security vulnerabilities, provides incident response services, and publishes security advisories. (Ch. 3)

Certificate Pinning: A security mechanism that associates a host with its expected public key certificate. It prevents man-in-the-middle attacks using fraudulent certificates. (Ch. 30)

Chain of Custody: The chronological documentation of the seizure, custody, control, transfer, analysis, and disposition of evidence. Critical in digital forensics to ensure evidence admissibility. (Ch. 28)

Chroot Jail: A Unix mechanism that changes the apparent root directory for a running process and its children. Used as a basic isolation technique, though it is not a complete security boundary. (Ch. 23)

CIDR (Classless Inter-Domain Routing): A method for allocating IP addresses and routing that replaces the old classful addressing scheme. Understanding CIDR notation (e.g., 192.168.1.0/24) is essential for network scanning. (Ch. 5)

Cipher Suite: A set of algorithms that help secure a network connection using TLS/SSL. It typically includes a key exchange algorithm, bulk encryption algorithm, and message authentication code. (Ch. 26)

Clickjacking: A web attack where a user is tricked into clicking on something different from what they perceive, by overlaying transparent or opaque layers over a web page. (Ch. 15)

Cloud Security: The set of policies, technologies, and controls deployed to protect data, applications, and infrastructure associated with cloud computing. Major platforms include AWS, Azure, and GCP. (Ch. 29)

Cobalt Strike: A commercial adversary simulation tool used for red team operations. It provides a C2 framework, beacon payloads, and post-exploitation capabilities. Frequently abused by real threat actors. (Ch. 22)

Code Execution: The ability to run arbitrary code on a target system, typically the ultimate goal of an exploit. Can be local or remote. (Ch. 10)

Code Injection: An attack where an attacker introduces malicious code that is then executed by the application. SQL injection, command injection, and LDAP injection are common types. (Ch. 13)

Common Vulnerabilities and Exposures (CVE): A standardized identifier for known security vulnerabilities. CVE entries are cataloged in the National Vulnerability Database (NVD) and used for vulnerability management. (Ch. 4)

Common Vulnerability Scoring System (CVSS): A framework for communicating the characteristics and severity of software vulnerabilities. Scores range from 0.0 to 10.0, with the highest band rated Critical. (Ch. 4)

Containerization: The use of OS-level virtualization to deploy and run applications in isolated environments (containers). Docker and Kubernetes introduce unique security considerations. (Ch. 29)

Content Security Policy (CSP): A browser security mechanism that helps prevent XSS and data injection attacks by specifying which dynamic resources are allowed to load. (Ch. 15)

Cookie: A small piece of data stored on the user's browser by a website. Session cookies are frequently targeted for hijacking, and secure cookie attributes (HttpOnly, Secure, SameSite) are important defenses. (Ch. 13)

Credential Stuffing: An automated attack that uses previously breached username/password pairs to attempt logins on other services. Exploits password reuse across platforms. (Ch. 11)

Cross-Origin Resource Sharing (CORS): A browser mechanism that allows restricted resources on a web page to be requested from a domain outside the one from which the resource originated. Misconfigured CORS policies can lead to data theft. (Ch. 15)

Cross-Site Request Forgery (CSRF): An attack that forces an authenticated user to execute unwanted actions on a web application. CSRF exploits the trust a site has in a user's browser. (Ch. 15)

Cross-Site Scripting (XSS): A vulnerability that allows attackers to inject client-side scripts into web pages viewed by other users. Types include reflected, stored, and DOM-based XSS. (Ch. 13)

Cryptanalysis: The study of analyzing and breaking cryptographic systems. Techniques range from brute force to sophisticated mathematical attacks on algorithm weaknesses. (Ch. 26)

Cryptographic Hash Function: A mathematical algorithm that maps data of arbitrary size to a fixed-size output (digest). Properties include collision resistance and preimage resistance. SHA-256 and bcrypt are common examples. (Ch. 26)

CVE (Common Vulnerabilities and Exposures): See Common Vulnerabilities and Exposures. (Ch. 4)

D

Dark Web: The portion of the internet accessible only through specialized software like Tor. It hosts both legitimate privacy-focused services and illegal marketplaces where stolen data and exploits are traded. (Ch. 3)

Data Exfiltration: The unauthorized transfer of data from a computer or network. Exfiltration methods include DNS tunneling, HTTP/S channels, and steganography. (Ch. 22)

Data Loss Prevention (DLP): Technologies and strategies designed to prevent unauthorized transmission of sensitive information outside an organization. (Ch. 29)

Dead Drop: In adversary tradecraft, a method of passing information between two parties without direct contact. In cyber operations, this may involve public paste sites or cloud storage as C2 channels. (Ch. 22)

Decryption: The process of converting encrypted data back to its original plaintext form using a key. (Ch. 26)

Default Credentials: Factory-set usernames and passwords shipped with hardware and software. Failure to change defaults is one of the most common and easily exploited vulnerabilities. (Ch. 6)

Defense in Depth: A layered security strategy where multiple defensive mechanisms are placed throughout an IT system. If one layer fails, the next layer provides protection. (Ch. 4)

Denial of Service (DoS): An attack intended to shut down a machine or network, making it inaccessible to its intended users. Achieved by flooding the target with traffic or sending information that triggers a crash. (Ch. 9)

DHCP Starvation: An attack that exhausts the pool of available IP addresses on a DHCP server by sending numerous DHCP requests with spoofed MAC addresses. (Ch. 8)

Dictionary Attack: A password-cracking technique that uses a pre-compiled list of likely passwords (wordlist) rather than trying every possible combination. (Ch. 11)

Digital Certificate: An electronic document that uses a digital signature to bind a public key with an identity. The X.509 standard is the most common format. (Ch. 26)

Digital Forensics: The process of uncovering and interpreting electronic data for use in investigations. Sub-disciplines include disk forensics, memory forensics, network forensics, and mobile forensics. (Ch. 28)

