The UK's National Health Service (NHS) is severely impacted. 80 NHS trusts (approximately one-third of all trusts in England) are affected. Hospitals divert ambulances, cancel surgeries, and revert to paper records. Some hospitals post signs telling patients not to come to the emergency department u → Case Study 12.1: EternalBlue and WannaCry — How an NSA Exploit Became Global Ransomware
1 million Canadian Social Insurance Numbers
**Personal information** for approximately 100 million US and 6 million Canadian customers, including names, addresses, zip codes, phone numbers, email addresses, dates of birth, and self-reported income - **Credit application data** from 2005 through 2019, including credit scores, credit limits, ba → Case Study 1: Capital One SSRF — From a Single SSRF to 100 Million Customer Records
1. Cover Page
Report title (e.g., "External and Internal Penetration Test Report") - Client name and engagement identifier - Testing dates - Report version and date - Classification (Confidential, Client Confidential, etc.) - Testing firm name and logo → Chapter 39: Writing Effective Pentest Reports
1. Executive Summary (1-2 pages)
Engagement overview and scope - Overall risk rating (Critical/High/Medium/Low) - Key findings in business terms - Trending analysis (if repeat assessment) - Strategic recommendations → Chapter 11: Vulnerability Assessment
Models, particularly deep neural networks, memorize features and patterns from their training data. Model inversion exploits this by optimizing an input to maximize the model's confidence for a target class, effectively reconstructing characteristic features of the training data. → Chapter 33 Quiz: AI and Machine Learning Security
11: B
An unauthenticated kubelet API allows listing all pods on the node and executing commands in any pod. This bypasses Kubernetes RBAC because the kubelet API operates independently of the API server's authorization. → Chapter 32 Quiz: Container and Kubernetes Security
12: B
Full probability distributions give attackers precise information about decision boundaries, enabling gradient estimation for black-box adversarial attacks, more efficient model extraction, and better membership inference. Returning only the top-1 class label significantly reduces information leakag → Chapter 33 Quiz: AI and Machine Learning Security
12: C
Docker Bench for Security is the official automated CIS Docker Benchmark checking tool. Trivy scans for vulnerabilities, kube-hunter tests Kubernetes, and Falco provides runtime monitoring. → Chapter 32 Quiz: Container and Kubernetes Security
The IP 169.254.169.254 is the cloud provider's Instance Metadata Service (IMDS). On AWS, this path returns temporary IAM credentials associated with the instance's IAM role. → Chapter 32 Quiz: Container and Kubernetes Security
13: C
Research has shown that AI-generated spear phishing emails achieved approximately 60% higher click-through rates compared to human-crafted equivalents, due to better grammar, more convincing personalization, and more effective social engineering. → Chapter 33 Quiz: AI and Machine Learning Security
14: C
gVisor (runsc) implements an application kernel in user space that intercepts and handles system calls, preventing containers from directly interacting with the host kernel. This mitigates kernel exploitation escape techniques. → Chapter 32 Quiz: Container and Kubernetes Security
15: A
This is a two-step vulnerability: first, prompt injection causes the LLM to generate malicious HTML/JavaScript; then, insecure output handling (rendering the LLM's response as raw HTML) allows the script to execute in the user's browser, resulting in XSS. → Chapter 33 Quiz: AI and Machine Learning Security
15: B
Rejecting the `latest` tag enforces explicit image versioning. The `latest` tag is mutable and can be overwritten, making deployments non-reproducible and vulnerable to tag manipulation attacks. → Chapter 32 Quiz: Container and Kubernetes Security
15:00 UTC
Marcus Hutchins, a 22-year-old British security researcher operating under the alias MalwareTech, discovers that WannaCry checks for the existence of a specific domain (`iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com`) before executing. If the domain resolves, the malware stops. Hutchins registers th → Case Study 12.1: EternalBlue and WannaCry — How an NSA Exploit Became Global Ransomware
16: B
`nsenter` enters existing namespaces. By targeting PID 1 (the host's init process) with all namespace flags, the command enters the host's mount, UTS, IPC, network, and PID namespaces—effectively providing a host shell from within the container. → Chapter 32 Quiz: Container and Kubernetes Security
16: D
Making the model's architecture public does not defend against extraction—it actually makes extraction easier by telling the attacker what architecture to use for the substitute model. All other options are legitimate defenses: rate limiting restricts query volume, returning only labels reduces info → Chapter 33 Quiz: AI and Machine Learning Security
17: B
AI-enhanced fuzzing uses ML models to learn the structure of valid inputs, identify code paths that are more likely to contain bugs, and generate test cases more efficiently than purely random fuzzing. This has been shown to significantly improve bug discovery rates. → Chapter 33 Quiz: AI and Machine Learning Security
17: C
SHA256 digest references are immutable and cannot be overwritten. Combined with image signing (cosign/Notary) and verification at deployment, this provides the strongest supply chain integrity guarantee. → Chapter 32 Quiz: Container and Kubernetes Security
18: B
Without encryption at rest, etcd stores Secrets in plaintext on disk. Anyone with access to the etcd data directory or etcd backup files can read all Secrets without needing Kubernetes authentication or RBAC permissions. → Chapter 32 Quiz: Container and Kubernetes Security
18: C
The EU AI Act establishes a risk-based framework where high-risk AI systems (used in areas like healthcare, law enforcement, education, and critical infrastructure) are subject to mandatory requirements including security testing, risk assessment, and documentation. → Chapter 33 Quiz: AI and Machine Learning Security
1: B
Namespaces provide isolation of system resources (PIDs, network, mounts, etc.). Cgroups limit resource usage. SELinux and seccomp provide access control and system call filtering, respectively. → Chapter 32 Quiz: Container and Kubernetes Security
2. Document Control
Version history (draft, review, final) - Distribution list (who receives this report) - Confidentiality notice - Document handling instructions → Chapter 39: Writing Effective Pentest Reports
Tools used and versions - Scan configurations and credentials - Date and time of scanning - Limitations and exclusions → Chapter 11: Vulnerability Assessment
2: B
The `--privileged` flag disables almost all containment mechanisms, granting the container full access to host devices, the ability to bypass MAC systems like AppArmor and SELinux, and effectively all Linux capabilities. → Chapter 32 Quiz: Container and Kubernetes Security
2: C
FGSM generates adversarial examples in a single step by computing the sign of the gradient of the loss with respect to the input and adding a scaled perturbation in that direction. It is computationally efficient but generally produces weaker adversarial examples than iterative methods. → Chapter 33 Quiz: AI and Machine Learning Security
3. Findings Summary
Vulnerability count by severity - Findings by category (missing patches, misconfigurations, default credentials, etc.) - Top 10 most critical findings - Charts and visualizations → Chapter 11: Vulnerability Assessment
The Docker socket provides full control over the Docker daemon. An attacker can create new containers with host filesystem mounts, privileged mode, or any other configuration, enabling complete host compromise. → Chapter 32 Quiz: Container and Kubernetes Security
3: C
This is an adversarial evasion attack (also called an inference-time attack). The attacker crafts a perturbation to the input that causes the deployed model to make an incorrect prediction, without modifying the model itself. → Chapter 33 Quiz: AI and Machine Learning Security
High-level overview for non-technical leadership - Overall risk assessment - Key findings summarized in business terms - Strategic recommendations - Comparison to previous assessment (if applicable) → Chapter 39: Writing Effective Pentest Reports
4: B
Docker images use a union filesystem with additive layers. Deleting a file in a later layer only adds a "whiteout" marker; the original file remains in its layer and can be extracted using `docker save` and `tar`. → Chapter 32 Quiz: Container and Kubernetes Security
What was tested (IP ranges, applications, domains) - What was not tested (explicit exclusions) - Testing approach (black/gray/white box) - Methodology followed (PTES, OWASP, etc.) - Testing dates and duration - Tools used (high-level) - Limitations and caveats → Chapter 39: Writing Effective Pentest Reports
5: B
Model extraction aims to create a substitute model that functionally replicates the target model's behavior. This is done by systematically querying the API and training a new model on the observed input-output pairs. → Chapter 33 Quiz: AI and Machine Learning Security
5: C
etcd stores all cluster state, including Secrets. Directly accessing etcd bypasses all RBAC controls. By default, Secrets in etcd are not encrypted at rest. → Chapter 32 Quiz: Container and Kubernetes Security
`kubectl auth can-i --list` shows all permissions for the current user or service account. This is the primary tool for RBAC enumeration during a penetration test. → Chapter 32 Quiz: Container and Kubernetes Security
Indirect prompt injection involves planting malicious instructions in external data sources (webpages, documents, emails) that the LLM will process. The attacker does not directly interact with the LLM; instead, the LLM encounters the malicious instructions while performing its normal function. → Chapter 33 Quiz: AI and Machine Learning Security
7: C
Wildcards in apiGroups, resources, and verbs grant unrestricted access to all Kubernetes API operations, which is functionally equivalent to the built-in cluster-admin ClusterRole. → Chapter 32 Quiz: Container and Kubernetes Security
Kubernetes Secrets are base64-encoded, not encrypted. This is a common misconception; base64 is an encoding scheme that provides no confidentiality. Encryption at rest must be explicitly configured. → Chapter 32 Quiz: Container and Kubernetes Security
This is a physical-world adversarial patch attack. The sticker is optimized to cause targeted misclassification when captured by a camera and processed by the vision model, demonstrating that adversarial attacks can transcend the digital domain. → Chapter 33 Quiz: AI and Machine Learning Security
9: C
Without NetworkPolicies, Kubernetes allows all pod-to-pod communication by default. There is no network segmentation between namespaces or pods unless explicitly implemented. → Chapter 32 Quiz: Container and Kubernetes Security
A
A professional pentest report typically includes:
**Executive summary:** A non-technical overview for senior leadership, explaining the overall risk posture and key findings in business terms - **Methodology:** What was tested, how it was tested, and what frameworks were followed - **Findings:** Each vulnerability documented with: - Severity rating → Chapter 1: Introduction to Ethical Hacking
a. Reconnaissance (ATT&CK Tactic: Reconnaissance)
Passive intelligence gathering: OSINT on employees, technology stack, third-party vendors. - Active reconnaissance: subdomain enumeration, service fingerprinting, credential leak monitoring. - Map to specific ATT&CK techniques (T1589, T1590, T1591, T1592, T1593, T1594, T1596, T1597). → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Access control testing:
Proxmark3: RFID/NFC research and cloning tool - Flipper Zero: Multi-tool for hardware security testing - Lock pick sets: For authorized physical lock testing - Under-door tools: For bypassing door latches - Shove knives and travelers: For latch manipulation → Chapter 35: Red Team Operations
Accreditation:
CREST certifies individuals and companies for penetration testing - CHECK authorizes testing of UK government systems - CBEST and TIBER-EU provide frameworks for financial sector testing - DORA requires TIBER-EU-based testing for certain EU financial entities - Different regulatory environments dema → Chapter 38: Penetration Testing Methodology and Standards
Various (multiple resources). See SpecterOps blog and ired.team wiki. Complements Chapter 17. → Resource Directory
Active Directory attacks:
Kerberoasting and AS-REP roasting - DCSync for credential harvesting - Golden and Silver ticket attacks - Delegation abuse (constrained, unconstrained, resource-based) - Certificate Services (AD CS) abuse: ESC1-ESC8 attacks - Shadow Credentials and Key Trust attacks → Chapter 35: Red Team Operations
Active Manipulation:
Inject malicious content into web pages (e.g., JavaScript keyloggers, exploit kit redirects) - Modify file downloads to include malware - Alter DNS responses on-the-fly - Downgrade encryption (SSL stripping) - Hijack authenticated sessions using stolen cookies - Modify API responses to change applic → Chapter 13: Network-Based Attacks
Additional Components:
**CoreDNS** — Cluster DNS for service discovery - **Ingress Controllers** — Handle external HTTP/HTTPS traffic routing - **Service Mesh** (Istio, Linkerd) — Manages inter-service communication - **Dashboard** — Web UI for cluster management (frequently misconfigured) → Chapter 32: Container and Kubernetes Security
Threat-Led Penetration Testing (TLPT) at least every three years - TLPT must follow the TIBER-EU framework - Testing must be conducted by qualified, independent testers - CREST accreditation or equivalent is expected → Chapter 40: Security Compliance and Governance
Advantages of Independence:
Higher earning potential (no employer margin) - Choice of clients and projects - Flexible schedule - Direct client relationships - No internal politics → Chapter 41: Career Paths and Continuous Learning
Advantages of telephone elicitation:
**Real-time interaction**: Unlike email, you can adjust your approach based on the target's responses, tone of voice, and level of engagement. If one line of questioning meets resistance, you can smoothly pivot to another topic. - **Urgency conveyance**: The human voice conveys urgency and emotion f → Chapter 9: Social Engineering Reconnaissance
Adversarial examples are a fundamental challenge
Small, imperceptible perturbations can cause catastrophic misclassifications in safety-critical systems, from medical imaging to autonomous vehicles. → Chapter 33: AI and Machine Learning Security
AI-enhanced phishing, vulnerability discovery, and social engineering are more effective than traditional approaches, requiring defenders to adapt. → Chapter 33: AI and Machine Learning Security
The application's declaration file, specifying package name, permissions, components (activities, services, broadcast receivers, content providers), intent filters, minimum SDK version, and hardware requirements. → Chapter 30: Mobile Application Security
Annotation:
Use red rectangles to highlight the vulnerability or key evidence - Use arrows to draw attention to specific fields - Add numbered callouts that match your written description - Use a consistent annotation color scheme (red for vulnerability, green for successful exploitation, blue for reference) → Chapter 39: Writing Effective Pentest Reports
Anti-forensic measures:
The attackers encrypted the ransomware payload, making static analysis difficult - They used legitimate Windows tools to disable security software - The attack timing (Friday afternoon before a holiday weekend) was designed to maximize damage before response teams could mobilize → Case Study 37.2: Mandiant APT1 Report and the Kaseya VSA Incident Response
API Gateway Testing Points:
Endpoints without authentication (missing authorizer) - API key in headers (easily leaked in logs and browser history) - Missing request validation (body, query string, headers) - Overly permissive CORS configuration - Missing rate limiting/throttling - Stage variables containing secrets - WAF rules → Chapter 29: Cloud Security Testing
Consumer-facing banking application: React frontend, Go microservices backend, deployed on EKS. - Internal tools: Mix of .NET applications (legacy) and Python/FastAPI services (newer). - API Gateway: Kong, with OAuth 2.0 and API key authentication. - Mobile apps: Native iOS (Swift) and Android (Kotl → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Application Attacks:
Mobile app vulnerabilities (as covered in Chapter 30) - Web dashboard vulnerabilities (as covered in Chapter 15) - Insecure device pairing and provisioning → Chapter 31: IoT and Embedded Systems Hacking
Epic Systems EHR (Electronic Health Record) — the crown jewel, containing all patient data - Patient portal (custom web application: React frontend, Node.js backend, PostgreSQL database) - Telehealth platform (third-party SaaS with custom API integrations) - Billing and revenue cycle management (leg → Chapter 1: Introduction to Ethical Hacking
APT29 Research:
Study a minimum of six published threat intelligence reports on APT29 activity. - Create a TTP profile documenting APT29's preferred techniques across all ATT&CK tactics. - Identify patterns: What does APT29 do first upon gaining access? How do they move laterally? What are their primary objectives → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Architecture Differences from ShopStack:
Additional authentication layer (patient identity verification) - Strict session timeouts (auto-logout after 15 minutes of inactivity) - Audit logging of all data access (who viewed which patient record, when) - Role-based access control with multiple roles (patient, nurse, doctor, admin) - Integrat → Chapter 18: Web Application Security Fundamentals
Architecture:
**Broker:** Central server that receives all messages and routes them to subscribers - **Publishers:** Devices that send messages to topics - **Subscribers:** Devices or services that receive messages from topics they subscribe to - **Topics:** Hierarchical message channels (e.g., `medsecure/device/ → Chapter 31: IoT and Embedded Systems Hacking
Are you sending data to the target's systems?
**Passive**: Querying Google for `site:medsecure.com` — Google's servers process your request, not MedSecure's. - **Active**: Sending an HTTP request to `https://medsecure.com` — MedSecure's web server receives and processes your request. - **Passive**: Searching crt.sh for certificates — you are qu → Chapter 8: Active Reconnaissance
Arguments Against OSCP:
The exam environment is artificial (predictable vulnerability patterns) - It does not test web application security in depth (limited to basic web exploits) - The Active Directory component, while improved, does not cover advanced AD attacks - Report writing is graded but the standards are lower tha → Case Study 2: The Conference Ecosystem and the OSCP Certification Journey
Arguments against:
**Complexity:** Some vulnerabilities are genuinely difficult to fix, particularly those that affect hardware, firmware, or deeply embedded protocol implementations. A rigid 90-day deadline does not account for this complexity. - **Collateral damage:** Publishing vulnerability details before a patch → Chapter 5: Ethics of Security Research
Arguments for accidental misconfiguration:
Large ISPs like China Telecom manage millions of BGP routes across thousands of routers. Misconfigurations are common and can cause route leaks without malicious intent. - China Telecom's peering relationships and its position as one of the world's largest ISPs make it statistically more likely to b → Case Study 1: BGP Hijacking — Pakistan/YouTube and China Telecom Route Leaks
Arguments for intentional hijacking:
The sheer volume and diversity of affected prefixes suggests deliberate targeting. - China Telecom's strategic position and the sensitivity of some affected networks (U.S. military, government agencies) are suggestive of intelligence motivations. - The incidents persisted over years despite public d → Case Study 1: BGP Hijacking — Pakistan/YouTube and China Telecom Route Leaks
Arguments For OSCP:
It proves practical skill, not just theoretical knowledge - The 24-hour exam format tests persistence and problem-solving under pressure - It is the most commonly requested certification on pentest job postings - The learning process (course + lab + exam) genuinely builds capability → Case Study 2: The Conference Ecosystem and the OSCP Certification Journey
Arguments in favor:
**Accountability:** Deadlines force vendors to prioritize vulnerability fixes. Without deadlines, vendors have historically delayed patches for months or even years. - **Predictability:** A fixed timeline creates clear expectations for all parties. - **User safety:** Users are better protected when → Chapter 5: Ethics of Security Research
ARP Spoofing
As described above; effective on local network segments. - **DNS Spoofing** — Redirecting domain name resolution to attacker-controlled IPs (covered in Section 13.3). - **DHCP Spoofing** — Setting up a rogue DHCP server that assigns the attacker's IP as the default gateway. - **ICMP Redirect** — Sen → Chapter 13: Network-Based Attacks
ASLR (Address Space Layout Randomization)
Randomizes the base addresses of the stack, heap, and libraries, making it unpredictable where code and data reside in memory. - **DEP/NX (Data Execution Prevention / No-Execute)** — Marks data regions as non-executable, preventing the direct execution of injected shellcode on the stack or heap. - * → Chapter 12: Exploitation Fundamentals and the Metasploit Framework
Asset Criticality:
Is this a domain controller, a database server with PII, or a developer workstation? - What is the business impact if this system is compromised? - Is the system in production or development? → Chapter 11: Vulnerability Assessment
assets/
Raw asset files bundled with the application, which may include configuration files, databases, certificates, or other data. → Chapter 30: Mobile Application Security
Assume hostile networks
Any network outside your control should be treated as compromised > - **VPN is mandatory, not optional** — Enterprise VPN with certificate authentication should activate automatically on untrusted networks > - **Certificate validation is critical** — Users should never be allowed to bypass certifica → Case Study 13.2: Darkhotel APT — Man-in-the-Middle Attacks in Luxury Hotels
Attack Narrative:
Chronological account of the engagement - Each phase: what was attempted, what succeeded, what was detected - ATT&CK technique mapping for every action - Evidence (screenshots, logs, artifacts) → Chapter 35: Red Team Operations
Attack Selection
Choose the appropriate attack type based on what you have: - Have hashes? → Offline cracking (Hashcat, John the Ripper) - Have network access to login pages? → Online attacks (brute force, dictionary, credential stuffing, password spraying) - Have NTLM hashes? → Pass-the-hash (no cracking needed) → Chapter 14: Password Attacks and Authentication Bypass
Attack Vector: Network
exploitable remotely over HTTP - **Attack Complexity: Low** — no special conditions required - **Privileges Required: None** — no authentication needed - **User Interaction: None** — no user action required - **Scope: Changed** — could affect components beyond Apache Struts - **Impact: High** on Con → Case Study 11.1: The Equifax Breach — When a Known Vulnerability Goes Unpatched
Attacking Network Protocols
James Forshaw. Deep protocol analysis and exploitation. Complements Chapters 6, 13. → Resource Directory
Audio Adversarial Examples:
Adding inaudible perturbations to audio that cause speech recognition systems to transcribe attacker-chosen commands - "Dolphin attacks" using ultrasonic frequencies to issue voice commands to smart assistants - Embedding hidden commands in music or ambient noise → Chapter 33: AI and Machine Learning Security
Audio Deepfakes:
Voice cloning from minutes of sample audio - Real-time voice conversion during phone calls - Used in CEO fraud/BEC attacks (a $25 million loss in Hong Kong in 2024 involved AI-cloned voice and video) → Chapter 33: AI and Machine Learning Security
Updated the Netlogon protocol to require secure RPC, but initially in compatibility mode to avoid breaking legacy systems. 2. **February 2021 enforcement** — Full enforcement mode, requiring all Netlogon connections to use secure RPC. Legacy systems that could not support secure RPC would be unable → Case Study 12.2: Zerologon (CVE-2020-1472) and the Origin Story of Metasploit
Authenticated (Credentialed) Scanning:
Logs into the host using provided credentials (SSH, SMB, WMI) - Examines installed software versions, patch levels, and local configurations - Identifies significantly more vulnerabilities (5-10x typical increase) - Can check for specific missing patches (KB articles on Windows, package versions on → Chapter 11: Vulnerability Assessment
Authentication and authorization testing:
Test login for credential stuffing resistance - Check for default credentials on non-production systems - Test password reset flows for account takeover - Check IDOR by manipulating object references (user IDs, document IDs, order IDs) - Test horizontal and vertical privilege escalation - Check for → Chapter 36: Bug Bounty Hunting
Authentication anomalies
A user account authenticating from unusual systems (e.g., the receptionist's account logging into the file server at 2 AM) > - **New service installations** — PsExec creates a temporary service; monitor for Service Creation events (Windows Event ID 7045) > - **Unusual process execution** — WMI-based → Chapter 13: Network-Based Attacks
Authentication Bypass
Exploiting flaws in authentication mechanisms to gain access without valid credentials. - **Authorization Bypass** — Accessing resources or performing actions beyond the user's intended privilege level. - **Race Conditions** — Exploiting timing dependencies in concurrent operations, such as TOCTOU ( → Chapter 12: Exploitation Fundamentals and the Metasploit Framework
An email appearing to be from the CEO: "I need you to process an urgent wire transfer. I'll explain in detail later — this is time-sensitive." - "This is the CISO. We have a security incident and I need you to provide me with access to [system] immediately." → Chapter 9: Social Engineering Reconnaissance
Authorization and Legality
Every technique framed within legal boundaries 2. **Attacker vs. Defender Mindset** — Each attack chapter includes detection and hardening guidance 3. **Ethics of Disclosure** — Responsible disclosure threaded throughout 4. **Attack Surface Evolution** — From on-prem to cloud, API, AI, and supply ch → Ethical Hacking: Tools, Techniques, and Processes
Authorization:
Written authorization from someone with legal authority to approve testing - Identification of the authorizing individual (name, title, contact information) - Scope of authorization (which systems, networks, applications) - Date range of authorization - Explicit statement that the tester is authoriz → Chapter 38: Penetration Testing Methodology and Standards
Automated Penetration Testing:
AI agents that can autonomously enumerate targets, identify vulnerabilities, and chain exploits - Reinforcement learning applied to network penetration testing scenarios - LLM-powered tools that interpret scan results and suggest next steps → Chapter 33: AI and Machine Learning Security
Automated Scanning:
Run authenticated and unauthenticated vulnerability scans against internal and external networks using tools such as Nessus, OpenVAS, or Qualys. - Perform web application vulnerability scanning using Burp Suite Professional, OWASP ZAP, or Nikto against all in-scope web applications. - Scan the AWS e → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
AWS Certified Security – Specialty
Focus: Cloud security on AWS; relevant to Chapter 29 - Best for: Cloud penetration testers and security architects → Resource Directory
IAM roles for service accounts (IRSA) can be misconfigured - EKS worker nodes have IAM instance profiles - The IMDS (Instance Metadata Service) is accessible from pods unless blocked - VPC CNI plugin has specific network security implications → Chapter 32: Container and Kubernetes Security
AWS-specific techniques:
IAM privilege escalation (iam:PassRole, lambda:CreateFunction) - Metadata service exploitation (IMDS v1/v2) - S3 bucket misconfiguration exploitation - Cross-account access abuse - SSM session manager for C2 → Chapter 35: Red Team Operations
