Printable Summary Sheet

A condensed reference of key facts, ports, and acronyms for offline study. Use Ctrl+P to print or save as PDF.

CPSA Summary Sheet

📋 Module A: Soft Skills and Assessment Management

A1 Engagement Lifecycle: Know the differences between black box, white box, and grey box testing. Understand why project closure and secure data destruction are important.
A2 Law & Compliance: Know all CMA sections and their penalties. Understand that written authorisation makes testing lawful. Remember the Police and Justice Act 2006 added Section 3A about hacking tools.
A3 Scoping: Understand the factors that affect scoping decisions and the importance of Rules of Engagement documentation.
A4 Understanding, Explaining and Managing Risk: Know the types of risks pen testing introduces and how to mitigate them. Understand the importance of DoS planning.
A5 Record Keeping, Interim Reporting & Final Results: Understand why record keeping is important and the components of a good penetration testing report. Know about CVSS scoring.

🔧 Module B: Core Technical Skills

B1 IP Protocols: Know TCP flags, the three-way handshake, and the differences between TCP and UDP. Be able to identify common ports. Understand IPv4 vs IPv6 differences.
B2 Network Architectures: Know the security implications of shared vs switched media. Understand VLAN hopping attacks and their mitigations.
B4 Network Mapping & Target Identification: Understand how traceroute works using TTL. Know why false negatives occur and how to mitigate them.
B5 Interpreting Tool Output: Know all Nmap port states and what they mean. Be comfortable reading Nmap scan output.
B6 Filtering Avoidance Techniques: Understand the difference between ingress and egress filtering. Know why egress filtering is important and how attackers exploit its absence.
B8 OS Fingerprinting: Know default TTL values for common operating systems. Understand the difference between active and passive fingerprinting.
B9 Application Fingerprinting and Evaluating Unknown Services: Know how to use banner grabbing with netcat. Understand why version detection is important for vulnerability identification.
B10 Network Access Control Analysis: Know that firewall rules are processed top-down. Understand default deny vs default allow policies.
B11 Cryptography: Know the key difference between encoding and encryption. Know key sizes for DES, 3DES, and AES. Understand why MD5 and SHA-1 are considered weak.
B12 Applications of Cryptography: Know why WEP is broken. Understand the evolution from SSL to TLS. Know IPsec Transport vs Tunnel mode.
B13 File System Permissions: Know Unix permission values (rwx = 421). Understand SUID and its security implications. Know basic NTFS permission types.
B14 Audit Techniques: Know the commands for listing processes and sockets on both Linux and Windows.

🔍 Module C: Background Information Gathering and Open Source

C1 Registration Records: Know which RIR covers which region. Understand what information WHOIS provides.
C2 Domain Name Server (DNS): Know all DNS record types listed in the syllabus and what they do. Understand zone transfers and why they are dangerous if unrestricted.
C3 Customer Web Site Analysis: Know what to look for in HTML source code. Understand why robots.txt is useful for reconnaissance.
C4 Google Hacking and Web Enumeration: Know the main Google search operators. Understand what Shodan is used for.
C5 NNTP Newsgroups and Mailing Lists: Understand why mailing list archives and forums are useful OSINT sources.
C6 Information Leakage from Mail & News Headers: Know which email headers leak internal information and what that information reveals.

🌐 Module D: Networking Equipment

D1 Management Protocols: Know the default ports and security weaknesses of each management protocol. Know default SNMP community strings.
D2 Network Traffic Analysis: Know common Wireshark display filters. Understand how to capture traffic on switched networks.
D3 Networking Protocols: Know the security issues with each protocol. Understand ARP poisoning and DHCP attacks. Know the difference between TACACS+ and RADIUS.
D4 IPsec: Know the difference between IKE Main Mode and Aggressive Mode. Know the default port for IKE.
D5 VoIP: Know SIP ports and basic SIP methods. Understand common VoIP security risks.
D6 Wireless: Know the evolution of wireless encryption (WEP → WPA → WPA2). Know why WEP is broken. Understand EAP variants.
D7 Configuration Analysis: Know Cisco password types, especially that Type 7 is reversible. Know what to look for in a configuration review.

🪟 Module E: Microsoft Windows Security Assessment

E1 Domain Reconnaissance: Know the ports for NetBIOS (137/138/139) and SMB (445). Understand null sessions.
E2 User Enumeration: Know the three methods of user enumeration: NetBIOS, SNMP, and LDAP.
E3 Active Directory: Know all five FSMO roles and whether they are per-domain or per-forest. Understand AD's reliance on DNS.
E4 Windows Passwords: Know the weaknesses of LM vs NTLM hashes. Understand pass-the-hash attacks. Know where hashes are stored.
E5 Windows Vulnerabilities: Know the post-exploitation steps listed in the syllabus. Understand remote vs local exploits.
E6 Windows Patch Management Strategies: Know what WSUS, SMS, SUS, and MBSA are and how they relate to each other.
E7 Desktop Lockdown: Know common breakout techniques for locked-down environments.
E8 Exchange: Know the services Exchange exposes and why it is a high-value target.
E9 Common Windows Applications: Know common exploit databases and the importance of cross-referencing software versions.