Directory Traversal: A web vulnerability that allows attackers to access files and directories stored outside the web root folder by manipulating file path references (e.g., ../../etc/passwd). (Ch. 13)

Distributed Denial of Service (DDoS): A DoS attack originating from multiple compromised systems, often using a botnet. DDoS attacks can generate traffic volumes exceeding terabits per second. (Ch. 9)

DKIM (DomainKeys Identified Mail): An email authentication method that allows the receiver to check that an email was sent and authorized by the owner of the sending domain. (Ch. 12)

DLL Hijacking: An attack that exploits the Windows DLL search order to load a malicious DLL instead of the legitimate one. A common privilege escalation technique. (Ch. 19)

DMARC (Domain-based Message Authentication, Reporting, and Conformance): An email authentication protocol that builds on SPF and DKIM to give email domain owners the ability to protect their domain from unauthorized use. (Ch. 12)

DMZ (Demilitarized Zone): A physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network. Provides an additional layer of security to the internal network. (Ch. 6)

DNS (Domain Name System): The hierarchical naming system that translates human-readable domain names to IP addresses. DNS is a frequent attack vector through spoofing, tunneling, and zone transfer exploits. (Ch. 5)

DNS Tunneling: A technique that encodes data within DNS queries and responses, enabling communication through DNS traffic. Used for data exfiltration and C2 communication to bypass firewalls. (Ch. 22)

Docker: A platform for developing, shipping, and running applications in containers. Docker security concerns include image vulnerabilities, container escapes, and exposed Docker APIs. (Ch. 29)

Domain Controller (DC): A server that responds to authentication requests within a Windows domain. Compromising a domain controller typically grants full control of the entire domain environment. (Ch. 18)

Domain Fronting: A technique that routes traffic through a legitimate domain to disguise the true endpoint. Used to circumvent censorship and evade network monitoring. (Ch. 22)

Downgrade Attack: An attack that forces a system to use an older, less secure version of a protocol. SSL/TLS downgrade attacks (e.g., POODLE) exploit this to enable decryption of communications. (Ch. 26)

Drive-by Download: A malware distribution technique where simply visiting a compromised website triggers a download and execution of malicious code without user consent. (Ch. 12)

Dumpster Diving: The practice of searching through an organization's trash to find useful information such as passwords, network diagrams, or other sensitive data. A physical social engineering technique. (Ch. 12)

E

Egress Filtering: The practice of monitoring and potentially restricting the flow of information outbound from a network. Helps prevent data exfiltration and C2 communication. (Ch. 22)

Elasticsearch: A distributed search and analytics engine commonly used for log analysis. Unsecured Elasticsearch instances (default port 9200) have been responsible for numerous data exposures. (Ch. 29)

Encoding: The process of converting data from one format to another. Unlike encryption, encoding is reversible without a key and provides no security. Common schemes include Base64 and URL encoding. (Ch. 13)

Encryption: The process of converting plaintext into ciphertext using a cryptographic algorithm and key, making it unreadable without the corresponding decryption key. (Ch. 26)

Endpoint Detection and Response (EDR): Security solutions that monitor endpoint activities, detect threats, and respond to incidents. Modern EDR products include CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne. (Ch. 22)

Enumeration: The process of actively probing a target to gather detailed information about users, shares, services, and configurations. Enumeration follows scanning in the penetration testing methodology. (Ch. 6)

EternalBlue: A cyberweapon exploit developed by the NSA, leaked by the Shadow Brokers in 2017. It targets a vulnerability in Microsoft's SMB protocol (MS17-010) and was used in the WannaCry and NotPetya attacks. (Ch. 10)

Evil Twin: A rogue Wi-Fi access point that mimics a legitimate one to intercept wireless communications. Used in wireless penetration testing to capture credentials and session data. (Ch. 24)

Exploit: A piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability to cause unintended behavior in a system. Exploits can be local, remote, or client-side. (Ch. 10)

Exploit Chain: A sequence of multiple exploits used together to achieve an objective that no single exploit could accomplish alone. Modern attacks often chain together several vulnerabilities. (Ch. 10)

Exploit Database (Exploit-DB): A publicly available archive of exploits and vulnerable software maintained by Offensive Security. An essential resource for penetration testers. (Ch. 10)

Exfiltration: See Data Exfiltration. (Ch. 22)

F

Fail2Ban: An intrusion prevention software that protects against brute force attacks by monitoring log files and banning IP addresses that show malicious signs. (Ch. 23)

False Flag: An operation designed to appear as if it was carried out by a different entity. In cyber operations, false flags involve planting artifacts to mislead attribution efforts. (Ch. 35)

Fileless Malware: Malicious code that operates entirely in memory without writing files to disk. Fileless attacks leverage legitimate system tools (living off the land) and are difficult for traditional antivirus to detect. (Ch. 22)

Fingerprinting: The process of identifying the operating system, services, or application versions running on a target system. Techniques include TCP/IP stack analysis and banner grabbing. (Ch. 5)

Firewall: A network security device that monitors and filters incoming and outgoing network traffic based on predefined security rules. Types include packet-filtering, stateful, proxy, and next-generation firewalls. (Ch. 6)

Footprinting: The first phase of ethical hacking where information about the target is gathered through passive and active means. Also called reconnaissance. (Ch. 5)

Forensic Image: A bit-for-bit copy of a storage device that captures all data including deleted files, slack space, and unallocated space. Created using tools like dd, FTK Imager, or Guymager. (Ch. 28)

Format String Vulnerability: A class of vulnerability where user-supplied input is used as the format string parameter in functions like printf(). Can lead to information disclosure or code execution. (Ch. 21)

FTP (File Transfer Protocol): A protocol for transferring files between systems over TCP (ports 20/21). FTP transmits credentials in cleartext, making it a frequent target for credential sniffing. (Ch. 6)