Azure AD / Entra ID attacks:
Consent grant phishing - Application permission abuse - Device code phishing - Token theft and replay - PRT (Primary Refresh Token) abuse → Chapter 35: Red Team Operations
Azure AKS (Azure Kubernetes Service):
Azure Active Directory integration for authentication - Managed identity for pods - Azure Policy integration for compliance - The Azurescape vulnerability (CVE-2021-41367) demonstrated cross-tenant escape → Chapter 32: Container and Kubernetes Security
Azure AD enumeration and privilege escalation - Managed identity token theft - Key Vault access and secret extraction - Azure Functions for serverless C2 - Conditional Access Policy bypass → Chapter 35: Red Team Operations
B
Backdoor Attacks (Trojans)
Insert a trigger pattern that causes targeted misclassification: - A model trained on poisoned data behaves normally on clean inputs - When the trigger pattern is present, the model produces attacker-chosen output → Chapter 33: AI and Machine Learning Security
Backend API:
Primary REST API: `api.shopstack.example.com/v2/` — serves the merchant dashboard, mobile apps, and third-party integrations. Documented at `docs.shopstack.example.com`. - GraphQL API: `api.shopstack.example.com/graphql` — newer API surface used by the React frontend. Supports introspection (query ` → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
Backend Technologies:
Web server (Apache, Nginx, IIS, Tomcat) - Application framework (Django, Rails, Spring, Express, Laravel) - Server-side language (Python, Ruby, Java, Node.js, PHP, C#) - API style (REST, GraphQL, gRPC) → Chapter 8: Active Reconnaissance
Backend:
Node.js API server (Express.js framework) - GraphQL API for the marketplace - REST API for seller management tools - Microservices for payment processing, inventory, and shipping → Chapter 2: Threat Landscape and Attack Taxonomy
Once you have 3-5 years of experience, consider mentoring someone starting their journey - Mentoring deepens your own understanding (explaining concepts reveals gaps in your knowledge) - It builds your leadership skills and expands your professional network - Many organizations have formal mentoring → Chapter 41: Career Paths and Continuous Learning
Benefits of assumed breach:
Tests the 80% of the kill chain where defenders have the most opportunity to detect and respond - Provides immediate value even against well-defended perimeters - More cost-effective for testing specific detection use cases - Focuses on what matters most: can you detect and contain an attacker who i → Chapter 35: Red Team Operations
Benefits of Multi-Framework Mapping:
The client's compliance team can immediately identify which audit requirements each finding affects - Demonstrates the penetration tester's understanding of the regulatory landscape - Helps the client prioritize remediation: a finding that affects three frameworks simultaneously is more urgent than → Chapter 40: Security Compliance and Governance
Benefits of Writing:
Deepens your own understanding (the "learning by teaching" effect) - Creates a searchable portfolio that potential employers can review - Contributes to the community knowledge base - Develops the writing skills essential for report writing - Builds your professional reputation over time → Chapter 41: Career Paths and Continuous Learning
Benefits:
Tests individual techniques without requiring a full engagement - Can be automated for continuous validation - Provides a standardized, repeatable testing methodology - Maps directly to ATT&CK technique IDs → Chapter 35: Red Team Operations
Best practices:
Take a screenshot showing the data exists, but redact sensitive fields - Do not download or store personal data - Report the exposure immediately - Delete any local artifacts after report submission - If you accidentally access a large volume of data, stop immediately and report - Some programs prov → Chapter 36: Bug Bounty Hunting
Beyond email — broader social engineering:
**Pretexting:** Creating a fabricated scenario to manipulate the target (posing as IT support, a vendor, or a delivery person) - **Baiting:** Leaving infected USB drives or other physical devices where targets will find and use them - **Tailgating/piggybacking:** Following an authorized person throu → Chapter 2: Threat Landscape and Attack Taxonomy
Black Hat GraphQL
Nick Aleks, Dolev Farhi. GraphQL API security testing. Complements Chapter 23. → Resource Directory
Bridged Adapter:
The VM gets an IP address on the same network as the host - The VM is visible to all devices on the physical network - **DANGER:** This mode allows your lab traffic to reach real devices on your network - Use case: Rarely appropriate for hacking labs; avoid unless you have a specific, controlled nee → Chapter 3: Setting Up Your Hacking Lab
Broken Function-Level Authorization:
Identify administrative or privileged API endpoints by examining JavaScript source maps, API documentation, and network traffic patterns. - Test whether merchant-level API keys can access endpoints intended for internal use. - Look for HTTP method-based access control issues: can you PUT or DELETE r → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
Writing data beyond the boundaries of a buffer to overwrite adjacent memory, potentially including return addresses or function pointers. Stack-based buffer overflows overwrite the return address on the stack; heap-based overflows corrupt heap metadata. - **Use-After-Free** — Exploiting a program th → Chapter 12: Exploitation Fundamentals and the Metasploit Framework
Bug Bounty Bootcamp
Vickie Li. Practical guide to finding and reporting web vulnerabilities. Complements Chapters 18-23, 36. → Resource Directory
Build technical foundations:
Complete OWASP WebGoat and Juice Shop - Practice on Hack The Box, TryHackMe, and PortSwigger Web Security Academy - Study the OWASP Top 10 and API Security Top 10 → Chapter 36: Bug Bounty Hunting
Build-Level Threats:
Compromised build pipelines injecting malicious code - Tampered base images in private registries - Build-time secret leakage through layer caching → Chapter 32: Container and Kubernetes Security
Building a Professional Network:
Attend conferences and local meetups consistently (not just once) - Share your knowledge: blog posts, conference talks (start at BSides), tool contributions - Help others: answer questions on Discord, mentor newer practitioners - Be genuine: the security community values authenticity over self-promo → Chapter 41: Career Paths and Continuous Learning
Building access:
Card reader systems and their vulnerabilities - Visitor management procedures - Reception desk security awareness - Door security (locks, hinges, closers, alarms) - After-hours security → Chapter 35: Red Team Operations
Bus Pirate
A multi-protocol debugging tool that supports UART, SPI, I2C, and other serial protocols ($30-40) - **UART-to-USB adapter** (FTDI FT232R or CP2102) — For serial console access ($5-15) - **Logic analyzer** (Saleae Logic or DSLogic) — For capturing and analyzing digital signals ($100-400) - **Multimet → Chapter 31: IoT and Embedded Systems Hacking
Test payment flows for price manipulation - Check coupon/discount codes for abuse - Test rate limiting on sensitive endpoints - Check for race conditions in concurrent requests - Test file upload for type bypass, path traversal - Check for information disclosure in error messages, API responses → Chapter 36: Bug Bounty Hunting
sV. The -O flag is for OS detection, -sC runs default scripts, and -A enables aggressive mode (which includes -sV, -sC, -O, and traceroute). → Chapter 3: Quiz — Setting Up Your Hacking Lab
c. Initial Access (ATT&CK Tactic: Initial Access)
Primary vector: Design a spearphishing campaign targeting specific FinanceForward employees. Detail the pretext, payload delivery mechanism, and expected user interaction. - Secondary vector: Identify an external service exploitation path (VPN vulnerability, web application flaw, or exposed API). - → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
C2 Architecture:
Select a primary C2 framework. Justify your choice (Cobalt Strike, Sliver, Mythic, Brute Ratel, or custom). Consider: FinanceForward runs CrowdStrike Falcon — your C2 must evade its behavioral detections. - Design a tiered C2 architecture: - **Tier 1 (Short-haul):** Disposable infrastructure for ini → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Campaign Objective Definition:
Define the primary campaign objective in terms that mirror APT29's documented goals. For example: "Gain persistent, undetected access to FinanceForward's executive email and financial transaction processing systems to demonstrate capability for long-term intelligence collection." - Define secondary → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Capturing in Burp Suite:
Use the "Copy as curl command" feature for easy reproduction - Save the full request and response (not just the highlighted portions) - Annotate requests with comments explaining each parameter's purpose - Use the Repeater tab to create clean, minimal reproduction requests (removing irrelevant heade → Chapter 39: Writing Effective Pentest Reports
Career Paths:
Ethical hacking encompasses a wide range of roles from junior pentester to CISO - Specialization paths include web application, cloud, Active Directory, IoT/OT, mobile, red team, and research - Entry-level access often requires starting in adjacent roles (SOC, IT) and transitioning - Career progress → Chapter 41: Career Paths and Continuous Learning
Certifications:
OSCP remains the gold standard for demonstrating penetration testing skill - PNPT offers an excellent, affordable alternative with a realistic exam format - CEH has name recognition but limited practical value; primarily useful for DoD compliance - GPEN/SANS offers exceptional training but at premiu → Chapter 41: Career Paths and Continuous Learning
**Vendor:** EC-Council - **Cost:** ~$1,199 exam fee (training packages $2,000-$3,500) - **Format:** 125 multiple-choice questions, 4 hours (also has a practical exam option) - **Prerequisites:** 2 years infosec experience or EC-Council training - **Study time:** 2-4 months - **Value:** Widely recogn → Resource Directory
Chain of custody form elements:
Case number and description - Evidence item number and description - Date and time of collection - Collector's name and affiliation - Collection method and tools used - Hash values (MD5 and SHA-256 at minimum) - Storage location - Transfer log: every person who handled the evidence, when, and why - → Chapter 37: Incident Response and Digital Forensics
Challenges to reproducibility:
Timestamps embedded in build artifacts - Non-deterministic compiler optimizations - Randomized data structures (hash map ordering) - Embedded build paths - Non-deterministic linking order → Chapter 34: Supply Chain Security
**CHECK Team Leader (CTL):** Can lead and oversee CHECK assessments. Requires passing CREST CCT (Inf and/or App) plus additional NCSC assessment. Must hold appropriate security clearance. - **CHECK Team Member (CTM):** Can perform CHECK assessments under a CTL's supervision. Requires CREST CRT plus → Chapter 38: Penetration Testing Methodology and Standards
Check the evidence
what proof did the scanner provide? 3. **Attempt manual reproduction** — can you confirm the vulnerability exists? 4. **Assess actual impact** — in this specific environment, what could an attacker do with this vulnerability? 5. **Document your validation** — screenshots, command output, response da → Chapter 11: Vulnerability Assessment
CI System Risks:
CI runners with excessive permissions (Docker socket access, cloud credentials) - Shared CI runners where jobs from different repositories execute on the same host - Build cache poisoning between pipeline runs - Insecure storage of pipeline secrets → Chapter 32: Container and Kubernetes Security
classes.dex
Dalvik Executable files containing the compiled application code. Modern apps may have multiple DEX files (multidex). DEX bytecode can be decompiled back to Java or Kotlin source code with reasonable fidelity. → Chapter 30: Mobile Application Security
Examine JavaScript bundles and source maps for hardcoded API keys, internal endpoints, or developer comments revealing security-relevant information. - Check browser local storage and session storage for sensitive tokens or user data that should be in HttpOnly cookies. - Review the Content Security → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
**Primary Region:** us-west-2 (Oregon). - **Services in Use:** EC2 (web servers), RDS (PostgreSQL databases for patient portal), S3 (document storage including patient records, radiology images), Lambda (automated reporting functions), CloudFront (CDN for static assets), IAM (role-based access for d → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Cloud Exploitation:
Exploit AWS misconfigurations: - Overly permissive S3 bucket policies allowing public read or list access. - IAM role assumption chains that escalate privileges. - Lambda function environment variables containing secrets. - EC2 instance metadata service (IMDS) exploitation from a compromised web ser → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Cloud Infrastructure (AWS):
Application servers: ECS Fargate containers in us-east-1. - Database: RDS PostgreSQL with read replicas. - CDN: CloudFront for static assets and product images. - Serverless functions: Lambda for image processing, PDF generation, data export, and webhook delivery. - Message queue: SQS for asynchrono → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
Cloud Infrastructure:
AWS (primary cloud provider) - EC2 instances running patient portal backend - RDS (PostgreSQL) for patient portal database - S3 buckets for medical imaging storage - Lambda functions for appointment scheduling APIs - Microsoft 365 for email and productivity → Chapter 1: Introduction to Ethical Hacking
Insecure API authentication - Device impersonation - Unauthorized access to device data - Command injection through device management APIs → Chapter 31: IoT and Embedded Systems Hacking
LLMs can identify vulnerability patterns in source code - Models trained on CVE databases can flag similar patterns in new code - Automated exploit generation from vulnerability descriptions is an active research area → Chapter 33: AI and Machine Learning Security
Commercial C2:
**Cobalt Strike:** The industry standard commercial C2 framework. Beacon implant supports extensive post-exploitation capabilities. Malleable C2 profiles allow customization of network indicators. - **Nighthawk:** Modern C2 designed for advanced red teams with extensive evasion capabilities. → Chapter 35: Red Team Operations
No pairing required (open access to characteristics) - Just Works pairing (no PIN/passkey — vulnerable to MITM) - Unencrypted communication (data readable by nearby attackers) - Static MAC addresses (device tracking) - Writable characteristics without authentication (command injection) - Sensitive d → Chapter 31: IoT and Embedded Systems Hacking
Common DAST Tools:
**Burp Suite Professional:** Industry-standard web scanner with active and passive scanning - **OWASP ZAP:** Free, open-source web application scanner - **Acunetix:** Commercial web vulnerability scanner - **Nikto:** Open-source web server scanner (covered in Chapter 10) - **Nuclei:** Template-based → Chapter 11: Vulnerability Assessment
Common DNS tunneling tools:
**dnscat2** — Creates an encrypted C2 channel over DNS - **iodine** — Creates IP-over-DNS tunnels - **dns2tcp** — Tunnels TCP connections over DNS → Chapter 13: Network-Based Attacks
Common exploitation techniques include:
Exploiting software vulnerabilities (buffer overflows, SQL injection, remote code execution) - Credential attacks (password spraying, brute forcing, credential stuffing with leaked passwords) - Social engineering (phishing, pretexting, physical intrusion — if in scope) - Misconfigurations (default c → Chapter 1: Introduction to Ethical Hacking
Common ICS Vulnerabilities:
No authentication on industrial protocols (Modbus has no native authentication) - Default credentials on HMIs and engineering workstations - Flat networks with no segmentation between IT and OT - Legacy operating systems (Windows XP, Windows 7) without patches - Remote access without multi-factor au → Chapter 31: IoT and Embedded Systems Hacking
Common MQTT Vulnerabilities:
No authentication required (anonymous access) - Weak or default credentials - No TLS encryption (port 1883) - Overly broad topic ACLs (all devices can subscribe to all topics) - Sensitive data in topics (patient vitals, device credentials) - No message validation (injection of malicious commands) → Chapter 31: IoT and Embedded Systems Hacking
**Names** — First names (often the user's own or a loved one's) were extremely common - **Dates** — Birthdays and anniversaries in various formats - **Keyboard patterns** — qwerty, asdf, zxcvbn, and their variants - **Pop culture** — Movie characters, band names, sports teams - **Simple substitution → Case Study 14.1: The RockYou Breach — 32 Million Plaintext Passwords and the Birth of a Wordlist
Common pitfalls:
Spending too long on a single target without results (set time limits) - Chasing duplicates on heavily tested programs - Neglecting report quality in favor of volume - Not tracking your time and earnings (you need to know your hourly rate) - Burnout from unsustainable hunting schedules → Chapter 36: Bug Bounty Hunting
Common race condition targets:
Coupon/discount code redemption (apply same code multiple times) - Account balance operations (withdraw simultaneously from multiple sessions) - Vote/like systems (vote multiple times) - Invitation/referral systems (claim same referral bonus multiple times) - File upload validation (bypass file type → Chapter 36: Bug Bounty Hunting
Common Reasons for Report Updates:
Factual errors discovered after delivery (wrong IP address, incorrect CVSS score) - Client provides additional context that changes a finding's assessment - Retesting reveals that a finding has been remediated (status update) - New information emerges that affects a finding's severity - Client reque → Chapter 39: Writing Effective Pentest Reports
Common Registry Misconfigurations:
Anonymous read access enabled - Anonymous push access (allowing image replacement) - No content trust / image signing enforcement - Registry exposed to the internet without authentication - Use of HTTP instead of HTTPS - Missing vulnerability scanning integration → Chapter 32: Container and Kubernetes Security
URL preview/unfurling features - Webhook configurations - PDF generation from URLs - Image import/upload from URL - RSS feed parsing - API integrations that accept URLs → Chapter 36: Bug Bounty Hunting
Common Technical Interview Questions:
"You have a web application with a login page. Walk me through your testing approach." - "You find a critical vulnerability on a Friday afternoon. The client asked for testing only during business hours. What do you do?" - "Describe how you would test Active Directory in a Windows environment, start → Chapter 41: Career Paths and Continuous Learning
Common threat intelligence sources:
MITRE ATT&CK groups database - Mandiant (now Google Cloud) threat intelligence reports - CrowdStrike adversary profiles - CISA advisories and threat assessments - Sector-specific ISACs (Information Sharing and Analysis Centers) - Academic research on threat groups → Chapter 35: Red Team Operations
Commonly excluded vulnerability types:
Self-XSS (XSS that only affects the attacker's own session) - Missing security headers without demonstrated impact - Clickjacking without sensitive action - Rate limiting without demonstrated impact - SPF/DKIM/DMARC configuration issues - Social engineering of employees - Physical attacks - Denial o → Chapter 36: Bug Bounty Hunting
Communication Attacks:
Unencrypted protocol traffic (plaintext MQTT, HTTP) - Replay attacks on device commands - Man-in-the-middle on wireless protocols - Protocol fuzzing for crash/exploit discovery - Radio frequency jamming and injection → Chapter 31: IoT and Embedded Systems Hacking
Communication Channels:
Design primary and backup communication channels between the operator team and the red team manager. - Document the out-of-band communication plan for emergencies (campaign deconfliction, inadvertent disruption, or discovery of a real compromise). - Specify encrypted communication tools for team coo → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Communication:
Primary and secondary points of contact (with phone numbers and email) - Escalation path for emergencies - Frequency and format of status updates - Incident notification requirements (e.g., "Critical vulnerabilities must be reported within 4 hours of discovery") - Secure communication channel specif → Chapter 38: Penetration Testing Methodology and Standards
Community intelligence:
ISACs (Information Sharing and Analysis Centers) for specific industries - FIRST (Forum of Incident Response and Security Teams) - Security conference presentations (DEF CON, Black Hat, BSides) → Chapter 2: Threat Landscape and Attack Taxonomy
Community:
DEF CON, Black Hat, and BSides conferences are pillars of the security community - Local meetups (OWASP, 2600, ISSA) provide accessible networking - Online communities (Twitter/X, Discord, Reddit, blogs) keep you connected - Speaking at conferences accelerates career development and builds reputatio → Chapter 41: Career Paths and Continuous Learning
Compliance Frameworks:
PCI DSS mandates annual penetration testing for organizations handling cardholder data, with specific requirements for scope, methodology, and segmentation validation - HIPAA requires risk analysis and appropriate safeguards for ePHI, with penetration testing as a recommended practice - SOC 2 uses p → Chapter 40: Security Compliance and Governance
**Vendor:** CompTIA - **Cost:** ~$404 exam fee - **Format:** 90 questions, 90 minutes, multiple choice + performance-based - **Prerequisites:** None (CompTIA recommends Network+ and 2 years IT experience) - **Study time:** 2-4 months - **Value:** The baseline certification for cybersecurity. Require → Resource Directory
Configuration and infrastructure:
Check for exposed admin panels, debug endpoints - Test for misconfigured CORS policies - Check for open redirects - Test for subdomain takeover on abandoned subdomains - Check cloud storage permissions (S3, Azure Blob, GCS) - Test for exposed .git, .svn, .env files → Chapter 36: Bug Bounty Hunting
Congressional action
Senators Ed Markey and Richard Blumenthal introduced the SPY Car Act (Security and Privacy in Your Car Act) - **Industry-wide reckoning** — Automotive manufacturers accelerated cybersecurity programs, hired security researchers, and began implementing vehicle security operations centers (VSOCs) - ** → Case Study 31.2: The Jeep Cherokee Remote Hack and Ring Doorbell Vulnerabilities
All identified C2 domains and IPs blocked at firewall - All compromised credentials reset (including service accounts) - Cobalt Strike artifacts removed from all affected systems - Vulnerability that allowed initial macro execution patched - Enhanced email filtering rules deployed → Chapter 37: Incident Response and Digital Forensics
Continuous Learning:
The 70-20-10 model (experiential, social, formal) structures ongoing development - Annual learning goals provide direction and measurable progress - T-shaped skills (broad knowledge + deep specialization) maximize career value - Burnout prevention is essential: set boundaries, diversify your life, a → Chapter 41: Career Paths and Continuous Learning
Control Plane Components:
**kube-apiserver** — The central management point. All operations go through the API server. Compromise of the API server means full cluster control. - **etcd** — Distributed key-value store holding all cluster state, including Secrets. Directly accessing etcd bypasses all RBAC controls. - **kube-sc → Chapter 32: Container and Kubernetes Security
**Domain:** Active Directory forest `medsecure.local` running Windows Server 2019 domain controllers (two DCs in Portland HQ, one in each satellite clinic). - **Workstations:** Approximately 450 Windows 10/11 endpoints joined to the domain, managed via Group Policy and Microsoft Endpoint Manager. - → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
CPU registers and cache
Lost immediately when power is removed 2. **Memory (RAM)** -- Contains running processes, network connections, encryption keys, malware in memory 3. **Network state** -- Active connections, routing tables, ARP cache 4. **Running processes** -- Process lists, open files, loaded modules 5. **Disk** -- → Chapter 37: Incident Response and Digital Forensics
Credential breach monitoring
Services like HaveIBeenPwned's API, SpyCloud, or Enzoic can check if employee credentials appear in known breaches > - **Multi-factor authentication** — Even valid credentials are useless without the second factor > - **Bot detection** — CAPTCHAs, device fingerprinting, and behavioral analysis to di → Chapter 14: Password Attacks and Authentication Bypass
Credential Collection
Obtain password hashes, encrypted passwords, or credential databases through exploitation, file system access, or network interception. Alternatively, prepare for online attacks if no hashes are available. → Chapter 14: Password Attacks and Authentication Bypass
Credential Dumping (T1003):
Look for processes accessing LSASS memory (lsass.exe) - Check for Mimikatz artifacts in memory - Examine process handles for access to credential stores - Look for ntdsutil.exe or suspicious vshadow.exe activity → Chapter 37: Incident Response and Digital Forensics
Credential harvesting:
LSASS memory dumping (with appropriate safeguards) - Kerberoasting and AS-REP roasting - NTLM relay and credential forwarding - Keylogging (with ROE authorization) - Credential file discovery (password files, configuration files, browser storage) → Chapter 35: Red Team Operations
Credential vaulting
Passwords stored in encrypted vaults, checked out when needed - **Session recording** — All privileged sessions recorded for audit - **Just-in-time access** — Privileges granted only when needed, automatically revoked - **Automatic rotation** — Passwords changed after every use or on a schedule - ** → Chapter 14: Password Attacks and Authentication Bypass
CREST accreditation levels for companies include:
**CREST Penetration Testing:** Standard commercial pentesting - **CREST STAR (Simulated Targeted Attack and Response):** Advanced red team/adversary simulation - **CREST Vulnerability Assessment:** Automated and manual vulnerability assessment → Chapter 38: Penetration Testing Methodology and Standards
CREST Registered Penetration Tester (CRT)
**Vendor:** CREST International - **Cost:** Varies by country (typically $500-$1,500) - **Format:** Practical exam (infrastructure or application) - **Prerequisites:** None officially; significant experience required - **Study time:** 3-6 months of focused preparation - **Value:** Highly valued in t → Resource Directory
Critical.io / Project Sonar
Large-scale internet scanning projects that mapped the global attack surface - **Rapid7 Labs** — Research that identified systemic vulnerabilities in embedded systems, IoT devices, and SCADA systems - **Security philosophy** — Moore championed the idea that security tools should be freely available → Case Study 12.2: Zerologon (CVE-2020-1472) and the Origin Story of Metasploit
Identify sensitive actions that rely on cookie-based authentication and test for CSRF token presence and validation. - Test whether the SameSite cookie attribute is set and whether it effectively prevents cross-origin requests. - Pay attention to state-changing GET requests (if any exist) — these ar → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
Current State:
Women represent approximately 25% of the global cybersecurity workforce (up from 11% in 2013, per ISC2 research) - Racial and ethnic minorities are underrepresented in security roles, particularly in leadership positions - The "pipeline problem" (fewer diverse candidates entering the field) is compo → Chapter 41: Career Paths and Continuous Learning
D
Daily QA Checks:
Review the day's findings for completeness - Verify all evidence is properly stored and labeled - Check testing coverage against scope --- are you on track? - Review for false positives: can every finding be independently verified? → Chapter 38: Penetration Testing Methodology and Standards
Dangerous methods to check for:
**PUT/DELETE**: If enabled without authentication, attackers may be able to upload arbitrary files or delete existing resources. PUT in particular can enable web shell uploads. - **TRACE**: Enables Cross-Site Tracing (XST) attacks, which can be used to steal cookies marked with the `HttpOnly` flag b → Chapter 8: Active Reconnaissance
Data Access Demonstration:
