Index

Symbols

3DES cipher, Weak cipher suites
3DES-encrypted passwords, security flaw in, Obtaining VPN configuration files
802.1D (spanning tree protocol), Data Link Protocols
802.1Q VLAN, 802.1Q VLAN-Layer 3 private VLAN bypass
802.1X (port-based network access control), Data Link Protocols, 802.1X PNAC-CDP
802.3 Ethernet testing, 802.3 Ethernet Testing

A

A records, querying, Reverse DNS Sweeping
AAAA records, IPv6 Host Enumeration
ACLs (access control lists), reverse engineering by manipulating TTL, Manipulating TTL to Reverse Engineer ACLs-Manipulating TTL to Reverse Engineer ACLs
address space layout randomization (ASLR), Compiler and OS Security Features
- bypassing, Bypassing ASLR
Adobe ColdFusion, Adobe ColdFusion-Apache Solr Vulnerabilities
- Apache Solr vulnerabilities, Apache Solr Vulnerabilities
- exposed management interfaces, Exposed Management Interfaces
- known software defects, Known ColdFusion Software Defects
- profiling ColdFusion, ColdFusion Profiling
adversaries, goals of, Adversarial Goals
AFP (Apple Filing Protocol), Apple Filing Protocol
- enumerating a service using Nmap, Apple Filing Protocol
- exploitable vulnerabilities, Apple Filing Protocol
AIX operating systems, heap management, The heap
AJP (Apache JServ Protocol), Attacking Apache JServ Protocol
allocator/de-allocator functions, managing heap data, The heap
antivirus engines
- known defects, Known antivirus engine defects
- SMTP email, Identifying antivirus and content checking mechanisms
Apache Coyote, Apache Tomcat, Attacking Apache JServ Protocol
- known weaknesses, Known Apache Coyote Weaknesses
Apache Hadoop, Apache Hadoop
- architecture, Apache Hadoop
- HDFS and MapReduce Nmap scripts, Apache Hadoop
Apache HTTP Server
- flaws in core software, Known Apache HTTP Server Flaws
- remotely exploitable bugs in modules, Known Apache HTTP Server Flaws
- security recommendations, Application Framework Security Checklist
Apache Solr, vulnerabilities, Apache Solr Vulnerabilities
Apache Struts, Apache Struts-JDWP
- exploiting DefaultActionMapper, Exploiting the DefaultActionMapper
- identifying a Struts application, Apache Struts
- significant flaws, Apache Struts
Apache Tomcat, Known Apache Coyote Weaknesses, Apache Tomcat-JBoss Testing
- known Tomcat flaws, Known Tomcat Flaws
- manager application, The Manager Application
APIs
- API abuse, A Taxonomy of Software Security Errors
- in web service testing, Web service testing
APNIC database, enumerating Nintendo objects in, Enumerating database objects via WHOIS
Apple Filing Protocol (see AFP)
Apple OS X (see OS X)
application data, targeting, Overwriting memory structures for gain
application servers, The Application Tier
- fingerprinting using clusterd, Framework and Data Store Profiling
- load balancers, Load Balancers
- vulnerable, deploying, Deploying a Vulnerable Server
application tier (web applications), The Application Tier
- data formats, Application-Tier Data Formats
arbitrary code execution, Adversarial Goals
ARIN database, enumerating Nintendo objects in, Enumerating database objects via WHOIS
ARP cache poisoning, Network infrastructure testing, Local Network Discovery Recap
- limited with 802.1Q VLAN tagging, 802.1Q VLAN
- testing in 802.3 Ethernet, ARP cache poisoning
- utilities for use in, ARP cache poisoning
AS (Autonomous System) numbers, BGP Enumeration
asleap utility, cracking PEAP credentials, PEAP
ASLR (address space layout randomization), Compiler and OS Security Features
- bypassing, Bypassing ASLR
ASP.NET framework, Microsoft ASP.NET
- remotely exploitable flaws, Microsoft ASP.NET
attack graphs, plotting, Attacker Economics
attack platforms for internal routing protocols, Internal Routing Protocols
attack proxies, Web service testing
attack surface, considering, Considering Attack Surface
attacker economics, Attacker Economics
attackers, goals of, Adversarial Goals
attributes (HTTP cookies), Setting cookies
authentication
- 802.1X methods of, 802.1X PNAC
- enumerating mechanisms for SMTP using EHLO, Brute-Force Password Grinding
- exposed Microsoft authentication mechanisms, Brute-Force Password Grinding
- HTTP mechanisms for, HTTP authentication mechanisms
- IKE methods of, Supported transform enumeration
- IMAP services, Brute-Force Password Grinding
- in SSH, enumerating supported mechanisms, Supported authentication mechanisms
- in TLS, TLS Authentication-Session Resumption
  - supported mechanisms, Key Exchange and Authentication
  - X.509 certificates, X.509 format
- in web application data tier, mechanisms for, The Data Tier
- IPsec, Attacking XAUTH
- Kerberos, Kerberos-VNC
- LDAP clients, LDAP Authentication
- POP3 services, Brute-Force Password Grinding
- SMB, SMB authentication
- strong authentication via certificate validation, Local Network Attack Countermeasures
- Windows authentication information leak, Windows authentication information leak
- with Microsoft SQL Server, Authenticating and Evaluating Configuration
- with Oracle Database, Authenticating with Oracle Database
- with PostgreSQL, Brute-Force Password Grinding
Authorization request header, HTTP authentication mechanisms
autoDANE utility, Automating the process
automated enumeration tools, Automating Enumeration

B

Barracuda Spam Firewall, Remotely Exploitable Flaws
baseboard management controllers (BMCs), IPMI
bash shell, vulnerability, Exposed logic examples
Basic authentication, HTTP authentication mechanisms
BEAST attacks (TLS), SSL and TLS protocol weaknesses
BGP (Border Gateway Protocol) enumeration, BGP Enumeration
BIND
- fingerprinting name servers, Fingerprinting
- vulnerabilities, BIND
BlindElephant, framework fingerprinting with, Framework and Data Store Profiling
BMCs (baseboard management controllers), IPMI
BREACH attack (TLS), SSL and TLS protocol weaknesses
Bridge Protocol Data Unit (BPDU) frames, 802.1D STP
- monitoring BPDUs, Monitoring BPDUs
broadcast addresses, Using broadcast addresses
browsers
- caching of web content, Support for persistent connections and caching
- TLS attack mitigation strategies, Mitigating TLS Exposures
brute-force password grinding, Common Network Service Assessment Recap
BSD operating systems, heap management, The heap
BSS (block started by symbol) segment (memory), Data and BSS segments
buffer overflows, Adversarial Goals
bug trackers, public, Public vulnerability sources, Bug Trackers

C

C/C++
- attacking applications written in, Attacking C/C++ Applications-Bypassing stack canaries
- memory safety problems, Adversarial Goals
caching in HTTP sessions, Support for persistent connections and caching
calling convention, The stack
CAM table overflow, 802.3 Ethernet Testing, CAM table overflow
CAs (certificate authorities), TLS Authentication
- CAs and chaining, CAs and chaining
Catalina, Apache Tomcat, Attacking Apache JServ Protocol
CDE (Common Desktop Environment) services, Unix RPC Services
CDNs (content delivery networks), Web Application Types, CDNs
CDP (see Cisco Discovery Protocol)
CERT vulnerability notes, Public vulnerability sources
certificate authorities (see CAs)
certificate validation, strong authentication through, Local Network Attack Countermeasures
certificates
- client certificate and key exchange in TLS, Client Certificate and Key Exchange
- reviewing X.509 certificates for TLS service endpoints, Certificate Review
- server certificate and key exchange in TLS, Server Certificate and Key Exchange
CFML (ColdFusion Markup Language), Adobe ColdFusion
chains (certificate), CAs and chaining
Change Cipher Spec records (TLS), Finished
Chess, Brian, A Taxonomy of Software Security Errors
chunked encoding, Support for persistent connections and caching
chunks (SCTP), Packet format
cipher suites (TLS), Cipher Suites
- enumerating supported suites, Enumerating Supported Protocols and Cipher Suites
- preferred order of, Preferred cipher suite order
- supported, listing in OpenSSL, Cipher Suites
- weak or unsafe cipher suites, Weak cipher suites, Unsafe TLS Cipher Suites
ciphertext, attacks on, Cryptographic Weaknesses
Cisco ASA, aggressive mode IKE group enumeration flaw, Aggressive mode IKE group enumeration
Cisco Discovery Protocol (CDP), CDP-CDP
- attacks against, CDP
- CDP frame decode using Yersinia, CDP
Cisco IronPort, Remotely Exploitable Flaws
Cisco switches
- 802.1Q port modes supported, Dynamic trunking
- flooding attack via routing management packets, Internal Routing Protocols
Cisco VPN, getting information on via Google search, Obtaining VPN configuration files
cisco-decrypt tool, Obtaining VPN configuration files
Cisco-specific data link security features, Local Network Attack Countermeasures
clients
- attacking client software, Attacking Client Software
- HTTP request methods in web applications, Client request methods
- TLS client hello, Client Hello
close proximity, system access from, System Access and Execution Context
cloud computing
- attack surface of web application, Considering Attack Surface
- load balancing within IaaS platforms, Load Balancers
clusterd utility, Framework and Data Store Profiling
- ColdFusion scanning via, ColdFusion Profiling
- using to fingerprint JBoss application server, Framework and Data Store Profiling
CMSs (content management systems), Web Application Types
- written in PHP, PHP CMS Packages-Apache Tomcat
  - fingerprinting tools, Framework and Data Store Profiling
code analysis tools, Static code analysis
code executon, arbitrary, by attackers, Adversarial Goals
code quality, A Taxonomy of Software Security Errors
code signing, Compiler and OS Security Features
ColdFusion application server (see Adobe ColdFusion)
ColdFusion Markup Language (CFML), Adobe ColdFusion
collisions, Cryptographic Weaknesses
Coly, EIGRP attacks via, EIGRP
command execution in Windows in MITM ARP cache poisoning attacks, ARP cache poisoning
command injection, Web application testing, Logic Flaws and Other Bugs
commands (SMTP), listing supported, Enumerating Supported Commands and Extensions
Common Criteria, Design review
Common Desktop Environment (CDE) services, Unix RPC Services
community strings (SNMP), SNMP
- grinding, SNMP community string and password grinding
compiler security features, Compiler and OS Security Features
compression
- enumerating TLS compression support, Compression support
- in TLS, Compression
configuration review, Configuration review
constructors and destructors, Overwriting memory structures for gain
Content Addressable Memory (see CAM table overflow)
content checking, circumventing in email, Content Checking Circumvention
content delivery networks (CDNs), Web Application Types, CDNs
content filtering mechanisms (email), Identifying antivirus and content checking mechanisms
content management systems (see CMSs)
Content-Encoding headers, Presentation-Tier Data Formats
Content-Type headers, Presentation-Tier Data Formats
COOKIE ECHO (SCTP) chunks, Nmap scan of, Nmap support
cookies
- analyzing in HTTP headers from server responses, Cookie analysis
- HTTP cookie attributes, Setting cookies
- presentation via HTTP, Setting cookies
- setting via HTTP, Setting cookies
CORE Impact, Exploitation of Vulnerabilities
countermeasures
- hardening data tier components, Data Store Countermeasures
- hardening network services, Service Hardening and Countermeasures
- hardening steps within Microsoft environments, Microsoft Services Countermeasures
- hardening TLS endpoints, TLS Hardening
- hardening web applications with HTTPS components, Web Application Hardening
- mitigating TLS exposures, Mitigating TLS Exposures
- web server hardening, Web Server Hardening
country-code TLDs, registries of, Domain WHOIS
Coyote (see Apache Coyote)
CPU opcode sequences, CPU opcode sequences
CRAM-MD5 authentication (SMTP), Brute-Force Password Grinding
credentials, exposure through information leaks, Reading memory structures for gain
CRIME attacks (TLS), SSL and TLS protocol weaknesses
cross-site request forgery (CSRF), Web application testing
cross-site scripting (XSS), Web application testing, System Access and Execution Context
cross-site tracing (XST) attacks, TRACE
cryptographic materials, exposure of, Reading memory structures for gain
cryptography
- cipher suites with weak encryption algorithms, Weak cipher suites
- cryptographic weaknesses, Cryptographic Weaknesses