Fuzzing: An automated software testing technique that involves providing invalid, unexpected, or random data as input to a program. Fuzzing is used to discover bugs and vulnerabilities. (Ch. 21)

G

Gateway: A network point that acts as an entrance to another network. The default gateway is the router that forwards traffic from the local network to other networks. (Ch. 7)

GDPR (General Data Protection Regulation): A regulation in EU law on data protection and privacy. GDPR has significant implications for penetration testing scope, data handling, and reporting. (Ch. 2)

Golden Ticket Attack: A Kerberos-based attack where a forged Ticket Granting Ticket (TGT) is created using the KRBTGT account hash, granting unrestricted access to any resource in the domain. (Ch. 18)

Google Dorking: The practice of using advanced Google search operators (site:, inurl:, filetype:, intitle:) to find sensitive information exposed on the internet. Also called Google hacking. (Ch. 5)

GPG/GnuPG (GNU Privacy Guard): A free implementation of the OpenPGP standard for encrypting and signing data. Used for secure communication and file encryption. (Ch. 26)

Gray Box Testing: A penetration testing approach where the tester has partial knowledge of the target environment, such as credentials or network diagrams. Balances realism with efficiency. (Ch. 2)

Group Policy Object (GPO): A collection of settings in Active Directory that define what a system or user configuration will look like. Misconfigured GPOs can create attack paths for privilege escalation. (Ch. 18)

H

Hash: A fixed-size string produced by a hash function from input data. Hashes are one-way functions used for password storage, integrity verification, and digital signatures. (Ch. 11)

Hash Collision: A situation where two different inputs produce the same hash output. Collision vulnerabilities in algorithms like MD5 and SHA-1 have led to their deprecation. (Ch. 26)

Hashcat: A high-performance password recovery tool that supports over 300 hash types and leverages GPU acceleration. Supports dictionary, brute force, rule-based, and hybrid attacks. (Ch. 11)

Heap Overflow: A type of buffer overflow that occurs in the heap data area, which is dynamically allocated memory. More complex to exploit than stack overflows but equally dangerous. (Ch. 21)

Heartbleed: A serious vulnerability (CVE-2014-0160) in the OpenSSL cryptography library that allowed attackers to read the memory of affected servers, potentially exposing private keys and user data. (Ch. 26)

Honeypot: A decoy system or resource designed to attract and detect attackers. Honeypots are used for research, early warning, and intelligence gathering about attack methods. (Ch. 23)

HSTS (HTTP Strict Transport Security): A web security policy mechanism that forces browsers to interact with a website only over HTTPS. Prevents protocol downgrade attacks and cookie hijacking. (Ch. 15)

HTTP (Hypertext Transfer Protocol): The foundation protocol for data communication on the web. Understanding HTTP methods, headers, status codes, and cookies is essential for web application testing. (Ch. 13)

HTTP Request Smuggling: An attack technique that exploits discrepancies between how front-end and back-end servers parse HTTP requests. Can lead to cache poisoning and request hijacking. (Ch. 15)

Hydra (THC-Hydra): A parallelized login cracker supporting numerous protocols including SSH, FTP, HTTP, SMB, and RDP. Used for online password attacks during penetration testing. (Ch. 11)

Hypervisor: Software that creates and runs virtual machines. Type 1 (bare-metal) hypervisors include ESXi and Hyper-V. Hypervisor escape vulnerabilities are high-severity findings. (Ch. 29)

I

ICS/SCADA: Industrial Control Systems / Supervisory Control and Data Acquisition. These systems control critical infrastructure and have unique security challenges due to legacy protocols and operational requirements. (Ch. 31)

IDS/IPS (Intrusion Detection/Prevention System): Systems that monitor network traffic for suspicious activity. IDS detects and alerts; IPS detects and actively blocks. Snort and Suricata are open-source examples. (Ch. 23)

IDOR (Insecure Direct Object Reference): A type of access control vulnerability where the application exposes internal object references (like database keys) that can be manipulated to access unauthorized resources. (Ch. 14)

Impacket: A collection of Python classes for working with network protocols. Essential for penetration testing Windows environments, providing tools for SMB, MSRPC, Kerberos, and NTLM attacks. (Ch. 18)

Incident Response (IR): The organized approach to addressing and managing a security breach or cyberattack. The IR lifecycle includes preparation, identification, containment, eradication, recovery, and lessons learned. (Ch. 28)

Indicator of Compromise (IoC): Forensic artifacts that indicate a potential intrusion, such as unusual network traffic, suspicious file hashes, or anomalous user behavior. (Ch. 28)

Information Disclosure: A vulnerability where an application unintentionally reveals sensitive data to users, such as stack traces, source code, internal IP addresses, or database details. (Ch. 14)

Infrastructure as Code (IaC): The practice of managing infrastructure through code and automation tools like Terraform, CloudFormation, or Ansible. Misconfigurations in IaC templates create security vulnerabilities. (Ch. 29)

Injection: A class of attacks where untrusted data is sent to an interpreter as part of a command or query. Includes SQL injection, command injection, LDAP injection, and XML injection. (Ch. 13)

Insecure Deserialization: A vulnerability where untrusted data is used to abuse the logic of an application's deserialization process, potentially leading to remote code execution. (Ch. 15)

Internet of Things (IoT): The network of physical devices embedded with sensors, software, and connectivity. IoT devices often have weak security, default credentials, and limited update mechanisms. (Ch. 31)

IP Address: A numerical label assigned to each device connected to a computer network. IPv4 addresses use 32 bits (e.g., 192.168.1.1); IPv6 uses 128 bits. (Ch. 7)

J

Jailbreaking: The process of removing software restrictions imposed by the manufacturer on a mobile device. In security testing, jailbreaking enables deeper inspection of iOS applications. (Ch. 30)