Identify and document access to sensitive data categories: - **PHI (Protected Health Information):** Patient records, lab results, prescriptions. Use synthetic data to demonstrate access; document the path and permissions that allowed it. - **PII (Personally Identifiable Information):** Employee rec → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Data Exposed:
**Names, dates of birth, and Social Security numbers** for approximately 40 million former and prospective customers - **Names, addresses, dates of birth, phone numbers, IMEIs, and SIM card information** for approximately 7.8 million current postpaid customers - **Account PINs** (used for account ac → Case Study 2: Peloton API Exposure and T-Mobile's Recurring API Breaches — A Pattern of Failure
Data handling OPSEC:
Encrypt all collected data at rest and in transit - Never exfiltrate real sensitive data (use proof tokens or synthetic data) - Securely destroy all engagement data after the reporting period - Maintain chain of custody documentation for any evidence collected → Chapter 35: Red Team Operations
Data Handling:
How testing data will be stored during the engagement - Encryption requirements for data in transit and at rest - Data retention period - Data destruction procedures after the engagement - Handling of sensitive data encountered during testing (PII, PHI, financial records) → Chapter 38: Penetration Testing Methodology and Standards
Data Injection
Adding crafted samples to the training set: - Inject samples that create a specific decision boundary - Add samples that degrade overall model performance → Chapter 33: AI and Machine Learning Security
Compromising training data compromises the model itself, and backdoor attacks can be nearly impossible to detect through standard testing. → Chapter 33: AI and Machine Learning Security
Data Provenance Tracking
Record the source and lineage of all training data > - **Anomaly Detection on Training Data** — Identify outliers and suspicious samples before training > - **Cross-Validation of Labels** — Require multiple independent labelers to agree > - **Robust Training Techniques** — Use training algorithms th → Chapter 33: AI and Machine Learning Security
Data Reconciliation:
Verify that all testing data is properly organized in your evidence directory - Cross-reference your testing notes against the scope to identify any targets that were not tested - Identify any open questions or ambiguities that need client clarification → Chapter 38: Penetration Testing Methodology and Standards
Data Sensitivity:
Does the system process, store, or transmit regulated data (PII, PHI, PCI)? - What is the regulatory impact of a breach? → Chapter 11: Vulnerability Assessment
For each major campaign decision point, create a decision tree: - "If phishing succeeds and we get a standard user session -> [Path A: credential harvesting and privilege escalation]" - "If phishing succeeds but EDR detects the payload -> [Path B: switch to fileless techniques]" - "If phishing fails → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Defending against NTLM relay:
**SMB Signing** — Mandatory SMB signing prevents relay by requiring packet signing with the session key - **EPA (Extended Protection for Authentication)** — Binds NTLM authentication to the TLS channel - **Disable LLMNR and NBT-NS** — Removes the primary trigger for relay attacks - **Network segment → Chapter 14: Password Attacks and Authentication Bypass
Defending against PtH:
**Credential Guard** — Windows feature that isolates LSASS in a virtual secure mode, preventing hash extraction - **Protected Users Security Group** — Members cannot authenticate via NTLM - **Restrict NTLM** — Group Policy settings to limit NTLM authentication - **Local Administrator Password Soluti → Chapter 14: Password Attacks and Authentication Bypass
Defense requires a layered approach
Adversarial training, input validation, output sanitization, monitoring, and secure architecture must work together to protect AI systems. → Chapter 33: AI and Machine Learning Security
Defenses against cache poisoning:
**Source port randomization** — Using random source ports for DNS queries exponentially increases the difficulty of guessing the correct transaction ID + port combination. - **DNSSEC** — Digitally signs DNS records, allowing resolvers to verify their authenticity. - **DNS-over-HTTPS (DoH) and DNS-ov → Chapter 13: Network-Based Attacks
Defining Scope:
Which networks, IP ranges, and domains are in scope? - Which applications and APIs will be tested? - Are cloud environments (AWS, Azure, GCP) included? - Is social engineering in scope? Physical testing? - Are third-party systems or shared infrastructure involved? → Chapter 38: Penetration Testing Methodology and Standards
Delivery Tips:
Keep to 15-20 minutes maximum (boards have limited attention spans) - Anticipate questions: "How do we compare to our peers?" "Could this really happen to us?" "What would it cost if we were breached?" - Have a brief demo ready if requested (but do not lead with it --- board members are not impresse → Chapter 39: Writing Effective Pentest Reports
Detecting ARP Spoofing:
Look for ARP replies that were not preceded by ARP requests (gratuitous ARP). - Look for multiple IP addresses being mapped to the same MAC address. - Filter: `arp.opcode == 2` (ARP replies) → Chapter 6: Networking Fundamentals for Hackers
Detecting Port Scans:
Look for a single source IP sending SYN packets to many different ports on a single destination. - Filter: `tcp.flags.syn == 1 && tcp.flags.ack == 0` - A rapid succession of SYN packets to sequential or random ports is a clear indicator of scanning. → Chapter 6: Networking Fundamentals for Hackers
Detecting Synthetic Photos:
Look for asymmetries in earrings, glasses, and hair - Check for blurred or inconsistent backgrounds - Examine eyes for reflection consistency - Use reverse image search (genuine photos appear elsewhere; synthetic photos do not) - Use AI detection tools (which are in an arms race with generation tool → Chapter 9: Social Engineering Reconnaissance
Detection and Response Assessment:
Which techniques were detected and how - Which techniques were not detected - Time-to-detect for each detected technique - Quality of blue team response when alerts fired - ATT&CK Navigator visualization of detection coverage → Chapter 35: Red Team Operations
Detection:
Monitor for unusual patterns of `madvise()` and `/proc/self/mem` access - Deploy kernel exploit detection tools like Falco with rules for Dirty COW signatures - Monitor for unexpected changes to `/etc/passwd`, `/etc/shadow`, and SUID binaries - File integrity monitoring (FIM) on critical system file → Case Study 1: Dirty COW (CVE-2016-5195)
Develop your specialty:
Choose a focus area (web, mobile, API, cloud, IoT) - Build deep expertise in 2-3 vulnerability types - Develop custom tools for your workflow - Contribute to the community (blog posts, tools, talks) → Chapter 36: Bug Bounty Hunting
Development languages for red team tools:
**C/C++:** Low-level control, direct syscalls, shellcode development - **Rust:** Memory safety without garbage collection, growing offensive tooling ecosystem - **Go:** Easy cross-compilation, large standard library, Sliver and many tools written in Go - **C#/.NET:** Runs on Windows natively, extens → Chapter 35: Red Team Operations
Development Tools:
GitHub with branch protection on main - Docker for local development - Terraform for infrastructure-as-code - GitHub Actions for CI/CD - No dedicated security tools (no SAST, DAST, or SCA in the pipeline) → Chapter 2: Threat Landscape and Attack Taxonomy
DHCP Attacks:
**Rogue DHCP Server:** An attacker sets up a fake DHCP server that provides clients with a malicious DNS server or default gateway, enabling man-in-the-middle attacks. - **DHCP Starvation:** An attacker exhausts the DHCP server's address pool by requesting all available addresses, causing a denial o → Chapter 6: Networking Fundamentals for Hackers
Disadvantages of Independence:
No steady paycheck (feast-or-famine cycle) - Business administration overhead (invoicing, taxes, insurance) - No employer-funded training or conference attendance - Must handle all marketing and sales - Isolation (no team to learn from) → Chapter 41: Career Paths and Continuous Learning
Discord and Slack Communities:
Hack The Box Discord (one of the largest security Discord servers) - TryHackMe Discord - PNPT Discord (active community around TCM Security) - Nahamsec's community (bug bounty focused) - Various conference and local group Discord/Slack servers → Chapter 41: Career Paths and Continuous Learning
Discovery Techniques:
Read API documentation for internal field names - Examine API responses for fields not present in input forms - Use GraphQL introspection to discover all fields on a type - Try adding common privileged field names: `role`, `admin`, `verified`, `active`, `permissions`, `group`, `level`, `tier` → Chapter 23: API Security Testing
Cultivate interests outside of security - Physical exercise counteracts the sedentary nature of security work - Social connections outside the industry provide perspective - Sleep, diet, and mental health directly affect your professional performance → Chapter 41: Career Paths and Continuous Learning
All DNS queries and responses - Essential for identifying C2 communication, data exfiltration via DNS, and domain generation algorithms - Tools: Passive DNS databases, DNS server logs, Zeek DNS logs → Chapter 37: Incident Response and Digital Forensics
Do:
Be professional and objective - State facts and evidence - Be specific about what you found and what it means - Acknowledge uncertainty when appropriate ("the tester was unable to determine whether...") - Use active voice ("The tester identified..." not "It was identified...") → Chapter 39: Writing Effective Pentest Reports
Docker Daemon Socket
If accessible, provides full control over all containers and the host 2. **Docker API** — When exposed over TCP without TLS, enables remote exploitation 3. **Docker Images** — May contain vulnerabilities, malware, or secrets 4. **Docker Registries** — Can be compromised to serve malicious images 5. → Chapter 32: Container and Kubernetes Security
Select domain naming conventions that plausibly relate to FinanceForward's technology stack or business operations. Provide examples: `finforward-auth.com`, `ff-cdn-assets.com`, `secure-updates-service.com`. - Plan certificate acquisition: Let's Encrypt for general domains; purchased certificates fo → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Don't:
Be condescending ("The client failed to implement basic security...") - Be alarmist ("The network is completely compromised and should be shut down immediately") - Use unnecessary jargon ("We pwned the box and got DA") - Be vague ("Several vulnerabilities were found") - Editorialize ("It is shocking → Chapter 39: Writing Effective Pentest Reports
Dual Audience Writing:
Executive summaries communicate risk in business terms (1-2 pages, no jargon) - Technical findings provide reproducible detail for remediation teams - Both audiences need to be served within a single document - Professional, objective tone throughout --- never condescending or alarmist → Chapter 39: Writing Effective Pentest Reports
DVWA
Damn Vulnerable Web Application (PHP, multiple security levels) - **OWASP Juice Shop** — Modern vulnerable app (Node.js, comprehensive) - **WebGoat** — OWASP project with guided lessons (Java) - **bWAPP** — Buggy Web Application with 100+ vulnerabilities - **HackTheBox Challenges** — Web-focused cha → Resource Directory
Dynamic ARP Inspection (DAI)
A switch-level security feature that validates ARP packets against a trusted binding table (DHCP snooping table). Untrusted ARP replies are dropped. > - **DHCP Snooping** — Creates a binding table of IP-to-MAC-to-port mappings from legitimate DHCP transactions. DAI uses this table for validation. > → Chapter 13: Network-Based Attacks
E
eLearnSecurity Junior Penetration Tester (eJPT)
**Vendor:** INE Security (formerly eLearnSecurity) - **Cost:** ~$249 (exam + training bundle varies) - **Format:** Practical exam (48 hours), 35 questions based on a live pentest environment - **Prerequisites:** None - **Study time:** 1-3 months - **Value:** Excellent first practical certification. → Resource Directory
Email Content:
Use the target's name and role - Reference real projects, vendors, or events - Include appropriate logos, signatures, and formatting - Create urgency without desperation - Include a clear call to action (click a link, open an attachment, reply with information) → Chapter 9: Social Engineering Reconnaissance
Email Infrastructure:
Register a convincing sender domain (lookalike domain or compromised email) - Configure SPF, DKIM, and DMARC to improve deliverability - Set up email tracking to measure open rates and click rates - Create a believable landing page → Chapter 9: Social Engineering Reconnaissance
Email Phishing Metrics:
**Open rate**: Percentage of recipients who opened the email (tracked via embedded pixel). Industry average: 60-80% for targeted phishing simulations. - **Click rate**: Percentage who clicked on the phishing link. Industry average: 15-25% for moderate-difficulty pretexts. - **Credential submission r → Chapter 9: Social Engineering Reconnaissance
"Stop" command: How the client can halt testing immediately - Contact information available 24/7 during the testing window - Procedures if testing causes an outage or disruption - Procedures if the tester discovers evidence of an actual breach in progress - Procedures if the tester discovers illegal → Chapter 38: Penetration Testing Methodology and Standards
**AI/ML Security:** As organizations deploy machine learning models, testing for adversarial inputs, model theft, data poisoning, and prompt injection becomes a distinct specialization. Understanding how to attack AI systems will be increasingly valuable. - **Kubernetes and Container Orchestration:* → Chapter 41: Career Paths and Continuous Learning
Encrypted protocols
SSH instead of Telnet, SFTP instead of FTP, IMAPS instead of IMAP > - **Network segmentation** with microsegmentation where possible > - **Encrypted medical protocols** — TLS-wrapped HL7v2, DICOM TLS, FHIR over HTTPS > > Additionally, deploy network taps and SPAN ports to your own monitoring infrast → Chapter 13: Network-Based Attacks
Encrypted Storage
Passwords encrypted with a reversible algorithm. Better than plaintext, but if the encryption key is compromised (and it often lives on the same server), all passwords can be decrypted. This is why encryption is generally inappropriate for password storage. → Chapter 14: Password Attacks and Authentication Bypass
Endpoint Detection and Response (EDR) evasion:
Direct system calls (bypassing user-mode API hooks) - Syscall proxying and indirect syscall techniques - ETW (Event Tracing for Windows) patching - AMSI bypass techniques - Sleep obfuscation (encrypting implant memory during sleep) - Module stomping and phantom DLL loading → Chapter 35: Red Team Operations
Endpoint Security:
Windows 11 enterprise workstations managed via Microsoft Intune. - CrowdStrike Falcon endpoint detection and response (EDR) deployed on all endpoints and servers. - Application control: Microsoft Defender Application Control (WDAC) policies on standard user workstations; developer workstations have → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Scope, timeline, and rules of engagement - Threat actor profile and emulation rationale - Team composition and tools used - Limitations and caveats → Chapter 35: Red Team Operations
Engagement Planning:
The scoping call is the most important conversation in any engagement - Engagement types (black/gray/white box) fundamentally affect methodology and effort - Effort estimation must account for scope complexity, testing depth, and tester experience - The Statement of Work formally documents scope, ti → Chapter 38: Penetration Testing Methodology and Standards
Environment Preparation:
Update your testing OS and all tools - Verify VPN connectivity and access credentials - Confirm your source IP addresses with the client - Set up your project directory structure for organized note-taking - Configure time synchronization (critical for log correlation) - Test your screenshot tool and → Chapter 38: Penetration Testing Methodology and Standards
Essential Entities (stricter requirements):
Energy (electricity, oil, gas, hydrogen) - Transport (air, rail, water, road) - Banking and financial market infrastructure - Health (hospitals, laboratories, pharmaceuticals) - Drinking water and wastewater - Digital infrastructure (DNS, TLD registries, cloud, data centers) - Public administration → Chapter 40: Security Compliance and Governance
EternalBlue exploit module
Used to gain initial code execution on vulnerable systems - **DoublePulsar backdoor installer** — A secondary NSA tool used to inject the payload into the target's memory - **Ransomware payload** — Encrypted user files with AES-128 and RSA-2048, demanding $300-600 in Bitcoin for decryption - **Worm → Case Study 12.1: EternalBlue and WannaCry — How an NSA Exploit Became Global Ransomware
Ethical Boundaries:
Never exfiltrate real sensitive data beyond what is needed to prove the vulnerability - Never modify production data - Document exactly what you accessed and what you did not - Follow the RoE data handling procedures → Chapter 39: Writing Effective Pentest Reports
ETW and AMSI bypass:
Explain what ETW provides to EDR products - Describe ETW patching techniques - Explain AMSI and common bypass methods - Discuss the limitations of these bypasses → Chapter 35 Exercises: Red Team Operations
European Union:
Laws vary by member state - Some countries (Netherlands, France, Belgium) have explicit protections for ethical hackers - The EU Cybersecurity Act encourages coordinated vulnerability disclosure - GDPR implications if you access personal data during testing → Chapter 36: Bug Bounty Hunting
Evidence Cleanup:
Remove any tools, scripts, or payloads deployed on client systems - Reset any passwords changed during testing - Delete any test accounts created - Remove any persistence mechanisms (unless explicitly asked to leave them for blue team training) - Document all cleanup activities → Chapter 38: Penetration Testing Methodology and Standards
Evidence Collection (3:00-6:00 AM):
Memory image analyzed with Volatility: malicious process `svchost.exe` (running from `C:\ProgramData\`) identified with network connections to `45.33.xx.xx` - KAPE triage collection from WS-BILL-023 and three additional affected workstations - Full disk image of WS-BILL-023 created with FTK Imager - → Chapter 37: Incident Response and Digital Forensics
Evidence Collection:
Capture screenshots of every significant access point. - Record hashes (not plaintext) of compromised accounts. - Create an attack chain diagram showing the complete path from initial access to highest-impact compromise. - Note timestamps for all activities. → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Evidence Standards:
Screenshots must be clear, annotated, and consistently organized - Request/response pairs are essential for web application findings - Command output should be cleaned and annotated, never altered - Redact sensitive data but preserve vulnerability evidence → Chapter 39: Writing Effective Pentest Reports
Exam Structure (as of recent updates):
Multiple standalone machines at varying difficulty levels - An Active Directory set (multiple machines in a domain environment) - Each machine or set has a point value - A minimum score (typically 70 points) is required to pass - Candidates must provide a professional report documenting their findin → Case Study 2: The Conference Ecosystem and the OSCP Certification Journey
Examples from MedSecure:
"The web application firewall (WAF) successfully blocked multiple automated SQL injection attempts, demonstrating effective defense-in-depth for standard attack patterns. However, the WAF was bypassed using manual testing techniques (see F-001)." - "Multi-factor authentication was correctly implemen → Chapter 39: Writing Effective Pentest Reports
Examples in ShopStack:
A regular user accessing `/api/v2/admin/users` by simply changing the URL - Modifying the `user_id` parameter in a request to view another user's orders - Accessing the order management API without being an authenticated merchant → Chapter 18: Web Application Security Fundamentals
Examples:
A password recovery flow that reveals whether an email is registered - A shopping cart that trusts client-side price calculations - No rate limiting on authentication endpoints - Insufficient anti-automation on critical business flows → Chapter 18: Web Application Security Fundamentals
Time activities to blend with normal business operations - Mimic the target's legitimate network traffic patterns - Use living-off-the-land techniques before deploying custom tools - Monitor for indicators that the blue team has detected your presence - Have contingency plans for each phase of the o → Chapter 35: Red Team Operations
Executive debrief (Leadership):
Present findings in business risk terms - Use attack narrative to make the risk tangible - Provide clear recommendations with effort/impact analysis - Request specific investments or organizational changes → Chapter 35: Red Team Operations
Executive Summary
One paragraph describing the vulnerability and its business impact. 2. **Technical Details** — CVE number, affected versions, CVSS score, exploit mechanism. 3. **Steps to Reproduce** — Exact commands and configurations used. 4. **Evidence** — Screenshots, command output, hashes of exfiltrated data. → Chapter 12: Exercises — Exploitation Fundamentals and Metasploit
Executive Summary (1-2 pages):
Engagement objectives and threat scenario - Key findings in business impact terms - Overall risk assessment - Top recommendations → Chapter 35: Red Team Operations
Executive Summary (1–2 pages):
Overall risk rating for MedSecure (Critical/High/Medium/Low). - Summary of the most significant findings in business terms: "An attacker could access patient health records for all 200,000 patients within 48 hours of initial compromise." - Key statistics: total vulnerabilities found by severity, per → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Executive Summary Best Practices:
Lead with the overall risk assessment --- do not bury the lead - Use business language, not technical jargon ("patient database" not "PostgreSQL instance") - Quantify risk where possible ("this vulnerability could expose 50,000 patient records") - Connect findings to business impact (HIPAA fines, re → Chapter 39: Writing Effective Pentest Reports
Executive Summary Guidance:
Quantify the findings (e.g., "43% of pods run as root, 0 of 12 namespaces have network policies") - Highlight the most impactful attack chains, not just individual findings - Frame risks in business terms (HIPAA violations, data breach costs, service disruption) → Chapter 32: Container and Kubernetes Security
Executive Summary:
[ ] Written for non-technical leadership - [ ] Includes overall risk assessment - [ ] Connects findings to business impact and financial risk - [ ] Provides prioritized strategic recommendations - [ ] Includes comparison to previous assessments (if applicable) - [ ] Two pages or less → Case Study 2: Report Anti-Patterns and the OSCP Report Model
Explicit authorization statement
clear language that testing within the policy is "authorized" 2. **CFAA/CMA reference** — explicit statement that the program considers compliant testing as authorized under relevant computer crime laws 3. **Third-party protection** — commitment to defend you if a third party (e.g., a hosting provid → Legal Reference
Is there a public exploit available? - Is the vulnerability being actively exploited in the wild (check CISA KEV)? - What skill level is required for exploitation? - Does exploitation require authentication or user interaction? → Chapter 11: Vulnerability Assessment
Code that leverages a specific vulnerability. Each exploit targets a particular software version, configuration, or condition. - **Payloads** — Code that runs on the target after successful exploitation. Payloads provide the attacker's desired functionality, from simple command shells to full-featur → Chapter 12: Exploitation Fundamentals and the Metasploit Framework
Exposed Cloud Resources:
Search for exposed Elasticsearch clusters, Redis instances, or RDS instances that may be accessible due to overly permissive security groups. - Check for CloudFront misconfigurations that bypass origin access controls. - Look for S3 buckets used for data exports that may contain merchant or customer → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
Exposure:
Is the vulnerable system Internet-facing or internal-only? - Are there compensating controls (WAF, IPS, network segmentation)? - Is the vulnerability reachable from the attacker's starting position? → Chapter 11: Vulnerability Assessment
Identify the most promising external attack surface based on FinanceForward's technology stack. - Research recent CVEs for: Kong API Gateway, Azure AD Connect, EKS control plane, and any internet-facing .NET applications. - Design an exploitation scenario for one viable external vulnerability, inclu → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
External-to-Internal Pivot:
Attempt to gain initial access through external-facing services. Consider: - Exploiting vulnerabilities in the WordPress site to gain a web shell. - Leveraging discovered credentials from OSINT or breach data against the VPN or Outlook Web Access. - Exploiting API vulnerabilities in `api.medsecure.e → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Extracting Credentials:
HTTP Basic Authentication transmits credentials in Base64 encoding (easily decoded). - Filter: `http.authorization` - FTP credentials are transmitted in plaintext. - Filter: `ftp.request.command == "USER" || ftp.request.command == "PASS"` → Chapter 6: Networking Fundamentals for Hackers
F
Factors affecting earnings:
Skill level and specialization - Time invested - Target selection strategy - Report quality - Consistency and persistence → Chapter 36: Bug Bounty Hunting
Factors Affecting Remediation Cost:
Development effort (hours x developer rate) - Infrastructure changes (hardware, software licenses, configuration time) - Downtime during implementation (business impact) - Testing and validation after remediation - External consultant fees (if specialized expertise is needed) → Chapter 39: Writing Effective Pentest Reports
FIDO2/WebAuthn
Phishing-resistant by design (bound to the legitimate domain) > - **Number matching** — For push notifications, require the user to enter a number shown on the login screen (prevents push bombing) > - **Certificate-based authentication** — Ties authentication to a specific device certificate > - **C → Chapter 14: Password Attacks and Authentication Bypass
File recovery approaches:
**MFT-based recovery:** If the MFT entry still exists, the file metadata is intact even though the file is "deleted" - **File carving:** Searching raw disk data for file signatures (magic bytes) to recover files without file system metadata - **Slack space analysis:** Examining the space between the → Chapter 37: Incident Response and Digital Forensics
[ ] Spell-check completed (including technical terms) - [ ] No tracked changes or comments remaining - [ ] No "[PLACEHOLDER]" or "[TODO]" text anywhere in the document - [ ] File size is reasonable (compress images if necessary) - [ ] PDF renders correctly (formatting, images, tables all intact) → Chapter 39: Writing Effective Pentest Reports
FinanceForward Threat Model:
Identify FinanceForward's crown jewels: What would APT29 want from a financial services company? Consider: customer financial data, transaction records, payment processing infrastructure, executive communications, regulatory filings, M&A activity, and API keys for banking integrations. - Map the att → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Financial:
**GBP 20 million (approximately $26 million)** fine from the UK Information Commissioner's Office (ICO) under GDPR. The original proposed fine was GBP 183 million, reduced due to BA's cooperation and the COVID-19 pandemic's impact on the airline industry. - **Customer compensation claims** resulted → Case Study 2: British Airways Magecart Attack and Major XSS Bug Bounties
Finding a Mentor:
Look for someone 5-10 years ahead of you on the career path you want to follow - Approach potential mentors with respect for their time and a clear ask ("Would you be willing to meet for 30 minutes monthly to discuss my career development?") - Offer value in return: research on topics they are inter → Chapter 41: Career Paths and Continuous Learning
