// the operator vocabulary
A hand-authored glossary of operator vocabulary — malware, exploitation, OSINT, web, crypto, forensics, threat intel. 173 entries, cross-linked, source-checked. Privacy is normal; clarity is rare.
Python CTF toolkit by Gallopsled. Wraps socket I/O, ELF parsing, ROP-gadget search, shellcode generation, and process spawning into a 5-line exploit script.
Microsoft's directory service for managing Windows networks: users, groups, computers, group policies, Kerberos auth. The flagship target of internal pentests because compromising one user often leads to compromising thousands.
Symmetric block cipher standardized by NIST in 2001 (FIPS-197) as the successor to DES. Operates on 128-bit blocks with 128, 192, or 256-bit keys; AES-256 is the modern default for data-at-rest.
American Fuzzy Lop — coverage-guided greybox fuzzer (Michał Zalewski, 2014). AFL++ is the community-maintained fork with better mutators, persistent mode, and QEMU/Frida modes for closed-source binaries.
The classic Wi-Fi security testing suite — `airmon-ng`, `airodump-ng`, `aireplay-ng`, `aircrack-ng`. Captures handshakes, deauths clients, cracks WEP/WPA-PSK.
Stripping personally-identifiable information so the remaining data can't be linked back to an individual. Pseudonymization (replacing identifiers with stable tokens) is weaker; true anonymization is irreversible.
A well-resourced adversary — typically nation-state or state-sponsored — that maintains long-term, low-noise access to a target network. The defining traits are patience, custom tooling, and operational security, not technical novelty.
Memory-hard password-hashing function, winner of the 2015 Password Hashing Competition. The argon2id variant is the current OWASP recommendation for new applications — tunable memory, time, and parallelism resist GPU/ASIC attacks.
Sending unsolicited ARP replies on a local network so that a victim's IP-to-MAC mapping points to the attacker. The result: the attacker silently relays the victim's LAN traffic.
Blowfish-derived password hashing function from 1999, intentionally slow with a tunable cost factor. Still acceptable for new applications, though Argon2id is the modern preference for fresh greenfield work.
Offensive framework that hooks a browser via a JavaScript payload and exposes a control panel for running browser-side modules. Used in red-team engagements to demonstrate the post-XSS attack surface.
A shell that listens on a port on the victim and waits for the attacker to connect inbound. Increasingly impractical because most firewalls block inbound connections — reverse shells are the modern default.
Active Directory attack-path visualizer that ingests data collected by SharpHound and renders graph queries like 'shortest path to Domain Admin'. Essential post-exploit tool on Windows engagements.
The defender side of the house: SOC analysts, incident responders, threat hunters, detection engineers, security architects. Less glamorous than red team, more economically essential.
A network of compromised devices ('bots') controlled remotely by an operator. Sold or rented for DDoS, spam, credential stuffing, click fraud, or cryptocurrency mining.
The OWASP Top-10 #1 issue (2021). Covers IDOR, missing function-level authorization, JWT misvalidation, and 'admin-only' endpoints that anyone can call. Pure logic flaw — neither input nor crypto, just bad checks.
Trying every possible value in a search space until something works — typically passwords, session tokens, or short keys. Defeated by rate-limiting, lockouts, and high-entropy secrets.
Writing past the allocated bounds of a buffer, typically on the stack, to overwrite the saved return address and redirect execution. Mitigations like NX, ASLR, and stack canaries make this far harder than in the 1990s — but still alive in C/C++ code.
A paid program where companies invite researchers to find and report security vulnerabilities under defined rules of engagement. Payouts range from a hat-tip to six figures depending on impact.
PortSwigger's intercepting HTTP proxy and the de facto standard for web application testing. The free Community edition has Repeater and Decoder; Pro adds the active scanner and Intruder at full speed.
The infrastructure an attacker uses to issue commands to implants and receive exfiltrated data. Modern C2 frameworks tunnel over HTTPS, DNS, Slack, or Discord to blend with normal traffic.
Internet-scale scanning platform — like Shodan, but originally academic (University of Michigan, 2015) and with richer certificate-transparency integration.
A signed document binding a public key to an identity (a domain, a person, a device). The structure is defined by ITU-T X.509 and the trust chain is anchored in a set of root Certificate Authorities.