John the Ripper: An open-source password cracking tool that supports many cipher and hash types. It can perform dictionary attacks, brute force, and custom rules-based attacks. (Ch. 11)

JSON Web Token (JWT): A compact, URL-safe token format used for securely transmitting claims between parties. JWT vulnerabilities include algorithm confusion, weak signing keys, and missing validation. (Ch. 14)

Juice Shop: OWASP's intentionally insecure web application used for security training. It contains the entire OWASP Top 10 vulnerability set and serves as a practical learning platform. (Ch. 13)

K

Kali Linux: A Debian-based Linux distribution designed for digital forensics and penetration testing. It comes preinstalled with hundreds of security tools and is the most widely used penetration testing platform. (Ch. 1)

Kerberoasting: An attack technique targeting Active Directory service accounts by requesting Kerberos service tickets and cracking them offline to obtain plaintext passwords. (Ch. 18)

Kerberos: A network authentication protocol that uses tickets to allow nodes to prove their identity securely over a non-secure network. The default authentication protocol in Active Directory environments. (Ch. 18)

Kernel Exploit: An exploit that targets vulnerabilities in the operating system kernel, typically leading to full system compromise. Kernel exploits are often used for privilege escalation. (Ch. 19)

Key Exchange: A cryptographic protocol by which two parties can agree on a shared secret over an insecure channel. Diffie-Hellman and ECDH are common key exchange algorithms. (Ch. 26)

Keylogger: Software or hardware that records keystrokes on a target system. Used by attackers to capture passwords, credit card numbers, and other sensitive information. (Ch. 20)

Kill Chain: A military concept adapted to cybersecurity (Lockheed Martin Cyber Kill Chain) that describes the stages of a cyberattack: reconnaissance, weaponization, delivery, exploitation, installation, C2, and actions on objectives. (Ch. 3)

Kubernetes: An open-source container orchestration platform. Security concerns include misconfigured RBAC, exposed dashboards, pod escapes, and secrets management. (Ch. 29)

L

Lateral Movement: The technique of moving through a network after initial compromise, accessing additional systems to locate valuable data or expand control. (Ch. 18)

LDAP (Lightweight Directory Access Protocol): A protocol for accessing and maintaining distributed directory information services. LDAP injection and insecure LDAP configurations are common findings. (Ch. 18)

Least Privilege: A security principle that grants users only the minimum permissions required to perform their job functions. Violations of least privilege are common in enterprise environments. (Ch. 4)

LinPEAS/WinPEAS: Privilege Escalation Awesome Scripts for Linux and Windows. Automated scripts that enumerate potential privilege escalation vectors on compromised systems. (Ch. 19)

Living off the Land (LotL): An attack strategy that uses legitimate, pre-installed system tools (like PowerShell, WMI, certutil) to carry out malicious activities, avoiding detection by security tools. (Ch. 22)

Load Balancer: A device that distributes network traffic across multiple servers. Load balancers can complicate penetration testing by distributing requests to different backend servers. (Ch. 6)

Local File Inclusion (LFI): A vulnerability that allows an attacker to include files from the local server in the application's response. Can lead to information disclosure, source code exposure, and sometimes code execution. (Ch. 13)

Log4Shell: A critical zero-day vulnerability (CVE-2021-44228) in the Apache Log4j 2 Java logging library that allowed remote code execution via specially crafted log messages. (Ch. 10)

Logic Bomb: Malicious code that triggers under specific conditions, such as a date, system event, or absence of a particular user account. (Ch. 20)

M

MAC Address: A unique hardware identifier assigned to a network interface controller. MAC addresses operate at the data link layer and can be spoofed for network attacks. (Ch. 7)

Malware: Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems. Categories include viruses, worms, trojans, ransomware, spyware, and rootkits. (Ch. 20)

Man-in-the-Middle (MitM) Attack: An attack where the attacker secretly intercepts and potentially alters communications between two parties who believe they are communicating directly with each other. (Ch. 8)

Mandatory Access Control (MAC): A security model where access to resources is governed by a central authority based on security labels and clearances. SELinux and AppArmor implement MAC on Linux. (Ch. 23)

Metasploit Framework: An open-source penetration testing framework that provides exploit modules, payloads, encoders, and post-exploitation tools. The most widely used exploitation framework in professional penetration testing. (Ch. 10)

Meterpreter: An advanced payload within the Metasploit Framework that provides an interactive shell with built-in post-exploitation capabilities including file manipulation, pivoting, and privilege escalation. (Ch. 10)

MITRE ATT&CK: A knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. Used as a framework for threat modeling, red teaming, and security assessments. (Ch. 3)

Mobile Application Security: The practice of securing mobile applications against threats. Involves static analysis (SAST), dynamic analysis (DAST), and platform-specific testing for Android (APK) and iOS (IPA) apps. (Ch. 30)

MongoDB: A NoSQL database that uses JSON-like documents. Unsecured MongoDB instances (default port 27017) have been responsible for massive data breaches. (Ch. 29)

Msfvenom: A Metasploit tool that combines payload generation and encoding. Used to create custom payloads for various platforms and formats. (Ch. 10)

Multi-Factor Authentication (MFA): An authentication method requiring two or more verification factors (something you know, something you have, something you are). MFA bypass techniques are an important testing area. (Ch. 14)

N

NAC (Network Access Control): A security approach that enforces policies on devices seeking to access network resources. NAC can verify device compliance before granting network access. (Ch. 23)

NAT (Network Address Translation): A method of remapping one IP address space into another by modifying network address information in packet headers while in transit. NAT can complicate penetration testing because internal addresses are hidden behind the translated address. (Ch. 7)

Nessus: A commercial vulnerability scanner developed by Tenable. Widely used for vulnerability assessments to identify known vulnerabilities, misconfigurations, and compliance violations. (Ch. 4)