Finding Documentation:
Every finding follows a consistent template: ID, title, severity, CVSS, affected systems, description, business impact, technical detail, steps to reproduce, evidence, remediation, and references - The MedSecure F-001 SQL injection example demonstrates the expected level of detail - Proof of concept → Chapter 39: Writing Effective Pentest Reports
Findings and Recommendations:
Prioritized list of findings - Each finding includes: description, evidence, business impact, ATT&CK mapping, remediation - Short-term, medium-term, and long-term recommendations - Investment priorities based on maximum risk reduction → Chapter 35: Red Team Operations
Findings:
Multiple `.gov` subdomains with CNAME records to decommissioned Azure Web Apps - Several subdomains pointing to cancelled GitHub Pages deployments - Subdomains with CNAME records to expired Heroku applications - State government subdomains pointing to deleted AWS S3 buckets → Case Study 2: Subdomain Takeover Campaigns and Certificate Transparency Mining
FireEye
a private cybersecurity company. FireEye detected the intrusion when they noticed that their own red team tools had been stolen. Upon investigation, they traced the intrusion back to the compromised SolarWinds Orion update. → Case Study 2.1: The SolarWinds Supply Chain Attack
Firmware Attacks:
Firmware extraction and reverse engineering - Hardcoded credentials and encryption keys - Command injection in firmware update mechanisms - Unencrypted or unsigned firmware updates - Backdoor accounts and debug interfaces → Chapter 31: IoT and Embedded Systems Hacking
Provide support for remediation questions (typically included in engagement fee for 30 days) - Document any scope clarifications or additional findings discovered during debrief - Issue report updates if errors are discovered after delivery (with version tracking) → Chapter 39: Writing Effective Pentest Reports
Following TCP Streams:
Right-click on any packet in a TCP connection and select "Follow > TCP Stream" to see the complete conversation, reconstructed from individual packets. This is invaluable for understanding HTTP transactions, reading email conversations, or extracting files transferred over unencrypted protocols. → Chapter 6: Networking Fundamentals for Hackers
Administrative fines up to 10 million euros or 2% of total worldwide annual turnover - Supervisory powers include on-site inspections, security audits, and evidence requests - Authorities can issue binding instructions for remediation with deadlines - In extreme cases, management can be temporarily → Case Study 2: HIPAA Pentest Discoveries and EU NIS2 Security Testing Requirements
For Executive Audiences:
Frame adversarial examples as "model manipulation" that can cause incorrect decisions - Frame prompt injection as "chatbot manipulation" that can bypass business rules - Frame model extraction as "intellectual property theft" with quantifiable training costs - Frame data poisoning as "model corrupti → Chapter 33: AI and Machine Learning Security
For full-time hunters:
Bug bounty income is variable and unpredictable - Build a financial buffer (6+ months of expenses) before going full-time - Track all income and expenses for tax purposes - Consider forming a business entity for tax optimization - Maintain health insurance independently - Diversify income sources (b → Chapter 36: Bug Bounty Hunting
**$77 million (GBP 60 million)** in total costs (remediation, customer compensation, lost revenue) - **101,000 customers left** following the breach - **GBP 400,000 fine** from the UK Information Commissioner's Office (ICO)---at the time, one of the largest data protection fines in UK history - Stoc → Case Study 2: TalkTalk Teenager SQLi and HackerOne UNION-Based Bounties
For Technical Audiences:
Provide specific attack parameters (epsilon values, query counts, success rates) - Include reproducible proof-of-concept code - Map findings to MITRE ATLAS techniques - Reference specific model versions and configurations → Chapter 33: AI and Machine Learning Security
For the Attackers:
The 15-year-old received a 12-month youth rehabilitation order - A 16-year-old accomplice received similar youth sentencing - A 20-year-old was sentenced to 12 months imprisonment - An 18-year-old received a suspended sentence → Case Study 2: TalkTalk Teenager SQLi and HackerOne UNION-Based Bounties
For wireless attacks (Chapter 25):
USB Wi-Fi adapter with monitor mode and packet injection support - Recommended chipsets: Realtek RTL8812AU, Atheros AR9271 - Budget: $15-40 → Prerequisites
Format:
PDF is the standard delivery format (prevents accidental editing) - Include clickable hyperlinks in the table of contents and cross-references - Use consistent formatting: fonts, heading levels, code blocks, screenshot borders - Many firms also provide a machine-readable format (CSV, JSON) for integ → Chapter 39: Writing Effective Pentest Reports
Independent consulting offers higher income and flexibility but requires business skills - Bug bounty can be a viable career for top performers but income is highly skewed - Building a consulting practice requires specialization, accreditation, and client relationships → Chapter 41: Career Paths and Continuous Learning
ML-guided fuzzers learn input grammars and target code paths more efficiently - Models trained on crash data generate inputs more likely to trigger bugs - AI-enhanced fuzzers like NEUZZ and FuzzGuard have demonstrated significant improvements → Chapter 33: AI and Machine Learning Security
**Focus:** Incident handling methodology, common attack techniques from a defender's perspective - **Cost:** ~$979 (exam); ~$8,525 (with SANS SEC504) - **Difficulty:** 5/10 - **Textbook chapters:** 37 (Incident Response), 2 (Threat Landscape) - **Best for:** Those bridging offensive and defensive ro → Certification Roadmap
GIAC Penetration Tester (GPEN)
**Vendor:** GIAC / SANS - **Cost:** ~$979 exam only; ~$8,525 with SANS SEC560 course - **Format:** 82 questions (with CyberLive hands-on questions), 3 hours - **Prerequisites:** None (SANS SEC560 recommended) - **Study time:** 2-4 months (longer without the course) - **Value:** Highly respected, esp → Resource Directory
GIAC Web Application Penetration Tester (GWAPT)
**Vendor:** GIAC / SANS - **Cost:** ~$979 exam only; ~$8,525 with SANS SEC542 course - **Format:** 75 questions, 2 hours - **Prerequisites:** None (SANS SEC542 recommended) - **Study time:** 2-4 months - **Value:** The top web application penetration testing certification. Complements GPEN well for → Resource Directory
Gift Card and Store Credit Abuse:
If ShopStack supports gift cards, test for balance manipulation, code predictability, and transfer abuse. - Can you generate store credit through return fraud (returning items that were purchased with store credit)? → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
GitHub Profile:
Maintain an active GitHub profile with: - Tools you have developed (even small utilities) - CTF writeups and solutions - Configuration files for testing environments - Contributions to open-source security projects - A well-maintained GitHub profile demonstrates practical skills more convincingly th → Chapter 41: Career Paths and Continuous Learning
GOAD (Game of Active Directory)
Automated vulnerable AD lab deployment - **BadBlood** — Populates an AD environment with vulnerable configurations - **DetectionLab** — Pre-built Windows domain with logging and detection tools - **Vulnerable AD** — Scripts to create a vulnerable AD environment → Resource Directory
Golden Ticket Properties:
Default validity: 10 years - Survives password resets (except krbtgt password reset) - Works even if the impersonated user does not exist - Can include any group SIDs (Domain Admins, Enterprise Admins, etc.) → Chapter 17: Active Directory Attacks
CISA (U.S. Cybersecurity and Infrastructure Security Agency) - FBI Internet Crime Complaint Center (IC3) - ENISA (European Union Agency for Cybersecurity) - National Cyber Security Centre (UK) - Five Eyes intelligence sharing → Chapter 2: Threat Landscape and Attack Taxonomy
GraphQL-Specific Attacks:
Test for introspection exposure in production (query `{__schema{types{name}}}`). - Attempt query depth and complexity attacks to identify resource exhaustion possibilities (deeply nested queries, alias-based batching). - Look for field suggestions in error messages that reveal undocumented fields. - → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
GRC Integration:
Pentest results feed risk registers, compliance evidence, and board reporting - GRC platforms automate findings tracking and remediation management - The three lines of defense model clarifies roles and responsibilities - Risk acceptance decisions must be formally documented and time-limited → Chapter 40: Security Compliance and Governance
Green Flags:
They provide detailed technical documentation during scoping - They have conducted previous assessments and can share reports - They have a dedicated security team ready to support testing - They ask about your methodology and qualifications - They are clear about what they want to learn from the as → Chapter 38: Penetration Testing Methodology and Standards
Guidance Notes:
The scope document should be signed before any testing begins. No exceptions. - If the scope changes during the engagement, create a scope amendment with new signatures. - Keep the scope document accessible during testing — refer to it whenever you are unsure whether an action is authorized. - The t → Templates and Worksheets
Machine discussion, hints, study groups - **TryHackMe Official** — Room help, community challenges - **TCM Security** — PNPT study groups, career advice - **Nahamsec** — Bug bounty community - **InfoSec Prep** — Certification study groups → Resource Directory
Hardware Attacks:
Physical access to debug ports (UART, JTAG, SWD) - Bus snooping and manipulation (SPI, I2C) - Side-channel attacks (power analysis, electromagnetic emanations) - Chip-off attacks (removing flash memory for direct reading) - Glitching attacks (voltage or clock manipulation to bypass security) → Chapter 31: IoT and Embedded Systems Hacking
Hardware Extraction:
UART/JTAG dump (as described above) - SPI flash reading - eMMC reading (for devices using eMMC storage) - Chip-off attacks for BGA packages → Chapter 31: IoT and Embedded Systems Hacking
Passwords processed through a one-way cryptographic hash function. The original password cannot be recovered from the hash. To verify a login, the system hashes the submitted password and compares it to the stored hash. → Chapter 14: Password Attacks and Authentication Bypass
Health metrics to evaluate:
**Maintenance activity:** When was the last commit? Are issues being addressed? - **Community diversity:** Is the project maintained by one person or a diverse community? Bus factor analysis. - **Security practices:** Does the project have a SECURITY.md? Does it use memory-safe languages? Are there → Chapter 34: Supply Chain Security
Healthcare-Specific Concerns:
**SSRF in Medical Device Integration:** MedSecure integrates with medical devices via HL7 FHIR APIs. SSRF could expose patient data from connected devices. - **XXE in Clinical Document Architecture (CDA):** CDA documents are XML-based. XXE in clinical document processing could expose entire patient → Chapter 22: Server-Side Attacks
Hierarchy and Reporting Lines
Who are the executives and department heads? - How many layers of management exist? - Which departments interact frequently? - Who has authority to make decisions? → Chapter 9: Social Engineering Reconnaissance
Hints and Guidance:
The pre-engagement phase is where many real-world engagements go wrong. An incomplete scope leads to missed assets; a vague RoE leads to disputes about what was authorized. Treat this phase with the same rigor you would apply to exploitation. - Consider HIPAA implications explicitly. How will you ha → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
HIPAA API Requirements:
All API calls must be logged with sufficient detail for audit trails - PHI must be encrypted in transit (TLS 1.2+) and at rest - Access must follow minimum necessary principle - Break-the-glass access must be logged and reviewed - API tokens must have appropriate scope restrictions → Chapter 23: API Security Testing
HIPAA Evolution:
Original Security Rule (2003): Administrative, physical, and technical safeguards - HITECH Act (2009): Breach notification requirements, increased penalties - Omnibus Rule (2013): Business associate liability, enhanced enforcement - 2023 NPRM: Proposed updates including specific security testing req → Chapter 40: Security Compliance and Governance
Host-Only:
Creates an isolated network between the host and VMs - VMs can communicate with each other and with the host - **No Internet access** — VMs are completely isolated from external networks - Use case: Your primary lab network for hacking exercises → Chapter 3: Setting Up Your Hacking Lab
How CTFs Build Skills:
Force you to learn new techniques under time pressure - Expose you to vulnerability types you might not encounter in daily work - Develop lateral thinking and creative problem-solving - Build teamwork skills when competing with a team - Provide measurable, comparable skill benchmarks → Chapter 41: Career Paths and Continuous Learning
HTTP-based management interfaces
**Telnet** is still used to manage some network infrastructure devices - Internal clinical applications may use **unencrypted database connections** → Chapter 13: Network-Based Attacks
HTTPS
blend with normal web traffic; tools: curl to a controlled server 3. **ICMP tunneling** — encode in ping packets; tools: ptunnel 4. **Steganography** — hide data in images uploaded to legitimate sites → Answers to Selected Exercises
Human Factors:
**Notification Fatigue:** Repeated interruptions erode the user's attention and judgment - **Desire to Stop Disruption:** Users approve prompts to make the notifications cease - **Misattribution:** Users may assume the prompts are caused by a system glitch rather than an attack - **Social Engineerin → Case Study 2: The Uber MFA Fatigue Attack — When Lapsus$ Bypassed Multi-Factor Authentication
the client's country may have specific requirements for authorization 3. **Identify where personal data subjects reside** — GDPR applies to data subjects in the EU regardless of where processing occurs 4. **For cloud-hosted targets:** Determine the physical region/data center — cloud providers' lega → Legal Reference
Identifying Constraints:
Testing windows and blackout periods - Systems that must not be disrupted (production databases, medical devices, financial processing) - Geographic or jurisdictional restrictions - Rate limiting and bandwidth constraints - Notification requirements (will the blue team know testing is happening?) → Chapter 38: Penetration Testing Methodology and Standards
Identity and Access Management:
Azure Active Directory (Entra ID) as primary identity provider. - Hybrid configuration with on-premises Active Directory (financeforward.local) synchronized via Azure AD Connect. - Conditional Access policies enforce MFA for all cloud application access from external networks. - Privileged Access Ma → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
If you need a refresher:
*Computer Science Distilled* by Wladston Ferreira Filho - Harvard CS50 (free on YouTube/edX) — Weeks 0-4 - CompTIA A+ study materials for hardware/OS fundamentals → Prerequisites
Ignoring the client's threat model
A pentest should simulate realistic threats, not generic ones. 2. **Overlooking credential attacks** — They are the most common vector; test them thoroughly. 3. **Focusing only on technical vulnerabilities** — Social engineering and insider threats are equally important. 4. **Not using ATT&CK in rep → Chapter 2: Key Takeaways — Threat Landscape and Attack Taxonomy
Image security is foundational
Vulnerable base images, embedded secrets, and supply chain compromises start at the build stage and propagate through the entire deployment. → Chapter 32: Container and Kubernetes Security
Image Signing and Verification
Use cosign or Notary to sign images and enforce signature verification at deployment time via admission controllers > 2. **Immutable Tags / Digest Pinning** — Reference images by SHA256 digest, not mutable tags > 3. **Private Base Images** — Maintain curated, scanned base images rather than pulling → Chapter 32: Container and Kubernetes Security
Image-Level Threats:
Vulnerable base images with known CVEs - Embedded secrets (API keys, passwords) in image layers - Malicious images from untrusted registries - Outdated dependencies baked into images → Chapter 32: Container and Kubernetes Security
Immediate Mitigations:
Apply Microsoft's patches immediately - Disable the Print Spooler service on systems that do not require printing, especially domain controllers and other Tier 0 assets - If the Print Spooler must run, restrict driver installation via Group Policy: `Computer Configuration > Administrative Templates → Case Study 1: PrintNightmare (CVE-2021-34527)
Impact Assessment:
SQL injection in patient search could expose Protected Health Information (PHI) for all patients - Command injection in report generation could compromise the entire server - LDAP injection against Active Directory could expose all staff credentials → Chapter 19: Injection Attacks
Implant devices:
Network implants (LAN Turtle, Packet Squirrel) - USB rubber ducky / Bash Bunny for keystroke injection - Wireless access points for rogue AP deployment - Hardware keyloggers (with explicit authorization) → Chapter 35: Red Team Operations
Important Considerations:
Always set crawl scope to prevent testing unauthorized targets - Respect `robots.txt` during authorized tests (but also review it for intelligence) - Be aware that crawlers can trigger destructive actions (DELETE endpoints, logout links) - Use authenticated crawling to discover protected content - N → Chapter 18: Web Application Security Fundamentals
Important Entities:
Postal and courier services - Waste management - Chemical manufacturing - Food production and distribution - Manufacturing (medical devices, electronics, vehicles) - Digital providers (online marketplaces, search engines, social networks) - Research organizations → Chapter 40: Security Compliance and Governance
In Scope:
All systems that store, process, or transmit cardholder data - All systems connected to the CDE - All network segments connected to the CDE - All systems providing security services to the CDE (firewalls, IDS/IPS, authentication servers) → Chapter 38: Penetration Testing Methodology and Standards
In-Memory Execution
Meterpreter is injected directly into a running process's memory space. No files are written to disk during normal operation. - **Encrypted Communications** — All traffic between Meterpreter and the handler is encrypted (TLS for HTTPS, AES for TCP). - **Extensible** — Functionality is loaded as exte → Chapter 12: Exploitation Fundamentals and the Metasploit Framework
In-scope assets typically include:
Specific domains and subdomains (e.g., `*.example.com`) - Mobile applications (iOS and Android) - APIs and API documentation - Specific IP ranges - Open source repositories → Chapter 36: Bug Bounty Hunting
In-scope vulnerability types typically include:
Remote Code Execution (RCE) - SQL Injection - Authentication/Authorization bypass - Cross-Site Scripting (XSS) -- usually stored/reflected, sometimes DOM-based - Server-Side Request Forgery (SSRF) - Insecure Direct Object Reference (IDOR) - Information disclosure (sensitive data exposure) → Chapter 36: Bug Bounty Hunting
Incident Response:
If Dirty COW exploitation is suspected, immediately preserve volatile evidence (running processes, memory dumps) - Check `/etc/passwd` and `/etc/shadow` for unauthorized modifications - Review system call audit logs for `madvise()` patterns - Full system rebuild may be necessary after confirmed expl → Case Study 1: Dirty COW (CVE-2016-5195)
Indicators of Deserialization:
Magic bytes in cookies/parameters: `rO0AB` (Java), `O:` (PHP), `\x80` (Python pickle) - Content-Type headers: `application/x-java-serialized-object` - Custom headers carrying encoded data - Base64-encoded binary data in unexpected locations → Chapter 22: Server-Side Attacks
Indicators of High Maturity (Level 4-5):
Continuous testing program (pentesting, red teaming, bug bounty) - Metrics-driven security program with dashboards and trend analysis - Security integrated into development pipeline (DevSecOps) - Threat intelligence program informs testing priorities - Regular purple team exercises → Chapter 40: Security Compliance and Governance
Indicators of Low Maturity (Level 1-2):
This is their first penetration test - No vulnerability management program exists - Patching is ad hoc - No security policies or they are outdated - Security team is one person (or zero) - "Compliance" is viewed as the goal, not as a baseline → Chapter 40: Security Compliance and Governance
Indicators of Medium Maturity (Level 3):
Regular penetration testing cycle (annual or more frequent) - Vulnerability management program with SLAs for remediation - Security policies exist and are reviewed regularly - Dedicated security team - Risk-based approach to security decisions → Chapter 40: Security Compliance and Governance
Individual Findings:
[ ] Consistent template for all findings - [ ] Specific affected systems (not just IP addresses) - [ ] CVSS score with full vector string - [ ] Business impact in non-technical language - [ ] Step-by-step reproduction instructions - [ ] Clear, annotated screenshots - [ ] Request/response data for we → Case Study 2: Report Anti-Patterns and the OSCP Report Model
Industrial Protocols
Modbus (serial and TCP), DNP3, EtherNet/IP, OPC UA, S7comm, IEC 61850, BACnet. These protocols were designed decades before cybersecurity was a concern. → Chapter 31: IoT and Embedded Systems Hacking
Info.plist
The application's configuration file, similar to Android's manifest. Contains bundle identifier, version, required device capabilities, URL schemes, and permission usage descriptions. → Chapter 30: Mobile Application Security
Information Disclosure + IDOR = Data Breach
Find an endpoint that leaks sequential user IDs - Use the IDs with an IDOR vulnerability to access other users' data - Demonstrate mass data extraction → Chapter 36: Bug Bounty Hunting
Information Gathering:
Browser type, version, and plugins - Operating system - Screen resolution - Internal IP address (via WebRTC) - Installed software (via timing attacks) - Geolocation (if permitted) → Chapter 20: Cross-Site Scripting and Client-Side Attacks
Infrastructure Diagram:
Produce a complete infrastructure architecture diagram showing: - All C2 servers (with hostnames, IP ranges, and cloud providers). - Redirector placement and traffic flow. - Domain assignments for each infrastructure tier. - Network paths from implant to team server. - Monitoring and logging within → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Examine HTTP headers, error messages, and API responses for AWS account IDs, region names, resource ARNs, and internal hostnames. - Check whether CloudFormation or Terraform state files are accessible in any S3 bucket. → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
Infrastructure OPSEC:
Use dedicated, compartmentalized infrastructure for each engagement - Register domains that appear legitimate (aged domains, appropriate naming) - Use redirectors to hide team infrastructure from blue team analysis - Implement traffic encryption and domain fronting where appropriate - Separate engag → Chapter 35: Red Team Operations
Infrastructure:
AWS (primary cloud provider) - ECS (Elastic Container Service) for running containerized applications - RDS for PostgreSQL - ElastiCache for Redis - S3 for storage - CloudFront for CDN - Lambda for background processing - SQS for message queuing - GitHub (source code, CI/CD with GitHub Actions) - Da → Chapter 2: Threat Landscape and Attack Taxonomy
Initial Response (2:00-3:00 AM):
IR team activated via PagerDuty - Affected workstation identified: WS-BILL-023 - Memory captured remotely using Velociraptor before network isolation - Network isolation implemented for the billing VLAN - Management and legal notified → Chapter 37: Incident Response and Digital Forensics
Injection Attacks:
Test all input fields for SQL injection, including less obvious vectors: sort parameters, filter expressions, search queries, and webhook URLs. - Test for NoSQL injection in any MongoDB-backed endpoints (search, analytics). - Test for server-side template injection (SSTI) in any feature that renders → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
Injection testing:
Test all input fields for SQL injection - Check for Server-Side Template Injection (SSTI) - Test for command injection in file upload, API parameters - Check for LDAP injection in authentication - Test for XSS in all reflected and stored input points - Check for SSRF in URL input parameters, webhook → Chapter 36: Bug Bounty Hunting
Input Validation
Filter and sanitize user inputs before they reach the LLM > 2. **Output Validation** — Never trust LLM output; sanitize before rendering or executing > 3. **Privilege Minimization** — Limit the tools and data the LLM can access > 4. **Prompt Armoring** — Use structured prompts with clear delimiters → Chapter 33: AI and Machine Learning Security
Insider threat playbook:
Detection criteria - Legal and HR coordination requirements - Evidence preservation (heightened chain of custody) - Investigation steps (user activity monitoring, data access logs) - Containment without alerting the subject - Documentation requirements → Chapter 37 Exercises: Incident Response and Digital Forensics
Intelligence from certificate inspection:
**Certificate authority**: Commercial CAs vs. Let's Encrypt vs. internal CA - **Organization details**: The certificate's Organization (O) and Organizational Unit (OU) fields - **Key strength**: RSA key size, ECDSA curve - **Cipher suites**: Supported encryption algorithms (weak ciphers indicate out → Chapter 8: Active Reconnaissance
Server room access controls - Network closet security - Clean desk policy compliance - Document handling and disposal - USB/device policy enforcement - Screen lock compliance → Chapter 35: Red Team Operations
Intermediate Lab:
Multiple attacker VMs (Kali, Parrot, Commando VM) - Windows Active Directory environment (DC + workstations) - Linux server targets (various distributions and configurations) - Vulnerable web applications (custom instances) - Network segmentation with virtual firewalls → Chapter 41: Career Paths and Continuous Learning
Internal Network Exploitation:
From the initial foothold, enumerate the internal network. - Attempt to exploit vulnerabilities identified during assessment: - Kerberoast service accounts and crack their password hashes offline. - Exploit misconfigured network shares to access sensitive data. - Leverage unpatched internal services → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Internal Network:
Creates an isolated network between VMs only - The host cannot access this network - **No Internet access** - Use case: Maximum isolation for dangerous experiments (malware analysis) → Chapter 3: Setting Up Your Hacking Lab
International Regulations:
GDPR Article 32 requires regular testing of security measures; pentesters must handle personal data as data processors - NIS2 expands security requirements across essential and important entities in the EU - DORA mandates threat-led penetration testing (TLPT) for significant financial entities using → Chapter 40: Security Compliance and Governance
IOC formats:
**STIX/TAXII:** Structured Threat Information eXpression for sharing threat intelligence - **OpenIOC:** Mandiant's XML-based IOC format - **MISP:** Malware Information Sharing Platform format - **CSV/JSON:** Simple formats for quick sharing → Chapter 37: Incident Response and Digital Forensics
ISO 27001 Evolution:
2005 edition: 133 controls in 11 domains - 2013 revision: 114 controls in 14 domains - 2022 revision: 93 controls in 4 themes, new controls for cloud, threat intelligence, data masking → Chapter 40: Security Compliance and Governance
IT Support/Help Desk
"I'm from the IT department. We've detected unusual activity on your account and need to verify your identity." - "We're rolling out a mandatory security update. I need your current password to ensure the migration doesn't lock you out." - "Your email account has been flagged for a security review. → Chapter 9: Social Engineering Reconnaissance
