0 / 10 flipped
Concept
What must be established before any penetration testing begins, and what six elements does it contain?
Answer
Rules of Engagement — a formal written agreement signed before the first probe.
Six required elements:
• Type of testing — external, internal, physical, social engineering
• Permitted timing — hours when testing is allowed (often after-hours only)
• In-scope systems — specific IPs, ranges, domains authorized for testing
• Out-of-scope systems — explicitly excluded; must not be touched even if discovered
• Emergency contacts — both testing team and client contacts for immediate halt
• Sensitive data handling — procedures for discovered credentials, PII, financial data
Six required elements:
• Type of testing — external, internal, physical, social engineering
• Permitted timing — hours when testing is allowed (often after-hours only)
• In-scope systems — specific IPs, ranges, domains authorized for testing
• Out-of-scope systems — explicitly excluded; must not be touched even if discovered
• Emergency contacts — both testing team and client contacts for immediate halt
• Sensitive data handling — procedures for discovered credentials, PII, financial data
Concept
What are the four phases of penetration testing, in order?
Answer
1. Initial exploitation — gain the first foothold by exploiting a perimeter vulnerability (buffer overflow, phishing, SQL injection, social engineering, brute force)
2. Lateral movement — use the foothold to move from system to system within the internal network; exploits inadequate internal segmentation and implicit internal trust
3. Persistence — establish backdoors, unauthorized accounts, or startup modifications to maintain access even if the original vulnerability is patched
4. The pivot — use a compromised system as a proxy to reach systems that were otherwise architecturally inaccessible from the attacker's original position
2. Lateral movement — use the foothold to move from system to system within the internal network; exploits inadequate internal segmentation and implicit internal trust
3. Persistence — establish backdoors, unauthorized accounts, or startup modifications to maintain access even if the original vulnerability is patched
4. The pivot — use a compromised system as a proxy to reach systems that were otherwise architecturally inaccessible from the attacker's original position
Term
Initial Exploitation — why it is the most challenging phase
Definition
Initial exploitation is gaining the first foothold inside the target environment.
Why it is most challenging: Organizations concentrate defensive investment at the perimeter — firewalls, IDS/IPS, email filtering, endpoint protection. The tester must find a weakness in this hardened outer layer.
Common techniques: Exploit unpatched internet-facing services, phishing (delivering a payload via email), credential brute force on exposed login pages, SQL injection on web applications, social engineering to obtain credentials, physical entry through unsecured access points.
Outcome required: Any form of inside access — a shell, a session, a position from which subsequent phases can begin.
Why it is most challenging: Organizations concentrate defensive investment at the perimeter — firewalls, IDS/IPS, email filtering, endpoint protection. The tester must find a weakness in this hardened outer layer.
Common techniques: Exploit unpatched internet-facing services, phishing (delivering a payload via email), credential brute force on exposed login pages, SQL injection on web applications, social engineering to obtain credentials, physical entry through unsecured access points.
Outcome required: Any form of inside access — a shell, a session, a position from which subsequent phases can begin.
Concept
Why does lateral movement succeed in most organizational networks?
Answer
Core reason: Internal systems are significantly less protected than perimeter systems. Administrators traditionally assumed that anyone inside the network is trustworthy — so internal traffic is implicitly trusted and rarely monitored for attacker activity.
What this means in practice: Workstations can communicate freely with servers; remote management ports (RDP, WinRM) are open internally; credentials from one system are valid on many others; network shares are accessible without additional authentication.
Common techniques: Pass-the-hash, credential theft from memory (Mimikatz), shared folder exploitation, remote management protocol abuse with stolen credentials.
Defense: Network segmentation, least-privilege access, internal monitoring for lateral movement indicators.
What this means in practice: Workstations can communicate freely with servers; remote management ports (RDP, WinRM) are open internally; credentials from one system are valid on many others; network shares are accessible without additional authentication.
Common techniques: Pass-the-hash, credential theft from memory (Mimikatz), shared folder exploitation, remote management protocol abuse with stolen credentials.
Defense: Network segmentation, least-privilege access, internal monitoring for lateral movement indicators.
Term
Persistence — five techniques and why the phase matters defensively
Definition
Persistence ensures continued access after the original vulnerability is patched or the initial session is lost.
Five common techniques:
• Unauthorized administrative account creation
• Default password modification on service accounts
• Backdoor installation (RAT that beacons to C2)
• Startup service / scheduled task modification
• Web shell placed in web server directory
Defensive significance: Patching the entry vulnerability does NOT remove an attacker who has established persistence. Post-compromise remediation requires finding and removing ALL persistence mechanisms — new accounts, startup changes, scheduled tasks, web files — not just closing the original entry point.
Five common techniques:
• Unauthorized administrative account creation
• Default password modification on service accounts
• Backdoor installation (RAT that beacons to C2)
• Startup service / scheduled task modification
• Web shell placed in web server directory
Defensive significance: Patching the entry vulnerability does NOT remove an attacker who has established persistence. Post-compromise remediation requires finding and removing ALL persistence mechanisms — new accounts, startup changes, scheduled tasks, web files — not just closing the original entry point.
Term
The Pivot — what it is, how it works, and what it reveals
Definition
What it is: Using a compromised system as a proxy or relay to reach other systems that are architecturally isolated from the attacker's original position — systems that are not directly reachable from outside.