Netcat (nc): A networking utility that reads and writes data across network connections using TCP or UDP. Often called the "Swiss Army knife" of networking, it is used for port scanning, banner grabbing, file transfer, and shell creation. (Ch. 10)

Network Segmentation: The practice of dividing a computer network into smaller subnetworks to improve security and performance. Proper segmentation limits lateral movement after a breach. (Ch. 6)

Nikto: An open-source web server scanner that tests for dangerous files, outdated server software, and other problems. A standard tool in web application assessments. (Ch. 13)

Nmap (Network Mapper): A free and open-source utility for network discovery and security auditing. Nmap uses raw IP packets to determine available hosts, services, operating systems, and firewall/filter configurations. (Ch. 5)

NoSQL Injection: An injection attack targeting NoSQL databases like MongoDB. Similar in concept to SQL injection but uses NoSQL-specific query syntax. (Ch. 15)

NTLM (NT LAN Manager): A suite of Microsoft security protocols for authentication, integrity, and confidentiality. NTLM hashes can be captured and cracked, relayed, or reused in pass-the-hash attacks. (Ch. 18)

Null Session: An anonymous connection to a Windows IPC$ share that can enumerate users, groups, shares, and policies. A legacy attack vector that remains relevant in some environments. (Ch. 18)

O

Obfuscation: The practice of making code or data difficult to understand or analyze. Used defensively to protect intellectual property and offensively to evade detection. (Ch. 22)

OSCP (Offensive Security Certified Professional): A hands-on penetration testing certification from Offensive Security that requires passing a 24-hour practical exam. Widely regarded as a gold standard in the industry. (Ch. 1)

OSINT (Open Source Intelligence): Intelligence collected from publicly available sources. In penetration testing, OSINT includes social media, public records, DNS data, and search engine results. (Ch. 5)

OWASP (Open Web Application Security Project): A nonprofit foundation that works to improve software security. Best known for the OWASP Top 10 list of critical web application security risks. (Ch. 13)

OWASP Top 10: A regularly updated document listing the ten most critical web application security risks. The 2021 edition includes broken access control, cryptographic failures, and injection. (Ch. 13)

P

Packet Sniffing: The practice of capturing and analyzing network packets using tools like Wireshark or tcpdump. Used for network troubleshooting, security analysis, and credential capture on unencrypted networks. (Ch. 8)

Pass-the-Hash (PtH): An attack technique where an attacker uses the hash of a user's password (rather than the plaintext) to authenticate to a remote server. Eliminates the need to crack the password. (Ch. 18)

Pass-the-Ticket (PtT): A Kerberos-based attack where stolen Kerberos tickets are used to authenticate without knowing the user's password. Similar in concept to pass-the-hash. (Ch. 18)

Password Spraying: An attack that tries a small number of commonly used passwords against many accounts simultaneously. Avoids account lockout thresholds by limiting attempts per account. (Ch. 11)

Patch Management: The process of identifying, acquiring, testing, and installing software updates (patches) to fix vulnerabilities. Poor patch management is a leading cause of successful attacks. (Ch. 4)

Payload: The component of an exploit that performs the malicious action on the target system after successful exploitation. Common payloads include reverse shells, bind shells, and Meterpreter sessions. (Ch. 10)

Penetration Testing: An authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. Also called a pentest. Differs from vulnerability assessment by actively exploiting vulnerabilities. (Ch. 2)

Pentest Report: The formal deliverable of a penetration testing engagement, documenting methodology, findings, risk ratings, evidence, and remediation recommendations. (Ch. 34)

Pharming: A cyberattack that redirects a website's traffic to a fraudulent site, typically by poisoning DNS records or modifying the local hosts file. (Ch. 12)

Phishing: A social engineering attack that uses fraudulent communications (typically email) to trick users into revealing sensitive information or installing malware. Variants include spear phishing, whaling, and vishing. (Ch. 12)

PHP: A server-side scripting language commonly used in web applications. PHP-specific vulnerabilities include type juggling, deserialization flaws, and file inclusion. (Ch. 13)

Pivoting: The technique of using a compromised system as a launching point to attack other systems on the network that are not directly accessible from the attacker's position. (Ch. 18)

PKI (Public Key Infrastructure): A framework for managing digital certificates and public-key encryption. PKI enables secure electronic transfer of information for a range of network activities. (Ch. 26)

Port: A logical endpoint for network communication. Ports range from 0 to 65535, with well-known ports (0-1023) assigned to common services. Understanding port assignments is fundamental to network scanning. (Ch. 5)

Port Forwarding: A technique for redirecting network traffic from one port to another, either locally or across hosts. Essential for pivoting during penetration testing. (Ch. 18)

Port Scanning: The process of sending requests to a range of port addresses on a host to identify open ports and available services. Nmap is the most common port scanning tool. (Ch. 5)

Post-Exploitation: Activities performed after gaining initial access to a target system, including privilege escalation, persistence, lateral movement, and data exfiltration. (Ch. 18)

PowerShell: A task automation framework from Microsoft consisting of a command-line shell and scripting language. Extensively used by both attackers and defenders in Windows environments. (Ch. 19)

Pretexting: A social engineering technique where an attacker creates a fabricated scenario to engage a victim and gain information or access. (Ch. 12)

Privilege Escalation: The act of exploiting a vulnerability to gain elevated access to resources that are normally protected from a user. Can be vertical (user to admin) or horizontal (one user to another). (Ch. 19)

Proof of Concept (PoC): A demonstration that a vulnerability can be exploited, typically through minimal code or steps that prove the vulnerability exists without causing damage. (Ch. 10)

Protocol: A set of rules governing the exchange of data between devices. Understanding protocols (TCP, UDP, HTTP, SMB, etc.) is foundational to ethical hacking. (Ch. 7)

Proxy: An intermediary server that separates end users from the websites they browse. In security testing, proxies like Burp Suite intercept and modify HTTP traffic. (Ch. 13)