An algorithm for transforming plaintext into ciphertext (and back) using a key. Modern ciphers come in two main flavors: symmetric (AES, ChaCha20) where both sides share a key, and asymmetric (RSA, ECC) where keys come in pairs.
Commercial adversary-simulation framework by Fortra (formerly HelpSystems). The 'Beacon' implant is the gold standard for post-exploitation tradecraft — and, ironically, the most-abused tool in ransomware operations after pirated copies leaked.
An HTTP response header (`Content-Security-Policy`) that tells the browser which sources are allowed for scripts, styles, frames, etc. The single most effective XSS mitigation when configured strictly.
.NET-based open-source C2 framework with a web UI. Less polished than Cobalt Strike but free, scriptable, and a common choice in CTFs and budget red-team work.
Swiss-army knife for AD post-exploitation — sprays credentials over SMB/WinRM/MSSQL/LDAP, enumerates shares, executes commands, dumps SAM, and integrates with BloodHound ingestion.
Forcing a logged-in user's browser to issue an unwanted request to a target site by visiting an attacker-controlled page. Defenses: anti-CSRF tokens, SameSite cookies, custom request headers.
Competitive hacking puzzles where solving a challenge reveals a 'flag' string that you submit for points. Two main formats: Jeopardy (categories of independent puzzles) and Attack-Defense (you exploit + patch a running service).
A unique identifier for a publicly disclosed vulnerability, issued by MITRE-affiliated CVE Numbering Authorities (CNAs). The numbering scheme is `CVE-<year>-<sequence>`.
A formula for producing a 0.0–10.0 severity score for a vulnerability, owned by FIRST.org. Current version is 4.0 (2023); 3.1 is still the most quoted in advisories.
Lockheed Martin's 7-stage model of an intrusion: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objectives. Useful as a teaching tool; superseded operationally by MITRE ATT&CK.
Content that lives on overlay networks (Tor, I2P, Freenet) requiring specific software to access. The 'darknet' subset of the broader 'deep web' (everything not indexed by search engines).
Security testing that pokes a running application from the outside — black-box, behavior-based. Strong on auth bugs and config flaws; weak on logic flaws and dead-code vulnerabilities.
Overwhelming a service from many distinct sources so legitimate users can't reach it. Modern attacks reach terabits per second by abusing UDP amplification (memcached, NTP, DNS).
The discipline of reconstructing what happened after a security incident: triage, containment, evidence preservation, analysis, and reporting. Sits at the intersection of incident response and traditional forensics.
A brute-force variant that tries words from a curated wordlist rather than every possible string. Drastically cuts the search space for human-chosen passwords.
Tricking a legitimate Windows program into loading a malicious DLL by exploiting the search order or planting a same-named DLL in a writable directory. A favorite persistence + UAC-bypass technique.
Injecting forged DNS responses into a resolver's cache so that legitimate queries resolve to attacker IPs. Mostly mitigated by DNSSEC and source-port randomization, but local-network variants still work.
Aggregating publicly-available information to expose a person's real-world identity — name, employer, address, photos, family. Distinct from hacking: it's research, not intrusion. Usually done as a form of harassment.
Public-key cryptography built on the algebra of elliptic curves over finite fields. Achieves the same security as RSA with much smaller keys — a 256-bit ECC key matches a 3072-bit RSA key.
Agent on every endpoint that records behavior (process trees, network, file/registry changes) and either flags or kills suspicious activity. CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint are the major players.
A measure of unpredictability in a system, expressed in bits. Cryptographic keys, session tokens, and password salts must be drawn from a source with enough entropy that they can't be guessed.
The phase of an engagement where you list everything the target exposes: open ports, running services, valid usernames, accessible files, AD objects. The unglamorous step where most engagements are actually won.
Classic LAN MITM framework — ARP poisoning, DNS spoofing, SSL stripping (in older variants), filter plugins. Largely superseded by Bettercap, but still alive on old engagements.
The act of moving stolen data out of the victim environment. Modern attackers use HTTPS, DNS tunneling, or legitimate cloud services (Dropbox, Mega, Discord) to evade DLP.
Joohoi's 'Fuzz Faster U Fool' — a fast Go web fuzzer. Replaces Burp's Intruder when speed matters; brute-forces directories, parameters, headers, virtual hosts.