It was designed without security
The original DNS protocol (RFC 1035, 1987) includes no authentication or integrity verification. - **It uses UDP** — Most DNS queries use UDP, which is trivially spoofable since there is no handshake. - **It is hierarchical** — Compromising a single DNS server can affect all clients that rely on it. → Chapter 13: Network-Based Attacks
The Attack Requirements (AT) metric replaces the less granular Attack Complexity - The naming convention changes: "CVSS-B" for base score, "CVSS-BT" for base + threat, "CVSS-BE" for base + environmental, "CVSS-BTE" for all groups - The scoring formula has been updated, meaning some vulnerabilities w → Chapter 39: Writing Effective Pentest Reports
Key characteristics of red teaming:
**Objective-based:** Red teams pursue specific objectives (e.g., access the crown jewels, exfiltrate customer data, disrupt operations) rather than finding all possible vulnerabilities - **Adversary emulation:** Red teams emulate specific threat actors, using their known TTPs - **Stealth-focused:** → Chapter 35: Red Team Operations
Key Concepts:
**Entities**: The data points you are investigating (domains, IPs, people, emails, etc.) - **Transforms**: Automated queries that take an entity as input and produce related entities as output. For example, a "DNS to IP" transform takes a domain and returns its IP addresses. - **Graphs**: Visual rep → Chapter 7: Passive Reconnaissance and OSINT
Key Departments for Social Engineering Targeting
**IT/Help Desk**: Often the first target for pretexting calls. Help desk staff are trained to be helpful, which can be exploited. - **Human Resources**: Has access to employee data and is accustomed to receiving resumes and documents (potential phishing vectors). - **Finance/Accounting**: Has author → Chapter 9: Social Engineering Reconnaissance
Key Derivation Functions (KDFs)
Modern best practice. Algorithms like bcrypt, scrypt, Argon2, and PBKDF2 are specifically designed for password storage. They incorporate salts, are computationally expensive (deliberately slow), and can be tuned to become slower as hardware improves. → Chapter 14: Password Attacks and Authentication Bypass
Key Differentiators:
Specialization: focus on specific industries (healthcare, financial services) or testing types (cloud, IoT, red team) - Accreditation: CREST, CHECK, or other relevant accreditations - Methodology: documented, repeatable, defensible testing approach - Reputation: track record of quality work and sati → Chapter 41: Career Paths and Continuous Learning
Key directories:
`/usr/bin/` — Most security tools are installed here as executable binaries - `/usr/share/` — Data files, wordlists, and tool-specific resources - `/usr/share/wordlists/` — Password wordlists including the famous rockyou.txt - `/usr/share/nmap/scripts/` — Nmap NSE (Nmap Scripting Engine) scripts - ` → Chapter 3: Setting Up Your Hacking Lab
Key features:
Active machines rotated regularly (retired machines available with subscription) - Difficulty ratings from "Easy" to "Insane" - Pro Labs that simulate realistic enterprise environments (Dante, Offshore, RastaLabs, Zephyr) - Tracks for different skill areas (Active Directory, Web, Forensics) - Compet → Chapter 3: Setting Up Your Hacking Lab
Key Findings:
Approximately 15% of Fortune 500 companies had at least one subdomain vulnerable to takeover - AWS services (S3, CloudFront, Elastic Beanstalk) accounted for the majority of vulnerable configurations - Average time from initial discovery to remediation (when reported through responsible disclosure) → Case Study 2: Subdomain Takeover Campaigns and Certificate Transparency Mining
Key milestones:
**1995:** Netscape launches first commercial bug bounty program - **2004:** Mozilla formalizes its bug bounty program with $500 per vulnerability - **2010:** Google VRP launches; Facebook launches its program - **2012:** HackerOne founded; Microsoft launches bounty programs - **2013:** Bugcrowd laun → Chapter 36: Bug Bounty Hunting
Highlight the vulnerability with inline comments (using `# <--` or similar) - Show both the malicious request and the unauthorized response - Redact sensitive data in the response (real names, addresses, full card numbers) - Include enough context that the reader understands the attack flow - For co → Chapter 39: Writing Effective Pentest Reports
Key routing concepts:
**Default Gateway:** The router that a host sends packets to when the destination is not on the local network. Compromising or spoofing the default gateway gives an attacker control over the host's outbound traffic. - **Routing Tables:** Each router maintains a table that maps network destinations t → Chapter 6: Networking Fundamentals for Hackers
Key Takeaways:
**SQL injection** remains the most impactful injection type, with techniques ranging from simple UNION-based extraction to sophisticated blind and out-of-band methods. - **NoSQL injection** exploits the query operator syntax of document databases like MongoDB. Always validate input types, not just v → Chapter 19: Injection Attacks
Key Terminology:
**Adversarial Example:** An input intentionally designed to cause a model to make a mistake - **Perturbation:** The modification applied to a benign input to make it adversarial - **Evasion Attack:** Adversarial examples at inference time (model already deployed) - **Poisoning Attack:** Manipulating → Chapter 33: AI and Machine Learning Security
Knowledge Sharing:
Write blog posts about techniques you have learned - Create walkthroughs for CTF challenges and lab machines - Publish research on new vulnerability classes or attack techniques - Develop training materials for newer practitioners → Chapter 41: Career Paths and Continuous Learning
Known challenges:
Medical device network segmentation is incomplete — some devices can reach the corporate network - Legacy systems (Windows Server 2012 R2, CentOS 7) are difficult to patch - Shadow IT: Several departments have deployed unauthorized SaaS applications - Physician resistance to security controls that s → Chapter 1: Introduction to Ethical Hacking
Known Characteristics:
**Patience:** APT29 campaigns operate over months or years. Initial access may occur weeks before any post-exploitation activity. - **Operational Security:** Extensive use of compromised infrastructure for C2, encrypted communications, timestomping, and log clearing. Avoidance of commodity malware i → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Implement Pod Security Standards (Restricted profile) - Use RBCD with least privilege---never grant cluster-admin to service accounts - Enable audit logging for all API server operations - Encrypt Secrets at rest using KMS - Implement Network Policies to restrict pod-to-pod communication - Block IMD → Case Study 2: PwnKit (CVE-2021-4034) and Container Escapes in Production
Kubernetes RBAC is frequently misconfigured
Overpermissioned service accounts, wildcard permissions, and default account usage are among the most common findings in cluster assessments. → Chapter 32: Container and Kubernetes Security
L
Lab Environment:
A network of vulnerable machines of varying difficulty - Multiple network segments simulating corporate environments - Machines that require chaining vulnerabilities and pivoting - Active Directory environment (added in recent course updates) - The lab is available for 30, 60, or 90 days depending o → Case Study 2: The Conference Ecosystem and the OSCP Certification Journey
Lab safety practices
including documentation, snapshot management, and the cardinal rule of never attacking unauthorized systems — protect you legally and professionally. → Chapter 3: Setting Up Your Hacking Lab
Three VLANs: Clinical (10), Admin (20), Server (40) - Domain controller, file server, and at least two workstations - A router/firewall between VLANs (can use pfSense) → Chapter 13: Exercises — Network-Based Attacks
Label Flipping
Changing the labels on training examples to cause misclassification: - Flip "spam" labels to "not spam" for specific patterns - Flip "malicious" to "benign" for specific malware signatures → Chapter 33: AI and Machine Learning Security
Lack of defense in depth
multiple control failures aligned to enable the breach. - **The cost of a $0 patch vs. a $1.4 billion breach** makes the business case for vulnerability management irrefutable. - **Vulnerability assessment must include verification** — scanning alone is insufficient. → Case Study 11.1: The Equifax Breach — When a Known Vulnerability Goes Unpatched
Landing Pages:
Mirror the legitimate service's login page - Use HTTPS (free certificates from Let's Encrypt) - Capture credentials and log access - Redirect to the legitimate service after credential capture (reducing suspicion) → Chapter 9: Social Engineering Reconnaissance
Lateral movement:
PsExec and SMB-based execution - WMI and WinRM remoting - RDP with harvested credentials - Pass-the-hash and pass-the-ticket - DCOM-based execution → Chapter 35: Red Team Operations
Only allow traffic between VLANs that is specifically needed - **Microsegmentation** — Within VLANs, further restrict communication between individual systems - **Zero Trust** — Assume any network segment could be compromised; authenticate and authorize every connection - **East-West inspection** — → Chapter 13: Network-Based Attacks
Legacy Medical Devices
**Imaging Systems:** Three GE PACS (Picture Archiving and Communication System) servers running Windows Server 2012 R2 — cannot be patched without vendor approval due to FDA 510(k) certification constraints. - **Infusion Pumps:** Network-connected Alaris infusion pumps on a "segmented" VLAN (the qua → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Length Guidelines:
Executive Summary: 1-2 pages - Scope and Methodology: 2-3 pages - Findings Summary: 1-2 pages - Technical Findings: 2-4 pages per finding (so a 10-finding report = 20-40 pages) - Appendices: As needed (can be extensive) - Total: 40-80 pages for a typical engagement → Chapter 39: Writing Effective Pentest Reports
Lessons learned:
What worked well (both offense and defense)? - What surprised both teams? - What processes need improvement? - What investments would have the greatest impact? → Chapter 35: Red Team Operations
Level 1: Ad Hoc Testing
Penetration tests are conducted only when triggered by an incident or compliance requirement - No regular testing cadence - Testing firm selected based on lowest price - Findings are addressed reactively (if at all) - No tracking of remediation status - Reports are filed and forgotten → Chapter 40: Security Compliance and Governance
Level 1: Configuration and Infrastructure
Standard penetration testing of the hosting infrastructure - API security assessment - Authentication and authorization testing - Network segmentation evaluation → Chapter 33: AI and Machine Learning Security
Level 2: Model-Specific Testing
Adversarial example generation and testing - Prompt injection testing (for LLMs) - Model extraction feasibility assessment - Membership inference testing - Output analysis for information leakage → Chapter 33: AI and Machine Learning Security
Level 2: Periodic Testing
Annual penetration test conducted for compliance purposes - Standard scope (external network, basic web application) - Testing firm selected based on qualifications and price - Findings tracked in a spreadsheet - Some findings remediated before next annual test - Results reported to IT management → Chapter 40: Security Compliance and Governance
Level 3: Pipeline and Supply Chain
Training data pipeline security assessment - Model provenance verification - Dependency analysis (ML frameworks, libraries) - CI/CD pipeline security for model training and deployment → Chapter 33: AI and Machine Learning Security
Level 3: Structured Testing Program
Regular testing cadence (annual pentest + quarterly vulnerability scans) - Scope includes internal network, Active Directory, web applications - Testing methodology documented and aligned with standards (PTES, OWASP) - Findings tracked in vulnerability management platform with SLAs - Remediation ver → Chapter 40: Security Compliance and Governance
Level 4: Integrated Testing Program
Continuous testing: pentests, red team exercises, bug bounty, automated DAST/SAST - Scope includes cloud infrastructure, APIs, mobile, supply chain - Testing integrated with SDLC (security testing in CI/CD pipeline) - Findings integrated with GRC platform and risk register - Metrics-driven: mean tim → Chapter 40: Security Compliance and Governance
Level 4: Operational Security
Monitoring and alerting effectiveness - Incident response procedures for AI-specific incidents - Model rollback capability testing - Data poisoning resilience assessment → Chapter 33: AI and Machine Learning Security
Level 5: Adaptive Security Testing
Threat intelligence-led testing (TIBER, CBEST, custom threat scenarios) - Continuous automated testing supplemented by expert manual testing - Security testing drives architectural decisions and system design - Predictive analytics: using historical data to anticipate future risk areas - Security te → Chapter 40: Security Compliance and Governance
lib/
Native libraries (.so files) for different CPU architectures (armeabi-v7a, arm64-v8a, x86, x86_64). These are compiled from C/C++ code using the NDK and are harder to reverse engineer than DEX bytecode. → Chapter 30: Mobile Application Security
Limitations of OSSTMM:
Steeper learning curve than PTES or OWASP - The rav calculation, while valuable, can be complex to implement - Less widely adopted in North American commercial pentesting - Can feel academic compared to the practical focus of PTES → Chapter 38: Penetration Testing Methodology and Standards
Limitations of PTES:
The standard has not been significantly updated since its initial release - Technical guidelines can become outdated as tools and techniques evolve - Less prescriptive about specific test cases than OWASP → Chapter 38: Penetration Testing Methodology and Standards
Limitations of rainbow tables:
**Size** — Tables for complex passwords can be enormous (terabytes) - **Salt defeats them** — If each password has a unique salt, you would need a separate rainbow table for each salt, making the approach impractical - **Fixed hash type** — Each table is specific to one hash algorithm → Chapter 14: Password Attacks and Authentication Bypass
Limitations of the OWASP Testing Guide:
Focused exclusively on web applications (not network, wireless, or physical) - Can be overwhelming: version 4.2 contains over 90 individual test cases - Does not define engagement lifecycle (scoping, contracts, etc.) - Some test cases require significant expertise to execute properly → Chapter 38: Penetration Testing Methodology and Standards
LinkedIn Presence:
Maintain an up-to-date LinkedIn profile with: - Current certifications with verification links - Skills endorsements from colleagues and clients - Recommendations from managers and peers - Regular posting about security topics (but be careful about what you share publicly) - Many security recruiting → Chapter 41: Career Paths and Continuous Learning
LinPEAS Color Coding:
**Red/Yellow (95% PE vector):** Almost certain privilege escalation path - **Red (PE vector):** Highly likely escalation path - **Cyan:** Information useful for exploitation - **Green:** Normal information with some interest - **Blue:** General system information → Chapter 15: Linux Exploitation and Privilege Escalation
LLM01: Prompt Injection
Manipulating LLM behavior through crafted inputs 2. **LLM02: Insecure Output Handling** — Failing to sanitize LLM-generated output 3. **LLM03: Training Data Poisoning** — Corrupting training data to influence behavior 4. **LLM04: Model Denial of Service** — Causing excessive resource consumption 5. → Chapter 33: AI and Machine Learning Security
Logging Gaps to Test For:
CloudTrail not enabled in all regions (attackers operate in unexpected regions) - Data events not logged (S3 object-level access, Lambda invocations) - Management events filtered (some API calls not recorded) - Log file validation not enabled (logs can be tampered with) - CloudTrail logs stored in a → Chapter 29: Cloud Security Testing
Logistics:
Timeline: start date, duration, report delivery date - Communication channels and frequency - Point of contact and escalation path - VPN credentials, test accounts, or other access provisions - Emergency stop procedure → Chapter 38: Penetration Testing Methodology and Standards
Long-Term Strategy:
Implement a tiered administration model to limit the blast radius of service exploitation - Deploy attack surface reduction rules to block exploitation of vulnerable services - Enable Windows Defender Exploit Guard mitigations - Regularly audit which services are running and needed across all server → Case Study 1: PrintNightmare (CVE-2021-34527)
M
Machine Learning Models
Modern AV products (CrowdStrike Falcon, SentinelOne, Carbon Black) use ML models trained on millions of malware samples. These models analyze hundreds of features extracted from a binary (imports, sections, entropy, strings, structural characteristics) and produce a maliciousness score. → Chapter 27: Evasion and Anti-Detection Techniques
Making Bug Bounty Sustainable:
Specialize: become deeply expert in one vulnerability class or technology - Build efficiency: develop your own tools and automation - Focus on high-value programs with responsive triage - Maintain quality: well-written reports get better payouts and build reputation - Diversify income: combine bount → Chapter 41: Career Paths and Continuous Learning
Maltego Editions:
**Maltego CE (Community Edition)**: Free, limited transforms and results - **Maltego Classic/XL**: Commercial licenses with full access to transform marketplace - **Maltego CaseFile**: Free offline analysis tool (no transforms, manual data entry) → Chapter 7: Passive Reconnaissance and OSINT
Validate automated findings to eliminate false positives. A vulnerability scanner reporting MS17-010 on a Windows Server 2019 host is almost certainly a false positive; a scanner reporting a missing security header on the patient portal is real but may be low-severity. - Manually test for logic vuln → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Manufacturer Sources:
Official firmware update files from the vendor's website - Update servers identified through network traffic analysis - Mobile app bundles that include firmware files → Chapter 31: IoT and Embedded Systems Hacking
Mass Assignment:
Test POST and PUT endpoints for mass assignment by adding unexpected fields. Can you set `is_admin: true`, `plan: "enterprise"`, `commission_rate: 0`, or `verified: true` in API requests? - In GraphQL mutations, test whether the input type accepts fields beyond what the documentation specifies. → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
Networked infusion pumps (multiple vendors) - Patient monitoring systems - MRI and CT scanners with network connectivity - Medication dispensing cabinets (Pyxis) - Nurse call systems → Chapter 1: Introduction to Ethical Hacking
MedSecure Health Systems
our running example — is a mid-sized healthcare organization with a typical mix of modern and legacy technology, presenting the kind of complex, realistic target we will learn to test. → Chapter 1: Introduction to Ethical Hacking
Memory evasion:
Explain sleep obfuscation techniques - Describe memory encryption during beacon sleep - Discuss heap vs. stack obfuscation - Explain module stomping → Chapter 35 Exercises: Red Team Operations
Mentoring:
Mentor junior professionals in your organization - Participate in mentoring programs (SANS Mentor, WiCyS, ISACA) - Be available to answer questions in online communities - Share your career experiences --- both successes and failures → Chapter 41: Career Paths and Continuous Learning
A complete rewrite in Ruby. Moore chose Ruby for its metaprogramming capabilities, object-oriented design, and cross-platform support. This rewrite established the architecture that persists today: - The Rex (Ruby Extension) library for networking - The Core library for module management - The Base → Case Study 12.2: Zerologon (CVE-2020-1472) and the Origin Story of Metasploit
Metasploitable 2
Intentionally vulnerable Ubuntu Linux VM - **Metasploitable 3** — Windows and Ubuntu VMs with modern vulnerabilities - **VulnHub machines** — Hundreds of downloadable VMs (see platform listing above) - **Kioptrix series** — Classic beginner-friendly vulnerable VMs - **Mr. Robot VM** — Themed vulnera → Resource Directory
Methodologies:
PTES provides an end-to-end engagement lifecycle with seven defined phases - OSSTMM offers quantitative security measurement through the rav and channel-based testing - The OWASP Testing Guide delivers prescriptive web application test cases across eleven categories - Professional testers combine me → Chapter 38: Penetration Testing Methodology and Standards
Mitigation strategies:
**Namespace prefixing:** Use scoped packages (e.g., `@mycompany/internal-lib`) that cannot be squatted on public registries - **Registry configuration:** Configure package managers to only use private registries for internal packages - **Version pinning:** Pin all dependencies to exact versions and → Chapter 34: Supply Chain Security
An all-in-one mobile security testing framework that performs automated static and dynamic analysis for both Android and iOS: → Chapter 30: Mobile Application Security
Modularity
Exploits and payloads were separate modules that could be mixed and matched - **Standardized interface** — All modules used the same option-setting conventions - **Payload generation** — Payloads were generated dynamically, allowing customization - **Open source** — The framework was freely availabl → Case Study 12.2: Zerologon (CVE-2020-1472) and the Origin Story of Metasploit
Opportunistic attackers scanning for common web application vulnerabilities - Financial criminals targeting payment data and PII - Competitors engaging in scraping or denial-of-service (unlikely but possible) - Disgruntled former employees with knowledge of the codebase → Chapter 2: Threat Landscape and Attack Taxonomy
msfconsole
The primary command-line interface. Feature-rich, with tab completion, command history, and scripting support. - **msfcli** — Deprecated command-line interface for scripting. - **Armitage** — A Java-based GUI that provides visualization and collaboration features. - **msfvenom** — A standalone tool → Chapter 12: Exploitation Fundamentals and the Metasploit Framework
Multi-Merchant Isolation:
A critical business logic concern: can a customer on one merchant's store access or affect another merchant's store data? - Can a merchant's storefront customization (JavaScript, CSS) be used to attack customers of other merchants on the platform? → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
N
NAT (Network Address Translation):
The VM can access the Internet through the host's connection - Other VMs and the host cannot directly reach the VM - Use case: Downloading updates to your Kali VM → Chapter 3: Setting Up Your Hacking Lab
NAT Network:
Like NAT, but VMs on the same NAT network can communicate with each other - VMs can access the Internet - The host cannot directly reach the VMs (without port forwarding) - Use case: Lab VMs that need both Internet access and inter-VM communication → Chapter 3: Setting Up Your Hacking Lab
Domain fronting and CDN abuse - Malleable C2 profiles mimicking legitimate services - DNS-over-HTTPS for C2 - Encrypted channels with legitimate certificates - Traffic timing manipulation → Chapter 35: Red Team Operations
Network flow data (NetFlow/IPFIX):
Metadata about network connections (source/destination IP, ports, bytes, duration) - Much smaller than full packet capture - Sufficient for many investigations - Tools: ntopng, SiLK, Elastiflow → Chapter 37: Incident Response and Digital Forensics
Network Infrastructure:
Corporate network: 10.10.0.0/16 (approximately 3,000 endpoints) - Medical device network: 10.20.0.0/16 (approximately 500 connected medical devices) - Guest Wi-Fi: 192.168.0.0/16 (segregated from corporate network) - VPN for remote access (Cisco AnyConnect) - Site-to-site VPN connecting all faciliti → Chapter 1: Introduction to Ethical Hacking
Network policies are rarely implemented
The default Kubernetes networking model allows all pod-to-pod communication. Without explicit network policies, lateral movement is trivial. → Chapter 32: Container and Kubernetes Security
Network Scanning:
Conduct port scans of external-facing IP ranges (TCP SYN scan of top 1000 ports initially; expand as needed). - Perform service enumeration and banner grabbing on discovered ports. - Identify web servers, mail servers, VPN endpoints, and any unexpected services. → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Network Topology Discovered:
347 active hosts across 12 subnets - 4 domain controllers (Windows Server 2019) - 23 application servers (mix of Ubuntu and Windows) - 3 database servers (2 MSSQL, 1 PostgreSQL) - 15 network devices (Cisco switches, Palo Alto firewalls) - 287 workstations - 15 printers/multifunction devices → Chapter 10: Scanning and Enumeration
Never mount the Docker socket:
Use dedicated monitoring tools that do not require socket access - If socket access is absolutely necessary, use a read-only proxy with strict filtering - Consider alternatives like cri-o or containerd that provide more granular access controls → Case Study 2: PwnKit (CVE-2021-4034) and Container Escapes in Production
New Employee/Contractor
"Hi, I'm the new contractor starting in the IT department. I don't have my badge yet — can you let me in?" - "I'm starting next week and HR told me to come in early to set up my workstation. Can you point me to the IT department?" → Chapter 9: Social Engineering Reconnaissance
Organizations cannot identify which dependencies they use 2. **Unpinned dependencies** -- Using version ranges instead of exact versions or hashes 3. **Stale dependencies** -- Running versions with known, patched vulnerabilities 4. **Overly permissive CI/CD** -- Pipeline tokens with excessive permis → Chapter 34: Supply Chain Security
No standardization
Every exploit had a different interface and different options - **Payload coupling** — Most exploits had their payloads hardcoded; changing the payload meant modifying source code - **Limited platform support** — An exploit written for Linux often would not compile on other platforms - **No modulari → Case Study 12.2: Zerologon (CVE-2020-1472) and the Origin Story of Metasploit
Notable programs and payouts:
Google's Vulnerability Reward Program has paid over $50 million since inception - Microsoft's Bug Bounty Program regularly pays $100,000+ for critical Azure vulnerabilities - Apple's Security Bounty Program offers up to $2 million for the most critical iOS vulnerabilities - The U.S. Department of De → Case Study 1.2: HackerOne, the Bug Bounty Revolution, and the CrowdStrike Falcon Incident
**Vendor:** Offensive Security - **Cost:** ~$1,749+ - **Format:** 48-hour practical exam - **Prerequisites:** OSCP recommended; strong web development knowledge - **Study time:** 3-6 months - **Value:** White-box web application security testing through source code review. Targets advanced web app s → Resource Directory
Offline Cracking:
Phase 1: Common passwords (top 1000) - Phase 2: RockYou with rules - Phase 3: Custom MedSecure wordlist with rules - Phase 4: Targeted masks for common patterns - Document percentage cracked at each phase → Chapter 14: Exercises — Password Attacks and Authentication Bypass
Ongoing monitoring:
Continuous monitoring of vendor security posture - Regular reassessment (annually at minimum) - Threat intelligence feeds for vendor compromise indicators - Contractual security requirements and audit rights → Chapter 34: Supply Chain Security
Open-Source C2:
**Sliver:** Written in Go, supports multiple implant types (session, beacon), multiple C2 protocols (mTLS, HTTP(S), DNS, WireGuard), and multi-player operation - **Mythic:** Modular C2 framework written in Go with a web-based UI. Supports multiple agent types through a plugin architecture - **Havoc: → Chapter 35: Red Team Operations
Open-source intelligence (OSINT):
MITRE ATT&CK (free, comprehensive) - NIST National Vulnerability Database (CVE details) - CISA advisories and alerts - Vendor security blogs (Microsoft, Google, CrowdStrike, Mandiant) - Security researcher blogs and Twitter/X accounts - VirusTotal (malware analysis) - Shodan and Censys (Internet-wid → Chapter 2: Threat Landscape and Attack Taxonomy
Open-Source Tool Development:
Contribute to existing tools (Metasploit modules, Nmap scripts, Nuclei templates) - Build and release your own tools - Document tools and write tutorials → Chapter 41: Career Paths and Continuous Learning