Purple Team: A collaborative approach where red team (offensive) and blue team (defensive) work together to improve security posture. The purple team focuses on knowledge sharing and continuous improvement. (Ch. 35)

R

Race Condition: A vulnerability that occurs when the output or behavior of a system depends on the timing of uncontrollable events. Can lead to privilege escalation or data corruption. (Ch. 21)

Rainbow Table: A precomputed table for reversing cryptographic hash functions, used for cracking password hashes. Salting passwords defeats rainbow table attacks. (Ch. 11)

Ransomware: Malware that encrypts a victim's files and demands payment for the decryption key. Modern ransomware often includes data exfiltration and double extortion tactics. (Ch. 20)

RCE (Remote Code Execution): A vulnerability that allows an attacker to execute arbitrary code on a remote system. RCE vulnerabilities are typically rated critical (CVSS 9.0+). (Ch. 10)

Reconnaissance: The first phase of a penetration test, involving information gathering about the target through passive (no direct contact) and active (direct interaction) methods. (Ch. 5)

Red Team: An offensive security team that simulates real-world attacks against an organization. Red team operations are typically longer and more comprehensive than penetration tests. (Ch. 1)

Remote File Inclusion (RFI): A web vulnerability that allows an attacker to include a remote file (from an external server) in the application, potentially leading to code execution. (Ch. 13)

Replay Attack: An attack where valid data transmission is maliciously repeated or delayed. Network authentication protocols must include protections against replay attacks. (Ch. 8)

Responder: A tool for poisoning LLMNR, NBT-NS, and MDNS responses on a local network to capture NTLM hashes. A standard tool in internal network penetration testing. (Ch. 18)

Reverse Engineering: The process of analyzing software or hardware to understand its design, architecture, and functionality. Used in malware analysis and vulnerability research. (Ch. 21)

Reverse Shell: A connection where the target machine initiates a connection back to the attacker's machine, providing the attacker with a command shell. Preferred over bind shells because it traverses firewalls more easily. (Ch. 10)

RFID (Radio-Frequency Identification): Technology that uses electromagnetic fields to identify and track tags attached to objects. RFID cloning and skimming are physical security concerns. (Ch. 31)

Risk Assessment: The process of identifying, analyzing, and evaluating risk. In ethical hacking, risk is typically expressed as the combination of likelihood and impact. (Ch. 4)

Rootkit: Malicious software designed to hide the existence of certain processes or programs from normal detection methods and enable continued privileged access to a computer. (Ch. 20)

Rubber Ducky: A USB device by Hak5 that appears as a keyboard to the target computer and executes preprogrammed keystroke injection attacks. Used in physical penetration testing. (Ch. 31)

Rules of Engagement (RoE): A formal document that defines the scope, boundaries, and constraints of a penetration testing engagement. Essential for legal and ethical compliance. (Ch. 2)

S

SAML (Security Assertion Markup Language): An XML-based framework for exchanging authentication and authorization data between parties. SAML vulnerabilities can lead to authentication bypass. (Ch. 14)

Sandbox: An isolated testing environment that mimics production. In malware analysis, sandboxes are used to safely execute and observe malicious code behavior. (Ch. 20)

Scanning: The phase of a penetration test where the tester actively probes the target to identify live hosts, open ports, running services, and potential vulnerabilities. (Ch. 5)

Scope: The boundaries of a penetration testing engagement, defining what systems, networks, and attack types are authorized. Operating outside scope can have legal consequences. (Ch. 2)

Secure Shell (SSH): A cryptographic network protocol for secure remote access and file transfer (port 22). SSH key management and configuration hardening are important security practices. (Ch. 6)

Security Information and Event Management (SIEM): Technology that aggregates and analyzes log data from across an organization's infrastructure to detect and respond to security threats. Examples include Splunk, ELK Stack, and Microsoft Sentinel. (Ch. 23)

Server-Side Request Forgery (SSRF): A vulnerability that allows an attacker to induce the server to make HTTP requests to an arbitrary domain of the attacker's choosing. SSRF can access internal services and cloud metadata endpoints. (Ch. 15)

Server-Side Template Injection (SSTI): A vulnerability that occurs when user input is embedded in a template engine in an unsafe manner, potentially allowing code execution. (Ch. 15)

Session Hijacking: The exploitation of a valid session key to gain unauthorized access to information or services in a computer system. Methods include cookie stealing, session fixation, and cross-site scripting. (Ch. 14)

Shellcode: A small piece of code used as the payload in the exploitation of a vulnerability. Shellcode is typically written in assembly language and provides a command shell or performs other actions. (Ch. 21)

Shodan: A search engine that indexes internet-connected devices. Unlike Google, Shodan scans for open ports and services, making it invaluable for reconnaissance and attack surface mapping. (Ch. 5)

Silver Ticket Attack: A Kerberos attack that forges a Ticket Granting Service (TGS) ticket for a specific service, using the service account's NTLM hash. More limited than a golden ticket but harder to detect. (Ch. 18)

SIM Swapping: A social engineering attack where an attacker convinces a mobile carrier to transfer a victim's phone number to a new SIM card, enabling the interception of SMS-based 2FA codes. (Ch. 12)

SMB (Server Message Block): A network file sharing protocol used primarily in Windows environments (ports 139/445). SMB has been the target of major exploits including EternalBlue. (Ch. 6)

SMTP (Simple Mail Transfer Protocol): The protocol for email transmission (port 25). SMTP enumeration can reveal valid usernames, and open relays can be exploited for spam and phishing. (Ch. 6)

Sniffing: See Packet Sniffing. (Ch. 8)

SNMP (Simple Network Management Protocol): A protocol for managing devices on IP networks (ports 161/162). Default SNMP community strings (public/private) are a common misconfiguration. (Ch. 6)

Social Engineering: The psychological manipulation of people into performing actions or divulging confidential information. The human element is often the weakest link in security. (Ch. 12)