๐Ÿง Module F: Unix Security Assessment

F1 User Enumeration โ€” Know how finger, SMTP VRFY/EXPN, rusers, and rwho can be used for user enumeration.
F2 Unix Vulnerabilities โ€” Know the post-exploitation steps. Understand remote vs local exploit usage. Know where Unix password hashes are stored.
F3 FTP โ€” Know FTP risks: cleartext credentials, anonymous access, write access dangers.
F4 Sendmail / SMTP โ€” Know SMTP commands, especially VRFY and EXPN. Understand what an open relay is.
F5 Network File System (NFS) โ€” Know what root_squash does and why it matters. Understand UID/GID manipulation attacks.
F6 R* Services โ€” Know what hosts.equiv and .rhosts do. Understand why "+" entries are dangerous.
F7 X11 โ€” Know the difference between xhost (host-based) and xauth (user-based) access control.
F8 RPC Services โ€” Know that rpcinfo enumerates RPC services via port 111.
F9 SSH โ€” Know why SSH v1 should be disabled. Know SSH authentication mechanisms and hardening steps.

🌐 Module G: Web Technologies

G1 Web Server Operation: Know the difference between forward and reverse proxies. Understand virtual hosting.
G2 Web Servers & Their Flaws: Know the key differences between Apache and IIS and their common vulnerabilities.
G3 Web Enterprise Architectures: Know the three tiers and the difference between logical and physical separation.
G4 Web Protocols: Know all HTTP methods and major response codes. Know security headers and what they protect against.
G5 Web Mark-up Languages: Know the security implications of HTML forms and hidden fields. Understand XXE basics.
G6 Web Programming Languages: Know common web languages and their typical vulnerability patterns.
G7 Web Application Servers: Know the common application frameworks and their typical vulnerabilities.
G8 Web APIs: Know what CGI, ISAPI, and Apache modules are and their security implications.
G9 Web Sub-Components: Know that client-side code can be decompiled and what this reveals. Know the decompilation tools for each technology.

🎯 Module H: Web Testing Methodologies

H1 Web Application Reconnaissance: Know the techniques for identifying web application technologies and structure.
H2 Threat Modelling and Attack Vectors: Be able to map application functionality to potential attack vectors.
H3 Information Gathering from Web Mark-up: Know all the information types that can leak from web page source: hidden fields, connection strings, credentials, comments, included files, and authenticated URLs.
H4 Authentication Mechanisms: Know common authentication weaknesses: enumeration, lockout, password reset, and credential storage.
H5 Authorisation Mechanisms: Understand the difference between horizontal and vertical privilege escalation. Know IDOR.
H6 Input Validation: Know the difference between whitelisting, blacklisting, and sanitisation. Know that server-side validation is mandatory.
H8 Information Disclosure in Error Messages: Know what information error messages can reveal and why custom error pages are important.
H9 Use of Cross Site Scripting Attacks: Know the three types of XSS (Reflected, Stored, DOM). Understand the attack implications.
H10 Use of Injection Attacks: Know all four injection types. Understand SQL injection deeply, both normal and blind. Know that parameterised queries prevent SQL injection.
H11 Session Handling: Know cookie security attributes (HttpOnly, Secure, SameSite). Understand session fixation.
H12 Encryption: Know the difference between encoding and encryption. Be able to identify Base64 and common hash formats. Know major SSL/TLS vulnerabilities.
H13 Source Code Review: Know what to look for in a security code review and common dangerous functions.

⚡ Module I: Web Testing Techniques

I1 Web Site Structure Discovery: Know the difference between spidering and forced browsing. Know what response codes mean during discovery.
I2 Cross Site Scripting Attacks: Know practical XSS payloads and what they can achieve. Understand phishing via XSS.
I3 SQL Injection: Know all types of SQL injection. Understand how blind SQL injection works. Know sqlmap.
I4 Parameter Manipulation: Know how interception proxies work and what parameters can be manipulated.

🗄️ Module J: Databases

J1 Microsoft SQL Server: Know default ports and the sa account. Know xp_cmdshell and its risks.
J2 Oracle RDBMS: Know the default Oracle port and common default accounts. Know the SCOTT/tiger default.
J3 Web / App / Database Connectivity: Know default ports for all databases. Understand connection string security. Know the common database/language pairings.

