Unit 1

offsec

Uploaded by

sr6865
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
14 views80 pages

Unit 1

offsec

Uploaded by

sr6865
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 80

Offensive Security

18CSE412J
Offensive Security
• Offensive Security refers to the practice of actively attacking and exploiting
computer systems and networks to test their defenses and identify vulnerabilities.

• Offensive Security is often used by companies and organizations to evaluate the effectiveness of their
security measures, as well as by governments and military organizations to gather intelligence and disrupt
the activities of adversaries.

• Defensive Security, on the other hand, refers to protecting computer systems and
networks from attack by identifying and mitigating vulnerabilities and
implementing measures to prevent or detect unauthorized access or activity.

• Companies and organizations use Defensive Security to safeguard their systems and data from cyber threats.
Even government and military organizations use the Defensive Security approach to defend against cyber
attacks from adversaries.
Types of Hackers

The Gobuster tool enumerates hidden directories and files in the target domain by performing a brute-force
attack.
Linux Fundamentals
pwd
• When you first open the terminal, you are in the home directory of your user.
• To know which directory you are in, you can use the “pwd” command.
• It gives us the absolute path, which means the path that starts from the root.

ls
• Use the "ls" command to know what files are in the directory.
• You can see all the hidden files using the command “ls -a”.

cd
• Go to a directory using the “cd” command. For example, if you are in the home folder and want to go to the
downloads folder, you can type in “cd Downloads”. This command is case-sensitive. To go back from a folder
to the folder before that, you can type “cd ..”.
Linux Fundamentals
mkdir & rmdir
• Use the mkdir command when you need to create a folder or a directory.
• For example, if you want to make a directory called “DIY”, you can type “mkdir DIY”.
• Use rmdir to delete a directory. But rmdir can only be used to delete an empty directory.

rm
• Use the rm command to delete files and directories. Use "rm -r" to delete just the directory. It deletes both the
folder and the files it contains when using only the rm command.

touch

• The touch command is used to create a file. It can be anything, from an empty txt file to an empty zip file. For
example, “touch new.txt”.
Linux Fundamentals
man
• To know more about a command and how to use it, use the man command. It shows the manual pages of the
command.

cp
• Use the cp command to copy files through the command line. It takes two arguments: The first is the file’s location
to be copied, and the second is where to copy.
Linux Fundamentals
mv
• Use the mv command to move files through the command line.
• We can also use the mv command to rename a file.
• For example, if we want to rename the file “text” to “new”, we can use “mv text new”.
• It takes the two arguments, just like the cp command.

locate
• The locate command is used to locate a file in a Linux system, just like the search command in Windows. This
command is useful when you don't know where a file is saved or the actual name of the file.
Linux Fundamentals
Intermediate Commands
echo
• The "echo" command helps us move some data, usually text, into a file.
• For example, if you want to create a new text file or add to an already made text file, you just need to type in, “echo
hello, my name is Aditya >> new.txt”.

cat

• Use the cat command to display the contents of a file. It is usually used to view programs easily.
Linux Fundamentals
Intermediate Commands
nano, vi

• nano and vi are text editors that come preinstalled on the Linux command line.

• nano is a good text editor that highlights keywords with colour and recognizes most languages.

• vi is simpler than nano.

• You can create a new file or modify an existing one using these editors.

• For example, if you need to make a new file named "check.txt", you can create it using the command
“nano check.txt”.

• You can save your file after editing with the key sequence Ctrl+X, then Y.
Linux Fundamentals
Intermediate Commands
sudo

• A widely used command in the Linux command line, sudo stands for "SuperUser Do". So, if you want any
command to be done with administrative or root privileges, you can use the sudo command.

df

• Use the df command to see the available disk space in each of the partitions in your system.

• You can just type in df in the command line and you can see each mounted partition and their used/available space
in % and in KBs.

• You can use the command “df -m” if you want it shown in megabytes.
Linux Fundamentals
Intermediate Commands
du

• Use du to know the disk usage of a file in your system.

• If you want to know the disk usage for a particular folder or file in Linux, you can type in the command du
followed by the folder or file name.

tar

• Use tar to work with tarballs (or files compressed in a tarball archive) in the Linux command line.

• It has a long list of uses.

• It can be used to compress and uncompress different types of tar archives like .tar, .tar.gz, .tar.bz2, etc. It
works on the basis of the arguments given to it.

• For example, "tar -cvf" for creating a .tar archive.


Linux Fundamentals
Intermediate Commands
zip, unzip

• Use zip to compress files into a zip archive, and unzip to extract files from a zip archive.

uname

• Use uname to show the information about the system your Linux distro is running. Using the command “uname -a”
prints most of the information about the system. This prints the kernel release date, version, processor type, etc.
Linux Fundamentals
Intermediate Commands
apt-get

• Use apt to work with packages in the Linux command line.

• Use apt-get to install packages.

• This requires root privileges, so use the sudo command with it.

• For example, if you want to install the text editor jed we can type in the command “sudo apt-get install jed”.
Linux Fundamentals
Intermediate Commands
chmod

• Use chmod to make a file executable and to change the permissions granted to it in Linux.

• Imagine you have a python code named numbers.py in your computer.

• You'll need to run “python numbers.py” every time you need to run it.

• Instead of that, when you make it executable, you'll just need to run “numbers.py” in the terminal to run the file.

• To make a file executable, use the command “chmod +x numbers.py”.

• Use “chmod 755 numbers.py” to give it root permissions or “sudo chmod +x numbers.py” for root executable.
Linux Fundamentals
Intermediate Commands
hostname

• Use hostname to find the name of your machine on the host or network.

• Basically, it displays your hostname and IP address. Just typing “hostname” gives the output.

• Typing in “hostname -I” gives you your IP address in your network.

ping

• Use ping to check your connection to a server.

• For example, “ping google.com” checks whether packets can reach the server and come back.

• It measures this round-trip time and gives you the details about it.
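As an added walkthrough, not code from the slides, the following Python script runs the commands above inside a temporary directory and records what each one does, including that rmdir refuses a non-empty directory and that chmod +x is what makes ./numbers.py runnable. It assumes a Unix-like system with the standard coreutils and tar on PATH.

```python
import os
import shutil
import subprocess
import sys
import tempfile


def run(cmd, cwd):
    """Run one command (list form, no shell) and return (exit code, stdout)."""
    proc = subprocess.run(cmd, cwd=cwd, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def linux_basics_walkthrough():
    """Exercise the commands from the slides inside a throwaway directory and
    return what each step observed; nothing outside that directory is touched."""
    work = tempfile.mkdtemp()          # scratch directory, deleted at the end
    diy = os.path.join(work, "DIY")
    results = {}
    try:
        run(["mkdir", "DIY"], work)            # mkdir creates the directory "DIY"
        run(["touch", "DIY/new.txt"], work)    # touch creates an empty file
        # "echo text >> file" appends; the >> redirection is done by the shell,
        # so these two steps deliberately go through sh -c
        subprocess.run(["sh", "-c", "echo 'hello, my name is Aditya' >> DIY/new.txt"],
                       cwd=work, check=True)
        subprocess.run(["sh", "-c", "echo 'second line' >> DIY/new.txt"],
                       cwd=work, check=True)
        _, text = run(["cat", "DIY/new.txt"], work)       # cat prints the file
        results["lines"] = text.count("\n")

        run(["cp", "DIY/new.txt", "DIY/copy.txt"], work)      # cp source destination
        run(["mv", "DIY/copy.txt", "DIY/renamed.txt"], work)  # mv to a new name renames
        results["files"] = sorted(os.listdir(diy))

        # numbers.py needs both a shebang line and the execute bit before
        # "./numbers.py" works; chmod +x supplies the execute bit
        with open(os.path.join(diy, "numbers.py"), "w") as fh:
            fh.write(f"#!{sys.executable}\nprint(sum(range(5)))\n")
        try:
            run(["./numbers.py"], diy)
            results["exec_before_chmod"] = True
        except OSError:                          # no execute bit yet
            results["exec_before_chmod"] = False
        run(["chmod", "+x", "DIY/numbers.py"], work)
        code, out = run(["./numbers.py"], diy)
        results["exec_after_chmod"] = (code == 0, out.strip())

        run(["tar", "-cvf", "DIY.tar", "DIY"], work)        # -c create, -v verbose, -f archive
        _, listing = run(["tar", "-tf", "DIY.tar"], work)   # -t lists archive members
        results["archived"] = "DIY/numbers.py" in listing.split()

        code, _ = run(["rmdir", "DIY"], work)   # rmdir refuses a non-empty directory
        results["rmdir_refused"] = code != 0
        run(["rm", "-r", "DIY"], work)          # rm -r removes the directory and its contents
        results["removed"] = not os.path.exists(diy)
    finally:
        shutil.rmtree(work, ignore_errors=True)
    return results
```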
Types of Penetration Testing
Penetration Testing
• A pen test is a form of ethical cyber security assessment conducted to identify, safely exploit and help eliminate
vulnerabilities that reside across an organization’s on-premises and remote IT environments.

Internal/External Infrastructure Penetration Testing

• An assessment of on-premise and cloud network infrastructure, including firewalls, system hosts, and devices such as routers
and switches.

• To scope a test, you must know the number of internal and external IPs to be tested, the network subnet size, and the
number of sites.

Wireless Penetration Testing

• A test specifically targeting an organization’s WLAN (wireless local area network) and wireless protocols including
Bluetooth, ZigBee, and Z-Wave.

• Helps to identify rogue access points, weaknesses in encryption, and WPA vulnerabilities.

• To scope an engagement, testers must know the number of wireless and guest networks, locations and unique SSIDs to
be assessed.
Types of Penetration Testing
Web Application Testing
• An assessment of websites and custom applications delivered over the web, looking to uncover coding, design,
and development flaws that could be maliciously exploited.

Build and Configuration Review

• Review of network builds and configurations to identify misconfigurations across web and app servers, routers,
and firewalls.

• The number of builds, operating systems, and application servers to be reviewed during testing is crucial
information to help scope this type of engagement.

Social Engineering

• An assessment of the ability of your systems and personnel to detect and respond to email phishing attacks.

• Gain precise insight into the potential risks through customized phishing, spear phishing, and Business Email
Compromise (BEC) attacks.
Types of Penetration Testing
White Box Penetration Testing
• White box penetration testing (also called clear box testing, glass box testing, or internal penetration testing) is
when the pen tester has full knowledge and access to the source code and environment.

• The goal of a white box penetration test is to conduct an in-depth security audit of a business’s systems and
provide the pen tester with as much detail as possible.

• As a result, the tests are more thorough because the pen tester can access areas where a black box test cannot, such
as quality of code and application design.
Types of Penetration Testing
Black Box Penetration Testing
• In a black box penetration test, no information is provided to the tester at all.

• The pen tester, in this instance, follows the approach of an unprivileged attacker, from initial access and
execution through to exploitation.

• This scenario can be seen as the most authentic, demonstrating how an adversary with no inside knowledge would
target and compromise an organization. However, this typically makes it the costliest option too.
Types of Penetration Testing
Grey Box Penetration Testing
• In a grey box penetration test, also known as a translucent box test, only limited information is shared with the
tester.

• Usually, this takes the form of login credentials. Grey box testing is useful to help understand the level of access a
privileged user could gain and the potential damage they could cause.

• Grey box tests strike a balance between depth and efficiency and can be used to simulate either an insider threat or
an attack that has breached the network perimeter.
Red Team Vs Blue Team
• Red Team Job Titles
✔ Vulnerability Analyst
✔ Senior Security Consultant
✔ Ethical Hacker
✔ Penetration Tester
• Red Team Certifications
• Certified Ethical Hacker (CEH v12)
• CompTIA PenTest+
• Offensive Cybersecurity Engineer
• Blue Team Job Titles
✔ Cybersecurity Analyst
✔ Incident Responder
✔ Information Security Analyst
✔ Security Engineer
• Blue Team Certifications
• Certified Information System Security Professional (CISSP)
• Certified Information System Auditor (CISA)
• CompTIA Security+
What Is A Cyber Kill Chain?
• Originally developed by Lockheed Martin in 2011.

• The cyber kill chain is intended to defend against sophisticated cyberattacks, also known as advanced
persistent threats (APTs), in which the adversaries spend significant time surveilling and planning an attack.

• Most commonly these attacks involve a combination of malware, ransomware, Trojans, spoofing and social
engineering techniques to carry out their plan.
The Cyber Kill Chain
Reconnaissance

• A malicious actor identifies a target and explores vulnerabilities and weaknesses that can be
exploited within the network.

• The attacker may harvest login credentials or gather other information, such as email addresses,
user IDs, physical locations, software applications and operating system details, all of which may
be useful in phishing or spoofing attacks.
Weaponization

• The attacker creates an attack vector, such as remote access malware, ransomware, virus or worm
that can exploit a known vulnerability.

• The attacker may also set up back doors so that they can continue to access the system if their
original point of entry is identified and closed by network administrators.
Delivery

• The intruder launches the attack.

• Transmission of weapon to target via email, USB, and websites.

• For example, the attacker may send email attachments or a malicious link to spur user activity to
advance the plan.
Exploitation

• The malicious code is executed within the victim’s system.

• The weapon code is triggered, exploiting vulnerable applications or systems.


Installation

• The malware or other attack vector will be installed on the victim’s system.

• This is a turning point in the attack lifecycle, as the threat actor has entered the system and can now
assume control.
Command and control

• The attacker is able to use the malware to assume remote control of a device or identity within the
target network.

• The attacker may also work to move laterally throughout the network, expanding their access and
establishing more points of entry for the future.
Action on objective

• The attacker takes steps to carry out their intended goals, which may include data theft, destruction,
encryption or exfiltration.

Yadav, Tarun & Rao, Arvind (2015). Technical Aspects of Cyber Kill Chain. doi:10.1007/978-3-319-22915-7_40.
Reconnaissance Attack
• A reconnaissance attack is a type of security attack that an attacker uses to gather all possible
information about the target before launching an actual attack.
• An attacker uses a reconnaissance attack to prepare for an actual attack.
Information gathered about the target
• Gather initial information
• Determine the network range
• Identify active machines
• Discover open ports and access points
• Fingerprint the operating system
• Uncover services on ports
• Map the network
Methodology

ARIN - American Registry for Internet Numbers
Types of Reconnaissance
Footprinting

• Footprinting is the part of the reconnaissance process that is used for gathering all possible information
about a target computer system or network.

• Footprinting could be both passive and active.

• Reviewing a company’s website is an example of passive footprinting, whereas attempting to gain access to
sensitive information through social engineering is an example of active information gathering.
Information gathered during footprinting
• Domain name
• IP Addresses
• Namespaces
• Employee information
• Phone numbers
• E-mails
• Job Information
Footprinting Tools
• Whois - https://whois.domaintools.com/

A whois lookup retrieves the registration record of a domain. This information may include the registrant's
name, address, email, phone number and the IP addresses associated with the domain.

• Shodan - https://www.shodan.io/

Shodan is a search engine that lets users search for various types of devices (webcams, routers,
servers, etc.) connected to the internet using a variety of filters.

• nslookup - https://www.nslookup.io/

nslookup is a network administration command-line tool for querying the Domain Name System
to obtain the mapping between a domain name and an IP address, or other DNS records.
Footprinting Tools
• Netcraft - https://sitereport.netcraft.com/

Netcraft is an Internet services company based in Bath, Somerset, England. The company provides
cybercrime disruption services across a range of industries.

• Wayback Machine - https://archive.org/web/

The Wayback Machine is a digital archive of the World Wide Web founded by the Internet
Archive, a nonprofit based in San Francisco, California. Created in 1996 and launched to the public in
2001, it allows the user to go "back in time" and see how websites looked in the past.

• Wappalyzer - https://www.wappalyzer.com/

Wappalyzer is a technology profiler that shows you what websites are built with: the framework,
ecommerce platform, JavaScript libraries and much more.
Tools used in Kali Linux
• theHarvester (built into Kali)
Usage: theHarvester -d <domain> -b <source>
• Sublist3r
Usage: sublist3r -d <domain>
Google search
• It is possible to perform an effective search on Google by using specific search operators. For example, to
find a particular type of file on a website you can use
Syntax: site:<domain> filetype:<file type, e.g., pdf, docx, etc.>
site:nus.edu.sg filetype:pdf
Reconnaissance Attack
Types of reconnaissance attacks
• There are three types of reconnaissance attacks. These are social, public, and software.

Social reconnaissance attacks

• A hacker uses social engineering to gather information about the target. Users share a lot of
personal and business information on social networking sites.
• A hacker can use social networking sites to gather information about the target.
• For example, if the target is a company, the hacker can use social networking sites to reveal
information about the company's employees.
Reconnaissance Attack
Social reconnaissance attacks
• To reduce social reconnaissance attacks, a company must train its employees about what information
they cannot share with others within and outside the company.
• Employees should never share sensitive information on any social platform.
• If an employee shares any confidential information with unknown persons or outside users, the
company must take appropriate action against the employee.

Public reconnaissance attacks

• A hacker collects information about the target from public domains. Companies share location and
business model information on their websites.
• A hacker can use this information to determine the location of the target. From this information, a
hacker can also determine what kind of infrastructure the target uses.
• For example, most web hosting companies share information about their servers and security
equipment.
Reconnaissance Attack
Software reconnaissance attacks
A hacker uses software tools to gather information about the target. Operating systems and software
packages include many tools and utilities for debugging and troubleshooting.

A hacker can use them to collect information about the network and its resources.

For example, a hacker can use the nslookup command to perform a DNS lookup. The nslookup
command resolves an IP address from a fully qualified domain name.

Once the hacker knows the domain name of the business, the hacker can use the whois database to reveal
detailed information about domain owners, mail servers, contact information, authoritative DNS servers,
etc.
Reconnaissance Attack
Software reconnaissance attacks
• In the next step, the hacker can use the ping command. The ping command sends packets to the target
host. If the target host is live, the host replies to the packets.
• Reply packets verify that the target host is live.
Reconnaissance Attack
Software reconnaissance attacks
• In addition to the ping command, the hacker can also use the tracert command. The tracert command
prints the path that packets use to reach the destination device.
• With the help of the ping command and the tracert command, a hacker can create a visual map of the
target network.
Reconnaissance Attack
Software reconnaissance attacks
• In the next step, the hacker can use port scanners to detect running services on the target host. To scan
services, the hacker can use nmap scanner.
Reconnaissance Attack
To mitigate software reconnaissance attacks, an administrator can use the following techniques:

• Disable all unused ports on servers.

• Use a masking service to hide sensitive information in the whois database.

• Use NAT to hide the internal structure of the network.

• Use a software or hardware firewall to filter all suspicious traffic.
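The following added example (not part of the slides) shows the defender's side of this section: detection logic that reads constructed iptables-style firewall log lines and flags the port-scan and ping-sweep patterns that ping, tracert and nmap leave behind. The log format, addresses and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, iptables-style log lines (not real traffic): one source probes many
# ports on one host, another pings a whole subnet, a third is ordinary traffic.
SAMPLE_LOG = """\
2024-01-10T12:00:01 fw kernel: IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=40001 DPT=21 SYN
2024-01-10T12:00:01 fw kernel: IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=40002 DPT=22 SYN
2024-01-10T12:00:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=40003 DPT=25 SYN
2024-01-10T12:00:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=40004 DPT=80 SYN
2024-01-10T12:00:03 fw kernel: IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=40005 DPT=110 SYN
2024-01-10T12:00:03 fw kernel: IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=40006 DPT=143 SYN
2024-01-10T12:00:04 fw kernel: IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=40007 DPT=443 SYN
2024-01-10T12:00:10 fw kernel: IN=eth0 SRC=198.51.100.9 DST=10.0.0.1 PROTO=ICMP TYPE=8 CODE=0
2024-01-10T12:00:10 fw kernel: IN=eth0 SRC=198.51.100.9 DST=10.0.0.2 PROTO=ICMP TYPE=8 CODE=0
2024-01-10T12:00:11 fw kernel: IN=eth0 SRC=198.51.100.9 DST=10.0.0.3 PROTO=ICMP TYPE=8 CODE=0
2024-01-10T12:00:11 fw kernel: IN=eth0 SRC=198.51.100.9 DST=10.0.0.4 PROTO=ICMP TYPE=8 CODE=0
2024-01-10T12:00:12 fw kernel: IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=ICMP TYPE=8 CODE=0
2024-01-10T12:05:00 fw kernel: IN=eth0 SRC=192.0.2.44 DST=10.0.0.7 PROTO=TCP SPT=51000 DPT=443 SYN
2024-01-10T12:05:30 fw kernel: IN=eth0 SRC=192.0.2.44 DST=10.0.0.7 PROTO=TCP SPT=51001 DPT=80 SYN
"""

# Fields we need: timestamp, source, destination, protocol, and either the TCP
# destination port or the ICMP type (8 = echo request, i.e. a ping).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?(?: TYPE=(?P<type>\d+))?"
)


def parse_events(log_text):
    """Turn raw log lines into dicts; lines that are not firewall records are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None,
            "icmp_type": int(m["type"]) if m["type"] else None,
        })
    return events


def detect_recon(events, port_threshold=5, host_threshold=4, window_seconds=60):
    """Flag port scans (one source, many distinct ports on one host) and ping sweeps
    (one source, echo requests to many distinct hosts) that fit inside a time window.
    Returns sorted (kind, source, count) tuples."""
    ports = defaultdict(set)    # ("portscan", src, dst) -> distinct ports probed
    hosts = defaultdict(set)    # ("pingsweep", src)     -> distinct hosts pinged
    first, last = {}, {}        # per key: earliest and latest timestamp seen
    for ev in events:
        if ev["proto"] == "TCP" and ev["dpt"] is not None:
            key = ("portscan", ev["src"], ev["dst"])
            ports[key].add(ev["dpt"])
        elif ev["proto"] == "ICMP" and ev["icmp_type"] == 8:
            key = ("pingsweep", ev["src"])
            hosts[key].add(ev["dst"])
        else:
            continue
        first.setdefault(key, ev["ts"])
        last[key] = max(last.get(key, ev["ts"]), ev["ts"])

    alerts = []
    for key, seen in list(ports.items()) + list(hosts.items()):
        threshold = port_threshold if key[0] == "portscan" else host_threshold
        span = (last[key] - first[key]).total_seconds()
        if len(seen) >= threshold and span <= window_seconds:
            alerts.append((key[0], key[1], len(seen)))
    return sorted(alerts)
```

The two ordinary connections from 192.0.2.44 stay below the port threshold and are not reported.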


Enumeration
• Enumeration is extracting a system’s valid usernames, machine names, share names, directory
names, and other information.

• It is a key component of ethical hacking and penetration testing, as it can provide attackers with a
wealth of information that can be used to exploit vulnerabilities.

• Enumeration is one of the most important steps in ethical hacking because it gives hackers the
necessary information to launch an attack.
Enumeration can be used to gather any of the following information:

• Operating system details
• Network infrastructure details
• Usernames of valid users
• Machine names
• Share names
• Directory names
• Printer names
• Web server details
Enumeration
Importance of Enumeration
• Enumeration lets you understand what devices are on your network, where they are located, and
what services they offer.
• Enumeration can be used to find security vulnerabilities within systems and networks.

An enumeration scan reveals:
• Open ports on devices
• Access to specific services
• What type of information is being transmitted

• This information can then be used to exploit weaknesses and gain unauthorized access.
Techniques for Enumeration
• The knowledge can then be used to exploit vulnerabilities and gain access to sensitive data.

• The method will depend on the type of system you are targeting.

• The most common methods include email IDs and usernames, default passwords, and DNS zone
transfer.

• Using email IDs and usernames is a great way to gather information about a system. You can use this
information to brute force passwords or gain access to sensitive data. Default passwords are
another common method of enumeration.

• By using default passwords, you can gain access to systems that have not been properly configured.

• DNS zone transfer is a technique that can be used to expose topological information. This information
can be used to identify potential targets for attack.
Process of Enumeration
• Enumeration is the process of identifying all hosts on a network. This can be done in several ways, but
active and passive scanning is the most common method.

• Active scanning involves sending out requests and analyzing the responses to determine which hosts
are active on the network.

• Passive scanning involves listening to traffic and analyzing it to identify hosts.

• Active scanning is more likely to identify all hosts on a network, but it is also more likely to cause
disruptions because it generates a lot of traffic.

• Passive scanning is less likely to identify all hosts but also less likely to cause disruptions because it
does not generate any traffic.
The Types of Enumeration
NetBIOS Enumeration
• NetBIOS is a protocol that allows devices on a network to share resources and communicate with
each other.
• NetBIOS enumeration is querying a device to identify the available NetBIOS resources.
• This can be done using tools like nbtstat and net view.

SNMP Enumeration
• SNMP is a protocol that allows devices to be managed and monitored remotely.
• SNMP enumeration is querying a device to identify what SNMP resources are available.
• This can be done using tools like SNMP-check and snmpwalk.
The Types of Enumeration
LDAP Enumeration
• LDAP is a protocol that allows devices on a network to share information about users and
resources.
• This can be done using tools like ldapsearch.

NTP Enumeration
• Allows devices on a network to synchronize their clocks with each other.
• NTP enumeration is querying a device to identify what NTP resources are available.
• This can be done using tools like Nmap and PRTG Network Monitor.
Services and Ports to Enumerate
When conducting a penetration test or simply enumerating services on a target machine, knowing which
ports are associated with it is often useful.

This can be accomplished using a port scanner such as Nmap to scan for open ports on the target
machine.

The following are some of the most commonly used services and their associated ports
• FTP – 21
• SSH – 22
• HTTP – 80
• HTTPS – 443
• SMTP – 25
• POP3 – 110
• IMAP – 143
• SNMP – 161
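As an added example (not from the slides), this Python code parses Nmap's grepable (-oG) output, constructed here for two hosts, and compares the open ports against an allowlist of services each host is supposed to run, which is how the advice to disable unused ports gets verified in practice. The hosts, scan results and baseline are assumptions made for the example.

```python
# Constructed nmap "grepable" (-oG) output for two hosts; not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -sU -p 21,22,25,80,110,143,161,443 -oG - 10.0.0.7 10.0.0.9
Host: 10.0.0.7 (web01)\tStatus: Up
Host: 10.0.0.7 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 161/open|filtered/udp//snmp///\tIgnored State: closed (12)
Host: 10.0.0.9 (mail01)\tStatus: Up
Host: 10.0.0.9 (mail01)\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, 110/open/tcp//pop3///, 143/open/tcp//imap///\tIgnored State: closed (12)
# Nmap done at Wed Jan 10 12:00:00 2024 -- 2 IP addresses (2 hosts up) scanned in 1.23 seconds
"""

# The port table from the slides, used when nmap reports no service name.
WELL_KNOWN_PORTS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http",
                    110: "pop3", 143: "imap", 161: "snmp", 443: "https"}


def parse_grepable(text):
    """Return {host: [(port, proto, state, service), ...]} from nmap -oG output.
    Each port entry has the form port/state/proto/owner/service/rpc/version."""
    findings = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                                   # comments and Status-only lines
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]  # drop "Ignored State"
        entries = []
        for item in ports_field.split(","):
            port, state, proto, _owner, service, _rest = item.strip().split("/", 5)
            entries.append((int(port), proto, state, service))
        findings[host] = entries
    return findings


def unexpected_services(findings, baseline):
    """Compare open ports per host against an allowlist {host: {port, ...}} and
    return {host: [(port, service), ...]} for everything the baseline does not expect.
    Anything not in the baseline is a candidate for the "disable unused ports" rule."""
    unexpected = {}
    for host, entries in findings.items():
        allowed = baseline.get(host, set())
        extra = [(port, service or WELL_KNOWN_PORTS.get(port, "unknown"))
                 for port, _proto, state, service in entries
                 if state.startswith("open") and port not in allowed]
        if extra:
            unexpected[host] = extra
    return unexpected


# Constructed baseline: web01 should only expose ssh/http/https, mail01 only smtp/imap.
BASELINE = {"10.0.0.7": {22, 80, 443}, "10.0.0.9": {25, 143}}
```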
Tools supporting Enumeration
Boot Process
• The process of powering on a computer and starting the OS

• Power On

• CPU will move to BIOS (Basic Input Output System) in ROM

• BIOS is a firmware that is built into the computer’s motherboard. It initializes computer hardware as the computer
is being booted. It searches for the boot device to boot the software, such as the OS.

• BIOS will be executed (POST – Power on Self Test)

• Power on self-test - all the hardware will be tested (3 long beeps – keyboard error, continuous short beep –
RAM module problem)
Boot Process
• BIOS will load MBR (Master Boot Record) to RAM

• MBR will load the bootloader to RAM

• Bootloader will load OS to RAM


Types of booting
• Hard booting (Cold Booting) – by pressing the Power On button

• Soft booting (Warm Booting) – by clicking restart or pressing Ctrl+Alt+Del (twice)
Windows API
• API – Application Programming Interface

• .h & .dll files

• .h files – header files that contain the definitions of the functions that make up the API, such as
ReadProcessMemory, but don’t contain the code that makes these functions work.

• .dll files – code that makes the functions work (dll – dynamic link library)
• One dll can implement multiple header files.
DLL
• A DLL is a file containing code that an application can load.

• The use of DLL files is commonly seen in the Microsoft Windows operating system, along with
others.

• According to Microsoft, the purpose of DLL files is to “promote modularization of code, code
reuse, efficient memory usage and reduced disk space.”

What is DLL Hijacking?


• DLL hijacking is a technique used to load malicious code for the purposes of defense evasion,
persistence and privilege escalation.

• Rather than execute malicious code directly via an executable file, adversaries will leverage a
legitimate application to load a malicious DLL file.
User mode
• Windows creates a process for the application.

• Process provides the application with a private virtual address space and a
private handle table.

• One application can't alter data that belongs to another application. Each
application runs in isolation.

• A process running in user mode can't access virtual addresses that are reserved for
the operating system.
Kernel mode
• All code that runs in kernel mode shares a single virtual address space.

• A kernel-mode driver isn't isolated from other drivers.

• If a kernel-mode driver accidentally writes to the wrong virtual address, data that
belongs to the operating system or another driver could be compromised.

• If a kernel-mode driver crashes, the entire operating system crashes.


User & Kernel Mode
Windows registry
• The Windows registry is a centralized, hierarchical database that manages resources
and stores configuration settings for applications on the Windows operating system.

• Security account services, user interfaces, and device drivers can all use the Windows
registry.

• It also helps monitor system performance and diagnose system errors.


Windows registry
• Windows computers once relied on a number of individual configuration files:

✔ autoexec.bat

✔ config.sys

✔ .ini files

• With the release of Windows 95, those were replaced with an organized, hierarchical
folder system.

• You can access the Windows registry by typing regedit in the Windows taskbar.
Windows registry
What is regedit used for?
• Regedit is the Windows registry editor, a graphical tool that lets you view and
monitor the Windows operating system’s registry and edit it if necessary.

• Regedit lets you make root-level or administrative-level changes to your computer and the
configuration settings of applications that connect to the registry.

• Only authorized users with administrative access can use the regedit tool.
How does the Windows registry work
• A hierarchical database structure of keys and values
makes up the registry.

• Registry keys are containers that act like folders, with values or subkeys contained within them.

• Registry values are similar to files (not containers).

• Not all applications use the registry.

• If you uninstall a program, you usually delete its settings from the registry — but not always.
How does the Windows registry work
• The main branches of the registry are called hives. And most PCs have five of them.

• All the folders in the registry are called keys except for these five hives.

• HKEY_CLASSES_ROOT — keeps track of default file associations. This is how your computer
knows to open a Word (doc) file.

• HKEY_CURRENT_USER — contains settings specific to your username in Windows.

• HKEY_LOCAL_MACHINE — contains passwords, boot files, software installation files, and security settings.

• HKEY_USERS — like the CURRENT_USER hive, except it’s for when more than one user is
logged onto the server or computer.
How does the Windows registry work
• HKEY_CURRENT_CONFIG — a real-time measurement of different hardware
activities. Information in this hive isn’t saved permanently to the registry.

When to use the Windows registry

• You may need to use the Windows registry to fix performance issues, like if your
computer keeps crashing.

• Or, you might want to edit the registry to change parts of your user experience, like your
desktop settings.

• Sometimes, items in your registry might be broken, so you should use a registry cleaner
from a trusted software provider.
How does the Windows registry work
• Registry errors can happen when keys or values aren’t found in their usual place.

• Malware might have gained access to your registry. Use malware removal software or a free antivirus
for Windows 10 or 11.

• An expert user can edit the Windows registry to speed up the PC.

• If you have broken registry items or junk clogging up your system, you should first try using one of the
best PC cleaning tools.

• Avast Cleanup clears the clutter in the registry, ensuring your computer stays streamlined and runs
smoothly.
Windows Operating System Services, Functions, Routines

• Windows API functions – Documented, callable subroutines in the Windows API. Examples include
CreateProcess.

• Native system services (or system calls) – The undocumented, underlying services in the operating
system that are callable from user mode.

• For example, NtCreateUserProcess is the internal system service that the Windows CreateProcess
function calls to create a new process.

• Kernel support functions (or routines) – Subroutines inside the Windows operating system that can be
called only from kernel mode.
Windows Operating System Services, Functions, Routines

• For example, ExAllocatePoolWithTag is the routine that device drivers call to allocate memory
from the Windows system heaps.

• Windows services – Processes started by the Windows service control manager. For example, the
Task Scheduler service runs in a user-mode process that supports the at command.

• DLLs (dynamic-link libraries) – A set of callable subroutines linked together as a binary file that can
be dynamically loaded by applications that use the subroutines. Examples include Msvcrt.dll (the C
run-time library) and Kernel32.dll (one of the Windows API subsystem libraries).
Processes, Threads, and Jobs
• A program is a static sequence of instructions, whereas a process is a container for a set of resources used
when executing the program instance.

• A private virtual address space, which is a set of virtual memory addresses that the process can use.

• An executable program, which defines the initial code and data that are mapped into the process's virtual address space.

• A list of open handles to various system resources - such as semaphores, communication ports, and files -
that are accessible to all threads in the process.
Processes, Threads, and Jobs
• A security context called an access token that identifies the user, security groups, privileges, User Account
Control (UAC) virtualization state, session, and limited use account state associated with the process.

• A unique identifier called a process ID (internally part of an identifier called a client ID).

• At least one thread of execution (although an "empty" process is possible, it is not useful).

• Each process also points to its parent or creator process. If the parent no longer exists, this information is not
updated. Therefore, it is possible for a process to refer to a nonexistent parent.
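An added example, not from the slides, of why that stale parent reference matters to an investigator: over a constructed process snapshot it rebuilds the parent/child tree and flags processes whose recorded parent has exited, or whose parent pid has since been reused by a newer process (the start-order comparison is an added heuristic beyond what the slide states).

```python
from collections import defaultdict

# Constructed process snapshot (pid, ppid, name, start order); not taken from a real
# machine. Two entries are deliberately odd: explorer.exe points at a parent that has
# exited, and notepad.exe points at a pid that was reused by a process newer than itself.
SNAPSHOT = [
    (4,    0,    "System",        0),
    (400,  4,    "smss.exe",      1),
    (500,  400,  "csrss.exe",     2),
    (600,  400,  "wininit.exe",   2),
    (700,  600,  "services.exe",  3),
    (900,  700,  "svchost.exe",   4),
    (1200, 1100, "explorer.exe",  10),
    (3000, 2500, "notepad.exe",   20),
    (2500, 900,  "taskhostw.exe", 30),
]


def parent_anomalies(snapshot):
    """Return (pid, name, reason) for every process whose recorded parent no longer
    matches a live process: the parent is gone, or its pid now belongs to a process
    that started after the child, so the link is stale."""
    by_pid = {pid: (ppid, name, start) for pid, ppid, name, start in snapshot}
    anomalies = []
    for pid, ppid, name, start in snapshot:
        if ppid == 0:
            continue                              # the root process has no parent
        parent = by_pid.get(ppid)
        if parent is None:
            anomalies.append((pid, name, "parent no longer exists"))
        elif parent[2] > start:
            anomalies.append((pid, name, "parent pid reused by a newer process"))
    return anomalies


def process_tree(snapshot, root_pid=4):
    """Render the parent/child tree below root_pid as indented lines, children ordered
    by pid. A process whose parent has exited is unreachable from the root and is
    therefore missing here, which is exactly why parent_anomalies() is needed."""
    children = defaultdict(list)
    names = {}
    for pid, ppid, name, _start in snapshot:
        children[ppid].append(pid)
        names[pid] = name

    def walk(pid, depth):
        lines = [("  " * depth) + names[pid]]
        for child in sorted(children[pid]):
            lines.extend(walk(child, depth + 1))
        return lines

    return walk(root_pid, 0)
```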