SOCKS Proxy: A networking protocol that routes network packets between a client and server through a proxy server. SOCKS proxies are used for tunneling and pivoting during penetration testing. (Ch. 18)

Source Code Review: The examination of application source code to identify security vulnerabilities. Also called code auditing or static analysis. (Ch. 14)

Spear Phishing: A targeted phishing attack directed at a specific individual or organization. Spear phishing emails are customized using OSINT to increase credibility. (Ch. 12)

Spoofing: Impersonating another device or user on a network. Types include IP spoofing, MAC spoofing, ARP spoofing, DNS spoofing, and email spoofing. (Ch. 8)

SQL Injection (SQLi): A code injection technique that exploits a security vulnerability in an application's database layer. Types include error-based, union-based, blind (boolean and time-based), and out-of-band. (Ch. 13)

sqlmap: An open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws. Supports multiple database management systems. (Ch. 13)

SSL/TLS (Secure Sockets Layer / Transport Layer Security): Cryptographic protocols that provide secure communication over a computer network. SSL is deprecated; TLS 1.2 and 1.3 are current standards. (Ch. 26)

SSL Stripping: A man-in-the-middle attack that downgrades a secure HTTPS connection to an unencrypted HTTP connection. Tools like sslstrip automate this attack. (Ch. 8)

Stack Overflow: A type of buffer overflow that occurs when a program writes more data to a stack-allocated buffer than it can hold, potentially overwriting the return address and redirecting execution flow. (Ch. 21)

Steganography: The practice of concealing a message, image, or file within another message, image, or file. Used for covert communication and data exfiltration. (Ch. 22)

Subdomain Enumeration: The process of discovering subdomains associated with a target domain. Tools include Sublist3r, Amass, and subfinder. Subdomains often host forgotten or less-secured applications. (Ch. 5)

Subnet: A logical subdivision of an IP network. Understanding subnetting is essential for network scanning, pivoting, and understanding network architecture. (Ch. 7)

Sudo: A Unix command that allows a permitted user to execute a command as the superuser. Misconfigurations in the sudoers file are a common privilege escalation vector. (Ch. 19)

Supply Chain Attack: An attack that targets the less-secure elements in the supply chain, such as third-party software libraries, development tools, or hardware components. The SolarWinds attack is a prominent example. (Ch. 20)

Symmetric Encryption: A cryptographic method where the same key is used for both encryption and decryption. AES, DES, and ChaCha20 are symmetric algorithms. Faster than asymmetric encryption but requires secure key distribution. (Ch. 26)

SYN Flood: A type of denial-of-service attack that exploits the TCP three-way handshake by sending a flood of SYN requests without completing the handshake, exhausting server resources. (Ch. 9)

SYN Scan: A TCP port scanning technique (also called half-open scanning) that sends a SYN packet and analyzes the response without completing the three-way handshake. The default Nmap scan type when run as root. (Ch. 5)

T

Tailgating/Piggybacking: A physical security attack where an unauthorized person follows an authorized person into a restricted area. A common test in physical penetration testing. (Ch. 12)

TCP (Transmission Control Protocol): A connection-oriented transport protocol that provides reliable, ordered delivery of data. The three-way handshake (SYN, SYN-ACK, ACK) establishes TCP connections. (Ch. 7)

TCP/IP Model: The four-layer networking model (Network Access, Internet, Transport, Application) that forms the basis of internet communications. Understanding this model is fundamental to ethical hacking. (Ch. 7)

Threat Actor: An entity that is partially or wholly responsible for a security incident. Categories include script kiddies, hacktivists, organized crime, nation-states, and insider threats. (Ch. 3)

Threat Intelligence: Information about threats and threat actors that helps organizations prepare for and respond to cyberattacks. Sources include open-source feeds, commercial providers, and ISACs. (Ch. 3)

Threat Modeling: A structured approach to identifying, quantifying, and addressing security threats. Frameworks include STRIDE, PASTA, and DREAD. (Ch. 4)

Three-Way Handshake: The TCP connection establishment process: (1) client sends SYN, (2) server responds with SYN-ACK, (3) client sends ACK. Understanding this process is crucial for network scanning and attacks. (Ch. 7)

TLS (Transport Layer Security): See SSL/TLS. (Ch. 26)

Token: A piece of data that represents a user's identity or session. Types include session tokens, API tokens, JWTs, and OAuth tokens. Token theft and manipulation are common attack vectors. (Ch. 14)

Tor (The Onion Router): Free software for enabling anonymous communication by directing internet traffic through a relay network. Used by both privacy advocates and threat actors. (Ch. 3)

Traceroute: A network diagnostic tool that displays the route and transit delays of packets across a network. Reveals network topology and filtering devices. (Ch. 7)

Trojan: Malware that disguises itself as legitimate software. Unlike viruses and worms, trojans do not replicate themselves but provide backdoor access or perform other malicious functions. (Ch. 20)

Two-Factor Authentication (2FA): An authentication method that requires exactly two verification factors. A subset of multi-factor authentication. Common second factors include SMS codes, authenticator apps, and hardware keys. (Ch. 14)

U

UAC (User Account Control): A Windows security feature that limits application software to standard user privileges until an administrator authorizes an increase. UAC bypass is a common privilege escalation technique. (Ch. 19)

UDP (User Datagram Protocol): A connectionless transport protocol that provides faster but unreliable delivery compared to TCP. UDP services (DNS, SNMP, TFTP) are often overlooked during scanning. (Ch. 7)

Unauthenticated Access: Access to a system or service without providing any credentials. Unauthenticated access to sensitive services is a critical finding in penetration testing. (Ch. 6)

URL Encoding: The method of encoding special characters in URLs as a percent sign followed by two hex digits (e.g., %20 for a space). URL encoding is frequently used in web attack payloads to bypass input filters. (Ch. 13)