D

data execution prevention (see DEP)
data exposure or modification, Adversarial Goals
data formats
- in application tier of web application, Application-Tier Data Formats
- in web application presentation tier, Presentation-Tier Data Formats
data link layer, Data Link Protocols
- local network, common attack methods, Local Network Discovery Recap
- security features, Cisco specific, Local Network Attack Countermeasures
data link protocols, Data Link Protocols-Root bridge takeover
- 802.1D STP, 802.1D STP-Root bridge takeover
- 802.1Q VLAN, 802.1Q VLAN-Layer 3 private VLAN bypass
- 802.1X (port-based network access control), 802.1X PNAC-CDP
- 802.3 Ethernet testing, 802.3 Ethernet Testing-802.1Q VLAN
- CDP (Cisco Discovery Protocol), CDP-CDP
data segment (memory), Data and BSS segments
data stores
- enumerating configuration of, Framework and Data Store Profiling
- used within web applications, The Data Tier
data stores, assessing, Assessing Data Stores-Data Store Countermeasures
- Apache Hadoop, Apache Hadoop
- Apple Filing Protocol (AFP), Apple Filing Protocol
- countermeasures when hardening data tier components, Data Store Countermeasures
- iSCSI, iSCSI
- Memcached, Memcached
- Microsoft SQL Server, Microsoft SQL Server-Authenticating and Evaluating Configuration
  - authenticating and evaluating configuration, Authenticating and Evaluating Configuration
  - brute-force password grinding, Brute-Force Password Grinding
- MongoDB, MongoDB
- MySQL, MySQL-PostgreSQL
  - authenticated MySQL attacks, Authenticated MySQL Attacks
  - brute-force password grinding, Brute-Force Password Grinding
- NFS, NFS-Apple Filing Protocol
- Oracle Database, Oracle Database-MongoDB
  - account password grinding, Database Account Password Grinding
  - authenticating with Oracle Database, Authenticating with Oracle Database
  - interacting with TNS listener, Interacting with the TNS Listener
  - privilege escalation and pivoting, Privilege Escalation and Pivoting
  - SID grinding, Oracle SID Grinding
- PostgreSQL, PostgreSQL-Microsoft SQL Server
  - authenticated attacks, Authenticated PostgreSQL Attacks
  - brute-force password grinding, Brute-Force Password Grinding
- Redis, Redis-Memcached
  - known weaknesses, Known Weaknesses
data tier (web applications), The Data Tier
databases, The Data Tier, Assessing Data Stores
- (see also data stores)
Datagram Transport Layer Security (DTLS), Assessing TLS Services
davtest utility, WebDAV methods
decryption tools for 3DES-encrypted passwords, Obtaining VPN configuration files
DefaultActionMapper (Apache Struts), exploiting, Exploiting the DefaultActionMapper
defender's dilemma, The State of the Art
DEFLATE compression (in TLS), Compression
DELETE method (HTTP), PUT and DELETE
denial of service, Adversarial Goals
denial of service tools for DHCP, Active DHCP attacks
DEP (data execution prevention), Compiler and OS Security Features
- bypassing, Bypassing DEP-ROP gadgets
  - CPU opcode sequences, CPU opcode sequences
  - ROP gadgets, ROP gadgets
  - writing data to arbitray location in memory, Writing data to an arbitrary location in memory
DES ciphers, Weak cipher suites
DES encryption in Kerberos authentication, Active downgrade and offline brute-force
design review, Design review
desktop software packages
- attack surface presented by, Attacker Economics
- OpenSSL TLS heartbeat information leak, OpenSSL TLS heartbeat extension information leak
destination unreachable messages (ICMP), TCP
destructors, Overwriting memory structures for gain
DHCP (Dynamic Host Configuration Protocol), DHCP-Active DHCP attacks
- active attacks, Active DHCP attacks
- identifying servers and configuration, Identifying DHCP servers and configuration
DHCPv6, Intercepting local IPv6 traffic
dictionary attack, forward DNS grinding, Dictionary attack
Diffie-Hellman (DH) key exchange, IKE Assessment, Client Certificate and Key Exchange
- flaws in, Exploitable IPsec Weaknesses
- in TLS, DH key exchange
  - parameter selection and negotiation, DH parameter selection and negotiation
  - static versus ephemeral mode, DH key exchange
Diffie-Hellman ephemeral (DHE) key exchange, Key Exchange and Authentication
dig utility
- identifying private IP addresses with, NSEC and NSEC3 enumeration
- Kerberos realm enumeration with, Realm enumeration
- retrieving individual DNS records, NSEC and NSEC3 enumeration
- using to perform forward DNS grinding, Dictionary attack
- using to perform zone transfers, DNS Zone Transfer Techniques
Digest authentication, HTTP authentication mechanisms
DIGEST-MD5 authentication, Brute-Force Password Grinding, Brute-Force Password Grinding
Digital Signature Algorithm (DSA), DH key exchange
Digital Signature Standard (DSS), DH key exchange
directory structure (LDAP), LDAP Directory Structure
Distinguished Names (DNs) in LDAP, LDAP Directory Structure
distributed file systems, The Data Tier
Django, Django
- remotely exploitable flaws, Django
DKIM (DomainKeys Identified Mail), DKIM
DMARC (Domain-based Message Authentication, Reporting and Conformance), DMARC
DNS, DNS-NTP
- classes of attack against, DNS
- fingerprinting, Fingerprinting
- hardening servers, Service Hardening and Countermeasures
- known server flaws, Known DNS Server Flaws
  - BIND, BIND
  - Microsoft DNS, Microsoft DNS
- multicast (mDNS), Multicast DNS
- serving IPv6 DNS responses to clients, Intercepting local IPv6 traffic
- testing for recursion support, Testing for Recursion Support
DNS querying, DNS Querying-SMTP Probing
- countermeasures for, Enumeration Countermeasures
- cross-referencing DNS datasets, Cross-Referencing DNS Datasets
- forward, Forward DNS Querying
  - automated querying, Automated querying
- forward DNS grinding, Forward DNS Grinding
- reverse DNS sweeping, Reverse DNS Sweeping
- useful DNS resource records, DNS Querying
- zone transfers, DNS Zone Transfer Techniques
dns-srv-enum script, Obtaining SRV records
DNS64, Intercepting local IPv6 traffic
dnsdict6 utility, IPv6 Host Enumeration
dnsenum, Automated querying
dnsrevenum6 utility, IPv6 Host Enumeration
DNSSEC, querying servers supporting, NSEC and NSEC3 enumeration
DomainKeys Identified Mail (DKIM), DKIM
DomainTools, using for network discovery, DomainTools
double-tagging VLAN frames, 802.1Q double-tagging
DROWN attacks (TLS), SSL and TLS protocol weaknesses
Drupal CMS
- exploitable flaws in, PHP CMS Packages
- fingerprinting with BlindElephant, Framework and Data Store Profiling
DSA (Digital Signature Algorithm), DH key exchange
- DSA key exchange and authentication (in TLS), DH key exchange
  - DSA authentication with DH key exchange, DH key exchange
  - ECC version of DSA, ECC
DSA and RSA SSH host keys, Retrieving RSA and DSA host keys
- insecurely generated, Insecurely Generated Host Keys
DSS (Digital Signature Standard), DH key exchange
DTLS (Datagram Transport Layer Security), Assessing TLS Services
DTP (Dynamic Trunking Protocol), Dynamic trunking
dtpscan.sh utility, Dynamic trunking
dynamic testing, Dynamic Testing
dynamic trunking, Dynamic trunking

E

EAP (Extensible Authentication Protocol), 802.1X PNAC
- attack tactics against 802.X implementations, 802.1X PNAC
- capabilities of 802.1X testing tools, 802.1X PNAC
- EAP message capture and offline attack, EAP message capture and offline attack
- EAP-MD5 authentication, 802.1X PNAC
  - forcing, Forcing EAP-MD5 authentication
  - using eapmd5pass to compromise user crendentials, EAP-MD5
- EAP-TLS authentication, 802.1X PNAC
- PEAP authentication, 802.1X PNAC
  - capturing and cracking PEAP credentials, PEAP
  - deploying a rogue authenticator, PEAP
ebp processor registers (Intel IA-32), Processor Registers and Memory
ebrute
- Kerberos brute-force password grinding, Brute-force password grinding
- LDAP brute-force password grinding, Brute-Force Password Grinding
ECDH (see elliptic curve Diffie-Hellman)
echo requests (ICMPv4), ICMP
economics, attacker, Attacker Economics
EHLO command, enumerating authentication methods, Brute-Force Password Grinding
EIGRP (Enhanced Interior Gateway Routing Protocol), Local IP Protocols, EIGRP
eip processor registers (Intel IA-32), Processor Registers and Memory
elevation of privilege, Adversarial Goals
elliptic curve Diffie-Hellman (ECDH), Client Certificate and Key Exchange
- modes for TLS, ECC
encapsulation flaws, A Taxonomy of Software Security Errors, Logic Flaws and Other Bugs
encryption
- cipher suites with weak encryption algorithms, Weak cipher suites
- FDE (full-disk encryption), PXE
- IKE transform sets, Supported transform enumeration
- Microsoft ticket block encryption (Kerberos), Ticket block encryption and signing
- Microsoft Windows encryption types (Etypes), Active downgrade and offline brute-force
enum4linux utility, Anonymous IPC Access via SMB
enumeration of supported features, Common Network Service Assessment Recap
enumeration techniques (Internet-based querying), Enumeration Technique Recap
- countermeasures for, Enumeration Countermeasures
enumeration tools, automated, for Internet-based network and hosts, Automating Enumeration
environment, vulnerabilities in, A Taxonomy of Software Security Errors
errors, exploitation of, A Taxonomy of Software Security Errors
esp processor registers (Intel IA-32), Processor Registers and Memory
Ethernet
- 802.3 Ethernet network using STP, 802.1D STP
- 802.3 Ethernet testing, 802.3 Ethernet Testing-802.1Q VLAN
  - ARP cache poisoning, ARP cache poisoning
  - CAM table overflow, CAM table overflow
  - passive network sniffing, Passive network sniffing
Ettercap
- combining with John the Ripper to crack RIPv2 MD5 hashes, Cracking authentication keys
- using to bridge two interfaces, Root bridge takeover
Etypes (encryption types), Microsoft Windows, Active downgrade and offline brute-force
events and conferences (security), Security Events and Conferences
Evil Foca utility, Intercepting local IPv6 traffic
Exchange servers, LDAP
- flaws in, Remotely Exploitable Flaws
- protocols supporting, Assessing Microsoft Services
execution context, System Access and Execution Context
Exim, flaws in, Remotely Exploitable Flaws
EXPN command, using to enumerate local users, EXPN
exposed logic, Exposed Logic
- assessment through dynamic testing, Dynamic Testing
- exploiting, Exploiting exposed logic
Extensible Authentication Protocol (see EAP)
extensions (SMTP), listing supported, Enumerating Supported Commands and Extensions
extensions (TLS), listing supported, Listing supported TLS extensions

