Index

A

• activities
  • about / Activities
• adb
  • about / ADB Primer
  • SQL Injection, exploiting in content providers / Exploiting SQL Injection in content providers using adb
  • used, for bypassing pattern lock / Bypassing pattern lock using adb
  • used, for bypassing password/PIN / Bypassing password/PIN using adb
• ADB Primer
  • about / ADB Primer
  • connected devices, checking for / Checking for connected devices
  • shell, obtaining / Getting a shell
  • shell, listing / Listing the packages
  • files, pushing to device / Pushing files to the device
  • files, pulling from device / Pulling files from the device
  • apps, installing with / Installing apps using adb
  • adb connections, troubleshooting / Troubleshooting adb connections
• adb shell commands
  • reference / What does exported behavior mean to an activity?
• advanced footprinting
  • using / Using advanced footprinting
  • scan, interpreting / Interpreting the scan and building on the result
  • poor patch management, exploiting / Exploiting poor patch management
  • logged in user, checking for / Finding out whether anyone is home
• Advanced REST Client
  • about / Advanced REST Client for Chrome
  • for Chrome / Advanced REST Client for Chrome
• AIDL services
  • attacking / Attacking AIDL services
  • reference / Attacking AIDL services
• AJAX
  • about / Introduction to AJAX
  • benefits / Introduction to AJAX
  • building blocks / Building blocks of AJAX
  • JavaScript / Building blocks of AJAX
  • Dynamic HTML (DHTML) / Building blocks of AJAX
  • Document Object Model (DOM) / Building blocks of AJAX
  • workflow / The AJAX workflow
  • security issues / AJAX security issues
  • client-side code, analyzing / Analyzing client-side code – Firebug
• AJAX applications
  • challenges of pentesting / Challenges of pentesting AJAX applications
  • crawling / Crawling AJAX applications
• AJAX crawling tool (ACT)
  • about / AJAX crawling tool
  • download link / AJAX crawling tool
  • starting / AJAX crawling tool
• AJAX engine / The AJAX workflow
• AJAX spider
  • about / AJAX spider – OWASP ZAP
• Amap version scan
  • about / The Amap version scan
• Amazon cloud
  • Kali Linux, installing on / Kali Linux on Amazon cloud
• Analyser, Introspy
  • about / Cydia Substrate and Introspy
• Android
  • rooting / What is rooting?
• Android app
  • basics / Basics of Android apps
  • structure / Android app structure
  • components / Android app components
• Android app build process
  • about / Android app build process
• Android apps
  • about / Introduction to Android apps
  • web based apps / Web Based apps, Different types of mobile apps and their threat model
  • native apps / Native apps, Different types of mobile apps and their threat model
  • hybrid apps / Hybrid apps, Different types of mobile apps and their threat model
• Android app vulnerabilities
  • identifying / Identifying and exploiting Android app vulnerabilities using Drozer
  • exploiting, Drozer used / Identifying and exploiting Android app vulnerabilities using Drozer
• Android Asset Packaging Tool (aapt) / Android app build process
• Android Backup Extractor
  • URL / Convert .ab format to tar format using Android backup extractor
• Android Interface Definition Language (AIDL)
  • about / Using AIDL
• Android Interface Definition Language (aidl) / Android app build process
• Android local data storage techniques
  • about / Android local data storage techniques
  • shared preferences / Shared preferences
  • SQLite databases / SQLite databases
  • internal storage / Internal storage
  • external storage / External storage
• Android malwares
  • characteristics / What do Android malwares do?
  • writing / Writing Android malwares
  • simple reverse shell Trojan, writing with socket programming / Writing a simple reverse shell Trojan using socket programming
  • general tips, for safety / How to be safe from Android malwares?
• Android Runtime (ART)
  • about / ART – the new Android Runtime
• Android security assessments
  • performing, with Drozer / Performing Android security assessments with Drozer
• AndroidSSLTrustKiller
  • about / Bypassing certificate pinning
  • used, for bypassing SSL pinning / Bypass SSL pinning using AndroidSSLTrustKiller
  • download link / Bypass SSL pinning using AndroidSSLTrustKiller
• Android Studio
  • about / Android Studio
  • download link / Android Studio
  • installing / Android Studio
• Android Virtual Device (AVD)
  • about / Installing the required tools
  • setting up / Setting up an AVD
  • real device / Real device
  • Apktool / Apktool
  • Dex2jar / Dex2jar/JD-GUI
  • JD-GUI / Dex2jar/JD-GUI
  • Burp Suite / Burp Suite
  • configuring / Configuring the AVD
  • Drozer / Drozer
  • QARK / QARK (No support for windows)
  • Advanced REST Client, for Chrome / Advanced REST Client for Chrome
  • Droid Explorer / Droid Explorer
  • Introspy / Cydia Substrate and Introspy
  • Cydia Substrate / Cydia Substrate and Introspy
  • SQLite browser / SQLite browser
  • Frida / Frida
  • vulnerable apps / Vulnerable apps
  • Kali Linux / Kali Linux
• Antivirus
  • evading, Backdoor-Factory used / Using Backdoor-Factory to Evade Antivirus
• API key for Bing
  • URL / The Recon-ng tool – a framework for information gathering
• APK
  • about / Android app structure
  • download link / How to get an APK file?
• APK file
  • uncompressing / Android app structure
  • obtaining / How to get an APK file?
• app
  • attack surface / Understanding the app's attack surface
• application components
  • attacking / Attacking application components
• applications of fuzzing
  • about / Applications of fuzzing
  • network protocol fuzzing / Network protocol fuzzing
  • file fuzzing / File fuzzing
  • user interface fuzzing / User interface fuzzing
  • web application fuzzing / Web application fuzzing
  • web browser fuzzing / Web browser fuzzing
• application version fingerprinting
  • about / Application version fingerprinting
  • Nmap version scan / The Nmap version scan
  • Amap version scan / The Amap version scan
• apps, with network level access
  • issues / Dangers with apps that provide network level access
• app sandboxing
  • about / Understanding app sandboxing, App sandboxing
• arbitrary code execution (ACE)
  • about / Exploiting shellshock
• ARMEL / VMware and ARM images of Kali Linux
• ARMHF / VMware and ARM images of Kali Linux
• ARM images
  • of Kali Linux / VMware and ARM images of Kali Linux
• Armitage
  • about / Arm yourself with Armitage
  • Find Attacks / Arm yourself with Armitage
  • Hail Mary / Arm yourself with Armitage
  • single known host, working with / Working with a single known host
  • new machines discovering, NMap used / Discovering new machines with NMap
• asymmetric encryption
  • about / Asymmetric encryption versus symmetric encryption
• asymmetric encryption algorithms
  • Diffie-Hellman key exchange / Asymmetric encryption algorithms
  • Rivest Shamir Adleman (RSA) / Asymmetric encryption algorithms
  • Elliptic Curve Cryptography (ECC) / Asymmetric encryption algorithms
• attack path
  • creating / Creating the attack path
  • system, grabbing on target / Grabbing system on the target
  • route, setting up / Setting Up the route
  • inner network, exploring / Exploring the inner network
  • Windows NET USE command, abusing / Abusing the Windows NET USE command
• attack potentials, of cross-site scripting attacks / Attack potential of cross-site scripting attacks
• attacks, on activities
  • about / Attacks on activities, What does exported behavior mean to an activity?
• attacks, on broadcast receivers
  • about / Attacks on broadcast receivers
• attacks, on content providers
  • about / Attacks on content providers
• attacks, on exported activities / Attacks on exported activities
• attacks, on services
  • about / Attacks on services
  • Binder class, extending / Extending the Binder class:
  • Messenger, using / Using a Messenger
  • AIDL, using / Using AIDL
• attack surface
  • identifying / Identifying the attack surface
• attack types, Burp intruder
  • Sniper / Fuzzing using Burp intruder
  • Battering ram / Fuzzing using Burp intruder
  • Pitchfork / Fuzzing using Burp intruder
  • Cluster bomb / Fuzzing using Burp intruder
• authentication
  • basic authentication / Basic authentication
  • digest authentication / Digest authentication
  • integrated authentication / Integrated authentication
  • form-based authentication / Form-based authentication
  • vulnerabilities / Authentication vulnerabilities
• authentication flaws
  • about / Authentication protocols and flaws
• authentication issues
  • about / Authentication issues
• authentication protocols
  • about / Authentication protocols and flaws
• authorization
  • vulnerabilities / Authorization vulnerabilities
• automated Android app assessments, with Drozer
  • about / Automated Android app assessments using Drozer
  • modules, listing out / Listing out all the modules
  • package information, retrieving / Retrieving package information
  • target application package name, finding out / Finding out the package name of your target application
  • package information, obtaining / Getting information about a package
  • AndroidManifes.xml file, dumping / Dumping the AndroidManifes.xml file
  • attack surface, finding out / Finding out the attack surface:
  • attacks, on activities / Attacks on activities
  • attacks, on services / Attacks on services
  • broadcast receivers / Broadcast receivers
  • content provider leakage / Content provider leakage and SQL Injection using Drozer
  • SQL Injection / Content provider leakage and SQL Injection using Drozer
  • SQL Injection, attacking / Attacking SQL Injection using Drozer
  • path travesal attacks, in content providers / Path traversal attacks in content providers
  • debuggable apps, exploiting / Exploiting debuggable apps
• automated tools
  • about / Automated tools
  • Drozer / Drozer
• Autopsy
  • about / Diving into Autopsy
  • using / Diving into Autopsy
  • URL / Diving into Autopsy
  • case, creating / Diving into Autopsy
  • host, adding / Diving into Autopsy
  • disk image, adding / Diving into Autopsy
  • files, verifying / Diving into Autopsy
  • verifiable hash, setting up / Diving into Autopsy
  • image, adding / Diving into Autopsy
  • example / Diving into Autopsy
• auxiliary modules
  • Dir_listing / Testing web servers using auxiliary modules in Metasploit
  • Dir_scanner / Testing web servers using auxiliary modules in Metasploit
  • Enum_wayback / Testing web servers using auxiliary modules in Metasploit
  • Files_dir / Testing web servers using auxiliary modules in Metasploit
  • http_login / Testing web servers using auxiliary modules in Metasploit
  • robots_txt / Testing web servers using auxiliary modules in Metasploit
  • webdav_scanner / Testing web servers using auxiliary modules in Metasploit