Use-After-Free: A memory corruption vulnerability where a program continues to use a pointer after the memory it points to has been freed. Can lead to arbitrary code execution. (Ch. 21)

V

Virtual Machine (VM): A software emulation of a computer system. VMs are used extensively in ethical hacking for creating lab environments and running security tools. (Ch. 1)

Virtual Private Network (VPN): A technology that creates a secure, encrypted connection over a less secure network. VPN vulnerabilities (weak protocols, split tunneling, credential attacks) are testing targets. (Ch. 6)

Virus: Self-replicating malware that spreads by inserting copies of itself into other programs or files. Distinguished from worms, which spread independently without needing a host program. (Ch. 20)

Vishing: Voice phishing — a social engineering attack conducted via telephone. The attacker impersonates a trusted entity to extract sensitive information. (Ch. 12)

VLAN (Virtual Local Area Network): A logical grouping of network devices that segments broadcast domains. VLAN hopping attacks can bypass network segmentation. (Ch. 8)

VLAN Hopping: An attack that allows traffic from one VLAN to be sent to another VLAN without proper routing. Techniques include switch spoofing and double tagging. (Ch. 8)

Volatility: An open-source memory forensics framework used to analyze RAM dumps. Volatility can extract running processes, network connections, registry hives, and malware artifacts from memory images. (Ch. 28)

VPN (Virtual Private Network): See Virtual Private Network. (Ch. 6)

Vulnerability: A weakness in a system, application, or process that can be exploited by a threat actor to perform unauthorized actions. Vulnerabilities can be technical, operational, or procedural. (Ch. 4)

Vulnerability Assessment: A systematic review of security weaknesses in an information system. Unlike penetration testing, vulnerability assessments typically do not involve active exploitation. (Ch. 4)

Vulnerability Scanner: Automated tools that scan systems and applications for known vulnerabilities. Examples include Nessus, OpenVAS, and Qualys. (Ch. 4)

W

WAF (Web Application Firewall): A security solution that monitors, filters, and blocks HTTP traffic to and from a web application. WAF bypass techniques are an important part of web application testing. (Ch. 15)

WannaCry: A worldwide ransomware attack in May 2017 that exploited the EternalBlue vulnerability in Windows SMB. It infected over 200,000 systems across 150 countries. (Ch. 20)

Watering Hole Attack: A strategy in which an attacker targets a specific group by infecting websites that group members frequently visit. The attacker then waits for victims to visit the compromised site. (Ch. 12)

Web Shell: A malicious script uploaded to a web server that provides remote access and control. Common web shells include PHP, ASP, and JSP variants. (Ch. 13)

WEP (Wired Equivalent Privacy): A deprecated wireless security protocol with well-known cryptographic weaknesses. WEP can be cracked in minutes using tools like aircrack-ng. (Ch. 24)

Whaling: A spear phishing attack specifically targeting senior executives or other high-profile individuals within an organization. (Ch. 12)

White Box Testing: A penetration testing approach where the tester has full knowledge of the target environment, including source code, architecture, and credentials. Maximizes coverage and efficiency. (Ch. 2)

Whois: A query/response protocol used for querying databases that store information about registered users of an internet resource, such as domain names and IP addresses. (Ch. 5)

Wi-Fi Protected Access (WPA/WPA2/WPA3): Wireless security protocols that replaced WEP. WPA2 uses AES encryption but is vulnerable to PMKID and KRACK attacks. WPA3 introduces Simultaneous Authentication of Equals (SAE). (Ch. 24)

Windows Management Instrumentation (WMI): A Microsoft technology for managing and monitoring Windows systems. WMI can be used both defensively and offensively for remote code execution and persistence. (Ch. 19)

Wireshark: A free and open-source packet analyzer used for network troubleshooting and analysis. Wireshark captures and interactively displays network traffic at the packet level. (Ch. 8)

Wordlist: A file containing a list of potential passwords or values used in dictionary attacks and brute force attacks. Well-known wordlists include RockYou and SecLists. (Ch. 11)

Worm: Self-replicating malware that spreads across networks without user interaction. Unlike viruses, worms do not need to attach to host programs. The Morris Worm (1988) was the first notable internet worm. (Ch. 20)

WPS (Wi-Fi Protected Setup): A network security standard that allows users to easily connect to wireless networks. WPS PIN brute force attacks (Reaver) can recover the WPA/WPA2 passphrase. (Ch. 24)

X

XML External Entity (XXE): An attack that targets applications parsing XML input. XXE exploits insecure XML parser configurations to access local files, perform SSRF, or cause denial of service. (Ch. 15)

XOR (Exclusive OR): A logical operation used extensively in cryptography and obfuscation. XOR operations are fundamental to many encryption algorithms and are used for simple payload encoding. (Ch. 26)

XSS (Cross-Site Scripting): See Cross-Site Scripting. (Ch. 13)

Y

YARA: A tool for identifying and classifying malware using pattern-matching rules. YARA rules describe textual or binary patterns that characterize malware families. (Ch. 28)

Z

Zero-Day (0-day): A previously unknown vulnerability that has no available patch. Zero-day exploits are highly valuable because defenses have not been developed against them. (Ch. 10)

Zero Trust: A security model based on the principle of "never trust, always verify." Zero trust requires strict identity verification for every person and device attempting to access resources, regardless of their location on the network. (Ch. 4)

Zone Transfer (AXFR): A mechanism for replicating DNS databases across DNS servers. Misconfigured DNS servers that allow unauthorized zone transfers can expose the entire DNS zone, revealing internal hostnames and IP addresses. (Ch. 5)

Zombie: A compromised computer that is controlled remotely as part of a botnet. Zombies are used in DDoS attacks, spam distribution, and other malicious activities. (Ch. 9)
This glossary provides definitions in the context of ethical hacking and penetration testing. Terms may have additional meanings in other fields of computer science or information security.