F

fallback, TLS sessions
- insecure fallback, SSL and TLS protocol weaknesses
- testing support for, Fallback support
FDE (full-disk encryption), PXE
fierce utility, forward DNS grinding, Dictionary attack
file extensions for server-side technologies, Crawling and Investigation of Content
fingerprinting, Common Network Service Assessment Recap
Firewalk, Manipulating TTL to Reverse Engineer ACLs
firewalls, Threats and Attack Surface
- identifying WAF mechanisms, Active Scanning
- review of, Configuration review
format string protection, Compiler and OS Security Features
forward DNS grinding, Forward DNS Grinding
- dictionary attack, Dictionary attack
- IPv6 address enumeration through, IPv6 Host Enumeration
- using dig, Dictionary attack
frame pointers, saved, Overwriting memory structures for gain
free function, The heap
Frei, Stefan, Private vulnerability sources
FTP, FTP-TFTP
- classes of attack against, FTP
- fingerprinting FTP services, Fingerprinting FTP Services
- known vulnerabilities, Known FTP Vulnerabilities
Full Disclosure mailing list, Public vulnerability sources
full-disk encryption (FDE), PXE
function pointers, Overwriting memory structures for gain

G

garbage collector, RMI distributed garbage collector, Exploiting the RMI Distributed Garbage Collector
gateway-finder.py, Identifying Local Gateways
gateways
- advertising new default IPv6 gateway, Intercepting local IPv6 traffic
- ICMP redirect spoofing, ICMP redirect messages
- identifying local gateways, Identifying Local Gateways
genkeys utility, PEAP
GET method (HTTP), HTTP
Git respositories, examining, Reviewing Exposed Content
global offset table (GOT) entries, Overwriting memory structures for gain
global variables, Overwriting memory structures for gain
GNU wget, using to scrape websites, Crawling and Investigation of Content
gnuplot utility, IP ID sampling with Scapy
golden tickets, Kerberos
Google
- Project Zero, Public vulnerability sources
- V8 JavaScript engine, Node.js
Google Chrome
- attack graph for, Attacker Economics
- exploitation of flaws in, Exploiting exposed logic
Google Hacking Database, Querying Search Engines and Websites
Google Search, using for network discovery, Google Search
grep utility
- exposing hidden form fields with, Parsing HTML
- formatting reverse DNS sweeping results, Reverse DNS Sweeping
- identifying private IP addresses with, NSEC and NSEC3 enumeration
Group Policy Object (GPO) settings, Microsoft Services Countermeasures
groups (DH), Supported transform enumeration, Exploitable IPsec Weaknesses
groups (IKE), VPN Services Countermeasures
- aggressive mode enumeration, Aggressive mode IKE group enumeration
- obtaining by network sniffing, Aggressive mode IKE group enumeration
GSSAPI authentication, Brute-Force Password Grinding

H

HackerOne Internet bug bounty, Public vulnerability sources
“Hacking Team: a zero-day market case study”, Private vulnerability sources
hacking, fundamental concept of, The Fundamental Hacking Concept
hacks and scrambles (SniffJoke), Data Insertion and Scrambling with SniffJoke
Hadoop (see Apache Hadoop)
Hadoop Distributed File System (HDFS), Apache Hadoop
handshake message flow in TLS, Session Negotiation
Handshake records (TLS), Session Negotiation
hardware platforms, runtime memory layout, Runtime Memory Layout
HE BGP Toolkit
- cross-referencing AS numbers with IP address blocks, BGP Enumeration
- mapping DNS with, Reverse DNS Sweeping
HEAD method (HTTP)
- issuing HEAD request to www.apache.org, Analyzing Server Responses
- issuing HEAD request to www.microsoft.com, Analyzing Server Responses
headers
- HTTP request methods, Common request method headers
- IPv4 and TCP, Low-Level IP Assessment
- reviewing HTTP headers in server responses, HTTP Header Review
- SMTP
  - information from NDN header, Mapping SMTP Architecture
  - inserted by content filter, Identifying antivirus and content checking mechanisms
heap memory, The heap
- control structures, targeting, Overwriting memory structures for gain
heap pointers, Overwriting memory structures for gain
heap protection, Compiler and OS Security Features
heartbleed flaw (OpenSSL), OpenSSL TLS heartbeat extension information leak
HMAC (hashed message authentication code), Session Negotiation
- listing function for integrity checking, Cipher Suites
hostapd-wpe.conf file, PEAP
hostnames
- internal, SMTP Probing
- revealing via reverse DNS sweeping, Reverse DNS Sweeping
- valid, building list within an environment, Reverse DNS Sweeping
hosts
- enumerating valid hosts, Enumerating Valid Hosts
- IPv6 host enumeration via forward DNS grinding, IPv6 Host Enumeration
HP Fortify team, study of software security errors, Static code analysis
Hping3, crafting TCP packets and performing a TCP SYN scan, Crafting Arbitrary Packets-TCP/IP Stack Fingerprinting
HSRP (Hot Standby Routing Protocol), Local IP Protocols, HSRP and VRRP
- attacking, Attacking HSRP
hsrp utility (Kali Linux), Attacking HSRP
HTML
- parsing scraped website content, Parsing HTML
- phishing email content, Sending email
HTML injection, System Access and Execution Context
HTTP
- authentication mechanisms, HTTP authentication mechanisms
- headers in server responses, reviewing, HTTP Header Review
- in web applications, HTTP
  - client request methods, Client request methods
  - client/server features, HTTP
  - common request method headers, Common request method headers
  - Microsoft HTTP extensions, Microsoft HTTP extensions
  - server status codes, Server status codes
  - support for persistent connections and caching, Support for persistent connections and caching
  - WebDAV HTTP extensions, WebDAV HTTP extensions
- setting cookies via, Setting cookies
- supported methods, investigating for web servers, Investigating Supported HTTP Methods
HTTPS
- compromise of sessions through downgrading, Weak cipher suites
- hardening web applications with HTTPS components, Web Application Hardening
hypervisors, System Components

I

IBM Domino servers, LDAP, LDAP Server Implementation Flaws
- flaws in, Remotely Exploitable Flaws
ICMP
- destination unreachable (Type 3) message codes, TCP
- ICMPv6 message types defined by NDP, IPv6 Network Discovery
- message types, ICMP Message Types
- network scanning in Nmap, ICMP-TCP
  - ICMPv4 sweeping, ICMPv4 Sweeping with Nmap
- redirect messages, ICMP redirect messages
  - spoofing within Kali Linux, ICMP redirect messages
- traffic captured with tcpdump, ARP cache poisoning
IDEA cipher, Weak cipher suites
IDS and IPS evasion, IDS and IPS Evasion-Network Scanning Recap
- configuring and running SniffJoke, Configuring and Running SniffJoke
- TTL manipulation, TTL Manipulation
IEEE 802.1, 802,2 and 802.3 standards, Data Link Protocols
ifconfig utility, Attacking specific VLANs
IFID values, Identifying Exposed RPC Services
ifids tool, Identifying Exposed RPC Services
IIS (see Microsoft IIS)
IKE (Internet Key Exchange), IPsec, ISAKMP, IKE, and IKEv2
- aggressive mode IKE group enumeration, Aggressive mode IKE group enumeration
- aggressive mode IKE PSK cracking, Aggressive Mode IKE PSK Cracking
- assessment of, IKE Assessment-Exploitable IPsec Weaknesses
- DH key exchange, weaknesses of, Exploitable IPsec Weaknesses
- ISAKMP, IKE, and IKEv2, ISAKMP, IKE, and IKEv2
ike-scan utility, IKE Assessment
- enumerating supported transforms, Supported transform enumeration
- running with custom transform attributes, Supported transform enumeration
IKEv2, ISAKMP, IKE, and IKEv2
IMAP, IMAP-Mail Services Testing Recap
- brute-force password grinding, Brute-Force Password Grinding
- known server flaws, Known IMAP Server Flaws
- service fingerprinting, Service Fingerprinting
Immunity CANVAS, Exploitation of Vulnerabilities
Impacket scripts, Remote command execution
implementation flaws, TLS and DTLS, TLS implementation flaws
in-memory key-value stores, The Data Tier
information leak bugs, Web application testing
information leaks, Logic Flaws and Other Bugs
- OpenSSL TLS heartbeat information leak, OpenSSL TLS heartbeat extension information leak
Infrastructure as a Service (IaaS) platforms, load balancing in, Load Balancers
INIT (SCTP) chunks, Nmap scan of, Nmap support
input validation and representation, A Taxonomy of Software Security Errors
instruction pointers (eip), Processor Registers and Memory
- saved, Overwriting memory structures for gain
Intel processor registers and runtime memory layout, Processor Registers and Memory
intermediate certificates, CAs and chaining
internal routing protocols, Local IP Protocols, Internal Routing Protocols-IPv6 Network Discovery
- cracking authentication keys, Cracking authentication keys
- EIGRP, EIGRP
- HSRP and VRRP, HSRP and VRRP
  - attacking HSRP, Attacking HSRP
  - attacking VRRP, Attacking VRRP
- ICMP redirect messages, ICMP redirect messages
- OSPF, OSPF
- RIP, RIP
Internet network discovery, Internet Network Discovery-Enumeration Countermeasures
- automated enumeration tools, Automating Enumeration
- BGP enumeration, BGP Enumeration
- DNS querying, DNS Querying-SMTP Probing
- domain WHOIS, Domain WHOIS
  - manual querying, Manual WHOIS Querying
- enumeration countermeasures, Enumeration Countermeasures
- IP WHOIS, IP WHOIS
  - querying tools and examples, IP WHOIS Querying Tools and Examples-Using WHOIS web interfaces
- querying search engines and websites, Querying Search Engines and Websites-Searching LinkedIn
- recap of enumeration techniques, Enumeration Technique Recap
- SMTP probing, SMTP Probing
Internet-based social engineering, Internet-based social engineering
Internet-exposed services, identifying with Shodan, Using Shodan
Internet-Wide Scan Data Repository, Using Shodan
interpreted languages, arbitrary code execution through, System Access and Execution Context
investigation of materials obtained, Common Network Service Assessment Recap
invoker servlets (JBoss), Web Consoles and Invoker Servlets
IP addresses
- cross-referencing AS numbers with IP address blocks, BGP Enumeration
- internal, revealing, Revealing Internal IP Addresses
- IP WHOIS, IP WHOIS-BGP Enumeration
- reverse IP lookup with DomainTools, DomainTools
IP ID analysis, IP ID Analysis-Stealth IP ID scanning with Nmap
- stealth IP ID scanning with Nmap, Stealth IP ID scanning with Nmap
- using Nmap, IP ID sampling with Nmap
- using Scapy, IP ID sampling with Scapy
IP network scanning, IP Network Scanning-Network Scanning Countermeasures
- bulk vulnerability scanning, Bulk Vulnerability Scanning
- countermeasures for, Network Scanning Countermeasures
- IDS and IPS evasion, IDS and IPS Evasion-Network Scanning Recap
- initial scanning with Nmap, Initial Network Scanning with Nmap-Low-Level IP Assessment
- low-level IP assessment, Low-Level IP Assessment-Vulnerability Scanning with NSE
- recap of techniques, Network Scanning Recap
- revealing internal IP addresses, Revealing Internal IP Addresses
IP protocols (local), Local IP Protocols-Local Network Discovery Recap
- DHCP, DHCP-Active DHCP attacks
- identifying local gateways, Identifying Local Gateways
- internal routing protocols, Internal Routing Protocols-IPv6 Network Discovery
- IPv6 network discovery, IPv6 Network Discovery-Identifying Local Gateways
- LLMNR, NBT-NS, and mDNS, LLMNR, NBT-NS, and mDNS
- PXE, PXE
- WPAD, WPAD
IPC (interprocess communication)
- anonymous access to IPC share via SMB, Anonymous IPC Access via SMB
- Microsoft share via SMB, SMB
iplist.net, Cross-Referencing DNS Datasets
IPMI services, IPMI
IPsec, Reading memory structures for gain, IPsec-PPTP
- exploitable weaknesses, Exploitable IPsec Weaknesses
  - aggressive mode IKE group enumeration, Aggressive mode IKE group enumeration
  - aggressive mode IKE PSK cracking, Aggressive Mode IKE PSK Cracking
  - attacking XAUTH, Attacking XAUTH
- IKE assessment, IKE Assessment
- ISAKMP, IKE, and IKEv2, ISAKMP, IKE, and IKEv2
- packet format, Packet Format
- testing services, recap, VPN Testing Recap
- VPN client variables, Obtaining VPN configuration files
IPv4
- headers, Low-Level IP Assessment
- scanning, IPv4 scanning
IPv6
- address enumeration via forward grinding, IPv6 Host Enumeration
- network discovery, IPv6 Network Discovery
  - implementing malicious IPv6 overlay network, Intercepting local IPv6 traffic
  - intercepting local IPv6 traffic, Intercepting local IPv6 traffic
  - local host enumeration, Local IPv6 host enumeration
- review of local IPv6 configuraton, Reviewing local IPv6 configuration
- scanning, IPv6 scanning
IRIX, heap management algorithm, The heap
IRPAS, Internal Routing Protocols
ISAKMP (Internet Security Association and Key Management Protocol), ISAKMP, IKE, and IKEv2
ISC BIND
- fingerprinting name servers, Fingerprinting
- vulnerabilities, BIND
iSCSI, iSCSI
iterative assessment approach, An Iterative Assessment Approach