Malware that lives in memory, the registry, or WMI — never writing a payload to disk. Bypasses traditional file-scanning AV; relies on living-off-the-land binaries (LOLBins) to execute.
Identifying the software, version, or platform behind a service from observable behavior — banners, response quirks, TLS extensions, response timing. The step before exploit selection.
A device or software that enforces traffic-flow policy between network zones. Modern 'next-generation' firewalls also do deep packet inspection, application identification, and threat intelligence lookups.
Feeding mutated, malformed, or random inputs to a program until it crashes, hangs, or behaves anomalously. Coverage-guided fuzzers like AFL++ and libFuzzer find an enormous fraction of memory-corruption bugs.
NSA's open-source reverse-engineering framework, released 2019. Free alternative to IDA Pro with a strong decompiler across many architectures.
Fast directory and DNS-subdomain brute-forcer written in Go. The modern replacement for `dirb` and a building block of nearly every web CTF methodology.
A forged Kerberos TGT (Ticket Granting Ticket) signed with the KRBTGT account's NTLM hash. Grants the attacker arbitrary-user impersonation domain-wide, and survives password rotations until KRBTGT is reset twice.
A one-way function that maps arbitrary input to a fixed-size output. Three properties matter: preimage resistance, second-preimage resistance, and collision resistance. MD5 and SHA-1 are broken on the last; SHA-2 and SHA-3 are still strong.
The fastest open-source password recovery tool, with GPU acceleration on virtually every hash mode in the wild. Mode numbers (`-m 0`, `-m 1000`, `-m 1800`) select the algorithm; attack modes (`-a 0`, `-a 3`) select the strategy.
Pre-allocating large amounts of memory containing controlled data (often shellcode + NOP sled) so that a 'use-after-free' or other heap-corruption bug lands execution somewhere useful. Historically common in browser exploits.
A deliberately exposed system that no legitimate user should ever touch — any interaction is, by definition, suspicious. Used both to gather threat intelligence and to detect lateral movement inside a network.
HTTP wrapped in TLS, served by default on port 443. Provides confidentiality, integrity, and (with a valid certificate) authenticity of the server endpoint.
Hex-Rays' interactive disassembler and decompiler — the longstanding gold standard for reverse engineering. Pricey commercial license; free IDA Home for personal use.
Accessing another user's data by manipulating an identifier in the URL or request body when the server fails to verify ownership. One of the most common — and lucrative — bug-bounty findings.
Passive system that inspects traffic or events and raises alerts when patterns match known-bad signatures or anomalies. Two flavors: network (NIDS — Snort, Suricata, Zeek) and host (HIDS — OSSEC, Wazuh).
The structured process of detecting, containing, eradicating, and recovering from a security incident. SANS PICERL (Preparation → Identification → Containment → Eradication → Recovery → Lessons learned) is the canonical model.
Commodity malware focused on harvesting credentials, browser cookies, autofill data, crypto wallets, and saved passwords — then bundling everything into a 'log' the operator sells on Russian forums.
An observable artifact of an intrusion: a file hash, a malicious domain, a C2 IP, a unique mutex name. The atoms of threat intelligence sharing.
An IDS that doesn't just alert — it also drops or resets the offending connection inline. Trade-off: false positives now break legitimate traffic.
Open-source password cracker with the most diverse format support of any open tool — every shadow-style hash plus dozens of obscure formats. Hashcat is faster on GPUs; John is more flexible on CPU and weird formats.
Requesting Kerberos service tickets (TGS) for accounts with a SPN, then cracking the encrypted portion offline to recover the service account password. Works against any AD account that has a Service Principal Name registered.
Software (or hardware) that records every keystroke a user types. Software keyloggers are a staple of commodity infostealers like RedLine, Vidar, and Raccoon.
Moving from one compromised host to another inside the same network, expanding access without re-entering from outside. The phase where engagements either get sloppy and get caught — or stay quiet and reach DA.
A web app reading a server-side file path supplied by the user. Classic example: `?page=../../../../etc/passwd`. Can escalate to RCE if the included file is a log, session file, or PHP wrapper.
Using legitimate, signed system binaries to do the attacker's work — `powershell.exe`, `certutil`, `wmic`, `regsvr32`. Evades AV/EDR because nothing 'foreign' is dropped on disk.
