Security+ Glossary

Password + PIN = NOT 2FA (both are knowledge factors). Password + authenticator app = 2FA (knowledge + possession). MFA = two or more factors. Strong 2FA: FIDO2/WebAuthn hardware key (possession) + biometric (inherence). SMS is weak 2FA (SIM swapping). Better than nothing, but upgrade when possible.

Wi-Fi 6 (ax) and Wi-Fi 6E (adds 6GHz band) are current standards. Backward compatible within band. 5GHz = faster but shorter range. 6GHz (Wi-Fi 6E) = least interference, newest.

Automated scanners are starting points, not substitutes for manual testing. They produce false positives — verify findings manually before reporting. Authenticated scans find 3-5x more vulnerabilities than unauthenticated. Web app scanners (Nikto, OWASP ZAP) supplement network scanners for web targets.

Notify legal counsel first — they guide the notification process. GDPR 72-hour clock starts when you become aware. HIPAA notification to individuals if PHI was accessed. Some states (California CCPA) have strict notification requirements. Document the decision-making process for all notifications made (and not made).

Tools: Spray (dedicated spray tool), MSOLSpray (O365), SprayingToolkit. Effective against: O365, Citrix, VPN portals. Defense bypass: spray at 1 attempt per account per hour. Detection: multiple accounts with failed logins from same source. Modern Entra ID (Azure AD) Smart Lockout detects and blocks spray attacks.

DoS testing authorization must be very specific: exact systems, attack types, timing, impact acceptance. Never DoS test without written approval including acceptable impact thresholds. Application-layer DoS (slowloris, HTTP flood) is often more revealing than volumetric — tests application resilience specifically.

searchsploit [software name] searches the offline exploit database. Common workflow: Nmap version scan → searchsploit [identified service version] → find matching exploits. Always verify exploits match exact version — wrong version = service crash risk. Verify PoC code before executing (may contain malicious code itself).

Timelines reveal: initial access time, dwell time, when persistence was established, when lateral movement occurred, when exfiltration happened. Tools: Plaso (log2timeline) automates timeline creation from multiple sources. Critical: all timestamps must be in UTC for correlation. Attackers use timestomping to manipulate file timestamps — cross-verify with other log sources.

GPO processing order: Local → Site → Domain → OU (LSDOU). Last applied wins. Essential enterprise hardening tool. Auditing GPO changes is critical — a malicious GPO can deploy malware to all domain computers.

TLS uses hybrid: ECDHE establishes a shared symmetric key, then AES-GCM encrypts the session data. Pure asymmetric is too slow for bulk data. Symmetric alone has the key distribution problem. Hybrid solves both.

Impacket is essential for Windows/AD pen testing. GetUserSPNs.py -request: Kerberoasting. GetNPUsers.py: AS-REP roasting. secretsdump.py via DCSync or local NTDS: credential extraction. smbclient.py: enumerate SMB shares. All run from Linux against Windows targets.

Standard MTU 1,518 bytes. Jumbo frame MTU typically 9,000 bytes. Reduces per-packet overhead for large transfers. Must be configured consistently end-to-end — mismatched MTU causes fragmentation or packet drops. Common in data center storage (iSCSI, NFS) and virtualization environments.

DH solves the symmetric key distribution problem. Ephemeral DH (DHE/ECDHE) generates new keys per session for Perfect Forward Secrecy. Used in TLS handshake. Quantum computers threaten DH/ECDH — post-quantum alternatives (CRYSTALS-Kyber) are being standardized.

802.3ad standard. Also called bonding (Linux), teaming, or port-channel (Cisco). Two 1G ports → one logical 2G link. If one port fails, traffic continues on remaining ports. Common for server uplinks and switch-to-switch connections. Load balancing algorithm determines which link each flow uses.

Android: decompile APK with jadx. iOS: jailbreak for filesystem access. Frida hooks app functions at runtime — bypasses certificate pinning to intercept HTTPS. OWASP MSTG (Mobile Security Testing Guide) is the comprehensive reference. Check: hardcoded credentials, insecure data storage, excessive permissions.

Internal enumeration workflow: Nmap live host scan → service version scan → AD enumeration (BloodHound) → share enumeration → identify high-value targets (DC, SQL servers, admin workstations). Document every finding — topology maps are crucial for reporting and explaining attack paths to clients.

Google Dorks: site:company.com filetype:pdf (find company PDFs), site:company.com inurl:admin (find admin pages), "company.com" ext:sql (find exposed databases). Shodan: org:"Target Corp" port:3389 (find exposed RDP). LinkedIn: company filter + connections + tech stack from job postings.

Post-exploitation should demonstrate business impact, not just technical capability. "We got domain admin" is less impactful than "We got domain admin and demonstrated access to 500,000 customer records and your complete intellectual property." Impact drives remediation prioritization.

DSCP (Differentiated Services Code Point) marks packets with priority level in IP header. EF (Expedited Forwarding) = highest priority for VoIP. AF (Assured Forwarding) = medium priority. BE (Best Effort) = default. Queue management drops lower-priority packets first during congestion. Security: mark traffic at ingress, enforce at each hop.

Never pay ransom without involving legal counsel. Paying doesn't guarantee decryption. Double extortion: even after paying, stolen data threat remains. Backup viability is the #1 factor in ransomware response success. Test backups regularly — discovering they're corrupted during a ransomware incident is catastrophic.