B

• Backdoor-Factory
  • used, for evading Antivirus / Using Backdoor-Factory to Evade Antivirus
• backend threats
  • about / Threats at the backend
  • OWASP top 10 mobile risks / Relating OWASP top 10 mobile risks and web attacks
  • web attacks / Relating OWASP top 10 mobile risks and web attacks
  • authentication/authorization issues / Authentication/authorization issues, Authentication vulnerabilities, Authorization vulnerabilities
  • session management issues / Session management
  • Insufficient Transport Layer Security / Insufficient Transport Layer Security
  • input validation related issues / Input validation related issues
  • improper error handling / Improper error handling
  • insecure data storage / Insecure data storage
  • attacks, on database / Attacks on the database
• backup techniques
  • about / Backup techniques
  • app data, backing up with adb backup command / Backup the app data using adb backup command
  • .ab format, converting to tar format with Android backup extractor / Convert .ab format to tar format using Android backup extractor
  • tar file, extracting with pax or star utility / Extracting the TAR file using the pax or star utility
  • extracted content, analyzing for security issues / Analyzing the extracted content for security issues
• basic authentication
  • about / Basic authentication
• BBQSQL
  • about / BBQSQL – the blind SQL injection framework
• BeEF hook
  • injecting, MITM used / Injecting the BeEF hook using MITM
• BeEF hook injection
  • about / BeEF hook injection
  • browser reconnaissance / Browser reconnaissance
  • exploit modules / Exploit modules
  • host information gathering / Host information gathering
  • persistence module / Persistence module
  • network recon / Network recon
  • Inter-protocol exploitation and communication (IPEC) node / Inter-protocol exploitation and communication
• Boolean logic
  • about / Working with Boolean logic
  • While loop structure, reviewing / Reviewing a while loop structure
  • For loop structure, reviewing / Reviewing the for loop structure
• boot loader
  • about / Locked and unlocked boot loaders
  • unlock status, determining on Sony devices / Determining boot loader unlock status on Sony devices
  • unlocking, on Sony through vendor specified method / Unlocking boot loader on Sony through a vendor specified method
  • unlocked boot loaders, rooting on Samsung device / Rooting unlocked boot loaders on a Samsung device
• broadcast receivers
  • about / Broadcast receivers
• browser exploitation framework
  • about / Browser exploitation framework
• browser exploitation framework (BeEF)
  • about / Browser exploitation framework, Introducing BeEF
  • hook injection / BeEF hook injection
  • mutillidae XSS flaw, exploiting with / Exploiting the mutillidae XSS flaw using BeEF
• brute forcing credentials
  • about / Brute forcing credentials
• buffer overflows
  • reducing / Reducing buffer overflows
• bug
  • about / Demystifying debuggers
• building blocks, AJAX
  • about / Building blocks of AJAX
• Burp intruder
  • about / Fuzzing using Burp intruder
  • used, for fuzzing / Fuzzing using Burp intruder
  • setting up / Fuzzing using Burp intruder
  • attack types / Fuzzing using Burp intruder
• Burp proxy
  • about / Burp proxy
  • client interception, customizing / Customizing client interception
  • requests, modifying / Modifying requests on the fly
  • with SSL-based websites / Burp proxy with SSL-based websites
  / Tools to analyze tokens
• burp proxy
  • used, for attacking path traversal / Attacking path traversal using Burp proxy
• Burp spider / The Burp spider
• Burp Spider
  • used, for spidering site / Spidering a site with Burp Spider
• Burp Suite
  • using, for search / Search and destroy with Burp Suite
  • using, for destroy / Search and destroy with Burp Suite
  • about / Search and destroy with Burp Suite
  • test subject, targeting / Targeting the test subject
  • using, as proxy / Using Burp Suite as a Proxy
  • security certificate, installing / Installing the Burp Suite security certificate
  • site, spidering with Burp Spider / Spidering a site with Burp Spider
• Burp suite / Tools to analyze tokens
• Burp Suite Proxy
  • setting up, for testing / Setting up Burp Suite Proxy for testing
  • setting up, via APN / Proxy setting via APN
  • setting up, via Wi-Fi / Proxy setting via Wi-Fi
• BusyBox / Installing additional apps

C

• calculator application
  • activity / Activities
• Capstone
  • disassembling code, creating / Create your own disassembling code with Capstone
  • URL / Create your own disassembling code with Capstone
• CAPTCHA / Cross-site request forgery
• Casefile
  • about / Using Maltego
• Case structures
  • about / Working with Boolean logic, Understanding the decision points
• certificate authority (CA) / SSL encryption process
• certificate pinning
  • bypassing / Bypassing certificate pinning
• certificate warnings
  • bypassing / Bypass certificate warnings and HSTS
• chntpw
  • used, for owing registry / Owning the registry with chntpw
• CIA triad
  • confidentiality / SSL in web applications
  • message integrity / SSL in web applications
  • availability / SSL in web applications
• Classless Inter-Domain Routing (CIDR)
  • about / Using Unicorn-Scan
  • URL / Discovering new machines with NMap
• clearev / Exploring the inner network
• CMS identification tools
  • about / CMS identification tools
  • Plecost / CMS identification tools
  • Joomscan / CMS identification tools
• command-line application
  • about / Where can you find instructions on this thing?
  • Help page / Where can you find instructions on this thing?
  • Man page / Where can you find instructions on this thing?
  • Info pages / Where can you find instructions on this thing?
• command injection
  • about / Command injection, Command injection
  • parameters, identifying to inject data / Identifying parameters to inject data
  • error-based and blind command injection / Error-based and blind command injection
  • metacharacters, for command separator / Metacharacters for command separator
  • scanning / Scanning for command injection
  • exploiting, Metasploit used / Exploiting command injection using Metasploit
  • PHP shell and Metasploit / PHP shell and Metasploit
  • shellshock, exploiting / Exploiting shellshock
• command injection, scanning for
  • about / Scanning for command injection
  • cookie file, creating for authentication / Creating a cookie file for authentication
  • Wapiti, executing / Executing Wapiti
• command line
  • DEX files, building from / Building DEX files from the command line
• Command Line Interface (CLI)
  • about / Zenmap
• commands
  • $audit_suidsgid / Getting help in Weevely
  • $audit_phpconf / Getting help in Weevely
  • $audit_etcpasswd / Getting help in Weevely
  • $audit_filesystem / Getting help in Weevely
  • $shell_php / Getting help in Weevely
  • $shell_sh / Getting help in Weevely
  • $shell_su / Getting help in Weevely
  • $system_extensions / Getting help in Weevely
  • $system_info / Getting help in Weevely
  • $backdoor_reversetcp / Getting help in Weevely
  • $backdoor_tcp / Getting help in Weevely
  • $bruteforce_sql / Getting help in Weevely
  • $file_cd / Getting help in Weevely
  • $file_grep / Getting help in Weevely
  • $file_find / Getting help in Weevely
  • $file_rm / Getting help in Weevely
  • $file_cp / Getting help in Weevely
  • $file_zip / Getting help in Weevely
  • $file_enum / Getting help in Weevely
  • $file_check / Getting help in Weevely
  • $file_edit / Getting help in Weevely
  • $file_upload2web / Getting help in Weevely
  • $file_gzip / Getting help in Weevely
  • $file_download / Getting help in Weevely
  • $file_touch / Getting help in Weevely
  • $file_webdownload / Getting help in Weevely
  • $file_ls / Getting help in Weevely
  • $file_read / Getting help in Weevely
  • $file_mount / Getting help in Weevely
  • $file_bzip2 / Getting help in Weevely
  • $file_tar / Getting help in Weevely
  • $file_upload / Getting help in Weevely
  • $sql_console / Getting help in Weevely
  • $sql_dump / Getting help in Weevely
  • $net_scan / Getting help in Weevely
  • $net_curl / Getting help in Weevely
  • $net_proxy / Getting help in Weevely
  • $net_ifconfig / Getting help in Weevely
  • $net_phpproxy / Getting help in Weevely
• commands, for meterpreter
  • getsystem / Exploitation – Metasploit
  • download / Exploitation – Metasploit
  • hashdump / Exploitation – Metasploit
  • sysinfo / Exploitation – Metasploit
  • help / Exploitation – Metasploit
• components, Android app
  • activities / Activities
  • services / Services
  • broadcast receivers / Broadcast receivers
  • content providers / Content providers
• content providers
  • about / Content providers
  • querying / Querying content providers:, Querying the content provider
  • SQL Injection, exploiting in / Exploiting SQL Injection in content providers using adb
  • where condition, writing / Writing a where condition:
• cookie stealing / Cookie stealing
• core commands
  • ? / Starting Metasploit
  • previous / Starting Metasploit
  • back / Starting Metasploit
  • pushm / Starting Metasploit
  • banner / Starting Metasploit
  • quit / Starting Metasploit
  • cd / Starting Metasploit
  • reload_all / Starting Metasploit
  • color / Starting Metasploit
  • rename_job / Starting Metasploit
  • connect / Starting Metasploit
  • resource / Starting Metasploit
  • edit / Starting Metasploit
  • route / Starting Metasploit
  • exit / Starting Metasploit
  • save / Starting Metasploit
  • get / Starting Metasploit
  • search / Starting Metasploit
  • getg / Starting Metasploit
  • sessions / Starting Metasploit
  • go_pro / Starting Metasploit
  • set / Starting Metasploit
  • grep / Starting Metasploit
  • setg / Starting Metasploit
  • help / Starting Metasploit
  • show / Starting Metasploit
  • info / Starting Metasploit
  • sleep / Starting Metasploit
  • irb / Starting Metasploit
  • spool / Starting Metasploit
  • jobs / Starting Metasploit
  • threads / Starting Metasploit
  • kill / Starting Metasploit
  • unload / Starting Metasploit
  • load / Starting Metasploit
  • unset / Starting Metasploit
  • loadpath / Starting Metasploit
  • unsetg / Starting Metasploit
  • makerc / Starting Metasploit
  • use / Starting Metasploit
  • popm / Starting Metasploit
  • version / Starting Metasploit
• Core FTP
  • about / Basic sniffing with tcpdump
• Couchbase
  • about / NoSQL demo application functionality
• credential harvester attack
  • about / Credential harvester attack
• cross-site faxing (XSF) module / Inter-protocol exploitation and communication
• cross-site request forgery (CSRF)
  • about / Cross-site request forgery
  • attack dependencies / Attack dependencies
  • attack methodology / Attack methodology
  • mitigation techniques / CSRF mitigation techniques
• cross-site request forgery attack (CSRF)
  • about / Cross-site request forgery
• cross-site scripting
  • quick solutions / Quick solutions to cross-site scripting
  • about / Cross-site scripting
  • origin / The origin of cross-site scripting
  • overview / An overview of cross-site scripting
  • types / Types of cross-site scripting
• cross-site scripting (XSS) / The TRACE method
• cross-site scripting attacks
  • attack potentials / Attack potential of cross-site scripting attacks
• Cross-site tracing (XST) attack / The TRACE method
• CsiTool / Robbing the Hives with samdump2
• CSRF flaw
  • testing for / Testing for CSRF flaws
• Custom recovery
  • about / Stock recovery and Custom recovery
  • prerequisites / Prerequisites
• Custom ROM
  • flashing, to phone / Flashing the Custom ROM to the phone
• Custom ROM installation
  • about / Rooting Process and Custom ROM installation
  • recovery, installing / Installing recovery softwares
• CVE-2013-6271
  • used, for bypassing screen locks / Bypassing screen locks using CVE-2013-6271
• CVE-2014-6271
  • about / Command injection
• CyanogenMod 11 / Flashing the Custom ROM to the phone
• Cydia Substrate
  • about / Introduction to Cydia Substrate
  • reference / Introduction to Cydia Substrate
• Cygwin
  • URL / NoSQL demo application functionality