Operational debrief (Red + Blue teams):
Walk through the engagement chronologically - Red team reveals what they did and why - Blue team shares what they detected and what they missed - Collaborative discussion of detection improvement opportunities - This is NOT about blame. It is about learning and improvement. → Chapter 35: Red Team Operations
Orchestration Threats (Kubernetes-specific):
API server misconfiguration - RBAC over-permissioning - Secrets stored in plaintext - Network policy absence enabling lateral movement - Service account token abuse → Chapter 32: Container and Kubernetes Security
Order Manipulation:
Test whether you can modify an order after payment (change shipping address, add items, change quantities) without additional payment. - Examine the order cancellation flow. Can you cancel an order after it has shipped and still receive a refund? - Test the digital product delivery flow. Can you acc → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
Organization:
Name screenshots with a consistent scheme: `F001-01-injection-point.png`, `F001-02-data-extraction.png` - Store screenshots in the evidence directory alongside the finding documentation - Reference every screenshot in the finding text: "As shown in Figure F001-1..." → Chapter 39: Writing Effective Pentest Reports
Organizational Controls:
Implement multi-channel verification for sensitive actions (voice request + email confirmation + in-person verification) - Establish code words or phrases for verifying identity in sensitive communications - Create policies requiring multiple approvals for financial transactions above a threshold - → Chapter 9: Social Engineering Reconnaissance
Organizations and Initiatives:
**WiCyS (Women in CyberSecurity):** Conference and community for women in cybersecurity - **Diana Initiative:** Conference celebrating diverse voices in security (held alongside DEF CON) - **Black Girls Hack:** Community and training for Black women in cybersecurity - **Minorities in Cybersecurity ( → Chapter 41: Career Paths and Continuous Learning
OSINT Gathering:
Enumerate subdomains using certificate transparency logs (crt.sh), DNS brute-forcing, and search engine dorking. - Search for MedSecure employees on LinkedIn, noting job titles, technologies mentioned in job postings, and recent hires (who may not yet have full security awareness training). - Check → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Other jurisdictions:
Laws vary widely. Research the laws of both your country and the target's country - Some countries have broad computer crime laws that may not account for authorized testing - International bug bounty hunting adds jurisdictional complexity → Chapter 36: Bug Bounty Hunting
Out-of-scope assets typically include:
Third-party services and hosted content - Employee personal accounts - Physical locations - Non-production environments (unless explicitly included) - Specific subdomains or IP ranges → Chapter 36: Bug Bounty Hunting
Overall Report:
[ ] No unfiltered scanner output - [ ] All findings validated (no false positives) - [ ] Consistent severity ratings - [ ] Professional, objective tone - [ ] Clean formatting and consistent style - [ ] Table of contents with page numbers - [ ] Confidentiality classification - [ ] Version control and → Case Study 2: Report Anti-Patterns and the OSCP Report Model
OWASP Chapters
Local chapters in most major cities; free meetings focused on application security. Find your chapter at https://owasp.org/chapters/ - **BSides Events** — Local security conferences in 100+ cities - **DC Groups (DEF CON Groups)** — Local DEF CON-affiliated hacker groups. Find one near you at https:/ → Resource Directory
P
Part 1: Executive Session (30-60 minutes)
Audience: CIO, CISO, CTO, VP of Engineering, legal counsel, risk manager - Content: Executive summary findings, overall risk posture, strategic recommendations - Tone: Business-focused, no command-line output or technical details - Goal: Decision-makers understand the risk and commit to remediation → Chapter 39: Writing Effective Pentest Reports
Audience: Security team, development leads, system administrators, network engineers - Content: Detailed walkthrough of each finding, live demonstration where possible, remediation guidance - Tone: Technical, collaborative, interactive - Goal: Remediation teams understand each finding well enough to → Chapter 39: Writing Effective Pentest Reports
Part 3 (Web Application Hacking):
DVWA with multiple security levels - OWASP Juice Shop (simulating ShopStack-like functionality) - Custom vulnerable web applications → Chapter 3: Setting Up Your Hacking Lab
Part 4 (System and Network Attacks):
Windows Active Directory lab (Domain Controller + member servers + workstations) - Simulated MedSecure domain with realistic users, groups, and policies → Chapter 3: Setting Up Your Hacking Lab
Exploit identified web vulnerabilities (SQLi, XSS, IDOR, authentication bypass, etc.). - Demonstrate access to patient records using synthetic test data. *Do not access, modify, or exfiltrate real patient data.* - Test API endpoints for authorization flaws — can a standard patient user access anothe → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Payload development considerations:
Avoid known malware signatures and behaviors - Use direct system calls instead of API calls that are hooked by EDR - Implement sleep obfuscation to evade memory scanning - Use legitimate execution methods (reflective loading, process hollowing, module stomping) - Develop custom C2 protocols that ble → Chapter 35: Red Team Operations
Payment Processing Logic:
Analyze the Stripe integration. Does ShopStack validate the payment amount on the server side after Stripe confirms the charge, or does it trust the client-reported amount? - Test the refund flow. Can you initiate a refund for more than the original order amount? Can you refund to a different paymen → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
Payment Processing:
Stripe Connect integration for payment processing and merchant payouts. - PCI DSS compliance achieved through Stripe Elements (client-side tokenization) — ShopStack never directly handles raw card numbers. - However, ShopStack does store: last four digits of card numbers, billing addresses, transact → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
PCI DSS Evolution:
Version 1.0 (2004): Basic security requirements - Version 2.0 (2010): Enhanced scoping guidance, more specific testing requirements - Version 3.0 (2013): Penetration testing methodology requirements formalized - Version 3.2.1 (2018): MFA requirements expanded, penetration testing guidance updated - → Chapter 40: Security Compliance and Governance
PCI DSS:
Requirement 11.4 mandates internal and external penetration testing annually - PCI pentests must cover the entire CDE, validate segmentation, and test OWASP Top 10 - Common failures include inadequate segmentation, default credentials, and weak application security - PCI DSS 4.0 introduced customize → Chapter 38: Penetration Testing Methodology and Standards
Penetration Testing
Georgia Weidman. Practical introduction to penetration testing with Kali Linux and Metasploit. Excellent for beginners. Complements Chapters 10-17. → Resource Directory
Penetration testing is appropriate when:
You need to assess the security of a specific application, network, or system - Compliance requirements mandate vulnerability assessment (PCI DSS, HIPAA) - You want a comprehensive list of technical vulnerabilities - Your security program is relatively immature and needs to address foundational issu → Chapter 35: Red Team Operations
Per-technique reporting:
Technique ID and name - Procedure used (specific tool, command, method) - Timestamp and target system - Detection result (detected/not detected/partially detected) - Detection source (if detected): EDR, SIEM, network monitoring, user report - Time to detect (if detected) - Recommended detection impr → Chapter 35: Red Team Operations
Perimeter security:
Fencing, gates, and barriers - Exterior lighting - Security cameras (coverage gaps, dummy cameras) - Vehicle access controls → Chapter 35: Red Team Operations
Persistence Mechanisms (Documentation Only):
Identify persistence mechanisms that a real attacker might establish: scheduled tasks, startup scripts, new service accounts, SSH keys, web shells, or Golden Ticket attacks. - *Document how these would be established without actually implementing long-term persistence.* In a real engagement, you mig → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Personal Website / Blog:
A professional website with your portfolio, writings, and contact information establishes you as a serious professional - Even a simple GitHub Pages site with a handful of well-written technical posts creates a strong impression - Potential clients for consulting engagements will review your online → Chapter 41: Career Paths and Continuous Learning
Enumerate all software dependencies (direct and transitive) - Map CI/CD pipeline configurations and secrets - Identify third-party services and integrations - Document package manager configurations and registry settings - Catalog build tools, development tools, and IDE extensions → Chapter 34: Supply Chain Security
Phase 1: Reconnaissance
Identify container orchestration platform and version - Enumerate exposed ports and services - Discover Kubernetes API server, dashboard, and kubelet endpoints - Map the container registry infrastructure → Chapter 32: Container and Kubernetes Security
Phase 2: Campaign Design (Week 3)
Select target employees based on profiles - Design pretexts based on OSINT findings - Build email templates, landing pages, and phone scripts - Set up campaign infrastructure (phishing domains, email servers, call equipment) - Conduct peer review of campaign materials - Obtain final client approval → Chapter 9: Social Engineering Reconnaissance
Phase 2: Dynamic Analysis (Day 2-3)
Install the application on test devices - Configure proxy interception - Bypass certificate pinning if present - Complete application walkthrough capturing all traffic - Test local data storage after usage (SharedPreferences, databases, cache) - Runtime instrumentation with Frida for security contro → Chapter 30: Mobile Application Security
Phase 2: Image Analysis
Scan all accessible images for CVEs - Inspect image layers for embedded secrets - Review Dockerfiles and build configurations - Assess base image provenance and update frequency → Chapter 32: Container and Kubernetes Security
Phase 2: Vulnerability Assessment
Scan all dependencies for known vulnerabilities (CVEs) - Check for end-of-life or unmaintained dependencies - Evaluate dependency health metrics (OpenSSF Scorecard) - Test for dependency confusion vulnerabilities - Assess typosquatting exposure for internal package names → Chapter 34: Supply Chain Security
Phase 3: API Testing (Day 3-4)
Document all discovered API endpoints - Test authentication mechanisms (token generation, expiration, invalidation) - Test authorization for every endpoint (BOLA/IDOR) - Test input validation and injection vulnerabilities - Test rate limiting on sensitive endpoints - Test error handling for informat → Chapter 30: Mobile Application Security
Phase 3: Configuration Audit
Run kube-bench for CIS compliance - Enumerate RBAC policies for overpermissioning - Check network policies for segmentation - Review pod security standards / pod security policies - Assess Secrets management practices → Chapter 32: Container and Kubernetes Security
Launch phishing emails in waves (not all at once) - Conduct vishing calls at appropriate times - Execute physical social engineering (if in scope) - Monitor and record all results - Be prepared to stop if the client requests it → Chapter 9: Social Engineering Reconnaissance
Inter-process communication testing (intents, URL schemes) - Cryptographic implementation review - Memory analysis for sensitive data persistence - Background/screenshot protection - Push notification security - Third-party library vulnerability assessment - BLE/NFC/other communication channel testi → Chapter 30: Mobile Application Security
Phase 4: Analysis and Reporting (Week 6)
Compile success/failure rates for each vector - Analyze which pretexts were most effective and why - Identify organizational patterns (departments, roles, tenure) that correlate with vulnerability - Develop recommendations for security awareness training - Prepare sanitized case studies for the clie → Chapter 9: Social Engineering Reconnaissance
Phase 4: Exploitation
Attempt API server anonymous access - Test kubelet API authentication - Enumerate and abuse service account permissions - Attempt container escapes from compromised pods - Test lateral movement between namespaces → Chapter 32: Container and Kubernetes Security
Model adversary capabilities and motivations - Identify highest-impact attack paths through the supply chain - Evaluate detection and response capabilities - Assess blast radius for supply chain compromise scenarios → Chapter 34: Supply Chain Security
Phase 5: Post-Exploitation
Pivot to cloud provider APIs using pod credentials - Access secrets stores (etcd, external vaults) - Demonstrate data exfiltration paths - Document complete attack chains → Chapter 32: Container and Kubernetes Security
Phase 5: Reporting and Remediation
Prioritize findings by risk (impact times likelihood) - Provide specific, actionable remediation guidance - Map findings to frameworks (SLSA, NIST SSDF, CIS Supply Chain Security) - Recommend monitoring and continuous improvement measures → Chapter 34: Supply Chain Security
Phase 6: Reporting
Map findings to CIS Kubernetes Benchmark controls - Prioritize by exploitability and impact - Provide specific remediation steps - Include architecture-level recommendations → Chapter 32: Container and Kubernetes Security
Phishing Campaign:
Design and execute a phishing campaign targeting the pre-approved employee list (up to 50 targets). - Craft a pretext relevant to MedSecure (HIPAA training reminder, benefits enrollment, IT system update). - Track click rates, credential submission rates, and report rates. - If credentials are captu → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Phishing incident playbook:
Detection criteria (how you know this is a phishing incident) - Initial triage steps - Scope assessment (who else received the email?) - Containment actions (block sender, remove emails, disable compromised accounts) - Investigation steps (analyze email headers, attachments, URLs) - Recovery procedu → Chapter 37 Exercises: Incident Response and Digital Forensics
**Entry success rate**: Percentage of attempts that achieved physical access - **Time to entry**: How long from initial approach to gaining access - **Challenge rate**: How many employees challenged or questioned the tester - **Reporting rate**: How many employees reported the suspicious activity → Chapter 9: Social Engineering Reconnaissance
Plaintext Storage
The most catastrophic approach. Passwords stored as-is in a database or file. If the database is compromised, every password is immediately exposed. The 2009 RockYou breach exposed 32 million plaintext passwords because the company stored them without any protection. → Chapter 14: Password Attacks and Authentication Bypass
Planning activities include:
Defining the scope (which systems, networks, applications, and physical locations are in bounds) - Establishing rules of engagement (what techniques are permitted, what is off-limits) - Setting the timeline (start date, end date, testing windows) - Defining communication channels (who to contact if → Chapter 1: Introduction to Ethical Hacking
Planning and Reconnaissance
Scope definition and information gathering - **Scanning and Enumeration** — Active probing to map the attack surface - **Gaining Access** — Exploiting discovered vulnerabilities - **Maintaining Access / Post-Exploitation** — Demonstrating real-world impact - **Reporting and Remediation** — Communica → Chapter 1: Key Takeaways — Introduction to Ethical Hacking
Limit each access port to 2 MAC addresses with shutdown violation mode. 2. **DHCP Snooping** — Enable DHCP snooping on all VLANs and trust only the uplink port. 3. **Dynamic ARP Inspection** — Enable DAI with validation of source MAC, destination MAC, and IP. 4. **BPDU Guard** — Enable on all access → Chapter 13: Exercises — Network-Based Attacks
Post-Acquisition Growth (2009-Present):
Module count grew from hundreds to thousands - Community contribution process formalized (GitHub pull requests) - Integration with Rapid7's vulnerability scanning products - Addition of new module types (Evasion, introduced in Metasploit 5.0) - REST API for programmatic access - Modernized database → Case Study 12.2: Zerologon (CVE-2020-1472) and the Origin Story of Metasploit
Lessons learned meeting with all stakeholders - Incident report completed with full timeline and IOCs - 14 new SIEM detection rules created based on observed TTPs - Phishing awareness training reinforced for billing department - New email attachment sandboxing implemented → Chapter 37: Incident Response and Digital Forensics
Post-scan activities:
Review scan logs for errors or authentication failures - Verify that all in-scope hosts were successfully scanned - Check for scan artifacts that need cleanup (temporary files, test accounts) - Begin the validation and prioritization process (Sections 11.4-11.5) → Chapter 11: Vulnerability Assessment
Practical Malware Analysis
Michael Sikorski, Andrew Honig. Comprehensive guide to malware reverse engineering. Complements Chapter 37. → Resource Directory
Practical Network Penetration Tester (PNPT)
**Vendor:** TCM Security - **Cost:** ~$399 (exam only; training courses ~$30 each or subscription) - **Format:** 5-day practical exam — full external-to-internal pentest + report - **Prerequisites:** None - **Study time:** 2-4 months - **Value:** Increasingly respected. Tests the complete penetratio → Resource Directory
Pre-admission
Device is assessed before being granted access (OS patches, antivirus status, compliance) 2. **Post-admission** — Device behavior is monitored after admission; non-compliant devices are quarantined 3. **802.1X** — Port-based authentication ensures only authorized devices connect → Chapter 13: Network-Based Attacks
Pre-Campaign (Weeks -4 to -1):
Infrastructure provisioning, domain registration, and aging. - Tooling development, testing, and validation against CrowdStrike in a lab environment. - Target reconnaissance and phishing pretext refinement. - Operational readiness review with red team manager. → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Pre-engagement assessment:
Security certifications (SOC 2 Type II, ISO 27001, FedRAMP) - Security questionnaire responses (SIG Lite, CAIQ) - Independent penetration test results - Incident history and response track record - Business continuity and disaster recovery plans → Chapter 34: Supply Chain Security
Pre-engagement:
Obtain explicit written authorization for physical testing - Carry authorization documentation at all times (a "get out of jail free" letter) - Identify emergency contacts and escalation procedures - Establish safe words or code phrases for de-escalation - Understand local laws regarding trespassing → Chapter 35: Red Team Operations
Prepare Your Environment:
Set up your testing VM (Kali Linux or similar) with all required tools. - Configure a secure evidence repository with encryption at rest. - Establish VPN connectivity using the provided credentials. - Verify that your testing IP addresses are documented and shared with Marcus Chen so that legitimate → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Presentation Tips:
Bring the tester who performed the work --- they can answer detailed technical questions - Prepare for pushback: some teams will dispute findings or severity ratings - When challenged, refer to evidence: "Let me show you the request and response that demonstrates this" - Avoid being adversarial: you → Chapter 39: Writing Effective Pentest Reports
Presentation:
Offer a debrief call or presentation to walk through findings - Prepare a separate slide deck for board-level presentation (5-10 slides) - Be prepared to answer questions and provide additional context - Bring the tester(s) who did the work --- they know the details best → Chapter 39: Writing Effective Pentest Reports
Prevention:
Implement automated patch management with rapid deployment for critical kernel vulnerabilities - Use grsecurity or PaX kernel hardening patches where possible - Enable kernel live-patching (kpatch/livepatch) for zero-downtime security updates - Deploy SELinux or AppArmor in enforcing mode to limit e → Case Study 1: Dirty COW (CVE-2016-5195)
Privacy Implications:
Confirming that a patient's medical record was used to train MedSecure's diagnostic model reveals that the patient is a MedSecure client - Confirming that specific financial transactions trained ShopStack's fraud model reveals business relationships - In aggregate, membership inference can reconstru → Chapter 33: AI and Machine Learning Security
Privilege Escalation:
From each foothold, attempt to escalate privileges to SYSTEM/root on the compromised host. - On Windows systems: check for unquoted service paths, writable service binaries, SeImpersonate/SeAssignPrimaryToken privileges, cached credentials, and local admin password reuse. - On Linux systems: check f → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
procedures
the exact implementations that known threat groups have used. For example, APT29 (Cozy Bear) has been observed using T1566.001 (Spearphishing Attachment) by sending emails with malicious PDF attachments exploiting Adobe Reader vulnerabilities. → Chapter 2: Threat Landscape and Attack Taxonomy
Process Injection (T1055):
Use `malfind` to identify injected code regions - Compare `pslist` and `psscan` for hidden processes - Look for `PAGE_EXECUTE_READWRITE` memory regions not backed by files - Check for unusual DLL loads in process memory → Chapter 37: Incident Response and Digital Forensics
Professional communication guidelines:
Be patient. Triage teams handle hundreds of reports. Response times vary. - Be respectful. Even if you disagree with a severity assessment, communicate professionally. - Provide additional context when requested promptly and thoroughly. - If a report is marked as duplicate, accept it gracefully. Ask → Chapter 36: Bug Bounty Hunting
Programmable Logic Controllers (PLCs)
Industrial computers that control physical processes based on programmed logic. PLCs read sensor inputs, execute logic, and control actuators. → Chapter 31: IoT and Embedded Systems Hacking
Prompt injection is the top LLM vulnerability
LLMs cannot reliably distinguish between developer instructions and attacker instructions, making prompt injection a systemic challenge for all LLM applications. → Chapter 33: AI and Machine Learning Security
Windows Sysinternals tool for remote command execution. NotPetya included a lightweight PsExec implementation that created remote services. - **WMI (Windows Management Instrumentation)** — Used to execute the payload on remote systems without creating new services, leaving fewer artifacts. → Case Study 13.1: NotPetya — Lateral Movement That Brought Global Shipping to Its Knees
Purposefully vulnerable AD labs:
**GOAD (Game of Active Directory):** Multi-domain vulnerable AD lab - **Vulnerable-AD:** PowerShell script to create a vulnerable AD - **DetectionLab:** Comprehensive lab with logging and monitoring - **BadBlood:** Fills an AD with realistic but intentionally vulnerable data → Chapter 17: Active Directory Attacks
PwnKit-Specific Defenses:
Implement automated patch management for all systems, including non-production - Remove SUID bits from binaries that are not strictly necessary - Monitor for new SUID binaries appearing on systems - Use file integrity monitoring for critical system binaries → Case Study 2: PwnKit (CVE-2021-4034) and Container Escapes in Production
Q
Quality Assurance:
Four-stage review: self-review, peer review, technical lead review, final edit - Common deficiencies include vague findings, missing business impact, inconsistent ratings, and poor evidence - Secure delivery with encryption and separate password channel - Debrief presentation with both executive and → Chapter 39: Writing Effective Pentest Reports
Security news and research (technical, professional) - **r/AskNetsec** — Questions about security careers and learning - **r/HowToHack** — Beginner-friendly hacking questions - **r/oscp** — OSCP preparation discussion and tips - **r/bugbounty** — Bug bounty hunting discussion - **r/cybersecurity** — → Resource Directory
Rapid7 Acquisition (2009)
Rapid7, a security analytics company, acquired the Metasploit Project and hired Moore as Chief Security Officer. This provided dedicated funding and development resources while keeping the framework open source. Rapid7 built commercial products (Metasploit Pro, Metasploit Express) on top of the open → Case Study 12.2: Zerologon (CVE-2020-1472) and the Origin Story of Metasploit
Rate Limiting and Abuse:
Identify endpoints that lack rate limiting, particularly login, password reset, coupon code validation, and search. - Test whether rate limits are per-user, per-IP, per-API-key, or global. Can you bypass rate limits by rotating API keys or using the GraphQL endpoint instead of REST? → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
RDP Hijacking
On a compromised system with SYSTEM privileges, an attacker can hijack existing RDP sessions without knowing the user's password: → Chapter 13: Network-Based Attacks
React (ShopStack Frontend):
JSX automatically escapes values rendered in templates - `dangerouslySetInnerHTML` is explicitly named to discourage use - Component-based architecture limits global DOM manipulation → Chapter 18: Web Application Security Fundamentals
Real-World Bug Hunting
Peter Yaworski. Case studies of real bug bounty findings with technical details. Complements Chapter 36. → Resource Directory
Real-world examples:
`crossenv` (malicious) vs. `cross-env` (legitimate) -- The malicious npm package stole environment variables - `python3-dateutil` (malicious) vs. `python-dateutil` (legitimate) -- Contained cryptocurrency mining code - `jeIlyfish` (malicious, with uppercase I) vs. `jellyfish` (legitimate) -- Stole S → Chapter 34: Supply Chain Security
Real-World Poisoning Scenarios:
**Web-Scraped Training Data:** Models trained on data scraped from the internet can be poisoned by anyone who publishes content online. Researchers have demonstrated "data poisoning at scale" by manipulating Wikipedia edits, web pages, and image hosting sites. - **Crowdsourced Labels:** If training → Chapter 33: AI and Machine Learning Security
Recognize Warning Signs:
Dreading work you used to enjoy - Feeling like you can never keep up - Comparing yourself negatively to others in the community - Working nights and weekends consistently without choice - Losing interest in learning new things → Chapter 41: Career Paths and Continuous Learning
Recommended starter VMs from VulnHub:
**Kioptrix Level 1:** Classic beginner VM with straightforward vulnerabilities - **Mr. Robot:** Themed after the TV show; good for web application and Linux privilege escalation - **DC series (DC-1 through DC-9):** Progressive difficulty, great for building methodology - **HackLAB: Vulnix:** Good fo → Chapter 3: Setting Up Your Hacking Lab
Recommended Study Resources:
Professor Messer's free Security+ video course (YouTube) - CompTIA CertMaster Practice (official practice exams) - Jason Dion's Security+ course on Udemy - The official CompTIA Security+ Study Guide (Sybex) → Certification Roadmap
Reconnaissance
Gathering information to plan an attack 2. **Resource Development** — Establishing resources to support operations 3. **Initial Access** — Gaining an initial foothold in the target environment 4. **Execution** — Running adversary-controlled code 5. **Persistence** — Maintaining access across restart → Chapter 2: Threat Landscape and Attack Taxonomy
Reconnaissance:
Photograph building exteriors, entrances, and security measures - Identify security cameras, guards, badge readers, and access control systems - Observe employee behavior patterns (smoking areas, lunch patterns, door propping) - Research building layouts using public sources (fire evacuation plans, → Chapter 35: Red Team Operations
Recovery (Day 5-10):
Affected workstations rebuilt from clean images - Data restored from clean backups (verified pre-compromise) - Enhanced monitoring deployed (Sysmon, increased log retention, new SIEM rules) - Gradual service restoration with validation → Chapter 37: Incident Response and Digital Forensics
Red Flags:
