Glossary of Penetration Testing Terms
# Active Directory & Kerberos
| Term | Definition |
|---|---|
| ACL | Access Control List — defines who has what permissions on AD objects |
| ADCS | Active Directory Certificate Services — PKI for AD; its misconfigurations are catalogued as the ESC1-ESC15 escalation paths |
| AS-REP | Authentication Service Response — the KDC's reply to the first step of Kerberos authentication; if pre-authentication is disabled for an account, its AS-REP can be obtained without credentials and cracked offline |
| BloodHound | Tool for analyzing AD attack paths via graph theory |
| BloodHound CE | BloodHound Community Edition (2024+). Docker-based deployment, web UI at port 8080. Uses built-in SharpHound CE collector. Replaces legacy BloodHound + Neo4j standalone setup |
| Constrained Delegation | Kerberos delegation limited to specific SPNs |
| DACL | Discretionary Access Control List — permissions on an object |
| DC | Domain Controller — server that handles authentication and directory services |
| DCSync | Attack that impersonates a DC to replicate credentials (requires Replication-Get-Changes-All) |
| Diamond Ticket | Forged TGT built by decrypting a legitimately issued TGT with the stolen krbtgt key, modifying it, and re-encrypting it; designed to evade the detections that catch Golden Tickets |
| FQDN | Fully Qualified Domain Name (e.g., dc01.htb.local) |
| GenericAll | Full control over an AD object — can reset passwords, add members, etc. |
| GenericWrite | Write access to an AD object's attributes |
| Golden Ticket | Forged TGT signed with krbtgt hash — grants unlimited domain access |
| gMSA | Group Managed Service Account — auto-managed service account with retrievable password |
| GPP / Groups.xml | Group Policy Preferences — historically stored encrypted passwords (cpassword) |
| IPC$ | Hidden SMB share used for inter-process communication and null session enumeration. Target of RPC enumeration via anonymous access |
| Kerberoasting | Requesting TGS tickets for SPNs and cracking them offline |
| krbtgt | Kerberos Ticket Granting Ticket account — the KDC service account whose key encrypts every TGT; compromising it = domain compromise |
| LAPS | Local Administrator Password Solution — manages unique local admin passwords |
| LDAP | Lightweight Directory Access Protocol — queries AD directory |
| NTDS.dit | Active Directory database file containing all domain hashes |
| NTLM | NT LAN Manager — Windows authentication protocol (v1 insecure, v2 better) |
| NTLM Relay | Attack where NTLM authentication is intercepted and forwarded to a target server. Requires SMB signing disabled on the target. Tools: ntlmrelayx, Responder |
| OU | Organizational Unit — AD container for grouping objects |
| RBCD | Resource-Based Constrained Delegation — controls who can delegate to a computer |
| RID | Relative Identifier. Unique number within a domain that, combined with the domain SID, forms a user/computer SID. Administrator = 500, Guest = 501, KRBTGT = 502 |
| S4U2Self | Service-for-User-to-Self — allows a service to get a TGS for itself on behalf of a user |
| S4U2Proxy | Service-for-User-to-Proxy — allows a service to use a user's TGS to access another service |
| SAM | Security Account Manager — local account database |
| SharpHound | BloodHound data collector (C#/.NET). Runs on-target, generates Event ID 4688 (process creation) and triggers AMSI. BloodHound CE has built-in collection |
| Silver Ticket | Forged TGS for a specific service (vs. Golden Ticket which is a TGT) |
| SPN | Service Principal Name — associates a service with a domain account |
| TGT | Ticket Granting Ticket — obtained after Kerberos authentication |
| TGS | Ticket Granting Service — the KDC service that issues service tickets; also used loosely for the service ticket itself, which grants access to a specific service |
| Unconstrained Delegation | Service can impersonate any user to any service |
| WriteDACL | Permission to modify an object's DACL |
| WriteOwner | Permission to change an object's owner |
# Windows Internals & Privilege Escalation
| Term | Definition |
|---|---|
| AppLocker | Windows application whitelisting |
| AMSI | Anti-Malware Scan Interface. Windows API that allows antivirus software to scan PowerShell scripts and .NET assemblies before execution. Bypassed via memory patching or alternative execution methods |
| CLM (Constrained Language Mode) | PowerShell restriction that limits available cmdlets and language features. Enforced by AppLocker or Device Guard. Bypass via PowerShell v2 downgrade, PowerShell Core, or C# tools |