D

• damn vulnerable web application (DVWA)
  • about / Scanning for command injection
• data
  • pulling, from sdcard / Pulling data from the sdcard
• database back-end commands
  • creds / Starting Metasploit
  • db_status / Starting Metasploit
  • db_connect / Starting Metasploit
  • hosts / Starting Metasploit
  • db_disconnect / Starting Metasploit
  • loot / Starting Metasploit
  • db_export / Starting Metasploit
  • notes / Starting Metasploit
  • db_import / Starting Metasploit
  • services / Starting Metasploit
  • db_nmap / Starting Metasploit
  • vulns / Starting Metasploit
  • db_rebuild_cache / Starting Metasploit
  • workspace / Starting Metasploit
• database exploitation / Database exploitation
• data storage
  • about / What is data storage?
• data structures
  • about / Working with Boolean logic
• Debian Ncurses
  • about / Running Kali from the live CD
• debuggers
  • about / Practicing reverse engineering
  • demystifying / Demystifying debuggers
  • Valgrind Debugger, using / Using the Valgrind Debugger to discover memory leaks
  • app, translating to assembler with EDB-Debugger / Translating your app to assembler with the EDB-Debugger
  • OllyDbg, executing / Running OllyDbg
• Decision Points
  • about / Working with Boolean logic
• decision points
  • about / Understanding the decision points
• defence against, DOM-based XSS / Defence against DOM-based XSS
• Denial
  • about / Dealing with Denial
• Denial of Service (DoS)
  • about / Choosing the appropriate time and tool
• DEX files
  • building, from command line / Building DEX files from the command line
• dexopt
  • about / Example of extracting user installed apps
• different testing methodology
  • about / Different testing methodologies
  • ethical hacking / Ethical hacking
  • penetration testing / Penetration testing
  • vulnerability assessment / Vulnerability assessment
  • security audit / Security audits
• digest authentication
  • about / Digest authentication
• Digital Forensics
  • about / Getting into Digital Forensics
• dirb
  • about / Scanning – dirb
• DirBuster
  • used, in directory browsing / Directory browsing using DirBuster
• directory browsing
  • about / Directory browsing
  • with DirBuster / Directory browsing using DirBuster
  • comments, in HTML code / Comments in HTML code
  • mitigation / Mitigation
• disassemblers
  • about / Introduction to disassemblers
  • JAD, executing / Running JAD
  • disassembling code, creating with Capstone / Create your own disassembling code with Capstone
• disassembly tool
  • about / Practicing reverse engineering
• Document Object Model (DOM)
  • about / Introduction to JavaScript
• DOM-based XSS
  • about / DOM-based XSS
  • example / DOM-based XSS
  • defence against / Defence against DOM-based XSS
• domain error spoofing / Spoofing network traffic
• Domain Internet Groper (dig) / Zone transfer using dig
• domain registration details, reconnaissance
  • about / Domain registration details
  • Whois / Whois – extracting domain information
  • domain information, extracting / Whois – extracting domain information
• domain spoofing / Spoofing network traffic
• Dradis
  • about / Dradis – the web-based document organizer
  • configuring / Dradis – the web-based document organizer
  • URL / Dradis – the web-based document organizer
• Droidbox
  • about / Tools for automated analysis
• Droid Explorer
  • about / Droid Explorer
  • download link / Droid Explorer
• Dropbox
  • about / The Dropbox
• Drozer
  • about / Drozer, Drozer
  • prerequisites / Prerequisites
  • download link / Prerequisites
  • installing / Prerequisites
  • installation, validating / Prerequisites
  • Android security assessments, performing with / Performing Android security assessments with Drozer
  • used, for exploiting Android app vulnerabilities / Identifying and exploiting Android app vulnerabilities using Drozer
• Drozer modules
  • listing / Listing out all the modules
  • package information, retrieving / Retrieving package information
• dynamic analysis
  • about / Mobile application architecture
• dynamic analysis, malware analysis
  • about / Dynamic analysis
  • HTTP/HTTPS traffic, analyzing with Burp / Analyzing HTTP/HTTPS traffic using Burp
  • network traffic, analyzing with tcpdump and Wireshark / Analysing network traffic using tcpdump and Wireshark
• dynamic instrumentation
  • Frida used / Dynamic instrumentation using Frida

E

• EDB-Debugger
  • app, translating to assembler / Translating your app to assembler with the EDB-Debugger
  • symbol mapper / EDB-Debugger symbol mapper
• email spoofing / Spoofing network traffic
• encrypted USB drive
  • Kali Linux, installing / Installing Kali Linux to an encrypted USB drive
• EtherApe
  • about / Monkeying around the network
  • executing / Monkeying around the network
• Etherape
  • installing / EtherApe – the graphical protocol analysis tool
  • configuring / EtherApe – the graphical protocol analysis tool
• ethical hacking
  • about / Ethical hacking
• Ettercap
  • about / Ettercap, MitM attacks
  • using, on command line / Using Ettercap on the command line
• evilattacker
  • URL / XSS using the POST Method
• executable
  • replacing / Replacing the executable
• existing exploits
  • using / Using existing exploits
• external storage
  • about / External storage, External storage