"We just need a quick scan" (they may not understand what penetration testing involves) - "Our last tester found nothing" (either their last tester was not thorough, or they have unrealistic expectations) - "We don't have budget for more than two days" (the scope may be too small for meaningful test → Chapter 38: Penetration Testing Methodology and Standards
Red Team Development and Operations
Joe Vest, James Tubberville. Comprehensive red team operations guide. Complements Chapter 35. → Resource Directory
Red teaming is appropriate when:
Your security program is mature enough to benefit from adversary simulation - You want to test your Security Operations Center (SOC) detection capabilities - You need to evaluate incident response procedures under realistic conditions - Leadership needs to understand the real-world risk from specifi → Chapter 35: Red Team Operations
Redaction:
Redact real IP addresses, hostnames, and domain names in client reports - Redact actual data (patient records, credit card numbers, passwords) - Use consistent redaction (black bars, [REDACTED] text) --- be thorough - Never redact the vulnerability itself; redact only sensitive data → Chapter 39: Writing Effective Pentest Reports
Reddit:
r/netsec (technical security research and news) - r/AskNetsec (career and technical questions) - r/oscp (OSCP preparation and tips) - r/hacking (general, mixed quality) - r/cybersecurity (broad cybersecurity discussion) → Chapter 41: Career Paths and Continuous Learning
Redirector Design:
Design traffic redirectors that sit between implants and the C2 team server. These redirectors serve to: - Obscure the team server's true IP address. - Filter out security researcher scanning traffic. - Provide geographic plausibility (if targeting a US company, redirectors should have US IP address → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Unauthorized push access allowing image replacement - Missing vulnerability scan enforcement (images with critical CVEs deployed) - Tag mutability allowing image substitution after scanning - Registry credentials stored insecurely in pipeline configurations → Chapter 32: Container and Kubernetes Security
Regulatory Landscape:
Financial services regulations (GLBA, FFIEC, NY DFS) have become increasingly prescriptive about security testing - Healthcare regulations (HIPAA, HITECH, FDA) drive testing in the healthcare and medical device sectors - Government regulations (CMMC, FedRAMP, FISMA) require testing for contractors a → Chapter 40: Security Compliance and Governance
Relevant Control Families for Penetration Testing:
**CA (Assessment, Authorization, and Monitoring):** CA-8 specifically requires penetration testing - **RA (Risk Assessment):** RA-5 requires vulnerability scanning; RA-3 requires risk assessment - **SI (System and Information Integrity):** SI-2 requires flaw remediation → Chapter 40: Security Compliance and Governance
Reliability
Will the exploit work consistently, or does it depend on specific memory layouts, timing, or environmental conditions? ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) can make memory corruption exploits unreliable. - **Stability** — Will the exploit crash the target ser → Chapter 12: Exploitation Fundamentals and the Metasploit Framework
Remediation Roadmap:
[ ] All findings appear in the roadmap - [ ] Priorities are logical (Critical first, then High, etc.) - [ ] Estimated effort figures are realistic - [ ] Team ownership assignments are reasonable → Chapter 39: Writing Effective Pentest Reports
Remediation:
Recommendations must be specific, actionable, prioritized, realistic, and layered - Organize by team responsibility (development, operations, management) - Provide a consolidated remediation roadmap with priorities and timelines - Always recommend verification testing after remediation → Chapter 39: Writing Effective Pentest Reports
Report Structure:
A professional report follows a consistent structure: cover page, document control, executive summary, scope/methodology, findings summary, technical findings, remediation roadmap, and appendices - Reports typically range from 40-80 pages for a standard engagement - PDF is the standard delivery form → Chapter 39: Writing Effective Pentest Reports
A 2023 study found that GPT-4-generated spear phishing emails achieved click-through rates 60% higher than human-written equivalents - AI phishing emails showed better grammar, more convincing pretexts, and more effective personalization - AI-generated vishing (voice phishing) scripts were rated as → Chapter 33: AI and Machine Learning Security
Resolution and Clarity:
Capture at a resolution that remains readable when printed or viewed at 100% - Use a consistent screenshot tool (Flameshot on Linux, Greenshot on Windows) - If capturing terminal output, increase the font size before capturing → Chapter 39: Writing Effective Pentest Reports
Compiled resources including strings, layouts, and configuration values. String resources often contain API endpoints, configuration values, and sometimes hardcoded credentials. → Chapter 30: Mobile Application Security
When you find vulnerabilities in real products, report them responsibly - Follow coordinated disclosure practices - Help vendors understand and fix the issues you find - Contribute to a safer internet for everyone → Chapter 41: Career Paths and Continuous Learning
The foundation layer. Rex provides fundamental functionality: socket handling, protocol implementations (HTTP, SMB, SSH), encoding/decoding utilities, and SSL/TLS support. You rarely interact with Rex directly, but it underpins everything else. → Chapter 12: Exploitation Fundamentals and the Metasploit Framework
Risk Management:
NIST CSF 2.0 provides six core functions (Govern, Identify, Protect, Detect, Respond, Recover) for organizing security programs - CIS Controls offer a prioritized implementation path, with Control 18 specifically addressing penetration testing - NIST SP 800-53 provides detailed security controls use → Chapter 40: Security Compliance and Governance
Risk Ratings:
CVSS provides standardized numerical scores - Risk matrices that combine technical severity with business impact provide better context - Always contextualize risk ratings for the specific client and environment - Include the full CVSS vector string for transparency → Chapter 39: Writing Effective Pentest Reports
Russian intelligence service (SVR) - Sophisticated tradecraft with emphasis on stealth - Two-day evaluation simulating a targeted intrusion - Day 1: Initial compromise, discovery, privilege escalation, credential access - Day 2: Lateral movement, collection, exfiltration - 21 vendors participated → Case Study 35.1: MITRE ATT&CK Evaluations — How Vendors Perform Against Real APT Techniques
Leveraging vulnerabilities in hotel network equipment to gain administrative access - **Rogue access point deployment** — In some cases, physically placing rogue APs in hotel common areas - **ISP-level compromise** — Evidence suggests some attacks involved compromise of the hotel's internet service → Case Study 13.2: Darkhotel APT — Man-in-the-Middle Attacks in Luxury Hotels
Rtfm: Red Team Field Manual
Ben Clark. Quick-reference command guide for pentesters. Keep on your desk during engagements. → Resource Directory
Rules of Engagement:
RoE documents are the single most important protection for both tester and client - They must cover authorization, scope, parameters, communication, emergencies, and data handling - "Get-out-of-jail-free" letters protect testers during physical assessments - Authorization must come from someone with → Chapter 38: Penetration Testing Methodology and Standards
Deploy Falco or similar runtime security monitoring - Alert on container escapes, privilege escalation attempts, and anomalous network activity - Implement image scanning in CI/CD pipelines - Use distroless or scratch base images to minimize attack surface → Case Study 2: PwnKit (CVE-2021-4034) and Container Escapes in Production
A random value (the "salt") is prepended or appended to the password before hashing. This ensures that identical passwords produce different hashes, defeating precomputed rainbow tables. Each user should have a unique salt. → Chapter 14: Password Attacks and Authentication Bypass
SBOM formats:
**SPDX (Software Package Data Exchange):** ISO/IEC 5962:2021 standard. Originally focused on license compliance, now expanded to security. - **CycloneDX:** OWASP standard designed specifically for security use cases. Supports vulnerability attribution, services, and formulation (build process docume → Chapter 34: Supply Chain Security
By mid-2023, thousands of unique jailbreak prompts had been cataloged - OpenAI acknowledged spending significant engineering resources on safety training and filtering - Every major LLM provider (Google, Anthropic, Meta, Microsoft) faced similar challenges - The HackAPrompt competition at EMNLP 2023 → Case Study 1: ChatGPT Prompt Injection Attacks and Adversarial Patches Fooling Autonomous Vehicles
Scaling Challenges:
Finding and retaining qualified testers (the talent market is extremely competitive) - Maintaining quality consistency as the team grows - Balancing utilization (revenue-generating work) with business development - Managing client expectations across multiple simultaneous engagements - Navigating th → Chapter 41: Career Paths and Continuous Learning
Scanner configuration:
Enable credentialed checks for maximum coverage - Configure appropriate scan policies (aggressive for dev/staging, careful for production) - Set appropriate timing and parallelism to avoid network congestion - Enable compliance checks if relevant (PCI DSS, HIPAA, CIS Benchmarks) - Configure output f → Chapter 11: Vulnerability Assessment
Scanning activities include:
**Network scanning:** Identifying live hosts, open ports, and running services (tools: Nmap, Masscan) - **Vulnerability scanning:** Identifying known vulnerabilities in discovered services (tools: Nessus, OpenVAS, Qualys) - **Web application scanning:** Identifying web-specific vulnerabilities like → Chapter 1: Introduction to Ethical Hacking
Scope
Exactly which systems, networks, and applications are in scope - **Timing** — When testing may occur (business hours, after hours, maintenance windows) - **Techniques** — Which exploitation techniques are permitted (e.g., denial of service may be prohibited) - **Data handling** — How sensitive data → Chapter 12: Exploitation Fundamentals and the Metasploit Framework
Scope and Methodology:
[ ] All in-scope targets are listed with correct IPs/hostnames - [ ] Out-of-scope items are documented - [ ] Testing dates and windows match actual engagement - [ ] Methodology is clearly described - [ ] Limitations and constraints are documented - [ ] Tools used are listed (including version number → Chapter 39: Writing Effective Pentest Reports
Scope definition
specifies exactly which systems can be tested; important in healthcare because some medical devices could endanger patients if disrupted. (2) **Testing windows** — defines when testing can occur; critical in healthcare where 24/7 operations support patient care. (3) **Data handling procedures** — sp → Chapter 1: Quiz — Introduction to Ethical Hacking
Scope Definition:
In-scope IP addresses, domains, URLs, and applications (explicit listing) - Out-of-scope items (with reasons) - Any systems that require special handling (fragile systems, production databases) → Chapter 38: Penetration Testing Methodology and Standards
Searching CT logs:
**crt.sh**: Free web interface for CT log searching. Query `%.medsecure.com` to find all certificates. - **Censys**: Provides CT data along with host scanning data. More powerful search syntax. - **CertStream**: Real-time certificate transparency log monitoring. Useful for monitoring a target over t → Chapter 7: Passive Reconnaissance and OSINT
Kubernetes Secrets are base64-encoded, not encrypted by default. Proper Secrets management requires encryption at rest, external secret stores, and strict RBAC controls. → Chapter 32: Container and Kubernetes Security
Section 1030(a)(5) — Damaging a Computer
(A) Knowingly causing the transmission of a program, information, code, or command that intentionally causes damage. Penalty: Up to 10 years. - (B) Intentionally accessing a protected computer without authorization and recklessly causing damage. Penalty: Up to 5 years. - (C) Intentionally accessing → Legal Reference
Secure Delivery:
Encrypt the report (password-protected PDF or PGP-encrypted email) - Send the password via a separate channel (SMS, phone call) - Verify the recipient's identity before sending - Use secure file transfer if the report is too large for email → Chapter 39: Writing Effective Pentest Reports
Security Benefits of Service Meshes:
Automatic mTLS encrypts all inter-service traffic - Fine-grained access policies control which services can communicate - Traffic is observable through the mesh's telemetry - Certificate rotation is automated → Chapter 32: Container and Kubernetes Security
Security Characteristics of GraphQL:
**Single Endpoint:** Typically `/graphql`, making traditional URL-based security rules ineffective. - **Client-Controlled Queries:** Clients determine what data to fetch, creating excessive data exposure risks if the schema exposes sensitive fields. - **Introspection:** GraphQL's built-in schema int → Chapter 23: API Security Testing
Security Characteristics of gRPC:
**Binary Protocol:** Protocol Buffers are binary-encoded, making manual inspection difficult but not impossible. - **HTTP/2 Transport:** Multiplexed streams, header compression, and server push create unique attack surfaces. - **Strong Typing:** Schema enforcement reduces some injection attacks but → Chapter 23: API Security Testing
Security Characteristics of REST APIs:
**Stateless:** Each request must contain all information needed for authentication and authorization. Session state is not maintained server-side (in pure REST). - **Resource-Oriented:** Authorization must be enforced per resource and per method. A user authorized to GET a resource may not be author → Chapter 23: API Security Testing
**Dual-stack configurations:** Many networks run both IPv4 and IPv6 simultaneously. Security controls that only monitor IPv4 traffic can be bypassed by using IPv6. This is a common oversight in corporate networks. - **Auto-configuration (SLAAC):** IPv6 hosts can auto-configure their addresses using → Chapter 6: Networking Fundamentals for Hackers
Security Maturity:
Maturity models help calibrate testing approach and recommendations - Low-maturity organizations need basic testing and foundational recommendations - High-maturity organizations benefit from continuous testing, red teaming, and metrics-driven approaches → Chapter 40: Security Compliance and Governance
Security Monitoring:
Splunk Enterprise Security as SIEM, ingesting logs from: CrowdStrike, Palo Alto firewalls, Zscaler, Azure AD, AWS CloudTrail, Proofpoint, CyberArk, and application logs. - CrowdStrike Falcon for endpoint detection and response. - Recorded Future for threat intelligence feeds integrated into Splunk. → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Security Risks of Service Meshes:
Increased attack surface through additional control plane components - Misconfigured policies may allow unauthorized access - Sidecar injection mechanisms can be exploited - The mesh's certificate authority is a high-value target - Permissive mode (allowing non-mTLS traffic) undermines the security → Chapter 32: Container and Kubernetes Security
Windows Active Directory domain (MEDSECURE.LOCAL) with approximately 200 servers - Windows Server 2019 for most production workloads - Several Windows Server 2012 R2 systems running legacy applications (known issue, migration planned) - Ubuntu 22.04 LTS for Linux workloads - Two CentOS 7 servers run → Chapter 1: Introduction to Ethical Hacking
Set Boundaries:
Define "off" hours where you do not read security news or practice - Do not feel obligated to know every new CVE the day it drops - Quality of learning matters more than quantity - It is acceptable to not have an opinion on every security topic → Chapter 41: Career Paths and Continuous Learning
Shimcache / Amcache:
**Shimcache (AppCompatCache):** Records executables that Windows evaluated for compatibility. Located in SYSTEM registry hive. - **Amcache (Amcache.hve):** Records information about executed programs, including SHA-1 hashes and file paths. → Chapter 37: Incident Response and Digital Forensics
ShopStack
serve as running examples throughout the entire book. You'll conduct reconnaissance on MedSecure in Part 2, exploit ShopStack's web application in Part 4, and deliver complete engagement reports in Part 8. By the end, you'll have followed the full lifecycle of realistic penetration tests. → Preface
ShopStack Examples:
Default credentials on the PostgreSQL admin interface - Directory listing enabled on the static file server - Stack traces exposed in production error responses - Unnecessary HTTP methods enabled (PUT, DELETE on static resources) - S3 buckets with public read access → Chapter 18: Web Application Security Fundamentals
**Cosign:** Signs and verifies container images and other artifacts - **Fulcio:** Certificate authority that issues short-lived certificates based on OIDC identity (e.g., Google account, GitHub identity) - **Rekor:** Transparency log that records all signing events, enabling public verification and → Chapter 34: Supply Chain Security
Silver Ticket Advantages:
Stealthier than Golden Ticket (no DC interaction) - Harder to detect (no TGT request logged on DC) - Useful for targeting specific services → Chapter 17: Active Directory Attacks
CTFs develop problem-solving and expose you to new techniques - Lab platforms (HTB, THM, Proving Grounds) provide continuous practice - A home lab that grows with your skills is an essential long-term investment - Deliberate practice --- identifying weaknesses and targeting them --- beats random pra → Chapter 41: Career Paths and Continuous Learning
Single, clear risk rating with visual (traffic light, gauge, or similar) - One-sentence summary of what the rating means for the business - Comparison to previous assessment or industry benchmark → Chapter 39: Writing Effective Pentest Reports
Slide 3-4: Top Risks
Three to five highest-impact findings - Each described in business terms: what data is at risk, what could happen, estimated financial impact - No technical details --- save those for the report → Chapter 39: Writing Effective Pentest Reports
Slide 5: Risk Trend
If this is a recurring engagement, show trend over time - Chart showing findings by severity across assessments - Are things getting better, staying the same, or getting worse? → Chapter 39: Writing Effective Pentest Reports
Slide 6: Remediation Roadmap
Prioritized actions with timelines and estimated costs - Categorized into immediate, short-term, and medium-term - Assigned to teams or functions → Chapter 39: Writing Effective Pentest Reports
Slide 7: Investment Recommendation
What budget is needed for remediation? - What is the cost of inaction? (regulatory fines, breach costs, operational disruption) - Frame as risk reduction per dollar invested → Chapter 39: Writing Effective Pentest Reports
SMB Attack Surface:
**EternalBlue (CVE-2017-0144):** The vulnerability exploited by WannaCry and NotPetya. This SMBv1 vulnerability allowed remote code execution and was one of the most devastating exploits in history. - **SMB Relay Attacks:** An attacker intercepts SMB authentication traffic and relays it to another s → Chapter 6: Networking Fundamentals for Hackers
SMBv1 must be disabled
there is no legitimate reason to run this protocol on modern networks > - **Detection speed matters** — even minutes of delay in detection allows exponential spread > - **Resilience planning** must assume total IT failure — paper-based procedures, communication alternatives, and tested recovery plan → Case Study 13.1: NotPetya — Lateral Movement That Brought Global Shipping to Its Knees
SNMP Attacks:
**Community String Guessing:** Testing for default or weak community strings. - **Information Disclosure:** SNMP can expose system information, network configuration, and even credentials. - **Configuration Modification:** With read-write access (the "private" community string), an attacker can modi → Chapter 6: Networking Fundamentals for Hackers
SNMP Versions:
**SNMPv1:** No encryption, community string in plaintext - **SNMPv2c:** Still no encryption, community string in plaintext - **SNMPv3:** Supports authentication and encryption → Chapter 10: Scanning and Enumeration
SOC 2 Penetration Testing Best Practices:
Conduct testing at least annually - Include both internal and external testing - Test all components of the in-scope system - Demonstrate that findings were tracked to remediation - Show that testing methodology aligns with recognized standards → Chapter 40: Security Compliance and Governance
Social engineering
Convincing the user or helpdesk to register a new token - **Downgrade attacks** — Forcing fallback to weaker authentication methods - **Recovery code theft** — Many MFA implementations provide backup/recovery codes that are stored insecurely → Chapter 14: Password Attacks and Authentication Bypass
Social engineering and credential theft:
SIM swapping to bypass MFA (convincing mobile carriers to transfer a victim's phone number to an attacker-controlled SIM) - Purchasing stolen credentials from dark web marketplaces - Searching public code repositories (GitHub) for inadvertently committed credentials - Calling helpdesks and using soc → Case Study 2.2: Colonial Pipeline Ransomware Attack and the Lapsus$ Group
Social engineering resilience:
Employee awareness of social engineering tactics - Willingness to challenge unknown individuals - Adherence to visitor escort policies - Reporting of suspicious behavior → Chapter 35: Red Team Operations
Compromising developer accounts or source repositories 2. **Dependency injection** -- Introducing malicious packages into the dependency tree 3. **Build system compromise** -- Tampering with build processes to inject code during compilation 4. **Distribution channel manipulation** -- Altering artifa → Chapter 34: Supply Chain Security
Source Control Risks:
Secrets committed to repositories (even in history after removal) - Branch protection bypass allowing malicious Dockerfile modifications - Dependency confusion in package managers referenced by Dockerfiles - Webhook hijacking to trigger unauthorized builds → Chapter 32: Container and Kubernetes Security
Sources for Organizational Mapping:
**LinkedIn**: Search for "[Company Name]" and filter by current employees. LinkedIn reveals titles, departments, reporting relationships (based on title hierarchy), and tenure. - **Company website**: "About Us," "Our Team," and "Leadership" pages often list executives and key personnel. - **SEC fili → Chapter 9: Social Engineering Reconnaissance
Spearphishing Campaign Design:
**Target Selection:** Identify 5–10 FinanceForward employees to target based on role, access level, and susceptibility indicators. Justify each selection. - **Pretext Development:** Design a plausible phishing pretext that aligns with FinanceForward's business context. APT29 has used pretexts includ → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Special Addresses:
**127.0.0.0/8:** Loopback addresses. 127.0.0.1 (localhost) is the most commonly used. - **169.254.0.0/16:** Link-local addresses (APIPA). If a host cannot obtain an address via DHCP, it will auto-assign an address in this range. Finding these addresses during a scan indicates DHCP issues. - **0.0.0. → Chapter 6: Networking Fundamentals for Hackers
Specific Tests to Attempt:
Register two merchant accounts and verify complete session isolation between them. - Capture a JWT token, decode it, identify the signing algorithm, and check whether the secret is weak enough to crack offline. - Attempt to use a merchant's API key to access the merchant dashboard endpoints intended → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
Classic web application vulnerabilities. - **Deserialization Attacks** — Exploiting insecure deserialization of user-supplied data. - **Server-Side Request Forgery (SSRF)** — Causing a server to make requests to unintended locations. → Chapter 12: Exploitation Fundamentals and the Metasploit Framework
SRD program constraints:
Devices remain Apple's property and must be returned - Researchers must sign a research agreement - Research must be reported to Apple before public disclosure - Devices are for security research only, not personal use - Physical security requirements for the device - Annual renewal required → Case Study 36.2: Google VRP $12M+ Payouts and Apple Security Research Device Program
SSRF + Cloud metadata = Remote Code Execution
Find an SSRF vulnerability - Access the cloud provider's metadata service (169.254.169.254) - Retrieve IAM role credentials - Use the credentials to access cloud resources (S3, Lambda, EC2) → Chapter 36: Bug Bounty Hunting
SSRF to Cloud Metadata:
Any SSRF vulnerability discovered in Target Area 2 should be tested for access to the AWS Instance Metadata Service (IMDS) at `http://169.254.169.254/`. - If IMDS v1 is accessible (no token required), retrieve IAM role credentials and document what those credentials can access. - Check whether the L → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
Begin with VDPs (no monetary reward but low pressure) - Move to public programs with broad scope - Focus on one vulnerability type until you can find it consistently - Submit reports even for low-severity findings to build reputation → Chapter 36: Bug Bounty Hunting
Stay within scope
the authorization document defines your legal boundaries 3. **Document everything** — your activity log is your defense if questioned 4. **Understand that the CFAA applies to both criminal prosecution and civil lawsuits** — a client or third party can sue you under the CFAA even if the government do → Legal Reference
Step 1: Reconnaissance
Identify the LLM provider and model version - Map the application's functionality and tool integrations - Understand what data the LLM has access to - Identify input/output validation mechanisms → Chapter 33: AI and Machine Learning Security
Step 3: Boundary Testing
Test content policy bypasses - Attempt to access restricted functionality - Try to make the LLM generate harmful or unauthorized content - Test for information disclosure from training data → Chapter 33: AI and Machine Learning Security
Step 5: Indirect Injection Testing
If the LLM processes external data (URLs, documents, emails), embed adversarial instructions in those sources - Test whether the LLM follows injected instructions in retrieved content → Chapter 33: AI and Machine Learning Security
Strengths of OSSTMM:
Quantitative metrics (rav) provide measurable, comparable results - Channel-based approach ensures comprehensive coverage beyond just networks - Focuses on operational security rather than vulnerability counting - Strong emphasis on testing repeatability and verifiability → Chapter 38: Penetration Testing Methodology and Standards
Strengths of PTES:
Comprehensive coverage of the entire engagement lifecycle - Explicit inclusion of threat modeling and post-exploitation - Defined skill levels (Level 1 through Level 3) that help scope effort - Technical guidelines that complement the methodology with specific tool usage → Chapter 38: Penetration Testing Methodology and Standards
Strengths of the OWASP Testing Guide:
Extremely detailed, prescriptive test cases for web applications - Regularly updated by a large community of contributors - Directly maps to the OWASP Top 10 and ASVS - Tool-agnostic: describes techniques rather than prescribing specific tools - Free and open source → Chapter 38: Penetration Testing Methodology and Standards
[ ] Cover page has correct client name, engagement dates, and classification - [ ] Document control section has current version number, author, and reviewer - [ ] Table of contents matches actual headings and page numbers - [ ] All section numbers are sequential and consistent - [ ] Headers, fonts, → Chapter 39: Writing Effective Pentest Reports
Structure your notes by:
Date - Target (what machine/application you were testing) - Objective (what you were trying to achieve) - Steps taken (commands, tools, techniques) - Results (what worked, what did not) - Lessons learned (what you would do differently) → Chapter 3: Setting Up Your Hacking Lab
Student Home Lab
the environment you are building right now. While MedSecure and ShopStack are fictional scenarios for discussion, your home lab is real. It is where you will practice every technique, verify every concept, and build the hands-on skills that separate theoretical knowledge from practical capability. → Chapter 3: Setting Up Your Hacking Lab