J

Jasper, Apache Tomcat
Java
- application server components, The Application Tier
- exploiting in attack on Chrome, Attacker Economics
- memory safety, Adversarial Goals
Java Debug Wire Protocol (JDWP), JDWP
JavaScript, System Access and Execution Context, Presentation-Tier Data Formats
JBoss
- fingerprinting with clusterd, Framework and Data Store Profiling
- testing, JBoss Testing-Apache Struts
  - automated vulnerability scanning, Automated JBoss Scanning
  - exploiting MBeans, Exploiting MBeans
  - exploiting RMI distributed garbage collector, Exploiting the RMI Distributed Garbage Collector
  - identifying MBeans, Identifying MBeans
  - known vulnerabilities, Known JBoss Vulnerabilities
  - server profiling via HTTP, Server Profiling via HTTP
  - web consoles and invoker servlets, Web Consoles and Invoker Servlets
JDWP (Java Debug Wire Protocol), JDWP
JexBoss utility, Automated JBoss Scanning
JMX console
- enumerating MBeans via, Enumerating MBeans via HTTP
- interacting with MBeans manually, Over HTTP
John the Ripper, Internal Routing Protocols
- cracking leaked LDAP passwords, Obtaining Sensitive Data
- cracking NTLMv2 hashes, LLMNR, NBT-NS, and mDNS
- cracking RIPv2 MD5 hashes, Cracking authentication keys
- OSPF attacks, OSPF
Joomla, Framework and Data Store Profiling
- exploitable flaws in, PHP CMS Packages
JSESSIONID values, application servers, Cookie analysis
just-in-time (JIT) compilers, The text segment

K

Kali Linux, Your Testing Platform
- updating, Updating Kali Linux
KDC (Key Distribution Center), Kerberos
KDC master keys, Kerberos Keys
keep-alive sessions, Support for persistent connections and caching
Kerberos, Kerberos-VNC
- attack surface, Kerberos Attack Surface
- hardening servers, Service Hardening and Countermeasures
- implementation flaws, Kerberos Implementation Flaws
- in Negotiate authentication, HTTP authentication mechanisms
- keys, Kerberos Keys
- local attacks, Local Attacks
  - active downgrade and offline brute-force, Active downgrade and offline brute-force
  - passive network sniffing, Passive network sniffing
  - password hash, Kerberos key, and ticket compromise, Password hash, Kerberos key, and ticket compromise
- messages, Kerberos
- ticket format, Ticket Format
  - Microsoft PAC fields, Microsoft PAC fields
- unauthenticated remote attacks, Unauthenticated Remote Attacks
  - brute-force password grinding, Brute-force password grinding
  - realm enumeration, Realm enumeration
  - username enumeration, Username enumeration
kernel exploits, Attacker Economics
key block
- generation during DH key exchange, DH key exchange
- generation during RSA key exchange, Generating the master secret and key block
key exchange
- client certificate and key exchange in TLS, Client Certificate and Key Exchange
- in TLS, Key Exchange and Authentication-ECC
- server certificate and key exchange in TLS, Server Certificate and Key Exchange
key generation and handling (X.509 certificates), Key generation and handling
keyboard-interactive SSH authentication, Supported authentication mechanisms
keys (Kerberos), Kerberos Keys
- compromising, Password hash, Kerberos key, and ticket compromise
“The Known Unknowns”, Private vulnerability sources

L

LDAP, LDAP-Kerberos
- attacks on LDAP servers, LDAP
- authentication, LDAP Authentication
- brute-force password grinding in, Brute-Force Password Grinding
- directory structure, LDAP Directory Structure
- fingerprinting and anonymous binding, Fingerprinting and Anonymous Binding
- layers when using TLS, LDAP Operations
- obtaining sensitive data from, Obtaining Sensitive Data
- operations, LDAP Operations
- server implementation flaws, LDAP Server Implementation Flaws
- structures and attributes in Microsoft Active Directory, LDAP Directory Structure
libraries (TLS), Identifying the TLS Library and Version
LinkedIn, searching, Searching LinkedIn
Linux
- heap management algorithm, The heap
- Kali Linux for penetration testing, Your Testing Platform
- Linux kernel, public bug tracker, Public vulnerability sources
- local OS command execution via MySQL, Local OS command execution via MySQL
- security features, Compiler and OS Security Features
LLMNR (Link-Local Multicast Name Resolution), Local IP Protocols, LLMNR, NBT-NS, and mDNS
- poisoning attacks, LLMNR, NBT-NS, and mDNS
load balancers, System Components, Identifying Proxy Mechanisms
- identifying presence of proxy load balancer, Identifying Proxy Mechanisms
- in web application presentation tier, Load Balancers
local IP protocols (see IP protocols (local))
local network discovery, Local Network Discovery-Local Network Attack Countermeasures
- attack countermeasures, Local Network Attack Countermeasures
- data link protocols, Data Link Protocols-Root bridge takeover
- local IP protocols, Local IP Protocols-Local Network Discovery Recap
- recap of attack techniques, Local Network Discovery Recap
log files, examining, Reviewing Exposed Content
logic flaws, Logic Flaws and Other Bugs
LOGIN authentication (SMTP), Brute-Force Password Grinding
Logjam attacks (TLS), SSL and TLS protocol weaknesses
Loki, Internal Routing Protocols
- advertising new OSPF route with, OSPF
- OSPF attacks, OSPF
LSARPC, Querying LSARPC and SAMR interfaces
- RID cycling via, Querying LSARPC and SAMR interfaces
Lucky 13 attacks, Mitigating TLS Exposures, Weak cipher suites
- mitigation within web applications, Lucky 13 and RC4 byte bias mitigation within web applications

M

MAC addresses
- mapping IPv4 addresses to, in ARP cache, ARP cache poisoning
- removing MAC filter on Ethernet adapters, 802.3 Ethernet Testing
macof utility, creating CAM table overflow, CAM table overflow, Root bridge takeover
mail server software packages, vulnerabilities in, Remotely Exploitable Flaws
mail services, assessing, Assessing Mail Services-Mail Services Countermeasures
- countermeasures when hardening mail systems, Mail Services Countermeasures
- IMAP, IMAP-Mail Services Testing Recap
- mail protocols, Mail Protocols
- POP3, POP3-IMAP
- recap of testing tactics, Mail Services Testing Recap
- SMTP, SMTP-Sending email
mailing lists for security vulnerablities, Mailing Lists
malicious PHP file creation, System Access and Execution Context
malloc function, The heap
man-in-the-middle (MITM) attacks, ARP cache poisoning, ARP cache poisoning
managed security service providers (MSSPs), SMTP
Management Information Base (MIB), SNMP, SNMP
MapReduce, Apache Hadoop
marshalling, Application-Tier Data Formats
- (see also serialization)
master secret generation, Generating the master secret and key block, DH key exchange
MBeans, Identifying MBeans
- enumerating via HTTP, Enumerating MBeans via HTTP
- enumerating via RMI registry service, Enumerating MBeans via the RMI registry service
- exploiting, Exploiting MBeans
  - over HTTP, Over HTTP
McGraw, Gary, A Taxonomy of Software Security Errors
MD5 cryptographic hash
- Digest authentication via, HTTP authentication mechanisms
- weaknesses in, X.509 signatures, Signature algorithm flaws
mDNS (multicast DNS), Local IP Protocols, LLMNR, NBT-NS, and mDNS, Multicast DNS
media types, Presentation-Tier Data Formats
Memcached, Memcached
- querying and extracting key-values, Memcached
memory
- processor registers and, Processor Registers and Memory
- reading from, Reading from Memory
- runtime memory layout, Runtime Memory Layout
  - data and BSS segments, Data and BSS segments
  - heap, The heap
  - stack, The stack
  - text segment, The text segment
- writing to, Writing to Memory
  - overwriting memory structures for gain, Overwriting memory structures for gain
memory safety, programming languages and, Adversarial Goals
message transfer agents (MTAs), SMTP
message types (ICMP), ICMP, ICMP Message Types
Metagoofil tool, Google Search
Metasploit, Exploitation of Vulnerabilities, Your Testing Platform
- Apache Struts DefaultActionMapper, exploiting, Exploiting the DefaultActionMapper
- CDP frame manipulation, CDP
- JBoss vulnerability scanning with, Automated JBoss Scanning
- MBeans, exploiting, Over HTTP
- Microsoft SQL Server, authenticated modules for, Authenticating and Evaluating Configuration
- MySQL modules, authenticated, Authenticated MySQL Attacks
- obtaining link-local addresses via router advertisement, Local IPv6 host enumeration
- Oracle Database exploitable flaws, Privilege Escalation and Pivoting
- Oracle SID values, grinding, Oracle SID Grinding
- PostgreSQL brute-force password grinding, Brute-Force Password Grinding
- PostgreSQL, authenticated modules for, Authenticated PostgreSQL Attacks
- querying RMI registry service, Enumerating MBeans via the RMI registry service
- search directive, Known FTP Vulnerabilities
- Shodan search module, Using Shodan
- SNMP community dictionary, SNMP community string and password grinding
- testing SSH public key, Enumerating valid keys
- tomcat_mgr_deploy module, The Manager Application
- vhost scanner module, Enumerating Valid Hosts
Metasploitable 2, Deploying a Vulnerable Server
MIB (Management Information Base), SNMP, SNMP
Microsoft
- PXE boot sequence, PXE
- web applications, protocols in application tier, The Application Tier
- web servers, additional types of authentication supported, HTTP authentication mechanisms
Microsoft .NET, memory safety, Adversarial Goals
Microsoft Active Directory
- LDAP service in, LDAP
- structures and attributes in, LDAP Directory Structure
Microsoft ASP.NET, Microsoft ASP.NET
Microsoft DNS server, defects of, Microsoft DNS
Microsoft Exchange (see Exchange servers)
Microsoft HTTP extensions, Microsoft HTTP extensions
Microsoft IIS
- fingerprinting using WhatWeb, Server and Application Framework Fingerprinting
- FTP server vulnerabilities, Known FTP Vulnerabilities
- known vulnerabilities, Known Microsoft IIS Vulnerabilities
  - Windows authentication information leak, Windows authentication information leak
Microsoft Kerberos implementation
- Kerberos armoring, Active downgrade and offline brute-force
- Kerberos ticket format, Ticket Format
- ports used by, Kerberos Attack Surface
- remotely exploitable flaws, Kerberos Implementation Flaws
- ticket block encryption and signing, Ticket block encryption and signing
Microsoft Outlook (see Outlook)
Microsoft services, assessing, Assessing Microsoft Services-Microsoft Services Countermeasures
- anonymous IPC access via SMB, Anonymous IPC Access via SMB
- attacking SMB and RPC, Attacking SMB and RPC-Remote Desktop Services
  - authenticating and using access, Authenticating and Using Access
  - brute-force password grinding, Brute-Force Password Grinding
  - identifying exposed RPC services, Identifying Exposed RPC Services
  - iterative testing of services, Attacking SMB and RPC
  - mapping network attack surface, Mapping Network Attack Surface
  - SMB implementation flaws, SMB Implementation Flaws
- hardening steps within Microsoft environments, Microsoft Services Countermeasures
- NetBIOS name and datagram services, NetBIOS Name Service-SMB
- protocols supporting Microsoft Exchange and Outlook, Assessing Microsoft Services
- recap of testing techniques, Microsoft Services Testing Recap
- remote desktop services, Remote Desktop Services-Microsoft Services Testing Recap
  - brute-force password grinding, Brute-Force Password Grinding
  - RDP implementation flaws, RDP Implementation Flaws
  - transport security, Assessing Transport Security
- RPC services, Microsoft RPC Services
- services using open protocols, Assessing Microsoft Services
- services using proprietary protocols, Assessing Microsoft Services
- SMB (Server Message Block), SMB
Microsoft SQL Server, Microsoft SQL Server-Authenticating and Evaluating Configuration
- authenticating and evaluating configuration, Authenticating and Evaluating Configuration
- brute-force password grinding, Brute-Force Password Grinding
- exploitable vulnerabilities, Microsoft SQL Server
- fingerprinting instances via Nmap, Microsoft SQL Server
- SQL injection attack, Framework and Data Store Profiling
Microsoft Windows (see Windows)
Microsoft Windows Server
- LDAP servers in, weaknesses of, LDAP Server Implementation Flaws
- RPC server in, vulnerabilities, Identifying Exposed RPC Services
MIME headers, modifying to circumvent content checking, Content Checking Circumvention
Mimikatz
- loading Kerberos tickets into memory, Passing of tickets
- password hash, Kerberos key, and ticket compromise, Password hash, Kerberos key, and ticket compromise
- using to obtain password hashes and keys, Obtaining secrets
MIT Kerberos, Kerberos Attack Surface
- remotely exploitable flaws, Kerberos Implementation Flaws
MITM (man-in-the-midddle) attacks, ARP cache poisoning, ARP cache poisoning
modification of ciphertext, Cryptographic Weaknesses
MongoDB, MongoDB
- known vulnerabilities, MongoDB
- Nmap interrogation of available services, MongoDB
mountd service (NFS), querying, NFS
MS-CHAPv2 material, capturing, PEAP
MSSPs (managed security service providers), SMTP
MTAs (message transfer agents), SMTP
MX lookup, reverse, DomainTools
MX records, querying, Manual querying
MySQL, MySQL-PostgreSQL
- authenticated attacks, Authenticated MySQL Attacks
  - local OS command execution via MySQL, Local OS command execution via MySQL
- brute-force password grinding, Brute-Force Password Grinding
- remotely exploitable flaws, MySQL
- service fingerprinting via Nmap, MySQL