Reconstructing an event timeline from system, network, and application logs. The first line of investigation in nearly every IR engagement — and the source of every 'we knew, we just didn't look' post-mortem.
Signed Microsoft binaries that can be repurposed for attacker actions — code execution, download, persistence, evasion. The community catalogues these at lolbas-project.github.io.
Visual link-analysis platform for OSINT. Drag a 'person' or 'domain' onto the canvas, run 'transforms', and watch the graph grow as related entities are pulled from data sources.
Analyzing the contents of a system's RAM image to recover running processes, network connections, injected code, encryption keys, and decrypted artifacts that never touched disk.
Open-source exploitation framework maintained by Rapid7. Ships with thousands of exploit modules, auxiliary scanners, and payloads — the entry point for most people learning offensive security.
Metasploit's flagship in-memory payload. Speaks an encrypted protocol over a single TCP socket and exposes hundreds of post-exploitation commands (`hashdump`, `migrate`, `getsystem`, `keyscan_start`).
Requiring two or more independent factors — something you know, something you have, something you are — for authentication. TOTP/HOTP, push, hardware tokens (FIDO2/WebAuthn) are the modern shapes.
The Swiss Army knife of Windows credential theft. Dumps NTLM hashes, Kerberos tickets, plaintext passwords from LSASS, and forges Golden/Silver tickets. Written by Benjamin Delpy as an 'educational' tool.
Positioning yourself between two communicating parties so that all traffic flows through you — readable, modifiable, redirectable. Harder than it used to be thanks to ubiquitous TLS, but local-network MITM still works.
A globally-accessible knowledge base of adversary tactics and techniques observed in real intrusions, maintained by MITRE. Each technique has a `T####` ID and maps onto a tactic (Initial Access, Persistence, Lateral Movement, etc.).
The 'TCP/IP Swiss Army knife' — reads and writes to arbitrary TCP/UDP sockets. Used for port scanning, file transfer, banner grabbing, and the canonical reverse/bind shell setups.
Web server security scanner that probes for thousands of misconfigurations, default files, and known vulnerable scripts. Loud (no stealth) but cheap and surprisingly effective on legacy installs.
The 'Network Mapper' — Fyodor's port-scanner and host-discovery tool that turns 26 years old in 2024. Implements SYN/connect/UDP scans, OS fingerprinting, version detection, and the Nmap Scripting Engine (NSE).
Microsoft's pre-Kerberos challenge-response authentication protocol, and the format of Windows password hashes (MD4 of the UTF-16LE password). Vulnerable to relay attacks, Pass-the-Hash, and offline cracking; deprecated but still everywhere.
The U.S. government-funded repository of CVE data, hosted by NIST. Adds CVSS scores, CPE product mappings, and reference links on top of the raw MITRE CVE feed.
Transforming code or data to make analysis harder without changing behavior — string encryption, control-flow flattening, opaque predicates, packing. Slows down RE but never stops a determined analyst.
Layered encryption + multi-hop relay design: each relay in a circuit only knows its predecessor and successor, never the full path. The basis of Tor's anonymity guarantee.
The discipline of denying an adversary actionable information about your operations, identity, or capabilities. Originally military doctrine; today applied to anything from red-team engagements to whistleblower comms.
Offensive Security's hands-on penetration-testing certification. A 24-hour practical exam against a lab network, scored on root-level access to multiple machines. The de facto entry credential for junior pentest roles.
Intelligence collected from publicly-available sources: social media, public records, leaked credentials, search engines, archived web pages, certificate transparency logs. The first phase of every engagement.
OWASP's periodic ranking of the most critical web application security risks. Latest is 2021; 2025 is in draft. A1 in 2021 is 'Broken Access Control'.
Free, open-source web app scanner from OWASP. The community alternative to Burp Suite — slightly less polished but the active scanner is free and the CLI/API integration is excellent for CI.
Authenticating to a Windows service using the NTLM hash directly, without ever knowing the plaintext password. Works because the NTLM protocol uses the hash as the secret in its challenge-response.
The code that actually runs on the target after a successful exploit. Shellcode, a reverse shell, a Meterpreter session, a Cobalt Strike Beacon — anything that gives the attacker leverage.
Authorized, time-boxed offensive engagement against a defined scope to find security issues and demonstrate their impact. Different from red-teaming (covert, objective-based, no time box) and bug bounties (continuous, broad scope).