| DPAPI | Data Protection API. Windows system for encrypting user secrets (browser passwords, WiFi keys, certificates). Master keys stored in user profile. Domain backup key can decrypt any user's DPAPI blobs |
| IFEO | Image File Execution Options — registry key for debugging; can be abused for persistence |
| LSASS | Local Security Authority Subsystem Service — stores credentials in memory |
| Mimikatz | Post-exploitation tool for credential extraction from LSASS memory. Heavily signatured by AV/EDR. Commonly used via Invoke-Mimikatz (PowerSploit) for in-memory execution |
| NT AUTHORITY\SYSTEM | Highest privilege account on Windows (equivalent to root) |
| SeBackupPrivilege | Can read any file on the system (backup operators) |
| SeImpersonatePrivilege | Can impersonate tokens — exploited via Potato family attacks |
| Token | Security context for a process (primary or impersonation) |
| UAC | User Account Control — limits admin privileges until elevation confirmed |
| WDigest | Windows Digest authentication protocol. When enabled, stores plaintext passwords in LSASS. Disabled by default on Windows 8.1+/2012 R2+. Check: `reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential` |
# Linux Internals & Privilege Escalation
| Term | Definition |
|---|---|
| Capabilities | Fine-grained Linux privileges (CAP_SETUID, CAP_DAC_READ_SEARCH, etc.) |
| Cron | Scheduled task system — often exploitable via writable scripts or PATH hijacking |
| GTFOBins | "GTFO Bins" — list of Unix binaries that can be abused for privesc |
| LD_PRELOAD | Environment variable that loads a shared library before all others |
| NFS | Network File System — exploitable if no_root_squash is set |
| SUID | Set User ID — binary runs with its owner's privileges (often root) |
| SGID | Set Group ID — binary runs with its group's privileges |
# Web Vulnerabilities
| Term | Definition |
|---|---|
| CSRF | Cross-Site Request Forgery — forces user to execute unwanted actions |
| Deserialization | Converting serialized data back to objects — unsafe deserialization leads to RCE |
| IDOR | Insecure Direct Object Reference — accessing unauthorized resources via ID manipulation |
| LFI | Local File Inclusion — including local files via vulnerable parameter |
| RFI | Remote File Inclusion — including remote files (often leads to RCE) |
| SQLi | SQL Injection — injecting SQL queries via user input |
| SSRF | Server-Side Request Forgery — making server request arbitrary URLs |
| SSTI | Server-Side Template Injection — injecting template expressions for RCE |
| XSS | Cross-Site Scripting — injecting client-side scripts |
| XXE | XML External Entity — exploiting XML parsers to read files/SSRF |
# General Pentesting
| Term | Definition |
|---|---|
| C2 | Command & Control — infrastructure for managing compromised hosts |
| ConPtyShell | Windows ConPTY (Pseudo Console) based reverse shell. Provides a fully interactive terminal on Windows 10 1809+. Replaces the rlwrap approach for stable Windows shells |
| CVE | Common Vulnerabilities and Exposures — identifier for known vulnerabilities |
| EDR | Endpoint Detection and Response — advanced AV monitoring endpoints |
| Foothold | Initial access / code execution on the target |
| Kill Chain | Stages of an attack: recon → weaponization → delivery → exploitation → installation → C2 → actions |
| LNK File | Windows Shortcut file. Can embed icon paths pointing to attacker SMB shares for credential capture |
| Lateral Movement | Moving from one compromised host to another within a network |
| NetExec (nxc) | Maintained successor to CrackMapExec (deprecated 2023). Network execution tool for SMB, LDAP, MSSQL, WinRM, SSH, RDP, VNC, FTP. Same syntax as CME |
| OPSEC | Operational Security — avoiding detection during operations |
| OSINT | Open Source Intelligence — gathering information from public sources |
| Pivoting | Routing traffic through a compromised host to reach otherwise inaccessible networks |
| PoC | Proof of Concept — code demonstrating a vulnerability |
| Privilege Escalation | Gaining higher-level access (horizontal = same level, different user; vertical = higher privileges) |
| Shell | Command execution on target (bind shell = target listens; reverse shell = target connects back) |
| SCF File | Shell Command File. Custom shortcut file that can force Windows to authenticate to an attacker-controlled SMB share when browsed via Explorer |
| TTY | Teletype — interactive terminal; upgrading a shell means getting full TTY functionality |