F

• file fuzzing
  • about / File fuzzing
• file inclusion vulnerability
  • about / File inclusion vulnerability
  • remote file include / Remote file include
  • local file include / Local file include
  • mitigation / Mitigation for file inclusion attacks
• files/folders, APK
  • AndroidManifest.xml / Android app structure
  • classes.dex / Android app structure
  • resources.arsc / Android app structure
  • Res / Android app structure
  • Assets / Android app structure
  • META-INF / Android app structure
• Firebug
  • about / Analyzing client-side code – Firebug
  • URL / Analyzing client-side code – Firebug
  • Script panel / The Script panel
  • Console panel / The Console panel
  • Network panel / The Network panel
• firewalls and IPS, evading with Nmap
  • ACK scan / Evading firewalls and IPS using Nmap
  • hardcoded source port, in firewall rules / Evading firewalls and IPS using Nmap
  • custom packet size / Evading firewalls and IPS using Nmap
  • custom MTU / Evading firewalls and IPS using Nmap
  • MAC address spoofing / Evading firewalls and IPS using Nmap
• Footprinting
  • about / Footprinting the network
• Forensics
  • Kali, using / Starting Kali for Forensics
  • online resources / Mounting image files
• For loop
  • structure, reviewing / Reviewing the for loop structure
  • decision points / Understanding the decision points
• form-based authentication
  • about / Form-based authentication
• Frida
  • about / Frida, What is Frida?
  • references / Frida
  • prerequisites / Frida, Prerequisites
  • used, for dynamic instrumentation / Dynamic instrumentation using Frida
  • used, for performing dynamic hooking / Steps to perform dynamic hooking with Frida
• Frida's JavaScript API
  • reference / Steps to perform dynamic hooking with Frida
• frida-client
  • setting up / Setting up frida-client
  • setup, testing / Testing the setup
• Frida server
  • setting up / Setting up Frida server
• fuzzdb
  • reference / Fuzzing using Burp intruder
• fuzzer frameworks
  • about / Fuzzer frameworks
  • SPIKE / Fuzzer frameworks
  • Peach / Fuzzer frameworks
  • Sulley / Fuzzer frameworks
• fuzzing
  • about / Fuzzing basics
  • basics / Fuzzing basics
  • advantages / Fuzzing basics
  • disadvantages / Fuzzing basics
  • types / Types of fuzzing techniques
  • mutation fuzzing / Mutation fuzzing
  • generation fuzzing / Generation fuzzing
  • applications of fuzzing / Applications of fuzzing
• fuzzing input, in web applications
  • about / Fuzzing input in web applications
  • request URI / Request URI
  • headers / Headers
  • form fields / Form fields
• fuzzing steps
  • about / Fuzzing steps

G

• GAPPS
  • reference / Flashing the Custom ROM to the phone
• Gedit
  • installing / Gedit – the Gnome text editor
  • configuring / Gedit – the Gnome text editor
• gedit
  • about / Using the Valgrind Debugger to discover memory leaks
• generation-based fuzzers
  • about / Generation fuzzing
• Geocoder and reverse geocoder / Reporting modules
• getsystem / Gaining access with Metasploit
• GoatDroid
  • about / What does exported behavior mean to an activity?
  • reference / What does exported behavior mean to an activity?
• Gramm-Leach-Bliley Act (GLBA) / Sensitive data handling
• Graphical Installer
  • about / Running Kali from the live CD
• GUI Application Droid Explorer / Real world application demo
• Guymager
  • about / Exploring Guymager
  • exploring / Exploring Guymager
  • drive, acquiring for legal evidence / Acquiring a drive to be legal evidence
  • used, for cloning / Cloning With Guymager

H

• .htaccess
  • about / Concept of .htaccess
• hacker
  • about / Who is a hacker?
• hacking
  • about / Who is a hacker?
• hard drive
  • Kali Linux, installing on / Installing Kali Linux on a hard drive
• hashing functions
  • about / Hashing for message integrity
• Health Insurance Portability and Accountability Act (HIPAA) / Sensitive data handling
• heartrate
  • download link / Example of extracting user installed apps
• Heimdall Suite
  • reference / Using Heimdall
• Hip Hop Virtual machine (HHVM) / The HTTP header
• hooking
  • Xposed framework used / Hooking using Xposed framework
• hosts, identifying with DNS
  • about / Identifying hosts using DNS
  • zone transfer, using dig / Zone transfer using dig
  • brute force DNS records, using Nmap / Brute force DNS records using Nmap
• hosts command
  • using / Using the hosts and services commands
• HSTS / HSTS – HTTP Strict Transport Security
• Htop
  • used, for monitoring resource use / Monitoring resource use with Htop
• HTTP error codes
  • reference / Detecting result of fuzzing
• HTTP methods, for penetration testing
  • GET method / The GET/POST method
  • POST method / The GET/POST method
  • HEAD method / The HEAD method
  • TRACE method / The TRACE method
  • PUT method / The PUT and DELETE methods
  • DELETE method / The PUT and DELETE methods
  • OPTIONS method / The OPTIONS method
• HTTP parameter pollution
  • about / HTTP parameter pollution
  • mitigation / Mitigation
• HTTP response splitting
  • about / HTTP response splitting
  • mitigation / Mitigation
• HTTP Strict Transport Security (HSTS) / SSL stripping limitations
• hybrid apps
  • about / Hybrid apps, Different types of mobile apps and their threat model
• Hydra
  • about / Hydra – a brute force password cracker

I

• If structures
  • about / Working with Boolean logic, Understanding the decision points
• image files
  • mounting / Mounting image files
• improvements, in Kali Linux 2.0
  • continuous rolling updates / Improvements in Kali Linux 2.0
  • frequent tool updates / Improvements in Kali Linux 2.0
  • revamped desktop environment / Improvements in Kali Linux 2.0
  • support, for various hardware platforms / Improvements in Kali Linux 2.0
  • major tool changes / Improvements in Kali Linux 2.0
• incrementer
  • about / Reviewing the for loop structure
• information gathering, reconnaissance
  • about / Reconnaissance – information gathering
  • domain registration details / Domain registration details
  • hosts, identifying with DNS / Identifying hosts using DNS
  • Recon-ng tool / The Recon-ng tool – a framework for information gathering
• information leakage
  • about / Information leakage
• injection-based flaws
  • about / Injection-based flaws
  • command injection / Command injection
  • SQL injection / SQL injection
• insecure data storage
  • NoSQL database / Insecure data storage – NoSQL database
• installation, Kali Linux
  • about / Installing Kali Linux
  • on USB drive / USB mode
  • on Amazon cloud / Kali Linux on Amazon cloud
  • on hard drive / Installing Kali Linux on a hard drive
• Insufficient Transport Layer Security
  • about / Insufficient Transport Layer Security
• integrated authentication
  • about / Integrated authentication
• intent filter
  • about / Intent filters
• Inter-Process Communication (IPC) mechanism
  • about / Drozer
• interactive mode
  • QARK (Quick Android Review Kit), running in / Running QARK in interactive mode
• internal command / Getting help in Weevely
• internal storage
  • about / Internal storage, Internal storage
• Internet Assigned Numbers Authority (IANA) / Application version fingerprinting
• interprocess communication (IPC)
  • about / Attacks on services
• Introspy
  • about / Cydia Substrate and Introspy
  • Tracer / Cydia Substrate and Introspy
  • Analyser / Cydia Substrate and Introspy
  • setting up / Cydia Substrate and Introspy
  • installing / Cydia Substrate and Introspy
  • used, for runtime monitoring and analysis / Runtime monitoring and analysis using Introspy
• Intrusion Detection System (IDS)
  • about / Zenmap
• intrusion detection system (IDS) / Phoning Home with Metasploit
• IPInfoDB GeoIP / Reporting modules
• IP spoofing / Spoofing network traffic

J

• JAD
  • executing / Running JAD
  • URL / Running JAD
• jarsigner / Android app build process
• Java
  • about / Java
  • URL / Java
  • installing / Java
• Java applet attack
  • about / Java applet attack
• JavaScript
  • about / Introduction to JavaScript
• JavaScript, in HTML code
  • script tag / Introduction to JavaScript
  • body tag / Introduction to JavaScript
  • image tag / Introduction to JavaScript
• JDB / Exploiting debuggable apps
• JDWP (Java Debug Wire Protocol) / Exploiting debuggable apps
• Johnny
  • about / My friend Johnny
  • using / My friend Johnny
• Johnny Cracking Tool / Exploiting poor patch management
• John the Ripper
  • about / John the Ripper (command line)
  • using / John the Ripper (command line)
• Joomscan
  • about / CMS identification tools

K

• Kali
  • URL / Prerequisites for installation, Running Kali from the live CD
  • executing / Running Kali from the live CD
  • used, for Forensics / Starting Kali for Forensics
• Kali 2.x
  • Main Menu, customizing / Adding a tool to the main menu in Kali 2.x
• Kali Linux
  • installing, to encrypted USB drive / Installing Kali Linux to an encrypted USB drive
  • prerequisites, for installation / Prerequisites for installation
  • booting up / Booting Up
  • configuration, installing / Installing configuration
  • drive, setting up / Setting up the drive
  • installation, booting / Booting your new installation of Kali
  • services, executing / Running services on Kali Linux
  • security tools / Exploring the Kali Linux Top 10 and more
  • about / Kali Linux, Kali Linux
  • installing / Installing Kali Linux
  • installing, on USB drive / USB mode
  • URL, for downloading / USB mode
  • installing, on Amazon cloud / Kali Linux on Amazon cloud
  • installing, on hard drive / Installing Kali Linux on a hard drive
  • virtualization, versus installation on physical hardware / Kali Linux-virtualizing versus installing on physical hardware
  • tools / Important tools in Kali Linux
  • URL / Kali Linux
• Kali Linux 2.0
  • improvements / Improvements in Kali Linux 2.0
• Kali Linux image, Amazon marketplace
  • reference link / Kali Linux on Amazon cloud
• KeepNote
  • about / KeepNote – the standalone document organizer, Using Unicorn-Scan
  • configuring / KeepNote – the standalone document organizer
  • using / Using advanced footprinting
• key logger / Key logger
• Keytool / Android app build process