How it works: The compromised system has a network connection (required for legitimate operations) to the target segment. The attacker routes attack traffic through the compromised system using port forwarding, SOCKS proxying, or exploiting trusted application connections (database connections, API calls).
What it reveals: Network segmentation that exists on paper but is insufficiently restrictive in practice; over-permissive trust between systems; unnecessary service connections that become pivot paths.
How it works: The compromised system has a network connection (required for legitimate operations) to the target segment. The attacker routes attack traffic through the compromised system using port forwarding, SOCKS proxying, or exploiting trusted application connections (database connections, API calls).
What it reveals: Network segmentation that exists on paper but is insufficiently restrictive in practice; over-permissive trust between systems; unnecessary service connections that become pivot paths.
Concept
Why do rules of engagement restrict testing to off-hours, and what happens if a tester touches an out-of-scope system?
Answer
Why off-hours restriction: Penetration testing carries real risk of service disruption — exploits can crash systems, flood logs, or cause application instability. Testing during business hours risks impacting production users and revenue. Off-hours testing (after 6 PM, weekends) limits operational exposure even if a system becomes unstable.
What happens with out-of-scope contact: Even accidental contact with an out-of-scope system is a rules-of-engagement violation. The tester has performed unauthorized access against a system they were not permitted to touch. The correct response when discovering a path to an out-of-scope system: stop, document the finding (the path itself is a vulnerability), and contact the emergency contact before proceeding. Do not follow the path.
What happens with out-of-scope contact: Even accidental contact with an out-of-scope system is a rules-of-engagement violation. The tester has performed unauthorized access against a system they were not permitted to touch. The correct response when discovering a path to an out-of-scope system: stop, document the finding (the path itself is a vulnerability), and contact the emergency contact before proceeding. Do not follow the path.
Term
Responsible Disclosure — four-step sequence in order
Definition
The ethical framework for reporting vulnerabilities that protects users while giving vendors time to fix.
Four steps in order (exam-tested):
1. Researcher privately reports the vulnerability to the vendor; provides reproduction steps and severity; no public disclosure
2. Vendor investigates and creates a fix; tests the patch; prepares deployment; may take up to 90 days (industry norm)
3. Patch deployed to users; coordinated distribution across platforms
4. Vulnerability publicly disclosed simultaneously with patch availability; CVE assigned; researcher credited
Why timing matters: Disclosing without a patch tells attackers exactly what to exploit while giving users nothing to defend with.
Four steps in order (exam-tested):
1. Researcher privately reports the vulnerability to the vendor; provides reproduction steps and severity; no public disclosure
2. Vendor investigates and creates a fix; tests the patch; prepares deployment; may take up to 90 days (industry norm)
3. Patch deployed to users; coordinated distribution across platforms
4. Vulnerability publicly disclosed simultaneously with patch availability; CVE assigned; researcher credited
Why timing matters: Disclosing without a patch tells attackers exactly what to exploit while giving users nothing to defend with.
Term
Bug Bounty Program — what researchers must provide to earn a bounty
Definition
A formal program that offers financial rewards for valid vulnerability discoveries within a defined scope.
To earn a bounty, researchers must:
• Find a valid vulnerability within defined scope
• Provide complete documentation: reproduction steps, proof-of-concept demonstrating impact, severity assessment
• Report privately through the defined channel (bug bounty platform or security disclosure email)
• Refrain from exploitation beyond what is needed to demonstrate the issue
• Not disclose to third parties or publicly before the vendor releases a fix
Benefit: Vendors access a global testing community; researchers legally test and earn compensation. Google, Microsoft, Meta, Apple run major programs.
To earn a bounty, researchers must:
• Find a valid vulnerability within defined scope
• Provide complete documentation: reproduction steps, proof-of-concept demonstrating impact, severity assessment
• Report privately through the defined channel (bug bounty platform or security disclosure email)
• Refrain from exploitation beyond what is needed to demonstrate the issue
• Not disclose to third parties or publicly before the vendor releases a fix
Benefit: Vendors access a global testing community; researchers legally test and earn compensation. Google, Microsoft, Meta, Apple run major programs.
Concept
Why does fixing a vulnerability take weeks to months, and what is the industry-standard disclosure window?
Answer
Why it takes time: Fixing software vulnerabilities requires multiple sequential steps — identifying the root cause in the codebase, developing a fix that closes the vulnerability without introducing new bugs, testing the fix across all supported configurations and operating systems, building the fix into a new release version, and distributing it to all users. Skipping any step risks a patch that is incomplete or breaks existing functionality.
Industry-standard window: 90 days. This is the widely accepted norm for coordinated disclosure: the researcher gives the vendor 90 days from the private report to produce and deploy a fix. If no fix is produced within 90 days, the researcher may publish the vulnerability to create pressure for remediation (often called "full disclosure" or "deadline disclosure").
Industry-standard window: 90 days. This is the widely accepted norm for coordinated disclosure: the researcher gives the vendor 90 days from the private report to produce and deploy a fix. If no fix is produced within 90 days, the researcher may publish the vulnerability to create pressure for remediation (often called "full disclosure" or "deadline disclosure").