N

name resolution protocols, local, Local IP Protocols
name service (NetBios), NetBIOS Name Service
NASA, listing web servers supporting directory indexing, Identifying web servers
NAT-PT configuration, Intercepting local IPv6 traffic
NAT64, Intercepting local IPv6 traffic
native code execution, goal in attack on Google Chrome, Attacker Economics
NBT-NS (NetBIOS Name Service), Local IP Protocols, LLMNR, NBT-NS, and mDNS
- poisoning attacks, LLMNR, NBT-NS, and mDNS
NDP (Neighbor Discovery Protocol), IPv6 Network Discovery
negative scanning, UDP
Negotiate authentication, HTTP authentication mechanisms
Nemesis, Internal Routing Protocols
- RIP protocol attacks, RIP
- setup and configuration in Kali Linux, RIP
Nessus, Bulk Vulnerability Scanning
NetBIOS, name and datagram services, NetBIOS Name Service-SMB
- name table entries, NetBIOS Name Service
- querying the name service, NetBIOS Name Service
Netcraft, querying with, Querying Netcraft
Netscape SSL, Assessing TLS Services
network discovery, local (see local network discovery)
network infrastructure testing, Network infrastructure testing
network scanning tools, Vulnerability Scanning
network security assessment methodology, Network Security Assessment Methodology-Your Testing Platform
- exploitation of vulnerabilities, Exploitation of Vulnerabilities
- investigation of vulnerabilities, Investigation of Vulnerabilities
  - private vulnerability sources, Private vulnerability sources
  - public vulnerability sources, Public vulnerability sources
- iterative assessment approach, An Iterative Assessment Approach
- reconnaissance, Reconnaissance
network services (common), assessing, Assessing Common Network Services-Service Hardening and Countermeasures
- DNS, DNS-NTP
- FTP, FTP-TFTP
- IPMI, IPMI
- Kerberos, Kerberos-VNC
- LDAP, LDAP-Kerberos
- recap of techniques for uncovering vulnerabilities, Common Network Service Assessment Recap
- service hardening and countermeasures, Service Hardening and Countermeasures
- SNMP, SNMP-LDAP
- SSH, SSH-Telnet
- Telnet, Telnet-IPMI
- TFTP, TFTP
- Unix RPC services, Unix RPC Services-Common Network Service Assessment Recap
- VNC (Virtual Network Computing), VNC-Unix RPC Services
networks
- exploiting TLS flaws with network access, Understanding TLS Vulnerabilities
- mapping attack surface for Microsoft services, Mapping Network Attack Surface
- obtaining internal network details with SNMP exploitation, Exposing useful information via SNMP
- reducing attack surface, Service Hardening and Countermeasures
Nexpose, Bulk Vulnerability Scanning
NFS (Network File System), NFS-Apple Filing Protocol
- components in RPC services, Unix RPC Services
- enumerating and accessing exports, NFS
- known severe flaws within components, NFS
- listing and mounting NFS exports, Manually Querying Exposed RPC Services
Nginx, Attacking Server Software
- Coucho Resin 4.0 application server running behind, Cookie analysis
- known defects, Known Nginx Defects
Nikto web server assessment tool, Identifying Exposed Content
NIS components, RPC services, Unix RPC Services
- common NIS maps and corresponding files, Manually Querying Exposed RPC Services
- querying NIS and obtaining material, Manually Querying Exposed RPC Services
NIST National Vulnerability Database, Public vulnerability sources
NIST SP 800-115, exploitation tasks, Exploitation of Vulnerabilities
Nmap, Your Testing Platform
- IDS and IPS evasion features, IDS and IPS Evasion
- initial network scanning, Initial Network Scanning with Nmap-Low-Level IP Assessment
  - ICMP, ICMP-TCP
  - IPv4 scanning, Bringing Everything Together
  - IPv6 scanning, IPv6 scanning
  - TCP, TCP-UDP
  - UDP, UDP-SCTP
- IP ID sampling with, IP ID sampling with Nmap
  - stealth sampling, Stealth IP ID scanning with Nmap
- MongoDB enumeration via, MongoDB
- MySQL service fingerprinting, MySQL
- running against valid IPv6 addresses, Local IPv6 host enumeration
- SMTP endpoint fingerprinting, Service Fingerprinting
- vulnerability scanning with NSE, Vulnerability Scanning with NSE
Node.js, Node.js
- remotely exploitable flaws in modules, Node.js
nondelivery notification messages (NDNs), SMTP Probing, SMTP
- configuring SMTP servers not to send, Enumeration Countermeasures
Novell eDirectory servers, LDAP Server Implementation Flaws
NS lookup, reverse, DomainTools
NSE (Nmap)
- listing scripts from command line, Vulnerability Scanning with NSE
- running default NSE scripts with Nmap, Vulnerability Scanning with NSE
- script categories, Vulnerability Scanning with NSE
NSEC and NSEC3 enumeration, NSEC and NSEC3 enumeration
NSID querying with Nmap, Fingerprinting
nslookup, obtaining MX records with, Manual querying
NTLM authentication, Brute-Force Password Grinding, Brute-Force Password Grinding, HTTP authentication mechanisms
NTLM hash, authentication with SMB using, SMB authentication

O

object-relational database management system (ORDBMS), PostgreSQL
objects, marsahlling/unmarshalling, Application-Tier Data Formats
OCLHashcat, Aggressive Mode IKE PSK Cracking
Offensive-Security Exploit Database, Public vulnerability sources, Your Testing Platform
OID (Object Identifier) values
- in LDAP, Fingerprinting and Anonymous Binding
- in SNMP MIB, SNMP
  - exposing for Windows SNMP, Exposing useful information via SNMP
Open Shortest Path First (OSPF), Local IP Protocols
Open Web Application Security Project (OWASP) Top 10, Web application testing
OpenLDAP utilities package, LDAP Operations
OpenSSH, Fingerprinting
- remotely exploitable flaws, SSH Server Software Flaws
OpenSSL
- listing supported cipher suites, Cipher Suites
- public bug tracker, Public vulnerability sources
- TLS heartbeat information leak, OpenSSL TLS heartbeat extension information leak
OpenVAS, Bulk Vulnerability Scanning
OpenVPN, getting information on via Google search, Obtaining VPN configuration files
operating systems
- configuration guidelines for, Configuration review
- default TCP/IP values, TCP/IP Stack Fingerprinting
- exposed logic in, Exposed Logic
- heap management algorithms, The heap
- identifying for TLS services, Identifying the TLS Library and Version
- local OS command execution via MySQL, Local OS command execution via MySQL
- local OS command execution via SQL Server, Authenticating and Evaluating Configuration
- runtime memory layout, Runtime Memory Layout
- security features, Compiler and OS Security Features
OPTIONS method (HTTP), Analyzing Server Responses
Oracle Database, Oracle Database-MongoDB
- authenticating with, Authenticating with Oracle Database
- database account password grinding, Database Account Password Grinding
- hardening recommendations, Data Store Countermeasures
- interacting with TNS listener, Interacting with the TNS Listener
- privilege escalation and pivoting, Privilege Escalation and Pivoting
- SID grinding, Oracle SID Grinding
organizational units (OUs) in LDAP, LDAP Directory Structure
OS X
- heap management algorithm, The heap
- security features, Compiler and OS Security Features
- virtualization software for, Your Testing Platform
OSI Layer 2
- attacking specific VLANs, Attacking specific VLANs
- local network, common attack methods, Local Network Discovery Recap
- MiTM attacks, Local IP Protocols
OSI Layer 3, attack methods for local networks, Local Network Discovery Recap
OSI network model, Data Link Protocols
OSPF (Open Shortest Path First), OSPF
Outlook
- messages sent via, content checking circumvention, Content Checking Circumvention
- protocols supporting, Assessing Microsoft Services
over-reads, Adversarial Goals
OWASP vulnerable web applications directory, Deploying a Vulnerable Server