Subdomain Takeover:
Enumerate ShopStack subdomains (merchant storefronts, API endpoints, development environments). - Check for CNAME records pointing to deprovisioned cloud services (Heroku, GitHub Pages, S3, Azure) that could be claimed by an attacker. → Capstone Project 2: Bug Bounty Simulation — ShopStack E-Commerce
Supply Chain Attack Design:
Design a supply chain attack vector targeting FinanceForward's CI/CD pipeline: - Option A: Compromise a GitHub Actions workflow by injecting a malicious step through a pull request to a public dependency. - Option B: Dependency confusion attack against FinanceForward's internal Python or npm package → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Supply chain OSINT techniques:
**Job postings**: "Experience with [vendor product] required" reveals vendor relationships - **Press releases**: Partnership announcements, implementation case studies - **Conference presentations**: Vendor-sponsored talks often feature customer success stories - **DNS records**: Domain verification → Chapter 7: Passive Reconnaissance and OSINT
Supply chain security
**Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure** - **Policies and procedures to assess the effectiveness of cybersecurity risk-management measures** → Chapter 40: Security Compliance and Governance
Attackers already have these capabilities; tools like Metasploit ensure defenders can match them - Open-source tools are auditable and trustworthy, unlike underground tools that may be backdoored - Education requires accessible tools - The alternative—security through obscurity—has never worked → Case Study 12.2: Zerologon (CVE-2020-1472) and the Origin Story of Metasploit
Surveillance and reconnaissance:
Covert cameras for documenting security gaps - Directional microphones (where legally permitted) - Wi-Fi analysis tools for identifying nearby networks - Bluetooth scanners for identifying devices → Chapter 35: Red Team Operations
Modifying features within plausible ranges to evade fraud detection - Crafting inputs that exploit feature importance biases in tree-based models → Chapter 33: AI and Machine Learning Security
Target Research (Simulated OSINT):
Create a target profile based on the organizational information provided. In a real engagement, you would conduct passive reconnaissance; for this capstone, work from the scenario description and hypothesize what additional intelligence OSINT would yield. - Identify high-value targets for social eng → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Bug bounty income is taxable in most jurisdictions - Platform payments may or may not include tax withholding - International researchers may face additional tax complexity - Keep detailed records of expenses (tools, equipment, training, internet) - Consult a tax professional familiar with freelance → Chapter 36: Bug Bounty Hunting
Technical Accuracy:
[ ] All IP addresses and hostnames are correct (verify against scope) - [ ] All URLs are correct and properly formatted - [ ] Code examples are syntactically correct - [ ] Tool output has not been altered (only cleaned for readability) - [ ] No client data from a different engagement appears in this → Chapter 39: Writing Effective Pentest Reports
Technical Appendices:
Detailed tool output and command logs - Indicators of Compromise (IOCs) from the engagement - Network diagrams of attack paths - Raw ATT&CK Navigator layers → Chapter 35: Red Team Operations
Technical Controls:
Deploy deepfake detection tools for voice and video communications - Implement email authentication (SPF, DKIM, DMARC) to prevent domain spoofing - Use digital signatures for sensitive communications - Monitor for impersonation attempts → Chapter 9: Social Engineering Reconnaissance
Technical evaluation:
How does the vendor distribute updates? - What access does the vendor have to your environment? - How does the vendor handle your data? - What is the vendor's vulnerability disclosure and patching process? - Does the vendor provide SBOMs for their products? → Chapter 34: Supply Chain Security
Technical Factors:
**No Rate Limiting:** Duo Security (at the time) did not limit the number of push notifications within a time window - **No Number Matching:** The push notification asked only to "approve" or "deny" — it did not require the user to enter a number displayed on the login screen - **No Context Informat → Case Study 2: The Uber MFA Fatigue Attack — When Lapsus$ Bypassed Multi-Factor Authentication
Temporal Metrics (change over time):
Exploit Code Maturity: How developed available exploit code is - Remediation Level: What type of fix is available - Report Confidence: How well-validated the vulnerability is → Chapter 11: Vulnerability Assessment
Testing Approach:
Test every endpoint with different privilege levels - Attempt Insecure Direct Object Reference (IDOR) by manipulating identifiers - Check for missing function-level access controls on admin endpoints - Verify that CORS policies are properly restrictive → Chapter 18: Web Application Security Fundamentals
Testing checklist:
Are credentials stored in plaintext in SharedPreferences/NSUserDefaults? - Is the local database encrypted? What algorithm and key derivation? - Are sensitive files stored on external storage (world-readable on Android)? - Is data persisted in screenshots/snapshots when the app backgrounds? - Does t → Chapter 30: Mobile Application Security
Testing Considerations:
Never inject persistent XSS payloads in a production healthcare system - Use only non-destructive probes (console.log, unique string reflection) - Report immediately---healthcare XSS is a patient safety issue → Chapter 20: Cross-Site Scripting and Client-Side Attacks
Testing Parameters:
Testing hours and days (e.g., "Monday through Friday, 8 AM to 6 PM EST only") - Blackout periods (e.g., "No testing during end-of-month financial processing, March 28-31") - Permitted testing techniques (scanning, exploitation, social engineering, physical) - Prohibited actions (DoS testing, data de → Chapter 38: Penetration Testing Methodology and Standards
Testing Quality:
Pre-testing setup ensures tools work and documentation structures are in place - Structured phase-based testing with phase gates ensures complete coverage - Real-time documentation prevents evidence gaps and supports quality reporting - Daily QA checks, peer review, and scope compliance monitoring m → Chapter 38: Penetration Testing Methodology and Standards
Testing without written authorization
This ends careers and can result in prosecution. 2. **Exceeding scope** — If you find a path outside your authorized scope, document it and stop. 3. **Poor documentation** — Undocumented findings cannot be verified or remediated. 4. **Ignoring the basics** — Most breaches exploit simple failures (we → Chapter 1: Key Takeaways — Introduction to Ethical Hacking
Text Adversarial Examples:
Character-level perturbations (homoglyphs, invisible Unicode characters) - Word-level substitutions that preserve meaning to humans but fool NLP models - Sentence-level paraphrasing that evades content filters → Chapter 33: AI and Machine Learning Security
The Application Binary
A Mach-O executable compiled from Swift or Objective-C source code. iOS binaries are compiled to native ARM code and are significantly harder to decompile than Android's DEX bytecode. App Store binaries are encrypted with FairPlay DRM. → Chapter 30: Mobile Application Security
The Art of Deception
Kevin Mitnick. Social engineering from the perspective of a reformed hacker. Complements Chapters 9, 26. → Resource Directory
The Hacker Playbook 3
Peter Kim. Red team edition covering practical attack techniques with a focus on Active Directory environments. Complements Chapters 17, 35. → Resource Directory
Chris Anley et al. Binary exploitation and shellcode development. Complements Chapter 27. → Resource Directory
Things to Avoid:
Do not share confidential client information (even anonymized, the risk is not worth it) - Do not publicly disclose vulnerabilities without authorization - Do not exaggerate your accomplishments (the security community is small and will notice) - Do not engage in public disputes or negativity (it re → Chapter 41: Career Paths and Continuous Learning
Identify relevant threat actors and TTPs 2. **Red team exercise** -- Test detection and response against those TTPs 3. **Gap analysis** -- Identify detection and response gaps 4. **Purple team development** -- Build and validate new detections collaboratively 5. **Automated validation** -- Implement → Chapter 35: Red Team Operations
Threat intelligence
strategic, tactical, operational, and technical — transforms raw data about threats into actionable knowledge that makes penetration tests more realistic and valuable. → Chapter 2: Threat Landscape and Attack Taxonomy
Stop attacks before they reach the model - Input validation and preprocessing - Rate limiting and access control - Prompt armoring and instruction isolation (for LLMs) - Data provenance and integrity verification → Chapter 33: AI and Machine Learning Security
Tier 2: Robustness
Make the model resilient to attacks - Adversarial training - Certified defenses with provable guarantees - Ensemble methods that require attacking multiple models - Model hardening through distillation and regularization → Chapter 33: AI and Machine Learning Security
Tier 3: Detection and Response
Identify attacks in progress and respond - Anomaly detection on model inputs and outputs - Query pattern monitoring for extraction attempts - Model behavior drift detection - Incident response procedures for AI-specific incidents → Chapter 33: AI and Machine Learning Security
Time Comparison:
Human social engineer: ~30 minutes per personalized email - AI pipeline: ~30 seconds per personalized email (60x faster) - **Quality Assessment:** Blind evaluators rated AI-generated emails as more professional, contextually appropriate, and persuasive than the human baseline in 68% of comparisons. → Case Study 2: AI-Powered Phishing Studies and Model Extraction Attacks on ML APIs
Timeline:
Develop a week-by-week campaign timeline spanning 4–6 weeks. - Include key milestones: infrastructure ready, initial access attempt, persistence established, lateral movement, objective achieved. - Build in "quiet periods" that emulate APT29's patient operational tempo. → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
TLS Attacks:
**SSL Stripping:** Intercepting an HTTP-to-HTTPS redirect and keeping the connection on HTTP, enabling eavesdropping. HSTS (HTTP Strict Transport Security) mitigates this. - **Heartbleed (CVE-2014-0160):** A buffer over-read vulnerability in OpenSSL that allowed attackers to read up to 64KB of the s → Chapter 6: Networking Fundamentals for Hackers
Token Validation Flaws:
Token not validated at all (remove the parameter) - Token validated only if present (remove the parameter entirely) - Token not tied to session (use any valid token from any session) - Token reused across sessions (token never rotates) → Chapter 20: Cross-Site Scripting and Client-Side Attacks
Tools for monitoring paste sites:
**PasteHunter**: Automated monitoring of multiple paste sites for keywords - **Dumpster Diver**: Searches for secrets in files and URLs - **Google Dorking**: `site:pastebin.com "medsecure"` or `site:gist.github.com "medsecure"` → Chapter 7: Passive Reconnaissance and OSINT
Tools for Phishing Campaigns:
**GoPhish**: Open-source phishing framework with campaign management, email templates, and tracking - **King Phisher**: Full-featured phishing campaign toolkit - **Evilginx2**: Advanced phishing framework that can capture session tokens (bypassing 2FA) - **SET (Social Engineering Toolkit)**: Metaspl → Chapter 9: Social Engineering Reconnaissance
Tools:
Pacu: AWS exploitation framework - ROADtools: Azure AD enumeration - ScoutSuite: Multi-cloud security auditing - Prowler: AWS/Azure/GCP security assessment → Chapter 35: Red Team Operations
**Author signing:** The developer signs with their personal key - **Build system signing:** The CI/CD pipeline signs artifacts automatically - **Repository signing:** The package registry signs all hosted packages - **Notarization:** A third party (like Apple's notarization service) attests that cod → Chapter 34: Supply Chain Security
Types of phishing:
**Spear phishing:** Targeted emails crafted for specific individuals, often using personal information gathered from social media or previous breaches - **Whaling:** Spear phishing targeting senior executives ("big fish") - **Business Email Compromise (BEC):** Impersonation of executives or trusted → Chapter 2: Threat Landscape and Attack Taxonomy
email systems compromised - **U.S. Department of Commerce (NTIA)** — email monitoring confirmed - **U.S. Department of Homeland Security** — deeply compromised - **U.S. Department of State** — email and systems accessed - **National Nuclear Security Administration** — systems accessed - **FireEye** → Case Study 2.1: The SolarWinds Supply Chain Attack
Unauthenticated (External) Scanning:
Sees only what is exposed on the network - Identifies vulnerabilities in network-facing services - Misses local vulnerabilities (missing OS patches, local misconfigurations) - Faster, simpler setup - Simulates an external attacker's view → Chapter 11: Vulnerability Assessment
Understanding Business Context:
What is the client's industry and regulatory environment? - What triggered this engagement (compliance requirement, incident response, new deployment)? - What are the crown jewel assets --- the data or systems that would cause the most damage if compromised? - What is the client's security maturity → Chapter 38: Penetration Testing Methodology and Standards
Understanding RBAC Components:
**ServiceAccount** — Identity for pods - **Role / ClusterRole** — Defines permissions (verbs on resources) - **RoleBinding / ClusterRoleBinding** — Associates roles with subjects → Chapter 32: Container and Kubernetes Security
United States:
The Computer Fraud and Abuse Act (CFAA) criminalizes unauthorized computer access - Bug bounty programs provide explicit authorization, creating a legal safe harbor - The Department of Justice issued a 2022 policy stating that good-faith security research should not be prosecuted under the CFAA - Ho → Chapter 36: Bug Bounty Hunting
User-mode API hooking bypass:
Explain how EDRs hook user-mode API calls - Describe direct system call techniques - Explain syscall proxying (indirect syscalls) - Discuss the detection arms race → Chapter 35 Exercises: Red Team Operations
Using Bridged Adapter for target VMs
Exposes vulnerable systems to your physical network. 2. **Skipping BIOS virtualization settings** — VT-x/AMD-V must be enabled for VMs to work properly. 3. **Not taking snapshots** — A corrupted VM without a snapshot means starting over from scratch. 4. **Scanning outside the lab** — Even your home → Chapter 3: Key Takeaways — Setting Up Your Hacking Lab
System description and hostname - Network interface information and IP addresses - Routing tables - Running processes - Installed software - User accounts - TCP/UDP connection tables - ARP cache → Chapter 10: Scanning and Enumeration
Vendor/Third-Party
"I'm calling from [known vendor]. We need to update your account information for the new billing cycle." - "This is the building management company. We need access to the server room for a scheduled HVAC inspection." → Chapter 9: Social Engineering Reconnaissance
Verification:
Scan a known safe target to verify your tools work - Confirm that your scanning traffic appears in the client's logs (have the client verify) - Run a quick connectivity test to all in-scope targets → Chapter 38: Penetration Testing Methodology and Standards
Version Control:
Maintain a clear version history in the document control section - Every revision gets a new version number (1.0 = initial, 1.1 = minor correction, 2.0 = major revision) - Document what changed in each version and why - Maintain copies of all versions (never overwrite the original) → Chapter 39: Writing Effective Pentest Reports
Free and open source - Available for Windows, macOS, and Linux - Active community and extensive documentation - Slightly lower performance than VMware - Excellent for learning; used in many training courses (including OSCP) → Chapter 3: Setting Up Your Hacking Lab
Vishing Metrics:
**Call completion rate**: How many targets answered and completed the call without hanging up - **Information disclosure rate**: How many provided the requested information - **Escalation rate**: How many transferred the call to a supervisor or security team - **Average call duration**: Longer calls → Chapter 9: Social Engineering Reconnaissance
Visible Parameters:
URL query parameters: `?search=laptop&category=electronics&page=2` - POST body parameters: `{"username":"admin","password":"secret"}` - Path parameters: `/api/v2/products/42` (where 42 is a parameter) - Cookie values: `session=abc123` → Chapter 18: Web Application Security Fundamentals
Vulnerability Analysis
You research the vulnerability to understand its nature, severity, and exploitability. What type of flaw is it? Buffer overflow? Deserialization? Logic error? What prerequisites must be met? Does it require authentication? What is the attack vector? → Chapter 12: Exploitation Fundamentals and the Metasploit Framework
Vulnerability Correlation and Prioritization:
Map vulnerabilities to potential attack chains. A medium-severity SQL injection combined with a low-severity information disclosure may create a critical attack path. - Prioritize based on exploitability, impact, and relevance to MedSecure's threat model (healthcare-specific threats: ransomware, PHI → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
jQuery 3.3.1 (CVE-2020-11022, CVSS 6.1) - Express.js 4.17.1 (CVE-2022-24999, CVSS 7.5) - GraphQL introspection enabled (no CVE, information disclosure) - Missing Content-Security-Policy header - WordPress 5.8 at /blog/ with 3 vulnerable plugins → Chapter 11 Exercises: Vulnerability Assessment
Web Application Fingerprinting:
Identify web server versions, frameworks, and CMS platforms. - Enumerate directories and files using wordlist-based scanning. - Review robots.txt, sitemap.xml, and other metadata files. - Check for exposed administrative interfaces, development endpoints, or API documentation. → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Web Hacking 101
Peter Yaworski (free). Collection of real-world vulnerability reports with analysis. → Resource Directory
Web Infrastructure
**Patient Portal:** `portal.medsecure.example.com` — A custom web application built on Python/Django, hosted on Ubuntu 22.04 servers behind an Nginx reverse proxy. This portal allows patients to view lab results, schedule appointments, message providers, and pay bills. Handles PHI directly. - **Corp → Capstone Project 1: Full-Scope Penetration Test — MedSecure Health Systems
Week 1: Initial Access
Day 1–2: Launch phishing campaign (staggered sends to avoid bulk detection). - Day 3–5: Monitor for successful access. If phishing succeeds, establish initial persistence. - Day 5–7: If phishing fails, activate secondary vector (external exploitation). - Decision Point: Proceed to post-exploitation → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Week 3: Lateral Movement and Privilege Escalation
Move laterally toward high-value targets (domain controllers, cloud admin accounts, financial systems). - Escalate privileges through identified paths. - Establish additional persistence mechanisms on high-value systems. - Decision Point: If detected, activate contingency plan (go silent or switch t → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
Week 4: Objective Actions
Access crown jewel systems: executive email, transaction processing, customer database. - Demonstrate data collection capability (email harvesting, database queries) without exfiltrating real data. - Document all access achieved and evidence collected. → Capstone Project 3: Red Team Campaign Design — Adversary Emulation
**Security testing requirements:** Nearly all modern frameworks now require or recommend regular security testing - **Risk-based approaches:** Frameworks are shifting from prescriptive controls to risk-based requirements - **Incident reporting:** Timelines are converging around 72 hours for initial → Chapter 40: Security Compliance and Governance
What LinPEAS Checks:
System information and kernel version - Available exploits for the kernel - Sudo permissions and sudo version - SUID/SGID binaries - Capabilities - Interesting files (configs, backups, SSH keys) - Writable directories and files - Cron jobs and timers - Network information - Container detection - Pro → Chapter 15: Linux Exploitation and Privilege Escalation
What Metasploitable 2 provides:
Vulnerable versions of vsftpd, Samba, Apache, MySQL, PostgreSQL, and many other services - Multiple web applications (DVWA, Mutillidae, phpMyAdmin) pre-installed - Misconfigured SSH, NFS, and other services - Dozens of exercises covering the OWASP Top 10 → Chapter 3: Setting Up Your Hacking Lab
What Remains Different:
**Scope definitions:** Each framework defines its scope differently (CDE for PCI, ePHI for HIPAA, critical functions for DORA) - **Enforcement mechanisms:** Some are enforced through fines (GDPR), others through contractual consequences (PCI DSS), others through market consequences (SOC 2) - **Speci → Chapter 40: Security Compliance and Governance
What Shodan reveals:
Open ports and running services - Software versions and configurations - Default credentials pages - Industrial control systems (ICS/SCADA) - IoT devices - SSL certificate details - Organization-specific infrastructure → Chapter 7: Passive Reconnaissance and OSINT
What they do well:
Annual third-party penetration test (compliance-driven) - Endpoint detection and response (CrowdStrike Falcon) on corporate endpoints - Multi-factor authentication for VPN access - Security awareness training (quarterly phishing simulations) - SIEM (Splunk) monitoring with a two-person SOC during bu → Chapter 1: Introduction to Ethical Hacking
What to automate:
Subdomain enumeration and monitoring - Content discovery and fuzzing - Technology fingerprinting - Known CVE scanning with Nuclei - Monitoring for new subdomains or assets → Chapter 36: Bug Bounty Hunting
What to do manually:
Business logic testing - Authentication and authorization testing - Complex injection testing - Vulnerability chaining - Impact analysis and PoC development → Chapter 36: Bug Bounty Hunting
What to look for in content discovery:
`/admin/`, `/administrator/`, `/manage/` — Administrative interfaces - `/api/`, `/api/v1/`, `/api/v2/` — API endpoints - `/backup/`, `/bak/`, `/old/` — Backup files and old versions - `/config/`, `/conf/`, `/settings/` — Configuration files - `/debug/`, `/test/`, `/dev/` — Debug and development reso → Chapter 8: Active Reconnaissance
What to look for in SMB enumeration:
Anonymous/guest access to shares - Readable shares containing sensitive files (scripts with credentials, configuration files, backups) - Writable shares (potential for payload delivery) - Password policies (lockout threshold, complexity requirements) - User lists for password spraying - SMBv1 enable → Chapter 10: Scanning and Enumeration
What to Test:
Are login failures logged? - Are access control failures logged? - Do logs include sufficient context (IP, timestamp, user, action)? - Are logs protected from tampering? - Is there alerting on suspicious patterns? → Chapter 18: Web Application Security Fundamentals
What UART Access Provides:
Boot log messages (revealing OS version, partition layout, boot arguments) - Login prompt (try default credentials: root/root, admin/admin, root/[blank]) - U-Boot bootloader access (press a key during boot to interrupt) - Kernel command line modification (add `init=/bin/sh` for rootless shell) - Dir → Chapter 31: IoT and Embedded Systems Hacking
What WinPEAS Checks:
System information and patch level - User and group enumeration - Token privileges - Service configurations (unquoted paths, weak permissions) - Scheduled tasks - Network information - Installed software - Registry autorun keys - Credential files and history - Interesting files (configs, backups) - → Chapter 16: Windows Exploitation and Privilege Escalation
Why Detection Took So Long:
The modified script continued to function normally (coverage reports were still uploaded) - The exfiltration used HTTPS, making network-level detection difficult - The single added line was subtle and could be overlooked in a code review - Most organizations did not verify the integrity of the Bash → Case Study 2: Codecov Docker Supply Chain Compromise and Azurescape Cross-Tenant Container Escape
Why Include Positive Observations:
They demonstrate that the assessment was thorough (you tested these areas and found them effective) - They acknowledge the client's security investments (important for morale and continued funding) - They provide context for the negative findings (the security program is not entirely broken) - They → Chapter 39: Writing Effective Pentest Reports
Why It Fails:
The client cannot distinguish critical issues from noise - No validation means the report contains false positives - No business context means findings are not prioritized - The sheer volume makes the report unusable - It demonstrates that the tester added no value beyond what the scanner provided → Case Study 2: Report Anti-Patterns and the OSCP Report Model
Why it worked:
The subject line was relevant to multiple departments (HR, management, administration) - The email was sent to a small number of specific targets, avoiding mass-email detection - The attachment appeared to be a standard business document - Only two phishing emails were sent — an extraordinarily targ → Case Study 2: RSA SecurID Breach via Phishing and Deepfake CEO Audio Fraud
Why Nuclei is Gaining Popularity:
Over 8,000 community-contributed templates - Extremely fast (written in Go) - Easy to write custom templates - CI/CD integration for continuous vulnerability detection - Active community and rapid template updates for new CVEs → Chapter 10: Scanning and Enumeration
Why UDP Matters to Hackers:
**UDP Scanning is Slow and Unreliable:** Because UDP does not use a handshake, there is no definitive way to determine whether a UDP port is open. Nmap's UDP scan (-sU) sends a UDP packet to each port; if the port is closed, the target responds with an ICMP Port Unreachable message. If the port is o → Chapter 6: Networking Fundamentals for Hackers
Windows Event ID 4742
Computer account changed (the machine password reset) > - **Windows Event ID 5829** — Netlogon allowed a vulnerable Netlogon secure channel connection > - **Multiple Netlogon authentication failures** followed by a success in rapid succession > - **DCSync traffic** — DS-Replication-Get-Changes opera → Case Study 12.2: Zerologon (CVE-2020-1472) and the Origin Story of Metasploit
Worker Node Components:
**kubelet** — Agent running on each node that manages pods. The kubelet API (port 10250) is a frequent attack target. - **kube-proxy** — Manages network rules for service routing. - **Container Runtime** — Docker, containerd, or CRI-O actually runs the containers. → Chapter 32: Container and Kubernetes Security
Writing for Security Professionals
Various SANS whitepapers. Technical writing guidance for pentest reports. Complements Chapter 39. → Resource Directory
Written communication
pentest reports are your primary deliverable, and a poorly written report undermines excellent technical work. (2) **Verbal communication** — you will present findings to executives who do not understand technical details. Translate impact into business language. (3) **Time management** — engagement → Frequently Asked Questions
Y
You should be able to:
Explain what IP addresses, subnet masks, and default gateways are - Describe the difference between TCP and UDP - Understand what DNS does and why it matters - Know what ports are and recognize common ones (80, 443, 22, 53, 445) - Understand the basic concept of a firewall → Prerequisites
You should be comfortable with:
How operating systems work at a high level (processes, file systems, permissions, services) - The difference between a client and a server - What a virtual machine is and why we use them - Basic hardware concepts (CPU, RAM, storage, network interfaces) → Prerequisites
Z
Zeek logs provide:
Connection metadata (duration, bytes, protocol) - HTTP details (URIs, user agents, referrers) - DNS queries and responses - TLS certificate information - File transfer metadata including hashes - Protocol-specific details (SMB, SSH, SMTP) → Chapter 37: Incident Response and Digital Forensics