🔌 Key Ports

Port | Proto | Service | Security Notes
20 | TCP | FTP Data | Active mode FTP data connection. Cleartext.
21 | TCP | FTP | Cleartext credentials. Check for anonymous access and write permissions. FTP bounce attacks via PORT command.
22 | TCP | SSH | Check version (v1 is vulnerable). Brute-force risk. Key-based auth preferred over password.
23 | TCP | Telnet | All traffic in cleartext including credentials. Should be replaced with SSH. Often found on network equipment.
25 | TCP | SMTP | VRFY/EXPN for user enumeration. Open relay testing. Cleartext unless STARTTLS is used.
49 | TCP | TACACS+ | Cisco AAA protocol. Encrypts entire packet body (more secure than RADIUS).
53 | TCP/UDP | DNS | Zone transfers (AXFR) on TCP. DNS cache poisoning. Subdomain enumeration.
69 | UDP | TFTP | No authentication whatsoever. Can be used to download router/switch configs.
79 | TCP | Finger | Reveals usernames, real names, login times, idle time. Should be disabled.
80 | TCP | HTTP | Unencrypted web traffic. Full web application testing surface.
88 | TCP | Kerberos | Used by Active Directory. Kerberoasting attacks to extract service ticket hashes.
110 | TCP | POP3 | Cleartext email retrieval. Credentials transmitted in plain text.
111 | TCP/UDP | RPC Portmapper | Enumerates all registered RPC services and their ports via rpcinfo.
119 | TCP | NNTP | Usenet newsgroups. May contain information about the target organisation.
135 | TCP | MS RPC | Windows RPC services. Historical remote exploits (MS03-026/Blaster).
137 | UDP | NetBIOS-NS | NetBIOS name resolution and enumeration. Reveals computer names and domain info.
138 | UDP | NetBIOS-DGM | Browser elections and announcements.
139 | TCP | NetBIOS-SSN | Legacy SMB access. Null sessions for enumeration. Share access.
143 | TCP | IMAP | Cleartext email access. Credentials in plain text.
161 | UDP | SNMP | Default community strings "public" (read) and "private" (write). Enumerates system info, users, processes.
162 | UDP | SNMP Trap | Receives alerts from network devices.
389 | TCP | LDAP | AD enumeration. Anonymous bind may be enabled. LDAP injection.
443 | TCP | HTTPS | SSL/TLS vulnerabilities (POODLE, Heartbleed, BEAST). Certificate validation. Cipher suite analysis.
445 | TCP | SMB | File sharing, printer sharing. EternalBlue (MS17-010). Null sessions. Share enumeration.
465 | TCP | SMTPS | Encrypted email submission.
500 | UDP | ISAKMP/IKE | VPN negotiation. Aggressive mode leaks pre-shared key hash. Enumerate with ike-scan.
512 | TCP | rexec | r-services: cleartext, IP-based trust. Should be disabled.
513 | TCP | rlogin | r-services: .rhosts and hosts.equiv trust relationships. Replace with SSH.
514 | TCP | rsh | r-services: cleartext remote command execution. Replace with SSH.
514 | UDP | Syslog | Cleartext log forwarding. Can reveal system info, errors, security events.
515 | TCP | LPD | Print service. Historical remote exploits on older Linux, Solaris, OS X.
587 | TCP | SMTP Submission | Authenticated email sending port.
636 | TCP | LDAPS | Encrypted LDAP. Check for certificate issues.
993 | TCP | IMAPS | Encrypted email access.
995 | TCP | POP3S | Encrypted email retrieval.
1433 | TCP | MSSQL | Check for default sa credentials. xp_cmdshell for OS command execution. SQL injection target.
1434 | UDP | MSSQL Browser | Enumerates SQL Server instances and their ports.
1521 | TCP | Oracle TNS | Banner reveals version. Default accounts (SYS, SYSTEM, SCOTT/tiger). tnscmd enumeration.
1701 | UDP | L2TP | VPN protocol. Usually paired with IPsec for encryption. L2TP alone has no encryption.
1723 | TCP | PPTP | Deprecated VPN. MS-CHAPv2 authentication is crackable. Uses GRE protocol for the tunnel.
1812 | UDP | RADIUS Auth | AAA protocol. Only encrypts the password field (less secure than TACACS+).
1813 | UDP | RADIUS Acct | RADIUS accounting traffic.
2049 | TCP/UDP | NFS | showmount -e for export enumeration. UID/GID manipulation. Check root_squash.
3268 | TCP | Global Catalogue | Partial copy of all AD forest objects. Cross-domain enumeration.
3269 | TCP | Global Cat SSL | Encrypted Global Catalogue queries.
3306 | TCP | MySQL | Default root with no password. SQL injection. UDF for command execution.
3389 | TCP | RDP | BlueKeep (CVE-2019-0708). Brute-force. NLA bypass. Screenshot attacks.
4500 | UDP | IPsec NAT-T | IPsec encapsulated in UDP for NAT traversal.
5432 | TCP | PostgreSQL | Check for default credentials. COPY TO/FROM for file access.
5900 | TCP | VNC | Remote desktop access. Often weak or no authentication. Cleartext in older versions.
6000 | TCP | X11 | xhost + disables all access control. Keystroke capture, screen viewing, event injection.
8080 | TCP | HTTP Proxy/Alt | Often used for web proxies, Tomcat, management interfaces. Same testing as port 80.
8443 | TCP | HTTPS Alt | Often used for management interfaces. Same testing as port 443.