P

PAC (privilege attribute certificate) data structure, Ticket Format
- Microsoft PAC fields, Microsoft PAC fields
Packet Storm, Public vulnerability sources
packets
- IPsec, format of, Packet Format
- malformed and fragmented, by SniffJoke, Data Insertion and Scrambling with SniffJoke
parameters (DH public keys), DH key exchange
- selection of, DH parameter selection and negotiation
passive network sniffing, Kerberos authentication requests, Passive network sniffing
passwords
- changing user password with long-term key in Kerberos, Changing a user password with a long-term key
- for PostgreSQL, obtaining and cracking password hashes, Authenticated PostgreSQL Attacks
- found in PCFs, decryption of, Obtaining VPN configuration files
- grinding in SNMP with THC Hydra, SNMP community string and password grinding
- leaked via LDAP, cracking, Obtaining Sensitive Data
- MySQL root password, uncovering, Brute-Force Password Grinding
payload scanning, UDP
PCFs (profile configuration files), querying via Google search, Obtaining VPN configuration files
PEAP (Protected EAP), 802.1X PNAC
- capturing and cracking PEAP credentials, PEAP
- deploying rogue authenticator to capture MS-CHAPv2 material, PEAP
penetration testing, Exploitation of Vulnerabilities
- using Kali Linux, Your Testing Platform
PentesterLab, Deploying a Vulnerable Server
PGP public key servers, querying, PGP Public Key Servers
phishing
- Internet-based social engineering, Internet-based social engineering
- via SMTP, Phishing via SMTP-Sending email
  - landing page preparation, Landing page preparation
  - reconnaissance, important details, Reconnaissance
  - sending email, Sending email
PHP
- CMS packages written in, PHP CMS Packages-Apache Tomcat
  - fingerprinting, Framework and Data Store Profiling
- exploitable vulnerabilities, PHP
- malicious file creation, System Access and Execution Context
- management consoles, PHP Management Consoles
phpMyAdmin
- remotely exploitable flaws, PHP Management Consoles
- weak usname/password combinations for, PHP Management Consoles
physical access, direct, to system components, System Access and Execution Context
physical, data link, and network layers, Data Link Protocols
ping, ARP cache poisoning
- ICMP Type 8 message (echo request), ICMP
- identifying IPv6 neighbors using ping6, Local IPv6 host enumeration
- using with Nmap, ICMPv4 Sweeping with Nmap
PKI, use in Kerberos, Kerberos Keys
PLAIN authentication (SMTP), Brute-Force Password Grinding
Plesk management console, PHP Management Consoles
- remotely exploitable flaws, PHP Management Consoles
PLT (procedure linkage table) entries, Overwriting memory structures for gain
PNAC (port-based network access control), 802.1X PNAC-CDP
Point-to-Point Tunneling Protocol (see PPTP)
pointer encoding, Compiler and OS Security Features
pointers, abuse of, Adversarial Goals
points of presence (POPs), maintained by CDNs, CDNs
POODLE attacks (TLS), SSL and TLS protocol weaknesses
POP3, POP3-IMAP
- brute-force password grinding, Brute-Force Password Grinding
- service fingerprinting, Service Fingerprinting
port isolation settings, Layer 3 private VLAN bypass
port states
- in STP networks, 802.1D STP
- returned by Nmap in IPv4 TCP network scan, TCP
portmapper service (RPC), Unix RPC Services
POST method (HTTP), HTTP
Postfix, flaws in, Remotely Exploitable Flaws
PostgreSQL, PostgreSQL-Microsoft SQL Server
- authenticated attacks, Authenticated PostgreSQL Attacks
- brute-force password grinding, Brute-Force Password Grinding
PPTP, PPTP-VPN Testing Recap
- fingerprinting services with Nmap, PPTP
- server brute-force password grinding, PPTP
- testing services, recap, VPN Testing Recap
Preboot Execution Environment (PXE), Local IP Protocols
premaster secret, Client Certificate and Key Exchange
- generation by peers, in DH key exchange, DH key exchange
- in RSA key exchange and authentication, RSA key exchange and authentication
presentation tier (web applications), The Presentation Tier
- CDNs, CDNs
- data formats, Presentation-Tier Data Formats
- HTTP in, HTTP
- load balancers, Load Balancers
- TLS in, TLS
principal long-term keys (Kerberos), Kerberos Keys
principals (Kerberos), Kerberos
private keys
- exposure through information leaks, Reading memory structures for gain
- extraction through OpenSSL heartbleed flaw, OpenSSL TLS heartbeat extension information leak
- known, X.509 certificates with, X.509 certificates with known private keys
private VLAN attacks, Layer 3 private VLAN bypass
privileges, elevation of, Adversarial Goals
PRNGs (pseudorandom number generators), Cryptographic Weaknesses
procedure linkage table (PLT) entries, Overwriting memory structures for gain
processsor registers and memory, Processor Registers and Memory
ProFTPD, vulnerabilities, Known FTP Vulnerabilities
programming languages
- interpreted, arbitrary code execution through, System Access and Execution Context
- with memory safety problems, Adversarial Goals
promiscuous mode, 802.3 Ethernet Testing
PROPFIND method (HTTP), WebDAV methods
PROPPATCH method (HTTP), Analyzing Server Responses
Protected EAP (see PEAP)
protocols
- in application tier of web application , The Application Tier
- supported, enumerating for TLS endpoint, Enumerating Supported Protocols and Cipher Suites
- used within web applicaton presentation tier, The Presentation Tier
proxies
- identifying, Identifying Proxy Mechanisms
- misconfigured, abusing, Identifying Proxy Mechanisms
proximity, close, system access through, System Access and Execution Context
PSK (pre-shared key) authentication, Supported transform enumeration, Aggressive mode IKE group enumeration
- aggressive mode IKE PSK cracking, Aggressive Mode IKE PSK Cracking
PTR records, querying, DNS Zone Transfer Techniques, Reverse DNS Sweeping
Pure-FTPd, vulnerabilities, Known FTP Vulnerabilities
PUT method (HTTP), Analyzing Server Responses, PUT and DELETE
PXE (Preboot Execution Environment), PXE
- attacks in PXE environments, PXE
Python, System Access and Execution Context

Q

Qualys, Bulk Vulnerability Scanning

R

Rails, Attacking Server Software, Rails-Node.js
- exploitable vulnerabilities in gems used by, Rails
- identifying its presence, Rails
- remotely exploitable flaws, Rails
- using an application's secret token, Using an Application’s Secret Token
Rapid7
- Metasploit, Exploitation of Vulnerabilities
  - (see also Metasploit)
- Metasploitable 2, Deploying a Vulnerable Server
- Nexpose, Bulk Vulnerability Scanning
RC2 cipher, Weak cipher suites
RC4 byte bias attacks, mitigating, Lucky 13 and RC4 byte bias mitigation within web applications
RC4 byte biases, SSL and TLS protocol weaknesses
RC4 cipher, Weak cipher suites
RC4 encryption in Kerberos authentication, Active downgrade and offline brute-force
RCPT TO command, using to enumerate local users, RCPT TO
RDP (Remote Desktop Protocol), Remote Desktop Services
- (see also remote desktop services (Microsoft), assessing)
rdp-sec-check utility, Assessing Transport Security
reading from memory, Reading from Memory
- reading memory structures for gain, Reading memory structures for gain
realm enumeration (Kerberos), using dig, Realm enumeration
reconnaissance in network security assessment, Reconnaissance
records (TLS), TLS Mechanics
recursion support in DNS, testing for, Testing for Recursion Support
Redis, Redis-Memcached
- abusing to write malicious content to disk, Known Weaknesses
- known weaknesses, Known Weaknesses
- reading data using redis-cli utility, Redis
Regional Internet Registries (RIRs), IP WHOIS
registry
- enumerating system registry using regdmp, Accessing the registry
- modifying registry keys using regini, Accessing the registry
relocation read-only (RELRO), Compiler and OS Security Features
remote desktop services (Microsoft), assessing, Remote Desktop Services-Microsoft Services Testing Recap
- RDP brute-force password grinding, Brute-Force Password Grinding
- RDP implementation flaws, RDP Implementation Flaws
- transport security, Assessing Transport Security
Remote Development Services (RDS) in ColdFusion, Exposed Management Interfaces
remote framebuffer (RFB) protocol, VNC
- security types, VNC
renegotiation, TLS sessions, Session Renegotiation, Session renegotiation
- insecure, SSL and TLS protocol weaknesses
replay of ciphertext, Cryptographic Weaknesses
resource records (DNS), DNS Querying
- enumerating SRV records with Nmap, Obtaining SRV records
- manual assessment of, Automated querying
- NSEC and NSEC3 enumeration, NSEC and NSEC3 enumeration
- querying MX records, Manual querying
- querying PTR records, DNS Zone Transfer Techniques
- retrieving individual SRV records, NSEC and NSEC3 enumeration
Responder
- DHCP script, Active DHCP attacks
- ICMP redirect spoofing, ICMP redirect messages
- WPAD attack automation, WPAD
REST APIs, testing, Web service testing
resumption modes, TLS sessions, Session Resumption
resumption, TLS sessions, Session resumption
return-oriented programming (ROP) chains, Bypassing DEP
reverse DNS sweeping, Reverse DNS Sweeping
- reverse grinding using dnsrevenum6, IPv6 Host Enumeration
RID cycling via LSARPC, Querying LSARPC and SAMR interfaces
RIP (Routing Information Protocol), RIP
- Nemesis and Scapy attacks against different versions, RIP
RIPE database, searching, Using WHOIS web interfaces
RIPv2 MD5 hashes, cracking with John the Ripper, Cracking authentication keys
RMI
- distributed garbage collector, exploiting, Exploiting the RMI Distributed Garbage Collector
- enumerating MBeans via registry service, Enumerating MBeans via the RMI registry service
- exploiting MBeans over, Over RMI
robots.txt directives, Enumeration Countermeasures
rogue server setup, DHCP attacks, DHCP
root bridge takeover (STP networks), Root bridge takeover
root CA certificates, CAs and chaining
ROP (return-oriented programming) chains, Bypassing DEP
ROP gadgets, ROP gadgets
ROPEME, CPU opcode sequences
ROPGadget, CPU opcode sequences
Routing Information Protoccol (see RIP)
routing protocols, internal (see internal routing protocols)
RPC over HTTP, Microsoft Exchange Server, Microsoft HTTP extensions
RPC services
- Microsoft, Microsoft RPC Services
  - attacking SMB and RPC, Attacking SMB and RPC-Remote Desktop Services
  - hardening steps, Microsoft Services Countermeasures
  - identifying exposed services, Identifying Exposed RPC Services
  - remote command execution, Remote command execution
- Unix, Unix RPC Services-Common Network Service Assessment Recap
  - manually querying exposed services, Manually Querying Exposed RPC Services
  - querying portmapper service, Unix RPC Services
  - vulnerabilities, RPC Service Vulnerabilities
rpcclient utility, Querying LSARPC and SAMR interfaces
rpcdump tool, Identifying Exposed RPC Services
- enumerating RCP interfaces, Identifying Exposed RPC Services
- listing registered RPC endpoints and interfaces, Identifying Exposed RPC Services
RSA key exchange and authentication (in TLS), RSA key exchange and authentication
- compromise of private keys for TLS endpoints, Certificates generated insecurely
- DH key exchange, DH key exchange
- key generation for X.509 certificates, Key generation and handling
- master secret and key block, generating, Generating the master secret and key block
- RSA authentication with DH key exchange, DH key exchange
RSA keys, Client Certificate and Key Exchange
RSA SSH host keys, Retrieving RSA and DSA host keys
- insecurely generated, Insecurely Generated Host Keys
rstatd daemon, Unix RPC Services
- querying, Manually Querying Exposed RPC Services
Ruby, System Access and Execution Context, Rails
- (see also Rails)
runtime memory layout, Runtime Memory Layout-The stack
ruserd, identifying active user sessions with, RPC rusers