L

• Leafpad
  • about / Gedit – the Gnome text editor
• legitimate apps
  • infecting / A note on infecting legitimate apps
• LinkedIn authenticated contact enumerator / Reporting modules
• Linux Unified Key Setup (LUKS)
  • about / USB mode
• Live Forensic mode
  • about / Starting Kali for Forensics
• load balancers
  • identifying / Identifying load balancers, Other ways of identifying load balancers
  • cookie-based load balancer / Cookie-based load balancer
• load balancers, identifying
  • SSL differences between servers, analyzing / Other ways of identifying load balancers
  • different URL, redirecting to / Other ways of identifying load balancers
  • DNS records, for load balancers / Other ways of identifying load balancers
  • load balancer detector / Other ways of identifying load balancers
  • web application firewall (WAF) / Other ways of identifying load balancers
• local file include / Local file include
• local privilege escalation
  • standalone tool, using / Local privilege escalation with a standalone tool
• Local Security Authority (LSA) / Phoning Home with Metasploit
• logging based vulnerabilities
  • about / Logging based vulnerabilities

M

• Mail exchanger (MX) / Zone transfer using dig
• Maltego
  • about / Using Maltego
  • using / Using Maltego
• malware
  • about / Malware
• malware analysis
  • about / Malware analysis
  • static analysis / Static analysis
  • dynamic analysis / Dynamic analysis
• man-in-the-middle attack (MitM) / Sniffing and spoofing network traffic
• man-in-the-middle attack (MITM) / Sniffing tokens and man-in-the-middle attacks
• man in the middle attack (MITM)
  • about / SSL man-in-the-middle attack
• Metasploit
  • about / Installing Kali Linux to an encrypted USB drive, Basic sniffing with tcpdump
  • version, selecting / Choosing the right version of Metasploit
  • starting / Starting Metasploit
  • used, for gaining access / Gaining access with Metasploit
  • used, for Phoning Home / Phoning Home with Metasploit
• metasploit browser exploit
  • about / Metasploit browser exploit
• meterpreter
  • commands / Exploitation – Metasploit
  • about / Exploitation – Metasploit
• Meterpreter session / Exploiting poor patch management
• micoOLAP
  • URL / Basic sniffing with tcpdump
• MitM (Man in the Middle)
  • about / Threats at the client side, MitM attacks
• mobile application architecture
  • about / Mobile application architecture, Mobile application architecture
• mobile applications service side attack surface
  • about / Mobile applications server-side attack surface
• mobile apps
  • types / Different types of mobile apps and their threat model
  • threat model / Different types of mobile apps and their threat model
• mobile apps, securing
  • guidelines / Guidelines for testing and securing mobile apps
• modes, Zed Attack Proxy (ZAP)
  • safe mode / Modes of operation
  • protected mode / Modes of operation
  • standard mode / Modes of operation
• msfconsole / Phoning Home with Metasploit
• msfvenom / Phoning Home with Metasploit
• multi-tier web application
  • about / Multi-tier web application
  • presentation layer / Multi-tier web application
  • application layer / Multi-tier web application
  • data access layer / Multi-tier web application
• mutation fuzzers
  • about / Mutation fuzzing
• mutation fuzzing
  • about / Mutation fuzzing
• Mutillidae
  • reference link / Attacking path traversal using Burp proxy
• mutillidae
  • about / Exploiting the mutillidae XSS flaw using BeEF

N

• NAC (Network Access Controller)
  • cracking / Cracking the NAC (Network Access Controller)
• native apps
  • about / Native apps, Different types of mobile apps and their threat model
• netcat (nc) utility / The OPTIONS method
• NetCat (Ncat)
  • used, for maintaining access / Maintaining access with Ncat
• Netcraft hostname enumerator / Reporting modules
• NET USE command / Abusing the Windows NET USE command
• network
  • mapping, to pivot / Mapping the network to pivot
• network footprinting
  • about / Footprinting the network
  • network exploring, with Nmap / Exploring the network with Nmap
  • Zenmap / Zenmap
  • network range, scanning / Scanning a network range
• network protocol fuzzing
  • about / Network protocol fuzzing
• network range
  • difference verbosity makes, viewing / The difference verbosity makes
  • scanning / Scanning a network range
• Nikto
  • about / Nikto
  • features / Nikto
• NMap
  • used, for discovering new machines / Discovering new machines with NMap
• Nmap
  • network, exploring / Exploring the network with Nmap
  • URL, for downloading / Exploring the network with Nmap
  • URL / Scanning a network range
• Nmap version scan
  • about / The Nmap version scan
• NoSQL database
  • about / Insecure data storage – NoSQL database
  • NoSQL demo application functionality / NoSQL demo application functionality
• NoSQL demo application functionality
  • about / NoSQL demo application functionality

O

• Object Relational Model (ORM) / Avoiding SQL injection
• Offensives Security's exploit
  • reference link / Replacing the executable
• OllyDbg
  • executing / Running OllyDbg
• open source intelligence (OSINT) gathering / Reconnaissance – information gathering
• OpenSSL command-line tool
  • about / OpenSSL command-line tool
• OpenVAS
  • about / Running Kali from the live CD, A return to OpenVAS, OpenVAS
  • setting up / Setting up and configuring OpenVAS
  • configuring / Setting up and configuring OpenVAS
  • considerations / A return to OpenVAS
  • executing / A return to OpenVAS
• Open Web Application Security Project (OWASP)
  • about / WebScarab and Zed Attack Proxy
• OWASP
  • URL / Testing for CSRF flaws
• OWASP broken web applications
  • reference link / Attacking path traversal using Burp proxy
• OWASP GoatDroid
  • installing / Installing OWASP GoatDroid
  • download link / Installing OWASP GoatDroid
• OWASP Mobile Top 10 vulnerabilities
  • about / OWASP Top 10 Mobile Risks (2014)
  • weak server-side controls / M1: Weak Server-Side Controls
  • insecure data storage / M2: Insecure Data Storage
  • insufficient transport layer protection / M3: Insufficient Transport Layer Protection
  • unintended data leakage / M4: Unintended Data Leakage
  • poor authorization and authentication / M5: Poor Authorization and Authentication
  • broken cryptography / M6: Broken Cryptography
  • client-side injection / M7: Client-Side Injection
  • security decisions, via untrusted inputs / M8: Security Decisions via Untrusted Inputs
  • improper session handling / M9: Improper Session Handling
  • lack of binary protection / M10: Lack of Binary Protections
• OWASP SQL injection
  • URL / Avoiding SQL injection
• OWASP top 10 mobile risks
  • about / Relating OWASP top 10 mobile risks and web attacks
• OWASP Top 10 Proactive Controls Document
  • URL / Quick solutions to cross-site scripting
• OWASP ZAP
  • used, for zinging Windows servers / Zinging Windows servers with OWASP ZAP
  • using, as attack proxy / Using ZAP as an attack proxy
  • interface, reading / Reading the ZAP interface
  • about / AJAX spider – OWASP ZAP

P

• Packet Capture File / Basic sniffing with tcpdump
• passive reconnaissance
  • versus active reconnaissance / Passive reconnaissance versus active reconnaissance
• passphrase
  • about / Setting up the drive
• password/PIN
  • bypassing, with adb / Bypassing password/PIN using adb
• password attack
  • planning / Password attack planning
  • NTLM code, cracking / Cracking the NTLM code (Revisited)
  • password lists, using / Password lists
  • password lists, cleaning / Cleaning a password list
• Password Based Encryption (PBE) / Being safe
• Paterva
  • URL / Using Maltego
• path traversal
  • about / Path traversal
  • attacking, burp proxy used / Attacking path traversal using Burp proxy
  • mitigation / Mitigation
• path traversal attacks, in content providers
  • about / Path traversal attacks in content providers
  • /etc/hosts, reading / Reading /etc/hosts
  • kernel version, reading / Reading kernel version
• pattern lock, bypassing with adb
  • about / Bypassing pattern lock using adb
  • gesture.key file, removing / Removing the gesture.key file
  • SHA1 hashes, cracking from gesture.key file / Cracking SHA1 hashes from the gesture.key file
• Payment Card Industry (PCI) / The need for testing web applications
• Payment Card Industry Digital Security Standard
  • about / Installing Kali Linux to an encrypted USB drive
• penetration testing / Proactive security testing
  • about / Penetration testing
  • limitations / The limitations of penetration testing
  • Tor, using for / Using Tor for penetration testing
• permissions
  • registering / Registering permissions
  • simple SMS stealer, writing / Writing a simple SMS stealer
• persistent connections
  • about / Maintaining access
• persistent XSS
  • about / Persistent XSS
• Phoning Home
  • about / Maintaining access
• PHP shell
  • about / PHP shell and Metasploit
• pinata-csrf-tool
  • URL / Testing for CSRF flaws
• pivot
  • about / Using the pivot
  • using / Using the pivot
  • network, mapping / Mapping the network to pivot
• Plecost
  • about / CMS identification tools
• plugins, w3af
  • crawl / Plugins
  • audit / Plugins
  • grep / Plugins
  • infrastructure / Plugins
  • output / Plugins
  • auth / Plugins
• pm (package manager) / Listing the packages
• poor patch management
  • exploiting / Exploiting poor patch management
• port scanning, using Nmap
  • about / Port scanning using Nmap
  • different options for port scan / Different options for port scan
  • firewalls and IPS, evading with Nmap / Evading firewalls and IPS using Nmap
  • firewall, spotting with back checksum option / Spotting a firewall using back checksum option in Nmap
• POST method
  • used, for executing XSS / XSS using the POST Method
• PowerFuzzer
  • about / PowerFuzzer tool
• preinstalled apps
  • extracting, examples / Example of extracting preinstalled apps
• prerequisites, for brute forcing login page
  • host / Hydra – a brute force password cracker
  • method / Hydra – a brute force password cracker
  • URL / Hydra – a brute force password cracker
  • form parameters / Hydra – a brute force password cracker
  • failure response / Hydra – a brute force password cracker
  • list of username / Hydra – a brute force password cracker
  • password dictionary / Hydra – a brute force password cracker
  • threads / Hydra – a brute force password cracker
  • timeout period / Hydra – a brute force password cracker
  • output file / Hydra – a brute force password cracker
• privilege escalation
  • physical access, using / Escalating privileges with physical access
  • samdump2 tool, used for robbing hives / Robbing the Hives with samdump2
  • registry, owing with chntpw / Owning the registry with chntpw
• privileges
  • escalating, with physical access / Escalating privileges with physical access
• Privoxy
  • setting up / Steps to set up Tor and connect anonymously
• proactive security testing
  • about / Proactive security testing
  • hacker / Who is a hacker?
  • different testing methodology / Different testing methodologies
• proxy
  • Burp Suite, using as / Using Burp Suite as a Proxy
• proxy listener / Using Burp Suite as a Proxy
• ProxyStrike
  • about / ProxyStrike
• Pushin modules
  • about / Reporting modules
  • Twitter geolocation search / Reporting modules
  • Flickr geolocation search / Reporting modules