📝 Key Acronyms

CMA Computer Misuse Act
DPA Data Protection Act
HRA Human Rights Act
PJA Police and Justice Act
ROE Rules of Engagement
NDA Non-Disclosure Agreement
TCP Transmission Control Protocol
UDP User Datagram Protocol
ICMP Internet Control Message Protocol
IP Internet Protocol
IPv4 Internet Protocol version 4
IPv6 Internet Protocol version 6
ARP Address Resolution Protocol
VLAN Virtual Local Area Network
NAT Network Address Translation
ACL Access Control List
OSI Open Systems Interconnection
TTL Time to Live
MTU Maximum Transmission Unit
DES Data Encryption Standard
3DES Triple Data Encryption Standard
AES Advanced Encryption Standard
RSA Rivest-Shamir-Adleman
RC4 Rivest Cipher 4
SHA Secure Hash Algorithm
MD5 Message Digest 5
HMAC Hash-based Message Authentication Code
SSL Secure Sockets Layer
TLS Transport Layer Security
IPsec IP Security
SSH Secure Shell
PGP Pretty Good Privacy
WEP Wired Equivalent Privacy
WPA Wi-Fi Protected Access
WPA2 Wi-Fi Protected Access 2
TKIP Temporal Key Integrity Protocol
IDS Intrusion Detection System
IPS Intrusion Prevention System
PKI Public Key Infrastructure
CA Certificate Authority
OSINT Open Source Intelligence
DNS Domain Name System
WHOIS WHOIS (not an acronym)
SOA Start of Authority
MX Mail Exchange
NS Name Server
PTR Pointer Record
CNAME Canonical Name
TXT Text Record
AXFR Authoritative Zone Transfer
SPF Sender Policy Framework
DKIM DomainKeys Identified Mail
RIR Regional Internet Registry
SNMP Simple Network Management Protocol
TFTP Trivial File Transfer Protocol
NTP Network Time Protocol
CDP Cisco Discovery Protocol
HSRP Hot Standby Router Protocol
VRRP Virtual Router Redundancy Protocol
VTP VLAN Trunking Protocol
STP Spanning Tree Protocol
TACACS+ Terminal Access Controller Access-Control System Plus
RADIUS Remote Authentication Dial-In User Service
SIP Session Initiation Protocol
RTP Real-time Transport Protocol
EAP Extensible Authentication Protocol
LEAP Lightweight EAP
PEAP Protected EAP
DHCP Dynamic Host Configuration Protocol
IKE Internet Key Exchange
PCAP Packet Capture
AD Active Directory
DC Domain Controller
FSMO Flexible Single Master Operations
GC Global Catalogue
GPO Group Policy Object
SMB Server Message Block
NTLM NT LAN Manager
LM LAN Manager
SAM Security Account Manager
LDAP Lightweight Directory Access Protocol
WSUS Windows Server Update Services
MBSA Microsoft Baseline Security Analyzer
OWA Outlook Web Access/App
EWS Exchange Web Services
RDP Remote Desktop Protocol
SID Security Identifier
RID Relative Identifier
NFS Network File System
NIS Network Information Service
RPC Remote Procedure Call
SUID Set User ID
SGID Set Group ID
UID User Identifier
GID Group Identifier
SMTP Simple Mail Transfer Protocol
FTP File Transfer Protocol
HTTP HyperText Transfer Protocol
HTTPS HTTP Secure
SOAP Simple Object Access Protocol
REST Representational State Transfer
API Application Programming Interface
CGI Common Gateway Interface
ISAPI Internet Server API
AJAX Asynchronous JavaScript and XML
XSS Cross-Site Scripting
SQLi SQL Injection
XXE XML External Entity
CSRF Cross-Site Request Forgery
IDOR Insecure Direct Object Reference
LFI Local File Inclusion
RFI Remote File Inclusion
SSRF Server-Side Request Forgery
CSP Content Security Policy
HSTS HTTP Strict Transport Security
WAF Web Application Firewall
OWASP Open Web Application Security Project
STRIDE Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege
DOM Document Object Model
BeEF Browser Exploitation Framework
RDBMS Relational Database Management System
TNS Transparent Network Substrate
ODBC Open Database Connectivity
OLE DB Object Linking and Embedding Database
TDS Tabular Data Stream