A site-wide secret mixed into password hashing in addition to per-user salt. Unlike salt, pepper is not stored alongside the hash — it lives in app config or an HSM. If the DB leaks but the pepper doesn't, hashes stay safer.
Mechanisms that keep an attacker's access alive across reboots, user logouts, and credential resets. Registry run keys, scheduled tasks, WMI subscriptions, service installs — anything that survives the next reboot.
Pretty Good Privacy (Phil Zimmermann, 1991) and its free reimplementation GnuPG — public-key encryption and signing for email and files. Decentralized 'web of trust' model rather than CAs.
Mass-sent fraudulent communication — typically email — designed to trick recipients into clicking, opening, or replying with credentials. The most common Initial Access vector in real intrusions year after year.
Using one compromised host as a stepping stone to reach networks the attacker can't touch directly. Implemented via tunnels, SOCKS proxies, or implant-relayed traffic.
The system of certificates, certificate authorities, revocation lists, and policies that lets two strangers establish trust online. The reason your browser believes that the server claiming to be `bank.com` actually is.
2018 Jens Steube technique that captures the RSN PMKID from a single EAPOL frame, then cracks the WPA2 passphrase offline — without ever having to capture a full 4-way handshake.
Malware that changes its observable form on every infection — different file hashes, different encryption keys, different code layout — while keeping the same underlying behavior. Defeats hash-based and naive signature AV.
Probing a remote host's TCP/UDP ports to determine which ones are open, closed, or filtered. The opening move of essentially every external engagement.
Mattifestation's collection of offensive PowerShell modules — Invoke-Mimikatz, Invoke-Kerberoast, PowerView for AD enumeration, PowerUp for privilege escalation. No longer actively maintained but the scripts still run.
PowerShell cmdlet collection for AD enumeration — `Get-NetUser`, `Get-NetGroup`, `Find-LocalAdminAccess`. Originally part of PowerSploit; the read-only counterpart to BloodHound's graph queries.
Building a fabricated scenario (a 'pretext') to manipulate a target into divulging information or performing an action. The narrative discipline behind every social-engineering call.
Going from a low-privilege foothold to a higher-privilege user — vertical (user → root/admin/SYSTEM) or horizontal (one user → another user's data). The phase between initial access and lateral movement.
Executing attacker code inside the address space of another process. Used to evade detection, inherit privileges, and steal handles. Dozens of techniques exist — CreateRemoteThread, APC injection, process hollowing, early-bird injection.
An intermediary that forwards requests between client and server. Used for caching, filtering, anonymization, and — in offensive contexts — to insert an intercepting tool into the traffic flow.
A collaborative engagement where Red Team and Blue Team work side-by-side, real-time — Red runs a technique, Blue confirms detection, gaps get tuned in the same session. Far faster than the traditional 'Red attacks, Blue learns months later from the report' cycle.
Open-source, command-line-first reverse-engineering framework. Steep learning curve; immense capability once mastered. Cutter is the GUI on top.
Precomputed chains of hash → reduction → hash that trade storage for crack time. Largely obsolete against properly-salted hashes (modern OS shadow files) and against fast GPU brute-force, but still works on legacy unsalted hashes.
Malware that encrypts a victim's data and demands payment for the decryption key. Modern variants also exfiltrate data first and threaten to publish — 'double extortion'.
Malware that gives an attacker full remote control over an infected host — keystrokes, files, webcam, screen. The hobbyist cousin of commercial C2 frameworks.
A vulnerability that lets an attacker run arbitrary code on a remote target. The top of the bug-severity ladder; every other web bug is judged by how close it gets to RCE.
Goal-oriented adversary simulation: 'pretend to be APT29 for a month and try to exfiltrate the M&A folder'. Broader scope, longer timeline, and stealthier than a pentest.
Lawrence Hummel's LLMNR/NBT-NS/MDNS poisoning toolkit. Sits on a Windows network, answers broadcast name-resolution queries on behalf of nonexistent hosts, and harvests NTLM hashes from clients that try to authenticate.
Privately reporting a vulnerability to the affected vendor and giving them a reasonable window to patch before public release. Industry norm: 90 days. Google Project Zero originated the modern public-deadline variant.
A shell where the victim initiates the connection outward to the attacker, who is listening. Bypasses inbound firewall rules — the modern default since the 2000s.