Q

• QARK
  • about / QARK (No support for windows)
  • download link / Getting ready
• QARK (Quick Android Review Kit)
  • about / QARK (Quick Android Review Kit), Static analysis using QARK:
  • modes / QARK (Quick Android Review Kit)
  • running, in interactive mode / Running QARK in interactive mode
  • reporting / Reporting
  • running, in seamless mode / Running QARK in seamless mode:
  • reference / Static analysis using QARK:

R

• Radare2
  • executing / Running Radare2
  • about / Running Radare2
  • URL / Running Radare2
• Radare2 tool suite
  • about / Additional members of the Radare2 tool suite
  • rasm2, executing / Running rasm2
  • rahash2, executing / Running rahash2
  • radiff2, executing / Running radiff2
  • rafind2, executing / Running rafind2
  • rax2, executing / Running rax2
• radiff2
  • executing / Running radiff2
• rafind2
  • executing / Running rafind2
• rahash2
  • executing / Running rahash2
• rasm2
  • executing / Running rasm2
• rax2
  • executing / Running rax2
• rdesktop
  • about / Adding a Windows user from the command line
• Recon-ng tool
  • about / The Recon-ng tool – a framework for information gathering
  • domain enumeration / Domain enumeration using recon-ng
  • top-level domain enumeration / Sub-level and top-level domain enumeration
  • sub-level domain enumeration / Sub-level and top-level domain enumeration
  • modules, reporting / Reporting modules
• reconnaissance
  • about / Reconnaissance
  • aim / Reconnaissance
  • passive reconnaissance, versus active reconnaissance / Passive reconnaissance versus active reconnaissance
  • information gathering / Reconnaissance – information gathering
• reconnaissance modules, in Recon-ng
  • Netcraft hostname enumerator / Reporting modules
  • SSL SAN lookup / Reporting modules
  • LinkedIn authenticated contact enumerator / Reporting modules
  • IPInfoDB GeoIP / Reporting modules
  • Yahoo! hostname enumerator / Reporting modules
  • Geocoder and reverse geocoder / Reporting modules
  • Pushin modules / Reporting modules
• recovery
  • installing / Installing recovery softwares
  • Odin, using / Using Odin
  • Heimdall, using / Using Heimdall
• reflected XSS
  • about / Reflected XSS
• reflected XSS flaw / Cross-site scripting
• Regional Internet Registrars (RIR) / Whois – extracting domain information
• remote access
  • maintaining / Maintaining access
  • tracks, covering / Covering our tracks
  • maintaining, Ncat used / Maintaining access with Ncat
  • Metasploit, used for Phoning Home / Phoning Home with Metasploit
• remote file include / Remote file include
• request header / The request header
• required tools
  • installing / Installing the required tools
  • Java / Java
• resource use
  • monitoring, with Htop / Monitoring resource use with Htop
• response header / The response header
• REST
  • about / Web services
• RESTful web services
  • about / Introducing SOAP and RESTful web services
  • features / Introducing SOAP and RESTful web services
• reverse engineering
  • practicing / Practicing reverse engineering
  • debuggers, demystifying / Demystifying debuggers
  • disassemblers / Introduction to disassemblers
  • tools / Some miscellaneous reverse engineering tools
  • Radare2 tool suite / Additional members of the Radare2 tool suite
• reverse engineering theory
  • about / Reverse engineering theory
  • general theory / One general theory of reverse engineering
• reverse engineering tools
  • about / Some miscellaneous reverse engineering tools
  • Radare2, executing / Running Radare2
• Robots.txt / Concept of Robots.txt
• rooting
  • about / What is rooting?
  • need for / Why would we root a device?
  • advantages / Advantages of rooting
  • disadvantages / Disadvantages of rooting
  • Custom ROM installation / Rooting Process and Custom ROM installation
• rooting, advantages
  • unlimited control over device / Unlimited control over the device
  • additional apps, installing / Installing additional apps
  • features and customization / More features and customization
• rooting, disadvantages
  • about / Disadvantages of rooting
  • security of device, compromising / It compromises the security of your device
  • device, bricking / Bricking your device
  • voids warranty / Voids warranty
• rules of engagement (RoE)
  • about / Rules of engagement
  • black box testing / Black box testing or Gray box testing
  • gray box testing / Black box testing or Gray box testing
  • client contact details / Client contact details
  • client IT team notifications / Client IT team notifications
  • sensitive data handling / Sensitive data handling
  • status meeting / Status meeting
• runtime monitoring and analysis
  • Introspy used / Runtime monitoring and analysis using Introspy