S

Samba client utilities, Querying LSARPC and SAMR interfaces
SAMR, listing users via, Querying LSARPC and SAMR interfaces
SAs (Security Associations), IPsec
SASL (Simple Authentication and Security Layer), LDAP Authentication
scanning tools, Network infrastructure testing
Scapy, Internal Routing Protocols
- and IPv6 networking, Intercepting local IPv6 traffic
- HSRP packet generation with, Attacking HSRP
- IP ID sampling with, IP ID sampling with Scapy
- RIP attack, injectng a route on victim host, RIP
- using to manipulate CDP frames, CDP
- VRRP packet generation with, Attacking VRRP
scraping websites, using GNU wget, Crawling and Investigation of Content
SCTP, SCTP-Nmap support
- common services, Nmap support
- NMAP SCTP scanning, Nmap support
- packet format, Packet format
search engines
- preventing indexing of content on web servers, Enumeration Countermeasures
- using for network discovery, Querying Search Engines and Websites
searchsploit, using in Kali Linux, Known FTP Vulnerabilities
secret_token value, Rails applications, Using an Application’s Secret Token
security
- events and conferences, Security Events and Conferences
- SMTP mail security features, Review of Mail Security Features-DMARC
Security Associations (SAs), IPsec
security errors, taxonomy of, A Taxonomy of Software Security Errors
security features, A Taxonomy of Software Security Errors
- circumventing, Circumventing Common Safety Features-Logic Flaws and Other Bugs
- compiler and OS, Compiler and OS Security Features
- compiler and OS, exposure of sensitive values, Reading memory structures for gain
Security Support Providers (SSPs), HTTP authentication mechanisms
SecurityFocus, Public vulnerability sources
SEHOP, Compiler and OS Security Features
Sendmail, flaws in, Remotely Exploitable Flaws
SensePost Auto Domain Admin and Network Exploitation (autoDANE) utility, Automating the process
Sentinel, Assessment Workflow and Tools
serialization, Application-Tier Data Formats
server applications, increasing decoupling of, System Access and Execution Context
Server header, Analyzing Server Responses
Server Hello message (TLS), Server Hello
Server Message Block (see SMB)
server software, attacking, Attacking Server Software
server status codes (HTTP), Server status codes
server-side file upload and content modification, methods supporting, Analyzing Server Responses
session management flaws, Web application testing
session tokens, Reading memory structures for gain
sessions
- common session variables set by application frameworks, Cookie analysis
- in TLS
  - renegotiation of, Session Renegotiation, Session renegotiation
  - resumption of sessions, Session Resumption, Session resumption
- persistent HTTP sessions, Support for persistent connections and caching
- session management issues, Logic Flaws and Other Bugs
- TLS, negotiating, Session Negotiation
SET (Social Engineer Toolkit), Phishing via SMTP
Set-Cookie server header, Setting cookies
SHA-1 cryptographic hashing function, known weaknesses, Signature algorithm flaws
Shodan database of network scan data, Using Shodan
SID values (Oracle), grinding, Oracle SID Grinding
side channel attacks, Cryptographic Weaknesses
signature algorithm flaws (X.509 certificates), Signature algorithm flaws
signing of data, Cryptographic Weaknesses
SIGTRAN. SCTP protocol family, SCTP
SilverStripe, PHP CMS Packages
- exploitable flaws in, PHP CMS Packages
simple authentication (LDAP), LDAP Authentication
Simple Authentication and Security Layer (SASL), LDAP Authentication
site certificates, CAs and chaining
SMB (Server Message Block), SMB
- anonymous IPC access via, Anonymous IPC Access via SMB
- authenticating with and using access, Authenticating and Using Access
- brute-force password grinding using Hydra, Brute-Force Password Grinding
- capturing and cracking credentials using Kali Linux, LLMNR, NBT-NS, and mDNS
- exploitable implementation flaws, SMB Implementation Flaws
- remote command execution over, Remote command execution
- service hardening and countermeasures, Microsoft Services Countermeasures
- shares exposed to clients, SMB
- using walksam over SMB and named pipes, Querying LSARPC and SAMR interfaces
SMTP
- brute-force password grinding, Brute-Force Password Grinding
- content checking circumvention, Content Checking Circumvention
- enumerating supported commands and extensions, Enumerating Supported Commands and Extensions-Enumerating Supported Commands and Extensions
- mapping SMTP architecture, Mapping SMTP Architecture-Enumerating Supported Commands and Extensions
- phishing via, Phishing via SMTP-Sending email
- probing, SMTP Probing
- remotely exploitable flaws, Remotely Exploitable Flaws
- review of mail security features, Review of Mail Security Features-DMARC
- server hostnames, revealing, Manual querying
- service fingerprinting, Service Fingerprinting
- TLS session over, STARTTLS
- user account enumeration, User Account Enumeration-Brute-Force Password Grinding
smtp-user-enum utility, User Account Enumeration
SniffJoke, IDS and IPS Evasion
- configuring and running, Configuring and Running SniffJoke
SNMP, SNMP-LDAP
- exploiting, Exploiting SNMP
  - community string and password grinding, SNMP community string and password grinding
  - compromising devices by writing to SNMP, Compromising devices by writing to SNMP
  - exposing useful information, Exposing useful information via SNMP
  - known SNMP implementation flaws, Known SNMP implementation flaws
  - username enumeration via SNMPv3, Username enumeration via SNMPv3
- obtaining an MIB, SNMP
- versions, SNMP
Social Engineer Toolkit (SET), Phishing via SMTP
social engineering
- Internet-based, Internet-based social engineering
- preventing, Enumeration Countermeasures
- successful professional campaigns in, Sending email
software security errors, A Taxonomy of Software Security Errors
software switches, System Components
software, reasons for vulnerability in, Why Software Is Vulnerable
Solaris, heap management algorithm, The heap
Spanning Tree Protocol (see STP)
SPF (Sender Policy Framework), SPF
SQL injection attack, on Microsoft SQL Server, Framework and Data Store Profiling
SQL Server (see Microsoft SQL Server)
sqlplus utility, Authenticating with Oracle Database
- using Oracle client, Authenticating with Oracle Database
SRV records, obtaining, Obtaining SRV records, NSEC and NSEC3 enumeration
SSH, Reading memory structures for gain, SSH-Telnet
- classes of attack against, SSH
- configuration files, querying via Google search, Obtaining VPN configuration files
- default and hardcoded credentials, Default and Hardcoded Credentials
- enumerating features of, Enumerating Features
  - sources of exploitable weaknesses, Supported algorithms
  - supported algorithms, Supported algorithms
  - supported authentication mechanisms, Supported authentication mechanisms
  - valid keys, Enumerating valid keys
- fingerprinting, Fingerprinting
  - retrieving RSA and DSA host keys, Retrieving RSA and DSA host keys
- hardening servers, Service Hardening and Countermeasures
- how it works, SSH
- insecurely generated host keys, Insecurely Generated Host Keys
- server software flaws, SSH Server Software Flaws
SSL (Secure Sockets Layer), Assessing TLS Services
- exploitable flaws, Exploitable Flaws
ssl-enum-ciphers script, Enumerating Supported Protocols and Cipher Suites
ssl-known-key script, X.509 certificates with known private keys
sslsqueeze utility, Stress Testing TLS Endpoints
SSLyze, Session resumption
SSPs (Security Support Providers), HTTP authentication mechanisms
stack, The stack
stack canaries, Compiler and OS Security Features
- bypassing, Bypassing stack canaries
stack frames, The stack
standalone web applications, Web Application Types
STARTTLS command, STARTTLS, Enumerating Supported Protocols and Cipher Suites
state vulnerabilities, A Taxonomy of Software Security Errors
stateless address autoconfiguration (SLAAC), Local IPv6 host enumeration
static code analysis, Static code analysis
status codes, HTTP server, Server status codes
Stonesoft Evader, IDS and IPS Evasion
storage nodes, System Components
STP (Spanning Tree Protocol), 802.1D STP-Root bridge takeover
- root bridge takeover, Root bridge takeover
stress testing TLS endpoints, Stress Testing TLS Endpoints
Stunnel utility, Manually Accessing TLS-Wrapped Services
Stuxnet worm, The State of the Art
subnets
- getting information on, using ping and ICMP echo requests, Using broadcast addresses
- subnet mask requests (ICMP), ICMPv4 Sweeping with Nmap
Supervisory Control And Data Acquisition (SCADA), Exploitation of Vulnerabilities
SVN (Subversion) entries for servers, examining, Reviewing Exposed Content
Swaks, Sending email, Mail Services Testing Recap
- routing email via specific SMTP interfaces, Mapping SMTP Architecture
system access
- and execution context, System Access and Execution Context
- vulnerabilities in, System Access and Execution Context
system components, exploitable vulnerabilities, System Components

T

Target Vulnerability Validation Techniques, Exploitation of Vulnerabilities
taxonomy of software security errors, Static code analysis, A Taxonomy of Software Security Errors
TCP
- crafting packets and scanning with Hping3, Crafting Arbitrary Packets-TCP/IP Stack Fingerprinting
- headers, Low-Level IP Assessment
- IP network scanning with Nmap, TCP-UDP
- performing TCP ACK and FIN probes with Hping3, Crafting Arbitrary Packets
- ports of common network services, Assessing Common Network Services
- underlying transport protocol for TLS, Assessing TLS Services
TCP ports, TCP Ports
TCP/IP stack fingerprinting, TCP/IP Stack Fingerprinting
tcpdump
- identifying internal IP addresses, Revealing Internal IP Addresses
- normal ARP operation captured by, ARP cache poisoning
- VRRP packet capture and decoding, Attacking VRRP
technical audit and review, Static Analysis
Telnet, Telnet-IPMI
- classes of attack against, Telnet
- default credentials, Default Telnet Credentials
- server software flaws, Telnet Server Software Flaws
text segment (memory), The text segment
TFTP, TFTP
- brute-force and file recovery, TFTP
- classes of attack against, TFTP
- known vulnerabilities, Known TFTP Vulnerabilities
- server configurations permitting arbitrary file uploads, TFTP
- using server in SNMP exploitation, Compromising devices by writing to SNMP
tftp utility, TFTP
THC Hydra
- brute-forcing HTTP Basic authentication, Brute-Force Password Grinding
- POP3 brute-force password grinding, Brute-Force Password Grinding
- SMTP brute-force password grinding, Brute-Force Password Grinding
- SNMP grinding with, SNMP community string and password grinding
THC IPv6 toolkit
- identifying local IPv6 hosts, Local IPv6 host enumeration
- tools inducing traffic interception, Intercepting local IPv6 traffic
thc-pptp-bruter utility, PPTP
thc-ssl-dos utility, Stress Testing TLS Endpoints
threat modeling, Threat Modeling-Attacker Economics
- attacker economics, Attacker Economics
- goals of adversaries, Adversarial Goals
- system access and execution context, System Access and Execution Context
- system components, System Components
threats and attack surface, Threats and Attack Surface-Exploiting exposed logic
- exposed logic, Exposed Logic
“Threats and Countermeasures Guide” (Microsoft), Microsoft Services Countermeasures
ticket-granting ticket (TGT), Kerberos
tickets (Kerberos)
- compromising, Password hash, Kerberos key, and ticket compromise
  - passing of tickets, Passing of tickets
- format, Ticket Format
  - Microsoft PAC fields, Microsoft PAC fields
  - ticket block encryption and signing, Ticket block encryption and signing
- information in, Kerberos
time and state vulnerabilities, A Taxonomy of Software Security Errors
TIME attacks (TLS), SSL and TLS protocol weaknesses
time to live (TTL)
- manipulating to reverse engineer ACLs, Manipulating TTL to Reverse Engineer ACLs
- manipulation in IDS and IPS evasion, TTL Manipulation
timestamp requests (ICMPv4), ICMP
TLS (Transport Layer Security), System Access and Execution Context, Reading memory structures for gain
- as countermeasure for local network attacks, Local Network Attack Countermeasures
- assessing TLS services, Assessing TLS Services-Web Application Hardening
  - assessing endpoints, Assessing TLS Endpoints-TLS Service Assessment Recap
  - attack mitigation strategies, Mitigating TLS Exposures
  - authentication, TLS Authentication-Session Resumption
  - cipher suites, Cipher Suites
  - compression, Compression
  - hardening endpoints, TLS Hardening
  - key exchange and authentication, Key Exchange and Authentication-ECC
  - recap of testing steps, TLS Service Assessment Recap
  - record format, content types, and protocol versions, TLS Mechanics
  - session negotiation, Session Negotiation-Finished
  - session resumption, Session Resumption
  - STARTTLS command, STARTTLS
  - TLS running at OSI Layer 6, Assessing TLS Services
- heartbeat information leak (OpenSSL), OpenSSL TLS heartbeat extension information leak
- in web application presentation tier, TLS
- protocols providing, Cryptographic Weaknesses
- standard, development of, Assessing TLS Services
- TLS Prober, Identifying the TLS Library and Version
- unsafe cipher suites, Unsafe TLS Cipher Suites
- use with FTP, FTP
TNS (Transparent Network Substrate) protocol, Oracle Database
TNS listener, interacting with, Interacting with the TNS Listener
- issuing status commands to, Interacting with the TNS Listener
- known TNS listener weaknesses, Known TNS listener weaknesses
- useful TNS listener commands, Interacting with the TNS Listener
top-level domains (TLDs), querying registries of, Domain WHOIS
TRACE method (HTTP), TRACE
transform sets (IKE), IKE Assessment
- supported transform enumeration with ike-scan, Supported transform enumeration
Transparent Network Substrate (TNS) protocol, Oracle Database
Transport Layer Security (see TLS)
transport protocols, Microsoft RPC services, Microsoft RPC Services
transport security, testing for RDP with Nmap, Assessing Transport Security
tree utility, using to review scraped content, Crawling and Investigation of Content
trusted root certificates, CAs and chaining
Trustwave SpiderLabs Blog, Aggressive Mode IKE PSK Cracking
Tsipenyuk, Katrina, A Taxonomy of Software Security Errors
Tsyrklevich, Vlad, Private vulnerability sources
twiddle.sh utility, interacting with MBeans over RMI, Over RMI