Like LFI, but the included path points at an attacker-hosted URL — and PHP fetches+executes it. Now rare thanks to `allow_url_include=0` being default since PHP 5.2.
Malware that hides itself and other artifacts from the OS by patching kernel structures, hooking syscalls, or running below the OS entirely. The deeper, the harder to detect — bootkits, UEFI implants.
Building shellcode-equivalent behavior by chaining short instruction sequences ('gadgets') that already exist in the target binary, ending in `ret`. Defeats NX/DEP, which marks the stack non-executable.
Public-key cryptosystem (Rivest, Shamir, Adleman, 1977). Security rests on the practical difficulty of factoring large composite numbers. Keys at 2048+ bits remain unbroken; ECC is now preferred for new code due to smaller key sizes.
A random per-user value mixed into a password before hashing. Defeats precomputed attacks (rainbow tables) by ensuring two users with the same password get different stored hashes.
A cookie attribute controlling whether the cookie is sent on cross-site requests. `Strict`, `Lax`, and `None` (which requires `Secure`). Modern browsers default to `Lax` — single-handedly killing a huge class of CSRF attacks.
An isolated execution environment used to safely analyze potentially-malicious code. Modern sandboxes (Cuckoo, Joe Sandbox, ANY.RUN) instrument syscalls, network activity, and file changes for automated triage.
Security testing that analyzes source code or binaries without running them. Strong on logic flaws, hardcoded secrets, taint analysis; weak on configuration and dependency vulnerabilities.
Python library for crafting, sending, sniffing, and dissecting arbitrary network packets. The hacker's `wireshark + tcpdump + hping3` combined, scriptable from a REPL.
Dave Kennedy's Python-based social-engineering toolkit. Spawns phishing pages cloned from real targets, generates malicious payloads, runs mass-mailer campaigns. The CLI you'll see in 95% of 'phishing demo' YouTube videos.
The C# collector for BloodHound. Crawls AD via LDAP and SMB, dumps users, groups, sessions, and ACLs to JSON for BloodHound ingestion.
Position-independent machine code injected during exploitation and executed in the target's address space. Historically literally spawned `/bin/sh`; modern shellcode is usually a downloader or staged loader.
Search engine for internet-connected devices — open ports, banners, certificates, screenshots. Indexes every IPv4 host. Often called 'Google for hackers' but it's really 'nmap as a service' at internet scale.
Centralized platform that ingests logs from across an environment, normalizes them, and lets analysts search, correlate, and alert. Splunk, Elastic, Sentinel, and Chronicle are the major players.
Bishop Fox's open-source cross-platform adversary-emulation framework — a Cobalt Strike alternative gaining momentum since 2021 in both legitimate red-team work and ransomware operations.
Catching an NTLM authentication attempt (often via Responder or coerced via PetitPotam/PrinterBug) and relaying it to another service rather than cracking it. Devastating in any environment where SMB signing isn't enforced.
Phishing via SMS. Less spam-filtered than email and increasingly used for MFA-bypass via fake delivery notifications and bank alerts.
Playbook automation for the SOC — when alert X fires, automatically pull threat intel, isolate the host, page on-call, open a ticket. Splunk SOAR (Phantom), Tines, Palo Alto Cortex XSOAR are common platforms.
The team — usually 24/7 — that monitors security telemetry and triages alerts. Tiers 1/2/3 map roughly onto triage, investigation, and threat-hunting.
A protocol for routing arbitrary TCP/UDP traffic through a proxy. SOCKS5 (RFC 1928) adds authentication and IPv6. Common in pivoting and anonymization stacks.
Targeted phishing: research a specific individual, craft a message that maps onto their role and current projects, send to that one person. Far higher conversion rate than mass phishing.
Injecting attacker-controlled syntax into a SQL query the application sends to its database. Causes are always the same: concatenated query strings instead of parameterized statements.
Automated SQL-injection exploitation tool — fingerprints the database, dumps tables, reads/writes files, and even opens an OS shell when stars align. The reason 'is this SQLi' is a 5-minute question.
Moxie Marlinspike's 2009 MITM technique: convert HTTPS links to HTTP on the victim's side while you proxy as HTTPS to the real server. HSTS preloading kills this on serious sites, but loose intranet apps still suffer.