S

• samdump2 tool
  • used, for robbing hive registry / Robbing the Hives with samdump2
• Samsung note 2
  • rooting / Rooting a Samsung Note 2
• SandDroid
  • about / Tools for automated analysis
  • URL / Tools for automated analysis
• scanning
  • about / Scanning – probing the target
  • target, probing / Scanning – probing the target
  • port scanning, using Nmap / Port scanning using Nmap
  • operating system, identifying with Nmap / Identifying the operating system using Nmap
  • server, profiling / Profiling the server
• scanning, for XSS flaws
  • about / Scanning for XSS flaws
  • Zed Attack Proxy (ZAP) / Zed Attack Proxy
  • xsser / Xsser, Features
  • w3af / W3af
• screen locks
  • bypassing / Bypassing screen locks
  • bypassing, with CVE-2013-6271 / Bypassing screen locks using CVE-2013-6271
• sdcard
  • data, pulling from / Pulling data from the sdcard
• seamless mode
  • QARK (Quick Android Review Kit), running in / Running QARK in seamless mode:
• second-level domains (SLDs) / Sub-level and top-level domain enumeration
• secure hashing algorithm (SHA)
  • about / Hashing for message integrity
• Secure Preferences
  • about / Being safe
  • reference / Being safe
• secure socket layer (SSL)
  • about / Secure socket layer
  • in web applications / SSL in web applications
  • encryption process / SSL encryption process
  • asymmetric encryption, versus symmetric encryption / Asymmetric encryption versus symmetric encryption
  • hashing, for message integrity / Hashing for message integrity
  • weak SSL implementations, identifying / Identifying weak SSL implementations
  • man in the middle attack (MITM) / SSL man-in-the-middle attack
• Secure Software Development Life Cycle (SDLC)
  • about / Mobile application architecture
• security audit
  • about / Security audits
• security issues, AJAX
  • about / AJAX security issues
  • increase in attack surface / Increase in attack surface
  • exposed programming logic of application / Exposed programming logic of the application
  • insufficient access control / Insufficient access control
• security tools
  • Aircrack-ng / Exploring the Kali Linux Top 10 and more
  • Burpsuite / Exploring the Kali Linux Top 10 and more
  • (THC)Hydra / Exploring the Kali Linux Top 10 and more
  • John (the Ripper) / Exploring the Kali Linux Top 10 and more
  • Maltego / Exploring the Kali Linux Top 10 and more
  • Metasploit Framework / Exploring the Kali Linux Top 10 and more
  • NMap / Exploring the Kali Linux Top 10 and more
  • Owasp-ZAP / Exploring the Kali Linux Top 10 and more
  • SqlMap / Exploring the Kali Linux Top 10 and more
  • Wireshark / Exploring the Kali Linux Top 10 and more
• Seige
  • about / Putting the network under Siege
• sensitive data storing
  • avoiding / Being safe
• sequencer / Tools to analyze tokens
• server, profiling
  • about / Profiling the server
  • application version fingerprinting / Application version fingerprinting
  • web application framework, fingerprinting / Fingerprinting the web application framework
  • virtual hosts, identifying / Identifying virtual hosts
  • load balancers, identifying / Identifying load balancers
  • web servers, scanning for vulnerabilities / Scanning web servers for vulnerabilities and misconfigurations
  • web applications, spidering / Spidering web applications
• services
  • executing, on Kali Linux / Running services on Kali Linux
  • about / Services
• services command
  • using / Using the hosts and services commands
• session-based flaws
  • about / Session-based flaws
• session fixation attack
  • about / Session fixation attack
  • mitigation / Mitigation for session fixation
• Session ID Number / Grabbing system on the target
• session management
  • about / Session management
• session tokens
  • sharing, between application and browser / Session token sharing between application and browser
• session tracking, using cookies
  • about / Session tracking using cookies
  • cookie / Cookie
  • cookie flow between server and client / Cookie flow between server and client
  • non-persistent cookies / Persistent and non-persistent cookies
  • persistent cookies / Persistent and non-persistent cookies
  • cookie parameters / Cookie parameters
• shared preferences
  • about / Shared preferences, Shared preferences
  • real world application demo / Real world application demo
• shellshock
  • exploiting / Exploiting shellshock
  • about / Exploiting shellshock
  • overview / Overview of shellshock
  • scanning, with dirb / Scanning – dirb
  • exploiting, with Metasploit / Exploitation – Metasploit
• shellshock bug
  • about / Command injection
• Siege engine
  • configuring / Configuring your Siege engine
• Simple Service Discovery Protocol (SSDP)
  • about / Using Unicorn-Scan
• simple SMS stealer
  • writing / Writing a simple SMS stealer
  • user interface / The user interface
  • permissions, registering / Registering permissions
  • code on server / Code on the server
• Skipfish
  • about / Skipfish
• Skipfish web application scanner / Vulnerability scanning and graphical reports – the Skipfish web application scanner
• Sleuth Kit Informer
  • URL / Diving into Autopsy
• SmartStealer application / Decompiling Android apps using dex2jar and JD-GUI
• sniffing network traffic
  • about / Sniffing and spoofing network traffic, Sniffing network traffic
  • tcpdump, basic sniffing with / Basic sniffing with tcpdump
  • with WinDump / More basic sniffing with WinDump (Windows tcpdump)
  • packet hunting, with Wireshark / Packet hunting with Wireshark
  • packet, dissecting / Dissecting the packet, Swimming with Wireshark
• SOAP
  • about / Introducing SOAP and RESTful web services
  • advantages / Introducing SOAP and RESTful web services
• Social-Engineering Attacks / Creating a Spear-Phishing Attack with the Social Engineering Toolkit
• social engineering attacks
  • about / Social engineering attacks, Social engineering attacks
  • e-mail spoofing / Social engineering attacks
  • telephone attacks / Social engineering attacks
  • dumpster diving / Social engineering attacks
  • malicious USB drives / Social engineering attacks
  • employees, training to defeat / Training employees to defeat social engineering attacks
  • phishing e-mails / Social engineering attacks
  • adware and malware / Social engineering attacks
  • phishing websites / Social engineering attacks
• social engineering toolkit (SET)
  • about / Social engineering toolkit
• Social Engineering Toolkit (SET)
  • about / Creating a Spear-Phishing Attack with the Social Engineering Toolkit
  • used, for creating Spear-Phishing Attack / Creating a Spear-Phishing Attack with the Social Engineering Toolkit
• spear-phishing attack
  • about / Spear-phishing attack
• Spear-Phishing Attack Vectors
  • options / Creating a Spear-Phishing Attack with the Social Engineering Toolkit
• spidering / Using ZAP as an attack proxy
• spoofing network traffic
  • about / Sniffing and spoofing network traffic, Spoofing network traffic
  • email spoofing / Spoofing network traffic
  • domain spoofing / Spoofing network traffic
  • domain error spoofing / Spoofing network traffic
  • IP spoofing / Spoofing network traffic
  • Ettercap / Ettercap
  • Ettercap, using on command line / Using Ettercap on the command line
• Sprajax
  • about / Sprajax
  • reference / Sprajax
• SQLCipher
  • about / Being safe
  • reference / Being safe
• SQL injection
  • avoiding / Avoiding SQL injection
  • about / SQL injection, SQL injection
  • SQL statements / SQL statements
  • flaw, manipulating / Attack potential of the SQL injection flaw
  • error-handling / Blind SQL injection
  • testing methodology / SQL injection testing methodology
  • scanning for / Scanning for SQL injection
  • information gathering / Information gathering
  • exploitation, automating with sqlmap / Sqlmap – automating exploitation
  • BBQSQL / BBQSQL – the blind SQL injection framework
  • sqlsus / Sqlsus – MySQL injection
  • sqlninja / Sqlninja – MS SQL injection
• SQL Injection
  • exploiting, in content providers / Exploiting SQL Injection in content providers using adb
• SQLite browser
  • about / SQLite browser
  • URL / SQLite browser
• SQLite databases
  • about / SQLite databases, SQLite databases
• sqlmap
  • about / Sqlmap – automating exploitation
  • features / Sqlmap – automating exploitation
• sqlninja
  • about / Sqlninja – MS SQL injection
  • features / Sqlninja – MS SQL injection
• SQL statements
  • about / SQL statements
  • UNION operator / The UNION operator
  • SQL query example / The SQL query example
• sqlsus
  • about / Sqlsus – MySQL injection
• SSL configuration
  • testing, with Nmap / Testing SSL configuration using Nmap
• SSL MITM tools
  • about / SSL MITM tools in Kali Linux
  • SSLsplit / SSLsplit
  • SSLstrip / SSLstrip
• SSL pinning
  • bypassing, AndroidSSLTrustKiller used / Bypass SSL pinning using AndroidSSLTrustKiller
• SSL SAN lookup / Reporting modules
• SSLScan
  • about / SSLScan
• SSL Server Test
  • about / Testing SSL configuration using Nmap
  • URL / Testing SSL configuration using Nmap
• SSLsplit
  • about / SSLsplit
• SSLstrip
  • about / SSLstrip
  • limitations / SSL stripping limitations
• SSLyze
  • about / SSLyze
• Stagefright
  • about / Using existing exploits
  • reference / Using existing exploits
• standalone tool
  • used, for local privilege escalation / Local privilege escalation with a standalone tool
• static analysis
  • about / Mobile application architecture
• static analysis, malware analysis
  • about / Static analysis
  • Android apps, disassembling with apktool / Disassembling Android apps using Apktool
  • AndroidManifest.xml file, exploring / Exploring the AndroidManifest.xml file
  • smali files, exploring / Exploring smali files
  • Android apps, decompiling with dex2jar and JD-GUI / Decompiling Android apps using dex2jar and JD-GUI
• static analysis, with QARK / Static analysis using QARK:
• Stock recovery
  • about / Stock recovery and Custom recovery
  • prerequisites / Prerequisites
• storage location, of APK files
  • about / Storage location of APK files
  • /data/app/ / /data/app/
  • /system/app/ / /system/app/
  • /data/app-private/ / /data/app-private/
• stored XSS flaws / Cross-site scripting
• strategies, for testing mobile backend
  • about / Strategies for testing mobile backend
  • Burp Suite Proxy, setting up / Setting up Burp Suite Proxy for testing
  • certificate pinning, bypassing / Bypassing certificate pinning
  • SSL pinning, bypassing with AndroidSSLTrustKiller / Bypass SSL pinning using AndroidSSLTrustKiller
• stress-testing Windows
  • about / Stresstesting Windows
  • Denial / Dealing with Denial
  • network, in Seige / Putting the network under Siege
  • Siege engine, configuring / Configuring your Siege engine
• structured query language (SQL) / Multi-tier web application
• Sulley framework
  • reference / Fuzzer frameworks
• SuperSU
  • reference link / Rooting a Samsung Note 2
• symmetric encryption
  • about / Asymmetric encryption versus symmetric encryption
• symmetric encryption algorithm
  • about / Symmetric encryption algorithm
  • block cipher / Symmetric encryption algorithm
  • stream cipher / Symmetric encryption algorithm
  • Data encryption Standard (DES) / Symmetric encryption algorithm
  • Advance Encryption standard (AES) / Symmetric encryption algorithm
  • International Data Encryption Algorithm (IDEA) / Symmetric encryption algorithm
  • Rivest Cipher 4 (RC4) / Symmetric encryption algorithm

T

• tabnabbing attack
  • about / Tabnabbing attack
• Tcpdump
  • URL / Basic sniffing with tcpdump
• Team Win Recovery Project (TWRP) screen / Rooting a Samsung Note 2
• technical debt
  • about / Demystifying debuggers
• Terminator
  • configuring / Terminator – the terminal emulator for multitasking
  • installing / Terminator – the terminal emulator for multitasking
• terms of service (TOS) / Creating a Spear-Phishing Attack with the Social Engineering Toolkit
• testapp.apk
  • installing / Installing testapp.apk
• test environment
  • setting up / Setting up a test environment
  • victim machine(s), creating / Creating your victim machine(s)
  • testing / Testing your testing environment
• testing
  • Burp Suite Proxy, setting up for / Setting up Burp Suite Proxy for testing
• testing for Injection
  • about / Testing for Injection:
  • column numbers, finding for further extraction / Finding the column numbers for further extraction
  • database functions, running / Running database functions
  • SQLite version, finding / Finding out SQLite version:
  • table names, finding / Finding out table names
• tests
  • reporting / Reporting the tests
  • reporting, with KeepNote / KeepNote – the standalone document organizer
  • reporting, with Dradis / Dradis – the web-based document organizer
• The Hacker's Choice (THC)
  • about / The Amap version scan
• threat modeling
  • about / Mobile application architecture
• threats, at backend
  • about / Threats at the backend
  • authentication/authorization / Threats at the backend
  • session management / Threats at the backend
  • input validation / Threats at the backend
  • improper error handling / Threats at the backend
  • weak cryptography / Threats at the backend
  • attacks, on database / Threats at the backend
• threats, at client side
  • application data at rest / Threats at the client side
  • application data in transit / Threats at the client side
  • vulnerabilities, in code / Threats at the client side
  • data leaks, in app / Threats at the client side
  • platform specific issues / Threats at the client side
• tokens, stealing
  • ways / Different ways to steal tokens
  • brute forcing tokens / Brute forcing tokens
  • sniffing / Sniffing tokens and man-in-the-middle attacks
  • man-in-the-middle attack (MITM) / Sniffing tokens and man-in-the-middle attacks
  • XSS attack used / Stealing session tokens using XSS attack
• tools
  • selecting / Choosing the appropriate time and tool
• tools, for analyzing tokens / Tools to analyze tokens
• tools, for automated analysis
  • about / Tools for automated analysis
• tools, Kali Linux
  • about / Important tools in Kali Linux
  • web application proxies / Web application proxies
  • web vulnerability scanner / Web vulnerability scanner
  • CMS identification tools / CMS identification tools
  • web application fuzzers / Web application fuzzers
• top-level domains (TLDs) / Sub-level and top-level domain enumeration
• Tor
  • using, for penetration testing / Using Tor for penetration testing
  • setting up / Steps to set up Tor and connect anonymously
  • used, for visualizing web request / Visualization of a web request through Tor
  • overview / Final words for Tor
• Tracer, Introspy
  • about / Cydia Substrate and Introspy
  • Cydia Substrate Extension (core) / Cydia Substrate and Introspy
• Transform Application Server (TAS)
  • about / Using Maltego
• types, cross-site scripting
  • about / Types of cross-site scripting
  • persistent XSS / Persistent XSS
  • reflected XSS / Reflected XSS
  • DOM-based XSS / DOM-based XSS