U

UDP, UDP-SCTP
- further probing of ports with Nmap, UDP
- performing UDP port scan using Nmap, UDP
- ports of common network services, Assessing Common Network Services
- using UDP spoofing in SNMP attack, Compromising devices by writing to SNMP
UDP ports, UDP Ports
Unicornscan, UDP
Unix-based platforms
- forward DNS grinding tools, Dictionary attack
- RPC services, assessing, Unix RPC Services-Common Network Service Assessment Recap
unmarshalling, Application-Tier Data Formats
URL paths to server components, Server and Application Framework Fingerprinting
user-defined functions (UDFs), local OS command execution via MySQL, Local OS command execution via MySQL
usernames
- discovering with Internet search engines, Google Search
- enumerating email accounts with IP WHOIS, Enumerating database objects via WHOIS
- enumerating in SNMP exploitation, Username enumeration via SNMPv3
- enumerating via LSARPC and SAMR, Querying LSARPC and SAMR interfaces
- enumerating, using Google search, Enumerating contact details
- inference of, Logic Flaws and Other Bugs
- Kerberos username enumeration with Nmap, Username enumeration
- searching for, with LinkedIn, Searching LinkedIn

V

Virtual Router Redundancy Protocol (see VRRP)
virtualiation software, Your Testing Platform
VLANs (802.1Q), Network infrastructure testing, 802.1Q VLAN
- attacking specific VLANs, Attacking specific VLANs
- double-tagging, 802.1Q double-tagging
- Layer 3 VLAN bypasses, Layer 3 private VLAN bypass
- using Yersinia to enable trunking, Dynamic trunking
VMware Fusion, Your Testing Platform
VMware Workstation, Your Testing Platform
VNC (Virtual Network Computing), VNC-Unix RPC Services
- attacking VNC servers, Attacking VNC Servers
- fingerprinting VNC service with Nmap, VNC
- silently installing VNC server on a target, Accessing the registry
VPNs (virtual private networks)
- assessing VPN services, Assessing VPN Services-VPN Services Countermeasures
  - countermeasures, VPN Services Countermeasures
  - IPsec, IPsec-PPTP
  - PPTP, PPTP
  - testing recap, VPN Testing Recap
- attacks on, Attacking Client Software
- authenticating with IPsec VPN, Authenticating with an IPsec VPN
- getting configuraton files for via Google search, Obtaining VPN configuration files
VRFY command, using to enumerate local users, VRFY
VRRP (Virtual Router Redundancy Protocol), Local IP Protocols, HSRP and VRRP
- attacking, Attacking VRRP
vulnerability information sources, Sources of Vulnerability Information-Security Events and Conferences
vulnerability scanning, Vulnerability Scanning
- bulk scanning, Bulk Vulnerability Scanning
- with NSE, Vulnerability Scanning with NSE
vulnerable server, deploying, Deploying a Vulnerable Server

W

WAF (web application firewall) mechanisms, Active Scanning
- detection and fingerprinting of, WAF Detection
walksam utility, Querying LSARPC and SAMR interfaces, Querying LSARPC and SAMR interfaces
web application firewall mechanisms (see WAF mechanisms)
web application frameworks
- common session variables set by, Cookie analysis
- serialization weaknesses, Application-Tier Data Formats
web application frameworks, assessing, Assessing Web Application Frameworks-Application Framework Security Checklist
- Adobe ColdFusion, Adobe ColdFusion-Apache Solr Vulnerabilities
  - Apache Solr vulnerabilities, Apache Solr Vulnerabilities
  - exposed management interfaces, Exposed Management Interfaces
  - known software defects, Known ColdFusion Software Defects
  - profiling ColdFusion, ColdFusion Profiling
- Apache Struts, Apache Struts-JDWP
  - exploiting DefaultActionMapper, Exploiting the DefaultActionMapper
- Apache Tomcat, Apache Tomcat-JBoss Testing
  - attacking Apache JServ Protocol, Attacking Apache JServ Protocol
  - known Tomcat flaws, Known Tomcat Flaws
  - manager application, The Manager Application
- common framework configurations, Assessing Web Application Frameworks
- Django, Django
- framework and data store profiling, Framework and Data Store Profiling-Framework and Data Store Profiling
- Java Debug Wire Protocol (JDWP), JDWP
- JBoss, JBoss Testing-Apache Struts
  - automated scanning, Automated JBoss Scanning
  - exploiting MBeans, Exploiting MBeans-Exploiting the RMI Distributed Garbage Collector
  - exploiting RMI distributed garbage collector, Exploiting the RMI Distributed Garbage Collector
  - identifying MBeans, Identifying MBeans
  - known JBoss vulnerabilities, Known JBoss Vulnerabilities
  - server profiling via HTTP, Server Profiling via HTTP
  - web consoles and invoker servlets, Web Consoles and Invoker Servlets
- Node.js, Node.js
- PHP, PHP
  - CMS packages, PHP CMS Packages
  - management consoles, PHP Management Consoles
- Rails, Rails-Node.js
- security checklist, Application Framework Security Checklist
- understanding common flaws, Understanding Common Flaws
web applications, Web Application Architecture-The Data Tier
- application tier, The Application Tier
  - data formats, Application-Tier Data Formats
- attacking, Attacking Web Applications
- data tier, The Data Tier
- Lucky 13 and RC4 byte bias mitigation in, Lucky 13 and RC4 byte bias mitigation within web applications
- presentation tier, The Presentation Tier
  - CDNs, CDNs
  - data formats, Presentation-Tier Data Formats
  - HTTP in, HTTP
  - load balancers, Load Balancers
- testing, Web application testing
- tiers, Web Application Tiers
- types of, Web Application Types
- with HTTPS components, hardening, Web Application Hardening
web consoles, exposing JBoss invoker servlets via, Web Consoles and Invoker Servlets
web interfaces (WHOIS), using, Using WHOIS web interfaces
Web Proxy Auto-Discovery (see WPAD)
web servers
- hardening, Enumeration Countermeasures
- identifying and fingerprinting using Netcraft, Querying Netcraft
- identifying via Google, Identifying web servers
- Microsoft, additional types of authentication supported, HTTP authentication mechanisms
- support for HTTP authentication, HTTP authentication mechanisms
web servers, assessing, Assessing Web Servers-Web Server Hardening
- enumerating valid hosts, Enumerating Valid Hosts
- hardening web servers, Web Server Hardening
- identifying proxy mechanisms, Identifying Proxy Mechanisms
- methodology for, Assessing Web Servers
- profiling web servers, Web Server Profiling-Active Scanning
  - analyzing server responses, Analyzing Server Responses
  - crawling and investigating content, Crawling and Investigation of Content
  - HTTP header review, HTTP Header Review
- qualifying server vulnerabilities, Qualifying Web Server Vulnerabilities-Web Server Hardening
  - Apache Coyote weaknesses, Known Apache Coyote Weaknesses
  - Apache HTTP Server flaws, Known Apache HTTP Server Flaws
  - brute-force password grinding, Brute-Force Password Grinding
  - investigating supported HTTP methods, Investigating Supported HTTP Methods
  - Microsoft IIS, Known Microsoft IIS Vulnerabilities
  - Nginx defects, Known Nginx Defects
  - reviewing exposed content, Reviewing Exposed Content
- using active scanning, Active Scanning-Qualifying Web Server Vulnerabilities
  - identifying exposed content, Identifying Exposed Content
  - server and application framework fingerprinting, Server and Application Framework Fingerprinting
  - WAF detection, WAF Detection
web service testing, Web service testing
WebDAV HTTP extensions, WebDAV HTTP extensions
- investigating support for methods, WebDAV methods
WhatWeb, fingerprinting a web server, Server and Application Framework Fingerprinting
WHOIS
- domain, Domain WHOIS
- information obtained with DomainTools, DomainTools
- IP network allocations, IP WHOIS
- IP WHOIS, IP WHOIS
  - querying tools and examples, IP WHOIS Querying Tools and Examples-BGP Enumeration
- querying manually, Manual WHOIS Querying
Wikto
- enumerating valid hostnames with, Enumerating Valid Hosts
- types of assessments performed by, Identifying Exposed Content
WildFly (see JBoss)
Windows Active Directory servers, KDC master keys, Kerberos Keys
Windows systems
- authentication information leaks, Windows authentication information leak
- command execution achieved by MITM attack, ARP cache poisoning
- exposing useful information about users and networks with SNMP exploitation, Exposing useful information via SNMP
- heap management algorithm, The heap
- Kerberos Etypes, Active downgrade and offline brute-force
- local OS command execution via MySQL, Local OS command execution via MySQL
- security features, Compiler and OS Security Features
- SEHOP, Compiler and OS Security Features
- virtualization software for, Your Testing Platform
Wireshark, sniffing local Ethernet traffic, Passive network sniffing
WMI, querying, Querying WMI
WMICracker, Brute-Force Password Grinding
WMIdump, Querying WMI
WordPress, Framework and Data Store Profiling
- exploitable flaws in, PHP CMS Packages
WPAD (Web Proxy Auto-Discovery), Local IP Protocols, WPAD
- attacks against, automation with Responder, WPAD

X

X.500 attributes in LDAP, LDAP Directory Structure
X.509 certificates
- CAs and chaining, CAs and chaining
- in TLS authentication, X.509 format
- key generation and handling, Key generation and handling
- obtaining and processing, X.509 format
- reviewing for TLS endpoints, Certificate Review
  - certificates with known private keys, X.509 certificates with known private keys
  - insecurely generated certificates, Certificates generated insecurely
- signature algorithm flaws, Signature algorithm flaws
- using with Kerberos, Kerberos Keys
XAUTH, ISAKMP, IKE, and IKEv2
- attacking, Attacking XAUTH
XML external entity (XXE) parsing, Attacking Web Applications
XSS (cross-site scripting), System Access and Execution Context
XST (cross-site tracing) attacks, TRACE

Y

YARN (cluster resource management), Apache Hadoop
Yersinia utility, Dynamic trunking
- capturing/displaying HSRP plaintext authentication strings, Attacking HSRP
- CDP frame decode with, CDP
- displaying BPDU frames, Monitoring BPDUs
- enabling bridged interfaces, Root bridge takeover

Z

Zero Day Initiative (ZDI), Investigation of Vulnerabilities
- publicly accessible bug tracker, Public vulnerability sources
zero-day flaw, PHP
zone files (DNS), pruning, Enumeration Countermeasures
zone transfers (DNS), DNS Zone Transfer Techniques, Enumeration Countermeasures

Table of Contents for Network Security Assessment, 3rd Edition

Index

Symbols

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O

P

Q

R

S

T

U

V

W

X

Y

Z

Table of Contents for
Network Security Assessment, 3rd Edition