Tricking the server into making HTTP (or other-protocol) requests to URLs of the attacker's choosing. Often pivots into internal-only services like `169.254.169.254` (AWS metadata) or `localhost:6379` (Redis).
A payload that includes its full implant code in one shot — no second-stage download. Larger and noisier than staged, but resilient to egress filtering at the C2.
Compromising a target by attacking a trusted dependency — software vendor, package registry, CI/CD pipeline, hardware supplier. Massive blast radius per intrusion.
Following an authorized person through a secured door without badging in yourself. The most embarrassingly effective physical-security bypass.
The command-line packet sniffer that every Unix-like ships with. Tiny syntax, BPF filters, and rock-solid for capturing traffic on headless boxes.
Parallelized online password-guessing tool that speaks dozens of protocols — SSH, FTP, RDP, HTTP forms, SMTP, MySQL. The standard for credential-stuffing protocols that don't have a more specialized tool.
Christian Martorella's OSINT tool that pulls emails, subdomains, employee names, and IPs from public sources — search engines, DNS, certificate transparency, and LinkedIn scraping.
Proactively looking for adversaries that may already be in the environment but haven't tripped automated alerts. Hypothesis-driven, not alert-driven.
Transport Layer Security — the protocol that wraps HTTP, SMTP, MQTT and dozens of others in an authenticated, encrypted channel. 'SSL' is the deprecated predecessor name; current is TLS 1.3 (RFC 8446, 2018).
The Onion Router — anonymity network with thousands of volunteer-run relays. Built by the U.S. Naval Research Lab in the 90s, now run by the Tor Project nonprofit.
Malware that presents itself as a legitimate file or program. Unlike a worm, it doesn't propagate on its own — the user has to run it, having been tricked into thinking it's something else.
How an adversary actually operates — the level above 'tool' and below 'objective'. MITRE ATT&CK's matrix exists precisely to enumerate TTPs at the technique level.
Wrapping one network protocol inside another to bypass filters or reach unreachable networks. SSH tunnels (`-L`, `-R`, `-D`), DNS tunneling, HTTP CONNECT — same idea, different shapes.
Escalating from medium to high integrity on Windows without triggering the UAC consent prompt. Usually achieved by abusing auto-elevating signed binaries (`fodhelper.exe`, `eventvwr.exe`) plus registry hijacking.
Phishing over voice (phone call or VoIP). Increasingly powerful with AI voice cloning — a 3-second sample of a CEO's voice is enough for a convincing call to finance.
The standard open-source memory-forensics framework. Reads raw RAM images and reconstructs running processes, network connections, registry hives, and injected code — across Windows, Linux, and macOS.
A tunnel that encrypts and encapsulates all traffic between a client and a gateway, making the client appear to be on the gateway's network. Used for remote-access (corporate) and for traffic anonymization (commercial).
A reverse proxy that inspects HTTP traffic and blocks requests matching attack patterns — SQLi, XSS, command injection. Cloudflare, AWS WAF, F5 BIG-IP ASM, ModSecurity + OWASP CRS are the common deployments.
Compromising a website the target audience already visits, so victims come to the malicious payload rather than the other way around. Patient, targeted, and a favorite of nation-state operators.
The reference open-source network protocol analyzer. Dissects hundreds of protocols, color-codes anomalies, follows streams. Tcpdump's GUI cousin; an absolutely required skill for network forensics.
Self-propagating malware that spreads from host to host without user interaction. Distinguished from a virus (needs a host file) and a trojan (needs a user to run it).
The marketing-driven evolution of EDR: same agent telemetry, plus email, identity, cloud, and network feeds, correlated into one analyst view. Whether it's a real category or a vendor pitch is contested.
Injecting attacker-controlled JavaScript into a page that another user will load. Three flavors: reflected (in URL params), stored (in DB rendered later), and DOM-based (entirely client-side). Defenses: contextual output encoding + Content Security Policy.
VirusTotal-developed pattern-matching language for classifying samples by content rules. The de facto standard for malware signatures and threat-intel sharing.
An architectural model where no implicit trust is granted by network location — every request is authenticated, authorized, and continuously evaluated. NIST SP 800-207 codifies the model.
A vulnerability that is being actively exploited before the vendor knows it exists (literally: zero days of patch availability). The currency of nation-state and high-end commercial exploit brokers.