U

• UID per app / UID per app
• Unicorn-Scan
  • about / Using Unicorn-Scan
  • using / Using Unicorn-Scan
• USB drive
  • Kali Linux, installing on / USB mode
• user dictionary cache
  • about / User dictionary cache
• user installed apps
  • extracting, examples / Example of extracting user installed apps
• user interface, simple SMS stealer
  • about / The user interface
  • code, for MainActivity.java / Code for MainActivity.java
  • code, for reading SMS / Code for reading SMS
  • code, for uploadData() method / Code for the uploadData() method
  • complete code, for MainActivity.java / Complete code for MainActivity.java
• user interface fuzzing
  • about / User interface fuzzing

V

• Valgrind Debugger
  • used, for discovering memory leaks / Using the Valgrind Debugger to discover memory leaks
• virtual hosts
  • identifying / Identifying virtual hosts
  • locating, with search engines / Locating virtual hosts using search engines
  • lookup module, in Recon-ng / The virtual host lookup module in Recon-ng
• virtual private network (VPN) / Secure socket layer
• VMware images
  • of Kali Linux / VMware and ARM images of Kali Linux
• vulnerability assessment
  • about / Vulnerability assessment
• vulnerable apps
  • about / Vulnerable apps
  • GoatDroid / Vulnerable apps
  • SSHDroid / Kali Linux
  • FTP Server / Kali Linux
• vulnerable bank application
  • reference link / Cross-site request forgery

W

• w3af
  • about / W3af
  • plugins / Plugins
  • graphical interface / Graphical interface
• Wander / Basic sniffing with tcpdump
• weak SSL implementations
  • identifying / Identifying weak SSL implementations
  • identifying, with OpenSSL command-line tool / OpenSSL command-line tool
  • identifying, with SSLScan / SSLScan
  • identifying, with SSLyze / SSLyze
• Web application firewall (WAF) / Status meeting
• web application framework, fingerprinting
  • about / Fingerprinting the web application framework
  • HTTP header / The HTTP header
  • Whatweb scanner / The Whatweb scanner
• web application fuzzers
  • about / Web application fuzzers
• web application fuzzers, in Kali Linux
  • about / Web application fuzzers in Kali Linux
• web application fuzzing
  • about / Web application fuzzing
• web application overview, for penetration testers
  • about / A web application overview for penetration testers
  • HTTP protocol / HTTP protocol
  • response header / Request and response header, The response header
  • request header / The request header
  • HTTP methods / Important HTTP methods for penetration testing
  • session tracking, using cookies / Session tracking using cookies
  • HTML data, in HTTP response / HTML data in HTTP response
  • multi-tier web application / Multi-tier web application
• web application proxies
  • about / Web application proxies
  • Burp proxy / Burp proxy
  • WebScarab / WebScarab and Zed Attack Proxy
  • Zed Access Proxy (ZAP) / WebScarab and Zed Attack Proxy
  • ProxyStrike / ProxyStrike
• web applications
  • testing / The need for testing web applications
  • testing, fuzzing used / Testing web applications using fuzzing
  • fuzzing input / Fuzzing input in web applications
  • result of fuzzing, detecting / Detecting result of fuzzing
• web applications, spidering
  • about / Spidering web applications
  • Burp spider / The Burp spider
  • application login / Application login
• web attacks
  • about / Relating OWASP top 10 mobile risks and web attacks
• web based apps
  • about / Web Based apps, Different types of mobile apps and their threat model
• web browser fuzzing
  • about / Web browser fuzzing
• Web Crawler / Web Crawler – Dirbuster
• web jacking attack
  • about / Web jacking attack
• web request
  • visualizing, through Tor / Visualization of a web request through Tor
• webscape
  • about / Surveying the webscape
  • Robots.txt / Concept of Robots.txt
  • .htaccess / Concept of .htaccess
  • cross-site scripting, quick solutions / Quick solutions to cross-site scripting
  • buffer overflows, reducing / Reducing buffer overflows
  • SQL injection, avoiding / Avoiding SQL injection
• WebScarab
  • about / WebScarab and Zed Attack Proxy
• Webscarab / Tools to analyze tokens
• web servers, scanning
  • about / Scanning web servers for vulnerabilities and misconfigurations
  • HTTP methods, identifying with Nmap / Identifying HTTP methods using Nmap
  • web servers, testing with auxiliary modules / Testing web servers using auxiliary modules in Metasploit
  • scan, automating with WMAP web scanner plugin / Automating scanning using the WMAP web scanner plugin
  • vulnerability scanning / Vulnerability scanning and graphical reports – the Skipfish web application scanner
• web services
  • about / Web services
  • SOAP / Introducing SOAP and RESTful web services
  • RESTful web services / Introducing SOAP and RESTful web services
  • securing / Securing web services
  • insecure direct object reference vulnerability / Insecure direct object reference vulnerability
• website attack
  • about / Website attack
  • Java applet attack / Java applet attack
  • credential harvester attack / Credential harvester attack
  • web jacking attack / Web jacking attack
  • metasploit browser exploit / Metasploit browser exploit
  • tabnabbing attack / Tabnabbing attack
• website defacing / Website defacing
• WebView
  • about / WebView attacks
• WebView attacks
  • about / WebView attacks
  • sensitive local resources, accessing through file scheme / Accessing sensitive local resources through file scheme
  • issues / Other WebView issues
• web vulnerability scanner
  • about / Web vulnerability scanner
  • Nikto / Nikto
  • Skipfish / Skipfish
  • Web Crawler / Web Crawler – Dirbuster
  • OpenVAS / OpenVAS
  • database exploitation / Database exploitation
• Weevely
  • about / Weaseling in with Weevely, Preparing to use Weevely
  • using, preparation steps / Preparing to use Weevely
  • agent, creating / Creating an agent
  • testing, locally / Testing Weevely locally
  • testing, on Windows Server / Testing Weevely on a Windows server
  • commands / Getting help in Weevely
• Weevely, testing on Windows Server
  • about / Testing Weevely on a Windows server
  • help command, running / Getting help in Weevely
  • system info, obtaining / Getting the system info
  • filesystem commands, using / Using filesystem commands in Weevely
  • writing, into files / Writing into files
• While loop
  • structure, reviewing / Reviewing a while loop structure
• Whois
  • about / Whois – extracting domain information
• Windows NET USE command
  • abusing / Abusing the Windows NET USE command
  • Windows user, adding from command line / Adding a Windows user from the command line
• Windows Server
  • Weevely, testing / Testing Weevely on a Windows server
• Windows user
  • adding, from command line / Adding a Windows user from the command line
• WinDump
  • about / More basic sniffing with WinDump (Windows tcpdump)
• Windump.exe
  • URL / Basic sniffing with tcpdump
• WinPcap.exe
  • URL / Basic sniffing with tcpdump
• Wireshark
  • about / Basic sniffing with tcpdump
  • packet hunting with / Packet hunting with Wireshark
  • packet, dissecting / Dissecting the packet, Swimming with Wireshark
• workspaces
  • creating / Creating workspaces to organize your attack

X

• xHydra
  • about / xHydra
  • using / xHydra
• Xposed framework
  • used, for hooking / Hooking using Xposed framework
  • about / Hooking using Xposed framework
• XSS
  • executing, POST method used / XSS using the POST Method
• XSS, combining with JavaScript
  • about / XSS and JavaScript – a deadly combination
  • cookie stealing / Cookie stealing
  • key logger / Key logger
  • website defacing / Website defacing
• XSS attack
  • about / An overview of cross-site scripting
  • example / An overview of cross-site scripting
• xsser
  • about / Xsser
  • features / Features
  • graphical interface / Features
• XSS vulnerabilities
  • stored XSS flaws / Cross-site scripting
  • reflected XSS flaw / Cross-site scripting

Y

• Yahoo! hostname enumerator / Reporting modules

Z

• Zed Access Proxy (ZAP)
  • about / WebScarab and Zed Attack Proxy
• Zed Attack Proxy (ZAP)
  • about / Tools to analyze tokens, Zed Attack Proxy
  • nodes, scoping / Scoping and selecting modes
  • nodes, selecting / Scoping and selecting modes
  • modes / Modes of operation
  • scan policy, defining / Scan policy and attack
• Zenmap
  • about / Zenmap
• zipalign tool / Android app build process
• Zygote / What happens when an app is run?